Comments:
<0> Odd problem: I've got a system with two ethernet adapters, and I'm using stunnel to handle SSL for a service that listens on the first adapter (eth0); stunnel also listens on eth0. What I'd like to do is use iptables to take the connections from stunnel to $SERVICE (which go through lo), and make them appear to be coming in from the address associated with eth1.
<0> Is this possible?
<0> The following rule doesn't seem to work: iptables -t nat -A POSTROUTING -s ETH0_IP/255.255.255.255 -o lo -d ETH0_IP/255.255.255.255 -p tcp --destination-port 80 -j SNAT --to-source ETH1_IP
<0> (And adding a -j LOG shows the rule as matching the proper packets).
<1> Hi, I have 2 PCs connected over a crossover cable. I have pc1 (my gateway [mandriva]: 192.168.1.1) and pc2 (ubuntu: 192.168.1.2). I have my gateway pc1 configured with iptables to do nat/masq, and it is working well. Once I connect the cable and do "ifconfig eth0 192.168.1.2 up;route add default gw 192.168.1.1 netmask 255.255.255.0" from pc2, after that I can ping pc1 and pc2 both ways, but I cannot ping google.com or its IP. Pls help?
<2> ip_forward activated on pc1?
<3> I'm running a breezy server and there is a samba and NAT (netshare) with dsl connect. Yesterday I rebooted it but after that the XP clients can't browse the internet; only google downloads, other sites don't load. The ping and dns are working on the clients. Any idea?
<1> matth_: yes, i put echo '1' > /proc/sys/net/ipv4/ip_forward in my rc.local script.
<1> so it should be forwarding.
<2> fire up a tcpdump and see where it blocks when pinging from pc2 to an IP on the internet
<1> matth_: tcpdump on pc2?
<2> well on pc1 would be wiser
<1> matth_: ok!
<1> matth_: i don't understand what it is saying..
<2> another problem
<1> :)
<2> what is your iptables line to masquerade?
<4> iptables -P FORWARD DROP
<4> iptables -A FORWARD -s 192.168.1.0/24 -d 0/0 -j ACCEPT
<4> iptables -A FORWARD -d 192.168.1.0/24 -s 0/0 -j ACCEPT
<4> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
<1> matth_: ^
<1> matth_: Is it ok?
<2> I don't get it
<1> matth_: huh? something wrong with the table?
<2> oh oki, that was an arrow
<5> heh
<1> matth_: |lostbyte| is my pc1 nick..
<2> yep figured that out too late
<1> i don't know what i am missing..
<1> :)
<2> don't you have to specify the interfaces in the FORWARD accepting rules?
<1> i am new to iptables..
<2> maybe by default any are ok
<2> I'm not sure
<1> Two guys here on this channel told me those lines.. some weeks back.
<2> I prefer being verbose and being sure of what is done, rather than relying on default behavior you're not so sure about
<1> matth_: ok! what do i have to add. worth the shot..
<2> -i and -o, check the man
<0> Any reason why the following rule wouldn't cause packets to appear to be coming from ETH1_IP? iptables -t nat -A POSTROUTING -s ETH0_IP/255.255.255.255 -o lo -d ETH0_IP/255.255.255.255 -p tcp --destination-port 80 -j SNAT --to-source ETH1_IP
<1> matth_: Alright! only for the middle two, right?
<1> FORWARD ones?
<2> yes but nm, actually that won't change anything
<1> yeah! but as you said, to be more informative... i'll try.
<1> matth_: :(
<1> matth_: i still get ping: unknown host google.com
<4> iptables -P FORWARD DROP
<4> iptables -A FORWARD -i ppp0 -o eth0 -s 192.168.1.0/24 -d 0/0 -j ACCEPT
<4> iptables -A FORWARD -i ppp0 -o eth0 -d 192.168.1.0/24 -s 0/0 -j ACCEPT
<4> iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -j MASQUERADE
<1> matth_: any ideas?
<2> I would have written for the 2 accept lines:
<2> iptables -A FORWARD -i eth0 -o ppp0 -s 192.168.1.0/24 -j ACCEPT
<2> iptables -A FORWARD -i ppp0 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
<2> I think you swapped the interfaces in your lines
<1> matth_: ppp0 is the internet for my pc1
<6> "Unknown host" could also mean misconfigured DNS resolvers. Did you try using an IP address?
<1> ok! will try..
<2> shadow__: I guessed that
<1> :) ok
<2> and you really think you'll receive packets from the net with ip_src in 192.168.1.0/24?
<2> btw gg to bed
<5> mmmm sleep
<1> matth_: no!
<7> How would I change ports on incoming packets... if a packet is coming in to port 111 and I want to redirect it to port 112 (UDP packets)? I'm having some trouble making the REDIRECT target work
<1> matth_: nope! doesn't
<1> matth_: You have a nice night :)
<7> i'm using string matching to determine if the port should be changed
<6> matadon: did you try REDIRECT?
<7> yes.
<6> chemokid: any possibility to use routing instead of NAT? I think with NAT you're stuck with the logging problem.
<7> the problem is, with UDP packets once a UDP packet matches the string all udp packets are then considered a connection so future packets also have their port changed
<1> any one here who can help me?
<7> s/changed/redirected --- let me test something here now that I think about it
<1> Hi, I have 2 PCs connected over a crossover cable. I have pc1 (my gateway [mandriva]: 192.168.1.1) and pc2 (ubuntu: 192.168.1.2). I have my gateway pc1 configured with iptables to do nat/masq, and it is working well. Once I connect the cable and do "ifconfig eth0 192.168.1.2 up;route add default gw 192.168.1.1 netmask 255.255.255.0" from pc2, after that I can ping pc1 and pc2 both ways, but I cannot ping google.com or its IP from pc2. Pls help?
<5> rob0: well i'm looking at all options before i actually head down to the office where the firewall in question is
<5> this is someone else's script (i usually use ipfilter) so i'm not sure what their justification was =/
<5> sucks not being able to test it out here (my other box needs its motherboard replaced)
<6> Ideally you would put the servers in their own "DMZ" segment, and just route to them, no NAT.
<6> If you don't have a spare NIC for that segment, vlan is a possibility (see vconfig(8).)
<5> yea no spare nic
<5> might be able to pick one up on tuesday though
<0> rob0: What would REDIRECT do for me in this case...?
<0> rob0: I mean, packets are flowing appropriately -- I just want to mask (read: alter) the source IP.
<7> string matching in the nat table is not working hrmm
<7> maybe I could mark it in raw and go from there
<6> I see. When you do change a source IP, the replies go there. Could that be the problem?
<0> rob0: Just to make sure; we're talking about my SNAT above, right?
<6> matadon: I think so, at least as much as I understand it. The initial description sounded like a job for REDIRECT, so I thought.
<0> rob0: I don't think so. Everything works, other than the source IP being the IP of eth0, rather than eth1, and since I want to 'rewrite' the source IP (without breaking things), SNAT seemed ideal. I mean...I guess I'm curious as to how I could even apply a REDIRECT in this case.
<7> anyone know how to make string matching (-m string) case insensitive?
<8> danieldg: hi! Do you use Stunnel in your apache2 for SSL connections?
<9> anybody help please
<9> HI, help needed for iptables, any one having some free time?
<10> I've got a question about iptables. There are three PC stations in two countries. A sends a packet to B. B changes the source IP from A to B and the destination IP from B to C and forwards the packet to C. So C receives the packet from B. Scheme: A sends packets to B and they are forwarded to C as if from B. Question: B has one NIC which connects through aDSL.
<10> is it possible to change IPs on B?
<10> Hello!
<8> hi all
<11> I'm trying to make port forwarding for a specific range
<11> can I use hostnames instead of ip addresses?
<5> does anyone have a simple, easy to read (meaning no custom chains) iptables ruleset that i can base mine on? i basically need it to replace an ugly hackish one. for a router that provides internet access for two servers behind it and allows ports 80 and 25 to be forwarded to the internal servers
<5> all the ones that i'm coming across using Google searches seem to be pretty overboard
<12> eeeeeeedddddddddddddw\
<12> wooopa
<8> danieldg: are you there?