Quotes DB: useful, funny, interesting






<0> --dport is actually in a module (-m tcp) but it's just automatically included when you specify -p tcp
<1> And we hope, without the admin being loaded too. :)
<2> haha
<3> hi, all
<3> the scheme is users - 3128 squid any - outside. is there any way to mark external packets to detect from which user they are going from?
<3> i need to control these packets by tc
<4> hello
<4> I want to forward port 80 to 192.168.0.2 on my network
<4> how do I do that?
<4> what's the command for debian
<5> hi!
<5> I've just finally got iptables LOG to output to a different file than /var/log/messages
<5> with syslog-ng
<5> but the question, how to clear dmesg ?



<6> delete it?
<5> :)
<5> I mean how to keep it clean from iptables output
<5> maybe it is not exactly an iptables issue, rather than kernel logging,...
<5> but anyway, please, you should be used to manage such system, as I think iptables produce most output to kernel (at least at mine)
<5> err: to logger
<4> I want to forward port 80 to 192.168.0.2 on my network
<4> what's the command for debian
<6> iptables
<7> hi folx
<8> how can I redirect the request to one page to other server
<8> ?
<8> how can I redirect the request to one domain to other server?
<9> seelen_: Wouldn't you be better doing that in Apache with a redirect?
<8> PlutoniumDragon, I can't my server is a router ... and I need to send the request to other server because my server for one strange reason can access to hotmail domain
<8> PlutoniumDragon, I don't have apache in this server
<8> PlutoniumDragon, Is it possible to make DNAT to a domain?
<9> seelen_: You can use iptables to redirect packets based on ip but not http1.1 virtual hosting within an ip
<9> seelen_: I think DNAT works on the layer of TCP/IP rather than HTTP
<9> seelen_: So you could change 81.1.1.1 to 84.2.9.2 for instance
<8> PlutoniumDragon, yes you are right, then I need all the IP's from hotmail to make a DNAT?
<9> seelen_: Are you trying to redirect packets going to hotmail to go to a different box?
<8> PlutoniumDragon, no I try to send the request of hotmail from other box different to router
<8> PlutoniumDragon, because the router can't open hotmail and I don't know why?
<9> seelen_: I'm sorry I don't understand... if you want to redirect traffic that would go to hotmail to another box or router then yes you can do it with DNAT... It might be smarter to use a HTTP proxy of some kind like Squid though (if it's just HTTP traffic)
<8> PlutoniumDragon, yes I need to proxy from other proxy different ... but only the hotmail request
<9> seelen_: If you're changing the route you're much better off adding a static route on your router for the hotmail netblocks
<9> seelen_: DNAT will change the destination IPs
<8> PlutoniumDragon, Can I change the source IP address, to fool hotmail block
<9> seelen_: Umm
<8> PlutoniumDragon, SNAT
<8> ?
<9> seelen_: Without seeing a network diagram I can't be sure what you're trying to do here and what would help
<8> PlutoniumDragon, Clients ----------- Web-Server ---------- Router (Proxy, Iptables, QoS) --------- Internet
<9> seelen_: Where is your hotmail traffic being blocked? And in what direction?
<8> PlutoniumDragon, I don't know ... i try to open hotmail and this not opens
<9> seelen_: I think you need to diagnose that first
<9> seelen_: Otherwise you're pretty blind
<9> seelen_: Have you tried tracerouting?
<8> PlutoniumDragon, yes and there make the connection and finds hotmail ... but hotmail can't respond the HTTP request ... like if was in hotmail black list
<9> seelen_: If that is the case then there is nothing you can do
<9> seelen_: Except to come from a different IP
<9> seelen_: Which you can't do with SNAT or DNAT
<8> PlutoniumDragon, One client had a virus and my internal IP was banned .... I removed this ban from many lists but, I still can't access to hotmail ... i wrote Hotmail's support and they said that I wasn't banned by them.
<9> seelen_: I see. I presume you mean your external IP. No one would know what your internal IP was.
<8> PlutoniumDragon, I check from different clients ... and the problem Is the same
<9> seelen_: Do you have a range of external ips?
<8> PlutoniumDragon, yes public IP's , but the banned IP is the one from my ISP, the WAN IP
<9> seelen_: What do you mean the banned ip is the wan ip?
<8> PlutoniumDragon, yes, is the IP that connects to my internet service provider, and not my public IP range
<9> seelen_: That shouldn't matter. No one sees that IP except the next hop router. What matters is the public address of the packet (e.g. one of your client ips). Most likely a block of ips got blocked, not just one.
<8> PlutoniumDragon, but not all my clients have a public IP, and even the public IP clients can't access to Hotmail
<9> seelen_: Yeah so that whole block is blocked
<8> PlutoniumDragon, but I checked this and it does not appear blocked



<8> PlutoniumDragon, you can check plz this is my WAN IP 65.199.245.126
<9> seelen_: There is no way I can check whether you are blocked
<10> are mangle table chains evaluated before nat table chains?
<10> never mind. read the tutorial.
<10> err, for clarity's sake: I read the tutorial.
<8> PlutoniumDragon, do you know any banned or abuse look up page ?
<9> seelen_: Sorry no
<9> seelen_: If your traceroute to hotmail works though then they're not blocking your ICMP traffic
<8> PlutoniumDragon, yes it's works ... what could be the problem ?
<8> PlutoniumDragon, http://pastebin.com/559709
<9> seelen_: Hmm
<9> seelen_: That's more or less what I get
<9> seelen_: Have you tried telnetting to port 80 on www.hotmail.com and doing a GET / ?
<11> hi
<11> how do i make sure to delete ALL my iptables and put all to accept policy? -F?
<12> http://linuxkungfu.org/files/scripts/flush
<11> cool
<12> you'd think there'd be an iptables --superflush or something
<11> nop, i knew it has to be part by part, but that should be great
<11> has to be something difficult to write for security reasons
<12> I don't think that makes it any more secure
<12> I just think the iptables folks chose not to put high level stuff like that in
<11> trappist: now i think that i can't eeeh... resolve dns cause i didn't put nameserver before the ip number
<11> i mean, difficult to write or some question like "Don't do this unless you really know what you are doing"
<11> well, it doesn't matter, i can't find the grammar and the vocabulary to express myself
<12> heh
<11> god save the queen
<11> damn! that neanderthal always win
<11> bye
<13> hello, can someone help me with iptables
<8> PlutoniumDragon, the problem is solved, I don't know how but I reboot the machine and hotmail works now... thanks
<14> how could be a 'basirule' for my router (192.168.1.1 eth0) that already has an eoa-0 connection to let another (192.168.1.5) machine go out to internet?
<14> basi=basic
<0> have you set up NAT already?
<14> danieldg: yes, is active
<0> ok, you're wanting a rule for putting in FORWARD then?
<14> danieldg: i can't understand the rule. i have put a translation from 192.168.1.5 to 0.0.0.0/255.255.255.255 and don't let me put that rule #2
<0> tell me what rule you tried to add
<14> mmhh danieldg: the flavour is called: "basicrule"
<14> danieldg: is an adsl/router
<14> danieldg: with that php-style-http configuration interface
<0> oh
<14> danieldg: it says: from range:? and destination range:?
<14> and protocol:?, interface:?
<14> can i paste a captured screen somewhere?
<0> maybe, but I probably can't help much unless it actually runs iptables
<0> (runs it directly, that is)
<14> mmmh
<14> how you do an iptables rule to 'take' an already started EOA connection in 192.168.1.1 with your machine in 192.168.1.5?
<14> "do you" no "you do"
<14> how do you add an iptables rule for that?
<0> iptables -A FORWARD -s 192.168.1.5 -j ACCEPT
<14> ok
<14> I'll try that
<14> thanks
<15> Can someone help me out with a QoS question please?
<15> I have a connection I'm trying to manage which users are saying has become slow (now more users are on it)... I'm wondering if I have to shape ingress and egress or just egress (it's a dsl connection)
<10> robhu: one or the other should do the trick, I'd think.
<10> robhu: I think that egress is where people tend to do traffic shaping. your users can't download any faster than they can request data.
<15> sohmestra: OK great
<15> sohmestra: The router had a load of 6 and a cpu usage of about 50%... is that too high to also be doing the shaping? Do I need to keep cpu usage really low?
<10> robhu: hmm. I don't know, to be honest. my routers are all overpowered ;o)
<15> sohmestra: Heh... this is like a P200 or something :P
<15> sohmestra: It uses ~0% doing the shaping, but ntop chews cpu

