<0> Thanatermesis: yes and no :)
<0> Consider this: try "dig www.nasa.gov". Then try it again in 5 minutes or whatever the TTL is. Different IPs.
<1> :/
<0> www.nasa.gov.speedera.net. 120 IN A 63.216.25.145
<0> 2 minute TTL
<0> When you use a hostname in an iptables command, you get whatever it resolves to then and there.
<0> For many sites, that might be good enough. But big Web sites might do the Speedera DNS trick for load balancing.
<2> so what's the deal with the local table?
<2> is there an irc channel for iproute2?
<3> #lartc on OFTC
<2> what's OFTC?
<3> another IRC network
<4> OFTC
<2> that channel seems pretty dead
<2> this is crazy... why can't I do DNAT to 127.0.0.1?
<0> chrooted: -j REDIRECT
<2> REDIRECT doesn't work either
<2> it seems like REDIRECT and DNAT will only work if they are on the same subnet as the source address
<4> what are you trying to do?
<2> 17:10 < chrooted> what I'm trying to do is: have a firewall for a computer where the firewall doesn't have its own dedicated IP address, but if a packet is going to a certain port, ie 22 or 443, redirect it to the firewall instead of routing it to the box
<2> 17:11 < chrooted> so far I've tried the iptables targets: SNAT, DNAT, REDIRECT, and MARK using ip rule and custom ip route table
<4> so it's just a firewall in your LAN?
<4> should it be reachable on that ip?
<4> the ports
<2> yeah it's using proxy_arp
<2> come on man, tell me it's possible
<4> i don't know your situation of machines
<2> ok let's say my machine is 192.168.8.123 and the other machine I connect to is 192.168.8.16 and the firewall is in between without its own address
<2> so when I type in http://192.168.8.16/ into my browser, it should go to the other machine, but if I use https://192.168.8.16, it should go to the firewall
<2> need any more info?
<4> so your firewall is running a https server?
<2> yeah
<4> then you need to use PREROUTING
<4> it NATs the packet before a lookup is done in your routing table
<2> oh ****
<4> http://www.siliconvalleyccie.com/linux-hn/iptables-intro.htm
<2> oh **** I think I might have gotten it to work
<2> linux routing is soo weird
<4> why?
<2> I got DNAT and REDIRECT to work by setting it to 169.254.1.1 instead of 127.0.0.1
<2> it totally doesn't make any sense but oh well at least I think it's working how I want
<2> I guess it's probably better this way anyways cause then I can connect to the firewall with an apipa address
<2> as well as the redirect
<2> anyone happen to have a subnet calculator in bourne shell script?
<5> hi folx
<6> hi
<7> moien
<8> I have an iptables firewall/router with NAT, how do I configure it so that machines on the local network can correctly request one of the translated (public) IPs?
<3> so you have multiple public IPs; what do you mean by requesting one of them? All connections to that public IP would go to the internal IP?
<8> I have a few public IPs, but the main issue is that I have NAT port translation (eg: an external request for http//87.1.21.67:80/ gets directed to http//192.168.0.1:8080/, and I want the same thing to happen when I request it from a local machine)
<3> see the second URL in the topic; you need to do SNAT for internal->internal connections
<3> (it has an example)
<9> hi all
<9> what should make DCC file transfer work in MASQ/NAT mode?
<3> modprobe ip_nat_irc
<9> I did
<9> but I still get failed
<9> when I accept
<3> hmm... not sure then
<0> You didn't need that file anyway. ;) :)
<8> danieldg: I tried that, but it still doesn't work; when I do a "curl -v http//87.1.21.67/" I get "Trying 87.1.21.67... Connexion refused"
<9> rob0, no I did want it
<3> maxine: show ruleset
<10> Please post the output of "iptables-save -c" or, if that is not available, "iptables -vnL" to a pastebin such as pastebin.ca, and tell us the resulting URL. Include the network setup if it is not immediately obvious
<3> retro_neo: can you paste that?
<8> danieldg: http://pastebin.ca/57612
<3> retro_neo: no, the ruleset
<8> danieldg: here's the postrouting section: http://pastebin.ca/57616
<8> 192.168.0.1 is the router and 192.168.0.11 the HTTP server
<3> retro_neo: I need the PREROUTING section too
<8> http://pastebin.ca/57620
<3> ah. Add another rule in PREROUTING with -d 87.1.21.67 instead of -i eth0
<3> or, just remove the -i eth0 (missed the -d since the IP was changed)
<8> danieldg: now I get "Trying 87.1.21.67..." and nothing happens
<8> I now have: http://pastebin.ca/57635
<3> ok, I'd look at a packet dump on the firewall to see what's happening
<3> you'll also have to make sure it's not blocked in FORWARD
<8> danieldg: http://pastebin.ca/57639
<3> I have no idea where that came from, and since you're changing the IPs I can't tell from that either
<3> it's an ACK/FIN anyway, so not a new connection
<8> danieldg: can I PM you?
<3> sure
<11> hi
<11> i have big difficulty getting eth0 to forward to eth1
<11> can anyone help?
<12> hi
<13> hello
<13> can anyone help me with a question on how to filter http traffic
<3> set up a transparent proxy
<13> well i tried
<13> iptables -a input -i eth0 -p http ! 0.0.0.0 -j reject
<13> but that didn't seem to work
<13> anything wrong with it
<3> besides being in lowercase?
<13> i should say that the not ip address is something different
<3> -p does not mean port
<3> maxine: block port
<10> block port is iptables -A INPUT -p tcp --dport $port -j REJECT; use FORWARD if it's for machines behind the firewall
<13> sorry i thought if it was http traffic then i would put http there
<13> -p means protocol
<13> so -p http
<3> well, it means IP protocol
<13> true
<3> so TCP/UDP/ICMP/etc
<13> so if i'm filtering http traffic what should i use?
<3> look at tcp port 80
<13> i know basic tcp stuff but not sure on this
<3> (port 80 == www)
<13> ptables -a input -i eth0 -p http --dport 80 ! 0.0.0.0 -j reject
<13> but i still don't have the -p right if i have http there
<3> -p tcp
<13> it should just be tcp i take it?
<3> HTTP is only on TCP
<13> well -p tcp
<13> true
<13> duh not being very clever today
<13> am i
<13> sorry
<13> can you clarify the filter command
<13> do i really need to have it if it's just a local machine
<3> no, you don't need that rule
<3> you'd want to add REDIRECT on OUTPUT
<3> maxine: REDIRECT
<10> REDIRECT is probably a target for sending packets to localhost, useful for implementing a transparent proxy. The original destination address can be obtained by using the SO_GETORIGDST socket option on the REDIRECTed socket - use this instead of reading the Host: header
<13> hmm need to study that one
<3> or look in the iptables manpage for REDIRECT
<13> i'm just starting out with iptables and it's a more complex subject than i imagined
<3> maxine: packet flow
<10> well, packet flow is http://xkr47.outerspace.dyndns.org/netfilter/packet_flow/packet_flow9.png or for the link layer, http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png
<3> that's an overview of how packets go through iptables
<13> if I wanted to allow ssh traffic from anywhere and on any device
<13> iptables -t filter -A INPUT -i eth0 -p tcp --dport ssh -j ACCEPT
<13> is that correct
<3> yes
<3> (btw, the -t filter is the default, and so it's optional)
<13> ahh cool wasn't sure of that so thanks for answering that one
<13> with my previous question of allowing http traffic from anywhere that does not come from 146.176.166.1 can i do this with one line
<13> or do i need more than one line
<3> as long as you only want to exclude one IP, just add -s ! thatip
<13> -s source
<13> yeah cool
<3> or, add -s thatip and -j REJECT
<3> that scales a bit better :)
<13> yeah if i used drop
<13> it would halt and not go to another rule after that
<3> right
<13> that is the impression i was given
<3> maxine: rule order
<10> i heard rule order was important, because rules are evaluated in order until one matches. iptables -I can be used to insert the rule at the start of a chain; iptables -A puts it at the end
<13> bit like basic
<13> if you're not careful you can cause branches or halts you don't want