<0> FWIW you should be able to REJECT UDP. It would result in an "ICMP port unreachable" response from netfilter to the originating host.
<1> Woody: Yes, that is what REJECT actually does. And "port-unreachable" is the default, but you can not use it as default policy.
<1> For tcp connections you would use -j REJECT --reject-with tcp-reset
<2> hi
<2> Is it possible to delay packages for x ms using iptables?
<3> hmmm, not sure. Interesting idea, though. I think there are some targets which can have a similar effect. I've never played with them.
<2> ok :)
<4> Hi. I am trying to setup a linux box with 2 internet connections but I can't get it to work. I keep getting "Network is unreachable" when using ip route add default via. does anybody know what I could be doing wrong?
<3> omarc55: http://www.ssi.bg/~ja/#routes (requires patched kernel, patch is here)
<4> version 2.6.9-1.667smp requires this patch?
<4> that's odd since this was working before (with an old connection) now they got a new connection and it doesn't want to work.
<3> http://www.ssi.bg/~ja/#routes-2.6
<3> oh I guess it depends how you want to use it. If you only want one default gateway and the other one merely reply to connections received, you don't need the patch.
<4> yeah. what I was doing was, having both connections running. all tcp traffic would go through eth1 and all udp traffic through eth2
<4> and I can't get that to work, I am stuck on that command. and I know the device is up, I checked with ifconfig. and I can ping the gateway.
<3> Hmmm, I would think with a protocol split like that you'd have to use -t mangle -j MARK and ip rule ... fwmark.
<3> (I've never tried that.)
<4> yeah, that's what I was doing.
<4> but do you know why I could be getting that error?
<3> "ip route list ; ip rule list" might have some ideas.
<4> I have the 2 internet connections running at the same time. but now I can't split traffic, anybody know how to send udp data via eth1 for example and tcp data via eth2, all incoming eth0?
<5> maxine: multiple uplinks
<6> danieldg: i'm not following you...
<5> maxine: multiple uplink
<6> danieldg: sorry...
<5> anyway, I think that can be done directly with iproute, using multiple routing tables
<4> I am using ip route to setup just the udp table, do I need another table for the tcp?
<5> I think it can be on the main table, if that has a default route going out eth2
<5> you may have to turn of rp_filter or something
<5> s/of/off/
<4> yeah, that's how I have it. the main table has the default gateway on eth2 and an additional table for eth1 but it's not working. it does filter the packets, but if eth1 is disconnected it routes the packets properly for a few seconds then just drops.
<5> can you run a script on disconnection to correct it?
<4> what do you mean?
<5> well, on my laptop I run ifplugd so it switches the default route between the ethernet and wireless
<5> could you have it remove the rules when eth1 is disconnected?
<4> hrmm, I don't have ifplugd. what rules should I remove?
<5> my guess is the rules sending traffic to eth1 ;)
<4> well, here are the rules I am using: http://pastebin.ca/58751
<4> are those ok?
<4> for some reason... without that ip route add 66.92.214.. line I can't ping eth1 don't know if that has something to do with it
<5> what is 66.92.214.?
<4> it's the server that eth1 needs to connect to, I only need it to connect to that server but udp only.
<4> does that make sense?
<5> why not just block the other protocols except UDP from that server? or is that not what you are trying to do?
<4> well, I can't do that because that server also delivers other information (which should be routed via eth2 since it's not udp)
<4> so that's why, what I really wanted was all udp data goes through eth1 and the rest through eth2. I only added that line that specifies the remote server ip since without it, I can't ping eth1
<5> maybe because the ping packets aren't UDP?
<4> right, but then why does it work when I add that line? doesn't make sense. plus if I do ping -I eth1, it still doesn't work without that line.
<5> it doesn't work with -I because the packet is sent out, but not to the gateway
<4> ah. ok.
<4> then, let me try it without that line and just try to send udp data to it... maybe everything works without that line and I am just assuming
<4> nope, it doesn't work without that line. now it doesn't filter udp traffic at all.
<7> Is it possible to list the current NAT rules (e.g. iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE) isn't listed in 'iptables --list'
<4> chowells2: iptables -t nat --list
<5> maxine: show ruleset
<6> Please post the output of "iptables-save -c" or, if that is not available, "iptables -vnL" to a pastebin such as pastebin.ca, and tell us the resulting URL. Include the network setup if it is not immediately obvious
<5> chowells2: that or iptables -t nat -vL
<7> danieldg: ahh, thanks. It's been years since I used iptables, I feel embarrassed having to ask these questions :(
<5> well, you could try reading the manpage if that's less embarrassing :)
<5> but really no problem
<7> danieldg: I've read through the docs again, but apparently missed that
<4> danieldg: http://pastebin.ca/58754 this is what I get running those commands.
<7> hah, finally got NAT working. Wrong default gateway. Damn that took too long to debug :)
<5> omarc55: oh, I didn't ask that for you. How are you testing if it filters UDP?
<4> the remote server tells me what hosts are connected and I see the ip of eth2 instead of eth1.
<5> I'm pretty much out of ideas. #lartc on OFTC _might_ know more; that's the channel for routing stuff
<4> alright. I'll give that a try. thanks for your help.
<8> all of a sudden this iptables script is taking forever to add each port and it's slowing the network down when doing it
<9> /me pokes somegeek
<9> hmm
<9> somegeek: I might need to ask you about this non profit thing some time
<10> hi,all
<11> hi2all
<11> I have one small question about iptables...
<11> is it somehow possible to determine how much data (bytes) were sent (or forwarded) to/from ONE exact IP?
<12> good morning
<13> mogguh
<14> what's the command to reject all ports but 22, 80, 1000, 31337, 6667, 7020, 7021, 21, 25?
<15> plasmoduck => maybe !
<15> ! --dports ...
<15> or ! --sports
<15> with -m multiports
<15> something like that
<14> iptables 22, 80, 1000, 31337, 6667, 7020, 7021, 21, 25 -j ACCEPT?
<14> what do I have to type exactly
<15> You didn't say precisely what you want to do :)
<15> inbound traffic?
<15> outbound?
<14> I only want to allow those ports inbound
<14> and reject all others
<14> do I need to do iptables -P INPUT REJECT ?
<15> iptables -A INPUT -m multiport ! --dports 22,80,...,25 -j REJECT
<15> You can't set default policy to REJECT :)
<15> only ACCEPT or DROP.
<15> you can do -P INPUT DROP and -m multiport --dports 22,...,25 -j ACCEPT
<15> I think ..
<14> # iptables -A INPUT -m multiport ! --dports 22,80,1000,31337,6667,7020,7021,21,25 -j REJECT
<14> iptables v1.2.11: multiport needs `-p tcp' or `-p udp'
<14> eth0 is the internet
<15> okay then add -p tcp or -p udp before
<14> and eth1 is the ethernet
<14> where?
<15> iptables -A INPUT -p tcp -m multiport ...
<14> do I need to do
<15> do you want to manage inbound traffic related to eth0 or eth1 ?
<14> iptables -A INPUT -m multiport ! --dports 22,80,...,25 -j REJECT
<14> and you can do -P INPUT DROP and -m multiport --dports 22,...,25 -j ACCEPT
<14> eth0
<15> it depends on what you want to do with unallowed traffic
<15> reject or drop ?
<14> what's better?
<14> security wise
<15> maybe drop
<14> okay
<15> reject will send an icmp packet back to the sender
<14> so do the command again but with just drop?
<14> maybe I should flush all the rules first?
<15> I don't know if you should flush all first but if you have saved them, you can ..
<14> no
<14> okay then
<15> then ...?
<15> :)
<16> be back later
<14> I just did iptables -A INPUT -p tcp -m multiport ! --dports 22,80,1000,31337,6667,7020,7021,21,25 -j DROP
<14> is that all I need to do?
<16> it's sufficient
<14> okay
<14> thanks
<16> don't forget to test :)
<16> If your default policy is DROP you have to do -j ACCEPT without "!"
<16> If your default policy is ACCEPT then your rule above is correct
<16> If your default policy for INPUT is DROP then this rule will not accept that inbound traffic ..
<16> the rule has an effect only if the default policy is ACCEPT. :)
<14> can you test for me?
<15> plasmoduck => allowed for 6667 and 80
<14> is that all?
<14> hmm
<14> how do I undo that rule
<15> I just tested the two
<15> :)
<14> 80 isn't working
<14> try http://delta9.0xf050.org/phpsysinfo
<14> none
<15> I got it ..
<14> sick
<15> here's your server's signature :
<15> Server: Apache/2.0.54 (Debian GNU/Linux) PHP/4.3.10-16
<15> :)
<14> :)
<15> so ... 80 was allowed when i performed the test
<17> Hi. I've got a question. I've setup a box with network bridging between two interfaces. but how do I, with IPtables, deny all traffic on a certain port, between the interfaces?