<0> syntax to forward a port to a different IP?
<1> SkramX: second URL in topic has details
<1> basically, you DNAT it and SNAT it
<0> do i need anything other than iptables for dnat/snat?
<1> set /proc/sys/net/ipv4/ip_forward to 1
<1> and don't block stuff in FORWARD
<0> hercules masilverberg # cat /proc/sys/net/ipv4/ip_forward
<0> 1
<0> Okay..
<2> SkramX: hey doode =)
<0> hey.
<0> arg, im updating E17
<2> E17 ?
<2> SkramX: you tired http://hwfirewall.sf.net yet ?
<0> no.
<2> lol tired .... tried =P
<0> why hwfirewall?
<0> it's software!
<2> it's an IPTables script, that allows you to easily set up port forwarding ... etc etc
<0> does it need its own server, or what?
<2> nope
<2> it can run on any PC
<0> meh
<2> on any Linux Distro
<0> i dont have anywhere to test it
<2> awww well =) was just trying to help =)
<2> no need to test ,,, it works out of the box =)
<0> can it take rules right from iptables?
<0> does it use iptables already set rules?
<0> BRB
<0> lets talk more later?
<2> SkramX: yes it can
<2> you can add them to the user config it creates in /etc/hwfw
<2> anyways .... yeah mate i have to go , i have a huge Yard to Mow + Grocery Shopping + Washing ...
<2> Yay
<0> welp
<2> welp ???
<3> winhelp
<3> =)
<4> (sigh) If you want to know how bad Microsoft can be... I found a bug in Vista yesterday... A bug that I reported while working there about 7-8 years ago...
<0> ANY RRDTOOL people around :(
<5> are there any iptables howtos for noobs like myself
<1> URL in topic
<5> which? ;) i
<1> first
<5> thanks
<6> yo
<6> i have set up a tunnel device (tun0) and it shows up in ifconfig and /proc/net/dev, it's currently UP. yet when i do "ip route add default dev tun0" i get "RTNETLINK answers: No such device", any ideas?
<7> is this openvpn?
<6> no, this is a gre tunnel
<7> tun != GRE
<6> that's just what i called it
<6> i can make it squiggles01
<7> ah
<6> got it. you need to clear the ip field with a "ifconfig tun0 0.0.0.0"
<7> It's misleading, BTW, to name a GRE tunnel "tun0", because that's what the tun driver uses for names.
<6> fair enough, i can change it later if i need to anyway
<8> hello guys
<8> is someone successfully using connlimit with 2.6.15.4?
<8> I took the 2.6.14 connlimit patches and hand applied it on 2.6.15.4
<8> it seems OK (compiled with no warnings), but am getting "invalid argument" for the man example
<8> also, I'm not getting anything useful from google :(
<8> iptables-1.3.3
<8> is patch-o-matic-ng cvs/svn down?
<1> works for me
<9> ditto
<8> what's the correct address then?
<8> cvs.netfilter.org is down from here :(
<1> https://svn.netfilter.org/netfilter/
<1> there is no cvs
<8> guessing svn.netfilter.org seems down too
<8> I'll try yours
<8> that one works, thanks
<9> i do believe its the only one
<8> I'm trying to download the svn tree, but no success at all :|
<8> at least doing what the docs say, no success.
<1> svn co https://svn.netfilter.org/netfilter/trunk/
<8> that works! thanks, danieldg
<1> yw
<8> it would be a lot easier if that was at http://www.netfilter.org/projects/patch-o-matic/index.html
<1> email the netfilter.org webmaster
<8> in a moment
<8> I want to get connlimit working asap
<8> mailed
<8> oh boy :(
<8> iptables: Unknown error 4294967295
<1> what command?
<8> iptables -v -A do_accept_ssh -p tcp -m connlimit --connlimit-above 2 -j REJECT --reject-with tcp-reset
<1> did ipt_connlimit module load?
<8> I'll check with strace
<1> yeah, that'll give you the actual error too
<8> open("/usr/lib/iptables/libipt_connlimit.so", O_RDONLY) = 3
<8> setsockopt(3, SOL_IP, 0x40 /* IP_??? */, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0
<8> \0\0\0"..., 5172) = -1 EINVAL (Invalid argument)
<1> does lsmod|grep connlimit show anything?
<8> I don't use modules
<1> oh
<8> (kernel modules)
<8> it's all built-in
<8> (netfilter stuff)
<8> from dmesg:
<8> ipt_connlimit: init v2.2 gctimeout=10....
<1> you could see if #netfilter has any ideas (that's the dev channel) or file a bug report
<8> I'll try that, thanks
<8> first I'll check if patch-o-matic has a patch matching my kernel
<8> the only one I found before knowing the correct svn link is for 2.6.14
<8> applied somewhat cleanly, but...
<8> damn. connlimit on patch-o-matic seems to be older than the one I have
<8> is there any alternative way to limit parallel connections from a client?
<8> I think hashlimit isn't appropriate for this
<1> maybe using -m recent, but that's not really what it's for
<8> but I believe that with recent I may block myself out
<8> it seems that I'll be only able to use -m limit :/
<7> Why not modules?
<8> what do you mean, rob0?
<7> Why did you build that in and not stick with modules?
<8> connlimit isn't distributed in the mainline kernel
<7> Is this for an embedded system?
<8> no
<8> I just prefer not to use modules
<7> why?
<8> extra overhead for something that I'll be always using
<7> Rebooting is overhead too. rmmod $X ; modprobe $X is a lot faster.
<8> kernel modules incur some overhead (some claim that it is around 10-20%)
<7> And recompiling the whole kernel whenever you want to change something minor ...
<7> do you have proof of that? I'd be interested to see it.
<8> I'll reboot until it gets "nice", then no reboot :)
<8> not at the moment (proofs)
<8> full reboot takes less than 1 minute here, thus it's negligible
<10> MI
<11> I have a problem setting up a nat, my setup is the following: eth0(lan1) eth1(lan2) eth2(lan3) in lan1 is a router and lan2 and lan3 should only be able to use this router for internet
<11> can anyone help me defining the rules for this setup?
<12> hi guys
<12> if i have ip_gre loaded, and i've got stateful matching set up for established/related, as well as a general masquerade rule for internal nat, should i be able to make outgoing vpn connections?
<10> yes
<12> is there any reason why i might not be able to?
<10> i dont know
<13> if I set policy to DROP on both INPUT & OUTPUT, do I need two --state ESTABLISHED,RELATED statements on input & output chains ?
<14> is this ok "iptables -A INPUT -m state --state NEW -p tcp --dport 25 -d 192.168.1.202 -j LOG"
<14> ?
<7> kimo__, I don't recommend OUTPUT DROP policies. I figure if you have to ask how to make it work, you don't need it. :)
<7> ough: What do you mean, "ok"? It's okay with me. :) But what are you wanting to do?
<14> sorry, it is that only the kernel-space modules were loaded
<14> rob0: im on an embedded arch
<14> little space ..
<14> or something like that ...
<13> rob0: is there any insecurity to setting OUTPUT traffic to accept?
<7> If an attacker is already "in" such that s/he's generating OUTPUT traffic, OUTPUT restrictions might slow the attacker down, but not for long.
<15> kimo__: very little, if any - there's a marginal advantage to it, but then, for the most part, if your box is cracked and the attacker has root access, not really
<16> good evening
<3> trappist: Ping?
IRC log from #iptables