<0> hi! is there a way to specify hostnames instead of IPs, in order to build rules for iptables?
<1> In most cases, sure! What did you try?
<0> rob0, didn't try yet... all the docs i read spoke about ips and not names. going to try, now :)
<1> The one place it won't work is in --to* options, those need IP addresses.
<1> Sometimes I do --to `dig +short name.fqdn`, but that's only safe if you know name.fqdn resolves to a single address.
<1> And offer is void where taxed, prohibited by law, or if BIND isn't installed. :)
<0> rob0, can I use wildcards?
<1> Give an example of what you want to do. Maybe, maybe not.
<0> i want to drop any packet to and from any subdomain of statcounter.com
<1> ah, no, that won't work. You have to know what netblocks they are using.
<1> How much do you know about DNS?
<0> little. only that it is a system to give numbers a name :))
<1> Ok. There's "forward" DNS which looks up the IP address for a name, and "reverse" DNS which ... does the reverse of that.
<0> i was wondering if there were a more beautiful way of doing that than putting 127.0.0.1 www.statcounter.com in /etc/hosts ....
<1> Nope, that's probably your best bet.
<1> If you're running BIND you could serve the statcounter.com zone with a wildcard record.
<1> I do something similar to that at some sites. We blackhole known spyware domains that way.
<0> rob0: too complicated for my purposes. it should be a simple way to filter traffic to some useless services. the /etc/hosts solution has the problem that browsers can lose some time trying the connection to localhost.
<2> if you firewall it, they lose time connecting to nowhere
<0> danieldg: if they immediately receive something like a "not found", they will not have to wait. i ask that because some web pages will lose much time waiting for stupid services, such as statcounter or google-analytics...
<2> try mapping them to 0.0.0.0 instead of 127.0.0.1
<0> ok
<0> but, what does 0.0.0.0 stand for? just a non-existent IP like 300.0.0.0?
<2> not like 300.0.0.0, it's still valid, but it is a nonexistent host
<3> hi
<3> i have a masq client
<3> i want to block an ip for it from the masq gateway
<3> which command do i need?
<3> ?
<4> hello
<4> any reason for this? iptables-restore v1.2.11: iptables-restore: unable to initializetable 'nat'
<2> try iptables -t nat -L
<2> and what kernel version?
<4> 2.6.16-git10
<2> using nf_conntrack, or ip_conntrack?
<4> iptables v1.2.11: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
<4> Perhaps iptables or your kernel needs to be upgraded.
<4> danieldg, how do i know that?
<4> let me check
<2> (unrelated question) do you have the ip_tables module?
<4> let me see
<4> no "ip_tables" mod
<2> looks like you didn't configure iptables in your kernel
<4> however i just did "make oldconfig" from my previous _working_ 2.6.15-git6
<4> it was configured
<2> check make menuconfig
<4> i think i have lost that option with "make oldconfig"
<2> they changed a bunch of stuff
<4> ok
<4> i will not trust make oldconfig anymore
<2> well, I think it should have worked. btw, why are you using the -git version?
<4> i needed the last changes in v4l stuff
<5> oldconfig worked fine for me from 2.6.15.6 to 2.6.16
<4> rob0, mine is 2.6.16-git10
<5> Well, ymmv :-)
<4> CONFIG_IP_NF_CONNTRACK=m
<4> there it is
<2> ok, NAT does not work with NF_CONNTRACK
<2> (yet)
<4> -CONFIG_IP_NF_IPTABLES=m
<2> oh, i misread
<4> for some reason it was removed by make oldconfig without asking me for anything
<2> IP_NF_CONNTRACK is correct
<2> CONFIG_NF_CONNTRACK is the new one
<2> sorry
<2> why not use make menuconfig?
<4> i usually have no time to configure everything from scratch each time
<2> menuconfig will use your old config file...
<4> it would still require me to check for changed options etc..
<2> I use oldconfig first, then menuconfig
<2> only if I want to edit something
<4> ok. i'll do menuconfig to see what's the real problem with nat now
<4> ok. the only problem is that ip_conntrack is not loaded automatically if compiled as a module
<4> i'll have to update my udev conf
<2> why not load it in /etc/modules?
<4> fc3 does not have it
<4> incredible, isn't it?
<4> modprobe.conf does not exist either
<2> strange
<4> i miswrote. modprobe.conf does exist, but there is no file containing modules you always want to load at boot
<5> l_r: that's distro-dependent iirc; slackware uses /etc/rc.d/rc.modules
<4> yeah.. i still have to find what's the one in fc3
<4> :)
<4> brb
<4> ok. guys. there must be a bug in .16-git10. ip_conntrack is built in the kernel statically but iptables-restore can't see the nat table
<4> iptables-restore v1.2.11: iptables-restore: unable to initializetable 'nat'
<4> probably my iptables tools are too old
<4> let me see
<2> try 1.3.5, and try modprobing iptable_nat
<4> oh... i see now
<4> the prob is that xtables was not selected
<4> i just noticed the big changes
<5> :-)
<4> ok let's reboot
<1> Let's not, and say we did.
<6> hi, I get logs in messages like IN=eth0 OUT= MAC=10:00:00:00:00:00:00:10:4b:07:15:90:08:00 SRC=81.246.233.40 DST=192.168.0.63 LEN=56 TOS=0x00 PREC=0x00 TTL=106 ID=39597 DF PROTO=TCP SPT=6881 DPT=39172 WINDOW=30672 RES=0x00 ACK PSH URGP=0
<6> i'm using bit-torrent, but why is something from another computer trying to access 39172 on my computer?
<6> i have opened up ports 6881 tcp and udp
<7> how to know how many mbytes the users have downloaded/uploaded using iptables?
<8> I am running a combination of iptables and iproute2 to manage five interfaces in a machine. Three of them are to the internet/isps and two are for local nets. I port forward incoming from the net packets based on ports to the appropriate machines I wish to handle the packets. It seems to work just fine from the internet but when I try to connect to one of the external ip addresses from inside the local net I get connection refused. I can pi
<9> anybody awake?
<8> maybe a little.
<9> baffled: cool, want to explain how a snippet from slackfire firewall works?
<9> baffled: i can pastebin if you wish
<9> only 5 lines
<8> I would if I could but I'm not familiar with slackfire. You can show us though.
<8> I'm not familiar with pastebin either.
<9> http://en.pastebin.ca/47035
<8> What do you get when you run that? it looks like it is defining some user chain which isn't part of the snip.
<9> iptables runs without errors, appears to work but want to test it, learn how it works
<8> Well, that variable must be defined somewhere but I can't help unfortunately.
<9> ok
<10> Hi I have tried to apply a quota patch to my 2.6.15 kernel and I get this error:
<10> unable to find ladd slot in src /tmp/pom-6399/net/ipv4/netfilter/Makefile (./patchlets/quota/linux-2.6/./net/ipv4/netfilter/Makefile.ladd)
<10> anyone got any ideas, I used patch-o-matic
<9> xDamox: do those files exist on your box?
<10> the quota patch?
<10> I thought it comes with patch-o-matic
<9> anyone want to explain how a snippet from slackfire firewall works? only 7 lines long
<9> http://en.pastebin.ca/47035
<2> gnubien: looks like this accepts 10 SYNs per second and logs the rest
<2> (only logging if "$LOG_SYNFLOOD" = "1")
<10> Has anyone successfully installed the time extension?
<9> danieldg: thanks, thought so, curious part is there is no variable named LOG_SYNFLOOD anywhere in the firewall, docs, or configs
<2> gnubien: ok, guess it only logs for debugging and someone forgot to document it
<9> danieldg: any idea where i can view the debugging logs?
<2> gnubien: you mean if you have it turned on? dmesg
<9> danieldg: so if iptables firewall creates any error or warning it posts to syslog or dmesg?
<2> yes
<9> danieldg: thanks, any way to have iptables log only 2 occurrences and then not log after that?
<2> xDamox: there were a lot of changes in the kernel structure of iptables in 2.6.14-2.6.16, that might have been when it was moved
<2> gnubien: yes, use limit on the log rule - $FLOOD_LOG_RATE looks like it does that
<10> ok
<9> danieldg: ok, thanks again
<2> xDamox: I think you can edit the pom/patchlets/quota/linux-2.6/net/ipv4/netfilter/Makefile.ladd and make it work
<10> ok cheers
<2> try changing LIMIT to HASHLIMIT
<10> danieldg, in the Makefile.ladd I have:
<10> obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
<10> obj-$(CONFIG_IP_NF_MATCH_CONNLIMIT) += ipt_connlimit.o
<2> in quota's Makefile?
<10> this one is for the connlimit as that file didn't work either
<2> ah. ok, change STATE to HASHLIMIT
<10> ok
<2> (HASHLIMIT just being the first entry in the "matches" section of /usr/src/linux/net/ipv4/netfilter/Makefile)
<10> I'll let you know if it works
<10> Same error :(