<0> hello, I'm trying to set up an internal openvpn server and I'm having some issues with the iptables based firewall.
<0> I have the server running, and my pings go across the firewall to the openvpn server
<0> when I try to ping another server on the internal lan through the tunnel the packets aren't getting back.
<0> using tcpdump, I was able to determine that they are leaving my client machine, entering the vpn server, hitting the other machine on the internal lan...
<0> the internal lan is trying to send the ping back and it gets stuck at the gateway/firewall machine
<0> I keep getting this in my logs: DENY IN=eth1 OUT=eth1 SRC=[internal ip] DST=10.8.0.6
<0> this should catch it but it's not working:
<0> $IPTABLES -A FORWARD -s [internal net]/24 -d 10.8.0.0/24 -m state --state NEW -j ACCEPT
<0> but that's not matching and it's still getting blocked by the "default deny" policy.
<0> when I changed that to 'default allow' the pings went through, so I'm sure it's an iptables issue.
<0> any ideas?
<1> hey, i'm trying to set up a transparent proxy on a new box: using iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-dest 127.0.0.1:1234 just gets the packets dropped. forwarding is on; non-NATted links work fine..
<2> Perhaps you're looking for the REDIRECT target
<1> robw810: hmm, does that actually point the connection at the local box?
<2> j_M: man iptables, then /REDIRECT
<2> in short, yes
<1> robw810: i tried it and only got conn-refused, thinking it was just pointing the packet at the given port on the original target
<1> k
<1> robw810: hm, i really just get timeouts now -- and the proxy is definitely listening on the given port, 127.0.0.1
<3> What's in filter / INPUT ?
<1> rob0: -A INPUT -p icmp -j DROP
<1> rob0: same if i iptables -t filter -F
<2> What's the default policy?
<1> ACCEPT on every chain
<3> oh, is it ONLY listening on 127.0.0.1 ? I am not sure that would work.
<1> rob0: it was, but now i've set it to listen to 0.0.0.0
<3> I think REDIRECT ... ok, does it work now?
<1> nope, still just hangs :(
<3> REDIRECT gives it to the primary IP on the incoming interface, IIRC.
<1> know of any routing issues with 2.6.15?
<1> hrm
<1> oh, hmm -- there is a server running on port 80, btw
<1> it may be bound to 0.0.0.0 -- though it only needs to listen to a certain IP
<1> ugh, now that i stop apache, i get an immediate connection-refused
<2> j_M: did you add the --to-ports option on the REDIRECT?
<1> yep
<3> show your rule
<2> Double check that you have the correct interface specified
<3> that was what I was thinking too.
<1> k: -t nat -A PREROUTING -s 12.34.56.78 -d 10.0.0.5 -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8888
<3> Maybe this wasn't coming in on eth0
<3> is the source 12.34.56.78 ? and the destination 10.0.0.5 ?
<1> (eth0 is the only NIC; 12.34.56.78 is definitely the IP the request is coming from; 10.0.0.5 is the intended target)
<3> from 12.34.56.78 do "telnet 10.0.0.5 80"
<1> ah, i see that when i stopped apache, as i was using `nc', it appeared as if it were hanging, although it wasn't -- the requests are now beginning to show up in the proxy's log
<1> don't know why apache affects that...
<2> (nor have I ever set one up) -- perhaps I should
<2> That may be a project for the summer at school
<3> You'd find it a 1-2 hour project of RTFM, if that.
<1> ugh, now tinyproxy is freaking out -- "waiting servers (539634209) exceeds MaxSpareServers (20). Killing child." crazy.
<2> hehe...
<3> I'll bet your IT staff couldn't do it tho. :)
<2> haha
<1> heh
<2> Well, I may set up a test one, and if it works well, propose to bring it on line for the campus - they're always trying to conserve bandwidth, so...
<3> Mine are all squid or DansGuardian+squid ... oh and I think I set up DNS and NTP proxying too.
<2> They ought to put one up at the district level, really
<3> I'm surprised a school district wouldn't have a proxy already. Probably an expensive one which doesn't work well. :)
<2> rob0: there's one at the state level; has some content filtering built in
<4> has anyone come across this error in firewalls "dst cache overflow"
<5> hello?
<5> ah ok just checking something
<6> hi
<6> i've got a strange issue
<6> http://pastebin.com/574693 < why are those packets only present in INPUT and not in PREROUTING?
<7> mkay: what iptables modules have you got loaded, if any ?
<7> brb
<7> mkay: you about ?
<6> hard__ware: wait a minute
<6> hard__ware: http://pastebin.com/574741
<7> well that certainly is enough
<7> hmmm ...
<6> hmm - i've got it in nat, if i'm connecting from outside that box. i don't get it when connecting from localhost
<6> is that normal?
<6> hard__ware: PS: i've got it in mangle
<7> oh , lol
<7> you wont from localhost
<7> thats what -t nat output is for ....
<7> s/output/OUTPUT
<7> iptables -t nat -I OUTPUT 1 -d 127.0.0.1 -p tcp --dport 22222 -j REDIRECT --to 22
<7> nc 127.0.0.1 22222
<6> hmm - that'd explain my problem a bit;>
<7> =)
<6> i've got one more problem if you've got a minute
<7> ja
<6> http://pastebin.com/574762 < here's my iptables config from a different server. i don't have access to ftp with it (even from localhost). everything works if i change the INPUT policy to ACCEPT
<6> and i've got LOCALFTP lines in the logs..
<6> hmm
<6> but only with proto=UDP
<7> UDP ... for FTP, thats odd
<7> you using tftp or something =P
<6> well nope.. i've added it for tests...
<7> anyways, don't make me sift through all your rules plz, i can point you in the right direction, but i don't have the time right now to look at it
<7> how long have you been using iptables ?
<8> Is there a module that will let me filter by application? Like: allow outgoing for squid and socks...
<9> you can filter by uid, so just run squid on its own uid
<8> danieldg: Ah, that sounds cool.
<10> re
<6> http://pastebin.com/574762 < with this fw i had no access to ftp (even from localhost). it started to work when i added "iptables -A INPUT -s <my_ip> -j ACCEPT". could anyone explain to me why?
<6> i've even tried "tcpdump srd host <my_ip> and dst host <my_ip>" (which doesn't make any sense to me) and tried to connect to ftp, but no packets mached...
<6> s/srd/src
<6> s/mached/matched
<6> ;>
<9> mkay: did you tcpdump on the loopback interface?
<9> also, do you have ip_conntrack_ftp loaded?
<6> hmm - actually not on lo, but i had a -s 127.0.0.1 -j ACCEPT rule earlier and that didn't work, so it looks to me like it needs some packets via eth
<9> try changing -s 127.0.0.1 to -i lo
<6> danieldg: if ip_nat_ftp depends on ip_conntrack_ftp, then yes, if not i'm not sure
<6> but it shouldn't be needed for a connection from localhost or lan, should it?
<6> ok, trying
<9> I think ip_nat_ftp depends on ip_conntrack_ftp, check and make sure
<11> do you have a rule to allow -m state --state ESTABLISHED,RELATED ?
<6> danieldg: yep - i had ip_conntrack_ftp (ip_nat_ftp depends on it)
<6> danieldg: the trick with changing 127.0.0.1 into lo works
<6> but hmm
<6> i don't understand why it's needed;/
<6> trappist: yep - line 33
<9> traffic to your own IP goes over lo
<6> danieldg: but why does ftp (proftpd to be exact) want to connect to itself? and why wasn't the rule from line 40 enough?
<9> where are you testing this from?
<6> danieldg: in the company i work for. i've tried both - from localhost and from other computers in the LAN without success;/
<11> mkay: you pretty much always want to allow all traffic on the lo device. all kinds of stuff breaks inexplicably if you don't.
<6> i think i know what the problem was
<6> i'm using authentication with mysql and i'm accessing mysqld (running on the same server) by IP, not 127.0.0.1
<11> hah.
<6> the one thing i hadn't thought about is that i'm connecting to the "real" ip via lo, so tcpdump didn't show any additional packets while listening on eth and i lost quite a lot of time on it;] well - i'll be smarter in future;> thanks for the hints