<0> hello all
<0> I'm having some problems getting all but ssh traffic accepted
<0> I have this in a server configuration:
<0> iptables -A INPUT -p tcp -s 192.168.1.0/24 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
<0> yet, from a connection from a client in the local network I get:
<0> ssh_exchange_identification: Connection closed by remote host
<0> any ideas on what I'm doing wrong?
<0> all output traffic isn't being filtered
<1> fantastic, iptables channel
<1> hi all, is there a default location/config-file for iptables rules under debian?
<1> i can't seem to find anything useful and the docs look out of date
<1> i mean online howtos
<1> rather than docs
<2> InfraRed you can look at netfilter.org
<2> InfraRed there you can find lots of useful information
<1> cool
<3> InfraRed: see the first url in /topic
<1> excellent
<1> that's enough for me to start from
<1> thanks :)
<3> yw
<4> i'm trying to write some ingress rules
<4> i wanna block 10.x 172.16.x 192.168.x networks
<4> anyone know how to write those in cidr notation?
<3> 10.0.0.0/8 172.16.0.0/16 192.168.0.0/16
<4> thank you
<3> See http://slackwiki.org/index.php/Binary_Numbers for an explanation of binary numbers
<4> thanks even more ;-)
<3> the CIDR /# notation defines how many bits "matter"
<4> is it possible to jump 2 things at once?
<4> without having created an alias
<4> found answer
<5> hi
<6> hi
<5> I have a rather simple question
<5> how can I map a reverse connection when I do masquerading?
<5> I mean, if I host something behind the router
<5> how can I tell it to forward the incoming connect at server
<5> ?
<5> s/connect/connections
<7> maxine: forward port
<8> forward port is iptables -t nat -A PREROUTING -p tcp --dport $port -j DNAT --to-destination $destip; see http://iptables-tutorial.frozentux.net/chunkyhtml/x4013.html for more info
<7> sque: that should do it, if you aren't blocking it in FORWARD
<5> ty :)
<5> I have a problem with connection tracking, I have been looking into it for a few weeks now
<5> There is a thread describing everything:
<5> http://forums.gentoo.org/viewtopic-t-466374.html
<7> you'd want to use REDIRECT instead of DNAT if the webpage is on your firewall. Otherwise, what's the problem?
<9> How is that thread related to connection tracking?
<9> The reply was basically on track. I do think someone has written SQL patches for dhcpd, however.
<5> OMG
<5> I AM AN IDIOT
<5> wrong link
<5> http://forums.gentoo.org/viewtopic-t-463726.html
<5> sry sry
<5> this one is the right one
<9> conntrack has to be protocol-neutral, which is why a TCP SYN is not required for --state NEW.
<5> very well
<5> but if I send an ACK packet at a random target
<5> then, the conntrack creates a new connection flagged as ESTABLISHED that will time out in 5 days
<9> Yeah, that part I could not explain.
<7> try changing /proc/sys/net/ipv4/ip__conntrack_tcp_be_liberal to 0
<7> one underscore there ^^
<5> what's that?
<7> that will make conntrack _not_ track connections that it hasn't seen the first packet on
<7> is that the right name? I was guessing since it changed in 2.6.16 if you have a certain option enabled
<5> there is no such file
<7> ok, try /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
<7> or /proc/sys/net/netfilter/ip_conntrack_tcp_be_liberal
<7> maxine: ip_conntrack_tcp_be_liberal
<8> danieldg: excuse me?
<5> ok it's /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal
<5> I'll try it in 10 minutes
<5> I have removed the router from the network
<5> :p
<7> maxine: ip_conntrack_tcp_be_liberal is the number of packets which must be sent (in both directions) before a connection is accepted, when conntrack has not seen the first packet. Recommend setting this to zero after a router is up and all connections have received traffic.
<8> OK, danieldg.
<7> maxine: no, ip_conntrack_tcp_be_liberal is /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal or /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal; it is the number of packets which must be sent (in both directions) before a connection is accepted, when conntrack has not seen the first packet. Recommend setting this to zero after a router is up and all connections have received traffic.
<8> ...but ip_conntrack_tcp_be_liberal is the number of packets which must be sent (in both directions) before a connection is accepted, when conntrack has not seen the first packet. Recommend setting this to zero after a router is up and all connections have received traffic....
<7> maxine: forget ip_conntrack_tcp_be_liberal
<8> danieldg: I forgot ip_conntrack_tcp_be_liberal
<5> lol
<7> maxine: ip_conntrack_tcp_be_liberal is /proc/sys/net/ipv4/netfilter/ip_conntrack_tcp_be_liberal or /proc/sys/net/netfilter/nf_conntrack_tcp_be_liberal; it is the number of packets which must be sent (in both directions) before a connection is accepted, when conntrack has not seen the first packet. Recommend setting this to zero after a router is up and all connections have received traffic.
<8> OK, danieldg.
<9> there?
<8> there are files in /etc/sysconfig/network usually.
<7> here?
<8> here is, like, the code
<9> :)
<2> hello, anyone who could successfully give transparent proxy (iptables + squid) access to multiple networks (example 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24 and so on..)
<9> felipe_: what is the problem?
<8> the problem is, like, I'm not getting traffic coming back from the machine on the inside of the network
<2> i have the following topology
<2> http://people.nl.linux.org/~felipe/diagrama-red-idsn-laboratorios.PNG
<2> i have two networks connected via cisco routers, on the 192.168.0.0 network the gateway 192.168.0.1 is also acting as NAT, the other network is 192.168.20/24 (each network can "ping" the other one, for example, from 192.168.0.100 to 192.168.20.4 and vice versa)
<5> the problem is you are idiot
<5> maxine, the problem is you are idiot
<8> ...but problem is you are idiot...
<5> lol
<5> that bot rocks!
<5> maxine, what are you?
<8> i heard i was the bot? or a pocket calculator
<9> She's a cute idiot, that is true.
<2> the problem is the 192.168.20.0/24 network can't go through the transparent proxy, with squid,
<9> felipe_: I bet the "having NAT issues?" link in /topic will help.
<2> i've read it already
<2> but it doesn't help me :(
<2> the nat machine (192.168.0.1) already has the rules to MASQUERADE the traffic for both networks
<2> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o eth0 -j MASQUERADE
<2> and
<7> it just needs a REDIRECT rule then? or is it not running the proxy?
<2> iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -o eth0 -j MASQUERADE
<2> the 192.168.0.0/24 can go perfectly through the transparent proxy
<2> but the 192.168.20.0/24 no...
<2> first i need just MASQUERADING for the 192.168.20.0/24 network
<6> felipe, did it work for you?
<6> i'm only just reading you now
<6> hello hello???
<5> iptables order?
<5> maxine, iptables?
<8> iptables is, like, a generic table structure for the definition of rulesets. Each rule within a chain consists of a number of classifiers (iptables matches) and one optional connected action (iptables target)
<5> maxine, iptables order?
<8> sque: wish i knew
<7> maxine: rule order
<8> hmmm... rule order is important, because rules are evaluated in order until one matches. iptables -I can be used to insert the rule at the start of a chain; iptables -A puts it at the end
<5> :)
<5> the 1st rule that agrees from top to bottom?
<5> that's the order?
<7> yep
<5> ty
<7> maxine: iptables order is rule order
<8> OK, danieldg.
<2> hello know
<5> iptables order?
<8> iptables order is rule order
<5> aha
<10> hello! short question: what mark does a packet have if i don't mark it explicitly?
<10> and how can i see the packet markers (tcpdump does not show them, or i can't make it show them)
<11> .. no mark? :p
<10> or mark = 0?
<11> dunno
<12> #mp3
<12> oops
<12> sorry
<13> packets don't seem to traverse on port 3000, how do I best debug?
<14> hello
<15> hard__ware: dude?!
<15> !seen hard__ware
<16> Sarah-Away => hi :)
<17> hello
<17> anyone here who speaks Spanish?