Comments:
<0> if a packet matches a rule with target -j LOG, will the packet still traverse the chain to be processed for reject, accept, drop or whatever?
<1> Yes. LOG is a non-terminating target.
<0> thanks
<2> Hello. I am trying to redirect all traffic with src XX port YY to destination ZZ port YY. XX is an IP on my server. ZZ is an IP on another server. Is this possible with iptables?
<2> XX is the destination IP, which is my server
<2> 40$ paypal to whoever can help me get this going
<1> Well, the short answer is "yes".
<2> ai2097, can you help me get the syntax right? I'll pay you
<1> The long answer is, it's not something I personally ever do. What you've described is called "port forwarding"
<2> yes, port forwarding but to another host
<3> is the traffic generated by the machine running the firewall?
<2> traffic comes in from the net, hits my server A, I want to redirect it to my server B
<3> you'd have to basically proxy it at the IP level. It's explained in the second URL in the topic
<2> ok, I'll check it out. thx dude
<2> sometimes I can't bribe people to do my work for me
<1> Try "iptables -t nat -A PREROUTING --proto tcp --sport YY --source XX -j DNAT --to-destination ZZ:YY"
<2> ok
<1> Actually, no; that should be
<4> rickhax, pastebin exactly what you want to do, including IP addresses and routing information.
<1> Try "iptables -t nat -A PREROUTING --proto tcp --dport YY --dest XX -j DNAT --to-destination ZZ:YY"
<4> and throw in a present "iptables-save" for good measure
<4> I have a feeling your answer is the "NAT issues" in /topic.
<2> ai2097, your last one spit out.. iptables v1.2.8: Unknown arg `--dest'
<1> Meh, it would, wouldn't it. I don't particularly like pre/post routing rules; they're irritating in their restrictions. rob0 is likely able to help you out on this better than I can -- I don't generally use iptables for packet mangling.
<2> rob0, thx. http://pastebin.com/529856
<2> rob0, I wrote it in English, is that clear enough?
<4> bye rickhax :)
<2> wait
<2> i need help dude
<2> I'll pay you
<3> rickhax: iptables -t nat -A PREROUTING -d X -p tcp --dport Y -j DNAT --to-destination Z; iptables -t nat -A POSTROUTING -d Z -p tcp --dport Y -j SNAT --to-source X
<2> trying..
<2> WINNER
<2> 40$
<2> PM me your paypal email
<2> quick before i turn into a shady ***hole and log off
<5> can I do wildcards in iptables rules?
<5> I want to monitor b/w. how do I do this?
<1> Depends on what you're trying to "wildcard."
<2> hi SkramX, I have done a fair amount of bandwidth accounting in linux
<2> the best way I have found is to watch /proc/net/dev
<2> there's no advantage to using iptables unless you want to do some fancy ****
<2> unless your linux box is a router, then n
<2> m
<6> if you have DROP as the default policy, does specifying "iptables -A INPUT -p tcp ! --syn -j DROP" make sense?
<5> rickhax: welp, any programs do it for me?
<5> I want to track by source/destination IP
<1> SkramX: Check iftop. It may do what you want.
<5> others
<5> I'm compiling iftop as we speak
<1> Ah :)
<5> it shows per connection
<5> not ip/whatever
<1> There's a rule language for filtering; I don't know, but it might do aggregation, too.
<5> iftop -n -u eth0:0008
<5> doesn't work :(
<2> SkramX, do you have control/access over your nearest router?
<5> No.
<2> cisco netflow solves your exact problem
<5> It is a dedicated server :(
<2> check out ntop
<5> compiling deps
<2> ah come on
<2> I was compiling ntop when I was 17
<5> ?
<5> LOL
<5> this is a new server.
<2> what distro are you running
<5> What else? Gentoo
<5> almost done..
<5> if I do an accept everything on destination ip (user's) then it shows b/w usage, right?
<5> (when I do iptables -L -v)
<5> ntop startup - waiting for user response!
<5> Please enter the password for the admin user:
<5> wtf?
<1> Wtf wtf? You think a regular user should be able to look at all the network traffic on the machine?
<5> I thought ntop just showed realtime graphs
<5> I thought I have used it before
<1> It very well might show RT graphs, but it has to generate those graphs somehow.
<5> right
<5> so it has a web interface?
<1> I have no idea -- but it's become standard procedure for me to go root whenever I want to use a libpcap-esque program (kismet, snort, iftop, ethereal, what have you).
<5> hehe
<7> hello..
<7> how does iptables masquerade 2 networks under 1 NIC? I need to masquerade 192.168.1.0/24 and 10.10.10.0/24
<8> sup all, I'm getting this error while running a command to rate limit connections based on destination IPs and I'm getting this
<8> iptables v1.2.11: Couldn't load match `dstlimit':/lib64/iptables/libipt_dstlimit.so: cannot open shared object file: No such file or directory
<8> any idea how to this module ?!!
<9> hey all
<10> hello?
<11> hi folks
<11> I used quicktables to generate a script
<11> but it didn't quite do the job I wanted
<11> now my client machines can't access the internet ! :(
<11> I haven't blocked anything
<11> any hints guys
<11> I know I am vague here
<11> but I dunno what more information to give
<11> my script is here http://pastebin.com/530237
<12> is it possible to limit connection cast usage with iptables
<4> m0dY: is -m dstlimit shown in your man page? Maybe it wasn't included in that version of iptables. Upgrade?
<12> is it possible to limit connection cast usage with iptables
<13> kAiSeR`sOSe: please turn that crap off
<14> :)
<13> I hate seeing an activity indicator on a slow channel only to find out that somebody who's never even spoken on this channel has gone to the bathroom
<4> :)
<15> You can learn just by hearing trappist. But talking is far better.
<14> :)
<16> hehe
<17> what's the best way to run multiple web servers behind NAT? just forward the packets to both webservers and let apache figure it out based on DNS and the Bind directive?
<18> maybe mod_proxy
<13> yeah, mod_proxy is a better solution
<17> trappist: why?
<17> more secure, I suppose
<13> deb_user: because the layer iptables operates at isn't aware of domain names, so any solution will be a hack. mod_proxy exists for this.
<17> ok, but if the fqdn for both servers points to the same IP
<17> can't I just forward traffic for port 80 to both servers?
<4> ???
<3> you can't forward 1 packet to 2 servers
<4> you want two Web servers to handle one port 80?
<17> I suppose I could bind to a different port, eh rob?
<4> indeed, that's the only thing you can do.
<4> (different *external* port, both could be on 80 inside the NAT'ed LAN.)
<17> but...
<17> the client would still query on port 80, wouldn't it?
<3> http://server:81/page
<4> http://your.name.here/ --> internal server 1:80
<4> http://your.name.here:8080/ --> internal server 2:80
<17> that's a nice easy solution
<17> esp. since the second server won't be used too often
<17> any suggestions as to a port to use that won't interfere with other services?
<4> 8080 is a common choice.
<17> thanks again
<17> a lot easier than installing mod_proxy
<17> and more than suitable for my purposes
<17> but then... once the connection is established, it will revert to port 80, no?
<13> no
<13> use mod_proxy
<13> mod_proxy really isn't hard to work with
<19> how can I block an IP if it makes 15 SMTP connections in 10 seconds or something like this?
<3> use -m recent
<19> hm