<0> evening
<0> well, worst thing ever, a MSN messenger issue, but somehow strange. I may try to explain, maybe someone gets an idea. Little network with windows and linux clients, gentoo server/gateway with iptables. MSN Messenger runs with a problem on all windows clients but not on my linux client. MSN on my linux client runs if I connect direct to the internet. So something must be weird on my gateway...
<0> sorry: without a problem on all windows clients*
<0> :)
<1> hey guys anyone used patch-o-matic?
<1> unable to find ladd slot in src /tmp/pom-2386/net/ipv4/netfilter/Makefile (./patchlets/connlimit/linux-2.6.11/./net/ipv4/netfilter/Makefile.ladd)
<1> ;/
<2> Oli: maybe it's blocking some port MSN uses, and Windows is able to use another port
<2> phycho: ah, I had a patch for that... just a sec
<1> k
<0> danieldg: may I post my iptables rules on pastebin? it's quite small, maybe you see something
<2> maxine: show ruleset
<3> Please post the output of "iptables-save -c" or, if that is not available, "iptables -vnL" to a pastebin such as pastebin.ca, and tell us the resulting URL. Include the network setup if it is not immediately obvious
<2> Oli: sure
<2> phycho: http://daniel.6dns.org/misc/connlimit.patch
<1> k ty
<2> 2.6.16 changed some internal data structures
<1> don't i need to patch the thingy as well? (iptables?)
<0> danieldg: http://phpfi.com/120785 it's not that big :)
<2> no, it's just the kernel part that changed
<1> ah k
<1> how would i use patch-o-matic to just patch iptables?
<2> iptables is already patched for connlimit iirc
<1> aah
<1> k
<1> it can't find the file specified. it's looking for Makefile.ldd which doesn't exist on 2.6.16
<1> Makefile.ladd
<1> only Makefile exists
<2> it's not a patch to the kernel
<2> it's a patch to pom
<1> ah
<1> explains a lot =)
<2> apply it inside the patchlets/connlimit subdir
<1> k
<2> Oli: I don't see anything wrong with it
<2> I'd try using ethereal or tcpdump to look at the differences between windows's connection and linux's attempts
<4> anyone recommend a channel relating to packet capture techniques?
<0> yes :\ danieldg, it's strange that it just doesn't work with my linux laptop over MY gateway, if I go through the linux gateway in our office it works...
<0> mhh maybe I should check with a plain masq, without anything, just pure nat
<2> that's pretty much what you have
<0> well finally time to move all to jabber then :)
<0> maybe try to remove in the ffwd chain: DROP all -- anywhere 192.168.0.0/16 ? it's the problem the other way, mhh I'm not such an expert
<2> try removing it if you think it's a problem
<0> danieldg: mhh i just took some iptables script and now it works :\
<5> hi!
<5> how do i configure my firewall to permit only one connection from a user to my database?
<5> iptables -A FORWARD -s $IP -m limit --limit 1 -j ACCEPT -> this doesn't work
<5> anyone?
<6> chatran: man iptables --> /connlimit
<6> oops, he left; oh well
<2> told him about it in #netfilter
<6> okay, I /msg'd him too :D
<7> hm, i've got a problem with traffic shaping.
<7> i have a wireless connection and up and downstream together are ~ 900kb/s
<7> now i want to shape that but the problem is: up and downstream together can be max 900kb/s so both happening at the same time is 450kB/s each
<7> what method is best to handle such a thing?
<7> i have no problem with ack-packets, it's a symmetric connection that supports either 900kb/s downstream or 450kb/s up and 450kb/s up at the same time.
<7> uhm 450 up and 450 down
<7> so actually max available downstream is 900-upstream
<0> Hiho, how can I define that my rules are logged to /var/log/iptables_log instead of /var/log/message?
<7> Oli: you can set the log level of the rules and then have your logging daemon send that log level to messages
<7> also if using syslog-ng you can filter from the set --log-prefix and have only that directed to messages.
<0> ah right
<8> hello the chan
<8> I need some tips to set up an iptables rule, i would like to block the ping from one machine to my whole network, i did a "iptables -A OUTPUT -p icmp -d 10.10.0.0/8 -j DROP" but it also blocks the input ping: i can't ping the machine anymore, any idea?
<9> CronoS6: source maybe?
<8> -s 127.0.0.0/8 ?
<9> CronoS6: do you want to do the following: the machine in question shouldn't be able to ping the 10.10.0.0/8 subnet, but other machines should be able to ping it.
<9> if that's the case then just iptables -A OUTPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT and then iptables -A OUTPUT -p icmp -d 10.10.0.0/8 -j DROP
<8> let me test, thanks
<8> i want to make this machine blind to my network
<8> but other machines can see it
<8> looks like it works jorgan, thanks
<8> but i don't really understand the trick, could you explain it to me please?
<9> the state module inspects packets and your iptables accepts the ping, and when the ping travels out from your machine it has the state of related and established, but when your machine tries to ping any host the packet in the output queue has the state of NEW
<8> thanks jorgan, hard for me to set up something like this from scratch ;)
<10> What's the difference between --dport and --sport? The first should be used in the OUTPUT chain, and the latter in INPUT for it to make sense?
<11> --dport destination port, example: a http server has --dport 80
<11> --sport source port.. example.. a pop3 server has a source port 110
<11> --dport ..... remote http server ...
<10> Okay, the destination port thing is trivial... but what source port would a client use if connecting to http with destination port 80?
<12> one above 1024 I guess
<10> Shouldn't specifying the source port be pretty redundant when you know the destination port then?
<13> I have this line "-A INPUT -s 81.0.0.0/8 -j DROP" in my firewall, as a matter of testing, I'm trying to understand why this prevents whois on the local machine from contacting whois.denic.de which has IP 81.91.162.8 ...
<13> I am making an outbound request.. ooh.. n/m.. it cannot answer back.. sheesh.. time to eat
<7> killermach: probably because you are not using stateful filtering...
<13> callee: that rule was meant to drop ALL incoming packets from the 81.0.0.0 network, how could stateful filtering differ
<7> meaning: you send a whois request out, and get an answer. however iptables is unable to see that the incoming request is a reply to the previous outgoing request. that's why you need the state module
<13> callee: I see.. that could be useful
<7> see, you do not only want to request the whois query, but you surely want an anser...
<7> answer
<13> yes yes.. I'm also new to iptables. I have to learn more
<7> look at the tutorial in the topic
<13> callee: can you get someone to remove the " ; " from the URL.. it gives a page not found, I already removed it in Firefox, so I'm there now
<7> killermach: i do not see a ";" in the url
<7> ah, there it is
<13> mostly I'm trying to remove network access from what seem to be mostly spam emailers, I hate to do such blanket rules, but until I find a way to fine tune iptables without spending all day every day doing it, this is it
<7> well, technically there is no ";" in the url, just behind it
<7> killermach: try the hash module
<7> however dunno how that exactly works
<7> but there is no O(1) way to get rid of the spammers with iptables
<7> if you run a mailserver it's best to stick with blacklists on the maildaemon side
<7> or greylists or whatever you prefer, but don't try to use iptables for that. remember iptables does only packet filtering and is often the first but not the only line of defence, so it is unnecessary to make the mesh too tight at the beginning, for you screw up more than you fix
<7> if you wanna drop traffic from i.e. rpc worms or so, just drop all traffic to the ports on the WAN interface you are not serving explicitly.
<7> this only applies to incoming traffic of course. iptables is not useful for restricting outgoing packets
<7> that's not what iptables is written for. you can do outgoing filtering, but it is not recommended (at least for the most part)
<13> ok.. if I want to block incoming traffic from 81.0.0.0 completely with one exception, I would like traffic from 81.91.162.8
<13> .. then do I put the ACCEPT rule above the DROP rule?
<14> killermach: allow the one IP first, then block the netblock
<14> killermach: yes
<13> trappist: thank you.. I am starting to actually retain this stuff
<14> I thought briefly you might be able to do it with one rule, but I got: iptables v1.3.3: multiple -s flags not allowed
<13> ok thanks
<10> When some httpd sends stuff back, does the client open up some specific port to be able to receive or what?
<15> http does not _send_ stuff. Data will be transmitted. sport 80 -> dport 1024:
<10> WoodyWoodpecker: what about the case of NAT - how the heck does the router know which client to forward the packet to when the only clue is dport 1024?
<15> 1024: == 1024:65535
<10> Aha, so it's random?
<15> That is managed by the forward chain, and it just changes source and destination port as well as address
<15> Depends
<15> On either the application and/or the router and/or the client and/or the server/service
<15> And yes, the sport is something between 1024 and 2^16
<10> I still don't understand how it would identify the packet and send it to the correct location.
<15> Well if you take it really seriously it is actually something between ~39000 and 56535
<15> That is what NAT does
<15> Or even better: a proxy
<15> NAT just manages this for you. Read it up if you don't understand NAT that well.
<15> It keeps trakes of the clients <-> Router and Router <-> Server
<15> s/trakes/trake/
<15> And maps it back if packages arrive from the server to (virtually) the client
<10> But there must be some part of the packet that gives the destination address away, no?
<10> With the endless stream of packets, how would it know?
<16> basic IP header has source and destination IP and socket
<16> (port number)
<16> I mean that's TCP/IP 101 stuff
<10> Hmm, I think I have a theory on how it works now.
<15> What is TCP/IP 101 stuff?
<16> for NAT routing, iptables keeps track of which LAN IP originated an outbound connection to what IP
<16> so that inbound packets from that IP get sent to the right LAN IP
<15> ^^ That is what I said
<16> even for multiple LAN machines using the same protocol
<16> but this is also why you have to have port mapping for servers behind the NAT router
<15> Shadewalker: It uses the dport of the client to the router as match
<16> because otherwise, it would not know what to do with new connections from outside
<15> PAT is a special form of DNAT
<10> Basically, as far as I understand, when contacting some remote server, the router keeps track of the source port, and when packets come back with a matching dest. port value, it knows to which LAN machine to send the packet.
<16> yep
<16> basically
<15> It keeps track of the sport and the dport, because what was sport will be dport in the data back; and reverse
<10> Cool. :-)
<16> but if you are running servers behind the NAT router, they are not the originators of the connection