<0> RE
<1> anyone know if it's possible to mangle a source mac address?
<2> trappist: like using ebtables's snat?
<1> danieldg: I dunno, is that a sample solution?
<2> well, I think that SNAT will change the source MAC of a packet
<2> what do you mean by "mangle"?
<1> well I'd want the mac to become the mac of the -o device on the linuxbox
<3> If you're forwarding a packet on another segment, that's what happens, it becomes your MAC. If you're bridging, the MAC stays the same.
<4> hi all
<4> hard__ware: around?
<4> for some reason,
<4> 0 0 RETURN all -- any any 0.0.0.0 anywhere
<4> 0.0.0.0 is everything
<2> ok, so maybe no packets are reaching it
<2> oh
<4> but packets are racing other ip's on the host
<2> 0.0.0.0 is not everything
<4> how do i specify anything then
<2> 0.0.0.0/0 is everything
<2> or just omit it
<4> but that wouldn't allow me to see the difference between in/out
<2> um, 0.0.0.0/0 wouldn't let you tell the difference either
<4> oh
<4> :INPUT ACCEPT [42021:6149242]
<4> -A INPUT -j INPUT_COUNTERS
<4> -A INPUT_COUNTERS -d 0.0.0.0 -j RETURN
<2> that's pointless
<4> sorry
<2> no, just pointing out that that will never match anything as 0.0.0.0
<4> if i do -A INPUT_COUNTERS -d any -j RETURN
<2> and as 0.0.0.0/0 it will match anything
<4> will it count only INPUT?
<2> yes
<2> ohhhh
<2> ok, now I get what you want to do
<4> :)
<4> yes.
<4> :)
<2> ok, use 0.0.0.0/0
<4> okay
<4> will that work for output too?
<2> yes
<4> could i just do
<4> -A INPUT_COUNTERS -j RETURN
<4> that will count all traffic incoming, and return it
<4> return means it will look for other rules too?
<4> because I also have rules for each of the ips
<2> yes
<2> you could even leave off the -j RETURN if you wanted
<4> uhh
<4> with the -j return, it doesn't count as any other IPs.
<4> -A INPUT_COUNTERS
<4> ?
<2> did you have other rules in INPUT_COUNTERS? if so, RETURN will bypass them
<4> well
<4> i took return off
<4> both work now!
<4> woo hoo
<4> hard__ware: we have a problem
<4> danieldg: is specifying no -d/-s the same as 0.0.0.0/0
<5> hello need help with ping logging for a university question
<5> hmm maybe not too late in the day
<3> Are university pings different from regular /bin/ping pings? :)
<5> hmm
<5> probably not they just come far more intelligent than me
<5> :)
<5> so dense i can't manage what is a comparatively simple question bah
<5> try looking here
<5> http://linuxzoo.net/page/tut_fire.html
<5> its question 6
<5> trying to find what i got
<5> when the question says clean out your chain you think they mean flush iptables -f ?
<5> -F
<3> possibly
<5> wait a sec
<3> the LOG target is nonterminating, so when you use it you often use 2 identical rules. The first one -j LOG, the second one (same match criteria) -j something else.
<5> trying to find the rules i input in a text form
<5> right got powerpoint
<5> slide i'll copy it from there
<5> oh hmm
<5> right if i paste here it gonna get me kicked for a flood i think
<5> but try it anyway
<2> paste in a pastebin
<5> iptables -N pinglog
<5> iptables -A pinglog -m limit --limit 15/minute -j LOG --log-prefix PINGlog:
<5> iptables -A pinglog -j DROP
<5> iptables -A INPUT -p icmp -m icmp --icmp-type 0 -j pinglog
<3> ok, that works, with the match ... yes.
<5> so i have those four lines
<5> but when i try the question it always seems to fail but i also have the previous question in the firewall also
<5> so maybe it won't work when both are in there
<5> but what you say it if i want to do logging the four lines i pasted are basically correct?
<3> it depends what rules precede these :)
<5> yeah i'm beginning to see that
<5> :)
<2> karaya1: that question says to only log if you receive it faster than 1/second, you haven't done that part yet
<5> but iptables is a fairly logical
<3> If an earlier terminating target matches the packets you're trying to match, the later rules are ignored.
<5> deal
<5> aaaaaaaaaaaaaaaaaaaaaaahhhh
<4> has hard__ware been around lately?
<5> yeah that would make much sense
<5> can you explain the first line i pasted please
<5> i think it just mean new pinlog
<5> but does it have any other references that i might be unaware of?
<5> iptable -N pinlog
<5> iptables -N pinlog
<5> bah give up
<5> too tired to type well
<3> -N, creates a new chain which can then be used as a -j jump target, this is in the man page.
<5> ah right
<5> think i see
<5> so if i had previous rules not related to icmp
<5> it would do those rules first and then start on the new rules set after iptables -N?
<5> by previous
<5> i mean rules coming before the icmp logging
<5> in the firewall script i'm writing
<5> oh the joys of command line editing with vi
<5> :)
<3> "iptables -N newchainname" does not directly affect your rules, it simply makes a new chain to which rules can be added. At the same time the name becomes a valid --jump target.
<5> time to go
<3> bye
<5> before i do
<5> since -N
<5> means new
<5> as in new chain
<5> does that mean anything above it will be ignored
<5> or will it still be acted on
<5> ?
<3> 00:23 < rob0> "iptables -N newchainname" does not directly affect your rules, ...
<5> hmm
<3> no: 00:24 < karaya1> does that mean anything above it will be ignored
<3> yes 00:24 < karaya1> or will it still be acted on
<5> cool
<5> it's not rocket science just have to approach it more logically i think
<5> well rob pal thanks for the advice
<3> yup
<3> np
<5> hope to get the chance to annoy you again sometime :)
<5> take care
<3> :)
<6> Greetings.
<6> As a class assignment we need to design an enterprise network based on a given diagram to do a bunch of ****, mostly forward around RADIUS (1645 TCP right?), SNORT/CISCO IDS connections, secure wireless, and implement PPTP
<6> I'm having trouble locating documentation on how to get iptables to forward PPTP
<6> I have a network on one side like 10.1.1.0/24 and one on the other with a PPTP server 192.168.1.10
<6> I can't figure out how to just make it conntrack PPTP from 10.1.1.0/24 to 192.168.1.10 and be done with it, so any suggestions?
<3> The pptpclient site has documentation. You have to forward both the control port (1723/tcp) and GRE.
<6> nobody has any idea on routing PPTP?
<6> ah
<6> rob0: so straight iptables -A FORWARD -s 10.1.1.0/24 -d 192.168.1.10 -p tcp --dport 1723 -j ACCEPT
<6> rob0: and forward GRE on a port, or by some magic?