Quotes DB: useful, funny, interesting






<0> dudes, i have a problem with an iptables command: iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth2 -p tcp -m multiport --dport 80,443 -m multiport --sport 1024:65535
<0> Error: *** glibc detected *** double free or corruption: iptables
<1> p0ts: which release ?
<0> anyone? about my problem?
<2> 16:24 < Regit> p0ts: which release ?
<0> iptables or kernel?
<2> how about both?
<0> iptables 1.2.11.31
<0> kernel 2.6.9
<0> the command is ok right?
<2> I think so, although I usually have the -j at the end.
<2> oh, wait. Try removing the second -m multiport
<0> iptables v1.2.11: invalid port/service `1024:65535' specified
<0> Try `iptables -h' or 'iptables --help' for more information.



<0> without the secont -m multiport
<0> secont = second
<2> try sports instead of sport?
<0> iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth2 -p tcp -m multiport --dport 80,443 --sports 1024:65535
<0> iptables v1.2.11: invalid port/service `1024:65535' specified
<0> Try `iptables -h' or 'iptables --help' for more information.
<3> isn't 1.2.11 a bit old?
<0> no idea
<0> doing yum update now
<3> did you upgrade the kernel? glibc?
<0> it came with fedora 3 or something
<0> might try that
<0> ok have to run now...
<3> no, I was wondering if you DID
<0> 10x...
<3> ok
<0> i will though...
<0> ok shoot my self:)
<0> ok = or
<0> byez
<4> do locally generated packets traverse prerouting?
<5> no , output
<4> output, then postrouting
<6> greetings
<6> in such a scenario where we have two interfaces with ips 1.1.1.1 and 2.2.2.2, and if somebody pings 2.2.2.2 from the subnet behind 1.1.1.1 (say from 1.1.1.2) - the packets do not enter the FORWARD table
<6> how come?
<6> anyone?
<7> gug
<8> gug
<9> gug :)
<9> re
<10> filtering packets with "tc filter .. handle <fw mark>" for ingress shaping is not possible cause packet is marked after going thru ingress? only u32 filter can be used?
<0> dudes, i have a problem with an iptables command: iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth2 -p tcp -m multiport --dport 80,443 -m multiport --sport 1024:65535
<0> Error: *** glibc detected *** double free or corruption: iptables
<7> which version of iptables are you using?
<0> 1.2.11-3.1.fc3
<0> that's the latest...
<7> for fc3, you mean?
<0> for my distro anyway...
<0> yeah
<0> what should i do?
<7> maybe has already been fixed
<0> ?
<7> I mean that it's quite an old version
<2> there are two '-m multiport's in that rule
<7> so it's possible that it's already fixed somewhere
<7> danieldg: yes, but it shouldn't do a double free() anyway
<2> right
<2> I have 1.3.5 and got a similar error:
<2> # iptables -A INPUT -p tcp -m multiport --dport 45,47 -m multiport --sport 45:48
<2> *** glibc detected *** double free or corruption (!prev): 0x08055198 ***
<7> could you try to run it under valgrind?
<2> tons of output, you want it all?
<0> danieldg, i know there are 2 -m but it wont work without it
<2> Hidden: http://daniel.6dns.org/misc/ipt-valgrind



<0> is there a way to divide that command into multiple commands so that i wont get the error?
<2> p0ts: sure, have one part jump to a chain whose only command is the other half
<0> iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth2 -p tcp --dport 80 -m multiport --sport 1024:65535
<0> iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth2 -p tcp --dport 443 -m multiport --sport 1024:65535
<0> or something else?
<2> that will work
<0> you had something shorter in mind?
<2> yeah, but never mind
<2> why are you filtering on sport anyway?
<0> tell me, i want to keep it short
<0> cause i want to catch all 80 and 443 traffic and divert it to my proxy
<2> so just omit the sport stuff
<0> but that would divert all traffic to the proxy?
<2> yes
<2> well, I'm not sure about diverting to the proxy
<0> but, squid cant handle ftp traffic all that well, i dont want it to
<2> right. so don't try to catch _dport_ 21
<0> i have a flaw in the new command now
<0> iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth2 -p tcp --dport 80 -m multiport --sport 1024:65535
<0> iptables v1.2.11: multiport expection an option
<0> how do i do that --!dport 21 ?
<2> no
<2> just don't redirect port 21
<2> you aren't redirecting anything so far
<0> ok:)
<0> anyhow about the error above?
<2> never seen it before, I'd have to look and see what causes it
<0> iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth2 -p tcp --dport 80 --sport 1024:65535
<0> this worked...
<2> yes
<7> danieldg: could you submit a bug report for this problem to the netfilter-devel list?
<7> danieldg: along with a link to the valgrind output, if possible
<2> not to bugzilla?
<7> even better :)
<2> bugzilla's SSL certificate is expired, btw
<7> then please drop a mail to Harald, too :)
<11> hi
<12> i am having trouble reaching a port on a remote machine, the remote firewall allows 2 ports access from my IP, and i can access the second one but the first one doesn't respond. nmap says that port is filtered and the second one is open. are there any tools that would help me figure out where this port is getting blocked along the way?
<10> is there any good diagram which show packet flow thru egress/ingress and iptables chains?
<10> i have a problem to understand how i can mark packets with iptables (prerouting) and filter them to ingress qdisc?
<10> used http://lartc.org/howto/lartc.cookbook.synflood-protect.html and i think this can't work, cause packets are marked after going thru ingress
<2> http://ebtables.sourceforge.net/br_fw_ia/PacketFlow.png
<10> ok, thanks. and as i can see on this picture it is impossible to mark a packet for an ingress qdisc. or?
<10> or something i misunderstand?
<2> I don't know, haven't done QoS
<10> ok, will go to lartc ML. thanks anyway
<4> Can someone explain to me the difference between nat OUTPUT and nat POSTROUTING as far as locally generated packets goes?
<13> OUTPUT is like PREROUTING except that it's for locally generated packets
<13> both routed and locally generated packets go through POSTROUTING
<4> Gandalf_, Oh....
<4> dur
<4> POSTROUTING can do SNAT, not DNAT
<4> duh....
<13> yes
<4> heh
<4> ok, now I am not confused
<14> with NAPT (SNAT), what chains see an inbound (i.e. "returning") udp packet? I'd guess that INPUT before unNATing, and must accept it. Then FORWARD would see the same packet, after unNATing. Is this correct?
<14> (I'm using iptables 1.2.8 that came with RHL 8)
<4> no
<4> INPUT and OUTPUT don't look at packets being routed
<14> inbound packets to be unNATed have the router's IP address on them. Unless unNATing is done before any chains in "filter" are consulted, I would have thought that INPUT would be consulted. Is there a nice diagram somewhere that shows the plumbing, including deNATting?
<4> it is done before the filter chain is consulted, yes.
<4> http://iptables-tutorial.frozentux.net/iptables-tutorial.html#TRAVERSINGOFTABLES
<4> connection tracking and prerouting are consulted first
<14> ryan`: thanks. That helped.

