Quotes DB: useful, funny, interesting
<0> gug
<1> how is it I enable NAT between two interfaces again? (I can't reach www till this works, so bear with me :)
<1> found it out, next issue
<1> I'd like to catch outbound connections for my external IP in my gateway and just redirect them to the interface that faces the router...
<1> so connecting to my own server will only reach my server/gateway and not travel all the way to my router
<1> ...and back
<1> is there no DNAT in the default kernel version of iptables?
<2> Riis: there's DNAT in all kernels that have NAT support, it's a builtin target
<1> http://rafb.net/paste/results/rDnVUM45.html <- ideas?
<3> you need another SNAT rule
<1> I'm pretty clueless here, a rule that does what?
<3> iptables -t nat -A POSTROUTING -d 10.0.0.2 -j SNAT --to-source $INTERNAL_IP_OF_FW
<3> http://iptables-tutorial.frozentux.net/chunkyhtml/x4013.html
<1> FW being?
<3> firewall
<1> the LAN-side IP of the server?
<3> yes
<1> iptables -t nat -A POSTROUTING -d 10.0.0.2 -j SNAT --to-source 192.168.0.1
<1> I guess
<1> danieldg: and still I need the iptables -A PREROUTING -t nat -i eth1 -d 212.242.210.229 -j DNAT --to 10.0.0.2 rule right?
<3> wait, does the box running iptables have the IP 10.0.0.2?
<1> yes
<3> just use REDIRECT, don't use DNAT
<1> danieldg: look at the "diagram" in the top of my paste...
<3> then you don't need the SNAT rule
<1> or should i elaborate?
<3> I tried
<1> it's a bit long
<3> yes; use redirect for this
<1> 212.242.210.229 [Router] 10.0.0.1 -- 10.0.0.2 (eth0)[server](eth1) 192.168.0.1 -- 192.168.0.2 [laptop]
<1> the short edit
<3> I see it now
<3> didn't notice the horizontal scrollbar
<1> ahh
<1> danieldg: iptables -t nat -A PREROUTING -i eth1 -d 212.242.210.229 -j REDIRECT --to 10.0.0.2 ?
<3> no, use REDIRECT --to-ports ...
<1> what's the syntax for all ports? *
<3> can you add 212.242.210.229 to one of the interfaces of the server? Then you wouldn't have to redirect at all
<1> danieldg: not really, if I understand you...I can't make the router stop NAT'ing and connect the server directly to the wan
<1> (without paying)
<3> no, just add an IP to the interface
<1> ahhh
<3> 212.242.210.229/32 with no routes
<1> that should catch it ....
<1> ahh
<1> danieldg: happen to know how I do that in the gentoo net-config-file?
<3> no
<1> k
<1> danieldg: but my services aren't listening on 212.242.210.229, so will it still work?
<3> why not have the services listen on 0.0.0.0?
<1> well I could
<1> turns out they already do
<1> hmm, how on earth do I test this thing?
<1> danieldg: tethereal and then watching or connections to the router maybe?
<1> *for
<3> sure, that's how I'd test
<4> gug
<1> http://rafb.net/paste/results/mV7UC753.html <- any ideas as to why SIP-calls are not masq'ed? (don't work)
<5> Not looking to start a flame war but does a cisco pix 515 firewall provide anything beneficial over linux+netfilter(iptables)?
<6> daeamarthw: I don't think it can be compared in that way
<6> daeamarthw: I'm not in the cisco fan club but sometimes cisco gives more stability, linux + netfilter require more skills than cisco, and everything depends on what you whant to do
<6> s/whant/want
<5> sorry was afk work.
<5> From what little I have seen so far it seems like quite frankly the cisco pix has less capabilities. Just from a personal standpoint I find linux easier just because I seem to have more methods of being able to access the device and a greater number of options for both software and hardware configs.
<5> but that's just me.
<5> I do not know what inherent software issues there are. ie: the way the filter is done versus one or the other, etc.
<5> Building a project and a grand for a linux pc is a lot more appealing than like 7-12 grand for a pix. lol
<5> And that wouldn't even include upgrade support.
<6> daeamarthw: yup linux pc is cheaper and it is multiuser, but when you have a kernel panic on your super-firewall, and you must push the reset button, it can make your client a little nervous
<5> True but there is nothing to say a pix won't "panic" and in my experience running many linux firewalls for literally years even without badly needed updates I have yet to see a panic.
<5> If you are really concerned over that you should run failover/load balancing. IMHO
<5> here's another question... Where can I find out what each of the modules in /lib/iptables... are for? ie: libipt_NETMAP.so I did a strings on it but not much in the compiled lib. Tried to find local docs and a bit of googling but no luck thus far.
<6> daeamarthw: man iptables search target NETMAP
<6> NETMAP
<6> This target allows you to statically map a whole network of addresses onto another
<6> network of addresses. It can only be used from rules in the nat table.
<5> Ah. Was on a machine that didn't have it when I did man. =) Thanks!
<6> NETMAP
<6> This target allows you to statically map a whole network of addresses onto another
<6> network of addresses. It can only be used from rules in the nat table.
<5> not NETMAP that is. Different mod. That was just the closest to cut and paste. lol
<6> hehehe
<5> libipt_TARPIT.so
<6> http://svn.netfilter.org/netfilter/trunk/patch-o-matic-ng/patchlets/TARPIT/help
<5> Thanks!
<6> daeamarthw: failover/loadbalancing is always a good solution but from the other side imagine that you preparing a new kernel for your firewall and you want a patch called "patch-xyz", after patching you have a lot of warnings/errors on your console, or simply your firewall is working and at random times is crashing
<6> s/that/that you are/
<5> Again I would say you should have failover in that critical of an env, also that pix could do the same, and also... You should always test your changes before implementing them and have a rollback plan. I really do not see how any of this is "better" if dealing with cisco versus linux.
<5> ie: If nothing else you should have two firewalls. Upgrade the second. Run some testing/regression testing. If that goes well failover to it. If that goes well upgrade primary and fail back.
<6> daeamarthw: yeah, I know, you don't need to convince me ;> I also have my firewalls/routers on linux with netfilter ;]
<5> No. It's cool. You are playing devil's advocate. =) Which is what needs to be done in looking at ideas etc.
<5> I just really seriously question the use of supposed "hardware" firewalls and the like versus what they call "software".
<5> the reference is really quite incorrect and outright wrong in most cases. ie: What in a pix is anymore hardware than a PC running netfilter?
<2> most hardware firewalls are software firewalls with "dedicated" hardware
<5> They have some at least partially proprietary hardware running their IOS running their firewall software. Is that correct?
<6> yup
<7> There are software firewalls you can control, and there are software firewalls you CAN'T control.
<2> the pix is a standard pc with standard e100 nics
<5> So if that's what a PIX is then it's no more a "hardware" firewall than a freaking PC running linux and netfilter. lol
<2> it runs pixos
<2> there are articles about how you can build your own pix
<5> Anyhow at least in the case of the PIX I really do not see the advantages unless it has some bells and whistles if you will regarding the firewalling that netfilter does not offer.
<7> PIX bells and whistles don't always ring / whistle properly. :) Case in point: SMTP Fuxup.
<6> some told me that in pix image are some strings from openssl libraries
<5> lol
<6> s/are/have
<8> and to clarify, a PIX is NOT a router, it is a NAT box that does a poor job of NAT'ing
<8> I learned the hard way that even using a public IP based DMZ on a PIX you have to NAT to the public IP boxes on the DMZ or the PIX will not forward packets.
<8> I'll take linux/netfilter over the PIX any day :)
<6> Woody: true, but try to tell this to some guys from some bank
<6> s/some//
<1> any ideas as to why SIP is working through NAT, but not double NAT?
<6> Riis: with stun ?
<1> no, without
<6> Riis: because the remote sip proxy/server can't connect to your signaling port (5060 or similar), or even if you have DNAT to your phone, the rtp path is negotiated in the signaling path
<1> rtp?
<1> dflow: well it works fine when i just use NAT once (through my router)
<1> but when i put it through http://rafb.net/paste/results/mV7UC753.html it doesn't
<6> Riis: put -j LOG as last rule on chain FORWARD , you will see what is wrong
<6> and use tcpdump on output interface :>
<1> dflow: excuse my ignorance, but how do I do that? :)
<1> well I've been tetherealing a whole lot
<1> 0.052294 10.0.0.4 -> 212.130.58.214 SIP Request: REGISTER sip:musimi.dk ; 0.088743 212.130.58.214 -> 10.0.0.4 SIP Status: 401 Unauthorized (0 bindings)
<1> is a proper req/reply
<1> but in double NAT I only see the req
Return to #netfilter