@# Quotes DB     useful, funny, interesting







Comments:

<0> http://img2.uploadimages.net/show.php?img=637933network.gif i have this network .. i am trying to ping 192.168.0.10 to 192.168.2.2 .. i am not able to but i can ping 192.168.0.1 from 192.168.2.2 .. what am i missing
<1> xerophyte: are you able to ping from 192.168.0.1 to 192.168.2.2 ?
<0> rmj 192.168.0.1 router
<0> but i can ping from 2.2 to 0.1
<0> and 0.30 also a linux router
<0> i am testing hotspot configuration in the room
<0> i can ping from 2.2 to 0.1
<0> but i can not ping from 0.10 to 2.2 or 2.2 to 0.10
<1> xerophyte: how abt from 0.20 to 2.2 ?
<2> good diagram
<0> nope
<0> rob0, :)
<0> rob0, 0.30 is linux router



<1> xerophyte: have you set the ip forward variable to 1 ?
<0> yes that's why i am able to ping the 0.1
<1> in 0.1
<0> from 2.2
<0> 0.1 is dlink router
<2> Do 0.10 and .20 have a route to 2.0/24?
<0> nope
<1> xerophyte: and how abt from 0.10 to 0.20 ?
<2> ip route add 192.168.2.0/24 via 192.168.0.30
<0> i can ping
<2> (not sure of syntax)
<1> as rob0 says, you would need to add the route
<0> how do i add :)
<0> route add -net 192.168.2.0/24 gw
<0> something or
<1> route add -net 192.168.2.0 netmask 255.255.255.0 gw 192.168.0.30
<3> for a web server behind my linksys router, with its own iptables rules, which would be better: DROP or DENY?
<0> rmj, i did still could not ping from 2.2 to 0.1
<2> I don't like firewalls behind firewalls, in general.
<2> And DENY is ipchains syntax, I think.
<2> REJECT is the iptables target, and I use REJECT for tcp.
<1> xerophyte: Is there a way you can check the routing table of 0.1
<0> rmj nope its dlink router
<0> the web interface does not have any thing to list the routes
<0> rmj actually from 2.2 i can not even ping the 0.1
<0> but from 2.2 i can ping the 0.30
<0> what am i missing on the 0.30 table
<0> i made a mistake
<0> 0.30 is 0.102
<0> 192.168.1.0 * 255.255.255.0 U 0 0 0 eth1
<0> 192.168.0.0 * 255.255.255.0 U 0 0 0 eth0
<0> default 192.168.0.1 0.0.0.0 UG 0 0 0 eth0
<0> thats what i have now on the 0.30
<1> xerophyte: you were able to ping 0.1 from 2.2 earlier right ?
<0> nope
<0> i was only able to ping
<0> 2.2 to 0.30
<0> i am not able to ping from 2.2 to 0.1
<0> when i tracecrt .. it goes to 2.2 --> 1.1 --> time out
<0> from 2.2 to 0.1
<1> xerophyte: it makes sense. Your 0.1 router has no route to 2.0 network
<1> hence it will try to send to the default router and that should fail
<0> okay
<0> how can i configure the 0.30 so
<0> i can ping from 2.2
<0> to 0.1
<3> rob0, I dont have much choice. The "main" firewall is a wireless linksys router, which I can only port-forward to this box. To further control access, I have to have the internal firewall
<1> xerophyte: a route needs to be added in 0.1 in order to do so IMHO
<0> even to ping
<1> yup
<0> i mean if ping from 2.2 to 0.1



<2> ok DartmanX2, yes, I have done that before too.
<0> oh 0.1 need to echo back
<0> am i right
<1> xerophyte: yes
<0> di-604 thats my 0.1
<0> i looked at it
<0> there is no way to add route
<2> I don't think so xerophyte, I had a DI-614+ and it had a place to add static routes.
<0> may be i am missing it
<2> I don't still have it, so I can't help, but really you should have those routes on .10 and .20 also.
<2> OS on .10 and .20?
<0> linux
<2> so did you add the routes there?
<0> di-604 does not have static route
<0> nope
<3> okay, I just named my script 10iptables and put it in /etc/network/if-up.d
<2> 23:52 < rob0> ip route add 192.168.2.0/24 via 192.168.0.30
<0> rob0, i am tryin to ping from 2.2 to 0.1
<3> hopefully that will work correctly
<2> you originally said that ping to 0.1 worked?
<0> rob0, sorry nope it didnt work
<0> i was wrong
<3> thanks for the help, now and earlier today
<2> oh I guess it wouldn't.
<2> you could do SNAT on .30 ... SNAT for the 2.0/24 segment
<2> that's ugly but it works
<0> hmmm
<1> gtg guys. good luck xerophyte :)
<4> I'm setting up my NAT at home. I'm trying to setup DNAT rules for applications. I'm trying to forward port ranges with ip ranges
<4> iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5250:5252 -j DNAT --to 192.168.0.2-192.168.0.101:5250-5252 i've seen examples like this but it doesn't seem to work properly
<4> iptables question. i'm trying to do DNAT with an ip range. iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 5250:5252 -j DNAT --to 192.168.0.2-192.168.0.100 , so from what i've read that iptables will randomly choose the ip from the range? I'm trying to get it to find any established connections and forward it appropriately on the LAN. anyone familiar with this?
<5> gug
<6> gug
<7> gug
<8> hi
<8> could someone cancel subscription of deneme@bwdow.com from the user's netfilter ML ? his daily spam is quite annoying
<9> hey, is there a kind of "plausibility check" then do SNAT/DNAT? I observed that setting a -j DNAT autoloads the connection tracking module and if I do NAT over several hosts (i.e. I have two machines doing nat for one connection), at one point the routing suddenly stops. It looks like the packet in question never reached the PREROUTING chain.
<9> Is iptables NAT different from iproute2 nat? Or are they remote controls for the same kernel API?
<5> derjohn: they have nothing in common and the difference could never have been any greater
<9> LaF0rge himseld! BTW: Thanks for all your effort!
<9> *himself
<9> so if I do DNAT and SNAT netfilter is 'dump' i.e. replaces the IP in the header as I wish? (at least: should they?)
<9> I see packets via tcpdump coming in with a sender address that should match my rule (tried with LOG, too) but somewhere they get dropped on the second NAT box ...
<9> between tcpdump and netfilter ... so: what's in between then?
<9> I disabled the rp_filter and the icmp_redirects ... no success
<5> derjohn: they are neither dump nor replace stuff in the header. they merely configure per-connection based nat bindings
<9> LaF0rge, well, which part does the replacement of the IP address? or is this done by some other kernel part (i.e. no iptables code) ?
<9> errrr, i mean netfiler ....
<9> grr, OMG what typos today: I was talking about netfilter code.
<10> is there a possibility to receive udp/tcp packets together with the ip and udp/tcp header?
<1> aton`: isnt that what is supposed to happen ??? Every udp/tcp packet encapsulated in an ip packet
<10> and the kernel strips off that encapsulation?
<10> giving me the data when i do recv()
<1> aton`: yes
<10> so re-read my question
<1> aton`: so you are talking about getting so at application layer ?
<10> yes
<10> or well i could also write an iptables target
<1> aton`: aahh ok
<9> LaF0rge, what did you mean by 'per-connection based nat bindings' ? i.e. does NAT track connections?

