Comments:
<0> ProGuy: ipv6tables is missing a lot....
<1> OK, I figured this out once, and my hard drive died and now I can't figure it out again; internal network is 192.168.1.x with .1 being the Linux router. External we'll call 1.2.3.4. I've got SNAT set up and some ports forwarded, but I'd like to be able to hit the external IP from the internal IPs (192.168.1.100 say) and have it forward through as if I were outside.
<2> Hey
<2> I was wondering, is there a way to match packets according to their flowlabel?
<2> I just need to be perfectly sure that there isn't before I start creating something myself :-)
<3> ProGuy: What do you mean by flowlabel?
<2> dflow: The flowlabel field in the IPv6 header
<2> Should have mentioned that it's IPv6
<2> There are hop-by-hop options header match rules and destination header match rules, but no flow label field match rule. There doesn't seem to be a general match rule to match contents of the main IPv6 header either.
<2> Of course, I could just be looking in the weong places :-)
<2> s/weong/wrong
<2> And before I start creating a match rule myself I just need to ensure that I haven't overlooked a trivial solution
<2> s/match rule/match target/ :-)
<3> ProGuy: ahh, this flowlabel :)
<2> hehe
<2> The field no one uses :-)
<4> I have two internet connections, both are working fine, but I can't selectively send some traffic out of one. I've added a rule to use a table with that as the default route, and the traffic is getting NATted, but it's not making it back to the original client :/
<4> how can I tell what happens to this packet on the way back :/
<5> add -j LOG in every place :)
<5> http://xkr47.outerspace.dyndns.org/netfilter/packet_flow/packet_flow9.png
<4> if only it was that simple
<4> it's not being DROP'd by anything
<4> 16:14:52.651029 IP 10.50.0.2 > 66.102.9.104: icmp 64: echo request seq 90
<4> 16:14:52.706388 IP 66.102.9.104 > 10.50.0.2: icmp 64: echo reply seq 90
<4> in conntrack: icmp 1 29 src=10.3.254.245 dst=66.102.9.104 type=8 code=0 id=5679 [UNREPLIED] src=66.102.9.104 dst=10.50.0.2 type=0 code=0 id=5679 use=1
<4> where 10.3.254.245 is my machine sending a ping to google, 10.50.0.2 is the gateway's IP (assigned by the ADSL modem) and the other IP is google
<4> AAAH what a ****er, it was the rp_filter
<6> darkskiez: was about to say that..... looks like your router is not changing the IPs back for ICMP
<6> I've seen a lot of BSD-based modem/routers do that same kind of activity
<4> the modem's fine
<4> it's whatever rp_filter does
<6> well that all depends really... is the subnet of both the machine and router Class A (/8)?
<6> you may be able to relax rp_filter a little bit; was it set to 1 or 2?
<6> darkskiez: you using IPSec?
<4> not using ip set, I set rp_filter to 0 and now it works
<4> ip sec
<6> ok... try with rp_filter set to 1
<6> if not, try it set to 2
<6> http://www.linuxguruz.com/iptables/howto/2.4routing-13.html .... explains what rp_filter does
<4> it's not coming in on the interface with an unusual IP
<6> darkskiez: that tcpdump you did
<6> was that on the host or the router?
<4> on the router (connected to modem)
<6> ahhh, your router is a machine with an OS, not an embedded device?
<4> I'm not being clear
<4> that was on our gateway (IP 10.50.0.2) hooked up to ADSL modem 10.50.0.1
<4> with LAN client 10.3.254.245
<6> what is the gateway?
<4> the Linux machine running netfilter
<6> ok... just making sure....
<6> DSL / cable modem is set to bridged?
<4> no, DMZ set to 10.50.0.2
<6> ahhh, well that says it all =)
<6> packets coming from the internet to the gateway, if DMZ'd and not just NAPT'd... on some embedded modems will make the packet appear as if they're not from the internet although they really are
<6> so in the end, basically internet packets now will have a MAC of the modem
<6> when really they should have no MAC address at all...
<6> only real solution is to diable RP_filter sadly enough
<6> oops Disable....
<7> whops
<6> I'm off to bed.... cyas...
<7> ta, laters