Comments:
<0> i'm having trouble with the ipv6 state match with iptables 1.3.5 and linux 2.6.16.1. all i have in my forward chain is a rule to accept any packet with --state RELATED,ESTABLISHED and another that accepts traffic coming from the local network and going to the ipv6 tunnel. the stateful rule doesn't match *anything*
<1> are you using a bridge?
<0> if i add a -j LOG at the end of the chain, i can see that it's dropping SYN/ACK packets coming back that should be part of the state table.
<0> well, no.
<0> the tunnel interface has a /64 address on it, and the network interface has a different /64, but no bridge.
<1> ok, just asking because there was a bug with a bridge and tunnel going over the same interface that has the behavior you described
<0> tbh this does seem like a bug.
<0> the same rules worked with ipv4.
<1> do you have nf_conntrack_ipv6 loaded?
<0> what's the kernel config option for that?
<1> it should be a module...
<0> not in my kernel.
<1> ok, just a sec
<1> CONFIG_NF_CONNTRACK_IPV6
<0> fyi 2.6.16 has the new NETFILTER_XT stuff
<1> I'm running it too :)
<2> I don't suppose you'd also know about the recent ipsec changes? As in, why does my ipsec tunnel no longer work for outgoing traffic in 2.6.16?
<0> nope.
<1> no, haven't done ipsec stuff
<0> hmm that's strange. i don't have it defined OR commented out in a "not set" thing. i built this with menuconfig.
<2> ok, thanks anyhow
<0> i have CONFIG_NETFILTER_XT_MATCH_CONNTRACK
<2> it's weird, ipsec traffic comes into my network just fine...it's going out where it doesn't work
<1> jhujhiti: which IPv4 conntrack are you using? CONFIG_NF_CONNTRACK_IPV4 or CONFIG_IP_NF_CONNTRACK?
<0> the latter.
<1> that's the problem
<1> you need to disable that, then go enable the new NF_CONNTRACK
<0> ah. i upgraded from 2.6.14.3 with make oldconfig. did that cause it?
<1> up one menu level. It's experimental
<1> yes, it's new in 2.6.16
<0> ahh excellent.
<0> thanks.
<0> Primer: still using gentoo?
<0> *shudders*
<0> danieldg: should i also have CONFIG_NF_CONNTRACK? it appears after i disable CONFIG_IP_NF_CONNTRACK
<1> jhujhiti: yes
<2> jhujhiti: of course
<1> then enable the CONFIG_NF_CONNTRACK_IPV[46] that appear
<0> Primer: ah. i started using debian. i got sick of waiting forever for packages to build. and i couldn't take the "stable"/mask system anymore
<2> so wtf you using now?
<0> jhujhiti: Primer: ah. i started using debian. ...
<2> oh boy
<2> my condolences
<0> ah yes, that's the kind of ignorant thing i would have said a few months ago.
<0> as long as you stay away from the stable branch, it's quite nice.
<0> "stable" means "exceptionally well tested". the things that aren't "stable" aren't unreliable at all.
<1> no, those all go in "experimental"
<2> while gentoo has its issues, I couldn't hang with a binary based distro and having to compile programs that had no packages from source
<0> say, what ipv6 tunnel broker is everyone using?
<1> 6to4
<2> I get my tunnel through a friend who has native ipv6
<0> Primer: why not? you build them and make a package and install. just like an ebuild with extra steps.
<2> except his box is in .be
<2> and I'm west coast USA
<0> danieldg: do they happen to do udp encapsulation?
<1> no, it's not even a tunnel broker
<0> i'm with hexago right now. i can't use he.net because my isp apparently blocks ipv6-in-ipv4.
<0> and i wasted my credits on sixxs with that kind of tunnel to find that out.
<2> they block proto 41?
<2> that's ****ing stupid
<0> i'm seeing like 20% packet loss with hexago though.
<0> Primer: that's ****ing at&t.
<0> Primer: i haven't found anything on the web about it, but i connected the modem to an unfirewalled box and tried to use it. pings went out and never came back.
<0> on both he.net and sixxs.
<2> http://sh.nu/ipv6.png
<2> my little network, at its height
<0> neat. why use the tunnels?
<2> heh, no other way
<2> the only one that's native was the box at the top
<2> ok, home
<2> later
<0> oh, these are remote sites? not your own boxes.
<0> later
<0> danieldg: kernel is finished building. need to reboot it now. if i don't return, you can safely assume success!
<0> danieldg: thanks a lot for your help
<0> i have returned =(
<0> where did my nat table go?
<1> NAT isn't supported with the new conntrack
<1> (yet)
<0> *cries*
<0> so basically there's no way for me to do stateful ipv6 filtering and nat at the same time?
<0> without running the ipv6 filtering on a netbsd machine, which i've already tried and is a giant pain in the ***.
<1> not that I know of
<0> do you know of an ETA on new nat?
<1> no; someone else in here might
<0> should it be announced on the netfilter-announce list?
<3> gug
<4> gug
<5> bjbb
<5> gug*
<6> gug
<3> hello
<7> hey I want to forward incoming connections from a specific ip address on port 443 to port 22
<7> would DNAT be the best way to do that
<7> i was reading and it looks like you can't specify just a port
<7> I want to just redirect incoming tcp connections on 443 to port 22
<8> illsci: you can supply a port with DNAT
<7> how so...
<8> -j DNAT --to-destination 1.2.3.4:22
<7> iptables -t nat -A PREROUTING -i eth1 -p tcp -s 205.131.188.5 --dport 443 -j DNAT -
<7> right...
<7> well why would i have to specify the ip too
<8> because that is the ip where the connection gets forwarded to
<7> it just seems kinda redundant
<7> because it's the same ip that's accepting the connection in the first place
<7> what happened to the REDIRECT target
<7> can you still use that
<7> could i do iptables -t nat -A PREROUTING -i eth1 -p tcp -s 1.2.34.5 --dport 443 -j REDIRECT --to-ports 22 ?
<8> depends on what you want. Do you want connections to your firewall on port 443 to be redirected to port 22 on the firewall?
<7> yeah
<7> it's just a host based firewall
<7> i'm on a network where i can't ssh out to the internet and this is my way around it
<7> i just set up a redirect rule...
<8> -j REDIRECT --to-ports 22
<7> word up!
<7> sweet it's working..
<7> thanks
<9> stupid questions of the day. I'm maintaining a setup like this: two networks, one internal, other external, one machine in the middle. one of the rules I found says: iptables -t mangle -A INPUT -i <internal_iface> -p tcp -s <internal_net> -d ! <external_net> -j MARK --set-mark 80. this mark is later used for routing those packets to a secondary gateway. the questions are: a) has this any sense? seems like the packet is going in, not bein
<10> I have a SNAT rule that snats everything going through a box to a different ip, but for some reason when I ping an external host through the router I see the original ip with tcpdump. what gives?
<9> trandall: the rule specifies the protocol?
<9> as in, -p tcp?
<9> or similar?
<10> no actually it does not
<10> is that required
<10> ?
<10> I want it to NAT all protocols
<9> no, but take in accpount that ping is icmp, not tcp or udp
<9> account*
<10> but manpage says if -p is omitted all is assumed
<10> here is my cmd
<9> yes
<9> ups, wrong channel
<10> iptables -t nat -A POSTROUTING -o eth0 -m nexthop --nexthop $GW -s $LAN_NW/$LAN_NM -j SNAT --to $ext_ip
<10> but when i tcpdump on the wan side I see my internal IPs
<9> I suppose eth0 is the outer nic...
<10> yeah
<9> weird
<9> *should* work
<10> yes, that's what I thought?
<10> i also have another rule, is this maybe breaking that rule
<9> paste it
<10> iptables -t nat -A POSTROUTING -o eth0 -d $WAN_NW/$WAN_NM -s $LAN_NW/$LAN_NM -j SNAT --to $ext_ip
<10> this is so I can talk to my other wan ips
<9> trandall: I suppose $GW is in $WAN_NW
<10> yes, it's the default gw for the isp
<9> is it before or after the other rule?
<9> order is important here
<9> but
<10> the nexthop rule comes first