Network: freenode | Channel: #iptables
Log from #iptables at freenode 2006-07-29
[00:25]<zjgvzzvggvjz>how do I block named on my subnet?
[00:26]<zjgvzzvggvjz>how do I block named on my network?
[00:27]<dnzjzdsvnz>contraventor: block port 53
[00:27]<myzzrrn>hi
[00:27]<myzzrrn>good evening
[00:28]<dnzjzdsvnz>contraventor: however, that will probably make all DNS lookups fail :P
[00:28]<dnzjzdsvnz>Just turn off named?
[00:28]<myzzrrn>I would like translating iptables to Portuguese.
[00:28]<myzzrrn>What should I do?
[00:28]<dnzjzdsvnz>edit the source code. Change all English output to Portuguese output. Do the same with the help files and man pages.
[00:29]<zjgvzzvggvjz>DerJamster doesn't work ;/
[00:29]<myzzrrn>I see. Do I only need to understand the printf function?
[00:29]<zjgvzzvggvjz>DerJamster I'm using pppoe to my client
[00:29]<dnzjzdsvnz>Mirrage: not sure. I don't know the iptables code :>
[00:30]<dnzjzdsvnz>contraventor: what, exactly, are you trying to do?
[00:30]<zjgvzzvggvjz>iptables -A INPUT -p all -s 10.0.1.31 -j DROP
[00:30]<zjgvzzvggvjz>doesn't work ..
[00:30]<zjgvzzvggvjz>my user pings www.host.com, gets a reply with the ip of www.host.com
[00:31]<zjgvzzvggvjz>how do I block 10.0.1.31 totally?
[00:31]<zjgvzzvggvjz>does DROP all work?
[00:31]<zjgvzzvggvjz>Mirrage are you talking from brazil?
[00:31]<myzzrrn>Listen, I have a brief question. Can I tell masquerade not only to masquerade ip-addresses but port numbers as well?
[00:31]<myzzrrn>contraventor, Yes I am.
[00:32]<zjgvzzvggvjz>Mirrage good, I'm brazilian from Bahia
[00:32]<zjgvzzvggvjz>;D
[00:32]<dnzjzdsvnz>contraventor: you just did that. That line blocks everything from 10.0.1.31. However, there might be a rule above it that lets stuff through.
[00:32]<dnzjzdsvnz>remove the '-p all' by the way.. not needed.
[00:34]<myzzrrn>This is my scenario: I would like to run apache above the privileged 1-1024 ports but want iptables to redirect port 80 connections to, say, 1026. That is easy. However, I want answers from 1026 to go out as if their source was port 80.
[00:34]<myzzrrn>contraventor, cool. Bahia is the best.
[00:34]<zjgvzzvggvjz>Mirrage ;D
[00:35]<myzzrrn>DerJamster, would you mind helping me out? If I am not to be abusive by asking.
[00:35]<zjgvzzvggvjz>Mirrage do you know how I drop everything from a connection?
[00:35]<myzzrrn>contraventor, sure
[00:35]<zjgvzzvggvjz>Mirrage like how, for example?
[00:35]<myzzrrn>private message me, contraventor
[00:36]<zjgvzzvggvjz>Mirrage ok
[00:36]<dnzjzdsvnz>matth: hmh. use SNAT
[00:37]<myzzrrn>Hi guys. I want to run apache as non root, meaning, I wanna run it from port numbers higher than 1024. Whereas I still want to have my webserver looking as if it were listening on port 80.
[00:38]<myzzrrn>I know that my outgoing connections must have their source-port as 80, otherwise we would break the tcp logical "connection".
[00:40]<myzzrrn>So?
[00:40]<myzzrrn>Does masquerade include port-number masquerading?
[00:46]<myzzrrn>hello?
[00:46]<myzzrrn>DerJamster, help?
[00:47]<myzzrrn>Can I translate just the MANUAL pages?
[00:49]<dnzjzdsvnz>I don't know. can you? :P
[00:49]<dnzjzdsvnz>I'm not related to netfilter.
[00:49]<myzzrrn>ok
[00:50]<myzzrrn>how about my little masquerading issue?
[00:53]<myzzrrn>If no one helps me I am gonna design an ode to Microsoft ISA Server web site and it will be really famous :o]]
[00:53]<dnzjzdsvnz>No idea, sorry. I think it keeps port numbers the same.
[01:01]<lremmjr>Mirrage: masquerading is for ip address only. if you want to change the port numbers then you are going to have to get creative with your rules to first change the port number before it's received by post routing.
[01:02]<vyrn-vnzsr>question is, why does he want to do this in the first place?
[01:03]<myzzrrn>Lazydog, oh I see. I think I have a lack of architecture insight. Can you tell me which chain and table handles packet alteration whilst passing through the output chain?
[01:03]<myzzrrn>vice-versa, that doesn't really matter but I've explained. Apache won't run as an ordinary user if you bind it to privileged ports.
[01:04]<myzzrrn>vice-versa, I don't want people having to type my address followed by a :portnumber.
[01:04]<myzzrrn>it's not likely the average user will like doing that
[01:05]<vyrn-vnzsr>right, which makes me wonder why you want to create the problem in the first place.
[01:07]<myzzrrn>vice-versa, do you ask what your clients are gonna do with their ultra-modern banana stripper?
[01:07]<myzzrrn>No, you provide the solution.
[01:08]<myzzrrn>Even though I described my motivation, I don't think that matters.
[01:08]<vyrn-vnzsr>good enough, good luck with it
[01:09]<myzzrrn>vice-versa, thanks, you didn't look like you would help me at all.
[01:09]<vyrn-vnzsr>not now ;)
[01:11]<myzzrrn>right. I think I should really read the documentation on iptables before asking. I understand that I could do the same thing using a third-party daemon but I don't want to run a daemon if I have a native kernel solution
[02:09]<-- svgvsdyzgjvr xrs>/dev/null")
[02:11]<rlraxne>in order to obtain high security of the filtering with iptables I'm thinking of checking for syn in state NEW packets... but should I just check for -p tcp --syn or should I go for -p tcp --tcp-flags ALL SYN ?
[02:11]<rlraxne>the latter means that of all flags only syn is set
[02:11]<rlraxne>can a true syn packet contain other flags as well and still be valid ?
[02:37]<wgzggac>hello... I'm trying to do something so simple here but nothing seems to work... I have this machine with two ethernet cards eth0, eth1, with an adsl connection on eth0 and connected to other machine on eth1...
[02:38]<wgzggac>I'm trying with nat to make the other machine have access to internet too, setting this as gateway ... the last rule I tried was: iptables -t nat -A POSTROUTING -s 192.168.1.2 -o eth0, where 192.168.1.2 is the other box... what's wrong here ?
[02:40]<vyrn-vnzsr>Apachez: -p tcp ! --syn -m state --state NEW -j DROP should cover that nicely I would think
[02:40]<wgzggac>I found a lot of tutorials for setting up a machine as a gateway and others using it, but nothing like this...
[02:42]<vyrn-vnzsr>werneck: you're going direct from nic to nic between the two machines?
[02:42]<wgzggac>vice-versa: yes
[02:42]<vyrn-vnzsr>werneck: are you using a crossover cable?
[02:43]<wgzggac>vice-versa: yes, sure
[02:43]<wgzggac>vice-versa: the connection between them is working... I just can't get the other to access the internet too
[02:44]<vyrn-vnzsr>werneck: ok, just making sure as I've been down that road with others
[02:45]<vyrn-vnzsr>werneck: is cat /proc/sys/net/ipv4/ip_forward 1 or 0?
[02:45]<wgzggac>1
[02:46]<vyrn-vnzsr>werneck: can you pastebin the output of iptables-save -c
[02:46]<wgzggac>is it right to use -o eth0, or should I try -o ppp0 ?
[02:46]<wgzggac>ok... just a second
[02:46]<rlraxne>vice-versa: nope, that line won't cover a NEW packet that has only, say, FIN set
[02:47]<rlraxne>a NEW packet according to iptables is a packet that doesn't match any current state
[02:47]<rlraxne>a NEW packet according to iptables is a packet that doesn't match any current connection
[02:49]<wgzggac>vice-versa: http://deadbeefbabe.org/paste/1327
[02:49]<vyrn-vnzsr>Apachez: hmm, I was always under the impression every new connection attempt should begin with a syn packet
[02:51]<vyrn-vnzsr>werneck: are your private addys static?
[02:51]<wgzggac>vice-versa: yes
[02:51]<wgzggac>but dsl is dynamic
[02:52]<rlraxne>vice-versa: check the tutorial in topic :P
[02:52]<vyrn-vnzsr>:)
[02:53]<rlraxne>"However, the packet may as well not be a SYN packet and still be considered NEW."
[02:54]<rlraxne>so I thought of being a bit more strict about what I consider to be NEW for a tcp packet and do something like
[02:55]<rlraxne>-p tcp --tcp-flags ALL SYN -m state --state NEW -j ACCEPT
[02:55]<rlraxne>but in the tcp handshake sequence, of the tcp flags - is SYN the only one allowed to be set ?
[02:55]<rlraxne>or is, say, SYN + URG a valid syn packet in the tcp handshake ?
[02:55]<mrrynfmr>you can also disable connection pickup by echo 0 > /proc/sys/net/netfilter/ip_conntrack_tcp_loose
[02:56]<mrrynfmr>(connection pickup is where NEW is not SYN)