* access to server @ 2003-04-29 22:49 netfilter_user 2003-04-30 1:10 ` Arnt Karlsen 0 siblings, 1 reply; 8+ messages in thread From: netfilter_user @ 2003-04-29 22:49 UTC (permalink / raw) To: netfilter Hello netfilter users, In my network, Linux machine connect Local net (eth1) with internet (ppp0). As a default all INCOMING traffic is deny. I made some rules to access SMTP, HTTP etc. but its not important now. It is necessery for nodes from local net to access server that is in Internet. The address of this server is 62.233.202.165 and listen on port 23073 and 23083. Rule: "iptables -A FORWARD -i eth1 -p udp -m --multioport --dport 23073,23083 -j ACCEPT" wont work and i have received msg in log like this: Apr 30 02:28:41 slack kernel: IPT:UnhandledForward:IN=eth1 OUT=ppp0 SRC=192.168.1.2 DST=62.233.202.165 LEN=36 TOS=0x00 PREC=0x00 TTL=127 ID=23780 PROTO=UDP SPT=1552 DPT=13073 LEN=16 Im newbe at iptables and cant resolve that problem alone. Maybe anyone of You have got idea how to force that to work. -- Best regards, mailto:netfilter_user@o2.pl ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: access to server 2003-04-29 22:49 access to server netfilter_user @ 2003-04-30 1:10 ` Arnt Karlsen 2003-04-30 1:38 ` Re[2]: " netfilter_user 0 siblings, 1 reply; 8+ messages in thread From: Arnt Karlsen @ 2003-04-30 1:10 UTC (permalink / raw) To: netfilter_user; +Cc: netfilter On Wed, 30 Apr 2003 00:49:31 +0200, netfilter_user <netfilter_user@o2.pl> wrote in message <5436369716.20030430004931@o2.pl>: > Rule: "iptables -A FORWARD -i eth1 -p udp -m --multioport --dport /\ ..is " -m --multioport " a valid match in iptables, or a correct quote of your attempt to write ' -m --multiport ' ? -- ..med vennlig hilsen = with Kind Regards from Arnt... ;-) ...with a number of polar bear hunters in his ancestry... Scenarios always come in sets of three: best case, worst case, and just in case. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re[2]: access to server 2003-04-30 1:10 ` Arnt Karlsen @ 2003-04-30 1:38 ` netfilter_user 2003-04-30 2:47 ` Arnt Karlsen 0 siblings, 1 reply; 8+ messages in thread From: netfilter_user @ 2003-04-30 1:38 UTC (permalink / raw) To: Arnt Karlsen; +Cc: netfilter Hello Arnt, Wednesday, April 30, 2003, 3:10:30 AM, you wrote: AK> On Wed, 30 Apr 2003 00:49:31 +0200, AK> netfilter_user <netfilter_user@o2.pl> wrote in message AK> <5436369716.20030430004931@o2.pl>: >> Rule: "iptables -A FORWARD -i eth1 -p udp -m --multioport --dport AK> /\ AK> ..is " -m --multioport " a valid match in iptables, or a correct AK> quote of your attempt to write ' -m --multiport ' ? damn my wrong...it should looks like this: iptables -A FORWARD -i eth1 -p udp -m --multioport --dport 23073,23083 -j ACCEPT -- Best regards, mailto:netfilter_user@o2.pl ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Re[2]: access to server 2003-04-30 1:38 ` Re[2]: " netfilter_user @ 2003-04-30 2:47 ` Arnt Karlsen 2003-04-30 13:32 ` Re[4]: " netfilter_user 0 siblings, 1 reply; 8+ messages in thread From: Arnt Karlsen @ 2003-04-30 2:47 UTC (permalink / raw) To: netfilter_user; +Cc: netfilter On Wed, 30 Apr 2003 03:38:12 +0200, netfilter_user <netfilter_user@o2.pl> wrote in message <1246491441.20030430033812@o2.pl>: > Hello Arnt, > > Wednesday, April 30, 2003, 3:10:30 AM, you wrote: > > AK> On Wed, 30 Apr 2003 00:49:31 +0200, > AK> netfilter_user <netfilter_user@o2.pl> wrote in message > AK> <5436369716.20030430004931@o2.pl>: > > >> Rule: "iptables -A FORWARD -i eth1 -p udp -m --multioport --dport > AK> /\ > AK> ..is " -m --multioport " a valid match in iptables, or a correct > AK> quote of your attempt to write ' -m --multiport ' ? > > damn my wrong...it should looks like this: > iptables -A FORWARD -i eth1 -p udp -m --multioport --dport 23073,23083 > -j ACCEPT /\ || ..lets try again: I don't find "-m --multioport" _anywhere_ in the docs, so, if you _actually_ try '-m --multioport' in your rule set, it _should_ fail, then you'll wanna try '-m --multiport', without your extra "o". ;-) -- ..med vennlig hilsen = with Kind Regards from Arnt... ;-) ...with a number of polar bear hunters in his ancestry... Scenarios always come in sets of three: best case, worst case, and just in case. ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re[4]: access to server 2003-04-30 2:47 ` Arnt Karlsen @ 2003-04-30 13:32 ` netfilter_user 2003-04-30 14:59 ` Alistair Tonner 0 siblings, 1 reply; 8+ messages in thread From: netfilter_user @ 2003-04-30 13:32 UTC (permalink / raw) To: Arnt Karlsen; +Cc: netfilter Hello Arnt, Wednesday, April 30, 2003, 4:47:45 AM, you wrote: AK> On Wed, 30 Apr 2003 03:38:12 +0200, AK> netfilter_user <netfilter_user@o2.pl> wrote in message AK> <1246491441.20030430033812@o2.pl>: >> Hello Arnt, >> >> Wednesday, April 30, 2003, 3:10:30 AM, you wrote: >> >> AK> On Wed, 30 Apr 2003 00:49:31 +0200, >> AK> netfilter_user <netfilter_user@o2.pl> wrote in message >> AK> <5436369716.20030430004931@o2.pl>: >> >> >> Rule: "iptables -A FORWARD -i eth1 -p udp -m --multioport --dport >> AK> /\ >> AK> ..is " -m --multioport " a valid match in iptables, or a correct >> AK> quote of your attempt to write ' -m --multiport ' ? >> >> damn my wrong...it should looks like this: >> iptables -A FORWARD -i eth1 -p udp -m --multioport --dport 23073,23083 >> -j ACCEPT /\ AK> || AK> ..lets try again: I don't find "-m --multioport" _anywhere_ AK> in the docs, so, if you _actually_ try '-m --multioport' in AK> your rule set, it _should_ fail, then you'll wanna try AK> '-m --multiport', without your extra "o". ;-) Oh yes, now i got, i was too sleepy yestorday to understand. Actualy this rule looks like this: iptables -A FORWARD -i eth1 -p udp -m --multiport --dport 23073,23083 -j ACCEPT and after run, shows no error msg. Thats mean it works but it wont helps me to achive this what i want. I repeat my msg here again: In my network, Linux machine connect Local net (eth1) with internet (ppp0). As a default all INCOMING traffic is deny. I made some rules to access SMTP, HTTP etc. but its not important now. It is necessery for nodes from local net to access server that is in Internet. The address of this server is 62.233.202.165 and listen on port 23073 and 23083. Rule: "iptables -A FORWARD -i eth1 -p udp -m --multiport --dport 23073,23083 -j ACCEPT" wont helps and i have received msg in log like this: Apr 30 02:28:41 slack kernel: IPT:UnhandledForward:IN=eth1 OUT=ppp0 SRC=192.168.1.2 DST=62.233.202.165 LEN=36 TOS=0x00 PREC=0x00 TTL=127 ID=23780 PROTO=UDP SPT=1552 DPT=13073 LEN=16 Im newbe at iptables and cant resolve that problem alone. Maybe anyone of You have got idea how to force that to work. -- Best regards, mailto:netfilter_user@o2.pl ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Re[4]: access to server 2003-04-30 13:32 ` Re[4]: " netfilter_user @ 2003-04-30 14:59 ` Alistair Tonner 2003-04-30 17:00 ` Re[6]: " netfilter_user 0 siblings, 1 reply; 8+ messages in thread From: Alistair Tonner @ 2003-04-30 14:59 UTC (permalink / raw) To: netfilter_user, Arnt Karlsen; +Cc: netfilter On April 30, 2003 09:32 am, netfilter_user wrote: > Hello Arnt, > > Wednesday, April 30, 2003, 4:47:45 AM, you wrote: > > AK> On Wed, 30 Apr 2003 03:38:12 +0200, > AK> netfilter_user <netfilter_user@o2.pl> wrote in message > > AK> <1246491441.20030430033812@o2.pl>: > >> Hello Arnt, > >> > >> Wednesday, April 30, 2003, 3:10:30 AM, you wrote: > >> > >> AK> On Wed, 30 Apr 2003 00:49:31 +0200, > >> AK> netfilter_user <netfilter_user@o2.pl> wrote in message > >> > >> AK> <5436369716.20030430004931@o2.pl>: > >> >> Rule: "iptables -A FORWARD -i eth1 -p udp -m --multioport --dport > >> > >> AK> /\ > >> AK> ..is " -m --multioport " a valid match in iptables, or a correct > >> AK> quote of your attempt to write ' -m --multiport ' ? > >> > >> damn my wrong...it should looks like this: > >> iptables -A FORWARD -i eth1 -p udp -m --multioport --dport 23073,23083 > >> -j ACCEPT /\ > > AK> || > AK> ..lets try again: I don't find "-m --multioport" _anywhere_ > AK> in the docs, so, if you _actually_ try '-m --multioport' in > AK> your rule set, it _should_ fail, then you'll wanna try > AK> '-m --multiport', without your extra "o". ;-) > > Oh yes, now i got, i was too sleepy yestorday to understand. Actualy > this rule looks like this: > > iptables -A FORWARD -i eth1 -p udp -m --multiport --dport 23073,23083 -j > ACCEPT > > and after run, shows no error msg. Thats mean it works but it wont > helps me to achive this what i want. > > I repeat my msg here again: > > In my network, Linux machine connect Local net (eth1) with internet > (ppp0). As a default all INCOMING traffic is deny. I made some rules > to access SMTP, HTTP etc. but its not important now. > It is necessery for nodes from local net to access server that is in > Internet. The address of this server is 62.233.202.165 and listen on port > 23073 and 23083. > > Rule: "iptables -A FORWARD -i eth1 -p udp -m --multiport --dport > 23073,23083 -j ACCEPT" > wont helps and i have received msg in log like this: > > Apr 30 02:28:41 slack kernel: IPT:UnhandledForward:IN=eth1 OUT=ppp0 > SRC=192.168.1.2 DST=62.233.202.165 LEN=36 TOS=0x00 PREC=0x00 TTL=127 > ID=23780 PROTO=UDP SPT=1552 DPT=13073 LEN=16 > From that packet it seems that you want to have --dport accept on port 13073 NOT 23073 ... or perhaps as well as! -- Alistair Tonner nerdnet.ca Senior Systems Analyst - RSS Any sufficiently advanced technology will have the appearance of magic. Lets get magical! ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re[6]: access to server 2003-04-30 14:59 ` Alistair Tonner @ 2003-04-30 17:00 ` netfilter_user 2003-04-30 17:48 ` Alistair Tonner 0 siblings, 1 reply; 8+ messages in thread From: netfilter_user @ 2003-04-30 17:00 UTC (permalink / raw) To: Alistair Tonner; +Cc: Arnt Karlsen, netfilter Hello Alistair, Wednesday, April 30, 2003, 4:59:48 PM, you wrote: AT> On April 30, 2003 09:32 am, netfilter_user wrote: >> Hello Arnt, >> >> Wednesday, April 30, 2003, 4:47:45 AM, you wrote: >> >> AK> On Wed, 30 Apr 2003 03:38:12 +0200, >> AK> netfilter_user <netfilter_user@o2.pl> wrote in message >> >> AK> <1246491441.20030430033812@o2.pl>: >> >> Hello Arnt, >> >> >> >> Wednesday, April 30, 2003, 3:10:30 AM, you wrote: >> >> >> >> AK> On Wed, 30 Apr 2003 00:49:31 +0200, >> >> AK> netfilter_user <netfilter_user@o2.pl> wrote in message >> >> >> >> AK> <5436369716.20030430004931@o2.pl>: >> >> >> Rule: "iptables -A FORWARD -i eth1 -p udp -m --multioport --dport >> >> >> >> AK> /\ >> >> AK> ..is " -m --multioport " a valid match in iptables, or a correct >> >> AK> quote of your attempt to write ' -m --multiport ' ? >> >> >> >> damn my wrong...it should looks like this: >> >> iptables -A FORWARD -i eth1 -p udp -m --multioport --dport 23073,23083 >> >> -j ACCEPT /\ >> >> AK> || >> AK> ..lets try again: I don't find "-m --multioport" _anywhere_ >> AK> in the docs, so, if you _actually_ try '-m --multioport' in >> AK> your rule set, it _should_ fail, then you'll wanna try >> AK> '-m --multiport', without your extra "o". ;-) >> >> Oh yes, now i got, i was too sleepy yestorday to understand. Actualy >> this rule looks like this: >> >> iptables -A FORWARD -i eth1 -p udp -m --multiport --dport 23073,23083 -j >> ACCEPT >> >> and after run, shows no error msg. Thats mean it works but it wont >> helps me to achive this what i want. >> >> I repeat my msg here again: >> >> In my network, Linux machine connect Local net (eth1) with internet >> (ppp0). As a default all INCOMING traffic is deny. I made some rules >> to access SMTP, HTTP etc. but its not important now. >> It is necessery for nodes from local net to access server that is in >> Internet. The address of this server is 62.233.202.165 and listen on port >> 23073 and 23083. >> >> Rule: "iptables -A FORWARD -i eth1 -p udp -m --multiport --dport >> 23073,23083 -j ACCEPT" >> wont helps and i have received msg in log like this: >> >> Apr 30 02:28:41 slack kernel: IPT:UnhandledForward:IN=eth1 OUT=ppp0 >> SRC=192.168.1.2 DST=62.233.202.165 LEN=36 TOS=0x00 PREC=0x00 TTL=127 >> ID=23780 PROTO=UDP SPT=1552 DPT=13073 LEN=16 >> AT> From that packet it seems that you want to have --dport accept on port 13073 AT> NOT 23073 ... or perhaps as well as! ok, so what means a LEN (lenght ???), TOS, PREC ? Is SPT means source port? Is DPT means destination port? Another thing, In client program i have told that i should use port 23073 or 23083 ( 23073 is set as default). Is taht means that when i use rule "iptables -A FORWARD -i eth1 -p udp -m --multiport --dport 23073,23083 -j ACCEPT" i make able demand packets to go out and then server answer from 62.233.202.165:1552(SPT) to my blocked port 13073 (DPT) ? But if its like i suspect, shouldent help rule that i set earlyer? : iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT -- Best regards, mailto:netfilter_user@o2.pl ^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Re[6]: access to server 2003-04-30 17:00 ` Re[6]: " netfilter_user @ 2003-04-30 17:48 ` Alistair Tonner 0 siblings, 0 replies; 8+ messages in thread From: Alistair Tonner @ 2003-04-30 17:48 UTC (permalink / raw) To: netfilter_user; +Cc: Arnt Karlsen, netfilter On April 30, 2003 01:00 pm, netfilter_user wrote: > Hello Alistair, > > Wednesday, April 30, 2003, 4:59:48 PM, you wrote: > > AT> On April 30, 2003 09:32 am, netfilter_user wrote: > >> Hello Arnt, > >> > >> Wednesday, April 30, 2003, 4:47:45 AM, you wrote: > >> > >> AK> On Wed, 30 Apr 2003 03:38:12 +0200, > >> AK> netfilter_user <netfilter_user@o2.pl> wrote in message > >> > >> AK> <1246491441.20030430033812@o2.pl>: > >> >> Hello Arnt, > >> >> > >> >> Wednesday, April 30, 2003, 3:10:30 AM, you wrote: > >> >> > >> >> AK> On Wed, 30 Apr 2003 00:49:31 +0200, > >> >> AK> netfilter_user <netfilter_user@o2.pl> wrote in message > >> >> > >> >> AK> <5436369716.20030430004931@o2.pl>: > >> >> >> Rule: "iptables -A FORWARD -i eth1 -p udp -m --multioport --dport > >> >> > >> >> AK> /\ > >> >> AK> ..is " -m --multioport " a valid match in iptables, or a correct > >> >> AK> quote of your attempt to write ' -m --multiport ' ? > >> >> > >> >> damn my wrong...it should looks like this: > >> >> iptables -A FORWARD -i eth1 -p udp -m --multioport --dport > >> >> 23073,23083 -j ACCEPT /\ > >> > >> AK> || > >> AK> ..lets try again: I don't find "-m --multioport" _anywhere_ > >> AK> in the docs, so, if you _actually_ try '-m --multioport' in > >> AK> your rule set, it _should_ fail, then you'll wanna try > >> AK> '-m --multiport', without your extra "o". ;-) > >> > >> Oh yes, now i got, i was too sleepy yestorday to understand. Actualy > >> this rule looks like this: > >> > >> iptables -A FORWARD -i eth1 -p udp -m --multiport --dport 23073,23083 -j > >> ACCEPT > >> > >> and after run, shows no error msg. Thats mean it works but it wont > >> helps me to achive this what i want. > >> > >> I repeat my msg here again: > >> > >> In my network, Linux machine connect Local net (eth1) with internet > >> (ppp0). As a default all INCOMING traffic is deny. I made some rules > >> to access SMTP, HTTP etc. but its not important now. > >> It is necessery for nodes from local net to access server that is in > >> Internet. The address of this server is 62.233.202.165 and listen on > >> port 23073 and 23083. > >> > >> Rule: "iptables -A FORWARD -i eth1 -p udp -m --multiport --dport > >> 23073,23083 -j ACCEPT" > >> wont helps and i have received msg in log like this: > >> > >> Apr 30 02:28:41 slack kernel: IPT:UnhandledForward:IN=eth1 OUT=ppp0 > >> SRC=192.168.1.2 DST=62.233.202.165 LEN=36 TOS=0x00 PREC=0x00 TTL=127 > >> ID=23780 PROTO=UDP SPT=1552 DPT=13073 LEN=16 > > AT> From that packet it seems that you want to have --dport accept > on port 13073 AT> NOT 23073 ... or perhaps as well as! > > > ok, so what means a LEN (lenght ???), TOS, PREC ? > Is SPT means source port? > Is DPT means destination port? > > Another thing, > In client program i have told that i should use port 23073 or 23083 ( > 23073 is set as default). > Is taht means that when i use rule "iptables -A FORWARD -i eth1 -p udp > -m --multiport --dport 23073,23083 -j ACCEPT" i make able demand > packets to go out and then server answer from 62.233.202.165:1552(SPT) > to my blocked port 13073 (DPT) ? > > But if its like i suspect, shouldent help rule that i set earlyer? : > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT Hmm. Okay ... from this packet *alone* I cannot tell what rules need be there. BUT -- this packet appears to be *from* your inside computer (SRC=192.168.....) and headed to the server to which yau are connecting (DST=62.233.....) SRC = where the packet started DST = where the packet is going SPT= which port on the sending computer emitted the packet DPT = which port on the recieving computer the packet is pointed at. I realize that this is NOT the entire datastream for the connection, but the issue may be that the application uses somewhat more resources than the designers report. I'd have to see the /proc/net/ip_conntrack entry to see if this would be tapped as related,established connection ... but connection a from point a to point b does NOT nessesarily allow all other connections from point a to point b. Further I can't recall at the moment how UDP is handled by EST, REL rules... (I'm a little off lately, have been hammering on wine... so some of my iptables stuff is slipping) -- Alistair Tonner nerdnet.ca Senior Systems Analyst - RSS Any sufficiently advanced technology will have the appearance of magic. Lets get magical! ^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2003-04-30 17:48 UTC | newest] Thread overview: 8+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2003-04-29 22:49 access to server netfilter_user 2003-04-30 1:10 ` Arnt Karlsen 2003-04-30 1:38 ` Re[2]: " netfilter_user 2003-04-30 2:47 ` Arnt Karlsen 2003-04-30 13:32 ` Re[4]: " netfilter_user 2003-04-30 14:59 ` Alistair Tonner 2003-04-30 17:00 ` Re[6]: " netfilter_user 2003-04-30 17:48 ` Alistair Tonner
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.