* Re: Help
[not found] <F392BE64738A7143B00E86A5634FBF142C85@akun2900.intra.savi.ch>
@ 2002-10-31 8:50 ` Antony Stone
0 siblings, 0 replies; 16+ messages in thread
From: Antony Stone @ 2002-10-31 8:50 UTC (permalink / raw)
To: Netfilter Mailing List
On Thursday 31 October 2002 8:27 am, Renato Rossi wrote:
> Hi Antony
> I'm sorry for my academical English!
> I have a lot of problems with DNAT.
> I have a web server (192.168.2.1/24) behind a dual-homed firewall ($EXT=eth0
> $EXT_IP=A.B.C.D $INT=eth1 $INT_IP=192.168.2.252).
> I set up a DNAT rule and I can see packets with iptables -L -v -t nat, but
> no packets walk my internal LAN (I use ethereal).
> I modified my rule to see if I can telnet to the web server on port 80, and all is
> OK; SNAT works fine.
>
> # SNAT
> $FW -t nat -A POSTROUTING -o $EXT -s $INT_NET -j SNAT --to-source $EXT_IP
>
> # DNAT
> $FW -t nat -A PREROUTING -p tcp -i $EXT --dport 80 -j DNAT --to-destination 192.168.2.1
>
> # FORWARD
> $FW -A FORWARD -i $EXT -p tcp --dport 80 -d 192.168.2.1 -j ACCEPT
> $FW -A FORWARD -o $EXT -p tcp --dport 80 -s 192.168.2.1 -j ACCEPT
>
> How can I resolve it??
There's no problem with the rules above.
Are you sure your ISP is allowing incoming connections on TCP port 80 ?
Try putting a LOG rule into your PREROUTING chain to log TCP port 80 packets
and see if anything seems to be coming in to the firewall at all.
Antony.
--
The difference between theory and practice is that
in theory there is no difference, whereas in practice there is.
^ permalink raw reply [flat|nested] 16+ messages in thread
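The LOG-rule check suggested in the reply above, worked through as an added example that is not part of the original thread: LOG rules at the two points an inbound port-80 packet has to pass, plus a function that reads the resulting kernel log lines and reports where the packets stop. The prefixes `WEB-PRE:` and `WEB-FWD:`, the function names and the sample log lines are constructed for illustration; `eth0` and `192.168.2.1` come from the quoted message.

```shell
#!/bin/sh
# Added example: locate where inbound TCP/80 packets stop on a DNAT firewall.
# Prefixes, function names and the sample log are constructed for illustration.

EXT=eth0            # external interface, as in the quoted message
WEB=192.168.2.1     # internal web server, as in the quoted message

# Print the temporary LOG rules (run the output as root, delete them afterwards).
# -I places them ahead of existing rules; the limit match keeps a scan or flood
# from filling syslog. In the nat table only the first packet of a connection
# is seen, so expect one WEB-PRE line per connection attempt.
print_log_rules() {
    cat <<EOF
iptables -t nat -I PREROUTING -i $EXT -p tcp --dport 80 -m limit --limit 10/min -j LOG --log-prefix "WEB-PRE: "
iptables -I FORWARD -i $EXT -p tcp --dport 80 -m limit --limit 10/min -j LOG --log-prefix "WEB-FWD: "
EOF
}

# Read kernel log lines on stdin and report the furthest point reached:
#   no-traffic     nothing hit PREROUTING (upstream filtering, wrong interface)
#   not-forwarded  seen in PREROUTING, never in FORWARD (ip_forward, routing)
#   not-rewritten  forwarded, but not towards $WEB (DNAT rule did not match)
#   forwarded      forwarded to $WEB (look at the server or the reply path)
diagnose() {
    pre=0 fwd=0 dnat=0
    while IFS= read -r line; do
        case $line in
            *"WEB-PRE: "*) pre=$((pre + 1)) ;;
            *"WEB-FWD: "*)
                fwd=$((fwd + 1))
                case $line in *" DST=$WEB "*) dnat=$((dnat + 1)) ;; esac ;;
        esac
    done
    if [ "$pre" -eq 0 ] && [ "$fwd" -eq 0 ]; then echo no-traffic
    elif [ "$fwd" -eq 0 ]; then echo not-forwarded
    elif [ "$dnat" -eq 0 ]; then echo not-rewritten
    else echo forwarded
    fi
}

# Constructed sample in the kernel's LOG line format (RFC 5737 addresses).
sample_log() {
    cat <<'EOF'
Oct 31 09:01:02 fw kernel: WEB-PRE: IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.7 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4711 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 31 09:01:02 fw kernel: WEB-FWD: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4711 DF PROTO=TCP SPT=40000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
EOF
}

sample_log | diagnose   # prints: forwarded
```

On a live firewall the input would be the kernel log (for example the output of `dmesg`) piped into `diagnose` after an outside host has tried to connect.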
* Help...
@ 2002-12-11 17:45 manish
0 siblings, 0 replies; 16+ messages in thread
From: manish @ 2002-12-11 17:45 UTC (permalink / raw)
To: netfilter
Hello
It's really nice to see such detailed information about NAT
in the Linux 2.4 NAT HOWTO. It works well but I have a
small problem: I am not able to connect to voice from
my internal LAN to the internet. I am giving you the
details, which will help you to understand my problem.
A----------B----------C
           |
           |
           |
           D
Here A is my Windows client with IP address
192.168.101.1 Mask 255.255.0.0
Here B is my Linux 7.3 server with IP address
192.168.0.1 Mask 255.255.0.0
B is also connected to the Internet with a Generic Serial
Modem (ppp0).
Here C is my Windows client with IP address
192.168.101.3 Mask 255.255.0.0
Here D is my Linux client with IP address 192.168.80.1
Mask 255.255.0.0.
I am sharing the internet with all my clients, i.e. A, C and D,
using this command.
> iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Turn on the IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Up to this point everything works fine; all clients (A, C, D)
share the internet.
Now if I want to start any chat service, i.e. Yahoo
Messenger or the vat tool, the person who has logged on
from A is not able to use audio chat with a person
logged on from C or D.
Even a person who is online from outside this
network is also not able to call or do voice chat.
# I used this command after that
> iptables -t nat -A PREROUTING -i ppp0 -j DNAT --to-destination 192.168.101.3
This time I am able to call people outside from
machine C (192.168.101.3) and am also able to do voice
conversation in vat. But on the other side, A and D are not
able to talk to that person outside the network. Also
the above command will not work for other hosts A and D. At
a time only one machine is able to make a vat
connection from B.
1) What should I do so A, C, and D all together can
call outside and are able to do voice conversation
in vat?
2) What should I do so A can talk to B in Yahoo or vat
voice chat?
Please let me know whether there is any solution for my
problem.
Thanks
Regards.
Manish.
^ permalink raw reply [flat|nested] 16+ messages in thread
* Help...
@ 2002-12-18 15:00 manish
0 siblings, 0 replies; 16+ messages in thread
From: manish @ 2002-12-18 15:00 UTC (permalink / raw)
To: netfilter
^ permalink raw reply [flat|nested] 16+ messages in thread
* Help...
@ 2002-12-18 15:23 manish
2002-12-18 16:00 ` Help Maciej Soltysiak
0 siblings, 1 reply; 16+ messages in thread
From: manish @ 2002-12-18 15:23 UTC (permalink / raw)
To: netfilter
Hello
Can anyone look into my problem? The problem is:
I have set up a small LAN with both wired and wireless
clients; here I am describing only the wired LAN.
I am giving you the details, which will help you to
understand my problem.
A----------B----------C
           |
           |
           |
           D
Here A is my Windows client with IP address
192.168.101.1 Mask 255.255.0.0
Here B is my Linux 7.3 server with IP address
192.168.0.1 Mask 255.255.0.0
B is also connected to the Internet with a Generic
Serial Modem (ppp0).
Here C is my Windows client with IP address
192.168.101.3 Mask 255.255.0.0
Here D is my Linux client with IP address
192.168.80.1 Mask 255.255.0.0.
I am sharing the internet with all my clients, i.e. A, C and D,
using this command.
>iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Turn on the IP forwarding
>echo 1 > /proc/sys/net/ipv4/ip_forward
Up to this point everything works fine; all clients (A, C, D)
share the internet.
Now if I want to start any chat service, i.e. Yahoo
Messenger or the vat tool, the person who has logged on
from A is not able to talk to a person logged on from C or
D. Even a person who is online from outside
this network (somewhere on the internet) is also not able
to call or do voice chat.
# I used this command after that
>iptables -t nat -A PREROUTING -i ppp0 -j DNAT --to-destination 192.168.101.3
This time I am able to call people outside from
machine C (192.168.101.3) and am also able to do voice
conversation in vat. But on the other side, A and D are not
able to talk to that person outside the network. Also
the above command will not work for other hosts A and
D. At a time only one machine is able to make a vat
connection from B.
1) What should I do so A, C, and D all together can
call outside and are able to do voice conversation
in vat, or vice versa?
2) What should I do so A can talk to B in Yahoo or vat
voice chat?
Please let me know whether there is any solution for my
problem. Mostly I want to run vat.
Thanks
Manish.
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Help...
2002-12-18 15:23 Help manish
@ 2002-12-18 16:00 ` Maciej Soltysiak
0 siblings, 0 replies; 16+ messages in thread
From: Maciej Soltysiak @ 2002-12-18 16:00 UTC (permalink / raw)
To: manish; +Cc: netfilter
> >iptables -t nat -A PREROUTING -i ppp0 -j DNAT --to-destination 192.168.101.3
>
> This time I am able to call people outside from
> machine C (192.168.101.3) and am also able to do voice
> conversation in vat. But on the other side, A and D are not
> able to talk to that person outside the network. Also
This looks obvious, as all the traffic coming back to you
from the Internet you are directing to C. All means:
initiated by host A or B too.
> 1) What should I do so A, C, and D all together can
> call outside and are able to do voice conversation
> in vat, or vice versa?
You would need a nat_helper for that protocol, so the router
stores connection information and knows which packets should be
sent to whom.
You could try directing the traffic from that protocol to a
local broadcast address (specify the port of the service),
maybe the applications can manage to filter out their packets
somehow by IDs.
What chat protocol is that?
Regards,
Maciej Soltysiak
^ permalink raw reply [flat|nested] 16+ messages in thread
* help
@ 2003-02-17 10:11 Laxman Gummadavally
0 siblings, 0 replies; 16+ messages in thread
From: Laxman Gummadavally @ 2003-02-17 10:11 UTC (permalink / raw)
To: netfilter
Hi,
How to disable Ipchains in Linux???
I need to enable iptables ...........
Thanks
Laxman
^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: help
@ 2003-02-17 15:04 Khanh Tran
0 siblings, 0 replies; 16+ messages in thread
From: Khanh Tran @ 2003-02-17 15:04 UTC (permalink / raw)
To: Laxman Gummadavally; +Cc: netfilter
Try:
/sbin/chkconfig --level=2345 ipchains off
/sbin/rmmod ipchains
Hope that helps.
Khanh Tran
Network Operations
Sarah Lawrence College
-----Original Message-----
From: Laxman Gummadavally [mailto:laxman@oxynetworks.com]
Sent: Monday, February 17, 2003 5:11 AM
To: netfilter@lists.netfilter.org
Subject: help
Hi,
How to disable Ipchains in Linux???
I need to enable iptables ...........
Thanks
Laxman
^ permalink raw reply [flat|nested] 16+ messages in thread
* help
@ 2003-04-09 9:40 prem nath
0 siblings, 0 replies; 16+ messages in thread
From: prem nath @ 2003-04-09 9:40 UTC (permalink / raw)
To: netfilter
Hi ,
I have problem in configuring firewall using Iptables .I h...
8.0. I am using webmin to configure the firewall.
The existing IP is
2 static IPs are there from the ISP, e.g. 61.11.56.42, 61.11.56.115
The webserver and DNS server are hosted on 61.11.56.42
I have an internal network 192.168.1.x
The Linux box has 2 interfaces: eth0 is 61.11.56.115
eth1 is 192.168.1.19
eth0 is connected to external and internal to switch is connected to
192.168.1.19.
They have a mail server where SMTP and POP3 have to be forwarded.
Please let me know how to NAT 192.168.1.19 with 61.11.56.115.
At the same time the squid proxy should work.
I need to allow ports 80,8080,22,21,23,25,110,1494,1328.
All the queries should reach the DNS server & webserver (61.11.56.42),
e.g. 80,8080,1494,1328
Please do give me a plan so that I can forward all these to both servers
(mail server & webserver).
I have an idea of putting the DNS server in the Linux firewall box but can't forward
the queries to the webserver.
Please do help me out with NATting and forwarding. Getting really confused.
Awaiting reply.
Advance thanks
Regards
Prem
^ permalink raw reply [flat|nested] 16+ messages in thread
* help
@ 2003-06-05 9:19 dawn lin
0 siblings, 0 replies; 16+ messages in thread
From: dawn lin @ 2003-06-05 9:19 UTC (permalink / raw)
To: netfilter
hi,
I have 3 computers A, B and C.
I need A to talk to C through B (not a router).
I was hoping iptables will help me do MAC filtering.
Is it possible?
What I need is A is able to talk to B only and B is to resend A's message to B.
Which is in a way where A wants to talk to C but it can only go through B to
talk to C.
Can anyone advise me how I can use iptables for that?
One scenario:
A sends packets to C -> packet info shows MAC source=A, MAC dest=B, IP
source=A, IP dest=C
When packet reaches B -> packet info shows MAC source=B, MAC dest=C, IP
source=A, IP dest=C
Is that possible?
^ permalink raw reply [flat|nested] 16+ messages in thread
* RE: help
@ 2003-06-10 22:15 George Vieira
0 siblings, 0 replies; 16+ messages in thread
From: George Vieira @ 2003-06-10 22:15 UTC (permalink / raw)
To: dawn lin, netfilter
You have not mentioned anything about IPs so I assume they are on the same subnet. In that case, use a bridge which proxies the ARP requests and MAC addresses on each side of the firewall. Otherwise this won't work without routing.
A and C will see each other via B when B is set up as a bridge. You may need some patching on the kernel for iptables to work on a bridge... not sure, brain dead this morning. ;)
Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au
Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
Phone : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
-----Original Message-----
From: dawn lin [mailto:alantisjun@hotmail.com]
Sent: Thursday, June 05, 2003 7:19 PM
To: netfilter@lists.netfilter.org
Subject: help
hi,
I have 3 computers A, B and C.
I need A to talk to C through B (not a router).
I was hoping iptables will help me do MAC filtering.
Is it possible?
What I need is A is able to talk to B only and B is to resend A's message to B.
Which is in a way where A wants to talk to C but it can only go through B to
talk to C.
Can anyone advise me how I can use iptables for that?
One scenario:
A sends packets to C -> packet info shows MAC source=A, MAC dest=B, IP
source=A, IP dest=C
When packet reaches B -> packet info shows MAC source=B, MAC dest=C, IP
source=A, IP dest=C
Is that possible?
^ permalink raw reply [flat|nested] 16+ messages in thread
* help
[not found] <20030725061502.30342.8650.Mailman@kashyyyk>
@ 2003-07-25 14:33 ` durga prasad
0 siblings, 0 replies; 16+ messages in thread
From: durga prasad @ 2003-07-25 14:33 UTC (permalink / raw)
To: netfilter
--- netfilter-request@lists.netfilter.org wrote:
> Send netfilter mailing list submissions to
> netfilter@lists.netfilter.org
>
> To subscribe or unsubscribe via the World Wide Web, visit
> https://lists.netfilter.org/mailman/listinfo/netfilter
> or, via email, send a message with subject or body
> 'help' to
> netfilter-request@lists.netfilter.org
>
> You can reach the person managing the list at
> netfilter-admin@lists.netfilter.org
>
> When replying, please edit your Subject line so it
> is more specific
> than "Re: Contents of netfilter digest..."
>
>
> Today's Topics:
>
> 1. MARK - set with mask or read, add, set??? (Bill Chappell)
> 2. VLANs and DNAT (Damien Mason)
> 3. ssl forward / proxy question (jen@saturn5.com)
> 4. Re: Not quite understanding DNAT (Philip Craig)
> 5. RE: ssl forward / proxy question (George Vieira)
> 6. (no subject) (Bryan Schmidt)
> 7. Re: -m limit --limt 1/s from "Bryan Schmidt" <absolut_bryan@hotmail.com> (Bill Chappell)
> 8. Re: DNAT question.. (Rio Martin.)
> 9. Re: Installing IPtables-1.2.8 (Jerry M. Howell II)
> 10. Re: Keeping Log (Jerry M. Howell II)
> 11. source quench packets (cc)
> 12. VLANS + intervlan forwarding + SNAT (Damien Mason)
> 13. RE: port-based filtering of IPsec packets? (Rick Kennell)
>
> --__--__--
>
> Message: 1
> Date: Thu, 24 Jul 2003 18:52:37 -0400
> From: Bill Chappell <chappell@borg.com>
> To: netfilter@lists.netfilter.org
> Subject: MARK - set with mask or read, add, set???
>
>
> > Condensed version - I need to share the nfmark with
> > another developer on the same packet, where I use the
> > high-order 8 bits and she can have the low-order 24 bits.
> > Problem is that -j MARK --set-mark writes one unsigned
> > integer so I would wipe out her nfmark and vice versa.
> >
> > I have successfully used a mask in a mark match:
> > iptables -t nat -A mychain -m mark --mark $mymark/0xFF000000
> > and had the packets flow as desired.
> >
> > It was not documented that a mask would work with
> > -j MARK --set-mark <number>/<mask>, but I tried
> > anyway.
> > I used <number> = 0xFF000000 (which does work by itself)
> > with <mask> = 0xFF000000 and <number> = 0xFFFFFFFF
> > with <mask> = 0xFF000000 and got the error message:
> > "Bad MARK value `<number>/<mask>'
> >
> > I could read the existing nfmark, add the second one, and set
> > the summed nfmark, but I do not see any way to read an nfmark
> > in iptables.
> >
> > I do see a solution using the mark match to identify the current
> > nfmark/mask (one rule for each possible nfmark) with the new nfmark
> > equal to the sum of the matching nfmark/mask and the nfmark
> > of the second use, but that gets clunky very quickly as the number
> > of possible nfmarks increases and it forces each use to know
> > which nfmarks the other is using (== reduced modularity).
> >
> > Any help would be greatly appreciated and attributed in the project.
> >
> > Thank you.
> >
> > Bill Chappell
> >
> > --
> > William Chappell, Software Engineer, Critical Technologies, Inc.
> > Suite 400 Technology Center, 4th Floor 1001 Broad Street, Utica, NY 13501
> > 315-793-0248 x148 < bill.chappell@critical.com > www.critical.com
> >
> --__--__--
>
> Message: 2
> Date: Fri, 25 Jul 2003 09:40:02 +1000
> From: Damien Mason <kinetic@suse.net.au>
> To: netfilter@lists.netfilter.org
> Subject: VLANs and DNAT
>
> Hi Everyone,
>
=== message truncated ===
=====
DURGAPRASAD
--
http://www.linuxindguy.com
UNDERSTANDING ARISES THROUGH MAKING !!!!!!!
^ permalink raw reply [flat|nested] 16+ messages in thread
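The digest quoted in the message above carries Bill Chappell's question about two users sharing one nfmark. Later iptables releases accept a mask on the MARK target (`--set-mark value/mask`, `--set-xmark value/mask`, `--and-mark`, `--or-mark`, `--xor-mark`); the following added example, which is not code from the thread, models those operations in shell arithmetic so the effect on each bit field can be checked without touching a live ruleset. The field values 0xAB and 0x1234, the mangle-table rules in the comments and the function names are constructed.

```shell
#!/bin/sh
# Added example: model how the MARK target rewrites a 32-bit nfmark, using the
# split from the quoted question (high 8 bits for one user, low 24 for the
# other). Values and function names are constructed for illustration.

HIGH_MASK=0xFF000000   # first developer's field
LOW_MASK=0x00FFFFFF    # second developer's field

# Every MARK option reduces to: new = (old & ~mask) ^ value
# usage: mark_target OP OLD ARG [MASK]     (MASK defaults to all 32 bits)
mark_target() {
    op=$1 old=$2 arg=$3 mask=${4:-0xFFFFFFFF}
    case $op in
        set-xmark) v=$arg m=$mask ;;                 # clear mask bits, XOR value
        set-mark)  v=$arg m=$(( $mask | $arg )) ;;   # clear mask bits, OR value
        and-mark)  v=0    m=$(( ~$arg )) ;;          # old & arg
        or-mark)   v=$arg m=$arg ;;                  # old | arg
        xor-mark)  v=$arg m=0 ;;                     # old ^ arg
        *) echo "unknown op: $op" >&2; return 2 ;;
    esac
    printf '0x%08X\n' $(( (($old & ~($m)) ^ $v) & 0xFFFFFFFF ))
}

# -m mark --mark value/mask matches when (mark & mask) == value.
# usage: mark_matches MARK VALUE MASK
mark_matches() {
    [ $(( $1 & $3 )) -eq $(( $2 )) ]
}

# Each side writes only its own field, e.g. (hypothetical rules):
#   iptables -t mangle -A PREROUTING -j MARK --set-mark 0xAB000000/0xFF000000
#   iptables -t mangle -A PREROUTING -j MARK --set-mark 0x00001234/0x00FFFFFF
shared_mark() {
    first=$(mark_target set-mark 0x00000000 0xAB000000 "$HIGH_MASK")
    mark_target set-mark "$first" 0x00001234 "$LOW_MASK"
}

# The behaviour described in the question: without a mask the second write
# replaces the whole mark and the first user's field is lost.
clobbered_mark() {
    first=$(mark_target set-mark 0x00000000 0xAB000000)
    mark_target set-mark "$first" 0x00001234
}

shared_mark      # prints: 0xAB001234
clobbered_mark   # prints: 0x00001234
```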
* help...
@ 2003-12-14 22:30 Cristiano Soares
2003-12-17 18:09 ` help Ian Hunter
0 siblings, 1 reply; 16+ messages in thread
From: Cristiano Soares @ 2003-12-14 22:30 UTC (permalink / raw)
To: netfilter
Hi, I would like to know if you guys could help me with a simple problem that I'm having trying to set up a network server. I have a DSL connection and I'm sharing it with a network. I had set up the DHCPD server, all the DHCP clients in my network can receive an IP from the server, but they can't browse. I know that there are some lines that I have to set up to make the server allow the clients to browse normally, and I also know that it has something to do with iptables and masquerading. Please, I need help doing this. I have MSN and ICQ if anyone would like to help me. I have an SSH server running also. Please, please, I need help. Thanks a lot.
MSN: stillnick@hotmail.com
ICQ #: 3794264
Signed: Cristian Soares
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: help...
2003-12-14 22:30 help Cristiano Soares
@ 2003-12-17 18:09 ` Ian Hunter
2003-12-17 18:22 ` help Antony Stone
0 siblings, 1 reply; 16+ messages in thread
From: Ian Hunter @ 2003-12-17 18:09 UTC (permalink / raw)
To: netfilter; +Cc: Cristiano Soares
Start off by giving us your existing rules?
----- Original Message -----
From: "Cristiano Soares" <stillnick@terra.com.br>
To: <netfilter@lists.netfilter.org>
Sent: Sunday, December 14, 2003 5:30 PM
Subject: help...
Hi, I would like to know if you guys could help me with a simple problem that
I'm having trying to set up a network server. I have a DSL connection and I'm
sharing it with a network. I had set up the DHCPD server, all the DHCP
clients in my network can receive an IP from the server, but they can't
browse. I know that there are some lines that I have to set up to make the
server allow the clients to browse normally, and I also know that it has
something to do with iptables and masquerading. Please, I need help doing
this. I have MSN and ICQ if anyone would like to help me. I have an SSH server
running also. Please, please, I need help. Thanks a lot.
MSN: stillnick@hotmail.com
ICQ #: 3794264
Signed: Cristian Soares
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: help...
2003-12-17 18:09 ` help Ian Hunter
@ 2003-12-17 18:22 ` Antony Stone
0 siblings, 0 replies; 16+ messages in thread
From: Antony Stone @ 2003-12-17 18:22 UTC (permalink / raw)
To: netfilter
On Wednesday 17 December 2003 6:09 pm, Ian Hunter wrote:
> Start off by giving us your existing rules?
> ----- Original Message -----
> From: "Cristiano Soares" <stillnick@terra.com.br>
> To: <netfilter@lists.netfilter.org>
> Sent: Sunday, December 14, 2003 5:30 PM
> Subject: help...
>
> Hi, I would like to know if you guys could help me with a simple problem that
> I'm having trying to set up a network server. I have a DSL connection and I'm
> sharing it with a network. I had set up the DHCPD server, all the DHCP
> clients in my network can receive an IP from the server, but they can't
> browse. I know that there are some lines that I have to set up to make the
> server allow the clients to browse normally, and I also know that it has
> something to do with iptables and masquerading. Please, I need help doing
> this. I have MSN and ICQ if anyone would like to help me. I have an SSH server
> running also. Please, please, I need help. Thanks a lot.
Sounds like this guy simply needs to know:
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
If that doesn't do the trick then yes, post your existing ruleset and tell us
what works and what doesn't (and how you're testing it).
Antony.
--
Abandon hope, all ye who enter here.
You'll feel much better about things once you do.
Please reply to the list;
please don't CC me.
^ permalink raw reply [flat|nested] 16+ messages in thread
* help
@ 2010-09-20 12:06 Marcos
2010-09-20 12:16 ` help Oskar Berggren
0 siblings, 1 reply; 16+ messages in thread
From: Marcos @ 2010-09-20 12:06 UTC (permalink / raw)
To: netfilter
help
^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: help
2010-09-20 12:06 help Marcos
@ 2010-09-20 12:16 ` Oskar Berggren
0 siblings, 0 replies; 16+ messages in thread
From: Oskar Berggren @ 2010-09-20 12:16 UTC (permalink / raw)
To: Marcos; +Cc: netfilter
Are you kidnapped? Where should we send the police?
/Oskar
2010/9/20 Marcos <mczueira@yahoo.com.br>:
> help
^ permalink raw reply [flat|nested] 16+ messages in thread