binding nntp to one interface

binding nntp to one interface

[Rasmus Reinholdt Nielsen]

Hi

I have two different internet connections, to two different ISP's, set up 
as load balancing.

My problem is that both my isp's have ip restricted their newsservers, so I 
need to bind all outgoing trafic on port 119 to a specific interface or ip. 
Anybody knows how to do this?

I have tried using redirect but it didn't work

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 119 -j REDIRECT --to 
<wan-ip>

and I get an error of "Invalid argument" on this SNAT rule

iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 119 -j SNAT --to <wan-ip>

hope somebody knows haw to do this.

Thanks

/Rasmus

Re: binding nntp to one interface

[Anders Fugmann]

Rasmus Reinholdt Nielsen wrote:
> Hi
> 
> I have two different internet connections, to two different ISP's, set 
> up as load balancing.
> 
> My problem is that both my isp's have ip restricted their newsservers, 
> so I need to bind all outgoing trafic on port 119 to a specific 
> interface or ip. Anybody knows how to do this?

You have to use the iproute2 program package to do this. iptables cannot 
set or change routes, only hint on how routing should be done by marking
packets. In the mangle-PREROUTING chain, use the MARK target to mark the
packets with some id:

iptables -t mangel -A PREROUTING -d news.isp.dk --dport 119 -j MARK 
--set-mark 1
iptables -t mangel -A OUTPUT -d news.isp.dk --dport 119 -j MARK --set-mark 1

Next use the iproute2 package and create a routing policy, which
send the packets in the correct routing table.

I'm not that familliar with iproute2, but i guess that the following 
would work:

list all possible routes to the news server:
$ ip route get news.isp.dk
This should list two routes:
xx.xx.xx.xx dev eth0 src yy.yy.yy.yy realms AA...
xx.xx.xx.xx dev eth1 src zz.zz.zz.zz realms BB...

Say that you want to route through eth0, then instruct the routing that 
it should route all packets with mark 10 to this realm:
$ ip rule add fwmark 10 table BB prio 100

As I said, I am not familliar with this, so it is only a qualified 
guess. Take a look at lartc.org and the documentation in the iproute 
package on howto set this up.

Hope it works
Anders Fugmann

-- 
Author of FIAIF
FIAIF Is An Intelligent/Iptables FIREWALL
http://fiaif.fugmann.dhs.org

Re: binding nntp to one interface

[Antony Stone]

On Thursday 12 September 2002 8:05 am, Rasmus Reinholdt Nielsen wrote:

> Hi
>
> I have two different internet connections, to two different ISP's, set up
> as load balancing.
>
> My problem is that both my isp's have ip restricted their newsservers, so I
> need to bind all outgoing trafic on port 119 to a specific interface or ip.
> Anybody knows how to do this?

I'm not sure I understand the problem.

You have an nntp server set up to connect to your ISP's nntp server (either 
one, or both, of your ISPs).

Because your ISPs systems are very close (in network hops) to your external 
interface, surely your routing makes sure that requests to ISP A's nntp 
server go through the connection to ISP A, and requests to ISP B's nntp 
server go through the connection to ISP B ?

Then you just need to decide whether your nntp server is going to connect 
only to one, or to both, of your ISPs.

Alternatively, if your routing doesn't automatically determine which way to 
get to either of your ISPs servers, a few iproute2 commands should fix this.

I don't think you need to do anything with netfilter (in fact I don't think 
you can) because this sounds like a routing issue, not a filtering problem.

Antony.

-- 

Anyone that's normal doesn't really achieve much.

 - Mark Blair, Australian rocket engineer

IPTABLES NewBie

[HareRam]

Hi all

iam using Redhat 7.2 with Iptable 1.2.4 upgraded
and patched with p-o-m
now my application is allow only register mac Address and rest all drop
i am having home based network
ever customer have give specific address, since they have regiter only one
PC for Browsing
he should get only for that PC,, they are using Winproxy and consuming lot
of bandwidth

can i have small example how do i enable only register MAC to allow all
Services
rest all should deny directly

right now iam using like this script
iam forwarding all the 80 port traffic to squid cache server


m=modprobe
$m ip_conntrack_ftp
$m ip_conntrack_irc
$m ip_conntrack
$m ip_nat_ftp
$m ip_nat_irc
$m ip_queue
$m iptable_filter
$m iptable_mangle
$m iptable_nat
$m ip_tables
$m ipt_limit
$m ipt_LOG
$m ipt_mac
$m ipt_mark
$m ipt_MARK
$m ipt_MASQUERADE
$m ipt_MIRROR
$m ipt_multiport
$m ipt_owner
$m ipt_REDIRECT
$m ipt_REJECT
$m ipt_state
$m ipt_tcpmss
$m ipt_TCPMSS
$m ipt_tos
$m ipt_TOS
$m ipt_unclean
/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables -t nat -A PREROUTING -s 192.168.20.0/24 -p tcp --dport 80 -j
REDIRECT --to-port 3129
/sbin/iptables -t nat -A PREROUTING -s 192.168.3.0/24 -p tcp --dport 80 -j
REDIRECT --to-port 3129
/sbin/iptables -t nat -A POSTROUTING -s 192.168.20.0/24 -o eth0 -j
MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o eth0 -j MASQUERADE


suggest me how do i have sample to add, to deny un authorised MAC address

thanks in advance
hare

Re: IPTABLES NewBie

[Antony Stone]

On Thursday 12 September 2002 12:31 pm, HareRam wrote:

> can i have small example how do i enable only register MAC to allow all
> Services
> rest all should deny directly

I suggest you create a special user-defined chain for MAC address matching, 
and call it near the top of your FORWARD chain:

iptables -N macmatch

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j macmatch
... other FORWARDing rules allowing specific protocols etc ...

iptables -A macmatch -m mac --mac-source 00:11:22:33:44:55 -j RETURN
iptables -A macmatch -m mac --mac-source 11:22:33:44:55:66 -j RETURN
iptables -A macmatch -m mac --mac-source 22:33:44:55:66:77 -j RETURN
iptables -A macmatch -j DROP

where the macmatch rules list all your permitted MAC addresses.

The reason for putting the jump to the macmatch chain after the ESTABLISHED, 
RELATED rule in your FORWARD chain is so that MAC matching is only done on 
the first packet of each connection - if that is accepted then there's no 
need to do all the checking again for every other packet in the connection.

Antony.

-- 

Most people are aware that the Universe is big.

 - Paul Davies, Professor of Theoretical Physics

NAT and NAT

[HareRam]

Hi all 

i have ADSL connection
ADSL provider didnot provide Public IP
he is doing NAT with ADSL router

iam trying to have Redhat Box as a gateway for all
my ADSL router ip is 192.168.40.1
my router (linux is 192.168.40.2, gateway is 192.168.40.1)
now any Router (Linux) another ethernet start from 192.168.30.1
and client ip start from 192.168.30.2.... 253.
iam running transparent Squid also

and i have another Link which is Public IP also connected to same network
here iam using another Linux Server with Different IP block
192.169.100.1 ethernet 1 and clients are from 192.168.100.2 onwards


now iam looking
i want to club both network to one  IP block and Serve them load balance
is this NAT and NAT os possible
is there any performance issues
is there any limitations
how do the load automatically shift if link 1 down to link 2
how do the load automatically shift if link 2 down to link 1

any sample URL or script will be appriciated

thanks
hare

Re: binding nntp to one interface

[Anders Fugmann]

Rasmus Reinholdt Nielsen wrote:
> thanks a lot
> 
> it seams like its working now
Perfect. Glad I could help.
Just to be sure, was all the steps I gave you correct?

Regards
Anders Fugmann

-- 
Neo: 'Can you fly that thing?'
Trinity: 'Not yet'.
$ apt-get install pilot-prg-v212helicopter.

Re: binding nntp to one interface

[Rasmus Reinholdt Nielsen]

almost

insmod /lib/modules/2.4.19-pre9/kernel/net/ipv4/netfilter/iptable_mangle.o
iptables -t mangle -A PREROUTING -d news.isp.dk -j MARK --set-mark 1
iptables -t mangle -A OUTPUT -d news.isp.dk -j MARK --set-mark 1

for the iptables marking and

echo 203 table1.out >> /etc/iproute2/rt_tables
echo 204 table2.out >> /etc/iproute2/rt_tables
ip rule add fwmark 1 table table1.out
ip rule add fwmark 2 table table2.out

ip route add default via <gateway1> dev ppp0 table table1.out
ip route add default via <gateway2> dev eth2 table table2.out

for iproute2

and it all work like a beuty

Thanks again

Rasmus

At 13:51 12-09-2002 +0200, Anders Fugmann wrote:
>Rasmus Reinholdt Nielsen wrote:
>>thanks a lot
>>it seams like its working now
>Perfect. Glad I could help.
>Just to be sure, was all the steps I gave you correct?
>
>Regards
>Anders Fugmann
>
>--
>Neo: 'Can you fly that thing?'
>Trinity: 'Not yet'.
>$ apt-get install pilot-prg-v212helicopter.

iptables newbie

[ads nat]

[-- Attachment #1: Type: text/plain, Size: 1235 bytes --]

Hi,
I have Linux REDHAT 8.0 server. Iptables are installed while installing Linux 8.0. version 1.2.6a
 
I am getting following error.
 
[root@xyz root]# /etc/init.d/iptables restart
Flushing all current rules and user defined chains:        [  OK  ]
Clearing all current rules and user defined chains:        [  OK  ]
Applying iptables firewall rules: iptables-restore v1.2.6a: Unknown arg `--dport'
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
                                                           [FAILED]
 
In iptables file i have used  :
*filter
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
-A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
-A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
COMMIT
*nat 
-A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
COMMIT
 
Do i have to install any additional module.
Thanks

 


---------------------------------
Do you Yahoo!?
Yahoo! SiteBuilder - Free, easy-to-use web site design software

[-- Attachment #2: Type: text/html, Size: 1935 bytes --]

Re: iptables newbie

[Pascal Vilarem]

you could have run the equivalent iptables command lines of each line in 
order to
find the wrong one by yourself :-(

for your problem, try to write the last line using -m parameter:
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-port 3128

or check your RH-Lokkit-0-50-INPUT definition.

hope this can help,
Pascal.


ads nat wrote:

> Hi,
> I have Linux REDHAT 8.0 server. Iptables are installed while 
> installing Linux 8.0. version 1.2.6a
>  
> I am getting following error.
>  
> [root@xyz root]# /etc/init.d/iptables restart
> Flushing all current rules and user defined chains:        [  OK  ]
> Clearing all current rules and user defined chains:        [  OK  ]
> Applying iptables firewall rules: iptables-restore v1.2.6a: Unknown 
> arg `--dport'
> Try `iptables-restore -h' or 'iptables-restore --help' for more 
> information.
>                                                            [FAILED]
>  
> In iptables file i have used  :
> *filter
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 0:1023 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 2049 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 0:1023 -j REJECT
> -A RH-Lokkit-0-50-INPUT -p udp -m udp --dport 2049 -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 6000:6009 --syn -j REJECT
> -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 7100 --syn -j REJECT
> COMMIT
> *nat
> -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
> COMMIT
>  
> Do i have to install any additional module.
> Thanks
>
>  
> ------------------------------------------------------------------------
> Do you Yahoo!?
> Yahoo! SiteBuilder 
> <http://us.rd.yahoo.com/evt=10469/*http://sitebuilder.yahoo.com> - 
> Free, easy-to-use web site design software 

iptables newbie

[Johan Cimen]

Hi!

I am an iptables newbie and this is what I want do do with iptables:
1. I want to ulog incomming packets at PREROUTING, incomming at specific
ports with UDP protocol.
2. I am going to generate UDP packets from my local station, from specific
ports.
3. I want to set TOS and TTL fields of my packets matching specific ports
at OUTPORT or POSTROUTING.

Problem that I have is:
1. I cannot use:
   iptables -t mangle -A OUTPUT -o $IFACE -p UDP --dport 7001 -j TOS
--set-tos 0x10
   Using iptables -L shows nothing under OUTPUT headline.
   I cannot use tables at all.
2. I cannot use (just an example, nothing to do with what i want to do):
   iptables -A POSTROUTING -o $IFACE -p UDP --dport 7001
   iptables says: No chain/target/match by that name
   Above iptable command works for INPUT, FORWARD and OUTPUT chains.

Question is:
1. Have I missed something in my kernel configurations?
2. Have I missed something in building chains and targets?
3. I need help!

-Johan-


This is a part of my kernel konfigurations:
# Loadable module support

CONFIG_MODULES=y
CONFIG_MODVERSIONS=y
CONFIG_KMOD=y

# Networking options

CONFIG_PACKET=m
# CONFIG_PACKET_MMAP is not set
CONFIG_NETLINK_DEV=m
CONFIG_NETFILTER=y
CONFIG_NETFILTER_DEBUG=y
CONFIG_FILTER=y
CONFIG_UNIX=y
CONFIG_INET=y
CONFIG_IP_MULTICAST=y
CONFIG_IP_ADVANCED_ROUTER=y
CONFIG_IP_MULTIPLE_TABLES=y
CONFIG_IP_ROUTE_FWMARK=y
CONFIG_IP_ROUTE_NAT=y
CONFIG_IP_ROUTE_MULTIPATH=y
CONFIG_IP_ROUTE_TOS=y
CONFIG_IP_ROUTE_VERBOSE=y
CONFIG_IP_ROUTE_LARGE_TABLES=y
# CONFIG_IP_PNP is not set
CONFIG_NET_IPIP=m
CONFIG_NET_IPGRE=m
# CONFIG_NET_IPGRE_BROADCAST is not set
# CONFIG_IP_MROUTE is not set
# CONFIG_ARPD is not set
CONFIG_INET_ECN=y
# CONFIG_SYN_COOKIES is not set

# Ip_ Netfilter Configuration

CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_FTP=m
# CONFIG_IP_NF_AMANDA is not set
# CONFIG_IP_NF_TFTP is not set
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_LIMIT=m
CONFIG_IP_NF_MATCH_MAC=m
CONFIG_IP_NF_MATCH_PKTTYPE=m
CONFIG_IP_NF_MATCH_MARK=m
CONFIG_IP_NF_MATCH_MULTIPORT=y
CONFIG_IP_NF_MATCH_TOS=y
CONFIG_IP_NF_MATCH_NTH=m
# CONFIG_IP_NF_MATCH_IPV4OPTIONS is not set
# CONFIG_IP_NF_MATCH_RECENT is not set
CONFIG_IP_NF_MATCH_ECN=m
CONFIG_IP_NF_MATCH_DSCP=m
CONFIG_IP_NF_MATCH_AH_ESP=m
CONFIG_IP_NF_MATCH_LENGTH=m
CONFIG_IP_NF_MATCH_TTL=m
CONFIG_IP_NF_MATCH_TCPMSS=m
CONFIG_IP_NF_MATCH_HELPER=m
CONFIG_IP_NF_MATCH_STATE=m
# CONFIG_IP_NF_MATCH_CONNLIMIT is not set
CONFIG_IP_NF_MATCH_CONNTRACK=m
# CONFIG_IP_NF_MATCH_UNCLEAN is not set
# CONFIG_IP_NF_MATCH_OWNER is not set
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_NETLINK=m
# CONFIG_IP_NF_TARGET_MIRROR is not set
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=M
CONFIG_IP_NF_TARGET_MASQUERADE=M
CONFIG_IP_NF_TARGET_REDIRECT=M
# CONFIG_IP_NF_NAT_LOCAL is not set
# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
CONFIG_IP_NF_NAT_IRC=m
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_MANGLE=y
CONFIG_IP_NF_TARGET_TOS=y
CONFIG_IP_NF_TARGET_ECN=m
CONFIG_IP_NF_TARGET_DSCP=y
CONFIG_IP_NF_TARGET_MARK=y
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_TTL=y
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TCPMSS=m
# CONFIG_IP_NF_ARPTABLES is not set
# CONFIG_IPV6 is not set
# CONFIG_KHTTPD is not set
# CONFIG_ATM is not set
CONFIG_VLAN_8021Q=m
# CONFIG_IPX is not set
# CONFIG_ATALK is not set

Re: iptables newbie

[John A. Sullivan III]

On Sat, 2003-12-27 at 08:31, Johan Cimen wrote:
> Hi!
> 
> I am an iptables newbie and this is what I want do do with iptables:
> 1. I want to ulog incomming packets at PREROUTING, incomming at specific
> ports with UDP protocol.
> 2. I am going to generate UDP packets from my local station, from specific
> ports.
> 3. I want to set TOS and TTL fields of my packets matching specific ports
> at OUTPORT or POSTROUTING.
> 
> Problem that I have is:
> 1. I cannot use:
>    iptables -t mangle -A OUTPUT -o $IFACE -p UDP --dport 7001 -j TOS
> --set-tos 0x10
>    Using iptables -L shows nothing under OUTPUT headline.
>    I cannot use tables at all.
> 2. I cannot use (just an example, nothing to do with what i want to do):
>    iptables -A POSTROUTING -o $IFACE -p UDP --dport 7001
>    iptables says: No chain/target/match by that name
>    Above iptable command works for INPUT, FORWARD and OUTPUT chains.
> 
> Question is:
> 1. Have I missed something in my kernel configurations?
> 2. Have I missed something in building chains and targets?
> 3. I need help! <snip>

Are you remembering to specify the table with -t mangle or -t nat if you
are not using the filter table? You do this in rule #1 but not rule #2
and if you do iptables -L OUTPUT you will see the rules of the filter
table OUTPUT chain and not mangle or nat.  Good luck - John
-- 
John A. Sullivan III
Chief Technology Officer
Nexus Management
+1 207-985-7880
john.sullivan@nexusmgmt.com
---
If you are interested in helping to develop a GPL enterprise class
VPN/Firewall/Security device management console, please visit
http://iscs.sourceforge.net 

Re: iptables newbie

[Johan Cimen]

A more precise explanation of my problem:
When I use below command within my script,

iptables -t mangle -A OUTPUT -o $IFACE -p UDP --dport 7001 -j TOS
--set-tos 0x10

where I have an iptables -L at the very end, I can see the results:

Chain OUTPUT (policy ACCEPT)
target  prot opt source  destination
TOS     udp -- anywhere  anywhere    udp dpt:7001 TOS set Maximize-Throughput

But very next used: iptables -L at my prompt shows nothing else than
headlines. The results shown from my script are disapeared! iptables -L
was the last thing my script did before exit 0.

> On Sat, 2003-12-27 at 08:31, Johan Cimen wrote:
> > Problem that I have is:
> > 1. I cannot use:
> >    iptables -t mangle -A OUTPUT -o $IFACE -p UDP --dport 7001 -j TOS
> > --set-tos 0x10
> >    Using iptables -L shows nothing under OUTPUT headline.

#2 below was just an example used at prompt. If I use iptables command
without tables, because tables used at prompt are not shown:
iptables -A OUTPUT -o $IFACE -p UDP --dport 7001,
And after that using iptables -L shows:

Chain OUTPUT (policy ACCEPT)
target  prot opt source  destination
        udp -- anywhere  anywhere

But if I use PREROUTING or POSTROUTING it says: No chain/target/match by
that name. I cannot use PREROUTING and POSTROUTING at prompt, which is
possible in script.

> > 2. I cannot use (just an example, nothing to do with what i want to do):
> >    iptables -A POSTROUTING -o $IFACE -p UDP --dport 7001

> >    iptables says: No chain/target/match by that name
> >    Above iptable command works for INPUT, FORWARD and OUTPUT chains.


> On Sat, 27 Dec 2003, John A. Sullivan III wrote:
> Are you remembering to specify the table with -t mangle or -t nat if you
> are not using the filter table? You do this in rule #1 but not rule #2
> and if you do iptables -L OUTPUT you will see the rules of the filter
> table OUTPUT chain and not mangle or nat.  Good luck - John

Yes I understand that I have to use -t mangle if I dont use filter table.
But I cannot se the results from my commands included with -t mangle. Is
this not possible? If not, why is my script showing results that are
disapeared after execution of my script terminations?

What I am trying to explain is that I got results when I am using iptables
commands in my script and those are disapeared after the termination of my
scripts. And I am trying to say that if I use iptables commands without
tables and without PREROUTING, POSTROUTING, its OK, but I want to use
tables and PREROUTING, POSTROUTING as well in script as at prompt. I
cannot do this.

Suggestions ??

 -Johan-

Re: iptables newbie

[Iced Tea]

----- Original Message ----- 
From: "Johan Cimen" <c99jcn@cs.umu.se>
To: "John A. Sullivan III" <john.sullivan@nexusmgmt.com>
Cc: <netfilter@lists.netfilter.org>
Sent: Saturday, December 27, 2003 6:05 PM
Subject: Re: iptables newbie


>
> A more precise explanation of my problem:
> When I use below command within my script,
>
> iptables -t mangle -A OUTPUT -o $IFACE -p UDP --dport 7001 -j TOS
> --set-tos 0x10
>
> where I have an iptables -L at the very end, I can see the results:
>
> Chain OUTPUT (policy ACCEPT)
> target  prot opt source  destination
> TOS     udp -- anywhere  anywhere    udp dpt:7001 TOS set
Maximize-Throughput

for detailed information use verbose option -v:

iptables -vL OUTPUT

tschoe
  Ulrich

Re: iptables newbie

[Johan Cimen]

On Sat, 27 Dec 2003, Iced Tea wrote:

> >
> > A more precise explanation of my problem:
> > When I use below command within my script,
> >
> > iptables -t mangle -A OUTPUT -o $IFACE -p UDP --dport 7001 -j TOS
> > --set-tos 0x10
> >
> > where I have an iptables -L at the very end, I can see the results:
> >
> > Chain OUTPUT (policy ACCEPT)
> > target  prot opt source  destination
> > TOS     udp -- anywhere  anywhere    udp dpt:7001 TOS set
> Maximize-Throughput
>
> for detailed information use verbose option -v:
>
> iptables -vL OUTPUT

Noop! Shows nothing as usually.

Thanks for your suggestion.

-Johan-

RE: iptables newbie

[Mark E. Donaldson]

The command defaults to the filter table if no table is specified  as an
argument.  Try  iptables -v -n -x -L -t mangle and see what you get.

-----Original Message-----
From: netfilter-admin@lists.netfilter.org
[mailto:netfilter-admin@lists.netfilter.org] On Behalf Of Johan Cimen
Sent: Saturday, December 27, 2003 9:05 AM
To: John A. Sullivan III
Cc: netfilter@lists.netfilter.org
Subject: Re: iptables newbie


A more precise explanation of my problem:
When I use below command within my script,

iptables -t mangle -A OUTPUT -o $IFACE -p UDP --dport 7001 -j TOS --set-tos
0x10

where I have an iptables -L at the very end, I can see the results:

Chain OUTPUT (policy ACCEPT)
target  prot opt source  destination
TOS     udp -- anywhere  anywhere    udp dpt:7001 TOS set
Maximize-Throughput

But very next used: iptables -L at my prompt shows nothing else than
headlines. The results shown from my script are disapeared! iptables -L was
the last thing my script did before exit 0.

> On Sat, 2003-12-27 at 08:31, Johan Cimen wrote:
> > Problem that I have is:
> > 1. I cannot use:
> >    iptables -t mangle -A OUTPUT -o $IFACE -p UDP --dport 7001 -j TOS 
> > --set-tos 0x10
> >    Using iptables -L shows nothing under OUTPUT headline.

#2 below was just an example used at prompt. If I use iptables command
without tables, because tables used at prompt are not shown:
iptables -A OUTPUT -o $IFACE -p UDP --dport 7001, And after that using
iptables -L shows:

Chain OUTPUT (policy ACCEPT)
target  prot opt source  destination
        udp -- anywhere  anywhere

But if I use PREROUTING or POSTROUTING it says: No chain/target/match by
that name. I cannot use PREROUTING and POSTROUTING at prompt, which is
possible in script.

> > 2. I cannot use (just an example, nothing to do with what i want to do):
> >    iptables -A POSTROUTING -o $IFACE -p UDP --dport 7001

> >    iptables says: No chain/target/match by that name
> >    Above iptable command works for INPUT, FORWARD and OUTPUT chains.


> On Sat, 27 Dec 2003, John A. Sullivan III wrote:
> Are you remembering to specify the table with -t mangle or -t nat if 
> you are not using the filter table? You do this in rule #1 but not 
> rule #2 and if you do iptables -L OUTPUT you will see the rules of the 
> filter table OUTPUT chain and not mangle or nat.  Good luck - John

Yes I understand that I have to use -t mangle if I dont use filter table.
But I cannot se the results from my commands included with -t mangle. Is
this not possible? If not, why is my script showing results that are
disapeared after execution of my script terminations?

What I am trying to explain is that I got results when I am using iptables
commands in my script and those are disapeared after the termination of my
scripts. And I am trying to say that if I use iptables commands without
tables and without PREROUTING, POSTROUTING, its OK, but I want to use tables
and PREROUTING, POSTROUTING as well in script as at prompt. I cannot do
this.

Suggestions ??

 -Johan-

Re: iptables newbie

[Johan Cimen]

Hi!

I am answering my own question.

Using:
iptables -t mangle -A OUTPUT -o $IFACE -p UDP --dport 7001 -j TOS
--set-tos 0x10

can be viewed using:
iptables -t mangle -L

This will also show POSTROUTING AND PREROUTING chains.

If a iptable command is not properly written it will answere: No
chain/target/match by that name, so do it as it shall be done. :)

Thanks all for your support. I am still a newbie. :)

-Johan-

On Sat, 27 Dec 2003, Johan Cimen wrote:

> Hi!
>
> I am an iptables newbie and this is what I want do do with iptables:
> 1. I want to ulog incomming packets at PREROUTING, incomming at specific
> ports with UDP protocol.
> 2. I am going to generate UDP packets from my local station, from specific
> ports.
> 3. I want to set TOS and TTL fields of my packets matching specific ports
> at OUTPORT or POSTROUTING.
>
> Problem that I have is:
> 1. I cannot use:
>    iptables -t mangle -A OUTPUT -o $IFACE -p UDP --dport 7001 -j TOS
> --set-tos 0x10
>    Using iptables -L shows nothing under OUTPUT headline.
>    I cannot use tables at all.
> 2. I cannot use (just an example, nothing to do with what i want to do):
>    iptables -A POSTROUTING -o $IFACE -p UDP --dport 7001
>    iptables says: No chain/target/match by that name
>    Above iptable command works for INPUT, FORWARD and OUTPUT chains.
>
> Question is:
> 1. Have I missed something in my kernel configurations?
> 2. Have I missed something in building chains and targets?
> 3. I need help!
>
> -Johan-