[ilugd] An iptables problem on Debian Etch (amd64)
Hi,

I used to connect to the internet by PPPoE dialing to my ISP from my box (172.16.0.3). I wanted to DNAT TCP packets coming from the external world on TCP port 9053 of the ppp0 interface (which gets created as a result of PPPoE dialing) to TCP port 1203 of my machine's ethernet interface (eth0).

The network service which I wanted to expose is listening on 172.16.0.3:1203.

For that I've created the following iptables rules:

iptables -t filter -A INPUT -i ppp0 -p tcp -m state --state NEW --dport 9053 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 9053 -j DNAT --to-destination 172.16.0.3:1203
iptables -t filter -A FORWARD -d 172.16.0.3 -p tcp --dport 1203 -j ACCEPT

But unfortunately the above rules are not working as documented. I've then modified the service to listen on the same TCP port as exposed to the external world, i.e. 9053, and also modified the iptables rules accordingly, and it worked. Following are the new rules:

iptables -t filter -A INPUT -i ppp0 -p tcp -m state --state NEW --dport 9053 -j ACCEPT
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 9053 -j DNAT --to-destination 172.16.0.3
iptables -t filter -A FORWARD -d 172.16.0.3 -p tcp --dport 9053 -j ACCEPT

I'm running Linux kernel version 2.6.18-5-amd64. Can anyone tell what I'm doing wrong?

TIA
Ashish Shukla

--
Ashish Shukla Wah Java !! आशीष शुक्ल
weblog: http://wahjava.wordpress.com/
"DRMs are often designed by ambitious, well-funded consortia, with top-notch engineers from every corner of the industry. They spend millions. They take years. They are defeated in days, for pennies, by hobbyists." - Cory Doctorow
"The best optimizer is between your ears." - Michael Abrash

___
ilugd mailinglist -- ilugd@lists.linux-delhi.org
http://frodo.hserus.net/mailman/listinfo/ilugd
Next Event: http://freed.in - September 28-29, 2007
Archives at: http://news.gmane.org/gmane.user-groups.linux.delhi http://www.mail-archive.com/ilugd@lists.linux-delhi.org/
Re: [ilugd] An iptables problem on Debian Etch (amd64)
Hi All,

I am planning to buy a laptop. Could anyone suggest to me which one is best in the market with the ease of installation of Linux? My budget is 35-40 K.

Thanks in advance.
Manmohan Sethi 9899482425

On 10/22/07, आशीष शुक्ल Ashish Shukla [EMAIL PROTECTED] wrote:
> [...]

--
Regards
Manmohan Sethi
9899485425
Re: [ilugd] October Meet
Hi All,

It was nice to have all you LUG'ers visiting our campus for the October Meeting at JIIT University, Noida. Thanks to Mr. Arun Chaturvedi (Faculty Coordinator, JIITU-LUG), Gaurav (ILUG-D), Varun Mittal (JIITU), members of ILUG-D and the JIIT Administration for making the meeting a success.

Here are the pics/videos of the meeting:
http://picasaweb.google.com/angadsingh007/ILUGDOctober07MeetingAtJIITU

Hope you all liked it here and that we continue to have a fruitful association in the future.

Regards,
Angad Singh
JIITU-LUG

On 10/17/07, Gaurav Mishra [EMAIL PROTECTED] wrote:
> On 10/17/07, vivek khurana [EMAIL PROTECTED] wrote:
> > --- Gaurav Mishra [EMAIL PROTECTED] wrote:
> > > Hi all,
> > > ILUGD October meet is finalized at Jaypee Institute of Information Technology, Noida, which has a fair amount of Linux student enthusiasts.
> >
> > hmm... I think it makes sense to post the meeting date and time with the announcement.
>
> Since more topics in the agenda were expected, the time was not finalized. Will do it today.
>
> --
> Thanks and Regards
> Gaurav Mishra
> Linux User #348873
> ILUGD General Secretary, GZLUG Moderator
> RKGIT Alumni (Guiding Light)
> Software Engineer, UnitedVillages
> http://gauravmishra.info/blog
> When I can run, I will run; when I can walk, I will walk; when I can crawl, I will crawl. But I will not stop moving forward.
Re: [ilugd] An iptables problem on Debian Etch (amd64)
On 10/22/07, आशीष शुक्ल Ashish Shukla [EMAIL PROTECTED] wrote:
> Hi,
>
> I used to connect to the internet by PPPoE dialing to my ISP from my box (172.16.0.3). I wanted to DNAT TCP packets coming from the external world on TCP port 9053 of the ppp0 interface (which gets created as a result of PPPoE dialing) to TCP port 1203 of my machine's ethernet interface (eth0).
>
> The network service which I wanted to expose is listening on 172.16.0.3:1203.

It's not clear, so I am assuming here that the service and the internet connection are on the same machine.

> For that I've created the following iptables rules:
>
> iptables -t filter -A INPUT -i ppp0 -p tcp -m state --state NEW --dport 9053 -j ACCEPT
> iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 9053 -j DNAT --to-destination 172.16.0.3:1203
> iptables -t filter -A FORWARD -d 172.16.0.3 -p tcp --dport 1203 -j ACCEPT

The packets will hit the PREROUTING chain first and the dst port will be modified; therefore in your INPUT chain rule you give port 1203. Also there is no need to use the state module, because you need to open this port for NEW as well as ESTABLISHED packets.

iptables -t filter -A INPUT -i ppp0 -p tcp --dport 1203 -j ACCEPT

Hint, use:

iptables -t table-name -nvL chain-name

to debug which rules are being hit.

> But unfortunately the above rules are not working as documented. I've then modified the service to listen on the same TCP port as exposed to the external world, i.e. 9053, and also modified the iptables rules accordingly, and it worked. Following are the new rules:
>
> iptables -t filter -A INPUT -i ppp0 -p tcp -m state --state NEW --dport 9053 -j ACCEPT
> iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 9053 -j DNAT --to-destination 172.16.0.3
> iptables -t filter -A FORWARD -d 172.16.0.3 -p tcp --dport 9053 -j ACCEPT
>
> I'm running Linux kernel version 2.6.18-5-amd64. Can anyone tell what I'm doing wrong?
>
> TIA
> Ashish Shukla
Re: [ilugd] An iptables problem on Debian Etch (amd64)
,--[ On Mon, Oct 22, 2007 at 09:14:02PM +0530, Jasbir Khehra wrote:
| On 10/22/07, आशीष शुक्ल Ashish Shukla [EMAIL PROTECTED] wrote:
[...]
| I used to connect to the internet by PPPoE dialing to my ISP from my box
| (172.16.0.3). I wanted to DNAT TCP packets coming from the external world
| on TCP port 9053 of the ppp0 interface (which gets created as a result of
| PPPoE dialing) to TCP port 1203 of my machine's ethernet interface (eth0).
|
| The network service which I wanted to expose is listening on 172.16.0.3:1203.
|
| It's not clear, so I am assuming here that the service and the internet
| connection are on the same machine.

I think I mentioned that my box is at 172.16.0.3 and the service is listening on 172.16.0.3:1203 :) .

| For that I've created the following iptables rules:
|
| iptables -t filter -A INPUT -i ppp0 -p tcp -m state --state NEW --dport 9053 -j ACCEPT
| iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 9053 -j DNAT --to-destination 172.16.0.3:1203
| iptables -t filter -A FORWARD -d 172.16.0.3 -p tcp --dport 1203 -j ACCEPT
|
| The packets will hit the PREROUTING chain first and the dst port will
| be modified; therefore in your INPUT chain rule you give port 1203.
| Also there is no need to use the state module, because you need to open
| this port for NEW as well as ESTABLISHED packets.
| iptables -t filter -A INPUT -i ppp0 -p tcp --dport 1203 -j ACCEPT

Thanks for the above explanation. I figured out that I'm not accepting the new DNATted connection in the INPUT chain. So I need to remove that -t filter -A FORWARD rule and change it to -t filter -A NAT, as packets will reach the FORWARD chain only when packets are destined for this host. :)

Thanks
Ashish Shukla

--
Ashish Shukla Wah Java !! आशीष शुक्ल
weblog: http://wahjava.wordpress.com/
Re: [ilugd] An iptables problem on Debian Etch (amd64)
,--[ On Mon, Oct 22, 2007 at 09:46:43PM +0530, आशीष शुक्ल Ashish Shukla wrote:
| packets will reach the FORWARD chain only when packets are destined for this

s/ are / aren't /

Sorry for the typo.

Ashish Shukla

--
Ashish Shukla Wah Java !! आशीष शुक्ल
weblog: http://wahjava.wordpress.com/
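The point Jasbir and Ashish settle on in the exchange above (the filter table only ever sees the post-DNAT destination, and a packet DNATed to one of the host's own addresses is routed to INPUT, so the FORWARD rule is never consulted) can be traced with a small model of the netfilter path. This is an added illustration, not code from the thread or from iptables itself. It assumes the box owns only 172.16.0.3, that filter/INPUT has a DROP policy (if the policy were ACCEPT the first rule set would have been let through by the policy rather than by a rule), and it constructs 203.0.113.10 as a stand-in for the ppp0 address; rule matching is reduced to interface, protocol, destination, port and conntrack state, and nothing here touches a real kernel.

```python
"""Toy model of the netfilter path a TCP SYN takes when it arrives on ppp0
and is DNATed to a service on the same host.  Added illustration, not
from the mailing-list thread; matching is simplified and no real kernel
is involved.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str
    dst: str
    dport: int
    state: str = "NEW"          # what -m state reports for a fresh SYN


@dataclass(frozen=True)
class Rule:
    table: str                  # "nat" or "filter"
    chain: str                  # PREROUTING, INPUT or FORWARD
    target: str                 # ACCEPT, DROP or DNAT
    in_iface: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    state: Optional[str] = None
    to_dst: Optional[str] = None   # DNAT --to-destination "ip" or "ip:port"

    def matches(self, pkt: Packet) -> bool:
        checks = ((self.in_iface, pkt.in_iface), (self.proto, pkt.proto),
                  (self.dst, pkt.dst), (self.dport, pkt.dport),
                  (self.state, pkt.state))
        return all(want is None or want == have for want, have in checks)


# Assumption: the box owns exactly this address, so anything DNATed to it
# is delivered locally (filter/INPUT) instead of being forwarded.
LOCAL_ADDRS = {"172.16.0.3"}


def walk_chain(rules: List[Rule], table: str, chain: str,
               pkt: Packet, policy: str) -> Tuple[str, Packet]:
    """First matching rule wins; DNAT rewrites the destination in place."""
    for r in rules:
        if r.table != table or r.chain != chain or not r.matches(pkt):
            continue
        if r.target == "DNAT":
            ip, _, port = r.to_dst.partition(":")
            pkt = replace(pkt, dst=ip, dport=int(port) if port else pkt.dport)
            return "DNAT", pkt
        return r.target, pkt
    return policy, pkt          # no rule matched: the chain policy applies


def deliver(rules: List[Rule], pkt: Packet) -> Tuple[str, str, List[str]]:
    """nat/PREROUTING -> routing decision -> filter/INPUT or filter/FORWARD."""
    trace = []
    verdict, pkt = walk_chain(rules, "nat", "PREROUTING", pkt, policy="ACCEPT")
    trace.append(f"nat/PREROUTING: {verdict}, dst now {pkt.dst}:{pkt.dport}")
    # The routing decision runs after PREROUTING, on the rewritten destination.
    chain = "INPUT" if pkt.dst in LOCAL_ADDRS else "FORWARD"
    verdict, pkt = walk_chain(rules, "filter", chain, pkt, policy="DROP")
    trace.append(f"filter/{chain}: {verdict} (dport seen here = {pkt.dport})")
    return verdict, chain, trace


def original_rules() -> List[Rule]:
    """Ashish's first rule set: INPUT still matches the pre-DNAT port."""
    return [
        Rule("filter", "INPUT", "ACCEPT", in_iface="ppp0", proto="tcp",
             state="NEW", dport=9053),
        Rule("nat", "PREROUTING", "DNAT", in_iface="ppp0", proto="tcp",
             dport=9053, to_dst="172.16.0.3:1203"),
        Rule("filter", "FORWARD", "ACCEPT", dst="172.16.0.3", proto="tcp",
             dport=1203),
    ]


def same_port_rules() -> List[Rule]:
    """The workaround that worked: service moved to 9053, DNAT keeps the port."""
    return [
        Rule("filter", "INPUT", "ACCEPT", in_iface="ppp0", proto="tcp",
             state="NEW", dport=9053),
        Rule("nat", "PREROUTING", "DNAT", in_iface="ppp0", proto="tcp",
             dport=9053, to_dst="172.16.0.3"),
        Rule("filter", "FORWARD", "ACCEPT", dst="172.16.0.3", proto="tcp",
             dport=9053),
    ]


def fixed_rules() -> List[Rule]:
    """Jasbir's fix: match the post-DNAT port in INPUT; no FORWARD rule needed."""
    return [
        Rule("nat", "PREROUTING", "DNAT", in_iface="ppp0", proto="tcp",
             dport=9053, to_dst="172.16.0.3:1203"),
        Rule("filter", "INPUT", "ACCEPT", in_iface="ppp0", proto="tcp",
             dport=1203),
    ]


# Constructed SYN from the outside; 203.0.113.10 stands in for the ppp0 address.
SYN = Packet(in_iface="ppp0", proto="tcp", dst="203.0.113.10", dport=9053)

if __name__ == "__main__":
    for name, rules in (("original", original_rules()),
                        ("same-port workaround", same_port_rules()),
                        ("fixed", fixed_rules())):
        verdict, chain, trace = deliver(rules, SYN)
        print(f"{name}: {verdict} in filter/{chain}")
        for line in trace:
            print("   ", line)
```

Running it shows the first rule set dropping the SYN in INPUT (the INPUT rule asks for 9053 but the packet now carries 1203, and FORWARD is never walked), while the same-port workaround and the 1203 INPUT rule both accept it. The model carries only the SYN; how reply and ESTABLISHED packets are admitted (the state-module point Jasbir raises) is outside it, and `iptables -t filter -nvL INPUT` on the real box is the check that the counters on the intended rule, not the policy, are moving.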
[ilugd] remove unsubscribe
Please unsubscribe my mail [EMAIL PROTECTED]

--
D. Dharma Rao
Coordinator, Knowledge Management Center (KMC)
Hindustan Latex Family Planning Promotion Trust (HLFPPT)
Corporate Office, B-11, Sector-59, Noida, 201301 UP, India
Mobile: 09958075134
Phone: 0120-4231060/61/62 Ext: 340
Fax: 0120-4231065
www.hlfppt.org
Re: [ilugd] October Meet
On Mon, 2007-10-22 at 19:28 +0530, Angad Singh wrote:
> Hi All,
> It was nice to have all you LUG'ers visiting our campus for the October Meeting at JIIT University, Noida.
[...]

Gaurav, if you have notes for the meeting, could you please post those? Else, please let me know, and I will post what notes I took. I think that there were various important items that were discussed.

From the perspective of JIIT, I think that there are some things to consider for Freed 2008. JIIT has great facilities, and many big colleges and companies around it. While it probably does not yet make sense to move the venue there, we could think of a satellite conference there, either immediately before or after the main conference. JIIT folk are going to get back to us on this, but such a satellite conference will be developer-oriented, though initially aimed at an introductory level over a 2-day period. We can discuss a 3-day event, where the 3rd day is devoted to higher-level stuff, such as the Python sub-conference that we talked so much about last year.

Regards,
Gora