[Solved] 1:1 nat with iptables

Similar Messages

• [SOLVED] Problem with Iptables and DNS-resolving

  So I'm changing my iptables default policy from ALLOW to DROP, and are tightening up the rules too.
  However, I'm having troubles with allowing DNS-queries, while keeping things as locked down as possible.
  /etc/resolv.conf
  domain home
  nameserver 192.168.1.1
  Relevant rules:
  # Allow HTTP
  $CMD -A OUTPUT -o wlan0 -p tcp --dport 80 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  $CMD -A INPUT -i wlan0 -p tcp --dport 80 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  # Allow HTTPS
  $CMD -A OUTPUT -o wlan0 -p tcp --dport 443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  $CMD -A INPUT -i wlan0 -p tcp --dport 443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  # DNS-related rules
  $CMD -A INPUT -i wlan0 -s 192.168.1.1 -p tcp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  $CMD -A INPUT -i wlan0 -s 192.168.1.1 -p udp --sport 53 -m conntrack --ctstate ESTABLISHED -j ACCEPT
  $CMD -A OUTPUT -o wlan0 -d 192.168.1.1 -p tcp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  $CMD -A OUTPUT -o wlan0 -d 192.168.1.1 -p udp --dport 53 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
  What am I missing here?
  Last edited by graph (2012-03-20 18:36:23)

  Gcool wrote:I'm assuming you just want to allow that box to surf the net?
  Yepyep. Sorry for not mentioning that.
  192.168.1.1 is my router, and when I'm disabling the firewall, everything is working perfectly. This is with 192.168.1.1 as nameserver in /etc/resolv.conf.
  I tried changing my rules to your rules, but I still can't get it to work.
  The following is the output while I'm connecting to www.xkcd.com using elinks:
  Output of tcpdump -n '(port 80 or 443 or 53)'
  without iptables running: pastebin.com
  with iptables running: pastebin.com
  It seems to me that DNS is working properly, and that iptables is blocking port 80, right?
  Last edited by graph (2012-03-20 08:20:44)

• [Solved] Help me, please with D-Link DWA-125

  Hi everybody!
  Firstly, sorry for my english. I'm from Russia .
  Recently i bought D-Link DWA-125 and Prestigio MultiPad 9.7 Pro. I want to make D-Link DWA-125 work like access point.
  lsusb | grep -i wireless
  Bus 002 Device 002: ID 2001:3c19 D-Link Corp. DWA-125 Wireless N 150 Adapter(rev.A3) [Ralink RT5370]
  What i tried to do:
  1)
  netcfg up bridge
  :: bridge up [DONE]
  My /etc/network.d/bridge:
  cat /etc/network.d/bridge
  INTERFACE="br0"
  CONNECTION="bridge"
  DESCRIPTION="Bridge connection"
  BRIDGE_INTERFACES="eth0"
  #POST_UP="ifconfig br0 inet 192.168.0.1 netmask 255.255.255.0 up"
  IP="dhcp"
  #ADDR='192.168.0.1'
  #GATEWAY='192.168.0.0'
  #DNS=('192.168.0.1')
  ## sets forward delay time
  #FWD_DELAY=0
  ## sets max age of hello message
  #MAX_AGE=10
  2)
  /etc/rc.d/hostapd start
  :: Starting hostapd [DONE]
  My /etc/hostapd/hostapd.conf:
  cat /etc/hostapd/hostapd.conf
  #wireless interface to use as AP
  interface=wlan0
  #bridge device (needed for madwifi & nl80211 drivers)
  bridge=br0
  #driver interface type (hostapd/wired/madwifi/prism54/test/none/nl80211/bsd)
  # Use nl80211 for wifi drivers that implement MAC80211 interface
  #You should set this to your relevant driver interface type
  driver=nl80211
  #Enables logging to standard output (useful for debugging)
  logger_stdout=-1
  logger_stdout_level=2
  #Set SSID to use
  ssid=MS_WiFi_AP
  # Operation mode (a = IEEE 802.11a, b = IEEE 802.11b, g = IEEE 802.11g)
  # note your card may not support every mode.
  hw_mode=g
  #Channel to use (1-13)
  channel=1
  # IEEE 802.11 specifies two authentication algorithms. hostapd can be
  # configured to allow both of these or only one. Open system authentication
  # should be used with IEEE 802.1X.
  # Bit fields of allowed authentication algorithms:
  # bit 0 = Open System Authentication
  # bit 1 = Shared Key Authentication (requires WEP)
  auth_algs=3
  #maximum number of stations (clients connecting to AP) allowed
  # Maximum number of stations allowed in station table. New stations will be
  # rejected after the station table is full. IEEE 802.11 has a limit of 2007
  # different association IDs, so this number should not be larger than that.
  max_num_sta=5
  #Enable WPA2
  # This field is a bit field that can be used to enable WPA (IEEE 802.11i/D3.0)
  # and/or WPA2 (full IEEE 802.11i/RSN):
  # bit0 = WPA
  # bit1 = IEEE 802.11i/RSN (WPA2) (dot11RSNAEnabled)
  wpa=1
  #Set passphrase for WPA
  wpa_passphrase=my_password
  wpa_key_mgmt=WPA-PSK
  # Set of accepted cipher suites (encryption algorithms) for pairwise keys
  # (unicast packets). This is a space separated list of algorithms:
  # CCMP = AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
  # TKIP = Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
  # Group cipher suite (encryption algorithm for broadcast and multicast frames)
  # is automatically selected based on this configuration. If only CCMP is
  # allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise,
  # TKIP will be used as the group cipher.
  # (dot11RSNAConfigPairwiseCiphersTable)
  # Pairwise cipher for WPA (v1) (default: TKIP)
  wpa_pairwise=TKIP CCMP
  # Pairwise cipher for RSN/WPA2 (default: use wpa_pairwise value)
  rsn_pairwise=CCMP
  3)
  /etc/rc.d/dnsmasq start
  :: Starting DNS/DHCP daemon [DONE]
  My /etc/dnsmasq.conf:
  cat /etc/dnsmasq.conf
  # Configuration file for dnsmasq.
  # Format is one option per line, legal options are the same
  # as the long options legal on the command line. See
  # "/usr/sbin/dnsmasq --help" or "man 8 dnsmasq" for details.
  # Listen on this specific port instead of the standard DNS port
  # (53). Setting this to zero completely disables DNS function,
  # leaving only DHCP and/or TFTP.
  #port=5353
  # The following two options make you a better netizen, since they
  # tell dnsmasq to filter out queries which the public DNS cannot
  # answer, and which load the servers (especially the root servers)
  # unnecessarily. If you have a dial-on-demand link they also stop
  # these requests from bringing up the link unnecessarily.
  # Never forward plain names (without a dot or domain part)
  domain-needed
  # Never forward addresses in the non-routed address spaces.
  bogus-priv
  # Uncomment this to filter useless windows-originated DNS requests
  # which can trigger dial-on-demand links needlessly.
  # Note that (amongst other things) this blocks all SRV requests,
  # so don't use it if you use eg Kerberos, SIP, XMMP or Google-talk.
  # This option only affects forwarding, SRV records originating for
  # dnsmasq (via srv-host= lines) are not suppressed by it.
  #filterwin2k
  # Change this line if you want dns to get its upstream servers from
  # somewhere other that /etc/resolv.conf
  #resolv-file=
  # By default, dnsmasq will send queries to any of the upstream
  # servers it knows about and tries to favour servers to are known
  # to be up. Uncommenting this forces dnsmasq to try each query
  # with each server strictly in the order they appear in
  # /etc/resolv.conf
  #strict-order
  # If you don't want dnsmasq to read /etc/resolv.conf or any other
  # file, getting its servers from this file instead (see below), then
  # uncomment this.
  #no-resolv
  # If you don't want dnsmasq to poll /etc/resolv.conf or other resolv
  # files for changes and re-read them then uncomment this.
  #no-poll
  # Add other name servers here, with domain specs if they are for
  # non-public domains.
  #server=/localnet/192.168.0.1
  # Example of routing PTR queries to nameservers: this will send all
  # address->name queries for 192.168.3/24 to nameserver 10.1.2.3
  #server=/3.168.192.in-addr.arpa/10.1.2.3
  # Add local-only domains here, queries in these domains are answered
  # from /etc/hosts or DHCP only.
  #local=/localnet/
  # Add domains which you want to force to an IP address here.
  # The example below send any host in double-click.net to a local
  # web-server.
  #address=/double-click.net/127.0.0.1
  # --address (and --server) work with IPv6 addresses too.
  #address=/www.thekelleys.org.uk/fe80::20d:60ff:fe36:f83
  # You can control how dnsmasq talks to a server: this forces
  # queries to 10.1.2.3 to be routed via eth1
  # server=10.1.2.3@eth1
  # and this sets the source (ie local) address used to talk to
  # 10.1.2.3 to 192.168.1.1 port 55 (there must be a interface with that
  # IP on the machine, obviously).
  # [email protected]#55
  # If you want dnsmasq to change uid and gid to something other
  # than the default, edit the following lines.
  user=arch
  #group=
  # If you want dnsmasq to listen for DHCP and DNS requests only on
  # specified interfaces (and the loopback) give the name of the
  # interface (eg eth0) here.
  # Repeat the line for more than one interface.
  interface=br0
  # Or you can specify which interface _not_ to listen on
  #except-interface=
  # Or which to listen on by address (remember to include 127.0.0.1 if
  # you use this.)
  #listen-address=
  # If you want dnsmasq to provide only DNS service on an interface,
  # configure it as shown above, and then use the following line to
  # disable DHCP and TFTP on it.
  #no-dhcp-interface=
  # On systems which support it, dnsmasq binds the wildcard address,
  # even when it is listening on only some interfaces. It then discards
  # requests that it shouldn't reply to. This has the advantage of
  # working even when interfaces come and go and change address. If you
  # want dnsmasq to really bind only the interfaces it is listening on,
  # uncomment this option. About the only time you may need this is when
  # running another nameserver on the same machine.
  bind-interfaces
  # If you don't want dnsmasq to read /etc/hosts, uncomment the
  # following line.
  #no-hosts
  # or if you want it to read another file, as well as /etc/hosts, use
  # this.
  #addn-hosts=/etc/banner_add_hosts
  # Set this (and domain: see below) if you want to have a domain
  # automatically added to simple names in a hosts-file.
  #expand-hosts
  # Set the domain for dnsmasq. this is optional, but if it is set, it
  # does the following things.
  # 1) Allows DHCP hosts to have fully qualified domain names, as long
  # as the domain part matches this setting.
  # 2) Sets the "domain" DHCP option thereby potentially setting the
  # domain of all systems configured by DHCP
  # 3) Provides the domain part for "expand-hosts"
  domain=local
  #domain=thekelleys.org.uk
  # Set a different domain for a particular subnet
  #domain=wireless.thekelleys.org.uk,192.168.2.0/24
  # Same idea, but range rather then subnet
  #domain=reserved.thekelleys.org.uk,192.68.3.100,192.168.3.200
  # Uncomment this to enable the integrated DHCP server, you need
  # to supply the range of addresses available for lease and optionally
  # a lease time. If you have more than one network, you will need to
  # repeat this for each network on which you want to supply DHCP
  # service.
  #dhcp-range=192.168.0.50,192.168.0.150,12h
  #dhcp-range=192.168.0.10,192.168.0.255,12h
  # This is an example of a DHCP range where the netmask is given. This
  # is needed for networks we reach the dnsmasq DHCP server via a relay
  # agent. If you don't know what a DHCP relay agent is, you probably
  # don't need to worry about this.
  #dhcp-range=192.168.0.50,192.168.0.150,255.255.255.0,12h
  dhcp-range=10.70.100.50,10.70.100.150,255.255.255.0,24h
  # This is an example of a DHCP range which sets a tag, so that
  # some DHCP options may be set only for this network.
  #dhcp-range=set:red,192.168.0.50,192.168.0.150
  # Use this DHCP range only when the tag "green" is set.
  #dhcp-range=tag:green,192.168.0.50,192.168.0.150,12h
  # Specify a subnet which can't be used for dynamic address allocation,
  # is available for hosts with matching --dhcp-host lines. Note that
  # dhcp-host declarations will be ignored unless there is a dhcp-range
  # of some type for the subnet in question.
  # In this case the netmask is implied (it comes from the network
  # configuration on the machine running dnsmasq) it is possible to give
  # an explicit netmask instead.
  #dhcp-range=192.168.0.5,static
  # Enable DHCPv6. Note that the prefix-length does not need to be specified
  # and defaults to 64 if missing/
  #dhcp-range=1234::2, 1234::500, 64, 12h
  # Do Router Advertisements, BUT NOT DHCP for this subnet.
  #dhcp-range=1234::, ra-only
  # Do Router Advertisements, BUT NOT DHCP for this subnet, also try and
  # add names to the DNS for the IPv6 address of SLAAC-configured dual-stack
  # hosts. Use the DHCPv4 lease to derive the name, network segment and
  # MAC address and assume that the host will also have an
  # IPv6 address calculated using the SLAAC alogrithm.
  #dhcp-range=1234::, ra-names
  # Do Router Advertisements, BUT NOT DHCP for this subnet.
  # Set the lifetime to 46 hours. (Note: minimum lifetime is 2 hours.)
  #dhcp-range=1234::, ra-only, 48h
  # Do DHCP and Router Advertisements for this subnet. Set the A bit in the RA
  # so that clients can use SLAAC addresses as well as DHCP ones.
  #dhcp-range=1234::2, 1234::500, slaac
  # Do Router Advertisements and stateless DHCP for this subnet. Clients will
  # not get addresses from DHCP, but they will get other configuration information.
  # They will use SLAAC for addresses.
  #dhcp-range=1234::, ra-stateless
  # Do stateless DHCP, SLAAC, and generate DNS names for SLAAC addresses
  # from DHCPv4 leases.
  #dhcp-range=1234::, ra-stateless, ra-names
  # Do router advertisements for all subnets where we're doing DHCPv6
  # Unless overriden by ra-stateless, ra-names, et al, the router
  # advertisements will have the M and O bits set, so that the clients
  # get addresses and configuration from DHCPv6, and the A bit reset, so the
  # clients don't use SLAAC addresses.
  #enable-ra
  # Supply parameters for specified hosts using DHCP. There are lots
  # of valid alternatives, so we will give examples of each. Note that
  # IP addresses DO NOT have to be in the range given above, they just
  # need to be on the same network. The order of the parameters in these
  # do not matter, it's permissible to give name, address and MAC in any
  # order.
  # Always allocate the host with Ethernet address 11:22:33:44:55:66
  # The IP address 192.168.0.60
  #dhcp-host=11:22:33:44:55:66,192.168.0.60
  # Always set the name of the host with hardware address
  # 11:22:33:44:55:66 to be "fred"
  #dhcp-host=11:22:33:44:55:66,fred
  # Always give the host with Ethernet address 11:22:33:44:55:66
  # the name fred and IP address 192.168.0.60 and lease time 45 minutes
  #dhcp-host=11:22:33:44:55:66,fred,192.168.0.60,45m
  # Give a host with Ethernet address 11:22:33:44:55:66 or
  # 12:34:56:78:90:12 the IP address 192.168.0.60. Dnsmasq will assume
  # that these two Ethernet interfaces will never be in use at the same
  # time, and give the IP address to the second, even if it is already
  # in use by the first. Useful for laptops with wired and wireless
  # addresses.
  #dhcp-host=11:22:33:44:55:66,12:34:56:78:90:12,192.168.0.60
  # Give the machine which says its name is "bert" IP address
  # 192.168.0.70 and an infinite lease
  #dhcp-host=bert,192.168.0.70,infinite
  # Always give the host with client identifier 01:02:02:04
  # the IP address 192.168.0.60
  #dhcp-host=id:01:02:02:04,192.168.0.60
  # Always give the host with client identifier "marjorie"
  # the IP address 192.168.0.60
  #dhcp-host=id:marjorie,192.168.0.60
  # Enable the address given for "judge" in /etc/hosts
  # to be given to a machine presenting the name "judge" when
  # it asks for a DHCP lease.
  #dhcp-host=judge
  # Never offer DHCP service to a machine whose Ethernet
  # address is 11:22:33:44:55:66
  #dhcp-host=11:22:33:44:55:66,ignore
  # Ignore any client-id presented by the machine with Ethernet
  # address 11:22:33:44:55:66. This is useful to prevent a machine
  # being treated differently when running under different OS's or
  # between PXE boot and OS boot.
  #dhcp-host=11:22:33:44:55:66,id:*
  # Send extra options which are tagged as "red" to
  # the machine with Ethernet address 11:22:33:44:55:66
  #dhcp-host=11:22:33:44:55:66,set:red
  # Send extra options which are tagged as "red" to
  # any machine with Ethernet address starting 11:22:33:
  #dhcp-host=11:22:33:*:*:*,set:red
  # Give a fixed IPv6 address and name to client with
  # DUID 00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2
  # Note the MAC addresses CANNOT be used to identify DHCPv6 clients.
  # Note also the they [] around the IPv6 address are obilgatory.
  #dhcp-host=id:00:01:00:01:16:d2:83:fc:92:d4:19:e2:d8:b2, fred, [1234::5]
  # Ignore any clients which are not specified in dhcp-host lines
  # or /etc/ethers. Equivalent to ISC "deny unknown-clients".
  # This relies on the special "known" tag which is set when
  # a host is matched.
  #dhcp-ignore=tag:!known
  # Send extra options which are tagged as "red" to any machine whose
  # DHCP vendorclass string includes the substring "Linux"
  #dhcp-vendorclass=set:red,Linux
  # Send extra options which are tagged as "red" to any machine one
  # of whose DHCP userclass strings includes the substring "accounts"
  #dhcp-userclass=set:red,accounts
  # Send extra options which are tagged as "red" to any machine whose
  # MAC address matches the pattern.
  #dhcp-mac=set:red,00:60:8C:*:*:*
  # If this line is uncommented, dnsmasq will read /etc/ethers and act
  # on the ethernet-address/IP pairs found there just as if they had
  # been given as --dhcp-host options. Useful if you keep
  # MAC-address/host mappings there for other purposes.
  #read-ethers
  # Send options to hosts which ask for a DHCP lease.
  # See RFC 2132 for details of available options.
  # Common options can be given to dnsmasq by name:
  # run "dnsmasq --help dhcp" to get a list.
  # Note that all the common settings, such as netmask and
  # broadcast address, DNS server and default route, are given
  # sane defaults by dnsmasq. You very likely will not need
  # any dhcp-options. If you use Windows clients and Samba, there
  # are some options which are recommended, they are detailed at the
  # end of this section.
  # Override the default route supplied by dnsmasq, which assumes the
  # router is the same machine as the one running dnsmasq.
  #dhcp-option=3,1.2.3.4
  # Do the same thing, but using the option name
  #dhcp-option=option:router,1.2.3.4
  # Override the default route supplied by dnsmasq and send no default
  # route at all. Note that this only works for the options sent by
  # default (1, 3, 6, 12, 28) the same line will send a zero-length option
  # for all other option numbers.
  #dhcp-option=3
  # Set the NTP time server addresses to 192.168.0.4 and 10.10.0.5
  #dhcp-option=option:ntp-server,192.168.0.4,10.10.0.5
  # Send DHCPv6 option. Note [] around IPv6 addresses.
  #dhcp-option=option6:dns-server,[1234::77],[1234::88]
  # Send DHCPv6 option for namservers as the machine running
  # dnsmasq and another.
  #dhcp-option=option6:dns-server,[::],[1234::88]
  # Set the NTP time server address to be the same machine as
  # is running dnsmasq
  #dhcp-option=42,0.0.0.0
  # Set the NIS domain name to "welly"
  #dhcp-option=40,welly
  # Set the default time-to-live to 50
  #dhcp-option=23,50
  # Set the "all subnets are local" flag
  #dhcp-option=27,1
  # Send the etherboot magic flag and then etherboot options (a string).
  #dhcp-option=128,e4:45:74:68:00:00
  #dhcp-option=129,NIC=eepro100
  # Specify an option which will only be sent to the "red" network
  # (see dhcp-range for the declaration of the "red" network)
  # Note that the tag: part must precede the option: part.
  #dhcp-option = tag:red, option:ntp-server, 192.168.1.1
  # The following DHCP options set up dnsmasq in the same way as is specified
  # for the ISC dhcpcd in
  # http://www.samba.org/samba/ftp/docs/textdocs/DHCP-Server-Configuration.txt
  # adapted for a typical dnsmasq installation where the host running
  # dnsmasq is also the host running samba.
  # you may want to uncomment some or all of them if you use
  # Windows clients and Samba.
  #dhcp-option=19,0 # option ip-forwarding off
  #dhcp-option=44,0.0.0.0 # set netbios-over-TCP/IP nameserver(s) aka WINS server(s)
  #dhcp-option=45,0.0.0.0 # netbios datagram distribution server
  #dhcp-option=46,8 # netbios node type
  # Send an empty WPAD option. This may be REQUIRED to get windows 7 to behave.
  #dhcp-option=252,"\n"
  # Send RFC-3397 DNS domain search DHCP option. WARNING: Your DHCP client
  # probably doesn't support this......
  #dhcp-option=option:domain-search,eng.apple.com,marketing.apple.com
  # Send RFC-3442 classless static routes (note the netmask encoding)
  #dhcp-option=121,192.168.1.0/24,1.2.3.4,10.0.0.0/8,5.6.7.8
  # Send vendor-class specific options encapsulated in DHCP option 43.
  # The meaning of the options is defined by the vendor-class so
  # options are sent only when the client supplied vendor class
  # matches the class given here. (A substring match is OK, so "MSFT"
  # matches "MSFT" and "MSFT 5.0"). This example sets the
  # mtftp address to 0.0.0.0 for PXEClients.
  #dhcp-option=vendor:PXEClient,1,0.0.0.0
  # Send microsoft-specific option to tell windows to release the DHCP lease
  # when it shuts down. Note the "i" flag, to tell dnsmasq to send the
  # value as a four-byte integer - that's what microsoft wants. See
  # http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
  #dhcp-option=vendor:MSFT,2,1i
  # Send the Encapsulated-vendor-class ID needed by some configurations of
  # Etherboot to allow is to recognise the DHCP server.
  #dhcp-option=vendor:Etherboot,60,"Etherboot"
  # Send options to PXELinux. Note that we need to send the options even
  # though they don't appear in the parameter request list, so we need
  # to use dhcp-option-force here.
  # See http://syslinux.zytor.com/pxe.php#special for details.
  # Magic number - needed before anything else is recognised
  #dhcp-option-force=208,f1:00:74:7e
  # Configuration file name
  #dhcp-option-force=209,configs/common
  # Path prefix
  #dhcp-option-force=210,/tftpboot/pxelinux/files/
  # Reboot time. (Note 'i' to send 32-bit value)
  #dhcp-option-force=211,30i
  # Set the boot filename for netboot/PXE. You will only need
  # this is you want to boot machines over the network and you will need
  # a TFTP server; either dnsmasq's built in TFTP server or an
  # external one. (See below for how to enable the TFTP server.)
  #dhcp-boot=pxelinux.0
  # The same as above, but use custom tftp-server instead machine running dnsmasq
  #dhcp-boot=pxelinux,server.name,192.168.1.100
  # Boot for Etherboot gPXE. The idea is to send two different
  # filenames, the first loads gPXE, and the second tells gPXE what to
  # load. The dhcp-match sets the gpxe tag for requests from gPXE.
  #dhcp-match=set:gpxe,175 # gPXE sends a 175 option.
  #dhcp-boot=tag:!gpxe,undionly.kpxe
  #dhcp-boot=mybootimage
  # Encapsulated options for Etherboot gPXE. All the options are
  # encapsulated within option 175
  #dhcp-option=encap:175, 1, 5b # priority code
  #dhcp-option=encap:175, 176, 1b # no-proxydhcp
  #dhcp-option=encap:175, 177, string # bus-id
  #dhcp-option=encap:175, 189, 1b # BIOS drive code
  #dhcp-option=encap:175, 190, user # iSCSI username
  #dhcp-option=encap:175, 191, pass # iSCSI password
  # Test for the architecture of a netboot client. PXE clients are
  # supposed to send their architecture as option 93. (See RFC 4578)
  #dhcp-match=peecees, option:client-arch, 0 #x86-32
  #dhcp-match=itanics, option:client-arch, 2 #IA64
  #dhcp-match=hammers, option:client-arch, 6 #x86-64
  #dhcp-match=mactels, option:client-arch, 7 #EFI x86-64
  # Do real PXE, rather than just booting a single file, this is an
  # alternative to dhcp-boot.
  #pxe-prompt="What system shall I netboot?"
  # or with timeout before first available action is taken:
  #pxe-prompt="Press F8 for menu.", 60
  # Available boot services. for PXE.
  #pxe-service=x86PC, "Boot from local disk"
  # Loads <tftp-root>/pxelinux.0 from dnsmasq TFTP server.
  #pxe-service=x86PC, "Install Linux", pxelinux
  # Loads <tftp-root>/pxelinux.0 from TFTP server at 1.2.3.4.
  # Beware this fails on old PXE ROMS.
  #pxe-service=x86PC, "Install Linux", pxelinux, 1.2.3.4
  # Use bootserver on network, found my multicast or broadcast.
  #pxe-service=x86PC, "Install windows from RIS server", 1
  # Use bootserver at a known IP address.
  #pxe-service=x86PC, "Install windows from RIS server", 1, 1.2.3.4
  # If you have multicast-FTP available,
  # information for that can be passed in a similar way using options 1
  # to 5. See page 19 of
  # http://download.intel.com/design/archives/wfm/downloads/pxespec.pdf
  # Enable dnsmasq's built-in TFTP server
  #enable-tftp
  # Set the root directory for files available via FTP.
  #tftp-root=/var/ftpd
  # Make the TFTP server more secure: with this set, only files owned by
  # the user dnsmasq is running as will be send over the net.
  #tftp-secure
  # This option stops dnsmasq from negotiating a larger blocksize for TFTP
  # transfers. It will slow things down, but may rescue some broken TFTP
  # clients.
  #tftp-no-blocksize
  # Set the boot file name only when the "red" tag is set.
  #dhcp-boot=net:red,pxelinux.red-net
  # An example of dhcp-boot with an external TFTP server: the name and IP
  # address of the server are given after the filename.
  # Can fail with old PXE ROMS. Overridden by --pxe-service.
  #dhcp-boot=/var/ftpd/pxelinux.0,boothost,192.168.0.3
  # If there are multiple external tftp servers having a same name
  # (using /etc/hosts) then that name can be specified as the
  # tftp_servername (the third option to dhcp-boot) and in that
  # case dnsmasq resolves this name and returns the resultant IP
  # addresses in round robin fasion. This facility can be used to
  # load balance the tftp load among a set of servers.
  #dhcp-boot=/var/ftpd/pxelinux.0,boothost,tftp_server_name
  # Set the limit on DHCP leases, the default is 150
  #dhcp-lease-max=150
  # The DHCP server needs somewhere on disk to keep its lease database.
  # This defaults to a sane location, but if you want to change it, use
  # the line below.
  #dhcp-leasefile=/var/lib/misc/dnsmasq.leases
  # Set the DHCP server to authoritative mode. In this mode it will barge in
  # and take over the lease for any client which broadcasts on the network,
  # whether it has a record of the lease or not. This avoids long timeouts
  # when a machine wakes up on a new network. DO NOT enable this if there's
  # the slightest chance that you might end up accidentally configuring a DHCP
  # server for your campus/company accidentally. The ISC server uses
  # the same option, and this URL provides more information:
  # http://www.isc.org/files/auth.html
  #dhcp-authoritative
  # Run an executable when a DHCP lease is created or destroyed.
  # The arguments sent to the script are "add" or "del",
  # then the MAC address, the IP address and finally the hostname
  # if there is one.
  #dhcp-script=/bin/echo
  # Set the cachesize here.
  #cache-size=150
  # If you want to disable negative caching, uncomment this.
  #no-negcache
  # Normally responses which come form /etc/hosts and the DHCP lease
  # file have Time-To-Live set as zero, which conventionally means
  # do not cache further. If you are happy to trade lower load on the
  # server for potentially stale date, you can set a time-to-live (in
  # seconds) here.
  #local-ttl=
  # If you want dnsmasq to detect attempts by Verisign to send queries
  # to unregistered .com and .net hosts to its sitefinder service and
  # have dnsmasq instead return the correct NXDOMAIN response, uncomment
  # this line. You can add similar lines to do the same for other
  # registries which have implemented wildcard A records.
  #bogus-nxdomain=64.94.110.11
  # If you want to fix up DNS results from upstream servers, use the
  # alias option. This only works for IPv4.
  # This alias makes a result of 1.2.3.4 appear as 5.6.7.8
  #alias=1.2.3.4,5.6.7.8
  # and this maps 1.2.3.x to 5.6.7.x
  #alias=1.2.3.0,5.6.7.0,255.255.255.0
  # and this maps 192.168.0.10->192.168.0.40 to 10.0.0.10->10.0.0.40
  #alias=192.168.0.10-192.168.0.40,10.0.0.0,255.255.255.0
  # Change these lines if you want dnsmasq to serve MX records.
  # Return an MX record named "maildomain.com" with target
  # servermachine.com and preference 50
  #mx-host=maildomain.com,servermachine.com,50
  # Set the default target for MX records created using the localmx option.
  #mx-target=servermachine.com
  # Return an MX record pointing to the mx-target for all local
  # machines.
  #localmx
  # Return an MX record pointing to itself for all local machines.
  #selfmx
  # Change the following lines if you want dnsmasq to serve SRV
  # records. These are useful if you want to serve ldap requests for
  # Active Directory and other windows-originated DNS requests.
  # See RFC 2782.
  # You may add multiple srv-host lines.
  # The fields are <name>,<target>,<port>,<priority>,<weight>
  # If the domain part if missing from the name (so that is just has the
  # service and protocol sections) then the domain given by the domain=
  # config option is used. (Note that expand-hosts does not need to be
  # set for this to work.)
  # A SRV record sending LDAP for the example.com domain to
  # ldapserver.example.com port 389
  #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389
  # A SRV record sending LDAP for the example.com domain to
  # ldapserver.example.com port 389 (using domain=)
  #domain=example.com
  #srv-host=_ldap._tcp,ldapserver.example.com,389
  # Two SRV records for LDAP, each with different priorities
  #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,1
  #srv-host=_ldap._tcp.example.com,ldapserver.example.com,389,2
  # A SRV record indicating that there is no LDAP server for the domain
  # example.com
  #srv-host=_ldap._tcp.example.com
  # The following line shows how to make dnsmasq serve an arbitrary PTR
  # record. This is useful for DNS-SD. (Note that the
  # domain-name expansion done for SRV records _does_not
  # occur for PTR records.)
  #ptr-record=_http._tcp.dns-sd-services,"New Employee Page._http._tcp.dns-sd-services"
  # Change the following lines to enable dnsmasq to serve TXT records.
  # These are used for things like SPF and zeroconf. (Note that the
  # domain-name expansion done for SRV records _does_not
  # occur for TXT records.)
  #Example SPF.
  #txt-record=example.com,"v=spf1 a -all"
  #Example zeroconf
  #txt-record=_http._tcp.example.com,name=value,paper=A4
  # Provide an alias for a "local" DNS name. Note that this _only_ works
  # for targets which are names from DHCP or /etc/hosts. Give host
  # "bert" another name, bertrand
  #cname=bertand,bert
  # For debugging purposes, log each DNS query as it passes through
  # dnsmasq.
  #log-queries
  # Log lots of extra information about DHCP transactions.
  #log-dhcp
  # Include a another lot of configuration options.
  #conf-file=/etc/dnsmasq.more.conf
  #conf-dir=/etc/dnsmasq.d
  4)
  iptables -F
  iptables -t nat -F
  iptables -P INPUT DROP
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -i br0 -j ACCEPT
  iptables -A INPUT -i wlan0 -j ACCEPT
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p 41 -j ACCEPT
  iptables -A INPUT -p icmp -j ACCEPT
  iptables -A FORWARD -p tcp -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  iptables -t nat -A POSTOUTING -o eth0 -j MASQUERADE
  rc.d save iptables
  /etc/rc.d/iptables start
  :: Starting IP Tables [DONE]
  In sum:
  ifconfig
  br0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 metric 1
  inet 10.70.100.161 netmask 255.255.0.0 broadcast 10.70.255.255
  inet6 fe80::92e6:baff:fe83:1f33 prefixlen 64 scopeid 0x20<link>
  ether 90:e6:ba:83:1f:33 txqueuelen 0 (Ethernet)
  RX packets 29337 bytes 8111048 (7.7 MiB)
  RX errors 0 dropped 1784 overruns 0 frame 0
  TX packets 5568 bytes 756908 (739.1 KiB)
  TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
  eth0: flags=4419<UP,BROADCAST,RUNNING,PROMISC,MULTICAST> mtu 1500 metric 1
  ether 90:e6:ba:83:1f:33 txqueuelen 1000 (Ethernet)
  RX packets 285252 bytes 323627813 (308.6 MiB)
  RX errors 0 dropped 37 overruns 0 frame 0
  TX packets 133067 bytes 10924478 (10.4 MiB)
  TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
  lo: flags=73<UP,LOOPBACK,RUNNING> mtu 16436 metric 1
  inet 127.0.0.1 netmask 255.0.0.0
  inet6 ::1 prefixlen 128 scopeid 0x10<host>
  loop txqueuelen 0 (Local Loopback)
  RX packets 174 bytes 5542 (5.4 KiB)
  RX errors 0 dropped 0 overruns 0 frame 0
  TX packets 174 bytes 5542 (5.4 KiB)
  TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
  mon.wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 metric 1
  unspec CC-B2-55-00-B0-F6-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC)
  RX packets 2 bytes 262 (262.0 B)
  RX errors 0 dropped 0 overruns 0 frame 0
  TX packets 0 bytes 0 (0.0 B)
  TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
  wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500 metric 1
  inet6 fe80::ceb2:55ff:fe00:b0f6 prefixlen 64 scopeid 0x20<link>
  ether cc:b2:55:00:b0:f6 txqueuelen 1000 (Ethernet)
  RX packets 0 bytes 0 (0.0 B)
  RX errors 0 dropped 0 overruns 0 frame 0
  TX packets 20653 bytes 2063361 (1.9 MiB)
  TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
  iwconfig
  br0 no wireless extensions.
  mon.wlan0 IEEE 802.11bgn Mode:Monitor Frequency:2.412 GHz Tx-Power=0 dBm
  Retry long limit:7 RTS thr:off Fragment thr:off
  Power Management:on
  eth0 no wireless extensions.
  lo no wireless extensions.
  wlan0 IEEE 802.11bgn Mode:Master Frequency:2.412 GHz Tx-Power=0 dBm
  Retry long limit:7 RTS thr:off Fragment thr:off
  Power Management:on
  In wifi settings MultiPad 9.7 Pro written "connected", but i can't open any web site (timed out).
  I don't know what's wrong.
  Thanks in advice.
  PS: my D-Link DWA-125 working in access point mode very well on Windows 7
  Last edited by 32reg (2012-08-12 10:07:47)

  1) I deleted bridge-utils, netcfg
  2) I edited /etc/hostapd/hostapd.conf:
  interface=wlan0
  #bridge=br0
  edited /etc/dnsmasq.conf:
  interface=wlan0
  dhcp-range=192.168.0.2,192.168.0.255,255.255.255.0,24h
  and edited /etc/rc.local:
  ifconfig wlan0 192.168.0.1 netmask 255.255.255.0
  ifconfig wlan0 up
  3) I added in autostart these daemons: hostapd, dnsmasq and iptables.
  Profit!

• Lightroom 4 crashes when trying to open the slideshow module. I spent over three hours with both Adobe and Apple tech support and we know it is a permission issue but have not been able to get it solved.  It started with the last upgrade to 10.8

  Lightroom 4 crashes when trying to open the slideshow module. I spent over three hours with both Adobe and Apple tech support and we know it is a permission issue but have not been able to get it solved.  It started with the last upgrade to 10.8

  Back up all data.
  This procedure will unlock all your user files (not system files) and reset their ownership and access-control lists to the default. If you've set special values for those attributes on any of your files, they will be reverted. In that case, either stop here, or be prepared to recreate the settings if necessary. Do so only after verifying that those settings didn't cause the problem. If none of this is meaningful to you, you don't need to worry about it.
  Step 1
  If you have more than one user account, and the one in question is not an administrator account, then temporarily promote it to administrator status in the Users & Groups preference pane. To do that, unlock the preference pane using the credentials of an administrator, check the box marked Allow user to administer this computer, then reboot. You can demote the problem account back to standard status when this step has been completed.
  Triple-click the following line to select it. Copy the selected text to the Clipboard (command-C):
  { sudo chflags -R nouchg,nouappnd ~ $TMPDIR.. ; sudo chown -Rh $UID:staff ~ $_ ; sudo chmod -R u+rwX ~ $_ ; chmod -R -N ~ $_ ; } 2> /dev/null
  Launch the Terminal application in any of the following ways:
  ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
  ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
  ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
  Paste into the Terminal window (command-V). You'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. If you don’t have a login password, you’ll need to set one before you can run the command. If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator.
  The command will take a noticeable amount of time to run. Wait for a new line ending in a dollar sign (“$”) to appear, then quit Terminal.
  Step 2 (optional)
  The first step should give you usable permissions in your home folder. This step will restore special attributes set by OS X on some user folders to protect them from unintended deletion or renaming. You can skip this step if you don't consider that protection to be necessary.
  Boot into Recovery by holding down the key combination command-R at startup. Release the keys when you see a gray screen with a spinning dial.
  When the OS X Utilities screen appears, select
  Utilities ▹ Terminal
  from the menu bar. A Terminal window will open.
  In the Terminal window, type this:
  resetpassword
  That's one word, all lower case, with no spaces. Then press return. A Reset Password window will open. You’re not  going to reset a password.
  Select your boot volume ("Macintosh HD," unless you gave it a different name) if not already selected.
  Select your username from the menu labeled Select the user account if not already selected.
  Under Reset Home Directory Permissions and ACLs, click the Reset button.
  Select
   ▹ Restart
  from the menu bar.

• How to use Mac Mini Server as NAT with only one port??

  How to use Mac Mini Server as NAT with only one ethernet port??

  But why did apple sell me this server that does NAT with one port? I don't get it.

• Router 1941 Nat with H.323 traffic

  Hi expert,
  I have the scenario as the diagram:
  I want the 192.168.1.50 IP nat to 200.200.200.10 which for network B  with the H323 packet,As what i know there is the Payload problem for the  H323 and been recommend me use the NAT with ALG.May i know more detail  on how to implement this?Urgent
  thanks
  -Gilbert

  Hi,
  Add in 1 thing the equipment is the Video Conferencing product.
  thks
  -gilbert

• [Solved] Allowing ip ranges in iptables

  Hello everyone.
  I don't have much experience with iptables. After about an hour on Google and several tries on getting iptables to limit a port on my server, I am forced to ask for help from you iptables gurus I have set up an OpenVPN server on TCP port 8080, which I only want a certain IP range (92.122.x.x) on the internet to be able to access, anyone elses packets to the port should be dropped.
  I would appreciate if someone could guide me in the right direction or just give me a command which I should type into iptables.
  Regards,
  David
  Last edited by nullvoid (2009-06-26 19:10:06)

  Thank for the quick reply.
  I have tried adding -s !92.122.0.0/16 and -s 92.122.0.0/16 without success. I have also tried --src-range and a various of other paramters, still without success. Probably I'm just missusing them.
  Here's a few of my attempts which have failed:
  iptables -A INPUT -i eth0 -p tcp -m tcp -s '!92.122.0.0/16' --dport 8080 -j DROP
  iptables -A INPUT -i eth0 -p tcp -m tcp --src-range '!92.122.0.0-92.122.255.255' --dport 8080 -j DROP
  iptables -A INPUT -i eth0 -p tcp -m iprange ! --src-range '92.122.0.0-92.122.255.255' --dport 8080 -j DROP
  iptables -A INPUT -i eth0 -p tcp -m iprange --src-range '92.122.0.0-92.122.255.255' --dport 8080 -j DROP
  iptables -A INPUT -i eth0 -p tcp -m iprange --src-range '! 92.122.0.0-92.122.255.255' --dport 8080 -j DROP
  iptables -A INPUT -i eth0 -p tcp -m iprange -s '!92.122.0.0/16' --dport 8080 -j DROP
  iptables -A INPUT -i eth0 -p tcp -s '!92.122.0.0/16' -i eth0 --dport 8080 -j DROP
  iptables -A INPUT -i eth0 -p tcp -s '!92.122.0.0/16' --dport 8080 -j DROP
  Either iptables gives me an error or it simply doesn't work the way I want.
  Last edited by nullvoid (2009-06-26 17:35:07)

• How to solve the problem related with inputing of the text into Wordpress from Firefox 9 and 9.0.1. The problem is that after inputing the formatting gets lost. Taking in account high popularity of Wordpress I suppose the problem is quite serious.

  How to solve the problem related with inputing of the text into Wordpress from Firefox 9 and 9.0.1.
  The problem is that after inputing the formatting gets lost.
  Taking in account high popularity of Wordpress I suppose the problem is quite serious.

  Perform the suggestions mentioned in the following articles:
  * [https://support.mozilla.com/en-US/kb/Template:clearCookiesCache/ Clear Cookies & Cache]
  * [[Troubleshooting extensions and themes]]
  * Clipboard not working -> [http://kb.mozillazine.org/Clipboard_not_working]
  * Rich Text Editing -> [http://kb.mozillazine.org/Rich_text_editing]
  * Update All your Firefox Plugins -> [https://www.mozilla.org/en-US/plugincheck/]
  Check and tell if its working.
  Might not be related to your problem but some of your Plugins are out-dated
  * Update All your Firefox Plugins -> [https://www.mozilla.org/en-US/plugincheck/]
  * '''When Downloading Plugins Update setup files, Remove Checkmark from Downloading other Optional Softwares with your Plugins (e.g. Toolbars, McAfee, Google Chrome, etc.)'''

• [SOLVED] Help needed with iptables rule with unusual setup

  Hi I recently setup hostapd on my netbook so I could share a wireless network with my phone and I'm having trouble because my netbook is also hosting a Jetty sever (Subsonic media streamer).
  My setup is as follows
  [CABLE MODEM]===[WIRED ROUTER]=====[NETBOOK] ))))) [PHONE]
  The wired router provides the DHCP server.
  On my netbook I created a (br0) bridge between eth0 and wlan0 and started hostapd. That all works fine when I'm not trying to host my Jetty server on my netbook.
  The netbook has the IP 192.168.0.8
  The phone has the IP 192.168.0.6
  I do not want to give the Jetty server root permissions just so it can run on port 80. So instead I start it instead on port 4040 and then use a iptables rule to redirect connections to port 80 to port 4040.
  Before I setup hostapd on machine I used to use the following.
  iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 4040
  However when I'm using hostapd and try to access websites on my phone its web browser is ALWAYS REDIRECTED to my jetty server. I'm not really surprised at this as the rule I mentioned above is for any destination or any source.
  I tried this rule:
  iptables -t nat -A PREROUTING -d localhost -p tcp --dport 80 -j REDIRECT --to-ports 4040
  This didn't work. On my phone I could access websites as expected but nobody (tried external from network and internally) could access the jetty server on port 80. Does anyone know why this rule doesn't work?
  I tried this rule:
  iptables -t nat -A PREROUTING \! -s 192.168.0.6 -p tcp --dport 80 -j REDIRECT --to-ports 4040
  This rule worked (Redirect port 4040 connections to port 80 if the connection isn't from my phone). But this is NOT very good at all as it means I would need a separate rule for every wireless device that connected to my netbook (via hostapd). Also if the IP address of my phone ever changes this rule becomes useless too!
  Does anyone have any ideas?
  Any help would be greatly appreciated.
  Thanks.
  Last edited by delcypher (2010-07-24 20:17:35)

  Well looks like I fixed my own problem.
  I added a LOG target in the PREROUTING chain like so
  iptables -t nat -A PREROUTING -p tcp --dport 80 -j LOG --log-prefix 'cheesy-redirect'
  iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 80
  When I looked at /var/logs/everything I noticed this.
  dan-netbook kernel: cheesy-redirectIN=br0 OUT= PHYSIN=eth0 MAC=00:26:18:73:ea:28:00:09:5b:5d:0a:33:08:00 SRC=178.102.41.92 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=51411 DF PROTO=TCP SPT=48219 DPT=80 WINDOW=49640 RES=0x00 SYN URGP=0
  The destination is 192.168.0.3 ! Which is very very weird. This the IP address I had told my router to give my eth0 card in the past when I wasn't using a network bridge (br0). I was connected to the network using 192.168.0.8 on br0. The eth0 interface wasn't assigned an IP address.
  192.168.0.3 was also the IP address I setup for static port forwarding (which I forgot about) so when I accessed my jetty server from outside my network all packets would of been forwarded to 192.168.0.3
  I should never of received those packets as I was 192.168.0.8 not 192.168.0.3 at the time of logging so how I even received these packets is a mystery to me. Maybe the router software is buggy
  Fixing was pretty straight forward I changed the port forward to go to 192.168.0.8 and then tried connecting to the jetty server externally and noted in the log
  cheesy-redirectIN=br0 OUT= PHYSIN=eth0 MAC=00:25:d3:46:4d:0d:00:09:5b:5d:0a:33:08:00 SRC=178.102.41.92 DST=192.168.0.8 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=65326 DF PROTO=TCP SPT=33597 DPT=80 WINDOW=49640 RES=0x00 SYN URGP=0
  So the correct redirect rule is
  iptables -t nat -A PREROUTING -p tcp --dport 80 -d 192.168.0.8 -j REDIRECT --to-ports 80
  which works nicely
  One last question though. Does anyone know how I can use a hostname rather than 192.168.0.8 which points to whatever the IP address of br0 is set to? localhost points to 127.0.0.1 so that doesn't work.

• [SOLVED] Test conversion to systemd - Help with iptables status

  With all the discussion around systemd and with a move for systemd to [core] soon, I thought I would convert an arch laptop from initscripts to systemd and see how it worked.
  I followed the advice on the arch wiki for systemd, having already moved the systemd compatible parameters out of rc.conf a while ago. After installing systemd and systemd-arch-units, and adding init=/bin/systemd to the boot kernel line the system booted up nicely with systemd - graphical login failed as the relevant unit is not enabled at that stage - so hitting return to get a login prompt and logging as root it was quick to enable graphical.target and kdm.service, and rebooting then gave me a normal kdm login screen and then a normal login to kde.
  All fine at this point. (By the way total login time was just over 30 seconds for both initscripts and systemd) - then it was necessary to check which services were running - most were running by default under systemd including postfix, dovecot, and sound worked fine with a quick check on a browser for a video feed. Networking was working fine too.
  However iptables which was previously working fine under initscripts was not running - I checked that the firewall rules file was intact which is was.  Executing systemctl enable iptables.service appeared to be accepted but after executing systemctl start iptables.service and checking status again it was "exited" - the commands listed under the "start" command seemed normal and no error message appeared in the /var/log/messages file about iptables.
  Can anyone suggest what is needed to get iptables working under systemd (yes I have read the wiki entries but nothing seemed to be relevant to fixing that particular issue).
  Thanks in advance.
  Last edited by mcloaked (2012-08-30 09:01:25)

  cfr wrote:
  I think what you're seeing is normal. Does it give a 0 exit status?
  The service is of type "oneshot". I *think* that means that it is expected to exit.
  As I understand it, iptables is a bit like ipfw. It's in the kernel and the userspace tools just provide an interface to that. So there's no daemon to run.
  You can tell if it has worked correctly by
  iptables --list
  to check that your rules have been loaded correctly.
  Note: I hope somebody will quickly correct me if I'm wrong about this because I've been assuming this is the expected behaviour on my own machine!
  Perfectly correct - I didn't think to check iptables --list but yes all the rules are there as they should be.
  It would be nice to have this documented in the wiki under systemd to help anyone else coming across the same issue.
  I will mark this as solved in the topic title - thank you for replying - it was very helpful (and stopped me continuing the search for a solution by googling!)

• [SOLVED] Setting up NAT for a secondary network

  Countless guides on iptables have failed to help me with this problem.. I'm trying to set up a NAT on this box which
  is connected to the wired home network on 192.168.2.0/24 (eth0) and a wireless Ad-Hoc network on
  10.0.0.0/24 (bat0 - B.A.T.M.A.N routing protocol).
  This machine is statically assigned to 192.168.2.109 and I'm trying to MASQUERADE/SNAT packets from the
  Ad-Hoc to appear to originate from this machine. The 192.168.2.0/24 network itself is NAT'd to the internet
  aswell, so basically a NAT within a NAT.
  A little graphical helper:
  [ Internet ] - - - - - - [ Router ] - - - - - - [ This ] o o o o o o o o [ Ad-Hoc ]
  This is my iptables.conf:
  # Generated by iptables-save v1.4.12 on Mon Aug 15 12:52:13 2011
  *mangle
  :PREROUTING ACCEPT [4585:1017080]
  :INPUT ACCEPT [4585:1017080]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [4478:581526]
  :POSTROUTING ACCEPT [4498:584466]
  COMMIT
  # Completed on Mon Aug 15 12:52:13 2011
  # Generated by iptables-save v1.4.12 on Mon Aug 15 12:52:13 2011
  *filter
  :INPUT ACCEPT [4585:1017080]
  :FORWARD ACCEPT [0:0]
  :OUTPUT ACCEPT [4478:581526]
  COMMIT
  # Completed on Mon Aug 15 12:52:13 2011
  # Generated by iptables-save v1.4.12 on Mon Aug 15 12:52:13 2011
  *nat
  :PREROUTING ACCEPT [8:1360]
  :INPUT ACCEPT [8:1360]
  :OUTPUT ACCEPT [82:6393]
  :POSTROUTING ACCEPT [82:6393]
  -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE
  COMMIT
  # Completed on Mon Aug 15 12:52:13 2011
  IPv4 forwarding in sysctl is enabled. The iptables modules are loaded. It doesn't work. I tried MASQUERADE, SNAT and every
  possible guide on the net, nothing works. What's the problem here?
  EDIT:
  I have managed to solve the issue - emberassingly enough it wasn't iptables that failed... my default route within the ad-hoc mesh
  was bad.
  Last edited by Sadface (2011-08-15 10:59:39)

  Yeah, normally I click on "open network settings" click on "advanced" and then go to the 802.1x tab. Thats where the problem begins. I'm not to sure what to do from there. I've tried basically all the options available and still have had no luck. In the domain option, I have tried all three options, User, System, and Login Window, and I've put my user name and password, but when the computer tries to connect to the server it says I can't because of something to do with the certificate or something along those lines.

• [SOLVED] Share Ethernet Internet with Wifi AdHoc Network

  After several hours of searching other similar threads, I cannot find anything which turns out to be useful for what I'm trying to do specifically.
  I have a laptop with ethernet card and built-in wifi. With Arch Linux I have configured both before using both the ipconfig/iwconfig methods and using Wicd. I am currently connected to the internet using Wicd and Ethernet (only because Wicd is already installed and configured when I got this internet connection). It would violate the terms of my internet service here (in a dorm room through dorm sponsored internet) to connect a wireless router to the internet connection.
  What I want to do then, is set up my laptop so that it accesses the internet through the ethernet connection, and shares it with my iPod Touch through an Adhoc configured on the wifi card. I believe this still may be a small violation of the terms of service with my provider, but I really just want to be able to update/download apps on my iPod.. not let the whole floor have internet for the low price of one room.
  Thanks in advance for any help, let me know if I need to provide more specifics for what I'm trying to do.
  Last edited by sethfouts (2010-07-01 14:31:40)

  you can use iwconfig to set up the ad hoc connection (i dont know enough about wicd to see if it'll work with it)
  iwconfig wlan0 up
  iwconfig wlan0 192.168.100.1 netmask 255.255.255.0
  iwconfig mode ad-hoc
  iwconfig wlan0 channel auto
  iwconfig wlan0 essid MYPC
  you can then use your ipod to connect to this ad hoc network and assign the ipod an ip address 192.168.100.2, make sure to ping the ipod to see if its connected corrently or not.
  you can then use iptables to NAT the connections, iptables -t nat -A POSTROUTING  -s 192.168.100.0/24 -o eth0 -j MASQUERADE
  make sure ip forwarding is enabled by using, echo  1 > /proc/sys/net/ipv4/ip_forward

• SOLVED: Limit default view with Multiple non-destructive filters mode

  This was solved:
  I deleted the { subPaths: "word" } within my dataset. The dataset was pulling and displaying the subpath content which I don't need.
  ==================================================================
  Hi,
  I’m using the Multiple Filters Mode Sample to filter headlines in my xml file by the keywords associated with them.
  My question is, with no filters selected, how do you display only one headline for the default view? So, instead of the <headline> node repeating itself for every keyword within that node, it just displays one headline. I just want to display only one headline instead of repeating the headline based on the amount of keywords associated with it.
  If you view the donut example given a donut is displayed for every topping associated with it.
  I’m not as experienced with JS but I thought that if I create an array of all the possible keyword combinations and then use an if-then to display just one combination then it might work. The problem is that the amount of keywords will grow with time. I might amass 15-20 keywords in the next month, so an array might not be practical.
  Also, my “Remove All Filters” doesn’t work. The debugger is giving me an error that states: ‘documents.forms.0.noneCB’ is null or not an object -This would mean that the checkbox has not been selected is this correct?
  I’ve included the code and my xml data below. Any assistance would be greatly appreciated!
  <html>
  <head>
  <script language="JavaScript" type="text/javascript" src="/SpryAssets/xpath.js"></script>
  <script language="JavaScript" type="text/javascript" src="/SpryAssets/SpryData.js"></script>
  <script language="JavaScript" type="text/javascript" src="/SpryAssets/SpryDataExtensions.js"></script>
  <script type="text/javascript">
  <!--
  var dsHeadlines = new Spry.Data.XMLDataSet("headlines_test.xml", "/headlines/headline", { subPaths: "word" });
  function ffNone(ds, row, index){ return (row.word == "None") ? row : null; };
  function ffJudicial(ds, row, index){ return (row.word == "Judicial leadership") ? row : null; };
  function ffProBono(ds, row, index){ return (row.word == "Pro bono") ? row : null; };
  function ffHearings(ds, row, index){ return (row.word == "ATJ hearings and events") ? row : null; };
  function ffCreation(ds, row, index){ return (row.word == "ATJ entities creation and structure") ? row : null; };
  function ToggleFilter(enable, f)
              if (enable)
                          dsHeadlines.addFilter(f, true);
              else
                          dsHeadlines.removeFilter(f, true);
  function RemoveAllFilters()
              document.forms[0]["noneCB"].checked = false;
              document.forms[0]["judicialCB"].checked = false;
              document.forms[0]["probonoCB"].checked = false;
              document.forms[0]["hearingsCB"].checked = false;
              document.forms[0]["creationCB"].checked = false;
              dsHeadlines.removeAllFilters(true);
  -->
  </script>
  </head>
  <body>
              <div class="liveSample" style="float: left; margin-bottom: 4px;">
              <form action="">
              <p>Select any of the following:</p>
              <ul style="list-style:none">
                  <li><label><input name="noneCB" type="checkbox" value="" onclick="ToggleFilter(this.checked, ffNone);" />None</label></li>
                  <li><label><input name="judicialCB" type="checkbox" value="" onclick="ToggleFilter(this.checked, ffJudicial);" />Judicial leadership</label></li>
                  <li><label><input name="probonoCB" type="checkbox" value="" onclick="ToggleFilter(this.checked, ffProBono);" />Pro Bono</label></li>
                  <li><label><input name="hearingsCB" type="checkbox" value="" onclick="ToggleFilter(this.checked, ffHearings);" />ATJ hearings/events</label></li>
                  <li><label><input name="creationCB" type="checkbox" value="" onclick="ToggleFilter(this.checked, ffCreation);" />ATJ entities: creation and structure</label></li>
  </ul>
              <p><label>Filter Mode: <select onchange="dsHeadlines.setFilterMode(this.value, true);"><option value="and" selected="selected">-- AND --</option><option value="or">-- OR --</option></select></label>
              <input type="button" value="Remove All Filters" onclick="RemoveAllFilters();" /></p>
              </form>
              </div>
              <div spry:region="dsHeadlines">
                  <table>
                      <tr><th>Title</th><th>Date</th><th>State</th></tr>
                      <tr spry:repeat="dsHeadlines"><td valign="top"><a href="{hyperlink}">{title}</a><p></p></td><td valign="top">{date}</td><td valign="top">{state}</td></tr>
                  </table>
              </div>
  </body>
  </html>
  <?xml version="1.0" encoding="UTF-8"?>
  <headlines>
    <headline>
      <id>1</id>
      <title>
        <![CDATA[Save the date! 2009 National Meeting of State Access to Justice Chairs will take place in Orlando in Saturday, May 16, 2009. Invitations will be mailed out in late January.]]>
      </title>
      <hyperlink>
        <![CDATA[http://www.abanet.org/legalservices/sclaid/atjresourcecenter/annualmeeting.html]]>
      </hyperlink>
      <state>FL</state>
      <date>20090516</date>
      <word id="0001">None</word>
    </headline>
    <headline>
      <id>2</id>
      <title>
        <![CDATA[ABA Day in Washington. ABA Day legislative visits on April 21-22 will focus solely on access to justice issues. Register and receive materials, training, and schedule of events free before March 14 at: http://www.abanet.org/poladv/abaday09/.]]>
      </title>
      <hyperlink>
        <![CDATA[http://www.abanet.org/poladv/abaday09/]]>
      </hyperlink>
      <state>DC</state>
      <date>20090421</date>
      <word id="0002">Pro bono</word>
      <word id="0004">ATJ hearings and events</word>
      <word id="0005">Judicial leadership</word>
    </headline>
    <headline>
      <id>3</id>
      <title>
        <![CDATA[North Carolina Bar Association and North Carolina Bar Association Foundation host second annual 4ALL Statewide Service Day ask-a-lawyer event at five call centers around the state. (3/6/2009)]]>
      </title>
      <hyperlink>
        <![CDATA[http://www.4allnc.org/]]>
      </hyperlink>
      <state>NC</state>
      <date>20090306</date>
      <word id="0002">Pro bono</word>
    </headline>
    <headline>
      <id>4</id>
      <title>
        <![CDATA[Wyoming Access to Justice Commission holds its first meeting. (2/27/2009)]]>
      </title>
      <hyperlink>
        <![CDATA[http://www.nlada.org/DMS/Documents/1236184561.24/AJC%20Appointing%20Order%202009.pdf]]>
      </hyperlink>
      <state>WY</state>
      <date>20090227</date>
      <word id="0003">ATJ entities creation and structure</word>
    </headline>
    <headline>
      <id>5</id>
      <title>
        <![CDATA[Tennessee’s Supreme Court launches Access to Justice Campaign with the first in a series of public hearings. (2/26/2009)]]>
      </title>
      <state>TN</state>
      <date>20090226</date>
      <word id="0003">ATJ entities creation and structure</word>
      <word id="0004">ATJ hearings and events</word>
      <word id="0005">Judicial leadership</word>
    </headline>
  </headlines>

  1) I deleted bridge-utils, netcfg
  2) I edited /etc/hostapd/hostapd.conf:
  interface=wlan0
  #bridge=br0
  edited /etc/dnsmasq.conf:
  interface=wlan0
  dhcp-range=192.168.0.2,192.168.0.255,255.255.255.0,24h
  and edited /etc/rc.local:
  ifconfig wlan0 192.168.0.1 netmask 255.255.255.0
  ifconfig wlan0 up
  3) I added in autostart these daemons: hostapd, dnsmasq and iptables.
  Profit!

• Need help with setting up 2 xboxs to open NATS with my Cisco DPC3825

  Hey,
  I have 2 xboxs, 1 is wired and one has the microsoft adapter for wireless.. I have been searching tons of forums to try to solve this issue, and I'm at my end if it! I really need both my nats open, so far I can get 1 nat open while the other one is strict. I have a Cisco DPC3825. Any help would be great!! Thanks!

  Hi Casteel,
  Thank you for your question.  However this community is for Cisco Small Business Products and the DPC3825 is not a Cisco Small Business Product.
  Your product is an internet service provider (ISP) supported  product.  In otherwords you need to  contact your ISP or technology  reseller that you purchased this from to help you with your question.
  Regards,
  Cindy  Toy
  Cisco Small Business  Community Manager
  for Cisco Small  Business Products
  www.cisco.com/go/smallbizsupport

• WRT1900AC Problem With open NAT with multiple Xbox One's

  I am starting a new thread for some possible help with this. I have just recently replaced my r7000 with the wrt1900ac router and for the life of me cannot get my 2 xbox ones in the house to have open nat. Only one of them will show open NAT. Anyone get this to work and work 100% of the time? I have reseverved the IP's. I tried port forwarding.. I tried putting one in the dmz. I have tried port triggering. None of it works. One will be open the other stays at moderate. I have got it in strict before as well. I have upnp on. I cannot figure out what is wrong with it. Ideas? Also It seems my router reboot on its own and turning the LED's off after a reboot the wireless led's come on. Seems like a bug.

  Hewligun, found this on another Linksys thread, it appears that Linkysy may need to update their UPnP and all should be good. Original thread:Packet Dropping thread  Excerpt from thread: Re: WRT1900AC packet dropping[ New ] Options  ‎05-01-2014 06:16 PM  I did some research. Microsoft documents that port forwarding will only work for the one xBox in the forwarding rule. In the same document it mentions that the only way to have two xBoxes running at the same location behind a router is with UPnP. The UPnP protocol has be the newest version in order for it to work. I guess the WRT1900AC is running a later version of UPnP in which case a firmware upgrade will solve this. Keep in mind that Microsoft xBox Live itself is having documented issues as well so we can't really know for sure if the UPnP on the WRT1900 is the newer version or not at this point. Look at the affect services in the current xBox Live status: Affected platforms:Xbox Onexbox one outage;Social and Gaming,Xbox 360xbox 360 outage;Social and Gaming, Affected services:Accessing all game featuresJoining other Xbox Live members in online gamesPosting game performance or viewing the performance of other Xbox Live members https://support.xbox.com/en-CA/xbox-live-status
  Please remember to Kudo those that help you.
  Belkin\Linksys
  Communities Technical Support