Debian Configuration :: IPTables Output Block Not Local
Sep 19, 2015
I am trying to create some rules to detect outgoing traffic from my Debian Jessie that is not from my IP or loopback.
#!/bin/bash
# Two user chains: C_OUT_N_LOCAL logs, C_OUT_N_LOCAL_LO applies the "not my IP" test
/sbin/iptables -N C_OUT_N_LOCAL
/sbin/iptables -N C_OUT_N_LOCAL_LO
# Rate-limited LOG so a burst of packets cannot flood the kernel log
/sbin/iptables -A C_OUT_N_LOCAL -m limit --limit 2/min -j LOG --log-prefix "PK: output not local : " --log-level 4
LO_IP="127.0.0.1"
MY_IP="192.168.0.4"
# Anything leaving the host that is not from loopback goes to the second test...
/sbin/iptables -I OUTPUT -p ALL ! -s "$LO_IP" -j C_OUT_N_LOCAL_LO
# ...and anything there that is not from my own IP is logged
/sbin/iptables -A C_OUT_N_LOCAL_LO -p ALL ! -s "$MY_IP" -j C_OUT_N_LOCAL
View 0 Replies
Feb 7, 2016
I managed to set up an openvpn server, ip-forwarding and a nat iptable rule for that.
Almost everything works as expected, but my problem is:
Smartphone -> VPN -> Internet ==> works (by ip and hostname)
Smartphone -> VPN -> machine in my local network by IP ==> works
Smartphone -> VPN -> machine in my local network by its hostname ==> DOES NOT WORK
Machine w/ VPN server -> ping to machine in local network by ip or hostname ==> works
So, I wonder why I can't access a local machine through the VPN by its hostname. I guess I'm missing a forwarding rule??
iptables dump:
# Generated by iptables-save v1.4.21 on Sun Feb 7 20:56:52 2016
*nat
:PREROUTING ACCEPT [786:59064]
:INPUT ACCEPT [728:53047]
:OUTPUT ACCEPT [19:1487]
:POSTROUTING ACCEPT [20:1576]
-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
COMMIT
# Completed on Sun Feb 7 20:56:52 2016
View 0 Replies
View Related
Sep 20, 2010
I have a strange iptables issue. I have just built a new Debian install and started adding some real basic rules (see below). The problem seems to be that the localhost itself can't get any returning traffic. That is, it seems to be allowed outgoing traffic but not the connected, returning traffic. Ordinarily allowing established connections would resolve this (see the rule below), but it hasn't. Why doesn't this work? Removing the last DROP in the INPUT chain obviously makes the traffic work!
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j ACCEPT -p tcp --dport 22
iptables -A INPUT -j ACCEPT -s x.x.x.x
iptables -A INPUT -j ACCEPT -s x.x.x.x
iptables -A INPUT -j ACCEPT -s x.x.x.x -p tcp --dport 80
iptables -A INPUT -j ACCEPT -s x.x.x.x -p tcp --dport 8080
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -j DROP
View 3 Replies
Jun 17, 2010
I am working on a Debian 2.6.26-19 Distribution with exim4 as MTA. After a system restart a problem occurred with delivering emails to local addresses. These local addresses use a 1and1 mailserver for email. The MX records for the local domain are set correctly but exim does not use a DNS lookup for these addresses because it identifies them as local addresses. I figured this out by executing the exim4 -d -bt command. The dns lookup part of the result looks like this (I replaced the actual address with placeholders):
[Code]....
The eventual result of the exim4 -d -bt command is:
[user]@[domain.ext] is undeliverable: Unrouteable address
How can I make sure that exim4 makes a DNS lookup for the local addresses instead of skipping it? I know that I have to edit an exim4 configuration file, but I could not figure out which one and how.
View 1 Replies
Mar 23, 2010
I am having problems while testing out the Squid proxy server. I just can't get it to block anything. So, I'm running Debian Lenny on my VirtualBox and Squid on it. I'm having Windows 7 on VirtualBox too and they can ping each other, and the webserver on Debian (apache2) is working fine. The problem is I can't get Squid to block webpages. I have the correct settings in the Windows proxy settings, but I'm not so sure about Squid. I want to block, let's say, www.xxx.com for example. So I add to the main configuration file:
[Code]...
View 3 Replies
Apr 28, 2011
I am configuring the iptables in Debian Squeeze and then running the: iptables-save
View 4 Replies
Jul 11, 2011
I followed these instructions, but after iptables-restore < /etc/iptables.test.rules I see this error:
# iptables-restore < /etc/iptables.test.rules
Bad argument `#'
Error occurred at line: 3
Try `iptables-restore -h' or 'iptables-restore --help' for more information.
Line 3 is the same as in the link:
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
View 3 Replies
Mar 22, 2016
The problem I have is so simple yet difficult for me to resolve. My Postfix MTA allows fake mails from me@example.com to me@example.com. How can I block them?
For example, if I do "telnet smtp.mail.yahoo.it 25", as I write the MAIL FROM command I get the alert "Authentication required". How can I achieve that?
View 13 Replies
Mar 29, 2016
This is a redirect of the output of command apt-get update to a text file in /home/user
Code:
Ign:1 http://dl.google.com/linux/talkplugin/deb stable InRelease
Hit:2 http://ftp.us.debian.org/debian testing InRelease
Hit:3 http://dl.google.com/linux/talkplugin/deb stable Release
Ign:4 http://linux.dropbox.com/debian sid InRelease
Hit:5 http://deb.opera.com/opera sid InRelease
[Code] ...
They all refer to repos that cannot validate authenticity.
View 2 Replies
Jan 15, 2010
I am working with linux-source-2.6.30 from squeeze.
The only changes I made in the config file were the processor type, and I disabled CONFIG_SYSFS_DEPRECATED_V2 to avoid some warnings from udev.
When I tried to build the kernel package, this is what I get:
(The bottom bit is from 'time').
Searching for this error turned up a plethora of results, none of which seemed relevant.
I see that it tells me to file a bug report, but I'm not sure if that is meant for the Debian kernel team or upstream.
View 1 Replies
Nov 10, 2010
I've been trying to forward some ports using iptables for some time now, but still haven't figured out how to get it to work. What I'm trying to accomplish is to forward all traffic from port 80 to port 8080, and all traffic from port 443 to port 8443, because I would like to run Tomcat as a non-root user, and the original ports can only be used as root. I've currently set up my iptables like this:
# Generated by iptables-save v1.4.2 on Wed Nov 10 16:44:45 2010
*nat
:PREROUTING ACCEPT [39350:6120333]
[code].....
View 2 Replies
Jul 8, 2011
For some reason my FTP packets are blocked by iptables even though I thought I allowed them through
My syslog errors are along this line:
And my iptables ruleset:
View 4 Replies
Jul 6, 2010
I am trying to set up a DMZ host - that is, one multifunctional PC between the WAN and the LAN. I've started with a basic router, and expanding upon that as the need arises. I am currently trying to gain access (from the WAN) to a website hosted on one of the servers in the LAN, but I am having trouble accessing the host from the WAN; I think my iptables configuration may be too restrictive. On the DMZ host, I'm using Debian (Etch). I have setup dhcp3-server, a script to configure iptables and pound (reverse-proxy). The (virtual) machine has 4 network cards: eth0, eth1, eth2, eth3; eth0 is the WAN, eth1 through eth3 serve 3 different virtual LANs.
All machines in the LAN (except one Windows 2008 server - I might want to address that problem later) get their IP addresses correctly via DHCP from the DMZ host. All machines on the LAN can access the internet (including the 2008 server if I configure it manually) as they should. If I access http://localhost on the DMZ host, pound reports "The service is not available. Please try again later." - as it should.
I can ping the DMZ host from the WAN on 10.0.0.79. However, if I try to access the DMZ host from the WAN (http://10.0.0.79) I get "Unable to connect" from Firefox. I'm sure this is not a pound problem, so I think it's in the iptables, or maybe I should be installing some extra software that I'm unaware of.
[code]....
View 3 Replies
Dec 30, 2010
I'm having some trouble with the configuration of the iptables. I want to setup a network server to serve as Fail Over (for my 2 ISPs), DHCP and DNS. I have 3 network cards, 2 connected to ISP's routers and 1 that serves as UPLINK for my switch.
I want to add some iptables rules so I can achieve what I want to do. The problem is that the rules I try to use have no effect... they don't load. Here are the rules I am trying to add:
#iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
#iptables --table nat --append POSTROUTING --out-interface eth2 -j MASQUERADE
#iptables --table nat --append POSTROUTING --out-interface eth2 -j SNAT --to EXTIP
When I try to check to see if it loads, with the command:
#iptables -L
It returns empty
View 2 Replies
Jul 6, 2011
I was just downloading a few torrent files when all of a sudden my network connection just died. I checked the output of dmesg and I saw this:
[25148.587960] [UFW BLOCK] IN=wlan0 OUT= MAC=00:26:c7:05:3f:c8:00:24:a5:34:93:91:08:00 SRC=192.168.106.1 DST=192.168.106.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26519 DF PROTO=TCP SPT=4631 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
[25174.135763] [UFW BLOCK] IN=wlan0 OUT= MAC=00:26:c7:05:3f:c8:00:24:a5:34:93:91:08:00 SRC=150.101.154.95 DST=192.168.106.5 LEN=58 TOS=0x00 PREC=0x00 TTL=114 ID=3696 PROTO=UDP SPT=18091 DPT=51413 LEN=38
[code]...
Of course there were hundreds of lines just like these, but just so you get the idea. I had to physically power down my router in order to get connected again, then all of this continued. I'm clueless in the networking department, but this seems alarming to me, as some of those source IPs are external. Is someone probing me? Or is this normal with torrent activity? I've never seen so much activity by my firewall. I recognize port 51413 is for Transmission, but 3389? That's for remote desktop connections as far as I know.
View 4 Replies
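The LOG rule in the first post ("PK: output not local : ") and ufw's "[UFW BLOCK]" lines above both land in the kernel log in the same KEY=VALUE layout. As an added example, not code from any of the posts, here is a small Python triage script for such lines: it parses them, applies the first post's check (outbound packets whose SRC is not the host's loopback or LAN address, using the 127.0.0.1 and 192.168.0.4 from that post), and gives the ufw poster a private-versus-external breakdown of inbound blocks per port. The two "PK" sample lines are constructed; the two ufw lines are the ones quoted above.

```python
"""Triage netfilter LOG lines (iptables LOG target or ufw). Added example."""
import ipaddress
import re
from collections import Counter

# Optional "[timestamp]", then the log prefix, then the KEY=VALUE fields
_LINE = re.compile(r"^(?:\[\s*[\d.]+\]\s*)?(?P<prefix>.*?)\s*IN=(?P<rest>.*)$")
_KV = re.compile(r"(?P<k>[A-Z]+)=(?P<v>\S*)")

# Constructed sample: the two ufw lines quoted in the post above plus two
# lines as the first post's "PK: output not local : " rule would write them.
SAMPLE_LINES = [
    "[25148.587960] [UFW BLOCK] IN=wlan0 OUT= MAC=00:26:c7:05:3f:c8:00:24:a5:34:93:91:08:00 "
    "SRC=192.168.106.1 DST=192.168.106.5 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=26519 DF "
    "PROTO=TCP SPT=4631 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "[25174.135763] [UFW BLOCK] IN=wlan0 OUT= MAC=00:26:c7:05:3f:c8:00:24:a5:34:93:91:08:00 "
    "SRC=150.101.154.95 DST=192.168.106.5 LEN=58 TOS=0x00 PREC=0x00 TTL=114 ID=3696 "
    "PROTO=UDP SPT=18091 DPT=51413 LEN=38",
    "[ 3021.400112] PK: output not local : IN= OUT=eth0 SRC=10.0.0.9 DST=203.0.113.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40000 DPT=80 SYN URGP=0",
    "[ 3022.010000] PK: output not local : IN= OUT=eth0 SRC=192.168.0.4 DST=203.0.113.5 "
    "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40001 DPT=443 SYN URGP=0",
]


def parse_nf_log(line):
    """Return the KEY=VALUE fields plus the log prefix, or None if not a LOG line."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    fields = {"PREFIX": m.group("prefix").strip()}
    for kv in _KV.finditer("IN=" + m.group("rest")):
        # UDP lines carry LEN twice (IP header, then UDP); keep the first one
        fields.setdefault(kv.group("k"), kv.group("v"))
    return fields


def non_local_sources(lines, local_ips):
    """The first post's check: outbound packets whose SRC is not one of the
    host's own addresses (loopback or its LAN address)."""
    local = {ipaddress.ip_address(ip) for ip in local_ips}
    hits = []
    for f in map(parse_nf_log, lines):
        if f and f.get("OUT") and f.get("SRC"):  # OUT set => leaving the host
            if ipaddress.ip_address(f["SRC"]) not in local:
                hits.append((f["SRC"], f["DST"], f.get("PROTO"), f.get("DPT")))
    return hits


def summarise_blocked(lines):
    """For the ufw post: inbound blocks split into private (LAN) versus
    external sources, and counted per protocol/destination port."""
    by_scope, by_port = Counter(), Counter()
    for f in map(parse_nf_log, lines):
        if not f or not f.get("IN"):  # IN set => arriving at the host
            continue
        src = ipaddress.ip_address(f["SRC"])
        by_scope["private" if src.is_private else "external"] += 1
        by_port[(f.get("PROTO"), f.get("DPT"))] += 1
    return by_scope, by_port
```

Feed it `journalctl -k` or dmesg output line by line; a hit from non_local_sources means a process on the host sent a packet with a source address the host does not own, which is exactly what the first post's chains are meant to surface.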
Apr 4, 2010
a good IPTABLES protocol to reject all incoming ssh traffic except for a single IP or IP range?
View 4 Replies
May 3, 2010
I'm intending to replace my current router (486DX2 w/16MB running FREESCO which has been faithfully working 24/7 for well over a decade) with a Debian box with a bit more grunt and newer features. I'm currently setting up my iptables ruleset and am after a bit of advice re the FORWARD policy. A few example rulesets I have found set the default policy to DROP and then have two lines for each port forward, one to allow the traffic and one to direct the incoming packets to the correct machine.
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to-destination 10.0.100.10:25
iptables -A FORWARD -i eth1 -p tcp --dport 25 -o eth0 -d 10.0.100.10 -m conntrack --ctstate NEW -j ACCEPT
I'm thinking of setting the default policy to ACCEPT to cut down on typing, as my default INPUT policy is DROP and unless there is a valid FORWARD rule for a particular port, the packets aren't going anywhere anyway. Or have I misunderstood something? My googling returned heaps of example scripts & not much intelligent commentary. Alternatively, what do you all use to configure & maintain your Debian gateways; hand-rolled iptables rules, or any toolset recommendations?
View 4 Replies
May 9, 2010
After resetting a PC running Lenny I get iptables errors at boot ("resource temporarily unavailable", "bad rule" etc). "setting up firewall" (Guarddog) is not followed by any errors and the firewall apparently operates OK. How can I restore my iptables to the default installation values?
View 2 Replies
Nov 2, 2010
What would be necessary to run an ftp server (or a web server) on my local PC so that other people I know could access it and download stuff from it? The idea is to share photos, videos etc with friends/family where the files are a bit too big for email. (All 100% legal, own-content, no copyright issues, needless to say). Security isn't that vital, I'd just put files in the ftp directory, email the link and let them download the files, then remove them again. No passwords are required, and no uploads.
Obviously there's the problem that both computers have to be on at the same time, and I assume I'd have to change my computer's firewall settings and my router's settings to allow the traffic through, but my question is more basic than that - is it even possible? My internet connection is through a router, and as I understand it, my router has the IP address, not my computer. So I can connect through my router using my computer's IP address, but only my router knows my computer's IP address, and all the rest of the internet just sees my router and its IP address. Which means (I think) that I can't just send my IP address for my family to connect to, because that only gets them as far as my router, and the router would have no idea what to do with such requests. Am I right so far?
So is there any way for my family's computers to contact an FTP server or a web server running on my computer? Or does it require some kind of intermediary server to act as a traffic-forwarder? Is there such a thing? I'm assuming that setting up little private torrents would be fiddly and inefficient. Or would it be better/simpler to use one of the free filesharing services and put up with the (sometimes not too family-friendly) adverts associated with them?
View 12 Replies
Dec 24, 2010
Two nights ago I decided to switch from testing to unstable. Since then I am able to connect to the internet, but not to anything on my local network. I am unable to ping this computer from another one on the network. This computer is connected through wireless. I thought that something might have changed with iptables that was blocking the local network. I tried to flush the iptables settings with "iptables -F". Since that didn't work I uninstalled iptables (which didn't work, and I reinstalled iptables). In my browser I tried to connect to my router and that doesn't work either. I connect to this computer daily through ssh and connect to a NAS. Without ssh and my NAS I feel kinda lost.
View 6 Replies
Jan 5, 2011
I'd like to configure the NTP service on my Lenny Debian client to retrieve time from my local NTP server, so I thought to configure /etc/ntp.conf and to insert into crontab this command 'ntpd -qg', which is indicated in man. Can I run the ntpd service to synchronize time for my client while avoiding listening on port 123? Because my scope is to align time on the client and not to give service to others; for that scope there is the NTP server!
View 1 Replies
Jan 15, 2011
I can't get past the "scp -p id_rsa.pub" step; ssh fails with "Could not resolve hostname" errors. Both machines are connected with a hub. I've also tried using the IP address in place of hostnames, to no avail. Both machines can ping each other successfully. The server has the "openssh-server" package installed.
View 1 Replies
Mar 10, 2011
Background:
I'll have 2 routers:
- ADSL-router (D-link DSL-2640U)
+ NAT on (needed as one static IP from ISP)
+ Server's IP as 192.168.X.xxx
+ router firewall port-forwards set for needed ports (21,22, 80 etc) to 192.168.0.xxx - 2nd LAN-router
[Code]....
Is there any setting/file on Debian-user-machine, where I could fix that abc.mydomainXYZ.com/defg is always in something to do with 192.168.X.xxx
View 4 Replies
Dec 1, 2015
I'm trying to use these cookie-cutter rules that I found. But every time I use them, after a few seconds my wifi connection goes dead. The exception was the first time I used them, which lasted me a couple of minutes.
By dead I mean I can no longer open a webpage or ping google.
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
View 9 Replies
Sep 3, 2015
I'm trying to set up a *simple* MTA in my local network. The only thing it should be able to do is send system / daemon mails to admin@mylocaldomain. But at the moment I'm pretty much overwhelmed by everything I *should* know in order to set up this MTA.
my infrastructure:
- servers:
* test01.mylocaldomain --> should send mails (with exim) to admin@mylocaldomain
* dns01.mylocaldomain --> dns-server
* mail.mylocaldomain --> mail-server (postfix / iredmail package)
I configured exim to be in "internet" mode. Now I have a variety of errors I can choose from (and a variety of solutions that I don't like).. My test is always an email from test01.mylocaldomain:
echo "Hello World" | mail -s Testmail admin@mylocaldomain
- after running the config, I get the error: admin@mylocaldomain: all relevant MX records point to non-existent hosts --> Google says, edit and update update-exim4.conf.conf --> dc_relay_domains='mylocaldomain' --> but this exim installation should not be a relay at all. It should only be able to SEND (to this domain), not deliver it. Or do I get something wrong?
- after I added dc_relay_domains='mylocaldomain', I get --> SMTP error from remote mail server after RCPT TO:<admin@mylocaldomain>: host mail.mylocaldomain [192.168.x.x]: 550 5.1.1 <root@mylocaldomain>: Sender address rejected: User unknown in virtual mailbox table --> but I don't want to create an account on the mailserver for the SENDER...
- ...so I thought I'd config exim with the domain "test01.mylocaldomain" (including the server name), so that the sender is clearly from another domain than the mail server handles (e.g. user@test01.mylocaldomain).. but then I get this --> SMTP error from remote mail server after RCPT TO:<admin@mylocaldomain>: host mail.mylocaldomain [192.168.x.x]: 450 4.1.8 <root@test01.mylocaldomain>: Sender address rejected: Domain not found
I really just wanna send mails in my local network.
View 0 Replies
Feb 11, 2016
I want to see my ipcam in my local network from my tablets. I installed server/client but I can't even ping my ipcam from my tablet. I can ping my ipcam from my server:
Code:
ping 10.42.0.22
PING 10.42.0.22 (10.42.0.22) 56(84) bytes of data.
64 bytes from 10.42.0.22: icmp_seq=1 ttl=64 time=0.639 ms
eth1:1 Link encap:Ethernet HWaddr 00:25:22:1c:6e:05
inet addr:10.42.0.1 Bcast:10.42.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.42.0.1 P-t-P:10.42.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MULTICAST MTU:1500 Metric:1
RX packets:1775 errors:0 dropped:0 overruns:0 frame:0
[code]...
my tablet can receive ip, can see ftp on server but can't see anything in my home network.
View 3 Replies
Jan 28, 2010
I rarely need my wireless, and I want it off by default. I am going to disable it during bootup with
echo 0 > /sys/devices/platform/acer-wmi/wireless
What would be the proper place for this? If I put it in rc.local it will be executed very late; I'd rather have it sooner. If I add a new script to init.d, then run update-rc.d, I would have to adhere to the start|stop|reload structure of these scripts, right? Or do I go a totally different way about this?
View 2 Replies
Apr 21, 2010
I have a new Debian 5.04/ppc install on a G5 tower and it's not able to browse the local network. The clean install could see the network, then I installed the Samba server, and it hasn't worked since. Samba server never really worked, and I'm guessing I messed something up. I've reinstalled network-manager, and removed / reinstalled samba.
I have a small home network (6 machines) running wired and/or wireless, PC/Mac and Linux. This machine can PING other machines by name and IP address. This machine can PING itself by name and IP address.
Other machines can PING this machine by IP address only, not by name. Nautilus network browser only shows the "Windows Network" icon, which, when clicked, shows an empty window. I've got networking up fine on all my other machines but this one is stumping me.
View 1 Replies
Jul 25, 2010
I have three Debian systems running, along with several XP laptops, a PS3 and two DirecTV systems. I use two of the three Debian systems as media servers, and the third is an older system mostly for playing around with. My home network is running fine with the following nuisance. The two newer Debian (Lenny) systems are <barney> and <mitzi>, the older is named <oscar>, running Debian Sarge 3.1. From either local or remote login to <barney> and <mitzi> I can ssh into either of the other two systems; however, when logged into <oscar> I cannot ssh by name to either of the other systems, e.g. ssh: mitzi: Temporary failure in name resolution. However, from <oscar> I can ping outside my network (e.g. ping www.google.com) with no problems. I can also ssh to the other systems via IP address, just not by name.
I've compared the /etc/ssh/ssh_config, /etc/resolv.conf, /etc/ssh/sshd_config and other files between the two systems and not seeing anything peculiar. arp, route, etc., don't show different behavior between the systems either.
View 6 Replies
Sep 15, 2010
At home I have two computers running Linux connected to the same router. I would like to be able to connect them so that I can move files between them and execute simple commands. What is the simplest way to access a prompt on the other computer or to mount a partition currently used by the other computer? Using the www it is possible to connect two computers using ssh, but it should be easier to do this over the LAN, right? I have been googling a lot but not found anything.
View 10 Replies