I'm intending to replace my current router (486DX2 w/16MB running FREESCO, which has been faithfully working 24/7 for well over a decade) with a Debian box with a bit more grunt and newer features. I'm currently setting up my iptables ruleset and am after a bit of advice re the FORWARD policy. A few example rulesets I have found set the default policy to DROP and then have two lines for each port forward, one to allow the traffic and one to direct the incoming packets to the correct machine.
I'm thinking of setting the default policy to ACCEPT to cut down on typing, as my default INPUT policy is DROP and unless there is a valid FORWARD rule for a particular port, the packets aren't going anywhere anyway. Or have I misunderstood something? My googling returned heaps of example scripts & not much intelligent commentary. Alternatively, what do you all use to configure & maintain your Debian gateways: hand-rolled iptables rules, or any toolset recommendations?
After resetting a PC running Lenny I get iptables errors at boot ("resource temporarily unavailable", "bad rule", etc.). "Setting up firewall" (Guarddog) is not followed by any errors and the firewall apparently operates OK. How can I restore my iptables to the default installation values?
I'm having trouble configuring my Debian (2.6.26-2-686) with some routing tuning. In fact, I have a VPN provider. I want my Squid proxy to use this VPN provider, and I have to use policy routing because my ISP forbids IP spoofing.
I've read the instructions about setting up the iptables rules to filter all ports except HTTP, SSH, FTP. I first need to remove all default iptables rules and set the default policy of all chains to DROP:

# Set default-deny policies for all three default chains
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP

Then allow only some ports:

# Accept inbound packets that are part of previously-OK'ed sessions
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
# Accept inbound packets which initiate SSH sessions
$IPTABLES -A INPUT -p tcp -j ACCEPT --dport 22 -m state --state NEW
# Accept inbound packets which initiate FTP sessions
$IPTABLES -A INPUT -p tcp -j ACCEPT --dport 21 -m state --state NEW
# Accept inbound packets which initiate HTTP sessions
$IPTABLES -A INPUT -p tcp -j ACCEPT --dport 80 -m state --state NEW
# Log anything not accepted above
$IPTABLES -A INPUT -j LOG --log-prefix "Dropped by default:"
But I hired a VPS in another country, so the only means I have to manage it is via SSH. If I set the default policy to DROP first, I'm afraid that I can no longer connect via SSH to tell iptables to allow SSH. So my questions are:
- Do the iptables rules take effect immediately after I enter a rule?
- Is there any means to run this as a batch job (create a script and run all these rules at one time)?
- My VPS has a web control panel which has a terminal via the web. Is this a native terminal or just a connection via port 80 or 22?
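The FORWARD-policy question and the SSH lockout worry in the posts above are both addressed by the following script, an added example that is not part of any of these posts; the interface names, the internal host 192.168.0.2 and the DRY_RUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not from any post above: a lockout-safe iptables ruleset
# with FORWARD kept at DROP and one nat+filter pair per published port.
# Interface names, the 192.168.0.2 web server and DRY_RUN are assumptions.
set -eu
WAN=${WAN:-eth0}; LAN=${LAN:-eth1}; IPT=${IPT:-iptables}
LAN_WEB=${LAN_WEB:-192.168.0.2}   # constructed: internal web server

# With DRY_RUN=1 commands are printed instead of executed, so the ruleset
# can be reviewed (and checked below) on a box without root.
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# One published port needs two rules: nat to rewrite the destination, and
# a FORWARD ACCEPT for the rewritten packet. DNAT alone does not permit it.
port_forward() {   # proto public_port inside_host inside_port
    run -t nat -A PREROUTING -i "$WAN" -p "$1" --dport "$2" \
        -j DNAT --to-destination "$3:$4"
    run -A FORWARD -i "$WAN" -o "$LAN" -p "$1" -d "$3" --dport "$4" \
        -m state --state NEW -j ACCEPT
}

apply_rules() {
    # Every iptables command takes effect at once, so the allow rules for
    # existing sessions and SSH go in before the INPUT policy changes.
    run -A INPUT -i lo -j ACCEPT
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
    run -A INPUT -j LOG --log-prefix "Dropped by default: "
    run -P INPUT DROP
    run -P OUTPUT ACCEPT
    # FORWARD stays DROP: an ACCEPT policy would also pass any LAN/WAN
    # traffic that no rule lists, not only the published ports.
    run -P FORWARD DROP
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    run -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    port_forward tcp 80 "$LAN_WEB" 80
}

# Sanity checks on the generated ruleset; neither applies anything.
rule_count() { DRY_RUN=1 apply_rules | wc -l | tr -d ' '; }
ssh_before_drop() {   # succeeds when the SSH allow precedes -P INPUT DROP
    out=$(DRY_RUN=1 apply_rules)
    ssh=$(printf '%s\n' "$out" | grep -n -e '--dport 22' | cut -d: -f1)
    drop=$(printf '%s\n' "$out" | grep -n -e '-P INPUT DROP' | cut -d: -f1)
    [ "$ssh" -lt "$drop" ]
}
```

Run `DRY_RUN=1 sh -c '. ./fw.sh; apply_rules'` to review the commands, then call `apply_rules` as root to install them in one batch.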
I've got Debian Sid x64 on my machine. The problem is that in my KDE setup several programs don't work, namely the System Load Viewer plasmoid, the plasmoid with temperature info and update-notifier-kde. System Load Viewer always shows 0% RAM and swap usage, as well as no processors; the temperature sensors plasmoid shows no sensors available even after I installed lm-sensors and ran sensors-detect; update-notifier-kde doesn't show any notifications even if I run aptitude update manually. I might be mistaken, but it seems to me that these three programs are not working because of some common reason, most likely some policy package either missing or misconfigured, but I can't figure out what it is.
When I reboot my computer, my iptables sets itself to a policy of dropping everything, adds a bunch of rules, and a bunch of extra chains, to the effect that (due to everything being set to drop) I can't do anything. I know how to fix this from the terminal to the extent of just clearing most of it and changing the policies back. However, what I don't know is how to make it stay that way. I have a file with the iptables rules I want, so every time I start up I just run iptables-restore, but I don't want to have to do this every time, particularly since others use this computer who do not have admin privileges.
I've tried changing /etc/network/interfaces with the added line pre-up iptables-restore < (etc), but that never does anything, or if it does, it just makes stuff work even less. I've tried changing init.d before based on similar info elsewhere, still no luck. I don't know how to get it to stick, and I don't know why it is defaulting to the rules it is, other than that I used a firewall app a while ago and afterwards this was the result; I uninstalled that app after having no success using it to reverse the damage.
I need to be able to do the following. Physical router located at 192.168.40.1. On the Ubuntu 10.04 Lucid machine:

eth0 with static IP 192.168.40.2
eth1 with static IP 192.168.40.3
eth2 with static IP 192.168.40.4

Associate a virtual address to eth1 with an entirely different network address such as 192.168.50.1. Do the same (virtual address) for eth2, e.g. 192.168.60.1. In the application:

register phone number A at 192.168.40.1 (the application will automatically use eth0 for this)
register phone number B at 192.168.50.1
register phone number C at 192.168.60.1
Somehow forward all traffic (including the register request) sent to 192.168.50.1 to 192.168.40.1 as if the register had been made directly to 192.168.40.1. In other words, the app "sends" registration and traffic to 192.168.50.1 but then Ubuntu forwards it to 192.168.40.1 (but the app does not know that). Similarly, forward all traffic sent to 192.168.60.1 to the router at 192.168.40.1.
Do the same for the reverse: forward all traffic that the router sends back to 192.168.40.3 (eth1) to 192.168.50.1 (within the Ubuntu machine) so that the app knows it is for phone B. Similarly, forward all traffic that the router sends back to 192.168.40.4 (eth2) to 192.168.60.1 so that the app knows it is for phone C. Thus, the application believes that it is registering at 3 completely separate routers on 3 completely separate networks via 3 separate network interfaces, but in fact is really registering all three to the same router (but does not know that). Similarly, the router believes that it is receiving 3 separate registrations because it receives each registration request and traffic from 3 separate interfaces and thus 3 separate MAC addresses (i.e., of eth0, eth1, and eth2). Traffic sent to and from the router for each of the 3 phone numbers (via eth0, eth1, and eth2) is not mixed because the translation happens in both directions.
I have set the iptables INPUT policy to DROP. As I expected, tcpdump wasn't showing any packets... for a while. Suddenly it began to show UDP syslog packets being sent by a remote host. It conforms with the configuration of syslog, but since the INPUT policy was set to DROP, with no exceptions, it does not conform with the configuration of iptables. Why, after setting the INPUT policy to DROP with no exceptions, are most of the packets received before being dropped and some not, as tcpdump shows?
I am trying to do a NAT forward in iptables but get the following error:

[root@server88-xxx-xxx-198 openvpn]# iptables -t nat -I POSTROUTING -i tun0 -o e
iptables v1.3.5: Can't use -i with POSTROUTING

Any ideas on what to do? I have an OpenVPN server running and I need the client to use the ports on the OpenVPN server.
This happens when I try to install my proprietary graphics driver, and I don't know what it means. Here are the steps I took and what resulted:

killerzen@Decode666:~$ cd ~/Desktop
killerzen@Decode666:~/Desktop$ chmod +x ati-driver-installer-9.2-x86.x86_64.run
killerzen@Decode666:~/Desktop$ ./ati-driver-installer-9.2-x86.x86_64.run
Created directory fglrx-install.pHiKQh
Verifying archive integrity... All good.
Uncompressing ATI Proprietary Linux Driver-8.582
ATI Technologies Linux Driver Installer/Packager
Error: ./default_policy.sh does not support version default:v2:i686:lib::none:2.6.32-22-generic; make sure that the version is being correctly set by --iscurrentdistro
Removing temporary directory: fglrx-install.pHiKQh
So here is my issue in a nutshell. I need to take FTP requests that hit Server_A and forward them to Server_B. Server_B is not NATted... Server_B is another public server in a completely different location in the world. One thing to note is that I only have one NIC, which is why you will see both in and out being eth0. This is what I have in my iptables on SERVER_A:

iptables -A FORWARD -p tcp -i eth0 --sport 21 -o eth0 -d SERVER_B --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --sport 20 -o eth0 -d SERVER_B --dport 20 -m state --state NEW -j ACCEPT

I've also tried both of the above without the --sport option. When I FTP to SERVER_A (where the above iptables rules are) it connects to SERVER_A instead of forwarding them to SERVER_B.
My company is a small company! And it only has one public IP, but my company has a lot of websites to access! Now I use a reverse proxy server (Apache) to solve it temporarily! It is not convenient for me! So I wonder whether iptables can be used to forward according to the domain!! Here is the test:

public IP: 10.0.0.1
private IP 1: 192.168.1.1, matching website domain: www1.test.com
private IP 2: 192.168.1.2, matching website domain: www2.test.com

And if someone accesses [URL], iptables will know they want to access 192.168.1.1 and will forward to the server 192.168.1.1!!
A week ago I opened this thread viewtopic.php?f=17&t=61580 in "Board index ‹ Help ‹ Installation" and asked for a moderator to move it here. Because it hasn't happened up to now, I am reopening the thread here. It would be reeeeally great if somebody could help me with my problem!
I own two computers, one netbook and one laptop. I want to boot my netbook as a diskless client via PXE. I set up a DHCP, TFTP and NFS server on my laptop, but when I boot my netbook, the following messages are displayed (to make it more clear, I uploaded the whole output and shortened the output below):
I followed these instructions, but after iptables-restore < /etc/iptables.test.rules I see this error:

# iptables-restore < /etc/iptables.test.rules
Bad argument `#'
Error occurred at line: 3
Try `iptables-restore -h' or 'iptables-restore --help' for more information.

Line 3 is the same as in the link: # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
I need to forward a port to use dtella. I'm using Fedora 10, using iptables for my firewall.
I'm currently trying to forward it from terminal with this command:
sudo iptables -t nat -A PREROUTING -p udp -i eth0 -d [ip address] --dport 11823 -j DNAT --to 192.168.0.2:80

This is what I get from iptables -L:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
I just upgraded my Fedora 13 to Fedora 14. I changed the CPU and the motherboard, so I had to install from scratch... but I saved my iptables. The problem is that I do all the stuff, service iptables save, and apparently it works... But every time I reboot I have to re-run the script to forward Internet... Everything else works just fine... I mean I can ssh, vnc, etc., but it won't forward Internet :S don't know why?
I have three machines on three networks:

192.x.x.x
10.x.x.x
172.x.x.x

The routers are set to forward communication between the 192. network and the 10. network, and between the 10. network and the 172. network. However, there's no routing between 192. and 172. I want to fix that by using a machine on the 10. network to forward communication between the other two networks. The machine has one ethernet connection eth0 whose address is 10.1.1.11. I set up an aliased IP address eth0:0 to be 10.1.1.12 using

ifconfig eth0:0 10.1.1.12

Then I tried to set forwarding rules on the 10. machine such that the 10.1.1.12 address will provide access to the machine 172.1.1.55 as follows:

# iptables -t nat -A PREROUTING -d 10.1.1.12 -j DNAT --to-destination 172.1.1.55

The default policy for all chains is ACCEPT. I then try to access 10.1.1.12 from 192.1.1.20, expecting it to actually access 172.1.1.55; it does not work.
Let's say I have two machines on public IPs. If I get incoming traffic on machine #1 on port 55242 I would just like to forward it to machine #2 on port 35000. I would just like to use machine #1 the same way a DNS server works. It just redirects the traffic and tells the client where to go.
I've been trying to forward some ports using iptables for some time now, but still haven't figured out how to get it to work.. What I'm trying to accomplish is to forward all traffic from port 80 to port 8080, and all traffic from port 443 to port 8443, because I would like to run Tomcat as a non-root user, and the original ports can only be used as root.. I've currently set up my iptables like this:
# Generated by iptables-save v1.4.2 on Wed Nov 10 16:44:45 2010
*nat
:PREROUTING ACCEPT [39350:6120333]
I am trying to set up a DMZ host, that is, one multifunctional PC between the WAN and the LAN. I've started with a basic router and am expanding upon that as the need arises. I am currently trying to gain access (from the WAN) to a website hosted on one of the servers in the LAN, but I am having trouble accessing the host from the WAN; I think my iptables configuration may be too restrictive. On the DMZ host, I'm using Debian (Etch). I have set up dhcp3-server, a script to configure iptables, and pound (reverse proxy). The (virtual) machine has 4 network cards: eth0, eth1, eth2, eth3; eth0 is the WAN, eth1 through eth3 serve 3 different virtual LANs.
All machines in the LAN (except one Windows 2008 server; I might want to address that problem later) get their IP addresses correctly via DHCP from the DMZ host. All machines on the LAN can access the internet (including the 2008 server if I configure it manually) as they should. If I access http://localhost on the DMZ host, pound reports "The service is not available. Please try again later.", as it should.
I can ping the DMZ host from the WAN on 10.0.0.79 However, if I try to access the DMZ host from the WAN (http://10.0.0.79) I get "Unable to connect" from firefox. I'm sure this is not a pound problem, so I think it's in the iptables, or maybe I should be installing some extra software that I'm unaware of.
iptables and multiple public-facing IP addresses. With the current setup I have a public-facing firewall with iptables which will then forward traffic to a LAN IP. I will hopefully be allotted 1 private IP per public IP, which I hope will make this much more simple. For example, I have server A with the LAN IP of 10.0.0.1 which I would like to have traffic forwarded from 5.0.0.1, the public IP. I also have server B with LAN IP of 10.0.0.2 which I would like to have forwarded from 5.0.0.2, the second public IP. From what I have read and understood, this should be a simple task, however I would just like to double check to make sure that it is in fact possible, and if so, how would it be recommended that I go about doing so. Essentially, I need to forward each public IP to a corresponding LAN IP with all ports.
The goal is to make connection calls (ssh, ping, ...) possible from one LAN (LAN-1) to a number of (at the moment two) separate smaller LANs. These smaller LANs (LAN-2a, LAN-2b, ...) have exactly the same specifications (same IP range, same number of nodes, ...)! The idea is to use a Fedora box (release 14 with 2.6.35.6-45.fc14.i686) and implement appropriate iptables routing/forwarding. The Fedora box has three network interfaces:

- eth0 (aaa.bbb.ccc.m) on LAN-1 (aaa.bbb.ccc.0/24)
- eth1 (ddd.eee.fff.n) on LAN-2a (ddd.eee.fff.0/27)
- eth2 (ddd.eee.fff.p) on LAN-2b (ddd.eee.fff.0/27)
I'm having some trouble with the configuration of iptables. I want to set up a network server to serve as failover (for my 2 ISPs), DHCP and DNS. I have 3 network cards, 2 connected to the ISPs' routers and 1 that serves as the uplink for my switch.
I want to add some iptables rules so I can achieve what I want to do. The problem is that the rules I try to use have no effect.... they don't load. Here are the rules I am trying to add: