Debian Installation :: How To Install Netfilter / Iptables
Apr 5, 2011How to install netfilter/iptables ? debian6
View 1 Replies
ADVERTISEMENT
Debian :: Iptables - Netfilter Queue Handling
Jul 17, 2015I have created a nfq handler via nfq_open() and using the returned qhandle to bind my application program to a specific queue number that is configured in iptables. when i invoke nfq_create_queue() my program is stuck there and the back trace shows it is blocked in recvfrom()
bt
in recvfrom () from /lib/x86_64-linux-gnu/libpthread.so.0
in nfnl_recv () from /usr/lib/libnfnetlink.so.0
in nfnl_catch () from /usr/lib/libnfnetlink.so.0
Ubuntu Servers :: Iptables / Netfilter Config Stops Sendmail From Working?
Oct 8, 2010I have an ubuntu server virtual machine with a webhost. I am trying to configure the firewall. I am having a problem with sendmail and the required firewall configuraiton If I type the command:
iptables -F
Then sendmail works perfectly. I can see the emails sent in my googlemail inbox. I then configure my firewall as follows:
iptables -F
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p tcp --dport 2252 -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
[Code]....
(I have moved SSH to a diffrent port) Once this is setup sendmail no longer works. I had assumed that sendmail will establish a tcp connection and the first rule will allow all established connections to pass. why this iptables/netfilter config stops sendmail from working.
Debian Configuration :: Message Package Netfilter-persistent Is Not Configured Yet
Sep 3, 2015I installed few days ago Debian Jessie (Linux server-1 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1+deb8u3 (2015-08-04) x86_64 GNU/Linux) for some tests.I tried to install iptables-persistent with the command "apt-get install iptables-persistent".During the install process, I got the following message :
Code: Select allPreconfiguring packages ...
Selecting previously unselected package netfilter-persistent.
(Reading database ... 31677 files and directories currently installed.)
Preparing to unpack .../netfilter-persistent_1.0.3_all.deb ...
Unpacking netfilter-persistent (1.0.3) ...
Selecting previously unselected package iptables-persistent.
[code]....
Some talks about cups, acpid, ipv6 or systemd but nothing has solved the issue in my case.I used iptables-persistent many times with older debian versions.
Debian :: How To Install Iptables-persistent As Loadable Kernel Module
Nov 10, 2015I'm working on my iptables rules on a debian 8 vps and I tried to install iptables-persistent but I was told "Unable to locate package"...
Where can I get this so that I may save my rules for reboot?
General :: Install Module U32 Into The Netfilter Module For Kernel 2.6.27
Jan 30, 2011I need to install module u32 into the netfilter module for kernel 2.6.27.
I did not see the source code in the kernel version I have. where can I find the code for U32 module.
I have checked "netfilter.org" and looks like POM is discontinued. Is the u32 module committed to kernel version 2.6.27 or need to patch it. If yes, where can I find the patch?
I building the kernel for a MIPS processor.
Server :: Debian 5.0.6 Iptables Modules Installation - VMware
Mar 2, 2011I use Debian 5.0.6 32-bit through VMware workstation installed on my Windows Server 2003. I just simply installed it from CD-1 and I use Directadmin on that.
I need a lot of iptables commands for blocking but I keep getting missing module errors on that one, I did lsmod | grep -i iptables to see there are no modules. It should have been installed by the disc image but I don't know why it didn't. So I now want to know how to get those modules required by iptables.
Debian Configuration :: How To Restore Iptables To Default Installation Values
May 9, 2010After resetting a pc running lenny I get iptables errors at boot ("resource temporarily unavailable", "bad rule" etc). "setting up firewall" (Guarddog) is not followed by any errors and the firewall apparently operates ok.How can I restore my iptables to the default installation values?
View 2 Replies View RelatedNetworking :: Netfilter: Connection Tracking Bandwidth Accounting?
Dec 10, 2010On Kernel 2.6.33.4 I get this from /proc/net/ip_conntrack:
tcp 6 431557 ESTABLISHED src=X.X.X.X dst=X.X.X.X sport=44242 dport=993 packets=128 bytes=9267 src=X.X.X.X dst=X.X.X.X sport=993 dport=44242 packets=85 bytes=53950 [ASSURED] mark=0 use=2
On Kernel 2.6.36.2 I get this from that same file:
tcp 6 431665 ESTABLISHED src=X.X.X.X dst=X.X.X.X sport=4640 dport=8082 src=X.X.X.X dst=X.X.X.X sport=8082 dport=4640 [ASSURED] mark=0 use=2
It's missing the data on bytes and packets transmitted through that particular connection. I had written a program that uses this information. Was this pulled out of the kernel on purpose or did I miss some option when compiling the new kernel for my box?
Security :: Netfilter Conntracking For P2P Protocols - Edonkey - Bittorent
May 17, 2009I would like to allow multi users to access P2P networks, so I wonder if there's a way to tracking these kind of protocols with netfilter, and also compatibility with nat, like the module conntrack_ftp seems to do with the FTP protocol.
View 3 Replies View RelatedNetworking :: NETFILTER And Extraction Of Data From Non Linear Area Of Skbuff
Feb 25, 2011i am writing a netfilter module for linux 2.6.34.6-47 / 2.6.35. while i could capture the packets on the incoming hook since the same came as a single packet in probably the allocated skbuff area by the stack, i found that packets going out of the machine are getting splitted into linear and non-linear area. skb->data gives the total length of packet as correct, but when i extract skb-> data to print it, it prints only ip and tcp header. Now to treat the data i need to extract it and then push it back on the route.
To clarify if my data is 3 bytes . the total length by passing pointers show as 55 bytes = ( 52 byte of header + 3 byte of data), but i can't access these 3 bytes by using skb->tail - skb->data. how to extract outgoing data for any further action and then put it back on route for further encapsulation by the L2 stack or whatever. will skb_linearize() or skb_linearize_cow() be of any use , if yes how and why?
Programming :: Configure Netfilter By Importing A Text File With C++ Language
Feb 27, 2010Well my problem is that i want to configure Net filter (FORWARD) not manually but by importing a text file which may contain a binary array with c++ language like :
0 0 1
1 1 0
0 0 1
with 0 is "IPTABLES -A FORWARD -p udp -j ACCEPT"
and 1 is "IPTABLES -A FORWARD -p udp -j DROP"
so after importing i want to find in my firewall 9 rules equal to the numbers of the binary array.
Networking :: Netfilter's -state INVALID Triggered By Foreign Dual WAN Routers?
Dec 22, 2010Recently I am logging the packets that are supposedly INVALID and I found out that I am dropping a lot of packets that seem legitimate (in the sense that they are clients that are allowed to contact us).
Code:
:invalid - [0:0]
-A invalid -j LOG --log-prefix "[DROP INVALID] : " --log-tcp-options --log-ip-options
-A invalid -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
[Code]...
I would like to know If I can tell a complaining client that his dual-WAN solution is not behaving properly.Should such a dual WAN-router spoof its IP to the one that initiated the connection? And what happens if these packets are not dropped? Will they be accepted by the application or does it depend on the application? It sounds like a security risk if it does. It seems to me those packets will be ignored anyway by the application Netfilter's manual says that it's safe to drop these packets.
Security :: Netfilter Hook - Kernel Module - Skb_transport_header - Tcphdr Fields Wrong Values
Apr 1, 2010We are trying to implement a firewall as kernel module through netfilter hooking (in C). In the following code we are allowing only TCP traffic. Source port number and destination port number are printed for every TCP packet. On execution, this code prints wrong port numbers. This is the first time we are using skb_transport_header function for accessing tcp headers.
We verified port numbers being printed by firewall through NFS traffic. On the same machine where firewall is running, we hosted an NFS server. An NFS client (from a different system) puts a file in exported mount. Firewall is able to capture packets for this file transfer but port numbers printed are wrong. It prints '69' for source portnumber (whereas ethereal capture shows it as 790) and prints '553231' for destination port (whereas for nfs version 4 it has to be 2049).
[Code]....
Debian :: Debian Lenny Iptables Does Not Logs
Mar 29, 2011I have problem with loging, actually iptables logs a data but it seems that for some reasons does not writes in a log file:
Code:
iptables -L -v
Chain INPUT (policy ACCEPT 406 packets, 124K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT tcp -- any any xxxxxxxxxxx anywhere tcp dpt:xxxx
[Code]....
i checked /var/log/message and /var/log/syslog nothing is here related to iptables. then i create separate file for Iptables by adding this: kern.warning /var/log/iptables.log in my rsyslog.conf it does create iptables.log file inside /var/ but its still empty
Fedora Servers :: Unable To Restore My Iptables From Iptables-save After Upgrading
Nov 26, 2010I am unable to restore my iptables from iptables-save after upgrading Fedora. I cannot get iptables-restore to work, and I have resorted to entering rules manually using the GUI.
View 2 Replies View RelatedGeneral :: When Restart The Iptables Service Then The Firewall Entries Are Again Shown In Iptables?
Sep 17, 2010I am facing a strange problem witht my iptables as there are some firewall entries stored somewhere which is displaying the below firewall entries even after flushing the iptables & when I restart the iptables service then the firewall entries are again shown in my iptables as shown below,
[root@myhome ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
[code]....
Debian :: How To Set Iptables With Config
Feb 18, 2015I`d like to block bruteforce attack from china, russia to my mysql and i want to open 3306 mysql port just for one type adress from internet like this:: 212.23.165.xxx, and for others I want to block just for 3306.In my new installaton of weezy I`ve not configured iptables..how should looks like iptables config and how to set iptables with this config?
View 3 Replies View RelatedDebian :: Getting Iptables To Run On Boot?
May 30, 2011I don't like this[URL]because every time there is slight change in firewall rules, all that would have to be done again and again
View 3 Replies View RelatedUbuntu :: Try `iptables -h' Or 'iptables --help' For More Information - ' Not Found.4.4: Host/network `98.200.58.73
Nov 3, 2010I recently installed a new Ubuntu PC that runs iptables and PSAD. I had the same script on another Ubuntu PC, but when I copied the script onto the new PC, I got this error. I don't remember where I found the tutorial for this, all I know is that this is the script (Edited for my usage):
Code:
#!/bin/bash
# Script to check important ports on remote webserver
# Copyright (c) 2009 blogama.org
# This script is licensed under GNU GPL version 2.0 or above
[code]....
Safe.txt contains:
Code:
127.0.0.1
192.168.1.8
192.168.1.1
98.200.58.73
192.168.0.1
And the error message generated is:
Code:
root@NETWORK-SERVER:/var/ddosprotect# ./ipblock.sh
' not found.4.4: host/network `127.0.0.1
Try `iptables -h' or 'iptables --help' for more information.
' not found.4.4: host/network `192.168.1.8
[code]....
Fedora :: IPtables Creates An Error During Startup - Applying Firewall Rules: Iptables-restore: Line 21 Failed
Jul 17, 2010IPtables creates an error during startup as well as when I try to restart it: Here's the output of:
[Code]....
Debian :: Iptables Log UDP Flood Under 64 Packages?
Jan 22, 2011how to do iptables log to file UDP Flood under 64 packages?
View 14 Replies View RelatedDebian :: Iptables Cannot Save The Configuration?
Apr 28, 2011I am configuring the iptables in the debain squeeze and then running the: iptables-save
View 4 Replies View RelatedDebian Configuration :: Bad Argument '#' In Iptables
Jul 11, 2011I follow this instructions but after iptables-restore < /etc/iptables.test.rules I see this error # iptables-restore < /etc/iptables.test.rules Bad argument `#' Error occurred at line: 3 Try `iptables-restore -h' or 'iptables-restore --help' for more information. The line 3 is the same as the link - # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
View 3 Replies View RelatedUbuntu Servers :: Setup Iptables Rules In /etc/if-up.d/iptables?
Apr 16, 2011I am running Ubuntu server 10.10 and trying to setup iptables rules in /etc/if-up.d/iptables
Quote:
root@host# cat /etc/network/if-up.d/iptables
#!/bin/sh -e
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Problem is that iptables doesn't get updated and I don't see them when iptables -L is executed after reboot.
CentOS 5 :: Custom Iptables: Remove The Existing Iptables First?
Apr 28, 2009To expand: I'm trying to set up a box with l7-filter, and I need to patch and compile iptables 1.4.1.1 as part of the process. I ./configured it with the prefix= argument so it would install into /sbin instead of /usr/sbin, and I did a yum remove iptables before installing it so as not to get in the way of the original iptables, but I'm wondering if this is really necessary - it's kind of annoying, because removing the original iptables removes the init.d script, deregisters the service, etc. If I don't, is it possible that iptables 1.4.1.1 might get overwritten in a system update or something, or will yum see that I've got a custom/newer version in there and leave it be?
View 4 Replies View RelatedDebian Configuration :: Iptables Forwarding For Tomcat?
Nov 10, 2010I've been trying to forward some ports using iptables for some time now, but still haven't figured out how to get it to work..What i'm trying to accomplish is to forward all traffic from port 80 to port 8080, and all traffic from port 443 to port 8443, this because i would like to run tomcat as a non-root user, and the original ports can only be used as root.. I've currently setup my iptables like this:
# Generated by iptables-save v1.4.2 on Wed Nov 10 16:44:45 2010
*nat
:PREROUTING ACCEPT [39350:6120333]
[code].....
Debian Configuration :: Iptables Blocks FTP Connections
Jul 8, 2011For some reason my FTP packets are blocked by iptables even though I thought I allowed them through
My syslog errors are along this line:
And my iptables ruleset:
Debian :: How To Use IPtables - Basic Firewall Setup
May 16, 2010Recently I have been working on iptables and trying to understand how to use it. Here's a little script I have written to setup a basic firewall for myself:
Code:
#!/bin/bash
if [ `id -u` -ne 0 ]; then
echo "You need root privilege"
exit 1
fi
PROG=/sbin/iptables
$PROG -F
function sethttp {
echo "Opening http port..."
$PROG -A INPUT -p tcp --dport 80 -j ACCEPT
}
function sethttps {
echo "Opening https port..."
$PROG -A INPUT -p tcp --dport 443 -j ACCEPT
}
function settorrent {
echo "Opening torrent port..."
$PROG -A INPUT -p tcp --dport 52413 -j ACCEPT
}
while getopts "hst" option; do
case "$option" in
h) sethttp;;
s) sethttps;;
t) settorrent;;
*) echo "DOH!"
esac
done
$PROG -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$PROG -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$PROG -A INPUT -i lo -j ACCEPT
$PROG -A OUTPUT -o lo -j ACCEPT
$PROG -A INPUT -j DROP
$PROG -A FORWARD -j REJECT
echo "Done setting up the firewall! Enjoy :)"
exit 0
OK, this can take 3 arguments that open ports 80, 443 and 52413. And at the end, some default rules are applied. But here's the thing I don't understand:
if I don't give the argument for port 80, I can still view web pages... and also, when I remove the line:
Code:
$PROG -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Whether I say it to open port 80 or not, I can't view any web pages.
Networking :: Iptables Configuration On Debian Dmz Host?
Jul 6, 2010I am trying to set up a DMZ host - that is, one multifunctional PC between the WAN and the LAN. I've started with a basic router, and expanding upon that as the need arises. I am currently trying to gain access (from the WAN) to a website hosted on one of the servers in the LAN, but I am having trouble accessing the host from the WAN; I think my iptables configuration may be too restrictive. On the DMZ host, I'm using Debian (Etch). I have setup dhcp3-server, a script to configure iptables and pound (reverse-proxy). The (virtual) machine has 4 network cards: eth0, eth1, eth2, eth3; eth0 is the WAN, eth1 through eth3 serve 3 different virtual LANs.
All machines in the LAN (except one windows 2008 server - I might want to address that problem later) get their IP adresses correctly via dhcp from the DMZ host. All machines on the LAN can access the internet (including the 2008 server if I configure it manually) as they should. If I access http://localhost on the DMZ host, pound reports "The service is not available. Please try again later." - as it should.
I can ping the DMZ host from the WAN on 10.0.0.79 However, if I try to access the DMZ host from the WAN (http://10.0.0.79) I get "Unable to connect" from firefox. I'm sure this is not a pound problem, so I think it's in the iptables, or maybe I should be installing some extra software that I'm unaware of.
[code]....