I can't seem to get CBQ / tc working when I attempt to filter ip+port. It works when I just filter on IP though, I don't understand what the problem is. Here is my CBQ file.Quote:
DEVICE=ppp0,51200Kbit, 51200Kbit
RATE=512Kbit
WEIGHT=512Kbit
[code]....
Even though I've set up HTTPS to be trusted, it still blocks my school's https site: "mnsu.edu/eservices" same with SAMBA and SSH.
If enter the GUI and authenticate as root, change anything and apply, then exit: it works fine and so does SAMBA. However, after restarting, everything stops working again.
yet secure firewall configuration that doesn't require any login or headaches.
I am trying solve a strange problem which ocurred after upgrading many packages including kernel and iptables.This is a Fedora 10 PC acting as a small home-server I've been using over a year without problems. Recently, I've run a yum upgrade and after that, connections outside home wouldn't work. No changes in IPtables (firewall) rules have been done. But connection through local network is working.Symptom is.I've connected to my second PC at home and connected to the server. It works fine on local network. I restart network services (service network restart) and outside connections could be established.I have disabled iptables and ip6tables and after reboots it works fine. But PC is running without firewall.
View 5 Replies View RelatedI'm trying to build a firewall with IPTables: INTERNET <--------> (eth0) FIREWALL (eth1) <------------->FTP_srvI set all rules DROP by default.My rules for forwarding packet to FTP server:
#iptables -t nat -A PREROUTING -i eth1 -d $FIREWALL_EX_ADDR -p tcp --dport 21 -j DNAT --to-destination $FTP_ADDR:21
#iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
[code]....
I need to create filename 70-android.rules in the directory /etc/udev/rules.d/I have Adm privileges in my user account properties, but when I use sudo to create this file the Ubuntu OS does not allow me the privilege... I am running Ubuntu 10.04 LTS and here's the Terminal output below:daddy@gatomon-laptop:/etc/udev/rules.d$ sudo cat > 70-android.rulesbash: 70-android.rules: Permission denieddaddy@gatomon-laptop:/etc/udev$ ls -ltotal 8drwxr-xr-x 2 root root 4096 2011-03-16 18:03 rules.d-rw-r--r-- 1 root root 218 2010-04-19 04:30 udev.conf
View 2 Replies View Relatedi have just setup a firewall using iptables on centos 5.3 but there's an issue with ftp
i can connect and i can login when i give command "ls" it says entering passive mode
and afterwards it times out do you know why? i have port 21 open in my firewall but still....
Recently I had made some udev rules to communicate with a few devices using USB ports. For some odd reason, they suddenly stopped working. Here are my rules:
Code:
ATTRS{idVendor}=="0403", ATTRS{idProduct}=="6001", SYMLINK="HCS12"
ATTRS{idVendor}=="067b", ATTRS{idProduct}=="2303", SYMLINK="Driver12"
ATTRS{idVendor}=="050d", ATTRS{idProduct}=="0109", SYMLINK="Driver34"
According to the documentation, all that is needed to write proper rules is one match operator (relevant info) and one assignment operator (name of port). I am running kernel 2.6.31-22, so udev rules are valid for use (they require at least 2.6.15). My only guess is to include something that identifies the serial port.
After a system update a couple of days back - which as far as I can remember included some xorg packages - neither of the policy files I have written for my keyboard, synaptics touchpad and mouse work.Below are the files and the Xorg log file.
99-x11-keyboard.fdi
<?xml version="1.0" encoding="UTF-8"?>
<deviceinfo version="0.2">
[code]...
I added a few rules to my /etc/iptables.rules file and then used sudo iptables-restore < /etc/iptables.rules but i got an error saying "iptables-restore: line 29 failed".But the only word on that line.
View 1 Replies View RelatedIs it possible to apply a rule to a specific local IP? For example lets say I have a two IP's assigned to my server, 1.1.1.1 and 2.2.2.2.;.I want to deny all connections going to 1.1.1.1 only asides from a couple of trusted IP's I will define.
View 1 Replies View RelatedI need with some iptables rules. I've done all I can, Googling all over, to cover as many exploits as possible and the following script is what I've come up with. The current set up works and I've checked with NMAP. I just need some sort of confirmation that this is pretty much what I can do.
Code:
LAN="eth0 eth1"
RANGE=10.1.0.0/17
WAN=eth2
# Delete all existing rules
[code]....
Also, if I wanted a broadcast to be relayed to all subnets within a defined range, how would such a iptables rule look like? I need this in order to find a networked Canon MP640 printer.
On my firewall I have DNAT for certain UDP streams. I have set up the DNAT and FORWARD rules:
Code:
#: Redirect port 6006 to TH2
$IPTABLES -A FORWARD -j ACCEPT -d $hst_stratus_th2 -p udp --dport $prt_mdi
[code]....
I just install 1 firewall using Iptables.
Firewall includes 2 NIC:
NIC1 <IP PUBLIC>
NIC2 192.168.10.1
I installed 1 web server IP: 192.168.10.2
I have some PC IP range: 192.168.10.10->20
I set rules NAT on firewall and PC & web server can connect internet good, but I have problems:
When PC access to web server with IP 192.168.10.2 that ok, but PC can't access to web server when using IP Public. But outside internet, I can access to web server using IP Public.
Rules on IPTables
Code:
# Generated by iptables-save v1.3.5 on Sun Mar 7 21:01:16 2010
*nat
:PREROUTING ACCEPT [950:126970]
:POSTROUTING ACCEPT [89:5880]
:OUTPUT ACCEPT [19:1342]
-A PREROUTING -d 209.99.242.124 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.2:80
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j SNAT --to-source 209.99.242.124
*filter
:INPUT DROP [1599:157409]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [232:34452]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.168.10.2 -p tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
COMMIT
I am building a router and I wonder if I have some rules like this and
/proc/sys/net/ipv4/conf/all/accept_source_route is 0 will it work.
Code:
echo 1000 TEST >> /etc/iproute2/rt_tables
iptables -A PREROUTING -s 192.168.2.0/24 -t mangle -j MARK --set-mark 1
ip rule add fwmark 1 table TEST
ip route add default via 192.168.3.5 dev eth2 table TEST
I am not quite sure is it source routed packages at all. And also even if it works with my router will next firewall drop such packages. I have mentioned before that some things like:
Code:
ip route add default via 192.168.3.5 dev eth2 src 192.168.2.0/24
do not work
For some reason, Ubuntu keeps assigning my network interface wrong MAC address. This happens only after fresh boot (I have dual boot with WinXP, if I start Windows first and then restart to Ubuntu without switching computer off, the MAC is correct). Contents of /etc/udev/rules.d/70-persistent-net.rules:
Code:
# PCI device 0x10ec:0x8136 (r8169)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:22:19:ef:1c:3d", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
# PCI device 0x168c:0x001c (ath5k_pci)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:17:c4:78:f4:f8", ATTR{type}=="1", KERNEL=="wlan*", NAME="wlan0"
[code]....
EDIT: I made a workaround by adding
Code:
auto eth0
iface eth0 inet dhcp
hwaddress ether 00:f3:f5:ef:fe:56
to /etc/network/interfaces and it works. However, I'd still like to know why Ubuntu ignores my udev rules, regardless whether the workaround happens to work or not...
How do I get ufw to refresh firewall rules after accidentally running iptables -F
View 3 Replies View RelatedDoes anyone have tips about iptables rules for filtering network traffice?
View 2 Replies View RelatedI am working on a Fedora 13 iso that will be used on some of the PC's at my work, the computers will have a varying amount of Ethernet ports, at least two onboard and up to 6 external. In order to ensure that the same physical port on the back of the computer is always used for the internet connection I have written a script to rearrange the contents of /etc/udev/rules.d/70-persistent-net.rules. The script ensures that the two Ethernet ports on the motherboard are listed as eth0 and eth1, without it they could end up as any port in the eth0-7 range.
The script works well however when its run I need to reboot the PC for the ifconfig to load the correct port as eth0/eth1. I have tried placing calls to my function through the rc.sysinit/rc.5d/rc.local and so on however nothing seems to work.Is there a way to make ifconfig check the mac/eth configuration files for changes (There appears to no longer be an ifprobe command which sounds like what I need). Alternatively is there somewhere I can place the script after udev has created the persistent-net.rules but before anything else loads the information. I have tried chkconfig --level 2345 network off and loading the service later but it still uses the wrong information, only a reboot seems to get it to work
every now and then Firewall Builder fails to open rules (*.fwb)and I have to use some old backup. it does load 'object libraries' but the main 'currently editing policy' panel is empty.(in gnome, debian testing amd64)
View 1 Replies View RelatedI'm trying to configure NFS sharing behind a firewall, I got it to work and all but I was caught by something that (to me anyways) seems odd.I've been able to mount the export on another computer and am transferring files over as we speak, but I'm just interested in knowing why the RELATED,ESTABLISHED rule seems to be catching almost all the traffic coming from the other node. Any ideas? Should I be concerned that my firewall isn't protecting anything or something?
View 1 Replies View RelatedWhenever I add a rule to iptables, all of the policy counters reset. The counters for each individual rule remain intact, however, the main counter resets. Here's what I mean:
Code:
[root] ~ # iptables -vL
Chain INPUT (policy ACCEPT 65M packets, 83G bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 50M packets, 30G bytes)
pkts bytes target prot opt in out source destination .....
The following is my setup. wireless server (ip of this server is 192.168.1.1) -- target board ( wireless client [ip of this is got for wireless server is 192.168.1.3 ] , bridge (192.168.36.1) )-- linux pc ( 192.168.36.3) as show above i have target board for that i have a wireless interface and a linux pc is connected to target board.now the ips are like this for linux pc 192.168.36.3 and my target board bridge ip s 192.168.36.1
my wireless interface got ip from another server like 192.168.1.3 ,now if i do ping on my target board for 192.168.1.1 it goes through wireless interface to the 192.168.1.1 wireless server.but when i do the same from target board connected linux pc its not pinging from linux pc i could able to ping to 192.168.1.3 but not 192.168.1.1 .I think i need to write a iptable rule properly on my target board to forward the 192.168.1.* packtes to wireless interface.
Is there a way to check older iptable rules that were loaded? I accidentally overwrote my iptables and that has killed internet access to all computers in the intranet. I must have accidentally deleted some line in the iptable rules and cannot figure how to get it back to how it was. I am using Debian 5.05 by the way.
View 1 Replies View RelatedI have a machine with 3 internet facing nics, all of which have static IP's. The IP's are all in the same subnet, and use the same default gateway.Using ip tables and rules, will I be able to make all three of these able to handle traffic?I have the following configured, but it doesn't appear to work:
# ip rule
0:from all lookup local
500:from 72.43.220.146/29 lookup 1
[code].....
I need assistance with my Snort Installation. I used Bodhi Zazen's Network Intrusion Detection System post and found it easier than the previous time I had done it. I am currently running Ubuntu 10.04 server and Snort 2.8.6.1 with BASE 1.4.5. I followed Bodhi Zazen's instructions and when I tested snort it ended with a Fatal Error due to ERROR: /etc/snort/rules/exploit.rules(264) => 'fast_pattern' does not take an argument
Fatal Error, Quitting.. Here is the entire output once I ran the test command: snort -c /etc/snort/snort.con -T Running in Test mode
[Code]...
I have a strange problem for internet. My clients (winxp - S2) can't get internet.Let me explain my scenerios. Fedora 10 with lan (eth0) having direct internet from dsl model, client (XP service pack 2) can use samba shares using dhcp (wlan0) installed in Fedora 10 box. client can ping my linux box.Now problem is: client (dosbox) can ping the google ip address (i.e ping 74.125.39.106) but can't use 'ping www.google.com'. That means ping with ip works for internet from my client. My linux box can. I can use internet from FC10 but can't use iexplorer from my client to have internet. I have enable ipmasquarding in Firewall and dhcpd is running on wlan0 for dynamic ip address of my clients.Can someone suggest me what kind of problem having I? What should i do to success iexplorer for internet? what possibly am i missing?
View 3 Replies View RelatedSeems like this should be a simple question, but I've looked around and have not found an obvious location to keep custom policy based routing rules in Ubuntu./etc/network/if-up.d comes to mind, but I was wondering is that was a "standard" spot. Also it doesn't seem like these rules really need to run each time an interface is up'ed or down'ed.
View 4 Replies View RelatedI two servers set up: 192.168.1.150 and 192.168.1.160 Initially, I want all traffic to be served by server 150. So for this purpose I am leaving the IPTables on .150 empty. At a point in time, I want to forward all incoming traffic to be served by .160 instead. I have accomplished this using these commands (on .150):
iptables -t nat -A PREROUTING -j DNAT --to 192.168.1.160
iptables -t nat -I POSTROUTING -j MASQUERADE
My problem is that if I have an open SSH connection to .150 (prior to adding the rules), the packets are still handled by .150 after adding the rules.. e.g. my SSH session stays active. I want these packets to be forwarded to .160, which would effectively disconnect the SSH session. I do not want the packets flat out dropped, I just want them forwarded on in whatever state they are in. If I try a new SSH session, it is properly forwarded to .160
I have set up a master DNS server at 192.168.50.9 and a slave DNS at 192.168.50.6. Both servers are BIND9.Machines are for testing/experimenting, hence the IP addresses. Initially, the zone transfer was blocked by the firewall on the master, as the slave uses randomly selected non-privileged ports for zone-transfer query. So, as far as I understand, there are two possible approaches:
1. Allow connections based on source, which should be
Code:
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW,ESTABLISHED -s 192.168.50.6 --sport 1024:65535 --dport 53 -j ACCEPT
(and it works for me fine)
2. Allow ESTABLISHED and RELATED connections, which would be something like
Code:
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
which was my initial idea but didn't work, but has inspired me to dig deeper into firewall configuration topics :).
Question: Does zone change notification message count for opening a dialog, or notification from master and slave zone update request are two absolutely separate actions? If the latter is true, that, of course, explains why option #2 didn't work.
I'm trying to configure Iptables and I just want to block everything but http/https. However, my connection is pppoe, so I have the ppp0 interface. Pretty much every Iptables tutorial that I found don't teach how to deal with this kind of setup. I'm forwarding the ppp0 to eth0 and I could configure the input rules and they're working. After this, I need to configure the output but nothing seems to work.
The current working rules are:
Code:
Chain INPUT (policy ACCEPT 7858 packets, 5792K bytes)
pkts bytes target prot opt in out source destination
299 201K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:www
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
11 820 DROP all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 ppp0 anywhere anywhere
0 0 ACCEPT all -- ppp0 eth0 anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 10791 packets, 1951K bytes)
pkts bytes target prot opt in out source destination
I don't understand what those "state RELATED,ESTABLISHED" rules do. Also, I don't know if this rules are secure, because i'm very confused about the ppp0/eth0 interfaces.