Friends the following shall block a particular machine in the same network, what can be done if it is dynamic IP and from other network?
iptables -A INPUT -s 192.168.0.0/24 -m mac --mac-source 00:50:8D:FD:E6:32 -j DROP
I have two asterisk servers each one behind a linux firewall/gw. Linux is Centos 5.4, kernel 2.6.18-164.el5, iptables v1.3.5. Routes on the fws are ok and when iptables is stoped the servers are see each other, all good. But when I run iptables script in any fw, one server (not always the same) goes unreachable. I verify this with asterisk -r, then show sip trunk, and status becomes UNREACHABLE.
Iptables scripts is generated by fwbuilder. The weird part is I put only one rule to de script and it looks like Source=any, Destination=any, Service=any, Interface=any, Direction (Inbound,Outbound)=any, Time=Any, Action=ACCEPT. So as you can see I tried something like "Do not do anything at all". But anyway I run the script in any fw and one server becomes UNREACHABLE. I think the script does something wrong after all or maybe I have some missconfiguration in my asterisk conf files. The point is I am not so expert in iptables or shell scripting so I can't see anything in the iptables script. I have look for some issues like iptables blocking because of ip_conntrack table full, or "dont fragment" bit set in kernel problem, but nothing seems to be the right problem at all.
I want to block the icmp packets(ping) from the other computer to my RHEL-4 what's the syntax I should use to do so in IPTABLES.
View 2 Replies View RelatedWhen i was try to execute this command in my router device it will show error...
First execution:-
Second Execution:-
So I Need to block this kind of websites ...kindly tell me what i have to rectify & change..here i didnt execute this command...
I want to block all the outgoing ssh form my machine, i.e my machine will not be able to ssh to any outside machine using iptables. The distro is RHEL, I added the following entry in the iptables but unfortunately it didnt worked, -A OUTPUT -p tcp -m tcp --dport 22 -j DROP
View 13 Replies View Relatedi used the angry ip scan software and found alot of the public ip addresses on our network are accessable from outside when they are not suppose to, For eg printers/ pcs etc. to make a start on locking down the network i was wondering if anybody knew th iptables command to add a rule which blocked all incoming traffic to specific ip adresses on the network and to a range of ip addresses.
View 7 Replies View RelatedIs possible blocking web with content for adults with iptables?
View 3 Replies View RelatedI am setting up a iptables firewall on one of our servers, and I would like to block a range of addresses from getting into the system. I am using a script that does a BLACKIN and BLACKOUT methodology for specific addresses. One example is the following:
Code:
$IPTABLES -A BLACKIN -s 202.109.114.147 -j DROP
...
$IPTABLES -A BLACKOUT -d 202.109.114.117 -j DROP
What would be the correct syntax to use if I wanted to block an entire remote subnet from getting into the server?
I set up iptables but it is blocking my SSH set up. I did allow it by opening port 22 but it did not work. Here is my config:
Code:
iptables -F
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
### this should allow SSH traffic
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
How do you allow SSH through the iptables firewall?
I have a fiberoptic broadband 20MB synchronous pipe at my home. Over summer at my place of employment its pretty much dead for 3 months so when I'm not busy I play around on my home server. I have my 20mb pipe going directly into my wrt54gl, from there I have a wired connection going to my server (Centos 5.3 recently upgraded to 5.5 through updates.) It serves as a file server(Samba, SSH). My wrt54gl handles natting port 22 to my server. I have my wireless AP setup to hand out leases from .2-.20 and my server has a static of .100. Dyndns.org handles my name resolution via their free account method.
I have a Mac Pro, iMac, Macbook, and a Toshiba Laptop with 64bit 7 running off wireless along with our cell phones, and my XBOX 360 also is wired directly for the gaming speed. I use all of the computers around my home to access the samba shares via unc path for file sharing and or working on projects. I had originally planned to upgrade the wrt54gl with a cisco e3200 or an e3000 but unfortunately I've come to find out dyndns and the e lines of cisco wireless AP's dont work with dyndns and get banned. So I would have to install the daemon on my server and put it as a directly connected server to my WAN link and install a second ethernet card and pass traffic through my server for the rest of my home which I am not going to do.
All of the previous sentence because it would update dyndns with a 192.168.x.x address since its not directly connected. I use a combination of putty.exe and vnc viewer to tunnel 5900 through port 22 to my server. So from anywhere I am at I can access my screen securely and then rdp or vnc to the desktop of my local LAN computers. This allows me to only have port 22 open. I've been looking at my ssh logs and noticed I have been getting hit alot with ssh scans. I want to implement an iptables firewall on my linux machine just for the purpose of further securing port 22. I dont necessarily need natting on the iptables firewall but all I need is ssh in and out, web in, and samba out to local ip's only.
For SSH this is what I want. I want to allow SSH from any IP but if it tries to login more than 3 times in one minute I want to block that IP for a full minute before it can try 3 more attempts. I also would like log to a file but have been having issues getting that to work as well. That way when I review logs and I see that an ip tries three times and then waits a minute and tries three more, etc... I can permanently block that ip or range of ip's by adding it to the iptables script. Here is my current iptables script and it doesnt seem to be working for me. I have played with this and read for almost two weeks and still cannot get it to work correctly.
Code:
#!/bin/bash
# In order to use this iptables firewall script you must have iptables installed. You also must be using a 2.4.x series Kernel, with iptables suppport compiled into it, which is standard for most newer linux distributions.
# If you need help compiling iptables into your kernel, please see our kernel Compile/Upgrade Guide located at [URL]
# Once the script has been edited with all your relevant information (IP's Network Interfaces, etc..) simply make the script executable and run it as root.
# chmod 700 fw_rules.sh
# ./fw_rules.sh .....
# Our final trap. Everything on INPUT goes to the dropwall
# So we don't get silent drops.
$IPT -A INPUT -j dropwall
I am currently running Debian 6. I would like to know if there is a way and how i would go about blocking a certain IP range from connecting to my server within a certain port range. Say for example.
i want to block ip range 123.123.123.* from connecting to my server on the ports 33000 - 43000. But, i want to allow them to connect on any other port range, and i want to be able to allow connections from my server to the blocked ip range on those same ports. so, blocking incoming only on the above port range.
using iptables.
I am at a loss how to prevent Denial of Service attacks to port 25 and not block legitimate connections from 2 Barracuda 800(s) and block smart phones such as iPhones/Blackberrys/iPhones that use the server smtp.server.com for email.
Presently for port 25
RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT
The 2 Barracuda 800(s) make port 25 connections all the time, plus users with smart_phones have the incoming server type:
IMAP
pop.server.com
smtp.server.com
Is there a way to keep Denial of Service attacks from happening with iptables rules without causing blocking to the Barracuda(s) that make constant port 25 connections & smart phones that poll? I was thinking if I allowed the Barracuda(s) in these lines
-s (barracuda)24.xx.xx.xx -d (emailserver)24.00.xx.xx -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT
Where the source would be the Barracuda going to the email server. It would be allowed, then I am left with how to allow other connections like Smart_Phones that connect via Port 25. I am thinking if I put rules in place doing connection counts in a minute it would result in errors connecting to the server and people would start complaining. Plus any limiting may result in blocking real traffic. Then would I need to allow the ISP range in the above example to accept port 25, I am still left with how to drop a flood/denial of service attack.
I have a computer with two interfaces eth0(LAN) and eth1(WAN).I have followed some guides on the internet and came up with this iptables configuration:
# Generated by iptables-save v1.4.4 on Wed Apr 20 09:43:12 2011
*nat
:OUTPUT ACCEPT [0:0]
[code].....
I have a lifttime premium account at Megaupload.com. Recently I found that megaupload has blocked all IPs in my area. I have sent emails to their tech but nothing has returned!!I have tried to use proxies to download stuff from megaupload, however, none of them works for suspected bandwidth reason, not to mention that it might be slow too.
View 5 Replies View RelatedSo, let's say there was a website www.qwerty.com, which is completely appropriate if not necessary except for the asdfg subfolder (www.qwerty.com/asdfg), which contains,say, pornographic material I want blocked. Is there any way to block "asdfg" without blocking the entire domain (www.qwerty.com)? I already tried editing my hosts file, but apparently that only works for whole domains.Also, while we're at it, can the hosts file be used to actually block IP addresses, or just domain names (so if I wanted qwerty.com with IP of 128.127.126.125 to be completely blocked, but know my family or employees are little smarter than that, I could add the line "0.0.0.0 128.127.126.125" to prevent all access to that website)?
View 3 Replies View RelatedI have a VPS which is running HTTPD, and its getting blown to bits by a DOS Attack. Turns out mod_evasive is totally useless (due to not running a total - rather counting per child process) and the only way to stop the box from running at 100% on all cores is to term HTTPD. So, what rules can I implement on the iptables firewall to block multiple requests from an IP? I saw this: [URL] Where someone has posted some rules but these dont work ("unknown error 4294967295" on the 3rd line). This is what i'm after though - block multiple requests from a single IP for a certain period of time.
View 3 Replies View Related when I try to connect to internet SELinux give my a preventing NetworkManager here is what its say:
Code:
Summary:
SELinux is preventing NetworkManager (NetworkManager_t) "getattr" to /dev/ppp
(ppp_device_t).
[Code]....
I can not stablish PPTP VPN because SELinux blocking Network Manager.
I get the following:
Summary: SELinux is preventing NetworkManager (NetworkManager_t) "unlink" to ./reso
Code:
I'm attaching complete alert.
For system calls, is blocking or non-blocking default in C? Simple question, just am not seeing the answer super quickly.
View 4 Replies View RelatedI am unable to restore my iptables from iptables-save after upgrading Fedora. I cannot get iptables-restore to work, and I have resorted to entering rules manually using the GUI.
View 2 Replies View RelatedI have a device that is working on modbus protocol andI have written a small program(with block TCP read method ) to read its registers via modbus protocol.my program is working very well but except those times that I unplug the Ethernet cable or turning off the modbus gateway during programs work.at this time my program stops on recv system call (if it reach this system call exacly when I unplug Ethernet cable or turning off the modbus gateway during programs work).I changed my source to work in nonblock TCP method, at this time with the same situation my program does not stop/block on recv system call but after pluging back the Ethernet cable or resuming the connectivity situation back it reads data incorrectly .this is my code:Quote:
#define DEBUG
#include <fcntl.h>
#include <string.h>
[code]...
IPtables creates an error during startup as well as when I try to restart it: Here's the output of:
[Code]....
how to let iptables to allow dns & dhcp distributions from the server to the clients only w/out exposing the port dhcp port udp 67,68 and tcp port 67,68 as well from the outside world.DHCP only uses udp, but still I also allowed tcp ports as well just to be sure & also I already allow DNS ports in the firewall w/c is not inluded below. linux newbie here,
when i issued the command below to allow those ports only to the internal network the firewall still blocking it. what seems to be the problem?? #iptables -A INPUT -m iprange --src-range 192.168.0.1-192.168.0.254 -p udp --dport 67 -j ACCEPT
[Code]...
I've tried both the firewall interface that comes with Fedora and Firestarter, neither can configure as I want. So I think I'm going to have to do it by hand. In this laptop I have one 10/100 Nic and one wifi connection, at times either of them can be connected to the network. How can I configure IPtables so that any traffic is allowed out, nothing is allowed in (other than std stateful firewall replies), no icmp and that the fw logs any attempts to connect to the laptop?
View 5 Replies View RelatedI need to forward a port to use dtella. I'm using Fedora 10, using iptables for my firewall.
I'm currently trying to forward it from terminal with this command:
Code:
sudo iptables -t nat -A PREROUTING -p udp -i eth0 -d [ip address] --dport 11823 -j DNAT --to 192.168.0.2:80
this is what I get from iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
[Code].....
for quite a while inside of our organization we've been editing /etc/sysconfig/iptables directly without much issues. However it was suggested to us that by doing so we risk losing all those rules whenever some package decides to use lokkit or "system-config-firewal*"Doing a bit of analysis I can't really find any trace of code that would prevent us from maintaining iptables just the way we were (as long as *we* don't use lokkit or system-config-firewall*) since "service iptables save" is a valid technique and uses iptables-save script which is part of iptables package and *not* part of system-config-firewall*
So we've got some evidence that may confirm our usage as valid, however it would be nice to know if indeed this is *not* a recommended way of maintaining iptables and we should reconsider how we approach it.
I'd like to pass all traffic between bridge ports via the FORWARDING chain, so I changed following sysctl parameters:
Code:
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
[code]...
I am trying solve a strange problem which ocurred after upgrading many packages including kernel and iptables.This is a Fedora 10 PC acting as a small home-server I've been using over a year without problems. Recently, I've run a yum upgrade and after that, connections outside home wouldn't work. No changes in IPtables (firewall) rules have been done. But connection through local network is working.Symptom is.I've connected to my second PC at home and connected to the server. It works fine on local network. I restart network services (service network restart) and outside connections could be established.I have disabled iptables and ip6tables and after reboots it works fine. But PC is running without firewall.
View 5 Replies View RelatedCurrently,i use Fedora 10 and get a follow trouble :My network:
route(10.11.10.2/24)----eth0----(10.11.10.105/24)Fedora10(172.16.239.1/24)----vmnet0----(172.16.239.2/24)Virtual Machine XP2.
I used : Vmware 6.5.1,Virtual Machine : Window XP SP2.
[code]...
I Need to know how to block this applications using iptables or ROPE scriptable Method..?..
1.Web navigation
2.Electronic mail
3.FTP transfers
4.Video traffic (multicast video stream and unicast video stream)
5.VoIP service
6.Instant Message (MSN and yahoo messenger�etc)
7.Management service (TR-069 and SNMP)