Fedora Security :: Iptables Masquerade, Can Ping But No Http Access?
Dec 13, 2009
I've got two routers, 10.0.0.0/23 and 192.168.2.0/24, which are joined by a Linux box with interfaces eth0 (10.0.0.2) and ra0 (192.168.2.2). I've got masquerading for ra0, and a route to 192.168.2.0/24 on 10.0.0.0's router. I CAN ping hosts on 192.168.2.0 from 10.0.0.0 just fine, but I CANNOT access web pages.Strangely, If I enable masquerading on eth0, and add a route to 192.168.2.0s router to 10.0.0.0, I can ping AND access web pages from 192.168.2.0Here is my current iptables
Code:
*filter
:INPUT ACCEPT [0:0]
[code]...
View 14 Replies
ADVERTISEMENT
Nov 26, 2010
The iptables has every rule set correctly, the users in the subnet works great, but I have the following issue.every user connect to a mysql running on the internet through the port 3306, the forward and masquerade do the job. Now I have a user in the outside, and he wants to connect to a mysql in a certain machine (Not the gateway), prerouting rules solve my problems, but all the packages from the inside users goes now to that certain machine. I would like something like if the package passed trough masquerade don't pass trough the prerouting rule, and if it come from the outside (Not a package that come from a petition from the inside) pass trough the prerouting rule.
View 6 Replies
View Related
Jun 1, 2011
i have set firewall for centos of 192.168.1.21 server like this.
it has a gateway of 192.168.1.2
iptables -P INPUT DROP
iptables -A INPUT --in-interface lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EB:91:00:01 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 80 -m mac --mac-source 00:0F:EB:91:00:01 -j ACCEPT
the mac source is my laptop's mac address. But when i try to ping from my laptop of 192.168.0.2 (my gateway is 192.168.0.1 but share the same server that has 3 network gateway including gateway for the centos)it failed. what i should do to enable this ping.i also cannot connect to the centos server unless i change my ip to 192.168.1.x and same gateway as centos.can someone suggest what should i modify my firewall to enable connection to centos server from my 192.168.0.2 laptop? is that related to nat and forward chain in firewall of centos?
View 2 Replies
View Related
Apr 5, 2011
Can I, with only the use of IPTABLES, limit the incoming bandwith for a protocol? We have for example servers that have a FTP and HTTP server running and whenever HTTP has a lot of connections open, the other uploads/downloads get a timeout. I know I can limit the number of connections but prefer to limit on protocol level. Is this possible using IPTABLES and if so, can someone indicate how to proceed or provide a link? If it's not possible can someone point me to the right tool for the job?
View 6 Replies
View Related
May 29, 2011
If I add a rule to iptables:
Code:
iptables -t nat -A POSTROUTING -o eth4 -j MASQUERADE
it does not get removed when I try to clear all the rules:
[code]...
View 4 Replies
View Related
Mar 31, 2010
Basically, I have a windows 2003 server virtual machine (vmware) inside Ubuntu 9.10.
The Ubuntu machine has IFconfig:
Code: sam@sam-laptop:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:15:c5:b8:c8:8b
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:17
Why can't I ping or simply access the internal server on my ubuntu machine from a another computer on the 192.168.1.0 (slash)25 physical network? Do I need a bridge? Iptables?
View 4 Replies
View Related
Aug 30, 2010
My company web access is behind proxy(http://abc.proxy). Network admin can get to check who is top10 user and web they access. I owned a centos server. I have a thought that create an encrypted tunnel within proxy so the admin cant detect my http address. This is how it going to works
client with OpenVPN -> OpenVPN server(centos with company proxy)-> proxy -> internet
My connectivity in my client are using OpenVPN server as bridge. Hence, no record for client is recorded in my Network admin monitoring list. OpenVPN server's activity can be traced by network monitoring tools, just assume that our ultimate goal is to hide client activity.
View 2 Replies
View Related
Mar 12, 2010
To get my Thunderbird email to work and to do FTP to my website I have to use TERMINAL and enter the following code in Root;
iptables -F
At one point weeks ago I got Gufw and I don't remember if that had any effect.
View 2 Replies
View Related
Nov 26, 2010
Currently,i use Fedora 10 and get a follow trouble :My network:
route(10.11.10.2/24)----eth0----(10.11.10.105/24)Fedora10(172.16.239.1/24)----vmnet0----(172.16.239.2/24)Virtual Machine XP2.
I used : Vmware 6.5.1,Virtual Machine : Window XP SP2.
[code]...
View 1 Replies
View Related
Feb 6, 2010
I am trying to configure my Linux router to restrict Internet access for one computer on my LAN. It needs to be restrictive based on the time of day and the days of the week. I am using the MAC address of the computer to single out the one computer that needs to be blocked. However, this is my first attempt at making any rules with iptables, and I am not sure if I am doing this right. If some one can take a look at this I would greatly appreciate it. This is what I have done so far.
Here is my thinking. Create a new target. Check the MAC address, if it is NOT the offending computer return to the default chain. If it is the offending computer check that we are between the allowed hours and dates and ACCEPT. If we are not within the time/date range then drop the packet.
Code:
Here I am trying to route all packets regardless of the computer on the LAN into the blocked_access chain for checking.
Code:
Is it a good idea to route all traffic through the blocked_access chain? I do run other servers that are accessible from the Internet, so I am not sure how this setup will affect that. I also use shorewall on the router to setup iptables for me. How would I integrate this with shorewall?
I am using squid to block access when he is using the web browser. However, he is still able to play games(World of Warcraft) and the like.
I am using Debian sid, iptable(1.4.6), shorewall(4.4.6), kernel 2.6.32-trunk-686.
View 7 Replies
View Related
Dec 23, 2010
I'm trying to limit access to port 8443 on our server to 2 specific IP addresses. For some reason, access is still being allowed even though I drop all packets that aren't from the named IP addresses. The default policy is ACCEPT on the INPUT chain and this is how we want to keep it for various reasons I wont get into here. Here's the output from iptables -vnL
[Code]...
Note the actual IP we are using is masked here with 123.123.123.123. Until I can get everything working properly, we're only allowing access from 1 IP instead of 2. We can add the other one once it all works right. I haven't worked with iptables very much. So I'm quite confused about why packets matching the DROP criteria are still being allowed.
View 10 Replies
View Related
Jun 6, 2011
I'm trying to open port 8080 on my application server. I've included it in my iptables; however I still cannot access through ssh nor putty and it doesn't show up when I netstat either.Here is my iptables-config:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -s xxx.xx.x.0/24 -j ACCEPT
[code].....
View 7 Replies
View Related
Feb 6, 2010
My problem is the following:I can only connect to the internet and download through the FTP, but not through HTTP.I am in a hospital at this moment and have a netbook (Lemote Yeelong). Also there is a computer here with internet access.I would like to access the internet by using the cable from the computer.I configured my netbook just like the local computer (same host name, same MAC address, DHCP), just to be sure.I can ping google.com and I also can download from ftp.debian.org though ftp.However, when I try to connect to google.com through epiphany, it just loads and loads without success
View 4 Replies
View Related
Apr 20, 2009
I need to install a program by using the address http://255.255.255.255. However, when I type this address in my browser, I get the following error: "Failed to connect. Firefox can't establish a connection to the server at 255.255.255.255. Though the site seems valid, the browser was unable to establish a connection." Is there an easy way to put this site into the air?
View 3 Replies
View Related
Nov 18, 2010
Rather new to Ubuntu. I was wondering for advice on a basic iptables configuration blocking all incoming/forward and just allowing outgoing to http(s) and dns of course.
View 5 Replies
View Related
Feb 18, 2010
Firewall disabled.Static IP addys given to each laptop, but makes no diff when dhcp derived IP addys.using wlan Cannot ping either laptop from a windows box, bit windows box pings other computers.Can access internet from either laptop and Samba works too.I can ping one laptop if I plug the LAN wire into it. In fact I can ping either the wlan IP addy or the LAN addy this way. WHen I remove the Lan wire I can still ping the wlan on the laptop, but restarting screws it all up again.I see that iptables and other files change when I plug the LAN cvable in and then remove it again.
View 1 Replies
View Related
Feb 1, 2009
I have been struggling with this for a very long time now. I have installed Fedora Core 9 on my computer. I have set it up as a caching-nameserver and this is working.
Then I wanted to secure my server with iptables, and I have so far made this script:
# Load the connection tracker kernel module
modprobe ip_conntrack
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
[Code]....
I can reach the dns server with ping. When trying Nslookup it says that it got SERVFAIL from 127.0.0.1 trying next server, and then it times out.
My resolv.conf file lists:
nameserver 127.0.0.1
nameserver DNS-server
View 13 Replies
View Related
Dec 14, 2009
Im pulling my hair out trying to get ftp to work through iptables.Im using vsftpd
Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
[code].....
View 3 Replies
View Related
Jan 23, 2011
Is there any tools in linux same as "http-ping. This tool shows for any request :
1-The HTTP return code (and its brief textual description)
2-The number of bytes returned by the server (excluding headers)
3-The time taken to complete the request (i.e. round-trip time)
View 5 Replies
View Related
Dec 21, 2010
Some time yesterday, I lost the ability to ssh my remote server, or even visit any webpages it hosts.
I've explored hosts.deny, /var/log/secure and even turned iptables off to see if it would fix anything. To no avail. Here's what my ssh login attempt looks like:
Quote:
localhost ~ $ ssh -vv x.x.x.x
OpenSSH_5.2p1, OpenSSL 0.9.8l 5 Nov 2009
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
[Code]....
View 5 Replies
View Related
Jan 14, 2009
I am trying to setup my webserver and I am trying to make a website to run under suexec but somehow I cannot start my apache it directly fails and SELinux is giving me errors and don't really know what to do with it, it is giving me some command to type but not sure if this will make my server less secure. The SELinux error is as follow:
Code:
Summary:
SELinux prevented httpd reading and writing access to http files.
Detailed Description:
SELinux prevented httpd reading and writing access to http files. Ordinarily httpd is allowed full access to all files labeled with http file context. This machine has a tightened security policy with the httpd_unified turned off, this requires explicit labeling of all files. If a file is a cgi script it needs to be labeled with httpd_TYPE_script_exec_t in order to be executed. If it is read-only content, it needs to be labeled httpd_TYPE_content_t, it is writable content. it needs to be labeled httpd_TYPE_script_rw_t or httpd_TYPE_script_ra_t. You can use the chcon command to change these contexts. Please refer to the man page "man httpd_selinux" or FAQ [URL] "TYPE" refers to one of "sys", "user" or "staff" or potentially other script types.
Allowing Access:
Changing the "httpd_unified" boolean to true will allow this access: "setsebool
-P httpd_unified=1"
Fix Command:
setsebool -P httpd_unified=1
I will write down how I did setup my server so maybe you can see a mistake I did. First I changed my Apache httpd.conf I added the following to it:
Code:
NameVirtualHost 192.168.1.2:80
<VirtualHost 192.168.1.2:80>
ServerName localhost
DocumentRoot /var/www/html
DirectoryIndex index.html index.html index.shtml index.php
</VirtualHost>
<VirtualHost 192.168.1.2:80>
SuexecUserGroup ulyaoth ulyaoth
ServerAdmin webmaster@ulyaoth.org
ServerName test.ulyaoth.org
DocumentRoot /var/www/ulyaoth/www/html
ErrorLog /var/www/ulyaoth/logs/error_log
CustomLog /var/www/ulyaoth/logs/access_log common
DirectoryIndex index.html index.htm index.shtml index.php
ScriptAlias /cgi-bin/ /var/www/ulyaoth/www/cgi-bin/
<Directory /var/www/ulyaoth/www/cgi-bin/>
AllowOverride none
Order allow,deny
Allow from all
Options +execCGI
AddHandler cgi-script .cgi .pl
</Directory>
</VirtualHost>
Then I created the username "ulyaoth" with the group "ulyaoth" as I specified with my suexec, then I created all the directories as specified in my httpd.conf and "chown ulyaoth:ulyaoth (dirname)" them to the right group and username.
View 10 Replies
View Related
Jun 15, 2010
How can I block all ports except
ssh (port 22)
httpd (port 80)
using iptables and iphains?
View 1 Replies
View Related
Aug 11, 2011
I am trying to configure iptables for only HTTP and HTTPS traffic. I start by blocking all traffic, which works, via:
Code:
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
I then try to allow HTTP and HTTPS on eth0 with these commands, which does not work:
Code:
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
Code:
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT After these commands I should be able to access the internet. Does anyone know why this is not working?
View 4 Replies
View Related
Mar 17, 2009
What i wanted to do was block everything from getting in my pc but still be able to surf the web and still use instant messenger.
View 2 Replies
View Related
May 3, 2009
When I use system-config-firewall, it asks what interfaces to trust. Where does it store that information for iptables (or whatever uses that info)? How iptables knows at what interfaces to use the rules?There is not that kind of information in /etc/sysconf/iptables and iptables-config.
View 2 Replies
View Related
Dec 8, 2009
i've got a few questions about iptables. i know how to set up ip tables to only allow from an ip address or a subnetting ip addresses. question is how do i allow from 2 different networks? would i need to create 2 lines of entry in iptables to the same port? e: allow 10.168.1.1 and 196.168.1.1 on port 22 is there a way to put all that in 1 line or would i need to create to rules for the port? i know i can use the ssh allow or deny but i'd like to stop access even before it gets to the ssh. stop it at the source kinda thing.
View 4 Replies
View Related
Dec 19, 2009
Wondering if anyone knows what the range specification is meant to do for the colonHAIN at the top of the iptables file? e.g. what is the 1:76 range mean for :OUTPUT ACCEPT [1:76] ?
# Generated by iptables-save v1.4.1.1 on Sat Dec 19 12:28:00 2009
*filter
:INPUT ACCEPT [0:0]
[code]...
View 2 Replies
View Related
Jan 28, 2010
I found a behavior of iptables on FC12 to be different and suspect it's broken somehow. Here is what I did
# iptables -F
# iptables -A INPUT -s 127.0.0.1 -p tcp --dport 22 -j ACCEPT
I don't have a shell on FC12 with me to show the output of iptables -L -n but it looks good after above 2 commands. However, after issuing the following third command iptables -L -n gives "wrong" result
# iptables -R INPUT 1 -s 127.0.0.1 -p tcp --dport 22 -j ACCEPT
Namely iptables -L -n gives extra "/0" after 127.0.0.1 in the output I have checked on Ubuntu 9.10 and centos 5.4 and they don't give extra "/0"; iptables is not supposed to do that. Of course, I didn't invent these examples but they are abstracted from actual real life scenerio of trying to build rules on our servers.
View 3 Replies
View Related
May 15, 2011
i was hoping that someone in here could possibly help me out with my iptables rule set. First here is what i would like iptables to do, i want iptables to deny all packets or traffic from the outside coming in and for output allow the things i need like web and irc etc... Also, i would like iptables to deny access to all services like sendmail and ssh except i would like localhost to have access to everything. What i mean by localhost is that when i run my iptables script it loads fine except when i try ssh from localhost i get this output:ssh -l user localhostssh_exchange_identification: Connection closed by remote hostI know what most of you are thinking, why do i need to ssh into localhost from localhost just open another terminal, well i am getting myself familiar with iptables i want all services logged and blocked but not from localhost. I cant seem to figure out this problem and i have tried several different things. Here is my iptables script, I am hoping that someone out there can tell me what i am doing wrong...
#!/bin/bash
iptables -v -F;
iptables -v -A INPUT -i lo -j ACCEPT;
[code]....
View 5 Replies
View Related
Feb 10, 2010
i am learning security and firewalling. i want to know . where a linux firewall is sufficeint and where it is not sufficeint? if you can explain why or give a reference i will be glad. is that security or traffic handling problem? when i should select a cisco product? in tarms of traffic and sceutiry. do you have any good alternative recomendation to Cisco
View 1 Replies
View Related
