Fedora Security :: Iptables Non-standard Broken?

Jan 28, 2010

I found a behavior of iptables on FC12 to be different and suspect it's broken somehow. Here is what I did

# iptables -F
# iptables -A INPUT -s 127.0.0.1 -p tcp --dport 22 -j ACCEPT

I don't have a shell on FC12 with me to show the output of iptables -L -n but it looks good after above 2 commands. However, after issuing the following third command iptables -L -n gives "wrong" result

# iptables -R INPUT 1 -s 127.0.0.1 -p tcp --dport 22 -j ACCEPT

Namely iptables -L -n gives extra "/0" after 127.0.0.1 in the output I have checked on Ubuntu 9.10 and centos 5.4 and they don't give extra "/0"; iptables is not supposed to do that. Of course, I didn't invent these examples but they are abstracted from actual real life scenerio of trying to build rules on our servers.

View 3 Replies


ADVERTISEMENT

Security :: IPtables And FTP When Server Listening On Non-Standard Port?

Nov 9, 2009

I'm using iptables with modules ip_contrack_ftp to be able to use passive ftp. It works well as long as port 21 is being used as listening port. Is there any way to make it work when I configure my ftp server (vsftpd) to listen on an alternative port, lets say 21001 or something? The helper module only seems to be working properly with the standard port, so I was wondering whether there was a way to "tell it" that another port is being used? I mean, of course I make a rule in fw to allow traffic to the alternative port.

But once it's time to start passive connection, then the iptable module cannot handle it properly. I could solve the problem by making a range of passive ports in the ftp-server configuration and allow the incoming traffic to them, but then using helper modules doesn't make any sense. I just want to allow the traffic to the listening port and then want the ip_contrack_ftp module to take care of the rest. This is what I do today - but only port 21 seems to be working. Is there a way to do this with a non-standard ftp port?

View 5 Replies View Related

Ubuntu Security :: Cmd-owner Option In Iptables - Broken With SMP

Apr 26, 2011

The --cmd-owner option was removed in kernel 2.6.14 because was broken with SMP. Is any way to filtering by process name?

View 1 Replies View Related

Fedora :: Error - Courier-imap Standard Output: Broken Pipe

Jul 22, 2010

I'm following the "The Perfect Server - Fedora12 x86_64 [ISPConfig 3]" instructions and I am encountering an error when trying to build the rpm for courier-imap (from page 4 of the HOWTO).

The command I run is:

Code:

rpmbuild -ta courier-imap-4.6.0.tar.bz2

The error is below:

Code:

INFO: LOGIN, user=confmdtest, ip=[127.0.0.1], port=[0], protocol=SMAP1
INFO: LOGOUT, user=confmdtest, ip=[127.0.0.1], headers=0, body=0, rcvd=26, sent=610, time=0
sort: fflush failed: standard output: Broken pipe

[code]....

RPM build errors: Bad exit status from /var/tmp/rpm-tmp.85697 (%build)

View 3 Replies View Related

Fedora Security :: Allow DNS In Iptables

Feb 1, 2009

I have been struggling with this for a very long time now. I have installed Fedora Core 9 on my computer. I have set it up as a caching-nameserver and this is working.

Then I wanted to secure my server with iptables, and I have so far made this script:

# Load the connection tracker kernel module
modprobe ip_conntrack
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP

[Code]....

I can reach the dns server with ping. When trying Nslookup it says that it got SERVFAIL from 127.0.0.1 trying next server, and then it times out.

My resolv.conf file lists:

nameserver 127.0.0.1
nameserver DNS-server

View 13 Replies View Related

Fedora Security :: Can't Get FTP Through Iptables

Dec 14, 2009

Im pulling my hair out trying to get ftp to work through iptables.Im using vsftpd

Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

[code].....

View 3 Replies View Related

Fedora Security :: Iptables - Block Everything From Getting In My Pc

Mar 17, 2009

What i wanted to do was block everything from getting in my pc but still be able to surf the web and still use instant messenger.

View 2 Replies View Related

Fedora Security :: How Iptables Knows At What Interfaces To Use Rules

May 3, 2009

When I use system-config-firewall, it asks what interfaces to trust. Where does it store that information for iptables (or whatever uses that info)? How iptables knows at what interfaces to use the rules?There is not that kind of information in /etc/sysconf/iptables and iptables-config.

View 2 Replies View Related

Fedora Security :: Iptables Allowing Specific Ip's?

Dec 8, 2009

i've got a few questions about iptables. i know how to set up ip tables to only allow from an ip address or a subnetting ip addresses. question is how do i allow from 2 different networks? would i need to create 2 lines of entry in iptables to the same port? e: allow 10.168.1.1 and 196.168.1.1 on port 22 is there a way to put all that in 1 line or would i need to create to rules for the port? i know i can use the ssh allow or deny but i'd like to stop access even before it gets to the ssh. stop it at the source kinda thing.

View 4 Replies View Related

Fedora Security :: Iptables File Syntax?

Dec 19, 2009

Wondering if anyone knows what the range specification is meant to do for the colonHAIN at the top of the iptables file? e.g. what is the 1:76 range mean for :OUTPUT ACCEPT [1:76] ?

# Generated by iptables-save v1.4.1.1 on Sat Dec 19 12:28:00 2009
*filter
:INPUT ACCEPT [0:0]

[code]...

View 2 Replies View Related

Fedora Security :: Iptables To Deny All Except Localhost?

May 15, 2011

i was hoping that someone in here could possibly help me out with my iptables rule set. First here is what i would like iptables to do, i want iptables to deny all packets or traffic from the outside coming in and for output allow the things i need like web and irc etc... Also, i would like iptables to deny access to all services like sendmail and ssh except i would like localhost to have access to everything. What i mean by localhost is that when i run my iptables script it loads fine except when i try ssh from localhost i get this output:ssh -l user localhostssh_exchange_identification: Connection closed by remote hostI know what most of you are thinking, why do i need to ssh into localhost from localhost just open another terminal, well i am getting myself familiar with iptables i want all services logged and blocked but not from localhost. I cant seem to figure out this problem and i have tried several different things. Here is my iptables script, I am hoping that someone out there can tell me what i am doing wrong...

#!/bin/bash
iptables -v -F;
iptables -v -A INPUT -i lo -j ACCEPT;

[code]....

View 5 Replies View Related

Fedora Security :: Iptables Don't Suffices And Need A Cisco Product

Feb 10, 2010

i am learning security and firewalling. i want to know . where a linux firewall is sufficeint and where it is not sufficeint? if you can explain why or give a reference i will be glad. is that security or traffic handling problem? when i should select a cisco product? in tarms of traffic and sceutiry. do you have any good alternative recomendation to Cisco

View 1 Replies View Related

Fedora Security :: Add A Rule In Iptables On Squid Server?

Mar 4, 2011

I am using squid on my fedora box as a proxy server.By default the iptables (Firewall) service is on.To allow web pages to my client machines i stop the iptable service.

#service iptables stop

By doing it client computers start browsing.kindly how can I add a rule so that without stoping firewall client compter work fine.my perver IP address is 10.1.80.10

View 3 Replies View Related

Fedora Security :: SELinux Has Broken Bugzilla

Jul 19, 2010

I have recently upgraded from FC12 to FC13, and last week I updated all packages using YUM. The system is running as a VM inside CentOS 5.5 using KVM. SELinux is enforcing, using the targeted policy. Bugzilla is version 3.6.1 and was NOT installed using RPM or YUM.

Bugzilla was working OK on this machine until SELinux was upgraded last week from 3.7.19-28 to 3.7.19-33, and is still broken after testing 3.7.19-37 from the testing repo. With SELinux in enforcing mode, apache returns error 500 when I browse to the main bugzilla page. The apache error log shows this:-

Code:
[Mon Jul 19 13:15:08 2010] [error] [client 192.168.40.1] (13)Permission denied: exec of '/var/www/html/bugzilla/index.cgi' failed
Nothing, and I mean absolutely nothing, is recorded in /var/log/audit/audit.log, /var/log/messages or /var/log/secure.

[Code]....

View 5 Replies View Related

Fedora Security :: Iptables Masquerade, Can Ping But No Http Access?

Dec 13, 2009

I've got two routers, 10.0.0.0/23 and 192.168.2.0/24, which are joined by a Linux box with interfaces eth0 (10.0.0.2) and ra0 (192.168.2.2). I've got masquerading for ra0, and a route to 192.168.2.0/24 on 10.0.0.0's router. I CAN ping hosts on 192.168.2.0 from 10.0.0.0 just fine, but I CANNOT access web pages.Strangely, If I enable masquerading on eth0, and add a route to 192.168.2.0s router to 10.0.0.0, I can ping AND access web pages from 192.168.2.0Here is my current iptables

Code:
*filter
:INPUT ACCEPT [0:0]

[code]...

View 14 Replies View Related

Fedora :: Yum Dependency Checking Broken By Security Update?

Jun 22, 2011

The problem is that yum is refusing to install gcc on a new SL6 install. As far as I can make out, a security update that I applied prior to my attempt to install gcc has caused problems. I did a new SL6 install (x86_86) a couple of weeks ago. This was a minimal installation, and I didn't install any dev tools, as I intended to install them later from yum. Since then, I've done very little; I installed a few packages (samba, xemacs, etc), and I let the system update itself. The update installed 'kernel', and updated 'kernel-firmware' [URL]. I now need to install the dev tools (g++, and so on), but I can't. I've tried this from gpk-application, and directly from yum. The complete yum output is below, but the basic error is:

> Error: Package: glibc-2.12-1.7.el6.i686 (sl)
> Requires: glibc-common = 2.12-1.7.el6
> Installed: glibc-common-2.12-1.7.el6_0.5.x86_64 (@sl-security)

[code]....

View 4 Replies View Related

Security :: Iptables 1.4.1 Mac Module Doesn't Work (error Message) - Fedora Core 8

Nov 25, 2010

I use iptables firewall (v1.4.1) installed on FC8. I'm trying to limit the inflow traffic for the port 1723 to certain MAC addresses. To experiment with the mac option, I've written the following iptables rule:

Quote:

iptables -A INPUT -m -mac --mac-source 10:08:08:08:08:10 -j ACCEPT

It didn't work. It gave me this error message:

Quote:

iptables v1.4.1: Couldn't load match `-mac':/usr/local/libexec/xtables/libipt_-mac.so: cannot open shared object file: No such file or directory

Try `iptables -h' or 'iptables --help' for more information. Does that mean the mac module wasn't installed/enabled?

View 4 Replies View Related

Fedora Security :: FC11 Is Set By Default To Reset The IPTables Firewall To ACCEPT Across The Board Each Restart?

Jul 16, 2009

How come FC11 is set by default to reset the IPTables firewall to ACCEPT across the board each restart?

View 4 Replies View Related

Security :: Does Samba ACL Take Precedence Over Standard Unix Permissions?

Apr 9, 2010

I have a folder in a Samba shared drive which I've done the following with (in Unix):

1. Changed owner to Administrator.
2. Changed group owner to Domain Users.
3. Granted 700 (drwx------) permissions
4. Connected to Windows server via remote desktop
5. Mapped the Samba network drive as administrator
6. Right clicked on the folder > properties > security tab > advanced, and added one person (let's call him Joe) who has rwx access on that folder and everything in it. (along with administrator)
7. Went back to check Unix permissions on the folder and found that they had changed from drwx to drwxrwx+. Same goes for everything inside it.
8. Checked the ACL.

View 1 Replies View Related

General :: Security Dangers Of Executing Malignant Code As A Standard User?

Jan 28, 2011

Slipping some (non-root) user a piece of malignant code that he or she executes might be considered as one of the highest security breaches possible. (The only higher I can see is actually accessing the root user) What can an attacker effectively do when he/she gets a standard, (let's say a normal Ubuntu user) to execute code? Where would an attacker go from there? What would that piece of code do?

Let's say that the user is not stupid enough to be lured into entering the root/sudo password into a form/program she doesn't know. Only software from trusted sources is installed. The way I see it there is not really much one could do, is there?

Addition: I partially ask this because I am thinking of granting some people shell (non-root) access to my server. They should be able to have normal access to programs. I want them to be able to compile programs with gcc. So there will definitely be arbitrary code run in user-space...

View 2 Replies View Related

Fedora Servers :: Unable To Restore My Iptables From Iptables-save After Upgrading

Nov 26, 2010

I am unable to restore my iptables from iptables-save after upgrading Fedora. I cannot get iptables-restore to work, and I have resorted to entering rules manually using the GUI.

View 2 Replies View Related

Fedora :: IPtables Creates An Error During Startup - Applying Firewall Rules: Iptables-restore: Line 21 Failed

Jul 17, 2010

IPtables creates an error during startup as well as when I try to restart it: Here's the output of:

[Code]....

View 11 Replies View Related

Security :: Can't Zero Out Counters In Iptables

Feb 25, 2010

I have a problem with iptables, when I execute

[code]....

View 5 Replies View Related

Security :: Configure IPtables To Only Allow VNC Over SSH

Apr 4, 2010

I am trying to figure out how I can configure IPtables to only allow VNC traffic to an internal server over SSH.

My configuration is WAN < --- > Gateway (Ubuntu 9.10 Server) < --- > Internal Server (that I want to control with VNC over SSH)

View 12 Replies View Related

Security :: How To Keep Safe PC Using Iptables

Dec 5, 2010

I am using Fedora on my desktop pc. I want to know how can i protact my PC from outside world. What firewall policy should i implement in iptables to keep it more secure.

View 5 Replies View Related

Security :: Incorporate Into Iptables

Jan 5, 2010

I'm following an openvpn installtion how to and it says to add this to the iptables:

Quote:
# External Interface for VPN
# VPN Interface
VPNIF="tun0"
VPNNET="172.16.0.0/24"
VPNIP="172.16.0.1"
### OpenVPN
[Code]....

Any thoughts as the whole formatting is separate and has the addition of FORWARD rules, etc. I need the VPN running on the .199 address

View 16 Replies View Related

Security :: Iptables :everything Works Except Ftp

Jun 3, 2010

i set up a dmz to have a internet web server and ftp server, and ssh only from local network, so i wrote a iptables script to load during boot :

[Code]...

The problem is that everything works fine ( i have the same rules for other services such as samba, nfs, mysql on another server) BUT ftp there is no way to make it work. not even locally.when i try to connect, i log in, but while listing the directory i get MLSD ... and it hangs like this for a moment, then i get error message "connection time out" , "impossible to list directory". if i turn off the iptables script no problem,ftp works fine.. but why all services work and ftp no?

how do i have to modify the rules? what is strange also is that if i set as OUTPUT policy "accept", the server seems to be offline."host unknown" error message. I was thinking the rule INPUT is fine cause at least i can login, but the dir list is not going out, so gotta modify output rules. or state?

View 7 Replies View Related

Security :: IPTables - How To Set Default Allow

Mar 19, 2010

I've started a new job and have inherited a couple of RHEL4 64-bit servers. The firewall on them is currently disabled. I'm struggling to get them up and running as iptables is not the most user-friendly application. This lead me to downloading and trying a GUI front-end: Guarddog. Great app! But it doesn't have the default behavior I'm looking for. Here is what I need:

Default behavior: Firewall should be wide open, allowing ALL ports/IP's/TCP/UDP in and out of the server.
Blacklist: Oracle TCP port 1521 needs to be blocked in/out of the server.

This will help get us passed our company's security vulnerability scan. (We aren't able to patch/upgrade Oracle at this time because we'd lose vedor support with a legacy app). I will use these settings as a starting point, and then once I learn more and get more comfortable with iptables (or a GUI app) then I can fine tune things to make them more secure. As far as I know (correct me if I'm wrong) once I get a script I just copy it into /etc/rc.firewall and it will load when iptables starts.

View 14 Replies View Related

Security :: Iptables To Block Ip From Ftp?

Mar 6, 2010

Is this how I would do that?

iptables -A INPUT -p tcp --destination-port 21 -d ! 168.192.1.2 -j DROP

This should block all incoming connections on port 21 from 192.168.1.2, correct? Thus preventing that IP from logging into my FTP.

View 1 Replies View Related

Ubuntu Security :: How To Reset The Iptables

Jan 14, 2010

i ran this

Code:

iptables -N rate-limit
iptables -A rate-limit -p tcp -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j RETURN
iptables -A rate-limit -j DROP
iptables -I INPUT 1 -p tcp --dport 22 -j rate-limit

i am no longer able to ssh in to the machine , how can i reset iptables and firestarted back to default?

View 3 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved