General :: Properly Portforwarding The External IP With Iptables
Jul 2, 2011
I am trying to forward all the incoming internet/LAN requests on port 80 to my local machine (running Apache). My current iptables rules work (they forward incoming internet traffic to my desktop), but if I try to access it from my local network it won't work. The interface connecting my Ubuntu server to the internet is ppp0 (a dialed DSL connection through my router, which is in bridge mode), which is connected to eth0; eth1 is connected to my internal LAN.
[Code]...
What I was able to gather so far (via logs) is that accessing the external server IP directly from the LAN goes directly to eth1, which is understandable (I think). So what I need now (I guess) is a rule that will forward the LAN traffic on eth1 without interfering with the ppp0 PREROUTING rule (as forwarding all the incoming traffic on eth1 to my local machine will break the internet connection).
I have a log monitoring application that is listening on port 514 to receive events only from certain hosts. In order to control this, I've tried to set up iptables to define those hosts that are allowed to reach this application. Here is an example of the script that contains the commands:
I have some servers behind a server/router/firewall at [URL] that can be accessed using port forwarding. They are working quite well. [URL] gets you to the first server behind the server/router/firewall (the former link above).
I would want to make the server at the latter link accessible with its own domain name, i.e. [URL], without having to add :<port> to the end of [URL], because ":" is disallowed for aliasing in the A and CNAME records at Network Solutions (my DNS?). Is port forwarding the best way to reach these servers behind my firewall? Is it possible to assign them their own domain name? Perhaps some method other than port forwarding should be used?
I want to port forward client connections from an Ubuntu LTS server to another external server. BTW, I am a noob on iptables. I have tried using the basic commands for iptables with no success. For example:
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 7878 -j DNAT --to 91.23.45.67:7878
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 91.23.45.67 --dport 7878 -j ACCEPT
So basically I just want a redirection from one IP to another. Example: a client tries to connect to IP 123.45.67.89 on port 7878 and the server forwards him to IP xx.xx.xx.xx on port 7878, meaning that xx.xx.xx.xx is the actual server with services. The server with IP 123.45.67.89 is only forwarding the client to the external IP... how can this be done in a simple command?
I'm running Ubuntu 10.10 on a Zotac nettop. When I boot up normally, all my external USB drives are recognized and mounted properly in /media.
But when I boot up without Gnome (i.e. there's no monitor attached, so Gnome doesn't start), they don't mount right: I see directories for them inside /media, but normal users don't have access, and root only sees an empty directory.
So far this works perfectly. What I want to do now is to add another rule that only nats the machine in case it is NOT accessing subnet 1.
In other words, when this machine accesses any other machine in subnet 1, it should show up as 10.1.0.10. Whenever it accesses subnet 2 or anything else, it should appear as 172.16.0.10.
I am facing a strange problem with my iptables: there are some firewall entries stored somewhere which keep showing the firewall entries below even after flushing iptables, and when I restart the iptables service the firewall entries are shown again in my iptables, as shown below:
I have an X-Station 25 synth, which has worked fine in the past on Ubuntu. I recently made a fresh install of Xubuntu, and for whatever reason I'm getting no sound coming out when I just select USB audio. If I go into Sound Preferences, I can see the device. I can even select it for sound input. Hell, if I press some keys on the keyboard, I can see some of the squares on the input level go green. Evidently, there IS sound coming in via the USB connection, and Audacity is capable of recording it.
However, the only way of hearing it is by putting headphones directly into the unit and listening to the monitor output signal. The audio coming in, as detected, is not being played from my laptop speakers/headphones. Am I just missing something here, and that's MEANT to be the only way to hear the audio out? In alsamixer, there are no controls for the X-Station, and nothing seems to be muted. I've upgraded the firmware to the most recent version as well.
Is there still a bug in qBittorrent with port forwarding 6881? I forwarded it in my router and ran nmap on localhost, and it shows it's open, yet it is always saying no direct connections at the bottom with that little yellow globe near the nodes.
I've tried iptables save, iptables-save and iptables save active.
"iptables save" and "iptables save active" give me an invalid argument error. "iptables-save" isn't a valid command. "iptables --help" gives me a list of valid switches, none of which have to do with saving.
I have an external hard drive with an XFS partition on it. It was using an external journal, but in re-installing Slackware I removed the partition holding the external journal, forgetting what it was at the time. I didn't touch the contents of the external hard drive, but now I can't mount it, and the various XFS programs seem to demand that it be mounted in order for them to change anything. Anyone have any ideas on how to change an XFS partition from external log to internal? Failing that, how do I get the information off it?
I plugged in my external DVD-R (ASUS) via USB. It showed me some message on the shell that it has detected the CD-ROM (although it's a DVD-ROM as well, but never mind) and that it's from ASUS. But how do I know which dev it was associated with in /dev/? Since I had to test something, I unplugged it and saved the output of ls /dev/ > ~/result.txt
After plugging in the DVD-ROM, I compared the results and was able to find that it was associated with the plain cdrom, i.e. /dev/cdrom. I wanted to know: is there any command that will tell me which /dev/ file was associated with the external DVD-ROM? I tried to see in the following results:
1) df -h (no results, just the already mounted partitions)
2) fdisk -l (same as above)
3) dmesg | tail (showed almost the same result as was shown on the shell at the time of plugging in the DVD)
I am unable to restore my iptables from iptables-save after upgrading Fedora. I cannot get iptables-restore to work, and I have resorted to entering rules manually using the GUI.
I recently installed a new Ubuntu PC that runs iptables and PSAD. I had the same script on another Ubuntu PC, but when I copied the script onto the new PC, I got this error. I don't remember where I found the tutorial for this, all I know is that this is the script (Edited for my usage):
Code:
#!/bin/bash
# Script to check important ports on remote webserver
# Copyright (c) 2009 blogama.org
# This script is licensed under GNU GPL version 2.0 or above
root@NETWORK-SERVER:/var/ddosprotect# ./ipblock.sh ' not found.4.4: host/network `127.0.0.1 Try `iptables -h' or 'iptables --help' for more information. ' not found.4.4: host/network `192.168.1.8
To expand: I'm trying to set up a box with l7-filter, and I need to patch and compile iptables 1.4.1.1 as part of the process. I ./configured it with the prefix= argument so it would install into /sbin instead of /usr/sbin, and I did a yum remove iptables before installing it so as not to get in the way of the original iptables, but I'm wondering if this is really necessary - it's kind of annoying, because removing the original iptables removes the init.d script, deregisters the service, etc. If I don't, is it possible that iptables 1.4.1.1 might get overwritten in a system update or something, or will yum see that I've got a custom/newer version in there and leave it be?
I need to use hostnames in my iptables. When I restart iptables it works fine, but when I am rebooting the Linux server it fails during startup, since the name service is started after iptables. Does anybody have recommendations to get around that? Should I set up a script to run iptables after the server comes back up fully?
I have problems with setting my JAVA_HOME variable. I am using Slackware 12.0, bash shell. I have set JAVA_HOME in my /etc/profile, like this:
But when I login in with my user name and type env on the command line, I get for JAVA_HOME the following:
Also, in my /etc/profile I have put the path to my java in the PATH variable, like this:
And when I type env when I login, then the PATH variable contains correctly the path to the jdk (as I have put it into /etc/profile).
I expect that after I have set everything as I want in /etc/profile and restart the computer, what I have set will be relevant, and when I login and type env, I will get values for the variables equal to those I have set in /etc/profile. Why does it not happen?
I have particularly a problem with a Java application, which I want to run. When I type ant, I get: error: JAVA_HOME is not defined correctly.
Going by a tutorial found here (see below quote).
Quote: Owner match
The owner match extension is used to match packets based on the identity of the process that created them. The owner can be specified as the process ID either of the user who issued the command in question, that of the group, the process, the session, or that of the command itself. This extension was originally written as an example of what iptables could be used for. The owner match only works within the OUTPUT chain, for obvious reasons: It is pretty much impossible to find out any information about the identity of the instance that sent a packet from the other end, or where there is an intermediate hop to the real destination. Even within the OUTPUT chain it is not very reliable, since certain packets may not have an owner. Notorious packets of that sort are (among other things) the different ICMP responses. ICMP responses will never match.
Table 10-24. Owner match options
Match: --cmd-owner
Kernel: 2.3, 2.4, 2.5 and 2.6
Example: iptables -A OUTPUT -m owner --cmd-owner httpd
Explanation:
This is the command owner match, and is used to match based on the command name of the process that is sending the packet. In the example, httpd is matched. This match may also be inverted by using an exclamation sign, for example -m owner ! --cmd-owner ssh.
I tried to add a rule for my torrent client with
Code:
iptables -A OUTPUT -m owner --cmd-owner transmission -j ACCEPT
However, iptables kicks it back with
Code:
iptables v1.4.4: unknown option `--cmd-owner'
Try `iptables -h' or 'iptables --help' for more information.
The match isn't even referenced in the iptables man page on my system. Am I missing something?
I am trying to do a NAT forward in iptables but get the following error:
Quote:
[root@server88-xxx-xxx-198 openvpn]# iptables -t nat -I POSTROUTING -i tun0 -o e
iptables v1.3.5: Can't use -i with POSTROUTING
Any ideas on what to do? I have an OpenVPN server running and I need the client to use the ports on the OpenVPN server.
(Using Archlinux) I downloaded Ruby 1.8.7-174 a while ago and installed it via the tarball (not pacman). I was trying to update to 1.8.7-299, but I can't get it to work. Per the readme, I do the following steps, all of which complete without error:
./configure
make
make install
After install finishes however, I still have -174 installed instead of -299.
There are different methods for securing based on home versus professional computers. My question generally pertains to securing home desktops, but professional protection is definitely welcome :) Knowledge is power. Ever since moving to the wonderful world of Linux a couple of years ago, I never even really thought about security, seeing as most low-life scum make viruses for Windows machines, since they're more abundant. But how do I know if I'm safe/secure from anyone who wants to get at me or my stuff? I know that anyone who is determined enough to get in will, there's no question about that. But what steps can I take to ensure I'm protected from things like rogue root shells and automatic attacks? Also, is there a sort of built-in firewall/antivirus in most Linux distros?
I know this question is quite broad, seeing as there are tons of ways someone could compromise your system, but maybe you could share what you did to make sure you were safe. I decided to not allow root login via SSH and to change the port it listens on to something random. Hopefully this is a step in the right direction. Currently looking at iptables and shutting down services.
I'm trying to use zenity and at to make a little reminder script. The problem is that while zenity --info works fine from bash (or sh), running echo "zenity --info" | at now + 1 min does nothing. The job shows up in my atq and then runs, but no zenity pop-up. What's going on?