General :: When the iptables Rule Above Is Applied, the Mails Get Rejected?
Mar 22, 2011
I have configured a sendmail MTA for incoming mails in a network, and by using iptables I have redirected the traffic internally to another port where one more SMTP server run by an application is listening. iptables rules:

iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 25 -j REDIRECT --to-port 25000

My sendmail config is as below.
Question (and Google results aren't making this clear): Ubuntu has both iptables and ip6tables installed. 1. If I set a rule in iptables, does that rule also apply to IPv6, or just IPv4?
2. If "no" to above, then it would be prudent to *also* set ip6tables rules as well if I want to maintain an active firewall, correct?
3. Do ip6tables rules have the same syntax and behavior (more or less) as iptables rules, i.e. can I just copy my iptables rules and change "iptables" to "ip6tables"?
4. Any gotchas or issues that I should be aware of?
Do I have to create a rule for:

Code:
$IPT -A fwalert -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW $RLIMIT -j LOG $LOGLIMIT --log-tcp-options --log-level 4 --log-prefix

to drop rather than log, if my table has a default policy of drop with:

Code:
$IPT -t fwalert -P DROP
I'm new in the Linux world. I would like to know how I can add the RTP protocol to my iptables rules for the Netfilter firewall, but without installing the Asterisk server.
Unsure about iptables lingo, so excuse me for not looking this up: I have a server, running iptables, that I do not want to allow any type of outgoing traffic to 192.168.1.21.
I guess this is the right place to put questions about iptables, so forgive me if it is not. I have a MySQL database which I need to allow connections to from: 1 - the internal network; 2 - the web server (Apache) connections; 3 - a user who is outside this network in a range of dynamic IPs. Let's suppose the IP range for this user is 179.4.247.0-179.4.247.254 and the server where MySQL and Apache are is 60.22.30.232. This user will use the Windows MySQL client tool to make connections to this database.
So I think these rules below allow connections from the internal network and Apache:

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
I'm looking for a way to add a rule that would whitelist my IP address when I log in with SSH. I can grab the IP out of the SSH_CONNECTION variable; however, I'm not sure how I could add it into iptables with my non-root privileged user. I've got root access, but I want the process to be automatic. I considered sudo; however, I don't want normal users to be able to modify anything about iptables, though perhaps there is a trick about it that I don't know which would only allow it in /etc/profile or the like.
I am using Squid on my Fedora box as a proxy server. By default the iptables (firewall) service is on. To allow web pages to my client machines I stop the iptables service:

#service iptables stop

By doing this, client computers start browsing. Kindly, how can I add a rule so that client computers work fine without stopping the firewall? My server IP address is 10.1.80.10.
This isn't exactly of critical importance, but is there any way to block two entirely different addresses in one rule, rather than writing individual rules for each of them? For example, if the addresses were 1.1.1.1 and 8.8.8.8, and I only wanted to block these two.
Or alternatively, if I wanted to block two subnets, say 1.1.1.0/24 and 8.8.8.0/24? Can this be done in one rule?
My iptables policy is DROP. My server ports are open just for httpd and ssh. Is there any rule which can allow all connections from a specific program? For example, I want to scan an IP address's ports. As you know, nmap connects to every known port to see if it is open or not, so if I want to allow nmap to connect, I need to include all ports for that, or I can allow connections from localhost to the outside on all ports. My server is very secure. I don't want other programs (probably a backdoor) to use those ports to connect outside. I want to know whether there is any ability in iptables to rule connections by the name of the program, like "Allow any connection from /usr/bin/nmap to everywhere"?
I am new to iptables. The setup tool on a VPS doesn't work. So, I am learning to insert rules. I have inserted so many and some of them show as duplicates now.
1- I want to know how to remove the duplicates. Is there a file that these rules are stored in, so I can go in and easily edit it?
2- Is there any other utility that handles the firewall in Linux that I am unaware of? Or is iptables the ultimate door guard? This is a plain install of CentOS.
3- Since I believe I opened port 5090 but I think it still might be blocked, could SELinux be the problem? How can I get around setting it to permissive or disabled if I don't have access to the "setup" command?
4- What is the order in which iptables reads rules? Does rule #1 supersede all other rules, or does the last rule supersede all rules prior to it?
5- Do the rules below make a fairly safe system (except for the duplicates, which should be removed)? I understand that a safe system also depends on the applications that are allowed, and I am not talking about those. I am talking about dropping all other inquiries, and in general, is this how iptables is set up? This is what I currently have:

[root@tel ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Code:
Can't initialize iptables table 'NAT': Table does not exist (do you need to insmod?)

Looking at lsmod, it doesn't look like I have anything NAT related loaded (I just have iptable_filter, ip_tables, and x_tables). Doing a locate nat, I find a module that looks like it should work. I'm running 10.04.1 LTS - the kernel is 2.6.32-25-generic #45-Ubuntu SMP and it is pretty much stock - I haven't done anything fancy... This module looks promising:

Code:
/lib/modules/2.6.32-25-generic/kernel/net/ipv4/netfilter/iptable_nat.ko

but when loading it I get:
iptables has every rule set correctly, and the users in the subnet work great, but I have the following issue. Every user connects to a MySQL server running on the Internet through port 3306; the forward and masquerade rules do the job. Now I have a user on the outside, and he wants to connect to a MySQL server on a certain machine (not the gateway). PREROUTING rules solve my problem, but all the packets from the inside users now go to that certain machine. I would like something like: if the packet passed through masquerade, don't pass it through the PREROUTING rule, and if it comes from the outside (not a packet that comes from a request from the inside), pass it through the PREROUTING rule.
I am using qmail and have Webmin; all is running smoothly, but I have users spamming other staff accounts. The question: how do I block a user from sending out mails while still being able to receive mails, i.e. just denying access to sending mails? If anyone can guide me to do it via the terminal as well as Webmin. Why Webmin, you ask? Because I have tried it once and it works, but sadly it blocks both incoming and outgoing mails.
br0 - 192.168.0.1 - Internet
eth2 - 192.168.1.1 - LAN
tun0 - 10.0.0.2 - VPN (via br0)

What I'd like to do is to route all TCP packets coming from eth2 to tun0, where a VPN client is running on 10.0.0.2. If I delete all default routes and add a new route to tun0 like:

Code:
route del default
route add default gw 10.0.0.2
Everything is fine, and everyone on eth2 can reach the Internet using the VPN access. Now the problem is that my VPN client does not allow any protocols other than TCP. And I also want to allow VPN access only to eth2, no other LAN nor the router itself. I want to use iptables to filter any TCP packets and mark them, so they can be sent to tun0, while any other packets can reach the Internet via br0 (192.168.0.1). I found on the Internet that we can mark packets before they get routed, using the following commands:

Code:
iptables -t mangle -A PREROUTING -j MARK --set-mark 85 -i eth2 -p tcp --dport 80
ip route add table 300 default via 10.0.0.2 dev tun0
ip rule add fwmark 0x55 table 300
First of all, --dport 80 never works... :/ I wanted to filter TCP 80 packets coming from eth2, but none of them seem to be HTTP packets... oO (very strange...). Never mind, I decided to forget about the --dport option. I use the "iptables -L -v -t mangle" command to see how many packets are marked, and it is working fine; all TCP packets coming from eth2 are marked. Now the problem is that none of them are routed to tun0; they are all respecting the "route -n" rules... and not the "table 300" rule I have created.
I was trying to install and configure a FreeRADIUS server on CentOS 5.5. I installed FreeRADIUS 2.1.7. I added a single line at the top of the users file like this: bob Cleartext-Password := "hello". When I tried to test using the radtest command (radtest bob hello 127.0.0.1 0 testing123), I got an Access-Reject message from the RADIUS server. First I was trying on the same PC with a different terminal. I searched and tried a lot of options, but all the time I got the same Access-Reject message. I put the debug message on the debug site. I can see that a lot of users posted the same error message in many forums, but I can't find any solutions. I installed NTRadPing on my laptop and tried, but same error.

Delaying reject of request 0 for 1 seconds.
Going to the next request.
Waking up in 0.9 seconds.
Sending delayed reject for request 0.
Sending Access-Reject of id 16 to 10.10.204.73 port 1619.
Waking up in 4.9 seconds.
Cleaning up request 0 ID 16 with timestamp +3.
Ready to process requests.
The theme I have chosen in Ubuntu 10.04 (Ambiance with buttons in the upper right-hand corner) is not applied to the menu bars at boot/login. Menu and title bars should be very dark with a white font. When I boot the computer, the application title bar is correctly formatted, but the main menu bar of GNOME and the menu bars of all applications are black font on a gray background. When I open the theme selection (in German Einstellungen | Erscheinungsbild, in English likely something like Preferences | Appearance),
the correct theme is applied to the menu bars without my having to select the theme again; simply opening the Appearance dialog suffices. At first I did not name my modified theme (it showed up as the first theme in the theme selection dialog, user modified). In trying to solve the above issue I gave the theme a name, but the strange behaviour persists. How can I make the theme automatically and completely applied at boot?
As a beginner, I installed Fedora 11 yesterday. Everything went well until I installed Evolution and Thunderbird. Incoming mails went well, but outgoing mails did not.
I am facing a strange problem with my iptables, as there are some firewall entries stored somewhere which keep displaying the firewall entries below even after flushing iptables, and when I restart the iptables service the firewall entries are again shown in my iptables, as shown below:
I'm using Arch Linux and I have an iptables rule set that I know works (from my other server); it's in /etc/iptables/iptables.rules, and it's the only rule set in that directory. I run /etc/rc.d/iptables save, then /etc/rc.d/iptables restart, but when I do "iptables --list", I get ACCEPTs on INPUT, FORWARD and OUTPUT.

# Generated by iptables-save v1.4.8 on Sat Jan 8 18:42:50 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
I've been a Windows user for many years. I began using Ubuntu/Linux only recently. I noticed that on Ubuntu, all manner of setting changes get applied instantly. In CompizConfig Settings Manager, for example. Almost everywhere in Ubuntu, settings seem to apply instantly, without having to click an Apply or OK.
I wonder how that is possible. I have never seen that in Windows. I tried searching for an answer on the net, but got nowhere. Can anyone give me an answer? I'm not looking for a technical answer. Just wondering if it is specific to Linux/Unix.
I'm running Ubuntu 9.10 (Karmic Koala) on a laptop and would like NumLock to automatically toggle depending on whether my USB keyboard is plugged in (numlock on) or unplugged (numlock off).
To accomplish this, I first installed the "numlockx" package. numlockx on and numlockx off work fine.
To hook into the device system, I thought I'd use udev. I have read "Writing udev rules", but I'm having trouble getting the udev rule to work.
First, here's an example of the dmesg output:
[20906.985102] usb 3-2: new low speed USB device using uhci_hcd and address 6
[20907.166403] usb 3-2: configuration #1 chosen from 1 choice
[20907.192904] input: Microsoft Natural® Ergonomic Keyboard 4000 as /devices/pci0000:00/0000:00:1a.0/usb3/3-2/3-2:1.0/input/input20
[20907.193100] microsoft 0003:045E:00DB.000B: input,hidraw1: USB HID v1.11
I have created a new user-defined chain:

# iptables -N blacklist

Normally when we add a new rule it is automatically inserted in the default iptables chain, but when we create a user-defined chain, how can I add my rules to this chain?