Is it possible to apply a rule to a specific local IP? For example lets say I have a two IP's assigned to my server, 1.1.1.1 and 2.2.2.2.;.I want to deny all connections going to 1.1.1.1 only asides from a couple of trusted IP's I will define.
View 1 Replies
I am booting centos 5.4 on machine. The system hangs at line "Applying iptables firewall rules".Is there any way to skip starting iptables service during boot or disable it during boot so the system finally reboots.
View 1 Replies View RelatedIPtables creates an error during startup as well as when I try to restart it: Here's the output of:
[Code]....
I'm hoping some of the Linux network experts can help me with this problem.
Situation: I have a technology which is a WebLogic JEE application that communicates to an Oracle database. Everything is installed in a single Linux virtual machine running in VirtualBox. Traffic from the JEE application goes via JDBC over TCP to the local running database. What I want to do is test a new database firewall server that wants all traffic destined for the database to flow via another virtual machine running the DB Firewall software.So therefore want I need to do is have DB traffic forced out over one interface only to return on another interface on the same VM listening on a different address.
JEE application running in WebLogic bound to 192.168.111.12 (eth1 a VirtualBox hostonly interface). Makes a request for 10.0.111.12 (eth2 a VirtualBox internal interface) which the database is listening on. Because both IPs are on local interfaces, Linux is going to handle the traffic and not route the 10.x traffic via the 192.x interface.I also have running the database firewall server which has a bridge (br0) between the HostOnly network and the Internal network.Both systems are running Oracle Enterprise Linux R5U4, which is basically the same as RedHat.What I want to do is have the request for 10.0.111.12 forced out via 192.168.111.12, bridged over the br0 connection and back into 10.0.111.12 and to the database. My networking knowledge is pretty good, but i'm stuck right now on the right way to do this. I'm pretty sure it is possible, I just need clear advice.
Reason for setup: Ideally I would build the system with the database on a separate machine so that I can easily route the traffic. Unfortunately we have many VirtualBox based demonstration systems with both the application and database installed on the same VM and therefore the amount of work to migrate these two dual VMs is going to be significant, also many of these VMs are demonstrated from laptops which have limited resources and creating a new database VM reduces overall performance. If I can create a way to force the traffic in this manner off and back onto the same VM via the other VM bridge, it would be fantastic.
can I deny the access to my server for a specific OS? I have one PC which I want to give it acces from winxp, but if it's boot into ubuntu I want to deny all access to my server, same IP, same ethernet card
View 8 Replies View RelatedPlease what will it take me to write a perl full functioning program to filter emails for specific rules? Will that be possible? The actual thing am trying to get is to write a perl program and attach to a mail server so that, when the mails come in, the perl script get call and then the perl program will let another external program that is not on the server run and check or filter the mails.
View 8 Replies View RelatedFor some purpose in my home network I want to get a specific ip to my localhost on that machine.Like say I typed 123.123.123.123 I want that go to localhost.
View 3 Replies View RelatedI have some beginner questions about DHCP, Avahi, and configuring a small home LAN.Suppose I have a dynamic IP address assigned by my ISP, which requires DHCP be enabled in my dsl modem/router/"firewall" [sic]. Suppose for simplicity I have just one PC behind the dsl modem.I think "enabling DHCP" in the modem/router means that a DHCP client runs on the router, which communicates with a DHCP server run by my ISP when I boot up a PC on my LAN. Is that guess correct? Can I get DHCP to assign a particular local IP, say 192.168.1.10 (which is not the one taken by the router--- for this discussion, let's say that is 192.168.1.0) to my PC each time I boot it up?
Now suppose I want to build a stand-alone firewall, so that my LAN will have the firewall and the first PC behind the modem, with the first PC virtually behind the firewall. By default, I think these will both have DHCP clients running which I need to configure properly. The firewall should also have a DHCP server which should control how local IP addresses are assigned, correct? I should try to arrange that the LAN has only DHCP server, only one NTP timeserver, only one DNS nameserver, correct?My first PC seems to have installed an autorun client called Avahi, which performs DNS multicast services and incorporates something called zeroconf which seems to have something to do with remote desktops, which I don't need and which is a potential security hazard. But it seems that Avahi is an intrinsic part of the KDE desktop and cannot be removed. Just want to be sure that Avahi can coexist comfortably with dhcp3-client, which is also installed on that PC. They perform different tasks, correct?If I can get the stand-alone firewall to work, I know I need to turn off the commercial firewall in the dslmodem/router/firewall device. Should I purchase a bridge and try to turn off the routing function also?
I have a directory on my server at /home/dave/www/images/site (ext3) which I want to mount directly to my Windows computer so that I can transfer data easily via command line tool. Is that something possible?
View 4 Replies View RelatedI need to create filename 70-android.rules in the directory /etc/udev/rules.d/I have Adm privileges in my user account properties, but when I use sudo to create this file the Ubuntu OS does not allow me the privilege... I am running Ubuntu 10.04 LTS and here's the Terminal output below:daddy@gatomon-laptop:/etc/udev/rules.d$ sudo cat > 70-android.rulesbash: 70-android.rules: Permission denieddaddy@gatomon-laptop:/etc/udev$ ls -ltotal 8drwxr-xr-x 2 root root 4096 2011-03-16 18:03 rules.d-rw-r--r-- 1 root root 218 2010-04-19 04:30 udev.conf
View 2 Replies View Relatedif an admin decides this is security feel free to move, at the moment I can't decide where so posted here...On my laptop (msi-u100) my bluetooth stack creates rfcomm0 but is not applying the correct context label to it so selinux is bitching.
View 2 Replies View RelatedI'd like a way to see all of the devices on my local network and what their local IP address is. I recall that I used wireshark to troubleshoot a similar problem a while back, but it doesn't seem to have a way to see all of the devices- only the traffic. (I'd like to do this without having to physically interface with my router if possible, and I am in an encrypted network if that matters)
View 6 Replies View RelatedI have installed a web server on my local network. Everything is well configured and web pages are shown correctly from Internet (outside the local network) using the domain or the public IP.The issue is if I try to see that web pages (using the domain or the public IP) from inside the local network. In that case the router config page (192.168.1.1) is shown instead of the web pages.From inside the local network I'm only able to see the web pages using the internal IP address (192.168.1.XX).
View 2 Replies View RelatedI've got an Ubuntu server hosting our websites and other various things here in our own home. We recently switched to a router that doesn't support loopback (abomination), so I've set up hosts files on our computers so we can access our own sites when on our home LAN.
However, we often take our laptops as we travel about, and I'm guessing due to the hosts files when we try to access our sites, it'll look on whatever local network we're connected to for our server, which won't work, obviously.
Is there a way to set up something like a hosts file that'll only try to look up the local IP of the server when we're on a specific network (our home one), or have one that tries to look for the local IP first, then proceeds to try and resolve the domain name and use the external IP if the local IP doesn't work?
I can't seem to get CBQ / tc working when I attempt to filter ip+port. It works when I just filter on IP though, I don't understand what the problem is. Here is my CBQ file.Quote:
DEVICE=ppp0,51200Kbit, 51200Kbit
RATE=512Kbit
WEIGHT=512Kbit
[code]....
I added a few rules to my /etc/iptables.rules file and then used sudo iptables-restore < /etc/iptables.rules but i got an error saying "iptables-restore: line 29 failed".But the only word on that line.
View 1 Replies View RelatedEven though I've set up HTTPS to be trusted, it still blocks my school's https site: "mnsu.edu/eservices" same with SAMBA and SSH.
If enter the GUI and authenticate as root, change anything and apply, then exit: it works fine and so does SAMBA. However, after restarting, everything stops working again.
yet secure firewall configuration that doesn't require any login or headaches.
I need with some iptables rules. I've done all I can, Googling all over, to cover as many exploits as possible and the following script is what I've come up with. The current set up works and I've checked with NMAP. I just need some sort of confirmation that this is pretty much what I can do.
Code:
LAN="eth0 eth1"
RANGE=10.1.0.0/17
WAN=eth2
# Delete all existing rules
[code]....
Also, if I wanted a broadcast to be relayed to all subnets within a defined range, how would such a iptables rule look like? I need this in order to find a networked Canon MP640 printer.
On my firewall I have DNAT for certain UDP streams. I have set up the DNAT and FORWARD rules:
Code:
#: Redirect port 6006 to TH2
$IPTABLES -A FORWARD -j ACCEPT -d $hst_stratus_th2 -p udp --dport $prt_mdi
[code]....
I just install 1 firewall using Iptables.
Firewall includes 2 NIC:
NIC1 <IP PUBLIC>
NIC2 192.168.10.1
I installed 1 web server IP: 192.168.10.2
I have some PC IP range: 192.168.10.10->20
I set rules NAT on firewall and PC & web server can connect internet good, but I have problems:
When PC access to web server with IP 192.168.10.2 that ok, but PC can't access to web server when using IP Public. But outside internet, I can access to web server using IP Public.
Rules on IPTables
Code:
# Generated by iptables-save v1.3.5 on Sun Mar 7 21:01:16 2010
*nat
:PREROUTING ACCEPT [950:126970]
:POSTROUTING ACCEPT [89:5880]
:OUTPUT ACCEPT [19:1342]
-A PREROUTING -d 209.99.242.124 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.2:80
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j SNAT --to-source 209.99.242.124
*filter
:INPUT DROP [1599:157409]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [232:34452]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.168.10.2 -p tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
COMMIT
I am building a router and I wonder if I have some rules like this and
/proc/sys/net/ipv4/conf/all/accept_source_route is 0 will it work.
Code:
echo 1000 TEST >> /etc/iproute2/rt_tables
iptables -A PREROUTING -s 192.168.2.0/24 -t mangle -j MARK --set-mark 1
ip rule add fwmark 1 table TEST
ip route add default via 192.168.3.5 dev eth2 table TEST
I am not quite sure is it source routed packages at all. And also even if it works with my router will next firewall drop such packages. I have mentioned before that some things like:
Code:
ip route add default via 192.168.3.5 dev eth2 src 192.168.2.0/24
do not work
For some reason, Ubuntu keeps assigning my network interface wrong MAC address. This happens only after fresh boot (I have dual boot with WinXP, if I start Windows first and then restart to Ubuntu without switching computer off, the MAC is correct). Contents of /etc/udev/rules.d/70-persistent-net.rules:
Code:
# PCI device 0x10ec:0x8136 (r8169)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:22:19:ef:1c:3d", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
# PCI device 0x168c:0x001c (ath5k_pci)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:17:c4:78:f4:f8", ATTR{type}=="1", KERNEL=="wlan*", NAME="wlan0"
[code]....
EDIT: I made a workaround by adding
Code:
auto eth0
iface eth0 inet dhcp
hwaddress ether 00:f3:f5:ef:fe:56
to /etc/network/interfaces and it works. However, I'd still like to know why Ubuntu ignores my udev rules, regardless whether the workaround happens to work or not...
I am trying solve a strange problem which ocurred after upgrading many packages including kernel and iptables.This is a Fedora 10 PC acting as a small home-server I've been using over a year without problems. Recently, I've run a yum upgrade and after that, connections outside home wouldn't work. No changes in IPtables (firewall) rules have been done. But connection through local network is working.Symptom is.I've connected to my second PC at home and connected to the server. It works fine on local network. I restart network services (service network restart) and outside connections could be established.I have disabled iptables and ip6tables and after reboots it works fine. But PC is running without firewall.
View 5 Replies View RelatedHow do I get ufw to refresh firewall rules after accidentally running iptables -F
View 3 Replies View RelatedDoes anyone have tips about iptables rules for filtering network traffice?
View 2 Replies View RelatedI am working on a Fedora 13 iso that will be used on some of the PC's at my work, the computers will have a varying amount of Ethernet ports, at least two onboard and up to 6 external. In order to ensure that the same physical port on the back of the computer is always used for the internet connection I have written a script to rearrange the contents of /etc/udev/rules.d/70-persistent-net.rules. The script ensures that the two Ethernet ports on the motherboard are listed as eth0 and eth1, without it they could end up as any port in the eth0-7 range.
The script works well however when its run I need to reboot the PC for the ifconfig to load the correct port as eth0/eth1. I have tried placing calls to my function through the rc.sysinit/rc.5d/rc.local and so on however nothing seems to work.Is there a way to make ifconfig check the mac/eth configuration files for changes (There appears to no longer be an ifprobe command which sounds like what I need). Alternatively is there somewhere I can place the script after udev has created the persistent-net.rules but before anything else loads the information. I have tried chkconfig --level 2345 network off and loading the service later but it still uses the wrong information, only a reboot seems to get it to work
every now and then Firewall Builder fails to open rules (*.fwb)and I have to use some old backup. it does load 'object libraries' but the main 'currently editing policy' panel is empty.(in gnome, debian testing amd64)
View 1 Replies View RelatedI'm trying to configure NFS sharing behind a firewall, I got it to work and all but I was caught by something that (to me anyways) seems odd.I've been able to mount the export on another computer and am transferring files over as we speak, but I'm just interested in knowing why the RELATED,ESTABLISHED rule seems to be catching almost all the traffic coming from the other node. Any ideas? Should I be concerned that my firewall isn't protecting anything or something?
View 1 Replies View RelatedWhenever I add a rule to iptables, all of the policy counters reset. The counters for each individual rule remain intact, however, the main counter resets. Here's what I mean:
Code:
[root] ~ # iptables -vL
Chain INPUT (policy ACCEPT 65M packets, 83G bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 50M packets, 30G bytes)
pkts bytes target prot opt in out source destination .....
The following is my setup. wireless server (ip of this server is 192.168.1.1) -- target board ( wireless client [ip of this is got for wireless server is 192.168.1.3 ] , bridge (192.168.36.1) )-- linux pc ( 192.168.36.3) as show above i have target board for that i have a wireless interface and a linux pc is connected to target board.now the ips are like this for linux pc 192.168.36.3 and my target board bridge ip s 192.168.36.1
my wireless interface got ip from another server like 192.168.1.3 ,now if i do ping on my target board for 192.168.1.1 it goes through wireless interface to the 192.168.1.1 wireless server.but when i do the same from target board connected linux pc its not pinging from linux pc i could able to ping to 192.168.1.3 but not 192.168.1.1 .I think i need to write a iptable rule properly on my target board to forward the 192.168.1.* packtes to wireless interface.
