Networking :: Interesting Distribution Of Packets Over Iptables Rules
Mar 13, 2011
I'm trying to configure NFS sharing behind a firewall, I got it to work and all but I was caught by something that (to me anyways) seems odd.I've been able to mount the export on another computer and am transferring files over as we speak, but I'm just interested in knowing why the RELATED,ESTABLISHED rule seems to be catching almost all the traffic coming from the other node. Any ideas? Should I be concerned that my firewall isn't protecting anything or something?
I two servers set up: 192.168.1.150 and 192.168.1.160 Initially, I want all traffic to be served by server 150. So for this purpose I am leaving the IPTables on .150 empty. At a point in time, I want to forward all incoming traffic to be served by .160 instead. I have accomplished this using these commands (on .150):
My problem is that if I have an open SSH connection to .150 (prior to adding the rules), the packets are still handled by .150 after adding the rules.. e.g. my SSH session stays active. I want these packets to be forwarded to .160, which would effectively disconnect the SSH session. I do not want the packets flat out dropped, I just want them forwarded on in whatever state they are in. If I try a new SSH session, it is properly forwarded to .160
I added a few rules to my /etc/iptables.rules file and then used sudo iptables-restore < /etc/iptables.rules but i got an error saying "iptables-restore: line 29 failed".But the only word on that line.
I've been trying to redirect all outgoing packets (destined for a specified ip address) from my slack box back to itself. I thought this could be done with iptables, but if I fire up wireshark I can clearly see that the packets are getting out to the real server and I'm getting responses from it.
So here's what I tried:
All looks good and fine, and then I even try to visit 194.28.157.42 with firefox (by the way I am running a webserver, that is set to show a page when you visit 127.0.0.1) and I get an error page that reads: 502 Bad Gateway.
I ignored this message to see what the program I'm trying to interrupt does, and when I start wireshark and then start the program that is using that website, I can clearly see that the packets make it to the real 194.28.157.42 and get back responses.
I am running into trouble while trying to set-up a iptables routing policy. I have two machines on the same sub-network (xxx.xxx.153.0). One of the machines is used as a default gw for the other (xxx.xxx.153.250 is a gateway for xxx.xxx.153.142 and xxx.xxx.153.254 is a gw for xxx.xxx.153.250). There is no explanation for why the xxx.xxx.153.250 is in the middle -- xxx.xxx.153.142 can go straight to xxx.xxx.153.254, but is is like that for now.I am trying to find an iptable rule to be executed on the xxx.xxx.153.250 machine to route the packets.
I need with some iptables rules. I've done all I can, Googling all over, to cover as many exploits as possible and the following script is what I've come up with. The current set up works and I've checked with NMAP. I just need some sort of confirmation that this is pretty much what I can do.
Code:
LAN="eth0 eth1" RANGE=10.1.0.0/17 WAN=eth2 # Delete all existing rules
[code]....
Also, if I wanted a broadcast to be relayed to all subnets within a defined range, how would such a iptables rule look like? I need this in order to find a networked Canon MP640 printer.
I just install 1 firewall using Iptables. Firewall includes 2 NIC: NIC1 <IP PUBLIC> NIC2 192.168.10.1 I installed 1 web server IP: 192.168.10.2 I have some PC IP range: 192.168.10.10->20
I set rules NAT on firewall and PC & web server can connect internet good, but I have problems: When PC access to web server with IP 192.168.10.2 that ok, but PC can't access to web server when using IP Public. But outside internet, I can access to web server using IP Public.
Rules on IPTables Code: # Generated by iptables-save v1.3.5 on Sun Mar 7 21:01:16 2010 *nat :PREROUTING ACCEPT [950:126970] :POSTROUTING ACCEPT [89:5880] :OUTPUT ACCEPT [19:1342] -A PREROUTING -d 209.99.242.124 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.2:80 -A POSTROUTING -s 192.168.10.0/24 -o eth0 -j SNAT --to-source 209.99.242.124 *filter :INPUT DROP [1599:157409] :FORWARD DROP [0:0] :OUTPUT ACCEPT [232:34452] -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT -A FORWARD -i eth1 -o eth0 -j ACCEPT -A FORWARD -i eth0 -o eth1 -d 192.168.10.2 -p tcp --dport 80 -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -i eth1 -j ACCEPT -A OUTPUT -o lo -j ACCEPT -A OUTPUT -o eth1 -j ACCEPT COMMIT
I had been running my SMTP server with WINE, as the SMTP server software is a Windows-based program (MERCURY), but I cracked the shits with WINE and removed it. Now I am running my SMTP server in a Windows virtual machine.This virtual machine has a different IP address from my host machine, so what I need is for my computer (the host) to redirect incoming traffic on port 25 to the virtual machine at 192.168.56.101 on port 2525.Can someone please help me with it? I think its done with iptables.
I have a very weird case in my firewall.I have an asterisk server and some phones and between them there is a linux firewall based on iptables.With basic rules on iptables everything works ok, but when I put a single nat rule (no matter what rule I use) some packets from some phones misteriously disappear from interfase to interfase.
Clearer:The firewall has two interfases: eth0 (pointing to phones) and eth2 (pointing to asterisk).One problematic phone is 192.168.3.242, so I use tcpdump this way.
I am trying solve a strange problem which ocurred after upgrading many packages including kernel and iptables.This is a Fedora 10 PC acting as a small home-server I've been using over a year without problems. Recently, I've run a yum upgrade and after that, connections outside home wouldn't work. No changes in IPtables (firewall) rules have been done. But connection through local network is working.Symptom is.I've connected to my second PC at home and connected to the server. It works fine on local network. I restart network services (service network restart) and outside connections could be established.I have disabled iptables and ip6tables and after reboots it works fine. But PC is running without firewall.
Whenever I add a rule to iptables, all of the policy counters reset. The counters for each individual rule remain intact, however, the main counter resets. Here's what I mean:
Code: [root] ~ # iptables -vL Chain INPUT (policy ACCEPT 65M packets, 83G bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 50M packets, 30G bytes) pkts bytes target prot opt in out source destination .....
The following is my setup. wireless server (ip of this server is 192.168.1.1) -- target board ( wireless client [ip of this is got for wireless server is 192.168.1.3 ] , bridge (192.168.36.1) )-- linux pc ( 192.168.36.3) as show above i have target board for that i have a wireless interface and a linux pc is connected to target board.now the ips are like this for linux pc 192.168.36.3 and my target board bridge ip s 192.168.36.1
my wireless interface got ip from another server like 192.168.1.3 ,now if i do ping on my target board for 192.168.1.1 it goes through wireless interface to the 192.168.1.1 wireless server.but when i do the same from target board connected linux pc its not pinging from linux pc i could able to ping to 192.168.1.3 but not 192.168.1.1 .I think i need to write a iptable rule properly on my target board to forward the 192.168.1.* packtes to wireless interface.
I'm trying to build a firewall with IPTables: INTERNET <--------> (eth0) FIREWALL (eth1) <------------->FTP_srvI set all rules DROP by default.My rules for forwarding packet to FTP server:
I have set up a master DNS server at 192.168.50.9 and a slave DNS at 192.168.50.6. Both servers are BIND9.Machines are for testing/experimenting, hence the IP addresses. Initially, the zone transfer was blocked by the firewall on the master, as the slave uses randomly selected non-privileged ports for zone-transfer query. So, as far as I understand, there are two possible approaches:
1. Allow connections based on source, which should be Code: -A RH-Firewall-1-INPUT -p tcp -m state --state NEW,ESTABLISHED -s 192.168.50.6 --sport 1024:65535 --dport 53 -j ACCEPT (and it works for me fine)
2. Allow ESTABLISHED and RELATED connections, which would be something like Code: -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT which was my initial idea but didn't work, but has inspired me to dig deeper into firewall configuration topics :).
Question: Does zone change notification message count for opening a dialog, or notification from master and slave zone update request are two absolutely separate actions? If the latter is true, that, of course, explains why option #2 didn't work.
I'm trying to configure Iptables and I just want to block everything but http/https. However, my connection is pppoe, so I have the ppp0 interface. Pretty much every Iptables tutorial that I found don't teach how to deal with this kind of setup. I'm forwarding the ppp0 to eth0 and I could configure the input rules and they're working. After this, I need to configure the output but nothing seems to work.
The current working rules are: Code: Chain INPUT (policy ACCEPT 7858 packets, 5792K bytes) pkts bytes target prot opt in out source destination 299 201K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:www 0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https 11 820 DROP all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT all -- eth0 ppp0 anywhere anywhere 0 0 ACCEPT all -- ppp0 eth0 anywhere anywhere state RELATED,ESTABLISHED Chain OUTPUT (policy ACCEPT 10791 packets, 1951K bytes) pkts bytes target prot opt in out source destination
I don't understand what those "state RELATED,ESTABLISHED" rules do. Also, I don't know if this rules are secure, because i'm very confused about the ppp0/eth0 interfaces.
I am trying to do something outlandish with iptables (or so I think!).I have a source sending udp packets to a destination (say dst11). Using port mirroring I am able to get all these packets to a different machine (say dst22). I am able to see these packets on dst22 interface using tcpdump.I want to analyze the packets on dst22. So what I do is put dst22 interface in promiscuous mode (using ifconfig eth0 promisc). This in theory should get the packet through the MAC layer. Now using iptables I am trying to DNAT the packets in nat prerouting to change the packets destination IP to dst22's interface and change the destination port.
I've setup ufw rules on my system but noticed that the rule i created to allow traffic from my local network is still dropping some RST and ACK packets. here's part of the output of dmesg
I'd like to (if it's possible, of course) to redirect the packets originated within a linux box, and I've been tryin' to do it through the OUTPUT chain in nat table:
The policy for the rest is ACCEPT.This redirection didn't work this way. If I do lynx http://192.168.0.74:80 I reach 192.168.0.74 host, so there is no redirection.Could I achieve what I'm needing through with IPTABLES' OUTPUT chain (in nat table)?
br0 - 192.168.0.1 - Internet eth2 - 192.168.1.1 - LAN tun0 - 10.0.0.2 - VPN (via br0)
What I'd like to do is to route all TCP packets coming from eth2 to tun0 where a VPN client is running on 10.0.0.2. If I delete all default routes and if I add a new route to tun0 like :
Code:
route del default route add default gw 10.0.0.2
Everything is fine, and everyone on eth2 can reach the Internet using the VPN access. Now the problem is that my VPN client does not allow any other protocols other than TCP. And I also want to allow VPN access only to eth2, no other LAN nor the router itself. use iptables to filter any TCP packets and mark them, so they can be sent to tun0, while any other packets can reach the Internet via br0 (192.168.0.1). I found on the Internet that we can mark packets before they get routed. Using the following commands :
Code:
iptables -t mangle -A PREROUTING -j MARK --set-mark 85 -i eth2 -p tcp --dport 80 ip route add table 300 default via 10.0.0.2 dev tun0 ip rule add fwmark 0x55 table 300
First of all, --dport 80 never work... :/ I wanted to filter TCP 80 packets coming from eth2, but none of them seems to be HTTP packets... oO (very strange...). Nevermind, I decided to forget about the --dport option. I use the "iptables -L -v -t mangle" command to see how many packets are marked, and it is working fine, all TCP packets coming from eth2 are marked. Now the problem is that none of them are routed to tun0 they are all respecting the "route -n" rules... and not the "table 300" rule I have created.
I have tried to google it around and couldn't find any good solution for it. What I want is to hook up to the kernel network hooks and for example investigate all of the packets (maybe keep some in the buffer and drop in the kernel so I could send them out lets say 10 minutes later) but from a C / C++ program perspective / level. I know it can be done via iptables but isn't there a way to do it from a program ?? I have found a library called ipq but apparently doesn't work with kernel 2.6.x anymore.
I am trying to program iptable rules for implementing a 1:1 NAT which does the following:
1. Forward all traffic from all ports on a public ip to a private ip 2. Forward traffic from a range of ports (x-->y) on a public ip, to a private ip
I did some google searches for the same, and came up with the following.
iptables -A FORWARD -t filter -o eth0 -m state state NEW,ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -t filter -i eth0 -m state state ESTABLISHED,RELATED -j ACCEPT
Can someone please let me know strong iptables rules? Below entries are in iptables file.Here Y.Y.Y.Y is another branch public IP.This server acts as gateway+squid server.Further it will serve company's intranet page also using httpd.OS is CentOS 5.0.
I am setting my firewall rules using the command iptables.My question is i wanna know what command i can use that list rule 2 and 3 for instance in my table?i want to create rule that: The host is administered using SSH, scp and sftp so allow incoming SSH traffic and securing remote file copying and transferring.
i have a linux server runnig oracle applications. i need to access this server from putty using ssh through internet. i did by registering my static ip with the dnydns.org and i am able to connect to the server. but now there is no security to authenticate any user as any one knowing the password can login to it.
i thought of configuring the firewall of linux server but the client ip`s are not static and they change continiously. so thought of keeping one more pc between the server and the router which will do the work of authenticating. but i am confuse as how to configure it to allow the packets coming from the internet after authenticating and to by pass the packets generated from internal LAN?
