Is there a way to check older iptable rules that were loaded? I accidentally overwrote my iptables and that has killed internet access to all computers in the intranet. I must have accidentally deleted some line in the iptable rules and cannot figure how to get it back to how it was. I am using Debian 5.05 by the way.
View 1 Replies
wrote a network emulator program in c programming. It can run for ubuntu terminal with good performance.But i have to make it for web-based user configuration. So i had setup apache web server and write this program in cgi script and try to execute this program from web page.This program must be run in root privilege($sudo -s) and add the iptables rules such as (#iptables -A OUTPUT -j QUEUE). So my question is how to add iptables rules in my cgi scripts? How to set the superuser(root privilege) permission to access my program through web server?
View 2 Replies View RelatedExplain the following iptable rules for me?
I understand 1 and 2, 1 creates the new syn_flood chain and 2 redirects all SYN requests to the new syn_flood chain.
I'm having trouble understanding 3 and 4. can someone explain to me in laymen terms the --limit 1/s and --limit-burst 3?
I have a caching dns and SNMP ( MRTG ) both on the same server how can I permit dns and snmp traffic in INPUT chain?? I have tried the following:
iptables -A INPUT -p udp --sport 1024:65535 --dport 53 -j ACCEPT
iptables -A INPUT -p udp --sport 53 --dport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp --sport 1024:65535 --dport 161:162 -j ACCEPT
iptables -A INPUT -p udp --sport 161:162 --dport 1024:65535 -j ACCEPT
I don't know if FC15 has the iptable rules like the ones shown below by default or not but I wanted a second opinion about the safety they provide. Why is icmp accepted (INPUT rule 1) from/to all ip? and is it better to remove this rule? When the protocol is all (INPUT rule 2), does it mean from ip layer and above?? and is it required/safe to have this rule? The 3rd rule is to allow tcp-port 22 connections (ssh) to/from all ip. I think this is correctly set and required. The 4th rule in INPUT table rejects pings with the icmp-host-prohibited message; which I don't think is the best solution. Instead it can be set to silently drop icmp packets. Then, the FORWARD table uses reject instead of silent drop for forwarding icmp ping packets.
Code:
what do you think about the new rules and their order?
How would you remove all iptable rules and chains?
View 2 Replies View RelatedI've configured iptables to act as a stateful firewall, but instead of simply rejecting packets I'd like to waste a potenial hackers time by droping any packet that would otherwise be returned. Are my rules sufficient or have I somehow opened myself up to an attacker by trying to write these rules myself?
View 3 Replies View RelatedI'm trying to set up a firewall at the moment that allows access to my custom SSH port from only my friend's url (they have a static url but dynamic IP). I find iptables a bit of a nightmare and was hoping to use UFW for most of my day to day firewall maintenance and just make a few extra iptable rules to cover exceptional circumstances like this. Fortunately it seems UFW allows this with /etc/ufw/before.rules and /etc/ufw/after.rules. So at the moment I'm just trying to get the basic iptables rules right. As I say I'm not very good with iptables, does this look right?
Code:
## Drop Default SSH port access With Logging
iptables -N SSH_DEFAULT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_DEFAULT
[code].....
I am having a Xen server xend daemon is taking care of giving interface names like vif1.0 or vif0.2 to the connected guest operating systems on it.I can not save the current IPTABLE rules since upon reboot the xend daemon gives different names to virtual ethernet interfaces i.e. vif1.0 or vif3.0 or vif9.0 like that.I have some rules that I want to be active upon subsequent reboots and not all.Say for example an SSH to external server at port 8000 should forward the request to a machine on LAN.Which I have done by port forwarding from IPTABLES.So I need to save some rules.I was thinking to make a script which on reboot activates those rules.
I am not clear on where to do that.I came across internet and found /etc/network/if-up.d/I am not clear with this directory my question is if I make a scrip which has IPTABLE rules as I want and save it in above folder will it work. I am not clear with what is /etc/network/if-up.dfor.Suppose my logic is wrong then how should I go for it.Also I want to know does a protocol uses two port to make a connection.I have forgotten that thing,i.e if I run an SMTP or ssh then do they use port 22 and 23 both in case of ssh or 25 and 26 both for SMTP like that or just specifying the rules for one port will be enough.I tested these rules in a secure environment where i had disabled firewall and ssh forwarding on router worked well
I recently set up a ftp server in my house running a dyndns service so I can get to it from the outside. I called my isp to get some help in setting up the router to forward port 21 from the outside to that box, and in short we had some problems. Long story short, they ended up bypassing the router itself, and now the line running to the box is its own fixed external ip. Naturally I want a pretty darn good iptables setup for this. The box runs proftpd and so far my iptables only accepts local loopback and port-21. (I left port 80 closed as its only purpose is to be a standalone ftp server) But I know there must be a safer rule for port 21, as right now its just wide open. Anyone have any ideas on how to make this a bit safer? Also would that command be fine for any of the linux machines im connecting to it from the outside too?
View 3 Replies View RelatedI have /var/log/audit and /var/log/audit.log owned by root and 600 permissions. I've also removed and made an empty /var/log/audit directory when that did not we work either. I can start the service after boot up, but it is not coming up automatically even when configured by chkconfig. I also get this after I attempt a restart...
Stopping auditd: [ OK ]
Error deleting rule (Operation not permitted)
Starting auditd: [ OK ]
The audit system is in immutable mode, no rules loaded
A tail of my /var/log/messages shows this...
Nov 23 16:45:18 hostname kernel: type=1302 audit(1290548718.524:73): item=1 name="/var/run/auditd.pid" inode=131143 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:var_run_t:s0
Nov 23 16:45:18 hostname kernel: type=1300 audit(1290548718.618:74): arch=c000003e syscall=87 success=no exit=-2 a0=7fff730b2f85 a1=7fff730b2f85 a2=2 a3=0 items=1 ppid=6243 pid=6248 auid=1111 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="rm" exe="/bin/rm" subj=user_u:system_r:unconfined_t:s0 key="delete"
Nov 23 16:45:18 hostname kernel: type=1307 audit(1290548718.618:74): cwd="/"
Nov 23 16:45:18 hostname kernel: type=1302 audit(1290548718.618:74): item=0 name="/var/run/auditd.pid" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0
Nov 23 16:45:18 hostname kernel: type=1300 audit(1290548718.620:75): arch=c000003e syscall=87 success=yes exit=0 a0=7fff9b776f81 a1=7fff9b776f81 a2=2 a3=0 items=2 ppid=6243 pid=6249 auid=1111 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="rm" exe="/bin/rm" subj=user_u:system_r:unconfined_t:s0 key="delete"
Nov 23 16:45:18 hostname kernel: type=1307 audit(1290548718.620:75): cwd="/"
Nov 23 16:45:18 hostname auditd[6260]: Started dispatcher: /sbin/audispd pid: 6262
Nov 23 16:45:18 hostname audispd: af_unix plugin initialized
Nov 23 16:45:18 hostname audispd: audispd initialized with q_depth=80 and 1 active plugins
Nov 23 16:45:18 hostname auditd[6260]: Init complete, auditd 1.7.17 listening for events (startup state enable)
I have linux firewall configured. I want to check the stress tecting on this firewall. is there any way to launch attack of DDOS or other attack which try to make the firewall busy ?
View 2 Replies View RelatedHowto check from the command line which modules were loaded after Lenny restart?
View 2 Replies View RelatedBecause the version of the microcode installed by the package intel-microcode in Testing (2009-03-30) is way older than the one currently offered by Intel (2010-02-09), I only installed the package microcode.ctl and let it fetch the microcode. However, after reading the Read Me files, manual pages and system logs, and checking the directory where the microcode is stored, I have not been able to find an option to check the version of the microcode in use.
This is the output of update-intel-microcode:
Local version:
Remote version:
could not extract the actual data of remote microcode
Is it possible to set up a udev rule that will check if a file exists on a USB drive?
I've got a few ubuntu servers in environments with some very not-techy peoples. Im hoping to get to the point where I can give them a few USB sticks with scripts on them, and if they plus one of these sticks in it will be mounted in, say, /media/special (rather than /media/usb0..7) and then the script would be run. But if a usb drive without special.sh is inserted, it should be mounted to /media/usb0..7 as normal.
I've been googeling for udev rules, and it seems simple enough to specify a mount point based on brand/model/serialnumber/etc... but i havent been able to find anything about checking for the existance of a file.
Tho the more i think about it, the more im starting to think its not going to be that straight forward. Can udev check for a file on a drive before that drive is mounted? Is it going to be a case of mounting every drive to /media/usb0..7 then having a script run that will check for the file, and if its there change the mount point before running special.sh?
i'd like to know how many rule can manage iptable. I'm asking that because i'd to drop all traffric from my localnet to porn site. I've a database of porn site witch contain about 900 000 domains. I know there are solutions like squidguard. But for my linux box i'd to use iptable to prevent users access to porn site and other blacklist site.
View 1 Replies View RelatedThis is what I have currently running.
Code:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
[code]...
How do I add this to the ruleset, without doing the whole thing over again?
Code:
iptables -A OUTPUT -d 10.3.0.0/16 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
I want to know how to add (ports to open)in firewall using command or scriptor any ather method
View 4 Replies View RelatedUsing iptables is there a way to switch the destination IP to become the new source IP and forward that connection.iptables store the src and dst IP in a variable for a particular connection?
View 2 Replies View RelatedHere's my setup: Slackware 13.1 External IFace = eth0 / DHCP (assigned from comcast) Internal IFace = eth1 / 192.168.0.0/24 I've made it connect/authenticate, but I can't get anything to route through it..
[Code]...
Really wanting to try and get this setup to where all computers on my lan are forced through the VPN, i've tried most of all things I've googled, and no real luck.
My internet gateway is 192.168.1.1 with a 255.255.255.0 subnet mask. I have a router connected to it running ddwrt with an ip 192.168.2.1/24 creating a second subnet behind it. I have a tenant moving in that will be wirelessly connecting to the ddwrt router, so to the 192.168.2.0/24 subnet. What I am looking for is a rule that will pass internet traffic to and from this client, but restrict him access from the 192.168.1.0/24 subnet otherwise. The ddwrt router is connected to the 192.168.1.1 gateway through its wan port, btw. For example, the client would get an ip address of 192.168.2.100 wirelessly from the ddwrt router. I want him to be able to surf the internet through the 192.168.1.1 gateway, but not to have any other access to the 192.168.1.0/24 subnet (ideally not have access to ANYTHING besides the internet).
View 4 Replies View RelatedI configure IPtable on RadHat as firewall and i want to allow for IP Phone using SIP protocol.I already allow port 5060 for IP Phone using SIP Protocol and I can call out.The problem is:
1. I can call out and in but when they pick up my call they hear what i'm saying but i can't hear they are saying.
I've been trying to add a redirect iptable record but each time I add it, it appears to add successfully (meaning it doesn't throw me any errors); yet when I run 'iptables -L' I can't see it listed:
iptables -t nat -A PREROUTING -p tcp --dport 82 -j REDIRECT --to-ports 8081
I also tried to do a DNAT redirection but this too, executed successfully but did not show in the list:
iptables -t nat -A PREROUTING -p tcp --dst 0.0.0.0/0 --dport 80 -j DNAT --to-destination 10.10.10.10
Am I missing something or am I not applying the rule correctly?
i have the following system in my lan.
firewall(iptables)
etho(private) - 192.168.2.1
eth1(public) -189.117.57.2
squid server at 192.168.2.10
my request is that i have to make all out bound internet connection should go from proxy server , not directly to firewall. Please specify a iptable rule for blocking direct internet access. my clients ip ranges from 192.168.2.20 to 192.168.2.47
I need to create filename 70-android.rules in the directory /etc/udev/rules.d/I have Adm privileges in my user account properties, but when I use sudo to create this file the Ubuntu OS does not allow me the privilege... I am running Ubuntu 10.04 LTS and here's the Terminal output below:daddy@gatomon-laptop:/etc/udev/rules.d$ sudo cat > 70-android.rulesbash: 70-android.rules: Permission denieddaddy@gatomon-laptop:/etc/udev$ ls -ltotal 8drwxr-xr-x 2 root root 4096 2011-03-16 18:03 rules.d-rw-r--r-- 1 root root 218 2010-04-19 04:30 udev.conf
View 2 Replies View RelatedThis is my first use of Ubuntu, but I have previous decent experience on Centos & Mandriva. I've just installed Natty 11.04 on a box that was running a mandriva 2010 - and the network is acting quite strange. When I define a static IP for eth0 through the gui, along with route & dns, it sort of works: ssh is fine, vnc too. However, I have an asterisk running on the box, and it is wild: some packets get lost in the box.
An ngrep shows the packets reaching the interface, but they dont show in asterisk !!! I've done a ufw disable, iptables is empty (why cant I service iptable restart btw ?). ip route list show decent routes (eth0 default); When I switch to DHCP, it is better, but unstable... If i plug a wifi usb stick, it seems to be better... Is there some known issues that could explain this behaviour ? The nic is a: Ethernet controller: Marvell Technology Group Ltd. 88E8001 Gigabit Ethernet Controller
I have problems with iptables :
[root@server7 ~]# iptables -I INPUT -p tcp --syn -m recent --set
[root@server7 ~]# iptables -I INPUT -p tcp --syn -m recent --update --seconds 10 --hitcount 30 -j DROP
iptables: Unknown error 18446744073709551615
[root@server7 ~]#
I need stopping a SYN ddos attack... but iptable rule don't work...
I can't seem to get CBQ / tc working when I attempt to filter ip+port. It works when I just filter on IP though, I don't understand what the problem is. Here is my CBQ file.Quote:
DEVICE=ppp0,51200Kbit, 51200Kbit
RATE=512Kbit
WEIGHT=512Kbit
[code]....
I added a few rules to my /etc/iptables.rules file and then used sudo iptables-restore < /etc/iptables.rules but i got an error saying "iptables-restore: line 29 failed".But the only word on that line.
View 1 Replies View RelatedI'll like to mark all packet coming from and going to an ip adresse. And I'd like to match that mark packet in an other rule. Ex :
Rule 1 : Mark all packet coming from 192.168.2.0/25 with number 1
Rule 2 : Drop all packets which has been mark with number 1
