Networking :: Iptable Rule For Blocking Direct Internet Access
Jun 13, 2010
I have the following system in my LAN:
firewall (iptables)
eth0 (private) - 192.168.2.1
eth1 (public) - 189.117.57.2
Squid server at 192.168.2.10
My requirement is that all outbound internet connections must go through the proxy server, not directly to the firewall. Please specify an iptables rule for blocking direct internet access. My clients' IP range is 192.168.2.20 to 192.168.2.47.
May 12, 2010
I'd like to know how many rules iptables can manage. I'm asking because I'd like to drop all traffic from my local net to porn sites. I have a database of porn sites which contains about 900 000 domains. I know there are solutions like squidguard, but for my Linux box I'd like to use iptables to prevent users from accessing porn sites and other blacklisted sites.
Mar 4, 2011
This is what I have currently running.
Code:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A INPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
[code]...
How do I add this to the ruleset without redoing the whole thing?
Code:
iptables -A OUTPUT -d 10.3.0.0/16 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
Mar 12, 2009
When I try to connect to the internet, SELinux gives me a "preventing NetworkManager" alert. Here is what it says:
Code:
Summary:
SELinux is preventing NetworkManager (NetworkManager_t) "getattr" to /dev/ppp
(ppp_device_t).
[Code]....
Aug 30, 2010
I've set up ufw rules on my system but noticed that the rule I created to allow traffic from my local network is still dropping some RST packets. Here's part of the output of dmesg:
[43627.361500] [UFW BLOCK] IN=wlan0 OUT= MAC=00:16:ea:03:9c:3a:00:1f:a7:3d:d5:eb:08:00 SRC=192.168.0.4 DST=192.168.0.3 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=2210 PROTO=TCP SPT=59521 DPT=9000 WINDOW=0 RES=0x00 RST URGP=0
[code]....
Apr 11, 2010
I have problems with iptables:
[root@server7 ~]# iptables -I INPUT -p tcp --syn -m recent --set
[root@server7 ~]# iptables -I INPUT -p tcp --syn -m recent --update --seconds 10 --hitcount 30 -j DROP
iptables: Unknown error 18446744073709551615
[root@server7 ~]#
I need to stop a SYN DDoS attack... but the iptables rule doesn't work...
Dec 22, 2010
On my new CentOS I am not able to add an iptables rule:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
bash: iptables: command not found
I am getting this error. I use this rule to forward ports to squid.
Apr 21, 2010
I'd like to mark all packets coming from and going to an IP address, and I'd like to match the marked packets in another rule. E.g.:
Rule 1: Mark all packets coming from 192.168.2.0/25 with number 1
Rule 2: Drop all packets which have been marked with number 1
Sep 1, 2011
I need help creating an iptables rule. iptables is installed on my router. My router also connects to a "hide my a**" VPN account at 79.142.65.5:443. The goal is to somehow force the traffic to go through the VPN, because what sometimes happens is that the VPN connection drops (for whatever reason) and my real IP becomes exposed. Basically, I want to block "myself" from accessing the Internet when not connected to the VPN because of privacy concerns.
Below is my iptables configuration. It has the 3 default chains and also many custom user chains. I need to know what kind of rule to add, what interface to apply it to (lo, tun0, br-lan, eth1) and the correct chain to insert it into. For example, you could tell me something like:
Quote:
FORWARD chain, change rule 1 to
iptables -R FORWARD 1 -j zone_wan_MSSFIX -p tcp --destination-port 443 -i eth1
Obviously, that was just a guess; I need someone who knows iptables to help me.
Code:
Chain INPUT (Policy: ACCEPT)
Rule # Traffic Target Prot In Out Source Destination Options
Rule 1 72.95 KB DROP all * * 0.0.0.0/0 0.0.0.0/0 state INVALID
Rule 2 1.11 GB ACCEPT all * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
[code].....
Oct 30, 2010
I have installed Squid as my proxy server on an Ubuntu 10.04 standalone system. Why have I installed Squid on a standalone system? My friends use my system to browse sites and download files, so I installed Squid to block porn sites and downloads. But they simply bypass the proxy by disabling it. I know there is some way to force all browsers to go through the proxy using iptables, but how do I achieve it? Does the command below suit my need? If not, what modification should I make?
Code:
sudo iptables -t nat -A OUTPUT -p tcp --dport 80 -j REDIRECT --to-port 3128
Jun 15, 2010
I have Samba running on 192.168.100.209 and I am trying to open the Samba ports only for hosts in the 192.168.100.0/24 network. I have added the following rules to iptables, but I am still not able to connect from machines in the 192.168.100.0/24 network.
Code:
iptables -A INPUT -s 192.168.100.0/24 -p tcp --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.100.0/24 -p tcp --dport 445 -j ACCEPT
What's wrong with the above rules?
Mar 10, 2011
Tell me the command for an iptables rule to add to chain RH-Firewall-1 to block the FTP port. The FTP server was configured on a public IP address. I searched Google but didn't get the exact command for an iptables rule in chain RH-Firewall-1.
Mar 8, 2011
I am running an ad hoc wifi service from my laptop to share my internet connection with my other laptop.
I am also running mobloquer on the first laptop.
But when I try to access the internet on my other laptop, I can't do it unless I disable mobloquer on the first laptop.
With mobloquer switched on (on the first laptop), I can use uTorrent on the second laptop but can't browse any websites (using Firefox or Chrome!).
The first laptop is running Ubuntu 10.10; the second laptop is running Win XP SP2.
I want to allow internet access on the second laptop while mobloquer is running on the first laptop. Is it possible to do so?
Jun 3, 2010
My internet gateway is 192.168.1.1 with a 255.255.255.0 subnet mask. I have a router connected to it running DD-WRT with IP 192.168.2.1/24, creating a second subnet behind it. I have a tenant moving in who will be connecting wirelessly to the DD-WRT router, so to the 192.168.2.0/24 subnet. What I am looking for is a rule that will pass internet traffic to and from this client, but otherwise restrict his access to the 192.168.1.0/24 subnet. The DD-WRT router is connected to the 192.168.1.1 gateway through its WAN port, btw. For example, the client would get an IP address of 192.168.2.100 wirelessly from the DD-WRT router. I want him to be able to surf the internet through the 192.168.1.1 gateway, but not to have any other access to the 192.168.1.0/24 subnet (ideally not have access to ANYTHING besides the internet).
Mar 30, 2010
I wrote a network emulator program in C. It runs from the Ubuntu terminal with good performance, but I have to make it web-based for user configuration. So I set up an Apache web server, wrote this program as a CGI script and tried to execute it from a web page. This program must be run with root privilege ($ sudo -s) and add iptables rules such as (# iptables -A OUTPUT -j QUEUE). So my question is: how do I add iptables rules from my CGI scripts? How do I set superuser (root) permission so my program can be accessed through the web server?
Aug 25, 2010
I have 2 LANs in my network. They are:
LAN 1: 192.168.0.0
LAN 2: 192.168.1.0
Both LANs communicate with each other, and both have an application server. In LAN1, I can access the web server both internally and externally. In LAN2, it only works on the internal network. The rule that I'm using is as follows:
iptables -t nat -A PREROUTING -p tcp -d my_ip --dport 80 -j DNAT --to 192.168.1.254:80
This rule works for LAN1 but not for LAN2. Does anyone know what could be blocking access?
Nov 21, 2010
I am in China, where some web sites (....., facebook, etc.) are blocked. So I have to access these blocked sites by VPN. But how can I access the blocked sites via VPN and the unblocked sites via my direct ADSL?
Jun 17, 2010
I bought a wired broadband dsl router to provide another layer of security for my computer running ubuntu. I just plugged it in without installing any software etc. It blocks the internet connection.
Jul 13, 2010
How can one have direct access to keystrokes? Normally the keystrokes are collected by the program concerned, and access to them is not available to any other user program. I am trying to write a program to simultaneously catch the keystrokes. Obviously this would require low-level access to the keyboard. How can one do it?
Jul 26, 2011
I have a single board computer previously running DOS. I recently got Linux running on it. Now that the system is running Linux, I have to translate the code that was supported by DOS. The code has segments that allow direct access to memory-mapped registers through the macro _MK_FP and do read/write. I have read that where DOS allows this kind of direct memory access, Linux does not. Is there a way to do this in Linux?
Dec 31, 2010
I managed to configure my W890i phone to get access to the internet through an Ubuntu-based computer. It's very easy to use the phone to give internet access to the computer, but the opposite is quite a bit more tricky. For that I've done the following:
----On the phone---
-Set the USB network option to "through computer", so that the phone uses the computer's internet connection and not the opposite.
-Decide and set the "Shared Network" parameters: user, password and workgroup.
-In "connectivity -> internet connection" set "allow local network" to "yes".
----On Ubuntu 10.04---
-Install samba, samba-client, smbfs, smbclient, firestarter and dhcp3-server.
-Configure Samba (System -> Administration -> Shared folders): same workgroup as on the phone, add a new user (the phone), passwd this new user. In my case the user was called "w890i" and the password given was the same.
-Once the phone is connected to the computer through USB (then select "phone mode"), a new connection appears in NetworkManager: usb0. The aim is to create a shared network that gives internet access to this device. Edit the IPv4 parameters of this new connection, set them to Manual and give an IP address (192.168.0.1) and a subnet mask (255.255.255.0); the rest of the fields are left empty. Connect this network.
-Set firestarter to use dhcp3: sudo ln -sf /etc/init.d/dhcp3-server /etc/init.d/dhcpd
-Launch firestarter and follow the wizard. Set "allow internet shared connection", choose the device for the primary internet access, and then the device for the shared network (usb0). Then change the settings for firestarter: activate DHCP for the local network, set the IP to the one we gave before (192.168.0.1).
-Open the dhcp3-server config file: sudo gedit /etc/default/dhcp3-server and set INTERFACES="usb0"
-Set the policies of firestarter: in incoming connections, allow connections from the IP address given to the phone (192.168.0.1). Then add rules for the ports that need to be open for this connection. I opened HTTP, HTTPS, SMB, SMTP, POP3, IMAP, IMAPS and DHCP for all the connections in the local network.
-Apply policies and start the firewall.
------------
After all this, the phone can access the internet through the computer. Two problems appeared:
1. I couldn't get access to https sites, like webmails. The phone gave a "communication error". But then I tried Opera instead of the browser built into the phone's firmware, and I could finally get to https sites.
2. I couldn't retrieve mail, neither POP nor IMAP nor IMAPS. I thought it was a firmware problem again, and I tried out several mobile phone email clients written in Java, but none of them worked.
So this is the problem at the moment. If I connect from the phone to the internet directly through 3G, the email clients work for all my accounts. I don't think it's a firewall problem, because the ports are opened for this connection.
Jul 6, 2011
I connected my laptop running Ubuntu 11 to the LAN but I couldn't access the internet. But I could ping the other computers connected to the LAN. I tried the same thing with Windows 7 on the same laptop and I could access the internet.
Mar 5, 2011
Running Ubuntu Netbook Remix on a Toshiba NB500, upgraded to 2 gigabytes of RAM. Very slow opening applications via the side icons: 8-12 seconds. Is that normal for this distro?
- No 3D cube. Installed the related compiz software, adjusted settings, ticked cubes etc. Not a peep.
- No direct desktop access. Only via side icons. I just find it fiddly re: using the desktop and changing the background via side icons.
A couple of other items (MBB for one), but for another category.
Apr 22, 2010
Does a mailserver have to have direct access to the WAN, or can it be a LAN device with just one NIC?
We have two WAN access points.
One is an ADSL router joined to the switch, and all seems fine for internet browsing.
The other is a wireless system with a Linksys router joining by way of PPPoE, and this appears to connect fine.
This PPPoE is direct to our ISP and is where we need to download our mail to our pending mailserver.
When the Linksys router is also joined to the switch, all devices can use either the ADSL or the Linksys to roam the net. 192.168.1.1 is the Linksys & 192.168.1.10 is the ADSL.
When I join the Linksys directly to the mailserver I will then need two NICs: one for the Linksys and one for the LAN.
This is where the fun has started.
So.... Can I just have one NIC (connected to the switch) on the mailserver?
Jun 8, 2010
I've got a Hitachi Deskstar 164GB IDE drive which I've somehow managed to upset while attempting to swap distros. I'm guessing it's lost the MBR, as I can't get a PC to see it except in the BIOS. The BIOS tells me that the primary master has 164GB, Cylinders 65535, Head 16, Precomp 0, Landing zone 65534 and Sector 255 (my understanding of that info is very limited). The PC won't boot directly from the HDD and a live Knoppix disc can't see it. Trying fdisk -l produces no list. (Naturally, I can't install another distro on it either.)
Dec 13, 2009
How can I see which SELinux rule kicks in at a given point? Is there something like a debug mode for SELinux? The problem is that SELinux Troubleshooter does not show any errors at all when the denial happens.
Aug 23, 2010
Did a quick search through the site and could not find the answer I was looking for. Currently I am running Fedora Core 12. I would like to get Amarok installed with all the MP3+ support. I do not have internet at home, just on my phone (so I can download and transfer small files), and at work with a jump drive. How would I go about getting this done?
Jul 8, 2011
I am using a Dell Inspiron 14R laptop that came with Windows 7 Home Basic. The partitions of my hard disk before installing Fedora 15 were:
Dell (OEM Partition)
OS (C: ) (Primary Partition)
RECOVERY (Primary Partition)
New Volume (E: ) (Logical Drive)
I tried shrinking my C: drive (which has Windows) but couldn't do so, hence I performed the procedure on E: instead. I did this to create 15GB of unformatted space to install Fedora in. While installing Fedora, I chose the option "Use Free space" under Disk Partitioning Setup, but the OS got installed in the E: drive. Currently, I am able to use both Windows and Fedora under dual-boot, but the problem I am facing is that when working in Windows, I am unable to see drive E: in Computer.
Windows Disk Manager is able to detect the partition and shows it as healthy (1st screenshot). Its name is now New Volume, and I am neither able to change its path or letter (Error: incorrect parameters) nor able to check it using "chkdsk" (Error: cannot open volume for direct access; the GUI doesn't work either) (2nd screenshot). On the other hand, I am able to access both partitions in Fedora.
Another point to mention is that after finishing the installation of Fedora, when I started Windows, Disk Manager as well as Dell DataSafe showed that the Windows Recovery drive had been formatted (maybe inappropriate terminology!) and was no longer retrievable. To rectify this problem, I restored my Windows to before Fedora was installed, and I seem to have got the Recovery drive back (1st screenshot) (before doing this, it was nameless and empty).
Oct 5, 2010
Normally all I/O goes through the kernel so that it can schedule the operations and prevent processes from stepping on each other. A few special user processes are allowed to slide around the kernel, usually by being given direct access to I/O ports. X servers are the most common example of this, aren't they? Can you give examples of any other processes that are allowed to slide around the kernel?
Sep 14, 2010
How can we force an application which inherently uses a direct Internet connection to connect through a proxy server connection? Like redirecting the direct traffic it generates to a proxy server.