Networking :: Iptables REDIRECTing - All Outgoing Packets ?
Dec 6, 2010
I've been trying to redirect all outgoing packets (destined for a specified ip address) from my slack box back to itself. I thought this could be done with iptables, but if I fire up wireshark I can clearly see that the packets are getting out to the real server and I'm getting responses from it.
So here's what I tried:
All looks good and fine, and then I even try to visit 194.28.157.42 with firefox (by the way I am running a webserver, that is set to show a page when you visit 127.0.0.1) and I get an error page that reads: 502 Bad Gateway.
I ignored this message to see what the program I'm trying to interrupt does, and when I start wireshark and then start the program that is using that website, I can clearly see that the packets make it to the real 194.28.157.42 and get back responses.
I had been running my SMTP server with WINE, as the SMTP server software is a Windows-based program (MERCURY), but I cracked the shits with WINE and removed it. Now I am running my SMTP server in a Windows virtual machine.This virtual machine has a different IP address from my host machine, so what I need is for my computer (the host) to redirect incoming traffic on port 25 to the virtual machine at 192.168.56.101 on port 2525.Can someone please help me with it? I think its done with iptables.
Node A to Vlan Switch Node B to Vlan Switch Node C to Vlan Switch Node B is set up to be a middle man between A and C. All nodes have 1 NIC.
They are all linux boxes. Node B can ping Node C. When I try to ping Node C from Node A, the ping just hangs forever.
When I use Wireshark to sniff What's going on with Node B during a ping from Node A to Node C, I can see an ICMP request with src = Node A and dest = Node C. I'd like to know if that ICMP packet was received by B from A or if it is going out. If it's going out, that makes no sense since B knows how to send to C. If B is only getting the requests but not forwarding them, then I know there is something wrong with B's configuration.
So I'd like to be able to sniff incoming packets only, or outgoing packets only. Is there a way to do this?
On our webhosting servers, where is primary running apache, sometimes starts huge outgoing traffic to random IP addressess (each time of attack is it just one IP). It's always UDP,and according to my investigation tcpdump, it looks like p2p. The problem is in big outgoing traffic, and secondly in filling ip_conntract table /proc/net/ip_conntrack. I think, that one of our webhosting users has some virus uploaded on his FTP, which is time to time ran. I think, that if I can map outgoing traffic to particular process ID, it will be easy to find the PID in access log of webserver and than see what URL it causes.
What I have checked already:
- outgoing UDP connections are not listed in netstat - so cannot get PID from there - Apache with PHP is in safe mode - cannot exec binaries, cgi is disabled - I can see tons of records in tcpdump, but from the dump I'm not able to get PID - In time of attack I was trying to run `lsof`, but nothing to see - didn't found the attacker - I went through apache access log - I took time of attack -i.e. 02:22 am - grep from access log all hits between 02:20 and 02:29 am and try to call all them again - problem didn't occured - checked the POST records from access log - nothing - grepped all php files for keyword 'fsockopen' and 'torrent' - from iptables --log-uid I have found user nobody (under apache is ran)
I think that the key is able to match outgoing connection to PID, than it will be easy.
My server ended up on 1 (just 1) block list and I'm finding it very difficult to convince myself that it was just an error of some kind.Can anyone think of any giveaways at the packet or port level that some program is sending spam from my server without using the normal MTA (nothing suspicious is showing up in the sendmail logs)
In my Fedora13 machine, while in mobile broadband, i can ping and skype outside, but cannot browse/yum etc. Few output that may be of relevence are here:
$ netstat -s IP: 149468 total packets received 6 with invalid headers 16174 with invalid addresses 0 forwarded 0 incoming packets discarded 118821 incoming packets delivered 101331 requests sent out 124 outgoing packets dropped 866 dropped because of missing route .....
Unsure about IP tables lingo, so excuse me for not looking this up:I have a server, running IP tables, that I do not want to allow any type of outgoing traffic to 192.168.1.21
I am new to iptables. We have two Squid proxy servers running in "non-transparent mode" (172.16.0.1 and 172.16.0.2). Currently users have to configure the proxy server they want to use by configuring them in their browsers. Recently I saw an example for redirecting web traffic to a single transparent proxy server.
Can anyone modify this rule to accommodate my current setup of two proxy servers running in non-transparent mode. i.e Redirect web traffic to the 172.16.0.1-172.16.0.2 ip range.
it�s been several years since i played with iptables. I have setup like this:eth0 is the only physical device on box and eth0:0 is aliased. Traffic going out of the box to internet uses eth0eth0 116.55.58.1eth0:0 116.55.58.2I have a service listening on port 80 on 116.55.58.2Lets say my client connect to 116.55.58.2:80 through 116.55.58.1 , how do I force (mangle you name it) with iptables that the outgoing source address will be always 116.55.58.2?
I am running into trouble while trying to set-up a iptables routing policy. I have two machines on the same sub-network (xxx.xxx.153.0). One of the machines is used as a default gw for the other (xxx.xxx.153.250 is a gateway for xxx.xxx.153.142 and xxx.xxx.153.254 is a gw for xxx.xxx.153.250). There is no explanation for why the xxx.xxx.153.250 is in the middle -- xxx.xxx.153.142 can go straight to xxx.xxx.153.254, but is is like that for now.I am trying to find an iptable rule to be executed on the xxx.xxx.153.250 machine to route the packets.
I'm trying to configure NFS sharing behind a firewall, I got it to work and all but I was caught by something that (to me anyways) seems odd.I've been able to mount the export on another computer and am transferring files over as we speak, but I'm just interested in knowing why the RELATED,ESTABLISHED rule seems to be catching almost all the traffic coming from the other node. Any ideas? Should I be concerned that my firewall isn't protecting anything or something?
I have a very weird case in my firewall.I have an asterisk server and some phones and between them there is a linux firewall based on iptables.With basic rules on iptables everything works ok, but when I put a single nat rule (no matter what rule I use) some packets from some phones misteriously disappear from interfase to interfase.
Clearer:The firewall has two interfases: eth0 (pointing to phones) and eth2 (pointing to asterisk).One problematic phone is 192.168.3.242, so I use tcpdump this way.
I've got a box with 2 interfaces, with IP1 = 192.168.100.1 and IP2 = 10.1.1.1 respectively on them. I've got an iptables rule that looks like: Code: iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -d 10.0.0.0/8 -p udp -j SNAT --to-source 10.1.1.1 --random
If I get 2 consecutive packets from the same address and port from 192.168.100.0/24, they get SNAT-ed and come out of the same port on 10.1.1.1. If then I get another packet from the same address and port 10 minutes later, then it gets SNAT-ed, but comes out of a different port on 10.1.1.1. My question is: how can I set the time delay I would like iptables to remember its incoming address/port to outgoing port mappings?
My Ubuntu Box has 3 interfaces. eth0 (Internal 192.168.1.0/24)eth1 (External ISP DHCP)eth2 (External ISP Static IP)I need the outgoing traffic to internet for 1 of the internal pc (192.168.1.10) to only go only go through eth2
I two servers set up: 192.168.1.150 and 192.168.1.160 Initially, I want all traffic to be served by server 150. So for this purpose I am leaving the IPTables on .150 empty. At a point in time, I want to forward all incoming traffic to be served by .160 instead. I have accomplished this using these commands (on .150):
My problem is that if I have an open SSH connection to .150 (prior to adding the rules), the packets are still handled by .150 after adding the rules.. e.g. my SSH session stays active. I want these packets to be forwarded to .160, which would effectively disconnect the SSH session. I do not want the packets flat out dropped, I just want them forwarded on in whatever state they are in. If I try a new SSH session, it is properly forwarded to .160
I am trying to do something outlandish with iptables (or so I think!).I have a source sending udp packets to a destination (say dst11). Using port mirroring I am able to get all these packets to a different machine (say dst22). I am able to see these packets on dst22 interface using tcpdump.I want to analyze the packets on dst22. So what I do is put dst22 interface in promiscuous mode (using ifconfig eth0 promisc). This in theory should get the packet through the MAC layer. Now using iptables I am trying to DNAT the packets in nat prerouting to change the packets destination IP to dst22's interface and change the destination port.
i've got a software that uses a specific tcp port e.g 11111. i want to redirect all the traffic from 11111 to squid port 3128. i'm using the following commands to redirecting:
my ubuntu server has two interfaces. eth0 is for local network (dhcp assigns ips) and eth1 is for internet. my ubuntu server acts as a gateway and as an authentication server for users.
at squid also i have the following configuration regarding my port:
acl myport port 11111 http_access allow CONNECT myport. my squid installation is not transparent as users need to authenticate in order to access the web.
my application is a windows application and of course is not working. i examined the packets with wireshark and i noticed that when the program tries to access the internet, squid replies with err_invalid_request (the packet contains that data). the program is trying to send some plain text via port 11111 and as far as i can image, somehow squid declines the data. i cant get rid off squid as i want to pass the traffic from squid. what is the problem?
I'd like to (if it's possible, of course) to redirect the packets originated within a linux box, and I've been tryin' to do it through the OUTPUT chain in nat table:
The policy for the rest is ACCEPT.This redirection didn't work this way. If I do lynx http://192.168.0.74:80 I reach 192.168.0.74 host, so there is no redirection.Could I achieve what I'm needing through with IPTABLES' OUTPUT chain (in nat table)?
br0 - 192.168.0.1 - Internet eth2 - 192.168.1.1 - LAN tun0 - 10.0.0.2 - VPN (via br0)
What I'd like to do is to route all TCP packets coming from eth2 to tun0 where a VPN client is running on 10.0.0.2. If I delete all default routes and if I add a new route to tun0 like :
Code:
route del default route add default gw 10.0.0.2
Everything is fine, and everyone on eth2 can reach the Internet using the VPN access. Now the problem is that my VPN client does not allow any other protocols other than TCP. And I also want to allow VPN access only to eth2, no other LAN nor the router itself. use iptables to filter any TCP packets and mark them, so they can be sent to tun0, while any other packets can reach the Internet via br0 (192.168.0.1). I found on the Internet that we can mark packets before they get routed. Using the following commands :
Code:
iptables -t mangle -A PREROUTING -j MARK --set-mark 85 -i eth2 -p tcp --dport 80 ip route add table 300 default via 10.0.0.2 dev tun0 ip rule add fwmark 0x55 table 300
First of all, --dport 80 never work... :/ I wanted to filter TCP 80 packets coming from eth2, but none of them seems to be HTTP packets... oO (very strange...). Nevermind, I decided to forget about the --dport option. I use the "iptables -L -v -t mangle" command to see how many packets are marked, and it is working fine, all TCP packets coming from eth2 are marked. Now the problem is that none of them are routed to tun0 they are all respecting the "route -n" rules... and not the "table 300" rule I have created.
I am setting up tomcat server on my Centos 5.5 machine. I've been advised to run tomcat on 8080 as non root user and redirect traffic to it from port 80.
I searched and found the following iptables commands for this:# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT -to-ports 8080 # iptables -I INPUT -p tcp --dport 8080 -j ACCEPTI have a doubt:
Tomcat is not accessible via port 80 without the second command. But the second command opens 8080 and makes it accessible over the internet (tomcat is accesible via both: www.<website>.com and http://<ip address>:8080). This doesn't seem right. Is there some simple (iptables) way to redirect traffic "internally" from port 80 to 8080 without having to open 8080 to the internet.
I want to block all outgoing traffic with iptables and only allow a few specific websites. I would like to get the code to do so and also to revert the changes in case I want to unblock them.
I want to block all the outgoing ssh form my machine, i.e my machine will not be able to ssh to any outside machine using iptables. The distro is RHEL, I added the following entry in the iptables but unfortunately it didnt worked, -A OUTPUT -p tcp -m tcp --dport 22 -j DROP
Rather new to Ubuntu. I was wondering for advice on a basic iptables configuration blocking all incoming/forward and just allowing outgoing to http(s) and dns of course.
I need to know what the Iptables "code" is to change the outgoing/Incoming IP for port 53 (DNS). I'm running CentOS on a dedicated server. I very familiar with Putty and SSH. So I don't need much details, I just can't figure this out. I asked my server providor but they deleted my ticket and didn't answer me.I tried this but am not sure if this correct of working?
I have tried to google it around and couldn't find any good solution for it. What I want is to hook up to the kernel network hooks and for example investigate all of the packets (maybe keep some in the buffer and drop in the kernel so I could send them out lets say 10 minutes later) but from a C / C++ program perspective / level. I know it can be done via iptables but isn't there a way to do it from a program ?? I have found a library called ipq but apparently doesn't work with kernel 2.6.x anymore.
