Networking :: Iptables Configuration On Debian Dmz Host?
Jul 6, 2010
I am trying to set up a DMZ host - that is, one multifunctional PC between the WAN and the LAN. I've started with a basic router, and expanding upon that as the need arises. I am currently trying to gain access (from the WAN) to a website hosted on one of the servers in the LAN, but I am having trouble accessing the host from the WAN; I think my iptables configuration may be too restrictive. On the DMZ host, I'm using Debian (Etch). I have setup dhcp3-server, a script to configure iptables and pound (reverse-proxy). The (virtual) machine has 4 network cards: eth0, eth1, eth2, eth3; eth0 is the WAN, eth1 through eth3 serve 3 different virtual LANs.
All machines in the LAN (except one windows 2008 server - I might want to address that problem later) get their IP adresses correctly via dhcp from the DMZ host. All machines on the LAN can access the internet (including the 2008 server if I configure it manually) as they should. If I access http://localhost on the DMZ host, pound reports "The service is not available. Please try again later." - as it should.
I can ping the DMZ host from the WAN on 10.0.0.79 However, if I try to access the DMZ host from the WAN (http://10.0.0.79) I get "Unable to connect" from firefox. I'm sure this is not a pound problem, so I think it's in the iptables, or maybe I should be installing some extra software that I'm unaware of.
[code]....
View 3 Replies
ADVERTISEMENT
Sep 20, 2010
I have a strange iptables issues. I have just built a new Debian install and starting adding some real basic rules (see below) the problem seems to be that the localhost itself can't get any returning traffic. That is, it seems to be allowed outgoing traffic but not the connected, returning traffic. Ordinarily allowing Established Connections would resolve this, see the rule below, but it hasn't. Why this doesn't work. Removing the last DROP in the INPUT chains obviously makes the traffic work!
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j ACCEPT -p tcp --dport 22
iptables -A INPUT -j ACCEPT -s x.x.x.x
iptables -A INPUT -j ACCEPT -s x.x.x.x
iptables -A INPUT -j ACCEPT -s x.x.x.x -p tcp --dport 80
iptables -A INPUT -j ACCEPT -s x.x.x.x -p tcp --dport 8080
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -j DROP
View 3 Replies
View Related
Jun 6, 2011
Debian Testing host, Winduhs XP guest. Winduhs is not allowed to directly access The Internets, and I am not setting up bridging as that makes it possible for the guest to mount layer 2 attacks on the LAN. I need for the guest to tunnel through the host without being able to see anything on the host, so it can then get access to The Internets, while being protected by iptables (Shorewall).
Used to be with VMware I had host-only set and the guest in a different class c (192.168.2.1) from the host (192.168.1.1) I turned on ipforwarding, set Shorewall rules, and it all worked. Now I have everything set with VirtualBox, and it does not work. Guest can ping its interface but not host. Host can ping vboxnet0. Host is supposed to masquerade guest's 192.168.2.1 through to the default out at 192.168.1.1, but it's not. I think a clue is in routing, but I don't know what's wrong.
[code]....
View 2 Replies
View Related
Feb 16, 2011
I like to set in iptables to allow access from one host to my server on any ports.
Currently the iptables have been configured to deny all and to allow access only to those I've specified.
Can anyone advice on the command to achieve this?
View 1 Replies
View Related
Nov 15, 2010
Lets say i have two machines on public ips. If i get incoming traffic on machine #1 on port 55242 i would just like to forward it to machine #2 on port 35000.I would just like to use machine #1 same way as a dns server works. It just redirects the traffic and tells the client where to go.
View 6 Replies
View Related
Nov 18, 2010
I am having no luck configuring ProFTPd on a Debian Lenny production server we use to host our MySQL databases and a few websites. I had originally set it up so I could login and manage our internal sites, but I have the need to allow a few clients in to access their sites that we host. I am trying to root the users in their site directory, which would be "/sites/www.whatever.com/".
It just hit me while typing this. Is it possible to create a user without a shell to prevent login via SSH and set the home folder to /sites/whatever instead of /home/username? That would allow me to continue operating with my current configuration and root them in their site while preventing SSH logins.
View 6 Replies
View Related
Feb 15, 2011
I like to set in iptables to allow access from one host to my server on any ports.Currently the iptables have been configured to deny all and to allow access only to those I've specified.
View 2 Replies
View Related
Nov 3, 2010
I recently installed a new Ubuntu PC that runs iptables and PSAD. I had the same script on another Ubuntu PC, but when I copied the script onto the new PC, I got this error. I don't remember where I found the tutorial for this, all I know is that this is the script (Edited for my usage):
Code:
#!/bin/bash
# Script to check important ports on remote webserver
# Copyright (c) 2009 blogama.org
# This script is licensed under GNU GPL version 2.0 or above
[code]....
Safe.txt contains:
Code:
127.0.0.1
192.168.1.8
192.168.1.1
98.200.58.73
192.168.0.1
And the error message generated is:
Code:
root@NETWORK-SERVER:/var/ddosprotect# ./ipblock.sh
' not found.4.4: host/network `127.0.0.1
Try `iptables -h' or 'iptables --help' for more information.
' not found.4.4: host/network `192.168.1.8
[code]....
View 3 Replies
View Related
Nov 21, 2010
My Ubuntu Box has 3 interfaces. eth0 (Internal 192.168.1.0/24)eth1 (External ISP DHCP)eth2 (External ISP Static IP)I need the outgoing traffic to internet for 1 of the internal pc (192.168.1.10) to only go only go through eth2
View 4 Replies
View Related
Apr 28, 2011
I am configuring the iptables in the debain squeeze and then running the: iptables-save
View 4 Replies
View Related
Jul 11, 2011
I follow this instructions but after iptables-restore < /etc/iptables.test.rules I see this error # iptables-restore < /etc/iptables.test.rules Bad argument `#' Error occurred at line: 3 Try `iptables-restore -h' or 'iptables-restore --help' for more information. The line 3 is the same as the link - # Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
View 3 Replies
View Related
Nov 10, 2010
I've been trying to forward some ports using iptables for some time now, but still haven't figured out how to get it to work..What i'm trying to accomplish is to forward all traffic from port 80 to port 8080, and all traffic from port 443 to port 8443, this because i would like to run tomcat as a non-root user, and the original ports can only be used as root.. I've currently setup my iptables like this:
# Generated by iptables-save v1.4.2 on Wed Nov 10 16:44:45 2010
*nat
:PREROUTING ACCEPT [39350:6120333]
[code].....
View 2 Replies
View Related
Jul 8, 2011
For some reason my FTP packets are blocked by iptables even though I thought I allowed them through
My syslog errors are along this line:
And my iptables ruleset:
View 4 Replies
View Related
Jul 27, 2010
i have a question regarding iptables.i have a server running ubuntu server 10.04 with 2 nic's, i want to use it to filter the internet trafic of the people in my network ussing dansguardian and squid. they both work fine.the only problem is how to get iptables to deal with this the right way.
eth0 = LAN
eth1 = internet
View 1 Replies
View Related
Sep 19, 2015
I try to create some rules to detect an outgoing traffic from my debian jessie that is not from my IP or loop.
#!/bin/bash
/sbin/iptables -N C_OUT_N_LOCAL
/sbin/iptables -N C_OUT_N_LOCAL_LO
/sbin/iptables -A C_OUT_N_LOCAL -m limit --limit 2/min -j LOG --log-prefix "PK: output not local : " --log-level 4
LO_IP="127.0.0.1"
MY_IP="192.168.0.4"
/sbin/iptables -I OUTPUT -p ALL ! -s $LO_IP -j C_OUT_N_LOCAL_LO
/sbin/iptables -A C_OUT_N_LOCAL_LO -p ALL ! -s $MY_IP -j C_OUT_N_LOCAL
View 0 Replies
View Related
Dec 30, 2010
I'm having some trouble with the configuration of the iptables. I want to setup a network server to serve as Fail Over (for my 2 ISPs), DHCP and DNS. I have 3 network cards, 2 connected to ISP's routers and 1 that serves as UPLINK for my switch.
I want to add some Iptables rules so I can achieve what I want to do. The problem is that the rules I try to use, they have to effect.... they don't load, here are the rules I am trying to add:
#iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
#iptables --table nat --append POSTROUTING --out-interface eth2 -j MASQUERADE
#iptables --table nat --append POSTROUTING --out-interface eth2 -j SNAT --to EXTIP
When I try to check to see if it loads, with the command:
#iptables -L
It returns empty
View 2 Replies
View Related
Jun 5, 2011
eth0 is configured through a dhcp server connected directly to it. [URL]...the answer of the server is a UDP to 255.255.255.255. Please tell me how can it pass through this iptables configuration, because it does.
Code:
iptables -nvL INPUT
(policy DROP)
3281 201K ACCEPT all -- eth1 * 192.168.69.0/24 0.0.0.0/0
0 0 ACCEPT all -- lo * 127.0.0.1 0.0.0.0/0
0 0 ACCEPT all -- lo * 192.168.69.1 0.0.0.0/0
0 0 ACCEPT all -- lo * 93.114.xx.xx 0.0.0.0/0
[Code]...
View 9 Replies
View Related
Feb 7, 2016
I managed to set up an openvpn server, ip-forwarding and a nat iptable rule for that.
Almost everything works as expected, but my problem is:
Smartphone -> VPN -> Internet ==> works (by ip and hostname)
Smartphone -> VPN -> machine in my local network by IP ==> works
Smartphone -> VPN -> machine in my local network by its hostname => DOES NOT WORK
Machine w/ VPN server -> ping to machine in local network by ip or hostname => works
So, i wonder why i cant access a local machine through the vpn by its hostname. I guess I'm missing a forwarding rule??
iptables dump:
# Generated by iptables-save v1.4.21 on Sun Feb 7 20:56:52 2016
*nat
:PREROUTING ACCEPT [786:59064]
:INPUT ACCEPT [728:53047]
:OUTPUT ACCEPT [19:1487]
:POSTROUTING ACCEPT [20:1576]
-A POSTROUTING -s 10.8.0.0/24 -j MASQUERADE
COMMIT
# Completed on Sun Feb 7 20:56:52 2016
View 0 Replies
View Related
Apr 4, 2010
a good IPTABLES protocol to reject all incoming ssh trafiic except for a single IP or IP range?
View 4 Replies
View Related
May 3, 2010
I'm intending to replace my current router (486DX2 w/16MB running FREESCO which has been faithfully working 24/7 for well over a decade) with a debian box with a bit more grunt and newer features. I'm currently setting up my iptables ruleset and am after a bit of advice re the FORWARD policy. A few example rulesets I have found set the default policy to DROP and the have two lines for each port forward, one to allow the traffic and one to direct the incoming packets to the correct machine.
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to-destination 10.0.100.10:25
iptables -A FORWARD -i eth1 -p tcp --dport 25 -o eth0 -d 10.0.100.10 -m conntrack --ctstate NEW -j ACCEPT
I'm thinking of setting the default policy to ACCEPT to cut down on typing as my default INPUT policy is DROP and unless there is a valid FORWARD rule for a particular port, the packets aren't going anywhere anyway. Or have I misunderstood something. My googling returned heaps of example scripts & not much intelligent commentary. Alternatively, what do you all use to configure & maintain your debian gateways; hand rolled iptables rules, or any toolset recommendations?
View 4 Replies
View Related
May 9, 2010
After resetting a pc running lenny I get iptables errors at boot ("resource temporarily unavailable", "bad rule" etc). "setting up firewall" (Guarddog) is not followed by any errors and the firewall apparently operates ok.How can I restore my iptables to the default installation values?
View 2 Replies
View Related
Apr 14, 2016
my system keeps on telling me about an error:
Code: Select allsudo journalctl -p 0..3
Apr 14 10:36:11 debian ntpd_intres[682]: host name not found: ptbtime1.ptb.de
Apr 14 10:36:11 debian ntpd_intres[682]: host name not found: ptbtime2.ptb.de
Apr 14 10:36:11 debian ntpd_intres[682]: host name not found: ptbtime3.ptb.de
A quick check
Code: Select allsystemctl status ntp.service
ntp.service - LSB: Start NTP daemon
Loaded: loaded (/etc/init.d/ntp)
[code]...
3 packets transmitted, 0 received, 100% packet loss, time 1999ms.Same result when using the standard Debian ntp time servers like "server 0.debian.pool.ntp.org iburst" in /etc/ntp.conf.
View 13 Replies
View Related
Dec 21, 2010
I have setup a few machines within my house. The Debian Squeeze machines do not provide a host name in the DHCP client list on my router. Strangely, my Ubuntu, Android, and Blackberry machines do show host names. I have noticed the same behavior when wirelessly tethering my Debian laptop to my Android phone (which also uses DHCP). Is there something I need to enable to have the name show up on the router?
View 14 Replies
View Related
Aug 15, 2011
I am experimenting with installing a bare minimum, network capable installation of Debian Squeeze. Right now, I am having trouble getting proper host name resolution. I have provided the output of ping (which is able to resolve names), wget (which is unable to resolve names), and the contents of the files I believe to be relevant to the problem. When I installed Debian, I installed *only* the SSH Server from the list of available configurations. Since then, I have installed mdns4, dnsmasq, mdns-scan, and libnss-mdns to get name resolution to work with no success so far. All packages were installed with no recommends -- aptitude -R package name. What am I missing to get host name resolution working?
[Code]...
View 12 Replies
View Related
Dec 1, 2015
I'm trying to use these cookie cutter rules that I found. But every time I use them, after a few seconds my wifi connection goes dead. The exception was the first time I used then. Which lasted me a couple of minutes.
By dead I mean I can no longer open a webpage or ping google.
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
iptables -A LOGGING -j DROP
View 9 Replies
View Related
Aug 2, 2015
Having an issue with rsync
I launch the following
Code: Select allrsync -avz --remove-source-files --log-file=/home/pi/rsync.log --temp-dir
=/data/temp --partial --progress -e "ssh" 192.168.1.100://data/ext/downloads/File.ext /data/
Basically I download to main PC and rsync to my pi as the pi has a fraction of the speed for some reason when downloading form a source outside of my network.
The first few files will sync fine. Then I start getting errors like this
Code: Select allrsync: rename "/data/temp/.File.ext.y1716M" -> "File.ext": No such file or directory
(2)
The directory on the host has user and group ownership as pi. Rsync has been setup to login without a password.
View 0 Replies
View Related
Jun 11, 2010
Using Debian 5.0 Stable, with all current updates, if I type \192.168.0.249 I get samba access and can use all the shared files ok.if I go via the network the computer should be called \squ-eee-zeboxserver but instead comes up as \SQU-EEE-ZEBOXSERsqu-eee-zeboxserver which when clicked gives the attached error.
View 11 Replies
View Related
Oct 16, 2010
my server into the public internet and must have my webserver [2.2.9 (Debian)] act secure. But this does not look very easy [I am searching, reading and working on it already the whole day ]. I read the apache docs, but there is a lot of stuff, which is different in Debian [lenny, 5.0.6]. Apache ignores the host-header given by the browser: [URL] are all served, but should be blocked. I new new to apachy, but on my IIS this works as expected. All browsers act equal [so no browser header problem].I configured two VirtualHosts, an excerpt:
NameVirtualHost hugo:80
<VirtualHost hugo:80>
DocumentRoot /usr/share/doc
[code]....
The I go to my hosts file on any box, and add hugo's ip-address under the new name x. Then, x is served, although the host-header in apache Every user coming from the internet could make the same!
View 13 Replies
View Related
Mar 29, 2011
I've just installed Debian Squeeze from a live CD. When I open a web browser (be it iceweasel or epiphany) and try to go to google.com, it tells me it can't resolve the host name. [Edit: They do, however, allow me to go anywhere on debian.org, minus the search feature] I also get the same error when I try to go to my website running on a local server. However, when I type the server's IP address (192.168.0.10), it goes to the website fine. Basically, any program I run that needs to resolve a host name returns an error, with the exception of the host command:
I've tried changing my DNS server IP from 192.168.0.1 (my router, configured to provide DNS) to 192.168.1.254 (my internet modem, also configured to provide DNS). That didn't help any. Then I changed my DNS server IP to the same one used by the modem, and now everything works.
I've tried googling my way out of the issue, and I've found where someone had the same issue as I've got and fixed it by adding "blacklist ipv6" to their /etc/modprobe.d/blacklist.conf file, but that didn't work for me.
So, recap: Why does resolving domain names fail for certain applications (except the "host" program) when the DNS server IP is that of my router or modem (which works fine for all of my other computers), but suddenly works when I point the computer straight to my ISP's DNS servers, and how can I permanently fix the problem?
View 4 Replies
View Related
Mar 1, 2010
I'm using Debian 5 with Exim 4 on my VPS. My purpose is to make mailboxes for each virtual host on my server. What do I have: 1. Exim is set correctly - receiving mail from [URL]... is successfull. 2. Mail for [URL]... is delivered, and the mail for [URL]... too. But [URL]... is the site written to /etc/hosts (it's localhost), and [URL]... is virtual host. But mail from both boxes writes to /var/mail/mail. Now what do I need: 1. Make mail for [URL]... store in [URL].... and mail for [URL].. store in www/Maildir. 2. Make mailboxes like [URL].... to receive mail by Thunderbird. 3. Set passwords for [URL]... and [URL]... (I don't want to enter my system user/root passwords).
View 2 Replies
View Related
