Networking :: Iptables Outgoing Adress Using An Aliased Interface?
Dec 15, 2010
it�s been several years since i played with iptables. I have setup like this:eth0 is the only physical device on box and eth0:0 is aliased. Traffic going out of the box to internet uses eth0eth0 116.55.58.1eth0:0 116.55.58.2I have a service listening on port 80 on 116.55.58.2Lets say my client connect to 116.55.58.2:80 through 116.55.58.1 , how do I force (mangle you name it) with iptables that the outgoing source address will be always 116.55.58.2?
My Ubuntu Box has 3 interfaces. eth0 (Internal 192.168.1.0/24)eth1 (External ISP DHCP)eth2 (External ISP Static IP)I need the outgoing traffic to internet for 1 of the internal pc (192.168.1.10) to only go only go through eth2
I have three machines on three networks192.x.x.x10.x.x.x172.x.x.xThe routers are set to forward communication between 192. network and 10. network, and between the 10. network and the 172. network.However, there's not routing between 192. and 172.I want to fix that by using a machine on the 10. network to forward communication between the other two networks.The machine has one etherent connection eth0 whose address is 10.1.1.11I set up an aliased ip address eth0:0 to be 10.1.1.12 using Quote:ifconfig eth0:0 10.1.1.12Then I tried to set forwarding rules the 10. machine such that 10.1.1.12 address will provide access to the machine 172.1.1.55 as followsQuote:# iptables -t nat -A PREROUTING -d 10.1.1.12 -j DNAT --to-destination 172.1.1.55The default policies for all chains is ACCEPT.I then try to access 10.1.1.12 from 192.1.1.20 expecting it to actually access 172.1.1.55 ; it does not work
Unsure about IP tables lingo, so excuse me for not looking this up:I have a server, running IP tables, that I do not want to allow any type of outgoing traffic to 192.168.1.21
I've been trying to redirect all outgoing packets (destined for a specified ip address) from my slack box back to itself. I thought this could be done with iptables, but if I fire up wireshark I can clearly see that the packets are getting out to the real server and I'm getting responses from it.
So here's what I tried:
All looks good and fine, and then I even try to visit 194.28.157.42 with firefox (by the way I am running a webserver, that is set to show a page when you visit 127.0.0.1) and I get an error page that reads: 502 Bad Gateway.
I ignored this message to see what the program I'm trying to interrupt does, and when I start wireshark and then start the program that is using that website, I can clearly see that the packets make it to the real 194.28.157.42 and get back responses.
I've got a box with 2 interfaces, with IP1 = 192.168.100.1 and IP2 = 10.1.1.1 respectively on them. I've got an iptables rule that looks like: Code: iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -d 10.0.0.0/8 -p udp -j SNAT --to-source 10.1.1.1 --random
If I get 2 consecutive packets from the same address and port from 192.168.100.0/24, they get SNAT-ed and come out of the same port on 10.1.1.1. If then I get another packet from the same address and port 10 minutes later, then it gets SNAT-ed, but comes out of a different port on 10.1.1.1. My question is: how can I set the time delay I would like iptables to remember its incoming address/port to outgoing port mappings?
When I create virtual ethernet interface and do a ping -I <v_int> <host> the outgoing address is the one of the physical interface and NOT the virtual interface.Is there no chance that trafic will go out with virtual interface address??Incoming trafic is done well i.e. responds to the virtual interface have the virtual address.
My problem is that I have 2 modems and want to check both default gw behind the modems. If I do a "normal" ping both are reachable over default route even the modem which is not the default route will not work because ping goes over the working modem.So I have 2 routing tables and want to route the virtual interface to one modem the other to the other modem
I am establishing a VPN connection with a Cisco VPN server, but only want outgoing connections to a certain set of IP addresses to actually go through the VPN. I tried something like this:
Code: sudo iptables -A OUTPUT -t mangle -p tcp -d 111.222.0.0/16 -j ROUTE --oif tun0 but keep getting
The following is my setup. wireless server (ip of this server is 192.168.1.1) -- target board ( wireless client [ip of this is got for wireless server is 192.168.1.3 ] , bridge (192.168.36.1) )-- linux pc ( 192.168.36.3) as show above i have target board for that i have a wireless interface and a linux pc is connected to target board.now the ips are like this for linux pc 192.168.36.3 and my target board bridge ip s 192.168.36.1
my wireless interface got ip from another server like 192.168.1.3 ,now if i do ping on my target board for 192.168.1.1 it goes through wireless interface to the 192.168.1.1 wireless server.but when i do the same from target board connected linux pc its not pinging from linux pc i could able to ping to 192.168.1.3 but not 192.168.1.1 .I think i need to write a iptable rule properly on my target board to forward the 192.168.1.* packtes to wireless interface.
I want to block all outgoing traffic with iptables and only allow a few specific websites. I would like to get the code to do so and also to revert the changes in case I want to unblock them.
I want to block all the outgoing ssh form my machine, i.e my machine will not be able to ssh to any outside machine using iptables. The distro is RHEL, I added the following entry in the iptables but unfortunately it didnt worked, -A OUTPUT -p tcp -m tcp --dport 22 -j DROP
I am trying to do something outlandish with iptables (or so I think!).I have a source sending udp packets to a destination (say dst11). Using port mirroring I am able to get all these packets to a different machine (say dst22). I am able to see these packets on dst22 interface using tcpdump.I want to analyze the packets on dst22. So what I do is put dst22 interface in promiscuous mode (using ifconfig eth0 promisc). This in theory should get the packet through the MAC layer. Now using iptables I am trying to DNAT the packets in nat prerouting to change the packets destination IP to dst22's interface and change the destination port.
Rather new to Ubuntu. I was wondering for advice on a basic iptables configuration blocking all incoming/forward and just allowing outgoing to http(s) and dns of course.
When I do...# iptables -L...I see rules in my INPUT and OUTPUT chains that look scary:ACCEPT all -- anywhere anywhere...but these rules only apply to the loopback interface. I tested it and the server cannot be reached on open ports from the outside world. How can I make iptables show the interfaces that the rules apply to?Otherwise, every time I do iptables -L it will scare the crap out of me.
I need to know what the Iptables "code" is to change the outgoing/Incoming IP for port 53 (DNS). I'm running CentOS on a dedicated server. I very familiar with Putty and SSH. So I don't need much details, I just can't figure this out. I asked my server providor but they deleted my ticket and didn't answer me.I tried this but am not sure if this correct of working?
RHEL 5.5 won't accept specifying an aliased interface (e.g. eth1:0) when I add a new host route to the routing table of a machine with multiple Ethernet interfaces. I have read that this works with Ubuntu, but RHEL gives problems. It only understands the interface card (e.g. either eth0 or eth1, but does not understand the aliased virtual interfaces within say eth0 or eth1).
As such, when I try to reach a host in the same subnet with the aliased interface and after adding that route to the routing table, Redhat won't reach that host.
Okey I have a good start i know there is something I'm missing. After Following this great help tutorial.[URL]..And kinda guestimating and messing around with my Linksys creating a new router assigning a static ip "Lan and wireless" address. configuration for the router looks like this.
[Code]...
I think I might be messing up the interface config file at the "NETWORK" section but i don't know.
I'm not able to set up eth0 with a static ip adress.service network restart and it was okkay but when I try to turn off and turn on, the ip adress is set up with dhcp.
just installed ubuntu in 1 of my boxes is an old compaq presario v2000. Is running dual boot with XP, the problem is i dont have internet connection(wireless and wired) with Ubuntu but i do with XP. I read like hundreds of posts from diferent forums and i wrote all crazy commands in terminal but aint working. I tried directly trough the modem (motorolla 2210)and with the router(netgear wgr614) via wired and wireless and aint working either. For some reason ubuntu doesnt request an ip adress from the router or the router dont asign an ip adress to my linux box.
I run a local apache server, that has some virtual hosts running. Now I want to be able to locally connect to these virtual hosts, but when I try this, it puts www and .com behind the url and says it can't find it. On Windows I know the equivalent, editing the hosts file. Is there something similar in linux?
I have a server with 14 IP's on eth0. I'm using virtual interfaces to handle the IP's, but the iptables don't seem to work on the virtual interface. It blocks ports that I want open. I'm not that great with iptables, I use what I have because it works for me, but as far as tweaking it, I'm pretty lost.
My iptables: # Simple Firewall configuration # # Set default policies -------- *filter :INPUT ACCEPT [0:0] :FORWARD DROP [0:0] :OUTPUT ACCEPT [0:0] # # Internal Networks ----------- #-A INPUT -s <private.class.C>/24 -d <private.class.C>/24 -i eth1 -j ACCEPT # # Loopback -------------------- -A INPUT -s 0/0 -d 0/0 -i lo -j ACCEPT # # Accept established connections -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # # Services -------------------- # # For SSH gateway -A INPUT -p tcp -s 0/0 -d 0/0 --dport 22 -m state --state NEW -j ACCEPT # # For SMTP gateway -A INPUT -p tcp -s 0/0 -d 0/0 --dport 25 -m state --state NEW -j ACCEPT # # For FTP server -A INPUT -p tcp -s 0/0 -d 0/0 --dport 20 -m state --state NEW -j ACCEPT -A INPUT -p tcp -s 0/0 -d 0/0 --dport 21 -m state --state NEW -j ACCEPT -A INPUT -p udp -s 0/0 -d 0/0 --dport 53 -m state --state NEW -j ACCEPT # # HTTP services -A INPUT -p tcp -s 0/0 -d 0/0 --dport 80 -m state --state NEW -j ACCEPT # # HTTPS services -A INPUT -p tcp -s 0/0 -d 0/0 --dport 443 -m state --state NEW -j ACCEPT # # POP-3 services #-A INPUT -p tcp -s 0/0 -d 0/0 --dport 110 -m state --state NEW -j ACCEPT # # IMAP services -A INPUT -p tcp -s 0/0 -d 0/0 --dport 143 -m state --state NEW -j ACCEPT # #PLESK #-A INPUT -p tcp -s 0/0 -d 0/0 --dport 8443 -m state --state NEW -j ACCEPT # #Games -A INPUT -p tcp -s 0/0 -d 0/0 --dport 28960 -m state --state NEW -j ACCEPT -A INPUT -p udp -s 0/0 -d 0/0 --dport 28960 -m state --state NEW -j ACCEPT -A INPUT -p tcp -s 0/0 -d 0/0 --dport 27666 -m state --state NEW -j ACCEPT -A INPUT -p udp -s 0/0 -d 0/0 --dport 27666 -m state --state NEW -j ACCEPT -A INPUT -p tcp -s 0/0 -d 0/0 --dport 28961 -m state --state NEW -j ACCEPT -A INPUT -p udp -s 0/0 -d 0/0 --dport 28961 -m state --state NEW -j ACCEPT -A INPUT -p tcp -s 0/0 -d 0/0 --dport 28962 -m state --state NEW -j ACCEPT -A INPUT -p udp -s 0/0 -d 0/0 --dport 28962 -m state --state NEW -j ACCEPT -A INPUT -p udp -s 0/0 -d 0/0 --dport 27015 -m state --state NEW -j ACCEPT -A INPUT -p tcp -s 0/0 -d 0/0 --dport 27015 -m state --state NEW -j ACCEPT -A INPUT -p udp -s 0/0 -d 0/0 --dport 27016 -m state --state NEW -j ACCEPT -A INPUT -p tcp -s 0/0 -d 0/0 --dport 27016 -m state --state NEW -j ACCEPT -A INPUT -p udp -s 0/0 -d 0/0 --dport 27017 -m state --state NEW -j ACCEPT -A INPUT -p tcp -s 0/0 -d 0/0 --dport 27017 -m state --state NEW -j ACCEPT -A INPUT -p tcp -s 0/0 -d 0/0 --dport 27020 -m state --state NEW -j ACCEPT -A INPUT -p udp -s 0/0 -d 0/0 --dport 27020 -m state --state NEW -j ACCEPT
# Disallow fragmented packets -A INPUT -f -j DROP # # Log & Block broadcast packets -A INPUT -d 255.255.255.255/0.0.0.255 -j LOG -A INPUT -d 255.255.255.255/0.0.0.255 -j DROP # Log & Block multicast packets -A INPUT -d 224.0.0.1 -j LOG -A INPUT -d 224.0.0.1 -j DROP # # Log and drop all other incoming packets -A INPUT -j LOG -A INPUT -j DROP # COMMIT
I just had an ATT Uverse RG installed. However my Smoothwall router that previously worked fine with the ADSL SpeedStream is no longer accepting an address assignment DHCP ip address from this new gateway. (3800HGV-B)Any thoughts ideas or experience working with this hardware? ATT only supports Windows and Mac
it is probably very basic but I'm new to linux and the shell "dev" is defined to take me to the newest version (some kind of an alias?), in this case to the directory v0.9 in fact if I go one directory up to /design/ libs/at77000 and I do "ll" I can see: dev -> v0.9/.I am using ocean scripts and for documentation it is important for me to print/show which version is been used in the simulation.how to show the current version directory "v0.9" instead of "dev", i.e. I need to print this:Version Used: /design/libs/at77000/ v0.9/ the version is changing from time to time and that's why the path is defined as "/design/libs/at77000/dev/"
I am testing my setup which will have 2 public servers. HTTP & MAIL both with reverse DNS established.
www.mydomain.no -> xxx.xxx.xxx.034 -> internal name server mail.mydomain.no -> xxx.xxx.xxx.035 -> internal name mail Both addresses are on the same NIC with 34 being the main address.
The system work fine except one thing. The IP address mail sends out from is the Firewall Address _FW. I can see why as the default gateway set on the mail server is the FW_IP (The main gateway ip)How can I get the MAIL server to send through it's own public IP.I understand I can change the Firewall public IP to that of the Mail server and that would cure the problem for now. If it's possible I would like to learn a little in the process.
