I'd like to set up an iptables configuration as follows:- Allow all traffic by default- For one user account (anonymous), block all traffic except:- All traffic on lo- All DNS requests, which should be redirected to 127.0.0.1Here's what I tried:
# Redirect
iptables -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53
[code]....
Is it possible to only view certain chains and more specifically certain chain policies with options when doing:
iptables -L
I would like for example view FORWARD ACCEPT rules instead of waiting for all of the drop rules to load when viewing a firewalled iptables.
On my diskless cluster, I want to open a port on the image that nodes use it.Here is what I get:
Code:
root@server:~# chroot /home/nfsroot/
root@server:/# iptables -A INPUT -p tcp -d 0/0 -s 0/0 --dport 4949 -j ACCEPT
[code]...
i wanted to do bandwidth management/traffic shaping on my Internet link(have two internet connections), but i have some questions to ask: I want to know how could i for example filter some traffics using tc and iptables (e.g Peer-to-Peer,IM,Download Managers,Flash videos..) i can do filtering for known services like http,ssh,... but since these applications doesn't use one port, i am confused a little bit. I also want to do some bandwidth allocations (based on protocol) thats why i need filtering.
The other question is that currently i am using tc for bandwidth allocation and iptables for marking packets to send to these classes, am i doing it right? I mean it does work, but is it better to use for example "U32" filters for filtering? P.S: i tried to use ClearOS in gateway mode, but it doesn't have bandwidth allocation functionality. Does anyone know if i could do bandwidth allocation in ClearOS/Endian.
I have a virtual environment, RHEL6 minimal install. On that, I am trying to run Liferay6 on Tomcat6 for the purpose of writing prototype business portals. I used the Liferay+Tomcat bundle downloaded from the Liferay website.
For security reasons, the server can only be accessed through port 80, and Tomcat listens on 8080. (I know I can run it so that it listens on another port, but I'd like it on 8080)
Goal:
Use iptables to forward traffic destined for 80 to port 8080.
What I Did:
Configure nat to forward tcp packets from 80 to 8080:
Code:
List the nat iptable:
Code:
wget to 80 doesn't work:
Code:
What I Already Checked:
Tomcat did start normally. Logs show no errors, and specify that Coyote HTTP/1.1 is initialized on http-8080. I can provide this log if need be.
Tomcat is listening on port 8080:
Code:
Code:
I get the same negative result on the VM on the server as I get on a RHEL6 VM on my laptop.
The iptables method that I described above does in fact work with Liferay6 on Tomcat6 on Ubuntu 10.10.
I have looked at this thread. I appear to have tried everything that was mentioned there.
Actual Question: I would like to know how to effectively forward 80 to 8080 on RHEL6, so that I can access Liferay on Tomcat (listening on 8080) at 80.
I'm trying to redirect the requests from port 80 to ports 8080 and 8081 through iptables because I've got two services which need accept requests from the same port(80):
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080-8081
The problem is that the second port (8081) never gets a request, just the first one.
how to redirect network traffic to a new IP address using IPtables. I am using Baffalo router and the rtos used is DD-WRT. Basically, I want it so that any connection going through my router to a specific IP (say, 192.168.11.5) will be redirected to another IP (say, 192.168.11.7) so any outgoing connections made by a program that is attempting to connect to192.168.11.5 will instead connect to 192.168.11.7.
View 2 Replies View RelatedI have a very simple set up.With Network Manager I can have my laptop act as a router (sharing all connections).I also have apt-cacher-ng as a debian package cacher.I would like to set up iptables to filter only the urls that are meant for a debian package cacher.
For example:I could use a "forward all" rule:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3142
Except then I would get a bunch of error pages every time I tried to do normal navigating.My question (again) is: Can iptables handle forwarding only on a specific url? If so how?Or is there another solution? (prferably without full fledged software like squid)
Does anyone know the iptables statement that will block inbound SMTP messages that are NOT S/MIME encrypted?
View 1 Replies View RelatedI'm deploying new ubuntu server which should act as a router. I've already set up the NAT for local network, and also did some shaping for different groups of users, but now I'm facing new problem.I need to make a scheduled URL filter. I know it's not a problem with cron and simple script, but maybe there is existing way to do that? And also, I need to make statistics on web-traffic. I need to have list of URLs visited by users (source ip, destination url). Is it possible with iptables? or with any other software but without using proxy servers.
View 9 Replies View RelatedWe host a web server in which we are hoping to implement some form of traffic redirection based on source IP address, and I am wondering whether the squid proxy built on iptables would be capable of managing this task? Essentially we are trying to redirect traffic from specific set of source IP ranges to a "Your IP has been restricted" type of page at a different IP/FQDN.
View 2 Replies View RelatedI'm currently using a homemade Python script to parse script kiddie IP addresses from logfiles.To this point, I've simply been DROPping any requests from these IPs using iptables.I thought it might be fun to redirect their traffic back to them, but as I am not an expert at iptables, I was wondering if I should use FORWARD or PREROUTING.
View 7 Replies View RelatedI have an old FC2 box running Squid version 2.5. It has been running since 2003 so I am in the process of replacing it. I have a new machine with FC11, iptables, and Squid 3.0 installed.
On the old machine I use iptables to intercept Port 80 traffic and send it to Squid. By default I block all internet access and allow only sites that are in an Allowed_Sites.txt file. Within Squid I also have statements to allow certain users to bypass Squid based on their IP address.
I have set up the same thing on the new box. I have iptables intercepting the Port 80 traffic and sending it to Squid. That is working because if I remove the redirect statement from iptables all internet access is blocked.
The problem I am having is that Squid is not blocking any websites. It acts like the ACL is set to http_access allow all. I have worked on this for several hours and am stumped.
These are my Squid rules:
acl allowed_sites url_regex "/etc/squid/Allowed_Sites.txt"
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow Bypass_Users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.1.0/24
http_access allow allowed_sites
http_access allow our_networks
http_access deny all
icp_access deny all
htcp_access deny all
http_port 192.168.1.254:3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname FC11.proxybox
icp_port 3130
coredump_dir /var/spool/squid
Can you show me how to block a domain from local access through URL Filter?ay be an example is a very good start.
View 10 Replies View Relatedntop installed on CentOS5 system running as squid using yum. Starting ntop on command line and not as daemon and gives error for illegal filter.
Code:
Fri Aug 20 14:10:12 2010 NOTE: Interface merge enabled by default
Fri Aug 20 14:10:12 2010 Initializing gdbm databases
[code]....
I have a problem here for which I am unable to find any relevant info on google. I have an openfiler server and another server which is running OEL(redhat5). When i give the following command iscsiadm -m discovery -t sendtargets -p 192.168.2.13it only gives me one line output which is:192.168.2.13:3260,1 iqn.2006-01.com.openfiler:tsn.03821172572cNone of the mapped LUNS gets identified neither it shows me any message that it is connecting. I have setup CHAP in openfiler to accept an incoming user plus gave access to my OEL server.Any feedback is helpful. If you need the contents of /etc/iscsi/iscsid.conf file let me know
View 1 Replies View RelatedI have a need to make a rather odd filter in tcpdump- I would like to capture only all those packages on interface eth0, that are outgoing(in other words from IP 192.168.1.1, which is IP for eth0 in this computer) and doesn't have src MAC address 11:22:33:44:55:66. However, fallowing command says, that syntax is wrong:
Code:
tcpdump -n -p -i eth0 src host 192.168.1.1 ether src not 11:22:33:44:55:66
Is this possible? If yes, then what is the correct command?
I am new comer in this forum and the beginner on freeBsdI have a problem on how to implement the spam filter program on mail server, the problem is i have no idea on how to implement and test the spam filter program on the mail server and where should i put the program? is it in pop3?
View 3 Replies View RelatedI use Centos 5.4, squid 2.6 stable21
I want to redirect only one url to another in a simpliest way.
I am trying to grep multiple numbers from file, grep does have the -f option for that.
Code: grep -f <`seq 500 520` /etc/passwd I know this could be done with
Code: for i in `seq 500 520`; do grep "$i" /etc/passwd; done But my question is fare more behind this example. It is possible to redirect one command output which will be treat as a content of file for another command ?
I am new to fedora and I've installed fedora 14, I want to know what are the steps to make my machine act as a transparent (IP-less) bridge? Second, after setting the bridge, I want to make all the packets that passes through the bridge execute a servlet filter (to make some tests and add cookies) is it possible? Is there a simpler way to do those tests on the packets and add cookies?
View 4 Replies View RelatedI'm using ubuntu server 10.04 with openvpn installed on it. My vpn is working fine, all the users can connect without any issue.My problem is that I'm unable to filter the VPN traffic using openvpn. I can't allow all users to be able to interact with other vpn users. I need to avoid this kind of traffic.I was trying to build an iptables firewall, but I just noticed that my openvpn traffic isn't being filtered by iptables.In FORWARD chain, no matter what rule I use openvpn would continue to allow traffic between my clients. It does appear that openvpn is skipping FORWARD chain?For example:
Code:
# iptables -L FORWARD -nv
Chain FORWARD (policy DROP 0 packets, 0 bytes)
[code]....
last friday my schools isp enabled iwsva - interscan web security virtual appliance from trendmicro. all traffic is now filtered, and slowed down. videos and other videostreams are now useless. after this we have had serious problems using our netbooks with ubuntu, and upgrading workstations with ubuntu has become very problematic, or almost impossible. i have to run the update process 6-8 times before all packages are updated.
what can i do to document the problem in a good way. the isp tells me that there are no problems, and that it has to be a linux problem. (ever heard that one before?) the ltsp-clients on my debian servers does not have the same problems, maybe because they are using the proxy on this server?
I've been trying for a couple days now to get netem rate limiting to work on a Fedora 12 i686 virtual machine (both on VMware Fusion and KVM), and have had no success.In order to do outbound rate limiting, I want to use the netem token bucket filter (TBF), as described here:[URL]Unfortunately, attempting to use the TBF results in this error:
Code:
[root@f12-build ~]# tc qdisc add dev eth1 parent 1:1 handle 10: tbf rate 256kbit buffer 1600 limit 3000
[code]...
where to look for setting up my web server A so that if I have to bring it down for maintenance, all web traffic will go to my backup server B. I thought about changing DNS entry but that will take time to update.
View 2 Replies View RelatedI work for a auto dealership, and they have a proxy server that is provided by toyota that does nothing other than route traffic some specific sites they use in the dealership. We are looking to put a local proxy server in place to filter web traffic of virus/inappropriate content. What I am looking to do is set everyone's proxy settings to point to our server but when someone puts in the toyota sites it will redirect them to toyota's proxy server and out. I am not sure if this is possible or not.
View 2 Replies View RelatedI have "Server A" with real internet ip 1.2.3.4 (eth0) and lan ip 192.168.1.1 (eth1) There's also "Server B" with lan ip 192.168.1.2 (eth0), I'm running an Apache Web server on "Server B", so I want to redirect all traffic from IP 1.2.3.4 port 80 (Server A) to 192.168.1.2 port 80 (Server B), using the following rule:
[Code]....
iptables -t nat -A PREROUTING -p tcp -d 1.2.3.4 --dport 80 -j DNAT --to 192.168.1.2:80 This actually works pretty good, from internet I can browse ttp://1.2.3.4 But the problem is that if I check the Apache logs, all incoming connections seems to come from 192.168.1.1 instead of showing the real source ip addresses (internet ip's) so this is screwing up all my web stats, I've been looking for hours and hours on how to make a transparent redirect, but can't find any info, I know there must be a way because my old WRT54G router which uses iptables could do it.
I have a bit of a strange scenario. I have a machine with a fixed IP (192.168.0.108), running Linux. It has an external IP 99.99.99.8 via a 1:1 NAT on a Cisco ASA/router. Port 3389 (MS RDP) is open for 99.99.99.8. I want my Linux machine to listen on port 3389 and redirect all traffic to that port to a Windows machine (192.168.0.100). In this way, my Linux box is able to respond to requests on all ports, but port 99.99.99.8:3389 connects to Remote desktop on the Windows PC. I do not have access to the Cisco NAT config. I was able to get this setup to work by using an SSH tunnel.
I ran this command on the linux box:
ssh -L 3389:192.168.0.100:3389 ergosteur@192.168.0.108
Any ideas? Perhaps using iptables or something?
I have recently just got another internet connection at home via cable as well as my exisiting DSL connection. I was wanting all my web browsing that I did via squid to be redirected down the cable connection. The box has a single nic at the moment and the default route sends it via the dsl connection for the mail server that is also running on the box.I was hoping that anything that hit squid would go down the cable connection that is plugged into a router and thus I can route to 172.16.2.251 and everything will go out via cable.
I was reading about iproute2 and marking the packets and is wondering whether this is the way to go?
Filter access server through the net only to authenticated users from domain controller (Win2k). Server (Centos)(Firewall with 2 nic), which makes access to the net, with only 196MB RAM (PIII500Mhz), so I do not want a solution based on proxy or what resources it uses large I want a solution with a script that runs at login on windows this check series HDD and to communicate with Linux server that's open accessor another simple solutionNow just use only MAC filtering on
View 1 Replies View Related