I've got a few systems which forward ports to one another all over the place, and somewhere along the line a port forward fails. I want to trace the route of a connection on a specific port to see where the connection hits a wall, to see what system is causing the problem. I've tried `traceroute -T -p <port>` but it doesn't output anything about the ports it hits, stops when it hits the address I supplied even though it is forwarded elsewhere, and there doesn't seem to be a verbose mode. Interestingly, if I specify a different source port via the '-s' option, the trace keeps hopping to * * * * and never gets anywhere (at least to 27 hops, then I CTRL+C).
I have to route some packages over the right interface. I default route everything for the target-network over one network-interface. That works perfectly. But I have to route packages for one specific host and one specific port over another network-interface. I tried many things with the route-command, but I think there's no possibility to route only one port? Maybe I can do this with iptables? I only found ways to forward some packages which are coming in over one interface. But in my case all packages go out over one interface.
I got this definition: "a process that replaces a series of related, specific routes in a route table with a more generic route." Honestly, I found it not so clear. I want to know if this definition is correct, and also more details about this subject.
So everything coming from the IAX-provider on port 4569 is forwarded to the Asterisk-server's WAN-interface (eth1). This then needs to be routed to an internal SIP-phone (an IVR-system will define which one) via eth0. When a call is initiated from an internal SIP-phone (they register to the IP-address assigned to eth0) it needs to be routed via eth1 to the gateway (192.168.4.250). Asterisk will set up an IAX-channel on the WAN-interface (eth1) to the IAX-provider (via gateway). So... will this work:
route add -net ip_IAXprovider netmask 255.255.255.0 gw 192.168.4.250 dev eth1
route add -net 192.168.4.0 netmask 255.255.255.0 dev eth0
(no gateway needed for the LAN-interface; communications to the gateway need to go via the WAN-interface!)
I know this post isn't strictly Linux based, but since the system in question appears to be using Linux and I am as well, I decided to post this here. In doing other network playing with Ubuntu Server 10.10 I noticed that on all traceroutes I did to any IP, the second hop from my house jumped through a connection on IP 24.96.153.61, which I think should only be another dynamic-IP Knology.net customer...
In scanning the IP I now know that it's a Juniper Junos router 9.2R1.10 (probably running on some VMware, based on googling?). Open ports show: 22 ssh OpenSSH 4.4 v. 1.99, 23 telnet Openwall GNU/*/Linux telnetd
At first I thought this was just a legit Knology.net DNS server or something, but using such outdated versions and freeware... I feel suspiciously like this is something else. Also, why in the world would Knology allow remote access to their mainframe equipment? Seems that if it were ever breached it would be beyond terrible for the ISP...
Finally, why can't people not SSH into my box from the outside if I have MAC address filtering on? Anyone know anything about this or am I just being paranoid? I'm a noob, so knowing too little about all this is probably more the problem?
I have a linux router with 2 physical ISPs and a VPN tunnel that all my traffic passes through. I would like to setup a rule to redirect all traffic from one internal IP address (10.0.0.x) through the physical link only. My current script is as follows.
I have been unable to access my BT Home Hub from another (external) IP address recently. I did a traceroute to see what is happening to the connection and got the following.
It bounces around as it gets out of my office's network and then seems to get to BT's servers, and then I get stars. What does that mean?
1 - 8 bouncing round office network:
9 linx3.ukcore.bt.net (195.66.224.11) 19.405 ms 19.424 ms 19.381 ms
10 core2-pos0-1-5-0.ilford.ukcore.bt.net (62.6.201.121) 20.774 ms 21.099 ms 19.986 ms
I have two NICs: one is Ethernet and the second is via modem. On eth0, most non-standard ports are blocked, so I need to connect to a specified port on some IP through ppp0 (modem), to use an SSH connection on a non-standard port to that IP. For other ports on that IP and all other IPs I want to use eth0.
Recently I discovered that we were accidentally running a POP server (port 110), when we only should have been running the encrypted version thereof (port 995). This wouldn't have been a problem if the port was blocked in the first place. I had wrongly assumed that any port NOT specifically listed in one's firewall rules (CentOS 5 with default iptables installation) would be blocked. I thought you had to add a rule to /etc/sysconfig/iptables in order to open up a port. Apparently this is NOT the case. So is it true that if I install some random software that starts listening on any number of ports that I have not specifically mentioned in /etc/sysconfig/iptables that it will not be blocked - it will work right away?
Anyway, I guess two questions: 1) What's a generic way to block a specific port? I use rules like this to "open" ports (although is this not needed if they're open anyway?):
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
What's the analog of this kind of rule to *block* a port? 2) Is there a better way to configure iptables to block all ports that are not mentioned in its configuration? Is that dangerous? (will it block things that I don't want to block?)
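The two questions above (is a port open when no rule mentions it, and how do I block one explicitly) both come down to what the INPUT path does with traffic that matches no ACCEPT rule. The audit script below is an added example, not the poster's configuration or anything from CentOS itself: it parses an iptables-save style dump (the two rulesets embedded here are constructed samples in the RH-Firewall-1-INPUT layout the post uses), lists the TCP/UDP ports the chain accepts, and reports whether unmatched traffic is denied, either by a DROP/REJECT policy on INPUT or by a catch-all REJECT/DROP as the chain's last rule. Without that catch-all, any listening daemon such as the stray POP server on 110 is reachable with no rule at all; with it, a port is reachable only if an ACCEPT names it. It also builds the explicit-block analog of the poster's ACCEPT rule, which must sit before any ACCEPT for the same port to take effect.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample 1: no catch-all, INPUT policy ACCEPT, 110 explicitly opened.
OPEN_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 995 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT
COMMIT
"""

# Constructed sample 2: same layout, 110 removed, catch-all REJECT appended.
HARDENED_RULES = OPEN_RULES.replace(
    "-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 110 -j ACCEPT\n",
    "-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited\n",
)


def parse_filter_table(dump: str) -> Tuple[Dict[str, str], Dict[str, List[str]]]:
    """Return (chain -> policy, chain -> rule lines) for the *filter table.

    User-defined chains carry the policy "-" in iptables-save output.
    """
    policies: Dict[str, str] = {}
    rules: Dict[str, List[str]] = {}
    in_filter = False
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = policy
            rules.setdefault(name, [])
        elif line.startswith("-A "):
            rules.setdefault(line.split()[1], []).append(line)
    return policies, rules


def accepted_ports(rule_lines: List[str]) -> List[Tuple[str, int]]:
    """Ports that an ACCEPT rule names explicitly (protocol, port)."""
    found = []
    for rule in rule_lines:
        m = re.search(r"-p (tcp|udp)\b.*--dport (\d+).*-j ACCEPT$", rule)
        if m:
            found.append((m.group(1), int(m.group(2))))
    return found


def ends_with_catch_all(rule_lines: List[str]) -> bool:
    """True if the chain's last rule matches everything and drops/rejects it."""
    if not rule_lines:
        return False
    tokens = rule_lines[-1].split()
    # "-A CHAIN -j TARGET ...": no match options between the chain and -j.
    return tokens[2] == "-j" and tokens[3] in ("DROP", "REJECT")


def audit_input_path(dump: str) -> dict:
    """Follow INPUT into its first user chain and summarise what gets in."""
    policies, rules = parse_filter_table(dump)
    chain = "INPUT"
    for rule in rules.get("INPUT", []):
        target = rule.split()[-1]
        if policies.get(target) == "-":   # jump into a user-defined chain
            chain = target
            break
    chain_rules = rules.get(chain, [])
    default_deny = policies.get("INPUT") in ("DROP", "REJECT") or ends_with_catch_all(chain_rules)
    return {"chain": chain, "open_ports": accepted_ports(chain_rules), "default_deny": default_deny}


def explicit_block_rule(chain: str, proto: str, port: int) -> str:
    """The REJECT analog of the poster's ACCEPT rule; place it before any ACCEPT for the port."""
    return f"-A {chain} -m state --state NEW -m {proto} -p {proto} --dport {port} -j REJECT --reject-with icmp-port-unreachable"


if __name__ == "__main__":
    for name, dump in (("open", OPEN_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit_input_path(dump))
    print(explicit_block_rule("RH-Firewall-1-INPUT", "tcp", 110))
```

Running the audit on a live box is `iptables-save | python3 audit.py` with the dump read from stdin instead of the embedded samples; the useful finding is `default_deny: False` together with a port you did not expect in `open_ports`, or a daemon in `netstat -tlnp` output that the chain never mentions.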
br0 - 192.168.0.1 - Internet
eth2 - 192.168.1.1 - LAN
tun0 - 10.0.0.2 - VPN (via br0)
What I'd like to do is to route all TCP packets coming from eth2 to tun0 where a VPN client is running on 10.0.0.2. If I delete all default routes and if I add a new route to tun0 like :
route del default
route add default gw 10.0.0.2
Everything is fine, and everyone on eth2 can reach the Internet using the VPN access. Now the problem is that my VPN client does not allow any protocols other than TCP. And I also want to allow VPN access only to eth2, no other LAN nor the router itself. So I want to use iptables to filter any TCP packets and mark them, so they can be sent to tun0, while any other packets can reach the Internet via br0 (192.168.0.1). I found on the Internet that we can mark packets before they get routed, using the following commands:
iptables -t mangle -A PREROUTING -j MARK --set-mark 85 -i eth2 -p tcp --dport 80
ip route add table 300 default via 10.0.0.2 dev tun0
ip rule add fwmark 0x55 table 300
First of all, --dport 80 never works... :/ I wanted to filter TCP 80 packets coming from eth2, but none of them seem to be HTTP packets... oO (very strange...). Never mind, I decided to forget about the --dport option. I use the "iptables -L -v -t mangle" command to see how many packets are marked, and it is working fine: all TCP packets coming from eth2 are marked. Now the problem is that none of them are routed to tun0; they are all respecting the "route -n" rules... and not the "table 300" rule I have created.
Is there a way to bind specific programs to specific network devices (not IPs, since I have dynamic IPs)?
For example, I wish for irssi to route through eth0 and w3m to route through eth1. Keep in mind these devices have dynamic IPs, so I cannot attach them to an IP.
The solution cannot be accomplished through route since route pivots on IPs not devices.
I need to instruct sendmail to accept mails that are destined to users that are not available on my server and then forward those emails to catchall@mydomain.tld. Please remember that I don't want to forward every single mail to the catchall user. I just want to forward those emails which would be destined for users that do not exist on my server. I have used define(`LUSER_RELAY', `local:catchall@d.com') but it doesn't seem to work.
I have a server set up with a VPN (OpenVPN with DynDNS). My emails are located there and I can check them from home, office, wherever really, with different computers, no problem. However, due to restrictions of some ISPs I would have to change the SMTP server used, depending on where I am with my laptop.
Now, I thought about using the VPN to also tunnel the SMTP traffic through that. But how am I doing that? So far, when I'm connected via VPN I simply have a local (from the server's point of view) IP address to connect to my IMAP server. But how can I route the SMTP port 25 through the VPN? Is that possible to do, also in a way that I don't have to change anything depending on where I am, as in within the network of the server or outside? Since when I'm within the network the VPN obviously isn't connecting..
Having trouble getting my Netgear WNA1000 working through a wireless router. Have tried lots of suggestions from other threads to no avail. Someone suggested that the routing table isn't set correctly, so I have been trying to use the following to make the proper entry in the routing table: sudo route add -net 192.168.0.1 netmask 255.255.255.0 dev wlan0
Result: error message starting with: "route: netmask does not match route address"
followed by "Usage" instructions which tell me to do what I just did. Any ideas on how I can populate my routing table with the correct entry for my wireless card? Not to complicate matters, but I temporarily turned off encryption on my router to eliminate that as a possibility until I get connected. So maybe it's still trying to connect via encrypted mode; do I need to turn off encryption on my (client) end?
Yesterday I installed a RaLink RT2800 802.11n PCI card on my squeeze system. Now I have a connection to the Internet but I cannot connect to other systems in my home network. An ssh attempt to a system in my home network results in:
ssh: connect to host xxx.xxx.xxx.xxx port 22: No route to host
If I use my eth0, I do not have a connection to the Internet, but I can connect to other systems in my home network.
I want to do a simple port redirect, i.e. whatever comes through whatever interface on port AAAA will get redirected to port BBBB. I thought that
iptables -t nat -I PREROUTING --source 0/0 --destination 0/0 -p tcp --dport AAAA -j REDIRECT --to-ports BBBB
would do it; however it doesn't work, e.g. nc -v -w2 -z localhost AAAA gives:
nc: connect to localhost port AAAA (tcp) failed: Connection refused
while nc -v -w2 -z localhost BBBB
I'm looking forward to knowing how to connect to a remote server through SSH but from a specific port, so I can drop connections from random ports that are not the one I choose. Is this possible?
I have tried by setting up an iptables entry to forward output through both, PREROUTING and OUTPUT (one at each time, flushing when I can see that it's not working), in NAT table, so I can connect doing ssh localhost
I want to do this because I think that doing this will enhance the security, dropping connections of clients that are trying to connect from not-allowed ports. I have already set up fail2ban and created SSH keys, not allowing login with a password, only a key. Will allowing connections only from a specific port enhance the security, or not really?
Is it possible to setup SSH Daemon to listen on multiple ports and only accept specific groups to a given port? In the past I've created a second SSH Daemon by copying the config file and /etc/init.d/ daemon then configuring each port separately / rules however if I was able to maintain just the one Daemon that would be optimal. Is this possible?
I want to create VBR traffic. I created a file which contains two 32-bit fields. But when I execute the tcl program with this, no packet transfer is shown. When I tried the same program with example-trace, I saw packet transfer. The content of my traffic trace file is as follows:
For some reason my DNS servers aren't able to resolve certain names. Most names resolve fine there are just a few that don't work. Nslookup doesn't work either of course, and curiously neither does "whois".
I am trying to create a socket to listen for a bootp response so I am using a PF_PACKET socket so that I get the response based on my mac. My problem is that I don't want to hear all traffic (as I do now) so would like to use a specific port number and bind to it.
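A PF_PACKET socket has no notion of a port to bind to: it hands over every frame on the interface, so the port and MAC selection has to happen on the received bytes (or in a BPF filter attached with SO_ATTACH_FILTER, which is the kernel-side equivalent). The code below is an added example, not the poster's program: it parses Ethernet/IPv4/UDP headers, keeps only frames whose UDP destination is the BOOTP client port (68) and whose BOOTP body is a BOOTREPLY carrying the caller's own MAC in chaddr, which is the right test because BOOTP replies are often broadcast and so cannot be filtered on the Ethernet destination alone. The sample frame is constructed inline with placeholder addresses; `listen_for_my_reply` is the only part that needs Linux and CAP_NET_RAW, and it is not run by the offline checks.

```python
import socket
import struct
from typing import Optional

ETH_P_IP = 0x0800
IPPROTO_UDP = 17
BOOTP_SERVER_PORT = 67
BOOTP_CLIENT_PORT = 68
BOOTREPLY = 2          # BOOTP 'op' value for a server reply
BOOTP_MIN_LEN = 44     # fixed header up to and including the 16-byte chaddr


def parse_udp_frame(frame: bytes) -> Optional[dict]:
    """Split an Ethernet/IPv4/UDP frame; None if it is anything else."""
    if len(frame) < 14 + 20 + 8:
        return None
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_IP:
        return None
    ihl = (frame[14] & 0x0F) * 4             # IPv4 header length incl. options
    if ihl < 20 or len(frame) < 14 + ihl + 8 or frame[14 + 9] != IPPROTO_UDP:
        return None
    sport, dport, ulen, _csum = struct.unpack("!HHHH", frame[14 + ihl:14 + ihl + 8])
    payload = frame[14 + ihl + 8:14 + ihl + ulen]
    return {"dst_mac": dst_mac, "src_mac": src_mac,
            "sport": sport, "dport": dport, "payload": payload}


def is_bootp_reply_for(frame: bytes, my_mac: bytes) -> bool:
    """True only for a BOOTREPLY to port 68 whose chaddr is my_mac."""
    pkt = parse_udp_frame(frame)
    if pkt is None or pkt["dport"] != BOOTP_CLIENT_PORT:
        return False
    body = pkt["payload"]
    if len(body) < BOOTP_MIN_LEN or body[0] != BOOTREPLY:
        return False
    hlen = body[2]                           # hardware address length (6 for Ethernet)
    return body[28:28 + hlen] == my_mac      # chaddr starts at offset 28


def build_bootp_reply(dst_mac: bytes, src_mac: bytes, client_mac: bytes,
                      dport: int = BOOTP_CLIENT_PORT) -> bytes:
    """Constructed test frame: broadcast BOOTREPLY offering 192.168.1.50 (placeholder)."""
    body = struct.pack("!BBBB4sHH4s4s4s4s16s",
                       BOOTREPLY, 1, 6, 0, b"\x12\x34\x56\x78", 0, 0,
                       b"\0" * 4, bytes([192, 168, 1, 50]), b"\0" * 4, b"\0" * 4,
                       client_mac.ljust(16, b"\0"))
    udp = struct.pack("!HHHH", BOOTP_SERVER_PORT, dport, 8 + len(body), 0) + body
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     bytes([192, 168, 1, 1]), b"\xff\xff\xff\xff") + udp
    return struct.pack("!6s6sH", dst_mac, src_mac, ETH_P_IP) + ip


def listen_for_my_reply(iface: str, my_mac: bytes) -> dict:
    """Linux only, needs CAP_NET_RAW: read frames until our BOOTP reply arrives."""
    s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, socket.htons(ETH_P_IP))
    s.bind((iface, 0))
    while True:
        frame = s.recv(65535)
        if is_bootp_reply_for(frame, my_mac):
            return parse_udp_frame(frame)


if __name__ == "__main__":
    my_mac = bytes.fromhex("0a0b0c0d0e0f")            # placeholder client MAC
    server_mac = bytes.fromhex("001122334455")        # placeholder server MAC
    frame = build_bootp_reply(b"\xff" * 6, server_mac, my_mac)
    print("matches my MAC:", is_bootp_reply_for(frame, my_mac))
```

Filtering on chaddr rather than on the Ethernet destination is what makes the capture specific to this host; the port check alone would still accept replies meant for every other client on the segment, and a raw socket still receives all of them before your code discards them.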