OpenSUSE Network :: Block All Ports But Port 80 With Iptables (DMZ)?
Jun 25, 2010
I have a Suse 10.3 router with 4 network cards. 1 is to connect to the big network and thereby also the internet, 2 are for 'client' subnets and I want to use the last one as a DMZ. In this DMZ will be a web server which has to be accessible from the other 2 subnets and from the big network. I could do it with a few simple clicks in Yast firewall, but I have some issues with this firewall and therefore I want to use it as minimally as possible, using Iptables.
So now I'm struggling a bit with Iptables. Basically what I'm looking for is how to block all ports but 80 in this last subnet with iptables.
I would like to allow incoming and outgoing connections when I'm connected to a wired connection, but drop them otherwise. I noticed that ufw can't block outgoing traffic, which is why I will give iptables a try. I'm unsure if dropping packets that are outgoing will work; the rule after the block rule will allow all outgoing connections.
This is what the rules are intended to do, unsure if that is actually the case. Allow all loopback traffic. Allow ping replies. Allow incoming on port 12345 if eth0, deny otherwise. Allow outgoing on port 12346 if eth0, deny otherwise.
Code:
iptables -A FORWARD -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -s -m state --state ESTABLISHED,RELATED -j ACCEPT
In SuSE firewall0. I have an openSUSE 11.4 and multiple IP addresses on the eth0 interface.
I run (trying to/have to) multiple TOMCAT servers.
I am trying to have each tomcat instance listen on a separate IP address, for example:
What I am trying to do is to redirect
a) tomcat 1 -
a) tomcat 2 -
And so on.
I know that it has to be possible.
I do have just eth0/
Is it possible? Do I have to create "virtual interfaces" (eth0:1, ...) and do redirection?
The "server" has just a single interface - just 1 ethernet cable goes to that server. I am planning to have 10-15 Tomcats on that server (I have to, unfortunately) and each has to run on port 80.
Is it possible to "grant" permissions to normal users to run an app on port 80? That would solve lots of problems for me if it is impossible to redirect.
I tried setcap 'cap_net_bind_service=+ep' /path/to/tomcat ...... but no luck.
Is there any way to verify if packets being trafficked over a certain port are valid for the service you want to use this port for?
One obvious example that probably clarifies my question: When I open port 443 (outgoing or incoming) for https/ssl traffic, I don't want this port to be used for say openvpn traffic. Thus: when someone wants to surf to a website with https, it should be ok but if someone wants to connect to his home openvpn server over that same port, it should be blocked.
I'm using a Debian server as router/firewall. I have two ethernet interfaces in the server, one for WAN and one for LAN. Then I use SNAT so my LAN clients can access the internet through the Debian router. That is working... Now I want to be able to access servers on the LAN side from the WAN side, and I wanna use port address translation (PAT). I have an FTP server running on a LAN server, so I'm trying to port-forward port 21.
When people try to access my FTP from the WAN side, they are redirected to the local FTP server, and they are prompted for credentials, but when the credentials are typed, and the local FTP server should answer the WAN request, the connection dies.
The WAN clients are being prompted for credentials, so they are redirected to the local LAN server, but after that the connection dies, so I think there is some kind of NAT problem when the local LAN server is trying to respond to the WAN request.
If I forward port 80 to port 3128 for squid with an iptable rule, does port 3128 have to be open on the firewall or is this all routed behind the firewall?
I have a mail server on which I would like to block port 25 on my eth0 for everyone except our external spam filter. The problem is that I want our users to be able to connect via port 10025, which is forwarded to port 25, which then is blocked...
I was following the directions over on the page How to watch Hulu overseas without a proxy server and got to the section about blocking ports, which I need to block port 1935. I figured this would be easy, as the mac instructions are
Code:
sudo ipfw add 0 deny tcp from any to any 1935
sudo ipfw add 0 deny udp from any to any 1935
and the Windows instructions are practically a book in itself. Since this page was lacking instructions on how to do it in Ubuntu, and ipfw seemingly doesn't exist in Ubuntu, how do I block the ports?
I have a couple of openSUSE 11.2 machines and each is directly connected to the Internet (they are not behind a router, firewall, etc). I want them to be able to communicate without any firewall restrictions, but keep the firewall rules for all other IP addresses. Is this possible? The software package I'm trying to use randomly chooses a port to use in the range of 32768-61000 and I don't feel comfortable having a port range that wide open on both machines.
I'd like to have a port open for some streaming radio stations. However, I don't know if they are UDP or TCP or what "direction" to have them set up (inbound or outbound). I also don't know if they should be set up for "host" or "dynamic". The stations I'm interested in are the 181.fm channels mostly (shoutcast stations). We have a Westell A90 type modem/router from Verizon.
I am running a server with ssh and a VPN server set up. It is behind a Debian router with a firewall which uses iptables. I have it set up to forward ports 22 and 443 to ssh on a computer within the LAN (so when on a restricted network I can still ssh into my network) and forward anything to 1723 (for my VPN) to that box also. However, the only port that gets successfully forwarded is port 22. The other two appear closed. Here is what the script looks like:
We do NOT support Samba on our Ubuntu servers but still zillions of Windows machines are constantly trying to connect on the SMB ports. I've added a rule that drops access to destination ports 137-138 and that seems to work. But it creates many, many log entries documenting that the packet has been dropped. I've been researching and cannot come up with a way to suppress logging for these drops.
I'm using openSUSE 11.3 32bit with LXDE. I have configured an Apache Tomcat server listening on port 8080. Yast was used to open udp 8080 and tcp 8080 in the firewall by manual entry under the advanced button of the 'allowed services' menu. Another system was used to access the Tomcat server via a Firefox web browser. The attempt was unsuccessful. The URL used was [URL]. The Firefox web browser keeps showing 'connecting ...' until timeout. I'm assuming that in spite of the specified port openings in the firewall, it is somehow ignored. If I were to disable the firewall, then I can access the Tomcat server with the Firefox web browser.
I have an openSUSE 11.4 workstation that has two ethernet ports and I was wondering if there is a chance to use the other ethernet port as a switch to a Mac/PC?
I want to port-forward client connections from an Ubuntu LTS server to another external server. BTW, I am a noob on iptables. I have tried using the basic commands for iptables with no success. For example:
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 7878 -j DNAT --to 91.23.45.67:7878
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 91.23.45.67 --dport 7878 -j ACCEPT
So basically I just want a redirection from one IP to another. Example: a client tries to connect to IP 123.45.67.89 on port 7878 and the server forwards him to IP xx.xx.xx.xx on port 7878, meaning that xx.xx.xx.xx is the actual server with services. The server with IP 123.45.67.89 is only forwarding the client to the external IP... How can this be done in a simple command?
I am trying to open VNC ports (5901, 5902) on my RH Linux machine using iptables. I am able to do it from the GUI system-config-security. Go to Administration > Security Level and Firewall, then select "other ports" at the bottom and enter the portNum 5901 to open and select tcp, then click OK and OK again to save your settings. From my Windows m/n I am able to open a VNC session using vncviewer on port 5901. But when I am trying to do it from the command line:
# iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPT
This command added the entry in /etc/sysconfig/iptables and it is listed in the iptables -L command. Then I saved and restarted iptables.
# service iptables save
# service iptables restart
When I am trying to open the VNC session from vncviewer, it is giving me an error and the session is not opened. Is there something I missed here? Where can I check the logs for this? I definitely need
I have trouble with the internet on different Linux x64 systems on my laptop (Lenovo ThinkPad SL510), but if I load WindowsPE all is OK. What could it be? Where to search? There is a hardware firewall/NAT/gateway in my local network; it allows only connections to dst ports tcp 80 (http), udp 53 (dns) and no frags, no icmp, deny in, etc. But Windows internet (the same Firefox) works fine, and under Linux sites don't load fully or give "connection timed out"... But if I can start downloading any file it will be downloaded in full (I have downloaded the DVD ISO of SuSE). DNS through nslookup doesn't respond every time... Decreasing the MTU to 1372 didn't help. Deactivating IPv6 also.... What could it be? What is different between Windows and Linux in DNS clients? Is there any alternative DNS client in SuSE? Is the trouble only in DNS?
I have a question about /etc/services file. If I open ports in firewall, do I need to alter /etc/services file in order for certain apps to work?
kpasswd         464/tcp    # kpasswd
kpasswd         464/udp    # kpasswd
#                          Theodore Ts'o <tytso&MIT.EDU>
# 465 is illegal used by eMail Server
smtps           465/tcp    # eMail Server
#urd            465/tcp    # URL Rendesvous Directory for SSM
igmpv3lite      465/udp    # IGMP over UDP for SSM
#                          Toerless Eckert <eckert&cisco.com>
digital-vrc     466/tcp    # digital-vrc
digital-vrc     466/udp    # digital-vrc
Above example shows if 465 tcp isn't altered, Postfix MTA fails to listen on 465 tcp port. What if there's a bigger span 3000:7000 TCP/UDP, is there a need to alter each line by hand?
I'd like to set iptables to allow access from one host to my server on any port. Currently the iptables have been configured to deny all and to allow access only to those I've specified.