OpenSUSE Network :: Firewall2 And Iptables String Module?
Oct 28, 2010
I am trying to set up a scenario where I am able to control access to certain html files. I'd like to forbid access to the URL: url
My iptables rule in "SuSEfirewall2-custom" looks like:
iptables -I INPUT -j DROP -p tcp -m string --string ".*test.*" -algo bm --dport $port
As a result, I get:
#> rcSuSEfirewall2 start
Starting Firewall Initialization (phase 2 of 2) Bad argument `--string'
(same for "-string")
Nov 3, 2010
I recently installed a new Ubuntu PC that runs iptables and PSAD. I had the same script on another Ubuntu PC, but when I copied the script onto the new PC, I got this error. I don't remember where I found the tutorial for this, all I know is that this is the script (Edited for my usage):
Code:
#!/bin/bash
# Script to check important ports on remote webserver
# Copyright (c) 2009 blogama.org
# This script is licensed under GNU GPL version 2.0 or above
[code]....
Safe.txt contains:
Code:
127.0.0.1
192.168.1.8
192.168.1.1
98.200.58.73
192.168.0.1
And the error message generated is:
Code:
root@NETWORK-SERVER:/var/ddosprotect# ./ipblock.sh
' not found.4.4: host/network `127.0.0.1
Try `iptables -h' or 'iptables --help' for more information.
' not found.4.4: host/network `192.168.1.8
[code]....
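The wrapped error lines above are what a terminal shows when iptables echoes an address that still carries a carriage return: the message `iptables v1.4.4: host/network `127.0.0.1\r' not found.` is displayed as `' not found.4.4: host/network `127.0.0.1` because `\r` moves the cursor back to column 0 and the tail overwrites the first twelve characters. The check below is an added example, not code from the post: it validates an address file such as safe.txt (constructed samples, a `#` comment convention assumed) before anything is handed to `iptables -s`, and reproduces the terminal rendering so the symptom can be recognised.

```python
# Added check (not code from the post): validate an address list such as
# safe.txt before any entry is handed to iptables. Lines with a trailing
# carriage return (CRLF endings), blank lines and non-addresses are reported
# instead of being passed on to `iptables -s`.
import ipaddress
from typing import List, Tuple

# Constructed samples: the first mimics a file saved with Windows line endings.
SAMPLE_CRLF = "127.0.0.1\r\n192.168.1.8\r\n192.168.1.1\r\n"
SAMPLE_CLEAN = "127.0.0.1\n192.168.1.8\n10.0.0.0/8\n"

def check_address_list(text: str) -> Tuple[List[str], List[str]]:
    """Return (valid entries, problems). Valid entries are normalised strings
    that iptables -s/-d accepts; each problem names the offending line."""
    valid, problems = [], []
    for lineno, raw in enumerate(text.split("\n"), start=1):
        if raw.endswith("\r"):
            problems.append(f"line {lineno}: carriage return (CRLF ending) in {raw!r}")
            continue
        entry = raw.strip()
        if not entry or entry.startswith("#"):
            continue  # blank line or comment (comment syntax is an assumption)
        try:
            valid.append(str(ipaddress.ip_address(entry)))
        except ValueError:
            try:
                valid.append(str(ipaddress.ip_network(entry, strict=False)))
            except ValueError:
                problems.append(f"line {lineno}: not an IP address or network: {entry!r}")
    return valid, problems

def render_display(message: str) -> str:
    """Show what a terminal prints for a message containing '\\r': the text
    after each carriage return overwrites the start of the same line."""
    shown = ""
    for chunk in message.split("\r"):
        shown = chunk + shown[len(chunk):]
    return shown
```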
Sep 1, 2010
I'm currently running 11.2 and I configured Proxy settings in the YaST module. It seems that when I use a proxy I have problems updating. It can retrieve some files, but while getting others it fails. Furthermore, I can't establish a connection with the timeserver in the YaST -> NTP configuration module.
My question is if there have been changes from this version to 11.3 regarding the Proxy settings.
Apr 23, 2010
I set up a squid transparent proxy and I have a problem with an iptables rule. I have a rule to redirect all requests to port 80 to go to port 3128. To do so, I'm using this iptables command:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
This command is working like a charm. The only problem is, for some unknown reason, this rule will be dropped at some point. I did not manage to identify what is causing this to happen. It occurs during the night, but I have nothing about that in my log files (messages / firewall / ...). The only way I managed to reproduce this 'dropping' is this one: I type the command as root. The command is effective and working fine. I open YaST, I go to the firewall module, then I do a simple "save changes and restart firewall" (without changing anything). As soon as this process is finished, the iptables rule is gone.
- How can I make this rule permanent?
- Is there a place where I can launch a script executing this rule, after the yast firewall module is 'touched' or something?
Jun 25, 2010
I have a SUSE 10.3 router with 4 network cards. 1 is to connect to the big network and thereby also the internet, 2 are for 'client' subnets and I want to use the last one as a DMZ. In this DMZ there will be a web server which has to be accessible from the other 2 subnets and from the big network. I could do it with a few simple clicks in the YaST firewall, but I have some issues with this firewall and therefore I want to use it as little as possible, using iptables.
So now I'm struggling a bit with iptables. Basically what I'm looking for is how to block all ports but 80 in this last subnet with iptables.
Jul 25, 2011
I am in the process of enabling Samba client and server on my openSUSE 11.3 32-bit workstation, and have just looked at the firewall rules (via iptables -L) prior to enabling these applications. I have used iptables a lot before, and despite having my network interface defined as being in the External Zone (i.e. the least trusted, and therefore supposedly the most protected), the first rules in iptables are as follows:
INPUT
target=ACCEPT, prot=all, source=anywhere, dest=anywhere
OUTPUT
[code]....
Sep 7, 2010
I am trying to compile the Cisco vpnclient on my openSUSE 11.2 and (after some troubles) I got the module compiled and installed, but when I try to load it with insmod I get this error:
<</etc/init.d/vpnclient_init start
Starting /opt/cisco-vpnclient/bin/vpnclient: insmod: error inserting '/lib/modules/2.6.31.12-0.2-default/CiscoVPN/cisco_ipsec.ko': -1 Invalid module format
Failed (insmod)>>
I am able to use the vpnclient by forcing the module with modprobe -f cisco_ipsec, but I'd prefer to solve the original 'invalid format' problem. I 'googled' around and it seems related to this warning during the vpn_install script: "WARNING: Symbol version dump /usr/src/linux-2.6.31.12-0.2/Module.symvers is missing; modules will have no dependencies and modversions." I have these rpms: ........
Mar 16, 2011
The e1000e module is loaded into the system. When I add a VLAN, the system hangs when stopping the VLAN or configuring other devices (sound, video). In openSUSE 11.3 it worked correctly.
MB: ASUS P5Q-ME DO / NetCard: Intel 82567LM-3
Mar 28, 2011
I recently installed openSUSE 11.4 including the WebYaST base system with all available modules. Status shows everything works fine. But the update module has some problems. It displays 21 updates, three of them security and 18 important. By clicking on any of the install buttons the messages say please wait and then updating, while the update time depends on the size of the file. It finishes and goes back to the list of updates without any error message. But after that it never shows any changes or messages that the update has actually been installed. For about ten days the list has always remained the same.
Jul 24, 2010
I have an Acer 1551-4755 notebook with AR5B93 wireless chipset. ath9k is loaded and my card is detected as Atheros AR928X PCI-Express wireless network adapter. However, the ath9k driver is only allowing me to connect at 802.11g speed in spite of the fact that my WRT310N loaded with DD-WRT is in mixed mode. I am able to connect at wireless N speed with my D-Link DWA-130 usb dongle, but this is a rather backward solution. Is there a way to work around this issue, i.e. an updated ath9k or other madwifi driver? I would hate to resort to ndiswrapper for a natively supported chipset. I am using openSUSE 11.3 for the first time; I'm a long-time Fedora user.
Apr 8, 2010
I'm a newbie in the world of netfilter/iptables. I've read an article about iptables and the rate limit module:
Code:
iptables -A INPUT -p ICMP --icmp-type echo-request -m limit --limit 1/minute --limit-burst 5 -j ACCEPT
The firewall will let the first 5 packets in in the first minute, --limit-burst 5; this means, however, that the packets/minute now is 5, so any further packets are blocked until packets/minute = 1, i.e. 5 minutes later. In the sixth minute, packets/minute will be 5/6 < 1, so another ping request will be let in. When the extra ping request is admitted, the ratio becomes 6/6 = 1 again, and packets are DROPped again until the next minute.
Now I have some problems in understanding how it works.
For example: I want to ping google.com in this way: the kernel firewall permits sending the first 5 packets to google.com (--limit-burst 5) and then it blocks the remaining packets for 5 minutes. At the sixth minute (because I wish a rate limit equal to 1/minute: --limit 1/minute) one packet can be sent to google again. And so on.
So my rule should be:
Code:
iptables -A OUTPUT -d url_of_google -p icmp --icmp-type echo-request -m limit --limit 1/minute --limit-burst 5 -j ACCEPT
In this way, if I type
Code:
ping -f url_of_google
I expect that the first 5 packets are accepted (and so zero '.' will be printed on the screen) and then for the remaining 5 minutes no packets will be accepted (and so a long string of '.' will be printed). But it doesn't work...
In man pages of ping we read (about -f option):
-f Flood ping. Outputs packets as fast as they come back or one hundred times per second, whichever is more. For every ECHO_REQUEST sent a period ``.'' is printed, while for every ECHO_REPLY received a backspace is printed. This provides a rapid display of how many packets are being dropped.
Apr 11, 2011
How can I enable the statistic module in iptables?
I have
Fedora13 32 bits
iptables-1.4.7-2
kernel 2.6.18
Feb 17, 2011
I have iptables 1.3.5 on CentOS 5.5 32 bits. kernel 2.6.18
How do I install the statistic match module for iptables?
Feb 20, 2010
I've configured a squid proxy server on a P4 desktop. I have 50 users in my network. I installed RHEL 4.4 (2.6.9-42 kernel) and the iptables version is 1.2.11-3.1. I have 2 NICs installed in the system: eth0 (192.168.100.99) for the local LAN and eth1 (192.168.1.2) for outgoing to the internet. I've connected a DSL broadband modem to eth1 (the default IP of the DSL modem is 192.168.1.1). All the clients except a few have been forced to go through squid with user authentication to access the internet. The clients that were kept away from the proxy are 192.168.100.253, 192.168.100.97, 192.168.100.95 and 192.168.100.165. Everything works fine, but since last week I have observed that some notorious user uses the direct IPs (192.168.100.97 or 192.168.100.95) in the absence of the owners of these IPs to gain access to the internet, as we applied download/upload restrictions in squid.
I want to filter the packets of source hosts using the MAC address in the PREROUTING chain. I read somewhere that the IPT_MAC module must be installed to make this happen, so that those notorious users cannot change their IPs to gain direct access to the internet.
Below are the contents of my iptables file (I've omitted a few entries for safety purposes).
# Generated by iptables-save v1.2.11 on Wed Nov 25 16:35:57 2009
*filter
:INPUT ACCEPT [14274:3846787]
:FORWARD ACCEPT [4460:1241297]
:OUTPUT ACCEPT [16825:4872475]
code....
May 14, 2011
I'm trying to limit the number of the ICMP packets reaching my server, so I'm using the limit module of iptables; unfortunately it seems the limit I set is totally ignored, as I can easily send tens of ICMP packets and get a reply in less than 0.3 second.
Quote:
m3xican@m3xtop:~$ sudo ping -i0 -c20 x.x.x.x
20 packets transmitted, 20 received, 0% packet loss, time 230ms
rtt min/avg/max/mdev = 184.969/185.895/189.732/1.301 ms, pipe 16, ipg/ewma 12.138/186.232 ms
This is the rule I'm using to accept ICMP packets (default setting is DROP):
Code:
iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
And these are the kernel modules related to iptables
Code:
Module Size Used by
xt_limit 1382 0
[Code]...
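Both limit-module questions on this page (the Apr 8, 2010 post with `--limit 1/minute --limit-burst 5` on OUTPUT, and the May 14, 2011 post with `--limit 1/s` on INPUT) come down to how `-m limit` interacts with first-match chain evaluation. The simulation below is an added example, not code from either post: it models the limit match as the token bucket it is (`--limit-burst` tokens, refilled at `--limit`) and runs constructed `ping -f`-style timings through the chain layouts named in the comments, including a variant with an explicit DROP after the limit rule and one with a broader ACCEPT rule above it.

```python
# Added simulation (not code from either post) of the netfilter `limit` match
# and of first-match chain evaluation. `-m limit --limit R --limit-burst N` is
# a token bucket: N tokens, initially full, refilled at rate R; a packet matches
# only while a token is available, otherwise it falls through to later rules.
from dataclasses import dataclass
from typing import List, Optional

class LimitMatch:
    def __init__(self, rate_per_sec: float, burst: int = 5):  # burst 5 = iptables default
        self.rate, self.burst = rate_per_sec, burst
        self.tokens, self.last = float(burst), 0.0

    def matches(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False  # bucket empty: this rule does not match the packet

@dataclass
class Rule:
    target: str                         # ACCEPT or DROP
    limit: Optional[LimitMatch] = None  # None: the rule matches every packet

def run_chain(rules: List[Rule], policy: str, times: List[float]) -> List[str]:
    """Verdict per packet (times in seconds): first matching rule wins,
    otherwise the chain policy applies."""
    verdicts = []
    for t in times:
        verdict = policy
        for r in rules:
            if r.limit is None or r.limit.matches(t):
                verdict = r.target
                break
        verdicts.append(verdict)
    return verdicts

def flood(n: int = 20, gap: float = 0.01) -> List[float]:
    """Constructed `ping -f`-style timing: n packets 10 ms apart."""
    return [i * gap for i in range(n)]

def output_accept_only() -> List[str]:
    # Apr 8 post: OUTPUT policy ACCEPT plus a lone limit/ACCEPT rule. Packets the
    # bucket rejects are not dropped; they fall through to the ACCEPT policy.
    return run_chain([Rule("ACCEPT", LimitMatch(1 / 60, 5))], "ACCEPT", flood())

def output_accept_then_drop() -> List[str]:
    # Same rule followed by an explicit DROP: first 5 accepted, the other 15 dropped.
    return run_chain([Rule("ACCEPT", LimitMatch(1 / 60, 5)), Rule("DROP")], "ACCEPT", flood())

def input_limit_policy_drop() -> List[str]:
    # May 14 post: INPUT policy DROP with `--limit 1/s` (burst 5). The rule by
    # itself passes 5 of 20 packets sent within 0.2 s and drops the other 15.
    return run_chain([Rule("ACCEPT", LimitMatch(1.0, 5))], "DROP", flood())

def input_earlier_rule_wins() -> List[str]:
    # A rule above the limit rule that already accepts these packets: all 20 pass.
    return run_chain([Rule("ACCEPT"), Rule("ACCEPT", LimitMatch(1.0, 5))], "DROP", flood())
```

Run `output_accept_only()` and `output_accept_then_drop()` side by side to see that a limit rule only ever decides which packets it accepts; what happens to the rest is decided by the rules and policy after it.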
Apr 10, 2010
I'm encountering a known problem with IPtables. I set up rules and apply them, restarting firewall, then I get this message:
Flushing firewall rules: [ OK ]
Setting chains to policy ACCEPT: raw nat mangle filter [ OK ]
Applying iptables firewall rules: [ OK ]
Loading iptables additional modules: ip_conntrack_ftp ip_conntrack_netbios_ns [FAILED]
Jun 10, 2011
Recently, I decided to migrate from SuSE 11.2 to 11.4. My 11.2 installation was working fine with two VLANs and several VMs. I went the route of installing 11.4 from scratch rather than upgrading 11.2.
The installation went smoothly. Afterwards, I ran Yast and changed eth0 to a bonding interface. Then I added two VLANs that used the bonding interface. When I restarted the computer, I saw the following on the console: "Waiting for mandatory devices vlan3005 __NSC__". Then after a 30 second countdown:
"vlan3005 no interface found". The solution to that problem was to add "ETHERDEVICE='eth0'" to /etc/sysconfig/network/ifcfg-eth0.3005. Upon restarting the computer, I could see that DHCP started this time but didn't get an IP address and continued in the background while the rest of the console messages scrolled by. At the point where X kicks in and I should have gotten a GUI login window, the screen goes dark. I cannot get to a console (CTRL-ALT-F1 or F2) or any other GUI login window (CTRL-ALT-F7 F8 or F9).
The computer was completely unresponsive. I could not ssh in to it from another host nor could I ping it. I let it sit for a few minutes but nothing ever appeared on the console. There were no blinking lights on the keyboard. I had to power the computer off. I turned off VLAN trunking on the switch port and the computer booted up fine, without network access, of course. I checked the logs but could find no clues as to what happened. I suspect a kernel problem. However, before I proceed further, I thought I would post my problem here and see if anyone has had a similar problem and perhaps a solution.
Nov 10, 2015
I'm working on my iptables rules on a debian 8 vps and I tried to install iptables-persistent but I was told "Unable to locate package"...
Where can I get this so that I may save my rules for reboot?
Apr 12, 2011
Here is my problem:
I need to enable the statistic module in iptables.
I had Fedora 13 32 bits, iptables-1.4.7-2 and kernel 2.6.18
But kernel 2.6.18 does not support statistic module.
So, I upgraded from Fedora 13 to Fedora 14.
Now I have Fedora release 14 (Laughlin) and Kernel 2.6.18
I did this to upgrade: url
Also, I did this too.
# yum update kernel
No Packages marked for Update
How can I upgrade to a newer kernel?
Nov 16, 2010
Trying to set up my box as a router on Ubuntu 10.04. When trying to set up a NAT rule in iptables 1.4.4 like so:
Code:
sudo iptables --table NAT --append POSTROUTING -o eth0 -j MASQUERADE
I keep getting:
Code:
Can't initialize iptables table 'NAT': Table does not exist (do you need to insmod?)
Looking at lsmod, it doesn't look like I have anything NAT related loaded ( I just have iptable_filter, ip_tables, and x_table ). Doing a locate nat, I find a module that looks like it should work. I'm running 10.04.1 LTS - Kernel is 2.6.32-25-generic #45-Ubuntu SMP and it is pretty much stock - haven't done anything fancy... this module looks promising:
Code:
/lib/modules/2.6.32-25-generic/kernel/net/ipv4/netfilter/iptable_nat.ko
but loading it and I get:
Code:
-1 Unknown symbol in module
May 26, 2011
How do I install and set up iptables on Ubuntu 8.04 LTS? Currently iptables is not installed, neither as a package nor as a kernel module.
Nov 25, 2010
I use iptables firewall (v1.4.1) installed on FC8. I'm trying to limit the inflow traffic for the port 1723 to certain MAC addresses. To experiment with the mac option, I've written the following iptables rule:
Quote:
iptables -A INPUT -m -mac --mac-source 10:08:08:08:08:10 -j ACCEPT
It didn't work. It gave me this error message:
Quote:
iptables v1.4.1: Couldn't load match `-mac':/usr/local/libexec/xtables/libipt_-mac.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
Does that mean the mac module wasn't installed/enabled?
Oct 22, 2010
Copy string a to string b, change string b with toupper() and count the chars.
Mar 30, 2011
I have a server that I can only access via SSH (it's located far away) and I would like to secure it by blocking all ports except the ones that I need (which are HTTP and SSH). I still want to be able to make outgoing connections to enable software updates and other things. This is my iptables -L -n:
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:21
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:23:79
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:81:65535
code....
In my opinion, this should block all incoming packets except the ones on port 80 and 22, but allow responses to outgoing connections. But a wget http://google.com does not work, it can't establish the connection.
Maybe this is not the best style for iptables rules, but I want to be absolutely sure not to accidentally lock myself out from SSH, so I chose not to configure a "block-everything rule".
Does this configuration not enable incoming packets from connections initiated from inside?
Feb 20, 2011
I recently installed openSUSE 11.3 and I was trying to get the Juniper SSL VPN working. It connects and everything goes fine until it prompts me for the root password. Once I do that, it errors out saying "Modprobe for tun module failed" or something of that nature.
May 8, 2011
I've installed openSUSE 11.4 in server mode (text only) on my desktop, and I'm trying to configure IceWM so I'll eventually have it set up so it always boots into text-only mode, but I can quickly start icewm via the command line. Using YaST, I installed the Xorg server and icewm. When I type X, the screen goes black and it just doesn't seem to do anything. I found if I hit ctrl+alt+f1 it kinda puts me back into text-only mode, but I can't put in commands anymore. The last thing it says on the screen is:
Failed to load module "fglrx" (module does not exist, 0)
I've googled that error message and the discussions that popped up around it made no sense to me at all. I've never configured X from scratch before; can someone point me towards a tutorial or something?
Jan 28, 2010
OK, trying a fresh install of Gnome openSUSE, and I have certainly screwed something up again and hope I don't have to reinstall again, arghhhh! Tomboy won't open, even after reinstallation, and below is the error, but first, as well, I can't open my .odt file with OpenOffice Writer!
Now the error...
#tomboy
Gtk-Message: Failed to load module "canberra-gtk-module": libcanberra-gtk-module.so: cannot open shared object file: No such file or directory
Gtk-Message: Failed to load module "gnomebreakpad": libgnomebreakpad.so: cannot open shared object file: No such file or directory
...and lots more
Sep 28, 2010
How can I add one more network to this statement?
iptables -A INPUT -s ! 10.0.0.0/8 -j DROP
It should be something like
iptables -A INPUT -s ! 10.0.0.0/8,192.168.1.0/24 -j DROP
May 3, 2011
I've been trying to understand pthread in C a little better. So I made a simple program that takes in a string from the command line and creates a thread to print the string. I've looked online and copied the basic concepts, but there are some things I'm confused about. The program works just fine, but I have questions. Here's what I have so far.
[Code]....
One thing I'd like to know is why the 3rd argument of the pthread_create function, which is my SendMessage function, needs to be typecast to a void pointer and then the address of the function sent. Also, as for the 4th argument, I would see typecasting to a void pointer in some of the pthread examples I saw online, but in my case I'm passing a char pointer; would this be correct? In which case would I ever want to pass a void pointer?
Do I need a pthread_exit(NULL) in my main and in the SendMessage function? If so, why? I added the sleep() function so that I could let the pthread_exit function in my SendMessage function execute first. I simply saw that the online examples on pthread had pthread_exit() in both locations.
Sep 2, 2010
I have a line in a text file that has 40 random characters within a tag and I want to change the characters to a new set of 40 random characters (alphanumeric a-z 0-9 etc.)
The line in the text file looks like this:
Quote:
How would i go about doing that?
Also second question same as the above but how would i remove them instead of replacing them?