Security :: Best IPtables Configuration For Bind DNS Server?

Dec 23, 2010

What is the best iptables configuration for a BIND DNS server?

View 3 Replies
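An added example, not part of the thread or any reply in it: a default-deny ruleset for a host whose only public service is BIND, printed in iptables-restore format. The management network 203.0.113.0/24 and the optional client network are placeholders I chose, not values from the page. Apply it as root with `sh bind-fw.sh | iptables-restore`, or save the output as /etc/sysconfig/iptables on CentOS/Fedora; the check function answers the first question a reviewer asks of any ruleset, namely which ports it actually opens.

```shell
#!/bin/sh
# Added example: iptables ruleset for a BIND server, emitted in iptables-restore
# format. Nothing here touches the kernel; apply with:  sh bind-fw.sh | iptables-restore
# Placeholder (assumption, not from the thread):
MGMT_NET="${MGMT_NET:-203.0.113.0/24}"   # where SSH logins may come from

# bind_ruleset [CLIENT_CIDR]
#   Without an argument the server answers DNS from anywhere (authoritative
#   server). With a CIDR, port 53 is only opened to that network: a recursive
#   resolver that answers the whole Internet is an open resolver and gets used
#   for reflection attacks, so a caching/recursive BIND must be restricted.
bind_ruleset() {
    dns_src=""
    [ -n "${1:-}" ] && dns_src="-s $1 "
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# named talks to itself on loopback (rndc on 127.0.0.1:953, local stub resolver)
-A INPUT -i lo -j ACCEPT
# replies to traffic the server started: recursion, outbound AXFR, NOTIFY
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
# DNS: UDP for ordinary queries, TCP for truncated answers and zone transfers
-A INPUT -p udp ${dns_src}--dport 53 -j ACCEPT
-A INPUT -p tcp ${dns_src}--dport 53 --syn -j ACCEPT
# SSH only from the management network; the DROP policy handles everything else
-A INPUT -p tcp -s ${MGMT_NET} --dport 22 --syn -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
# rndc (TCP 953) is deliberately not opened; control it over SSH or loopback
COMMIT
EOF
}

# allows_port PROTO PORT [CLIENT_CIDR]: does the generated ruleset open PROTO/PORT?
allows_port() {
    bind_ruleset "${3:-}" | grep -q -- "-p $1 .*--dport $2 .*-j ACCEPT"
}

# Stand-alone use: print the ruleset, or "check PROTO PORT [CIDR]" to query it.
case "${1:-print}" in
    print) bind_ruleset "${2:-}" ;;
    check) allows_port "$2" "$3" "${4:-}" ;;
esac
```

If the server recurses for a LAN, pass that network (`bind_ruleset 10.0.0.0/8`) so it does not become an open resolver; an authoritative-only server can leave port 53 open to everyone. Port 953 (rndc) stays closed to the outside, and outbound is left open, which is what lets named send its own queries and zone transfers and receive the answers through the ESTABLISHED,RELATED rule.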



Security :: Iptables Configuration Causes Web Content To Be Delivered 'slow'

Apr 26, 2011

In December 2009 I switched my web-hosting package with 1and1 to their best VPS package. What a difference! At this time I knew absolutely NOTHING about Linux sysadmin stuff. Now that I know a little more, I run 'several' VPS instances (all with 1and1). Back to the problem then... On all my boxes I run CentOS 5.5 (Linux 2.6.18-028stab070.4) with various different versions of Plesk (9.5.2 and 10.2.0). The VPS instances themselves are on Virtuozzo nodes. As you may know, Virtuozzo has a firewall GUI allowing modification of iptables. I only use this when I make a mistake and cannot SSH. My 'original' iptables (the VZ chains are controlled by the Virtuozzo container):

Code:

Chain INPUT (policy DROP)
target prot opt source destination
VZ_INPUT all -- anywhere anywhere
Chain FORWARD (policy DROP)

[code]....

If this iptables chain limits the number of connections to 3 per second and 100 per second respectively, is this still secure, or is there no point in having this rule? If the rule is a good one to have, then how can I allow HTTP connections to bypass this chain/rule?

View 6 Replies
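An added example for the post above, not from the thread: a ruleset in which HTTP is accepted before the jump into a rate-limit chain, so the limit never sees web traffic, together with a check that verifies that order from iptables-save style text. The RATELIMIT chain and its 3/second, burst 100 numbers are my reading of the post, not its actual rules. One point worth knowing when judging such a rule: `-m limit` is a single token bucket shared by every source, so one noisy client exhausts it for everybody, while `-m hashlimit --hashlimit-mode srcip` gives each source address its own bucket.

```shell
#!/bin/sh
# Added example: HTTP accepted ahead of a rate-limit chain, plus an order check.
# The RATELIMIT chain and its numbers are assumptions, not the thread's rules.

# Ruleset in iptables-save format. Rules are evaluated top to bottom, so the
# port-80 ACCEPT must sit above the jump into RATELIMIT for HTTP to bypass it.
limited_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:RATELIMIT - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 80 --syn -j ACCEPT
-A INPUT -p tcp --syn -j RATELIMIT
-A INPUT -p tcp --dport 22 --syn -j ACCEPT
-A RATELIMIT -m hashlimit --hashlimit-name newconn --hashlimit-mode srcip --hashlimit-upto 3/second --hashlimit-burst 100 -j RETURN
-A RATELIMIT -j DROP
COMMIT
EOF
}

# rule_index PATTERN: 1-based position of the first INPUT rule on stdin that
# matches PATTERN; prints nothing when there is none.
rule_index() {
    grep -- '^-A INPUT ' | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

# http_bypasses_limit: reads a ruleset on stdin and succeeds only when the
# port-80 ACCEPT comes before the jump into RATELIMIT.
http_bypasses_limit() {
    rules=$(cat)
    http=$(printf '%s\n' "$rules" | rule_index '--dport 80 .*-j ACCEPT')
    limit=$(printf '%s\n' "$rules" | rule_index '-j RATELIMIT')
    [ -n "$http" ] && [ -n "$limit" ] && [ "$http" -lt "$limit" ]
}

# Stand-alone use: print the ruleset, or pipe a saved ruleset into "check".
case "${1:-print}" in
    print) limited_ruleset ;;
    check) http_bypasses_limit && echo "HTTP bypasses RATELIMIT" ;;
esac
```

To audit a live box, run `iptables-save | sh this-script.sh check`; the check only looks at the relative position of the two rules, which is exactly what decides whether the limit applies to HTTP.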

Server :: Hostname Configuration On BIND

Jan 2, 2010

I have read a lot of documentation, but it is still hard to find a proper answer to my doubts. About the hostnames in a domain, how is one associated with a particular port?

For example, when I type webmail.sparc86.net in the browser, I get redirected to port 20000 of this same domain. Fine, but how does it know it should be redirected to port 20000? From where is this information (the association webmail -> port 20000) taken? Apache will manage this, right? But what about other services like FTP? Another example: if I wrote my own software listening, let's say, on port 40000 and I wanted to have a domain like "mystuff.sparc86.net", how would I have it redirected to port 40000?

View 1 Replies

Server :: Manual Require For Bind Configuration?

Apr 17, 2010

I have really not succeeded in installing BIND. I installed RHL9. After installation, I want to confirm the name server using the dig command; also, I have problems using the dig command with different options.

View 1 Replies

Security :: Iptables State Module - Configuration Error / Not Enable Incoming Packets From Connections Initiated From Inside?

Mar 30, 2011

I have a server that I can only access via SSH (it's located far away), and I would like to secure it by blocking all ports except the ones that I need (which are HTTP and SSH). I still want to be able to make outgoing connections to enable software updates and other things. This is my iptables -L -n:

Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:21
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:23:79
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:81:65535
code....

In my opinion, this should block all incoming packets except the ones on ports 80 and 22, but allow responses to outgoing connections. But a wget http://google.com does not work; it can't establish the connection.

Maybe this is not the best style for iptables rules, but I want to be absolutely sure not to accidentally lock myself out of SSH, so I chose not to configure a "block-everything" rule.

Does this configuration not enable incoming packets from connections initiated from inside?

View 3 Replies

Server :: Iptables Configuration For UDP Flood?

Feb 21, 2011

Banning the IP is the best way to protect your server, but of course the attacker can use another IP and use a lot of your bandwidth until you find and ban the IP. So the only thing we can do to prevent this is block the packets with the iptables length module.

I check the bandwidth usage with "iftop". Incoming traffic is always about 120kb/second, and that has to be that way because the traffic enters my server; no doubt it gets dropped by iptables later.

What the DDoS (UDP flood) actually does is cause outbound traffic that eats up about 5mb/second easily, and my servers lag. Only if the IP is banned does the outbound traffic come to an end.

Now I want to use the length module to block it, but it just won't work. I've tried the following and shuffled them too, but no help.

Code:
iptables -I INPUT -p udp -m length --length 15 -j DROP
iptables -A INPUT -p udp -m length --length 15 -j DROP

Packet length is 15 according to tcpdump:

Code:
19:49:34.504864 IP fms-02.colt.net.belgamanagement.be.56413 > nyc.v1servers.com.20100: UDP, length 15

View 10 Replies
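An added example, not from the thread, showing why `--length 15` never matches the flood above. tcpdump's "UDP, length N" is the UDP payload size; the iptables length match compares the whole IPv4 datagram as carried in the IP header's Total Length field, which is IP header plus UDP header plus payload. Port 20100 is taken from the tcpdump line in the post; the sample line is that same line, copied here so the parser has something to run on.

```shell
#!/bin/sh
# Added example: turn a tcpdump "UDP, length N" into the value the iptables
# length match actually compares against (IP header + UDP header + payload).
IPV4_HDR=20   # IPv4 header without options
IPV6_HDR=40
UDP_HDR=8

# payload_len_from_tcpdump LINE: the UDP payload length printed by tcpdump,
# empty when the line is not a UDP summary
payload_len_from_tcpdump() {
    printf '%s\n' "$1" | sed -n 's/.*UDP, length \([0-9][0-9]*\).*/\1/p'
}

# ipv4_total_len PAYLOAD: datagram size the `-m length` match must be given
ipv4_total_len() { echo $(( IPV4_HDR + UDP_HDR + $1 )); }
ipv6_total_len() { echo $(( IPV6_HDR + UDP_HDR + $1 )); }

# udp_len_drop_rule PAYLOAD DPORT: the corrected rule. It is pinned to the
# flooded port so that other UDP services receiving 15-byte payloads stay up.
udp_len_drop_rule() {
    printf 'iptables -I INPUT -p udp --dport %s -m length --length %s -j DROP\n' \
        "$2" "$(ipv4_total_len "$1")"
}

# The line quoted in the post (copied, not invented), used as sample input.
SAMPLE='19:49:34.504864 IP fms-02.colt.net.belgamanagement.be.56413 > nyc.v1servers.com.20100: UDP, length 15'

payload=$(payload_len_from_tcpdump "$SAMPLE")
udp_len_drop_rule "$payload" 20100
```

Run stand-alone it prints the rule with `--length 43`. Dropping in INPUT does not reduce the 120kb/s that arrives on the wire (only an upstream filter can), but it does stop whatever listens on 20100 from answering each packet, and the post reports that the outbound burst ends as soon as the source is blocked, so the DROP is where the win is. A range such as `--length 43:60` catches small variations in the flood's payload.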

Security :: Iptables 192.168.1.x Server Can't Ping By 192.168.0.x

Jun 1, 2011

I have set the firewall for the CentOS server 192.168.1.21 like this.

it has a gateway of 192.168.1.2

iptables -P INPUT DROP
iptables -A INPUT --in-interface lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EB:91:00:01 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 80 -m mac --mac-source 00:0F:EB:91:00:01 -j ACCEPT

The MAC source is my laptop's MAC address. But when I try to ping from my laptop at 192.168.0.2 (my gateway is 192.168.0.1, but it shares the same server that has 3 network gateways, including the gateway for the CentOS box), it fails. What should I do to enable this ping? I also cannot connect to the CentOS server unless I change my IP to 192.168.1.x and use the same gateway as CentOS. Can someone suggest what I should modify in my firewall to enable connections to the CentOS server from my 192.168.0.2 laptop? Is that related to the NAT and FORWARD chains in the CentOS firewall?

View 2 Replies

General :: Bind Ip And Mac In Iptables?

Jul 28, 2010

I want to bind IP and MAC in iptables, and the script I gathered and am working on is as under:

#!/bin/sh
# Shell assignments take no spaces around "=": "IPTAB = ..." would run a
# command named IPTAB instead of setting a variable.
IPTAB="/sbin/iptables"
# space-separated lists, one MAC per IP in the same order (placeholders as posted)
macadds="xx:xx:xx:xx:xx:xx yy:yy:yy:yy:yy:yy zz:zz:zz:zz:zz:zz"
ipadds="aaa:aaa:a:a bbb:bbb:b:b ccc:ccc:c:c"

[code]....

When I run the above script, I get an error: "Bad argument yy:yy:yy:yy:yy:yy try iptables --for more information"

View 4 Replies
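An added example, not from either thread, serving the IP/MAC binding question above and the earlier CentOS post whose MAC-restricted rules cannot be reached from 192.168.0.2. It pairs each MAC with one IP and emits one rule per pair; the addresses and interface name are placeholders I chose. The "Bad argument yy:yy:..." message in the post is what iptables says when a whole list is expanded into a single --mac-source, so the loop below walks the two lists in step instead. One property of `-m mac` decides whether it can help at all: the MAC iptables sees is that of the last layer-2 hop, so a client on another subnet arrives with the router's MAC, and a rule naming the laptop's MAC can never match it. Hosts behind a router have to be admitted by IP or subnet without a MAC clause.

```shell
#!/bin/sh
# Added example: one ACCEPT per (IP, MAC) pair plus a closing DROP on the LAN
# interface. Lists are space-separated strings (POSIX sh has no arrays).
# Placeholders, not from the threads:
MACS="00:0f:eb:91:00:01 00:0f:eb:91:00:02 00:0f:eb:91:00:03"
IPS="192.168.1.10 192.168.1.11 192.168.1.12"
LAN_IF="eth0"

# mac_ip_rules: print the rules. Refuses to run when the two lists differ in
# length, because a silent mis-pairing would lock out the wrong host. The rules
# assume an earlier "-m state --state ESTABLISHED,RELATED -j ACCEPT" in INPUT.
mac_ip_rules() {
    set -- $MACS; n_mac=$#
    set -- $IPS;  n_ip=$#
    if [ "$n_mac" -ne "$n_ip" ]; then
        echo "mac_ip_rules: $n_mac MACs but $n_ip IPs" >&2
        return 1
    fi
    for mac in $MACS; do
        ip=$1; shift          # consume the IP that pairs with this MAC
        printf 'iptables -A INPUT -i %s -s %s -m mac --mac-source %s -j ACCEPT\n' \
            "$LAN_IF" "$ip" "$mac"
    done
    # a known IP carrying a foreign MAC, or an unknown IP, gets no further
    printf 'iptables -A INPUT -i %s -j DROP\n' "$LAN_IF"
}

mac_ip_rules
```

Run it and pipe the output through `sh` as root once the printed rules look right. For the 192.168.0.x laptop in the earlier post, a rule such as `-s 192.168.0.2 -p tcp --dport 22 -j ACCEPT` with no MAC match is the only form that can succeed, since the packet reaches the CentOS box with the gateway's MAC.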

Fedora Security :: Add A Rule In Iptables On Squid Server?

Mar 4, 2011

I am using Squid on my Fedora box as a proxy server. By default the iptables (firewall) service is on. To allow web pages to my client machines, I stop the iptables service.

#service iptables stop

By doing that, client computers start browsing. Kindly, how can I add a rule so that client computers work fine without stopping the firewall? My server IP address is 10.1.80.10.

View 3 Replies

Security :: IPtables And FTP When Server Listening On Non-Standard Port?

Nov 9, 2009

I'm using iptables with the ip_conntrack_ftp module to be able to use passive FTP. It works well as long as port 21 is being used as the listening port. Is there any way to make it work when I configure my FTP server (vsftpd) to listen on an alternative port, let's say 21001 or something? The helper module only seems to work properly with the standard port, so I was wondering whether there was a way to "tell it" that another port is being used. I mean, of course I make a rule in the firewall to allow traffic to the alternative port.

But once it's time to start the passive connection, the iptables module cannot handle it properly. I could solve the problem by making a range of passive ports in the FTP server configuration and allowing the incoming traffic to them, but then using helper modules doesn't make any sense. I just want to allow the traffic to the listening port and then have the ip_conntrack_ftp module take care of the rest. This is what I do today, but only port 21 seems to be working. Is there a way to do this with a non-standard FTP port?

View 5 Replies
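An added example, not from the thread: the FTP conntrack helper only parses control connections on the ports it was told about, and it takes that list from its `ports=` module parameter, so a non-standard listening port is a one-line modprobe option. Port 21001 is the one the post proposes; the module name depends on the kernel (ip_conntrack_ftp on the 2.6.18-era kernels of that time, nf_conntrack_ftp since), and the module name below is my choice. The second function is for newer kernels, where helpers are no longer attached automatically (the nf_conntrack_helper sysctl defaulted to 0 from 4.7 and was removed in 6.0) and the CT target in the raw table has to do it.

```shell
#!/bin/sh
# Added example: make the FTP conntrack helper watch a non-standard control port.
FTP_MODULE="nf_conntrack_ftp"   # ip_conntrack_ftp on 2.6.18-era kernels

# ftp_helper_modprobe PORT...: the modprobe option line. The parameter is a
# comma-separated list, so 21 can stay alongside the alternative port.
# Put the line in /etc/modprobe.d/ftp.conf (or /etc/modprobe.conf on CentOS 5)
# and reload the module.
ftp_helper_modprobe() {
    ports=$(IFS=,; printf '%s' "$*")
    printf 'options %s ports=%s\n' "$FTP_MODULE" "$ports"
}

# ftp_helper_ct_rules PORT...: argument lists for iptables(8), one per line.
# The raw-table rule attaches the helper to the control connection explicitly;
# the filter rules admit the control port and the RELATED data connection the
# helper predicts from the PASV/PORT exchange.
ftp_helper_ct_rules() {
    for p in "$@"; do
        printf '%s\n' "-t raw -A PREROUTING -p tcp --dport $p -j CT --helper ftp"
        printf '%s\n' "-A INPUT -p tcp --dport $p --syn -j ACCEPT"
    done
    printf '%s\n' "-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT"
}

# Stand-alone: show both for port 21 plus 21001.
ftp_helper_modprobe 21 21001
ftp_helper_ct_rules 21 21001
```

On CentOS/RHEL the module is loaded at firewall start by listing it in IPTABLES_MODULES in /etc/sysconfig/iptables-config; the `ports=` option still comes from the modprobe configuration. Once the helper tracks the control channel, no passive port range needs to be opened in the filter table.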

CentOS 5 Server :: Port Configuration - Being Blocked - Iptables And Connection

Jul 4, 2009

I have a fresh installation of CentOS 5 I'm using for a server, and I'm having issues with port configuration. I have iptables running, and it started with no /etc/sysconfig/iptables file. I added a few basic rules (port 53, port 10000 for Webmin), saved the file, and restarted the service. I tried connecting to Webmin, scanned ports, and traffic was blocked. I set iptables to allow all traffic and restarted the service, and it still showed basically every port as blocked. It seems ports 80 and 22 work for some reason, even when I tell iptables to block all ports.

I'm not sure what's going on here. iptables is reading the /etc/sysconfig/iptables file, and if I use lynx localhost:someport it responds as it should according to the file. However, if I try connecting by IP, it's like there's some other firewall or something running that does whatever it's configured to do.....

View 2 Replies

Server :: What Is Bind Vs Bind-chroot Vs Caching-nameserver?

Jul 8, 2011

What is bind vs bind-chroot vs caching-nameserver? What is the difference between each of them?

View 7 Replies

Security :: Iptables - Limit Access To Port 8443 On Server To 2 Specific IP Addresses

Dec 23, 2010

I'm trying to limit access to port 8443 on our server to 2 specific IP addresses. For some reason, access is still being allowed even though I drop all packets that aren't from the named IP addresses. The default policy is ACCEPT on the INPUT chain, and this is how we want to keep it for various reasons I won't get into here. Here's the output from iptables -vnL:

[Code]...

Note the actual IP we are using is masked here as 123.123.123.123. Until I can get everything working properly, we're only allowing access from 1 IP instead of 2. We can add the other one once it all works right. I haven't worked with iptables very much, so I'm quite confused about why packets matching the DROP criteria are still being allowed.

View 10 Replies

Debian Configuration :: Bind - Zone Configuration Error?

Apr 30, 2011

I have a problem with the configuration of the NS zone. I looked through the logs, and there it is:

Apr 28 21:20:19 szewczyk named[18340]: /etc/bind/db.domain.pl:1: no current owner name
Apr 28 21:20:19 szewczyk named[18340]: zone domain.pl/IN: loading from master file /etc/bind/db.domena.pl failed: no owner

[code]....

View 1 Replies

General :: Can't Add Zones With BIND Configuration GUI

Jul 23, 2010

Not sure why, but on one of my boxes I am having trouble adding a new zone with the BIND Configuration GUI. When I click New->Zone, it pops up a long form for me to fill out various things like .....

Cache Time To Live
Authoritative Name Server
Responsible Person E-mail
etc

I notice that on the working box, it populates the output of the "hostname" command into the "Authoritative Name Server" field. However, on the box that doesn't allow me to add new zones, it uses something like localhost.

View 6 Replies

Networking :: Bind 9.3.6 - P1 Installation And Configuration On OEL 5?

Feb 20, 2010

I am trying to install Bind 9.3.6 - P1 on OEL 5 Update 4 which is running on Oracle VM Server as Oracle Template OVM_EL5U4_X86_PVM_4GB

Requirement :

We have two different domains

1. abc.com
2. abc.co.in
Some of the Servers are in :
abc.com
xyz.abc.com def.abc.com
... and more
code....

When I tried creating the DNS server: dig worked on the server, but when I give the IP of the DNS server on another machine, it cannot resolve any IP or Internet address.

It gives the following message on nslookup:

DNS request timed out
timeout was 2 seconds
*** Can't find server name for the address 192.168.1.x: Time Out
*** Default servers are not available
Default Server: Unknown
Address: 192.168.1.x

View 1 Replies

Debian Configuration :: Migration To Bind 9.10 In Wheezy 7.1

Nov 13, 2015

I want to migrate to bind 9.10 in Debian wheezy. I don't want to take the source code from Debian Sid since it's an experimental version. So I have taken the source code from the official BIND site and compiled it in Debian wheezy. The compilation is successful, but I am having a problem running the binary in Debian wheezy. It's not honoring the binary even though I run it. I am not getting error messages on the console, but still it is not running.

I want to know whether it's feasible to do this, or is it dependent on any other system libraries to make it run?

Last few lines from Strace Dump
==============================

capget(0x20080522, 0, NULL) = 0
capget(0x20080522, 0, {0, CAP_CHOWN|CAP_DAC_READ_SEARCH|CAP_SETGID|CAP_SETUID|CAP_NET_BIND_SERVICE|CAP_SYS_CHROOT|CAP_SYS_RESOURCE, 0}) = 0
getuid() = 1007

[Code] .....

View 1 Replies

Debian Configuration :: Bind A Port To Interface

Jan 31, 2016

Is it possible, via iptables or something similar, to bind a service running on a specific port to a specific interface? My case: I use a VPN service for privacy. I would like to have all traffic except FTP and SSH run over tun0. Ports 21 and 22 will need to be accessible to the outside world (eth0) while the VPN is running.

View 3 Replies

Debian Configuration :: Bind - DHCP And DDNS ?

Jul 14, 2011

DHCP I have working, so is BIND.

I'm trying to get dynamic dns working and am having issues

I suspect this maybe a chroot issue.

I've tried to follow the chroot advice within the wiki for BIND, but no joy.

View 6 Replies

General :: Bind Configuration File Not Exist

Oct 31, 2010

I had installed the BIND packages, but the /etc/named.conf file is missing, as the installed packages are shown:

[root@nisserver ~]# yum list bind*
Loaded plugins: rhnplugin, security
This system is not registered with RHN.

[code]...

View 3 Replies

Software :: Weird Bind Configuration Error?

Mar 18, 2010

a zone file (db.example.edu.br) starts like this:

Code:
; BIND version named 8.4.6-REL-NOESW Tue Jan 25 19:11:36 UTC 2005
; BIND version lamont@mix:/build/lamont/bind-8.4.6/src/bin/named
; zone 'example.edu.br' last serial 200806011
; from [201.138.35.4].53 (local [201.138.35.15].51183) using AXFR at Wed Mar 12 18:44:01 2008
; NOT TSIG verified

[Code]...

View 2 Replies

Ubuntu Security :: Use Ufw/gufw To Bind Vpn Connection?

Aug 20, 2010

Is there a way to use the firewall to essentially lock certain programs like Firefox and Transmission to my VPN connection, so that in the event that my VPN connection goes down these programs do not use my default ISP Internet connection?

View 1 Replies
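An added example, not from either thread, serving the ufw/gufw question above and the earlier Debian post that wants SSH and FTP reachable on eth0 while everything else rides tun0. The first function is the per-user kill switch: run the programs that must stay on the VPN as a dedicated user and restrict that user's outbound packets to tun0 and loopback, so when the tunnel drops they are rejected instead of falling back to eth0. The owner match exists only in the OUTPUT chain and ufw's command line has no option for it, so these lines belong in the *filter section of /etc/ufw/before.rules or in a plain iptables script. The second function is the usual fix for inbound services on eth0 when the VPN owns the default route: a policy-routing rule keyed on eth0's own address sends the replies back out eth0. Interface names, user, addresses and the table number are placeholders I chose.

```shell
#!/bin/sh
# Added example: per-user VPN kill switch (OUTPUT owner match) and source-based
# reply routing for services that must stay reachable on eth0.
# Placeholders, not from the threads:
VPN_IF="tun0"
WAN_IF="eth0"
WAN_IP="198.51.100.7"      # eth0's own address
WAN_GW="198.51.100.1"      # eth0's upstream gateway
RT_TABLE=100

# vpn_only_rules USER: OUTPUT rules in iptables-restore format. Packets owned by
# USER may leave only via loopback or the tunnel; anything else (including DNS
# to an ISP resolver while the tunnel is down) is rejected, which is the point.
# Apply with "iptables-restore -n" so existing rules are kept.
vpn_only_rules() {
    cat <<EOF
*filter
-A OUTPUT -m owner --uid-owner $1 -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner $1 -o $VPN_IF -j ACCEPT
-A OUTPUT -m owner --uid-owner $1 -j REJECT --reject-with icmp-admin-prohibited
COMMIT
EOF
}

# wan_reply_routes: ip(8) commands. With the VPN's default route in the main
# table, replies to connections that arrived on eth0 would be sent into tun0
# with eth0's source address and never come back; this rule routes everything
# sourced from WAN_IP through a table whose default route is eth0's gateway.
# Passive FTP data connections are covered too, since they share that source.
wan_reply_routes() {
    cat <<EOF
ip route add default via $WAN_GW dev $WAN_IF table $RT_TABLE
ip rule add from $WAN_IP lookup $RT_TABLE
EOF
}

# Stand-alone: print both sets for a user named vpnuser.
vpn_only_rules vpnuser
wan_reply_routes
```

Start the locked programs with `sudo -u vpnuser firefox` (or a systemd unit with User=vpnuser) and point their resolver at the VPN's DNS; a resolver reachable only through eth0 will be rejected for that user by design. The kill switch says nothing about the OpenVPN process itself, which runs as a different user and therefore keeps its tunnel endpoint traffic.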

Security :: Racoon Address Bind Failure?

Mar 11, 2010

I did not use the below configuration in my racoon conf:

remote anonymous {
exchange_mode main;
lifetime time 1 hour;
proposal {
encryption_algorithm 3des;
hash_algorithm md5;

[Code]...

I've pruned your post from where you originally posted. In the future, please check the dates on threads which you're thinking about posting in. If you see they are dead (inactive for a few months or more) just let them rest in peace and start your own thread. You can always include links to reference the dead thread if you need to, as I've done here.

View 1 Replies

Debian Configuration :: Can't Bind Webcams To Exact Names

Jul 26, 2015

uname
Linux cam01 3.16.0-4-686-pae #1 SMP Debian 3.16.7-ckt9-3~deb8u1 (2015-04-24) i686 GNU/Linux
debian_version
8.0

I have three webcams, and after a reboot they change their /dev/videoX names from time to time.

My attempt to add .rules file to /etc/udev/rules.d was unsuccessful.

SUBSYSTEM=="video4linux", ATTRS{ID_SERIAL}=="046d_0825_4EE37780", SYMLINK+="video10"
SUBSYSTEM=="video4linux", ATTRS{ID_SERIAL}=="046d_0825_4B2AC690", SYMLINK+="video11"
SUBSYSTEM=="video4linux", ATTRS{ID_SERIAL}=="HD_WebCam_HD_WebCam", SYMLINK+="video12"
SUBSYSTEM=="video4linux", ATTRS{ID_SERIAL}=="046d_0825_4EE37780", SYMLINK+="mvideo10"
ATTRS{ID_SERIAL}=="046d_0825_4B2AC690", SYMLINK+="mvideo11"
SUBSYSTEM=="video4linux", ATTRS{ID_SERIAL}=="HD_WebCam_HD_WebCam", SYMLINK+="mvideo12"

View 4 Replies

Debian Configuration :: Setup A NFS4 Server (no Security, Local Home Network Behind FW)?

May 30, 2010

I'm trying to set up an NFS4 server (no security, local home network behind a FW). It seems that I'm missing something, because 'rpcinfo -p' does not list v4 for NFS:

petit-pois:/home/eric# rpcinfo -p

[Code]...

View 3 Replies

Security :: SELinux Allow Non Root User Bind To Port <1024?

Oct 24, 2010

My understanding is that SELinux adds type enforcement to standard Linux. This means that both the standard Linux and the enhanced SELinux access controls must be satisfied to access an object, which means that something that is prevented in normal standard Linux will also be prevented in the SELinux system? Does SELinux make it possible to run non-root software that binds to a port < 1024, something that standard Linux won't allow? If not, what other suggestions do you have for allowing a program to run as non-root but able to bind to privileged ports? I know all about using port redirection such as ipchains and iptables.

View 4 Replies

Ubuntu Security :: Configure AppArmor And Add Ability To Bind - Failed To Set Capabilities On File

May 18, 2011

I created an application which has to bind to a port less than 1024 and must be launched under a non-root user. OS: Ubuntu 10.04. Decision 1: Use a firewall to redirect packets. Problem: This decision is not good for me. I need a simple way to solve the problem. Decision 2: Use CAP_NET_BIND_SERVICE. Problem: My executable file is 2.7G in size. It is a very big application with a lot of debug info. The setcap command returns an error:

[code]...

View 1 Replies
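An added example, not from either thread, serving the SELinux question and the AppArmor/setcap question above. The kernel check for binding a port below 1024 is the capability CAP_NET_BIND_SERVICE; SELinux is purely subtractive, it can deny a domain a port it would otherwise get but never grants what DAC refuses, so the capability (or, on kernels 4.11 and later, the sysctl net.ipv4.ip_unprivileged_port_start) is the mechanism to use. The script below reads the capability masks the kernel publishes in /proc/PID/status and tells you whether a given process actually holds that capability, which is the check to run after `setcap` or after a daemon has dropped root; the capget lines in the bind 9.10 strace output earlier on this page show the same set as named keeps it.

```shell
#!/bin/sh
# Added example: does a process hold CAP_NET_BIND_SERVICE? Reads the CapXxx
# masks from /proc/PID/status; nothing here changes any capability.
CAP_NET_BIND_SERVICE=10   # bit number from linux/capability.h

# cap_bit_set HEXMASK BIT: is BIT set in a mask as printed by /proc/PID/status?
cap_bit_set() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# proc_has_cap PID FIELD BIT: FIELD is CapEff (what applies now), CapPrm,
# CapInh, CapBnd or CapAmb. Fails when the status file cannot be read.
proc_has_cap() {
    mask=$(awk -v f="$2:" '$1 == f { print $2 }' "/proc/$1/status" 2>/dev/null)
    [ -n "$mask" ] && cap_bit_set "$mask" "$3"
}

# Stand-alone: report on this shell, then on the PIDs given as arguments.
# A non-root shell normally shows an all-zero CapEff.
for pid in $$ "$@"; do
    if proc_has_cap "$pid" CapEff "$CAP_NET_BIND_SERVICE"; then
        echo "pid $pid holds CAP_NET_BIND_SERVICE in its effective set"
    else
        echo "pid $pid cannot bind privileged ports"
    fi
done
```

To let a binary bind a low port as an ordinary user, grant the file capability as root with `setcap cap_net_bind_service=+ep /path/to/binary` and confirm with `getcap /path/to/binary`; the capability is stored in the security.capability extended attribute, so the filesystem has to support xattrs. Run the program and check its PID with this script: CapEff must show bit 10 set, otherwise the bind will still fail with EACCES.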

Fedora Security :: Allow DNS In Iptables

Feb 1, 2009

I have been struggling with this for a very long time now. I have installed Fedora Core 9 on my computer. I have set it up as a caching nameserver, and this is working.

Then I wanted to secure my server with iptables, and I have so far made this script:

# Load the connection tracker kernel module
modprobe ip_conntrack
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP

[Code]....

I can reach the DNS server with ping. When trying nslookup, it says that it got SERVFAIL from 127.0.0.1, trying next server, and then it times out.

My resolv.conf file lists:

nameserver 127.0.0.1
nameserver DNS-server

View 13 Replies

Fedora Security :: Can't Get FTP Through Iptables

Dec 14, 2009

I'm pulling my hair out trying to get FTP to work through iptables. I'm using vsftpd.

Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

[code].....

View 3 Replies

Security :: Can't Zero Out Counters In Iptables

Feb 25, 2010

I have a problem with iptables; when I execute

[code]....

View 5 Replies

Copyrights 2005-15 www.BigResource.com, All rights reserved