Security :: Iptables - Limit Access To Port 8443 On Server To 2 Specific IP Addresses

Dec 23, 2010

I'm trying to limit access to port 8443 on our server to 2 specific IP addresses. For some reason, access is still being allowed even though I drop all packets that aren't from the named IP addresses. The default policy is ACCEPT on the INPUT chain and this is how we want to keep it for various reasons I wont get into here. Here's the output from iptables -vnL

[Code]...

Note the actual IP we are using is masked here with 123.123.123.123. Until I can get everything working properly, we're only allowing access from 1 IP instead of 2. We can add the other one once it all works right. I haven't worked with iptables very much. So I'm quite confused about why packets matching the DROP criteria are still being allowed.

View 10 Replies


ADVERTISEMENT

Security :: IPtables Port 25 Connection Limit Without Blocking Barracudas

Jan 11, 2011

I am at a loss how to prevent Denial of Service attacks to port 25 and not block legitimate connections from 2 Barracuda 800(s) and block smart phones such as iPhones/Blackberrys/iPhones that use the server smtp.server.com for email.
Presently for port 25
RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

The 2 Barracuda 800(s) make port 25 connections all the time, plus users with smart_phones have the incoming server type:
IMAP
pop.server.com
smtp.server.com

Is there a way to keep Denial of Service attacks from happening with iptables rules without causing blocking to the Barracuda(s) that make constant port 25 connections & smart phones that poll? I was thinking if I allowed the Barracuda(s) in these lines
-s (barracuda)24.xx.xx.xx -d (emailserver)24.00.xx.xx -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT

Where the source would be the Barracuda going to the email server. It would be allowed, then I am left with how to allow other connections like Smart_Phones that connect via Port 25. I am thinking if I put rules in place doing connection counts in a minute it would result in errors connecting to the server and people would start complaining. Plus any limiting may result in blocking real traffic. Then would I need to allow the ISP range in the above example to accept port 25, I am still left with how to drop a flood/denial of service attack.

View 4 Replies View Related

CentOS 5 :: After Updating To PHP53u - Cannot Access My Parallels Panel On Port 8443

Jul 21, 2011

After trying to upgrade to PHP53u on Centos 5.6 using the instruction here: [url], I've run into trouble.

I have 3 issues that I have identified so far:

1) After the upgrade I go this message:

2) This message when trying to access the site: Can't connect to local MySQL server through socket '/var/lib/mysql/mysql.sock' (2)

3) Cannot access my Parallels panel on port 8443.

View 1 Replies View Related

Server :: Internet Access Only For Specific IP Addresses In LAN

Feb 20, 2010

I have configured squid server and it is working fine. I want that only specific ip addresses in my LAN should be able to access internet and for that I have given these entries in access control lists in squid.conf file:

acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80
acl Safe_ports port 21
acl Safe_ports port 443
acl Safe_ports port 70
acl Safe_ports port 210
acl Safe_ports port 1025-65535
acl Safe_ports port 280
acl Safe_ports port 488
acl Safe_ports port 591
acl Safe_ports port 777
acl CONNECT method CONNECT
acl QUERY urlpath_regex cgi-bin ?
acl apache rep_header Server ^Apache
acl our_networks src 192.168.0.181/255.255.255.0 192.168.0.182/255.255.255.0

And in http access I have given this:
http_access allow our_networks
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access deny all

In this I want that only 192.168.0.181 and .182 should be able to access internet but Now the problem is that all the IPs in the LAN like 192.168.0.20 are also able to access internet. What changes I need to do to allow access to specific IP addresses. I am not using any firewall or iptables entries and i am manually changing in the firefox at client side to access internet.

View 3 Replies View Related

Security :: IPTABLES Port 8080 \ Still Cannot Access Through Ssh Nor Putty And It Doesn't Show Up When Netstat Either?

Jun 6, 2011

I'm trying to open port 8080 on my application server. I've included it in my iptables; however I still cannot access through ssh nor putty and it doesn't show up when I netstat either.Here is my iptables-config:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -s xxx.xx.x.0/24 -j ACCEPT

[code].....

View 7 Replies View Related

Security :: IPtables And FTP When Server Listening On Non-Standard Port?

Nov 9, 2009

I'm using iptables with modules ip_contrack_ftp to be able to use passive ftp. It works well as long as port 21 is being used as listening port. Is there any way to make it work when I configure my ftp server (vsftpd) to listen on an alternative port, lets say 21001 or something? The helper module only seems to be working properly with the standard port, so I was wondering whether there was a way to "tell it" that another port is being used? I mean, of course I make a rule in fw to allow traffic to the alternative port.

But once it's time to start passive connection, then the iptable module cannot handle it properly. I could solve the problem by making a range of passive ports in the ftp-server configuration and allow the incoming traffic to them, but then using helper modules doesn't make any sense. I just want to allow the traffic to the listening port and then want the ip_contrack_ftp module to take care of the rest. This is what I do today - but only port 21 seems to be working. Is there a way to do this with a non-standard ftp port?

View 5 Replies View Related

Server :: Iptables PREROUTING \ User Via Internet Access LinuxA Tcp Port 1935?

Oct 20, 2010

LinuxA & LinuxB
linuxA:eth0(10.1.1.1) connected linuxB:eth0 (10.1.1.2)
linuxA:eth1(202.1.20.45) connected internet

[code]....

View 2 Replies View Related

Security :: IPTABLES Apply Certain Rules To Certain Mac Addresses

Jul 11, 2010

so the firewall rules I am currently using are displayed below.

Code:

# DROP ALL FORWARDED PACKETS
iptables -P FORWARD DROP # DROP ALL PACKETS
# ALLOW DHCP THROUGH THE FIREWALL

[code]....

View 6 Replies View Related

Ubuntu Security :: Resolving IP Addresses In Iptables Logs?

Jan 19, 2010

whether iptables logs can be set to automatically resolve IP addresses? I am running the firewall on a network with DDNS/DHCP, and this ability would really help quickly identify hosts with suspect traffic.Failing this, I guess the simplest solution will be to simply set static addresses!

View 1 Replies View Related

Security :: Iptables: Verify Traffic On Port To Check If It Is Legitimate For That Port?

Apr 18, 2011

Is there any way to verify if packets being trafficked over a certain port are valid for the service you want to use this port for?

One obvious example that probably clarifies my question:
When I open port 443 (outgoing or incoming) for https/ssl traffic, I don't want this port to be used for say openvpn traffic.
Thus: when someone wants to surf to a website with https, it should be ok but if someone wants to connect to his home openvpn server over that same port, it should be blocked.

View 5 Replies View Related

Ubuntu Security :: Iptables Limit Module Not Working?

May 14, 2011

I'm trying to limit the number of the ICMP packets reaching my server, so I'm using the limit module of iptables, unfortunately it seems the limit I set is totally ignored as I can easily send tens of ICMP packets and get a reply in less than 0.3 second Quote:

m3xican@m3xtop:~$ sudo ping -i0 -c20 x.x.x.x 20 packets transmitted, 20 received, 0% packet loss, time 230ms
rtt min/avg/max/mdev = 184.969/185.895/189.732/1.301 ms, pipe 16, ipg/ewma 12.138/186.232 ms This is the rule I'm using to accept ICMP packets (default setting is DROP)

Code:
iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
And these are the kernel modules related to iptables
Code:
Module Size Used by
xt_limit 1382 0

[Code]...

View 5 Replies View Related

Security :: IPtables Limit SSH From Local Network To Internet

Feb 24, 2010

I have a linux firewall. I want to limit a ssh connection number from local network to internet .

Example :
Internal pc (192.168.0.10) start a ssh scan to the external (internet) host.

I want that iptables limit that host (192.168.0.10) and block ssh connection from this host at 3 attempt.

View 2 Replies View Related

General :: Configure Tomcat On Port 8443?

Apr 27, 2010

I am trying to configure tomcat on port 8443 using the following document [URL] instead of changing the port to 433 i kept it as 8443.i set the ip tables as follows

/sbin/iptables -A INPUT -i eth0 -p tcp --destination-port 8443 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -s 10.200.2.0/24 -p tcp --destination-port 8443 -j ACCEPT
service iptables save

restarted the tomcat service tomcat works on http://10.200.2.191:8080/ but it doesn't on https://10.200.2.191:8443 i did a little investigation of my own using nmap and found that the port 8443 is not open instead of making changes in the firewall table

View 1 Replies View Related

Ubuntu Security :: Limit Login Attempts For Specific User?

Jan 15, 2011

I'd like to limit login attempts for specific user. I've found information in manpages: [URL]but I'm not sure if this '@' is purposly there, so would be that correct?

Code:
aparaho - maxlogins 4
or
Code:
@aparaho - maxlogins 4

Maybe '@' is a group syntax? I'm confused.

What happens after 4 failed loggins? Is it enough to restart system to get another login attempts?

Are there any other values that it is reasonable to limit for safety reasons?

View 4 Replies View Related

Security :: Limit Incoming HTTP Bandwidth Usage With IPtables

Apr 5, 2011

Can I, with only the use of IPTABLES, limit the incoming bandwith for a protocol? We have for example servers that have a FTP and HTTP server running and whenever HTTP has a lot of connections open, the other uploads/downloads get a timeout. I know I can limit the number of connections but prefer to limit on protocol level. Is this possible using IPTABLES and if so, can someone indicate how to proceed or provide a link? If it's not possible can someone point me to the right tool for the job?

View 6 Replies View Related

General :: Setting Up Iptables For Traffic Forwarding On Port 80 From Specific Sources?

Jun 1, 2010

Im running a web server on port80, but i want traffic coming from ip 212.333.111.222 on port 80 to be fowarded to port 9020 on the same server that my web server is rinning at that is my sshd port

View 1 Replies View Related

Ubuntu Security :: Firewall Can Install Only Let Certain MAC Addresses Through On Certain Port?

Jul 25, 2010

Is there a firewall I can install that will only let certain MAC addresses through on a certain port?

View 2 Replies View Related

Fedora Security :: Iptables Allowing Specific Ip's?

Dec 8, 2009

i've got a few questions about iptables. i know how to set up ip tables to only allow from an ip address or a subnetting ip addresses. question is how do i allow from 2 different networks? would i need to create 2 lines of entry in iptables to the same port? e: allow 10.168.1.1 and 196.168.1.1 on port 22 is there a way to put all that in 1 line or would i need to create to rules for the port? i know i can use the ssh allow or deny but i'd like to stop access even before it gets to the ssh. stop it at the source kinda thing.

View 4 Replies View Related

Security :: Setting Up A Specific Rule Using Iptables?

Apr 5, 2011

My firewall , wich is an Ubuntu server 10.10 , have 3 interfaces:

eth0(192.168.0.254):linked to the DMZ
eth1(192.168.1.254):linked to the LAN
eth3(212.217.0.1):linked to the Internet

-The DMZ have one web server with a static address (192.168.0.1).

-My LAN address range is (192.168.1.2-192.168.1.100) managed by a DHCP server in the same firwall machine.

There are some of the rules that I need to set up :

-Allow HTTP between the LAN and the internet

-Allow HTTP between the web server in the DMZ, and the internet.

Is there a way to tell the firewall , to redirect all incoming HTTP requests only to the web server in the DMZ ?

View 4 Replies View Related

Security :: Limit Number Of Connections For Single Ip On Port 80 To CentOS 5.5

Sep 5, 2010

How to number of connections for a single ip on port 80 to CentOS 5.5 with iptables? connlimit did not work on CentOS and nginx does not provide a module for that

View 4 Replies View Related

Server :: Bind Apache To Specific IP Addresses?

Nov 28, 2010

I have the following in my httpd.conf file

Code:
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive. Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
#Listen 12.34.56.78:80 Listen 80

And when I try to start the server, I get the following

Code:
(98)Address already in use: make_sock: could not bind to address 0.0.0.0:80. I did have an Apache web server up and running about 6 or 7 years ago - but seem to have lost everything

View 4 Replies View Related

Server :: IPtables And TC - Limit To 1.5Mbps

Dec 27, 2010

Does anyone know a simple out of the box option to limit traffic by IP with iptables? Output to each connected IP should be limited to to 1.5Mbps but I don;t want to limit incoming connections from the web. Ideally something with a tutorial because the LARC papers and stuff are impossible to read. For example, the user connects by VPN and requests the webpage [URL]. This should be sent to them at 1.5Mbs but if user 2 connects to [URL], this should also be sent at 1.5Mbps but the incoming ..... connection needs to be allowed to be unlimited to prevent incoming throttling..

View 3 Replies View Related

Server :: If Forward A Port In Iptables, Does The Port Have To Be Open On The Firewall

Aug 5, 2009

If I forward port 80 to port 3128 for squid with an iptable rule, does port 3128 have to be open on the firewall or is this all routed behind the firewall?

View 4 Replies View Related

Server :: IPtables And TC To Limit Network Speed

May 14, 2010

I am trying to limit bandwidth of certain ip addresses on my server. I have been doing hours of reading and not getting very far... So far I believe the iptables command is

ptables -A PREROUTING -s 178.33.23.44 -t mangle -j MARK --set-mark 2
ptables -A PREROUTING -s 178.33.23.45 -t mangle -j MARK --set-mark 2
ptables -A PREROUTING -s 178.33.23.46 -t mangle -j MARK --set-mark 2
ptables -A PREROUTING -s 178.33.23.47 -t mangle -j MARK --set-mark 2

and now I just need the tc command to read those marks and limit bandwidth, I have a gigabit connection and would like to limit each of these ip addresses to 10mbit in and out.

View 2 Replies View Related

Server :: Limit User To Their Mailbox In Specific Size?

Sep 13, 2010

How can i limit user to their mailbox in specific size.

View 2 Replies View Related

Ubuntu Security :: Iptables Port 25 Is Open

Feb 28, 2011

I've recently installed 10.10 server edition, and I must say it was a pleasant suprise, it's just the way I like it. I use it as a squeezebox-server. But I've run into a problem with the firewall. I did a portscan, which told me there are more ports open then I've told UFW to open. Among which port 25 and 119, when I telnet from another PC to those ports, the connection gets accepted, although there is no answer to any commands (as expected, there's no mail server running). Iptables print-outs also don't mention anything about the respective ports or a daemon that could be responsable, and the same applies to "ps -e" or "ps aux".

Iptables seems to be working, when I remove the rules to allow samba to work, I can't reach the shares, and when I insert them again I can reach the shares. "sudo ufw deny from any" as last rule doesn't change anything either (deny incoming is default (although I never issued the command "ufw status verbose" says it is) so it shouldn't, but ports 25 and 119 shouldn't be open either).

View 2 Replies View Related

Security :: Iptables Not Opening Port On Centos?

Dec 24, 2010

I'm trying to open port 119. I already have a few ports open. I've used webmin to open both incoming and outgoing ports. iptables --list --numeric gives me:

Code:
...
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:10000

[code]....

View 4 Replies View Related

Security :: Port Mapping On A Machine Using Iptables?

Jan 9, 2010

I want to do port mapping on a linux machine using iptables.I have a service listeneing on port 2000 udp and I want to add iptables rule, which will map incoming packets on port 2001 to port 2000, so that service will accept the connections.The idea is that I don't want to change the default port for the service, but to make internal port redirection from (2001 to 2000), so the default service port will be filtered by iptables, and the other port will be open to the outside. The internet host connects to the linux machine on port 2001. The linux machine change destiation port from 2001 to 2000 and the service (on the same machine) process the packets and accepts the connection.I tried adding the following to my iptables rules, but it didn't work out:

$IPTABLES -A FORWARD -p udp --destination-port 2001 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i eth0 -p udp --dport 2001 -j REDIRECT --to-port 2000

View 6 Replies View Related

Ubuntu Security :: Iptables Not Allowing Port Forwarding

Sep 5, 2010

I've got two virtual machines running, the first VM (VM1) has two network interfaces, one bridged with my real lan, one a private subnet. The second VM (VM2) has one nic, only on the private subnet.

I have VM1 acting as a router for VM2, giving access to my real lan for internet access. The problem I'm having is I cannot get VM1 to forward ports 80 (http) or 222 (ssh) to VM2 from my real lan.

Here is the script I've cobbled together from various (foreshadowing!) locations:

Code:

View 1 Replies View Related

Ubuntu Security :: Iptables, Block Port Except For Eth0

May 24, 2011

I would like to allow incoming and outgoing connections when I'm connected to a wired connection, but drop it otherwise. I noticed that ufw can't block outgoing traffic because of will I give iptables a try. I'm unsure if dropping packages that are outgoing will work, the rule after the block rule will allow all outgoing connections.

This what the rules are intended to do, unsure if that is actually the case. Allow all loopback traffic. Allow ping replys Allow incoming on port 12345 if eth0, deny otherwise. Allow outgoing on port 12346 if eth0, deny otherwise.

Code:
iptables -A FORWARD -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 0 -s -m state --state ESTABLISHED,RELATED -j ACCEPT

[Code]....

View 3 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved