Security :: Iptables Requirement \ Package Passed Through Masquerade Don't Pass Through The Prerouting Rule?
Nov 26, 2010
The iptables has every rule set correctly, the users in the subnet works great, but I have the following issue.every user connect to a mysql running on the internet through the port 3306, the forward and masquerade do the job. Now I have a user in the outside, and he wants to connect to a mysql in a certain machine (Not the gateway), prerouting rules solve my problems, but all the packages from the inside users goes now to that certain machine. I would like something like if the package passed trough masquerade don't pass trough the prerouting rule, and if it come from the outside (Not a package that come from a petition from the inside) pass trough the prerouting rule.
View 6 Replies
ADVERTISEMENT
Jul 16, 2010
Question (and Google results aren't making this clear): Ubuntu has both iptables & ip6tables installed. 1. If I set a rule in iptables, does that rule also apply to ipv6, or just ipv4?
2. If "no" to above, then it would be prudent to *also* set ip6tables rules as well if I want to maintain an active firewall, correct?
3. Does ip6tables rules have the same syntax and behavior (more or less) to iptables rules - i.e. can I just copy my iptables rules & change "iptables" to "ip6tables"?
4. Any gotchas or issues that I should be aware of?
View 9 Replies
View Related
Dec 13, 2009
I've got two routers, 10.0.0.0/23 and 192.168.2.0/24, which are joined by a Linux box with interfaces eth0 (10.0.0.2) and ra0 (192.168.2.2). I've got masquerading for ra0, and a route to 192.168.2.0/24 on 10.0.0.0's router. I CAN ping hosts on 192.168.2.0 from 10.0.0.0 just fine, but I CANNOT access web pages.Strangely, If I enable masquerading on eth0, and add a route to 192.168.2.0s router to 10.0.0.0, I can ping AND access web pages from 192.168.2.0Here is my current iptables
Code:
*filter
:INPUT ACCEPT [0:0]
[code]...
View 14 Replies
View Related
Dec 20, 2010
I guess this is the right place to put questions about iptables, so forgive me if it is not.I have a MySQL database which I need to allow connections to: 1 - the internal network; 2 - the web server (Apache) connections;3 - A user who is out of this network in a range of dynamic IP.Let's suppose the range IP for this user is 179.4.247.0-179.4.247.254 and the server; where is MySQl and Apache is 60.22.30.232. This user will use the windows client MySQL tool to make connections into this database.
So I think these rule below allow connections to the internal network and apache:
iptables -A INPUT -i eth0 -m state state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state state ESTABLISHED,RELATED -j ACCEPT
[code]....
View 8 Replies
View Related
Apr 5, 2011
My firewall , wich is an Ubuntu server 10.10 , have 3 interfaces:
eth0(192.168.0.254):linked to the DMZ
eth1(192.168.1.254):linked to the LAN
eth3(212.217.0.1):linked to the Internet
-The DMZ have one web server with a static address (192.168.0.1).
-My LAN address range is (192.168.1.2-192.168.1.100) managed by a DHCP server in the same firwall machine.
There are some of the rules that I need to set up :
-Allow HTTP between the LAN and the internet
-Allow HTTP between the web server in the DMZ, and the internet.
Is there a way to tell the firewall , to redirect all incoming HTTP requests only to the web server in the DMZ ?
View 4 Replies
View Related
Mar 4, 2011
I am using squid on my fedora box as a proxy server.By default the iptables (Firewall) service is on.To allow web pages to my client machines i stop the iptable service.
#service iptables stop
By doing it client computers start browsing.kindly how can I add a rule so that without stoping firewall client compter work fine.my perver IP address is 10.1.80.10
View 3 Replies
View Related
Feb 23, 2010
I'm not an iptables expert. Anybody know how to create a rule/chain that will log info similar to what tcpdump -s0 would do?
View 3 Replies
View Related
Jan 3, 2011
how can i drop igmp port 0 packets with iptables rule? my log file is full of this router advertisement.
View 2 Replies
View Related
Feb 18, 2010
I was trying to setup port forwarding on my setup. My network consists of:
Code:
[Server: xxx.xxx.xxx.15]
|
|
[ switch ]
[code]....
I ran the following 2 commands:
# iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination xxx.xxx.xxx.15:80
# iptables -A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
Yet I am unable to connect. Are these the correct commands? I am using IP Masquedering on the same box using the following commands:
Code:
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
[code]....
I don't think there is a hidden firewall in the switch but if these commands are correct, then I may need to contact my ISP and see if they are blocking the commands. I just wanted to make sure I was not doing some stupid mistake before I try to contact my ISP.
EDIT: Also, is it possible to forward Port 80 requests to different servers depending on the hostname used to connect, so say [URL] redirects to server xxx.xxx.xxx.15 while hhh.com redirects to xxx.xxx.xxx.16?
View 3 Replies
View Related
May 29, 2011
If I add a rule to iptables:
Code:
iptables -t nat -A POSTROUTING -o eth4 -j MASQUERADE
it does not get removed when I try to clear all the rules:
[code]...
View 4 Replies
View Related
Oct 31, 2009
Im new to fedora 11 and iptables, and i need to set the following set of instruction so VirtuaBox can accept request from lan, to the mailServer in the guest os, but after restart fedora i have to input it all again.How can it become permanent entry in iptables.
View 2 Replies
View Related
Oct 20, 2010
LinuxA & LinuxB
linuxA:eth0(10.1.1.1) connected linuxB:eth0 (10.1.1.2)
linuxA:eth1(202.1.20.45) connected internet
[code]....
View 2 Replies
View Related
May 26, 2010
I'm running IPF on solaris 10 Note :i believe the idea will be the same it doesn't matter either its linux or solaris
Code:
bash-3.00# ipf -V #display ipf version
ipf: IP Filter: v4.1.9 (592)
[code]....
View 9 Replies
View Related
Jul 29, 2009
i'm new in linux world i would like to know how can i add the rtp protocol to my iptables rule for Netfilter firewall,but without installing the asterisk server
View 1 Replies
View Related
Dec 7, 2010
Unsure about IP tables lingo, so excuse me for not looking this up:I have a server, running IP tables, that I do not want to allow any type of outgoing traffic to 192.168.1.21
View 3 Replies
View Related
Feb 23, 2010
I'm looking for a way to add a rule that would whitelist my ip address when I login with SSH. I can grab the IP out of the SSH_CONNECTION variable, however I'm not sure how I could add it into iptables with my non-root privileged user. I've got root access, but I want the process to be automatic. I considered sudo, however I don't want normal users to be able to modify anything about iptables, though perhaps there is a trick about it that I don't know which would only allow it in the /etc/profile or the like
View 3 Replies
View Related
Apr 20, 2010
Do I have to create a rule for:
Code:
$IPT -A fwalert -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW $RLIMIT -j LOG $LOGLIMIT --log-tcp-options --log-level 4 --log-prefix
to drop rather than log if my table has a default policy of drop with :
Code:
$IPT -t fwalert -P DROP
View 3 Replies
View Related
Jan 10, 2011
Loaded up Centos 5.5 final. Configured iptables to block regions of the world based on networks. An example would be:
-A INPUT -s 139.82.0.0/16 -j DROP
My /etc/sysconfig/iptables file contains about 10k entries like this. If I use this, the machine lags hardcore network wise.
View 3 Replies
View Related
May 18, 2010
This isn't exactly of critical importance, but is there any way to block two entirely different addresses in the one rule, rather than writing individual rules for each of them? For example, if the addresses were 1.1.1.1 and 8.8.8.8, and I only wanted to block these two.
Or alternatively, if I wanted to block two subnets, say 1.1.1.0/24 and 8.8.8.0/24? Can this be done in one rule?
View 2 Replies
View Related
Oct 29, 2010
my iptables Policy is Drop..my server ports is open just for httpd,ssh .Is there any rule which can allow all connection from a specific program for ex. i want to scan an ip Address ports.as you know nmap connect to every known port to see if that is open or not so, if i want to allow nmap to connect, i need to include all ports for that, or i can allow connection from localhost to outside in all ports .my server is very secure . i dont want other programs (probably a backdoor) use those ports to connect outside i want to know is there any ability in iptables which can rule connections by name of program like "Allow any Connection from /usr/bin/nmap to everywhere " ?
View 2 Replies
View Related
Mar 22, 2011
I have configured a sendmail MTA for incoming mails in a network and by using IPtables i have redirected the traffic internally to other port where one more SMTP by a application is running.Iptables rule:iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPTiptables -A PREROUTING -t nat -i eth0 -p tcp --dport 25 -j REDIRECT --to-port 25000My sendmail config is as below.
Sendmail.mc
define(`SMART_HOST', `relay:host.subdomain.mydomain.com')dnl
dnl # define(`RELAY_MAILER',`esmtp')dnl
[code]...
View 11 Replies
View Related
Apr 7, 2010
When running MUTT on a RHEL 5.4 box, I get the message:
------------------------------------------------------
Server certificate has expired
This certificate belongs to:
localhost.localdomain
Unknown
SomeOrganization
SomeOrganizationalUnit
[URL]
I choose "accept always", but the same message appears next time. I do not wish to have a certificate requirement for MUTT and did not intentionally set the program up to include this feature. How can I get rid of it? My second choice would be to get a new certificate, but then I have to go through this every year. I have MUTT working on two other servers and this does not happen.
View 3 Replies
View Related
Jun 6, 2010
I am new to iptables. The setup tool on a VPS doesn't work. So, I am learning to insert rules. I have inserted so many and some of them show as duplicates now.
1- I want to know how to remove the duplicates. Is there a file that these rules are store in so I can go in and easily edit it?
2- Is there any other utility that handles firewall in Linux that I am unaware of? or is the iptables the ultimate door guard? This is a plain install of CentOS.
3- Since I believe I opened port 5090 but I think it still might be blocked, could SELINUX be the problem? How can I get my way around setting it to permissive or disable if I don't have access to "setup" command?
4- What is the order of iptables reading? does rule #1 supersede all other rules? or does the last rule supersede all rules prior to it?
5- Do the rules below make a fairly safe system? (except for the duplicates which should be remove) I understand that a safe system is dependent also on the applications that are allowed in this category and I am not talking about those. I am talking about dropping all other inquiries and in general is this how iptables are setup? This is what I currently have:
[root@tel ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
[Code]...
View 2 Replies
View Related
Nov 16, 2010
Trying to setup my box as a router on Ubuntu 10.04. When trying to setup a NAT rule in iptables 1.4.4 like so:
Code:
sudo iptables --table NAT --append POSTROUTING -o eth0 -j MASQUERADE
I keep getting:
Code:
Can't initialize iptables table 'NAT': Table does not exist (do you need to insmod?)
Looking at lsmod, it doesn't look like I have anything NAT related loaded ( I just have iptable_filter, ip_tables, and x_table ). Doing a locate nat, I find a module that looks like it should work. I'm running 10.04.1 LTS - Kernel is 2.6.32-25-generic #45-Ubuntu SMP and it is pretty much stock - haven't done anything fancy... this module looks promising:
Code:
/lib/modules/2.6.32-25-generic/kernel/net/ipv4/netfilter/iptable_nat.ko
but loading it and I get:
Code:
-1 Unknown symbol in module
View 1 Replies
View Related
Jul 19, 2010
Currently I'm looking into implementing mod_security on all our apache servers. The installation on CentOS 5.5 comes directly with the "Core Rule Set" by the mod_security devs (curiously Debian and Ubuntu do not carry these) They also offer the Enhanced Rule Set for mod_security in a commercial package [URL] The main point there in their info link is the first point
Quote:
Tracking Credit Card Usage as required by the Payment Card Industry Data Security Standard However acc. to this wiki article ( http://en.wikipedia.org/wiki/Payment...urity_Standard ) that specific requirement isn't stated anywhere, as well as my colleague who's working on the PCI-DSS compliance for our code/servers/etc. mentioned that he hasn't heard of this specific requirement either. So my question would be if anyone has any experience with their ERS package and if it's needed for the PCI-DSS compliance compared to the requirements given in bullet points @ wiki article.
View 2 Replies
View Related
Jul 23, 2011
after upgrading ClamAV to version 0.97.1 and run the command Code: clamscan -r -i / --exclude-dir=^/sys --exclude-dir=^/dev --exclude-dir=^/proc | mail -s "clamav scan report XYSERVER" xy@mail.com the following errors appeared:
[Code].....
View 3 Replies
View Related
May 8, 2011
I have 3 network interfaces on my Linux Router :
Interface - Gateway - Type
Code:
br0 - 192.168.0.1 - Internet
eth2 - 192.168.1.1 - LAN
tun0 - 10.0.0.2 - VPN (via br0)
What I'd like to do is to route all TCP packets coming from eth2 to tun0 where a VPN client is running on 10.0.0.2. If I delete all default routes and if I add a new route to tun0 like :
Code:
route del default
route add default gw 10.0.0.2
Everything is fine, and everyone on eth2 can reach the Internet using the VPN access. Now the problem is that my VPN client does not allow any other protocols other than TCP. And I also want to allow VPN access only to eth2, no other LAN nor the router itself. use iptables to filter any TCP packets and mark them, so they can be sent to tun0, while any other packets can reach the Internet via br0 (192.168.0.1). I found on the Internet that we can mark packets before they get routed. Using the following commands :
Code:
iptables -t mangle -A PREROUTING -j MARK --set-mark 85 -i eth2 -p tcp --dport 80
ip route add table 300 default via 10.0.0.2 dev tun0
ip rule add fwmark 0x55 table 300
First of all, --dport 80 never work... :/ I wanted to filter TCP 80 packets coming from eth2, but none of them seems to be HTTP packets... oO (very strange...). Nevermind, I decided to forget about the --dport option. I use the "iptables -L -v -t mangle" command to see how many packets are marked, and it is working fine, all TCP packets coming from eth2 are marked. Now the problem is that none of them are routed to tun0 they are all respecting the "route -n" rules... and not the "table 300" rule I have created.
View 4 Replies
View Related
Jul 23, 2011
For example, can I write something to the effect: block all outbound UDP connections over port 53 except those going to IP 123.456.789. Or stated another way: Block outbound to port 53/udp NOT going to ip address 123.454.678Is it possible to do this? How would I write the argument?
View 3 Replies
View Related
Sep 1, 2011
I need help creating an iptable rule. The iptables are installed on my router. My router also connects to a "hide my a**" vpn account
at 79.142.65.5:443 The goal is to somehow force the traffic to go through the vpn, because what sometimes happens is, the vpn connection drops (for what ever reason) and my real ip becomes exposed. Basically, I want to block "myself" from accessing the Internet when not connected to the vpn because of privacy concerns.
Below is my iptables. It has the 3 default chains and it also has many custom user chains. I need to know what kind of a rule to add, What interface to apply it to (lo,tun0,br-lan,eth1) and the correct chain to insert into.For example, you could tell me something like:
Quote:
FORWARD chain, change rule 1 to
iptables -R FORWARD 1 -j zone_wan_MSSFIX -p tcp --destination-port 443 -i eth1
Obviously, That was just a guess, I need someone that knows iptables to help me.
Code:
Chain INPUT (Policy: ACCEPT)
Rule # Traffic Target Prot In Out Source Destination Options
Rule 1 72.95 KB DROP all * * 0.0.0.0/0 0.0.0.0/0 state INVALID
Rule 2 1.11 GB ACCEPT all * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
[code].....
View 3 Replies
View Related
Nov 17, 2010
I'am using the explicit match 'quota' with iptables. I wonder how can I save quota between restart for every rule. All the quota resets at reboot.
View 1 Replies
View Related
