Security :: Setting Up A Specific Rule Using Iptables?
Apr 5, 2011
My firewall, which is an Ubuntu server 10.10, has 3 interfaces:
eth0 (192.168.0.254): linked to the DMZ
eth1 (192.168.1.254): linked to the LAN
eth3 (212.217.0.1): linked to the Internet
- The DMZ has one web server with a static address (192.168.0.1).
- My LAN address range is (192.168.1.2-192.168.1.100), managed by a DHCP server on the same firewall machine.
These are some of the rules that I need to set up:
- Allow HTTP between the LAN and the internet
- Allow HTTP between the web server in the DMZ and the internet.
Is there a way to tell the firewall to redirect all incoming HTTP requests only to the web server in the DMZ?
View 4 Replies
Jul 16, 2010
Question (and Google results aren't making this clear): Ubuntu has both iptables & ip6tables installed.
1. If I set a rule in iptables, does that rule also apply to ipv6, or just ipv4?
2. If "no" to above, then it would be prudent to *also* set ip6tables rules as well if I want to maintain an active firewall, correct?
3. Do ip6tables rules have the same syntax and behavior (more or less) as iptables rules - i.e. can I just copy my iptables rules & change "iptables" to "ip6tables"?
4. Any gotchas or issues that I should be aware of?
View 9 Replies
Dec 20, 2010
I guess this is the right place to put questions about iptables, so forgive me if it is not. I have a MySQL database which I need to allow connections to: 1 - the internal network; 2 - the web server (Apache) connections; 3 - a user who is outside this network, in a range of dynamic IPs. Let's suppose the IP range for this user is 179.4.247.0-179.4.247.254 and the server, where MySQL and Apache are, is 60.22.30.232. This user will use the Windows client MySQL tool to make connections to this database.
So I think these rules below allow connections to the internal network and Apache:
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
[code]....
View 8 Replies
Mar 4, 2011
I am using squid on my Fedora box as a proxy server. By default the iptables (firewall) service is on. To allow web pages to my client machines I stop the iptables service.
#service iptables stop
By doing this, client computers start browsing. Kindly, how can I add a rule so that client computers work fine without stopping the firewall? My server IP address is 10.1.80.10
View 3 Replies
Feb 23, 2010
I'm not an iptables expert. Anybody know how to create a rule/chain that will log info similar to what tcpdump -s0 would do?
View 3 Replies
Apr 21, 2010
Just wanted input for this script I have cobbled together. It's not done yet. I am trying to think of ways to close up my outgoing while maintaining full functionality of my laptop (irc, web stuff, a torrent or two, etc.). Anyways, I have done some myself, as well as pulling bits and pieces from other stuff out on the web. I am starting to wonder why I have to write a specific rule to check for spoofed packets if my default input is set to drop. Wouldn't it be caught?
Code:
#!/bin/bash
### Laptop + Desktop: No Forwarding firewall ip4 / ip6
### Distro > Debian / Ubuntu.
### oliverteasley@gmail.com
[Code]....
View 12 Replies
Jan 3, 2011
How can I drop igmp port 0 packets with an iptables rule? My log file is full of this router advertisement.
View 2 Replies
Nov 26, 2010
The iptables has every rule set correctly and the users in the subnet work great, but I have the following issue. Every user connects to a MySQL running on the internet through port 3306; the forward and masquerade do the job. Now I have a user on the outside, and he wants to connect to a MySQL on a certain machine (not the gateway). Prerouting rules solve my problem, but all the packages from the inside users now go to that certain machine. I would like something like: if the package passed through masquerade, it doesn't pass through the prerouting rule, and if it comes from the outside (not a package that comes from a petition from the inside), it passes through the prerouting rule.
View 6 Replies
Jun 1, 2010
I'm running a web server on port 80, but I want traffic coming from IP 212.333.111.222 on port 80 to be forwarded to port 9020 on the same server that my web server is running on; that is my sshd port.
View 1 Replies
Dec 8, 2009
I've got a few questions about iptables. I know how to set up iptables to only allow from an IP address or a subnet of IP addresses. The question is, how do I allow from 2 different networks? Would I need to create 2 lines of entry in iptables for the same port? I.e.: allow 10.168.1.1 and 196.168.1.1 on port 22. Is there a way to put all that in 1 line, or would I need to create two rules for the port? I know I can use the ssh allow or deny, but I'd like to stop access even before it gets to ssh. Stop it at the source, kinda thing.
View 4 Replies
Feb 21, 2011
After discovering that the firewall was wide open I decided to finally study the iptables docs and learn how to add rules. Now, I've not yet finished reading guides and documentation but I'd like some advice before I set the default policy on the input chain to deny. I have added a permissive rule for the loopback adapter so that programs that use it do not become mute suddenly. I will also use netstat to see what ports to open for each program that connects to the internet. I'm not that interested in what ports to open but how to find what ports to open.
View 3 Replies
Jan 27, 2011
I am setting my firewall rules using the command iptables. My question is: I want to know what command I can use that lists rules 2 and 3, for instance, in my table? I want to create a rule such that: the host is administered using SSH, scp and sftp, so allow incoming SSH traffic and securing remote file copying and transferring.
View 2 Replies
Dec 23, 2010
I'm trying to limit access to port 8443 on our server to 2 specific IP addresses. For some reason, access is still being allowed even though I drop all packets that aren't from the named IP addresses. The default policy is ACCEPT on the INPUT chain and this is how we want to keep it for various reasons I won't get into here. Here's the output from iptables -vnL
[Code]...
Note the actual IP we are using is masked here with 123.123.123.123. Until I can get everything working properly, we're only allowing access from 1 IP instead of 2. We can add the other one once it all works right. I haven't worked with iptables very much. So I'm quite confused about why packets matching the DROP criteria are still being allowed.
View 10 Replies
May 26, 2011
Can anyone advise the best practice for installing and setting up iptables on U 8.04 LTS? Currently iptables is neither installed as a package nor included as a kernel module.
View 2 Replies
Jun 30, 2010
I've read the instructions about setting up iptables rules to filter all ports except HTTP, SSH, FTP. I am required to first remove all default iptables rules and set the default rules of all chains to DROP:
# Set default-deny policies for all three default chains
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
Then allow only some ports:
#Accept inbound packets that are part of previously-OK'ed sessions
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
# Accept inbound packets which initiate SSH sessions
$IPTABLES -A INPUT -p tcp -j ACCEPT --dport 22 -m state --state NEW
# Accept inbound packets which initiate FTP sessions
$IPTABLES -A INPUT -p tcp -j ACCEPT --dport 21 -m state --state NEW
# Accept inbound packets which initiate HTTP sessions
$IPTABLES -A INPUT -p tcp -j ACCEPT --dport 80 -m state --state NEW
# Log anything not accepted above
$IPTABLES -A INPUT -j LOG --log-prefix "Dropped by default:"
But I hired a VPS from another country, so the only means I have to manage it is via SSH. If I set up the default rule to DROP first, I am afraid that I can no longer connect via SSH to tell iptables to allow SSH.
So my questions are:
- Does iptables take effect immediately after I input a rule?
- Is there any means to run this as a batch job (create a script and run all these rules at one time)?
- My VPS has a web control panel which has a terminal via web. Is this a native terminal or just a connection via port 80 or 22?
View 9 Replies
Jul 29, 2009
I'm new to the Linux world. I would like to know how I can add the RTP protocol to my iptables rules for the Netfilter firewall, but without installing the Asterisk server.
View 1 Replies
Dec 7, 2010
Unsure about iptables lingo, so excuse me for not looking this up: I have a server, running iptables, that I do not want to allow any type of outgoing traffic to 192.168.1.21
View 3 Replies
Feb 23, 2010
I'm looking for a way to add a rule that would whitelist my ip address when I login with SSH. I can grab the IP out of the SSH_CONNECTION variable, however I'm not sure how I could add it into iptables with my non-root privileged user. I've got root access, but I want the process to be automatic. I considered sudo, however I don't want normal users to be able to modify anything about iptables, though perhaps there is a trick about it that I don't know which would only allow it in the /etc/profile or the like
View 3 Replies
Apr 20, 2010
Do I have to create a rule for:
Code:
$IPT -A fwalert -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW $RLIMIT -j LOG $LOGLIMIT --log-tcp-options --log-level 4 --log-prefix
to drop rather than log if my table has a default policy of drop with :
Code:
$IPT -t fwalert -P DROP
View 3 Replies
Jan 10, 2011
Loaded up Centos 5.5 final. Configured iptables to block regions of the world based on networks. An example would be:
-A INPUT -s 139.82.0.0/16 -j DROP
My /etc/sysconfig/iptables file contains about 10k entries like this. If I use this, the machine lags hardcore network wise.
View 3 Replies
May 18, 2010
This isn't exactly of critical importance, but is there any way to block two entirely different addresses in the one rule, rather than writing individual rules for each of them? For example, if the addresses were 1.1.1.1 and 8.8.8.8, and I only wanted to block these two.
Or alternatively, if I wanted to block two subnets, say 1.1.1.0/24 and 8.8.8.0/24? Can this be done in one rule?
View 2 Replies
Oct 29, 2010
My iptables policy is DROP. My server ports are open just for httpd and ssh. Is there any rule which can allow all connections from a specific program? For example, I want to scan an IP address's ports. As you know, nmap connects to every known port to see if it is open or not, so if I want to allow nmap to connect, I need to include all ports for that, or I can allow connections from localhost to the outside on all ports. My server is very secure. I don't want other programs (probably a backdoor) to use those ports to connect outside. I want to know whether there is any ability in iptables to rule connections by the name of the program, like "Allow any connection from /usr/bin/nmap to everywhere"?
View 2 Replies
Mar 22, 2011
I have configured a sendmail MTA for incoming mail in a network, and by using iptables I have redirected the traffic internally to another port where one more SMTP by an application is running.
Iptables rules:
iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 25 -j REDIRECT --to-port 25000
My sendmail config is as below.
Sendmail.mc
define(`SMART_HOST', `relay:host.subdomain.mydomain.com')dnl
dnl # define(`RELAY_MAILER',`esmtp')dnl
[code]...
View 11 Replies
Jun 6, 2010
I am new to iptables. The setup tool on a VPS doesn't work. So, I am learning to insert rules. I have inserted so many and some of them show as duplicates now.
1- I want to know how to remove the duplicates. Is there a file that these rules are stored in so I can go in and easily edit it?
2- Is there any other utility that handles firewall in Linux that I am unaware of? or is the iptables the ultimate door guard? This is a plain install of CentOS.
3- Since I believe I opened port 5090 but I think it still might be blocked, could SELINUX be the problem? How can I get my way around setting it to permissive or disable if I don't have access to "setup" command?
4- What is the order of iptables reading? does rule #1 supersede all other rules? or does the last rule supersede all rules prior to it?
5- Do the rules below make a fairly safe system (except for the duplicates, which should be removed)? I understand that a safe system is also dependent on the applications that are allowed in this category and I am not talking about those. I am talking about dropping all other inquiries, and in general is this how iptables is set up? This is what I currently have:
[root@tel ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
[Code]...
View 2 Replies
Apr 19, 2011
I have a trayless SATA hotswap bay that is really terrific for quickly attaching and removing SATA hard drives. I'm trying to write a udev rule to create a symbolic link to the device node for the drive that is attached through the hotswap bay (/dev/bay -> /dev/sdX). This eliminates any ambiguity when performing destructive tasks (fdisk, etc). I'm running squeeze amd64. I've read through several tutorials and have it working somewhat. Here's the output of udevadm info for a drive attached via the hotswap bay.
looking at device '/devices/pci0000:00/0000:00:11.0/host7/target7:0:0/7:0:0:0/block/sdb':
KERNEL=="sdb"
SUBSYSTEM=="block"
DRIVER==""
ATTR{range}=="16"
ATTR{ext_range}=="256"
ATTR{removable}=="0"
ATTR{ro}=="0"
ATTR{size}=="156301488"
ATTR{alignment_offset}=="0"
ATTR{capability}=="52" ....
Here is my udev rule
DEVPATH=="/devices/pci0000:00/0000:00:11.0/host7/*", SUBSYSTEM=="block", SYMLINK+="bay%n"
This produces the desired behavior and gives me an fdisk-able device node. The problem I am having is that the "host" component of the DEVPATH varies from bootup to bootup. I'm just using onboard SATA, host2-7, specifically host7. There is also onboard PATA, host0-1. It seems to just be random which "host"s are assigned to which controller. For example, the next time I boot the system, the onboard SATA will be host0-5 and the onboard PATA will be host6-7. In this simple case, I could just write 2 rules, one for each possibility, and it would still be correct because of the different PCI addresses of the two controllers. But on systems with more SCSI (uh... libata, actually) controllers, a "host" file can point to different physical ports between bootstraps. This would be bad. Does anyone know of a way to write a rule to tie a device node to a specific physical SATA port on the motherboard/hba?
View 1 Replies
Nov 16, 2010
Trying to setup my box as a router on Ubuntu 10.04. When trying to setup a NAT rule in iptables 1.4.4 like so:
Code:
sudo iptables --table NAT --append POSTROUTING -o eth0 -j MASQUERADE
I keep getting:
Code:
Can't initialize iptables table 'NAT': Table does not exist (do you need to insmod?)
Looking at lsmod, it doesn't look like I have anything NAT related loaded ( I just have iptable_filter, ip_tables, and x_table ). Doing a locate nat, I find a module that looks like it should work. I'm running 10.04.1 LTS - Kernel is 2.6.32-25-generic #45-Ubuntu SMP and it is pretty much stock - haven't done anything fancy... this module looks promising:
Code:
/lib/modules/2.6.32-25-generic/kernel/net/ipv4/netfilter/iptable_nat.ko
but loading it and I get:
Code:
-1 Unknown symbol in module
View 1 Replies
Jul 19, 2010
Currently I'm looking into implementing mod_security on all our Apache servers. The installation on CentOS 5.5 comes directly with the "Core Rule Set" by the mod_security devs (curiously, Debian and Ubuntu do not carry these). They also offer the Enhanced Rule Set for mod_security in a commercial package [URL]. The main point there in their info link is the first point:
Quote:
Tracking Credit Card Usage as required by the Payment Card Industry Data Security Standard
However, acc. to this wiki article ( http://en.wikipedia.org/wiki/Payment...urity_Standard ) that specific requirement isn't stated anywhere, and my colleague who's working on the PCI-DSS compliance for our code/servers/etc. mentioned that he hasn't heard of this specific requirement either. So my question would be if anyone has any experience with their ERS package and if it's needed for PCI-DSS compliance compared to the requirements given in bullet points in the wiki article.
View 2 Replies
May 8, 2011
I have 3 network interfaces on my Linux Router :
Interface - Gateway - Type
Code:
br0 - 192.168.0.1 - Internet
eth2 - 192.168.1.1 - LAN
tun0 - 10.0.0.2 - VPN (via br0)
What I'd like to do is to route all TCP packets coming from eth2 to tun0 where a VPN client is running on 10.0.0.2. If I delete all default routes and if I add a new route to tun0 like :
Code:
route del default
route add default gw 10.0.0.2
Everything is fine, and everyone on eth2 can reach the Internet using the VPN access. Now the problem is that my VPN client does not allow any other protocols other than TCP. And I also want to allow VPN access only to eth2, no other LAN nor the router itself. use iptables to filter any TCP packets and mark them, so they can be sent to tun0, while any other packets can reach the Internet via br0 (192.168.0.1). I found on the Internet that we can mark packets before they get routed. Using the following commands :
Code:
iptables -t mangle -A PREROUTING -j MARK --set-mark 85 -i eth2 -p tcp --dport 80
ip route add table 300 default via 10.0.0.2 dev tun0
ip rule add fwmark 0x55 table 300
First of all, --dport 80 never works... :/ I wanted to filter TCP 80 packets coming from eth2, but none of them seem to be HTTP packets... oO (very strange...). Never mind, I decided to forget about the --dport option. I use the "iptables -L -v -t mangle" command to see how many packets are marked, and it is working fine: all TCP packets coming from eth2 are marked. Now the problem is that none of them are routed to tun0; they are all respecting the "route -n" rules... and not the "table 300" rule I have created.
View 4 Replies
Jul 23, 2011
For example, can I write something to the effect: block all outbound UDP connections over port 53 except those going to IP 123.456.789. Or stated another way: block outbound to port 53/udp NOT going to IP address 123.454.678. Is it possible to do this? How would I write the argument?
View 3 Replies
Sep 1, 2011
I need help creating an iptables rule. iptables is installed on my router. My router also connects to a "hide my a**" VPN account at 79.142.65.5:443. The goal is to somehow force the traffic to go through the VPN, because what sometimes happens is that the VPN connection drops (for whatever reason) and my real IP becomes exposed. Basically, I want to block "myself" from accessing the Internet when not connected to the VPN because of privacy concerns.
Below is my iptables. It has the 3 default chains and it also has many custom user chains. I need to know what kind of rule to add, what interface to apply it to (lo, tun0, br-lan, eth1) and the correct chain to insert it into. For example, you could tell me something like:
Quote:
FORWARD chain, change rule 1 to
iptables -R FORWARD 1 -j zone_wan_MSSFIX -p tcp --destination-port 443 -i eth1
Obviously, That was just a guess, I need someone that knows iptables to help me.
Code:
Chain INPUT (Policy: ACCEPT)
Rule # Traffic Target Prot In Out Source Destination Options
Rule 1 72.95 KB DROP all * * 0.0.0.0/0 0.0.0.0/0 state INVALID
Rule 2 1.11 GB ACCEPT all * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
[code].....
View 3 Replies