Security :: Use Of Iptables And Books For Indepth?
Jan 30, 2010proper use of iptables and tell me good books for indepth study
View 6 Replies
ADVERTISEMENT
Fedora Security :: Allow DNS In Iptables
Feb 1, 2009I have been struggling with this for a very long time now. I have installed Fedora Core 9 on my computer. I have set it up as a caching-nameserver and this is working.
Then I wanted to secure my server with iptables, and I have so far made this script:
# Load the connection tracker kernel module
modprobe ip_conntrack
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
[Code]....
I can reach the dns server with ping. When trying Nslookup it says that it got SERVFAIL from 127.0.0.1 trying next server, and then it times out.
My resolv.conf file lists:
nameserver 127.0.0.1
nameserver DNS-server
Fedora Security :: Can't Get FTP Through Iptables
Dec 14, 2009Im pulling my hair out trying to get ftp to work through iptables.Im using vsftpd
Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
[code].....
Security :: Can't Zero Out Counters In Iptables
Feb 25, 2010I have a problem with iptables, when I execute
[code]....
Security :: Configure IPtables To Only Allow VNC Over SSH
Apr 4, 2010I am trying to figure out how I can configure IPtables to only allow VNC traffic to an internal server over SSH.
My configuration is WAN < --- > Gateway (Ubuntu 9.10 Server) < --- > Internal Server (that I want to control with VNC over SSH)
Security :: How To Keep Safe PC Using Iptables
Dec 5, 2010I am using Fedora on my desktop pc. I want to know how can i protact my PC from outside world. What firewall policy should i implement in iptables to keep it more secure.
View 5 Replies View RelatedSecurity :: Incorporate Into Iptables
Jan 5, 2010I'm following an openvpn installtion how to and it says to add this to the iptables:
Quote:
# External Interface for VPN
# VPN Interface
VPNIF="tun0"
VPNNET="172.16.0.0/24"
VPNIP="172.16.0.1"
### OpenVPN
[Code]....
Any thoughts as the whole formatting is separate and has the addition of FORWARD rules, etc. I need the VPN running on the .199 address
Security :: Iptables :everything Works Except Ftp
Jun 3, 2010i set up a dmz to have a internet web server and ftp server, and ssh only from local network, so i wrote a iptables script to load during boot :
[Code]...
The problem is that everything works fine ( i have the same rules for other services such as samba, nfs, mysql on another server) BUT ftp there is no way to make it work. not even locally.when i try to connect, i log in, but while listing the directory i get MLSD ... and it hangs like this for a moment, then i get error message "connection time out" , "impossible to list directory". if i turn off the iptables script no problem,ftp works fine.. but why all services work and ftp no?
how do i have to modify the rules? what is strange also is that if i set as OUTPUT policy "accept", the server seems to be offline."host unknown" error message. I was thinking the rule INPUT is fine cause at least i can login, but the dir list is not going out, so gotta modify output rules. or state?
Security :: IPTables - How To Set Default Allow
Mar 19, 2010I've started a new job and have inherited a couple of RHEL4 64-bit servers. The firewall on them is currently disabled. I'm struggling to get them up and running as iptables is not the most user-friendly application. This lead me to downloading and trying a GUI front-end: Guarddog. Great app! But it doesn't have the default behavior I'm looking for. Here is what I need:
Default behavior: Firewall should be wide open, allowing ALL ports/IP's/TCP/UDP in and out of the server.
Blacklist: Oracle TCP port 1521 needs to be blocked in/out of the server.
This will help get us passed our company's security vulnerability scan. (We aren't able to patch/upgrade Oracle at this time because we'd lose vedor support with a legacy app). I will use these settings as a starting point, and then once I learn more and get more comfortable with iptables (or a GUI app) then I can fine tune things to make them more secure. As far as I know (correct me if I'm wrong) once I get a script I just copy it into /etc/rc.firewall and it will load when iptables starts.
Security :: Iptables To Block Ip From Ftp?
Mar 6, 2010Is this how I would do that?
iptables -A INPUT -p tcp --destination-port 21 -d ! 168.192.1.2 -j DROP
This should block all incoming connections on port 21 from 192.168.1.2, correct? Thus preventing that IP from logging into my FTP.
Fedora Security :: Iptables - Block Everything From Getting In My Pc
Mar 17, 2009What i wanted to do was block everything from getting in my pc but still be able to surf the web and still use instant messenger.
View 2 Replies View RelatedUbuntu Security :: How To Reset The Iptables
Jan 14, 2010i ran this
Code:
iptables -N rate-limit
iptables -A rate-limit -p tcp -m conntrack --ctstate NEW -m limit --limit 3/min --limit-burst 3 -j RETURN
iptables -A rate-limit -j DROP
iptables -I INPUT 1 -p tcp --dport 22 -j rate-limit
i am no longer able to ssh in to the machine , how can i reset iptables and firestarted back to default?
Ubuntu Security :: Use Address Not Ip In Iptables?
Jul 24, 2010i need to open this address ftp.nai.com, is there a way to use address not ip in iptables?
View 7 Replies View RelatedUbuntu Security :: Iptables Configured By UFW ?
Sep 17, 2010I've recently moved from Firestarter to UFW/GUFW, and I wonder if someone could confirm if my iptables configuration is secure.
When I enter sudo iptables -L i get:
Code:
Ubuntu Security :: Iptables Allow Via Spesific NIC?
Dec 29, 2010eth1 has connection to the net via gateway ..eth0 on the same machine has users on a intranet and needs access to the internet, i need to allow internet connection and prevent packets which logically originate from the internet getting into the intranet
View 1 Replies View RelatedUbuntu Security :: How To Clear Iptables
Apr 21, 2011Installing a router, and I need to completely "wipe" iptables (flush I mean) on both computers, and I think I run ufw/gufw on both, so that would need to be uninstalled. The router is very secure, has NAT, etc, etc, and I'd rather setup all that side of things in one point, rather than on each computer.
View 2 Replies View RelatedUbuntu Security :: Both Ufw And Iptables Running Together?
May 23, 2011Can I have both ufw and iptables running together? My server is currently using ufw, if I add an iptables rule will it have any effect?
View 6 Replies View RelatedNetworking :: Configuring IPtables Security Of CPU
Mar 3, 2009I new in Linux, I have a Centos5 since sunday and well I have to configure the iptables security of this cpu, I read a lot of examples of iptables in the internet and also another Thread from here but Really a don't know what to do, I saw lots of codes but first of all I don't know where I have to write that and my teacher don't want to help me in this homework. I tried to write the codes in applications --> accessories --> Terminal
View 3 Replies View RelatedSecurity :: Setting Up IPTables For Kubuntu 10.4?
Feb 21, 2011After discovering that the firewall was wide open I decided to finally study the iptables docs and learn how to add rules. Now, I've not yet finished reading guides and documentation but I'd like some advice before I set the default policy on the input chain to deny. I have added a permissive rule for the loopback adapter so that programs that use it do not become mute suddenly. I will also use netstat to see what ports to open for each program that connects to the internet. I'm not that interested in what ports to open but how to find what ports to open.
View 3 Replies View RelatedSecurity :: Anyway To NOT Log Dropped Ports 137 / 138 In Iptables?
Mar 30, 2011We do NOT support samba on our Unbuntu servers but still zillions of windows machines are constantly trying to connect on the SMB ports. I've added a rule that drops access to destination ports 137-138 and that seems to work. But it creates many many log entries documenting that the packet has been dropped. I've been researching and cannot come up with a way to suppress logging for these drops.
View 4 Replies View RelatedSecurity :: Blocking Web Content With Iptables?
Aug 8, 2010Is possible blocking web with content for adults with iptables?
View 3 Replies View RelatedSecurity :: Cannot See Source On First SSH Entry In IPTables
Jul 23, 2010Now I managed to get iptables to work with my OpenVZ configurations and everything seems to work as it should. However when I run iptables -L I can only see source for the second SSH rule, why isn't the first ones source/IP shown? Also if you have any comments about the setup feel free. I'm running SSH, Apache and local MySQL
The xxx.xxx is simply to hide my IP's
Code:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -X
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 -j REJECT
iptables -A INPUT -p tcp --dport 22 -s 77.213.xxx.xxx -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 62.198.xxx.xxx -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j REJECT
iptables -A INPUT -j REJECT
iptables -A INPUT -j DROP
Security :: Detect Nmap With Iptables?
Apr 27, 2011i have a problem with iptables when i use nmap to scan ports then ports shown.this is my rules on my firewall.Quote:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1002:40080]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
[Code]...
Security :: How To Disable The Iptables Permanently
Mar 5, 2011I am using Fedora. I want to disable Linux iptables permanently. Normally when I reboot my pc the iptable service is on. how can I disable even I turn reboot the pc.
View 6 Replies View RelatedSecurity :: How To Set Iptables For IPSec Tunnel?
Jan 7, 2010I want to setup firewall protection with iptables to support IPSec tunnels. That is, the firewall will drop anything from any host if it is not from an established IPSec tunnel. And it will accept anything (any protocols) if it's from an IPSec tunnel.
That is, I need also to open up ping to make ping work. But if I open up icmp, I cannot prevent pings from hosts that's outside my IPSec tunnels. This defeats my purpose.So if my purpose is to allow "anything" within the tunnel and disallow/drop anything outside the IPSec tunnels, how should I setup the iptables rules?
Security :: Iptables 192.168.1.x Server Can't Ping By 192.168.0.x
Jun 1, 2011i have set firewall for centos of 192.168.1.21 server like this.
it has a gateway of 192.168.1.2
iptables -P INPUT DROP
iptables -A INPUT --in-interface lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EB:91:00:01 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 80 -m mac --mac-source 00:0F:EB:91:00:01 -j ACCEPT
the mac source is my laptop's mac address. But when i try to ping from my laptop of 192.168.0.2 (my gateway is 192.168.0.1 but share the same server that has 3 network gateway including gateway for the centos)it failed. what i should do to enable this ping.i also cannot connect to the centos server unless i change my ip to 192.168.1.x and same gateway as centos.can someone suggest what should i modify my firewall to enable connection to centos server from my 192.168.0.2 laptop? is that related to nat and forward chain in firewall of centos?
Security :: IPTables And SSH Rate Limiting
May 20, 2011I'd like to discourage the SSH bots that try to log into my system (CentOSv5), and among other things, I've changed my SSH port to someting other than 22. As well, I've been playing around with the idea of some iptables rules (note port 22 is used here as example):
Code:
# Allow SSH with a rate limit
iptables -A INPUT -i ppp0 -p tcp --syn --dport 22 -m hashlimit --hashlimit 15/hour --hashlimit-burst 3 --hashlimit-htable-expire 600000 --hashlimit-mode srcip --hashlimit-name ssh -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --syn --dport 22 -j LOG --log-prefix "[DROPPED SSH]: "
iptables -A INPUT -i ppp0 -p tcp --syn --dport 22 -j DROP
I am *NOT* an iptables expert. What do you all think about the above code snip?
Security :: Iptables Policies And Log Not Working?
Apr 12, 2009I am facing a problem when I tried to set policies on the firewall with following commands:
iptables -A INPUT -p TCP -s 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -p UDP -s 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -p TCP -s 0/0 -j REJECT
[code]....
Here, I want to deny all traffic except DNS traffic, it should be permitted. I tried to log the traffic but I did not find any update in /var/log/messages.
Security :: Programming Iptables Rules For 1:1 NAT?
Sep 16, 2010I am trying to program iptable rules for implementing a 1:1 NAT which does the following:
1. Forward all traffic from all ports on a public ip to a private ip
2. Forward traffic from a range of ports (x-->y) on a public ip, to a private ip
I did some google searches for the same, and came up with the following.
iptables -A FORWARD -t filter -o eth0 -m state
state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state
state ESTABLISHED,RELATED -j ACCEPT
Security :: What Are Strong Iptables Rules?
Mar 31, 2011Can someone please let me know strong iptables rules? Below entries are in iptables file.Here Y.Y.Y.Y is another branch public IP.This server acts as gateway+squid server.Further it will serve company's intranet page also using httpd.OS is CentOS 5.0.
View 1 Replies View Related