Server :: IPTables Setup For Symmetric NAT

Apr 14, 2011

I am having difficulties setting up Symmetric NAT through iptables.

First things first:
"A symmetric NAT is one where all requests from the same internal IP address and port, to a specific destination IP address and port, are mapped to the same external IP address and port. If the same host sends a packet with the same source address and port, but to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host."

Need:
I am working on a SIP application and SIP apps face a problem with NATed networks. STUN is a solution to such a problem and my SIP application has an embedded STUN client functionality.

Scenario and Technical Details:
192.168.0.200
+-----------------+
| ClientA - My IP |
+-----------------+
        |
        | GW:
        | eth0                   eth1 (example public IP address)
        | 192.168.0.1            123.123.123.123
+-------------|-------------+
|            NAT1           |
+-------------|-------------+
              |
              |
              |
stun.1und1.de |
+---------------------------+
|        STUN Server        |
+---------------------------+

I am using WinSTUN, which requires a STUN Server address (such as the one I specified above) to return my type of NAT. What I need to achieve is Symmetric NAT through iptables, on the GW server, only on my IP address (192.168.0.200). I don't want it to affect the whole network. I am running CentOS release 5.4 (Final), and iptables v1.4.10.


Server :: ProFTP Masquerading Setup Uses IPChains Convert To IPTables

Jan 25, 2011

How to Nat. I wanted to be able to resolve something like
ftp.myfirstdomain.com to 192.168.0.2
Then ftp.mysecond.com to 192.168.0.3

Just as a random example, I know these cannot be done using name based virtual hosts like in Apache. But I got this working internally using my LAN connection and the 2 IP addresses above, with Bind DNS pointing the dns's to those 2 ip addresses respectively. This worked, yet when I tried connecting from my work place to transfer some files, it kept going to the default user's home directory. Just wanted to get this project finished, 2 domains and one public facing IP address.


Ubuntu Servers :: Setup Iptables Rules In /etc/if-up.d/iptables?

Apr 16, 2011

I am running Ubuntu server 10.10 and trying to setup iptables rules in /etc/if-up.d/iptables

Quote:
root@host# cat /etc/network/if-up.d/iptables
#!/bin/sh -e
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Problem is that iptables doesn't get updated and I don't see them when iptables -L is executed after reboot.


Programming :: Libgcrypt And Symmetric Block Cipher?

May 1, 2011

I have a program which has to encrypt data using a symmetric block cipher in CBC encryption mode. It seems that the IN data length must be a multiple of the cipher block length. Is there a possibility to advise libgcrypt to do the padding of the IN buffer automatically, or must I do this manually? In case of manual padding: what is the recommended strategy to perform high security? Fill with zeros or random numbers?


Networking :: IPtables (NAT / PAT) Setup For SSH And Samba

Apr 28, 2010

I need to access a Linux box via SSH & Samba that is hidden/connected behind another one on its own local network.

Setup :-
Code:
   A          switch        B                  C
|----|        |---|      |----|             |----|
|eth0|<------>|   |<---->|eth0|             |    |
|----|        |---|      |eth1|<----------->|eth1|
                         |----|             |----|

E.g., I need to SSH/Samba from A to C. How does one go about this? I was thinking that it cannot be done via IP alone? Or can it? Could B say "hi on eth0, if you're looking for 192.168.0.2, it's here on eth1"? Is this NAT? This is a large private network, so what about if another PC has that IP?! More likely it would be PAT?

A would say "hi 192.168.109.15:1234"
B would say "hi on eth0, traffic for port 1234 goes on here eth1"

How could that be done? And would the SSH/Samba daemons see the correct packet header info and work??

IP info :-
Code:
A - eth0 - 192.168.109.2
B - eth0 - 192.168.109.15
- eth1 - 192.168.0.1
C - eth1 - 192.168.0.2
A, B & C are RHEL (RedHat)

But Windows computers can be connected to the switch. I configured the 192.168.0.* IPs, they are changeable. So I have read that this should be done via iptables? But what is the correct command line to do this? And where does one put permanent iptable config?


Networking :: Setup A Wireless ISP Using Iptables, Tc?

Mar 29, 2010

I'm working for a very poorly configured WISP currently using Traffic Inspector on windows(url).

Currently each client is manually given an IP address. I'd like to eventually change that, but for now I just want to migrate the server to linux.

I intend to use iptables to forward only those whose MAC and IP match against my list:

Code:
# Davit
$IPTABLES -A INPUT -i $INTIF -m mac --mac-source 00:00:00:00:56:83 -s 192.168.0.4 -j ACCEPT
I intend to mark the packets by ip address to limit them to their plan( there are two plans 256kbps and 128kbps)
Code:
# Mark packets to route
code....

exit 0
Does this make any sense? My Major problem is that I don't know how to keep track of how much each client has downloaded. Any advice on how to do that?


Fedora :: Caching Passphrase For Symmetric Encryption In 13 (emacs 23.1)

May 31, 2010

I just upgraded to Fedora 13, with emacs 23.1. Now when I edit a .gpg (encrypted) file, emacs doesn't cache the passphrase, so when I save the file emacs demands that I repeat the passphrase twice. Previously, the following line in .emacs made it cache the passphrase:

Code:

(setq epa-file-cache-passphrase-for-symmetric-encryption t)

This is supposed to work, according to the documentation [URL], but in Fedora 13 emacs it seems to have stopped working.


General :: Testing Tools For Symmetric Multiprocessing Processor

Oct 20, 2010

Can anyone suggest any open source testing tool for testing SMP?


Debian :: How To Use IPtables - Basic Firewall Setup

May 16, 2010

Recently I have been working on iptables and trying to understand how to use it. Here's a little script I have written to setup a basic firewall for myself:

Code:
#!/bin/bash
# Basic host firewall: optionally open a few service ports, then
# apply the default rules. Changing iptables rules requires root.
if [ "$(id -u)" -ne 0 ]; then
    echo "You need root privilege"
    exit 1
fi

PROG=/sbin/iptables
# Flush all existing rules in the filter table
$PROG -F

function sethttp {
    echo "Opening http port..."
    $PROG -A INPUT -p tcp --dport 80 -j ACCEPT
}

function sethttps {
    echo "Opening https port..."
    $PROG -A INPUT -p tcp --dport 443 -j ACCEPT
}

function settorrent {
    echo "Opening torrent port..."
    $PROG -A INPUT -p tcp --dport 52413 -j ACCEPT
}

# -h, -s and -t each open one inbound port
while getopts "hst" option; do
    case "$option" in
        h) sethttp;;
        s) sethttps;;
        t) settorrent;;
        *) echo "DOH!";;
    esac
done

# Accept replies to connections this host initiated (this is what lets
# outbound web browsing work without an inbound port 80 rule)
$PROG -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all outbound traffic
$PROG -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Loopback traffic in both directions
$PROG -A INPUT -i lo -j ACCEPT
$PROG -A OUTPUT -o lo -j ACCEPT
# Everything else inbound is dropped; this host does not route for others
$PROG -A INPUT -j DROP
$PROG -A FORWARD -j REJECT
echo "Done setting up the firewall! Enjoy :)"
exit 0

OK, this can take 3 arguments that open ports 80, 443 and 52413. And at the end, some default rules are applied. But here's the thing I don't understand:
if I don't give the argument for port 80, I can still view web pages... and also, when I remove the line:

Code:
$PROG -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Whether I tell it to open port 80 or not, I can't view any web pages.


Security :: IPTables Setup Blocking SSH Traffic

Feb 11, 2011

I set up iptables but it is blocking my SSH set up. I did allow it by opening port 22 but it did not work. Here is my config:

Code:
iptables -F
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

### this should allow SSH traffic
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

How do you allow SSH through the iptables firewall?


Networking :: Setup Multi-Path Route Iptables ?

Jun 14, 2010

Here's my scenario:

I want it so any inbound traffic from dsl goes back out the dsl and same for rogers. I've been searching and playing with many docs with no luck.

Anyone know how I do this? The multiple routes are on the same device br0. (which I think is causing all my havoc)


Networking :: Setup Iptables Firewall And DMZ With Multiple Public IP's?

Nov 27, 2008

We have a new Business DSL line with 16 public addresses. What we want is to set up a DMZ to run some services and internet to the LAN. Here's a schematic of what we want:

Code:

Backup Internet        Main Internet
  connection             connection
      |                      |
      |                      |
  SDSL Modem             BDSL Modem

[code]....

The webserver has the following settings:

IP: 12.34.56.125
subnet: 255.255.255.240
gateway: 12.34.56.126

What IPTABLES rules do I need to set up to "see" all IPs in the DMZ-2 from the internet?


Red Hat / Fedora :: Setup Iptables - IOError: [Errno 13] Permission Denied

May 26, 2011

I am trying to set up iptables, I get this error message and don't know what to do.

[Code]...

EDIT. I did chmod 777 /etc/sysconfig/iptables.old and it still doesn't work.


Ubuntu Servers :: Port Forwarding Setup Using IPTables - Transparent Proxy

May 13, 2010

I'm new to linux, but enjoy using it very much, especially without a GUI, console is fun! I need to set up port forwarding. We have 3 servers, 1x running Ubuntu server 8.04 (used as transparent proxy), 1x server 2003, 1x windows xp.

The linux box has the following ips:
eth0 (internal) 192.168.1.5
eth1 (external) 192.168.0.7

Windows server 2003:
192.168.1.6

Windows XP:
192.168.1.9

Router:
192.168.0.1

The router automatically forwards specific ports to 196.168.0.7 (Linux eth0). From there I want to forward port 8585 to 192.168.1.6 and 3000 to 192.168.1.9. Is there a way that I can do this using iptables?

The commands that I think I'm gonna use look like this:
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 8585 -d 192.168.1.6 -j ACCEPT
iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 3000 -d 192.168.1.9 -j ACCEPT

Would this be a correct way of doing it? My biggest problem is that I can't test it without going live, and if I go live and something doesn't work, the entire building will be left without internet, people will hate me. Also, the proxy captures all data on port 80 and forwards it to 3128 so that the proxy can monitor the usage, and a few systems run fine with it; others however can ping websites, and Internet Explorer says "website found, waiting for reply" but the webpages cannot be displayed.


Ubuntu Networking :: IPtables NAT Rule Setup - Unknown Symbol In Module

Nov 16, 2010

Trying to setup my box as a router on Ubuntu 10.04. When trying to setup a NAT rule in iptables 1.4.4 like so:

Code:
sudo iptables --table NAT --append POSTROUTING -o eth0 -j MASQUERADE
I keep getting:

Code:
Can't initialize iptables table 'NAT': Table does not exist (do you need to insmod?)

Looking at lsmod, it doesn't look like I have anything NAT related loaded ( I just have iptable_filter, ip_tables, and x_table ). Doing a locate nat, I find a module that looks like it should work. I'm running 10.04.1 LTS - Kernel is 2.6.32-25-generic #45-Ubuntu SMP and it is pretty much stock - haven't done anything fancy... this module looks promising:

Code:
/lib/modules/2.6.32-25-generic/kernel/net/ipv4/netfilter/iptable_nat.ko
but when I load it I get:

Code:
-1 Unknown symbol in module


Server :: Unable To Setup A NIS Server Setup On CentOS System

Jan 19, 2010

We are trying to set up a NIS server on a CentOS system. We need to have a NIS server which can provide NIS authentication to a couple of clients. We are practically new to all this stuff.

Just googled to find some ideas about installing ypserv and ypbind and portmapper. We did all that and also started them successfully. But now the clients are not able to join the NIS domain. The error log states "YP_DOMAIN NOT BOUND".

I guess we have not entered the /etc/yp.conf, /etc/hosts files properly. Please let us know the detailed steps to set up a NIS server.

Also, please let us know what entries should go into the different /etc/<file_names>? What is meant by HOSTNAME in the /etc/hosts file?

Is there any other files which need to be changed? Are we missing any steps?

Also to add-on, while executing the ypinit command we faced the following error:

At this point, we have to construct a list of the hosts which will run NIS servers.
localhost.localdomain is in the list of NIS server hosts. Please continue to add
the names for the other hosts, one per line. When you are done with the list, type a <control D>.
        next host to add: localhost.localdomain
        next host to add:

The current list of NIS servers looks like this:

Is this correct? [y/n: y] y

Error running Makefile.


Debian :: Ubuntu Local Mirror Setup For FAI Server Setup?

Apr 24, 2011

I want to setup a FAI server for which I was looking for the best method of mirroring the Debian Lenny. I want to setup a local mirror with the best method available for mirroring. If it is ftpsync, please provide me some best ways of doing it. I tried ftpsync mirroring but that was not getting properly working due to insufficient I want this mirror to be accessible in my FAI setup so that I can start the installation on multiple machines and start the updates and package installation to be done from the same local mirror.


General :: Setup A SMS Server, Appropriate Distribution To Setup A SMS Server?

Oct 22, 2010

How to setup a SMS server using Linux, also want to know the appropriate Linux distribution to setup a SMS server.


Server :: Require Iptables Rules For Web Server?

Jul 12, 2011

I have hosted a web server on CentOS 5.6. I need to write the rules for that server. 1. First, how can I flush the iptables?

i used this command
iptables -F
iptables -X

[code]...


Server :: Setup Master / Master Mysql In HA Setup Without Use Of Load Balancer Provided By Host?

Mar 31, 2010

I have a load balancer with 2 web servers behind it. The web servers rsync with cloud storage to update their apache directories 1 time every hour. Apache is just running php pages that pull/push data to a DB so they don't need to be updated that often. However I need to figure out how to implement a Master/Master MySQL setup to have my web servers point to for the PHP stuff. I need to implement it without having a single point of failure. The load balancers are useless for failover as they only detect availability based on ping requests. So putting a master/master setup behind a load balancer is out. What is the best way to set up the master/master MySQL in a HA setup without the use of a load balancer provided by the host?


Server :: Iptables Log To MySQL?

Apr 6, 2010

Does anyone know how to make iptables log to a MySQL database? If you do, can you tell me where I can find a good tutorial? I hope that I didn't ask a question that I could have found easily using Google. I didn't find much, or at least not very recent. I am using CentOS 5.4, iptables 1.3.5 and MySQL 5.0.77.


Fedora Servers :: Unable To Restore My Iptables From Iptables-save After Upgrading

Nov 26, 2010

I am unable to restore my iptables from iptables-save after upgrading Fedora. I cannot get iptables-restore to work, and I have resorted to entering rules manually using the GUI.


General :: When Restart The Iptables Service Then The Firewall Entries Are Again Shown In Iptables?

Sep 17, 2010

I am facing a strange problem with my iptables: there are some firewall entries stored somewhere which keep displaying the firewall entries below even after flushing the iptables, and when I restart the iptables service the firewall entries are again shown in my iptables, as shown below:

[root@myhome ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

[code]....


Server :: Setup RAID 1 On CentOS 5 Server For A Zimbra Email Server

Feb 7, 2011

I'm trying to set up RAID 1 on a CentOS 5 server for a Zimbra email server. I get a partition schema error. Can I do this? The server is an HP ProLiant ML150 G3 server with two 80GB HDDs.


Ubuntu :: Try `iptables -h' Or 'iptables --help' For More Information - ' Not Found.4.4: Host/network `98.200.58.73

Nov 3, 2010

I recently installed a new Ubuntu PC that runs iptables and PSAD. I had the same script on another Ubuntu PC, but when I copied the script onto the new PC, I got this error. I don't remember where I found the tutorial for this, all I know is that this is the script (Edited for my usage):

Code:

#!/bin/bash
# Script to check important ports on remote webserver
# Copyright (c) 2009 blogama.org
# This script is licensed under GNU GPL version 2.0 or above

[code]....

Safe.txt contains:

Code:

127.0.0.1
192.168.1.8
192.168.1.1
98.200.58.73
192.168.0.1

And the error message generated is:

Code:

root@NETWORK-SERVER:/var/ddosprotect# ./ipblock.sh
' not found.4.4: host/network `127.0.0.1
Try `iptables -h' or 'iptables --help' for more information.
' not found.4.4: host/network `192.168.1.8

[code]....


Fedora :: IPtables Creates An Error During Startup - Applying Firewall Rules: Iptables-restore: Line 21 Failed

Jul 17, 2010

IPtables creates an error during startup as well as when I try to restart it: Here's the output of:

[Code]....


Networking :: Iptables - Forward All FTP To Other Server?

Dec 24, 2008

So here is my issue in a nutshell. I need to take FTP requests that hit Server_A and forward them to Server_B. Server_B is not NATed... Server_B is another public server in a completely different location in the world. One thing to note is that I only have one NIC, hence why you will see both in and out being eth0. This is what I have in my iptables on SERVER_A:

iptables -A FORWARD -p tcp -i eth0 --sport 21 -o eth0 -d SERVER_B --dport 21 -m state --state NEW -j ACCEPT
iptables -A FORWARD -p tcp -i eth0 --sport 20 -o eth0 -d SERVER_B --dport 20 -m state --state NEW -j ACCEPT

I've also tried both of the above without the --sport option. When I FTP to SERVER_A (where the above iptables rules are) it connects to SERVER_A instead of forwarding them to SERVER_B.


Security :: Iptables 192.168.1.x Server Can't Ping By 192.168.0.x

Jun 1, 2011

I have set the firewall for CentOS on the 192.168.1.21 server like this.

it has a gateway of 192.168.1.2

iptables -P INPUT DROP
iptables -A INPUT --in-interface lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp --destination-port 22 -m mac --mac-source 00:0F:EB:91:00:01 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 80 -m mac --mac-source 00:0F:EB:91:00:01 -j ACCEPT

The MAC source is my laptop's MAC address. But when I try to ping from my laptop at 192.168.0.2 (my gateway is 192.168.0.1, but it shares the same server that has 3 network gateways, including the gateway for the CentOS box) it fails. What should I do to enable this ping? I also cannot connect to the CentOS server unless I change my IP to 192.168.1.x and use the same gateway as CentOS. Can someone suggest what I should modify in my firewall to enable connection to the CentOS server from my 192.168.0.2 laptop? Is that related to the nat and forward chains in the firewall of CentOS?


Server :: After Running Iptables -F Goes Offline?

Jan 3, 2011

After running iptables -F my server goes offline???

Isn't that suppose to flush the iptables, so it will allow all traffic?

Copyrights 2005-15 www.BigResource.com, All rights reserved