Server :: Iptable Rules Some To Save And Some Not To Upon Reboot?
Apr 17, 2010
I have a Xen server; the xend daemon takes care of giving interface names like vif1.0 or vif0.2 to the connected guest operating systems on it. I cannot save the current IPTABLES rules, since upon reboot the xend daemon gives different names to the virtual ethernet interfaces, i.e. vif1.0 or vif3.0 or vif9.0, like that. I have some rules that I want to be active upon subsequent reboots, and not all. Say, for example, an SSH to an external server at port 8000 should forward the request to a machine on the LAN, which I have done by port forwarding with IPTABLES. So I need to save some rules. I was thinking of making a script which activates those rules on reboot.
I am not clear on where to do that. I searched the internet and found /etc/network/if-up.d/. I am not clear about this directory; my question is, if I make a script which has the IPTABLES rules I want and save it in the above folder, will it work? I am not clear on what /etc/network/if-up.d is for. Suppose my logic is wrong, then how should I go about it? Also I want to know whether a protocol uses two ports to make a connection. I have forgotten that, i.e. if I run SMTP or SSH, do they use ports 22 and 23 both in the case of SSH, or 25 and 26 both for SMTP, like that, or will just specifying the rules for one port be enough? I tested these rules in a secure environment where I had disabled the firewall, and SSH forwarding on the router worked well.
I recently set up an FTP server in my house running a DynDNS service so I can get to it from the outside. I called my ISP to get some help in setting up the router to forward port 21 from the outside to that box, and in short we had some problems. Long story short, they ended up bypassing the router itself, and now the line running to the box is its own fixed external IP. Naturally I want a pretty darn good iptables setup for this. The box runs proftpd and so far my iptables only accepts local loopback and port 21. (I left port 80 closed as its only purpose is to be a standalone FTP server.) But I know there must be a safer rule for port 21, as right now it's just wide open. Anyone have any ideas on how to make this a bit safer? Also, would that command be fine for any of the Linux machines I'm connecting to it from the outside too?
I don't know if FC15 has iptables rules like the ones shown below by default or not, but I wanted a second opinion about the safety they provide. Why is ICMP accepted (INPUT rule 1) from/to all IPs, and is it better to remove this rule? When the protocol is "all" (INPUT rule 2), does it mean from the IP layer and above, and is it required/safe to have this rule? The 3rd rule is to allow TCP port 22 connections (SSH) to/from all IPs. I think this is correctly set and required. The 4th rule in the INPUT table rejects pings with the icmp-host-prohibited message, which I don't think is the best solution. Instead it can be set to silently drop ICMP packets. Then, the FORWARD table uses reject instead of silent drop for forwarding ICMP ping packets.
Code:
What do you think about the new rules and their order?
I've configured iptables to act as a stateful firewall, but instead of simply rejecting packets I'd like to waste a potential hacker's time by dropping any packet that would otherwise be returned. Are my rules sufficient, or have I somehow opened myself up to an attacker by trying to write these rules myself?
I'm trying to set up a firewall at the moment that allows access to my custom SSH port only from my friend's URL (they have a static URL but a dynamic IP). I find iptables a bit of a nightmare and was hoping to use UFW for most of my day-to-day firewall maintenance and just make a few extra iptables rules to cover exceptional circumstances like this. Fortunately it seems UFW allows this with /etc/ufw/before.rules and /etc/ufw/after.rules. So at the moment I'm just trying to get the basic iptables rules right. As I say, I'm not very good with iptables; does this look right?
Code:
## Drop Default SSH port access With Logging
iptables -N SSH_DEFAULT
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_DEFAULT
Is there a way to check the older iptables rules that were loaded? I accidentally overwrote my iptables rules and that has killed internet access for all computers in the intranet. I must have accidentally deleted some line in the iptables rules and cannot figure out how to get it back to how it was. I am using Debian 5.05, by the way.
I wrote a network emulator program in C. It runs in the Ubuntu terminal with good performance, but I have to make it work with web-based user configuration. So I set up an Apache web server, wrote this program as a CGI script and tried to execute it from a web page. This program must be run with root privilege ($ sudo -s) and add iptables rules such as (# iptables -A OUTPUT -j QUEUE). So my question is, how do I add iptables rules in my CGI scripts? How do I set superuser (root privilege) permission to access my program through the web server?
I am working on a Fedora 13 ISO that will be used on some of the PCs at my work. The computers will have a varying number of Ethernet ports, at least two onboard and up to 6 external. In order to ensure that the same physical port on the back of the computer is always used for the internet connection, I have written a script to rearrange the contents of /etc/udev/rules.d/70-persistent-net.rules. The script ensures that the two Ethernet ports on the motherboard are listed as eth0 and eth1; without it they could end up as any port in the eth0-7 range.
The script works well; however, when it's run I need to reboot the PC for ifconfig to load the correct port as eth0/eth1. I have tried placing calls to my function through rc.sysinit/rc5.d/rc.local and so on, but nothing seems to work. Is there a way to make ifconfig check the MAC/eth configuration files for changes? (There appears to no longer be an ifprobe command, which sounds like what I need.) Alternatively, is there somewhere I can place the script after udev has created the persistent-net.rules but before anything else loads the information? I have tried chkconfig --level 2345 network off and loading the service later, but it still uses the wrong information; only a reboot seems to get it to work.
I'm using RHEL 5 with Enhanced Security. Using the suggested NISPOM Red Hat documented settings (located on the system; copy-paste) I have managed to audit failed file open accesses; however, this setting is only retained if I enter it at the command line (/sbin/auditctl -a). If I reboot the system or restart the service, all my -a (not -w) rules located in /etc/audit/audit.rules are not retained.
I have a Gentoo distribution and need to store the information dmesg collected until a system crash. At present, after a reboot or a crash the information in dmesg is lost and is not available after the next reboot. How can I save all the information in dmesg until a crash and read it after the subsequent reboot? I also checked for dmesg.x files in /var/log or similar files, but with no success.
I changed the audio channels to 6 in alsamixer by choosing my sound card and changing the channels to '6ch'. But this setting is not preserved. I see that after a reboot the channels go back to 2ch. I have to manually change to 6ch every time after each reboot. Is there a way to save the setting in alsamixer so that I will get 6ch every time after a reboot? I am not sure I have explained my problem in a way that you can understand.
So I have a fresh, updated install of 10.10 on a Dell Dimension 4550.
The PC connects to my monitor through a D-Link KVM switch so I can switch back and forth between computers.
When I reboot, my monitor settings disappear and everything is real, real large.
If I disconnect from the KVM, connect Ubuntu directly to the monitor and detect the monitor, it will allow me to adjust settings so everything looks normal. Until I reboot, and I am back to the same huge icons again. If I try to go back and adjust monitor settings there are only 2 settings options, because it does not see my monitor through the KVM switch again.
I use a Fedora system, and installed Fedora 12 on my USB disk with the live USB creator. Now, the problem is that every time I reboot the computer, the user data and software I installed disappear. When installing, I chose persistent space, which is described as being for user data and software, but it seems not to work now. What can I do if I want my Fedora on the USB disk to be just like a system installed on a hard disk?
Does anyone know how to save the current workspace settings on my desktop so that after logout/reboot/shutdown the old settings will resume? Currently, I have configured multiple xterm sessions and placed them in each corner of the workspace on dual monitors, but after the system rebooted the xterm sessions are resumed, but they display on one monitor instead of two and overlap each other. I tried to save the desktop settings with "Startup Applications Preferences" > "Remember currently running application". This does not work as I wish. Literally, I want each xterm session to reopen and be placed in each corner of the workspace.
Tell me the command for the iptables rule to add in chain RH-Firewall-1 to block the FTP port; the FTP server was configured on a public IP address. I searched Google but I didn't get the exact command for the iptables rule in chain RH-Firewall-1.
I need to create the file 70-android.rules in the directory /etc/udev/rules.d/. I have Admin privileges in my user account properties, but when I use sudo to create this file the Ubuntu OS does not allow me the privilege... I am running Ubuntu 10.04 LTS and here's the Terminal output below:
daddy@gatomon-laptop:/etc/udev/rules.d$ sudo cat > 70-android.rules
bash: 70-android.rules: Permission denied
daddy@gatomon-laptop:/etc/udev$ ls -l
total 8
drwxr-xr-x 2 root root 4096 2011-03-16 18:03 rules.d
-rw-r--r-- 1 root root 218 2010-04-19 04:30 udev.conf
The following is my setup:
wireless server (IP of this server is 192.168.1.1) -- target board (wireless client [the IP it got from the wireless server is 192.168.1.3], bridge (192.168.36.1)) -- Linux PC (192.168.36.3)
As shown above, I have a target board which has a wireless interface, and a Linux PC is connected to the target board. Now the IPs are like this: for the Linux PC 192.168.36.3, and my target board bridge IP is 192.168.36.1.
My wireless interface got its IP from another server, 192.168.1.3. Now if I ping 192.168.1.1 from my target board, it goes through the wireless interface to the 192.168.1.1 wireless server. But when I do the same from the Linux PC connected to the target board, it does not ping; from the Linux PC I am able to ping 192.168.1.3 but not 192.168.1.1. I think I need to write an iptables rule properly on my target board to forward the 192.168.1.* packets to the wireless interface.
I'm curious, but recently I was troubleshooting some iptables rules to allow NFS clients access to my NFS server. What was strange was that I set up a tcpdump session on my NFS server so that I could see which ports were being requested. I ran several tcpdump sessions with the following filters in place:
tcpdump -vv src ip_of_client and dst _ip_of_client
tcpdump -vv src hostname_of_client and dst hostname_of_client
However, the only packet I ever saw come over the wire to me was the client host asking for an ARP resolution. Anyhow, I finally just ran 'rpcinfo -p' and added those ports to my iptables rules and it worked great. However, I would like to understand how NFS works in case I need to troubleshoot it in the future. I do understand that NFS uses the portmapper; would this explain the behavior?
I have just set up a firewall using iptables on CentOS 5.3, but there's an issue with FTP. I can connect and I can log in, but when I give the command "ls" it says entering passive mode and afterwards it times out. Do you know why? I have port 21 open in my firewall but still....
I want a mail server that can work just like MDaemon. The reason is, I want to have an email content filter rule that does something like this:
1. If the To header contains "support@thisdomain" then run a program. What this means is that there is a program here in the office, and if someone sends an email to the support address with an attachment of .exe, and that person is a customer, then the program should be run. The only thing I need here is a rule or script that can filter the email header and run a program.
2. If the Exit Code from a previous 'Run program' rule is in the range of 1 to 100 and if the To Header contains "support@thisdomain" then send note1 "to<email address>" from <$SENDER$" "SUBJECT <AM ...> and delete this message.
3. If the EXIT CODE from a previous 'Run program' rule is =0 and if the TO HEADER contains "support@thisdomain" then send note1 "to<email address>" from <$SENDER$" "SUBJECT <AM ...> and delete this message.
I have set up a master DNS server at 192.168.50.9 and a slave DNS server at 192.168.50.6. Both servers are BIND9. The machines are for testing/experimenting, hence the IP addresses. Initially, the zone transfer was blocked by the firewall on the master, as the slave uses randomly selected non-privileged ports for the zone-transfer query. So, as far as I understand, there are two possible approaches:
1. Allow connections based on source, which should be
Code:
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW,ESTABLISHED -s 192.168.50.6 --sport 1024:65535 --dport 53 -j ACCEPT
(and it works fine for me)
2. Allow ESTABLISHED and RELATED connections, which would be something like
Code:
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
which was my initial idea but didn't work, but has inspired me to dig deeper into firewall configuration topics :).
Question: Does the zone change notification message count as opening a dialog, or are the notification from the master and the slave's zone update request two absolutely separate actions? If the latter is true, that, of course, explains why option #2 didn't work.
I have /var/log/audit and /var/log/audit.log owned by root with 600 permissions. I've also removed and made an empty /var/log/audit directory, when that did not work either. I can start the service after boot up, but it is not coming up automatically even when configured by chkconfig. I also get this after I attempt a restart...
Stopping auditd: [ OK ]
Error deleting rule (Operation not permitted)
Starting auditd: [ OK ]
The audit system is in immutable mode, no rules loaded
A tail of my /var/log/messages shows this...
Nov 23 16:45:18 hostname kernel: type=1302 audit(1290548718.524:73): item=1 name="/var/run/auditd.pid" inode=131143 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=user_u:object_r:var_run_t:s0
Nov 23 16:45:18 hostname kernel: type=1300 audit(1290548718.618:74): arch=c000003e syscall=87 success=no exit=-2 a0=7fff730b2f85 a1=7fff730b2f85 a2=2 a3=0 items=1 ppid=6243 pid=6248 auid=1111 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="rm" exe="/bin/rm" subj=user_u:system_r:unconfined_t:s0 key="delete"
Nov 23 16:45:18 hostname kernel: type=1307 audit(1290548718.618:74): cwd="/"
Nov 23 16:45:18 hostname kernel: type=1302 audit(1290548718.618:74): item=0 name="/var/run/auditd.pid" inode=131073 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0
Nov 23 16:45:18 hostname kernel: type=1300 audit(1290548718.620:75): arch=c000003e syscall=87 success=yes exit=0 a0=7fff9b776f81 a1=7fff9b776f81 a2=2 a3=0 items=2 ppid=6243 pid=6249 auid=1111 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm="rm" exe="/bin/rm" subj=user_u:system_r:unconfined_t:s0 key="delete"
Nov 23 16:45:18 hostname kernel: type=1307 audit(1290548718.620:75): cwd="/"
Nov 23 16:45:18 hostname auditd[6260]: Started dispatcher: /sbin/audispd pid: 6262
Nov 23 16:45:18 hostname audispd: af_unix plugin initialized
Nov 23 16:45:18 hostname audispd: audispd initialized with q_depth=80 and 1 active plugins
Nov 23 16:45:18 hostname auditd[6260]: Init complete, auditd 1.7.17 listening for events (startup state enable)
We have set up an Exchange server at a remote location, and while testing I am facing the following issue:
1. While configuring Outlook, it's not able to reach the Exchange server, which is hosted at a third party and is reachable from everywhere except my local network. My local network is as follows:
Local LAN on private subnet - Gateway+Firewall (iptables) with two interfaces (private and public) with NAT - Internet connectivity.
Whereas the Exchange server is set up at a data center and accessible from the internet.
I need to know what rules are required for users to configure Outlook with Exchange 2010.
The rest of the things are working fine (internet connectivity, Exchange OWA access).
I'm trying to set up my web server (nginx) as a catch-all virtual host, as per an example that can be seen here: [URL].. (It's the "Wildcard Subdomains in a Parent Folder" example.) Now, here's my issue. I use WordPress on the coburndomain.org domain. I have pretty URLs enabled, which make my WordPress articles look like this: [URL].. At the moment, nginx is reporting 500 errors, saying that index.php is not a directory. What I want to do is make a rewrite rule that allows me to use the above URL example with nginx.
I followed this tutorial to do so: [URL].. , but I'm not sure how to apply it to my setup. Here are my configuration files from Debian Squeeze with nginx on board:
What will it take for me to write a fully functioning Perl program to filter emails for specific rules? Will that be possible? The actual thing I am trying to do is write a Perl program and attach it to a mail server so that, when mail comes in, the Perl script gets called, and then the Perl program will let another external program that is not on the server run and check or filter the mail.