Ubuntu Networking :: How To Use IPtables For Different NAT Implementation
May 6, 2010
Implementing each type of NAT using iptables:
- Full Cone NAT
- Restricted Cone NAT
- Port Restricted Cone NAT
- Symmetric NAT
Explanation:
Full Cone: A full cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Furthermore, any external host can send a packet to the internal host, by sending a packet to the mapped external address.
Restricted Cone: A restricted cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Unlike a full cone NAT, an external host (with IP address X) can send a packet to the internal host only if the internal host had previously sent a packet to IP address X.
Port Restricted Cone: A port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers. Specifically, an external host can send a packet, with source IP address X and source port P, to the internal host only if the internal host had previously sent a packet to IP address X and port P.
Symmetric: A symmetric NAT is one where all requests from the same internal IP address and port, to a specific destination IP address and port, are mapped to the same external IP address and port. If the same host sends a packet with the same source address and port, but to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host.
On the netfilter mailing list, Pedro Goncalves suggested the following:
192.168.2.170 is "public" address and 10.0.0.1 is "private" address
"Full Cone NAT", with the following rules:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.2.170
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 10.0.0.1
"Port Restricted Cone NAT", with just a single rule:
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.2.170
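The four definitions above are easier to compare when the mapping rule (which external port an internal ip:port receives) is separated from the filtering rule (which remote hosts may send inbound to that port), and that split is also what decides how each type is built with iptables. A plain SNAT keeps the same external port for a given internal ip:port whatever the destination, but conntrack only admits inbound packets whose full tuple matches a connection the internal host opened, so SNAT alone behaves as a port restricted cone. Adding the blanket PREROUTING DNAT makes inbound endpoint-independent (full cone), but it also forwards every port of 192.168.2.170 to 10.0.0.1 whether or not anything was mapped there, which is a 1:1 NAT rather than a cone and exposes every service listening on 10.0.0.1. SNAT with --random picks a fresh external port per connection, which is the symmetric case. Address-only filtering (restricted cone) has no direct counterpart in plain SNAT, since conntrack matches the full reply tuple. The model below is an added example written for this page, not code from the post or from netfilter; it uses the post's 192.168.2.170 and 10.0.0.1, while the remote peers (203.0.113.10, 198.51.100.7, 192.0.2.5), the port numbers and the rule names in NAT_TYPES are constructed annotations, and nothing is executed against a real firewall:

```python
"""Model of the four NAT classes defined above: a mapping rule (which external port an
internal ip:port gets) plus a filtering rule (who may send inbound to that mapping).
Added example for this page, not code from the post. Addresses 192.168.2.170 and 10.0.0.1
are the post's; the remote peers are constructed from RFC 5737 documentation ranges."""

EXTERNAL_IP = "192.168.2.170"          # post's "public" address
INTERNAL_HOST = ("10.0.0.1", 5000)     # post's "private" address, constructed source port
HOST_X = ("203.0.113.10", 3478)        # constructed remote peers
HOST_Y = ("198.51.100.7", 3478)
STRANGER = ("192.0.2.5", 1234)         # never contacted by the internal host


class Nat:
    """mapping:   'independent' -> one external port per internal ip:port, any destination
                  'dependent'   -> a fresh external port per (internal ip:port, destination)
    filtering:    'none' | 'address' | 'address_port' -> which inbound senders are admitted
    static_dnat:  internal IP that receives inbound packets to ports with no mapping
                  (models the post's blanket 'PREROUTING -i eth0 -j DNAT' rule)."""

    def __init__(self, mapping, filtering, static_dnat=None, first_port=40000):
        assert mapping in ("independent", "dependent")
        assert filtering in ("none", "address", "address_port")
        self.mapping, self.filtering, self.static_dnat = mapping, filtering, static_dnat
        self.next_port = first_port
        self.ext_port_for = {}   # mapping key -> external port
        self.owner = {}          # external port -> internal (ip, port)
        self.contacted = {}      # external port -> set of remote (ip, port) sent to

    def outbound(self, src, dst):
        """Internal src sends to remote dst; returns the external (ip, port) the packet leaves with."""
        key = src if self.mapping == "independent" else (src, dst)
        if key not in self.ext_port_for:
            self.ext_port_for[key] = self.next_port
            self.next_port += 1
        port = self.ext_port_for[key]
        self.owner[port] = src
        self.contacted.setdefault(port, set()).add(dst)
        return (EXTERNAL_IP, port)

    def inbound(self, remote, ext_port):
        """Remote sends to EXTERNAL_IP:ext_port; returns the internal destination or None if dropped."""
        if ext_port not in self.owner:
            # no NAT/conntrack entry for this port: only a blanket DNAT lets it through
            return (self.static_dnat, ext_port) if self.static_dnat else None
        peers = self.contacted[ext_port]
        if self.filtering == "none":
            allowed = True
        elif self.filtering == "address":
            allowed = any(ip == remote[0] for ip, _ in peers)
        else:
            allowed = remote in peers
        return self.owner[ext_port] if allowed else None


# Each type with the iptables construction it corresponds to (annotation only; nothing is run).
NAT_TYPES = {
    "full cone (SNAT + blanket DNAT to 10.0.0.1)": lambda: Nat("independent", "none", static_dnat="10.0.0.1"),
    "restricted cone (no plain-SNAT equivalent)": lambda: Nat("independent", "address"),
    "port restricted cone (SNAT alone)": lambda: Nat("independent", "address_port"),
    "symmetric (SNAT --random)": lambda: Nat("dependent", "address_port"),
}


def probe(nat):
    """Constructed traffic: one internal socket talks to X and Y, then five inbound attempts."""
    _, port_x = nat.outbound(INTERNAL_HOST, HOST_X)
    _, port_y = nat.outbound(INTERNAL_HOST, HOST_Y)
    return {
        "same_mapping_for_X_and_Y": port_x == port_y,
        "reply_from_X": nat.inbound(HOST_X, port_x) == INTERNAL_HOST,
        "from_X_other_port": nat.inbound((HOST_X[0], 9999), port_x) == INTERNAL_HOST,
        "from_stranger": nat.inbound(STRANGER, port_x) == INTERNAL_HOST,
        "stranger_to_unmapped_port_22": nat.inbound(STRANGER, 22) is not None,
    }


if __name__ == "__main__":
    for name, make in NAT_TYPES.items():
        print(name, probe(make()))
```

Running it prints one row per type: the cones all give X and Y the same external port while the symmetric NAT does not, only the full cone admits a stranger, and only the blanket-DNAT variant delivers a packet aimed at an unmapped port (22) to the internal host, which is the exposure to weigh before using that rule on a real gateway.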
Oct 20, 2010
I am trying to understand the implementation of iptables and netfilter. Any good links or docs?
Mar 19, 2010
Subject of my school work: "Web interface for managing firewall and band on the access server (Linux)". I have a big problem because I do not know how to safely implement the change in the system and show the logs on the Web page. Unfortunately, the number of solutions for today is enormous and it is increasingly difficult for me to decide on the right one. They are:
1. Launching a web server with root privileges (the default mode of Webmin's miniserv)
2. SUID CGI scripts on Apache (Webmin mode on a "foreign" server)
3. suPHP or suexec
4. Cron applies the changes as root
5. A daemon in C "periodically" applies the changes in the configuration files created by PHP
6. A daemon in C applies the changes requested in the configuration files created by PHP
7. Use SSH from PHP and, after logging in as root, execute the commands from the configuration files created by PHP (the root password in the DB)
8. Use SSH from PHP and, after logging in as root, execute the commands from the configuration files created by PHP (the root password entered manually)
9. Like the above, but using sudo and a user with rights only to the necessary shell commands
10. Add the apache user to /etc/sudoers so it can perform all the necessary shell commands
11. Use the command shell_exec(`sudo php -f /home/example/script.php`) together with /etc/sudoers
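Across the eleven options, what decides how safe the result is has less to do with the transport (sudo, a SUID CGI, a C daemon, cron) than with what the privileged side is willing to accept: a command string composed by PHP and handed to root reproduces the root web server problem in another form, whereas a root side that accepts only a narrow, typed request and builds the iptables argument list itself can sit behind sudo or a daemon with a small attack surface. The following validator is an added example written for this page, not code from the post; the request field names, the chain/action/protocol allowlists and the interface name pattern are assumptions chosen for illustration, and apply_request is never invoked here because it needs root and a real iptables:

```python
"""Privileged-side validator for a firewall web UI. Whatever carries the request to root
(sudo, a daemon, a cron job), the root side should accept a narrow request and build a fixed
argv itself, never a command string composed by the web tier. Added example for this page,
not code from the post; field names, chain/action allowlists and the interface regex are
assumptions chosen for illustration."""

import ipaddress
import re
import subprocess

ALLOWED_CHAINS = {"INPUT", "FORWARD"}          # assumption: the UI manages only these chains
ALLOWED_ACTIONS = {"ACCEPT", "DROP", "REJECT"}
ALLOWED_PROTOS = {"tcp", "udp"}                # --dport only makes sense for these
IFACE_RE = re.compile(r"^[a-z][a-z0-9.:_-]{0,14}$")   # assumed shape of a Linux interface name


class BadRequest(ValueError):
    """Raised for anything outside the allowlist; the caller logs it and changes nothing."""


def build_iptables_argv(req):
    """Turn a request dict from the unprivileged web tier into an argv list for iptables.
    Every field is either matched against an allowlist or parsed into a typed value and
    re-serialised, so shell metacharacters or extra options smuggled into a field never
    reach the command line."""
    chain = req.get("chain")
    if chain not in ALLOWED_CHAINS:
        raise BadRequest("chain not permitted: %r" % (chain,))
    action = req.get("action")
    if action not in ALLOWED_ACTIONS:
        raise BadRequest("action not permitted: %r" % (action,))
    proto = req.get("proto")
    if proto not in ALLOWED_PROTOS:
        raise BadRequest("protocol not permitted: %r" % (proto,))
    try:
        src = ipaddress.ip_network(str(req.get("src", "")), strict=False)
        dport = int(str(req.get("dport", "")))
    except ValueError as exc:
        raise BadRequest("bad source or port: %s" % exc)
    if not 1 <= dport <= 65535:
        raise BadRequest("port out of range: %d" % dport)

    argv = ["iptables", "-A", chain]
    if "iface" in req:
        iface = str(req["iface"])
        if not IFACE_RE.match(iface):
            raise BadRequest("bad interface name: %r" % (iface,))
        argv += ["-i", iface]
    # str(src) is the parsed network in canonical form, not the caller's text
    argv += ["-p", proto, "-s", str(src), "--dport", str(dport), "-j", action]
    return argv


def rejects(req):
    """True if the validator refuses the request; used to show what gets blocked."""
    try:
        build_iptables_argv(req)
    except BadRequest:
        return True
    return False


def apply_request(req):
    """Runs on the privileged side only. Passing a list to subprocess with no shell means
    the request fields are arguments to iptables, never commands. Needs root; not called here."""
    argv = build_iptables_argv(req)
    subprocess.run(argv, check=True)
    return argv


if __name__ == "__main__":
    print(build_iptables_argv({"chain": "INPUT", "action": "ACCEPT", "proto": "tcp",
                               "src": "192.168.1.0/24", "dport": "22", "iface": "eth0"}))
    print(rejects({"chain": "INPUT", "action": "ACCEPT", "proto": "tcp",
                   "src": "192.168.1.0/24; rm -rf /", "dport": "22"}))
```

With this shape, options 6, 9 or 11 from the list above all reduce to the same thing: the unprivileged PHP side may only produce a request, and the only root-executed program is one that refuses anything it cannot parse into the fixed argv. The same validator also rules out the "apache in sudoers for all needed commands" variant, since the web user then never needs a shell or a general iptables right at all.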
Apr 10, 2009
How to implement Network Protocols.
Dec 9, 2010
Have any of the below TCP-based applications been implemented over SCTP in Linux?
1. ftp
2. telnet
3. HTTP
Or any other applications ?
Jan 20, 2011
I'm in need of some advice from you guys. I'm currently running a live production serverA, and last week it went down for a couple of hours, which was really bad to say the least.
I've been thinking about building a mirror serverB that will rsync my data nightly. Now I don't want to load balance here, I just need to be able to switch to serverB when serverA goes down for any reason.
Would the best solution for this be to change my main nameserver entry when I want to switch? I'm just curious if it will be a few hours or an instant change.
I thought I'd ask before attempting this live.
Feb 25, 2010
I need to optimize the implementation of the DSR algorithm using NS-2. Now I need to identify, first of all, "the parameters which I can change and which are effective from an optimization point of view." I want to get into the C++ code as well as the header files which are used to implement the DSR algorithm.
Feb 5, 2011
I am not able to solve an error when I try to do a wireless scenario in ns2.
num_nodes is set 3
warning: Please use -channel as shown in tcl/ex/wireless-mitf.tcl
INITIALIZE THE LIST xListHead
Aug 2, 2010
Can I know the implementation of the RSA (encryption and decryption) algorithm in C / C++?
Apr 27, 2011
I have a copy of the MD5 algorithm and I'm taking a look at the source. It's pretty interesting but there are a few things that I'm curious about and I was wondering if anyone a bit more intuitive than I could help me out. The function declarations in the MD5 files are a bit unfamiliar to me. There is a macro used called PROTO_LIST, which I'm still not sure as to what this thing is doing exactly, but it's littered everywhere throughout the source. The signature here isn't too unfamiliar to me with the exception of the position of the PROTO_LIST macro. So here is a function with an unnamed argument of type MD5_CTX*. To me, this resembles an initializer list found in C++ with constructors but I certainly don't think that is the case here. So my questions about this are (1) how is this legal code in C and (2) what functionality has the PROTO_LIST macro provided for the function?
May 11, 2010
I have done everything that all the documentation has said and I still can't get this bloody thing working. Someone give me the exact commands that remove all traces of all wine packages, and then can someone give me the exact commands to install.
Which user I must be doing this under and exactly what I must configure in the config files. All that I want to accomplish by this is to successfully play games on my PC.
Aug 11, 2011
I am trying to find a LEACH protocol implementation for ns2.34, but all available links deal with ns2.27. Are the instructions valid for ns2.34?
Dec 7, 2010
I'm looking for linear hashing implementation in C language. PS: I have to implement this on Ubuntu 10.04 Linux on 64 bit machine.
Apr 6, 2011
I've implemented a program URL... which reads digital IF data from a radio receiver through a named pipe, measures power levels, and sends the result to stdout. The program is interactive; there is a thread that reads from stdin to watch for commands, a thread that constantly either reads data from the named pipe or throws data away, and an array of processing threads. The program uses GTK+extra to plot the signals. The IF data stream bandwidth exists at the limits of today's technology (is very very fast).
Problem Statement: The program works fine with a few bugs. I've learned since I've made it that using global state variables to coordinate threads isn't a good way of doing it. I also only had knowledge of mutexes and polled the state variable instead of using other methods. My reimplementation will use the following:
- One "Stdin Command Monitoring" thread
- One "Get data from named pipe" thread
- One post-processor thread
- N Processing threads
All threads are alive during the life of main(). There are N buffers. Data will come in from the named pipe, and the "Get data" thread will write the data to an "available" buffer. When the buffer is full it will be marked as "full". There will be N processing threads, one for each buffer. When a processing thread's buffer is full, it will process the buffer and save the result to a final buffer. At the end of a number of averages, the post-processor thread will perform a final process on the final buffer and send the results to stdout.
Jun 9, 2011
I'm a Red Hat 5 user, and I want to implement Kernel-based Virtual Machine. I have searched Google a lot but I can't find the perfect instructions regarding it.
Sep 15, 2010
I am new to this forum and to networking as well. I have chosen to implement:
1) SIP client using the C language
2) Platform: Windows
3) It's going to be on the command line
My problem is that I need some reference like books, material or websites where I can learn how to write the code from scratch or port the code according to my requirements. My implementation should serve the purpose that two SIP clients should communicate with each other to exchange audio data.
Aug 1, 2011
My network diagram is internet<---->dansguardian proxy(centos5)<--->my network. I have blocked facebook for my network but now I want to give only 2 IPs access to it, and I do not want to enter these IPs in exceptioniplist, as if I do so then they will be able to access all the sites that I have blocked. And if I am giving this entry [URL] in the bannedsite list it is also not working.....
Apr 6, 2011
I want to know the details about the implementation of a distributed firewall in a local area network.
Nov 3, 2010
I recently installed a new Ubuntu PC that runs iptables and PSAD. I had the same script on another Ubuntu PC, but when I copied the script onto the new PC, I got this error. I don't remember where I found the tutorial for this, all I know is that this is the script (Edited for my usage):
Code:
#!/bin/bash
# Script to check important ports on remote webserver
# Copyright (c) 2009 blogama.org
# This script is licensed under GNU GPL version 2.0 or above
[code]....
Safe.txt contains:
Code:
127.0.0.1
192.168.1.8
192.168.1.1
98.200.58.73
192.168.0.1
And the error message generated is:
Code:
root@NETWORK-SERVER:/var/ddosprotect# ./ipblock.sh
' not found.4.4: host/network `127.0.0.1
Try `iptables -h' or 'iptables --help' for more information.
' not found.4.4: host/network `192.168.1.8
[code]....
Feb 3, 2010
From this thread I've decided to try to add a feature for removing local port forwardings in ssh. Here are some very ugly and not-yet-working hacks that I made so far:
* Patch for channels.c
* Patch for channels.h
* Patch for clientloop.c
I was clearly expecting this to work without any trouble; everything seems to be logically correct, but I made a programming mistake somewhere. I don't know where, maybe you will point me to this? Many sites say there is a WAY AROUND with the -D param (starting a SOCKS proxy as a tunnel generator), added since 5.2, but I don't need that way around. I need a way through. I use exact ports for exact services and if I want to change it at runtime I'd like to have the ability to do so. If you have other ideas or points instead of coding this, please share them here & here (original question).
Mar 17, 2010
My problem is getting postfix working with a smarthost, to send mails from home with a dynamic IP, which needs authentication. I did exactly the same with Slackware 12.2 (postfix 2.6.2) and it worked. Now I tried to do it with 2.6.2 (the currently running version is 2.7.0, with the same problem) on Slackware 13 64bit. The following error message occurs about every minute in the maillog:
[code]...
Apr 16, 2011
I am running Ubuntu server 10.10 and trying to setup iptables rules in /etc/if-up.d/iptables
Quote:
root@host# cat /etc/network/if-up.d/iptables
#!/bin/sh -e
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
The problem is that iptables doesn't get updated and I don't see the rules when iptables -L is executed after reboot.
Nov 26, 2010
I am unable to restore my iptables from iptables-save after upgrading Fedora. I cannot get iptables-restore to work, and I have resorted to entering rules manually using the GUI.
Sep 17, 2010
I am facing a strange problem with my iptables: there are some firewall entries stored somewhere which keep displaying the firewall entries below even after flushing iptables, and when I restart the iptables service then the firewall entries are again shown in my iptables as shown below,
[root@myhome ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
[code]....
Jul 17, 2010
iptables gives an error during startup as well as when I try to restart it. Here's the output of:
[Code]....
Jul 27, 2010
I have a question regarding iptables. I have a server running Ubuntu Server 10.04 with 2 NICs; I want to use it to filter the internet traffic of the people in my network using DansGuardian and Squid. They both work fine. The only problem is how to get iptables to deal with this the right way.
eth0 = LAN
eth1 = internet
Aug 14, 2010
I'm having a weird issue on 10.04. I have a bash script I wrote to drop incoming connections that are faster than a specified rate (6 per 2 seconds in the example). I've been using the script successfully on 8.04 LTS and CentOS for 2-3 years but it doesn't seem to work on 10.04.
Code:
INTERVAL="2"
HITCOUNT="6"
iptables -A INPUT -d 123.123.123.123 -m state --state NEW -m recent --set
iptables -A INPUT -d 123.123.123.123 -m state --state NEW -m recent --update --seconds $INTERVAL --hitcount $HITCOUNT -j DROP
Mar 10, 2011
I'm having a complicated iptables problem. I'm using a linux poweredge 1750 with 4 ethernet interfaces and 1 wireless interface as a router/firewall/wireless access point.
The computers on the inside can connect and communicate just fine. They access the outside world and other internal devices with no problems.
DNAT from the outside works just fine for things like ssh, webmin and http. But some protocols and services (ftp with FileZilla and RunUO) use ports to connect, and then it is like they hand off the rest of the communication to other, seemingly randomly determined ports. And that is when the conversation gets dropped. How do I configure my router to notice these port changes and continue to DNAT the conversation?
Dec 9, 2010
I'm using an Ubuntu Server to share the internet connection with my network. Currently I have two WANs: a DSL connection connected to eth1 (configured as ppp0) and a cable connection plugged into eth2. Only eth1 is being shared over eth0 (the local network). What I want to do:
- Some services I want to go only by the secondary WAN (eth2). On that case, forward specific ports to it.
- Failover. If ppp0 fails, go to eth2.
- Some IPs from our internal network will ALWAYS use internet via eth2.
Is it possible to do this using Ubuntu/iptables? I already did it before using pfSense, but I don't even know how to start doing it on Ubuntu.
Apr 28, 2009
To expand: I'm trying to set up a box with l7-filter, and I need to patch and compile iptables 1.4.1.1 as part of the process. I ./configured it with the prefix= argument so it would install into /sbin instead of /usr/sbin, and I did a yum remove iptables before installing it so as not to get in the way of the original iptables, but I'm wondering if this is really necessary. It's kind of annoying, because removing the original iptables removes the init.d script, deregisters the service, etc. If I don't, is it possible that iptables 1.4.1.1 might get overwritten in a system update or something, or will yum see that I've got a custom/newer version in there and leave it be?