Ubuntu Networking :: Iptables: Natting A Machine Only On External Connections
Mar 22, 2011
I've got the following two subnets.
Code:
Subnet 1: 10.1.0.0/24
Subnet 2: 172.16.0.0/24
A machine in subnet 1 is natted to a static address in subnet 2. For instance 10.1.0.10 is natted to 172.16.0.10.
I have achieved this with the following iptables rule. (in addition to enabling forwarding)
Code:
iptables -t nat -A POSTROUTING -s 10.1.0.10 -j SNAT --to 172.16.0.10
So far this works perfectly. What I want to do now is to add another rule that only nats the machine in case it is NOT accessing subnet 1.
In other words, when this machine accesses any other machine in subnet 1, it should show up as 10.1.0.10. Whenever it accesses subnet 2 or anything else, it should appear as 172.16.0.10.
View 1 Replies
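An added example for the post above (not the poster's own rules): the SNAT rule with a negated destination match, so that traffic from 10.1.0.10 to the rest of 10.1.0.0/24 keeps its real source address and everything else is translated to 172.16.0.10. The addresses are the post's; the script layout (functions that print the iptables commands, `apply` to run them) is an assumption for illustration. The unconditional rule already in place must be deleted first, otherwise it is matched before the new one and the exception never takes effect; flows already tracked by conntrack keep their old mapping until they expire.

```shell
#!/bin/sh
# Added example, not from the original post: SNAT 10.1.0.10 -> 172.16.0.10 for
# every destination EXCEPT subnet 1. Functions only print the commands; run
# with "apply" (root, net.ipv4.ip_forward=1 assumed) to install them.

INSIDE_HOST="10.1.0.10"     # from the post
INSIDE_NET="10.1.0.0/24"    # subnet 1
NAT_ADDR="172.16.0.10"      # static address in subnet 2

# Remove the unconditional rule from the post first; -A appends, and the
# first matching rule in POSTROUTING wins.
remove_old_rule() {
    printf 'iptables -t nat -D POSTROUTING -s %s -j SNAT --to %s\n' "$INSIDE_HOST" "$NAT_ADDR"
}

# One rule: "! -d" excludes subnet 1, so hosts there see 10.1.0.10 unchanged.
snat_except_local() {
    printf 'iptables -t nat -A POSTROUTING -s %s ! -d %s -j SNAT --to-source %s\n' \
        "$INSIDE_HOST" "$INSIDE_NET" "$NAT_ADDR"
}

# Equivalent two-step form: one RETURN per exempted network, then the SNAT.
# Useful once more than one destination network must be left untranslated.
snat_except_local_return() {
    for net in "$@"; do
        printf 'iptables -t nat -A POSTROUTING -s %s -d %s -j RETURN\n' "$INSIDE_HOST" "$net"
    done
    printf 'iptables -t nat -A POSTROUTING -s %s -j SNAT --to-source %s\n' "$INSIDE_HOST" "$NAT_ADDR"
}

# Read-only checks: rule counters and the live translations conntrack holds.
show_state() {
    printf 'iptables -t nat -L POSTROUTING -n -v --line-numbers\n'
    printf 'conntrack -L -s %s\n' "$INSIDE_HOST"
}

case "${1:-}" in
    apply) { remove_old_rule; snat_except_local; } | sh ;;
    check) show_state ;;
    *)     snat_except_local ;;
esac
```

Verify afterwards with `conntrack -L -s 10.1.0.10` (package conntrack-tools): a flow to another 10.1.0.0/24 host shows no translation, a flow to 172.16.0.0/24 shows src=172.16.0.10 in the reply direction.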
May 23, 2011
I'd like to configure IPtables to make sure I can only access the internet through an openvpn connection (so when the connection is down I have no way to access the internet but to connect to the vpn again).
I know how to do this with Firestarter (restrictive outgoing policy and I only allow the VPN server IPs), but Firestarter seems to be stupid: for some reason eth0 was changed to eth1 and Firestarter can't work properly anymore. Even though that probably can be fixed with Firestarter, I'm no more interested in this program and I'd rather know how to apply the same policy using iptables.
I've tried a few things already but it failed each time... how can I effectively allow my computer to connect to the VPN while everything else is blocked?
View 3 Replies
Jun 3, 2010
I want to find out which server/service a streaming box connects to and maybe also take a look at some packets. The box connects to the Internet via a Linux gateway running Debian I have root access to. I have some basic knowledge about iptables, tcpdump, netstat etc. but couldn't yet figure out how to get this info.
My first approach was with netstat, but this traffic seems not to be visible (which somehow makes sense to me). My next guess was that with iptables it should be possible to log these connections, however I couldn't yet figure out how to.
View 1 Replies
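An added example for the post above (not the poster's setup). Forwarded traffic never appears in netstat on the gateway because the gateway owns no socket for it; the FORWARD chain is where it can be seen. The script logs one line per new connection the box opens, summarises the kernel log lines into destination host/port counts, and gives a tcpdump filter for the same flows. The box address, LAN interface, LAN network and the log lines in `sample_log` are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the post: log and summarise every NEW connection a
# LAN host opens through this Debian gateway. BOX_IP, LAN_IF, LAN_NET and the
# sample log lines are assumptions/constructed data.

BOX_IP="${BOX_IP:-192.168.1.50}"
LAN_IF="${LAN_IF:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Dedicated chain so the rules can be removed with "iptables -D FORWARD 1 / -X BOXLOG".
# Only the first packet of each flow is logged, rate-limited so a chatty box
# cannot fill syslog.
log_rules() {
    printf 'iptables -N BOXLOG 2>/dev/null\n'
    printf 'iptables -F BOXLOG\n'
    printf 'iptables -A BOXLOG -m limit --limit 10/min --limit-burst 20 -j LOG --log-prefix "BOX-NEW: " --log-level info\n'
    printf 'iptables -A BOXLOG -j RETURN\n'
    printf 'iptables -I FORWARD -i %s -s %s -m conntrack --ctstate NEW -j BOXLOG\n' "$LAN_IF" "$BOX_IP"
}

# Reduce LOG lines (stdin) to "PROTO dst:port", most frequent first.
summarize_log() {
    sed -n 's/.*BOX-NEW: .*DST=\([0-9.]*\) .*PROTO=\([A-Z]*\) .*DPT=\([0-9]*\).*/\2 \1:\3/p' \
        | sort | uniq -c | sort -rn
}

# Capture the box's traffic to/from outside the LAN for later inspection.
capture_cmd() {
    printf 'tcpdump -ni %s -s 0 -w /tmp/box.pcap "host %s and not (src net %s and dst net %s)"\n' \
        "$LAN_IF" "$BOX_IP" "$LAN_NET" "$LAN_NET"
}

# Constructed sample in the format the LOG target writes to the kernel log.
sample_log() {
    printf '%s\n' \
      'Jun  3 10:00:01 gw kernel: [ 100.1] BOX-NEW: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=41234 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0' \
      'Jun  3 10:00:02 gw kernel: [ 101.1] BOX-NEW: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=41235 DPT=443 WINDOW=5840 RES=0x00 SYN URGP=0' \
      'Jun  3 10:00:03 gw kernel: [ 102.1] BOX-NEW: IN=eth1 OUT=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=198.51.100.9 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=3 PROTO=UDP SPT=5353 DPT=53 LEN=28'
}

case "${1:-}" in
    apply)   log_rules | sh ;;
    report)  grep 'BOX-NEW:' /var/log/kern.log | summarize_log ;;
    capture) capture_cmd ;;
    demo)    sample_log | summarize_log ;;
    *)       log_rules ;;
esac
```

`conntrack -L -s 192.168.1.50` (conntrack-tools) lists the box's live flows without any logging at all, which is often enough to answer "which server does it talk to"; the LOG rule is for catching short-lived connections you would miss.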
Aug 28, 2010
I have a virtual machine on a NATted interface vmnet2. Ports are forwarded correctly into the virtual machine, but my host does not forward the ports correctly to the outside world. For example, when checking if the port is open I sniffed on the physical interface and saw only the "syn" packet going to the virtual interface. Inside the virtual interface I saw the same "syn" packet. The virtual machine replied with "syn, ack" and then it got a "rst" from my host. What could go wrong? How come this "syn, ack" packet is not going back to the physical interface?
View 2 Replies
Mar 17, 2011
I've forwarded incoming connections on port 25 to my virtual machine with the following commands:
sudo iptables -t nat -A PREROUTING -p tcp -i eth0 -d 10.1.1.3 --dport 25 -j DNAT --to 192.168.56.101:25
sudo iptables -A FORWARD -p tcp -i eth0 -d 192.168.56.101 --dport 25 -j ACCEPT
The strange thing is the connections coming through in the virtual machine seem to be getting dropped. A port scan from the internet says the port is closed, but that is not the case as I can see the connection coming through. As you've probably worked out, I am running a mail server. When I send myself test mail, the connections from the sender's mail server also get dropped.
View 1 Replies
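An added example serving the two port-forwarding posts above (Aug 28 2010 and Mar 17 2011); it is not either poster's configuration. Both describe the same symptom: the SYN reaches the VM, the SYN/ACK never reaches the outside. A DNAT rule only rewrites the inbound packet; the reply still has to pass FORWARD (the Mar 17 rules admit only the inbound direction) and has to be routed back through the host. The addresses are those of the Mar 17 post; the interface names, the use of a host-only network and the `vboxnet0` name are assumptions. Functions print the commands, `apply` runs them.

```shell
#!/bin/sh
# Added example for the two port-forwarding posts above; not the posters' rules.
# Addresses from the Mar 17 post; WAN_IF, VM_IF and host-only networking are
# assumptions. Prints commands by default; "apply" installs them as root.

WAN_IF="${WAN_IF:-eth0}"
VM_IF="${VM_IF:-vboxnet0}"
WAN_IP="10.1.1.3"
VM_IP="192.168.56.101"
PORT=25

dnat_rules() {
    # without forwarding enabled nothing leaves the host after DNAT
    printf 'sysctl -q -w net.ipv4.ip_forward=1\n'
    # rewrite the destination before the routing decision
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$WAN_IF" "$WAN_IP" "$PORT" "$VM_IP" "$PORT"
    # FORWARD sees the post-DNAT address; this admits the first packet...
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$WAN_IF" "$VM_IF" "$VM_IP" "$PORT"
    # ...and this admits every later packet in both directions, SYN/ACK included.
    # Without it a FORWARD policy of DROP lets the SYN in and kills the reply.
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
}

# Only when the VM's default gateway is NOT this host (usual on a host-only
# network): masquerade the forwarded flow so the VM answers to us and we
# undo the translation. Cost: the mail server logs the host, not the client.
vm_return_path_rule() {
    printf 'iptables -t nat -A POSTROUTING -o %s -p tcp -d %s --dport %s -j MASQUERADE\n' \
        "$VM_IF" "$VM_IP" "$PORT"
}

# Make one connection attempt from outside, then read the counters; the
# first one that stays at zero is where the packet was lost.
debug_cmds() {
    printf 'iptables -t nat -L PREROUTING -n -v   # DNAT rule hit?\n'
    printf 'iptables -L FORWARD -n -v            # NEW rule hit? ESTABLISHED rule hit?\n'
    printf 'conntrack -L -p tcp --dport %s         # entry should show dst=%s\n' "$PORT" "$VM_IP"
    printf 'tcpdump -ni %s port %s                # SYN in and SYN/ACK back on this side?\n' "$VM_IF" "$PORT"
}

case "${1:-}" in
    apply) { dnat_rules; vm_return_path_rule; } | sh ;;
    debug) debug_cmds ;;
    *)     dnat_rules ;;
esac
```

A RST coming from the host itself (the Aug 28 symptom) means the host's own TCP stack answered a packet instead of forwarding it; the conntrack listing shows whether the flow was ever translated, and the PREROUTING counter shows whether the DNAT rule matched at all.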
Aug 2, 2011
I am new to Linux but not UNIX; I have been an HP-UX SA in a previous life and am now an Oracle DBA. So I installed F15 (Gnome) onto an Intel machine using a Live USB from the website. The install has gone fine but I have no external network access. I have tried for a couple of days to get this working but no luck. I can ping internally on our LAN but no external connections. I cannot ping external web sites from my PC either, so I guess work has locked it down in the firewall, but I can browse from my PC so I was hoping to be able to use Firefox and yum etc. from my F15 install. Which sort of leads onto my second issue, which is setting up a remote X client session; I was trying to install VNC with yum when I found this issue.
Here is some info:
[root@hrdevdba1 etc]# cat resolv.conf
# Generated by NetworkManager
domain hayshps.com
search hayshps.com
nameserver 10.190.27.14
nameserver 10.190.13.1
nameserver 10.190.13.13
# NOTE: the libc resolver may not support more than 3 nameservers.
# The nameservers listed below may not be recognized.
nameserver 10.171.90.215
nameserver 10.175.151.236
[root@hrdevdba1 etc]# ifconfig .....
I should add that I have also attempted to disable IPv6.
View 2 Replies
May 29, 2011
I just upgraded to 15 and was wondering if it was possible to specify which devices to prioritize a route through. I have my machine, a laptop, connected to my family's router for an internet connection and a wired connection to a personal router for a faster and private connection between my other two computers and a network storage device. Whenever the laptop is connected to my personal router everything goes through it and it can't connect to any external web sites. But when I unplug it and go only on my family's wireless everything is fine, except I can't connect to the storage device since it has no external connections.
View 11 Replies
Jan 5, 2010
I have a machine that is like a firewall; I use iptables to route traffic through it, to the router. For example:
Host1 -> Middleman -> gateway -> Internet
Internet -> gateway -> middleman -> Host1
I have this working using these rules:
Code:
# 192.168.0.6 = host
# 192.168.0.8 = middleman
iptables -A PREROUTING -t nat -d 192.168.0.6/32 -j DNAT --to 192.168.0.8
iptables -A POSTROUTING -t nat -d 192.168.0.8/32 -j SNAT --to 192.168.0.6
On the middleman machine, when I analyse the traffic using Wireshark, I can only see the outbound traffic. I don't see any traffic from gateway->host, only host->gateway. The traffic must be passing through both ways because the host has Internet access. How can I modify the iptables rules to see the traffic both ways?
View 13 Replies
Jun 30, 2011
I want to port-forward client connections from an Ubuntu LTS server to another external server. BTW I am a noob on iptables. I have tried using the basic commands for iptables with no success. For example:
Code:
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 7878 -j DNAT --to 91.23.45.67:7878
iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 91.23.45.67 --dport 7878 -j ACCEPT
So basically I just want a redirection from one IP to another. Example: a client tries to connect to IP 123.45.67.89 on port 7878 and the server forwards him to IP xx.xx.xx.xx on port 7878, meaning that xx.xx.xx.xx is the actual server with services. The server with IP 123.45.67.89 is only forwarding the client to the external IP... how can this be done in a simple command?
View 7 Replies
Jan 2, 2011
I have a strange problem where my machine will suddenly stop responding to connections while still remaining partially connectible. Here's an example sequence of events I have taken (numerous times). If anyone can spot something else I should check or has seen these symptoms before please let me know.
1) System is using an Edimax 7318-usg, Ubuntu 10.04
2) Wifi connection is working, with power management turned off (iwconfig)
3) Signal strength does not cause the connection to drop (confirmed with router logs)
4) When in an ssh session on the problem machine suddenly the ssh session is dropped, "host is down"
5) When I attempt to re-initiate ssh it fails, no route to host...
6) Pinging it fails, accessing a webpage hosted on it fails, all access fails
7) The machine I'm pinging/sshing from still has a good network connection
8) I check my router's DHCP leases, the problem machine still has a valid lease.
9) Router still shows the problem machine in routing & arp table & shows active traffic going to and from (I checked the router's states and bandwidth monitor for this)
10) I try sshing and pinging the problem machine from the laptop on the local network, it still fails, no route to host, wtf?
11) I go to the problem machine physically, wifi connection is up with decent signal
12) ifconfig indicates it still holds an IP address
13) I open a browser on the problem machine, any webpage loads fine
14) I ping the laptop from the problem machine, ok
15) I ssh from the problem machine to my laptop, it works
16) At this point I ssh from the laptop to the problem machine, sometimes it works sometimes it fails (it seems that pinging/sshing the laptop FROM the problem machine sometimes makes it connectable again).
17) Usually if I wait a while the problem machine will randomly become connectable again at random intervals
18) The only reliable way to make the problem machine connectable again is manually reconnecting it to the wireless network
19) I tailed auth.log, ufw.log, etc., nothing suspicious disallowing my ssh connection
20) dmesg shows nothing unusual, as far as I can tell, just some activity negotiating WPA keys and such. By looking at the timestamp for the WPA negotiation and cross-referencing the router bandwidth monitor I can tell the WPA negotiation doesn't make it drop the connection.
So that's it, lol.
View 6 Replies
Mar 16, 2011
I had been running my SMTP server with WINE, as the SMTP server software is a Windows-based program (Mercury), but I cracked the shits with WINE and removed it. Now I am running my SMTP server in a Windows virtual machine. This virtual machine has a different IP address from my host machine, so what I need is for my computer (the host) to redirect incoming traffic on port 25 to the virtual machine at 192.168.56.101 on port 2525. Can someone please help me with it? I think it's done with iptables.
View 1 Replies
Jul 16, 2011
I have tried to configure my iptables to allow only HTTPS connections to the internet. Unfortunately, I didn't get that to work. I configured it like this:
Quote:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -t filter -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -t filter -p udp --dport 53 -j ACCEPT
[Code]....
Of course I am only trying to access websites via HTTPS. Still, I was wondering if HTTPS somehow under the hood requires the HTTP port to be open, or if my rules are wrong in some other way.
ps: I got the rules from that website: [URL]
View 9 Replies
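An added example that serves two posts on this page, the VPN-only policy asked for on May 23 2011 and the HTTPS-only policy above; it is not either poster's ruleset. Both have the same shape: OUTPUT policy DROP, loopback and established traffic allowed, then a short allow-list. For the VPN case the only thing permitted on the physical NIC is the tunnel endpoint itself, and everything else (DNS included, or it leaks) goes through tun0. For the HTTPS case, HTTPS needs nothing on port 80 at the firewall level; a site that still fails is usually redirecting to `http://` or pulling a resource over plain HTTP, which the LOG rule at the end of OUTPUT makes visible. The VPN endpoint, port and protocol, and the interface names, are assumptions.

```shell
#!/bin/sh
# Added example for the May 23 2011 (VPN-only) and Jul 16 2011 (HTTPS-only)
# posts; not the posters' rules. VPN_SERVER/VPN_PORT/VPN_PROTO, PHYS_IF and
# TUN_IF are assumptions. Prints rules; "apply-vpn"/"apply-https" run them.

PHYS_IF="${PHYS_IF:-eth0}"
TUN_IF="${TUN_IF:-tun0}"
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # put the IP, not a hostname, in the
VPN_PORT="${VPN_PORT:-1194}"               # OpenVPN config: DNS is blocked
VPN_PROTO="${VPN_PROTO:-udp}"              # on the physical NIC

base_rules() {
    printf 'iptables -F INPUT\n'
    printf 'iptables -F OUTPUT\n'
    printf 'iptables -P INPUT DROP\n'
    printf 'iptables -P OUTPUT DROP\n'
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A OUTPUT -o lo -j ACCEPT\n'
    printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
}

vpn_rules() {
    base_rules
    # the tunnel endpoint is the only destination allowed on the physical NIC
    printf 'iptables -A OUTPUT -o %s -p %s -d %s --dport %s -j ACCEPT\n' \
        "$PHYS_IF" "$VPN_PROTO" "$VPN_SERVER" "$VPN_PORT"
    # keep the DHCP lease (drop this line on a static address)
    printf 'iptables -A OUTPUT -o %s -p udp --sport 68 --dport 67 -j ACCEPT\n' "$PHYS_IF"
    # everything else, DNS included, may only leave through the tunnel
    printf 'iptables -A OUTPUT -o %s -j ACCEPT\n' "$TUN_IF"
}

https_rules() {
    base_rules
    printf 'iptables -A OUTPUT -p udp --dport 53 -j ACCEPT\n'
    printf 'iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT\n'
    printf 'iptables -A OUTPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT\n'
}

# Last rule before the DROP policy: shows what was blocked, and why a page
# "does not load" (e.g. a redirect to port 80).
log_drops() {
    printf 'iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUT-DROP: "\n'
}

case "${1:-}" in
    vpn)         vpn_rules; log_drops ;;
    https)       https_rules; log_drops ;;
    apply-vpn)   { vpn_rules; log_drops; } | sh ;;
    apply-https) { https_rules; log_drops; } | sh ;;
esac
```

Check the result with `iptables -L OUTPUT -n -v` while reproducing the failure: the counter that grows on the LOG line, together with the `OUT-DROP:` entries in the kernel log, names the port the application actually tried to use.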
Jun 4, 2010
I have two machines, a laptop and a desktop, both running Lucid. Each works fine, but... I can't seem to mount the external drives attached to either machine over the network. I can share folders from the internal drives fine, but when I try to access an external drive from either machine I get "unable to Mount volume". Is it possible to mount the external drives across the network? If so, how?
View 1 Replies
Sep 1, 2011
I have an Apache server running on my Ubuntu machine. I can view the pages using my local IP (192.168.1.6:80/), and my friends can view the things hosted on my server using my external IP (for example http://123.123.123.123:80), but when a friend links back to me to show me what they are looking at and share the moment, I can't view the link; it simply redirects to my router login page.
I had an older Linksys router and this worked fine. I could click on the links with my external IP and it routed back to my server for viewing.
Remember to note that I am on the machine that has the server, and I'd like to be redirected out and back to it so we can share pictures back and forth without me having to replace the external IP address with my local one just to view that link in the browser.
View 3 Replies
Jul 8, 2011
For some reason my FTP packets are blocked by iptables even though I thought I allowed them through.
My syslog errors are along this line:
And my iptables ruleset:
View 4 Replies
Apr 7, 2011
I'm trying to adjust the firewall to only inbound syn connections.
To Allow all home subnets access to port 53 both tcp/udp but deny the rest.
View 1 Replies
Jul 14, 2009
Have done a bit of Googling around this but got totally swamped so will try here. Basically we are running a CentOS server which hosts a number of virtual hosts under Apache. Recently I needed to set up a development environment for another site using Ubuntu and have this running and accessible on the LAN from a VMWare image. I'm using bridged networking so the VMWare machine has its own IP on the LAN subnet.
I've set up a DNS entry to point to the external IP of the physical host but can't figure out how to route traffic requested on this domain to the VMWare host. I've basically tried two approaches (configuring a proxy web server and reverse proxy in an httpd.conf file, and mucking around with iptables forwarding rules) but without success.
Ideally I'd like somesite.somewhere.com to point to the VMWare IP but I could live with a custom port on the end if thats whats required.
To throw further complication into the mix I need reliable communication between the VMWare machine and external mail relay servers in order to debug any issues with mail bouncebacks, embargos etc.
Any idea what's the easiest way to accomplish this?
View 4 Replies
Jul 23, 2010
I'm having problems with hackers from across the globe trying to get into our servers. Why? I have no clue. Nothing of value in my servers worth getting.
Right now my service only does business with the USA. So I'm trying to find a way to block all non-USA traffic. I called my hosting provider and they are unable to help. Said it was up to me to do this.
Well, I've already taken care of the TCP Wrappers, by spawning a small C program I made that uses MaxMind's GeoIP system to automatically deny access. Now I need to do something about all the other network connections that come in to services that do not use the TCP Wrappers.
So I was wondering if iptables has a way to spawn a subprocess like TCP Wrappers, or if there is any other firewall software out there for Linux that would let me achieve my goal.
View 10 Replies
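An added example for the post above; it is not the poster's code. iptables does not spawn a program per connection (NFQUEUE can hand packets to a userspace process, but that is far slower than kernel matching and not needed here). The usual approach is to load the country's networks into an ipset and drop everything not in it with one rule, which also covers services that ignore TCP Wrappers. The CSV layout below (`network,country`) is a constructed sample; MaxMind's real files differ per product and the awk field numbers must be adapted. The management subnet, set name and sizes are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's code: country allow-list with ipset.
# SET_NAME, MGMT_NET and the CSV sample are assumptions/constructed data.

SET_NAME="${SET_NAME:-usa}"

# Turn "network,country" lines (stdin) into an "ipset restore" script for
# one country. Lines whose first field is not a CIDR are ignored (header).
ipset_from_csv() {
    country="$1"
    printf 'create %s hash:net family inet hashsize 65536 maxelem 1000000\n' "$SET_NAME"
    printf 'flush %s\n' "$SET_NAME"
    awk -F, -v c="$country" -v s="$SET_NAME" \
        '$2 == c && $1 ~ /^[0-9.]+\/[0-9]+$/ { print "add " s " " $1 }'
}

# Firewall side: one rule in its own chain. The management subnet and
# existing flows are exempted first so a bad list update cannot lock
# the administrator out or cut running sessions.
geo_rules() {
    printf 'iptables -N GEOBLOCK 2>/dev/null\n'
    printf 'iptables -F GEOBLOCK\n'
    printf 'iptables -A GEOBLOCK -s %s -j RETURN\n' "${MGMT_NET:-198.51.100.0/24}"
    printf 'iptables -A GEOBLOCK -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN\n'
    printf 'iptables -A GEOBLOCK -m set ! --match-set %s src -j DROP\n' "$SET_NAME"
    printf 'iptables -I INPUT 1 -j GEOBLOCK\n'
}

# Constructed sample, not real allocation data.
sample_csv() {
    printf '%s\n' \
      "network,country" \
      "192.0.2.0/24,US" \
      "198.51.100.0/24,DE" \
      "203.0.113.0/24,US"
}

case "${1:-}" in
    load)  ipset_from_csv US < "${2:?csv file}" | ipset -exist restore ;;
    rules) geo_rules ;;
    demo)  sample_csv | ipset_from_csv US ;;
esac
```

Because `ipset restore` replaces the set contents atomically per command and the iptables rule references the set by name, the list can be refreshed from cron without touching the firewall rules; `ipset list usa | head` shows the entry count after a reload.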
Nov 11, 2010
I'd like to add a high-availability feature to the firewall (iptables) and OpenVPN service I'm running at my job. My project is two firewall boxes in an active/passive configuration and, if it's possible, to sync connection states. I started reading on heartbeat and I'd like to hear some advice and clear up some doubts: for the config I'm planning, is the heartbeat service enough, or would it require a CRM service such as Pacemaker?
View 3 Replies
Mar 14, 2010
How can I configure Postfix to reject connections coming from anywhere except the local machine?
View 4 Replies
Mar 30, 2011
I have a server that I can only access via SSH (it's located far away) and I would like to secure it by blocking all ports except the ones that I need (which are HTTP and SSH). I still want to be able to make outgoing connections to enable software updates and other things. This is my iptables -L -n:
Code:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:1:21
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:23:79
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:81:65535
code....
In my opinion, this should block all incoming packets except the ones on ports 80 and 22, but allow responses to outgoing connections. But a wget http://google.com does not work; it can't establish the connection.
Maybe this is not the best style for iptables rules, but I want to be absolutely sure not to accidentally lock myself out from SSH, so I chose not to configure a "block-everything rule".
Does this configuration not enable incoming packets from connections initiated from inside?
View 3 Replies
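An added example for the post above; not the poster's ruleset. In the chain as shown, the RELATED,ESTABLISHED rule sits before every DROP, so the replies to an outgoing wget (and the UDP DNS answers it needs first) are accepted by what is visible; the truncated part of the listing is where to look, and `iptables -L INPUT -n -v` shows which rule's packet counter grows while the wget hangs. The second part addresses the lock-out worry directly: a default-deny INPUT can be applied safely over SSH if an automatic restore of the previous rules is scheduled first and cancelled only once the new rules are confirmed to work. Paths and the rollback delay are assumptions.

```shell
#!/bin/sh
# Added example (not the poster's rules): default-deny INPUT for SSH + HTTP,
# applied with an automatic rollback so a mistake cannot lock you out.
# BACKUP path and ROLLBACK_SECS are assumptions.

ROLLBACK_SECS="${ROLLBACK_SECS:-120}"
BACKUP="${BACKUP:-/root/iptables.before}"

# The explicit version of "block everything except 22 and 80, keep replies".
new_rules() {
    printf 'iptables -F INPUT\n'
    printf 'iptables -A INPUT -i lo -j ACCEPT\n'
    printf 'iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
    printf 'iptables -A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT\n'
    printf 'iptables -A INPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT\n'
    printf 'iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT\n'
    # policy last, after the allow rules exist
    printf 'iptables -P INPUT DROP\n'
}

# Command that undoes everything after $1 seconds from backup file $2.
rollback_cmd() {
    printf 'sleep %s && iptables-restore < %s' "$1" "$2"
}

apply_with_rollback() {
    iptables-save > "$BACKUP"
    # detached with nohup so it survives the SSH session dying
    nohup sh -c "$(rollback_cmd "$ROLLBACK_SECS" "$BACKUP")" >/dev/null 2>&1 &
    rb_pid=$!
    new_rules | sh
    printf 'applied; rollback (pid %s) fires in %ss.\n' "$rb_pid" "$ROLLBACK_SECS"
    printf 'open a NEW ssh session and test; if it works: kill %s; iptables-save > /etc/iptables.rules\n' "$rb_pid"
}

# Which rule drops the packets? Run while reproducing the failure.
counters_cmd() {
    printf 'iptables -L INPUT -n -v --line-numbers\n'
}

case "${1:-}" in
    apply) apply_with_rollback ;;
    show)  new_rules ;;
    check) counters_cmd ;;
esac
```

Killing the rollback shell before the timer expires is what commits the change; if the new session cannot connect, simply wait and the saved rules come back on their own.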
May 25, 2011
I have exim setup on squeeze to run as an "internet site". Outgoing mail works fine but it seems to just ignore incoming smtp requests on port 25. I can see the incoming connection via tcpdump but exim doesn't seem to talk. If I connect via telnet it rather quickly says connection refused. Is there something additional I need in the Exim conf?
View 1 Replies
Jun 12, 2010
I run FC11 on my desktop and FC11 in a virtual machine to test the connections that could be established between two Linux machines. All the connections from the virtual machine to the physical machine are refused; the only thing that answers is a ping to the default gateway.
View 7 Replies
Feb 7, 2011
I have a problem with my network-manager in Ubuntu 10.10. When I dial one of my VPN connections, my other VPN connections become disabled and I can't use them! I tried to restart network-manager and gnome-panel, but it doesn't seem to solve this problem.
View 1 Replies
Jul 2, 2011
I am trying to forward all the incoming internet/LAN requests on port 80 to my local machine (running Apache). The current iptables rules work (they forward incoming internet traffic to my desktop), but if I try to access it from my local network it won't work. The interface connecting my Ubuntu server to the internet is ppp0 (dialed DSL connection through my router that is in bridge mode), which is connected to eth0, and eth1 is connected to my internal LAN.
[Code]...
What I was able to gather so far (via logs) is that accessing the external server IP directly from the LAN goes directly to eth1, which is understandable (I think). So what I need now (I guess) is a rule that will forward the LAN traffic on eth1 without interfering with the ppp0 PREROUTING rule (as forwarding all the incoming traffic on eth1 to my local machine will break the internet connection).
View 1 Replies
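An added example (not taken from any of the posts) for three threads on this page that share one cause: the Jun 30 2011 forward to an external server, and the Jul 2 2011 and Sep 1 2011 "LAN client opens the public address" problem. In each, the DNAT'ed packet leaves on the same side it came in, so the real server replies to the client directly from an address the client never talked to, and the client's TCP stack discards the reply. The fix is a matching SNAT/MASQUERADE so the reply comes back through the box that did the DNAT. Public addresses are the posts' placeholders; the interface names, LAN_NET and WEB_HOST are assumptions.

```shell
#!/bin/sh
# Added example, not from the posts: DNAT on the same interface the traffic
# leaves on needs a matching SNAT, or the reply bypasses this box.
# Interface names, LAN_NET and WEB_HOST are assumptions.

# --- case 1 (Jun 30 post): relay a public port to another public server -----
relay_rules() {   # $1=interface  $2=our public IP  $3=target IP  $4=port
    printf 'iptables -t nat -A PREROUTING -i %s -p tcp -d %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$1" "$2" "$4" "$3" "$4"
    # replies from the target must come back to us, not go to the client
    printf 'iptables -t nat -A POSTROUTING -o %s -p tcp -d %s --dport %s -j SNAT --to-source %s\n' \
        "$1" "$3" "$4" "$2"
    printf 'iptables -A FORWARD -i %s -o %s -p tcp -d %s --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
        "$1" "$1" "$3" "$4"
    printf 'iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n'
}

# --- case 2 (Jul 2 / Sep 1 posts): NAT reflection ("hairpin") for the LAN ---
hairpin_rules() {   # $1=LAN interface  $2=LAN net  $3=public IP  $4=web host
    # the existing DNAT on ppp0 stays; this is the LAN-side copy of it
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -d %s -p tcp --dport 80 -j DNAT --to-destination %s\n' \
        "$1" "$2" "$3" "$4"
    # the client expects the answer from the public IP; masquerade so the
    # web host answers to us and we un-translate
    printf 'iptables -t nat -A POSTROUTING -o %s -s %s -d %s -p tcp --dport 80 -j MASQUERADE\n' \
        "$1" "$2" "$4"
    printf 'iptables -A FORWARD -i %s -o %s -d %s -p tcp --dport 80 -j ACCEPT\n' "$1" "$1" "$4"
}

# ppp0 gets a fresh address on every dial-up: read it at run time (for
# example from a script in /etc/ppp/ip-up.d/) instead of hard-coding it.
iface_ip() {
    ip -4 -o addr show dev "$1" | awk '{ sub(/\/.*/, "", $4); print $4; exit }'
}

case "${1:-}" in
    relay)   relay_rules eth0 123.45.67.89 91.23.45.67 7878 ;;
    hairpin) hairpin_rules eth1 "${LAN_NET:-192.168.1.0/24}" "$(iface_ip ppp0)" "${WEB_HOST:-192.168.1.10}" ;;
esac
```

In both cases the target sees this box, not the real client, as the source address. For the web case that is a real loss (Apache logs the router for every LAN visitor), so split-horizon DNS, for example a dnsmasq `address=/www.example.com/192.168.1.10` entry, is usually preferable when you control the LAN's resolver. On a consumer router (the Sep 1 situation) there is nothing to configure with iptables: either the router supports NAT reflection or a local DNS override is the answer. When the clients arrive on a different interface from the one facing the target (the Jun 30 post's `-i eth1 -o eth0`), put that interface in `-i`; the SNAT on the outgoing interface is still required.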
Jan 9, 2010
I want to do port mapping on a Linux machine using iptables. I have a service listening on port 2000 UDP and I want to add an iptables rule which will map incoming packets on port 2001 to port 2000, so that the service will accept the connections. The idea is that I don't want to change the default port for the service, but to make an internal port redirection (from 2001 to 2000), so the default service port will be filtered by iptables and the other port will be open to the outside. The internet host connects to the Linux machine on port 2001. The Linux machine changes the destination port from 2001 to 2000 and the service (on the same machine) processes the packets and accepts the connection. I tried adding the following to my iptables rules, but it didn't work out:
$IPTABLES -A FORWARD -p udp --destination-port 2001 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -i eth0 -p udp --dport 2001 -j REDIRECT --to-port 2000
View 6 Replies
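An added example for the post above (not the poster's rules). A packet that REDIRECT delivers to the local machine is handed to the INPUT chain, with its destination port already rewritten to 2000; it never traverses FORWARD, so the FORWARD rule in the post matches nothing. INPUT must therefore accept port 2000, but only for packets that originally arrived on 2001, which the conntrack match can express with `--ctorigdstport`; packets sent straight to 2000 from outside are then dropped, as the post wants. The interface name is an assumption.

```shell
#!/bin/sh
# Added example, not the poster's rules: UDP 2001 -> 2000 on the same host,
# with direct access to 2000 blocked. IF is an assumption.

IF="${IF:-eth0}"
PUBLIC_PORT=2001
SERVICE_PORT=2000

redirect_rules() {
    # translate the destination port before routing; conntrack remembers the
    # mapping so the service's replies leave with source port 2001 again
    printf 'iptables -t nat -A PREROUTING -i %s -p udp --dport %s -j REDIRECT --to-ports %s\n' \
        "$IF" "$PUBLIC_PORT" "$SERVICE_PORT"
    # INPUT sees dport 2000; accept only flows whose ORIGINAL dport was 2001
    printf 'iptables -A INPUT -i %s -p udp --dport %s -m conntrack --ctorigdstport %s -j ACCEPT\n' \
        "$IF" "$SERVICE_PORT" "$PUBLIC_PORT"
    # anything that addressed 2000 directly from outside is dropped
    printf 'iptables -A INPUT -i %s -p udp --dport %s -j DROP\n' "$IF" "$SERVICE_PORT"
}

# Verification, in order: is the service really bound, does the REDIRECT
# counter move, and does a datagram from another host get a reply?
check_cmds() {
    printf 'ss -ulnp | grep ":%s "\n' "$SERVICE_PORT"
    printf 'iptables -t nat -L PREROUTING -n -v\n'
    printf 'iptables -L INPUT -n -v\n'
    printf 'echo ping | nc -u -w1 <public-ip> %s   # run from another host\n' "$PUBLIC_PORT"
}

case "${1:-}" in
    apply) redirect_rules | sh ;;
    check) check_cmds ;;
    *)     redirect_rules ;;
esac
```

If the service binds only to 127.0.0.1, `ss -ulnp` shows that and the redirected packets are refused regardless of the firewall; REDIRECT changes the port, not the address the daemon listens on.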
Sep 21, 2010
I have a task to configure two httpd services on the same Linux machine using iptables.
For example: run the primary httpd instance on ports 80 and 443; if the primary instance is down, switch to the second instance running on 8080 and 4443. This can be achieved using iptables.
View 5 Replies
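An added example for the post above; it is not the poster's configuration. iptables has no notion of a service being "down": it can only redirect ports. The failover therefore needs a small watchdog that checks the primary instance and, on a state change, fills or empties a private nat chain with two REDIRECT rules pointing at the backup ports. The health URL, state file and `curl` availability are assumptions; the port numbers are the post's.

```shell
#!/bin/sh
# Added example, not the poster's setup: health-check driven REDIRECT failover
# between two httpd instances on one host. STATE_FILE and the health check
# are assumptions; ports come from the post.

PRIMARY_HTTP=80;  PRIMARY_HTTPS=443
BACKUP_HTTP=8080; BACKUP_HTTPS=4443
STATE_FILE="${STATE_FILE:-/run/httpd-failover.state}"

# Exit 0 when the primary answers on loopback. nat/PREROUTING does not apply
# to locally generated packets, so this check is never itself redirected.
primary_up() {
    curl -s -m 3 -o /dev/null "http://127.0.0.1:${PRIMARY_HTTP}/"
}

# Pure decision: "primary" when the health check status ($1) is 0.
choose_backend() {
    if [ "$1" -eq 0 ]; then echo primary; else echo backup; fi
}

# Rules for the wanted backend. The primary listens on the real ports, so
# "primary" means an empty chain; "backup" means two REDIRECTs.
failover_rules() {
    printf 'iptables -t nat -N HTTPFAIL 2>/dev/null\n'
    printf 'iptables -t nat -F HTTPFAIL\n'
    if [ "$1" = backup ]; then
        printf 'iptables -t nat -A HTTPFAIL -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$PRIMARY_HTTP" "$BACKUP_HTTP"
        printf 'iptables -t nat -A HTTPFAIL -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$PRIMARY_HTTPS" "$BACKUP_HTTPS"
    fi
    # hook the chain into PREROUTING exactly once (-C needs iptables >= 1.4.11)
    printf 'iptables -t nat -C PREROUTING -j HTTPFAIL 2>/dev/null || iptables -t nat -I PREROUTING -j HTTPFAIL\n'
}

# Entry point for cron or a systemd timer: touch iptables only on a change.
watchdog() {
    if primary_up; then st=0; else st=1; fi
    want=$(choose_backend "$st")
    have=$(cat "$STATE_FILE" 2>/dev/null || echo primary)
    if [ "$want" != "$have" ]; then
        failover_rules "$want" | sh && echo "$want" > "$STATE_FILE"
        logger -t httpd-failover "switched to $want"
    fi
}

case "${1:-}" in
    run)  watchdog ;;
    show) failover_rules "${2:-backup}" ;;
esac
```

Two things to know before relying on it: connections already tracked by conntrack keep their mapping until they time out, so a switch is not instantaneous for existing clients, and because REDIRECT lives in PREROUTING it affects only traffic from other hosts; a test with `curl http://127.0.0.1/` from the box itself always reaches the primary port.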
Mar 17, 2010
I am having the following problem. If I try to change my SMB password, it throws the following error:
Quote:
~>smbpasswd
Old SMB password:
New SMB password:
Retype new SMB password:
Server did not provide 'target information', required for NTLMv2
rpc_pipe_bind: rpc_send_auth_reply failed.
machine 127.0.0.1 does not support SAMR connections, but LANMAN password changed are disabled
Failed to change password for user1
View 1 Replies
Mar 8, 2011
I have two machines sitting in different offices.
Machine A is an ubuntu server box which does not have an external IP address, but is connected to the internet.
Machine B is an ubuntu server box which does have an external IP address (and is connected to the internet).
As it stands, machine B cannot SSH into machine A, only the other way around. What I was wondering is: is it possible for machine A to set up some sort of tunnel which machine B can then use to connect back to machine A? I only need SSH access, and I only need it from machine B to machine A.
View 4 Replies
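An added example for the post above; not the poster's setup. Machine A keeps an outbound SSH session to machine B open and, with `-R`, asks B's sshd to listen on a loopback port that is forwarded back to A's own sshd; an operator on B then connects to `127.0.0.1:<port>` and lands on A. Host names, the tunnel account, the port and the key placeholder are assumptions. The `authorized_keys` options shown (`restrict`, `permitlisten`) need OpenSSH 7.2 and 7.8 respectively; on older servers use `no-pty,no-X11-forwarding,no-agent-forwarding` instead.

```shell
#!/bin/sh
# Added example, not the poster's commands: reverse SSH tunnel from A (no
# public address) to B (public address). B_HOST, B_USER, REMOTE_PORT and the
# key in authorized_keys_line are placeholders/assumptions.

B_HOST="${B_HOST:-machine-b.example.org}"
B_USER="${B_USER:-tunnel}"        # dedicated, restricted account on B
REMOTE_PORT="${REMOTE_PORT:-2222}" # B listens here, on loopback only

# Run on A. -N: no remote shell; -R: B's 127.0.0.1:2222 -> A's sshd.
# Keepalives make a dead link fail fast; ExitOnForwardFailure makes a
# port already in use on B a hard error instead of a silent no-op.
tunnel_cmd() {
    printf 'ssh -N -R 127.0.0.1:%s:localhost:22 -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes %s@%s\n' \
        "$REMOTE_PORT" "$B_USER" "$B_HOST"
}

# Same, supervised: autossh restarts the session when it drops (-M 0 relies
# on the ServerAlive options above instead of a monitor port). Suitable for
# a cron @reboot line or a systemd service on A.
autossh_cmd() {
    printf 'autossh -M 0 -f -N -R 127.0.0.1:%s:localhost:22 -o ServerAliveInterval=30 -o ServerAliveCountMax=3 -o ExitOnForwardFailure=yes %s@%s\n' \
        "$REMOTE_PORT" "$B_USER" "$B_HOST"
}

# What the operator types on B to reach A ($1 = account on A).
connect_cmd() {
    printf 'ssh -p %s %s@127.0.0.1\n' "$REMOTE_PORT" "$1"
}

# Line for ~tunnel/.ssh/authorized_keys on B: no shell, no agent/X11/pty,
# and the only permitted listener is this one loopback port. The key text
# is a placeholder, not a real key.
authorized_keys_line() {
    printf 'restrict,port-forwarding,permitlisten="127.0.0.1:%s" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYFORMACHINEA\n' "$REMOTE_PORT"
}

case "${1:-}" in
    tunnel)  tunnel_cmd ;;
    autossh) autossh_cmd ;;
    connect) connect_cmd "${2:-root}" ;;
    authkey) authorized_keys_line ;;
esac
```

Binding the listener to 127.0.0.1 on B keeps the forwarded port off B's public interface; if it must be reachable from elsewhere, `GatewayPorts clientspecified` in B's sshd_config is required and the bind address in `-R` becomes B's address.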
Dec 7, 2010
Does anyone know the difference between a socket and a TCP connection for connecting to an external system?
View 1 Replies