I am establishing a VPN connection with a Cisco VPN server, but only want outgoing connections to a certain set of IP addresses to actually go through the VPN. I tried something like this:
Code:
sudo iptables -A OUTPUT -t mangle -p tcp -d 111.222.0.0/16 -j ROUTE --oif tun0
but keep getting
[code]...
I am running into trouble while trying to set-up a iptables routing policy. I have two machines on the same sub-network (xxx.xxx.153.0). One of the machines is used as a default gw for the other (xxx.xxx.153.250 is a gateway for xxx.xxx.153.142 and xxx.xxx.153.254 is a gw for xxx.xxx.153.250). There is no explanation for why the xxx.xxx.153.250 is in the middle -- xxx.xxx.153.142 can go straight to xxx.xxx.153.254, but is is like that for now.I am trying to find an iptable rule to be executed on the xxx.xxx.153.250 machine to route the packets.
View 3 Replies View RelatedI have an Untangle Box - which for those that don't know is a modified Debian Lenny used as a router, proxy, filter and much more - It has three physical interfaces on it eht0 (incoming traffic), eth1 (Outgoing to LAN after traffic filtered), and eth2 (Called a DMZ NIC, as Untangle can be used as a router). There is also a tun0 interface setup by Untangle for VPN (Not using the Openvpn in Untangle because I need bridged a bridged VPN and this is not an option in Untangles offering), a br0.eth setup by untangle to bridge eth0 and eth1 for traffic flow through as it is inline from router to switch and not acting as the router itself, and a br0 interface that I have setup by bridge script bridging eth2 and tap0 to run OpenVPN as a bridged VPN.
The routes on the machine are as follow:
Code:
untangle:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.100.0 * 255.255.255.0 U 0 0 0 br.eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
192.0.2.0 * 255.255.255.0 U 0 0 0 dummy0
192.0.2.0 * 255.255.255.0 U 0 0 0 utun
untangle:~#
I don't see a default route listed here, however, I do have Internet connectivity on the Untangle box itself. I also know that by script to bridge the tap0 and eth2 interfaces adds a default route through the gateway on the network that eth2 is connected to. So the lack of a default route is somewhat puzzling to me, I do have the gateway set through the web based admin interface Untangle offers.
The iptables rules are as follow:
Code:
untangle:~# iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N alpaca-firewall .....
There was an addition output rule in the alpaca-nat-firewall rule that said DROP outgoing interface eth2, I removed that rule with no change. I can ping out from the Untangle server to the eth2 LAN, I can access resources in the eth2 subnet. But I cannot get any reply from the server from anything either in that subnet or not. If I run iftop I can see the incoming traffic form my ping but the Server sends out no reply. I think this is a firewall issue. I can access the server by connecting to the IP assigned to the eth0/br0.eth interface which is in my main LAN. I am also attaching a crude diagram of the previous setup and the new setup (Previous setup used a different server for my bridged VPN).
Is there a rule I can add to ensure that traffic coming in on an interface goes out the same interface? Do I have a rule blocking incoming traffic to eth2/br0? Do I have one blocking sending out on eth2/br0? Do I have a default rule that is killing the traffic on eth2/br0 and I need to add an accept rule for traffic coming in on eth2/br0? I tried adding an accept rule for traffic coming in on br0, but it didn't work. I tried an output rule, but that didn't work, but I may have been bungling these rules as I do not fully understand the syntax and function and body of an iptables rule. The exact original iptables information before I modified anything can be viewed at [URL].
I'm trying to configure Iptables and I just want to block everything but http/https. However, my connection is pppoe, so I have the ppp0 interface. Pretty much every Iptables tutorial that I found don't teach how to deal with this kind of setup. I'm forwarding the ppp0 to eth0 and I could configure the input rules and they're working. After this, I need to configure the output but nothing seems to work.
The current working rules are:
Code:
Chain INPUT (policy ACCEPT 7858 packets, 5792K bytes)
pkts bytes target prot opt in out source destination
299 201K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:www
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
11 820 DROP all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 ppp0 anywhere anywhere
0 0 ACCEPT all -- ppp0 eth0 anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 10791 packets, 1951K bytes)
pkts bytes target prot opt in out source destination
I don't understand what those "state RELATED,ESTABLISHED" rules do. Also, I don't know if this rules are secure, because i'm very confused about the ppp0/eth0 interfaces.
I need to make some solution for my home network, I have a linux server which is: Linux Centos 5.5. So, what I need to do is to make a virtual interface for my clients which set its bandwidth up to 1Mb/s shared to them, but my real bandwidth is 2Mb/s. Also, after that, I have two questions:
1. How to set this rate limitation to that interface?
2. How to edit this interface to let it work and route the client data to my ADSL router?
I'm already generate the virtual interface using webmin managment tool, so I need to set its rate and route data.
it�s been several years since i played with iptables. I have setup like this:eth0 is the only physical device on box and eth0:0 is aliased. Traffic going out of the box to internet uses eth0eth0 116.55.58.1eth0:0 116.55.58.2I have a service listening on port 80 on 116.55.58.2Lets say my client connect to 116.55.58.2:80 through 116.55.58.1 , how do I force (mangle you name it) with iptables that the outgoing source address will be always 116.55.58.2?
View 1 Replies View RelatedThe following is my setup. wireless server (ip of this server is 192.168.1.1) -- target board ( wireless client [ip of this is got for wireless server is 192.168.1.3 ] , bridge (192.168.36.1) )-- linux pc ( 192.168.36.3) as show above i have target board for that i have a wireless interface and a linux pc is connected to target board.now the ips are like this for linux pc 192.168.36.3 and my target board bridge ip s 192.168.36.1
my wireless interface got ip from another server like 192.168.1.3 ,now if i do ping on my target board for 192.168.1.1 it goes through wireless interface to the 192.168.1.1 wireless server.but when i do the same from target board connected linux pc its not pinging from linux pc i could able to ping to 192.168.1.3 but not 192.168.1.1 .I think i need to write a iptable rule properly on my target board to forward the 192.168.1.* packtes to wireless interface.
I am trying to do something outlandish with iptables (or so I think!).I have a source sending udp packets to a destination (say dst11). Using port mirroring I am able to get all these packets to a different machine (say dst22). I am able to see these packets on dst22 interface using tcpdump.I want to analyze the packets on dst22. So what I do is put dst22 interface in promiscuous mode (using ifconfig eth0 promisc). This in theory should get the packet through the MAC layer. Now using iptables I am trying to DNAT the packets in nat prerouting to change the packets destination IP to dst22's interface and change the destination port.
View 2 Replies View RelatedMy Ubuntu Box has 3 interfaces. eth0 (Internal 192.168.1.0/24)eth1 (External ISP DHCP)eth2 (External ISP Static IP)I need the outgoing traffic to internet for 1 of the internal pc (192.168.1.10) to only go only go through eth2
View 4 Replies View RelatedWhen I do...# iptables -L...I see rules in my INPUT and OUTPUT chains that look scary:ACCEPT all -- anywhere anywhere...but these rules only apply to the loopback interface. I tested it and the server cannot be reached on open ports from the outside world. How can I make iptables show the interfaces that the rules apply to?Otherwise, every time I do iptables -L it will scare the crap out of me.
View 3 Replies View RelatedI have a firewall, this consists of three NIC's:
Code: eth0[192.168.0.2] eth1[192.168.1.2] and eth2[10.10.165.2]
I am trying to ping eth0 from eth2, but I am not able to succesfully get a response from pinging the device, I am using:
Code: ping 192.168.0.2 -I eth2
I have tried to insert routing data into the routing table, but it still doesn't work
I'm facing a strange networking problem here. I'm running Debian Lenny in an OpenVZ container and my network setup is as follows:
link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
[code]...
i want to view my iptables log on web interface, with chart (in option, but this is not my priority).
View 1 Replies View RelatedI have a server with 14 IP's on eth0. I'm using virtual interfaces to handle the IP's, but the iptables don't seem to work on the virtual interface. It blocks ports that I want open. I'm not that great with iptables, I use what I have because it works for me, but as far as tweaking it, I'm pretty lost.
My iptables:
# Simple Firewall configuration
#
# Set default policies --------
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
#
# Internal Networks -----------
#-A INPUT -s <private.class.C>/24 -d <private.class.C>/24 -i eth1 -j ACCEPT
#
# Loopback --------------------
-A INPUT -s 0/0 -d 0/0 -i lo -j ACCEPT
#
# Accept established connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Services --------------------
#
# For SSH gateway
-A INPUT -p tcp -s 0/0 -d 0/0 --dport 22 -m state --state NEW -j ACCEPT
#
# For SMTP gateway
-A INPUT -p tcp -s 0/0 -d 0/0 --dport 25 -m state --state NEW -j ACCEPT
#
# For FTP server
-A INPUT -p tcp -s 0/0 -d 0/0 --dport 20 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -s 0/0 -d 0/0 --dport 21 -m state --state NEW -j ACCEPT
-A INPUT -p udp -s 0/0 -d 0/0 --dport 53 -m state --state NEW -j ACCEPT
#
# HTTP services
-A INPUT -p tcp -s 0/0 -d 0/0 --dport 80 -m state --state NEW -j ACCEPT
#
# HTTPS services
-A INPUT -p tcp -s 0/0 -d 0/0 --dport 443 -m state --state NEW -j ACCEPT
#
# POP-3 services
#-A INPUT -p tcp -s 0/0 -d 0/0 --dport 110 -m state --state NEW -j ACCEPT
#
# IMAP services
-A INPUT -p tcp -s 0/0 -d 0/0 --dport 143 -m state --state NEW -j ACCEPT
#
#PLESK
#-A INPUT -p tcp -s 0/0 -d 0/0 --dport 8443 -m state --state NEW -j ACCEPT
#
#Games
-A INPUT -p tcp -s 0/0 -d 0/0 --dport 28960 -m state --state NEW -j ACCEPT
-A INPUT -p udp -s 0/0 -d 0/0 --dport 28960 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -s 0/0 -d 0/0 --dport 27666 -m state --state NEW -j ACCEPT
-A INPUT -p udp -s 0/0 -d 0/0 --dport 27666 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -s 0/0 -d 0/0 --dport 28961 -m state --state NEW -j ACCEPT
-A INPUT -p udp -s 0/0 -d 0/0 --dport 28961 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -s 0/0 -d 0/0 --dport 28962 -m state --state NEW -j ACCEPT
-A INPUT -p udp -s 0/0 -d 0/0 --dport 28962 -m state --state NEW -j ACCEPT
-A INPUT -p udp -s 0/0 -d 0/0 --dport 27015 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -s 0/0 -d 0/0 --dport 27015 -m state --state NEW -j ACCEPT
-A INPUT -p udp -s 0/0 -d 0/0 --dport 27016 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -s 0/0 -d 0/0 --dport 27016 -m state --state NEW -j ACCEPT
-A INPUT -p udp -s 0/0 -d 0/0 --dport 27017 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -s 0/0 -d 0/0 --dport 27017 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -s 0/0 -d 0/0 --dport 27020 -m state --state NEW -j ACCEPT
-A INPUT -p udp -s 0/0 -d 0/0 --dport 27020 -m state --state NEW -j ACCEPT
# Disallow fragmented packets
-A INPUT -f -j DROP
#
# Log & Block broadcast packets
-A INPUT -d 255.255.255.255/0.0.0.255 -j LOG
-A INPUT -d 255.255.255.255/0.0.0.255 -j DROP
# Log & Block multicast packets
-A INPUT -d 224.0.0.1 -j LOG
-A INPUT -d 224.0.0.1 -j DROP
#
# Log and drop all other incoming packets
-A INPUT -j LOG
-A INPUT -j DROP
#
COMMIT
I just had an ATT Uverse RG installed. However my Smoothwall router that previously worked fine with the ADSL SpeedStream is no longer accepting an address assignment DHCP ip address from this new gateway. (3800HGV-B)Any thoughts ideas or experience working with this hardware? ATT only supports Windows and Mac
View 2 Replies View RelatedI have a ppp0 entry with post-up options like this
mapping ppp0
map none photon-plus motorola
map timeout: 12
[code]...
i know exactly what i need to do, im just not familiar enough with command line to do it properly.i have 7 computers.the first 4 are connected to a router via wireless at one end of the house. of the last 3 only 1 will be able to access the router via wireless, so it needs to share it's one wireless connection via ethernet. this computer i'm going to call 'server'server will have two IP'swlan0 192.168.1.6 this connects to the router that has internet access.eth0 i intend to have the following settingsip:192.168.0.1sub: 255.255.0eth0 will connect to a second router, where the cat5 cable goes from the server, into the internet port of the router where i will define the router's static IP:IP: 192.168.0.100sub: 255.255.255.0gateway 192.168.0.1i have then set the router IP for LAN handling as 192.168.27.1 and all ethernet connections will have a 192.168.27.x IP.
so i need to know how to, without a gui application, use the terminal to assign server eth0 a proper IP address, and tell the server to take the connection it has and share it through eth0 to supply internet for the last 2 computers via ethernet.i had it set up in this way with a windows machine being the one that had the wifi access, but i'd rather have it setup for the ubuntu server to do this task. security is imperative for these 3 remaining machines, so just getting 2 more wifi adapters for a connection to the initial router isn't an option.the 2 that connect to server do so through SSH and though server IS connected via wireless it only makes outward connections through
I have a network routing problem that I need to fix using a PC with ubuntu installed.
Here are the details of my problem:
- I have two networks.
- The first network is an ADSL router with subnet 192.168.1.x. I do not have access to the router nor change any of its configuration.
- The second network has a subnet 172.26.x.x and connect via a wireless access point. Some of the devices connected to the network require to have static IPs.
- I have a PC with ubuntu installed and two ethernet cards: one connected to the first network and the other connected to the access point.
- I need to share the internet connection between the two networks using ubuntu. I already tried before on windows and the sharing worked when both networks were configured to use the same subnet. Once I changed the subnet of the second network, internet sharing stopped working.
My Laptop is connected to 2 different network (Wireless "gateway 10.170.8.1" ;cable wired "gateway 192.168.1.1")the gateway 192.168.1.1 is the default i want all application like firefox that connect via http and https port 80 and 443 to use the gateway 10.170.8.1)
else to use the default gateway
I've got an Ubuntu web server running 9.04 & Apache2. Ive got 2 NICs, one with an internal address for the LAN and one with and external address for the WAN to host the websites. My IP configuration is as follows (/etc/network/interfaces):
# The loopback network interface
auto lo eth0 eth1
iface lo inet loopback
# The primary network interface (WAN)
iface eth0 inet static
[Code]...
When i do a traceroute from a LAN PC and it makes it all the way to the router and then just stops. I'm probably missing something very simple, its been probably 10 years since i took a class in this.
I need to be able to do the following: Physical Router located at 192.168.40.1
On Ubuntu 10.04 Lucid machine:
eth0 with static ip 192.168.40.2
eth1 with static ip 192.168.40.3
eth2 with static ip 192.168.40.4
Associate a virtual address to eth1 with an entirely different network address such as 192.168.50.1 Do the same (virtual address) for eth2 -- e.g. 192.168.60.1 In the application:
register phone number A at 192.168.40.1 (The application will automatically use eth0 for this)
register phone number B at 192.168.50.1
register phone number C at 192.168.60.1
Somehow forward all traffic (including the register request) sent to 192.168.50.1 to 192.168.40.1 as if the register had been made directly to 192.168.40.1. In other words, the app "sends" registration and traffic to 192.168.50.1 but then Ubuntu forwards it to 192.168.40.1 (but the app does not know that). Similarly, forward all traffic sent to 192.168.60.1 to the router at 192.168.40.1.
Do the same for the reverse, forward all traffic that the router sends back to 192.168.40.3 (eth1) to 192.168.50.1 (within the Ubuntu machine) so that the app knows it is for phone B. Similarly forward all traffic that the router sends back to 192.168.40.4 (eth2) to 192.168.60.1 so that the app knows it is for phone C. Thus, the application believes that it is registering at 3 completely separate routers on 3 completely separate networks via 3 separate network interfaces but in fact is really registering all three to the same router (but does not know that). Similarly, the router believes that it is receiving 3 separate registrations because it receives each registration request and traffic from 3 separate interfaces and thus 3 separate mac addresses (i.e., of eth0, eth1, and eth2). Traffic sent to and from the router for each of the 3 phone numbers (via eth0, eth1, and eth2) are not mixed because the translation happens in both directions.
How can I find the IP of a router wirelessly so I can use the second router for a better signal? (A farther reaching wireless card is what im trying to make it do)
also how can I find the subnetmask this way?
I have a server that has two NIC cards installed eth0 and eth1 we use a linksys router (192.168.2.1) which runs DNS for our LAN. I have installed Squid on the server which runs Ubuntu server (8.04 Hardy) w/ GUI. I can surf the net on the server with google chrome configured to use proxy server localhost:3128...works good. The router is wire directly to eth0. I have my laptop (running Ubuntu Hardy) wired to eth1 and I want to be able to surf the Internet through my server. From my laptop, I can ping 192.168.2.100 which is the IP address assigned to eth1[?] by my router. I assume I need to establish a route from my laptop to my server. I would like to archive this via the CLI and I am not having any luck thus far. If I add static IP addresses to eth1on the server and eth0 on my laptop will this simplify the process? How can I add a route which will allow me access to the Internet via my laptop?
Server:
Code:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.2.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1
169.254.0.0 0.0.0.0 255.255.0.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth1
0.0.0.0 192.168.2.1 0.0.0.0 UG 100 0 0 eth1
0.0.0.0 0.0.0.0 0.0.0.0 U 1000 0 0 eth0
ifconfig eth1 on the server:
Code:
eth1 Link encap:Ethernet HWaddr 00:30:48:85:cc:1b
inet addr:192.168.2.100 Bcast:192.168.2.255 Mask:255.255.255.0
inet6 addr: fe80::230:48ff:fe85:cc1b/64 Scope:Link
Up Broadcast running Multicast MTU:1500 Metric:1
RX packets:7701 errors:0 dropped:0 overruns:0 frame:0
TX packets:7898 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:5572718 (5.3 MB) TX bytes:1506869 (1.4 MB)
Base address:0x9000 Memory:ef400000-ef420000
My setup is...I have a wireless access point using laptop as a gateway. The AP is also connected to a switch as is the laptop. So the laptop has two interfaces one wireless and one wired. A third device is using the AP to connect to a server on the internet. The AP sends the packets to my laptop where they are dropped. I've been looking for a solution to this problem without success. Basically is there a way for my laptop to forward all packets it sees from a certain IP address to whatever destination address they have?To clarify, my laptop is just the gateway of the AP and none of the packets are addressed to it at all, it just picks them up using a sniffer or similar tool.
View 1 Replies View RelatedI have a pc with debian 6 (without GUI) installed on it and want to use it as server at home. It has 2 ethernet nics. Now i want to configure the routing process. Searched internet for a long time found something but couldn't get it work.
View 8 Replies View RelatedWhen setting up an SSH proxy, I know you can configure Firefox to route DNS requests through the proxy. Is this possible from linux directly? I'm trying to use wget through the proxy, including DNS lookups.
View 3 Replies View RelatedI have two subnets which I am interested in connecting.
Some basic network details:
Subnet A:
Subnet B:
I am trying to think of any further relevant details, but that seems to be it to me. If I forgot anything, please tell me.
Ok the question. WHAT do I type? (Explicitly!) And WHERE do I type it? In order to reach ubuntu-01.tec.lan, or ubuntu-02.tec.lan from perpetrator.tec.lan or rapine.tec.lan?
I'm interested in using actuall ROUTES. I can already achieve results similair to this with either a NAT firewall, or with VPN.. but that's not what I am interested in.
From what I have found out so far, I should need something like the following:
On Gateway 1B:
Code:
And on Gateway 1A:
Code:
I'm newbie to Wireless. Currently I try to implement EAP-TLS but firstly I need to get the hardware work, allow Access Point to Route from Wireless to Wire (LAN DNS server).
View 4 Replies View RelatedI am having some trouble setting up routing on my Ubuntu 9.10 Server. I have the GUI installed with Webmin and OpenVPN Heres the setup :
1 NIC - WAN - eth0 - IP: 146.231.x.x SUBNET: 255.255.252.0
1 NIC - LAN - eth1 - IP: 192.168.1.1 SUBNET: 255.255.255.0
1 NIC - ADSL - eth2 - dynamic
What I need to do is the following.
All users are connected to the LAN.
All requests for IP range "146.231.x.x", and "domain.com" need to be routed from LAN (eth1) to WAN (eth0).
All other internet requests need to be routed to ADSL (eth2).
-> I have the masquerading in the linux firewall working for NAT, but all traffic goes to ADSL (eth2).
-> I am using OPEN-VPN over the ADSL also.
-> DHCP and DNS work fine.
I also need all ports opened with the route (from eth1 to eth0)
my local clients connected to the IPv6 internet.
I've already designated a machine to act as the router to the hurricane electric tunnel. I created a he-ipv6 device on it and can ping ipv6.google.com. No problem.
The problem happens when I want clients to use that router. That is, I can't ping ipv6.google.com from other machines on my LAN.
I setup /etc/radvd.conf, which seemed to successfully give out addresses to my clients:
interface eth0
{
AdvSendAdvert on;
prefix MY:HEREFIX::/64
[Code]....
I start the daemon and check that my clients have new ip6 addresses. So far so good. On my router, I do a sysctl -p and see that /proc/sys/net/ipv6/conf/all/forwarding = 1. I haven't touched ip6tables/iptables yet. Both are in a flushed state.
My ipv6 router is actually inside the LAN which gets internet from another machine which has let ipv6 packets through using protocol 41. I figure I don't have to worry about anything else because if my router can ping6 ipv6.google.com, the failure point would be there.
So my clients get ip6 addresses, but can't ping6 the router nor the ipv6.google.com. They do resolve ipv6.google.com however and I checked the traffic on the router over he-ipv6 from ifconfig and RX and TX bytes were changing during the ping.
My router has only one physical device for forwarding, eth0 and the tunnel device he-ipv6. Do I need to add some kind of ip6tables to see a simple ping from my clients?
