I'm having a complicated iptables problem. I'm using a linux poweredge 1750 with 4 ethernet interfaces and 1 wireless interface as a router/firewall/wireless access point.
The Computers on the inside can connect and communicate just fine. The access the outside world and other internal devices with no problems.
DNAT from the outside works just fine for things like ssh, webmin and http. But some protocols and services (ftp with filezilla and runuo) use ports to connect. And then, it is like they hand off the rest of the communication to other seemingly randomly determined ports. And that is when the conversation gets dropped. How do I configure my router to notice these port changes and continue to DNAT the conversation?
I have been trying to achieve something through iptables but something is going wrong. I want connection/packets arriving to a specific computer (let's call it "server") from another specific computer ("client") inside the same network to be automatically redirected to a remote computer in the internet and vice-versa. I tried doing that using iptables with these commands on the "server" PC:
Client which uses an ISP with a Linux machine (Server 1) with two network cards. Eth0 with ip 1.1.1.2 and gateway 1.1.1.1 these ip's is not public ip's and falls unders the isp's internal range, eth1 with the internal ip range. OpenVPN listen on eth0 for incoming connections. We want to connect to Server1 from external networks. Due to different reasons the isp could not get the routing sorted and give us an public ip on his network. We had to setup another bos (Server2) with eth0 2.2.2.5 and gateway 2.2.2.1 which is public ip's and eth1 with ip 3.3.3.5. Server 2 can communicate via the ISP internal network with server 1. I use DNAT to forward all incoming connections on server 2 to server 1 but the problem I have is that server uses its default gateway for the return packages and does not sent the reply back to server 2. My iptables rules looks as follows on server 2.
I'd like to (if it's possible, of course) to redirect the packets originated within a linux box, and I've been tryin' to do it through the OUTPUT chain in nat table:
The policy for the rest is ACCEPT.This redirection didn't work this way. If I do lynx http://192.168.0.74:80 I reach 192.168.0.74 host, so there is no redirection.Could I achieve what I'm needing through with IPTABLES' OUTPUT chain (in nat table)?
I am trying to simply address translate TCP packets from one destination IP to another destination IP (DNAT?) without getting the initial SYN packet. Is this possible? I do not think it is with DNAT since the conntrack needs SYN first.
I have given the command:
The problem is that the first packet that matches this rule will be the SYN-ACK and I suspect it is simply DROPPED.
I am sparing you the gory details of why I would do such a silly thing, but simply put; I need to intercept client-to-server packets through a tunnel, but allow server-to-client packets to follow through the regular network.
I have been working on this for many days w/o success and my learning curve is still steep. I can provide more details as needed.
I'm having problems with NX, it's doing strange things, trying to connect to some IP host in timbuktoo because my DNS provider's DNS sucks AND because NX is looking up the host "localhost" without first consulting my hosts file (which nsswitch explicitly tells it to do). THAT's all beside the point.
To work around this apparent bug in NX I tried creating an iptables rule to redirect traffic destin for a certain IP (10.x.x.x) to localhost (127.0.0.1) with the following rule: iptables -t nat -I PREROUTING -d 10.x.x.x -j DNAT --to 127.0.0.1. After adding the above rule, my attempts to connect to that host continued to get routed right off into the internet where I DIDN't want them to go. Instead of being redirected to the localhost/loopback address.
It seems DNAT to localhost is not supported? A Google search reveals many other people having this issue but blaming it on everything but iptables. I'm proposing that it's not supported, by design or not, to redirect traffic from a NIC to the loopback network?
I'm trying to understand and set up port forwarding with iptables. So far I've read a lengthy tutorial on iptables, and I've Googled for hours, searched this forum, but I've been unable to come up with a solution that works for me.The situation I would like to achieve is the following: on one machine, there is a TCP server running bound to its external IP, port 9999. I would like to let another machine connect to this TCP server on port 9000 by forwarding port 9000 to 9999.All the policies of the iptables chains are set to ACCEPT; and I have set net.ipv4.ip_forward = 1. I have no problems using SNAT/MASQUERADE on the same server machine.I have tried the following:
In order to test this rule, I started a TCP echo server on port 9999. I can connect to it on port 9999, but not on port 9000- this gives me 'connection timed out'. When I do 'iptables -t nat -L -v', I can see that the rule does get matched once per connection attempt.
I recently installed a new Ubuntu PC that runs iptables and PSAD. I had the same script on another Ubuntu PC, but when I copied the script onto the new PC, I got this error. I don't remember where I found the tutorial for this, all I know is that this is the script (Edited for my usage):
Code:
#!/bin/bash # Script to check important ports on remote webserver # Copyright (c) 2009 blogama.org # This script is licensed under GNU GPL version 2.0 or above
root@NETWORK-SERVER:/var/ddosprotect# ./ipblock.sh ' not found.4.4: host/network `127.0.0.1 Try `iptables -h' or 'iptables --help' for more information. ' not found.4.4: host/network `192.168.1.8
I am unable to restore my iptables from iptables-save after upgrading Fedora. I cannot get iptables-restore to work, and I have resorted to entering rules manually using the GUI.
I am facing a strange problem witht my iptables as there are some firewall entries stored somewhere which is displaying the below firewall entries even after flushing the iptables & when I restart the iptables service then the firewall entries are again shown in my iptables as shown below,
IPtables, implementing each type of NAT -Full Cone NAT -Restricted Cone NAT -Port Restricted Cone NAT -Symmetric NAT using IPTables.
Explanation: Full Cone: A full cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Furthermore, any external host can send a packet to the internal host, by sending a packet to the mapped external address.
Restricted Cone: A restricted cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Unlike a full cone NAT, an external host (with IP address X) can send a packet to the internal host only if the internal host had previously sent a packet to IP address X.
Port Restricted Cone: A port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers. Specifically, an external host can send a packet, with source IP address X and source port P, to the internal host only if the internal host had previously sent a packet to IP address X and port P.
Symmetric: A symmetric NAT is one where all requests from the same internal IP address and port, to a specific destination IP address and port, are mapped to the same external IP address and port. If the same host sends a packet with the same source address and port, but to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host.
On the netfilter mailinglist, Pedro Goncalves suggested the following: 192.168.2.170 is "public" address and 10.0.0.1 is "private" address
/-"Full Cone NAT", with the following rules:/
HTML Code: iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.2.170 iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 10.0.0.1
/-"Port Restricted Cone NAT", with just a single rule:/
HTML Code: iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.2.170
i have a question regarding iptables.i have a server running ubuntu server 10.04 with 2 nic's, i want to use it to filter the internet trafic of the people in my network ussing dansguardian and squid. they both work fine.the only problem is how to get iptables to deal with this the right way.
i'm having a weird issue on 10.04. I have a bash script I wrote to drop incoming connections that are faster than a specified rate (6 per second in the example). I've been using the script successfully on 8.04LTS and CentOS for 2-3 year but it doesnt seem to work on 10.04
Code: INTERVAL="2" HITCOUNT="6" iptables -A INPUT -d 123.123.123.123 -m state --state NEW -m recent --set iptables -A INPUT -d 123.123.123.123 -m state --state NEW -m recent --update --seconds $INTERVAL --hitcount $HITCOUNT -j DROP
I'm using a Ubuntu Server sharing the internet connection to my network. Currently I have two WANs. A DSL connection connected to eth1 (configured as ppp0) and a cable connection plugged into eth2. And only eth1 is being shared over eth0 (the local network). What I want to do:
- Some services I want to go only by the secondary WAN (eth2). On that case, forward specific ports to it.
- Failover. If ppp0 fails, goes to eth2.
- Some IPs from our internal network will ALWAYS use internet via eth2.
Is it possible to do using Ubuntu/IPTables? I already did it before using pfSense, but don't know even how to start doing it on Ubuntu.
To expand: I'm trying to set up a box with l7-filter, and I need to patch and compile iptables 1.4.1.1 as part of the process. I ./configured it with the prefix= argument so it would install into /sbin instead of /usr/sbin, and I did a yum remove iptables before installing it so as not to get in the way of the original iptables, but I'm wondering if this is really necessary - it's kind of annoying, because removing the original iptables removes the init.d script, deregisters the service, etc. If I don't, is it possible that iptables 1.4.1.1 might get overwritten in a system update or something, or will yum see that I've got a custom/newer version in there and leave it be?
I am establishing a VPN connection with a Cisco VPN server, but only want outgoing connections to a certain set of IP addresses to actually go through the VPN. I tried something like this:
Code: sudo iptables -A OUTPUT -t mangle -p tcp -d 111.222.0.0/16 -j ROUTE --oif tun0 but keep getting
I would like to set up a logging system for rtorrent, the only way that i could think of this would be to set up bandwidth moniters in the ip tables but im not sure how to go around this.
I have set up OpenVPN for my connection. I'm using this to connect to the internet from different locations using tunnelling.
Right now I have a few IP's : on eth0 I have IP from my ISP, on eth0:1 I have my own IP.I set up MASQUERADE to eth0 - but in this case when I try to access my restricted resources IP address from ISP is visible. What I want is to use my own IP address from eth0:1 - could somebody help me to build good working redirect entry for that? I want to redirect all connections to that IP assigned on eth0:1... - just to access Internet using my IP.
We are stuck big time with IP forwarding where we have to use IP tables. Any advice will be appreciated.
Setup Machine A --> Machine B -->Machine C
- Machine A connects with Machine B on "internal network" - Machine B has 2 NIC (and two IP address) , one connected to Machine A (internal network) and one connected to Machine C (External Network)
We need all traffic coming from Machine A which flows to Machine B on port 60 to be directed/forwaded to Machine C (port 60). Not allowed to configure Machine B as a gateway . Things work with rinetd program when we do a tcp redirect from Machine B port 60 to Machine C (port 60).
But just unable to make it work with IP tables rules. We tried following,but in vain
I have 2 Linux boxes one acting as a router with a direct connection to the internet, second as a server using the first box as a gateway to the internet. I need to forward requests that I get from the outside to port 8400 to my internal server box at 192.168.0.7:8400
Router IP 192.168.0.5 Server IP 192.168.0.7 iptables -t nat -A PREROUTING -p tcp -d [internet ip] --dport 8400 -j DNAT
[code]...
These rules are on the router (192.168.0.5) I've been trying to find a solution for hours with no success. Basically the problem is I can forward ports on the same box but not to a different ip.
iptables -A INPUT -p udp --dport -j ACCEPT iptables -A INPUT -p tcp --dport -j ACCEPT iptables -A FORWARD -p udp --dport -j ACCEPT iptables -A FORWARD -p tcp --dport -j ACCEPT
and the rules are placed in iptables, i can see them when I do iptables -L. But when I do netstat -an | grep 161 I can see that port 161 (SNMP) is not listening. Why?
