Ubuntu Networking :: Iptables Do Not Work The Way It Should On 10.04?
Aug 14, 2010
i'm having a weird issue on 10.04. I have a bash script I wrote to drop incoming connections that are faster than a specified rate (6 per second in the example). I've been using the script successfully on 8.04LTS and CentOS for 2-3 year but it doesnt seem to work on 10.04
Code:
INTERVAL="2"
HITCOUNT="6"
iptables -A INPUT -d 123.123.123.123 -m state --state NEW -m recent --set
iptables -A INPUT -d 123.123.123.123 -m state --state NEW -m recent --update --seconds $INTERVAL --hitcount $HITCOUNT -j DROP
iptables -A FORWARD -p udp -m length --length 39 -m u32 --u32 '27&0x8f=7' --u32 '31=0x527c4833' -j DROP iptables: No chain/target/match by that name.
So I re-compiled the kernel enabling WAN Router, and all the subsections. Downloaded latest iptables, removed the RPM one, installed the iptables from source.. Guess what, same error!
PS: iptables -m u32 -h works, it displays a page of info.
I've been beating myself over the head with iptables and CANNOT get port forwarding to work. Here's my situation: Static LAN IP on eth0 Static internet IP on eth1 ip_forward is turned on by uncommenting in sysctl.conf Here's the output of iptables-save:
Code: # Generated by iptables-save v1.4.4 on Tue Mar 8 10:34:12 2011 *nat :PREROUTING ACCEPT [2443:347058]
[Code]...
Edit: by the way, the intended purpose of this machine is to server as a gateway and firewall. MASQUERADE is working, for whatever that is worth. And the host behind the firewall that is serving up http is definitely working too. All that is not working is getting hosts on the internet talking to hosts behind the firewall.
my problem is following: I'm running a bridged OpenVPN on my Debian. If the service is running, everything works fine: local and Internet, ftp, mailing from in and outside etc. But, when stopping OpenVPN, sending mails from inside (LAN) fails: I cannot reach smtp (postfix) listening on port 465. And even reaching mailboxes using IMAP gets horribly slow eg. in Thunderbird. Here is my firewall.sh script.
Quote:
#!/bin/sh echo " IPTABLES FIREWALL inicializalasa - szures" # Enter the designation for the Internal Interface's INTIF="eth0"
I am using putty in my windows machine to access my Linux server terminal.
Code:
Putty works fine if I disable my Linux IPTABLES. My Windows machine IP is 192.168.1.249 Linux server IP address is 192.168.1.200 I don't know how to allow it through IPTABLES.The port which putty is using is 22.
I'm trying to build a firewall with IPTables: INTERNET <--------> (eth0) FIREWALL (eth1) <------------->FTP_srvI set all rules DROP by default.My rules for forwarding packet to FTP server:
I setup squid with transparent proxy and its working, however, when I reboot the server, the proxy server doesnt work unless I run the following.
Code: # squid server IP SQUID_SERVER="192.168.1.1" # Interface connected to Internet INTERNET="eth0" # Interface connected to LAN LAN_IN="eth1" # Squid port SQUID_PORT="3128" [Code]...
Everything works except on Fedora port 110 cannot be opened no matter how hard we try, we run REH (Redhat Linux) on a colocated server, now we run Fedora in a cloud
I have 2 different networks: the first one is gateway machine (eth0), and the second is a private machine (eth1). So, I've configured the iptables and forwarding stuff and when I try to ping [URL]... on the gateway machine, it works, while it doesn't work on the private network.
I have 2 different networks: the first one is gateway machine (eth0), and the second is a private machine (eth1). So, I've configured the iptables and forwarding stuff and when I try to ping google.com on the gateway machine, it works, while it doesn't work on the private network. Note: I am using VmWare 7. I need your quick assistance about this issue.
I use iptables firewall (v1.4.1) installed on FC8. I'm trying to limit the inflow traffic for the port 1723 to certain MAC addresses. To experiment with the mac option, I've written the following iptables rule:
Quote:
iptables -A INPUT -m -mac --mac-source 10:08:08:08:08:10 -j ACCEPT
It didn't work. It gave me this error message:
Quote:
iptables v1.4.1: Couldn't load match `-mac':/usr/local/libexec/xtables/libipt_-mac.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information. Does that mean the mac module wasn't installed/enabled?
I recently installed a new Ubuntu PC that runs iptables and PSAD. I had the same script on another Ubuntu PC, but when I copied the script onto the new PC, I got this error. I don't remember where I found the tutorial for this, all I know is that this is the script (Edited for my usage):
Code:
#!/bin/bash # Script to check important ports on remote webserver # Copyright (c) 2009 blogama.org # This script is licensed under GNU GPL version 2.0 or above
root@NETWORK-SERVER:/var/ddosprotect# ./ipblock.sh ' not found.4.4: host/network `127.0.0.1 Try `iptables -h' or 'iptables --help' for more information. ' not found.4.4: host/network `192.168.1.8
I am unable to restore my iptables from iptables-save after upgrading Fedora. I cannot get iptables-restore to work, and I have resorted to entering rules manually using the GUI.
I am facing a strange problem witht my iptables as there are some firewall entries stored somewhere which is displaying the below firewall entries even after flushing the iptables & when I restart the iptables service then the firewall entries are again shown in my iptables as shown below,
IPtables, implementing each type of NAT -Full Cone NAT -Restricted Cone NAT -Port Restricted Cone NAT -Symmetric NAT using IPTables.
Explanation: Full Cone: A full cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Furthermore, any external host can send a packet to the internal host, by sending a packet to the mapped external address.
Restricted Cone: A restricted cone NAT is one where all requests from the same internal IP address and port are mapped to the same external IP address and port. Unlike a full cone NAT, an external host (with IP address X) can send a packet to the internal host only if the internal host had previously sent a packet to IP address X.
Port Restricted Cone: A port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers. Specifically, an external host can send a packet, with source IP address X and source port P, to the internal host only if the internal host had previously sent a packet to IP address X and port P.
Symmetric: A symmetric NAT is one where all requests from the same internal IP address and port, to a specific destination IP address and port, are mapped to the same external IP address and port. If the same host sends a packet with the same source address and port, but to a different destination, a different mapping is used. Furthermore, only the external host that receives a packet can send a UDP packet back to the internal host.
On the netfilter mailinglist, Pedro Goncalves suggested the following: 192.168.2.170 is "public" address and 10.0.0.1 is "private" address
/-"Full Cone NAT", with the following rules:/
HTML Code: iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.2.170 iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 10.0.0.1
/-"Port Restricted Cone NAT", with just a single rule:/
HTML Code: iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.2.170
i have a question regarding iptables.i have a server running ubuntu server 10.04 with 2 nic's, i want to use it to filter the internet trafic of the people in my network ussing dansguardian and squid. they both work fine.the only problem is how to get iptables to deal with this the right way.
I'm having a complicated iptables problem. I'm using a linux poweredge 1750 with 4 ethernet interfaces and 1 wireless interface as a router/firewall/wireless access point.
The Computers on the inside can connect and communicate just fine. The access the outside world and other internal devices with no problems.
DNAT from the outside works just fine for things like ssh, webmin and http. But some protocols and services (ftp with filezilla and runuo) use ports to connect. And then, it is like they hand off the rest of the communication to other seemingly randomly determined ports. And that is when the conversation gets dropped. How do I configure my router to notice these port changes and continue to DNAT the conversation?
I'm using a Ubuntu Server sharing the internet connection to my network. Currently I have two WANs. A DSL connection connected to eth1 (configured as ppp0) and a cable connection plugged into eth2. And only eth1 is being shared over eth0 (the local network). What I want to do:
- Some services I want to go only by the secondary WAN (eth2). On that case, forward specific ports to it.
- Failover. If ppp0 fails, goes to eth2.
- Some IPs from our internal network will ALWAYS use internet via eth2.
Is it possible to do using Ubuntu/IPTables? I already did it before using pfSense, but don't know even how to start doing it on Ubuntu.
To expand: I'm trying to set up a box with l7-filter, and I need to patch and compile iptables 1.4.1.1 as part of the process. I ./configured it with the prefix= argument so it would install into /sbin instead of /usr/sbin, and I did a yum remove iptables before installing it so as not to get in the way of the original iptables, but I'm wondering if this is really necessary - it's kind of annoying, because removing the original iptables removes the init.d script, deregisters the service, etc. If I don't, is it possible that iptables 1.4.1.1 might get overwritten in a system update or something, or will yum see that I've got a custom/newer version in there and leave it be?
I am establishing a VPN connection with a Cisco VPN server, but only want outgoing connections to a certain set of IP addresses to actually go through the VPN. I tried something like this:
Code: sudo iptables -A OUTPUT -t mangle -p tcp -d 111.222.0.0/16 -j ROUTE --oif tun0 but keep getting
I would like to set up a logging system for rtorrent, the only way that i could think of this would be to set up bandwidth moniters in the ip tables but im not sure how to go around this.
I have set up OpenVPN for my connection. I'm using this to connect to the internet from different locations using tunnelling.
Right now I have a few IP's : on eth0 I have IP from my ISP, on eth0:1 I have my own IP.I set up MASQUERADE to eth0 - but in this case when I try to access my restricted resources IP address from ISP is visible. What I want is to use my own IP address from eth0:1 - could somebody help me to build good working redirect entry for that? I want to redirect all connections to that IP assigned on eth0:1... - just to access Internet using my IP.
