Ubuntu Security :: Traffic To Specific Sites Throttled?
Sep 14, 2010
I want to check if traffic to a specific URL is being throttled by a hospital acting as an ISP. A client is having great trouble accessing a hosted web-app from inside the hospital, but access is fine from outside. The hospital IT dept are not interested as the rest of the Internet is fine. I need to trace where the latency is creeping in or where the throttling is happening, if I can do that, the hospital will remove it. Traffic is standard http to a specific URL.
In the past week or so I've noticed some weird network behaviour. I find accessing some sites such as Amazon, Paypal, and Bigstockphoto really slow. Sometimes the page will not load at all. Other sites are fine. The problem sites are not a problem for others on my LAN at home. When I try to open the problem sites, I can see in Firestarter blocked connections coming from 2.1(8/9).xxx.xxx on various ports such as 36007. This only happens for the problem sites. I attached a typical output from firestarter.
This happens with Firfeox or Chrome. Using Ubuntu 10.10
I got to establish an OpenVPN connection between two server and I have dhcpd on the client server which feeds a few SIP phones. All these phones are supposed to the register server through the tunnel.Here is the network structure:
Client CentOS: eth0: 192.168.0.0/24 eth1:192.168.100.0/24 tun0:172.15.0.0/24 DHCPD: feeding above eth1 and all the phones with 192.168.100.0/24
If I ping 172.15.0.1 from the the Client CentOS it works all fine. Everything pings and I can even do SSH. However, the phones which obtain their ip through eth1 on the same server can not reach the 172.15.0.1. I think it's a route issue here. Can you please guide me to the right direction as to how to forward certain traffic through tun0 and leave the rest of the traffic to go through eth0?
I don't want to turn on IPTABLES as this is time consuming for me now and there is VPN setup. It has to do with setting up the routing but I am not sure.
eth0 192.168.2.100 (internal Web, Mail) eth1 192.168.3.100 (Default Gateway nic for clients) eth2 192.168.3.110 (should be default Gateway for all outgoing traffic not belonging to 192.168.2.100 and 192.168.3.100)
They are all on the same machine
i cannot set eth1 or eth2 as default gateway, as outside requests to eth0 would be handled in a false manner (somehow)
is there an easy iptables-rule to say, that outgoing traffic, not belonging to my networks can be redirected to a specific NIC (eth2)?
I am running Debian Squeeze on an old pc (AMD K62-500) which serves as my multiwan router and torrent box. Internet uplink is provided via a dsl line and 2 wireless canopy modules.
Setup has been generally fine except when connecting/downloading as free user from sites like rapidshare, hotfile, filesonic, etc. The problem arises when I am connected to these sites using the wireless uplinks because of the shared public ip. I don't really download that much using direct download methods so I don't really see myself being a premium user from these sites.
If these sites are on a specific ip or ip range, an entry on the static routing table would have been fine but when I tried using ping, a different ip would appear to reply each time.
I wonder if there can be a solution like using iptables where in traffic to and from these sites will only use the NIC connected to the dsl line.
I'm hoping some of the Linux network experts can help me with this problem.
Situation: I have a technology which is a WebLogic JEE application that communicates to an Oracle database. Everything is installed in a single Linux virtual machine running in VirtualBox. Traffic from the JEE application goes via JDBC over TCP to the local running database. What I want to do is test a new database firewall server that wants all traffic destined for the database to flow via another virtual machine running the DB Firewall software.So therefore want I need to do is have DB traffic forced out over one interface only to return on another interface on the same VM listening on a different address.
JEE application running in WebLogic bound to 192.168.111.12 (eth1 a VirtualBox hostonly interface). Makes a request for 10.0.111.12 (eth2 a VirtualBox internal interface) which the database is listening on. Because both IPs are on local interfaces, Linux is going to handle the traffic and not route the 10.x traffic via the 192.x interface.I also have running the database firewall server which has a bridge (br0) between the HostOnly network and the Internal network.Both systems are running Oracle Enterprise Linux R5U4, which is basically the same as RedHat.What I want to do is have the request for 10.0.111.12 forced out via 192.168.111.12, bridged over the br0 connection and back into 10.0.111.12 and to the database. My networking knowledge is pretty good, but i'm stuck right now on the right way to do this. I'm pretty sure it is possible, I just need clear advice.
Reason for setup: Ideally I would build the system with the database on a separate machine so that I can easily route the traffic. Unfortunately we have many VirtualBox based demonstration systems with both the application and database installed on the same VM and therefore the amount of work to migrate these two dual VMs is going to be significant, also many of these VMs are demonstrated from laptops which have limited resources and creating a new database VM reduces overall performance. If I can create a way to force the traffic in this manner off and back onto the same VM via the other VM bridge, it would be fantastic.
I have a linux router with 2 physical ISPs and a VPN tunnel that all my traffic passes through. I would like to setup a rule to redirect all traffic from one internal IP address (10.0.0.x) through the physical link only. My current script is as follows.
Im running a web server on port80, but i want traffic coming from ip 212.333.111.222 on port 80 to be fowarded to port 9020 on the same server that my web server is rinning at that is my sshd port
I need a simple traffic monitor for Linux, that counts the traffic in a specific wireless network because I have volume restrictions on that one.I tried it using the following iptables rule:
[code]...
iptables -m mac -A INPUT -p all --mac-source <mac-address> ! -s 10.0.0.0/8
where <mac-address> is the router's one. 10.0.0.0/8 is the local subnet. What I actually want is something like --routed-through <mac-address>. Also, is there some way to gather iptables's statistics? Or is there maybe another tool that does what I want (reliable)?
Recently I notice that when I'm connected to an vpn server (pptpd) and I'm using it as a default gateway my download and upload speed decreases almost to the half of the usual speed. I made a test using iptables in order to count how much GRE packets are generated (except the real traffic itself) in that way:
Code: iptables -I INPUT -p gre -j ACCEPT iptables -I OUTPUT -p gre -j ACCEPT
iptables -I FORWARD -s 172.16.10.101 -j ACCEPT iptables -I FORWARD -d 172.16.10.101 -j ACCEPT The first 2 rules match all GRE packets between the pptpd server and client, and the next rules - the traffic between the server and the client.
When I turn the counters to zero and begin to generate traffic (to browse, to download etc.) I see that the GRE packets are even more than these in the FORWARD chain.
So, my question is first of all is my test correct and is it true that so much gre traffic is being generated during the browsing (it becames clear that the traffic is double than if the pptpd wasn't used as a gateway) and if yes - can that traffic be reduced?
How do you know if a site is safe to download from ? Have only been using Mint 11 for 3 days after 7 years with windows and the usual safety nets there were the https headings and firewalls blocking stuff but how do you know something is safe in Linux ? In short how do you know it's a trusted site ?
I have a problem with sites or domain blocking by squid proxy server in rehl 5. I have trying lots of time but i'm not succed.pls help me how to block sites or domain in rhel 5.
what rules I need to use to only allow traffic between 2 interfaces (which are part of a linux bridge) using ebtables?
So let's say I have if0, if1, if2. I want if1 to communicate with if0. I also want if2 to be able to communicate with if0. But I don't want if1 and if2 to communicate with each other.
Is there a program that monitors and displays 'who' is on your wireless Internet signal that one may not be aware of? Like, the ability to see when someone that you don't know is accessing your locked wireless?
We use a squid proxy server for all http traffic. Is there any way to configure squid so that all traffic which squid and workstation communicates is SSL and encrypted ?
Where I work we have a lan, it is almost 100% windows machines except for 2 CentOS machines in which some clients connect to, via VPN. (very small network, <50 ip's used)
I would like to know if there is a way to block access from that machines to others in the network. I'm already logging traffic (with IPTraff) to see if they're accessing other machines in the network others than the ones they should connect.
I have Ubuntu 8.04 as virtual host. On this host I have installed VirtualBox virtualization software. I have installed Windows XP as virtual machine and installed HTTP server.I would like temporally disable all network connections to host and virtual machine.So on Ubuntu host I have set firewall settings:
Code: sudo iptables -F (to flush - delete all firewall settings) sudo iptables -P INPUT DROP (to disable all input traffic)
I was reading a magazine article today which was a discussion of internet detective work for tracking down ip addresses which attempt an ssh login to your machine. I have never really paid much attention to network security since I only run a small home network. I have WPA encryption and a firewall on my router. But while reading this article, I remembered that I myself has seen log files in the past that inidicated someone somewhere had attempted to log into my machine (attempts all failed). This had happened a few times, but I never really considered it a threat.
But, the more I read about home computers becoming "zombies" for criminals, I guess I am getting a little paranoid in my old age, particularly since my wife does quite a bit of business on the net with credit cards. I have four computers connected to the net and each other on this network, and would like to be able to easily detect attempted log ins and deal with them quickly.
So my reason for posting is to ask if someone could recommend a novice-friendly application for monitoring traffic to check this intermittently. I have read bodhi.zazen's excellent tutorial on snort, but I it appears to be written for large lan's or web servers and is over-kill for a small home network.
I understand the difference between Reject vs Drop for incoming traffic, but are there any differences between reject and drop for Outbound Traffic? Are there reasons to pick one over the other or are they functionally identical when talking about Outbound traffic?
Last night my old Sony Vaio laptop which connects via wired Ethernet and runs Ubuntu 10.10 started hammering the network out onto the Internet. Fired up Wireshark and found lots of traffic between my machine and 174.129.193.12 which I did a whois on and found belonged to Amazon EC2 Cloud Server. The port on my machine was an unknown 5000+ but the port on the remote system was 443 the port used by https, however no browser was running. Did a search and put together a couple of iptable commands to block this IP address which stopped the traffic. I then used nmap and netstat and found port 3000 open and another connection to IP address 91.189.89.76 which I also blocked. Unusually no info exists on this IP when you do a whois. At first I thought it might be some sort of sync as this machine has Ubuntu One running on it, however it could also be something else.
I'm currently using a homemade Python script to parse script kiddie IP addresses from logfiles.To this point, I've simply been DROPping any requests from these IPs using iptables.I thought it might be fun to redirect their traffic back to them, but as I am not an expert at iptables, I was wondering if I should use FORWARD or PREROUTING.
I get all my traffic from my router, as this computer seldom moves. So is there a use for a firewall?I am not sure, because when I scan my IP address with nmap, no matter what the changes I make in the firewall, it is always the same scan...cannot fingerprint OS...and all closed ports.The all closed ports thing only changes when i torrent, then i get a wide open port.
