Ubuntu Security :: Modify The Iptables Rules In Any Way?
Jul 9, 2011what do the following two commands do? Do they modify the iptables rules in any way?
sudo /sbin/iptables -L -n
sudo /sbin/ip6tables -L -n
ADVERTISEMENT
Security :: Programming Iptables Rules For 1:1 NAT?
Sep 16, 2010I am trying to program iptable rules for implementing a 1:1 NAT which does the following:
1. Forward all traffic from all ports on a public ip to a private ip
2. Forward traffic from a range of ports (x-->y) on a public ip, to a private ip
I did some google searches for the same, and came up with the following.
iptables -A FORWARD -t filter -o eth0 -m state
state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state
state ESTABLISHED,RELATED -j ACCEPT
Security :: What Are Strong Iptables Rules?
Mar 31, 2011Can someone please let me know strong iptables rules? Below entries are in iptables file.Here Y.Y.Y.Y is another branch public IP.This server acts as gateway+squid server.Further it will serve company's intranet page also using httpd.OS is CentOS 5.0.
View 1 Replies View RelatedSecurity :: Setting Iptables Rules
Jan 27, 2011I am setting my firewall rules using the command iptables.My question is i wanna know what command i can use that list rule 2 and 3 for instance in my table?i want to create rule that: The host is administered using SSH, scp and sftp so allow incoming SSH traffic and securing remote file copying and transferring.
View 2 Replies View RelatedFedora Security :: How Iptables Knows At What Interfaces To Use Rules
May 3, 2009When I use system-config-firewall, it asks what interfaces to trust. Where does it store that information for iptables (or whatever uses that info)? How iptables knows at what interfaces to use the rules?There is not that kind of information in /etc/sysconf/iptables and iptables-config.
View 2 Replies View RelatedNetworking :: Verifying Iptables Rules For Security?
Mar 10, 2011I need with some iptables rules. I've done all I can, Googling all over, to cover as many exploits as possible and the following script is what I've come up with. The current set up works and I've checked with NMAP. I just need some sort of confirmation that this is pretty much what I can do.
Code:
LAN="eth0 eth1"
RANGE=10.1.0.0/17
WAN=eth2
# Delete all existing rules
[code]....
Also, if I wanted a broadcast to be relayed to all subnets within a defined range, how would such a iptables rule look like? I need this in order to find a networked Canon MP640 printer.
Security :: IPTables Rules And Output Filters
Aug 25, 2010I put together the following filter set :
Code:
#!/bin/sh
#To understand this script, reference the No Starch Press Linux Firewalls Book.
MODPROBE=/sbin/modprobe
IPT=/sbin/iptables
IPTSV=/sbin/iptables-save
IPT6=/sbin/ip6tables
IPT6SV=/sbin/ip6tables-save
### flush / drop policy sets
echo "[+] Flushing existing rules with DEFAULT of DROP [+]"
echo "[+] IPv4 [+]"
$IPT -F
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
echo "[+] IPv6 [+]"
$IPT6 -F
$IPT6 -F -t nat
$IPT6 -X
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT DROP
$IPT6 -P FORWARD DROP .....
###OUTPUT rules: LOG rule
$IPT -A OUTPUT -o ! lo -j LOG --log-prefix "DROPED OUTBOUND" --log-ip-options --log-tcp-options
I wanted to know how to allow certain applications through the outbound tables. For example, I wish to be able to use tools such as nmap,tracepath, and traceroute. However, I am not sure where to look to understand the ports to open. I was starting to think that maybe rather than ports to open it would need to be somehthing like tcp flags that would ned to be allowed. Any way, I have tried google and am still haing problems. I started wanting to use these tools due to getting ready for my network+ and security+ certs.
Security :: IPTABLES Apply Certain Rules To Certain Mac Addresses
Jul 11, 2010so the firewall rules I am currently using are displayed below.
Code:
# DROP ALL FORWARDED PACKETS
iptables -P FORWARD DROP # DROP ALL PACKETS
# ALLOW DHCP THROUGH THE FIREWALL
[code]....
Security :: IPTABLES Auto Expire Rules
Jul 19, 2010I have been trying to figure out how to makes rules in iptables that expire after a certain amount of time. From what I have found online you want to use the recent module with --rcheck and --seconds. I have found a few examples and have given them a shot but I can't seem to get it right. Would anyone mind posting an example of a rule that will auto expire?
View 3 Replies View RelatedSecurity :: IPTABLES Rules Using Ipt_mac Module?
Feb 20, 2010I've configured squid proxy server in a P4 desktop. I've 50 users in my network. I installed RHEL 4.4 (2.6.9-42 kernel) and the iptables version is 1.2.11-3.1. I've 2 NICs installed in the system. eth0 (192.168.100.99) for local lan and eth1 (192.168.1.2) for outgoing to internet. I've connected DSL broadband modem to eth1 (default ip of DSL modem is 192.168.1.1). All the clients except few has been forced to go through squid by user authentication to access internet. Those clients which were kept away from proxy are 192.168.100.253, 192.168.100.97, 192.168.100.95 and 192.168.100.165. Everything works fine but from last week I observed that one of some notorious user use the direct IPs (192.168.100.97 or 192.168.100.95) in the absense of the owner of these IPs to gain access to internet as we applied download/upload restrictions in squid.
I want to filter the packets of source hosts using MAC address in PREROUTING chain. I read somewhere that IPT_MAC module must be installed to make this happen. So that those notorious users can not change their ips to gain direct access to internet.
Below are the contents of my iptables file (I've ommited few entries for safty purpose).
# Generated by iptables-save v1.2.11 on Wed Nov 25 16:35:57 2009
*filter
:INPUT ACCEPT [14274:3846787]
:FORWARD ACCEPT [4460:1241297]
:OUTPUT ACCEPT [16825:4872475]
code....
Security :: Regional IP Blocks For IPtables Rules?
Aug 23, 2010I was wondering if there is a way to find out IP blocks based on a given region. I know there are IP Lookups that will tell you what Country and possibly City a given IP is from. What I want is the following:
- I would like to set up a IPTABLES rule that implements something like:
=> ALLOW VPN connections FROM THIS ISP/IP BLOCKS THAT ARE IN CITY XYZ
Basically, I want to limit my incoming VPN connections FROM my ISP in the surrounding area. So, for example, I can go to my friends house who also has the same ISP. I should be able to connect from his home to mine because we have 1) same ISP 2) IP blocks is confined to a particular local location.
Ubuntu Security :: Automatically Load Some Iptables Rules By Adding The Script ?
Jun 11, 2010I'm trying to automatically load some iptables rules by adding the below script in the /etc/network/if-up.d directory:
Code:
#!/bin/sh
IPTABLES=/sbin/iptables[code]...............
Ubuntu Security :: IPTables - Setting Default Rules To All Chains As DROP
Jun 30, 2010I've read the instruction about setting up the iptables rules to filter all port except HTTP, SSH, FTP. I require first remove all default iptables rules and set default rules to all chains as DROP:
# Set default-deny policies for all three default chains
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
Then allow only some ports:
#Accept inbound packets that are part of previously-OK'ed sessions
$IPTABLES -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
# Accept inbound packets which initiate SSH sessions
$IPTABLES -A INPUT -p tcp -j ACCEPT --dport 22 -m state --state NEW
# Accept inbound packets which initiate FTP sessions
$IPTABLES -A INPUT -p tcp -j ACCEPT --dport 21 -m state --state NEW
# Accept inbound packets which initiate HTTP sessions
$IPTABLES -A INPUT -p tcp -j ACCEPT --dport 80 -m state --state NEW
# Log anything not accepted above $IPTABLES -A INPUT -j LOG --log-prefix "Dropped by default:"
But I hired a VPS from other country so the only mean I can manage it is via SSH. If I setup the default rule to DROP first, I afraid that I can no longer connect via SSH to tell iptables allow SSH
So my question is:
- Does the IP tables take effect immediately after I input a rule?
- Is there any mean to run this as a batch job (create a script and run all these rules one time).
- My VPS has a web control panel which have a terminal via web. Is this a native terminal or just a connection via port 80 or 22?
Security :: How To Write Iptables Rules To Control Drop All Connection
Feb 23, 2010I have setup my linux fedora server and i want to restrict access to my server.Basically i control using iptables.I'm not sure how to write an iptables rules to control drop all connection to port 8080 and allow only certain ip can access the instance on port 8080 example ip=10.254.14.16,192.168.1.10.
View 3 Replies View RelatedSecurity :: Correct/safe Iptables Rules For Redirecting Port 80 To 8080?
Jul 13, 2010I am setting up tomcat server on my Centos 5.5 machine. I've been advised to run tomcat on 8080 as non root user and redirect traffic to it from port 80.
I searched and found the following iptables commands for this:# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT -to-ports 8080
# iptables -I INPUT -p tcp --dport 8080 -j ACCEPTI have a doubt:
Tomcat is not accessible via port 80 without the second command. But the second command opens 8080 and makes it accessible over the internet (tomcat is accesible via both: www.<website>.com and http://<ip address>:8080). This doesn't seem right. Is there some simple (iptables) way to redirect traffic "internally" from port 80 to 8080 without having to open 8080 to the internet.
Security :: IPTables Layered Chains - Create Rules For Certain Services Like Xmpp / Web
Jan 16, 2010I want to simplify some of my rules, so I want to create rules for certain services like xmpp, web, etc. since some of them use multiple ports, and I toggle them on/off a lot. Can I simply put the jump to rule clauses in the Input chain, and once the sub chains run, does it return to the input chain after the jump to rule clause? I want to do this so I don't have a ton of rules in the input chain. I think that if I simply make a list of all the rules to jump to in the input chain, it will work itself through all of them until it finds a matching filter in one of them correct?
View 9 Replies View RelatedUbuntu Servers :: Setup Iptables Rules In /etc/if-up.d/iptables?
Apr 16, 2011I am running Ubuntu server 10.10 and trying to setup iptables rules in /etc/if-up.d/iptables
Quote:
root@host# cat /etc/network/if-up.d/iptables
#!/bin/sh -e
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Problem is that iptables doesn't get updated and I don't see them when iptables -L is executed after reboot.
Fedora :: IPtables Creates An Error During Startup - Applying Firewall Rules: Iptables-restore: Line 21 Failed
Jul 17, 2010IPtables creates an error during startup as well as when I try to restart it: Here's the output of:
[Code]....
Networking :: Can't APPLY Iptables Rules
May 22, 2011I added a few rules to my /etc/iptables.rules file and then used sudo iptables-restore < /etc/iptables.rules but i got an error saying "iptables-restore: line 29 failed".But the only word on that line.
View 1 Replies View RelatedUbuntu Servers :: Iptables Rules Loading On Boot?
Jun 22, 2010I have a clean install of Ubuntu server Lucid Lynx with the virt-host task installed. I need to find the location of the iptables rules that are being loaded when the system boots. These are the rules for the virbr0 interface.
View 1 Replies View RelatedUbuntu Networking :: Rebuild Ufw Rules After Flushing Iptables?
Jul 20, 2010How do I get ufw to refresh firewall rules after accidentally running iptables -F
View 3 Replies View RelatedUbuntu Servers :: Ufw And Safe To Use Iptables Only For ICMP Rules?
Aug 5, 2010In Lucid I have some ufw rules but I figured that I need to limit the ICMP messages that the box responds to and also limit their number. There are iptables rules to accomplish this but since I already have ufw rules it is safe to use iptables only for ICMP rules ?
View 4 Replies View RelatedUbuntu Security :: Snort Not Starting - ERROR: "/etc/snort/rules/exploit.rules(264) => 'fast_pattern' Does Not Take An Argument"
May 12, 2011I need assistance with my Snort Installation. I used Bodhi Zazen's Network Intrusion Detection System post and found it easier than the previous time I had done it. I am currently running Ubuntu 10.04 server and Snort 2.8.6.1 with BASE 1.4.5. I followed Bodhi Zazen's instructions and when I tested snort it ended with a Fatal Error due to ERROR: /etc/snort/rules/exploit.rules(264) => 'fast_pattern' does not take an argument
Fatal Error, Quitting.. Here is the entire output once I ran the test command: snort -c /etc/snort/snort.con -T Running in Test mode
[Code]...
Networking :: Firewall Installed Using IPtables - NAT Rules?
Apr 7, 2010I just install 1 firewall using Iptables.
Firewall includes 2 NIC:
NIC1 <IP PUBLIC>
NIC2 192.168.10.1
I installed 1 web server IP: 192.168.10.2
I have some PC IP range: 192.168.10.10->20
I set rules NAT on firewall and PC & web server can connect internet good, but I have problems:
When PC access to web server with IP 192.168.10.2 that ok, but PC can't access to web server when using IP Public. But outside internet, I can access to web server using IP Public.
Rules on IPTables
Code:
# Generated by iptables-save v1.3.5 on Sun Mar 7 21:01:16 2010
*nat
:PREROUTING ACCEPT [950:126970]
:POSTROUTING ACCEPT [89:5880]
:OUTPUT ACCEPT [19:1342]
-A PREROUTING -d 209.99.242.124 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.2:80
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j SNAT --to-source 209.99.242.124
*filter
:INPUT DROP [1599:157409]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [232:34452]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.168.10.2 -p tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
COMMIT
Debian Configuration :: Lenny Not Loading Iptables Rules
Dec 30, 2010I'm having some trouble with the configuration of the iptables. I want to setup a network server to serve as Fail Over (for my 2 ISPs), DHCP and DNS. I have 3 network cards, 2 connected to ISP's routers and 1 that serves as UPLINK for my switch.
I want to add some Iptables rules so I can achieve what I want to do. The problem is that the rules I try to use, they have to effect.... they don't load, here are the rules I am trying to add:
#iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
#iptables --table nat --append POSTROUTING --out-interface eth2 -j MASQUERADE
#iptables --table nat --append POSTROUTING --out-interface eth2 -j SNAT --to EXTIP
When I try to check to see if it loads, with the command:
#iptables -L
It returns empty
Fedora Networking :: IPtables Rejects Rules Upon First Boot
Jan 25, 2010I am trying solve a strange problem which ocurred after upgrading many packages including kernel and iptables.This is a Fedora 10 PC acting as a small home-server I've been using over a year without problems. Recently, I've run a yum upgrade and after that, connections outside home wouldn't work. No changes in IPtables (firewall) rules have been done. But connection through local network is working.Symptom is.I've connected to my second PC at home and connected to the server. It works fine on local network. I restart network services (service network restart) and outside connections could be established.I have disabled iptables and ip6tables and after reboots it works fine. But PC is running without firewall.
View 5 Replies View RelatedOpenSUSE Network :: Make The Iptables Rules Permanent?
Apr 23, 2010I set up a squid transparent proxy and I have a problem with an iptable rules. I have a rule to redirect all request to port 80 to go on port 3128. To do so, I'm using this iptables command :
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
This command is working like a charm. The only problem is, for some unknown reasons, this rule will be dropped at some point. I did not manage to identify what is causing this to happen. It occurs during night, but I have nothing about that in my log files. messages / firewall / ...) The only way I managed to reproduce this 'dropping' is this one: I type the command like as root. The command is effective and working fine. I open yast, I go to the firewall module, the I do a simple "save changes and restart firewall" (without changing anything). As soon as this process is finished, the iptables rule is gone.
-How can I make this rule permanent ?
-Is there a place where I can launch a script executing this rule, after the yast firewall module is 'touched' or something ?
Networking :: Iptables Rules For Filtering Network Traffice?
Jan 26, 2010Does anyone have tips about iptables rules for filtering network traffice?
View 2 Replies View RelatedRed Hat / Fedora :: Getting Error While Adding Rules To Iptables / Sort It?
Dec 22, 2010I am using a kernel of version 2.6.32 . I installed iptables of version 1.4.2 and it got installed successfully.
but while adding some rule to the iptable i faced an error like the following
iptables v1.4.2: Couldn't load target `standard':/usr/local//libexec/xtables/libipt_standard.so: cannot open shared object file: No such file or directory
i basically want to add a rule like the following
iptables -A INPUT -p icmp -j QUEUE
one more thing i would like to add post is tat
i did not find a library called libipt_standard.so in iptables folder(/usr/local/libexec/xtables)
instead i found a library libxt_standard.so
i tried renaming libxt_standard.so to libipt_standard.so
but even then i found the same error.
Networking :: Interesting Distribution Of Packets Over Iptables Rules
Mar 13, 2011I'm trying to configure NFS sharing behind a firewall, I got it to work and all but I was caught by something that (to me anyways) seems odd.I've been able to mount the export on another computer and am transferring files over as we speak, but I'm just interested in knowing why the RELATED,ESTABLISHED rule seems to be catching almost all the traffic coming from the other node. Any ideas? Should I be concerned that my firewall isn't protecting anything or something?
View 1 Replies View Related