Ubuntu Servers :: Iptables Allow Ports To A Specific Ip Or Domain Name?
Jul 23, 2010How to configure iptables to allow only 22,80,3306 ports for only a dynamic public ip/dyn dns domain name on a ubuntu server?
View 9 RepliesHow to configure iptables to allow only 22,80,3306 ports for only a dynamic public ip/dyn dns domain name on a ubuntu server?
View 9 RepliesI like to set in iptables to allow access from one host to my server on any ports.Currently the iptables have been configured to deny all and to allow access only to those I've specified.
View 2 Replies View RelatedI like to set in iptables to allow access from one host to my server on any ports.
Currently the iptables have been configured to deny all and to allow access only to those I've specified.
Can anyone advice on the command to achieve this?
I am trying to figure this out and it seems I can't So, I have a server which hosts various domains, each domain with multiple subdomains. All websites are set up with "VirtualHost" and they all work properly.The problem I'm having is that if I enter any subdomain of the main domain, I can still reach the webpage.Is there some way of telling apache to DROP / display a forbidden message for all subdomains which are not listed in the VirtualHosts?
View 14 Replies View RelatedI'm working on a Linux (fedora) based arcade dance machine using a game called Stepmania. I've got it all up and running and i'm trying to get it to work with two dance pads.
It detects the dance pads fine and they work well, the only issue is that when the machine is turned on it seems to randomly pick which pad is /dev/input/js0 and which is /dev/input/js1
What this leads to is the pad on the left controlling the character on the right & vice-versa. So I was wondering if there is any way to tie or map the joystick to a particular USB port so they always stay where they should ? Or is there another way this could be accomplished ?
I'm working on a Fedora 14 based arcade dance machine using a game called Stepmania. I've got it all up and running and i'm trying to get it to work with two dance pads.
It detects the dance pads fine and they work well, the only issue is that when the machine is turned on it seems to randomly pick which pad is /dev/input/js0 and which is /dev/input/js1
What this leads to is the pad on the left controlling the character on the right & vice-versa. So I was wondering if there is any way to tie or map the joystick to a particular USB port so they always stay where they should ? Or is there another way this could be accomplished ?
Since there was no response on my other post which i spent about a hour writing, ill go for something simpler. I run this on my server
Code:
# set default policy for the NAT table
iptables -t nat -P PREROUTING ACCEPT
[code]...
I am running a server with ssh and a vpn server set up. It is behind a debian router with a firewall which uses iptables. i have it set up to forward ports 22 and 443 to ssh on a computer within the LAN(so when on a restricted network i can still ssh into my network) and forward anything to 1723(for my vpn) to that box also. However, the only port that gets successfully forwarded is port 22. The other two appear closed. here is what the script looks like:
Code:
#!/bin/sh
#
[code]...
We do NOT support samba on our Unbuntu servers but still zillions of windows machines are constantly trying to connect on the SMB ports. I've added a rule that drops access to destination ports 137-138 and that seems to work. But it creates many many log entries documenting that the packet has been dropped. I've been researching and cannot come up with a way to suppress logging for these drops.
View 4 Replies View Relatedhow to block all ports except pop,pop3,smtp in nat using iptables in squid on redhat A3
View 2 Replies View Relatedi have registered two domain names that i want to use to connect to my ubuntu server. I was wondering how to do this i was looking at bind9 but that didn't work that great. The server is behind a router with firewall i can connect to it using the external IP address but i like to use the two domain names if that is possible.
View 3 Replies View RelatedI'd like to pass all traffic between bridge ports via the FORWARDING chain, so I changed following sysctl parameters:
Code:
net.bridge.bridge-nf-call-ip6tables = 1
net.bridge.bridge-nf-call-iptables = 1
[code]...
I want to portforward client connections from an ubuntu lts server to another external server. btw i am a noob on iptables. i have tryed using the basic commands for iptables with no success. For example:iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 7878 -j DNAT --to 91.23.45.67:7878iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 91.23.45.67 --dport 7878 -j ACCEPTso basically i just want a rediraction for from one ip to another. Example: A client tries to connect to ip 123.45.67.89 on port 7878 and the server forwards him to ip xx.xx.xx.xx on port 7878, meaning that xx.xx.xx.xx is the actual server with services. Server with ip 123.45.67.89 is only forwarding the client to external ip... how can this be done in a simple command?
View 7 Replies View RelatedI have a mail server with IPTABLES enabled.I want to allow access to:
41.0.0.0/8
58.0.0.0/8
61.0.0.0/8
[code]....
I am trying to open VNC ports(5901,5902) on my RHLinux machine using iptables. I am able to do it from GUI system-config-security. Go to the Administration > Security Level and Firewall, then select "other ports" at the bottom and enter the portNum 5901 to open and select tcp, then click OK and OK again to save your settings. From my windows m/n iam able to open vncsession using vncviewer on 5901 port.But when I am trying to do it from command line:#iptables -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5901 -j ACCEPTThis command added the entry in /etc/sysconfig/iptables and listed in iptables -L command.Then I saved and restarted the iptables.#service iptables save
#service iptables restartWhen I am trying to open the VNC session from vncviewer, it is giving me error and session not opened.Is there some thing I missed here? where can I check the logs for this? I definetly need
Perhaps it is my misinterpretation of AppArmor, how can it be configured to restrict TCP or UDP traffic to/from specific ports?
The profile "abstractions/nameservice", under the section "# TCP/UDP network access", doesn't seem to lock the application to port 53. What am I missing? Restriction to specific ports is something that systrace can do so I'd expect nothing less from AppArmor.
So unfortunately I live in a place that will not let me have a static IP, so I have been setting up access to my home computer via reverse SSH tunnels that run on an micro amazon ec2 instance. I have gotten SSH to work fine, but I cannot figure out port forwards.Here is a small infographic I made to help illustrate (i felt the question was clearer with a diagram of what I was trying to do. Here are the commands listed in the graphic:I the following on my home computer: ssh -R 1337:localhost:22 -i .ssh/tokyoMinekey.pem ec2-user@ec2serveraddressand I run this on the ec2 server: ssh -L6600:localhost:6600 -Nf localhost -p 1337
View 2 Replies View RelatedI have a Suse 10.3 router with 4 network cards. 1 is to connect to the big network and thereby also the internet, 2 are for 'client' subnets and I want to use the last one as a DMZ. In this DMZ will be a web server which has to be accessible from the other 2 subnets and from the big network. I could do it with a few simple clicks in Yast firewall, but I have some issues with this firewall and there for I want to use it as minimal as possible, using Iptables.
So now I'm struggling a bit with Iptables. Basicly what I'm looking for is how to block all ports but 80 in this last subnet with iptables.
How can I block all ports except
ssh (port 22)
httpd (port 80)
using iptables and iphains?
Because my ISP is blocking every IP port under 1000, I'd like my local nat'ed server to be able to translate incoming and outgoing traffic from some port above 1000 to the default server port locally.Example :
To connect to my IMAP server (default port : 143) from the outside,I'd connect to my public IP, port 1143 (opened and nat'ed to the right server on my router) and the server would translate this port to 143 on the same machine.I wish I could simply configure my router to do that but sadly Linksys doesn't permit such setting... I also could modify the listening port of my server but I prefear to keep the default port inside my network.I think that iptables is the right tool to do that and I never used it and I must say that this tool is not so easy to configure at first sigh
The company I work for, as usual, is Microsoft-centric. I'm attempting to integrate my Ubuntu server into the domain to allow domain users to authenticate to the server and access file shares using Samba. Here's my current configuration:
[Code].....
I'm having some issues settings up a transparent proxy server, which should allow only regular web browsing (port 80), any other port (including HTTPS (443)) has to be blocked, as well as any other port. Right now, I'm using Debian 6 and Squid3. The server only has one NIC. The topology is like this:
Clients <-> Proxy Server + DHCP Server <-> Internet
With this setup, the network does have internet access and the websites I whitelisted are the only ones accesible via browser, however port block is not working, every port is open, hence why trying to access blacklisted websites through HTTPS is possible. Seems to me Squid3 is doing it's job fine, however IPTABLES for some reason seems to be redirecting all the trafic to port 3128 (Squid3 port). I could be wrong, but I've been unable to do anything related to ports with squid3 (either whitelisting or blacklisting).
For Iptables I used:
Code:
iptables -A PREROUTING -t nat -i eth0 -p tcp -j REDIRECT --dport 80 --to-port 3128
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 3128 -j ACCEPT
iptables -A INPUT -i eth0 -m tcp -p tcp --dport 443 -j DROP
Squid3 config:
Code:
acl manager proto cache_object
acl localhost src 127.0.0.1/32 ::1
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
acl Safe_ports port 80 # http
acl whitelist dstdomain "/etc/squid3/whitelist"
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny !whitelist
http_access allow localhost
http_access allow all
http_port 3128 intercept
hierarchy_stoplist cgi-bin
I am trying to edit the iptables to include some ports/ip for openfire server. The problem is the computer is very locked down with permissions...I logged in as ROOT with ID 0.Now the iptables has ROOT for permission BUT ID 1 which reflects BIN.As root i cant edit or chmod/chown the iptables. Here is what i tried:
1. change password of BIN - successfully changed with no errors BUT still cant su BIN with the new password...
2. tried changing the ID of ROOT to 1 but I dont have permission to use the command....
so anything i can do here??? I dont have permission with Shadow either...
I am running Ubuntu server 10.10 and trying to setup iptables rules in /etc/if-up.d/iptables
Quote:
root@host# cat /etc/network/if-up.d/iptables
#!/bin/sh -e
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Problem is that iptables doesn't get updated and I don't see them when iptables -L is executed after reboot.
I am unable to restore my iptables from iptables-save after upgrading Fedora. I cannot get iptables-restore to work, and I have resorted to entering rules manually using the GUI.
View 2 Replies View RelatedIs there a way to force a domain to resolve to a specific IP using .htaccess?
View 1 Replies View Relatedmy company is a small company!and it only have one public ip,but my company have a lot of websites to access!now i use Reverse Proxy Server -- apahce to solve temporary!it is not convenience for me !So i think out whether iptables can not be used to forward according to the domain!!it is the test as follows:
public ip :10.0.0.1
privite ip1 :192.168.1.1
matching website domain:www1.test.com
privite ip2:192.168.1.2
matching website domain:www2.test.com
and if someone access [URL] the iptables will know they want to access 192.168.1.1 and it will forward to the server 192.168.1.1!!
I use the DynDNS service to keep track of my home server IP. The problem here is that when I try to access my web server via my domain name, the connection is refused. If I first obtain the ip adress (via nslookup), I can get access. I checked the reverse dns lookup and the results dont match. Perhaps this can be a problem browsing. Does the browser or the OS perform the rdns check? Is there a way to whitelist some specific domain in order to skip that check, so I dont have to find out the IP address every time i want to access my home server.
View 1 Replies View RelatedI m using sendmail-8.13.8-2.el5 along with MailScanner-4.79.11-1
i want to set a rule so that user1@mydomain.com can send only to anotherdomain.com domain. sending mail to any other domain will be rejected. can it be done by sendmail or MailScanner ??
how to allow mount in iptables for specific ip?
View 9 Replies View Related