I'm coming from a RHEL/CentOS background where I'm used to editing /etc/sysconfig/iptables for host-based firewall stuff. I can't find a direct equivalent on Ubuntu and I'm pretty surprised. What I've found is the ufw utility which seems to do some of what I want and some things I may not want, but it seems pretty cumbersome to type "ufw allow proto tcp from <address> to any port <number>" etc over and over again, compared to just copying and pasting and editing a largely canned set of iptables rules on RHEL.
Is that how experienced ubuntu server sysadmins do things? Do you really use the ufw front end, or do you do a preup script in /etc/network/interfaces that calls a iptables --restore, etc?
Is there another way that I'm missing? I want to do things the most standard, ubuntu-like way that's consistent with repeatability and quality, basically.
I am unable to restore my iptables from iptables-save after upgrading Fedora. I cannot get iptables-restore to work, and I have resorted to entering rules manually using the GUI.
When I try to run anything that uses iptables, even just iptables -L, I get:
Code:
1+drm33.2/modules.dep: No such file or directory iptables v1.4.4: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded. This is on a fresh Ubuntu minimal install, using my VPS hosts image (so they could have messed something up). I know there have been issues in the past with iptables on Ubuntu on xen. Is this a Ubuntu bug? Is there a solution?
incidentally depmod -a gives:
Code:
WARNING: Couldn't open directory /lib/modules/2.6.32.11+drm33.2: No such file or directory FATAL: Could not open /lib/modules/2.6.32.11+drm33.2/modules.dep.temp for writing: No such file or directory
I am having a little trouble setting up a NAT firewall using iptables. I have 1 PC dedicated to being the firewall running Ubuntu 10.04 LTS. There are 2 NICs in this PC. One NIC is connected to the modem & the other is hooked into my router, sharing the connection through to the other PC on my LAN. Thing is that I am having troubles setting this up using iptables. I have it sharing the connection, but can't seem to make it forward 2 ports through to my webserver on the LAN. I am also wanting to setup init.d to control iptables. I have been trying to google this, but haven't found anything useful to get this accomplished. I put the following into rc.local to make the forwarding work:
/sbin/iptables -F /sbin/iptables -N block /sbin/iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT /sbin/iptables -A block -m state --state NEW -i ! eth0 -j ACCEPT /sbin/iptables -A block -j LOG /sbin/iptables -A block -j DROP /sbin/iptables -A INPUT -j block /sbin/iptables --table nat -A POSTROUTING -o eth0 -j MASQUERADE
I am configuring an internal only IMAP server for archival emails. I am absolutely baffled why my connection is being refused. UFW is disabled and IPTABLES has a rule to allow all connections on 143 and 993. When I telnet this response is given:
Code: telnet localhost 143 Trying 127.0.0.1... telnet: Unable to connect to remote host: Connection refused Even nmap shows the port closed. Here is my iptables rule: HTML Code: -A ufw-user-input -p udp -m udp --dport 143 -j ACCEPT
I have a clean install of Ubuntu server Lucid Lynx with the virt-host task installed. I need to find the location of the iptables rules that are being loaded when the system boots. These are the rules for the virbr0 interface.
In Lucid I have some ufw rules but I figured that I need to limit the ICMP messages that the box responds to and also limit their number. There are iptables rules to accomplish this but since I already have ufw rules it is safe to use iptables only for ICMP rules ?
I'm using Ubuntu server 9.10 with 2 NICS (Internet-router-eth0, eth1-LAN). I use iptables to generate rules for 20 computers, but when I execute the script, ALL TRAFFIC DROPS, including the server. What am I doing wrong?
Code: #!/bin/sh #eth0 192.168.0.50 - connected to Internet #eth1 192.168.1.51 - connected to LAN #192.168.1.52 - workstation1 #set default policies iptables -P INPUT DROP
[Code]...
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -s 192.168.1.52 -j ACCEPT. The reason I'm doing this is, I just want to open necessary ports in the server and restrict LAN usage.
Why would this iptables cause this mail delivery error? I think it's to do with dns lookups not being routed properly... if remove the last rule, mail works fine.
ssh is also very slow to connect when the last rule is enabled.
postfix mail error:
Code: Jan 24 11:32:18 xxxx postfix/smtp[15065]: 9F2162C519: to=<xxxxx@hotmail.com>, relay=none, delay=1005, delays=965/0.01/40/0, dsn=4.4.3, status=deferred (Host or domain name not found. Name service error for name=hotmail.com type=MX: Host not found, try again) iptables
I'm deploying new ubuntu server which should act as a router. I've already set up the NAT for local network, and also did some shaping for different groups of users, but now I'm facing new problem.I need to make a scheduled URL filter. I know it's not a problem with cron and simple script, but maybe there is existing way to do that? And also, I need to make statistics on web-traffic. I need to have list of URLs visited by users (source ip, destination url). Is it possible with iptables? or with any other software but without using proxy servers.
I am trying to make start an iptables.cf script on my server.
I have copied it into /etc/init.d/ And try to make it load with /etc/init.d/iptables.cf start Then "not permission" (I was the root then). So, sudo /etc/init.d/iptables.cf start Then, "command not found".
I have eth0 for administration, and vlans eth0.2 eth0.3 and br0 for resource seperation. My esternal interface is ra0.each internal interface is on a seperate subnet, and I have dhcpd giving connecting devices ip addresses out of their assigned network. I want all of the devices to be able to access the internet through NAT, I need to allow them to communicate with port 80 on eth0's subnet
I'm new to linux, but enjoy using it very much, especially without a GUI, console is fun! I need to set up port forwarding. We have 3 servers, 1x running Ubuntu server 8.04 (used as transparent proxy), 1x server 2003, 1x windows xp.
The linux box has the following ips: eth0 (internal) 192.168.1.5 eth1 (external) 192.168.0.7
Windows server 2003: 192.168.1.6
Windows XP: 192.168.1.9
Router: 192.168.0.1
The router automatically forwards specific ports to 196.168.0.7 (Linux eth0). From there I want to forward port 8585 to 192.168.1.6 and 3000 to 192.168.1.9. Is there a way that I can do this using iptables?
The commands that I think I'm gonna use look like this: iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 8585 -d 192.168.1.6 -j ACCEPT iptables -A FORWARD -s 192.168.0.0/24 -p tcp --dport 3000 -d 192.168.1.9 -j ACCEPT
Would this be a correct way of doing it? My biggest problem is that I can't test it without going live, and if I go live and something doesn't work, the entire building will be left without internet, people will hate me. Also, The proxy captures all data on port 80 and forwards it to 3128 so that the proxy can monitor the usage, and a few systems runs fine with it, others however can ping websites, and internet explorer says "website found, waiting for reply" but the webpages cannot be displayed.
I have a set of iptables I have downloaded and modified for my use. I had it working for 1 lan and wan access. I now would like to have: wan access, 1 lan, and 1 wlan. I need to administer the entire network from my wireless laptop on the wlan network so I need to be able to access the lan from the wlan network, and have the wlan access the lan network. Here are my rules:
#!/bin/sh # IPTABLES FIREWALL script for the Linux 2.6 kernel. # This script is a derivitive of the script presented in # the IP Masquerade HOWTO page at: [URL] # It was simplified to coincide with the configuration of the sample system presented in the Guides section of [URL] # This script is presented as an example for testing only and should not be used on a production firewall ..... echo -e " Firewall server rule loading complete "
I have an ubuntu server virtual machine with a webhost. I am trying to configure the firewall. I am having a problem with sendmail and the required firewall configuraiton If I type the command:
iptables -F
Then sendmail works perfectly. I can see the emails sent in my googlemail inbox. I then configure my firewall as follows:
iptables -F iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -p tcp --dport 2252 -j ACCEPT iptables -A INPUT -p tcp --dport 80 -j ACCEPT [Code]....
(I have moved SSH to a diffrent port) Once this is setup sendmail no longer works. I had assumed that sendmail will establish a tcp connection and the first rule will allow all established connections to pass. why this iptables/netfilter config stops sendmail from working.
Two servers, one is RHEL 4, and the other is RHEL 5. They are both on the same subnet, one is 10 the other is 11. I added the Webmin rule to the iptables config file but for some reason, the RHEL 4 server, I can access Webmin but the RHEL 5 server I can not. I checked the iptables file and they are the same for both servers, except two rules which are for other ports.
I'm reading about the iptables and had a problem when I manually added the port 10000 entry after the REJECT entry, but wondering if I need to move it up higher or maybe there's another possible block?
I have a SSH server set up at home listening on port 22. I have hardened the server so it is pretty secure but I want to make it even safer by editing my iptables to rate-limit incoming connections and DROP false login attempts. I have tried these tutorials but I just cant get it to work:[URL]I want the debian-administration.org tutorial to work but when I try to add the first rule in terminal:sudo iptables -I INPUT -p tcp --dport 22 -i eth0 -m state --state NEW -m recent --setI get the following:Bad argument --set'I am new to iptables and I'm not sure if I'm doing something wrong when I try to set it up. I'm using Ubuntu 10.04.1 LTS with iptables v1.4.4.
Strange issue here when trying to verify firewall on Server 8.04. No ftp service running at all on server, but both nmap and netcat report port 21 as being open, even though it isn't.I am 100% sure that port 21 is not actually accessible and iptables rules are fine. Trying to connect to the port fails, yet nmap and netcat seem to report a "false positive"?Have also checked on a number of other servers I'm running, and this "false positive" seems to apply to all of them.
I recently installed a new Ubuntu PC that runs iptables and PSAD. I had the same script on another Ubuntu PC, but when I copied the script onto the new PC, I got this error. I don't remember where I found the tutorial for this, all I know is that this is the script (Edited for my usage):
Code:
#!/bin/bash # Script to check important ports on remote webserver # Copyright (c) 2009 blogama.org # This script is licensed under GNU GPL version 2.0 or above
root@NETWORK-SERVER:/var/ddosprotect# ./ipblock.sh ' not found.4.4: host/network `127.0.0.1 Try `iptables -h' or 'iptables --help' for more information. ' not found.4.4: host/network `192.168.1.8
I am facing a strange problem witht my iptables as there are some firewall entries stored somewhere which is displaying the below firewall entries even after flushing the iptables & when I restart the iptables service then the firewall entries are again shown in my iptables as shown below,
To expand: I'm trying to set up a box with l7-filter, and I need to patch and compile iptables 1.4.1.1 as part of the process. I ./configured it with the prefix= argument so it would install into /sbin instead of /usr/sbin, and I did a yum remove iptables before installing it so as not to get in the way of the original iptables, but I'm wondering if this is really necessary - it's kind of annoying, because removing the original iptables removes the init.d script, deregisters the service, etc. If I don't, is it possible that iptables 1.4.1.1 might get overwritten in a system update or something, or will yum see that I've got a custom/newer version in there and leave it be?
I've tried iptables save, iptables-save and iptables save active.
"iptables save" and "iptables save active" give me an invalid argument error. "iptables-save" isn't a valid command. "iptables --help" gives me a list of valid switches, none of which have to do with saving.
I've got a machine on my network that's just running default Ubuntu 9.10, but I was considering setting up a network dhcp service on it to manage my machines. As such I was just wondering about configuring the iptables for it.
Reading about, I believe all incoming connections are dropped by default in a standard installation of Ubuntu anyway. If so, is it simply a case of enabling UFW and using it to allow the appropriate port for the dhcpd service and not touching anything else and everything should remain secure?
I started to use ufw instead of iptables on the terminal, but was wondering if ufw could be installed on a redhat based system? I'm asking, because my office has a mix systems and would prefer to use ufw on these rpm based systems.