Networking :: Filter Chain And Policy For Iptables -L?
Mar 26, 2010
Is it possible to view only certain chains, and more specifically certain chain policies, with options when doing:
iptables -L
I would like, for example, to view the FORWARD ACCEPT rules instead of waiting for all of the DROP rules to load when listing a firewalled iptables setup.
View 3 Replies
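As an added example (not the poster's commands): `iptables -L CHAIN` lists one chain, and the waiting is usually reverse DNS on every address, which `-n` turns off. The helpers below do the same selection on an `iptables-save` dump so they can run unprivileged; the dump here is constructed for the example.

```shell
#!/bin/sh
# Added example; not from the original thread.
# On a live box (needs root) the direct answers are:
#   iptables -L FORWARD -n -v --line-numbers   # one chain only; -n skips reverse DNS
#   iptables -S FORWARD                        # same chain, in iptables-save syntax
# The helpers below work on an iptables-save dump instead, so they run unprivileged.

# Constructed sample dump standing in for `iptables-save` output.
SAMPLE_DUMP='*filter
:INPUT DROP [0:0]
:FORWARD DROP [12:960]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -d 10.0.100.10/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 10.0.0.0/8 -j DROP
-A FORWARD -s 172.16.0.0/12 -j DROP
-A FORWARD -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT'

# chain_policy CHAIN < dump -> prints the chain's default policy. User-defined
# chains have no policy and show "-" in that position.
chain_policy() {
    awk -v c=":$1" '$1 == c { print $2; exit }'
}

# chain_rules_with_target CHAIN TARGET < dump -> only the rules in CHAIN whose
# final jump is TARGET, e.g. the ACCEPT rules of FORWARD.
chain_rules_with_target() {
    awk -v c="$1" -v t="$2" \
        '$1 == "-A" && $2 == c && $(NF-1) == "-j" && $NF == t { print }'
}

# Live usage:  iptables-save | chain_rules_with_target FORWARD ACCEPT
# Demo on the constructed dump:
printf '%s\n' "$SAMPLE_DUMP" | chain_policy FORWARD
printf '%s\n' "$SAMPLE_DUMP" | chain_rules_with_target FORWARD ACCEPT
```

`iptables -S` output uses the same syntax as the dump, so the two helpers also work on `iptables -S FORWARD`.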
Mar 3, 2010
When I reboot my computer, my iptables sets itself to a policy of dropping everything, adds a bunch of rules, and a bunch of extra chains, to the effect that (due to everything being set to drop) I can't do anything. I know how to fix this from the terminal to the extent of just clearing most of it and changing the policies back. However, what I don't know is how to make it stay that way. I have a file with the iptables rules I want, so every time I start up I just run iptables-restore, but I don't want to have to do this every time, particularly since others use this computer who do not have admin privileges.
I've tried changing /etc/network/interfaces with the added line pre-up iptables-restore < (etc), but that never does anything, or if it does it just makes things work even less. I've tried changing init.d before based on similar info elsewhere, still no luck. I don't know how to get it to stick, and I don't know why it is defaulting to the rules it is, other than that I used a firewall app a while ago and afterwards this was the result; I uninstalled that app after having no success using it to reverse the damage.
View 2 Replies
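As an added example (not the poster's setup): the form Debian and Ubuntu's ifupdown supports for this is a script in /etc/network/if-pre-up.d/, which runs before any interface comes up, so the box is never online with an empty ruleset. The rules path is an assumption. The script refuses a truncated ruleset, since a half-written file would otherwise be loaded as-is; note that when a pre-up command fails, ifup aborts bringing that interface up.

```shell
#!/bin/sh
# Added example, not from the thread. Install as /etc/network/if-pre-up.d/iptables
# (mode 0755). The ruleset path is an assumption; write it with
#   iptables-save > /etc/iptables.rules
RULES=${RULES:-/etc/iptables.rules}

# Sanity-check the saved ruleset before handing it to iptables-restore:
# every "*table" header must be closed by a COMMIT line. A file that fails
# this is truncated (e.g. a disk filled up during iptables-save).
rules_file_ok() {
    awk '
        /^\*/      { open++ }
        /^COMMIT$/ { if (open == 0) bad = 1; else { open--; commits++ } }
        END        { exit (!bad && open == 0 && commits > 0) ? 0 : 1 }
    ' "$1"
}

apply_rules() {
    [ -r "$RULES" ] || { echo "no ruleset at $RULES" >&2; return 1; }
    rules_file_ok "$RULES" || { echo "refusing malformed $RULES" >&2; return 1; }
    # iptables-restore replaces each table atomically at its COMMIT line.
    iptables-restore < "$RULES"
}

# Only apply when ifupdown invokes this as a hook; sourcing the file is harmless.
case $0 in */if-pre-up.d/*) apply_rules ;; esac
```

The one-line alternative is `pre-up iptables-restore < /etc/iptables.rules` inside the interface's own `iface` stanza in /etc/network/interfaces; the hook directory form applies to every interface without editing each stanza.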
Feb 19, 2010
I have set the iptables INPUT policy to DROP. As I expected, tcpdump wasn't showing any packets... for a while. Suddenly it began to show UDP syslog packets being sent by a remote host. That is consistent with the configuration of syslog, but since the INPUT policy was set to DROP with no exceptions, it is not consistent with the configuration of iptables. Why, after setting the INPUT policy to DROP with no exceptions, are most of the packets received before being dropped and some not, as tcpdump shows?
View 7 Replies
Apr 9, 2010
I'd like to set up an iptables configuration as follows:
- Allow all traffic by default
- For one user account (anonymous), block all traffic except:
  - All traffic on lo
  - All DNS requests, which should be redirected to 127.0.0.1
Here's what I tried:
# Redirect (REDIRECT is a nat-table target, so the rule has to be added with -t nat)
iptables -t nat -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53
[code]....
View 3 Replies
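The full per-user ruleset, as an added example that is not the poster's script: REDIRECT lives in the nat table and nat OUTPUT is where locally generated packets can be rewritten; after the rewrite the packet is re-routed to lo, so the `-o lo` accept in the filter table also carries the redirected DNS, and the final rule rejects everything else from that uid. The user name and a resolver on 127.0.0.1:53 are assumptions. `DRY_RUN=1` prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the poster's script. Assumes a user named "anonymous"
# and a resolver listening on 127.0.0.1:53.
USER_NAME=${USER_NAME:-anonymous}

# Wrapper so the ruleset can be previewed with DRY_RUN=1 (prints instead of applying).
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

anon_ruleset() {
    # 1. DNS from this user is rewritten to the local resolver. REDIRECT only
    #    exists in the nat table; nat OUTPUT sees locally generated packets.
    ipt -t nat -A OUTPUT -m owner --uid-owner "$USER_NAME" -p udp --dport 53 -j REDIRECT --to-ports 53
    ipt -t nat -A OUTPUT -m owner --uid-owner "$USER_NAME" -p tcp --dport 53 -j REDIRECT --to-ports 53

    # 2. Filter table: loopback is allowed (the redirected DNS now has
    #    destination 127.0.0.1 and leaves via lo), everything else from this
    #    user is refused. First match wins, so the accept must come first.
    #    REJECT rather than DROP so the user's programs fail fast instead of
    #    hanging on timeouts.
    ipt -A OUTPUT -m owner --uid-owner "$USER_NAME" -o lo -j ACCEPT
    ipt -A OUTPUT -m owner --uid-owner "$USER_NAME" -j REJECT

    # All other users are untouched: the default OUTPUT policy stays ACCEPT.
}

# Apply only when explicitly asked, so sourcing or testing the file is harmless.
case ${1:-} in apply) anon_ruleset ;; esac
```

Run as `sh anon.sh apply` as root; the owner match works in OUTPUT and POSTROUTING only, which is why nothing here touches INPUT.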
Apr 29, 2011
On my diskless cluster, I want to open a port in the image that the nodes use. Here is what I get:
Code:
root@server:~# chroot /home/nfsroot/
root@server:/# iptables -A INPUT -p tcp -d 0/0 -s 0/0 --dport 4949 -j ACCEPT
[code]...
View 12 Replies
Jan 1, 2011
I wanted to do bandwidth management/traffic shaping on my Internet link (I have two Internet connections), but I have some questions to ask: I want to know how I could, for example, filter some traffic using tc and iptables (e.g. peer-to-peer, IM, download managers, Flash videos...). I can do filtering for known services like http, ssh, ... but since these applications don't use one port, I am a little bit confused. I also want to do some bandwidth allocation (based on protocol); that's why I need filtering.
The other question is that currently I am using tc for bandwidth allocation and iptables for marking packets to send to these classes; am I doing it right? I mean it does work, but is it better to use, for example, "u32" filters for filtering? P.S.: I tried to use ClearOS in gateway mode, but it doesn't have bandwidth allocation functionality. Does anyone know if I could do bandwidth allocation in ClearOS/Endian?
View 1 Replies
May 3, 2010
I'm intending to replace my current router (486DX2 w/16MB running FREESCO which has been faithfully working 24/7 for well over a decade) with a debian box with a bit more grunt and newer features. I'm currently setting up my iptables ruleset and am after a bit of advice re the FORWARD policy. A few example rulesets I have found set the default policy to DROP and then have two lines for each port forward, one to allow the traffic and one to direct the incoming packets to the correct machine.
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to-destination 10.0.100.10:25
iptables -A FORWARD -i eth1 -p tcp --dport 25 -o eth0 -d 10.0.100.10 -m conntrack --ctstate NEW -j ACCEPT
I'm thinking of setting the default policy to ACCEPT to cut down on typing as my default INPUT policy is DROP and unless there is a valid FORWARD rule for a particular port, the packets aren't going anywhere anyway. Or have I misunderstood something. My googling returned heaps of example scripts & not much intelligent commentary. Alternatively, what do you all use to configure & maintain your debian gateways; hand rolled iptables rules, or any toolset recommendations?
View 4 Replies
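An added example, not the poster's ruleset, of the DROP-policy version with the typing cost removed. The caveat it is built around: on a router, a FORWARD policy of ACCEPT forwards anything the routing table can deliver, whether or not a DNAT rule exists (LAN-to-WAN traffic, and any packet arriving on the WAN side that is already addressed to a LAN host), so "no FORWARD rule, packets go nowhere" only holds with a DROP policy. One conntrack rule covers every return packet, and a two-line function emits the DNAT/FORWARD pair per published service. Interface names and the 10.0.100.0/24 LAN follow the snippet in the post; the second service is an assumption.

```shell
#!/bin/sh
# Added example, not the poster's ruleset. Interface names, the LAN range and
# the published hosts are assumptions matching the thread's snippet.
WAN=${WAN:-eth1}
LAN=${LAN:-eth0}
LAN_NET=${LAN_NET:-10.0.100.0/24}

ipt() {  # DRY_RUN=1 prints the rules instead of applying them
    if [ "${DRY_RUN:-0}" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# forward_port PROTO PORT INTERNAL_HOST [INTERNAL_PORT]
# Emits the DNAT rule plus the matching FORWARD accept. With a DROP policy
# this pair is the only thing that lets inbound traffic reach the host.
forward_port() {
    proto=$1 port=$2 host=$3 iport=${4:-$2}
    ipt -t nat -A PREROUTING -i "$WAN" -p "$proto" --dport "$port" -j DNAT --to-destination "$host:$iport"
    ipt -A FORWARD -i "$WAN" -o "$LAN" -p "$proto" -d "$host" --dport "$iport" -m conntrack --ctstate NEW -j ACCEPT
}

gateway_forward_rules() {
    ipt -P FORWARD DROP
    ipt -F FORWARD
    # One rule handles every return packet of an allowed connection.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Packets that do not fit any known connection (stray ACKs, bad sequence).
    ipt -A FORWARD -m conntrack --ctstate INVALID -j DROP
    # LAN hosts may open new connections outward; nothing else may.
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    # Published services: each call adds exactly two rules.
    forward_port tcp 25 10.0.100.10
    forward_port tcp 443 10.0.100.20 8443
}

case ${1:-} in apply) gateway_forward_rules ;; esac
```

Run as `sh gateway.sh apply` as root, or `DRY_RUN=1 sh -c '. ./gateway.sh; gateway_forward_rules'` to review the generated rules first.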
Oct 8, 2010
I have a very simple set up. With Network Manager I can have my laptop act as a router (sharing all connections). I also have apt-cacher-ng as a Debian package cacher. I would like to set up iptables to filter only the URLs that are meant for a Debian package cacher.
For example: I could use a "forward all" rule:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3142
Except then I would get a bunch of error pages every time I tried to do normal navigating. My question (again) is: can iptables handle forwarding only on a specific URL? If so, how? Or is there another solution? (preferably without full-fledged software like Squid)
View 3 Replies
Jul 10, 2011
Does anyone know the iptables statement that will block inbound SMTP messages that are NOT S/MIME encrypted?
View 1 Replies
Dec 16, 2010
I'm deploying a new Ubuntu server which should act as a router. I've already set up the NAT for the local network, and also did some shaping for different groups of users, but now I'm facing a new problem. I need to make a scheduled URL filter. I know it's not a problem with cron and a simple script, but maybe there is an existing way to do that? And also, I need to make statistics on web traffic. I need to have a list of URLs visited by users (source IP, destination URL). Is it possible with iptables? Or with any other software, but without using proxy servers?
View 9 Replies
Feb 28, 2011
What's the difference between Chain RH-Firewall-1-INPUT (2 references) and Chain INPUT (policy ACCEPT)?
View 1 Replies
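An added example, not from the thread, of where the two listings come from. INPUT is a built-in chain, so it has a policy: the verdict for a packet that matches none of its rules. RH-Firewall-1-INPUT is a user-defined chain (the one the Red Hat firewall tool generates); it has no policy, and "(2 references)" counts the rules elsewhere that jump to it, which in the stock configuration are one in INPUT and one in FORWARD. A packet that reaches the end of a user-defined chain without a verdict returns to the chain that jumped, and only then does that chain's policy apply. The script builds such a chain (DRY_RUN=1 prints the commands) and counts references in an `iptables-save` dump constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Shows how a user-defined chain gets its
# "(N references)" and where the policy actually lives.
ipt() {  # DRY_RUN=1 prints the rules instead of applying them
    if [ "${DRY_RUN:-0}" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

shared_input_chain() {
    ipt -N RH-Firewall-1-INPUT                       # user chain: no policy of its own
    ipt -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    ipt -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A RH-Firewall-1-INPUT -p tcp --dport 22 -j ACCEPT
    ipt -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    # Two jumps = "(2 references)". Without the final REJECT above, a packet
    # that falls off the end of the user chain would return to INPUT or
    # FORWARD, where the built-in policy (ACCEPT here) would apply.
    ipt -A INPUT -j RH-Firewall-1-INPUT
    ipt -A FORWARD -j RH-Firewall-1-INPUT
}

# reference_count CHAIN < iptables-save dump -> how many rules jump to CHAIN
reference_count() {
    awk -v c="$1" '$1 == "-A" { for (i = 2; i < NF; i++) if ($i == "-j" && $(i+1) == c) n++ }
                   END { print n + 0 }'
}

# Constructed dump equivalent to the rules above. Note the "-" where a
# built-in chain would show its policy.
SAMPLE_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT'

# Live usage:  iptables-save | reference_count RH-Firewall-1-INPUT
case ${1:-} in apply) shared_input_chain ;; esac
```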
Mar 25, 2010
Seems like this should be a simple question, but I've looked around and have not found an obvious location to keep custom policy based routing rules in Ubuntu. /etc/network/if-up.d comes to mind, but I was wondering if that is a "standard" spot. Also it doesn't seem like these rules really need to run each time an interface is up'ed or down'ed.
View 4 Replies
Nov 27, 2010
I want to implement a bandwidth shaping policy in a virtual environment. So I have a 2mbps link, which I want to distribute among email, http(s), ssh, ... and some other traffic. I want to do this in a virtual environment, for testing purposes. I want to run this script on a VirtualBox virtual machine, which has Ubuntu installed on it, and then use that as the router.
(a) Is there any software that could simulate email, http, ... traffic so that I could test it?
(b) My second question is (though not related to networking): how do I set a (virtual) machine as a router? Or is it even possible?
View 1 Replies
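An added example serving both shaping questions above (the tc-plus-marking one from Jan 1 and this one); it is not either poster's script. It turns the VM into a router, builds an HTB tree on the uplink with per-protocol classes, and classifies with iptables MARK plus tc `fw` filters. That is the "mark, then fw filter" approach the first poster asks about: `u32` would match the same header fields directly in tc, but marking keeps the policy in one place and allows conntrack-based matches, which matter for the second half of that question, since peer-to-peer and IM clients cannot be identified by port and stock iptables has no reliable layer-7 match. Interface, link rate and class sizes are assumptions; DRY_RUN=1 prints the commands.

```shell
#!/bin/sh
# Added example, not from either thread. Assumptions: uplink interface eth0,
# a 2 Mbit link, classes for ssh, mail, web and a default bucket.
DEV=${DEV:-eth0}
LINK=${LINK:-2mbit}

run() {  # DRY_RUN=1 prints the commands instead of executing them
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# A VM becomes a router the same way a physical box does: enable forwarding
# (and give the other VMs a route through it).
enable_routing() {
    run sysctl -w net.ipv4.ip_forward=1
}

# tc shapes what the box transmits, so the classes sit on the uplink's egress.
shape_uplink() {
    run tc qdisc del dev "$DEV" root 2>/dev/null
    run tc qdisc add dev "$DEV" root handle 1: htb default 40
    run tc class add dev "$DEV" parent 1: classid 1:1 htb rate "$LINK" ceil "$LINK"
    run tc class add dev "$DEV" parent 1:1 classid 1:10 htb rate 256kbit ceil "$LINK" prio 0   # ssh
    run tc class add dev "$DEV" parent 1:1 classid 1:20 htb rate 512kbit ceil "$LINK" prio 1   # mail
    run tc class add dev "$DEV" parent 1:1 classid 1:30 htb rate 768kbit ceil "$LINK" prio 2   # web
    run tc class add dev "$DEV" parent 1:1 classid 1:40 htb rate 512kbit ceil "$LINK" prio 3   # everything else
    # fwmark N -> class 1:N0; the marks are set by iptables below.
    for m in 1 2 3; do
        run tc filter add dev "$DEV" parent 1: protocol ip prio 1 handle "$m" fw flowid "1:${m}0"
    done
}

# Classify forwarded traffic by protocol in the mangle table. Traffic the
# router itself originates would need the same rules in mangle OUTPUT.
mark_traffic() {
    run iptables -t mangle -F PREROUTING
    run iptables -t mangle -A PREROUTING -p tcp --dport 22 -j MARK --set-mark 1
    run iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 25,465,587,993 -j MARK --set-mark 2
    run iptables -t mangle -A PREROUTING -p tcp -m multiport --dports 80,443 -j MARK --set-mark 3
}

case ${1:-} in apply) enable_routing; shape_uplink; mark_traffic ;; esac
```

For generating test load against the classes, any client on a second VM that opens connections to those ports will do; `tc -s class show dev eth0` then shows per-class byte counters to confirm the marks land where intended.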
May 6, 2010
Can you show me how to block a domain from local access through URL Filter? Maybe an example is a very good start.
View 10 Replies
Aug 20, 2010
ntop installed via yum on a CentOS 5 system running squid. Starting ntop on the command line and not as a daemon gives an error for an illegal filter.
Code:
Fri Aug 20 14:10:12 2010 NOTE: Interface merge enabled by default
Fri Aug 20 14:10:12 2010 Initializing gdbm databases
[code]....
View 1 Replies
Jan 18, 2011
I have a problem here for which I am unable to find any relevant info on Google. I have an Openfiler server and another server which is running OEL (RedHat 5). When I give the following command: iscsiadm -m discovery -t sendtargets -p 192.168.2.13 it only gives me one line of output, which is: 192.168.2.13:3260,1 iqn.2006-01.com.openfiler:tsn.03821172572c. None of the mapped LUNs gets identified, nor does it show me any message that it is connecting. I have set up CHAP in Openfiler to accept an incoming user plus gave access to my OEL server. Any feedback is helpful. If you need the contents of the /etc/iscsi/iscsid.conf file let me know.
View 1 Replies
May 6, 2010
I have a need to make a rather odd filter in tcpdump. I would like to capture only those packets on interface eth0 that are outgoing (in other words from IP 192.168.1.1, which is the IP for eth0 on this computer) and don't have src MAC address 11:22:33:44:55:66. However, the following command says that the syntax is wrong:
Code:
tcpdump -n -p -i eth0 src host 192.168.1.1 ether src not 11:22:33:44:55:66
Is this possible? If yes, then what is the correct command?
View 3 Replies
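The working filter, as an added example (not the poster's command): pcap's filter language needs the two conditions joined with `and`, and `not` negates the ether clause. The expression is built by a function so it can be checked without a capture; the address and MAC are the ones from the post, the interface is an assumption.

```shell
#!/bin/sh
# Added example, not the poster's command. Address and MAC are the ones quoted
# in the post; the interface name is an assumption.
SRC_IP=${SRC_IP:-192.168.1.1}
SKIP_MAC=${SKIP_MAC:-11:22:33:44:55:66}
IFACE=${IFACE:-eth0}

# build_filter IP MAC -> pcap filter: packets from IP whose frame was not sent
# from MAC. "and" joins the primitives; "not" applies to the ether primitive.
build_filter() {
    printf 'src host %s and not ether src %s' "$1" "$2"
}

# Runs the capture (needs root or CAP_NET_RAW). -n: no name resolution,
# -p: no promiscuous mode, -e: print link-level headers so the MAC is visible.
capture_outgoing() {
    tcpdump -n -p -e -i "$IFACE" "$(build_filter "$SRC_IP" "$SKIP_MAC")"
}

case ${1:-} in run) capture_outgoing ;; esac
```

`tcpdump -d 'src host 192.168.1.1 and not ether src 11:22:33:44:55:66'` compiles the expression and dumps the BPF program without capturing, which is the quickest way to check filter syntax.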
Feb 8, 2010
I am a newcomer in this forum and a beginner on FreeBSD. I have a problem with how to implement a spam filter program on a mail server; the problem is I have no idea how to implement and test the spam filter program on the mail server, and where I should put the program. Is it in POP3?
View 3 Replies
Feb 26, 2011
I am new to Fedora and I've installed Fedora 14. I want to know what the steps are to make my machine act as a transparent (IP-less) bridge. Second, after setting up the bridge, I want to make all the packets that pass through the bridge execute a servlet filter (to make some tests and add cookies); is it possible? Is there a simpler way to do those tests on the packets and add cookies?
View 4 Replies
May 13, 2011
I'm using Ubuntu Server 10.04 with OpenVPN installed on it. My VPN is working fine; all the users can connect without any issue. My problem is that I'm unable to filter the VPN traffic using OpenVPN. I can't allow all users to be able to interact with other VPN users. I need to avoid this kind of traffic. I was trying to build an iptables firewall, but I just noticed that my OpenVPN traffic isn't being filtered by iptables. In the FORWARD chain, no matter what rule I use, OpenVPN would continue to allow traffic between my clients. It does appear that OpenVPN is skipping the FORWARD chain? For example:
Code:
# iptables -L FORWARD -nv
Chain FORWARD (policy DROP 0 packets, 0 bytes)
[code]....
View 3 Replies
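An added example, not the poster's configuration, of the one server-side setting that produces exactly this symptom and the FORWARD rules that work once it is gone. With `client-to-client` in the server config, OpenVPN switches packets between clients inside the daemon and they never reach the kernel, so no FORWARD rule can see them; the OpenVPN manual says not to use that option when tunnel traffic is to be firewalled with per-client rules. Without it, client-to-client packets enter on tun0, are routed by the kernel and would leave on tun0 again, which is a pattern iptables can match. The VPN subnet, tun0, and the LAN behind the server are assumptions; DRY_RUN=1 prints the rules.

```shell
#!/bin/sh
# Added example, not the poster's configuration. Assumptions: the VPN subnet is
# 10.8.0.0/24 on tun0, the LAN behind the server is 192.168.0.0/24 on eth0.
VPN_IF=${VPN_IF:-tun0}
VPN_NET=${VPN_NET:-10.8.0.0/24}
LAN_IF=${LAN_IF:-eth0}
LAN_NET=${LAN_NET:-192.168.0.0/24}

ipt() {  # DRY_RUN=1 prints the rules instead of applying them
    if [ "${DRY_RUN:-0}" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# The server.conf lines that matter. "client-to-client" must be ABSENT: with it,
# the daemon switches packets between clients in user space and the kernel
# (and therefore iptables) never sees them.
openvpn_server_fragment() {
    cat <<'EOF'
server 10.8.0.0 255.255.255.0
dev tun
# client-to-client   <- left out on purpose: the kernel now routes between clients
EOF
}

vpn_forward_rules() {
    ipt -P FORWARD DROP
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Client-to-client: the packet enters on tun0 and would leave on tun0.
    ipt -A FORWARD -i "$VPN_IF" -o "$VPN_IF" -s "$VPN_NET" -d "$VPN_NET" -j DROP
    # Clients may open connections to the LAN; nothing else is forwarded.
    ipt -A FORWARD -i "$VPN_IF" -o "$LAN_IF" -s "$VPN_NET" -d "$LAN_NET" -m conntrack --ctstate NEW -j ACCEPT
}

case ${1:-} in apply) vpn_forward_rules ;; esac
```

After restarting OpenVPN without `client-to-client`, the packet counters in `iptables -L FORWARD -nv` should start moving for the tun0-to-tun0 rule whenever two clients try to talk.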
Feb 8, 2011
Last Friday my school's ISP enabled IWSVA (InterScan Web Security Virtual Appliance) from Trend Micro. All traffic is now filtered, and slowed down. Videos and other video streams are now useless. After this we have had serious problems using our netbooks with Ubuntu, and upgrading workstations with Ubuntu has become very problematic, or almost impossible. I have to run the update process 6-8 times before all packages are updated.
What can I do to document the problem in a good way? The ISP tells me that there are no problems, and that it has to be a Linux problem. (Ever heard that one before?) The LTSP clients on my Debian servers do not have the same problems, maybe because they are using the proxy on this server?
View 5 Replies
Jun 17, 2010
I am trying to configure my live install of Fedora so a PC on the same intranet can access it by hostname instead of by IP address. After I installed bind, I realized the man pages recommended against bind and said instead to enable SELinux named. I tried to guess what variables to set after googling and studying the documentation and coming up empty. I used getsebool -a, and tried turning one and all on. I test using: nslookup myhostname on the Linux box, since if that isn't working it isn't surprising that the Windows box can't see it. What buttons to push to enable SELinux named, as described in the Fedora 13 man page for bind? Slight correction: the man page is for named. It says to remove bind-chroot and use SELinux to enable named. I think I also have to create a new zone. This seems akin to proving Fermat's last theorem but less rewarding. Anyone know what keys to push for either? I did get system-config-selinux running. I thought it was in an infinite loop but it does *eventually* load a GUI. Also if you set a boolean it will grab all CPU for a couple of minutes (used top in another terminal).
View 5 Replies
Apr 3, 2010
I've been trying for a couple of days now to get netem rate limiting to work on a Fedora 12 i686 virtual machine (both on VMware Fusion and KVM), and have had no success. In order to do outbound rate limiting, I want to use the netem token bucket filter (TBF), as described here: [URL] Unfortunately, attempting to use the TBF results in this error:
Code:
[root@f12-build ~]# tc qdisc add dev eth1 parent 1:1 handle 10: tbf rate 256kbit buffer 1600 limit 3000
[code]...
View 1 Replies
Aug 27, 2009
This one has been driving me nuts for some days now: my Gentoo box which is acting as an Internet gateway has two point-to-point interfaces, ppp0 (PPPoE to my ISP) and ppp1 (PPTP VPN link to IPREDator). Packets from my local network are just routed through ppp0, and now the fun part starts: I want to MARK (netfilter...) all packets originating from one specific user on that box in order to use another routing table that will contain a default route via the ppp1 interface. Marking seems to work fine, as does the second routing table. But quite mysteriously (at least for me), the packets sent out on ppp1 contain the wrong source IP address, namely the address associated with ppp0. So here is what ifconfig and friends tell me. Network interfaces:
Code:
# ifconfig ppp0
ppp0 Link encap:Point-to-Point Protocol
[code]...
View 9 Replies
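An added example, not the poster's setup, of the complete diversion including the piece that explains the wrong source address. For locally generated packets the kernel picks the source address during the first route lookup, when the socket is created, and the fwmark is only set afterwards in mangle OUTPUT; the re-route triggered by the mark changes the interface but keeps the already chosen ppp0 address. So the address has to be rewritten on the way out of ppp1, which MASQUERADE does with whatever address ppp1 currently has. The user name, table number and mark value are assumptions; DRY_RUN=1 prints the commands.

```shell
#!/bin/sh
# Added example, not the poster's setup. Assumptions: the user to divert is
# "vpnuser", the ISP link is ppp0, the VPN link is ppp1, routing table 100 is
# unused and fwmark 0x1 is free.
USER_NAME=${USER_NAME:-vpnuser}
ISP_IF=${ISP_IF:-ppp0}
VPN_IF=${VPN_IF:-ppp1}
TABLE=${TABLE:-100}
MARK=${MARK:-0x1}

run() {  # DRY_RUN=1 prints the commands instead of executing them
    if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

divert_user_via_vpn() {
    # 1. Mark this user's locally generated packets (owner match: OUTPUT only).
    run iptables -t mangle -A OUTPUT -m owner --uid-owner "$USER_NAME" -j MARK --set-mark "$MARK"
    # 2. Marked packets consult a table whose only default route is the VPN link.
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add default dev "$VPN_IF" table "$TABLE"
    # 3. The source address was chosen from the main table (ppp0) before the
    #    mark existed, so rewrite it as the packet leaves ppp1.
    run iptables -t nat -A POSTROUTING -o "$VPN_IF" -j MASQUERADE
    # 4. If the VPN is down, table 100 has no route and the lookup falls through
    #    to the main table; refuse rather than leak the marked flows via the ISP.
    #    -o is reliable here because filter OUTPUT runs after the re-route.
    run iptables -A OUTPUT -m mark --mark "$MARK" -o "$ISP_IF" -j REJECT
    run ip route flush cache
}

case ${1:-} in apply) divert_user_via_vpn ;; esac
```

`ip rule show` and `ip route show table 100` confirm steps 2 and 3; `iptables -t nat -L POSTROUTING -nv` should show the MASQUERADE counter moving once the user sends traffic.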
Jul 17, 2009
Filter access to the net through the server only for users authenticated against a domain controller (Win2k). The server (CentOS, firewall with 2 NICs), which provides access to the net, has only 196MB RAM (PIII 500MHz), so I do not want a solution based on a proxy or anything that uses large resources. I want a solution with a script that runs at login on Windows, checks the HDD serial and communicates with the Linux server so that access is opened, or another simple solution. Now I just use only MAC filtering on
View 1 Replies
Apr 25, 2010
I got a digital picture key chain and it comes with Windows software. I plugged it in and it's detected as a read-only USB storage device, so I can't upload any pictures to it.
View 3 Replies
Aug 4, 2010
I am trying to install the toolchain for AVR following this link: [URL]
I get an error that I need gmp and other things, so I try to install them as pointed out lower on the same web page:
Build GMP for MinGW
* Version 4.2.3
* <http://gmplib.org/>
* Build script:
[Code].....
The point is that I have no idea in which directory to install gmp.
View 1 Replies
Jul 10, 2010
I've recently installed Ubuntu 10.04. It installed and chain-loaded correctly; however I installed it on a partition that was too small, so I used GParted to copy the files 1:1 to a freed-up partition. The result was it copied fine but the GRUB file became messed up.
I had to manually reinstall GRUB2 from the LiveCD and Linux was starting up fine; however now I'm unable to boot to Windows. Is there an easy way to reinstall/re-chain the Windows bootloader so it's able to chain-load from GRUB?
View 9 Replies
Jan 18, 2011
For some reason I get two requests for key chain unlocks when I boot. I only have to "sign" one of them but the second one still appears.
View 1 Replies
Sep 10, 2010
1. I need to use clock_gettime(); in <time.h> it is: extern int clock_gettime (clockid_t __clock_id, struct timespec *__tp) __THROW; and in a successfully built .so it is unresolved. In the final app that links to this .so it is also unresolved. Which lib is missing in the .so or app build?
2. libc includes several libs; which are linked by default? Say stdc++, rt? rt1/rt2, what do they do?
3. How do I find which libc is used or linked?
View 2 Replies