Is it possible to only view certain chains and more specifically certain chain policies with options when doing:
iptables -L
I would like for example view FORWARD ACCEPT rules instead of waiting for all of the drop rules to load when viewing a firewalled iptables.
When I reboot my computer, my iptables sets itself to a policy of dropping everything, adds a bunch of rules, and a bunch of extra chains, to the effect that (due to everything being set to drop) I can't do anything. I know how to fix this from the terminal to the extent of just clearing most of it and changing the policies back. However, what I don't know is how to make it stay that way. I have a file with the iptables rules I want, so every time I start up I just run iptables-restore, but I don't want to have to do this every time, particularly since others use this computer who do not have admin privileges.
I've tried changing /etc/network/interfaces with the added code pre-up iptables-restore < (etc) But that never does anything, or if it does it just makes stuff work even less. I've tried changing init.d before based on similar info elsewhere, still no luck. I don't know how to get it to stick, and I don't know why it is defaulting to the rules it is, other than that I used a firewall app a while ago and afterwards this was the result, for which I uninstalled that app after no success using it to reverse the damage.
I have set the iptables INPUT policy to DROP. As I have expected tcpdump wasn't showing any packages... for a while. Suddenly it begun to show UDP syslog packages being sent by a remote host. It is conform with the configuration of syslog, but since the INPUT policy was set to DROP, with no exceptions, it is not conform with configuration of iptables. Why after setting INPUT policy to DROP, with no exceptions most of the packets recieved before are being dropped and some not, as tcpdump shows?
View 7 Replies View RelatedI'd like to set up an iptables configuration as follows:- Allow all traffic by default- For one user account (anonymous), block all traffic except:- All traffic on lo- All DNS requests, which should be redirected to 127.0.0.1Here's what I tried:
# Redirect
iptables -A OUTPUT -p udp -m owner --uid-owner anonymous -m udp --dport 53 -j REDIRECT --to-ports 53
[code]....
On my diskless cluster, I want to open a port on the image that nodes use it.Here is what I get:
Code:
root@server:~# chroot /home/nfsroot/
root@server:/# iptables -A INPUT -p tcp -d 0/0 -s 0/0 --dport 4949 -j ACCEPT
[code]...
i wanted to do bandwidth management/traffic shaping on my Internet link(have two internet connections), but i have some questions to ask: I want to know how could i for example filter some traffics using tc and iptables (e.g Peer-to-Peer,IM,Download Managers,Flash videos..) i can do filtering for known services like http,ssh,... but since these applications doesn't use one port, i am confused a little bit. I also want to do some bandwidth allocations (based on protocol) thats why i need filtering.
The other question is that currently i am using tc for bandwidth allocation and iptables for marking packets to send to these classes, am i doing it right? I mean it does work, but is it better to use for example "U32" filters for filtering? P.S: i tried to use ClearOS in gateway mode, but it doesn't have bandwidth allocation functionality. Does anyone know if i could do bandwidth allocation in ClearOS/Endian.
I'm intending to replace my current router (486DX2 w/16MB running FREESCO which has been faithfully working 24/7 for well over a decade) with a debian box with a bit more grunt and newer features. I'm currently setting up my iptables ruleset and am after a bit of advice re the FORWARD policy. A few example rulesets I have found set the default policy to DROP and the have two lines for each port forward, one to allow the traffic and one to direct the incoming packets to the correct machine.
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to-destination 10.0.100.10:25
iptables -A FORWARD -i eth1 -p tcp --dport 25 -o eth0 -d 10.0.100.10 -m conntrack --ctstate NEW -j ACCEPT
I'm thinking of setting the default policy to ACCEPT to cut down on typing as my default INPUT policy is DROP and unless there is a valid FORWARD rule for a particular port, the packets aren't going anywhere anyway. Or have I misunderstood something. My googling returned heaps of example scripts & not much intelligent commentary. Alternatively, what do you all use to configure & maintain your debian gateways; hand rolled iptables rules, or any toolset recommendations?
I have a very simple set up.With Network Manager I can have my laptop act as a router (sharing all connections).I also have apt-cacher-ng as a debian package cacher.I would like to set up iptables to filter only the urls that are meant for a debian package cacher.
For example:I could use a "forward all" rule:
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3142
Except then I would get a bunch of error pages every time I tried to do normal navigating.My question (again) is: Can iptables handle forwarding only on a specific url? If so how?Or is there another solution? (prferably without full fledged software like squid)
Does anyone know the iptables statement that will block inbound SMTP messages that are NOT S/MIME encrypted?
View 1 Replies View RelatedI'm deploying new ubuntu server which should act as a router. I've already set up the NAT for local network, and also did some shaping for different groups of users, but now I'm facing new problem.I need to make a scheduled URL filter. I know it's not a problem with cron and simple script, but maybe there is existing way to do that? And also, I need to make statistics on web-traffic. I need to have list of URLs visited by users (source ip, destination url). Is it possible with iptables? or with any other software but without using proxy servers.
View 9 Replies View Relatedwhats the different between Chain RH-Firewall-1-INPUT (2 references) and Chain INPUT (policy ACCEPT)?
View 1 Replies View RelatedSeems like this should be a simple question, but I've looked around and have not found an obvious location to keep custom policy based routing rules in Ubuntu./etc/network/if-up.d comes to mind, but I was wondering is that was a "standard" spot. Also it doesn't seem like these rules really need to run each time an interface is up'ed or down'ed.
View 4 Replies View RelatedI want to implement bandwidth shaping policy in a virtual environment. So i have 2mbps link, which i want to distribute it among Email,http(s),ssh,... and some other traffic. I want to do this in a virtual environment, for testing purpose. I want to run this script on a virtualbox virtual machine, which has ubuntu installed on it. and then use that as the router.
(a) is there any software that could simulate email,http,... traffic so that i could test it?
(b) my second question is (though not related to networking) how do i set a (virtual) machine as a router? or is it even possible?
Can you show me how to block a domain from local access through URL Filter?ay be an example is a very good start.
View 10 Replies View Relatedntop installed on CentOS5 system running as squid using yum. Starting ntop on command line and not as daemon and gives error for illegal filter.
Code:
Fri Aug 20 14:10:12 2010 NOTE: Interface merge enabled by default
Fri Aug 20 14:10:12 2010 Initializing gdbm databases
[code]....
I have a problem here for which I am unable to find any relevant info on google. I have an openfiler server and another server which is running OEL(redhat5). When i give the following command iscsiadm -m discovery -t sendtargets -p 192.168.2.13it only gives me one line output which is:192.168.2.13:3260,1 iqn.2006-01.com.openfiler:tsn.03821172572cNone of the mapped LUNS gets identified neither it shows me any message that it is connecting. I have setup CHAP in openfiler to accept an incoming user plus gave access to my OEL server.Any feedback is helpful. If you need the contents of /etc/iscsi/iscsid.conf file let me know
View 1 Replies View RelatedI have a need to make a rather odd filter in tcpdump- I would like to capture only all those packages on interface eth0, that are outgoing(in other words from IP 192.168.1.1, which is IP for eth0 in this computer) and doesn't have src MAC address 11:22:33:44:55:66. However, fallowing command says, that syntax is wrong:
Code:
tcpdump -n -p -i eth0 src host 192.168.1.1 ether src not 11:22:33:44:55:66
Is this possible? If yes, then what is the correct command?
I am new comer in this forum and the beginner on freeBsdI have a problem on how to implement the spam filter program on mail server, the problem is i have no idea on how to implement and test the spam filter program on the mail server and where should i put the program? is it in pop3?
View 3 Replies View RelatedI am new to fedora and I've installed fedora 14, I want to know what are the steps to make my machine act as a transparent (IP-less) bridge? Second, after setting the bridge, I want to make all the packets that passes through the bridge execute a servlet filter (to make some tests and add cookies) is it possible? Is there a simpler way to do those tests on the packets and add cookies?
View 4 Replies View RelatedI'm using ubuntu server 10.04 with openvpn installed on it. My vpn is working fine, all the users can connect without any issue.My problem is that I'm unable to filter the VPN traffic using openvpn. I can't allow all users to be able to interact with other vpn users. I need to avoid this kind of traffic.I was trying to build an iptables firewall, but I just noticed that my openvpn traffic isn't being filtered by iptables.In FORWARD chain, no matter what rule I use openvpn would continue to allow traffic between my clients. It does appear that openvpn is skipping FORWARD chain?For example:
Code:
# iptables -L FORWARD -nv
Chain FORWARD (policy DROP 0 packets, 0 bytes)
[code]....
last friday my schools isp enabled iwsva - interscan web security virtual appliance from trendmicro. all traffic is now filtered, and slowed down. videos and other videostreams are now useless. after this we have had serious problems using our netbooks with ubuntu, and upgrading workstations with ubuntu has become very problematic, or almost impossible. i have to run the update process 6-8 times before all packages are updated.
what can i do to document the problem in a good way. the isp tells me that there are no problems, and that it has to be a linux problem. (ever heard that one before?) the ltsp-clients on my debian servers does not have the same problems, maybe because they are using the proxy on this server?
I am trying to configure my live install of fedora so a PC on the same intranet can access it by hostname instead of by IP address.After I installed bind, I realized the man pages recommended against bind and said instead to enable SELinux named. I tried to guess what variables to set after googling and studying the documentation and coming up empty. I used getsebool -a, and tried turning one and all on.I test using:nslookup myhostname on the linux box, since if that is working it isnt surprising that the windows box cant see it. what buttons to push to enable SELinux named, as described in fedora 13 man page for bin slight correction, the man page is for named. It says to remove the bind-chroot and use SElinux to enable named. I think I also have to create a new zone. This seems akin to proving fermats last theorem but less rewarding. anyone know what keys to push for either. I did get system-config-selinux running. I thought it was in an infinite loop but it does *eventually* load a gui. Also if you set a boolean it will grab all CPU for a couple of minutes. (used top in another terminal).
View 5 Replies View RelatedI've been trying for a couple days now to get netem rate limiting to work on a Fedora 12 i686 virtual machine (both on VMware Fusion and KVM), and have had no success.In order to do outbound rate limiting, I want to use the netem token bucket filter (TBF), as described here:[URL]Unfortunately, attempting to use the TBF results in this error:
Code:
[root@f12-build ~]# tc qdisc add dev eth1 parent 1:1 handle 10: tbf rate 256kbit buffer 1600 limit 3000
[code]...
This one has been driving me nuts for some days now:My Gentoo box which is acting as an internet gateway has two point-to-point interfaces, ppp0 (PPPoE to my ISP) and ppp1 (PPTP VPN link to IPREDator). Packets from my local network are just routed through ppp0 and now the fun part starts: I want to MARK (netfilter...) all packets originating from one specific user on that box in order to use another routing table that will contain a default route via the ppp1 interface.Marking seems to work fine as does the second routing table. But quite mysteriously (at least for me), the packets sent out on ppp1 contain the wrong source IP address, namely the address associated with ppp0.So here is what ifconfig and friends tell me:Network interfaces:
Code:
# ifconfig ppp0
ppp0 Protokoll:Punkt-zu-Punkt Verbindung
[code]...
Filter access server through the net only to authenticated users from domain controller (Win2k). Server (Centos)(Firewall with 2 nic), which makes access to the net, with only 196MB RAM (PIII500Mhz), so I do not want a solution based on proxy or what resources it uses large I want a solution with a script that runs at login on windows this check series HDD and to communicate with Linux server that's open accessor another simple solutionNow just use only MAC filtering on
View 1 Replies View RelatedI got a digital picture key chain and it comes with windows software. I plugged it in and it's detected as a read only usb storage, so I can't upload any pictures in it
View 3 Replies View RelatedI am trying to install the Tool chain for avr following this link:[URL]
I get an error that I need gmp and other things so I try to install them as pointed out in the same web page lower:
Build GMP for MinGW
* Version 4.2.3
* <http://gmplib.org/>
* Build script:
[Code].....
the point is that I have no idea in which directory to install the gmp.
I've recently installed Ubuntu 10.04 it installed and chain-loaded correctly however I installed it on partition that was too small so I used gParted to copy the files 1:1 to a freed up partition.The result was it copied fine but the Grub file became messed up.
I had to manually reinstall Grub2 from the LiveCD and the Linux was starting up fine, however now I'm unable to boot to Windows.Is there an easy way to reinstall/re-chain the Windows bootloader so its able to chain-load from Grub.
For some reason I get two requests for key chain unlocks when I boot? I only have to "sign" one of them but the second one still appears.
View 1 Replies View Related1. I need to use clock_gettime(), in <time.h> it is: extern int clock_gettime (clockid_t __clock_id, struct timespec *__tp) __THROW; and in a successful build .so it is unsolved. In final app to lonk to this .so it is also unsolved. which lib missed in .so or app build?
2. libc include several libs, which are liked by default? say stdc++, rt? rt1/rt2 what does they do?
3. How to find which libc is used or linked?