This isn't exactly of critical importance, but is there any way to block two entirely different addresses in the one rule, rather than writing individual rules for each of them? For example, if the addresses were 1.1.1.1 and 8.8.8.8, and I only wanted to block these two.
Or alternatively, if I wanted to block two subnets, say 1.1.1.0/24 and 8.8.8.0/24? Can this be done in one rule?
Question (and Google results aren't making this clear): Ubuntu has both iptables & ip6tables installed. 1. If I set a rule in iptables, does that rule also apply to ipv6, or just ipv4?
2. If "no" to above, then it would be prudent to *also* set ip6tables rules as well if I want to maintain an active firewall, correct?
3. Does ip6tables rules have the same syntax and behavior (more or less) to iptables rules - i.e. can I just copy my iptables rules & change "iptables" to "ip6tables"?
4. Any gotchas or issues that I should be aware of?
i'm new in linux world i would like to know how can i add the rtp protocol to my iptables rule for Netfilter firewall,but without installing the asterisk server
View 1 Replies View RelatedUnsure about IP tables lingo, so excuse me for not looking this up:I have a server, running IP tables, that I do not want to allow any type of outgoing traffic to 192.168.1.21
View 3 Replies View RelatedLoaded up Centos 5.5 final. Configured iptables to block regions of the world based on networks. An example would be:
-A INPUT -s 139.82.0.0/16 -j DROP
My /etc/sysconfig/iptables file contains about 10k entries like this. If I use this, the machine lags hardcore network wise.
my iptables Policy is Drop..my server ports is open just for httpd,ssh .Is there any rule which can allow all connection from a specific program for ex. i want to scan an ip Address ports.as you know nmap connect to every known port to see if that is open or not so, if i want to allow nmap to connect, i need to include all ports for that, or i can allow connection from localhost to outside in all ports .my server is very secure . i dont want other programs (probably a backdoor) use those ports to connect outside i want to know is there any ability in iptables which can rule connections by name of program like "Allow any Connection from /usr/bin/nmap to everywhere " ?
View 2 Replies View RelatedI am new to iptables. The setup tool on a VPS doesn't work. So, I am learning to insert rules. I have inserted so many and some of them show as duplicates now.
1- I want to know how to remove the duplicates. Is there a file that these rules are store in so I can go in and easily edit it?
2- Is there any other utility that handles firewall in Linux that I am unaware of? or is the iptables the ultimate door guard? This is a plain install of CentOS.
3- Since I believe I opened port 5090 but I think it still might be blocked, could SELINUX be the problem? How can I get my way around setting it to permissive or disable if I don't have access to "setup" command?
4- What is the order of iptables reading? does rule #1 supersede all other rules? or does the last rule supersede all rules prior to it?
5- Do the rules below make a fairly safe system? (except for the duplicates which should be remove) I understand that a safe system is dependent also on the applications that are allowed in this category and I am not talking about those. I am talking about dropping all other inquiries and in general is this how iptables are setup? This is what I currently have:
[root@tel ~]# service iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
[Code]...
Trying to setup my box as a router on Ubuntu 10.04. When trying to setup a NAT rule in iptables 1.4.4 like so:
Code:
sudo iptables --table NAT --append POSTROUTING -o eth0 -j MASQUERADE
I keep getting:
Code:
Can't initialize iptables table 'NAT': Table does not exist (do you need to insmod?)
Looking at lsmod, it doesn't look like I have anything NAT related loaded ( I just have iptable_filter, ip_tables, and x_table ). Doing a locate nat, I find a module that looks like it should work. I'm running 10.04.1 LTS - Kernel is 2.6.32-25-generic #45-Ubuntu SMP and it is pretty much stock - haven't done anything fancy... this module looks promising:
Code:
/lib/modules/2.6.32-25-generic/kernel/net/ipv4/netfilter/iptable_nat.ko
but loading it and I get:
Code:
-1 Unknown symbol in module
I have 3 network interfaces on my Linux Router :
Interface - Gateway - Type
Code:
br0 - 192.168.0.1 - Internet
eth2 - 192.168.1.1 - LAN
tun0 - 10.0.0.2 - VPN (via br0)
What I'd like to do is to route all TCP packets coming from eth2 to tun0 where a VPN client is running on 10.0.0.2. If I delete all default routes and if I add a new route to tun0 like :
Code:
route del default
route add default gw 10.0.0.2
Everything is fine, and everyone on eth2 can reach the Internet using the VPN access. Now the problem is that my VPN client does not allow any other protocols other than TCP. And I also want to allow VPN access only to eth2, no other LAN nor the router itself. use iptables to filter any TCP packets and mark them, so they can be sent to tun0, while any other packets can reach the Internet via br0 (192.168.0.1). I found on the Internet that we can mark packets before they get routed. Using the following commands :
Code:
iptables -t mangle -A PREROUTING -j MARK --set-mark 85 -i eth2 -p tcp --dport 80
ip route add table 300 default via 10.0.0.2 dev tun0
ip rule add fwmark 0x55 table 300
First of all, --dport 80 never work... :/ I wanted to filter TCP 80 packets coming from eth2, but none of them seems to be HTTP packets... oO (very strange...). Nevermind, I decided to forget about the --dport option. I use the "iptables -L -v -t mangle" command to see how many packets are marked, and it is working fine, all TCP packets coming from eth2 are marked. Now the problem is that none of them are routed to tun0 they are all respecting the "route -n" rules... and not the "table 300" rule I have created.
I am new to iptables. We have two Squid proxy servers running in "non-transparent mode" (172.16.0.1 and 172.16.0.2). Currently users have to configure the proxy server they want to use by configuring them in their browsers. Recently I saw an example for redirecting web traffic to a single transparent proxy server.
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128
Can anyone modify this rule to accommodate my current setup of two proxy servers running in non-transparent mode. i.e Redirect web traffic to the 172.16.0.1-172.16.0.2 ip range.
I guess this is the right place to put questions about iptables, so forgive me if it is not.I have a MySQL database which I need to allow connections to: 1 - the internal network; 2 - the web server (Apache) connections;3 - A user who is out of this network in a range of dynamic IP.Let's suppose the range IP for this user is 179.4.247.0-179.4.247.254 and the server; where is MySQl and Apache is 60.22.30.232. This user will use the windows client MySQL tool to make connections into this database.
So I think these rule below allow connections to the internal network and apache:
iptables -A INPUT -i eth0 -m state state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -m state state ESTABLISHED,RELATED -j ACCEPT
[code]....
I'm looking for a way to add a rule that would whitelist my ip address when I login with SSH. I can grab the IP out of the SSH_CONNECTION variable, however I'm not sure how I could add it into iptables with my non-root privileged user. I've got root access, but I want the process to be automatic. I considered sudo, however I don't want normal users to be able to modify anything about iptables, though perhaps there is a trick about it that I don't know which would only allow it in the /etc/profile or the like
View 3 Replies View RelatedI have a computer with two interfaces (eth0 and eth1), eth0 is connected with a local network and eth1 is connected to the internet, also it implements a NAT in the interface eth1. Nevertheless, I'm trying to create spoofed packets with sockets raw in the computer that runs the NAT and send the packets to the interface eth1. The problem is that the NAT is changing the IP source to the real one before send the packets. So, anyone have any idea how can I implements the NAT in eth1 but only apply the NAT to the packets that are from/to eth0? I was thinking in something like (I am really newbie with iptables):
iptables -t nat -A POSTROUTING -o eth1 -i eth0 -j MASQUERADE
Well, it didn't work.
Do I have to create a rule for:
Code:
$IPT -A fwalert -p tcp --tcp-flags SYN,ACK SYN,ACK -m conntrack --ctstate NEW $RLIMIT -j LOG $LOGLIMIT --log-tcp-options --log-level 4 --log-prefix
to drop rather than log if my table has a default policy of drop with :
Code:
$IPT -t fwalert -P DROP
My firewall , wich is an Ubuntu server 10.10 , have 3 interfaces:
eth0(192.168.0.254):linked to the DMZ
eth1(192.168.1.254):linked to the LAN
eth3(212.217.0.1):linked to the Internet
-The DMZ have one web server with a static address (192.168.0.1).
-My LAN address range is (192.168.1.2-192.168.1.100) managed by a DHCP server in the same firwall machine.
There are some of the rules that I need to set up :
-Allow HTTP between the LAN and the internet
-Allow HTTP between the web server in the DMZ, and the internet.
Is there a way to tell the firewall , to redirect all incoming HTTP requests only to the web server in the DMZ ?
Here is a glimpse of my IPTABLES
http://pastebin.com/WvHAC46A
I see in the column of sources the addresses being resolved to domain names is there a way I can stop this?
I am using squid on my fedora box as a proxy server.By default the iptables (Firewall) service is on.To allow web pages to my client machines i stop the iptable service.
#service iptables stop
By doing it client computers start browsing.kindly how can I add a rule so that without stoping firewall client compter work fine.my perver IP address is 10.1.80.10
I have configured a sendmail MTA for incoming mails in a network and by using IPtables i have redirected the traffic internally to other port where one more SMTP by a application is running.Iptables rule:iptables -A INPUT -i eth0 -p tcp --dport 25 -j ACCEPTiptables -A PREROUTING -t nat -i eth0 -p tcp --dport 25 -j REDIRECT --to-port 25000My sendmail config is as below.
Sendmail.mc
define(`SMART_HOST', `relay:host.subdomain.mydomain.com')dnl
dnl # define(`RELAY_MAILER',`esmtp')dnl
[code]...
I'm not an iptables expert. Anybody know how to create a rule/chain that will log info similar to what tcpdump -s0 would do?
View 3 Replies View Relatedhow can i drop igmp port 0 packets with iptables rule? my log file is full of this router advertisement.
View 2 Replies View RelatedThe iptables has every rule set correctly, the users in the subnet works great, but I have the following issue.every user connect to a mysql running on the internet through the port 3306, the forward and masquerade do the job. Now I have a user in the outside, and he wants to connect to a mysql in a certain machine (Not the gateway), prerouting rules solve my problems, but all the packages from the inside users goes now to that certain machine. I would like something like if the package passed trough masquerade don't pass trough the prerouting rule, and if it come from the outside (Not a package that come from a petition from the inside) pass trough the prerouting rule.
View 6 Replies View RelatedNow I managed to get iptables to work with my OpenVZ configurations and everything seems to work as it should. However when I run iptables -L I can only see source for the second SSH rule, why isn't the first ones source/IP shown? Also if you have any comments about the setup feel free. I'm running SSH, Apache and local MySQL
The xxx.xxx is simply to hide my IP's
Code:
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -X
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -d 127.0.0.0/8 -j REJECT
iptables -A INPUT -p tcp --dport 22 -s 77.213.xxx.xxx -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s 62.198.xxx.xxx -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j REJECT
iptables -A INPUT -j REJECT
iptables -A INPUT -j DROP
I think I'll need to install a newer version of IPtables for my CentOS 5.6 since I updated the kernel to 2.6.32.41 and iptables-1.4.6 seems to be the older version that matches this kernel but CentOS 5.6 is shipped with 1.3.5 (this distro and it's 10 years old packages is starting to bore me...).
So I need to update iptables but I don't find good howtos on this subject...
So my question would be : how to build iptables from source and does it change anything to the procedure that I already have 1.3.5 installed ?
I'm calling a function defined in "uart.c" from "main.c"
But on "make" using cygwin bash, it's giving an error:"Unreferenced function"...
Pls help me to overcome this problem.
If i'm putting the definition of that function in "main.c" itself, its working.
So pls tell me how to write the make file for it?
Is cento open source ? if yes, where i can download source code of CentOS x.y Single ServerCD i386 ?
View 1 Replies View RelatedMy laptop is frequently shutting down while using Google Earth 7.1.2.2041-r0. It uses 100% CPU, but only on one CPU core, and the problem happens at random.
I don't believe it is related to the CPU temperature, because I created a script that saves the current temperature every two seconds, so when the system shuts down I can see the last, and the highest I got from all the times was 62 °C, while the average from all the times it shut down was 57 °C from /sys/devices/platform/coretemp.0/hwmon/hwmon1/temp*_input and 51 °C from /sys/devices/virtual/thermal/thermal_zone0/temp and /sys/devices/virtual/hwmon/hwmon0/temp1_input. From my research, I understand that coretemp-0 is the temperature of the CPU itself, while the others (acpitz-virtual-0) are from underneath the base of the CPU.
The files under /sys and the command `sensors' tell me that only 80° would trigger a shutdown. I bought this laptop in 2013, and I have never seen it go beyond 6-°C:
Code: Select allsensors
acpitz-virtual-0
Adapter: Virtual device
temp1: +41.0°C (crit = +104.0°C)
coretemp-isa-0000
Adapter: ISA adapter
Core 0: +48.0°C (high = +80.0°C, crit = +90.0°C)
Core 2: +47.0°C (high = +80.0°C, crit = +90.0°C)
I have done a simple stress test by running `cat /dev/zero >/dev/null' on 8 terminals, together with `glxgears' and `supertuxkart' for half an hour, and my system did not shutdown, neither the temperature went beyond 6-°C. The HD temperature lives around 42 °C, according to `sudo smartctl -l scttemp /dev/sda'.
The output from `inxi -F':
Code: Select allSystem: Host: localhost Kernel: 3.15.10-zen-686-pae i686 (32 bit) Desktop: Xfce 4.10.2
Distro: Debian GNU/Linux 7.6
Machine: System: Evolute (portable) product: SFX-65
Mobo: Evolute model: SFX-65 Bios: American Megatrends v: 1.07.007 Test Only date: 04/12/2011
CPU: Dual core Intel Core i3 M 370 (-HT-MCP-) cache: 3072 KB
clock speeds: max: 2394 MHz 1: 2394 MHz 2: 1862 MHz 3: 1729 MHz 4: 1995 MHz
[Code] .....
While trying to install a new copy of my distro today, I paid attention for the first time to the installer asking what the /home partition will be (presumably meaning I can put my /home partition of a partition separate from the operating system). Can I safely install /home on the partition where I keep all my non-Linux-related data? Will that be deleted or otherwise disturbed? (Space is not a problem.)
View 6 Replies View RelatedI'm currently using a homemade Python script to parse script kiddie IP addresses from logfiles.To this point, I've simply been DROPping any requests from these IPs using iptables.I thought it might be fun to redirect their traffic back to them, but as I am not an expert at iptables, I was wondering if I should use FORWARD or PREROUTING.
View 7 Replies View Relatedi'd like to know how many rule can manage iptable. I'm asking that because i'd to drop all traffric from my localnet to porn site. I've a database of porn site witch contain about 900 000 domains. I know there are solutions like squidguard. But for my linux box i'd to use iptable to prevent users access to porn site and other blacklist site.
View 1 Replies View RelatedI'm trying to set my network interfaces so that they don't get random every boot.(eg assign eth0 to a network interface with a given MAC addr, and eth1 to the other one)I trew in a udev rule (in fact just modified the rules that was automatically generated and set the ethX in it) but the system ignores my udev rule.What am I missing ?Here is all the info :
Code:
$cat /etc/udev/rules.d/70-persistent-net.rules
# This file maintains persistent names for network interfaces.
[code]....
