Networking :: Preventing Access Through Iptables?
Jul 9, 2010
I am trying to lock down our application and server with iptables. Anybody have any idea how to prevent accesses to the application from another application? Basically I opened up the ports 80 and 443 for the application server. However, the application points to other apps (ie. database, ldap). I want to limit what it can connect to or who can connect to it. Bascially I can limit who connects to the server itself but the application can still get input from outside servers.
View 4 Replies
ADVERTISEMENT
Apr 25, 2010
Just wondering if it is possible to block web access on a certain ip address with iptables.
Iv seen guides for blocking web traffic on a whole network but i want to just block a single host from accessing the web.
View 14 Replies
View Related
Feb 27, 2009
At first I installed debian 5 and I want enter on my workgroup using windows XP PCs, in same time I want use firewall now when I stop firewall I can access on the pcs but when I start iptables and open port for samba such as 137,138,138 and 445 I can't access on any PC on work group this is the output of iptables - L command:
Code:
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:netbios-ns state NEW
ACCEPT udp -- anywhere anywhere udp dpt:netbios-dgm state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:netbios-ssn state NEW
ACCEPT tcp -- anywhere anywhere tcp dpt:microsoft-ds state NEW
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
View 6 Replies
View Related
Mar 31, 2010
Basically, I have a windows 2003 server virtual machine (vmware) inside Ubuntu 9.10.
The Ubuntu machine has IFconfig:
Code: sam@sam-laptop:~$ ifconfig
eth0 Link encap:Ethernet HWaddr 00:15:c5:b8:c8:8b
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:17
Why can't I ping or simply access the internal server on my ubuntu machine from a another computer on the 192.168.1.0 (slash)25 physical network? Do I need a bridge? Iptables?
View 4 Replies
View Related
Jan 24, 2010
I'm running an own PPTP Server, but I can't get it to access the internet. All my PCs at home run in the 192.168.0.0/24 net, the PPTP Server has local IP192.168.0.5 and remote IP 192.168.0.80-99. The router to the internet is at 192.168.0.1, and the IP of eth0 on the machine where the pptpd runs is 192.168.0.4. I want to be able to connect to the internet trough that VPN and access my local LAN servers (which works fine so far). I can ping internet and local IPs successfully, but can not access them with a browser, or connect to them in any other way. I have 'accepted' all in/output and forwards.
I am running a Squid proxy on the same machine, and if I do:
iptables -t nat -A PREROUTING -j REDIRECT -i ppp0 -s 192.168.0.0/24 -p tcp --dport 80 --to-port 3128
I can access the internet through Squid, but of course Jabber/ICQ etc. Won't work then because it just refers port 80. But I want the PPTP Clients to connect to the internet directly, if I don't use that rule it's not possible to load any pages. But pinging works all the time. DNS is also working fine, but I can't even access webpages via IP directly. How can I allow the PPTP IPs 192.168.0.80-99 to get direct access to the Internet with Iptables?
View 3 Replies
View Related
Jan 14, 2010
I have a small home network with a router to the outside world and an ubuntu server through which traffic passes first.My ISP limits my download usage during the day, which traditionally has not been an issue, but now the children come in from school, boot up the internet and up goes my usage!Ideally I would like to be able to restrict them to IM and maybe certain specified URLs (I think the latter probably needs to use Squid though?). Once the download limits are lifted, I would like my iptables to allow HTTP, etc, but pretty much block most other things.
I have two sets of iptables currently to approach this issue, with a cron job that runs to swap between one and the other.Chains run in order, so if rule A says allow x, and rule B says drop all, then X should still be allowed. However, try as I may, this is not what happens in practice. I have even tried changing the overall order from ALLOW to DROP in FORWARD and then approach from the other angle. That didn't work either. *IS* it actually possible to block all but http / https and IM? These are myrules:
Code:
# Generated by iptables-save v1.4.4 on Sat Jan 9 19:15:49 2010
*nat
:PREROUTING ACCEPT [583:45175]
:POSTROUTING ACCEPT [694:60887]
:OUTPUT ACCEPT [143:18642]
[code]....
View 14 Replies
View Related
Jan 13, 2011
I'd like to grant /usr/sbin/sendmail.sendmail "connectto" access to the unix_stream_socket /var/lib/imap/socket/lmtp.How do I do that?I want to eliminate error messages that keep appearing in my message log:
/var/log/messages:Jan 13 11:45:29 e setroubleshoot: SELinux is preventing /usr/sbin/sendmail.sendmail from connectto access on the unix_stream_socket /var/lib/imap/socket/lmtp. For complete SELinux messages. run sealert -l 05df828f-4402-
[code]....
View 1 Replies
View Related
Jul 26, 2011
I just downloaded Fedora 15 desktop to a USB device. I am able to boot to the device and load the desktop with errors.I receive the following:
SeLinus is preventing /usr/Libexec/colord from getting access on the blk_file /dev/dm-0
Plugin: catchall
Source Process: /usr/libexec/colord
Attempted: getattr
On this blk_file: /dev/dm-0
I also am not able to use my wireless network. This is being booted on a Dell Inspiron 1545 Vista Sp2 system with 4 gb or RAM.The wireless network connection works fine with Vista.
View 2 Replies
View Related
Mar 13, 2009
I went to print something and I get this message: Summary: SELinux is preventing access to files with the default label, default_t.
Detailed Description: SELinux permission checks on files labeled default_t are being denied. These files/directories have the default label on them. This can indicate a labeling problem, especially if the files being referred to are not top level directories. Any files/directories under standard system directories, /usr, /var. /dev, /tmp, ..., should not be labeled with the default label. The default label is for files/directories which do not have a label on a parent directory. So if you create a new directory in / you might legitimately get this label.
View 3 Replies
View Related
Jun 11, 2010
I have an old FC2 box running Squid version 2.5. It has been running since 2003 so I am in the process of replacing it. I have a new machine with FC11, iptables, and Squid 3.0 installed.
On the old machine I use iptables to intercept Port 80 traffic and send it to Squid. By default I block all internet access and allow only sites that are in an Allowed_Sites.txt file. Within Squid I also have statements to allow certain users to bypass Squid based on their IP address.
I have set up the same thing on the new box. I have iptables intercepting the Port 80 traffic and sending it to Squid. That is working because if I remove the redirect statement from iptables all internet access is blocked.
The problem I am having is that Squid is not blocking any websites. It acts like the ACL is set to http_access allow all. I have worked on this for several hours and am stumped.
These are my Squid rules:
acl allowed_sites url_regex "/etc/squid/Allowed_Sites.txt"
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl SSL_ports port 443
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow Bypass_Users
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl our_networks src 192.168.1.0/24
http_access allow allowed_sites
http_access allow our_networks
http_access deny all
icp_access deny all
htcp_access deny all
http_port 192.168.1.254:3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /var/log/squid/access.log squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|?) 0 0% 0
refresh_pattern . 0 20% 4320
visible_hostname FC11.proxybox
icp_port 3130
coredump_dir /var/spool/squid
View 2 Replies
View Related
Dec 31, 2009
I receive the message "SELinux is preventing /usr/sbin/vsftpd "net_raw" access" many times. Found this bug at redhat but really do not understand what i should do about it ((( Kindly let me know how to change this to normal. Shut down Selinux is not the way out.
View 14 Replies
View Related
Aug 25, 2009
I have a virtualbox installation on top of CentOS, and I need fairly high security separation between host and guest traffic. The university network the box hangs off uses statically-allocated ip addresses, allocated to fixed MAC addresses (i.e. it eats any traffic with mismatched ip and MAC addresses).
Host OS: CentOS 5.3 64bit
VBox: 3.0.4
Guest OS: Fedora 11 64bit
Hardware: dual NIC, Intel server
Bridged networking, with separate NICs for host and guest
I'm aiming for high-security separation between host and guest traffic. To do this, I would like to to run all host traffic through one NIC, H, and all guest traffic through the other, G. The host and guest have separate, statically allocated, IP addresses, IPH and IPG. The network forces these to be mapped to specific MAC addresses, MACH (the address of NIC H) and MACG (the address of NIC G).
So it's not too hard to write host firewall rules to enforce this policy. The rules just have to state that traffic coming into H must have a destination compatible with IPH, and traffic going out must have IPH as source - and vv for G and IPG. There also don't seem to be any trouble telling the guest to only use NIC G. As a result, turning off NIC G (or equivalently, firewalling it off from host traffic) crashes the network, I have to reboot it to get networking working.
But I can't figure how to tell the host (i.e. CentOS) to _only_ use NIC H for anything else except the guest. Even though we don't see any IPH traffic coming into NIC G from outside, I don't seem to be able to stop the host from starting connections on NIC G. Does anyone know any way to do this - to tell the host that it can only use IPH as its IP address unless traffic is coming from a guest process, and that it can only use address MACH and NIC H?
View 5 Replies
View Related
Aug 26, 2009
I have a virtualbox installation, and I need fairly high security separation between host and guest traffic. The university network the box hangs off uses statically-allocated ip addresses, allocated to fixed MAC addresses (i.e. it eats any traffic with mismatched ip and MAC addresses).
VBox: 3.0.4
Guest OS: Fedora 11 64bit
Hardware: dual NIC, Intel server
Bridged networking, with separate NICs for host and guest
I'm aiming for high-security separation between host and guest traffic. To do this, I would like to to run all host traffic through one NIC, H, and all guest traffic through the other, G. The host and guest have separate, statically allocated, IP addresses, IPH and IPG. The network forces these to be mapped to specific MAC addresses, MACH (the address of NIC H) and MACG (the address of NIC G). So it's not too hard to write host firewall rules to enforce this policy. The rules just have to state that traffic coming into H must have a destination compatible with IPH, and traffic going out must have IPH as source - and vv for G and IPG. There also don't seem to be any trouble telling the guest to only use NIC G. As a result, turning off NIC G (or equivalently, firewalling it off from host traffic) crashes the network, I have to reboot it to get networking working.
But I can't figure how to tell the host to _only_ use NIC H for anything else except the guest. Even though we don't see any IPH traffic coming into NIC G from outside, I don't seem to be able to stop the host from starting connections on NIC G. Does anyone know any way to do this - to tell the host that it can only use IPH as its IP address unless traffic is coming from a guest process, and that it can only use address MACH and NIC H? I've been reading route and arp manuals all day, but I can't seem to figure anything on this - mainly because arp and route don't know about host/guest processes, and I guess weren't designed with this in mind...
View 4 Replies
View Related
Jul 3, 2010
Does anyone know if it is possible to filter/block network traffic between internal hosts on a lan?
Eg. : Linux firewall/router ( 192.168.0.1) - LAN Default G/W - all internal > external traffic gets filtered.
How would you filter tcp/ICMP/UDP traffic from internal host a ( 192.168.0.2 ) to host b ( 192.168.0.3)
All the internal hosts have the linux f/w as the default gateway, and are all on the same /24 subnet.
I would like to know if I can filter traffic between internal hosts.
View 3 Replies
View Related
Mar 12, 2010
To get my Thunderbird email to work and to do FTP to my website I have to use TERMINAL and enter the following code in Root;
iptables -F
At one point weeks ago I got Gufw and I don't remember if that had any effect.
View 2 Replies
View Related
Aug 3, 2011
I have a server located remotely that I'd like to protect by allowing access to only my IP address (on any port). Currently anyone can access the server using ssh, http, and any other services that my server is running. (The reason I need to protect it for now is that it's a test/development server and really only needs to be accessed by me.)
The downside of doing this is every time my desktop IP address changes (from where I access the remote server), I would need to update the iptables configuration. (This could be a hassle, but based on my limited knowledge it seems to be the best way to allow access from only myself.)
Could anyone share how to allow access to my server using iptables from only my IP address and on any port?
View 4 Replies
View Related
Jan 20, 2011
I'm curious but recently I was troubleshooting some iptables rules to allow nfs clients access to my nfs server. What was strange was that I setup a tcpdump session on my nfs server so that I can see which ports were being requested. I ran several tcpdump sessions with the following filters in place.
tcpdump -vv src ip_of_client and dst _ip_of_client
tcpdump -vv src hostname_of_client and dst hostname_of_client
However, the only packet I ever saw come over the wire to me was the client host asking for a arp resolution. Anyhow, I finally just ran 'rcpinfo -p' and added those ports to my iptables rules and it worked great. However, I would like to understand how nfs works in case I need to troubleshoot it in the future. I do understand that nfs uses portmappers, would this explain the behavior?
View 1 Replies
View Related
Sep 23, 2010
I have configured my squid that have a limited access to websites but still some website were accessable vis https so I removed transparent from squid. Now what changes do I have to make in iptbles
View 1 Replies
View Related
Apr 8, 2010
Two servers, one is RHEL 4, and the other is RHEL 5. They are both on the same subnet, one is 10 the other is 11. I added the Webmin rule to the iptables config file but for some reason, the RHEL 4 server, I can access Webmin but the RHEL 5 server I can not. I checked the iptables file and they are the same for both servers, except two rules which are for other ports.
I'm reading about the iptables and had a problem when I manually added the port 10000 entry after the REJECT entry, but wondering if I need to move it up higher or maybe there's another possible block?
View 2 Replies
View Related
May 4, 2011
I just installed webmin, then added the line for port 10000 into my iptables. I restarted iptables, but I still can't get to the webmin page on my server. If i stop iptables, i can connect to it. did i edit iptables wrong? could something else be blocking it?
# Firewall configuration written by redhat-config-securitylevel
# Manual customization of this file is not recommended.
*filter
[code]...
View 5 Replies
View Related
Dec 13, 2009
I've got two routers, 10.0.0.0/23 and 192.168.2.0/24, which are joined by a Linux box with interfaces eth0 (10.0.0.2) and ra0 (192.168.2.2). I've got masquerading for ra0, and a route to 192.168.2.0/24 on 10.0.0.0's router. I CAN ping hosts on 192.168.2.0 from 10.0.0.0 just fine, but I CANNOT access web pages.Strangely, If I enable masquerading on eth0, and add a route to 192.168.2.0s router to 10.0.0.0, I can ping AND access web pages from 192.168.2.0Here is my current iptables
Code:
*filter
:INPUT ACCEPT [0:0]
[code]...
View 14 Replies
View Related
Feb 17, 2010
We have setup a Exchange server at remote location and while testing I am facing following issue:
1. While configuring Outlook, it's not able to reach the exchange server which hosted at third party and is reachable from everywhere except my Local Network.
My Local network is as following:
Local Lan On Private subnet - Gate+Firewall(Iptables) with two interfaces(private and pubic)with natting-Internet Connectivity.
Where as Exchange server is setup at a Data Center and accessible from internet.
I need to know that what all rules are required for user's to configure outlook with Exchange 2010.
Rest of the things are working fine (Internet connectivity, Exchange OWA access).
View 4 Replies
View Related
Feb 6, 2010
I am trying to configure my Linux router to restrict Internet access for one computer on my LAN. It needs to be restrictive based on the time of day and the days of the week. I am using the MAC address of the computer to single out the one computer that needs to be blocked. However, this is my first attempt at making any rules with iptables, and I am not sure if I am doing this right. If some one can take a look at this I would greatly appreciate it. This is what I have done so far.
Here is my thinking. Create a new target. Check the MAC address, if it is NOT the offending computer return to the default chain. If it is the offending computer check that we are between the allowed hours and dates and ACCEPT. If we are not within the time/date range then drop the packet.
Code:
Here I am trying to route all packets regardless of the computer on the LAN into the blocked_access chain for checking.
Code:
Is it a good idea to route all traffic through the blocked_access chain? I do run other servers that are accessible from the Internet, so I am not sure how this setup will affect that. I also use shorewall on the router to setup iptables for me. How would I integrate this with shorewall?
I am using squid to block access when he is using the web browser. However, he is still able to play games(World of Warcraft) and the like.
I am using Debian sid, iptable(1.4.6), shorewall(4.4.6), kernel 2.6.32-trunk-686.
View 7 Replies
View Related
Dec 23, 2010
I'm trying to limit access to port 8443 on our server to 2 specific IP addresses. For some reason, access is still being allowed even though I drop all packets that aren't from the named IP addresses. The default policy is ACCEPT on the INPUT chain and this is how we want to keep it for various reasons I wont get into here. Here's the output from iptables -vnL
[Code]...
Note the actual IP we are using is masked here with 123.123.123.123. Until I can get everything working properly, we're only allowing access from 1 IP instead of 2. We can add the other one once it all works right. I haven't worked with iptables very much. So I'm quite confused about why packets matching the DROP criteria are still being allowed.
View 10 Replies
View Related
Jun 6, 2011
I'm trying to open port 8080 on my application server. I've included it in my iptables; however I still cannot access through ssh nor putty and it doesn't show up when I netstat either.Here is my iptables-config:
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -s xxx.xx.x.0/24 -j ACCEPT
[code].....
View 7 Replies
View Related
Oct 20, 2010
LinuxA & LinuxB
linuxA:eth0(10.1.1.1) connected linuxB:eth0 (10.1.1.2)
linuxA:eth1(202.1.20.45) connected internet
[code]....
View 2 Replies
View Related
Feb 10, 2011
I've set up Ubuntu 9.04 (desktop) at home in a lab environment (workgroup rather than domain) and have configured Squid. Everything works fine but, when I took it to the next level and made the proxy transparent, my problems began. I can still access sites (having pointed the XP Pro client to the squid box as the DG) and the sites are logged in /var/log/squid/access.log but I am unable to use Outlook to access my SMTP and POP3. I guess that the setup is blocking ports 25 and 110 and I'll need to configure iptables to forward packets destined for these ports directly to the "real" DG, rather than the Squid box. Here's the set up:
A single NIC (eth0) on 172.19.0.250 / 16 (static) ADSL router ("real" DG) on 172.19.0.1 I executed iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128 My squid.conf:
Code:
acl all src all
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl localnet src 10.0.0.0/8# RFC1918 possible internal network
acl localnet src 172.16.0.0/12# RFC1918 possible internal network
acl mynet src 172.19.0.0/16
[Code]....
View 6 Replies
View Related
Nov 26, 2010
I am unable to restore my iptables from iptables-save after upgrading Fedora. I cannot get iptables-restore to work, and I have resorted to entering rules manually using the GUI.
View 2 Replies
View Related
Sep 17, 2010
I am facing a strange problem witht my iptables as there are some firewall entries stored somewhere which is displaying the below firewall entries even after flushing the iptables & when I restart the iptables service then the firewall entries are again shown in my iptables as shown below,
[root@myhome ~]# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
[code]....
View 6 Replies
View Related
Nov 3, 2010
I recently installed a new Ubuntu PC that runs iptables and PSAD. I had the same script on another Ubuntu PC, but when I copied the script onto the new PC, I got this error. I don't remember where I found the tutorial for this, all I know is that this is the script (Edited for my usage):
Code:
#!/bin/bash
# Script to check important ports on remote webserver
# Copyright (c) 2009 blogama.org
# This script is licensed under GNU GPL version 2.0 or above
[code]....
Safe.txt contains:
Code:
127.0.0.1
192.168.1.8
192.168.1.1
98.200.58.73
192.168.0.1
And the error message generated is:
Code:
root@NETWORK-SERVER:/var/ddosprotect# ./ipblock.sh
' not found.4.4: host/network `127.0.0.1
Try `iptables -h' or 'iptables --help' for more information.
' not found.4.4: host/network `192.168.1.8
[code]....
View 3 Replies
View Related