Networking :: Error While Blocking This Websites Bittorrent & Edonkey Using Iptables

Nov 30, 2010

When I tried to execute this command on my router device, it showed an error...

First execution:-

Second Execution:-

So I need to block these kinds of websites. Kindly tell me what I have to rectify and change. Here I didn't execute this command...


Networking :: Deluge Bittorrent Hangs Because Of Iptables?

Aug 2, 2010

first of all I am sorry about the mess in the question, I hope I am being clear enough.

I am using VectorLinux 6.0 standard, kernel 2.6.27.12.
iptables v1.4.0
Deluge v1.18
the problem is that as soon as I do
Code:
iptables -A INPUT -j DROP
Deluge hangs and stops responding.

I am trying to make iptables to drop everything except tcp,udp 6887 (for torrent) and except established and related. iptables -L looks like so:

[Code]...

Edit:
Now I see that Firefox also hangs if I try to right click a tab when I have iptables -A INPUT -j DROP.


Networking :: Iptables & Kernel Config To Do Conntrack Of Bittorrent Traffic

Jul 31, 2010

I was just wondering if using a non-smp kernel would be ok on a older p4 system with no x. I am wondering due to some functionality in IPTABLES that is broken in the SMP kernels ( -m owner --sid.pid,cmd-owner).

Could someone that is running a NON-SMP kernel advise as to whether the support for -m owner --cmd-owner is working in iptables with those kernels? Also, could someone advise me if running a NON-SMP kernel is even advisable? The machine will not have x.


Networking :: Blocking Bittorrent Trackers - "single Point Of Failure"

Apr 27, 2010

I've done some research on the issue of blocking bittorrent traffic. What I've come up with is that it is very difficult to detect the data traffic. Tools such as ipp2p fall short because of encryption of the data between peers. What I'm thinking of (and starting to test at the same time) is to block the "single point of failure" - the trackers. My idea is to collect a list of IP addresses of the most used trackers and block all traffic to them:

Code:
# bittorrent trackers
# # tracker.prq.to
$IPTABLES -A INPUT -d 85.17.80.0/24 -j DROP
# # tracker.openbittorrent.com
$IPTABLES -A INPUT -d 188.126.64.0/24 -j DROP
# # free.btr.kz
$IPTABLES -A INPUT -d 195.210.47.0/24 -j DROP
# # tracker.mightynova.com
[Code]....

What do you think about this? Is this going to work? Where could I get a bigger list of bittorrent tracker addresses?


Fedora Networking :: Iptables For Blocking One Computer?

Jul 9, 2011

Friends, the following shall block a particular machine in the same network. What can be done if it has a dynamic IP and is from another network?

iptables -A INPUT -s 192.168.0.0/24 -m mac --mac-source 00:50:8D:FD:E6:32 -j DROP


Networking :: Iptables Script Is Blocking Voip Asterisk?

Jun 5, 2010

I have two asterisk servers, each one behind a linux firewall/gw. Linux is Centos 5.4, kernel 2.6.18-164.el5, iptables v1.3.5. Routes on the fws are ok and when iptables is stopped the servers see each other, all good. But when I run the iptables script in any fw, one server (not always the same) goes unreachable. I verify this with asterisk -r, then show sip trunk, and status becomes UNREACHABLE.

The iptables script is generated by fwbuilder. The weird part is I put only one rule in the script and it looks like Source=any, Destination=any, Service=any, Interface=any, Direction (Inbound,Outbound)=any, Time=Any, Action=ACCEPT. So as you can see I tried something like "Do not do anything at all". But anyway I run the script in any fw and one server becomes UNREACHABLE. I think the script does something wrong after all or maybe I have some misconfiguration in my asterisk conf files. The point is I am not so expert in iptables or shell scripting so I can't see anything in the iptables script. I have looked for some issues like iptables blocking because of ip_conntrack table full, or the "don't fragment" bit set in kernel problem, but nothing seems to be the right problem at all.


Security :: Configure Open Source Firewall On Office For Websites Blocking?

Apr 21, 2011

I want to configure an open source firewall in my office for website blocking and bandwidth monitoring.

Which is the best free open source firewall?


Red Hat / Fedora :: Blocking The ICMP Through IPTABLES?

Nov 12, 2009

I want to block the ICMP packets (ping) from the other computer to my RHEL-4. What's the syntax I should use to do so in iptables?


General :: Blocking Outgoing Ssh Using Iptables?

Aug 19, 2009

I want to block all the outgoing ssh from my machine, i.e. my machine will not be able to ssh to any outside machine, using iptables. The distro is RHEL. I added the following entry in the iptables but unfortunately it didn't work: -A OUTPUT -p tcp -m tcp --dport 22 -j DROP


General :: Blocking The Traffic Using Iptables?

Mar 17, 2010

I used the angry ip scan software and found a lot of the public IP addresses on our network are accessible from outside when they are not supposed to be, e.g. printers, PCs etc. To make a start on locking down the network I was wondering if anybody knew the iptables command to add a rule which blocked all incoming traffic to specific IP addresses on the network and to a range of IP addresses.


Security :: Blocking Web Content With Iptables?

Aug 8, 2010

Is it possible to block websites with adult content using iptables?


General :: No Websites Loading Using Iptables Nat

Sep 18, 2010

I'm using a 3G modem whilst O2 transfer over ADSL. Trouble is, no websites load but I can resolve domains. I enabled masquerade on the ppp0 (modem) interface and added the server as the default route for all workstations.

iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
Added "net.ipv4.ip_forward = 1" to /etc/sysctl.conf


Security :: Blocking An Ip Address Range Within Iptables?

Mar 30, 2009

I am setting up an iptables firewall on one of our servers, and I would like to block a range of addresses from getting into the system. I am using a script that does a BLACKIN and BLACKOUT methodology for specific addresses. One example is the following:

Code:

$IPTABLES -A BLACKIN -s 202.109.114.147 -j DROP
...
$IPTABLES -A BLACKOUT -d 202.109.114.117 -j DROP

What would be the correct syntax to use if I wanted to block an entire remote subnet from getting into the server?


Security :: IPTables Setup Blocking SSH Traffic

Feb 11, 2011

I set up iptables but it is blocking my SSH set up. I did allow it by opening port 22 but it did not work. Here is my config:

Code:
iptables -F
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

### this should allow SSH traffic
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

How do you allow SSH through the iptables firewall?


Security :: CentOS 5.5 Upgrade - IPTables SSH Auto Blocking

Jun 6, 2011

I have a fiberoptic broadband 20MB synchronous pipe at my home. Over summer at my place of employment its pretty much dead for 3 months so when I'm not busy I play around on my home server. I have my 20mb pipe going directly into my wrt54gl, from there I have a wired connection going to my server (Centos 5.3 recently upgraded to 5.5 through updates.) It serves as a file server(Samba, SSH). My wrt54gl handles natting port 22 to my server. I have my wireless AP setup to hand out leases from .2-.20 and my server has a static of .100. Dyndns.org handles my name resolution via their free account method.

I have a Mac Pro, iMac, Macbook, and a Toshiba Laptop with 64bit 7 running off wireless along with our cell phones, and my XBOX 360 also is wired directly for the gaming speed. I use all of the computers around my home to access the samba shares via unc path for file sharing and or working on projects. I had originally planned to upgrade the wrt54gl with a cisco e3200 or an e3000 but unfortunately I've come to find out dyndns and the e lines of cisco wireless AP's don't work with dyndns and get banned. So I would have to install the daemon on my server and put it as a directly connected server to my WAN link and install a second ethernet card and pass traffic through my server for the rest of my home which I am not going to do.

All of the previous sentence because it would update dyndns with a 192.168.x.x address since its not directly connected. I use a combination of putty.exe and vnc viewer to tunnel 5900 through port 22 to my server. So from anywhere I am at I can access my screen securely and then rdp or vnc to the desktop of my local LAN computers. This allows me to only have port 22 open. I've been looking at my ssh logs and noticed I have been getting hit a lot with ssh scans. I want to implement an iptables firewall on my linux machine just for the purpose of further securing port 22. I don't necessarily need natting on the iptables firewall but all I need is ssh in and out, web in, and samba out to local ip's only.

For SSH this is what I want. I want to allow SSH from any IP but if it tries to login more than 3 times in one minute I want to block that IP for a full minute before it can try 3 more attempts. I also would like to log to a file but have been having issues getting that to work as well. That way when I review logs and I see that an ip tries three times and then waits a minute and tries three more, etc... I can permanently block that ip or range of ip's by adding it to the iptables script. Here is my current iptables script and it doesn't seem to be working for me. I have played with this and read for almost two weeks and still cannot get it to work correctly.

Code:
#!/bin/bash
# In order to use this iptables firewall script you must have iptables installed. You also must be using a 2.4.x series Kernel, with iptables support compiled into it, which is standard for most newer linux distributions.
# If you need help compiling iptables into your kernel, please see our kernel Compile/Upgrade Guide located at [URL]
# Once the script has been edited with all your relevant information (IP's Network Interfaces, etc..) simply make the script executable and run it as root.
# chmod 700 fw_rules.sh
# ./fw_rules.sh .....

# Our final trap. Everything on INPUT goes to the dropwall
# So we don't get silent drops.
$IPT -A INPUT -j dropwall


General :: Squid And Iptables - Limited Access To Websites

Sep 23, 2010

I have configured my squid to have limited access to websites, but some websites were still accessible via https, so I removed transparent from squid. Now what changes do I have to make in iptables?


Security :: Debian 6: Iptables Blocking Certain IP Ranges On A Certain Port Range?

May 16, 2011

I am currently running Debian 6. I would like to know if there is a way, and how I would go about, blocking a certain IP range from connecting to my server within a certain port range, using iptables. Say, for example:

I want to block IP range 123.123.123.* from connecting to my server on the ports 33000 - 43000. But I want to allow them to connect on any other port range, and I want to be able to allow connections from my server to the blocked IP range on those same ports. So, blocking incoming only on the above port range.


Security :: IPtables Port 25 Connection Limit Without Blocking Barracudas

Jan 11, 2011

I am at a loss how to prevent Denial of Service attacks to port 25 and not block legitimate connections from 2 Barracuda 800(s) and block smart phones such as iPhones/Blackberrys/iPhones that use the server smtp.server.com for email.
Presently for port 25
RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 25 -j ACCEPT

The 2 Barracuda 800(s) make port 25 connections all the time, plus users with smart_phones have the incoming server type:
IMAP
pop.server.com
smtp.server.com

Is there a way to keep Denial of Service attacks from happening with iptables rules without causing blocking to the Barracuda(s) that make constant port 25 connections & smart phones that poll? I was thinking if I allowed the Barracuda(s) in these lines
-s (barracuda)24.xx.xx.xx -d (emailserver)24.00.xx.xx -p tcp -m tcp --dport 25 -m state --state NEW -j ACCEPT

Where the source would be the Barracuda going to the email server. It would be allowed, then I am left with how to allow other connections like Smart_Phones that connect via Port 25. I am thinking if I put rules in place doing connection counts in a minute it would result in errors connecting to the server and people would start complaining. Plus any limiting may result in blocking real traffic. Then would I need to allow the ISP range in the above example to accept port 25, I am still left with how to drop a flood/denial of service attack.


Fedora :: IPtables Creates An Error During Startup - Applying Firewall Rules: Iptables-restore: Line 21 Failed

Jul 17, 2010

IPtables creates an error during startup as well as when I try to restart it: Here's the output of:

[Code]....


CentOS 5 Networking :: Error When Redirect Through Iptables?

Mar 30, 2010

I'm trying to redirect the requests from port 80 to ports 8080 and 8081 through iptables because I've got two services which need to accept requests from the same port (80):

iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080-8081

The problem is that the second port (8081) never gets a request, just the first one.


Security :: Netfilter Conntracking For P2P Protocols - Edonkey - Bittorrent

May 17, 2009

I would like to allow multiple users to access P2P networks, so I wonder if there's a way to track these kinds of protocols with netfilter, and also compatibility with NAT, like the module conntrack_ftp seems to do with the FTP protocol.


Fedora Networking :: Bittorrent 9 Not Working

Mar 15, 2009

Using Fedora 9, I have problems getting bittorrent to work. I have an external Kerio firewall but my messages seem not to get through. I read about port forwarding as a way to speed up bittorrent. I interpret that as bundling the port series 6881 to 6999 to fedora:6881 so all the ports are channelled to the bittorrent machine and 1 port (TCP and UDP).

That's how I set it up, but I don't seem to get a lot of throughput, I guess maybe 1kb per week. I do not know if this is what is seen as a slow bittorrent.... On the firewall I see a lot of messages running around but nothing seems to advance.

What can I do or verify to get this running? (I temporarily switched off Fedora's internal firewall.) Is there a way to structurally test bittorrent? Is my forwarding rule correct (input multiple ports to single port)?


Networking :: Internet Connection While Using BitTorrent

Apr 25, 2010

I know that this thread is an old one, but I am having the same issue. It does not seem to me to be the problem of a single torrent. It is more about how much I use my connection. If I have only 1-2 torrents, everything is ok. If I have 10, I get this problem. It is also followed by approx. 30 secs of no internet connection. I use Deluge for downloading and my limits are set like this:

max connections: 200
max upload: 300 KiB/s
max upload slots: 5
max connection attempts per sec: 20

The connection outage is really annoying.


Programming :: C - For System Calls, Is Blocking Or Non-blocking Default?

Mar 23, 2010

For system calls, is blocking or non-blocking default in C? Simple question, just am not seeing the answer super quickly.


Ubuntu :: Keyring Error Blocking VNC?

May 11, 2010

I'm trying to use VNC on my headless desktop server that's running lucid, but I can only use SSH because a pop-up asking me to unlock the keyring shows up every time I try to use VNC. I don't have a monitor for that desktop, so I was wondering, is there any way to remove the keyring/to automatically unlock it during autologin? I don't remember what site I found it on, but I used this to remove my keyring yesterday. It's no longer working today.


Ubuntu Security :: Block All Websites Except Desired Websites?

Apr 12, 2010

I want to block all websites except desired websites.


Fedora Networking :: Bittorrent Impact On Network Makes No Sense?

May 26, 2011

I noticed my Internet slows to a crawl when I'm running bittorrent, but when I look at my torrent app (Transmission), the upload/download speeds are mere kilobytes per second, and my Internet has much higher bandwidth capabilities than that. So I tested it:

No torrent running

(ping: 13 ms, down: 11.39 mb/s, up: 2.80 mb/s)
Torrent running
(ping: 752 ms, down: 4.30 mb/s, up: 0.19 mb/s)

[code]....


Ubuntu Networking :: Bittorrent Client Caused Internet Access?

Jun 30, 2010

I don't know what's wrong with my Ubuntu but every time I open Transmission BitTorrent Client, the internet connection becomes unstable from time to time. Internet access runs smoothly without it but I need it to download files from torrents...

I used Dual-boot with XP and Ubuntu and I got no problem with 9.10 Karmic Koala but just got this problem after upgrading to 10.04 Lucid Lynx.


Ubuntu Networking :: Connection Drops While Downloading A With Bittorrent Client

May 29, 2011

I tried Ubuntu, Kubuntu and now Xubuntu, all 11.04. I've also tried Deluge, Transmission and Ktorrent. With 10.10 everything worked fine (all variants). Also, in Windows 7 it's working fine. But now it drives me crazy. As soon as I start a torrent, the download starts but after 30 seconds or so the download drops to a zero. Also, I'm not able to browse anymore. The networkmanager tells me I still have a connection.

Some say it has something to do with the number of peers the client connects to, or it's my router. My router isn't the problem, as it's working fine with 10.10 and windows. So maybe it's the number of peers right? Question. Why can I connect with over 200 peers at the same time while I'm using 10.10 or windows, but can't do it with 11.04? Better put, what should I do to get this working fine again? Going back to 10.10?


Networking :: Port Forwarding In Bittorrent Client In Internal Network With Nat

Apr 9, 2010

I have an internal network behind a server <10.0.0.1> connected to the internet that NATs my ip <10.17.11.88> only. NAT is not allowed to any other ip addresses. When I use Transmission Bittorrent client to download torrents, The thing is that this 10.20.0.244 is not my machine and doesn't have access to the internet at all. What is happening here? Can anyone help me?








Copyrights 2005-15 www.BigResource.com, All rights reserved