Networking :: Iptables Rules For Filtering Network Traffice?
Jan 26, 2010Does anyone have tips about iptables rules for filtering network traffice?
View 2 Replies
ADVERTISEMENT
Networking :: Iptables And PPTP VPN Filtering?
May 4, 2011I have a question regarding the use of iptables as sort of a firewall I suppose? Using a linux router which has a server machine connected to it. The router is also acting as a PPTP VPN server, which I would like to allow some friends to connect to so that they can VPN to my LAN.
The question I have is how I might be able to use iptables to apply restrictions to the VPN traffic to only access 1 IP? The server is on the LAN with an IP of lets say 192.168.1.25, and the VPN given IP range is 192.168.1.51-55. The router has the .1 IP, but the PPTP server on that router uses an IP of 192.168.1.50. How might I restrict the traffic from the VPN connections to only be able to access the .25 server, and possibly only on certain ports? I don't want to allow the VPN connections full access to everything on the LAN and especially not to WAN.
OpenSUSE Network :: Make The Iptables Rules Permanent?
Apr 23, 2010I set up a squid transparent proxy and I have a problem with an iptable rules. I have a rule to redirect all request to port 80 to go on port 3128. To do so, I'm using this iptables command :
Code:
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
This command is working like a charm. The only problem is, for some unknown reasons, this rule will be dropped at some point. I did not manage to identify what is causing this to happen. It occurs during night, but I have nothing about that in my log files. messages / firewall / ...) The only way I managed to reproduce this 'dropping' is this one: I type the command like as root. The command is effective and working fine. I open yast, I go to the firewall module, the I do a simple "save changes and restart firewall" (without changing anything). As soon as this process is finished, the iptables rule is gone.
-How can I make this rule permanent ?
-Is there a place where I can launch a script executing this rule, after the yast firewall module is 'touched' or something ?
Networking :: Iptables + Squid + Dansguardian - Boxes Will Act As A INTERNET Firewall + Filtering?
Jan 14, 2011is this possible on 2 Linux boxes will act as a INTERNET Firewall + Filtering: 1st PC = CENTOS 5.5 functions as a firewall using iptables with two NICS 1=ETH0 connected to internet with a public ip and 1=ETH1 with ip address of 10.0.0.1 connected to the 2nd PC Centos 5.5 with squid/dansguardian with ip address of 10.0.0.2
2nd PC = Centos 5.5 functions as a squid + dansguardian internet filtering with 2 NICS 1=ETH0 with ip address of 10.0.0.2 connected to the ETH1 of the 1st PC with ip address of 10.0.0.1 and 2nd ETH1=connected to LAN (172.16.1.0/24)
does this make sense? this might be confusing but I just want to try this, to protect incoming ssh from our previous Sys admins who intended to enter the LAN 172.16.1.0/24 network. And also to confuse them that they have to pass through 10.0.0.1 - 2.
Ubuntu Servers :: IPTables Rules To Administer Entire Network Via Wireless
Jul 7, 2010I have a set of iptables I have downloaded and modified for my use. I had it working for 1 lan and wan access. I now would like to have: wan access, 1 lan, and 1 wlan. I need to administer the entire network from my wireless laptop on the wlan network so I need to be able to access the lan from the wlan network, and have the wlan access the lan network. Here are my rules:
#!/bin/sh
# IPTABLES FIREWALL script for the Linux 2.6 kernel.
# This script is a derivitive of the script presented in
# the IP Masquerade HOWTO page at: [URL]
# It was simplified to coincide with the configuration of the sample system presented in the Guides section of [URL]
# This script is presented as an example for testing only and should not be used on a production firewall .....
echo -e " Firewall server rule loading complete "
Networking :: Can't APPLY Iptables Rules
May 22, 2011I added a few rules to my /etc/iptables.rules file and then used sudo iptables-restore < /etc/iptables.rules but i got an error saying "iptables-restore: line 29 failed".But the only word on that line.
View 1 Replies View RelatedNetworking :: Verifying Iptables Rules For Security?
Mar 10, 2011I need with some iptables rules. I've done all I can, Googling all over, to cover as many exploits as possible and the following script is what I've come up with. The current set up works and I've checked with NMAP. I just need some sort of confirmation that this is pretty much what I can do.
Code:
LAN="eth0 eth1"
RANGE=10.1.0.0/17
WAN=eth2
# Delete all existing rules
[code]....
Also, if I wanted a broadcast to be relayed to all subnets within a defined range, how would such a iptables rule look like? I need this in order to find a networked Canon MP640 printer.
Networking :: Firewall Installed Using IPtables - NAT Rules?
Apr 7, 2010I just install 1 firewall using Iptables.
Firewall includes 2 NIC:
NIC1 <IP PUBLIC>
NIC2 192.168.10.1
I installed 1 web server IP: 192.168.10.2
I have some PC IP range: 192.168.10.10->20
I set rules NAT on firewall and PC & web server can connect internet good, but I have problems:
When PC access to web server with IP 192.168.10.2 that ok, but PC can't access to web server when using IP Public. But outside internet, I can access to web server using IP Public.
Rules on IPTables
Code:
# Generated by iptables-save v1.3.5 on Sun Mar 7 21:01:16 2010
*nat
:PREROUTING ACCEPT [950:126970]
:POSTROUTING ACCEPT [89:5880]
:OUTPUT ACCEPT [19:1342]
-A PREROUTING -d 209.99.242.124 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.10.2:80
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j SNAT --to-source 209.99.242.124
*filter
:INPUT DROP [1599:157409]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [232:34452]
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -d 192.168.10.2 -p tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
COMMIT
Fedora Networking :: IPtables Rejects Rules Upon First Boot
Jan 25, 2010I am trying solve a strange problem which ocurred after upgrading many packages including kernel and iptables.This is a Fedora 10 PC acting as a small home-server I've been using over a year without problems. Recently, I've run a yum upgrade and after that, connections outside home wouldn't work. No changes in IPtables (firewall) rules have been done. But connection through local network is working.Symptom is.I've connected to my second PC at home and connected to the server. It works fine on local network. I restart network services (service network restart) and outside connections could be established.I have disabled iptables and ip6tables and after reboots it works fine. But PC is running without firewall.
View 5 Replies View RelatedUbuntu Networking :: Rebuild Ufw Rules After Flushing Iptables?
Jul 20, 2010How do I get ufw to refresh firewall rules after accidentally running iptables -F
View 3 Replies View RelatedNetworking :: Interesting Distribution Of Packets Over Iptables Rules
Mar 13, 2011I'm trying to configure NFS sharing behind a firewall, I got it to work and all but I was caught by something that (to me anyways) seems odd.I've been able to mount the export on another computer and am transferring files over as we speak, but I'm just interested in knowing why the RELATED,ESTABLISHED rule seems to be catching almost all the traffic coming from the other node. Any ideas? Should I be concerned that my firewall isn't protecting anything or something?
View 1 Replies View RelatedNetworking :: IPtables Resets Counter When Rules Added
May 19, 2011Whenever I add a rule to iptables, all of the policy counters reset. The counters for each individual rule remain intact, however, the main counter resets. Here's what I mean:
Code:
[root] ~ # iptables -vL
Chain INPUT (policy ACCEPT 65M packets, 83G bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 50M packets, 30G bytes)
pkts bytes target prot opt in out source destination .....
Networking :: Iptables Rules - Wireless Interface Got Ip From Another Server ?
Jun 18, 2010The following is my setup. wireless server (ip of this server is 192.168.1.1) -- target board ( wireless client [ip of this is got for wireless server is 192.168.1.3 ] , bridge (192.168.36.1) )-- linux pc ( 192.168.36.3) as show above i have target board for that i have a wireless interface and a linux pc is connected to target board.now the ips are like this for linux pc 192.168.36.3 and my target board bridge ip s 192.168.36.1
my wireless interface got ip from another server like 192.168.1.3 ,now if i do ping on my target board for 192.168.1.1 it goes through wireless interface to the 192.168.1.1 wireless server.but when i do the same from target board connected linux pc its not pinging from linux pc i could able to ping to 192.168.1.3 but not 192.168.1.1 .I think i need to write a iptable rule properly on my target board to forward the 192.168.1.* packtes to wireless interface.
Fedora Networking :: IPtables Passive Ftp Rules Donot Work?
Aug 15, 2011I'm trying to build a firewall with IPTables: INTERNET <--------> (eth0) FIREWALL (eth1) <------------->FTP_srvI set all rules DROP by default.My rules for forwarding packet to FTP server:
#iptables -t nat -A PREROUTING -i eth1 -d $FIREWALL_EX_ADDR -p tcp --dport 21 -j DNAT --to-destination $FTP_ADDR:21
#iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 21 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
[code]....
Networking :: IPTables / SSH Connection To .150 - The Packets Are Still Handled By .150 After Adding The Rules
Jul 2, 2010I two servers set up: 192.168.1.150 and 192.168.1.160 Initially, I want all traffic to be served by server 150. So for this purpose I am leaving the IPTables on .150 empty. At a point in time, I want to forward all incoming traffic to be served by .160 instead. I have accomplished this using these commands (on .150):
iptables -t nat -A PREROUTING -j DNAT --to 192.168.1.160
iptables -t nat -I POSTROUTING -j MASQUERADE
My problem is that if I have an open SSH connection to .150 (prior to adding the rules), the packets are still handled by .150 after adding the rules.. e.g. my SSH session stays active. I want these packets to be forwarded to .160, which would effectively disconnect the SSH session. I do not want the packets flat out dropped, I just want them forwarded on in whatever state they are in. If I try a new SSH session, it is properly forwarded to .160
Networking :: IPtables Rules For Master DNS Server To Allow Zone Transfer
Oct 24, 2010I have set up a master DNS server at 192.168.50.9 and a slave DNS at 192.168.50.6. Both servers are BIND9.Machines are for testing/experimenting, hence the IP addresses. Initially, the zone transfer was blocked by the firewall on the master, as the slave uses randomly selected non-privileged ports for zone-transfer query. So, as far as I understand, there are two possible approaches:
1. Allow connections based on source, which should be
Code:
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW,ESTABLISHED -s 192.168.50.6 --sport 1024:65535 --dport 53 -j ACCEPT
(and it works for me fine)
2. Allow ESTABLISHED and RELATED connections, which would be something like
Code:
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
which was my initial idea but didn't work, but has inspired me to dig deeper into firewall configuration topics :).
Question: Does zone change notification message count for opening a dialog, or notification from master and slave zone update request are two absolutely separate actions? If the latter is true, that, of course, explains why option #2 didn't work.
Networking :: IPTables Rules On PPPOE Connection - Forwarding / Routing
Sep 23, 2010I'm trying to configure Iptables and I just want to block everything but http/https. However, my connection is pppoe, so I have the ppp0 interface. Pretty much every Iptables tutorial that I found don't teach how to deal with this kind of setup. I'm forwarding the ppp0 to eth0 and I could configure the input rules and they're working. After this, I need to configure the output but nothing seems to work.
The current working rules are:
Code:
Chain INPUT (policy ACCEPT 7858 packets, 5792K bytes)
pkts bytes target prot opt in out source destination
299 201K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:www
0 0 ACCEPT tcp -- any any anywhere anywhere tcp dpt:https
11 820 DROP all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- eth0 ppp0 anywhere anywhere
0 0 ACCEPT all -- ppp0 eth0 anywhere anywhere state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 10791 packets, 1951K bytes)
pkts bytes target prot opt in out source destination
I don't understand what those "state RELATED,ESTABLISHED" rules do. Also, I don't know if this rules are secure, because i'm very confused about the ppp0/eth0 interfaces.
Fedora :: IPtables Creates An Error During Startup - Applying Firewall Rules: Iptables-restore: Line 21 Failed
Jul 17, 2010IPtables creates an error during startup as well as when I try to restart it: Here's the output of:
[Code]....
Ubuntu Servers :: Setup Iptables Rules In /etc/if-up.d/iptables?
Apr 16, 2011I am running Ubuntu server 10.10 and trying to setup iptables rules in /etc/if-up.d/iptables
Quote:
root@host# cat /etc/network/if-up.d/iptables
#!/bin/sh -e
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Problem is that iptables doesn't get updated and I don't see them when iptables -L is executed after reboot.
Networking :: Filtering Traffic On Network Interfaces?
Feb 8, 2010I am manually capturing and injecting Ethernet traffic (using lib_net/lib_pcap libraries) for an application. At the moment , both capturing and injecting are done on the same physical interface (e.g. eth0). The problem is that all the traffic that I inject, are captured again by my application causing an unwanted feedback of injected traffic. This caused that I had to implement traffic filtering when capturing traffic, which is consuming resources and eventually will become too complicated to support.
I have tried using virtual interfaces to separate the capturing and injecting streams, but that also presented the same problem as all the traffic from eth0 is forwarded to both eth0:1 and eth0:2. If possible I would like both streams to go through 1 physical device, using more PDs will be the last resort. I am also looking at using TUN/TAP devices to try and separate the two streams, maybe writing a user-space program that lies between the physical device and the TUN/TAP devices to do the routing of traffic.
Slackware :: Use Mac Filtering Options Of Iptables?
Feb 18, 2010I have slackware 13.0 on my HP 520 laptop.My machine is connected to the internet and it also act as a gateway for other machine of mine.
I want to use mac filtering options of iptables.But i am getting following error
iptables v1.4.3.2: Couldn't load match `ac-source':/usr/libexec/xtables/libipt_ac-source.so: cannot open shared object file: No such file or directory
Ubuntu Security :: Iptables: MAC Filtering With A File?
Jul 2, 2011I'm wanting to use mac filtering to restrict access to certain machines. I already know that I can just add MACs line by line, but is there a way to specify a list of MACs? That way it would be much simpler to maintain a list of acceptable/unacceptable hosts.
I'm not going to rely only on this list because of spoofing, but it would be nice as another "layer" of protection.
Ubuntu Security :: Filtering Connection Strings With Iptables?
Mar 12, 2011I have several CS servers running on ubuntu server, and sometimes someone is trying to brute server's RCON password with the program called HLBrute. I've found the following rules to prevent such hack attacks, but they don't work What can be wrong in these rules?
Quote:
iptables -A INPUT -p udp -m multiport --dport 26000:30000 -m string --algo kmp --string "HLBrute" -m limit --limit 1/hour --limit-burst 5 -j LOG --log-prefix " HLBrute_Ataka "
iptables -A INPUT -p udp -m multiport --dport 26000:30000 -m string --algo kmp --string "HLBrute" -j DROP
Networking :: Firewall Rules To Add VPN Network Into LAN Network
Jun 4, 2010I greet you at the same time ask me to help with a problem I have and I could not solve. Within the requirements I have is to connect a network that is connected by VPN to my LAN.The detail is I could have connection to the network by adding a network card (eth3) on the firewall and connect to the VPN router (DLINK) cable network, but I can not reach the other estin that are in the VPN.
It should be noted if I add a station within the network: 10.30.1.X/24 has no problems connecting with the other destinations.Physically this router is inside my 10.30.1.X DATA CENTER another wan.
Security :: Programming Iptables Rules For 1:1 NAT?
Sep 16, 2010I am trying to program iptable rules for implementing a 1:1 NAT which does the following:
1. Forward all traffic from all ports on a public ip to a private ip
2. Forward traffic from a range of ports (x-->y) on a public ip, to a private ip
I did some google searches for the same, and came up with the following.
iptables -A FORWARD -t filter -o eth0 -m state
state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i eth0 -m state
state ESTABLISHED,RELATED -j ACCEPT
Security :: What Are Strong Iptables Rules?
Mar 31, 2011Can someone please let me know strong iptables rules? Below entries are in iptables file.Here Y.Y.Y.Y is another branch public IP.This server acts as gateway+squid server.Further it will serve company's intranet page also using httpd.OS is CentOS 5.0.
View 1 Replies View RelatedSecurity :: Setting Iptables Rules
Jan 27, 2011I am setting my firewall rules using the command iptables.My question is i wanna know what command i can use that list rule 2 and 3 for instance in my table?i want to create rule that: The host is administered using SSH, scp and sftp so allow incoming SSH traffic and securing remote file copying and transferring.
View 2 Replies View RelatedFedora Security :: How Iptables Knows At What Interfaces To Use Rules
May 3, 2009When I use system-config-firewall, it asks what interfaces to trust. Where does it store that information for iptables (or whatever uses that info)? How iptables knows at what interfaces to use the rules?There is not that kind of information in /etc/sysconf/iptables and iptables-config.
View 2 Replies View RelatedUbuntu Security :: Modify The Iptables Rules In Any Way?
Jul 9, 2011what do the following two commands do? Do they modify the iptables rules in any way?
sudo /sbin/iptables -L -n
sudo /sbin/ip6tables -L -n
Security :: IPTables Rules And Output Filters
Aug 25, 2010I put together the following filter set :
Code:
#!/bin/sh
#To understand this script, reference the No Starch Press Linux Firewalls Book.
MODPROBE=/sbin/modprobe
IPT=/sbin/iptables
IPTSV=/sbin/iptables-save
IPT6=/sbin/ip6tables
IPT6SV=/sbin/ip6tables-save
### flush / drop policy sets
echo "[+] Flushing existing rules with DEFAULT of DROP [+]"
echo "[+] IPv4 [+]"
$IPT -F
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
echo "[+] IPv6 [+]"
$IPT6 -F
$IPT6 -F -t nat
$IPT6 -X
$IPT6 -P INPUT DROP
$IPT6 -P OUTPUT DROP
$IPT6 -P FORWARD DROP .....
###OUTPUT rules: LOG rule
$IPT -A OUTPUT -o ! lo -j LOG --log-prefix "DROPED OUTBOUND" --log-ip-options --log-tcp-options
I wanted to know how to allow certain applications through the outbound tables. For example, I wish to be able to use tools such as nmap,tracepath, and traceroute. However, I am not sure where to look to understand the ports to open. I was starting to think that maybe rather than ports to open it would need to be somehthing like tcp flags that would ned to be allowed. Any way, I have tried google and am still haing problems. I started wanting to use these tools due to getting ready for my network+ and security+ certs.