Fedora Networking :: Configuring IPTables To Allow Traffic Out
Apr 26, 2009
I've tried both the firewall interface that comes with Fedora and Firestarter, neither can configure as I want. So I think I'm going to have to do it by hand. In this laptop I have one 10/100 Nic and one wifi connection, at times either of them can be connected to the network. How can I configure IPtables so that any traffic is allowed out, nothing is allowed in (other than std stateful firewall replies), no icmp and that the fw logs any attempts to connect to the laptop?
View 5 Replies
ADVERTISEMENT
Jan 23, 2011
I did some playing around changing up the configuration of my server and now cannot pass traffic through to port 22. I have since restored everything back to the way it was but am still not able to ssh into the server.
nmap only shows port 80 and 5222 open. Both ports that I want open. However I am unable to get 22 to pass.
iptables -nL shows
http://www.theprepared.com/images/tech/iptables_nL.PNG
netstat -an |grep 22 shows
http://www.theprepared.com/images/tech/netstat.PNG
I've tried clearing the routing table with the following which did no good.
ip route flush table main
Can somone point me in the right direction?
View 1 Replies
View Related
Aug 20, 2010
I have an Untangle Box - which for those that don't know is a modified Debian Lenny used as a router, proxy, filter and much more - It has three physical interfaces on it eht0 (incoming traffic), eth1 (Outgoing to LAN after traffic filtered), and eth2 (Called a DMZ NIC, as Untangle can be used as a router). There is also a tun0 interface setup by Untangle for VPN (Not using the Openvpn in Untangle because I need bridged a bridged VPN and this is not an option in Untangles offering), a br0.eth setup by untangle to bridge eth0 and eth1 for traffic flow through as it is inline from router to switch and not acting as the router itself, and a br0 interface that I have setup by bridge script bridging eth2 and tap0 to run OpenVPN as a bridged VPN.
The routes on the machine are as follow:
Code:
untangle:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.100.0 * 255.255.255.0 U 0 0 0 br.eth0
192.168.1.0 * 255.255.255.0 U 0 0 0 br0
192.0.2.0 * 255.255.255.0 U 0 0 0 dummy0
192.0.2.0 * 255.255.255.0 U 0 0 0 utun
untangle:~#
I don't see a default route listed here, however, I do have Internet connectivity on the Untangle box itself. I also know that by script to bridge the tap0 and eth2 interfaces adds a default route through the gateway on the network that eth2 is connected to. So the lack of a default route is somewhat puzzling to me, I do have the gateway set through the web based admin interface Untangle offers.
The iptables rules are as follow:
Code:
untangle:~# iptables --list-rules
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-N alpaca-firewall .....
There was an addition output rule in the alpaca-nat-firewall rule that said DROP outgoing interface eth2, I removed that rule with no change. I can ping out from the Untangle server to the eth2 LAN, I can access resources in the eth2 subnet. But I cannot get any reply from the server from anything either in that subnet or not. If I run iftop I can see the incoming traffic form my ping but the Server sends out no reply. I think this is a firewall issue. I can access the server by connecting to the IP assigned to the eth0/br0.eth interface which is in my main LAN. I am also attaching a crude diagram of the previous setup and the new setup (Previous setup used a different server for my bridged VPN).
Is there a rule I can add to ensure that traffic coming in on an interface goes out the same interface? Do I have a rule blocking incoming traffic to eth2/br0? Do I have one blocking sending out on eth2/br0? Do I have a default rule that is killing the traffic on eth2/br0 and I need to add an accept rule for traffic coming in on eth2/br0? I tried adding an accept rule for traffic coming in on br0, but it didn't work. I tried an output rule, but that didn't work, but I may have been bungling these rules as I do not fully understand the syntax and function and body of an iptables rule. The exact original iptables information before I modified anything can be viewed at [URL].
View 4 Replies
View Related
Feb 21, 2011
I need to set OUTPUT to DROP, and add the outgoing traffic one by one, but I couldn't do it. My current config is as follows:
Code:
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
:RH-Firewall-1-OUTPUT - [0:0]
-A INPUT -j RH-Firewall-1-OUTPUT
#previously ESTABLISHED,RELATED comm is ok
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#80 is ok from all
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
If I change OUTPUT to DROP in :OUTPUT ACCEPT [0:0], I don't get any response from a server running in that box. I am using RHEL 5.5. Now, asking Red Hat is not an option: I have the license but I don't have support license.
View 3 Replies
View Related
Mar 3, 2009
I new in Linux, I have a Centos5 since sunday and well I have to configure the iptables security of this cpu, I read a lot of examples of iptables in the internet and also another Thread from here but Really a don't know what to do, I saw lots of codes but first of all I don't know where I have to write that and my teacher don't want to help me in this homework. I tried to write the codes in applications --> accessories --> Terminal
View 3 Replies
View Related
Jan 6, 2011
I need to configure iptables to block incoming traffic (except specific ports), but allows all outgoing traffic.
I am able to block incoming traffic, but doing so also prevents outgoing traffic (tested by telnet [URL] 80)
The following was used:
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -j DROP
Also, even allowing NOT SYN requests still prevents outgoing traffic.
iptables -I INPUT 1 -p tcp ! --syn -j ACCEPT
Another point:
# modinfo ipt_state
modinfo: could not open /lib/modules/2.6.18-028stab070.14/modules.dep
How to install ipt_state module on ubuntu?
View 2 Replies
View Related
Jun 19, 2011
how to redirect network traffic to a new IP address using IPtables. I am using Baffalo router and the rtos used is DD-WRT. Basically, I want it so that any connection going through my router to a specific IP (say, 192.168.11.5) will be redirected to another IP (say, 192.168.11.7) so any outgoing connections made by a program that is attempting to connect to192.168.11.5 will instead connect to 192.168.11.7.
View 2 Replies
View Related
Jul 31, 2010
I was just wondering if using a non-smp kernel would be ok on a older p4 system with no x. I am wondering due to some functionality in IPTABLES that is broken in the SMP kernels ( -m owner --sid.pid,cmd-owner).
Could someone that is running a NON-SMP kernel advise as to whether the support for -m owner --cmd-owner is working in iptables with those kernels? Also, could someone advise me if running a NON-SMP kernel is even advisable? The machine will not have x.
View 14 Replies
View Related
Mar 25, 2010
I am new to iptables. We have two Squid proxy servers running in "non-transparent mode" (172.16.0.1 and 172.16.0.2). Currently users have to configure the proxy server they want to use by configuring them in their browsers. Recently I saw an example for redirecting web traffic to a single transparent proxy server.
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3128
Can anyone modify this rule to accommodate my current setup of two proxy servers running in non-transparent mode. i.e Redirect web traffic to the 172.16.0.1-172.16.0.2 ip range.
View 2 Replies
View Related
Apr 27, 2011
Because my ISP is blocking every IP port under 1000, I'd like my local nat'ed server to be able to translate incoming and outgoing traffic from some port above 1000 to the default server port locally.Example :
To connect to my IMAP server (default port : 143) from the outside,I'd connect to my public IP, port 1143 (opened and nat'ed to the right server on my router) and the server would translate this port to 143 on the same machine.I wish I could simply configure my router to do that but sadly Linksys doesn't permit such setting... I also could modify the listening port of my server but I prefear to keep the default port inside my network.I think that iptables is the right tool to do that and I never used it and I must say that this tool is not so easy to configure at first sigh
View 5 Replies
View Related
Nov 21, 2010
My Ubuntu Box has 3 interfaces. eth0 (Internal 192.168.1.0/24)eth1 (External ISP DHCP)eth2 (External ISP Static IP)I need the outgoing traffic to internet for 1 of the internal pc (192.168.1.10) to only go only go through eth2
View 4 Replies
View Related
Nov 8, 2010
I have an log monitoring application that is listening on port 514 to receive events only from certain hosts.In order to control this,I've tried set up iptables to define those hosts that are allowed to this application. Here is an example of the script that contain the commands:
iptables.sh -> Code: iptables -I INPUT -p tcp -s 192.168.0.10/24 --dport 514 -j ACCEPT
iptables -I INPUT -p tcp -s 192.168.0.15/24 --dport 514 -j ACCEPT
...
[code]....
View 1 Replies
View Related
Mar 17, 2010
i used the angry ip scan software and found alot of the public ip addresses on our network are accessable from outside when they are not suppose to, For eg printers/ pcs etc. to make a start on locking down the network i was wondering if anybody knew th iptables command to add a rule which blocked all incoming traffic to specific ip adresses on the network and to a range of ip addresses.
View 7 Replies
View Related
Feb 11, 2011
I set up iptables but it is blocking my SSH set up. I did allow it by opening port 22 but it did not work. Here is my config:
Code:
iptables -F
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
### this should allow SSH traffic
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
How do you allow SSH through the iptables firewall?
View 5 Replies
View Related
Jul 6, 2010
I do $ sudo iptables -A INPUT -p TCP -i eht0 --destination-port 80 -j ACCEPT
and then $ sudo ufw enable but I still get no internet traffic. What is wrong? Shouldn't opening port 80 to TCP allow the packets though my firewall?
View 2 Replies
View Related
Feb 25, 2010
I'm looking to use Linux (Ubuntu 9.10) as a network bridge between two subnets. I can configure iptables to permit all traffic on eth0 (subnet 1) to pass to eth1 (subnet 2) but before transmitting that traffic I want to perform further analysis. Is it possible within iptables or via a third-party product such a pyroman, to write a "hook" that then directs that traffic to another application installed on the same host?
View 2 Replies
View Related
Aug 11, 2011
I am trying to configure iptables for only HTTP and HTTPS traffic. I start by blocking all traffic, which works, via:
Code:
iptables -F
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
I then try to allow HTTP and HTTPS on eth0 with these commands, which does not work:
Code:
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
Code:
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT After these commands I should be able to access the internet. Does anyone know why this is not working?
View 4 Replies
View Related
Jan 13, 2010
We host a web server in which we are hoping to implement some form of traffic redirection based on source IP address, and I am wondering whether the squid proxy built on iptables would be capable of managing this task? Essentially we are trying to redirect traffic from specific set of source IP ranges to a "Your IP has been restricted" type of page at a different IP/FQDN.
View 2 Replies
View Related
Apr 4, 2010
a good IPTABLES protocol to reject all incoming ssh trafiic except for a single IP or IP range?
View 4 Replies
View Related
Sep 20, 2010
I have a strange iptables issues. I have just built a new Debian install and starting adding some real basic rules (see below) the problem seems to be that the localhost itself can't get any returning traffic. That is, it seems to be allowed outgoing traffic but not the connected, returning traffic. Ordinarily allowing Established Connections would resolve this, see the rule below, but it hasn't. Why this doesn't work. Removing the last DROP in the INPUT chains obviously makes the traffic work!
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -j ACCEPT -p tcp --dport 22
iptables -A INPUT -j ACCEPT -s x.x.x.x
iptables -A INPUT -j ACCEPT -s x.x.x.x
iptables -A INPUT -j ACCEPT -s x.x.x.x -p tcp --dport 80
iptables -A INPUT -j ACCEPT -s x.x.x.x -p tcp --dport 8080
iptables -I INPUT 1 -i lo -j ACCEPT
iptables -A INPUT -j DROP
View 3 Replies
View Related
Jan 11, 2010
I'm using Ubuntu server 9.10 with 2 NICS (Internet-router-eth0, eth1-LAN). I use iptables to generate rules for 20 computers, but when I execute the script, ALL TRAFFIC DROPS, including the server. What am I doing wrong?
Code:
#!/bin/sh
#eth0 192.168.0.50 - connected to Internet
#eth1 192.168.1.51 - connected to LAN
#192.168.1.52 - workstation1
#set default policies
iptables -P INPUT DROP
[Code]...
iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -s 192.168.1.52 -j ACCEPT. The reason I'm doing this is, I just want to open necessary ports in the server and restrict LAN usage.
View 2 Replies
View Related
May 3, 2011
I'm currently using a homemade Python script to parse script kiddie IP addresses from logfiles.To this point, I've simply been DROPping any requests from these IPs using iptables.I thought it might be fun to redirect their traffic back to them, but as I am not an expert at iptables, I was wondering if I should use FORWARD or PREROUTING.
View 7 Replies
View Related
Sep 29, 2010
I need to set up my centOS computer as a firewall in my home network. Ive got 2 interfaces, eth0 and eth1. I want to allow and forward all traffic on eth0 and block all traffic on eth1 except ssh, ping(icmp) and DNS. How do I do this? Ive tried some editing in /etc/sysconfig/iptables but no luck.
View 1 Replies
View Related
Jun 20, 2010
I'm running Ubuntu 10.04 LTS as a VM in Hyper-V, and accessing it via VNC with a machine in the same broadcast domain. I'm using OpenVPN to connect to XeroBank. I have instructions for configuring iptables to permit establishing and using the XeroBank connection, while blocking all other traffic on eth0. I've followed them successfully. I need to also permit the VNC connection, and haven't managed that. FWIW, the VM is at 192.168.111.12::5900 and the workstation is 192.168.111.2.
The attachment to this post lists the recommended contents for each Shorewall file. Which files need changed, and what do I add to each?
View 3 Replies
View Related
Jun 1, 2010
Im running a web server on port80, but i want traffic coming from ip 212.333.111.222 on port 80 to be fowarded to port 9020 on the same server that my web server is rinning at that is my sshd port
View 1 Replies
View Related
Nov 11, 2009
I've been tasked with setting up a RHEL FTP server to mirror one we currently have. From what I've read, I need to install and configure VSFTPD and then configure IPTables. From what I've been able to come up with, I need to follow the steps in this article to install and setup VSFTPD. Is this a good complete article to follow you think?Also, how do I copy the iptables config from that server to my new one? I think that iptables on our current server only allows certain IPs or blocks certain IPs (not sure which), so I need to have it do that on my new server as well
View 14 Replies
View Related
Mar 15, 2011
I wanted to tell my server to block all traffic but US only traffic. So i followed this guide:[URL].. Now I know, it's the best way to help prevent hackers/crackers (doesn't matter to me what they are called. I just have to stop them). My server only deals with US clients anyways so might as well just start right there for my server's security before getting into the brute force and injection preventions. So I got it all done compiled everything moved to the proper directory. I then started to setup my iptables. Like so
Code: iptables -F INPUT
iptables -F OUTPUT
iptables -I INPUT 1 -s *.*.*.* -p tcp --dport 22 -j ACCEPT
iptables -I INPUT 2 -s *.*.*.* -p tcp -j ACCEPT
[Code]...
After seeing that i went digging in the code and figured it was something todo with memory allocation.
View 1 Replies
View Related
Sep 27, 2009
Recently I notice that when I'm connected to an vpn server (pptpd) and I'm using it as a default gateway my download and upload speed decreases almost to the half of the usual speed. I made a test using iptables in order to count how much GRE packets are generated (except the real traffic itself) in that way:
Code:
iptables -I INPUT -p gre -j ACCEPT
iptables -I OUTPUT -p gre -j ACCEPT
iptables -I FORWARD -s 172.16.10.101 -j ACCEPT
iptables -I FORWARD -d 172.16.10.101 -j ACCEPT
The first 2 rules match all GRE packets between the pptpd server and client, and the next rules - the traffic between the server and the client.
When I turn the counters to zero and begin to generate traffic (to browse, to download etc.) I see that the GRE packets are even more than these in the FORWARD chain.
So, my question is first of all is my test correct and is it true that so much gre traffic is being generated during the browsing (it becames clear that the traffic is double than if the pptpd wasn't used as a gateway) and if yes - can that traffic be reduced?
View 3 Replies
View Related
Mar 9, 2009
Is there a nice easy to use tool that displays (in KB/s) the internet traffic from every IP on a network?
Currently I'm using iptraf, but it's very hard to understand at times.
A little info on my network:
I'm using SNAT for internet sharing.
View 4 Replies
View Related
Apr 12, 2009
I am running Fedora 9 and KDE 4.2.1. I want to set up some traffic shaping on my machine to prevent my torrent client from hogging my entire bandwidth. I.e., I want KTorrent to download and upload to the best of its ability, but still be able to browse the net freely in spite of the torrents. I have done some reading about traffic shaping in Linux. There is lots of material about it, but most of it (such as the lartc.org "howto") is very complex and comprehensive and looks extremely intimidating. Furthermore, most of it addresses situations where you want to distribute traffic between multiple computers in a network. I just want to manage processes on a single machine. I am hoping for a piece of software that lets me assign each a "priority" to each application, or something like that. Like cFosSpeed for Windows.
View 6 Replies
View Related
