container port not reachable when iptables is enabled - linux

I am using a port map for my container and opened the necessary port in iptables for it. When iptables is enabled, the application is not connectable from another server. I have tried to add a rule in the DOCKER chain, but it has not helped. Any suggestion?
Docker-compose file:
version: "3"
services:
  testing-app:
    image: "${DOCKER_REGISTRY_URI}/testing-app-${ENV}:${COMMIT_ID}"
    container_name: test
    ports:
      - 8087:80
    restart: always
Iptables rules:
-A INPUT -p tcp -m tcp --dport 8087 -m conntrack --ctstate NEW -m comment --comment "ANSIBLE_FIREWALL_COMMENT - Allow tcp for 8087" -j ACCEPT
-A INPUT -p udp -m udp --dport 8087 -m conntrack --ctstate NEW -m comment --comment "ANSIBLE_FIREWALL_COMMENT - Allow udp port for 8087" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -m comment --comment "ANSIBLE_FIREWALL_COMMENT - Allow tcp for 80" -j ACCEPT
-A INPUT -p udp -m udp --dport 80 -m conntrack --ctstate NEW -m comment --comment "ANSIBLE_FIREWALL_COMMENT - Allow udp port for 80" -j ACCEPT
Iptables list:
iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 738 packets, 177K bytes)
pkts bytes target prot opt in out source destination
348 20880 DOCKER all -- * * 0.0.0.0/0 0.0.0.0/0 ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT 243 packets, 14580 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 2804 packets, 170K bytes)
pkts bytes target prot opt in out source destination
2407 144K DOCKER all -- * * 0.0.0.0/0 !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT 2804 packets, 170K bytes)
pkts bytes target prot opt in out source destination
0 0 MASQUERADE all -- * !br-40940e3fd969 172.18.0.0/16 0.0.0.0/0
0 0 MASQUERADE all -- * !docker0 172.17.0.0/16 0.0.0.0/0
0 0 MASQUERADE tcp -- * * 172.18.0.2 172.18.0.2 tcp dpt:80
Chain DOCKER (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- br-40940e3fd969 * 0.0.0.0/0 0.0.0.0/0
0 0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
105 6300 DNAT tcp -- !br-40940e3fd969 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8087 to:172.18.0.2:80
Netstat:
netstat -plant | grep 8087
tcp6 0 0 :::8087 :::* LISTEN 5665/docker-proxy
[root@idev-staging-micro-2 ~]#
Service:
ps -Af | grep proxy
root 5665 24269 0 May05 ? 00:00:02 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 8087 -container-ip 172.18.0.2 -container-port 80
root 24106 23979 0 16:47 pts/1 00:00:00 grep --color=auto proxy
sysctl:
sysctl -a | grep net.ipv4.conf.all.route_localnet
net.ipv4.conf.all.route_localnet = 0
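An added diagnostic and example, not part of the question or any answer: the DNAT rule's non-zero counter (105 packets) shows that connections to port 8087 are being rewritten to 172.18.0.2:80 in the nat table before the routing decision, so they leave the host through the FORWARD chain and never traverse INPUT; the INPUT rules for 8087 cannot match them. The script below (my code; it assumes a Docker version that provides the DOCKER-USER chain in the filter table) parses that listing and prints the DOCKER-USER rule each published port needs.

```shell
#!/bin/sh
# Added example: derive the filter-table rules that Docker's published ports
# actually need. Traffic hitting the DNAT in the nat PREROUTING/DOCKER chain
# has its destination rewritten to the container IP before the routing
# decision, so it is forwarded (FORWARD chain -> DOCKER-USER), not delivered
# locally (INPUT). Assumes a Docker version that creates DOCKER-USER.

# Constructed sample: the DOCKER chain from the `iptables -t nat -L -n -v`
# listing in the question above.
SAMPLE_NAT='Chain DOCKER (2 references)
 pkts bytes target prot opt in out source destination
    0     0 RETURN all -- br-40940e3fd969 * 0.0.0.0/0 0.0.0.0/0
    0     0 RETURN all -- docker0 * 0.0.0.0/0 0.0.0.0/0
  105  6300 DNAT tcp -- !br-40940e3fd969 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:8087 to:172.18.0.2:80'

# dnat_targets LISTING -> "proto host_port container_ip container_port" per DNAT rule.
dnat_targets() {
  printf '%s\n' "$1" | awk '
    $3 == "DNAT" {
      hp = ""; ip = ""; cp = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^dpt:/) hp = substr($i, 5)
        if ($i ~ /^to:/)  { split(substr($i, 4), d, ":"); ip = d[1]; cp = d[2] }
      }
      print $4, hp, ip, cp
    }'
}

# forward_rules LISTING -> one DOCKER-USER ACCEPT per published port. A rule
# in DOCKER-USER is evaluated before Docker's own FORWARD rules and before a
# host firewall that drops or rejects forwarded traffic. (hp is the host port,
# kept only for reference; the filter rule matches the post-DNAT destination.)
forward_rules() {
  dnat_targets "$1" | while read -r proto hp ip cp; do
    printf '%s\n' "-I DOCKER-USER -p $proto -d $ip --dport $cp -m conntrack --ctstate NEW -j ACCEPT"
  done
}

# To confirm the diagnosis on the host: watch which chain's counters move
# while a remote client connects to port 8087 (needs root and iptables).
show_counters() {
  iptables -t nat -L DOCKER -n -v
  iptables -L FORWARD -n -v
}
```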

Related

iptables: Index of deletion too big BASH

I am having some difficulties setting a default iptables script as it won't run. It shows the error: iptables: Index of deletion too big
I have tried re-ordering the rules, attempting to delete all first before adding, etc., but it doesn't seem to be helping. What am I doing wrong?
Here is the script:
#!/bin/bash
iptables -P FORWARD DROP
iptables -D FORWARD 1
iptables -P INPUT DROP
iptables -D INPUT 5
iptables -D INPUT 4
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -D INPUT 3
iptables -I INPUT -p icmp -j ACCEPT
The original iptables looks like this:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
119 13723 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT icmp -- any any anywhere anywhere
0 0 ACCEPT all -- lo any anywhere anywhere
1 60 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
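An added dry-run check, not part of the question: iptables reports "Index of deletion too big" when `-D CHAIN N` names a position beyond the number of rules currently in CHAIN. This script (my own code; the listing and the script are copied from the question) replays the index-based deletions against rule counts parsed from the listing. It also shows why the script cannot simply be run twice: the first run leaves INPUT with 4 rules and FORWARD with none, so the second run fails at `iptables -D FORWARD 1`.

```shell
#!/bin/sh
# Added example: replay the index-based deletions of an iptables script
# against the rule counts of a listing, without touching the live firewall.
# Constructed sample: the `iptables -L -v` output from the question above.
SAMPLE_LISTING='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
  119 13723 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
    0     0 ACCEPT icmp -- any any anywhere anywhere
    0     0 ACCEPT all -- lo any anywhere anywhere
    1    60 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
    0     0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited'

# The script from the question, verbatim.
SCRIPT='#!/bin/bash
iptables -P FORWARD DROP
iptables -D FORWARD 1
iptables -P INPUT DROP
iptables -D INPUT 5
iptables -D INPUT 4
iptables -I INPUT -p tcp --dport 22 -j ACCEPT
iptables -D INPUT 3
iptables -I INPUT -p icmp -j ACCEPT'

# rule_count LISTING CHAIN -> number of rules currently in CHAIN.
rule_count() {
  printf '%s\n' "$1" | awk -v chain="$2" '
    /^Chain /  { cur = $2; next }
    /^ *pkts / { next }
    cur == chain && NF > 0 { n++ }
    END { print n + 0 }'
}

# check_script INPUT_COUNT FORWARD_COUNT SCRIPT -> "ok", or the first
# "iptables -D CHAIN N" line whose N exceeds the rules left in CHAIN.
# -I adds a rule and -D removes one, exactly as the kernel would see it.
check_script() {
  printf '%s\n' "$3" | awk -v in_n="$1" -v fw_n="$2" '
    $1 != "iptables" { next }
    $2 == "-I" { if ($3 == "INPUT") in_n++; else fw_n++ }
    $2 == "-D" && $4 ~ /^[0-9]+$/ {
      n = ($3 == "INPUT") ? in_n : fw_n
      if ($4 + 0 > n + 0) { printf "line %d: %s: Index of deletion too big (%s has %d rules)\n", NR, $0, $3, n; bad = 1; exit }
      if ($3 == "INPUT") in_n--; else fw_n--
    }
    END { if (!bad) print "ok" }'
}
```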

How do I set up my iptables to allow web traffic to my Spring Boot application?

I am trying to host my Spring Boot application on Arvixe's VPS Lite. No CPanel, just command line.
When I spin up my Spring Boot app and navigate to the server's IP address, I see the ERR_CONNECTION_REFUSED error.
Here is my iptables configuration. I followed the steps found here: http://crm.vpscheap.net/knowledgebase.php?action=displayarticle&id=29
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
-A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
-A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
-A INPUT -j DROP
COMMIT
Here are the policies that the above creates:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:https state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:http state ESTABLISHED
ACCEPT udp -- anywhere anywhere udp spt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:http limit: avg 25/min burst 100
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp spt:http state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:https state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp spt:ssh state ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,ESTABLISHED
ACCEPT tcp -- anywhere anywhere tcp dpt:http state NEW,ESTABLISHED
ACCEPT udp -- anywhere anywhere udp dpt:domain
In your iptables config you are opening up ports 80 and 443, but Spring Boot applications start on port 8080 by default. So you have two options:
Start the app listening on port 80 by adding --server.port=80 to the startup params or set server.port=80 in the application.properties. This will work, but you'll have to start the app as root since it is trying to bind to a well-known port. I wouldn't recommend this.
Use iptables to redirect the external port 80 internally to port 8080 by adding a line like the following to your iptables config:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

Port redirect through iptables to kvm machine (Windows server)

I have a dedicated server Kimsufi Ks-3 with stock kernel and KVM virtualization.
I have installed Windows Server on a KVM guest, and I'm trying to redirect a port from the host machine to the Windows RDP port (3389). To do that I have used iptables with these commands:
root@ns370482:~# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2222 -j DNAT --to-destination 192.168.100.208:3389
root@ns370482:~# iptables -t nat -A PREROUTING -i eth0 -p udp --dport 2222 -j DNAT --to-destination 192.168.100.208:3389
192.168.100.208 is the guest Windows Server.
When I try to connect through the host machine with Remmina to the private IP it works, but when I try from the public IP of the server with publicip:2222, it doesn't work.
root@ns370482:~# iptables -t nat -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:2222 to:192.168.100.208:3389
DNAT udp -- anywhere anywhere udp dpt:2222 to:192.168.100.208:3389
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE tcp -- anywhere anywhere tcp dpt:3389
MASQUERADE udp -- anywhere anywhere udp dpt:3389
What am I doing wrong?

iptables centOS port forwarding not working

I want to forward UDP packets coming to port 10500 to 10600, but it's not working with the following config.
My iptables looks like this:
[root@mymachine ~]# service iptables status
Table: filter
Chain INPUT (policy DROP)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
2 LOG all -- 224.0.0.0/4 0.0.0.0/0 LOG flags 0 level 4 prefix `IP DROP MULTICAST D: '
3 LOG all -- 240.0.0.0/5 0.0.0.0/0 LOG flags 0 level 4 prefix `IP DROP SPOOF E: '
4 LOG all -- 0.0.0.0/0 127.0.0.0/8 LOG flags 0 level 4 prefix `IP DROP LOOPBAK: '
Chain FORWARD (policy DROP)
num target prot opt source destination
1 RH-Firewall-1-INPUT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:10600 state NEW
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
3 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
4 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
5 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
6 ACCEPT udp -- 0.0.0.0/0 224.0.0.251 udp dpt:5353
7 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
9 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 state NEW udp dpt:53
10 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:53
11 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:69
12 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:514
13 DROP all -- 0.0.0.0/0 0.0.0.0/0
14 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:10500
15 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:10600
Table: nat
Chain PREROUTING (policy ACCEPT)
num target prot opt source destination
1 DNAT udp -- 0.0.0.0/0 192.168.80.128 udp dpt:10500 to:192.168.80.128:10600
Chain POSTROUTING (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
Also, since it is CentOS, I've added the following.
net.ipv4.ip_forward = 1
Tell me where I've gone wrong.
To achieve what you're aiming for, you must add a rule to the INPUT chain of the filter table, and add a REDIRECT in the nat table.
Example:
iptables -A INPUT -p tcp --dport 10600 -j ACCEPT
iptables -A PREROUTING -t nat -p tcp --dport 10500 -j REDIRECT --to-port 10600
How it works:
The first table is nat PREROUTING. The traffic to tcp:10500 will be REDIRECTed to tcp:10600. After that this traffic will go to the filter table's INPUT chain, and the firewall ACCEPTs it.
Try using REDIRECT.
Example: iptables -t nat -I PREROUTING 1 -s 0.0.0.0/0 -d 192.168.75.128 -p udp -m udp --dport 10500 -j REDIRECT --to-ports 10600
In chain RH-Firewall-1-INPUT,
line 13 DROP all -- 0.0.0.0/0 0.0.0.0/0 is rejecting everything not allowed before it. Place all your ALLOWED rules before the "DROP of everything" or they will be ignored. (Lines 14 - 15 must be before line 13 in chain RH-Firewall-1-INPUT.)
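The shadowing the answer above points out can be checked mechanically. The script below is an added example, not from either answer: it reads the numbered `service iptables status` listing (the RH-Firewall-1-INPUT chain from the question, abridged and embedded as sample input), reports every rule behind an unconditional DROP or REJECT in the same chain, and prints the `-I` position that puts a new rule in front of it. Because this listing format hides `-i`/`-o` matches, a hit is a strong hint to confirm with `iptables -S`, which prints the full rule.

```shell
#!/bin/sh
# Added example: find rules that can never match because an earlier rule in
# the same chain drops or rejects everything. Input is the numbered output of
# `iptables -L -n --line-numbers` / `service iptables status`.

# Constructed sample: the RH-Firewall-1-INPUT chain from the question above (abridged).
SAMPLE='Table: filter
Chain RH-Firewall-1-INPUT (2 references)
num target prot opt source destination
1 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
7 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
8 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:22
13 DROP all -- 0.0.0.0/0 0.0.0.0/0
14 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:10500
15 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:10600'

# unreachable_rules LISTING -> one line per rule that sits behind a catch-all
# DROP/REJECT (proto all, any source, any destination, no extra match fields).
# The -L listing does not show -i/-o, so treat a hit as something to verify
# with `iptables -S CHAIN`, which prints the complete rule.
unreachable_rules() {
  printf '%s\n' "$1" | awk '
    /^Chain /                   { chain = $2; dead = 0; next }
    /^(Table:|num )/ || NF == 0 { next }
    dead { printf "%s rule %s (%s) is never reached: after catch-all %s at rule %s\n", chain, $1, $2, dead_target, dead; next }
    ($2 == "DROP" || $2 == "REJECT") && $3 == "all" && $5 == "0.0.0.0/0" && $6 == "0.0.0.0/0" && NF == 6 {
      dead = $1; dead_target = $2
    }'
}

# fix_hint LISTING -> the `iptables -I CHAIN N` prefix that inserts a new rule
# in front of the first catch-all, as the answer above recommends; append the
# rule specification (e.g. -p udp --dport 10500 -j ACCEPT) to it.
fix_hint() {
  printf '%s\n' "$1" | awk '
    /^Chain / { chain = $2; next }
    ($2 == "DROP" || $2 == "REJECT") && $3 == "all" && NF == 6 { print "iptables -I " chain " " $1; exit }'
}
```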

protect mongodb ports with iptables

This is my iptables config:
sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
859 103K ACCEPT all -- any any anywhere anywhere ctstate RELATED,ESTABLISHED
5 260 ACCEPT tcp -- any any anywhere anywhere tcp dpt:ssh
3 230 ACCEPT tcp -- any any anywhere anywhere tcp dpt:27017
4 208 ACCEPT tcp -- any any anywhere anywhere tcp dpt:28017
0 0 ACCEPT all -- any any localhost anywhere
0 0 ACCEPT all -- any any 111.111.111.111 anywhere
0 0 ACCEPT all -- any any 222.222.222.222 anywhere
64 3844 DROP all -- any any anywhere anywhere
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 764 packets, 227K bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any localhost anywhere
0 0 ACCEPT all -- any any 111.111.111.111 anywhere
0 0 ACCEPT all -- any any 222.222.222.222 anywhere
If I enter the IP of my mongodb server with port 28017 in the browser, I see a prompt to enter username and password:
#ip mongodb server
000.000.000.000:28017
I want to close the mongodb ports to anyone except these 2 IPs:
111.111.111.111
222.222.222.222
How can I do it?
Can you try the following iptables rules:
-A INPUT -m state --state NEW -p tcp --destination-port 27017 -s 111.111.111.111 -j ACCEPT
-A INPUT -m state --state NEW -p tcp --destination-port 27017 -s 222.222.222.222 -j ACCEPT
Looks like you forgot to put in the source IP flag.
I have removed these two lines from my iptables:
-A INPUT -p tcp -m tcp --dport 27017 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 28017 -j ACCEPT
and now it's not possible to access the mongodb ports from any IP.
Thanks
The rules I use for limiting external access to mongo are:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- localhost anywhere tcp dpt:27017
ACCEPT tcp -- localhost anywhere tcp dpt:28017
ACCEPT tcp -- 111.111.111.111 anywhere tcp dpt:27017
ACCEPT tcp -- 222.222.222.222 anywhere tcp dpt:27017
ACCEPT tcp -- 111.111.111.111 anywhere tcp dpt:28017
ACCEPT tcp -- 222.222.222.222 anywhere tcp dpt:28017
DROP tcp -- anywhere anywhere tcp dpt:27017
DROP tcp -- anywhere anywhere tcp dpt:28017
You can add them with:
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 127.0.0.1 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 111.111.111.111 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -s 222.222.222.222 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 111.111.111.111 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -s 222.222.222.222 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 27017 -j DROP
sudo iptables -A INPUT -p tcp -m tcp --dport 28017 -j DROP
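First-match order is what makes the answer above work: the question's chain accepted 27017/28017 from anywhere before any per-source rule was consulted. The script below is an added example, not from the question or the answers; it evaluates a NEW TCP connection against a ruleset in `iptables -S INPUT` form (both rulesets are my reconstruction of the listings on this page, abridged) and reports the verdict, so a change can be checked before it is loaded.

```shell
#!/bin/sh
# Added example: first-match evaluation of an INPUT chain for a NEW TCP packet.
# Constructed: the question's chain, abridged and rewritten in -S form.
WEAK='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 27017 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 28017 -j ACCEPT
-A INPUT -j DROP'

# Constructed: the same chain with the two open mongodb rules replaced by the
# per-source ACCEPTs and trailing DROPs from the answer above.
FIXED='-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 27017 -s 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 28017 -s 127.0.0.1 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 27017 -s 111.111.111.111 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 27017 -s 222.222.222.222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 28017 -s 111.111.111.111 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 28017 -s 222.222.222.222 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 27017 -j DROP
-A INPUT -p tcp -m tcp --dport 28017 -j DROP
-A INPUT -j DROP'

# verdict RULESET SRC_IP DPORT -> target of the first rule matching a NEW TCP
# packet from SRC_IP to DPORT, or the chain policy if nothing matches. Only
# the matches used in these rulesets are modelled: -p, --dport, -s, --ctstate.
verdict() {
  printf '%s\n' "$1" | awk -v src="$2" -v dport="$3" '
    /^-P INPUT / { policy = $3; next }
    !/^-A INPUT / { next }
    { p = ""; d = ""; s = ""; st = ""; target = ""
      for (i = 3; i <= NF; i++) {
        if ($i == "-p") p = $(i + 1)
        if ($i == "--dport") d = $(i + 1)
        if ($i == "-s") s = $(i + 1)
        if ($i == "--ctstate" || $i == "--state") st = $(i + 1)
        if ($i == "-j") target = $(i + 1)
      }
      if (p != "" && p != "tcp") next
      if (d != "" && d != dport) next
      if (s != "" && s != src && s != (src "/32")) next
      if (st != "" && st !~ /NEW/) next      # a NEW connection is modelled
      found = 1; print target; exit
    }
    END { if (!found) print policy }'
}
```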
