iptables / forward request to specific IP to wifi network [closed] - linux

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed last year.
I'm struggling with the Linux tool "iptables".
Following situation:
I have a RaspberryPi running with HASS (Home Assistant) connected via ethernet.
Now I want to add my inverter to Home Assistant, but this needs to be done by using its own WiFi network. So I need to forward requests to IP 11.11.11.1 (only this IP, not all traffic) to the WiFi network.
Is that doable with iptables? Meaning defining a rule which says "target is 11.11.11.1, so let's put this to the WiFi network".
I'm actually not sure whether iptables can do that or not. I read something about nginx, but not sure how this would work.

iptables -A FORWARD -i eth0 -o wlan0 -p tcp --destination 11.11.11.1 -j ACCEPT
That command did the trick. Now all TCP requests to 11.11.11.1 are forwarded to the WiFi (wlan0) interface.
If someone sees any mistakes in that, please reply as I'm not really familiar with network settings and Linux commands. Thx.
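As an added example (not part of the original question or its self-answer), here is the full set of steps a FORWARD rule like the one above relies on, because a FORWARD rule on its own only decides whether the kernel may pass a packet that is already being forwarded. Two points a practitioner would check: traffic generated on the Pi itself (Home Assistant polling the inverter) never enters the FORWARD chain at all, so the routing table alone picks its egress interface; and forwarding for other LAN hosts needs ip_forward enabled, a rule for the replies, and NAT so the inverter's WiFi network sees the Pi's address. Interface names and the inverter address are the ones from the question; everything else is assumed. The script prints each command by default and only applies them when run as root with IPT=iptables IPR=ip SYSCTL=sysctl.

```shell
#!/bin/sh
# Added example, not from the original question: route one host (the
# inverter, assumed to answer at 11.11.11.1) out of wlan0 and let LAN hosts
# behind eth0 reach it through the Pi. Dry run by default: each command is
# printed. Run as root with IPT=iptables IPR=ip SYSCTL=sysctl to apply.
IPT="${IPT:-echo iptables}"
IPR="${IPR:-echo ip}"
SYSCTL="${SYSCTL:-echo sysctl}"
INVERTER="${INVERTER:-11.11.11.1}"   # address from the question
LAN_IF="${LAN_IF:-eth0}"
WIFI_IF="${WIFI_IF:-wlan0}"

# Packets generated on the Pi itself never traverse FORWARD; the routing
# table decides which interface they leave on, so pin a host route.
pin_route() {
    $IPR route replace "$INVERTER/32" dev "$WIFI_IF"
}

# For other LAN hosts the Pi must really forward: enable forwarding, permit
# exactly this destination plus its replies, and masquerade on the WiFi side
# so the inverter's network never sees an unroutable LAN source address.
forward_rules() {
    $SYSCTL -w net.ipv4.ip_forward=1
    $IPT -A FORWARD -i "$LAN_IF" -o "$WIFI_IF" -d "$INVERTER" -j ACCEPT
    $IPT -A FORWARD -i "$WIFI_IF" -o "$LAN_IF" -s "$INVERTER" \
         -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WIFI_IF" -d "$INVERTER" -j MASQUERADE
}

# Verification with real iptables: the byte/packet counters on the FORWARD
# rule should climb while Home Assistant polls the inverter.
show_counters() {
    $IPT -L FORWARD -v -n
}

pin_route
forward_rules
```

The rule set is deliberately narrow: only the inverter's address is accepted in FORWARD, and the reply direction is limited to established flows, so the Pi does not silently become a general router between the two networks.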


force raw packets to go through iptables [closed]

Closed 11 months ago.
When using raw sockets to create raw Ethernet frames, the resulting packets are not traversing iptables, even if the frames created represent valid Ethernet + IP + UDP packets. In my case this happens with the ISC DHCP client. I can understand why this happens and this is fine so far.
That being said, what additional infrastructure could I nevertheless put in place to get a chance to process those packets in iptables?
I'd be fine with stuff like (additional) virtual interfaces, bridges, or something like that. But so far I couldn't find the right combination of them.
I had a similar problem in a previous project where I had to man-in-the-middle a TCP session inside a LAN. To do so, on my gateway laptop I needed to route incoming traffic to a local process running the MITM attack. I used iptables but of course it was not working since the communications between the 2 hosts inside the LAN were happening at L2, not triggering iptables. After A LOT of struggling I solved it in this way:
I created a bridge between the 2 interfaces that the attacked hosts used to communicate (say eth0 and eth1). Then you can use ebtables (man page ebtables) which allows forcing frames matching a specific rule to go through iptables. E.g. in my case:
ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-dport 8009 -j redirect --redirect-target DROP
The above rule is basically saying that: frames coming into eth0, carrying TCP packets destined to port 8009, should be sent to iptables.
Quoting the man page:
Making it DROP in the BROUTING chain will let the frames be routed.
If you want a good reference about the interaction iptables/ebtables, I used this one ebtables/iptables. Hope it can help.

IP needed on Linux bridge between 2 TAP interfaces? [closed]

Closed 7 years ago.
I am trying to set up OpenVPN on a server so that I have 2 different tap interfaces (tap0 and tap1) and then a bridge connecting those interfaces. The idea is that a client on tap0 will be able to talk to a client on tap1 and vice-versa.
There is no physical NIC involved in the bridge and the Bridge interface is setup with no ip/netmask/broadcast.
I am able to ping between the 2 when they are both connected however I see no traffic when trying to tcpdump the bridge interface.
I am a bit confused on some things:
Do I need to have an IP configured on the bridge interface at all? I don't quite see the reason for it as all it will do is make two virtual interfaces talk to each other.
Is the fact that the bridge interface does not have an assigned ip/netmask/broadcast the reason I am not able to see the ping traffic on the bridge interface when tcpdumping that interface?
If the answer to number 2 is Yes, I assume that it is also not possible to use iptables to block/allow traffic on that interface, correct? If so, is there any other way to accomplish what one would do with iptables on an interface like that?
I guess this wasn't the proper place to put this question but I thought I'd put an update anyway to close the issue.
Turns out that you do not need an assigned IP address on the bridge and it is possible to tcpdump. I happened to be working in containers, which made the traffic go outside the VPN when pinging.

linux interface based routing with two interfaces [closed]

Closed 6 years ago.
I have 2 interfaces on a Linux instance. Both have static IPs. I have traffic from the outside world coming to eth0 (208.67.x.x) and inside my server I want the traffic to be redirected to eth1 (192.168.X.x) to talk to any application inside.
Please help me with the route configs, and can I do that on a Linux instance?
You can use a simple package called Firestarter. Firestarter internally edits iptables, which are the actual rules to forward packets from source to destinations inside the Linux kernel. Please follow the following guidelines to solve your problem. Note that I have given command line examples below but there is also a GUI to help you with the setup.
Install Firestarter on Ubuntu using this command in the shell:
sudo apt-get install firestarter
Define the external and internal interfaces in the /etc/firestarter/configuration file at appropriate places.
Select DHCP server on/off if you wish to run a DHCP server on the internal network interface.
You can also define rules for inbound and outbound traffic as Firestarter is also a firewall. The rules can be defined in the /etc/firestarter/inbound and /etc/firestarter/outbound folders.
For more information on iptables and Firestarter visit:
https://help.ubuntu.com/community/IptablesHowTo
Hope this helps you with your problem. Thanks!

iptables block access to all ports except from a partial IP address [closed]

Closed 8 years ago.
I'm looking to block all IPs from my server and its ports with the exception of a partial IP 198.55..*. I'd like to limit access to an ISP region due to the fact my personal IP isn't static with our ISP. How would I go about this? Our server was compromised this evening and I'm trying to kill all other traffic to it.
The code below seems to allow a specific IP, but does it block every other IP? Also if I use the x will that act like a wildcard?
iptables -A INPUT -s 74.231.64.xx -j ACCEPT
If you need to block all incoming traffic except a specific range, you should first change the default policy of the INPUT chain to DROP:
iptables --policy INPUT DROP
Then, you should give a netmask to iptables to allow many IP addresses altogether exceptionally. For example, if you need to only allow 74.231.64.1, 74.231.64.2, to 74.231.64.255, you can use the following command:
iptables -A INPUT -s 74.231.64.0/24 -j ACCEPT
74.231.64.0/24 tells iptables to apply the same rule to all varying IPs from 74.231.64.1 to 74.231.64.255. Similarly, you can widen this range by passing 74.231.0.0/16 or 74.0.0.0/8 instead.
IMPORTANT NOTE: Before applying this change, you had better have direct access to the system, not over-network access. This is because a typo may lock you out of the server.
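As an added example (not part of the answer above), the following script turns a partial address such as the asker's "198.55" into the CIDR block iptables actually accepts, since iptables has no wildcard syntax and "198.55..*" is rejected outright, and then applies the allow-list in an order that cannot cut off the session applying it: loopback and already-established connections are accepted before the default policy is switched to DROP. The addresses are the ones from the thread; the function names and the optional lockout guard are assumptions. It prints each command by default and only changes the firewall when run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example, not from the original answer. Dry run by default: each
# iptables command is printed. Run as root with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"

# "198.55" -> 198.55.0.0/16, "74.231.64" -> 74.231.64.0/24, a full address
# -> /32. Each given octet contributes 8 mask bits; missing octets become 0.
# Anything that is not 1-4 numeric octets (a wildcard, an empty field) fails.
prefix_to_cidr() {
    set -f; old_ifs=$IFS; IFS='.'
    set -- $1                    # split on dots; set -f keeps '*' literal
    IFS=$old_ifs; set +f
    [ $# -ge 1 ] && [ $# -le 4 ] || return 1
    bits=$(($# * 8)); addr=''
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) echo "bad octet: '$o'" >&2; return 1;; esac
        [ "$o" -le 255 ] || { echo "bad octet: $o" >&2; return 1; }
        addr="${addr}${o}."
    done
    n=$#
    while [ "$n" -lt 4 ]; do addr="${addr}0."; n=$((n + 1)); done
    echo "${addr%.}/$bits"
}

# Order matters: rules that keep the current session alive go in first,
# then the allow-list, and only then does the default policy become DROP.
lockdown() {
    net=$(prefix_to_cidr "$1") || return 1
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -s "$net" -j ACCEPT
    $IPT -P INPUT DROP
}

# Guard for the answer's warning about remote work: reopen INPUT after five
# minutes unless the job is killed once access has been confirmed.
arm_guard() {
    ( sleep 300; $IPT -P INPUT ACCEPT ) &
    echo "guard pid $!: kill it once you have confirmed you can still log in"
}

lockdown 198.55
```

Note that a /16 taken from an ISP's range still admits every customer in that range, so the rule limits exposure rather than authenticating anyone; it is a stop-gap alongside, not instead of, fixing whatever was compromised.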

Linux iptable simple concentrator [closed]

Closed 9 years ago.
Hi All :) I have a simple question for who is strong in networking and iptables :)
I set up a test Apache server on 192.168.0.1, very simple, and want to concentrate all TCP/IP requests to it, but unfortunately I can't find the working list of options for iptables myself; something keeps not working.
So here is what I need: I need to forward all TCP/IP requests on eth0 directed to external IPs towards the local 192.168.0.1:80 instead.
E.g. if my browser sends an HTTP request to external IP 1.2.3.4, the kernel has to "rewrite" the destination IP from 1.2.3.4 to 192.168.0.1:80, and send it to my Apache.
And of course the browser has to receive the answer back.
What is the list of rules? Thanks :)
Everything depends on where you want to apply that rule. On the machines generating the traffic? On the gateway? Somewhere else?
The solution for the machine making the request is:
iptables -t nat -A OUTPUT -m tcp -p tcp ! -d 192.168.0.1 -j DNAT --to-destination 192.168.0.1:80
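As an added example (not from this answer or the Firestarter answer earlier on the page), the script below shows the two placements of destination NAT that the two threads ask about: on the machine generating the traffic, the nat/OUTPUT rule above narrowed to port 80 so SSH, DNS and everything else keep working; and on a gateway, the eth0-to-eth1 case of the earlier "interface based routing" question, where the rewrite has to happen in nat/PREROUTING and FORWARD must then admit the rewritten flow. 192.168.0.1 and eth0 come from the posts; the internal host address 192.168.1.10 and the function names are assumptions. It prints each command by default and only applies them when run as root with IPT=iptables.

```shell
#!/bin/sh
# Added example, not from either answer. Dry run by default: each iptables
# command is printed. Run as root with IPT=iptables to apply.
IPT="${IPT:-echo iptables}"
APACHE="${APACHE:-192.168.0.1}"        # test server from the question
INT_HOST="${INT_HOST:-192.168.1.10}"   # assumed host behind eth1

# (a) Locally generated packets pass nat/OUTPUT, never nat/PREROUTING.
#     --dport 80 limits the rewrite to HTTP; '! -d' leaves connections that
#     already target the server alone so they are not rewritten twice.
redirect_local_http() {
    $IPT -t nat -A OUTPUT -p tcp --dport 80 ! -d "$APACHE" \
         -j DNAT --to-destination "$APACHE":80
}

# (b) On a gateway the packet arrives from outside on ext_if: rewrite it in
#     nat/PREROUTING, then let FORWARD carry the new flow and its replies.
#     Forwarding must be enabled (net.ipv4.ip_forward=1) and the internal
#     host must route its replies back via this gateway, otherwise add SNAT.
forward_public_port() {
    ext_if=$1; port=$2; int_ip=$3
    $IPT -t nat -A PREROUTING -i "$ext_if" -p tcp --dport "$port" \
         -j DNAT --to-destination "$int_ip":"$port"
    $IPT -A FORWARD -i "$ext_if" -p tcp -d "$int_ip" --dport "$port" \
         -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s "$int_ip" -p tcp --sport "$port" \
         -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
}

# Check that the rewrite really happens: the nat table listing shows the
# rules with their hit counters.
show_nat() {
    $IPT -t nat -L -n -v
}

redirect_local_http
forward_public_port eth0 80 "$INT_HOST"
```

Conntrack records the original and translated tuples for each flow, which is why the reply direction needs no rule of its own in nat: the reverse translation is applied automatically, and only the filter-table FORWARD rules have to admit it.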
