iptables rule to block telnet packets on a particular active port but not other types of packets - linux

On my Linux device, port 5080 is open and accepts all packets. I want to block only telnet packets.
I tried to add an iptables rule, but I am not sure how to match telnet packets specifically, because adding an iptables rule with protocol tcp blocks all TCP packets, not just telnet, and I want to block only the telnet packets:
iptables -I INPUT 1 -p tcp --dport 5080 -j DROP

I don't think you can do that with iptables.
You'll need some application-layer-aware IPS (maybe Suricata?).

Related

In-kernel packet forwarding from one port to multiple ports

On a Linux-based system I need data incoming on a TCP port to be automatically redirected to 50 other local ports without going through user-space send/recv. Each port needs to receive a copy of all incoming traffic. All ports are local to the same machine.
I've discarded the splice syscall due to the limit of one endpoint being a file. I guess that iptables is the right tool for this purpose, but I can't figure out the right syntax. It should be something similar to:
iptables -t nat -A PREROUTING -p tcp --dport <in_port> -j REDIRECT --to-ports <out_port1>-<out_port50>
I wonder e.g. if the option -m multiport is needed.

How to drop packets based on the TCP option field in Linux

I want to drop incoming traffic on my Linux host based on the TCP option field.
For example TCP option 30, Multipath TCP.
If a packet contains the Multipath TCP option (option kind 30), then my Linux host needs to drop the connection or the packet.
My setup is host 1 <-> host 2 <-> host 3.
Host 1 sends packets via host 2 to host 3.
Host 2 has two interfaces, eth0 and eth1.
eth0 connects to host 1 and eth1 connects to host 3.
When incoming eth0 packets contain option field 30, I just want to cancel the connection or drop the packets.
I tried the iptables string match, but it didn't work.
The command is:
sudo iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 -m string --string "Multipath TCP" --algo bm
But the above rule does not stop Multipath TCP from being sent and received via host 2 eth0 and eth1.
Host 2 is not able to drop the Multipath TCP (option field 30) traffic.
Is it possible to drop a specific TCP packet based on an option field?
First, you need to add the rule in the FORWARD chain on host2 (the reason is that the packets are not addressed to host2 and will not hit the INPUT chain).
There is an option available in iptables to match TCP options. Please try the following iptables command:
iptables -I FORWARD -p tcp --tcp-option 30 -j DROP
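As an added example (not part of the original answer), the rule above expanded into a reviewable iptables-restore ruleset for host2: the option-30 match lives in a dedicated chain that is only reached by eth0-to-eth1 forwarded traffic, and a rate-limited LOG rule precedes the DROP so every dropped MPTCP segment is visible in the kernel log. The interface names, the chain name MPTCP_FILTER and the log prefix are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Emits a filter-table ruleset
# for host2 that logs and drops TCP segments carrying option kind 30
# (Multipath TCP) as they are forwarded from eth0 to eth1.
# Interface names and the MPTCP_FILTER chain name are assumptions.

IN_IF="${IN_IF:-eth0}"
OUT_IF="${OUT_IF:-eth1}"

# Print the ruleset in iptables-restore format; review it, then apply with:
#   mptcp_ruleset | iptables-restore -n     (-n keeps existing rules)
mptcp_ruleset() {
    cat <<EOF
*filter
:MPTCP_FILTER - [0:0]
# host1 -> host3 traffic only traverses FORWARD on host2, never INPUT
-A FORWARD -i ${IN_IF} -o ${OUT_IF} -p tcp -j MPTCP_FILTER
# --tcp-option matches any segment that carries the given option kind
-A MPTCP_FILTER -p tcp --tcp-option 30 -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "MPTCP-DROP: "
-A MPTCP_FILTER -p tcp --tcp-option 30 -j DROP
-A MPTCP_FILTER -j RETURN
COMMIT
EOF
}

# Sanity check used before applying: how many rules key on option 30
count_option_rules() {
    mptcp_ruleset | grep -c -- '--tcp-option 30'
}
```

Dropping the initial SYN that carries the MPTCP option is what prevents the multipath connection from ever being set up; the LOG line is there so you can confirm on host2 that the match actually fires.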

Can a Connection Be Double-DNATed Through an iptables Rule?

So say, for instance, I have an iptables rule of the sort:
iptables -t nat -I PREROUTING 1 -p udp --dport 1000 -j DNAT --to-dest 192.168.1.10:1010
Is there a way that I can, midway through the connection, based on say a u32 match or a string match, further redirect the incoming port's connection to another IP?
So in layman's terms: I have forwarded port 1000 to an internal IP and port, and upon transmission of a packet that meets a certain criteria, "re-DNAT" that connection to another internal IP.
I would think that I could insert this rule beforehand and effect what I want, but it consistently just skips over the rule:
iptables -t nat -I PREROUTING 1 -p udp --dport 1000 -m string --algo bm --string "stringtomatch" -j DNAT --to-dest 192.168.1.100:1010
Should it maybe be after... and should I change the port on the secondary rule to the changed port address?

Block a website using iptables (redirecting to an error page)

Would it be technically possible to block a website with a specific iptables rule and at the same time return an error page to the user's browser?
iptables -t nat -A PREROUTING -s 192.168.1.19 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.20:80
Thanks
If you totally block port 80 traffic from an IP address with iptables, your web server will never get any request from that client and thus be unable to serve an error page. So in short, no.
To achieve what you are asking, one solution would be to port forward to another port or host that serves only error pages. The iptables rules for doing that will be specific to your situation. But in doing so, the packets will still be traversing your network.
You may be better off asking this question over at ServerFault...

Iptables: Redirect to port 8080 and ACCEPT only one IP address

Background Info: I have rooted an android phone and installed droidwall to get access to iptables. The kernel version is 2.6.35.7-perf.
Objective: Test the efficiency of a proxy (on port 8080) from a comparison of the traffic flow with and without the proxy.
I am able to get a test without going through the proxy with the rules from here
Method: I have created a test website on a single IP address. I am using an application that monitors how many packets/bytes have been transmitted and received by the phone.
Problem: Due to unknown background traffic, unwanted packets are being sent and received.
Solution: Use iptables to only allow a connection to one website so I can properly monitor the traffic.
How would I go about this?
Try the following:
iptables -t nat -A PREROUTING -p tcp -s 1.2.3.4 -j REDIRECT --to-port 8080
iptables -A INPUT -p tcp -s 1.2.3.4 --dport 8080 -j ACCEPT
The first rule should redirect all traffic from 1.2.3.4 to port 8080, while the second states to accept such packets.
Now you should set on DROP the default policy for INPUT so that every other packet is discarded:
iptables -P INPUT DROP
Be careful. This is a very restrictive rule.
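The restrictive policy the answer ends with has two side effects worth handling: a DROP policy on INPUT alone still lets the phone send background traffic, and it also drops loopback and reply packets unless they are explicitly accepted. The following added example (not part of the original answer) emits an allowlist ruleset that restricts both directions to the test host, keeps loopback and established connections working, and logs whatever else the phone tries to send so the background traffic can be identified. TEST_HOST is a constructed placeholder; the proxy port and the use of iptables-restore format are assumptions.

```shell
#!/bin/sh
# Added example, not from the original answer. Allowlist ruleset for the
# proxy measurement: only new connections to the test web host are allowed
# out, replies and loopback are accepted, everything else is logged then
# dropped by policy. TEST_HOST is a constructed placeholder.

TEST_HOST="${TEST_HOST:-1.2.3.4}"
PROXY_PORT="${PROXY_PORT:-8080}"

# Print the ruleset; review it, then apply with: allowlist_ruleset | iptables-restore
allowlist_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# Loopback must stay open: a local proxy on ${PROXY_PORT} is reached via 127.0.0.1
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# Replies to allowed connections; without this the DROP policy kills them
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Only new TCP connections to the test host may leave the phone
-A OUTPUT -d ${TEST_HOST} -p tcp -m state --state NEW -j ACCEPT
# Everything else is logged (rate limited) before the policy drops it,
# so the sources of the unknown background traffic show up in dmesg
-A OUTPUT -m limit --limit 10/min -j LOG --log-prefix "BG-TRAFFIC: "
COMMIT
EOF
}

# Sanity check: all three built-in chains default to DROP
count_drop_policies() {
    allowlist_ruleset | grep -c 'DROP \[0:0\]'
}
```

Run the measurement twice with this ruleset in place, once with the proxy REDIRECT rule and once without, so that both packet counts exclude the same background traffic.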