Can't access any website when connected to pptp vpn - linux

Server for test:
Server based in China can't access Google, Facebook, Instagram, Twitter, but you can try to use it to test the connection to stackoverflow
ip: 132.232.70.189
account: yunaqi
password: qishi
What I did on my server:
install pptp
sudo yum -y install pptpd
edit sysctl.conf
vi /etc/sysctl.conf
net.ipv4.ip_forward=1
edit pptpd.conf
vi /etc/pptpd.conf
localip 192.168.0.1
remoteip remoteip 192.168.0.234-238,192.168.0.245
edit chap-secrets
vi /etc/ppp/chap-secrets
yuanqi * qishi *
config iptables
sudo iptables -A INPUT -p gre -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 1723 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 47 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s 192.168.0.1/24 -o eth0 -j MASQUERADE
start pptp
systemctl enable pptpd.service
systemctl start pptpd.service
That's all, I don't know which step is wrong. Please help me.

Related

Docker container doesn't have any internet access

After working a long time on why I don't have any internet access in Docker I had to ask here; I read a lot of the solutions posted on this site, but my problem isn't resolved.
What I did before asking here:
1:
pkill docker
iptables -t nat -F
ifconfig docker0 down
brctl delbr docker0
sudo service docker restart
2:
OTHER_BRIDGE=br-b0b70e352d8c
service docker stop
ip link set dev $OTHER_BRIDGE down
ip link set dev docker0 down
ip link delete $OTHER_BRIDGE type bridge
ip link delete docker0 type bridge
service docker start && service docker stop
iptables -t nat -A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE
iptables -t nat -A POSTROUTING ! -o docker0 -s 172.18.0.0/16 -j MASQUERADE
service docker start
3: stopping iptables and docker daemon:
sudo service iptables stop
sudo service docker restart
4:forwarding rules in iptables:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 8080
iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080
and then adding DNS into /etc/default/docker:
DOCKER_OPTS="--dns 208.67.222.222 --dns 208.67.220.220"
Is there another solution to fix this problem? I also tested internet access after rebooting the system.

iptables script to block all internet access except for desired applications

CONTEXT:
I wanted to have a shell script that would block all Inbound/Outbound traffic to my computer, UNLESS I decide I want to use the browser or some other application, in which case I would summon it and only those applications would run.
I have researched previous scripts made by smart individuals (links to sources at the end), as well as invested the time to learn to use iptables myself (still working on this front).
Here is the result of the work done:
RESULTS:
before the shell script is run, a group called internet is created:
sudo groupadd internet
Shell Script:
#!/bin/sh
#only allow apps run from "internet" group to run
# clear previous rules
sudo iptables -F
# accept packets for internet group
sudo iptables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT
sudo iptables -A OUTPUT -p udp -m owner --gid-owner internet -j ACCEPT
# also allow local connections
sudo iptables -A OUTPUT -p tcp -d 127.0.0.1 -j ACCEPT
sudo iptables -A OUTPUT -p tcp -d 192.168.0.1/24 -j ACCEPT
# reject packets for other users
sudo iptables -A OUTPUT -j REJECT
# same process for IPv6:
sudo ip6tables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT
sudo ip6tables -A OUTPUT -p udp -m owner --gid-owner internet -j ACCEPT
sudo ip6tables -A OUTPUT -p tcp -d 127.0.0.1 -j ACCEPT
sudo ip6tables -A OUTPUT -p tcp -d 192.168.0.1/24 -j ACCEPT
sudo ip6tables -A OUTPUT -j REJECT
this is the other part of the shell that I'm currently working on and not 100% confident with:
#DROPS ALL INPUT and FORWARD
sudo iptables -A INPUT -j DROP
sudo iptables -A FORWARD -j DROP
#ONLY ACCEPTS INPUT THAT WAS INITIATED BY SOME OUTPUT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#SAME REPEATED FOR IPv6
sudo ip6tables -A INPUT -j DROP
sudo ip6tables -A FORWARD -j DROP
sudo ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
after the whole script above is executed, the following command would open a terminal that would be part of the internet group, and hence any application (like firefox for instance) that was opened by that terminal would have internet access, while all other INPUT/OUTPUT would be stopped
sudo -g internet -s
QUESTION:
Is the previous logic in order? Currently I am working on testing out all the features, by installing network monitoring software (nethogs), testing each line of code and seeing if the result is as expected, BUT at the same time, I only started learning about iptables 2 days ago, so even though the sources of the original code are done by experienced coders, I am not 100% confident in my ability to put it all together to produce the desired result. Thanks to anyone who took the time to read all this and participate in the discussion !!!
sources:
https://plus.google.com/+TobyKurien/posts/YZhZJCZmGgm
https://serverfault.com/questions/429400/iptables-rule-to-allow-all-outbound-locally-originating-traffic
P.S.: Thanks to #dirkt for previously helping me understand a lot of the fundamental concepts of iptables as well as answering some of my questions regarding the source code.
UPDATE:
So after having run the code, there seems to be something wrong. What happens is as follows. I run the shell script:
bash myscript
I get 2 errors as follows:
ip6tables v1.6.0: host/network 127.0.0.1 not found
Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.6.0: host/network 198.168.0.1 not found
Try `ip6tables -h' or 'ip6tables --help' for more information.
but everything else ran well, and when doing sudo iptables -L I did confirm all the other rules are in place. AFTER that, I tried the following:
Run firefox by manually double-clicking the icon. The result was as expected, right away I got a Server not found error, which was a good sign
After that I ran the command sudo -g internet -s in the terminal, and then firefox. NOW... when I tried loading a website, it didn't show me Server not found, but it kept loading for a long period of time, very long. This leads me to believe that maybe the output request was sent, BUT the input was being blocked.
If anyone knows why this might be happening, I would love to know your feedback!
I only started learning about iptables 2 days ago, so even though the sources of the original code are done by experienced coders, I am not 100% confident in my ability to put it all together to produce the desired result.
Coincidentally, I'm looking for the same solution around the same time and saw your post. Just signed up to SO, hope this could help you and others. I'm still learning and open to suggestions and advice :)
A few changes to the code. I needed to open all ports to local connections to make it work.
Also changed 192.168.0.1/24 to 192.168.0.0/16. This range allowed wifi/usb tether to be included.
# also allow local connections
#TODO. Use log to see which ports are actually needed.
sudo iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
Is the previous logic in order?
Change the order to this:
#ONLY ACCEPTS INPUT THAT WAS INITIATED BY SOME OUTPUT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#DROPS ALL INPUT and FORWARD
sudo iptables -A INPUT -j DROP
sudo iptables -A FORWARD -j DROP
Also add this code on top of the previous code. These are taken from the default firewall. Originally it contained a specific interface.
sudo iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp -m udp --dport 67 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 67 -j ACCEPT
I get 2 errors as follows:
ip6tables v1.6.0: host/network 127.0.0.1 not found Try `ip6tables -h' or 'ip6tables --help' for more information.
ip6tables v1.6.0: host/network 198.168.0.1 not found Try `ip6tables -h' or 'ip6tables --help' for more information.
Probably because you are using IPv4 addresses.
Change 127.0.0.1 to ::1/128 and 198.168.0.1 to fe80::/10.
Can't help much about IPv6. I have no idea how it works and I don't think mine is using IPv6 at all.
Complete Script:
#!/bin/sh
#only allow apps run from "internet" group to run
# clear previous rules
sudo iptables -F
# accept packets for internet group
sudo iptables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT
sudo iptables -A OUTPUT -p udp -m owner --gid-owner internet -j ACCEPT
#Some applications need more ports, such as ping.
sudo iptables -A OUTPUT -p icmp -m owner --gid-owner internet -j ACCEPT
#Less secure. Open all ports.
#sudo iptables -A OUTPUT -m owner --gid-owner internet -j ACCEPT
# also allow local connections
#TODO. Use log to see which ports are actually needed.
sudo iptables -A OUTPUT -d 127.0.0.1 -j ACCEPT
sudo iptables -A OUTPUT -d 192.168.0.0/16 -j ACCEPT
# reject packets for other users
sudo iptables -A OUTPUT -j REJECT
#Taken from default rules.
sudo iptables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
sudo iptables -A INPUT -p udp -m udp --dport 67 -j ACCEPT
sudo iptables -A INPUT -p tcp -m tcp --dport 67 -j ACCEPT
#ONLY ACCEPTS INPUT THAT WAS INITIATED BY SOME OUTPUT
sudo iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#DROPS ALL INPUT and FORWARD
sudo iptables -A INPUT -j DROP
sudo iptables -A FORWARD -j DROP
#IPv6 Section
# Flush ip6tables too
sudo ip6tables -F
# same process for IPv6:
sudo ip6tables -A OUTPUT -p tcp -m owner --gid-owner internet -j ACCEPT
sudo ip6tables -A OUTPUT -p udp -m owner --gid-owner internet -j ACCEPT
sudo ip6tables -A OUTPUT -d ::1/128 -j ACCEPT
sudo ip6tables -A OUTPUT -d fe80::/10 -j ACCEPT
sudo ip6tables -A OUTPUT -j REJECT
sudo ip6tables -A INPUT -p udp -m udp --dport 53 -j ACCEPT
sudo ip6tables -A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
sudo ip6tables -A INPUT -p udp -m udp --dport 67 -j ACCEPT
sudo ip6tables -A INPUT -p tcp -m tcp --dport 67 -j ACCEPT
sudo ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
sudo ip6tables -A INPUT -j DROP
sudo ip6tables -A FORWARD -j DROP

Azure: Could not contact CDS load balancer

After running this script:
#!/bin/bash
iptables -F
iptables -X
# set default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# accept everything no matter port on localhost
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# allow input on port 22 (established connections auto accepted)
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# allow traffic going to specified outbound ports
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 6667 -j ACCEPT
iptables -A OUTPUT -p tcp --dport 6697 -j ACCEPT
# drop anything that doesn't match the rules above
iptables -A INPUT -j DROP
iptables -A OUTPUT -j DROP
then when I typed yum -y update in the terminal, or anything else using yum, I got these messages:
Loaded plugins: langpacks, product-id, rhui-lb, search-disabled-repos
Could not contact CDS load balancer southeastasia-cds2.cloudapp.net, tring others.
Could not contact CDS load balancer southeastasia-cds3.cloudapp.net, tring others.
Could not contact CDS load balancer southeastasia-cds1.cloudapp.net, tring others.
Could not contact any CDS load balancers: southeastasia-cds2.cloudapp.net, southeastasia-cds3.cloudapp.net, southeastasia-cds1.cloudapp.net, eastasia-cds4.cloudapp.net.
What are the ports for these load balancers, so I can allow them in my firewall on Red Hat??
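Added example (written for this page; it is not code from any of the posts above) that covers two of the rule sets on this page: the INPUT chain of the "block all internet access except for desired applications" question, where the answer moves the ESTABLISHED,RELATED rule above the DROP, and the OUTPUT chain of the Azure script just above. iptables walks a chain top to bottom and the first matching rule decides the verdict, so the script below is a small POSIX sh simulator of that first-match walk over a constructed rule format (CHAIN PROTO DPORT STATES TARGET, with "-" meaning "any"). The rule lines are transcribed from the posted scripts; the packets are constructed. Walking the rules this way shows that with the DROP appended before the ESTABLISHED rule a reply packet never reaches the ACCEPT, that reordering fixes it, and that the Azure OUTPUT chain (policy DROP, with only 6667/6697 opened for new connections) drops the new HTTPS and DNS connections yum needs, regardless of what INPUT allows.

```shell
#!/bin/sh
# Added example, not code from any post on this page: a tiny first-match
# simulator for iptables-style chains. Rule lines use a constructed format:
#   CHAIN PROTO DPORT STATES TARGET      ("-" means "matches anything")
# STATES is a comma list, as in "-m state --state ESTABLISHED,RELATED".
# A packet is described as CHAIN PROTO DPORT STATE.

# field_matches RULEFIELD VALUE: "-" matches anything, otherwise exact match
field_matches() { [ "$1" = "-" ] || [ "$1" = "$2" ]; }

# state_matches RULESTATES STATE: "-" matches anything, else STATE must be in the list
state_matches() {
  [ "$1" = "-" ] && return 0
  case ",$1," in *",$2,"*) return 0 ;; esac
  return 1
}

# evaluate RULES POLICY CHAIN PROTO DPORT STATE
# Walks RULES top to bottom, as the kernel does, and prints the target of the
# first matching rule, or POLICY when no rule in that chain matched.
evaluate() {
  policy=$2; chain=$3; proto=$4; dport=$5; state=$6
  verdict=$(printf '%s\n' "$1" | while read -r r_chain r_proto r_dport r_states r_target; do
    case "$r_chain" in ''|'#'*) continue ;; esac
    [ "$r_chain" = "$chain" ] || continue
    field_matches "$r_proto" "$proto" || continue
    field_matches "$r_dport" "$dport" || continue
    state_matches "$r_states" "$state" || continue
    printf '%s' "$r_target"
    break
  done)
  printf '%s\n' "${verdict:-$policy}"
}

# INPUT chain in the order the question's script appends it: the DROP comes
# first, so the ESTABLISHED,RELATED rule after it can never be reached.
INPUT_DROP_FIRST='
INPUT - - - DROP
INPUT - - ESTABLISHED,RELATED ACCEPT
'

# The order the answer recommends: accept replies first, then drop the rest.
INPUT_ESTABLISHED_FIRST='
INPUT - - ESTABLISHED,RELATED ACCEPT
INPUT - - - DROP
'

# OUTPUT chain of the Azure script (policy DROP): only replies and new TCP
# connections to 6667/6697 may leave the host.
AZURE_OUTPUT='
OUTPUT - - ESTABLISHED,RELATED ACCEPT
OUTPUT tcp 6667 - ACCEPT
OUTPUT tcp 6697 - ACCEPT
OUTPUT - - - DROP
'

# Constructed packets, one per scenario discussed on the page.
demo() {
  printf 'HTTPS reply to firefox, DROP appended first:   %s\n' "$(evaluate "$INPUT_DROP_FIRST" ACCEPT INPUT tcp 443 ESTABLISHED)"
  printf 'HTTPS reply to firefox, ESTABLISHED first:     %s\n' "$(evaluate "$INPUT_ESTABLISHED_FIRST" ACCEPT INPUT tcp 443 ESTABLISHED)"
  printf 'unsolicited SSH, ESTABLISHED first:            %s\n' "$(evaluate "$INPUT_ESTABLISHED_FIRST" ACCEPT INPUT tcp 22 NEW)"
  printf 'yum opening HTTPS, Azure OUTPUT chain:         %s\n' "$(evaluate "$AZURE_OUTPUT" DROP OUTPUT tcp 443 NEW)"
  printf 'DNS query, Azure OUTPUT chain:                 %s\n' "$(evaluate "$AZURE_OUTPUT" DROP OUTPUT udp 53 NEW)"
  printf 'IRC to 6667, Azure OUTPUT chain:               %s\n' "$(evaluate "$AZURE_OUTPUT" DROP OUTPUT tcp 6667 NEW)"
}

demo
```

The simulator only models chain, protocol, destination port and conntrack state, which is all these two scripts filter on; the same first-match walk is why the APNS thread further down reaches for -I INPUT 1 when a trailing DROP rule is already in place.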

Trying to run Virtualbox through TOR middlebox

I REALLY need some help before my laptop goes through the wall.
I want to run a virtual machine through a Tor middlebox. I want the entire VM's connection to go through the Tor network. (I'm wanting to set up my hidden service, and for my needs this will work best.)
I started by looking here - http://www.howtoforge.com/how-to-set-up-a-tor-middlebox-routing-all-virtualbox-virtual-machine-traffic-over-the-tor-network
I know this is old but I figured I'd give it a go anyway.
For reference, my host machine is running Ubuntu 13.04 and the VM will be running 12.04 LTS on VirtualBox.
Well, I have Tor installed as per the guide, and I have gone through the setup steps. But it didn't work. My VM will not connect to the net. I checked ifconfig and I am receiving an IP address, but I can't get a connection to the web to check I am running through Tor.
I've spent a good few hours on this but I can't get it working; I'm just at point-and-click mode now. Looked at so many sites, and almost all of them point back to the original. I have tried tweaking the settings, and looked at numerous forums. But I can't get this working.
If I try using the Tor Browser Bundle, it refuses to start Tor, stating that it hasn't got permission or can't listen on 172.16.0.1:53. Tried using the Vidalia bundle for the Tor install but that refuses to find the Tor exec (not really an issue).
Here are the settings I am trying to run with...
/etc/network/interfaces
as stated in guide
/etc/dnsmasq.conf
interface=vnet0
listen-address=192.168.1.1
dhcp-range=172.16.0.2,172.16.0.254,1h
/etc/tor/torrc
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 172.16.0.1
TransListenAddress 192.168.1.1
DNSPort 53
DNSListenAddress 172.16.0.1
DNSListenAddress 192.168.1.1
middlebox.sh
#!/bin/sh
# destinations you don't want routed through Tor
NON_TOR="192.168.1.0/24 192.168.0.0/24"
# the UID Tor runs as
TOR_UID="109"
# Tor's TransPort
TRANS_PORT="9040"
# your internal interface
INT_IF="vnet0"
iptables -F
iptables -t nat -F
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
for NET in $NON_TOR; do
iptables -t nat -A OUTPUT -d $NET -j RETURN
iptables -t nat -A PREROUTING -i $INT_IF -d $NET -j RETURN
done
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -A FORWARD -i $INT_IF -p udp -j DROP
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
for NET in $NON_TOR 127.0.0.0/8; do
iptables -A OUTPUT -d $NET -j ACCEPT
done
iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
iptables -A OUTPUT -j REJECT
Does this article help you? http://www.mike-warren.com/articles/routing-vm-traffic-through-tor.html
The short version is:
host runs a tun/tap device
host runs a VDE switch (which puts packets from the VM into the tap device)
host has iptables NAT rules to shovel tap device traffic into Tor
host runs Tor as transparent proxy
VM has static IP, connected to VDE switch
Instead of all that, you could run TAILS. https://tails.boum.org/
Consider running Tails as a VM guest.
Use a VM snapshot to avoid booting from the Tails live DVD (ISO).

How to open port 2195 in iptables CentOS 6 for activating the APNS

I tried this solution:
iptables -I OUTPUT -p tcp --dport 2195 -j ACCEPT
/etc/init.d/iptables stop
/etc/init.d/iptables start
but still can't access the port.
If there are more ports that I have to open for APNS let me know.
How about:
iptables -A INPUT -p tcp --dport 2195 -j ACCEPT
service iptables restart
This may help too.
It didn't work for me completely, since my last rule was DROP ALL which basically negated all I added to iptables after.
It might be useful to use the -I switch:
iptables -I INPUT 1 -p tcp --dport 2195 -j ACCEPT
The INPUT 1 means the 1st INPUT rule instead of appending, to put the rule in front of drop all.
See my answer here: https://stackoverflow.com/a/25229943/1472048
For CentOS 7, you should use "firewall-cmd" command like so:
firewall-cmd --add-port=2195/tcp --permanent
iptables is not recommended if you use the firewalld service.
Try the following command, it worked for me:
$ sudo iptables -A INPUT -p tcp --dport 2195 -j ACCEPT
$ sudo /etc/init.d/iptables save
