Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 6 years ago.
Improve this question
I added packet forwarding rule in my iptable
sudo iptables -t nat -A PREROUTING -p tcp --dport 1111 -j DNAT --to-destination 10.0.3.126:80
and I can see that the packet coming to port 1111 is correctly forwarded to 10.0.3.126:80. However if I list up the rules, I cannot see the rule that I added.
sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:bootps
ACCEPT udp -- anywhere anywhere udp dpt:bootps
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
How can I view the rule I added?
Thank you in advance.
Use iptables -L -n -t nat command Because PREROUTING chain is a part of NAT rules
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 7 years ago.
Improve this question
I need help to exclude a single Ip address from a prerouting rule on all ports.
Anybody who connects to my access point, gets redirected to my Captive Portal(Landing Page). Therefore I want to make a new rule, I don't want my existing prerouting rule to be modified/deleted.
The prerouting rule I already made, routs incoming ports, except port 22(SSH) to the captive portal. Therefore I use this rule:
sudo iptables -t nat -A PREROUTING -p tcp --match multiport ! --dport 22 ! -s 192.168.42.19 -j DNAT --to-destination 192.168.42.1:8080
What I want is to make an exclusion for specific users, therefore I want to stop certain ip addresses from being forwarded.
I tried different things, but I can't get anything to work.
I tried different INPUT and OUTPUT rules, but no luck. I think I should do something with PREROUTING, but how?
If you're just trying to prevent some traffic from hitting a specific rule, you could put a RETURN or ACCEPT rule for that traffic before the rule you're trying to avoid.
For example, you could change your current rule to three rules:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -s 192.168.42.19 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -j DNAT --to-destination 192.168.42.1:8080
Note the difference between ACCEPT and RETURN (from iptables(8) man page):
ACCEPT means to let the packet through.
RETURN means stop traversing this chain and resume at
the next rule in the previous (calling) chain.
Using this approach, you could leave your current rule alone and preceded it with an arbitrary number of rules that describe the different types of traffic that you don't want to hit your NAT rule.
Looking at iptables counters is a good way to tell whether your traffic is hitting the rules that you expect (e.g. iptables -t nat -L PREROUTING -vn).
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 8 years ago.
Improve this question
I am trying to figure out how to add a 1:1 NAT with IPTables but only on a single port, I know how to forward all traffic, but can't seem to find anything on a single port such as
192.168.1.1:21 -> 172.16.1.1:21
192.168.1.2:21 -> 172.16.1.2:21
192.168.1.3:21 -> 172.16.1.3:21
192.168.1.4:21 -> 172.16.1.4:21
I cant do this by say allowing only one port because there are other applications also doing traffic redirections on other ports.
All I have so far is something like this, but it doesn't specify the IP it originally landed on as a parameter.
sysctl net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp --dport port -j DNAT --to-destination ip:port
iptables -t nat -A POSTROUTING -j MASQUERADE
Use the -d flag to specify original destination.
iptables -t nat -A PREROUTING -d <external-ip> -p tcp --dport port -j DNAT --to-destination <internal-ip>:port
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 9 years ago.
Improve this question
with the following rules, php can't make a redirect to another file. it's freezes at the point when it gets toheader("Content-type: video/x-flv");
header("Location:" . $VIDEO);
or could be get_headers(); on my php script.
my iptables:
iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:22151
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache
ACCEPT tcp -- anywhere anywhere tcp spt:webcache
ACCEPT tcp -- anywhere anywhere tcp spt:http
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
what i've tried
iptables -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
as soon as i remove the DROP all -- anywhere anywhere everything works fine.
When you use get_headers(), your script makes an outgoing HTTP connection. You need to allow the reply traffic back in, by allowing established sessions.
sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
See here for more info
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
How to allow outgoing trafic only for http and ssh?
i've tried:
iptables -A OUTPUT -p tcp --dport ssh -j ACCEPT
iptables -A OUTPUT -p tcp --dport http -j ACCEPT
but as soon as i add
iptables -A OUTPUT -j DROP
nothing works, it blocks everything.
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere tcp dpt:22151
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:sso-service
ACCEPT all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere
Try with --sport instead of --dport.
First of all, the output of your iptables configuration does not matches the rules you have typed. Did you restarted iptable service? Second, you will need to allow udp on port 53 to get DNS working as well:
iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 10 years ago.
Improve this question
I'm writing a bash script to add simple firewalling for Xen.
Here's the actual firewall configuration :
Chain INPUT (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
RH-Firewall-1-INPUT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain RH-Firewall-1-INPUT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere icmp any
ACCEPT esp -- anywhere anywhere
ACCEPT ah -- anywhere anywhere
ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
ACCEPT udp -- anywhere anywhere udp dpt:ipp
ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT udp -- anywhere anywhere state NEW udp dpt:ha-cluster
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
I'd like to add a new chain for each of my virtual machines (each of them has a virtual interface called vif1.0, vif2.0, etc). Output interface (bridge) is xenbr0.
Here's what I do (for example to block ping 'in'to domU1, vif1.0) :
iptables -N domUFirewall
iptables -I FORWARD -j domUFirewall
iptables -I INPUT -j domUFirewall
iptables -A domUFirewall -i vif1.0 -p icmp -j DROP
But .. it doesn't work, i'm still able to ping in/out the domU.
Must be something really 'dumb' but I can't find out what's wrong.
Any clues ?
Thx
Since you're using XEN with bridged networking, packets are being intercepted at a level before ordinary iptables commands can influence them. Thus, you'll probably need to use the ebtables command to influence packet routing in the way that you want to.
ebtables/iptables interaction on a Linux-based bridge
ebtables(8) - Linux man page
Xen Wiki * XenNetworking
Original answer left below that will work for other configurations, but not for XEN with bridged networking.
I am going to pretend for the sake of example that the IP address of vif1.0 is 192.168.1.100.
I would redo the logic to not check the input device, but to instead check by IP Address. At the input chain, the packet is coming from (say) device eth0, not from vif1.0. Thus, this rule:
iptables -I INPUT -i vif1.0 -j domUFirewall
that I previously proposed will never match any packets. However, if you do the following, it should do what you want:
iptables -I INPUT -d 192.168.1.100 -j domUFirewall
where in this case the chain domUFirewall is set up by:
iptables -N domUFirewall
iptables -F domUFirewall
iptables -A domUFirewall -p icmp -j DROP
If a given chain is for a single device, then you want to make this check before jumping into the chain, on a rule with the "-j chainName" action. Then, in the chain itself, you never have to check for the device or IP Address.
Second, I would always flush (empty) the chain in your script, just in case you're re-running the script. Note that when you rerun the script, you may get complaints on the -N line. That's OK.
There are other ways you could do this, but to give a different example, I would need to know specifically how your VM is set up -- bridged networking? NAT? Etc. But the example I gave here should work in any of these modes.
Here are some useful links for the future:
Quick HOWTO, Ch14: Linux Firewalls Using iptables
Sandbox a VMware Virtual Machine With iptables