I have an embedded Linux firmware running on a home router. When I run the following commands one by one from the terminal as root, it works without any errors and serves my purpose. I know this is not a secure policy. This is only to test something.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -A INPUT -p tcp -i eth1 --dport 4444 -j ACCEPT
However, when this is run in a bash script as root as below,
#!/bin/bash
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -A INPUT -p tcp -i eth1 --dport 4444 -j ACCEPT
it gives the following error:
iptables: Bad policy name. Run `dmesg' for more information.
iptables: Bad policy name. Run `dmesg' for more information.
iptables: Bad policy name. Run `dmesg' for more information.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
I have confirmed that the last line of bash script executes without errors and the entry can be seen in iptables. However, all the other lines throw an error. What am I doing wrong? Surprisingly, the same batch script works fine on my Ubuntu machine.
Did you create the script in Windows, or in some other way that gave it Windows line endings (CRLF) where the router is expecting Unix line endings (LF)?
That would lead to the interpreter reading an extra unprintable character on the end of each of the commands, which would give the errors shown.
You can check by running cat -v myScript.sh. Incorrect Windows line endings will show as:
iptables -P INPUT ACCEPT^M
iptables -P FORWARD ACCEPT^M
iptables -P OUTPUT ACCEPT^M
iptables -F^M
iptables -X^M
iptables -A INPUT -p tcp -i eth1 --dport 4444 -j ACCEPT
Related
I am using RHEL8 and want to change the context port. Does anyone know how to do it?
Thanks
You'll want to use semanage assuming your custom type for port 2658 exists, and you're deploying to a vanilla RHEL server.
semanage port -a -t <custom_type_here> -p <protocol> <port_here>
Assuming protocol is tcp based:
semanage port -a -t my_2658_t -p tcp 2658
More complicated deployments should probably customize corenetwork.te directly.
I am running a docker image of Linux and trying to achieve following:
Run a docker
Create a user test
Stop the user test from internet access
1 and 2 work but I am stuck at #3.
What I tried?
Run iptables -t mangle -A OUTPUT -o eth0 -m owner --uid-owner 501 -j DROP. This command failed with error message "getsockopt failed strangely: Operation not permitted". I was unable to find the root cause
Change the sudoer file and add an entry test ALL=!/bin/ping. This was to see if I am able to stop user test from running ping command. However, this change in sudoer file had no affect and user test was able to run ping command. Assuming this would work, my intent was to play around with sudoer to achieve my goal
Is there a recommendation or suggestion to solve this problem?
To block all internet access for a certain users using iptables command.
sudo iptables -A OUTPUT -m owner --uid-owner {USERNAME} -j REJECT
If you want this command to run when the system starts up, you should add it to the end of your /etc/rc.local file.
command to reverse above:
sudo iptables -D OUTPUT -m owner --uid-owner {USERNAME} -j REJECT
or you can reboot. Unless you've added the line to /etc/rc.local, it's not persistent, and if you have, then you can just remove that line.
you can read more
I'm trying to test how our app handles when the Docker registry becomes unavailable for it to pull Docker images, and want to mimic the situation.
I don't have any control over the firewall rule of the network or DNS of the servers. The only changes I can make are on the VM I'm using, like VM configurations and Docker configurations. Wondering what I can do to make it as if Dockerhub is down?
You can use the iptables to filter the output on your VM and dropping packet
For example :
# iptables -A OUTPUT -d 192.168.12.34 -j DROP
or
# iptables -A OUTPUT -p tcp -d 192.168.12.34 --dport 80,443 -j DROP
I am trying to add iptable rules from a rules file rather than shell. This is what I have tried, but it doesn't seem to take any sort of effect. Is there something wrong with the way I am setting it up?
iptables.rules
IPT="/sbin/iptables"
# Flush old rules, old custom tables
$IPT --flush
$IPT --delete-chain
# Set default policies for all three default chains
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
iptables
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules
Shell commands
ln -s $HOME/config/iptables.rules /etc/iptables.up.rules
ln -s $HOME/config/init/iptables /etc/network/if-pre-up.d/iptables
chmod +x /etc/network/if-pre-up.d/iptables
See the post by miguimon at https://bbs.archlinux.org/viewtopic.php?pid=636996
This is basically a shell script that you can use to enable/disable the firewall rules in the script. Then, you can run the script from the command line, or from /etc/rc.local.
I got the task of converting some iptables rules into puppet firewall. I am currently stuck on this:
iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j DROP -m comment --comment "drop new not syn"
I can't find a method to use neither --match or --ctstate in Puppet Firewall. How can I do this?
The git repository now contains the ctstate option.
You have to either use git version or wait for a new release on the puppet forge.
Hope this helps.