Iptables, exclude single ip from prerouting Captive Portal [closed] - linux

Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 7 years ago.
I need help to exclude a single IP address from a prerouting rule on all ports.
Anybody who connects to my access point gets redirected to my Captive Portal (Landing Page). Therefore I want to make a new rule; I don't want my existing prerouting rule to be modified/deleted.
The prerouting rule I already made routes incoming ports, except port 22 (SSH), to the captive portal. Therefore I use this rule:
sudo iptables -t nat -A PREROUTING -p tcp --match multiport ! --dport 22 ! -s 192.168.42.19 -j DNAT --to-destination 192.168.42.1:8080
What I want is to make an exclusion for specific users; therefore I want to stop certain IP addresses from being forwarded.
I tried different things, but I can't get anything to work.
I tried different INPUT and OUTPUT rules, but no luck. I think I should do something with PREROUTING, but how?

If you're just trying to prevent some traffic from hitting a specific rule, you could put a RETURN or ACCEPT rule for that traffic before the rule you're trying to avoid.
For example, you could change your current rule to three rules:
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -s 192.168.42.19 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -j DNAT --to-destination 192.168.42.1:8080
Note the difference between ACCEPT and RETURN (from iptables(8) man page):
ACCEPT means to let the packet through.
RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain.
Using this approach, you could leave your current rule alone and precede it with an arbitrary number of rules that describe the different types of traffic that you don't want to hit your NAT rule.
Looking at iptables counters is a good way to tell whether your traffic is hitting the rules that you expect (e.g. iptables -t nat -L PREROUTING -vn).


Apply restrictions on iptables [closed]

Closed 6 days ago.
With the following commands, I forward the incoming traffic to the server on to another IP:
sudo sysctl net.ipv4.ip_forward=1
sudo iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination <ip1>
sudo iptables -t nat -A PREROUTING -j DNAT --to-destination <ip2>
sudo iptables -t nat -A POSTROUTING -j MASQUERADE
I want to create a limit on the ports; that is, only 2 connections can be made on each port.
How can I do this?

iptables how to specify port forwarding for only a few IPs [closed]

Closed 2 years ago.
I inherited a complex iptables script acting as our gateway/router. It handles everything well, including NAT and hairpin NAT. It also does port forwarding. However, the port forwarding can't be specified by source IP. So if port 25 is forwarded, every IP can connect to that port.
The FORWARD chain policy is ACCEPT. I tried to change it to DROP and built some rules. It seems that there is too much work in specifying rules for every allow scenario.
What I am looking for is to specify things like this:
iptables -A FORWARD -p tcp -i $WAN_IFACE --dport 25 -s (!(1.1.1.1 and 1.1.1.2)) -j DROP
But iptables does not support "and" and "or".
Is there any way to implement this?
You can create a new chain for all packets going to Port 25 and then do more specific filtering there:
iptables -N port25
iptables -A FORWARD -p tcp -i $WAN_IFACE --dport 25 -j port25
iptables -A port25 -s 1.1.1.1 -j ACCEPT
iptables -A port25 -s 1.1.1.2 -j ACCEPT
iptables -A port25 -j DROP
The creation of user-defined chains is the way to implement "and" and "or" rules.
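Both answers above (exempting a few hosts from the captive-portal DNAT, and allowing port 25 forwarding only from a few sources) have the same shape: a user-defined chain holding the exception list, followed by one catch-all rule. The script below is an added example, not code from either answer; it assumes the chain names CAPTIVE and port25 and the interface variables AP_IFACE and WAN_IFACE, and it can be dry-run with IPTABLES=echo so the generated commands are printed instead of applied.

```shell
#!/bin/sh
# Added example, not from either answer. Both problems (exempt a few hosts from a
# captive-portal DNAT; allow port 25 forwarding only from a few sources) are the
# same shape: a user-defined chain holding the exception list, then one rule that
# everything else hits. Changing the list never touches the DNAT or DROP rule.
# Assumed names: chains CAPTIVE and port25, interfaces in AP_IFACE and WAN_IFACE.
# Dry run: IPTABLES=echo sh chains.sh captive   prints the commands instead of applying.

ipt() { "${IPTABLES:-iptables}" "$@"; }

# rebuild_chain TABLE CHAIN "IP IP ..." EXCEPTION_TARGET FINAL_RULE...
# Creates CHAIN (or flushes it if it already exists), adds one EXCEPTION_TARGET
# rule per source IP, then appends FINAL_RULE as the catch-all for everything else.
rebuild_chain() {
    table=$1; chain=$2; ips=$3; target=$4; shift 4
    ipt -t "$table" -N "$chain" 2>/dev/null || ipt -t "$table" -F "$chain"
    for ip in $ips; do
        ipt -t "$table" -A "$chain" -s "$ip" -j "$target"
    done
    ipt -t "$table" -A "$chain" "$@"
}

# add_jump_once TABLE PARENT MATCH... : append the jump only if it is not there yet (-C = check)
add_jump_once() {
    table=$1; parent=$2; shift 2
    ipt -t "$table" -C "$parent" "$@" 2>/dev/null || ipt -t "$table" -A "$parent" "$@"
}

# Exempt hosts RETURN to PREROUTING, so later PREROUTING rules still apply to them;
# all other TCP traffic except SSH is redirected to the portal.
captive_portal() {
    rebuild_chain nat CAPTIVE "$1" RETURN -p tcp ! --dport 22 -j DNAT --to-destination 192.168.42.1:8080
    add_jump_once nat PREROUTING -i "${AP_IFACE:-wlan0}" -j CAPTIVE
}

# Only the listed sources may reach the forwarded port 25; everything else is dropped.
port25_allowlist() {
    rebuild_chain filter port25 "$1" ACCEPT -j DROP
    add_jump_once filter FORWARD -i "${WAN_IFACE:-eth0}" -p tcp --dport 25 -j port25
}

# "show" lists per-rule packet counters: they tell whether traffic hit an exception or the catch-all.
case "${1:-}" in
    captive) captive_portal "192.168.42.19 192.168.42.20" ;;
    port25)  port25_allowlist "1.1.1.1 1.1.1.2" ;;
    show)    ipt -t nat -L CAPTIVE -vn; ipt -L port25 -vn ;;
esac
```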

Strange behavior when configuring iptables over SSH [closed]

Closed 7 years ago.
I am trying to apply these firewall rules over SSH. When I run the script with ./script.sh, the terminal will hang and I am forced to quit using ~ . Enter. The rules are applied, but my SSH connection is dropped and my terminal hangs. However, when I do bash -x ./script.sh, it runs the script while outputting debug information and doesn't interrupt my session.
My firewall rules are simple. Allow incoming/outgoing SSH and allow outgoing DNS and HTTP/S for updates.
This behavior was witnessed on Red Hat, Debian, and Ubuntu machines.
I assume you are running the script in an SSH session established on the default port 22;
then please replace the SSH rules
iptables -A INPUT -p tcp -m tcp --dport 22 -m limit --limit 5/minute --limit-burst 15 -m state --state NEW -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
with a less restrictive set, i.e.
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp --sport 22 -j ACCEPT
Once you get it working, you can add the more restrictive parameters back to these simpler rules one at a time.
Please consider that if your input rule includes
--state NEW
only new SSH connections will be accepted; already established ones will not.
Move this rule to the top and test again:
iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
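A safer way to test rule changes over SSH, as an added example that is not part of the question or answer: save the current ruleset, apply the new script, and have a detached watchdog restore the saved ruleset unless you confirm within a grace period. It assumes iptables-save and iptables-restore are on the PATH and uses /run/fw.confirmed as the confirmation file.

```shell
#!/bin/sh
# Added example, not part of the question or answer: apply a firewall script over SSH
# with an automatic rollback. If the new rules cut the session, nobody can confirm
# them, so the saved ruleset is restored when the grace period ends.
# Assumed commands/paths: iptables-save, iptables-restore, /run/fw.confirmed.
#
# Usage: sh safe_apply.sh ./script.sh 60
#        then, from a surviving or new session:  touch /run/fw.confirmed

# rollback_unless_confirmed GRACE_SECONDS CONFIRM_FILE BACKUP_FILE
# Waits, then restores BACKUP_FILE unless CONFIRM_FILE was created meanwhile.
# Returns 0 if the new rules were kept, 1 if they were rolled back.
rollback_unless_confirmed() {
    sleep "$1"
    if [ -e "$2" ]; then
        rm -f "$2" "$3"
        return 0
    fi
    "${IPTABLES_RESTORE:-iptables-restore}" < "$3"
    rm -f "$3"
    return 1
}

# safe_apply SCRIPT [GRACE_SECONDS]
safe_apply() {
    script=$1; grace=${2:-60}; confirm=${CONFIRM_FILE:-/run/fw.confirmed}
    backup=$(mktemp) || return 1
    "${IPTABLES_SAVE:-iptables-save}" > "$backup" || return 1
    rm -f "$confirm"
    # The watchdog ignores SIGHUP and is detached from the terminal, so a dropped
    # SSH session does not kill it before it can roll back.
    ( trap '' HUP INT; rollback_unless_confirmed "$grace" "$confirm" "$backup" ) </dev/null >/dev/null 2>&1 &
    sh "$script"
    echo "new rules are live; 'touch $confirm' within ${grace}s keeps them, otherwise they are rolled back"
}

if [ $# -gt 0 ]; then safe_apply "$@"; fi
```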

IPTables 1:1 NAT on a single port [closed]

Closed 8 years ago.
I am trying to figure out how to add a 1:1 NAT with IPTables but only on a single port, I know how to forward all traffic, but can't seem to find anything on a single port such as
192.168.1.1:21 -> 172.16.1.1:21
192.168.1.2:21 -> 172.16.1.2:21
192.168.1.3:21 -> 172.16.1.3:21
192.168.1.4:21 -> 172.16.1.4:21
I can't do this by, say, allowing only one port, because there are other applications also doing traffic redirections on other ports.
All I have so far is something like this, but it doesn't specify the IP it originally landed on as a parameter.
sysctl net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp --dport port -j DNAT --to-destination ip:port
iptables -t nat -A POSTROUTING -j MASQUERADE
Use the -d flag to specify the original destination.
iptables -t nat -A PREROUTING -d <external-ip> -p tcp --dport port -j DNAT --to-destination <internal-ip>:port

How to allow a domain name in iptables? [closed]

Closed 7 years ago.
I have a linux server that gets a time offset for some strange reason.
I set up a cron job to run and update the time using the following command:
/usr/sbin/ntpdate pool.ntp.org
The problem is the command would not run because I have a firewall (iptables).
I have always used IPs to allow traffic in my network:
iptables -A INPUT -p tcp -m tcp -i eth0 -s 11.11.11.11 --dport 5060 -j ACCEPT
I would like to know how to do it using a domain name, which in this case would be pool.ntp.org.
Or maybe someone could tell me a better way to keep the clocks in sync.
Please advise.
Typically, iptables is set up to restrict incoming TCP and UDP connections initiated by remote hosts to the server except as needed. But all outgoing TCP and UDP connections initiated by the server to remote hosts are allowed, and state is kept so that replies are allowed back in, like so:
# Allow TCP/UDP connections out. Keep state so conns out are allowed back in.
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
If your iptables is set up like so, it will allow ntpdate to make an outgoing connection to pool.ntp.org, and it will allow the reply back in. And you can still block incoming connections to the server initiated by other hosts.
