so say for instance i have an iptables rule that is of the sort
iptables -I PREROUTING 1 -p udp 1000 -j DNAT --to-dest 192.168.1.10:1010
is there a way that i can midway through the connection based on say a u32 match or a string match further redirect the incoming ports connection to another ip
so in laymans terms i have forwarded port 1000 to an internal ip and port, and upon transmission of a packet that meets a certain criteria "re DNAT" that connection to another internal ip
I would think that I could insert this rule before hand and effectuate what i want but it consistently just skips over the rule
iptables -I PREROUTING 1 -p udp 1000 -m string --algo bm "stringtomatch" -j DNAT --to-dest 192.168.1.100:1010
should it maybe be after... and should i change the port on the secondary rule to the changed port address?
Related
Daily once, the following IP range is sending multiple requests per second. During the attack a strange browser is being used that is mentioned below:
IP Range: 192.168.1.100-192.168.1.200
Port: 80 (Apache web server)
Browser Name: X11: Crawler
In other times, I receive legitimate traffic (with other browsers) from mentioned IP rage. Therefore, I can't block this IP range completely.
I would like to limit the aggregate connections (of the mentioned IP range only) to 15/minute. Is the following iptable rule correct?
iptables -A INPUT -p tcp --syn --dport 80
-m string --algo bm --string "X11: Crawler" \
-m iprange --src-range 192.168.1.100-192.168.1.200 \
-m connlimit --connlimit-above 15/minute --connlimit-mask 32 \
-j REJECT --reject-with tcp-reset
i think this working
iptables -A INPUT -p tcp --destination-port 80 -m iprange --src-range 192.168.1.100-192.168.1.200 -j ACCEPT
if you want banned IP range change ACCEPT with DROP
I have network setup like this with external and internal network.
I have successfully got squid running with proxy for internal browser and now I want to set up as transparent but having some problem.
network
First, I did change "http_port 8080 intercept" but having trouble with setting up correct Iptables on the external server as the packet is not getting back to squid box.
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -0 lo -j ACCEPT
iptables -t nat -A POSTROUTING -o enpos3 (this is NAT) -j MASQUERADE
iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 8080 -j ACCEPT
iptables -t nat -A PREROUTING -i enp0s3 -p tcp --dport 80 -j DNAT --to-destination 10.10.1.254:8080
iptables -t nat -A PREROUTING -i enp0s8 -p tcp --dport 80 -j REDIRECT --to-port 8080
This is far as I got and internet works fine on internal pc but I'm not sure how to redirect http 80 packet to Squid box (10.10.1.254:8080)
Couple of things.
From the diagram it is not clear where is the Squid Box. Considering you are setting up a Transparent proxy it will be in between your internal network and WAN connection which I believe you might have taken care of. Please check
Considering this a dual homed box you need to set Default Gateway to point to your Squid Box WAN interface.
You do need Reverse Path Forwarding enabled.
Last but least IP packet forwarding enabled.
I can't seem to find the right combination of search terms to google for this answer, but what would I have to do if I wanted to create my own elastic ip that I could point to any other up address using my own private hosting? What would some of the bottlenecks be?
To add more detail: Amazon's Elastic is not simply a server that you pass requests too and it then makes the requests for you and passes back the data that's returned like some sort of VPN. Their service allows you to make a request to one IP address and have it be as if you made that request to another IP address entirely. How do they do this?
tI believe this can be done via simple iptables rules and Network Address Translation (NAT), I am unsure how AWS does it on their backend.
A simple rule
iptables -t nat -I PREROUTING -d 99.99.99.99 -j DNAT --to-destination 12.34.56.78
In this rule, we will be adding a rule to the top of the NAT Prerouting table, this will be the first rule evaluate by every packet - be weary, many rules will slow down your packet flow - you should study up on iptables if you go down this route.
Here, we will be taking a packet destined to 99.99.99.99 - and the DNAT rule will simply rewrite the destination IP of the packet, and send it on its way.
To delete the rule, simply change the -I to -D.
A basic failover of the above rule to a new server
iptables -t nat -D PREROUTING -d 99.99.99.99 -j DNAT --to-destination 12.34.56.78 # Delete existing forward
iptables -t nat -I PREROUTING -d 99.99.99.99 -j DNAT --to-destination 87.65.43.21 # Add new forward
Note that you will also need to have rules in the Filter Forward table as well for each destination you plan to send packets to.
iptables -t filter -I FORWARD -d 12.34.56.78 -j ACCEPT
iptables -t filter -I FORWARD -d 87.65.43.21 -j ACCEPT
edit
You have asked about load balancing, so here is this as well, load balancing connections between 3 hosts.
iptables -t nat -I PREROUTING -d 99.99.99.99 --mode nth --every 1 --packet 0 -j DNAT --to-destination x.y.z.1
iptables -t nat -I PREROUTING -d 99.99.99.99 --mode nth --every 2 --packet 0 -j DNAT --to-destination x.y.z.2
iptables -t nat -I PREROUTING -d 99.99.99.99 --mode nth --every 3 --packet 0 -j DNAT --to-destination x.y.z.3
If you wanted to restrict this to either HTTP / HTTPS, you would filter those ports accordingly:
iptables -t nat -I PREROUTING -d 99.99.99.99 -p tcp --dport 80 -j DNAT --to-destination 12.34.56.78:80
It may help, it may just be even more confusing, but here is a page with some useful rules.
need to test an application which uses the UDP port range from 5000 to 60,000 in. i want to test the boundary value condition for ports. so i want to block UDP ports range from 5000 to 59999.
Using iptables:
iptables -A INPUT -p udp --dport 5000:59999 -j DROP
or, better,
iptables -A INPUT -p udp --dport 5000:59999 -j REJECT --reject-with icmp-port-unreachable
I want to drop incoming traffic of my Linux host based on TCP option field.
Like TCP option 30 Multi path TCP.
If packet contain multi-path tcp notation or option field 30, then my Linux host needs drop the connection or packet.
My setup is host 1 <-> host 2 <-> host 3.
Host 1 sends packet via host 2 to host 3.
Host 2 have two interfaces eth0 and eth1.
eth0 connects host 1 and eth1 connects host 3.
When incoming eth 0 packets contains option field 30, I just want to cancel the connection or drop the packets.
I tried iptables string compare, but it didn't works.
The command is,
sudo iptables -I INPUT -j DROP -p tcp -s 0.0.0.0/0 -m string --string "Multipath TCP" --algo bm.
But above rule doesnot stop the multipath TCP to send and receive via host 2 eth0, eth1.
host 2 not able to drop the multi-path TCP (option field 30) traffic.
Is it possible to drop a specif TCP packet based on option field.
First, you need to add the rule in FORWARDING chain on host2 (the reason is the packets are not targeted to host2 and will not hit the INPUT chain).
There is an option available in iptables to match the TCP options. Please try the following iptables command:
iptables -I FORWARD -p tcp --tcp-option 30 -j DROP