ip not rejected - iptables - linux

I was trying to reject a specific IP from connecting to my web server, so I used the following command:
# iptables -A INPUT -s 65.55.44.100 -j DROP
# service iptables save
After killing all httpd processes and restarting httpd, the IP is still showing up in netstat in the following format:
::ffff:65.55.44.100:port
Shouldn't the new iptable rule deny this IP from connecting?

That is IPv6 and it is managed via ip6tables.
ip6tables -A INPUT -s ::ffff:65.55.44.100 -j DROP
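As an added example (not part of the original question or answer): the ::ffff:a.b.c.d form that netstat prints is an IPv4-mapped IPv6 address, which is how a dual-stack AF_INET6 listening socket such as httpd's reports a peer that connected over plain IPv4. Those packets are IPv4 on the wire and are filtered by the IPv4 tables; only native IPv6 peers are ip6tables' business. The script below uses Python's standard ipaddress module on a constructed netstat -tn sample to sort foreign addresses into the table a block rule belongs in, and builds the rule with -I (insert at the top) rather than -A, since an appended rule sits behind whatever ACCEPT rules are already in INPUT. The sample addresses are made up.

```python
import ipaddress

# Constructed sample of `netstat -tn` output: a dual-stack (tcp6) web server
# socket reports IPv4 peers in IPv4-mapped form, a native IPv6 peer as-is,
# and a plain IPv4 socket (sshd here) as dotted quad.
SAMPLE_NETSTAT = """\
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:65.55.44.100:51234 ESTABLISHED
tcp6       0      0 ::ffff:10.0.0.5:80      ::ffff:65.55.44.100:51240 TIME_WAIT
tcp6       0      0 2001:db8::5:80          2001:db8:1::9:40021       ESTABLISHED
tcp        0      0 10.0.0.5:22             192.0.2.7:55100           ESTABLISHED
"""


def split_endpoint(endpoint):
    """Split 'addr:port' where addr may itself contain colons (IPv6)."""
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port)


def classify_peer(addr):
    """Return (address as netfilter sees it, table that filters it)."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        # ::ffff:x.y.z.w is IPv4 on the wire: the IPv4 tables (iptables)
        # see it, ip6tables never does.
        return str(ip.ipv4_mapped), "iptables"
    return str(ip), "iptables" if ip.version == 4 else "ip6tables"


def peers_from_netstat(text):
    """Map each foreign address to the table a block rule for it belongs in."""
    peers = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not fields[0].startswith("tcp"):
            continue
        foreign_addr, _ = split_endpoint(fields[4])
        ip, table = classify_peer(foreign_addr)
        peers[ip] = table
    return peers


def drop_rule(ip, table):
    """Insert at position 1 so the rule is evaluated before any existing ACCEPT."""
    return f"{table} -I INPUT 1 -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, table in peers_from_netstat(SAMPLE_NETSTAT).items():
        print(drop_rule(ip, table))
```

After loading the rule, `iptables -L INPUT -v -n --line-numbers` shows both where the DROP sits relative to the other rules and whether its packet counter moves; a rule appended with -A lands at the end of the chain and, on a ruleset that already accepts the port or ends in a REJECT-all, is never reached.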

Related

How to restrict access to my subversion server (i.e. svnserve) by IP address, so only my IP can checkout, commit, etc.?

I'm using Ubuntu and I have my subversion server running as you can see below:
root 31422 1 0 06:45 ? 00:00:00 /usr/bin/svnserve -d -r /var/svn/repos --log-file=/var/log/svnserve.log
I want to whitelist my subversion server, in other words, I want to allow only my IP address to checkout, commit, log, etc. Does svnserve support that?
NOTE: I'm not using Apache to access my subversion.
svnserve listens on TCP port 3690 by default, so you can use any firewalling solution to restrict access to this port. For example with iptables:
# Let the internal network access it
iptables -A INPUT -s 192.168.0.0/16 -p tcp --dport 3690 -j ACCEPT   # RFC 1918 192.168.0.0/16
# Let a specific external IP access it
iptables -A INPUT -s 1.1.1.1 -p tcp --dport 3690 -j ACCEPT
# Drop all the rest
iptables -A INPUT -p tcp --dport 3690 -j DROP
It would, however, be better security-wise if you switched to Apache + dav_svn, as you get SSL encryption and user authentication, and it's not too complicated to set up: http://svnbook.red-bean.com/en/1.7/svn.serverconfig.httpd.html

Why do I see DST="127.0.0.53" on -j REDIRECTed packets?

I am confused about a situation in my NATed network. I start dnsmasq on the router with listen-address=192.168.100.1 and the -p 5353 option for the DNS port. Afterwards, I add an iptables rule for hosts inside that network:
iptables -t nat -I PREROUTING -s 192.168.100.0/24 \
-d 192.168.100.1 -p udp --dport 53 -j REDIRECT --to-ports 5353
But this didn't work the first time, since my INPUT policy is DROP; when I add this rule, everything starts to work:
iptables -I INPUT -p udp --dport 53 -d 127.0.0.53 -j ACCEPT
I discovered this address with the help of -j LOG on my INPUT chain, where I saw packets dropped like SRC=127.0.0.1 DST=127.0.0.53 ... when a NATed host tries to resolve a hostname.
As I am writing an automated script that generates the correct netfilter rules for this situation, I need to know where this 127.0.0.53 could come from.
I see the same address in /etc/resolv.conf. But I don't understand who is routing this packet to this address when it is "redirected", if I am even close to understanding what happens.
systemd-resolved sets up a stub listener for DNS requests locally on 127.0.0.53:53.
Try disabling it to proceed: sudo systemctl disable systemd-resolved

How to delete/unblock my server IP in iptables on Ubuntu?

My first server blocked my second server's IP and I don't have access now.
The command iptables -L -n | grep xx.xxx.xxx.xx
gives me a result like:
ACCEPT all -- xx.xxx.xxx.xx 0.0.0.0/0
REJECT all -- xx.xxx.xxx.xx 0.0.0.0/0 reject-with icmp-port-unreachable
The xx.xxx.xxx.xx is the same IP, and it is my server's IP.
I have two rules, ACCEPT and REJECT, for this IP.
How can I give access to my server IP in iptables and prevent blocking my IP?
Many thanks for help.
To recreate your issue:
iptables -A INPUT -s 10.64.7.109 -j ACCEPT
iptables -A INPUT -s 10.64.7.109 -j REJECT
iptables -P INPUT DROP
but that will not block 10.64.7.109, since the first rule hit will be the ACCEPT.
You are only sharing the output that specifically has the IP you are interested in, so I cannot see what rules above these two would be blocking it.
You can allow this IP by inserting a rule in position 1, which will resolve your issue, but without seeing all your rules I cannot say it is the most appropriate way to resolve the issue.
iptables -I INPUT 1 -s 10.64.7.109 -j ACCEPT
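As an added example (not from any of the answers above): a small model of an iptables chain with first-match semantics, which is the point behind three of the threads on this page. It replays the ACCEPT/REJECT pair from this answer and a hypothetical earlier rule that the asker's grep would hide, the svnserve allow-list from the subversion answer (passing a mask such as 192.168.0.0/8 shows how iptables masks off the host bits and matches all of 192.0.0.0/8), and, for the first question, a DROP appended with -A behind an assumed stock RHEL-style chain (conntrack ACCEPT first, REJECT-all last), where it is never reached. The chains marked assumed are not from the posts; only the match options used on this page are modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    """One iptables rule: target plus the match options used on this page."""
    target: str                           # ACCEPT, DROP or REJECT
    src: Optional[str] = None             # -s address or CIDR
    proto: Optional[str] = None           # -p tcp / udp
    dport: Optional[int] = None           # --dport
    state: Optional[frozenset] = None     # -m state --state A,B


@dataclass
class Packet:
    src: str
    proto: str
    dport: int
    state: str = "NEW"                    # conntrack state of this packet


class Chain:
    """Minimal model of an iptables chain: the first matching rule decides."""

    def __init__(self, policy="ACCEPT"):
        self.policy = policy
        self.rules = []

    def append(self, rule):               # iptables -A CHAIN ...
        self.rules.append(rule)

    def insert(self, rule, pos=1):        # iptables -I CHAIN [pos] ...
        self.rules.insert(pos - 1, rule)

    def verdict(self, pkt):
        """Return (target, rule_number) of the first match, else (policy, None)."""
        src = ipaddress.ip_address(pkt.src)
        for number, r in enumerate(self.rules, 1):
            # strict=False mirrors iptables, which masks host bits off the
            # address: "192.168.0.0/8" silently becomes 192.0.0.0/8.
            if r.src is not None and src not in ipaddress.ip_network(r.src, strict=False):
                continue
            if r.proto is not None and r.proto != pkt.proto:
                continue
            if r.dport is not None and r.dport != pkt.dport:
                continue
            if r.state is not None and pkt.state not in r.state:
                continue
            return r.target, number
        return self.policy, None


def recreate_question(ip="10.64.7.109"):
    """The two rules from the answer above, in the order the asker has them."""
    chain = Chain(policy="DROP")
    chain.append(Rule("ACCEPT", src=ip))
    chain.append(Rule("REJECT", src=ip))
    return chain.verdict(Packet(ip, "tcp", 22))           # ("ACCEPT", 1)


def hidden_earlier_rule(ip="10.64.7.109"):
    """Assumed scenario (not from the post): a rule above the pair, hidden by
    the asker's grep, already rejects the traffic; -I INPUT 1 gets ahead of it."""
    chain = Chain(policy="DROP")
    chain.append(Rule("REJECT", proto="tcp", dport=22))    # hypothetical blocker
    chain.append(Rule("ACCEPT", src=ip))
    chain.append(Rule("REJECT", src=ip))
    before = chain.verdict(Packet(ip, "tcp", 22))          # ("REJECT", 1)
    chain.insert(Rule("ACCEPT", src=ip), 1)                # iptables -I INPUT 1 -s ip -j ACCEPT
    after = chain.verdict(Packet(ip, "tcp", 22))           # ("ACCEPT", 1)
    return before, after


def svnserve_chain(internal="192.168.0.0/16"):
    """The svnserve allow-list from the subversion answer on this page."""
    chain = Chain(policy="ACCEPT")
    chain.append(Rule("ACCEPT", src=internal, proto="tcp", dport=3690))
    chain.append(Rule("ACCEPT", src="1.1.1.1", proto="tcp", dport=3690))
    chain.append(Rule("DROP", proto="tcp", dport=3690))
    return chain


def appended_drop_never_matches(peer="65.55.44.100"):
    """Assumed stock RHEL-style INPUT chain (conntrack ACCEPT first, port 80
    open, a final REJECT-all) with the DROP from the first question appended."""
    chain = Chain(policy="ACCEPT")
    chain.append(Rule("ACCEPT", state=frozenset({"ESTABLISHED", "RELATED"})))
    chain.append(Rule("ACCEPT", proto="tcp", dport=80))
    chain.append(Rule("REJECT"))
    chain.append(Rule("DROP", src=peer))                    # never reached
    new = chain.verdict(Packet(peer, "tcp", 80, "NEW"))                  # ("ACCEPT", 2)
    established = chain.verdict(Packet(peer, "tcp", 80, "ESTABLISHED"))  # ("ACCEPT", 1)
    return new, established
```

The model only looks at the fields the rules on this page match on; real chains also branch into user-defined chains and non-terminating targets such as LOG, so use `iptables -L INPUT -v -n --line-numbers` on the live box to see the actual order and the counters.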

How to restrict direct access to a node.js server

I have an apache web server where most of my content is hosted, and then I have a node.js server I'm using for various tasks as well. I want users to be able to get information from my node.js server only through reverse proxy from my apache server. I understand how to set up a reverse proxy using mod_proxy on the apache side, but how can I restrict access to the node server except through an apache virtual host? One option I'm sure would work is to host my node server on a separate box and block any ip address except the apache server. Is there a way though that I could have them both running on the same machine and configure node to reject requests except from the apache server?
You could have them running on the same box. In the Node server have something like the following:
const http = require('http');

// Only serve peers that arrived over loopback. A server bound to the dual-stack
// wildcard reports an IPv4 loopback peer as '::ffff:127.0.0.1', so a bare
// comparison against '127.0.0.1' would wrongly deny the Apache proxy.
const LOOPBACK = new Set(['127.0.0.1', '::1', '::ffff:127.0.0.1']);

http.createServer((req, res) => {
  if (!LOOPBACK.has(req.socket.remoteAddress)) {
    res.writeHead(403, {"Content-Type": "text/plain"});
    res.end('403 Access Denied');
    return;
  }
  // allow access
  doSomething(req, res);
}).listen(3000);
Of course, that allows other processes on the same box to connect to the Node server.
I've done this using iptables, allowing incoming connections to port 80 for the webserver. Access to port 3000 from the webserver is allowed because it's coming from the same host.
Here's an example rule file:
*filter
# Allows all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
# Accepts all established inbound connections
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allows all outbound traffic
# You could modify this to only allow certain traffic
-A OUTPUT -j ACCEPT
# Allows connections for HTTP
-A INPUT -p tcp --dport 80 -j ACCEPT
# Allows SSH connections
-A INPUT -p tcp -m state --state NEW --dport 22 -j ACCEPT
# Now you should read up on iptables rules and consider whether ssh access
# for everyone is really desired. Most likely you will only allow access from certain IPs.
# Allow ping
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
# log iptables denied calls (access via 'dmesg' command)
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7
# Reject all other inbound - default deny unless explicitly allowed policy:
-A INPUT -j REJECT
-A FORWARD -j REJECT
COMMIT
Put this file on your server (e.g. /etc/iptables.up.rules), and run iptables-restore to load it:
iptables-restore < /etc/iptables.up.rules
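As an added example (not from either thread), a parser for the kernel's netfilter LOG lines, run over constructed dmesg output in the shape the `--log-prefix "iptables denied: "` rule in the file above writes. The same -j LOG trick is what surfaced the dropped SRC=127.0.0.1 DST=127.0.0.53 packets in the dnsmasq/systemd-resolved question earlier on this page; the `loopback_drops` helper picks those out, because a DROP policy without an `-i lo -j ACCEPT` rule (which the rule file above does have) also drops local daemons talking to each other over loopback, such as a forwarder querying the 127.0.0.53 stub. All addresses and timestamps in the sample are made up.

```python
import re
from collections import Counter

# Constructed dmesg excerpt. Two loopback DNS queries dropped on the way to the
# systemd-resolved stub, two external SYNs rejected (node port 3000 and ssh),
# and one unrelated kernel line that the parser must ignore.
SAMPLE_DMESG = """\
[ 1201.480311] iptables denied: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=41227 DF PROTO=UDP SPT=54120 DPT=53 LEN=44
[ 1201.480902] iptables denied: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=64 TOS=0x00 PREC=0x00 TTL=64 ID=41228 DF PROTO=UDP SPT=54120 DPT=53 LEN=44
[ 1305.112004] iptables denied: IN=eth0 OUT= MAC=... SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44120 DPT=3000 WINDOW=29200 RES=0x00 SYN URGP=0
[ 1305.990300] iptables denied: IN=eth0 OUT= MAC=... SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=44121 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
[ 1310.000001] systemd[1]: Started Daily apt download activities.
"""

# KEY=VALUE tokens; VALUE may be empty (OUT= on INPUT-chain logs).
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")


def parse_log_line(line, prefix="iptables denied: "):
    """Return a dict of the KEY=VALUE fields after the log prefix, or None
    for lines that are not netfilter LOG output with that prefix."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    fields = {}
    for key, value in KV_RE.findall(line[idx + len(prefix):]):
        # LEN= appears twice (IP header length, then UDP length); keep the first.
        fields.setdefault(key, value)
    return fields


def summarize_drops(text):
    """Count logged packets per (in_iface, src, dst, proto, dport) flow."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_log_line(line)
        if f is None:
            continue
        counts[(f.get("IN"), f["SRC"], f["DST"], f.get("PROTO"), f.get("DPT"))] += 1
    return counts


def loopback_drops(text):
    """Flows dropped with IN=lo: these are local processes talking to each
    other, which a DROP policy silently breaks unless lo is accepted."""
    return {flow: n for flow, n in summarize_drops(text).items() if flow[0] == "lo"}


if __name__ == "__main__":
    for flow, n in summarize_drops(SAMPLE_DMESG).most_common():
        print(n, flow)
```

Run it against `dmesg` or `journalctl -k` output on the box; any flow that shows up with IN=lo is a sign the ruleset needs the `-A INPUT -i lo -j ACCEPT` line from the rule file above ahead of the rejects.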

Trying to run Virtualbox through TOR middlebox

I REALLY need some help before my laptop goes through the wall.
I want to run a virtual machine through a Tor middlebox. I want the entire VM's connection to go through the Tor network. (I'm wanting to set up my hidden service, and for my needs this will work best.)
I started by looking here - http://www.howtoforge.com/how-to-set-up-a-tor-middlebox-routing-all-virtualbox-virtual-machine-traffic-over-the-tor-network
I know this is old but I figured I'd give it a go anyway.
For reference, my host machine is running Ubuntu 13.04 and the VM will be running 12.04 LTS, on VirtualBox.
Well, I have Tor installed as per the guide, and I have gone through the setup steps. But it didn't work. My VM will not connect to the net. I checked ifconfig and I am receiving an IP address, but I can't get a connection to the web to check I am running through Tor.
I've spent a good few hours on this but I can't get it working; I'm just at point-and-click mode now. I've looked at so many sites, and almost all of them point back to the original. I have tried tweaking the settings and looked at numerous forums, but I can't get this working.
If I try using the Tor Browser Bundle, it refuses to start Tor, stating that it hasn't got permission or can't listen on 172.16.0.1:53. I tried using the Vidalia bundle for the Tor install but that refuses to find the Tor executable (not really an issue).
Here are the settings I am trying to run with...
/etc/network/interfaces
as stated in the guide
/etc/dnsmasq.conf
interface=vnet0
listen-address=192.168.1.1
dhcp-range=172.16.0.2,172.16.0.254,1h
/etc/tor/torrc
VirtualAddrNetwork 10.192.0.0/10
AutomapHostsOnResolve 1
TransPort 9040
TransListenAddress 172.16.0.1
TransListenAddress 192.168.1.1
DNSPort 53
DNSListenAddress 172.16.0.1
DNSListenAddress 192.168.1.1
middlebox.sh
#!/bin/sh
# destinations you don't want routed through Tor
NON_TOR="192.168.1.0/24 192.168.0.0/24"
# the UID Tor runs as
TOR_UID="109"
# Tor's TransPort
TRANS_PORT="9040"
# your internal interface
INT_IF="vnet0"
iptables -F
iptables -t nat -F
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports 53
for NET in $NON_TOR; do
iptables -t nat -A OUTPUT -d $NET -j RETURN
iptables -t nat -A PREROUTING -i $INT_IF -d $NET -j RETURN
done
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports 53
iptables -A FORWARD -i $INT_IF -p udp -j DROP
iptables -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
for NET in $NON_TOR 127.0.0.0/8; do
iptables -A OUTPUT -d $NET -j ACCEPT
done
iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
iptables -A OUTPUT -j REJECT
Does this article help you? http://www.mike-warren.com/articles/routing-vm-traffic-through-tor.html
The short version is:
host runs a tun/tap device
host runs a VDE switch (which puts packets from the VM into the tap device)
host has iptables NAT rules to shovel tap device traffic into Tor
host runs Tor as transparent proxy
VM has static IP, connected to VDE switch
Instead of all that, you could run Tails: https://tails.boum.org/
Consider running Tails as a VM guest.
Use a VM snapshot to avoid booting from the Tails live DVD (ISO).
