I am trying to add iptable rules from a rules file rather than shell. This is what I have tried, but it doesn't seem to take any sort of effect. Is there something wrong with the way I am setting it up?
iptables.rules
IPT="/sbin/iptables"
# Flush old rules, old custom tables
$IPT --flush
$IPT --delete-chain
# Set default policies for all three default chains
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
iptables
#!/bin/bash
/sbin/iptables-restore < /etc/iptables.up.rules
Shell commands
ln -s $HOME/config/iptables.rules /etc/iptables.up.rules
ln -s $HOME/config/init/iptables /etc/network/if-pre-up.d/iptables
chmod +x /etc/network/if-pre-up.d/iptables
See the post by miguimon at https://bbs.archlinux.org/viewtopic.php?pid=636996
This is basically a shell script that you can use to enable/disable the firewall rules in the script. Then, you can run the script from the command line, or from /etc/rc.local.
Related
I need to execute this command on Linux server.
string command = $"sudo iptables -I INPUT -m state --state NEW -m tcp -p tcp --dport {port} -j ACCEPT";
When I run the app in VirtulBox, the terminal asks me for a password.
Will this also happen on the server? I can't login to the server and don't know the password.
How can I run the command so that it does not ask for password?
Login to the terminal as root. Make a backup of your /etc/sudoers file.
# cp /etc/sudoers /root/sudoers.bak
Then edit this file by using the visudo command:
# visudo
Edit or append this line, replacing username with the user that will be running your script:
username ALL = NOPASSWD: /usr/sbin/iptables
Save and exit the file.
Test it by executing sudo, from your user account:
$ sudo iptables -V
Now your user can use sudo to execute the iptables command.
If you whant to do this from Linux machine:
You can writ a script with:
sshpass -p "PASSWORD" user#server
and give only execute premition.
I am trying to link a window from another session by specifying target session using format variable. In that way I hope to get it always linked next to the current active window.
The hard coded version of the working command:
:link-window -a -s 1:remote -t 0:2
in which case I specify a target pane literaly. When I try any of:
:link-window -a -s 1:remote -F -t "#{session_name}":"#{window_index}"
:link-window -a -s 1:remote -F "#{session_name}":"#{window_index}"
:link-window -a -s 1:remote -t "#{session_name}":"#{window_index}"
I got an error. The notable part here is that when I do use -F flag, the usage for link-window command is displayed. And when I omit it and use only -t, the error is cann't find window #{session_name}
Does it mean that link-window command simply doesn't support format variables?
-t does not support format variables and link-window does not support -F. run-shell will expand so you can do it by doing, for example:
run "tmux linkw -t '#{session_name}'"
I am running a docker image of Linux and trying to achieve following:
Run a docker
Create a user test
Stop the user test from internet access
1 and 2 work but I am stuck at #3.
What I tried?
Run iptables -t mangle -A OUTPUT -o eth0 -m owner --uid-owner 501 -j DROP. This command failed with error message "getsockopt failed strangely: Operation not permitted". I was unable to find the root cause
Change the sudoer file and add an entry test ALL=!/bin/ping. This was to see if I am able to stop user test from running ping command. However, this change in sudoer file had no affect and user test was able to run ping command. Assuming this would work, my intent was to play around with sudoer to achieve my goal
Is there a recommendation or suggestion to solve this problem?
To block all internet access for a certain users using iptables command.
sudo iptables -A OUTPUT -m owner --uid-owner {USERNAME} -j REJECT
If you want this command to run when the system starts up, you should add it to the end of your /etc/rc.local file.
command to reverse above:
sudo iptables -D OUTPUT -m owner --uid-owner {USERNAME} -j REJECT
or you can reboot. Unless you've added the line to /etc/rc.local, it's not persistent, and if you have, then you can just remove that line.
you can read more
I have an embedded Linux firmware running on a home router. When I run the following commands one by one from the terminal as root, it works without any errors and serves my purpose. I know this is not a secure policy. This is only to test something.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -A INPUT -p tcp -i eth1 --dport 4444 -j ACCEPT
However, when this is run in a bash script as root as below,
#!/bin/bash
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -A INPUT -p tcp -i eth1 --dport 4444 -j ACCEPT
it gives the following error:
iptables: Bad policy name. Run `dmesg' for more information.
iptables: Bad policy name. Run `dmesg' for more information.
iptables: Bad policy name. Run `dmesg' for more information.
iptables: No chain/target/match by that name.
iptables: No chain/target/match by that name.
I have confirmed that the last line of bash script executes without errors and the entry can be seen in iptables. However, all the other lines throw an error. What am I doing wrong? Surprisingly, the same batch script works fine on my Ubuntu machine.
Did you create the script in Windows, or in some other way that gave it Windows line endings (CRLF) where the router is expecting Unix line endings (LF)?
That would lead to the interpreter reading an extra unprintable character on the end of each of the commands, which would give the errors shown.
You can check by running cat -v myScript.sh. Incorrect Windows line endings will show as:
iptables -P INPUT ACCEPT^M
iptables -P FORWARD ACCEPT^M
iptables -P OUTPUT ACCEPT^M
iptables -F^M
iptables -X^M
iptables -A INPUT -p tcp -i eth1 --dport 4444 -j ACCEPT
I'm trying to test how our app handles when the Docker registry becomes unavailable for it to pull Docker images, and want to mimic the situation.
I don't have any control over the firewall rule of the network or DNS of the servers. The only changes I can make are on the VM I'm using, like VM configurations and Docker configurations. Wondering what I can do to make it as if Dockerhub is down?
You can use the iptables to filter the output on your VM and dropping packet
For example :
# iptables -A OUTPUT -d 192.168.12.34 -j DROP
or
# iptables -A OUTPUT -p tcp -d 192.168.12.34 --dport 80,443 -j DROP