Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 9 years ago.
Improve this question
Hi All :) I have a simple question for who is strong in networking and iptables :)
I setup a test Apache server on 192.168.0.1, very simple, and want to concentrate all tcp/ip requests to it.. but unfortunately I cant find the working list options for iptables myself, something keeps not working..
So here what I need: I need to forward all eth0 frames TCP/IP requests directed to external IPs, instead towards the local 192.168.0.1:80 .
E.g. if my browser sends a HTTP request to external ip 1.2.3.4, the kernel has to "rewrite" the destination ip from 1.2.3.4 to 192.168.0.1:80, and send it to my Apache.
And of course the browser has to receive the answer back.
What is the list of rules? Thanks :)
Everything depends on where you want to apply that rule. On the machines generating the traffic? On the gateway? Somewhere else?
The solution for the machine making the request is:
iptables -t nat -A OUTPUT -m tcp -p tcp ! -d 192.168.0.1 -j DNAT --to-destination 192.168.0.1:80
Related
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed last year.
Improve this question
I'm struggling with the Linux tool "iptables".
Following situation:
I have a RaspberryPi running with HASS (Home Assistant) connected via ethernet.
Now I want to add my inverter to home assistant, but this needs to be done by using his own WiFi network. So I need to forward requests to IP 11.11.11.1 (only this IP, not all trafic) to the wifi network.
Is that doable with iptables? Meaning defining a rule which says "target is 11.11.11.1, so lets put this to the wifi network".
I'm actually not sure whether iptables can do that or not. I read soming about nginx, but not sure how this would work.
iptables -A FORWARD -i eth0 -o wlan0 -p tcp --destination 11.11.11.1
That command did the trick. Now all TCP requests to 11.11.11.1 are forwarded to Wifi (wlan0) interface.
If someone sees any mistakes in that, please reply as I'm not really familiar with networks settings and Linux commands. Thx.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 11 months ago.
Improve this question
When using raw sockets to create raw ethernet frames, the resulting packets are not traversing the iptables, even if the frames created represent valid ethernet + ip + upd packets. In my case this happens with the ISC-DHCP-client. I can understand why this happens and this is fine so far.
Thant being said, what additional infrastructure could I nevertheless put in place to get a chance to process those packets in iptables.
I'd be fine with stuff like (additional) virtual interfaces, bridges, or something like that. But so far I couldn't find the right combination of them.
I had a similar problem in a previous project where I had to man-in-the-middle a TCP session inside a LAN. To do so, on my gateway laptop I needed to route incoming traffic to a local process running the MITM attack. I used iptables but of course it was not working since the communications between the 2 hosts inside the LAN was happening at L2 not triggering the iptables. After A LOT of struggling I solved it in this way:
I created a bridge between the 2 interfaces that the attacked hosts used for communicate (say eth0 and eth1). Then you can use ebtables (man page ebtables) which allows to force frames matching a specific rule to go through iptables. E.g in my case:
ebtables −t broute −A BROUTING −i eth0 −p ipv4 −−ip−proto tcp --ip-dport 8009 −j redirect −−redirect−target DROP
The above rule is basically saying that: frames coming into eth0, carrying TCP packets destined to port 8009, should be sent to iptables.
Quoting the man page:
Making it DROP in the BROUTING chain will let the frames be routed.
If you want a good reference about the interaction iptables/ebtables, I used this one ebtables/iptables. Hope it can help.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 6 years ago.
Improve this question
I am working in a windows 7 corporate environment with a proxy and I need to run a application which uses ping to check a connection.
www.google.com is accessible from the browser but when I try to run ping www.google.com from the command prompt I get host unreachable.
PS: I tried telnet www.google.es 80/443 and it doesn't work, I already tried attacking the IP but it doesn't work (timeout).
Unfortunately this is not possible, web proxies understand specific set of protocols HTTP, HTTPS, TCP , some streaming protocols, whatever they support would be either TCP or UDP based. But ping is ICMP. You can't pipe ICMP through a web proxy.
However, you have some alternatives:
1- Ask your IT team to open ICMP for you from firewall, assume routing exist.
2- Recode the application to test connectivity using HTTP requests instead of ping.
3- Add whatever host the application is testing the connectivity with to the windows hosts file and map it to 127.0.0.1:
127.0.0.1 www.somehost.com
This will make the application thinking connectivity exist.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 6 years ago.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Improve this question
I have the following configuration:
ServerA: 192.168.168.200
ServerB: 172.23.10.10
They are separated by a RedHat box I'm trying to configure as a NAT device.
The box is configured as follows:
eth0: 172.23.10.1
eth1: 192.168.168.254
eth1:0: 192.168.168.10
I am trying to allow ServerA to only communicate with ServerB using the 192.168.168.10 address which should map via NAT to the 172.23.10.10 address.
ServerA (192.168.168.x) <-NAT ServerB (172.23.10.x)
I have configured the following iptables rule only on the RedHat box:
iptables -t nat -A PREROUTING -d 192.168.168.10 -j DNAT --to-destination 172.23.10.10
This appears to successfully implement the NAT translation. For example, when I ping 192.168.168.10 from ServerA it successfully reaches ServerB on it's 172.23.10.10 interface (and receives the response).
THE PROBLEM is that ServerA is still able to reach ServerB directly over 172.23.10.10, which I want to disallow.
How can I keep this NAT mapping in place, while blocking access to the actual destination address?
You didn't paste your full iptables output (iptables -vL -n nat), so this is a guess, but I'm betting, since it's RHEL, that your PREROUTING table has the default "ACCEPT" policy, so the traffic is skipping the NAT line, hitting the policy, and being accepted.
try:
iptables -n nat -P PREROUTING DROP
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 8 years ago.
Improve this question
I'm looking to block all ips from my server and it's ports with the exception of a partial ip 198.55..*. I'd like to limit access to an ISP region do to the fact my personal ip isn't static with our ISP. How would I go about this? Our server was compromised this evening and I'm trying to kill all other traffic to it.
The code below seems to allow a specific ip, but does it block every other IP? Also if I use the x will that act like a wildcard?
iptables -A INPUT -s 74.231.64.xx -j ACCEPT
If you need to block all incomming traffic except an specific range, you should first change the default policy of the INPUT chain to DROP:
iptables --policy INPUT DROP
Then, you should give a netmask to iptables to allow many IP addresses altogether exceptionally. For example, if you need to only allow 74.231.64.1, 74.231.64.2, to 74.231.64.255, you can use following command:
iptables -A INPUT -s 74.231.64.0/24 -j ACCEPT
74.231.64.0/24 tells to iptables to apply the same role to all varying IPs between 74.231.64.1 to 74.231.64.255. Similarly, you can widen this range by passing 74.231.0.0/16 or 74.0.0.0/8 instead.
IMPORTANT NOTE: Before applying this change, you better have a direct access to the system, not an over-network access. This is because a miss type may block you from the server.