I'm using Shorewall.
How do I enable ping to a specific IP address where the zone containing that IP has ping disabled?
in etc/rules....
Suppose you have a zone dmz and in that zone you have the
external ip address of 67.89.164.199 and the internal ip of 10.0.99.10.
That is the external ip DNAT's to 10.0.99.10
The dmz zone doesn't allow pings from the outside.
Here's what to do:
1) DNAT net dmz:10.0.99.10 icmp 8 - 67.89.164.199
or in other words, send all pings "icmp 8" that come to 67.89.164.199 to 10.0.99.10
2) Ping/ACCEPT net dmz:10.0.99.10
i.e. accept Ping
Allow single ip using
iptables -A INPUT -s x.x.x.x -p ICMP --icmp-type 8 -j ACCEPT
Reference http://www.trickylinux.net/ping-single-ip-linux/
Related
I am trying to implement wireless access point on my embedded platform. I have implemented some parts like running wireless card as access point, dhcp server and some forwarding rules (via iptables).
I have tried several iptables commands. results of all are the same. The last one I decided to use is:
iptables -t nat -F
iptables -F
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
echo '1' > /proc/sys/net/ipv4/ip_forward
Access point runs successfully, clients can connect to it and get ip address. However there is DNS problem. Clients could not resolve the hostnames but they can connect via ip addresses.
DHCP configuration is as below:
interface wlan0
start 192.168.7.11
end 192.168.7.20
max_leases 10
option subnet 255.255.255.0
option router 192.168.7.1
#option dns 192.168.7.2 192.168.7.4
option domain local
option lease 864000
lease_file /conf/udhcpd.leases
#pidfile /tmp/udhcpd.pid
For this configuration, If I use 'option dns 8.8.8.8 8.8.4.4' I can resolve the problem but I need to use the dns of the network. Is there any way to forward the dns address 192.168.7.2 to the dns address of the wired network (eg. 192.168.0.2).
I could not find the DNS routing (eg. 192.168.7.2 to 192.168.0.2). But I have found a way to use the DNS address of the embedded platform on clients.
in DHCP server configuration, I used this option:
option dns 192.168.0.2 192.168.0.4 (conf file are generated when access point is started, so the dns addresses are obtained from the system )
after DHCP server is run, I have run these commands to forward dns addresses:
iptables -A FORWARD --in-interface eth1 -m tcp --sport 53 -j ACCEPT
iptables -A FORWARD --in-interface eth1 -m udp --sport 53 -j ACCEPT
trying to setup a Proxmox machine that is running 3 vms. it has 3 public ips but these ips are on a single interface (eth0).
the 3 vms are on a bridge (vmbr0) with an address of 172.16.0.1/24
I have enable ip masquerading and forwarding. but I cannot figure out how to make each of the 3 vms (172.16.0.2, 172.16.0.3, 172.16.0.4) route out through a specific one of the public ips.
I have tried the standard iproute with 3 tables setting the gateways and rules but no matter what rule i set the vms still route out through the primary ip.
trouble is the 3 public ips are on complete seperate networks so they each have a different gateway. I know how to use iproute to do this if each public ip was on a seperate physical interface but this machine has all 3 on a single interface and iproute doesn't seem to like that because if I do ip route add default via 23.92.26.1 dev eth0:2 table node2 and then later list everything it shows via eth0. so aparently iproute doesn't like psuedo interfaces. I don't know a lot about iptables and I'm sure theres a way to do this with pure iptables but haven't found anything. all my google searches come up with iproute tables wich like i said don't seem to work with a signle interface.
Thank you in advance
considering ProxMox is running Debian try adding something like the following to your /etc/network/interfaces for each of the extra links
post-up route add -net <network identifier> netmask <netmask> gw <links gateway>
pre-down route del -net <network identifier> netmask <netmask> gw <links gateway>
and then with iptables if you want 172.16.0.2 to go through the second ip do like the following: (this is called Source NAT or SNAT) the --to-source specifies what ip you want the outgoing connections remapped to.
iptables -t nat -A POSTROUTING -s 172.16.0.2/24 -j SNAT --to-source <ip address you want it to go out of>
if you want all incoming connections on the same ip to go to 172.16.0.2 then you would also add the following (this is called Destination NAT or DNAT)
iptables -t nat -A PREROUTING -d <ip/mask bit> -j DNAT --to-destination 172.16.0.2
Question:
(1)3VM - 172.16.0.2, 172.16.0.3, 172.16.0.4
(2)Gateway - 172.16.0.1/24
(3)3 publicIP: $IP_A(gateway $IP_A_G), $IP_B(gateway $IP_B_G), $IP_C(gateway $IP_C_G)
(4)Your aim is every VM use the different public IP to visit outsite , suck as:
VM1(172.16.0.2) ----> $IP_A
VM2(172.16.0.3) ----> $IP_B
VM3(172.16.0.4) ----> $IP_C
So , I think you can use ip route to do this:
(1)In Promox(172.16.0.1)
echo "200 IPA" >> /etc/iproute2/rt_tables
echo "201 IPB" >> /etc/iproute2/rt_tables
echo "202 IPC" >> /etc/iproute2/rt_tables
Reboot Promox once .
(2)Create router
ip route del default table IPA
ip route add default via $IP_A_G table IPA
ip route del default table IPB
ip route add default via $IP_B_G table IPB
ip route del default table IPC
ip route add default via $IP_C_G table IPC
(3)Add route for each VM
ip rule add from 172.16.0.2 lookup IPA pref 200
ip rule add from 172.16.0.3 lookup IPB pref 201
ip rule add from 172.16.0.4 lookup IPC pref 202
ip route flush cache
DONE
My server has apache2 on a single interface with multiple IPs on sub-interfaces. I want to reject an icmp echo request from all external IPs to a specific IP assigned to one of my sub interfaces but allow the icmp to the other IPs on the same interface:
eth2 - 10.128.20.252
eth2:1 - 10.128.20.11
eth2:2 - 10.128.20.12
eth2:3 - 10.128.20.13 <-want to block icmp to only this IP
eth2:4 - 10.128.20.14
Edit the /etc/ufw/before.rules file and change the Ip to suit your needs. Then do:
# ufw reload
put this before the icmp ok codes section, it works
drop icmp to specific IP
-A ufw-before-input -p icmp --icmp-type echo-request -d 10.128.20.13 -j REJECT
I have a question regarding Linux NAT-ing on my own IP address.
Suppose I have an network interface, say eth0. It is given an IP address of 127.0.0.2. Now I apply a NAT rule in Linux saying that:
Any traffic with a source IP of 127.0.0.2 should be changed to a source IP of 192.168.0.2.
What source IP will I see in the packets sent out of eth0? In other words, will the NAT rule be applied to the packets originating from my own machine?
Thanks!
Jin
you can use postrouting for the same
iptables -t nat -A POSTROUTING -s 127.0.0.2 -o eth0 -j SNAT --to 192.168.0.2
I'm trying to test a gateway I wrote(see What's the easiest way to test a gateway? for context). Due to an issue I'd rather not get into, the gateway and "sender" have to be on the same machine. I have a receiver(let's say 9.9.9.9) which the gateway is able to reach.
So I'll run an application ./sendStuff 9.9.9.9 which will send some packets to that IP address.
The problem is: how do I get the packets destined for 9.9.9.9 to go to the gateway on localhost? I've tried:
sudo route add -host 9.9.9.9 gw 127.0.0.1 lo
sudo route add -host 9.9.9.9 gw <machine's external IP address> eth0
but neither of those pass packets through the gateway. I've verified that the correct IPs are present in sudo route. What can I do?
Per request, here is the route table, after running the second command(IP addresses changed to match the question. x.y.z.t is the IP of the machine I'm running this on):
Destination Gateway Genmask Flags Metric Ref Use Iface
9.9.9.9 x.y.z.t 255.255.255.255 UGH 0 0 0 eth0
x.y.z.0 0.0.0.0 255.255.254.0 U 0 0 0 eth0
0.0.0.0 <gateway addr> 0.0.0.0 UG 100 0 0 eth0
127.0.0.1 is probably picking up the packets, then forwarding them on their merry way if ipv4 packet forwarding is enabled. If it's not enabled, it will drop them.
If you are trying to forward packets destined to 9.9.9.9 to 127.0.0.1, look into iptables.
Edit: try this:
iptables -t nat -A OUTPUT -d 9.9.9.9 -j DNAT --to-destination 127.0.0.1
That should redirect all traffic to 9.9.9.9 to localhost instead.