How to filter HTTP/HTTPS requests in a network gateway without proxy settings (Linux)

I want to filter all HTTP/HTTPS traffic on 192.168.1.1 (WiFi server, Linux based), without any proxy setting on 192.168.1.99 (my PC).
PC --> WiFi router --> LinuxServer(2 network adapter) --> WLAN(3G,ADSL, etc...)
192.168.2.99 --> 192.168.2.1 --> 192.168.1.1/201.190.12.13 --> Internet
I wish to run nginx on 192.168.1.1, listening on port 9000, and reject or forward HTTP/HTTPS to the WLAN.
I tried to use iptables, but it seems not to work:
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to 192.168.1.1
iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 192.168.1.1
Thank you for any suggestion!

OK, I found the way:
iptables -t nat -i wlan0 -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 192.168.10.1:8999
iptables -t nat -i wlan0 -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 192.168.10.1:8999

Related

How can I log outgoing TCP to an IP, but not HTTP, with iptables

I'm new to iptables and Linux firewalls in general. Can somebody help me with it?
I want to write a table using iptables that will log outgoing TCP connections to a specific IP address, except those that go through port 80 (HTTP).
Here is what I have so far:
iptables -N LOGGING
iptables -A OUTPUT -j LOGGING
iptables -A LOGGING -p tcp -m tcp --dport 80 -j DROP
iptables -A LOGGING -p tcp -m tcp -d 149.20.4.69 -j LOG --log-prefix "My logging: " --log-level 4
Here is my previous try. This should log all outgoing connections to the chosen IP, but I don't know how to filter out port 80 (HTTP).
iptables -A OUTPUT -p tcp -s 149.20.4.69 -j LOG --log-prefix 'OUTPUT TCP: ' --log-level 4
You could just use a not condition to exclude port 80:
# Log TCP traffic to x.x.x.x for all destination ports except 80
iptables -A OUTPUT -p tcp -d x.x.x.x ! --dport 80 -j LOG
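The negated port match from the answer above, put into a complete LOGGING chain together with a small parser for the kernel log lines it produces. This is an added example, not code from the thread: the target host is the one from the question, the interface name and the three log lines are constructed, and the `run` wrapper only prints the iptables commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the thread): a LOGGING chain for outbound TCP to one
# host that skips port 80, plus a parser for the kernel log lines it produces.
# The target host is the one from the question; log lines below are constructed.
# Commands are only printed unless APPLY=1 is set.

TARGET_IP="${TARGET_IP:-149.20.4.69}"

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

install_logging_chain() {
    run iptables -N LOGGING
    run iptables -A OUTPUT -p tcp -d "$TARGET_IP" -j LOGGING
    # "! --dport 80" negates the port match, so only non-HTTP connections are
    # logged; "-m limit" keeps a chatty host from flooding the kernel log.
    run iptables -A LOGGING -p tcp ! --dport 80 \
        -m limit --limit 10/min --limit-burst 20 \
        -j LOG --log-prefix "OUTPUT TCP: " --log-level 4
    # LOG never terminates a chain; return to OUTPUT explicitly for clarity.
    run iptables -A LOGGING -j RETURN
}

# Reduce LOG output to "DST:DPT count" lines. Works on kern.log or
# "journalctl -k" text; only lines carrying our prefix are counted.
summarize_log() {
    awk '
        /OUTPUT TCP: / {
            dst = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^DST=/) dst = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (dst != "" && dpt != "") count[dst ":" dpt]++
        }
        END { for (k in count) print k, count[k] }
    ' | sort
}

# Constructed sample: three logged SYNs (two to 443, one to 22). Port-80
# connections never appear because the negated match excludes them.
SAMPLE_LOG='Jun  1 12:00:01 gw kernel: OUTPUT TCP: IN= OUT=eth0 SRC=192.168.1.10 DST=149.20.4.69 LEN=60 PROTO=TCP SPT=51234 DPT=443 SYN
Jun  1 12:00:02 gw kernel: OUTPUT TCP: IN= OUT=eth0 SRC=192.168.1.10 DST=149.20.4.69 LEN=60 PROTO=TCP SPT=51235 DPT=443 SYN
Jun  1 12:00:03 gw kernel: OUTPUT TCP: IN= OUT=eth0 SRC=192.168.1.10 DST=149.20.4.69 LEN=60 PROTO=TCP SPT=51236 DPT=22 SYN'

install_logging_chain
printf '%s\n' "$SAMPLE_LOG" | summarize_log
```

Note the difference from the question's first attempt: a `DROP` for port 80 inside the chain would block HTTP rather than merely keep it out of the log, whereas the negated match leaves port 80 untouched and unlogged.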

Transparent Proxy Squid with internal and external network

I have a network set up like this, with an external and an internal network.
I have successfully got Squid running as a proxy for the internal browser, and now I want to set it up as transparent, but I am having some problems.
[network diagram]
First, I changed it to "http_port 8080 intercept", but I am having trouble setting up the correct iptables rules on the external server, as the packets are not getting back to the Squid box.
iptables --policy INPUT DROP
iptables --policy OUTPUT DROP
iptables --policy FORWARD ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -t nat -A POSTROUTING -o enp0s3 -j MASQUERADE   # enp0s3 is the NAT (external) interface
iptables -I INPUT -s 192.168.1.0/24 -p tcp --dport 8080 -j ACCEPT
iptables -t nat -A PREROUTING -i enp0s3 -p tcp --dport 80 -j DNAT --to-destination 10.10.1.254:8080
iptables -t nat -A PREROUTING -i enp0s8 -p tcp --dport 80 -j REDIRECT --to-port 8080
This is as far as I got; the internet works fine on the internal PC, but I'm not sure how to redirect HTTP port 80 packets to the Squid box (10.10.1.254:8080).
A couple of things.
From the diagram it is not clear where the Squid box is. Considering you are setting up a transparent proxy, it will be in between your internal network and the WAN connection, which I believe you might have taken care of. Please check.
Considering this is a dual-homed box, you need to set the default gateway to point to your Squid box's WAN interface.
You do need reverse path forwarding enabled.
Last but not least, IP packet forwarding must be enabled.
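For both the nginx question at the top of the page and this Squid thread, the gateway-side setup is the same: enable forwarding, steer LAN port-80 traffic into a listener on the gateway with REDIRECT, and masquerade the rest. The script below is an added example and is not from either thread; the interface names, LAN subnet, proxy port and the `HTTPS_POLICY` switch are assumptions, and the `run` wrapper only prints commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not from either thread: firewall/NAT setup for a dual-homed
# Linux gateway that intercepts LAN HTTP into a local listener (Squid "intercept"
# or nginx) and masquerades everything else. Interface names, subnet and proxy
# port are constructed assumptions. Commands print unless APPLY=1.

LAN_IF="${LAN_IF:-enp0s8}"          # inside interface (assumption)
WAN_IF="${WAN_IF:-enp0s3}"          # outside interface (assumption)
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PROXY_PORT="${PROXY_PORT:-8080}"    # local intercept listener (assumption)

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

enable_forwarding() {
    # Forwarding is what makes the box a router; without it the PREROUTING NAT
    # rule below rewrites the first packet and nothing goes any further.
    run sysctl -w net.ipv4.ip_forward=1
}

gateway_rules() {
    run iptables -F
    run iptables -t nat -F
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT
    run iptables -A INPUT -i lo -j ACCEPT
    # Stateful return traffic first, for both the box itself and forwarded flows.
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # REDIRECT delivers to this host, so INPUT must admit the LAN on that port.
    run iptables -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    # Plain HTTP from the LAN is steered into the local proxy. REDIRECT only ever
    # targets the gateway itself; use DNAT when the proxy lives on another host.
    run iptables -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
    # HTTPS cannot be handed to an HTTP listener (the TLS handshake would fail),
    # so it is either forwarded untouched or rejected; pick one policy.
    case "${HTTPS_POLICY:-forward}" in
        reject) run iptables -A FORWARD -i "$LAN_IF" -p tcp --dport 443 -j REJECT --reject-with tcp-reset ;;
        *)      run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -p tcp --dport 443 -j ACCEPT ;;
    esac
    # Everything else from the LAN goes out masqueraded.
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE
}

# Post-apply check: the REDIRECT rule's packet counter must climb when a LAN
# client browses; a zero counter means packets arrive on a different interface
# or are not reaching the box at all.
show_nat() { run iptables -t nat -L PREROUTING -n -v --line-numbers; }

enable_forwarding
gateway_rules
show_nat
```

The proxy's own outbound connections leave through the OUTPUT chain, not PREROUTING, so they are not caught by the REDIRECT rule and no loop results.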

not able to forward client IP to server using HAProxy

I am trying to connect my Android app to a server using a TCP connection.
For that, I am using an HAProxy server. Below is the configuration for it.
frontend fe-plain-cs
bind xx.xx.xx.xx:8443 transparent
default_backend be-plain-cs
backend be-plain-cs
fullconn 50000
balance roundrobin
source 0.0.0.0 usesrc clientip
server k010 xx.xx.xx.xx:8443 check inter 10m fall 1 rise 1 maxconn 25000
server k011 xx.xx.xx.xx:8443 check inter 10m fall 1 rise 1 maxconn 25000
If you need more info, let me know.
Below are my iptables rules:
:PREROUTING ACCEPT [2:230]
:INPUT ACCEPT [2:230]
:OUTPUT ACCEPT [3:370]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -s 10.13.0.0/16 ! -d xx.xx.xx.xx/32 -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination :8080
-A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination :8443
-A PREROUTING -p tcp -m tcp --dport 843 -j DNAT --to-destination :8843
-A POSTROUTING -s xx.xx.xx.xx/32 -j ACCEPT
-A POSTROUTING -s 10.13.0.0/16 -j MASQUERADE
COMMIT
Below is my sysctl configuration (/etc/sysctl.conf):
net.ipv4.ip_forward = 1
net.ipv4.ip_nonlocal_bind = 1
net.ipv4.conf.default.rp_filter = 1
Stop your iptables service, and SELinux should be disabled.
service iptables stop
vi /etc/selinux/config
SELINUX=disabled
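What `source 0.0.0.0 usesrc clientip` needs from the kernel is the part the thread never shows: HAProxy opens the backend connection with the client's address as source, so the backend's replies are addressed to the client and must be routed back through the HAProxy box and handed to the local socket rather than forwarded. The script below is an added example, not the thread's configuration; it follows the DIVERT/fwmark recipe from the HAProxy documentation, and the mark number, routing table number and backend subnet are assumptions. Commands print unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not part of the thread: kernel-side plumbing for HAProxy
# "usesrc clientip" (full transparent proxy). Three things must hold:
#   1. the backend servers route replies to clients via this box
#      (their default gateway, or a specific route, points here);
#   2. this box may bind non-local addresses (ip_nonlocal_bind);
#   3. reply packets that match an existing local socket are marked and
#      delivered locally instead of being forwarded.
# Mark, table number and backend subnet are assumptions; APPLY=1 applies.

BACKEND_NET="${BACKEND_NET:-10.13.0.0/16}"   # subnet seen in the posted rules
MARK="${MARK:-1}"
TABLE="${TABLE:-100}"

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

transparent_sysctls() {
    run sysctl -w net.ipv4.ip_forward=1
    run sysctl -w net.ipv4.ip_nonlocal_bind=1
}

# "-m socket" matches packets that belong to a local socket even though the
# destination address is not local; those are the backend replies to the
# spoofed-source connections. Mark them and route them to lo.
transparent_routing() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# Check before trusting it: DIVERT counters must climb while a backend replies.
# If they stay at zero, the backend is not routing replies via this box, or
# strict rp_filter on the backend-facing interface is discarding them.
check_divert() { run iptables -t mangle -L DIVERT -n -v; }

transparent_sysctls
transparent_routing
check_divert
```

The posted `-A POSTROUTING -s 10.13.0.0/16 -j MASQUERADE` rule is unrelated to the reply path: with `usesrc clientip` the connection's source is the client address, not an address in the backend subnet.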

Can't Access Port number 80 and 443 after adding Iptables rules

In my CentOS 6 I added an iptables rule that DROPs everything by policy, like this:
iptables -P INPUT DROP
Then I allowed ports 22, 80 and 443 with these commands:
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
Now I can access SSH with PuTTY, but I can't access the Internet. I need to know the exact cause of this. Please help me.
Of course you cannot access the Internet. You just added a rule that drops all incoming traffic (except for traffic coming in to ports 22, 80 and 443).
When you try to access the internet (if you're using a browser), your machine establishes a connection from
<local IP>:<port1> <----> <remote IP>:80
When the remote server responds to you, it will respond back to the same port1 that you sent the request from (which will NOT be 22, 80 or 443; it will be a number usually higher than 32768), so it will get dropped by iptables.
Try these rules instead:
iptables -P INPUT DROP
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
The second rule tells iptables to ACCEPT traffic that is coming to us if it's coming to a port that we used to send outgoing traffic. This will allow you to see the response from the server, which you were dropping.
However, there's still a problem with DNS traffic, since it uses UDP not TCP. You can work around that by changing the first rule to:
iptables -P INPUT ACCEPT
iptables -A INPUT -p tcp -j DROP    # -P takes no match options; an explicit final rule gives the TCP-only drop
so it only drops TCP traffic but not UDP traffic. There may be other ways to work around the DNS problem, depending on what exactly you want to do.
So your final ruleset should look like this:
iptables -P INPUT ACCEPT
iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -j DROP    # last: drop remaining TCP, leave UDP (DNS) alone
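A host firewall for the situation in this thread, written as an added example rather than taken from the answer: the default policy stays DROP for every protocol, and replies to the host's own outbound connections are admitted by conntrack, which tracks UDP flows too, so DNS answers to the resolver's queries match ESTABLISHED without a separate UDP hole. The interface name and port list are assumptions; commands print unless `APPLY=1` is set, and the rollback helper assumes the script is run interactively over SSH.

```shell
#!/bin/sh
# Added example, not from the thread: stateful INPUT ruleset that keeps a DROP
# policy for all protocols yet lets the host browse and resolve names.
# Interface and port list are assumptions; commands print unless APPLY=1.

WAN_IF="${WAN_IF:-eth0}"
SERVICE_PORTS="${SERVICE_PORTS:-22 80 443}"

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

host_firewall() {
    run iptables -F INPUT
    run iptables -A INPUT -i lo -j ACCEPT
    # Replies to our own outbound connections. conntrack tracks UDP as well as
    # TCP, so DNS answers match ESTABLISHED and no "accept all UDP" is needed.
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    # Only new connections to the published services, only on the WAN side.
    for port in $SERVICE_PORTS; do
        run iptables -A INPUT -i "$WAN_IF" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    run iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # Policy is switched last, after the stateful rule exists, so an SSH session
    # used to apply this is never cut off between two commands.
    run iptables -P INPUT DROP
}

# Safety net for remote work: schedule a rollback, apply, then ask. The rollback
# is cancelled only on an explicit "yes"; otherwise INPUT reopens after 60 s.
apply_with_rollback() {
    ( sleep 60; iptables -P INPUT ACCEPT; iptables -F INPUT ) &
    rollback_pid=$!
    APPLY=1
    host_firewall
    APPLY=0
    printf 'Keep the new rules? [yes/NO] '
    read answer
    [ "$answer" = yes ] && kill "$rollback_pid"
}

host_firewall
```

Run `apply_with_rollback` instead of `host_firewall` when working over SSH; if the new rules lock you out, the background subshell restores an open INPUT chain a minute later.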

iptables port forwarding: Unknown arg

I am trying to do port forwarding with iptables.
I am getting the error "Unknown arg `--to-destination'" when trying to execute this command:
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.2:80
Any ideas?
Can you redirect the traffic?
If yes:
on PREROUTING use -j REDIRECT --to 192.168.1.2:80
If no:
Sorry.
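The `--to-destination` option belongs to the DNAT target extension, so iptables reports it as unknown when the nat table, and with it the kernel NAT support, is not available to that iptables build. The script below is an added example, not from the thread: it checks that the nat table can be listed before adding the forward, and pairs the DNAT rule with the FORWARD rules it needs. Interface names and the internal host are assumptions; commands print unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not from the thread: forward inbound TCP port 80 on the gateway
# to an internal web host with DNAT, preceded by a check of the nat table.
# Interfaces and addresses are assumptions; commands print unless APPLY=1.

WAN_IF="${WAN_IF:-eth0}"
LAN_IF="${LAN_IF:-eth1}"
INSIDE_HOST="${INSIDE_HOST:-192.168.1.2}"
PORT="${PORT:-80}"

run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '%s\n' "$*"; fi; }

# Succeeds when the nat table can be listed. A failure here is the usual cause
# of "Unknown arg --to-destination": the DNAT extension cannot be loaded, so
# its options are not recognised. In dry-run mode the check is only reported.
nat_table_available() {
    if [ "${APPLY:-0}" = 1 ]; then
        iptables -t nat -L -n >/dev/null 2>&1
    else
        printf 'check: iptables -t nat -L -n\n'
    fi
}

port_forward() {
    nat_table_available || {
        echo "nat table unavailable: check kernel NAT support (nf_nat) and the iptables build" >&2
        return 1
    }
    run sysctl -w net.ipv4.ip_forward=1
    # Rewrite the destination as the packet arrives on the WAN side...
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport "$PORT" \
        -j DNAT --to-destination "$INSIDE_HOST:$PORT"
    # ...and let the filter table forward it; a DROP policy on FORWARD would
    # otherwise discard the rewritten packet silently.
    run iptables -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -p tcp -d "$INSIDE_HOST" --dport "$PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # REDIRECT is not a substitute here: it only changes the port and always
    # delivers to the gateway itself, never to another host.
}

port_forward
```

After applying, `iptables -t nat -L PREROUTING -n -v` should show the DNAT rule's packet counter rising on each inbound connection; if the counter rises but clients see no response, the internal host's return route (its default gateway) does not lead back through this box.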
