Questions tagged [iptables]

0 votes, 0 answers, 2 views

Iptables blocks outgoing connection sometimes

There was a weird problem with iptables recently, hope somebody can help me. I have installed CentOS 7.2.1511 on a bare-metal Dell server these days, disabled firewalld and enabled iptables.services, and set up a group of very simple rules, as the following: # iptables-save # Generated by iptables...
Kun Li
1 vote, 1 answer, 382 views

How to MASQUERADE tap interface traffic

I am currently developing a VPN server in Java, at least as much in Java as possible, and I am planning to perform routing of client packets through tap devices. Currently, I am able to write Ethernet frames to the tap device and I can observe these packets through tcpdump. However they are not rout...
ram
1 vote, 1 answer, 225 views

Can't add rules to iptables, nothing gets committed

According to the documentation: rules, doing the following should add a simple rule to the iptables list of rules: rule = iptc.Rule() rule.src = '127.0.0.1' rule.protocol = 'udp' rule.target = rule.create_target('ACCEPT') match = rule.create_match('comment') match.comment = 'this is a test comment' c...
Torxed
1 vote, 2 answers, 243 views

Protection against possible SYN-flood DDoS attack

I'm running a service at a given port (let's say 1234). From time to time it's not reachable. When I check dmesg I see: TCP: Possible SYN flooding on port 1234. Sending cookies. Check SNMP counters net.ipv4.tcp_max_syn_backlog is set to 1024 When I check netstat I see: tcp 0 0 exampledom...
user994612
1 vote, 0 answers, 19 views

Nmap port closing

I am trying to close unused ports using Nmap in a shell script. If I hard-code the port number the shell script works fine, but I want to pass a variable to the command where the variable contains the port number. Example: iptables -A INPUT -p tcp --destination-port $portNumber -j DROP Error: Try `...
Lisha
1 vote, 0 answers, 883 views

Docker Container No route to host error

I have the following docker: docker --version Docker version 17.12.0-ce, build c97c6d6 And when I do a curl to an external URL, it fails: inside-container$> curl -u username -p https://countries.c1.com/countries/v1/countries curl: (7) Failed to connect to 10.10.20.30 port 443: No route to host insid...
Saffik
1 vote, 0 answers, 63 views

Prerouting marked packets to the loopback interface inside a docker container

Before I describe my question, or more particularly my problem, in more detail, I want to first depict my basic approach: Basically what I'm trying to do is to create an inline on a Linux bridge inside a docker container (operating system is Alpine). For that I created a testing environment containing an...
UniXBRO
1 vote, 2 answers, 44 views

How to redirect and load balance locally generated packets through iptables?

Here is the scenario I am working on. I have sslh listening on 443 which redirects https traffic to 445 and TURN traffic to 3478. I also have 6 TURN servers listening on 3478 to 3483. I wish to load balance the incoming TURN traffic across all these ports. I tried load balancing through the PREROUTI...
Mystic monk
1 vote, 0 answers, 35 views

Can't correctly configure iptables for nodemailer

I'm stuck on an issue sending mail... I have a server running Ubuntu 16.04, and on this server, I run (with pm2) a node.js server. This server must send me an email when I ask for it. That worked fine, but then I configured iptables and now the nodejs server can't send mail anymore... I configured iptabl...
Steve VE
1 vote, 0 answers, 73 views

Python-iptables, rule with interface does not match ipv6 packets

We are using python-iptables v0.12.0 in production within a dockerized environment orchestrated by kubernetes. The container application that uses python-iptables library consists of the following networking: Two internal interfaces exist eth0 and eth1 (used for communication within containers), wit...
GGechetlaios
1 vote, 0 answers, 27 views

iptables: block incoming but allow outgoing

I use an Ubuntu server to power my home network. The server is directly connected to the internet via the interface wan0. On the intranet side it uses a bridge br0 (which joins lan0 and wlan0). To block incoming requests from the internet I use iptables. It works fine to block incoming requests, b...
Daniel Messner
1 vote, 0 answers, 23 views

Is there a smart way to allow a program to change iptables without giving it cap_net_admin capabilities?

I want to use Istio's envoy proxy (load balancer) along my kubernetes env, but I have one small problem with it. The init container in Istio requires cap_net_admin privileges to install iptables rules. Is there a smart way I can redirect a program's iptables installation request - one that I do not...
user3026388
1 vote, 1 answer, 418 views

Is there a way to customize iptables rules in filter table on kubernetes master/worker node?

I'm working on a project where we're attempting to transition a legacy product (deployed as a standalone VM) to Kubernetes infrastructure. I'm using KUBEROUTER as CNI provider. To protect the VM against DoS (and log the attempt) we've added different chains in the iptables filter table. (These include rule...
user3925269
1 vote, 0 answers, 29 views

Docker container hits iptables to proxy

I have two VPSs, the first machine (proxy from now on) is for the proxy and the second machine (dock from now on) is the docker host. I want to redirect all traffic generated inside a docker container itself over the proxy, to not expose the dock machine's public IP. As the connection between VPSs is over the internet, no local connect...
teeper
1 vote, 0 answers, 51 views

iptables TPROXY gets hit but doesn't redirect to port

I'm running Debian 8 with iptables. I have the following rule: iptables -t mangle -A PREROUTING -p tcp --dport 5000 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 4000 I simply want to redirect all traffic going with destination port 5000 to port 4000. The standard iptables REDIRECT is not usable in my c...
Alfred Balle
1 vote, 0 answers, 147 views

Docker container can't resolve host server IP

I see a lot of similar network issues for docker but nothing that helps me understand what's wrong here and how to solve it. Basically I do a curl to the public IP from the container and it is not able to reach the server: from the host (I've replaced the IP by XXX for security reasons): [email protected] ~]# c...
Rodrigo.C
1 vote, 1 answer, 585 views

How to set up FirewallD to filter traffic to docker exposed port

I have set up a pi-hole docker container and exposed the DNS ports and port 80 on CentOS7. However the ports are available for all sources now, which is not very handy since it's running on a VPS. So I am trying to have FirewallD filter the traffic going to my docker container. So my docker container i...
Warsenius
1 vote, 0 answers, 84 views

AWS | Traffic mirroring by using iptables

I am trying to achieve Network Traffic Mirroring with iptables. In my scenario, I am mirroring the traffic on Server 1 to Server 2's IP address. Apparently configurations are straightforward as follows Server 1 echo '1' > /proc/sys/net/ipv4/ip_forward iptables -t mangle -I POSTROUTING -j TEE --gate...
Mudasar Yasin
1 vote, 0 answers, 49 views

WordPress Docker image error - refused to connect - during plugin details preview

Just noticed that when I click 'View Details' in my plugins list I get this error: I don't see any errors while tailing nginx/php-fpm logs while clicking this link. Any suggestions on what the culprit can be? I'm using docker-compose to run a MariaDB/WordPress/Nginx stack.
dzhi
1 vote, 0 answers, 383 views

iptables port forward rule to route traffic from WireGuard TUN interface to eth0

I am using WireGuard (WG) as a VPN and only routing certain port based traffic over it. On the ingress side of the tunnel the traffic first hits eth0 then goes on to the WG TUN interface, wg0, so the following rule works for forwarding on ingress: -A PREROUTING -d 192.#.#.# -i eth0 -p tcp -m tcp --...
Hobbit-42
1 vote, 0 answers, 24 views

Iptables Rules for Internet Access

I have a system with 2 network cards. Can anyone help with iptables rules? WAN interface IP address 192.168.1.10 and LAN interface IP address 192.168.10.1
Hmanshu
1 vote, 1 answer, 206 views

Ansible: Failed to reload sysctl: sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory

I'm setting up a Kubernetes cluster with Ansible. I get the following error when trying to enable kernel IP routing: Failed to reload sysctl: sysctl: cannot stat /proc/sys/net/bridge/bridge-nf-call-iptables: No such file or directory Is this a bug in Ansible or is there something wrong with my playboo...
Tuomas Toivonen
1 vote, 1 answer, 77 views

Allow traffic from localhost to docker container

I'm trying to host my backend services on an Ubuntu 16.04 server with docker. There is an nginx handling all HTTP requests and proxy-passing them to backend services. With iptables INPUT and OUTPUT ACCEPT everything works perfectly, however if I try to restrict any access except HTTP/HTTPS to ngin...
Andrew Kovalenko
1 vote, 0 answers, 34 views

Do docker and podman iptables rules conflict?

I've installed both Docker and Podman on the same machine. Is that my first problem? Maybe. But my goal is to run both and I'd like to continue anyway. My problem is this: there seems to be an iptables conflict between Docker's rules and Podman's rules, and my working solution doesn't make any sense to...
The Spartan
1 vote, 0 answers, 29 views

Good example of multi-vendor & multi-location & multi-type inventory for Ansible

I wonder if there are any good examples of a multi-vendor & multi-location & multi-type inventory for network automation with Ansible, i.e. we have a heterogeneous network, which includes Juniper firewalls, Cisco switches, and Linux firewalls & VPN servers. The idea behind the automation - to have a s...
epiq sty
1 vote, 1 answer, 441 views

iptables - how to set class by ip address instead of port?

I want to set a specific class on any packets that come from a specific computer in my network using --set-class, how can I achieve that?
ufk
1 vote, 2 answers, 449 views

strange behaviour of git

I have strange behaviour of git - push is working, but clone is not :( alec$ git clone git://host/repo.git Initialized empty Git repository in /Users/alec/Temp/repo/.git/ host[0: x.x.x.x]: errno=Connection refused fatal: unable to connect a socket (Connection refused) What's wrong?
Alexey Poimtsev
1 vote, 0 answers, 28 views

Customized captive portal with external DHCP server

I am stuck on one issue for which I need your help. Actually it's a bit complex to explain my situation but I will try my best. I am working on a customized captive portal on an ARM processor board with an embedded Linux OS. For this I need to run this captive portal server on my ARM board. I go...
Dhruv Patel
1 vote, 2 answers, 2.2k views

Access RMI Port from remote using iptables

I want to access an RMI service from a remote server. Locally everything works fine. But from the remote side I get the following exception: java.net.ConnectException: Connection timed out I used iptables so that the server believes the request comes to 127.0.0.1 and not to the public IP address xx...
markus
1 vote, 1 answer, 678 views

How to Deny/Blacklist Unauthorized IP Write Access Attempts on LAMP Server?

Recently, spammers found world-writable folders (such as those needed by certain WordPress plugins) and uploaded rogue .htaccess/.php files to use my (Ubuntu Linux 11.04) unmanaged VPS (Linode) as a proxy from where spam message links would arrive for redirection to other servers. What I noticed wa...
Faisal Humayun
1 vote, 1 answer, 1.1k views

Looking for iptables binary for Android 2.3 ARM platform?

I am trying to set up a proxy on an Android device using iptables. We are using Android 2.3. I don't see iptables in the emulator or in our platform build. Where can I download a prebuilt iptables binary (and all supporting libs it needs) for setting up a NAT-like rule? I'd like to run it like this eventual...
videoguy
1 vote, 1 answer, 521 views

Restricting Internet access to a domain

I'm trying to achieve some sort of proxying in Android. I want to route every TCP call in the phone to a particular domain, say example.com. For example if the user tries to load android.com in the default web browser or any other browser like Opera Mini, it should show the example.com home page. Also if use...
Mithun Sreedharan
1 vote, 1 answer, 1.4k views

How to configure Apache to reject (example) http://192.168.1.1 and accept only virtual hosts like http://www.example.com

I tried to search for a solution on this but didn't know how to frame the query to get my answer. I want to block anyone from probing my server by IP URLs (like http://192.168.1.1 -- any public IP address) while allowing proper URLs to my server (proper like http://www.example.com). I feel there...
Ray Dev
1 vote, 1 answer, 11k views

iptables on busybox

I have busybox installed as a 'starter' package on my embedded Linux board and I also need to use iptables to configure some firewall rules. Is there a way to get access to iptables from the busybox shell? Otherwise, how can I exit the busybox shell to get to the iptables command? Thank you.
user1108249
1 vote, 1 answer, 2.4k views

Iptables filtering performance: TCP and UDP

I am writing to ask about iptables performance in TCP and UDP filtering. I was testing it with a large number of iptables rules. When there are 10 000 mixed TCP and UDP rules in the FORWARD chain I get TCP throughput of 35.5 Mbits/sec and UDP throughput of 25.2 Mbits/sec. I am confused why TCP throughput is bigger...
sider
1 vote, 2 answers, 3.8k views

marking packet for sending over raw socket

I have the following function which sends packets over a raw socket. #include #include #include #include #include #include 'pkt-types.h' #include 'pkt-log.h' #include 'pkt-utils.h' int send_packet_raw (void *data, int size) { log_message (LOG_DEBUG, ' inside send_packet_raw'); int sd; struct iphd...
Aftnix
1 vote, 1 answer, 361 views

Logging packets dropped with nfq_set_verdict2(NF_DROP)

In my application, I take the packets from netfilter to userspace with NFQUEUE, and then I compare them with my criteria and drop or accept packets through NF_DROP or NF_ACCEPT in the nfq_set_verdict2 function. I want to log the dropped packets in regular iptables log format. How can I achieve this?
barp
1 vote, 1 answer, 3.2k views

bind port 80 to non-root user. CentOS

I need to allow port 80 access to a non-privileged user on my CentOS. I am running Shoutcast and Centova Cast on my server to host audio streams. I have been using port 80 for the last few months now without a problem using the following..... iptables -A PREROUTING -t nat -p tcp -d 5.10.69.104 --dpor...
Bob Swaggerty
1 vote, 1 answer, 12.2k views

Script to Block and Unblock a Port

[email protected]:~# iptables --list Chain INPUT (policy ACCEPT) target prot opt source destination DROP tcp -- anywhere anywhere multiport dports iscsi-target Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (...
Joe Camel
1 vote, 1 answer, 575 views

Prevent UDP forwarding

I've noticed my server is being used to relay UDP traffic as part of a DDoS. Various source IPs send UDP datagrams with TARGET_IP set as the destination. My server's IP is not TARGET_IP so I'm just forwarding the attack. So far, I'm DROPing all UDP traffic to the TARGET_IP thanks to iptables but I w...
Dee50