Search Results

Search found 1249 results on 50 pages for 'iptables'.

Page 3/50 | < Previous Page | 1 2 3 4 5 6 7 8 9 10 11 12 | Next Page >

Foraward Traffic from local machine to proxy server using iptables

- by Vaibhav

I am using Ubuntu Server 12.04. My IP is 192.168.4.160. I want to route the HTTP traffic generated locally from my system destined to a particular URL (say x.x.x.x) to pass through proxy server. My proxy server is 192.168.0.13:3128. I added following rule in iptables sudo iptables -t nat -A OUTPUT -p tcp -d x.x.x.x --dport 80 -j DNAT --to 192.168.0.13:3128 However, this rule does not seem to work for me. I captured packet in wireshark and I saw that packet is still going to x.x.x.x I am not very much familiar with iptables, so please try to be specific. Thanks in advance

Read the article
Internet slowed down because of SQUID Server setup

- by Ranjith Kumar

Recently I have setup a squid server for our office. I have computer (A) with two ethernet cards, one for internet and the second one for local networkIt has Ubuntu server OS with squid-server and dhcp3-server installedI have added few iptable rules to work like a router and redirect all http traffic to 3128 port This link is my reference. Everything worked fine for 2 days. All of a sudden internet speed went down drastically. When I connected the internet cable to my laptop to test the internet speed it was fine. Again when I reconnected it back to computer A everything was normal. This happened 4 times in a week. Could anyone here please help me why the internet speed is going down and it becomes normal when I reconnect the cable. EDIT: Rebooting the system (computer A) didn't make a difference. I have changed iptables so that http traffic doesn't redirect to 3128 port any further, still no change in the internet speed. I think the problem is not with squid but with something else. Here are my iptable rules SQUID_SERVER="10.1.1.1" INTERNET="eth1" LAN_IN="eth0" SQUID_PORT="3128" PROXYSERVERS=(Atlanta Baltimore Boston Chicago Dallas Denver Houston KansasCity LosAngeles Miami NewYork Philadelphia Phoenix SanAntonio SanDiego SanJose Seattle Washington) SERVERLEN=${#PROXYSERVERS[*]} I=0 iptables -F iptables -X iptables -t nat -F iptables -t nat -X iptables -t mangle -F iptables -t mangle -X modprobe ip_conntrack modprobe ip_conntrack_ftp echo 1 /proc/sys/net/ipv4/ip_forward iptables -P INPUT DROP iptables -P OUTPUT ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT iptables -A INPUT -i $LAN_IN -j ACCEPT iptables -A OUTPUT -o $LAN_IN -j ACCEPT while [ $I -lt $SERVERLEN ]; do iptables -t nat -A PREROUTING -i $LAN_IN -p tcp -d ${PROXYSERVERS[$I]}.wonderproxy.com --dport 80 -j ACCEPT let I++ done iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT iptables -A INPUT --protocol tcp --dport 80 -j ACCEPT iptables -A INPUT --protocol tcp --dport 443 -j ACCEPT iptables -A INPUT --protocol tcp --dport 22 -j ACCEPT iptables -A INPUT -j LOG iptables -A INPUT -j DROP

Read the article
Can't connect to website after altering IPTables

- by user2833135

I attempted to open up a port on my VPS, but I can't connect to my website after opening up that port. Below are the commands I issued to open the port. I didn't get an error or anything after setting this up. I just can't connect to my website after doing this. [root@vps ~]# iptables -F [root@vps ~]# iptables -A INPUT -i lo -j ACCEPT [root@vps ~]# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT [root@vps ~]# iptables -A INPUT -p tcp --dport 25765 -j ACCEPT [root@vps ~]# iptables -P INPUT DROP [root@vps ~]# iptables -P FORWARD DROP [root@vps ~]# iptables -P OUTPUT ACCEPT [root@vps ~]# iptables -L -v Just a side note, but I am running CentOS 6 (64 bit) Thank you in advance.

Read the article
Karmic iptables missing kernel moduyles on OpenVZ container

- by luison

After an unsuccessful p2v migration of my Ubuntu server to an OpenVZ container which I am stack with I thought I would give a try to a reinstall based on a clean OpenVZ template for Ubuntu 9.10 (from the OpenVZ wiki) When I try to load my iptables rules on the VM machine I've been getting errors which I believe are related to kernel modules not being loaded on the VM from the /vz/XXX.conf template model. I've been testing with a few post I've found but I was stack with the error: WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/. FATAL: Could not load /lib/modules/2.6.24-10-pve/modules.dep: No such file or directory iptables-restore v1.4.4: iptables-restore: unable to initialize table 'raw' Error occurred at line: 2 Try `iptables-restore -h' or 'iptables-restore --help' for more information. I read about the template not loading all iptables modules so I added modules to the XXX.conf of the VZ virtual machine like this: IPTABLES="ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc" As the error remained I read that I should build dependencies again on the virtual machine: depmod -a but this returned an error: WARNING: Couldn't open directory /lib/modules/2.6.24-10-pve: No such file or directory FATAL: Could not open /lib/modules/2.6.24-10-pve/modules.dep.temp for writing: No such file or directory So I read again about creating the directory empty and redoing "depmod -a" it. I now don't get the dependancies error but get this and I don't have a clue how to proceed: WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/. FATAL: Module ip_tables not found. iptables-restore v1.4.4: iptables-restore: unable to initialize table 'raw' Error occurred at line: 2 Try `iptables-restore -h' or 'iptables-restore --help' for more information. I understand that iptables rules have to be different on the VM machine and perhaps some of the rules we are trying to apply (from our physical server) are not compatible but these are just source IP and destination port checks that I would like to be able to have available . I've heard that on the CentOS template there are no issues with this, so I understand is to do with VM config. Any help would be greatly appreciated.

Read the article
How to drop all subnets outside of the US using iptables

- by Jim

I want to block all subnets outside the US. I've made a script that has all of the US subnets in it. I want to disallow or DROP all but my list. Can someone give me an example of how I can start by denying everything? This is the output from -L Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp dpt:ftp state NEW DROP icmp -- anywhere anywhere Chain FORWARD (policy DROP) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination And these are the rules iptables --F iptables --policy INPUT DROP iptables --policy FORWARD DROP iptables --policy OUTPUT ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -p tcp -i eth0 --dport 21 -m state --state NEW -j ACCEPT iptables -A INPUT -p icmp -j DROP Just for clarity, with these rules, I can still connect to port 21 without my subnet list. I want to block ALL subnets and just open those inside the US.

Read the article
Karmic iptables missing kernel moduyles on OpenVZ container

- by luison

After an unsuccessful p2v migration of my Ubuntu server to an OpenVZ container which I am stack with I thought I would give a try to a reinstall based on a clean OpenVZ template for Ubuntu 9.10 (from the OpenVZ wiki) When I try to load my iptables rules on the VM machine I've been getting errors which I believe are related to kernel modules not being loaded on the VM from the /vz/XXX.conf template model. I've been testing with a few post I've found but I was stack with the error: WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/. FATAL: Could not load /lib/modules/2.6.24-10-pve/modules.dep: No such file or directory iptables-restore v1.4.4: iptables-restore: unable to initialize table 'raw' Error occurred at line: 2 Try `iptables-restore -h' or 'iptables-restore --help' for more information. I read about the template not loading all iptables modules so I added modules to the XXX.conf of the VZ virtual machine like this: IPTABLES="ip_tables iptable_filter iptable_mangle ipt_limit ipt_multiport ipt_tos ipt_TOS ipt_REJECT ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_LOG ipt_length ip_conntrack ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_state ipt_helper iptable_nat ip_nat_ftp ip_nat_irc" As the error remained I read that I should build dependencies again on the virtual machine: depmod -a but this returned an error: WARNING: Couldn't open directory /lib/modules/2.6.24-10-pve: No such file or directory FATAL: Could not open /lib/modules/2.6.24-10-pve/modules.dep.temp for writing: No such file or directory So I read again about creating the directory empty and redoing "depmod -a" it. I now don't get the dependancies error but get this and I don't have a clue how to proceed: WARNING: Deprecated config file /etc/modprobe.conf, all config files belong into /etc/modprobe.d/. FATAL: Module ip_tables not found. iptables-restore v1.4.4: iptables-restore: unable to initialize table 'raw' Error occurred at line: 2 Try `iptables-restore -h' or 'iptables-restore --help' for more information. I understand that iptables rules have to be different on the VM machine and perhaps some of the rules we are trying to apply (from our physical server) are not compatible but these are just source IP and destination port checks that I would like to be able to have available . I've heard that on the CentOS template there are no issues with this, so I understand is to do with VM config. Any help would be greatly appreciated.

Read the article
iptables block everything except http

- by arminb

I'm trying to configure my iptables to block any network traffic except HTTP: iptables -P INPUT DROP #set policy of INPUT to DROP iptables -P OUTPUT DROP #set policy of OUTPUT to DROP iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A OUTPUT -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT The iptables output (iptables -L -v) gives me: Chain INPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 4 745 ACCEPT tcp -- any any anywhere anywhere tcp spt:http state RELATED,ESTABLISHED Chain FORWARD (policy ACCEPT 0 packets, 0 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 2 330 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http state NEW,ESTABLISHED When I try to wget 127.0.0.1 (yes i do have a web server and it works fine) i get: --2012-11-14 16:29:01-- http://127.0.0.1/ Connecting to 127.0.0.1:80... The request never finishes. What am I doing wrong? I'm setting iptables to DROP everything by default and add a rule to ACCEPT HTTP.

Read the article
Secure NAT setup with iptables

- by TheBigB

I have Debian running device that needs to act as an internet-gateway. On top of that I want to provide a firewall that not only blocks inbound traffic, but also outbound traffic. And I figured iptables should be able to do the job. The problem: I've configured NAT properly (I think?), but once I set the default policy to DROP and add rules to for instance allow HTTP traffic from inside the LAN, HTTP is not going through. So basically my rules don't seem to work. Below is the initialization script that I use for iptables. The device has two NICs, respectively eth0 (the WAN interface) and eth1 (the LAN interface). echo 1 > /proc/sys/net/ipv4/ip_forward # Flush tables iptables -F iptables -t nat -F # Set policies iptables -P INPUT DROP iptables -P OUTPUT DROP # NAT iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT # Allow outbound HTTP from LAN? iptables -A FORWARD -i eth1 -o eth0 -p tcp --dport 80 -j ACCEPT iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT Can anyone shed some light on this?

Read the article
iptables (DNAT)

- by user1126425

I have a host that acts as a gateway for other hosts. The configuration is such that eth0(192.168.1.3) is connected to internet via a router and eth1(172.16.2.50) is connected to internal network via switch. Given that, this host is also running a service that is bound to eth1 and serves the internal network. I want to extend this service to the outside world as well and was trying to manipulate iptables so that any request that comes to this host via eth0 and is directed to 192.168.1.3:80 is send to 172.16.2.50 and internet users can also make use of the service. Here are my iptable rules for setting up the host as gateway (and these work fine): sudo iptables -t nat -A POSTROUTING -s 172.16.2.0/16 -o eth0 -j MASQUERADE sudo iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE sudo iptables -A FORWARD -s 172.16.2.0/16 -o eth0 -j ACCEPT sudo iptables -A FORWARD -d 172.16.2.0/16 -m state --state ESTABLISHED,RELATED -i eth0 -j ACCEPT And these are the rules that I am trying to add to the iptables to achieve my ends: sudo iptables -A INPUT -d 192.168.1.3 -p tcp -dport 80 -i eth0 -j ACCEPT sudo iptables -t nat -A PREROUTING -d 192.168.1.3 -p tcp -dport 80 -j DNAT --to-destination 172.16.2.50:80 sudo iptables -t nat -A PREROUTING -s 172.16.2.50 -p tcp -sport 80 -j SNAT --to-source 192.168.1.3:80 sudo iptables -A FORWARD -d 192.168.1.3 -p tcp -dport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT When I do so, I get error like : "multiple -d flags not allowed" ... Can someone tell me how to resolve this error... and do the entries that I want to add will serve my purpose ? Thanks!

Read the article
Set generic iptables rules?

- by tftd

This may be a really dumb question but how can you open a port on multiple interfaces without defining the interfaces? For example how do I open port 22 on all interfaces? On my machine I have some interfaces that are dynamic and may or may not be available so I have to set "generic" rules. This code is not working for me but I can't figure out why: # My default policy is to drop the input. # The other policies are required like that. $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT $IPTABLES -t nat -P POSTROUTING ACCEPT $IPTABLES -t nat -P PREROUTING ACCEPT $IPTABLES -t mangle -P OUTPUT ACCEPT $IPTABLES -t mangle -P PREROUTING ACCEPT #Open port 22 on all interfaces ? $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT So apparently there's something wrong with the last line... but I can't see it?

Read the article
iptables allow dyndns domain name and auto update rules

- by user3215

I have registered with dyndns domain for my dynamically changing public ip address to use with iptable rules. On a server I've allowed some ports for this domain in the iptables configuration like the below entries: -A INPUT -s mycompany.dyndns.com -p tcp -m tcp --dport 22 -j ACCEPT -A INPUT -s mycompany.dyndns.com -p tcp -m tcp --dport 3306 -j ACCEPT -A INPUT -s mycompany.dyndns.com -p tcp -m tcp --dport 21 -j ACCEPT But when ever my modem restarts, I couldn't connect to these allowed ports as public ip changes with modem restart and are not updated in the iptables on the server. Is there any option to automatically update iptable rules on server.

Read the article
keep getting added to hosts.deny + iptables

- by Sc0rian

I am confused to why this has started to happen. On my local network, if I click 10-20 apache/http links my server will decide to add me hosts.deny file and block me on iptables. Its not just apache, it seems to happen with any kinda of traffic, that comes in on a flood method. Like I use subsonic, if I change tracks 10-20 times, it will do it. I would assume I have some sort of firewall which is sitting on the server which is doing this. However I do not have fail2ban or any denyhosts in /var/lib. I cannot work out why I keep getting added to hosts.deny/iptables. Thanks

Read the article
Lot's of errors by insserv on apt-get operations after trying to install tomcat

- by yankee

I wanted to install tomcat on my Debian 6.0.4 machine. I tried apt-get install tomcat6-user which worked fine. But then I changed my mind about the user installation and wanted to install the package tomcat6. This resulted in a bunch of errors (see below). Now whatever I try to do with apt-get or with aptitude (trying to remove tomcat6-user, trying to remove tomcat6, trying to perform an apt-get upgrade,...) just results in the same list of errors. How did I manage that? And how can I fix it? # apt-get install tomcat6 Reading package lists... Done Building dependency tree Reading state information... Done The following extra packages will be installed: authbind Suggested packages: tomcat6-docs tomcat6-admin tomcat6-examples libtcnative-1 The following NEW packages will be installed: authbind tomcat6 0 upgraded, 2 newly installed, 0 to remove and 32 not upgraded. Need to get 56.6 kB of archives. After this operation, 442 kB of additional disk space will be used. Do you want to continue [Y/n]? Get:1 http://mirror.hetzner.de/debian/packages/ squeeze/main authbind amd64 1.2.0 [17.3 kB] Get:2 http://mirror.hetzner.de/debian/security/ squeeze/updates/main tomcat6 all 6.0.35-1+squeeze2 [39.3 kB] Fetched 56.6 kB in 0s (441 kB/s) Preconfiguring packages ... Selecting previously deselected package authbind. (Reading database ... 34717 files and directories currently installed.) Unpacking authbind (from .../authbind_1.2.0_amd64.deb) ... Selecting previously deselected package tomcat6. Unpacking tomcat6 (from .../tomcat6_6.0.35-1+squeeze2_all.deb) ... Processing triggers for man-db ... Setting up authbind (1.2.0) ... Setting up tomcat6 (6.0.35-1+squeeze2) ... Creating config file /etc/default/tomcat6 with new version Adding system user `tomcat6' (UID 108) ... Adding new user `tomcat6' (UID 108) with group `tomcat6' ... Not creating home directory `/usr/share/tomcat6'. insserv: warning: script 'S99iptables-custom' missing LSB tags and overrides insserv: warning: script 'iptables-custom' missing LSB tags and overrides insserv: There is a loop at service iptables-custom if started insserv: There is a loop between service rmnologin and mountnfs if started insserv: loop involving service mountnfs at depth 6 insserv: loop involving service networking at depth 5 insserv: loop involving service kbd at depth 9 insserv: There is a loop between service rmnologin and mountall-bootclean if started insserv: loop involving service mountall-bootclean at depth 5 insserv: loop involving service mountall at depth 4 insserv: There is a loop between service iptables-custom and lvm2 if started insserv: loop involving service lvm2 at depth 2 insserv: loop involving service udev at depth 1 insserv: There is a loop at service rmnologin if started insserv: There is a loop between service iptables-custom and checkroot if started insserv: loop involving service checkroot at depth 2 insserv: loop involving service keyboard-setup at depth 1 insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Max recursions depth 99 reached insserv: loop involving service courier-imap-ssl at depth 1 insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: loop involving service hwclockfirst at depth 2 insserv: loop involving service mountoverflowtmp at depth 9 insserv: loop involving service checkfs at depth 6 insserv: loop involving service mdadm-raid at depth 4 insserv: loop involving service hostname at depth 3 insserv: There is a loop between service iptables-custom and ifupdown-clean if started insserv: loop involving service ifupdown-clean at depth 5 insserv: There is a loop between service rmnologin and mountall if started insserv: There is a loop between service iptables-custom and mountdevsubfs if started insserv: loop involving service mountdevsubfs at depth 1 insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: loop involving service mtab at depth 6 insserv: There is a loop between service rmnologin and mountoverflowtmp if started insserv: Starting iptables-custom depends on rmnologin and therefore on system facility `$all' which can not be true! insserv: exiting now without changing boot order! update-rc.d: error: insserv rejected the script header dpkg: error processing tomcat6 (--configure): subprocess installed post-installation script returned error exit status 1 configured to not write apport reports Errors were encountered while processing: tomcat6 E: Sub-process /usr/bin/dpkg returned an error code (1)

Read the article
iptables rules to allow HTTP traffic to one domain only

- by Emily

Hi everyone, I need to configure my machine as to allow HTTP traffic to/from serverfault.com only. All other websites, services ports are not accessible. I came up with these iptables rules: #drop everything iptables -P INPUT DROP iptables -P OUTPUT DROP #Now, allow connection to website serverfault.com on port 80 iptables -A OUTPUT -p tcp -d serverfault.com --dport 80 -j ACCEPT iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT #allow loopback iptables -I INPUT 1 -i lo -j ACCEPT It doesn't work quite well: After I drop everything, and move on to rule 3: iptables -A OUTPUT -p tcp -d serverfault.com --dport 80 -j ACCEPT I get this error: iptables v1.4.4: host/network `serverfault.com' not found Try `iptables -h' or 'iptables --help' for more information. Do you think it is related to DNS? Should I allow it as well? Or should I just put IP addresses in the rules? Do you think what I'm trying to do could be achieved with simpler rules? How? I would appreciate any help or hints on this. Thanks a lot!

Read the article
iptables rules to allow HTTP traffic to one domain only

- by Zenet

I need to configure my machine as to allow HTTP traffic to/from serverfault.com only. All other websites, services ports are not accessible. I came up with these iptables rules: #drop everything iptables -P INPUT DROP iptables -P OUTPUT DROP #Now, allow connection to website serverfault.com on port 80 iptables -A OUTPUT -p tcp -d serverfault.com --dport 80 -j ACCEPT iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT #allow loopback iptables -I INPUT 1 -i lo -j ACCEPT It doesn't work quite well: After I drop everything, and move on to rule 3: iptables -A OUTPUT -p tcp -d serverfault.com --dport 80 -j ACCEPT I get this error: iptables v1.4.4: host/network `serverfault.com' not found Try `iptables -h' or 'iptables --help' for more information. Do you think it is related to DNS? Should I allow it as well? Or should I just put IP addresses in the rules? Do you think what I'm trying to do could be achieved with simpler rules? How? I would appreciate any help or hints on this. Thanks a lot!

Read the article
Iptables - forward email ports?

- by Emmet Brown

im trying to open some local ports (LAN) and then re-direct them to another server (WAN) using iptables. Here is my config: #WAN allow-hotplug eth1 auto eth1 iface eth1 inet static #Tarjeta red WAN address 192.168.2.2 gateway 192.168.2.1 netmask 255.255.255.0 #LAN allow-hotplug eth0 auto eth0 iface eth0 inet static address 192.168.16.6 netmask 255.255.255.0 network 192.168.16.0 broadcast 192.168.16.255 I try this: iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 110 -j DNAT --to 200.40.30.218:110 iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 200.40.30.218 --dport 110 -j ACCEPT iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 25 -j DNAT --to 200.40.30.218:25 iptables -A FORWARD -p tcp -i eth0 -o ethq -d 200.40.30.218 --dport 25 -j ACCEPT but, it did not work. i also try changeing eth0 to eth1 (and eth1 to eth0) but nothing happened. Starting Nmap 5.00 ( http://nmap.org ) at 2011-10-03 14:44 UYST Interesting ports on 192.168.16.6: Not shown: 997 closed ports PORT STATE SERVICE 22/tcp open ssh 111/tcp open rpcbind 8080/tcp open http-proxy Im running debian. Can u guys help me to check what is happening? edit: IPTABLES-SAVE # Generated by iptables-save v1.4.8 on Mon Oct 3 15:43:14 2011 *mangle :PREROUTING ACCEPT [139993:77867651] :INPUT ACCEPT [139385:77761761] :FORWARD ACCEPT [186:12071] :OUTPUT ACCEPT [173556:74341650] :POSTROUTING ACCEPT [173734:74352988] COMMIT # Completed on Mon Oct 3 15:43:14 2011 # Generated by iptables-save v1.4.8 on Mon Oct 3 15:43:14 2011 *nat :PREROUTING ACCEPT [1649:190626] :POSTROUTING ACCEPT [6729:339646] :OUTPUT ACCEPT [6697:337660] -A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 200.40.30.218:110 -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 200.40.30.218:25 COMMIT # Completed on Mon Oct 3 15:43:14 2011 # Generated by iptables-save v1.4.8 on Mon Oct 3 15:43:14 2011 *filter :INPUT ACCEPT [138307:77066136] :FORWARD ACCEPT [168:11207] :OUTPUT ACCEPT [172288:73655708] -A FORWARD -d 200.40.30.218/32 -i eth0 -o eth1 -p tcp -m tcp --dport 110 -j ACCEPT -A FORWARD -d 200.40.30.218/32 -i eth0 -o ethq -p tcp -m tcp --dport 25 -j ACCEPT COMMIT # Completed on Mon Oct 3 15:43:14 2011 Regards

Read the article
iptables rules keep showing up

- by Omriko

I just installed an ubuntu precise server, after a few weird communications issues I checked the iptables list and found: Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT tcp -- 10.0.0.0/24 anywhere tcp spts:1024:65535 dpt:ssh state NEW ACCEPT icmp -- anywhere anywhere state NEW ACCEPT icmp -- anywhere anywhere state NEW ACCEPT icmp -- anywhere anywhere state NEW ACCEPT icmp -- anywhere anywhere state NEW DROP tcp -- anywhere anywhere tcp dpt:10520 state NEW DROP udp -- anywhere anywhere udp spts:1:65535 dpt:31337 state NEW DROP udp -- anywhere anywhere udp spts:1:65535 dpt:31338 state NEW DROP udp -- anywhere anywhere udp spts:1:65535 dpt:54320 state NEW DROP udp -- anywhere anywhere udp spts:1:65535 dpt:54321 state NEW DROP tcp -- anywhere anywhere tcp dpt:12345 state NEW DROP tcp -- anywhere anywhere tcp dpt:12346 state NEW DROP tcp -- anywhere anywhere tcp dpt:20034 state NEW DROP tcp -- anywhere anywhere tcp dpt:16600 state NEW DROP tcp -- anywhere anywhere tcp dpt:16660 state NEW DROP tcp -- anywhere anywhere tcp dpt:65000 state NEW DROP udp -- anywhere anywhere udp dpt:34555 state NEW DROP udp -- anywhere anywhere udp dpt:35555 state NEW DROP udp -- anywhere anywhere udp spts:netbios-ns:netbios-dgm dpts:netbios-ns:netbios-dgm state NEW DROP tcp -- anywhere anywhere tcp spts:1024:65535 dpt:netbios-ssn state NEW DROP tcp -- anywhere anywhere tcp spts:1024:65535 dpt:microsoft-ds state NEW DROP udp -- anywhere anywhere udp spt:microsoft-ds dpt:microsoft-ds state NEW DROP udp -- anywhere anywhere udp spts:1024:65535 dpt:microsoft-ds state NEW DROP tcp -- anywhere anywhere tcp spts:1024:65535 dpt:loc-srv state NEW DROP tcp -- anywhere anywhere tcp spts:1024:65535 dpt:5000 state NEW DROP tcp -- anywhere anywhere tcp spts:1024:65535 dpts:1025:1029 state NEW DROP udp -- anywhere anywhere udp spts:1:65535 dpt:loc-srv state NEW ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:28082 state NEW DROP all -- anywhere anywhere state NEW Chain FORWARD (policy DROP) target prot opt source destination Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT tcp -- anywhere anywhere tcp spts:tcpmux:65535 dpts:tcpmux:65535 state NEW ACCEPT udp -- anywhere anywhere udp dpts:1:65535 state NEW ACCEPT icmp -- anywhere anywhere state NEW ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpt:28082 state NEW DROP all -- anywhere anywhere state NEW I tried to wipe the rules, I disabled UFW, Ive rewritten and saved iptables rules according to this guide, but every minute or so the old rules return.... I checked crontab for scheduled tasks, there is nothing in there but still these rules appear every minute... please help!

Read the article
iptables unresolved dependencies

- by tertle

I'm trying to setup OpenVPN Access Server on a VPS running ubuntu 9.10 for a friend so she can play games from her uni campus. The problem is I keep running into this error when trying to start openvpn. Service deferred error: IPTablesServiceBase: failed to run iptables-restore [status=1]: ['FATAL: Could not load /lib/modules/2.6.18-028stab070.14/modules.dep: No such file or directory', 'FATAL: Could not load /lib/modules/2.6.18-028stab070.14/modules.dep: No such file or directory', 'iptables-restore: line 46 failed']: internet/base:1175,internet/base:752,internet/process:45,internet/process:306,internet/_baseprocess:48,internet/process:775,internet/_baseprocess:60,svc/pp:116,svc/svcnotify:26,internet/defer:238,internet/defer:307,internet/defer:323,sagent/ipts:105,sagent/ipts:39,util/error:52,util/error:32 service failed to start due to unresolved dependencies: set(['user', 'iptables_openvpn']) service failed to start due to unresolved dependencies: set(['user', 'iptables_openvpn']) service failed to start due to unresolved dependencies: set(['iptables_openvpn']) Now I've already got my provider to enabled the TUN/TAP device driver and I checked this using # cat /dev/net/tun Which returned “File descriptor in bad state” Which I believe means it's enabled. After extensive searching, I've been unable to find any solution other than people suggesting to make sure TUN/TAP device driver is enabled. Any ideas on how to solve my issue? I'm not very experience with linux and I feel in over my head here so any advice is greatly appreciated. --edit-- Just stumbled across this Not sure how I missed it earlier. I believe I need to get modprobe ipt_mark & modprobe ipt_MARK run on the hostnode by my provider. Is this correct and something I should try get done.

Read the article
Iptables working strangely

- by user109985

I have Ubuntu 12.04 x64 installed in my laptop. I'm quite new to linux, and I wanted to specify certain rules for the iptables firewall. This is the saved config of my iptables: *mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] COMMIT *nat :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -A PREROUTING -p tcp -m tcp --dport 3306 -j DNAT --to-destination 192.168.1.100:3306 -A PREROUTING -p tcp -m tcp --dport 11002 -j DNAT --to-destination 192.168.1.100:11002 -A PREROUTING -p tcp -m tcp --dport 13000 -j DNAT --to-destination 192.168.1.100:13000 -A PREROUTING -p tcp -m tcp --dport 13001 -j DNAT --to-destination 192.168.1.100:13001 -A PREROUTING -p tcp -m tcp --dport 13002 -j DNAT --to-destination 192.168.1.100:13002 -A PREROUTING -p tcp -m tcp --dport 13003 -j DNAT --to-destination 192.168.1.100:13003 -A PREROUTING -p tcp -m tcp --dport 13004 -j DNAT --to-destination 192.168.1.100:13004 -A PREROUTING -p tcp -m tcp --dport 13061 -j DNAT --to-destination 192.168.1.100:13061 -A PREROUTING -p tcp -m tcp --dport 13099 -j DNAT --to-destination 192.168.1.100:13099 -A POSTROUTING -j MASQUERADE COMMIT *filter :INPUT DROP [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -i eth0 -p tcp -m tcp --dport 3306 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT COMMIT In theory, what it does is to drop all connections in all ports except for http, mysql and few other ports. Moreover, it redirects all mysql and 13000-13004..etc port connections to a specific local ip in the same port, which is 192.168.1.100. But what I find strange is that when my firewall is active, it blocks absolutely all the input connections, even those which must not block (http, mysql). In fact, I'm literally blocked and I can't establish any external connection. What am I doing wrong? PS: I tested the firewall without those redirections, and it still block all inputs, so I suppose it's not the problem.

Read the article
Samba server NETBIOS name not resolving, WINS support not working

- by Eric

When I try to connect to my CentOS 6.2 x86_64 server's samba shares using address \\REPO (NETBIOS name of REPO), it times out and shows an error; if I do so directly via IP, it works fine. Furthermore, my server does not work correctly as a WINS server despite my samba settings being correct for it (see below for details). If I stop the iptables service, things work properly. I'm using this page as a reference for which ports to use: http://www.samba.org/samba/docs/server_security.html Specifically: UDP/137 - used by nmbd UDP/138 - used by nmbd TCP/139 - used by smbd TCP/445 - used by smbd I really really really want to keep the secure iptables design I have below but just fix this particular problem. SMB.CONF [global] netbios name = REPO workgroup = AWESOME security = user encrypt passwords = yes # Use the native linux password database #passdb backend = tdbsam # Be a WINS server wins support = yes # Make this server a master browser local master = yes preferred master = yes os level = 65 # Disable print support load printers = no printing = bsd printcap name = /dev/null disable spoolss = yes # Restrict who can access the shares hosts allow = 127.0.0. 10.1.1. [public] path = /mnt/repo/public create mode = 0640 directory mode = 0750 writable = yes valid users = mangs repoman IPTABLES CONFIGURE SCRIPT # Remove all existing rules iptables -F # Set default chain policies iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP # Allow incoming SSH iptables -A INPUT -i eth0 -p tcp --dport 22222 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --sport 22222 -m state --state ESTABLISHED -j ACCEPT # Allow incoming HTTP #iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT #iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT # Allow incoming Samba iptables -A INPUT -i eth0 -p udp --dport 137 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p udp --sport 137 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i eth0 -p udp --dport 138 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p udp --sport 138 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 139 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --sport 139 -m state --state ESTABLISHED -j ACCEPT iptables -A INPUT -i eth0 -p tcp --dport 445 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --sport 445 -m state --state ESTABLISHED -j ACCEPT # Make these rules permanent service iptables save service iptables restart**strong text**

Read the article
iptables -L lags on non localhost or anywhere address

- by DazSlayer

I am trying to configure iptables for ubuntu 10.04 and I have a problem with iptables -L lagging on rows where the destination or source address is not localhost or anywhere. The following entries will cause lag on their row: iptables -A INPUT -p tcp --dport 111 -s 192.168.1.14 -j ACCEPT iptables -A INPUT -p tcp --dport 90 -d 192.168.1.14 -j ACCEPT while this does not: iptables -A INPUT -p tcp --dport localhost -s 192.168.1.14 -j ACCEPT iptables -A INPUT -p tcp --dport localhost -d 192.168.1.14 -j ACCEPT I feel like this might be due to iptables checking to see if the ip is reachable. If not, what is the cause, if it is how can I disable it?

Read the article
How iptables behaves on timezone change?

- by pradipta

I have doubt how iptables keep changing the info in iptables when timezone is change. I am using iptables s v 1.4.8 I have blocked one IP with following details # date Thu Jun 6 12:46:42 IST 2013 #iptables -A INPUT -s 10.0.3.128 -m time --datestart 2013-6-6T12:0:00 --datestop 2013-6-6T13:0:00 -j DROP # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination DROP all -- 10.0.3.128 anywhere TIME starting from 2013-06-06 12:00:00 until date 2013-06-06 13:00:00 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination But after I change the timezone following things happened automatically . AFTER TIME ZONE CHANGE +++++++++++++++++++++++ #date Thu Jun 6 15:17:48 HKT 2013 # iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination DROP all -- 10.0.3.128 anywhere TIME starting from 2013-06-06 14:30:00 until date 2013-06-06 15:30:00 Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination # The time value is changed in the rule . It is changing with the timezone how. Where iptables keeps track of timezone. Kindly explain me.

Read the article
iptables configuration under ubuntu

- by aioobe

I'm following a tutorial on setting up a dns-tunnel. I've run into the following instruction: Now you need to enable forwarding on this server. I use iptables to implement masquerading. There are many HOWTOs about this (a simple one, for example). On Debian, the configuration file for iptables is in /var/lib/iptables/active. The relevant bit is: *nat :PREROUTING ACCEPT [6:1596] :POSTROUTING ACCEPT [1:76] :OUTPUT ACCEPT [1:76] -A POSTROUTING -s 10.0.0.0/8 -j MASQUERADE COMMIT Restart iptables: /etc/init.d/iptables restart The problem is that I don't have any /var/lib/iptables/active. (I'm on ubuntu.) How can I accomplish this? I suspect that I should just interact with the iptables command somehow but I have no clue what to write. Best would probably be if I could put the commands in a script somehow I suppose. (A side-note. If I execute a few iptables-commands it wont be there for ever, right? The rules will be discarded on reboot?)

Read the article
iptables to block non-VPN-traffic if not through tun0

- by dacrow

I have a dedicated Webserver running Debian 6 and some Apache, Tomcat, Asterisk and Mail-stuff. Now we needed to add VPN support for a special program. We installed OpenVPN and registered with a VPN provider. The connection works well and we have a virtual tun0 interface for tunneling. To archive the goal for only tunneling a single program through VPN, we start the program with sudo -u username -g groupname command and added a iptables rule to mark all traffic coming from groupname iptables -t mangle -A OUTPUT -m owner --gid-owner groupname -j MARK --set-mark 42 Afterwards we tell iptables to to some SNAT and tell ip route to use special routing table for marked traffic packets. Problem: if the VPN failes, there is a chance that the special to-be-tunneled program communicates over the normal eth0 interface. Desired solution: All marked traffic should not be allowed to go directly through eth0, it has to go through tun0 first. I tried the following commands which didn't work: iptables -A OUTPUT -m owner --gid-owner groupname ! -o tun0 -j REJECT iptables -A OUTPUT -m owner --gid-owner groupname -o eth0 -j REJECT It might be the problem, that the above iptable-rules didn't work due to the fact, that the packets are first marked, then put into tun0 and then transmitted by eth0 while they are still marked.. I don't know how to de-mark them after in tun0 or to tell iptables, that all marked packet may pass eth0, if they where in tun0 before or if they going to the gateway of my VPN provider. Does someone has any idea to a solution? Some config infos: iptables -nL -v --line-numbers -t mangle Chain OUTPUT (policy ACCEPT 11M packets, 9798M bytes) num pkts bytes target prot opt in out source destination 1 591K 50M MARK all -- * * 0.0.0.0/0 0.0.0.0/0 owner GID match 1005 MARK set 0x2a 2 82812 6938K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 owner GID match 1005 CONNMARK save iptables -nL -v --line-numbers -t nat Chain POSTROUTING (policy ACCEPT 393 packets, 23908 bytes) num pkts bytes target prot opt in out source destination 1 15 1052 SNAT all -- * tun0 0.0.0.0/0 0.0.0.0/0 mark match 0x2a to:VPN_IP ip rule add from all fwmark 42 lookup 42 ip route show table 42 default via VPN_IP dev tun0

Read the article
iptables to block VPN-traffic if not through tun0

- by dacrow

I have a dedicated Webserver running Debian 6 and some Apache, Tomcat, Asterisk and Mail-stuff. Now we needed to add VPN support for a special program. We installed OpenVPN and registered with a VPN provider. The connection works well and we have a virtual tun0 interface for tunneling. To archive the goal for only tunneling a single program through VPN, we start the program with sudo -u username -g groupname command and added a iptables rule to mark all traffic coming from groupname iptables -t mangle -A OUTPUT -m owner --gid-owner groupname -j MARK --set-mark 42 Afterwards we tell iptables to to some SNAT and tell ip route to use special routing table for marked traffic packets. Problem: if the VPN failes, there is a chance that the special to-be-tunneled program communicates over the normal eth0 interface. Desired solution: All marked traffic should not be allowed to go directly through eth0, it has to go through tun0 first. I tried the following commands which didn't work: iptables -A OUTPUT -m owner --gid-owner groupname ! -o tun0 -j REJECT iptables -A OUTPUT -m owner --gid-owner groupname -o eth0 -j REJECT It might be the problem, that the above iptable-rules didn't work due to the fact, that the packets are first marked, then put into tun0 and then transmitted by eth0 while they are still marked.. I don't know how to de-mark them after in tun0 or to tell iptables, that all marked packet may pass eth0, if they where in tun0 before or if they going to the gateway of my VPN provider. Does someone has any idea to a solution? Some config infos: iptables -nL -v --line-numbers -t mangle Chain OUTPUT (policy ACCEPT 11M packets, 9798M bytes) num pkts bytes target prot opt in out source destination 1 591K 50M MARK all -- * * 0.0.0.0/0 0.0.0.0/0 owner GID match 1005 MARK set 0x2a 2 82812 6938K CONNMARK all -- * * 0.0.0.0/0 0.0.0.0/0 owner GID match 1005 CONNMARK save iptables -nL -v --line-numbers -t nat Chain POSTROUTING (policy ACCEPT 393 packets, 23908 bytes) num pkts bytes target prot opt in out source destination 1 15 1052 SNAT all -- * tun0 0.0.0.0/0 0.0.0.0/0 mark match 0x2a to:VPN_IP ip rule add from all fwmark 42 lookup 42 ip route show table 42 default via VPN_IP dev tun0

Read the article

Search Results

Search found 1249 results on 50 pages for 'iptables'.

Page 3/50 | < Previous Page | 1 2 3 4 5 6 7 8 9 10 11 12 | Next Page >

- by Vaibhav

- by Ranjith Kumar

- by user2833135

- by luison

- by Jim

- by luison

- by arminb

- by TheBigB

- by user1126425

- by tftd

- by user3215

- by Sc0rian

- by yankee

- by Emily

- by Zenet

- by Emmet Brown

- by Omriko

- by tertle

- by user109985

- by Eric

- by DazSlayer

- by pradipta

- by aioobe

- by dacrow

- by dacrow

< Previous Page | 1 2 3 4 5 6 7 8 9 10 11 12 | Next Page >