• RELEVANCY SCORE 6.35

    DB:6.35:Iptables: Invalid Argument Error While Starting Apf dm







    Hello,

    I am getting the following error while starting apf on my Virtuozzo VPS:



    [root@testvps ~]# apf -s
    iptables: Invalid argument
    iptables: Invalid argument
    iptables: Invalid argument
    iptables: Invalid argument
    iptables: Invalid argument
    iptables: Invalid argument
    iptables: Invalid argument
    iptables: Invalid argument
    iptables: Invalid argument
    iptables: Invalid argument
    iptables: Invalid argument
    iptables: Invalid argument
    iptables: Invalid argument
    iptables: Invalid argument

    DB:6.35:Iptables: Invalid Argument Error While Starting Apf dm







    Originally posted by barmaley
    don't be afraid, we've got plenty of disk space here
    Please notice - I didn't tell you that the output will immediately show you where apf fails, only that it should give you an idea of what's going on. sh -x runs a shell script with debug, and apf is just a bunch of shell scripts. Bunch is important here - the main binary might not show you the exact point of failure, and it's entirely possible that it would be necessary to add set -x to the script(s) it is calling.
    Maybe even into the functions inside these scripts, because these functions could easily suppress the debugging info.

  • RELEVANCY SCORE 5.78

    DB:5.78:Iptables: No Chain/Target/Match By That Name pa







    APF / IPTABLES problem:

    Aug 19 15:01:20 apf: Starting APF:
    Aug 19 15:01:22 apf: iptables: No chain/target/match by that name
    Aug 19 15:01:22 apf: iptables: No chain/target/match by that name

    More info:

    [root@localhost ~]# service iptables stop
    Flushing firewall rules: [ OK ]
    Setting chains to policy ACCEPT: nat mangle filter [ OK ]
    Unloading iptables modules: [FAILED]
    [root@localhost ~]# service iptables start
    Flushing firewall rules: [ OK ]
    Setting chains to policy ACCEPT: nat mangle filter [ OK ]
    Unloading iptables modules: [FAILED]
    Applying iptables firewall rules: [ OK ]
    Loading additional iptables modules: ip_tables ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_helper ip_nat_irc ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mange_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ip[FAILED] ipt_REDIRECT ipt_state iptable_nat ip_nat_ftp

    /etc/sysconfig/iptables-config

    # Additional iptables modules (nat helper)
    # ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length
    # Save current firewall rules on stop.
    # Value: yes|no, default: no
    #IPTABLES_SAVE_ON_STOP=no

    # Save current firewall rules on restart.
    # Value: yes|no, default: no
    #IPTABLES_SAVE_ON_RESTART=no

    # Save (and restore) rule counter.
    # Value: yes|no, default: no
    #IPTABLES_SAVE_COUNTER=no

    # Numeric status output
    # Value: yes|no, default: no
    #IPTABLES_STATUS_NUMERIC=no

    IPTABLES_MODULES=ip_tables ip_conntrack_ftp ip_conntrack_irc ipt_conntrack ipt_helper ip_nat_irc ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mange_mange_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_REDIRECT ipt_state iptable_nat ip_nat_ftp

    More info:

    [root@localhost ~]# vzctl set 103 --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl --iptables ipt_length --iptables ipt_REDIRECT --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --save Bad parameter for --iptables: ipt_REDIRECT

    [root@localhost ~]# vzctl set 103 --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl --iptables ipt_length --iptables --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --save Bad parameter for --iptables: --iptables

    [root@localhost ~]# vzctl set 103 --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl --iptables ipt_length --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --save Saved parameters for VPS 103


  • RELEVANCY SCORE 5.76

    DB:5.76:Iptable-Filter Problem z9





    I am having trouble using iptables on my computer.

    When I try to start the iptables service, it fails with the error
    iptables-restore v1.4.19.1: iptables-restore: unable to initialize table filter

    DB:5.76:Iptable-Filter Problem z9


    I think I will be resetting the computer installation to see if this fixes the problem. I appreciate the help.

  • RELEVANCY SCORE 5.56

    DB:5.56:[Solved] Iptables - Inverting Ip Match xd



    Hi all,

    I'm setting up traffic accounting and have faced a nasty problem with iptables. I need to count forwarded traffic, but not from certain subnets. I wrote the following in the firewall script:
    iptables -N TRAFFIC_FWD

    for i in $LOCAL_ADDR ; do
    iptables -A FORWARD ! -d $i -j TRAFFIC_FWD
    iptables -A FORWARD ! -s $i -j TRAFFIC_FWD
    done

    iptables -A TRAFFIC_FWD -s $TARGET_IP
    iptables -A TRAFFIC_FWD -d $TARGET_IP

    iptables -A TRAFFIC_FWD -j RETURN
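The fault in the script above follows from how iptables evaluates a chain: rules are tried in order, each `! -d $i` and `! -s $i` rule jumps on its own, so one packet can enter TRAFFIC_FWD several times, and with more than one subnet in $LOCAL_ADDR a local-to-local packet still matches the negated rule written for the other subnet. The Python model below is an added example, not code from the thread: it replays the posted chain layout and an assumed correction (enter TRAFFIC_FWD once, skip the accounting rules when both endpoints are local) over constructed packets. The values of LOCAL_ADDR, TARGET_IP and the packet list are constructed for the demonstration.

```python
from ipaddress import ip_address, ip_network

# Constructed sample values, standing in for the post's $LOCAL_ADDR and $TARGET_IP.
LOCAL_ADDR = ["192.168.1.0/24", "10.0.0.0/8"]
TARGET_IP = "192.168.1.10"


def addr_matches(addr, spec):
    """Evaluate `-s/-d net` (negated=False) or `! -s/-d net` (negated=True)."""
    net, negated = spec
    return (ip_address(addr) in ip_network(net)) != negated


def walk(chains, chain, pkt, hits):
    """First-match traversal with iptables jump/RETURN semantics.

    A rule is a dict with optional 'src'/'dst' specs and an optional 'target'.
    A rule without a target only counts (like the post's accounting rules).
    Falling off the end of a user chain behaves like RETURN.
    Returns ACCEPT/DROP, or None when the chain returned to its caller.
    """
    for rule in chains[chain]:
        if "src" in rule and not addr_matches(pkt[0], rule["src"]):
            continue
        if "dst" in rule and not addr_matches(pkt[1], rule["dst"]):
            continue
        target = rule.get("target")
        if target is None:
            hits.append((chain, rule))       # accounting rule: count and carry on
            continue
        if target == "RETURN":
            return None
        if target in chains:                 # jump into a user chain
            verdict = walk(chains, target, pkt, hits)
            if verdict is not None:
                return verdict
            continue                         # it RETURNed: resume after the jump rule
        return target                        # terminal verdict (ACCEPT/DROP)
    return None


def posted_chains(local, target):
    """The layout from the post: one negated jump per subnet and per direction."""
    forward = []
    for net in local:
        forward.append({"dst": (net, True), "target": "TRAFFIC_FWD"})   # ! -d $i
        forward.append({"src": (net, True), "target": "TRAFFIC_FWD"})   # ! -s $i
    acct = [{"src": (target, False)}, {"dst": (target, False)}, {"target": "RETURN"}]
    return {"FORWARD": forward, "TRAFFIC_FWD": acct}


def fixed_chains(local, target):
    """Assumed correction (not from the thread): enter TRAFFIC_FWD exactly once,
    RETURN early for every local-to-local subnet pair, then count. No packet
    can reach the accounting rules twice."""
    acct = [{"src": (a, False), "dst": (b, False), "target": "RETURN"}
            for a in local for b in local]
    acct += [{"src": (target, False)}, {"dst": (target, False)}]
    return {"FORWARD": [{"target": "TRAFFIC_FWD"}], "TRAFFIC_FWD": acct}


def accounting_hits(chains, packets):
    """Number of accounting-rule hits for each (src, dst) packet."""
    result = []
    for pkt in packets:
        hits = []
        walk(chains, "FORWARD", pkt, hits)
        result.append(len(hits))
    return result


# Constructed packets as (src, dst). Only the middle two should be counted, once each.
PACKETS = [
    ("192.168.1.10", "10.1.2.3"),        # target -> local: should not count
    ("192.168.1.10", "203.0.113.5"),     # target -> internet: count once
    ("198.51.100.7", "192.168.1.10"),    # internet -> target: count once
    ("192.168.1.20", "10.5.5.5"),        # local -> local, not the target
]

if __name__ == "__main__":
    print("posted:", accounting_hits(posted_chains(LOCAL_ADDR, TARGET_IP), PACKETS))
    print("fixed: ", accounting_hits(fixed_chains(LOCAL_ADDR, TARGET_IP), PACKETS))
```

With the posted layout the local-to-local packet is counted twice and the two internet packets three times each; with the single-entry layout the counts are 0, 1, 1, 0. The pairwise RETURN rules grow as the square of the subnet count, which is acceptable for a handful of local networks; an ipset-based match would be the usual choice beyond that.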

    DB:5.56:[Solved] Iptables - Inverting Ip Match xd


    Great thanks for the detailed explanation of my mistake! At first, I hadn't noticed such a fault in the algo.

  • RELEVANCY SCORE 5.55

    DB:5.55:[Solved] Gufw Iptables Settings Not Restored mp



    My iptables settings in gufw are only set once I manually start with gksudo gufw and then click enable.

    How can I make my gufw, ufw, iptables settings restore on startup?

    My daemons array if it helps!

    DAEMONS=(syslog-ng iptables hal fam @network @netfs @crond @alsa @mpd @openntpd)

    Last edited by roybot (2009-12-04 13:15:14)

  • RELEVANCY SCORE 5.42

    DB:5.42:Lms4.2.1 Using Iptables In Soft Applience To Control Access To Server j8



    Hello,

    I have LMS on a public IP, and need a way to limit access port by port. As I know how to get around in Linux, I thought I'd use iptables. But I lose all my iptables rules after every reboot, and this is not standard Linux (RHEL) behavior.

    If I do "service iptables restart" after the server boots, my rules are loaded successfully.

    I googled for answers.

    This is what I checked:

    There are no errors in messages log.

    This seems ok:

    [prime/root-ade log]# chkconfig --list | grep tables

    ip6tables       0:off   1:off   2:on    3:on    4:on    5:on    6:off

    iptables        0:off   1:off   2:on    3:on    4:on    5:on    6:off

    [prime/root-ade log]# ls -l /etc/rc3.d/ | grep iptables

    lrwxrwxrwx 1 root root      18 Jul 18  2011 S08iptables -> ../init.d/iptables

    Tried "service iptables save". iptables and iptables.save holds my custom rules:

    [prime/root-ade log]# ls -l /etc/sysconfig/ | grep tables

    -rw------- 1 root gadmin 1136 Aug 11 14:58 iptables

    -rw------- 1 root root   1740 May 19  2009 iptables-config

    -rw------- 1 root gadmin 1138 Aug 11 14:58 iptables.save

    Putting "/sbin/service iptables restart" in /etc/rc.local doesn't help either.

    Anyone?

    DB:5.42:Lms4.2.1 Using Iptables In Soft Applience To Control Access To Server j8


    Workaround: backup "firewall" executable and create an empty bash script with the same name instead. Then use iptables.

  • RELEVANCY SCORE 5.34

    DB:5.34:Apf Giving Iptables: Invalid Argument as





    I am running Debian Sarge on my Virtuozzo VPS.

    conf.apf looks like:
    IFACE_IN=venet0
    IFACE_OUT=venet0
    SET_MONOKERN=1
    IG_TCP_CPORTS=21,22,53,80,443,25,465,110,995,143,993,137,139,445,10000,3306
    IG_UDP_CPORTS=53

    /etc/apf/firewall gives iptables: Invalid arguments on these calls to iptables:

    /sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ALL NONE -j IN_SANITY

    /sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j IN_SANITY

    /sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags SYN,RST SYN,RST -j IN_SANITY

    /sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags FIN,RST FIN,RST -j IN_SANITY

    /sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ACK,FIN FIN -j IN_SANITY

    /sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ACK,URG URG -j IN_SANITY

    /sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ACK,PSH PSH -j IN_SANITY

    /sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ALL FIN,URG,PSH -j IN_SANITY

    /sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j IN_SANITY

    /sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ALL ALL -j IN_SANITY

    /sbin/iptables -A INPUT -i venet0 -p tcp --tcp-flags ALL FIN -j IN_SANITY

    Any thoughts?
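For reference on what those IN_SANITY rules are meant to catch when they do load, here is an added Python model (not from the thread or the APF project) of the `--tcp-flags MASK COMP` test, which looks only at the MASK bits of a segment's flags and requires exactly the COMP bits among them. It runs the eleven mask/comparison pairs from the post, in order, against constructed flag combinations, so a defender can see which combinations a normal handshake leaves untouched and which malformed ones the chain would divert. The sample flag combinations are constructed for the demonstration.

```python
TCP_FLAGS = {"FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08, "ACK": 0x10, "URG": 0x20}
ALL_FLAGS = 0x3F  # the six flag bits covered by the iptables ALL keyword


def parse_flags(spec):
    """Turn an iptables flag list ('SYN,FIN', 'ALL', 'NONE') into a bitmask."""
    if spec == "ALL":
        return ALL_FLAGS
    if spec == "NONE":
        return 0
    mask = 0
    for name in spec.split(","):
        mask |= TCP_FLAGS[name]
    return mask


# The (MASK, COMP) pairs of the eleven IN_SANITY rules quoted in the post, in order.
IN_SANITY = [
    ("ALL", "NONE"),
    ("SYN,FIN", "SYN,FIN"),
    ("SYN,RST", "SYN,RST"),
    ("FIN,RST", "FIN,RST"),
    ("ACK,FIN", "FIN"),
    ("ACK,URG", "URG"),
    ("ACK,PSH", "PSH"),
    ("ALL", "FIN,URG,PSH"),
    ("ALL", "SYN,RST,ACK,FIN,URG"),
    ("ALL", "ALL"),
    ("ALL", "FIN"),
]


def tcp_flags_match(flags, mask, comp):
    """Semantics of `--tcp-flags MASK COMP`: examine only the MASK bits and
    require exactly the COMP bits to be set among them."""
    return (flags & parse_flags(mask)) == parse_flags(comp)


def first_sanity_rule(flags_spec):
    """Index of the first IN_SANITY rule a segment with these flags would hit,
    or None when every rule lets it through (a sane segment)."""
    flags = parse_flags(flags_spec)
    for idx, (mask, comp) in enumerate(IN_SANITY):
        if tcp_flags_match(flags, mask, comp):
            return idx
    return None


def classify(flag_specs):
    """Map each flag combination to the rule index that diverts it (or None)."""
    return {spec: first_sanity_rule(spec) for spec in flag_specs}


# Constructed sample combinations: normal handshake/data segments, then malformed ones.
SAMPLES = ["SYN", "SYN,ACK", "ACK", "PSH,ACK", "FIN,ACK",
           "NONE", "SYN,FIN", "SYN,RST", "FIN,PSH,URG", "ALL", "FIN", "PSH", "URG"]

if __name__ == "__main__":
    for spec, rule in classify(SAMPLES).items():
        where = "passes" if rule is None else f"-> IN_SANITY via rule {rule} {IN_SANITY[rule]}"
        print(f"{spec:12s} {where}")
```

Because evaluation is first-match, the FIN,PSH,URG combination is diverted by the earlier `ACK,FIN FIN` rule rather than the `ALL FIN,URG,PSH` rule it was written for; the outcome is the same, only the rule counter differs. A segment carrying every flag is caught by `SYN,FIN SYN,FIN` for the same reason.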


  • RELEVANCY SCORE 5.27

    DB:5.27:Internet Connection Sharing - Mtu Problems [Solved] pf



    So, I've recently come into an XBox 360, and I'm trying to connect it to the internet. It can have a wired connection, but we have a wireless router and it's too far away to run a wire. There's a dongle available, but anything a 70 dollar dongle can do, so can my HP Pavilion dv8000, right?

    So, I looked online at http://wiki.archlinux.org/index.php/Internet_Share and http://wiki.archlinux.org/index.php/Sim … AT_gateway and from this, I've created this script/set of commands (I know it's not all necessary, but I figured I might as well just follow the entirety of the second link and prune it down later; I also threw in some things myself just to see what the tables look like at the time):
    iptables -nvL
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -F
    iptables -X
    iptables -nvL
    iptables -N open
    iptables -N interfaces
    iptables -N fw-interfaces
    iptables -N fw-open
    iptables -A INPUT -p icmp -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -j interfaces
    iptables -A INPUT -j open
    iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
    iptables -P INPUT DROP
    iptables -A interfaces -i lo -j ACCEPT
    iptables -A interfaces -i eth0 -j fw-interfaces
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    iptables -A INPUT -f -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    #iptables -I INPUT -i wlan0 -s 10.0.0.0/8 -j DROP
    #iptables -I INPUT -i wlan0 -s 172.16.0.0/12 -j DROP
    #iptables -I INPUT -i wlan0 -s 192.168.0.0/16 -j DROP
    #iptables -I INPUT -i wlan0 -s 127.0.0.0/8 -j DROP
    /etc/rc.d/iptables save
    iptables -L FORWARD
    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -j fw-interfaces
    iptables -A FORWARD -j fw-open
    iptables -A FORWARD -j REJECT --reject-with icmp-host-unreachable
    iptables -P FORWARD DROP
    iptables -A fw-interfaces -i eth0 -j ACCEPT
    iptables -t nat -A POSTROUTING -s 192.168.39.163/255.255.255.0 -o wlan0 -j MASQUERADE
    echo 1 > /proc/sys/net/ipv4/ip_forward
    iptables -A fw-open -d 192.168.39.163 -p tcp --dport 2074 -j ACCEPT
    iptables -A fw-open -d 192.168.39.163 -p udp --dport 2074 -j ACCEPT
    iptables -A fw-open -d 192.168.39.163 -p udp --dport 3074 -j ACCEPT
    iptables -A fw-open -d 192.168.39.163 -p tcp --dport 3074 -j ACCEPT
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2074 -j DNAT --to 192.168.39.163
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3074 -j DNAT --to 192.168.39.163
    iptables -t nat -A PREROUTING -i eth0 -p udp --dport 3074 -j DNAT --to 192.168.39.163
    iptables -t nat -A PREROUTING -i eth0 -p udp --dport 2074 -j DNAT --to 192.168.39.163
    iptables -A fw-open -d 192.168.39.163 -p udp --dport 88 -j ACCEPT
    iptables -t nat -A PREROUTING -i eth0 -p udp --dport 88 -j DNAT --to 192.168.39.163
    /etc/rc.d/iptables save

    ifconfig eth0 down
    ifconfig eth0 192.168.39.1 netmask 255.255.255.0
    ifconfig eth0 up

    DB:5.27:Internet Connection Sharing - Mtu Problems [Solved] pf


    Hrm, I just noticed this problem with my Xbox trying to run a xbox live test. This had been working fine until I moved and received a new modem/bunch of package upgrades for my router. I as well use the opendns servers. Though the MTU on my router showed 536 on one and 1500 on the other.

    I can manually set the MTU to 1500 on the interface, but it gets set back to 536 after a reboot..Strange...

    Edit: Just found my problem, it was the Cable modem supplied by my ISP. Supposedly it has problems with MTU. Time to bring another one back!

    Last edited by brenix (2009-09-14 17:06:30)

  • RELEVANCY SCORE 5.27

    DB:5.27:Iptables Doesn`T Work After Boot 9k



    I am using firehol to setup my firewall with NAT.

    After generating the rules I save them to /etc/iptables/iptables.rules with /etc/rc.d/iptables save

    also added iptables to the daemon array:
    DAEMONS=(syslog-ng hotplug dbus hal !pcmcia network hplip cups alsa netfs crond xinetd sshd samba httpd iptables kdm)

    after boot iptables is started but I do not have access to the internet in the other computers of the LAN (that use the arch server as a router).

    Running iptables restart manually after boot everything works fine again.

    Any suggestions?
    Thanks in advance

    DB:5.27:Iptables Doesn`T Work After Boot 9k


    You were absolutely right. sunnemer and lanrat, many thanks for your help.

    Alfonso

  • RELEVANCY SCORE 5.21

    DB:5.21:Iptables / Passive Ftp Problem m3





    I know there's been a few posts about this in the past, but they've been of no help to me. I'm trying to get proftpd and iptables to use passive FTP properly (right now the FTP is not functioning so quickly). Here is my IPTables file (/etc/sysconfig/iptables):

    Code:

    DB:5.21:Iptables / Passive Ftp Problem m3




    Click on System Modules (left-hand sidebar) and the Firewall module should be listed there. All it does is generate an iptables firewall script. It allows you to configure simple allow/deny rules for each protocol, and that's about it.

  • RELEVANCY SCORE 5.18

    DB:5.18:Nat On Public Address cj



    Hi

    I have a problem with the NanoStation5 Loco: when any client in the network sets its gateway to the public IP of the NanoStation, it has internet ...

    I tried adding iptables rules:
    iptables -A FORWARD -i ath0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -i eth0 -o ath0 -j ACCEPT
    But I get an error ... does the system have connection tracking?

    My config dump:
    aaa.1.status=disabled
    aaa.status=disabled
    bridge.1.devname=br0
    bridge.1.fd=1
    bridge.1.port.1.devname=eth0
    bridge.1.port.1.status=enabled
    bridge.1.port.2.devname=ath0
    bridge.1.port.2.status=enabled
    bridge.status=disabled
    dhcpc.1.devname=br0
    dhcpc.1.status=disabled
    dhcpc.status=disabled
    dhcpd.1.devname=eth0
    dhcpd.1.dnsproxy=enabled
    dhcpd.1.end=192.168.11.15
    dhcpd.1.lease_time=3600
    dhcpd.1.netmask=255.255.255.0
    dhcpd.1.start=192.168.11.5
    dhcpd.1.status=enabled
    dhcpd.status=enabled
    dnsmasq.1.devname=eth0
    dnsmasq.1.status=disabled
    dnsmasq.status=disabled
    ebtables.1.cmd=-t nat -A PREROUTING --in-interface ath0 -j arpnat --arpnat-target ACCEPT
    ebtables.1.status=enabled
    ebtables.2.cmd=-t nat -A POSTROUTING --out-interface ath0 -j arpnat --arpnat-target ACCEPT
    ebtables.2.status=enabled
    ebtables.3.cmd=-t broute -A BROUTING --protocol 0x888e --in-interface ath0 -j DROP
    ebtables.3.status=disabled
    ebtables.status=disabled
    gui.language=pl_PL
    httpd.port=80
    httpd.status=enabled
    igmpproxy.1.downstream.devname=ath0
    igmpproxy.status=disabled
    igmpproxy.upstream.1.netmask=0.0.0.0
    igmpproxy.upstream.1.network=0.0.0.0
    igmpproxy.upstream.devname=eth0
    iptables.1.cmd=-t nat -I POSTROUTING -o ath0 -j MASQUERADE
    iptables.1.status=enabled
    iptables.10.cmd=-A FORWARD -i ath0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables.10.status=enabled
    iptables.11.cmd=-A FORWARD -i eth0 -o ath0 -j ACCEPT
    iptables.11.status=enabled
    iptables.2.status=disabled
    iptables.200.status=disabled
    iptables.3.status=disabled
    iptables.4.cmd=-t nat -N PORTFORWARD
    iptables.4.status=disabled
    iptables.5.cmd=-t nat -I PREROUTING -i ath0 -j PORTFORWARD
    iptables.5.status=disabled
    iptables.50.cmd=-N FIREWALL
    iptables.50.status=enabled
    iptables.51.cmd=-A INPUT -j FIREWALL
    iptables.51.status=enabled
    iptables.52.cmd=-A FORWARD -j FIREWALL
    iptables.52.status=enabled
    iptables.53.cmd=
    iptables.53.comment=test
    iptables.53.status=disabled
    iptables.54.cmd=
    iptables.54.comment=
    iptables.54.status=disabled
    iptables.55.cmd=
    iptables.55.comment=
    iptables.55.status=disabled
    iptables.56.cmd=
    iptables.56.comment=
    iptables.56.status=disabled
    iptables.57.cmd=
    iptables.57.comment=
    iptables.57.status=disabled
    iptables.58.cmd=
    iptables.58.comment=
    iptables.58.status=disabled
    iptables.59.cmd=
    iptables.59.comment=
    iptables.59.status=disabled
    iptables.60.cmd=
    iptables.60.comment=
    iptables.60.status=disabled
    iptables.61.cmd=
    iptables.61.comment=
    iptables.61.status=disabled
    iptables.62.cmd=
    iptables.62.comment=
    iptables.62.status=disabled
    iptables.63.cmd=
    iptables.63.comment=
    iptables.63.status=disabled
    iptables.64.cmd=
    iptables.64.comment=
    iptables.64.status=disabled
    iptables.65.cmd=
    iptables.65.comment=
    iptables.65.status=disabled
    iptables.66.cmd=
    iptables.66.comment=
    iptables.66.status=disabled
    iptables.67.cmd=
    iptables.67.comment=
    iptables.67.status=disabled
    iptables.68.cmd=
    iptables.68.comment=
    iptables.68.status=disabled
    iptables.69.cmd=
    iptables.69.comment=
    iptables.69.status=disabled
    iptables.70.cmd=
    iptables.70.comment=
    iptables.70.status=disabled
    iptables.71.cmd=
    iptables.71.comment=
    iptables.71.status=disabled
    iptables.72.cmd=
    iptables.72.comment=
    iptables.72.status=disabled
    iptables.status=enabled
    netconf.1.autoip.status=enabled
    netconf.1.devname=eth0
    netconf.1.ip=192.168.11.134
    netconf.1.netmask=255.255.255.0
    netconf.1.promisc=enabled
    netconf.1.status=enabled
    netconf.1.up=enabled
    netconf.2.allmulti=disabled
    netconf.2.autoip.status=enabled
    netconf.2.devname=ath0
    netconf.2.ip=192.168.0.54
    netconf.2.netmask=255.255.252.0
    netconf.2.status=enabled
    netconf.2.up=enabled
    netconf.3.alias.1.status=disabled
    netconf.3.alias.2.status=disabled
    netconf.3.alias.3.status=disabled
    netconf.3.alias.4.status=disabled
    netconf.3.alias.5.status=disabled
    netconf.3.alias.6.status=disabled
    netconf.3.alias.7.status=disabled
    netconf.3.alias.8.status=disabled
    netconf.3.devname=br0
    netconf.3.ip=192.168.1.20
    netconf.3.netmask=255.255.255.0
    netconf.3.status=disabled
    netconf.3.up=enabled
    netconf.status=enabled
    netmode=router
    ppp.1.password=
    ppp.1.status=disabled
    ppp.status=disabled
    radio.1.ack.auto=enabled
    radio.1.ackdistance=600
    radio.1.acktimeout=25
    radio.1.ani.status=disabled
    radio.1.chanshift=0
    radio.1.clksel=0
    radio.1.countrycode=616
    radio.1.devname=ath0
    radio.1.dfs.status=
    radio.1.ext_antenna=disabled
    radio.1.frag=off
    radio.1.ieee_mode=a
    radio.1.mcastrate=6M
    radio.1.mode=managed
    radio.1.rate.auto=enabled
    radio.1.rate.max=54M
    radio.1.rts=off
    radio.1.rx_antenna=2
    radio.1.rx_antenna_diversity=disabled
    radio.1.status=enabled
    radio.1.thresh62a=28
    radio.1.thresh62b=28
    radio.1.thresh62g=28
    radio.1.tx_antenna=2
    radio.1.tx_antenna_diversity=disabled
    radio.1.txpower=14
    radio.countrycode=616
    radio.ratemodule=ath_rate_minstrel
    radio.status=enabled
    resolv.host.1.name=xxx
    resolv.host.1.status=enabled
    resolv.nameserver.1.ip=194.204.159.1
    resolv.nameserver.1.status=enabled
    resolv.nameserver.2.ip=208.67.222.222
    resolv.nameserver.2.status=enabled
    resolv.status=enabled
    route.1.devname=br0
    route.1.gateway=192.168.0.1
    route.1.ip=0.0.0.0
    route.1.netmask=0
    route.1.status=enabled
    route.status=enabled
    sshd.status=enabled
    tshaper.status=disabled
    users.1.name=admin
    users.1.password=FfCY6ExkxH13Q
    users.1.status=enabled
    users.status=enabled
    wireless.1.addmtikie=enabled
    wireless.1.ap=
    wireless.1.authmode=1
    wireless.1.compression=disabled
    wireless.1.devname=ath0
    wireless.1.fastframes=disabled
    wireless.1.frameburst=disabled
    wireless.1.hide_ssid=disabled
    wireless.1.l2_isolation=enabled
    wireless.1.macclone=disabled
    wireless.1.scan_list.status=disabled
    wireless.1.security=none
    wireless.1.signal_led1=94
    wireless.1.signal_led2=80
    wireless.1.signal_led3=73
    wireless.1.signal_led4=65
    wireless.1.sper=disabled
    wireless.1.ssid=sector_R
    wireless.1.status=enabled
    wireless.1.wds=disabled
    wireless.1.wmm=disabled
    wireless.1.wmmlevel=-1
    wireless.status=enabled
    wpasupplicant.device.1.status=disabled
    wpasupplicant.status=disabled

    DB:5.18:Nat On Public Address cj

    Shouldn't the gateway be the internal address of the Nano for network clients? You should assign it out of DHCP. -- Fizz

  • RELEVANCY SCORE 5.08

    DB:5.08:Use Iptables Instead Of Esxcfg-Firewall ? cd



    I could not find a way to specify the source or destination IP for esxcfg-firewall, and some other features available in iptables. I also have a well-designed iptables template to use.

    So can I disable it by using "chkconfig firewall off" and enable iptables instead?

    Any pros and cons?

    Thanks!

    DB:5.08:Use Iptables Instead Of Esxcfg-Firewall ? cd

    Eric,

    As rightly said by Greg, the link is no longer active.

    Can you also please email me the file or another copy of the link?

    Thanks,

    Archie

    agcastle2000@yahoo.com

  • RELEVANCY SCORE 5.08

    DB:5.08:Iptables Error Allocating Memory fa





    I am getting iptables: error allocating memory when inserting more than 20 or so rules, i.e.:
    iptables -I INPUT -s xxx.xxx.xxx.xxx/24 -j DROP
    iptables -I INPUT -s xxx.xxx.xxx.xxx/24 -j DROP
    iptables -I INPUT -s xxx.xxx.xxx.xxx/24 -j DROP
    etc..

    Using iptables 1.2.4 on PSA 2.5. Should I upgrade to 1.2.8? It scares me to upgrade anything kernel related. I don't want to bring down my server!

    Thanks,
    Jeff


  • RELEVANCY SCORE 5.08

    DB:5.08:[Solved]No Net After Upgrade To Kernel 2.6.20.4, Iptables Related ca



    Hi, I compiled and installed 2.6.20.4 today (from 2.6.19.4). After rebooting the computer I can't access the internet without disabling the firewall! I'm using firestarter, and it gives these errors on boot:
    :: Starting Firestarter firewall [BUSY]
    iptables: Invalid argument
    iptables: Invalid argument
    iptables: Invalid argument
    iptables: Invalid argument
    iptables: Invalid argument
    iptables: Invalid argument
    Firewall started [DONE]


  • RELEVANCY SCORE 5.08

    DB:5.08:Cannot Activate Firewall - Virtuozzo 2.6.2, Plesk 7.5.4, Rhas3 Template 3z





    Tried setting some custom rules in the Plesk firewall module, getting:

    cannot activate firewall configuration
    iptables v1.2.8: can't initialize iptables table `filter': iptables who? (do you need to insmod?)

    Is there something I'm missing? The node has iptables installed, I checked via lsmod.

    Regards

  • RELEVANCY SCORE 5.05

    DB:5.05:Firewall Installation Arnos Iptables Script kc



    Hello

    I have installed the arno-iptables-script from aur (yaourt -S aur/arno-iptables-firewall) and added eth0 to the configuration file
    EXT_IF=eth0

    DB:5.05:Firewall Installation Arnos Iptables Script kc


    Thanks for the link. I called my ISP's technical support and they said my DSL router can't block ICMP/ping requests and the firewall can't be disabled either, so I have to get another one in order to use iptables as a software-based firewall.

  • RELEVANCY SCORE 5.05

    DB:5.05:Iptables Gateway c1



    Hi, I have this LAN: eth0 eth1 Internet router - gateway - switch - pc1, pc2, pc3

    I want my gateway to work like a firewall, so I've modified an iptables script:
    # first set the default behaviour = accept connections
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT

    # Create 2 chains, it allows to write a clean script
    iptables -N FIREWALL
    iptables -N TRUSTED

    # Allow ESTABLISHED and RELATED incoming connection
    iptables -A FIREWALL -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow loopback traffic
    iptables -A FIREWALL -i lo -j ACCEPT
    # Send all packets to the TRUSTED chain
    iptables -A FIREWALL -j TRUSTED
    # DROP all other packets if none of the rules above matched
    iptables -A FIREWALL -j DROP

    # Send all INPUT packets to the FIREWALL chain
    iptables -A FORWARD -j FIREWALL

    # Allow https
    iptables -A TRUSTED -p udp -m udp --sport 443 -j ACCEPT
    iptables -A TRUSTED -p tcp -m tcp --sport 443 -j ACCEPT

    DB:5.05:Iptables Gateway c1


    I don't have X or GNOME, I won't install them...

  • RELEVANCY SCORE 4.98

    DB:4.98:Iptables Making Ftp Slow? 9m





    When I add some good iptables lines.. my FTP is going slow like a....

    In the search I saw something about editing proftpd.conf, but that's something else now..?

    DB:4.98:Iptables Making Ftp Slow? 9m







    Originally posted by jimroe
    This line is wrong:

    # Allow DNS
    iptables -A INPUT -p udp -i eth0 -s $NAMESERVER_1 --sport 53 -j ACCEPT
    iptables -A INPUT -p udp -i eth0 -s $NAMESERVER_2 --sport 53 -j ACCEPT

    You are creating two rules that both allow udp connections - you must allow udp AND tcp, so change the udp in one line to tcp.

    Also, make sure that you have defined the variables NAMESERVER_1 and NAMESERVER_2 at the top as the real IP addresses of your nameservers on the server - these can't be left blank.

  • RELEVANCY SCORE 4.95

    DB:4.95:Vmware-Cmd -L Is Not Display Any Instance After Iptables Is Enable f1



    Hi,

    I would like to ask whether iptables will block vmware-cmd. Currently the first line of the iptables rules is iptables -P INPUT DROP.

    Kindly advise.


  • RELEVANCY SCORE 4.92

    DB:4.92:Fail2ban: Error Iptables 8s





    I have installed Fail2ban via the Plesk add-on packages. When I run fail2ban, after a few hours I see a lot of error messages in `/var/log/messages`.

    Code:

    DB:4.92:Fail2ban: Error Iptables 8s




    NOT tested... please choose to do it at your own risk (please read both articles before starting to fix):

    http://osdir.com/ml/centos/2014-08/msg00579.html

    http://www.cyberciti.biz/faq/iptables-multi-ip6tables-multi-incorrect-selinux-labels/

  • RELEVANCY SCORE 4.92

    DB:4.92:Wats The Most Secure Script For Iptables?? xj



    Hi, I'm new here. I was asking you which of these iptables scripts that I found looks more secure?
    #!/bin/bash
    #
    # Personal firewall by Benjamin (Mizar)
    # Modified by Ptah 16 Dec 2006
    #
    #########################################################
    # By default DROP on INPUT and FORWARD, all outgoing
    # traffic allowed
    #########################################################
    # WARNING about lines 114, 115 and 180. In those lines
    # I enabled some services (ftp, www, ssh) so that they
    # are reachable only from the internal network. If you
    # don't use these services, don't have an internal
    # network, or want them reachable ALSO from outside,
    # you must modify the rules or comment them out
    #########################################################

    #########################
    # Variable definitions  #
    #########################
    IPTABLES=/sbin/iptables
    IFLO=lo
    IFEXT=eth0 # Replace with your own interface: eth0, eth1, ppp0, etc.

    case "$1" in
    start)
    ########################
    # Firewall activation  #
    ########################
    echo -n "Attivazione Firewall: "

    #################################
    # Kernel module loading         #
    #################################
    modprobe ip_tables
    modprobe iptable_nat
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    modprobe ip_nat_ftp
    modprobe ipt_LOG
    modprobe ipt_MARK
    modprobe ipt_MASQUERADE
    modprobe ipt_REDIRECT
    modprobe ipt_REJECT
    modprobe ipt_TOS
    modprobe ipt_limit
    modprobe ipt_mac
    modprobe ipt_mark
    modprobe ipt_multiport
    modprobe ipt_state
    modprobe ipt_tos
    modprobe iptable_mangle
    #modprobe ipt_psd

    ############################
    # Reset current settings   #
    ############################
    $IPTABLES -F
    $IPTABLES -F -t nat
    $IPTABLES -F -t mangle
    $IPTABLES -X
    $IPTABLES -X -t nat
    $IPTABLES -X -t mangle

    ################################
    # Default policies             #
    ################################
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    #################################
    # Allow loopback traffic        #
    #################################
    $IPTABLES -A INPUT -i $IFLO -j ACCEPT
    $IPTABLES -A OUTPUT -o $IFLO -j ACCEPT

    ############################
    # Create a chain for ICMP  #
    ############################
    $IPTABLES -N icmp_in

    ############################################################
    # ICMP from outside: echo reply/request, destination       #
    # unreachable, redirect and time exceeded are rejected;    #
    # everything else (last two lines) is logged and dropped   #
    ############################################################
    $IPTABLES -A icmp_in -i $IFEXT -p icmp -m icmp --icmp-type 0 -j REJECT --reject-with icmp-host-unreachable
    $IPTABLES -A icmp_in -i $IFEXT -p icmp -m icmp --icmp-type 8 -j REJECT --reject-with icmp-host-unreachable
    $IPTABLES -A icmp_in -i $IFEXT -p icmp -m icmp --icmp-type 3 -j REJECT --reject-with icmp-host-unreachable
    $IPTABLES -A icmp_in -i $IFEXT -p icmp -m icmp --icmp-type 5 -j REJECT --reject-with icmp-host-unreachable
    $IPTABLES -A icmp_in -i $IFEXT -p icmp -m icmp --icmp-type 11 -j REJECT --reject-with icmp-host-unreachable
    $IPTABLES -A icmp_in -p icmp -j LOG --log-prefix "ICMP drop: "
    $IPTABLES -A icmp_in -p icmp -j DROP

    #######################################
    # Tell iptables to use the chain      #
    # created above                       #
    #######################################
    $IPTABLES -A INPUT -i $IFEXT -p icmp -j icmp_in

    ###########################
    # Create a chain for      #
    # dangerous TCP packets   #
    ###########################
    $IPTABLES -N bad_tcp

    ######################################
    # TCP PORTSCAN control rules.        #
    # Commented out because I don't      #
    # have the psd module available. If  #
    # you have it you can enable them.   #
    # They are additional rules against  #
    # PORTSCAN-type attacks              #
    ######################################
    #$IPTABLES -A bad_tcp -p tcp -m psd -j LOG --log-prefix "PORTSCAN TCP: "
    #$IPTABLES -A bad_tcp -p tcp -m psd -j REJECT --reject-with icmp-net-unreachable

    ###########################################
    # Control rules for some TCP ports:       #
    # services I want to make available only  #
    # to the computers of the internal network#
    ###########################################
    $IPTABLES -A bad_tcp -i $IFEXT ! -s 10.1.1.0/24 -p tcp -m multiport --dports 80,21,22,10000 -m state --state NEW -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -i $IFEXT ! -s 10.1.1.0/24 -p tcp -m multiport --dports 445,3306 -m state --state NEW -j REJECT --reject-with icmp-net-unreachable

    ####################################
    # TCP flag control rules           #
    ####################################
    $IPTABLES -A bad_tcp -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "Nuova non syn: "
    $IPTABLES -A bad_tcp -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m state --state INVALID -j LOG --log-prefix "Invalida: "
    $IPTABLES -A bad_tcp -p tcp -m state --state INVALID -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 5/min -j LOG --log-prefix "ScanPort NMAP-XMAS: "
    $IPTABLES -A bad_tcp -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min -j LOG --log-prefix "ScanPort SYN/RST: "
    $IPTABLES -A bad_tcp -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min -j LOG --log-prefix "ScanPort SYN/FIN: "
    $IPTABLES -A bad_tcp -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 137:139 -m limit --limit 5/min -j LOG --log-prefix "Tentativo SMB: "
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 137:139 -m limit --limit 5/min -j LOG --log-prefix "Tentativo SMB: "
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 137:139 -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 137:139 -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 2049 -m limit --limit 5/min -j LOG --log-prefix "Tentativo NFS: "
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 2049 -m limit --limit 5/min -j LOG --log-prefix "Tentativo NFS: "
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 2049 -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 2049 -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 6000:6063 -m limit --limit 5/min -j LOG --log-prefix "Tentativo X: "
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 6000:6063 -m limit --limit 5/min -j LOG --log-prefix "Tentativo X: "
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 6000:6063 -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 6000:6063 -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 20034 -m limit --limit 5/min -j LOG --log-prefix "Tentativo NetBus2: "
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 20034 -m limit --limit 5/min -j LOG --log-prefix "Tentativo NetBus2: "
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 20034 -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 20034 -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 12345:12346 -m limit --limit 5/min -j LOG --log-prefix "Tentativo NetBus: "
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 12345:12346 -m limit --limit 5/min -j LOG --log-prefix "Tentativo NetBus: "
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 12345:12346 -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 12345:12346 -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 27374 -m limit --limit 5/min -j LOG --log-prefix "Tentativo SubSeven: "
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 27374 -m limit --limit 5/min -j LOG --log-prefix "Tentativo SubSeven: "
    $IPTABLES -A bad_tcp -p tcp -m tcp --dport 27374 -j REJECT --reject-with icmp-net-unreachable
    $IPTABLES -A bad_tcp -p tcp -m tcp --sport 27374 -j REJECT --reject-with icmp-net-unreachable

    ########################################
    # Tell iptables to use the chain       #
    # for malicious TCP                    #
    ########################################
    $IPTABLES -A INPUT -i $IFEXT -p tcp -j bad_tcp

    ###########################
    # Create a chain for      #
    # valid TCP packets       #
    ###########################
    $IPTABLES -N ok_tcp

    #############################################################################
    # Allow incoming TCP: internal-network services, new connections, replies   #
    #############################################################################
    $IPTABLES -A ok_tcp -i $IFEXT -s 10.1.1.0/24 -p tcp -m multiport --dports 80,21,22,10000 -m state --state NEW -j ACCEPT
    # NOTE: the next rule accepts every new SYN arriving on the external interface, whatever the port
    $IPTABLES -A ok_tcp -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    $IPTABLES -A ok_tcp -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A ok_tcp -i $IFEXT -p tcp -j LOG --log-prefix "ok_tcp drop: "
    $IPTABLES -A ok_tcp -p tcp -j REJECT --reject-with icmp-net-unreachable

    ##################################################
    # Allow incoming traffic for aMule               #
    ##################################################
    $IPTABLES -A INPUT -p tcp --dport 4662 -j ACCEPT
    $IPTABLES -A INPUT -p udp --dport 4665 -j ACCEPT
    $IPTABLES -A INPUT -p udp --dport 4672 -j ACCEPT

    ###########################
    # Create a chain for      #
    # dangerous UDP packets   #
    ###########################
    $IPTABLES -N bad_udp

    ######################################
    # UDP PORTSCAN control rules.        #
    # Commented out because I don't      #
    # have the psd module available. If  #
    # you have it you can enable them.   #
    # They are additional rules against  #
    # PORTSCAN-type attacks              #
    ######################################
    #$IPTABLES -A bad_udp -p udp -m psd -j LOG --log-prefix "PORTSCAN UDP: "
    #$IPTABLES -A bad_udp -p udp -m psd -j REJECT --reject-with icmp-net-unreachable

    ########################################
    # Tell iptables to use the chain       #
    # for malicious UDP                    #
    ########################################
    $IPTABLES -A INPUT -i $IFEXT -p udp -j bad_udp

    ###########################
    # Create a chain for      #
    # valid UDP packets       #
    ###########################
    $IPTABLES -N ok_udp

    #############################################################################
    # Allow incoming UDP only if it is a reply to our own traffic              #
    #############################################################################
    $IPTABLES -A ok_udp -p udp -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A ok_udp -i $IFEXT -p udp -j LOG --log-prefix "ok_udp drop: "
    $IPTABLES -A ok_udp -p udp -j REJECT --reject-with icmp-net-unreachable

    #####################################
    # Hook up the custom chains         #
    #####################################
    $IPTABLES -A INPUT -i $IFEXT -p tcp -j ok_tcp
    $IPTABLES -A INPUT -i $IFEXT -p udp -j ok_udp

    ################################
    # Final paranoia rules ;)      #
    ################################
    $IPTABLES -A INPUT -i $IFEXT -j LOG --log-prefix "Default drop: "
    $IPTABLES -A INPUT -i $IFEXT -j DROP

    echo ok
    ;;

    stop)
    ###########################
    # Firewall deactivation   #
    ###########################
    echo -n "Disattivazione Firewall: "

    $IPTABLES -F
    $IPTABLES -F -t nat
    $IPTABLES -F -t mangle
    $IPTABLES -X
    $IPTABLES -X -t nat
    $IPTABLES -X -t mangle

    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT

    echo ok
    ;;

    status)
    ##############################
    # Show firewall status        #
    ##############################
    echo "Regole attuali nel Firewall:"

    $IPTABLES -L
    ;;

    restart|reload)
    $0 stop
    $0 start
    ;;

    *)
    echo "Utilizzo: firewall {start|stop|restart|reload|status}" >&2
    exit 1
    ;;

    esac

    exit 0

    DB:4.92:Wats The Most Secure Script For Iptables?? xj

    Sjoden wrote:
    Glad to hear what I'm using should keep me pretty safe, but I don't want to take credit for what I didn't do. Here is a pretty good discussion about iptables and security:

    http://bbs.archlinux.org/viewtopic.php?id=50366

  • RELEVANCY SCORE 4.88

    DB:4.88:Mse(Vm) Not Discoverable By Prime Infrastructure x9



    Upon bootup and stopping the MSE server, I receive the following error messages:

    iptables v1.3.5: can't initialize iptables table `filter': iptables who? (do you need to insmod?)

    Perhaps iptables or your kernel needs to be upgraded.

    iptables v1.3.5: can't initialize iptables table `filter': iptables who? (do you need to insmod?)

    Perhaps iptables or your kernel needs to be upgraded.

    Looking at the interface: ifconfig -a

    eth0      Link encap:Ethernet  HWaddr 00:50:56:BA:15:71
              inet addr:10.24.109.14  Bcast:10.24.109.255  Mask:255.255.255.0
              inet6 addr: fe80::250:56ff:feba:1571/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:3777 errors:0 dropped:0 overruns:0 frame:0
              TX packets:129673 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000
              RX bytes:290408 (283.6 KiB)  TX bytes:18890381 (18.0 MiB)

    eth0:1    Link encap:Ethernet  HWaddr 00:50:56:BA:15:71
              inet addr:10.24.109.16  Bcast:10.24.109.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1

      parts removed to shorten post

    I've tried flushing the iptables, but that command is not accepted:

    iptables -F
    iptables v1.3.5: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.

    Any suggestions?  Thanks

    DB:4.88:Mse(Vm) Not Discoverable By Prime Infrastructure x9


    Hi Rollin Kibbe,

    I have the same problem on a new installation of MSE 7.4?

    Please advise.

  • RELEVANCY SCORE 4.88

    DB:4.88:[Solved] Iptables Doesnt Allow Pacman -S(Y) Anymore... dz



    Hi there. First of all, sorry for my English.

    I've just configured my firewall, but now I can't get pacman working. Now I can't synchronise, and I can't install anything. So, I think that pacman uses port number 80, but I am not sure. I did make some searches but could not find anything on the port used.

    So here are my rules:
    #!/bin/sh

    # Flush and delete all rules
    iptables -F
    iptables -X
    iptables -t nat -F

    # Keep connections open
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    ##INPUT
    # Allow ssh
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT

    # Allow ping
    #iptables -A INPUT -p icmp -j ACCEPT

    # Allow HTTP
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT

    # Allow SMTP and IMAPS
    iptables -A INPUT -p tcp --dport 25 -j ACCEPT
    iptables -A INPUT -p tcp --dport 993 -j ACCEPT

    # Allow NNTPS
    iptables -A INPUT -p tcp --dport 563 -j ACCEPT

    # Allow JABBER
    #iptables -A INPUT -p tcp --dport 5222 -j ACCEPT
    #iptables -A INPUT -p tcp --dport 8000 -j ACCEPT
    #iptables -A INPUT -p udp --dport 8000 -j ACCEPT
    #iptables -A INPUT -p tcp --dport 21 -j ACCEPT

    ##Default rules
    # Block all INPUT and FORWARD
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    # block all OUTPUT
    iptables -P OUTPUT DROP

    ##LOOPBACK
    # Allow loopback
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    ##OUTPUT
    # Allow FTP, DNS, HTTP, HTTPS
    iptables -A OUTPUT -p tcp --dport 20 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 21 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 443 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 563 -j ACCEPT

    # Allow SMTP, POP and IMAP
    iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 110 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 143 -j ACCEPT

    # Allow NTP
    iptables -A OUTPUT -p tcp --dport 123 -j ACCEPT
    iptables -A OUTPUT -p udp --dport 123 -j ACCEPT

    # Allow SSH
    iptables -A OUTPUT -p tcp --dport 22 -j ACCEPT
    iptables -A OUTPUT -p udp --dport 22 -j ACCEPT

    # Allow WHOIS
    iptables -A OUTPUT -p tcp --dport 43 -j ACCEPT

    # Allow USENET
    #iptables -A OUTPUT -p tcp --dport 119 -j ACCEPT
    #iptables -A OUTPUT -p tcp --dport 8000 -j ACCEPT
    #iptables -A OUTPUT -p udp --dport 8000 -j ACCEPT

  • RELEVANCY SCORE 4.88

    DB:4.88:Iptables 9f



    Greetings,

    IPTABLES and IPCHAINS are available on the latest VMWare ESX ISO.

    Does anyone have a good reason as to why one would not use it if a external firewall was not an option?

    Someone was going to post an IPTABLES sample file geared specifically for ESX. I cannot find the post. Would someone please post a recommended sample file for IPTABLES, or did I miss the one that may be part of the RPM?

    Thanks,

    Stan

    DB:4.88:Iptables 9f


    iptables in the SC would only cover the SC, not the VMs.

    FYI, ESX3 will have a pre-configured firewall running in the SC.

  • RELEVANCY SCORE 4.85

    DB:4.85:[Iptables] Strange Error In My Firewall Script //Solved x8



    Here is my (humble) script:
    #Flush
    iptables -F INPUT
    iptables -F OUTPUT
    iptables -F FORWARD

    #Default policy
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    #Loopback interface
    iptables -A INPUT -i lo -j ACCEPT

    # We can be pinged
    iptables -A INPUT -i eth0 -p icmp -j ACCEPT

    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    DB:4.85:[Iptables] Strange Error In My Firewall Script //Solved x8


    I would suspect it is your last rule. It doesn't have any source or destination delimiters. Try commenting out that line and rerun the script, just to see.

  • RELEVANCY SCORE 4.85

    DB:4.85:May I Run Iptables Script On Linux Installed Oracle 10g? 8j


    This is my iptables script in this linux server:

    #!/bin/sh
    iptables -F INPUT
    iptables -F FORWARD
    iptables -F OUTPUT
    iptables -F POSTROUTING -t nat
    iptables -F PREROUTING -t nat

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    iptables -A INPUT -i lo -j ACCEPT

    iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    iptables -A INPUT -p tcp --dport 1521 -j ACCEPT

    iptables -A INPUT -p tcp --dport 5560 -j ACCEPT

    iptables -A INPUT -p tcp --dport 22 -j ACCEPT

    ---------------------------------------------------------------------
    After running this script, can Oracle 10g still run normally?

    DB:4.85:May I Run Iptables Script On Linux Installed Oracle 10g? 8j

    In this case configuration file is located in: /etc/sysconfig/SuSEfirewall2

  • RELEVANCY SCORE 4.82

    DB:4.82:[Solved] Iptables Conntrack Problems 1f



    Hello

    I'd like to set up a simple host firewall. I followed several tutorials but it doesn't work. I've no more ideas to try.

    Here I simplified my iptables script and added some comments to show my problem:
    IPTABLES=/sbin/iptables

    # Clear all chains
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD

    # Default = Drop
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    # Localhost OK
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    # Input rules
    $IPTABLES -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT # CORRECT? I use conntrack instead of state

    # Output rules
    $IPTABLES -A OUTPUT -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT # WORKS
    $IPTABLES -A OUTPUT -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT # DOESN'T WORK!

  • RELEVANCY SCORE 4.80

    DB:4.80:Iptables In Solaris, Like In Linux dk


    Hello!
    I wanted to check whether, like in Linux, there is any command like iptables, or any other equivalent command, that performs the same function of implementing a security firewall?

    DB:4.80:Iptables In Solaris, Like In Linux dk

    You only have ipfilter, aka ipf, which is the default FreeBSD network filter.
    You also have SunScreen from solaris, but I didn't like it.

    Go for ipfilter, it's different from iptables, but similar and quite nice.

  • RELEVANCY SCORE 4.78

    DB:4.78:Iptables Netfilter - The Same Thing? zm



    I've been trying to set up a local firewall for my laptop for when I drag it off to school. However, I'm a bit confused by the whole iptables/netfilter nomenclature in the 2.6.x series kernels. Is Netfilter the same thing as iptables? If it is, why is there a separate iptables package in the repositories?

    DB:4.78:Iptables Netfilter - The Same Thing? zm


    Uhm.... that's nice, but let's put it another way.....

    Do I need the iptables userspace package to run a netfilter firewall with firestarter?

    If not, is there any benefit to using the iptables pkg with firestarter netfilter?

  • RELEVANCY SCORE 4.77

    DB:4.77:Iptables Wont Start [Solved] zd



    Hello,

    I recently installed ArchLinux and updated it with pacman -Syu

    I went to (among other things) install some firewall rules from iptables, in what I hope was the correct way...
    iptables-save > /etc/iptables/iptables.rules
    /etc/rc.d/iptables restart

  • RELEVANCY SCORE 4.77

    DB:4.77:Fail2ban Error zm





    Hello,

    When I click on the Change settings button for any of my jails a page opens showing the following error message:



    Message f2bmng failed: ERROR:f2bmng:File contains parsing errors: /etc/fail2ban/action.d/iptables-multiport-log.conf [line 24]: iptables -N fail2ban-name-log\n [line 26]: iptables -A fail2ban-name-log -j DROP\n [line 33]: iptables -F fail2ban-name\n [line 34]: iptables -F fail2ban-name-log\n [line 35]: iptables -X fail2ban-name\n [line 36]: iptables -X fail2ban-name-log\n
    File Agent.php
    Line 243
    Type PleskUtilException

    DB:4.77:Fail2ban Error zm




    Restarted Fail2Ban once more and issue disappeared.

    Thank you for your attention.

  • RELEVANCY SCORE 4.77

    DB:4.77:Iptables ak


    Hi,
    Within SUSE, in the "/sbin" folder, here are the iptables files that I can see:
    [oracle@webserver sbin]$ dir ipta*
    iptables iptables-multi iptables-restore iptables-save

    It seems "iptables" file is not editable. Any advice for this?

    Best Regards,
    HuaMin

    DB:4.77:Iptables ak

    /sbin/iptables is used to set up, maintain, and inspect the tables of IP packet filter rules in the Linux kernel. Why do you want to edit the administration tool? It's a command line program that you will need to execute as root.

  • RELEVANCY SCORE 4.75

    DB:4.75:Revised Iptables Script sk





    This is a revised edition of the script I posted earlier. Issues arose with the use of webmail, probably related to the negation of the icmp protocol.

    #!/bin/sh
    SERVER_IP=111.111.111.111
    ADMIN_IP=222.222.222.222
    IPTABLES=/sbin/iptables

    # Configure default policies (-P), meaning the default rule to apply if no
    # more specific rule below matches. Here INPUT and OUTPUT default to
    # ACCEPT and FORWARD to DROP; INPUT is closed by the explicit DROP
    # rules at the end of this script.
    iptables -P INPUT ACCEPT
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    # Flush (-F) all specific rules
    iptables -F INPUT
    iptables -F FORWARD
    iptables -F OUTPUT

    # Permit packets in to firewall itself that are part of existing and
    # related connections.
    iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Deny any packet coming in on the public internet interface eth0
    # which has a spoofed source address from our local networks:
    iptables -A INPUT -i eth0 -s $SERVER_IP/32 -j DROP
    iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
    iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP

    # Accept all tcp SYN packets for protocols SMTP:
    # (SMTP connections are further audited by our SMTP server)
    iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP/32 --destination-port smtp --syn -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 -d $SERVER_IP/32 --destination-port smtps --syn -j ACCEPT

    # Accept HTTP, HTTPS, POP3, POP3S
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port http --syn -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port https --syn -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port pop3 --syn -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port pop3s --syn -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port poppassd --syn -j ACCEPT

    # IMAP Entry
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port imap --syn -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port imaps --syn -j ACCEPT

    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 8443 --syn -j ACCEPT

    # SSH should only be accepted from SBCTEC
    iptables -A INPUT -p tcp -s $ADMIN_IP/32 -d $SERVER_IP/32 --destination-port ssh --syn -j ACCEPT

    # Permit my DNS server to honor requests from the public internet:
    iptables -A INPUT -p udp -s 0/0 -d 0/0 --destination-port domain -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port domain -j ACCEPT

    # For FTP server, restricted to specific local hosts (and see /etc/xinetd.conf):
    # iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port ftp-data --syn -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port ftp --syn -j ACCEPT
    # Use the IANA registered ephemeral port range
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 49152:65534 --syn -j ACCEPT

    # Horde WebMail

    # Miscellaneous stuff that I don't know what it does yet.
    # iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port ipp --syn -j ACCEPT
    # iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port rndc --syn -j ACCEPT
    # iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port sunrpc --syn -j ACCEPT

    # MySQL Ports
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port mysql --syn -j ACCEPT

    # Deny Everything else
    iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
    iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP

    # Save Configuration
    service iptables save

    # Restart Configuration
    service iptables restart
    service iptables status

    DB:4.75:Revised Iptables Script sk




    NICE CONFIG

    Well,

    I reconfigured the iptables from this http://www.sbctec.com/firewall/iptables.txt

    and it really works great until now.

    I will check everything to be sure I have no problems.

    Thanks to the editor.

  • RELEVANCY SCORE 4.75

    DB:4.75:Iptables And Webmail 8s





    Hello all,

    I've been implementing my iptables rules, and while testing I found that webmail doesn't work when the rules are active...

    In general, I open these ports (both tcp and udp)

    iptables -A INPUT -p tcp --dport domain -j ACCEPT # DNS
    iptables -A INPUT -p tcp --dport ftp -j ACCEPT
    iptables -A INPUT -p tcp --dport ftp-data -j ACCEPT
    iptables -A INPUT -p tcp --dport http -j ACCEPT
    iptables -A INPUT -p tcp --dport https -j ACCEPT
    iptables -A INPUT -p tcp --dport imap -j ACCEPT
    iptables -A INPUT -p tcp --dport imaps -j ACCEPT
    iptables -A INPUT -p tcp --dport mysql -j ACCEPT
    iptables -A INPUT -p tcp --dport pop3 -j ACCEPT
    iptables -A INPUT -p tcp --dport pop3s -j ACCEPT
    iptables -A INPUT -p tcp --dport postgres -j ACCEPT
    iptables -A INPUT -p tcp --dport rndc -j ACCEPT # DNS
    iptables -A INPUT -p tcp --dport smtp -j ACCEPT
    iptables -A INPUT -p tcp --dport smtps -j ACCEPT
    iptables -A INPUT -p tcp --dport ssh -j ACCEPT
    iptables -A INPUT -p tcp --dport 783 -j ACCEPT # spamd
    iptables -A INPUT -p tcp --dport 8443 -j ACCEPT # Plesk
    iptables -A INPUT -p tcp --dport 51781:51811 -j ACCEPT # ftp passive

    I have - of course - http and imap, but it still doesn't work.

    Any ideas on what ports or configuration are necessary for webmail to work?

    Thanks!

    DB:4.75:Iptables And Webmail 8s




    If some people are having trouble with FTP, then it is likely because of my comment above:

    In addition, you must allow some ports between 1024-65535 for passive mode FTP, but which ones would depend on how you have ProFTPD configured.

    You must do this for passive mode to work, and have probably not. You should read the manual on the proftpd site about how to configure proftpd to use ports YOU select for passive mode connections, and then open those same ports in your firewall and passive mode works great.

    Or, you can tell those having trouble with FTP to configure their clients NOT to attempt to go into passive mode.

  • RELEVANCY SCORE 4.75

    DB:4.75:Need Help Reviewing Iptables Rules a8



    I'm setting up my router with iptables and I was wondering if I could get somebody more experienced with this to review my setup. It's running a number of services (printer, NAS, wireless) but mostly for my own benefit, so I just want to be able to access them from my laptop and not for internet users to see them. With the exception of it also running rtorrent (ports 51777:51780) and my laptop's still trying to finish off a couple of transmission torrents on 51413. Does this look reasonable? Any glaring holes? I have been wondering a bit why I need to allow established/related for INPUT (I can log in to the router without it but no internet - DNS?)
    # FORWARD
    iptables -P FORWARD DROP
    iptables -F FORWARD
    iptables -A FORWARD -p tcp -m multiport --dport 21,25,80,443 -j ACCEPT
    iptables -A FORWARD -p tcp --dport 51413 -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # INPUT
    iptables -P INPUT DROP
    iptables -F INPUT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport 51777:51780 -j ACCEPT
    iptables -A INPUT -p tcp ! -i vlan1 -j ACCEPT
    iptables -A INPUT -p udp ! -i vlan1 -j ACCEPT


  • RELEVANCY SCORE 4.75

    DB:4.75:Iptables ?? 8s





    Hi,

    I try to add an IP and then get an error from iptables; I don't know why... I don't really understand..

    /sbin/iptables -I INPUT -s_168.95.84.0/24 -j DROP
    iptables v1.2.4: host/network `-s_168.95.84.0' not found
    Try `iptables -h' or 'iptables --help' for more information.

    But this host exists... why do I get this?

    Thanks !

  • RELEVANCY SCORE 4.69

    DB:4.69:Iptables Management On Oel sz


    Are there any good gui tools for managing iptables on OEL?

    DB:4.69:Iptables Management On Oel sz

    How about "system-config-securitylevel-tui" text interface, or "system-config-securitylevel" GUI, available also from the "Security Level and Firewall" option from the Application menu at the servers console?

  • RELEVANCY SCORE 4.69

    DB:4.69:Nano Dhcp Problem - Address Pool Size = 1 cm


    I'm trying to configure a NanoStation to provide one specific IP address to the connected device via DHCP. In the network tab I configured both the start and end addresses to the address I want it to provide. This works fine on my office computer but when I connect it to another computer the nano won't provide an address. It seems like it is remembering the first MAC address and only providing the address to that computer. If I default the nano and re-load the configuration file, it will then give the second computer the IP by DHCP. Any ideas how I can make this work so it will provide the address to any computer? Here is the config file:

    DB:4.69:Nano Dhcp Problem - Address Pool Size = 1 cm

    I understand that it's normal behavior. I had assumed the nano would forget its leases on power cycle, but I understand why it does not. I decided to just allocate a /28 for each customer. Solves the DHCP problem, helps if they have multiple machines so they don't need to do a second layer of NAT on a home router, and keeps the Nano in router mode to block broadcast traffic from the network. Thanks for the advice.

  • RELEVANCY SCORE 4.66

    DB:4.66:Iptables Question. ms



    I'm currently trying to get a little better understanding of iptables, and I am reading through the wiki page for Simple Stateful Firewall at https://wiki.archlinux.org/index.php/Si … l_firewall , which is full of great examples.

    On this wiki, they create two user-defined chains, TCP, and UDP:
    iptables -N TCP
    iptables -N UDP

    DB:4.66:Iptables Question. ms


    That makes sense. Thanks for your answer.

  • RELEVANCY SCORE 4.66

    DB:4.66:Asa5550 Import Iptables z3



    I'm new to ASA; we're migrating from IPTables. Is there any easy way to import iptables rules, as our rulebase is large?

    DB:4.66:Asa5550 Import Iptables z3


    IPtables is the linux firewall solution.

    I don't think there's anything that can do this...write a script? got PERL?

  • RELEVANCY SCORE 4.66

    DB:4.66:Iptables Reinstall Shuts Down All Services 79





    My hosting service suggested that we reinstall iptables. Well, that doesn't seem to be such a great idea now. With iptables running, all the web, mail and ftp connections are refused. It appears that Plesk and iptables are not working together any longer. Does Plesk add entries to the iptables, or does changing the iptables from ssh break Plesk? This is very frustrating; can someone please give me a clue as to how we can enable iptables and not break the server services with the reinstalled iptables, and enable passive ProFTPD functionality?

    software installed: Plesk 7.5 Reloaded Fedora Core2

    Thanks in advance

    hedge

    DB:4.66:Iptables Reinstall Shuts Down All Services 79







    Originally posted by hedge
    Seems that the firewall mod doesn't allow the input of port ranges like those needed for ProFTPD to enable passive ftp transfers. Or does it?

  • RELEVANCY SCORE 4.66

    DB:4.66:Trying To Put A Firewalling Script Together zk



    OK - based partly on Mork II's firewall script that I found floating around here and another iptables how-to, I put together a script to create a firewall. I have two NICs: eth0, which is connected to the internet, and eth1, which is connected to my local network. My aims are:

    1) eth1 should be 100% trusted - anything coming from that direction should go through
    2) eth0 should only accept solicited connections - in other words, if I've asked for it (i.e. web page, email or ftp connection) then give it to me - otherwise everything should be denied

    I ended up writing the following script:
    #!/bin/sh
    #
    # /etc/rc.d/firewall: start/stop firewall
    #

    # path to the iptables binary (assumed location; adjust if yours differs)
    IPTABLES=/usr/sbin/iptables

    EXTIF=eth0   # internet-facing interface
    INTIF=eth1   # LAN interface

    if [ "$1" = "start" ]; then
        # flush existing rules, then default to dropping inbound and forwarded traffic
        $IPTABLES -F
        $IPTABLES -P OUTPUT ACCEPT
        $IPTABLES -P FORWARD DROP
        $IPTABLES -P INPUT DROP
        # on the internet side only accept replies to connections this host opened
        $IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

        # forward LAN traffic from $INTIF to internet interface $EXTIF
        # (chain names are case-sensitive: FORWARD, not forward)
        $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT

        # enable ip forwarding
        /bin/echo 1 > /proc/sys/net/ipv4/ip_forward

        # enable masquerading
        $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

    elif [ "$1" = "stop" ]; then

        # flush rules and delete chains
        $IPTABLES -F
        $IPTABLES -X
        # iptables is not a daemon, so there is no process to kill here
        killall -q "$IPTABLES"
    else
        echo "usage: $0 start|stop"
    fi

    #End of file

    DB:4.66:Trying To Put A Firewalling Script Together zk


    It's all sorted now - I have a firewall set up exactly how I'd like it now - using arno's firewall

    Oddly, the port 113 thing was xinetd doing something odd every time I tried to connect - it's been sorted out server side now, so my firewall is still rock solid and DENYing everything

  • RELEVANCY SCORE 4.66

    DB:4.66:Firewall Problem 9a





    hi

    How could the original placings be returned...

    now the firewall will hinder all traffic to the firewall

    my firewall config now looks like this:

    #!/bin/sh
    #
    # Automatically generated by Plesk netconf
    #

    set -e

    echo 0 > /proc/sys/net/ipv4/ip_forward
    ([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains stop) > /dev/null 2>&1 || true
    (rmmod ipchains) > /dev/null 2>&1 || true
    /sbin/iptables -F
    /sbin/iptables -X
    /sbin/iptables -Z
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
    /sbin/iptables -A INPUT -m state --state INVALID -j DROP
    /sbin/iptables -P OUTPUT DROP
    /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
    /sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
    /sbin/iptables -P FORWARD DROP
    /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
    /sbin/iptables -A FORWARD -m state --state INVALID -j DROP
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    /sbin/iptables -A OUTPUT -o lo -j ACCEPT
    /sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT
    /sbin/iptables -t mangle -F
    /sbin/iptables -t mangle -X
    /sbin/iptables -t mangle -Z
    /sbin/iptables -t mangle -P PREROUTING ACCEPT
    /sbin/iptables -t mangle -P OUTPUT ACCEPT
    /sbin/iptables -t mangle -P INPUT ACCEPT
    /sbin/iptables -t mangle -P FORWARD ACCEPT
    /sbin/iptables -t mangle -P POSTROUTING ACCEPT
    /sbin/iptables -t nat -F
    /sbin/iptables -t nat -X
    /sbin/iptables -t nat -Z
    /sbin/iptables -t nat -P PREROUTING ACCEPT
    /sbin/iptables -t nat -P OUTPUT ACCEPT
    /sbin/iptables -t nat -P POSTROUTING ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 5224 -j ACCEPT
    /sbin/iptables -A INPUT -p udp --dport 5224 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 8880 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 106 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 3306 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 5432 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 9008 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 9080 -j ACCEPT

    /sbin/iptables -A INPUT -p udp --dport 137 -j ACCEPT
    /sbin/iptables -A INPUT -p udp --dport 138 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 139 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 445 -j ACCEPT

    /sbin/iptables -A INPUT -p udp --dport 1194 -j ACCEPT

    /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT

    /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT

    /sbin/iptables -A INPUT -j ACCEPT

    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /opt/psa/var/modules/firewall/ip_forward.active
    chmod 644 /opt/psa/var/modules/firewall/ip_forward.active
    #
    # End of script
    #


  • RELEVANCY SCORE 4.63

    DB:4.63:Firewall - Iptables 33





    is there a way to edit the firewall using iptables from within plesk

    basically we want to allow ICMP etc

  • RELEVANCY SCORE 4.60

    DB:4.60:[Solved] Iptables Load Balancing Help - Nth Mode sx



    I was wondering if someone can help me figure out what is wrong with my rules; I am completely stuck. I am trying to create a load balancer host (192.168.32.67) that will load balance DNS queries (port 53 tcp and udp) round robin fashion to 192.168.2.197 and 192.168.2.252 via nth mode from the statistic module. The problem is that when I try and do nth balancing every 1 to 4 queries gets stuck, as in dig hangs, I see nothing logged in iptables and iptraf mentions something about ICMP destn port unreachable which doesn't make much sense. Below are my rules:
    # enable forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # clear rules
    iptables -t filter -F
    iptables -t filter -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -t filter -P INPUT ACCEPT
    iptables -t filter -P OUTPUT ACCEPT
    iptables -t filter -P FORWARD ACCEPT

    # marks for restoring existing connections
    iptables -t mangle -N RESTOREMARK
    iptables -t mangle -A RESTOREMARK -j CONNMARK --restore-mark
    iptables -t mangle -A RESTOREMARK -j LOG --log-prefix restore-mark: --log-level info

    # snat
    iptables -t nat -N SNAT1
    iptables -t nat -A SNAT1 -j LOG --log-prefix snat-source-192.168.32.67: --log-level info
    iptables -t nat -A SNAT1 -p all -j SNAT --to-source 192.168.32.67

    # dnats
    iptables -t nat -N DNAT1
    iptables -t nat -A DNAT1 -j LOG --log-prefix dnat-to-192.168.2.197: --log-level info
    iptables -t nat -A DNAT1 -p udp --dport 53 -j DNAT --to-destination 192.168.2.197:53
    iptables -t nat -A DNAT1 -p tcp --dport 53 -j DNAT --to-destination 192.168.2.197:53
    iptables -t nat -A DNAT1 -j MARK --set-mark 1
    iptables -t nat -A DNAT1 -j CONNMARK --save-mark

    iptables -t nat -N DNAT2
    iptables -t nat -A DNAT2 -j LOG --log-prefix dnat-to-192.168.2.252: --log-level info
    iptables -t nat -A DNAT2 -p udp --dport 53 -j DNAT --to-destination 192.168.2.252:53
    iptables -t nat -A DNAT2 -p tcp --dport 53 -j DNAT --to-destination 192.168.2.252:53
    iptables -t nat -A DNAT2 -j MARK --set-mark 2
    iptables -t nat -A DNAT2 -j CONNMARK --save-mark

    # restore existing connections
    iptables -t mangle -A PREROUTING -p udp --dport 53 -m state --state ESTABLISHED,RELATED -j RESTOREMARK
    iptables -t mangle -A PREROUTING -p tcp --dport 53 -m state --state ESTABLISHED,RELATED -j RESTOREMARK

    # round robin balance DNAT requests
    iptables -t nat -A PREROUTING -m state --state NEW -m statistic --mode nth --every 2 --packet 0 -j DNAT1
    iptables -t nat -A PREROUTING -m state --state NEW -m statistic --mode nth --every 2 --packet 1 -j DNAT2

    # allow DNATS back through
    iptables -t nat -A POSTROUTING -j SNAT1

    DB:4.60:[Solved] Iptables Load Balancing Help - Nth Mode sx

    T-Dawg wrote:
    Now there is no global counter and it is reset per rule.
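    Added as an illustration of T-Dawg's point (example code, not from the thread): a small Python model of per-rule nth counters. It assumes the documented nth semantics, namely that each rule keeps its own counter, matches when that counter equals --packet, and wraps at --every. Walking NEW packets through the posted pair of rules shows why the --every 2 --packet 1 rule catches only every other packet that reaches it, leaving a quarter of the queries DNATed to neither server, and why a plain catch-all second rule balances cleanly.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class NthRule:
    """One rule carrying '-m statistic --mode nth --every N --packet P'.

    Assumed (documented) semantics: the rule keeps its OWN counter, matches
    when that counter equals P, and the counter wraps at N. No counter is
    shared between rules, which is the point the reply makes.
    """
    target: str
    every: int = 1
    packet: int = 0
    counter: int = field(default=0, init=False)

    def matches(self) -> bool:
        hit = self.counter == self.packet
        self.counter = (self.counter + 1) % self.every
        return hit


def walk_chain(rules: List[NthRule], n_packets: int) -> List[Optional[str]]:
    """Target reached by each NEW packet traversing the chain top to bottom.

    A packet only reaches rule k if every rule above it failed to match, so a
    lower rule's counter advances only on the packets the upper rules skipped.
    None means no rule matched: the query is DNATed to neither .197 nor .252
    and ends up at the balancer's own (closed) port 53, which is exactly what
    would produce the ICMP port-unreachable the poster saw in iptraf.
    """
    results: List[Optional[str]] = []
    for _ in range(n_packets):
        chosen = None
        for rule in rules:
            if rule.matches():
                chosen = rule.target
                break
        results.append(chosen)
    return results


def posted_rules() -> List[NthRule]:
    # The statistic parameters exactly as in the post:
    #   -m statistic --mode nth --every 2 --packet 0 -j DNAT1
    #   -m statistic --mode nth --every 2 --packet 1 -j DNAT2
    return [NthRule("DNAT1", every=2, packet=0), NthRule("DNAT2", every=2, packet=1)]


def fixed_rules() -> List[NthRule]:
    # Second rule with no statistic match at all (same as --every 1 --packet 0):
    # it takes everything the first rule let through.
    return [NthRule("DNAT1", every=2, packet=0), NthRule("DNAT2", every=1, packet=0)]


def unassigned(results: List[Optional[str]]) -> int:
    """How many packets fell through both DNAT rules."""
    return sum(1 for r in results if r is None)


if __name__ == "__main__":
    for label, rules in (("posted", posted_rules()), ("fixed", fixed_rules())):
        trace = walk_chain(rules, 8)
        print(f"{label:6}: {trace}  ({unassigned(trace)} of 8 not DNATed)")
```

    Whether a given kernel matches on the first or the second packet of each cycle does not change the pattern: with per-rule counters the second rule sees half the packets and matches half of those, so only a catch-all second rule covers them all.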

  • RELEVANCY SCORE 4.60

    DB:4.60:[Solved] Did The Iptables Tutorial - Ssh Doesnt Work 83



    Hi

    I followed the https://wiki.archlinux.org/index.php/Si … l_Firewall tutorial and added
    iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

    DB:4.60:[Solved] Did The Iptables Tutorial - Ssh Doesnt Work 83


    thestinger, thank you very much for your answer! It works and I finally understand the whole iptables thing.

    My SSH didn't work earlier, because the custom rule was AFTER
    REJECT tcp -- anywhere anywhere reject-with tcp-reset

  • RELEVANCY SCORE 4.60

    DB:4.60:[Solved] Iptables Chains Bytes Counting Problem f1



    Can somebody explain to me what is wrong? I've got this code:
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -F
    iptables -X

    iptables -N traffic-output
    iptables -F traffic-output
    iptables -N all-traffic
    iptables -F all-traffic
    iptables -N ssh-traffic
    iptables -F ssh-traffic
    iptables -N www-traffic
    iptables -F www-traffic
    iptables -N smb139-traffic
    iptables -F smb139-traffic
    iptables -N smb445-traffic
    iptables -F smb445-traffic

    iptables -A INPUT -j all-traffic
    iptables -A OUTPUT -j all-traffic
    iptables -A all-traffic -j traffic-output

    iptables -A INPUT -p tcp --dport 22 -j ssh-traffic
    iptables -A OUTPUT -p tcp --sport 22 -j ssh-traffic
    iptables -A ssh-traffic -j traffic-output

    iptables -A INPUT -p tcp --dport 80 -j www-traffic
    iptables -A OUTPUT -p tcp --sport 80 -j www-traffic
    iptables -A www-traffic -j traffic-output

    iptables -A INPUT -p tcp --dport 139 -j smb139-traffic
    iptables -A OUTPUT -p tcp --sport 139 -j smb139-traffic
    iptables -A smb139-traffic -j traffic-output

    iptables -A INPUT -p tcp --dport 445 -j smb445-traffic
    iptables -A OUTPUT -p tcp --sport 445 -j smb445-traffic
    iptables -A smb445-traffic -j traffic-output

    DB:4.60:[Solved] Iptables Chains Bytes Counting Problem f1


    Interesting. Well, both work generally, but they have built that tool on the rules you set up. The marking according to the texts www-traffic etc. would not be necessary (the tool could just parse the log lines with the correct --sport and --dport parms for that). But the question that matters (for a server) behind it is which way the processing of the rules is most efficient for the machine. Yet that's maybe negligible for such simple rules. Have fun setting it up.

  • RELEVANCY SCORE 4.57

    DB:4.57:Does The Iptables Module Ipt_Owner Work Under Virtuozzo ff





    Is the ipt_owner module supposed to work properly under Virtuozzo?

    # modprobe ipt_owner
    FATAL: Module ipt_owner not found.

    DB:4.57:Does The Iptables Module Ipt_Owner Work Under Virtuozzo ff




    Well, if you want security and state-of-the-art
    packets filtering - switch to OpenBSD

    If I were you, Id play with permissions
    of critical binaries. Of course its not
    a replacement for ipt_owner - but still
    is better than nothing.

  • RELEVANCY SCORE 4.56

    DB:4.56:Iptables And Plesk 9k





    I want to block a LOT of countries with iptables.

    I have to insert something like 3000 lines of iptables commands.

    I tried manually with a bash script and iptables crashed. (Even if it had not crashed it would have been useless because Plesk would then have overwritten the tables.)

    I have seen that Plesk stores in the MySQL db all the data about the iptables rules.

    May I have a SQL script to insert the rules I want (3000 of them) into the MySQL psa db without having iptables crash and without any problem?

    Is there no way to use iptables-save/restore with Plesk iptables?

    thanks

    stefano

    DB:4.56:Iptables And Plesk 9k




    Thanks.. I was also thinking about another solution: inserting the rules directly into the psa database. But I see that the rules seem encrypted...

    INSERT INTO `module_firewall_rules` (`id`, `configuration_id`, `direction`, `priority`, `object`) VALUES
    (19, 1, 0, 0, 0x613a343a7b733a343a2274797065223b733a383a226361746368616c6c223b733a353a22636c617373223b733a383a226361746368616c6c223b733a393a22646972656374696f6e223b733a353a22696e707574223b733a363a22616374696f6e223b733a353a22616c6c6f77223b7d),

    Is "object" the rule? How do I encrypt it like that?
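    Added example (not from the thread or from Plesk): the object value quoted above is not encrypted; it is the hex encoding of PHP serialize() output. The Python below carries a minimal parser for that format, decodes the row into its fields, and re-encodes a dict the same way. Only the one rule class visible in the post (catchall) is shown; the field names Plesk uses for other rule classes are not on this page and are not assumed here.

```python
import binascii

# The `object` column value quoted in the post above (copied from it).
PLESK_OBJECT_HEX = (
    "613a343a7b733a343a2274797065223b733a383a226361746368616c6c223b"
    "733a353a22636c617373223b733a383a226361746368616c6c223b"
    "733a393a22646972656374696f6e223b733a353a22696e707574223b"
    "733a363a22616374696f6e223b733a353a22616c6c6f77223b7d"
)


def php_unserialize(data: bytes):
    """Parse a subset of PHP serialize() output: N, i, b, s and a (arrays)."""
    value, pos = _parse(data, 0)
    if pos != len(data):
        raise ValueError("trailing bytes after serialized value")
    return value


def _parse(data: bytes, pos: int):
    tag = data[pos:pos + 1]
    if tag == b"N":                               # N;
        return None, pos + 2
    if tag in (b"i", b"b"):                       # i:123;   b:1;
        end = data.index(b";", pos)
        num = int(data[pos + 2:end])
        return (bool(num) if tag == b"b" else num), end + 1
    if tag == b"s":                               # s:LEN:"bytes";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                         # skip the ':"'
        raw = data[start:start + length]          # LEN is a byte count, not chars
        if data[start + length:start + length + 2] != b'";':
            raise ValueError("bad string terminator")
        return raw.decode("utf-8"), start + length + 2
    if tag == b"a":                               # a:COUNT:{key value ...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                           # skip the ':{'
        result = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            val, pos = _parse(data, pos)
            result[key] = val
        if data[pos:pos + 1] != b"}":
            raise ValueError("bad array terminator")
        return result, pos + 1
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")


def php_serialize(value) -> bytes:
    """Inverse of the parser for the same subset (enough to build a rule object)."""
    if value is None:
        return b"N;"
    if isinstance(value, bool):                   # check bool before int
        return b"b:%d;" % int(value)
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return b's:%d:"%s";' % (len(raw), raw)
    if isinstance(value, dict):
        body = b"".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return b"a:%d:{%s}" % (len(value), body)
    raise TypeError(f"unsupported type {type(value).__name__}")


def decode_plesk_rule(hex_value: str) -> dict:
    """Hex column value -> dict of the rule's fields."""
    return php_unserialize(binascii.unhexlify(hex_value))


def encode_plesk_rule(rule: dict) -> str:
    """Dict of fields -> hex column value, the way the quoted row is stored."""
    return binascii.hexlify(php_serialize(rule)).decode("ascii")


if __name__ == "__main__":
    print(decode_plesk_rule(PLESK_OBJECT_HEX))
```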

  • RELEVANCY SCORE 4.45

    DB:4.45:Plesk Wont Work With Iptables f7





    I have installed Plesk to try it on a Fedora Core 2 server. I am behind a router and don't know quite how to configure iptables. If I turn iptables off I can get to the admin section but cannot if I turn on the iptables. Any help and/or advice would be appreciated. Thank you.

    DB:4.45:Plesk Wont Work With Iptables f7




    Obviously the risks are much higher if you are not filtering on the server, and do not have a real firewall between it and the internet. That being said, a firewall in and of itself won't protect your server. It is just another layer of security. Your server will most likely be compromised through a port that you must allow through the firewall anyway (http, dns, smtp, etc). However, if used in conjunction with something like BFD, and/or mod_evasive you can at least mitigate such attacks. BFD is cool because it works in conjunction with APF. You set a threshold, and it watches the ports you tell it to. When someone tries to brute force attack a port/service, it will automatically inject a rule into your iptables for the offending IP.

    There are a lot of things you can do to help secure your server, but as it has been said in the past, the only way to secure a server is to turn it off.

  • RELEVANCY SCORE 4.45

    DB:4.45:Securing Iptables a9



    I think I understand some basic concepts of iptables, but there are a few things I'm unsure about. So far, I set up my iptables rules as per the HowTo on the ArchWiki with one small change to block ICMP. I am connected to a LAN via eth0 and the IP is assigned by DHCP:
    # iptables -P INPUT ACCEPT
    # iptables -P FORWARD ACCEPT
    # iptables -P OUTPUT ACCEPT
    # iptables -F
    # iptables -X

    # iptables -N open
    # iptables -N interfaces
    # iptables -A INPUT -p icmp -j REJECT
    # iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # iptables -A INPUT -j interfaces
    # iptables -A INPUT -j open
    # iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    # iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable

    # iptables -P INPUT DROP
    # iptables -P FORWARD DROP
    # iptables -P OUTPUT ACCEPT

    # iptables -A interfaces -i lo -j ACCEPT

    # /etc/rc.d/iptables save

    DB:4.45:Securing Iptables a9


    Thanks cactus, that clears it up!

    I think I'm going to try and restrict outgoing connections now. I see you've set up logging - something I'm probably going to avoid for the minute until I finish setting up all the rules I want.

    Many thanks.

  • RELEVANCY SCORE 4.45

    DB:4.45:[Solved] Iptables -I Lo Weird Behavoiur kk



    Hi,

    I was just reviewing my iptables rules, and saw that a rule exists on the INPUT chain that grants access to everything.
    ACCEPT all -- anywhere anywhere

    DB:4.45:[Solved] Iptables -I Lo Weird Behavoiur kk


    Thank you for the wiki, this is great! I especially liked the Protection against common attacks section. I always liked to set up my own rules but was not aware of these things. For my own scripts I use iptables-save / iptables-restore. So as an alternative to calling iptables, something like this is possible also:
    #!/bin/sh
    LoopbackInterface=lo

    TheRules="\
    *filter
    :INPUT DROP [0:0]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    :InputProtection - [0:0]
    -A INPUT -j InputProtection
    -A INPUT -i $LoopbackInterface -j ACCEPT
    -A OUTPUT -o $LoopbackInterface -j ACCEPT
    -A InputProtection -p tcp ! --syn -m state --state NEW -j DROP
    COMMIT"

    echo "$TheRules" | sudo iptables-restore
    echo "$TheRules" | sudo ip6tables-restore

  • RELEVANCY SCORE 4.45

    DB:4.45:Got 2.6test9 Working, But Cant Use Iptables. 7d



    I got my 2.6test9 working, but when I try to run the script to share internet, it gives me an error that some chains are not identified. This script worked in 2.4.
    This is it.
    #!/bin/sh

    EXTIF=eth0
    INTIF=eth1
    IPTABLES=/usr/sbin/iptables
    echo 1 > /proc/sys/net/ipv4/ip_forward

    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -F INPUT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -F OUTPUT
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F FORWARD
    $IPTABLES -t nat -F

    $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
    $IPTABLES -A FORWARD -j LOG

    $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

    DB:4.45:Got 2.6test9 Working, But Cant Use Iptables. 7d


    I think so, I've read in another forum that this is a problem in 2.6test9.

  • RELEVANCY SCORE 4.45

    DB:4.45:Easy And Working Firewall. ps



    Someone may find this one useful, it is a little script that configures iptables with ease. No need for fancy GUIs, and dead easy.

    A nice simple script. chown it root:root, chmod it 744. Edit, run the script, repeat when needed.
    #!/bin/sh
    # firewall.sh

    if [ "$(/usr/bin/id -u)" != 0 ]
    then
        echo "$(basename "$0"): you need to be root to do that."
        exit 1
    fi

    iptables --policy INPUT DROP
    iptables --policy FORWARD DROP
    iptables --flush          # Flush all rules, but keep policies
    iptables --delete-chain

    ### Basic firewall rules ###
    iptables --policy FORWARD DROP
    iptables --policy INPUT DROP
    iptables --append INPUT -i lo --source 127.0.0.1 --destination 127.0.0.1 -j ACCEPT
    iptables --append INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    ### icmp services ###
    #iptables --append INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
    #iptables --append INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    #iptables --append INPUT -p icmp --icmp-type echo-request -j ACCEPT
    #iptables --append INPUT -p icmp --icmp-type echo-reply -j ACCEPT

    ### Open ports ###
    #Bittorrent, ten downloads at a time
    #iptables --append INPUT -p tcp --dport 6881:6890 -j ACCEPT

    #eDonkey network
    #iptables --append INPUT -p tcp --dport 4662 -j ACCEPT
    #iptables --append INPUT -p udp --dport 4672 -j ACCEPT

    #http server
    #iptables --append INPUT -p tcp --dport 80 -j ACCEPT

    #https server
    #iptables --append INPUT -p tcp --dport https -j ACCEPT

    ### Limits the logging to 40 entries per minute ###
    iptables --append INPUT -j LOG -m limit --limit 40/minute
    ### Everything else is dropped ###
    iptables --append INPUT -j DROP
    echo "$(basename "$0"): Done."

    DB:4.45:Easy And Working Firewall. ps


    It is quite shameful since I posted this thread, but I need help...

    ATM I have to recall this script every time after connecting, or the iptables rules I made are lost.

    Does someone know how pppoe-start works? I tried reading it, but I do not understand how it sets the iptables rules.
    After a cold reboot, I noticed iptables-save displays nothing; after pppoe-start, iptables-save shows the masquerade default settings. How can I ask pppoe-start to use my firewall rules?
    thanks.

  • RELEVANCY SCORE 4.45

    DB:4.45:Simple Firewall For A Desktop (Mostly) User md


    # cat /etc/rc.d/myfirewall
    #!/bin/bash

    . /etc/rc.conf
    . /etc/rc.d/functions

    case "$1" in
    start)
        rc=0
        stat_busy "Starting Firewall"
        iptables -F
        iptables -X
        iptables -P OUTPUT ACCEPT
        iptables -P INPUT DROP
        iptables -P FORWARD DROP
        iptables -A INPUT -i lo -j ACCEPT
        iptables -A INPUT -p tcp --destination-port 4662 -m state --state NEW -j ACCEPT
        iptables -A INPUT -p udp --destination-port 4672 -m state --state NEW -j ACCEPT
        iptables -A INPUT -p udp --destination-port 53 -m state --state NEW -j ACCEPT
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        echo 0 > /proc/sys/net/ipv4/ip_forward
        stat_done
        ;;
    stop)
        rc=0
        stat_busy "Stopping Firewall"
        iptables -F
        iptables -X
        iptables -P OUTPUT ACCEPT
        iptables -P INPUT DROP
        iptables -P FORWARD DROP
        iptables -A INPUT -i lo -j ACCEPT
        stat_done
        ;;
    restart)
        $0 stop
        sleep 1
        $0 start
        ;;
    *)
        echo "usage: $0 {start|stop|restart}"
        ;;
    esac
    exit 0

    DB:4.45:Simple Firewall For A Desktop (Mostly) User md

    bauerber wrote:
    I'm wondering, why can't you sleep because of that?

  • RELEVANCY SCORE 4.45

    DB:4.45:Iptables Script Run On Boot-Up 9d



    Hi - at present I manually run my iptables script by su to root, cd into the script directory, then ./scriptname - this works fine and I then check it with:

    # iptables -L -v

    No problems - now - is there a standard way with Arch for your iptables script to be run automatically on boot?

    Thanks.

    DB:4.45:Iptables Script Run On Boot-Up 9d


    Cheers guys - I've sorted it - ran the script then checked it was active with:

    # iptables -L

    then saved the active ruleset with:

    # /etc/rc.d/iptables save

    then added:

    iptables

    to the daemons list in /etc/rc.conf

    rebooted - and checked it's active, and it is

    Thanks again everyone

  • RELEVANCY SCORE 4.45

    DB:4.45:[Solved] Iptables Script Output Question jp



    I wrote up a simple script to clear, then reapply my firewall settings. It seems to work fine, but I am receiving the following output:
    sudo ./fwreset
    iptables v1.4.16.2: no command specified
    Try `iptables -h' or 'iptables --help' for more information.
    iptables v1.4.16.2: no command specified
    Try `iptables -h' or 'iptables --help' for more information.
    Active: active (exited) since Wed, 2012-11-14 03:19:55 PST; 5h 16min ago
    Main PID: 279 (code=exited, status=0/SUCCESS)
    Stateful firewall has been reset

    DB:4.45:[Solved] Iptables Script Output Question jp

    foppe wrote:
    From the output it looks like two of your commands have a flaw. Easy debug: change the comment lines to echo:
    echo "Reset Iptables"
    iptables-restore < /etc/iptables/empty.rules
    ...

  • RELEVANCY SCORE 4.45

    DB:4.45:Iptables To Asa Conversion d8



    Hi Folks,

    does anyone know how I can convert a script from IPTABLES to Cisco ASA?

    thanks a lot

    DB:4.45:Iptables To Asa Conversion d8


    Folks,

    can anyone help me with the syntax used by IPTABLES?

    What do these commands mean?

    -A FORWARD -i vlan227 -j CTG-to-WAN

    -A FORWARD -i eth2 -j CTG-to-WAN

    -A FORWARD -d 12.10.1.0/255.255.255.0 -i eth1 -j MTBrazil-to-SN

    -A FORWARD -j PCBrazil

    thanks

  • RELEVANCY SCORE 4.43

    DB:4.43:Logging Firewall xa





    hello,

    is there a way to log dropped packets ?

    I can not see on web interface the way to do it.
    I tried directly on my Linux (Debian Squeeze) server by creating a chain LOGGING and adding:

    iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4

    but I received an error :

    iptables: No chain/target/match by that name.

    I want to do something like

    iptables -N LOGGING
    iptables -A INPUT -j LOGGING
    iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: " --log-level 4
    iptables -A LOGGING -j DROP

    thank you for your help

    DB:4.43:Logging Firewall xa




    yes Virtuozzo.

    My bad. Really annoying to not be able to log FW traffic.

    btw,

    thanks for taking times to answer me.

    Best regards

  • RELEVANCY SCORE 4.43

    DB:4.43:Problems With Https Web Pages And My Iptables Scripts 1k



    [root@Arch root]# iptables -A INPUT -p tcp -i eth0 --sport https -j ACCEPT
    iptables v1.2.10: invalid TCP port/service `https' specified
    Try `iptables -h' or 'iptables --help' for more information.

    Why?

    In others distro it works perfectly ...

    DB:4.43:Problems With Https Web Pages And My Iptables Scripts 1k


    the iptables comparison is performed on the packet itself, and its contents. If you sniffed the packet, you would see that the source for the packet is the machine of the person requesting the website, and the destination of the packet would be your server. Since the packet is allowed in by the rule, it gets to the box. The outgoing return data is either allowed by default (some people let anything out, but only filter incoming) or allowed via connection tracking (since it is part of a message that was allowed in, it gets allowed out).

    You can do a man iptables to find all kinds of other info, and searching google helps too. Best thing of all to do is just fire up a packet sniffer and watch... 8)

  • RELEVANCY SCORE 4.43

    DB:4.43:Saving Iptables Changes kc



    Greetings,

    In ESX 2.5x I was able to run iptables-save and pipe the output

    to a file called iptables in the sysconfig directory. That saved any

    changes I made.

    Unfortunately this broke in ESX 3.0. How does one save

    changes made using the IPTABLES command?

    Thanks,

    Stan

    DB:4.43:Saving Iptables Changes kc


    I took a look and I can't seem to find exactly where the config file gets loaded from. You can look at that script and see that they are using iptables and associated scripts for some of the work. Maybe you can divine where the config is being loaded from by looking at that.

  • RELEVANCY SCORE 4.39

    DB:4.39:Iptables And Fw-Interfaces Fails Me k3



    iptables -A FORWARD -j fw-interfaces
    iptables -A FORWARD -j fw-open

    Those two fail me.
    iptables v1.3.8: Couldn't load target `fw-interfaces':/usr/lib/iptables/libipt_fw-interfaces.so: cannot open shared object file: No such file or directory

    Try `iptables -h' or 'iptables --help' for more information.

    iptables v1.3.8: Couldn't load target `fw-open':/usr/lib/iptables/libipt_fw-open.so: cannot open shared object file: No such file or directory

    Try `iptables -h' or 'iptables --help' for more information.

    DB:4.39:Iptables And Fw-Interfaces Fails Me k3


    *sigh*

    I forgot to create the chains:
    iptables -N fw-interfaces
    iptables -N fw-open

    I guess I solved it

  • RELEVANCY SCORE 4.39

    DB:4.39:[Solved] Steam And Iptables a8



    I'm trying to get Steam to work with my iptables rules but even though I allow all traffic Steam needs I can't log in to it.

    The only problem with my iptables rules is the OUTPUT chain. If I leave it open Steam works. If I close it and open the ports Steam says it needs, it doesn't.

    My OUTPUT chain:
    iptables -P OUTPUT DROP

    iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
    iptables -A OUTPUT -p tcp --dport 25 -j ACCEPT
    iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

    iptables -A OUTPUT -p udp -m udp --sport 27000:27015 -j ACCEPT
    iptables -A OUTPUT -p udp -m udp --sport 27015:27030 -j ACCEPT

    iptables -A OUTPUT -p tcp -m tcp --sport 27014:27050 -j ACCEPT

    iptables -A OUTPUT -p udp -m udp --dport 27015 -j ACCEPT

    iptables -A OUTPUT -p udp -m udp --dport 3478 -j ACCEPT
    iptables -A OUTPUT -p udp -m udp --dport 4379 -j ACCEPT
    iptables -A OUTPUT -p udp -m udp --dport 4380 -j ACCEPT
    iptables -A OUTPUT -p udp -m udp --dport 4380 -j ACCEPT

    iptables -A OUTPUT -m conntrack --ctstate INVALID -j drop_invalid

    iptables -A OUTPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK,PSH,URG SYN -m state --state NEW -j DROP
    #drop everything else.
    iptables -N RULE_13
    iptables -A OUTPUT -j RULE_13
    iptables -A INPUT -j RULE_13
    iptables -A FORWARD -j RULE_13
    iptables -A RULE_13 -j LOG --log-level info --log-prefix "RULE 13 -- DENY "
    iptables -A RULE_13 -j DROP
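
    The "No chain/target/match by that name" error from the LOGGING chain, the "Couldn't load target `fw-open'" error, and the OUTPUT chain just posted (which jumps to drop_invalid without creating it anywhere in the excerpt, and lists one conntrack rule twice) share a root cause that can be caught before anything is loaded into the kernel. The following is an added example, not code from any of these posts: a small Python linter for shell-style iptables commands or iptables-save output; the ruleset it checks is constructed from the rules above.

```python
"""Offline sanity checks for iptables rule lines. Added example, not code from any
post on this page. Accepts shell-style ``iptables ...`` commands or iptables-save
syntax and reports, without touching the kernel, the mistakes behind the errors
quoted in these threads: jumping to or appending to a user chain never created
with -N, a bare ``iptables`` with no command, and the same rule added twice."""
import shlex
from collections import defaultdict, namedtuple

IPTABLES_NAMES = {"iptables", "ip6tables", "$IPTABLES"}
# Targets shipped with iptables; anything else must be an existing user chain.
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "MASQUERADE",
                   "DNAT", "SNAT", "REDIRECT", "TCPMSS", "MARK", "NFLOG"}
BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
CHAIN_OPS = {"-N", "-A", "-I", "-D", "-P", "-F", "-X"}

Command = namedtuple("Command", "invoked table op chain target body")


def parse_command(line, default_table="filter"):
    """Split one line into table, operation, chain, jump target and rule body.
    Returns None for blank lines and lines that are not iptables syntax (modprobe,
    echo, COMMIT ...). default_table is for iptables-save lines, which carry no -t."""
    try:
        argv = shlex.split(line, comments=True)
    except ValueError:                  # unbalanced quotes: leave to the shell
        return None
    if not argv:
        return None
    invoked = argv[0] in IPTABLES_NAMES
    if invoked:
        argv = argv[1:]
    elif argv[0].startswith(":"):       # iptables-save chain declaration
        return Command(False, default_table, "-N", argv[0][1:], None, ())
    elif not argv[0].startswith("-"):
        return None
    table = "filter" if invoked else default_table
    op = chain = target = None
    body, i = [], 0
    while i < len(argv):
        tok = argv[i]
        if tok == "-t" and i + 1 < len(argv):
            table, i = argv[i + 1], i + 2
        elif tok in CHAIN_OPS:
            op = tok
            chain = argv[i + 1] if i + 1 < len(argv) else None  # bare -F / -X
            i += 2
            if op in ("-I", "-D") and i < len(argv) and argv[i].isdigit():
                i += 1                  # rule number is not part of the match
        else:
            if tok == "-j" and i + 1 < len(argv):
                target = argv[i + 1]
            body.append(tok)
            i += 1
    return Command(invoked, table, op, chain, target, tuple(body))


def lint_rules(text):
    """Check a script or saved ruleset in order, the way iptables executes it.
    Returns (line_number, kind, detail); detail is the chain name or, for a
    duplicate, the line number of the first copy."""
    findings, seen, save_table = [], {}, "filter"
    declared = defaultdict(set)         # table -> user chains created so far
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.strip().startswith("*"):        # iptables-save table header
            save_table = line.strip()[1:]
            continue
        cmd = parse_command(line, save_table)
        if cmd is None:
            continue
        if cmd.op is None:
            if cmd.invoked:
                findings.append((lineno, "no-command", None))
            continue
        known = BUILTIN_CHAINS | declared[cmd.table]
        if cmd.op == "-N":
            declared[cmd.table].add(cmd.chain)
            continue
        if cmd.chain is not None and cmd.chain not in known:
            findings.append((lineno, "undefined-chain", cmd.chain))
        if cmd.op not in ("-A", "-I"):
            continue
        if cmd.target and cmd.target not in BUILTIN_TARGETS | known:
            findings.append((lineno, "undefined-target", cmd.target))
        key = (cmd.table, cmd.chain, cmd.body)  # same match and target twice?
        if key in seen:
            findings.append((lineno, "duplicate", seen[key]))
        else:
            seen[key] = lineno
    return findings


# Constructed sample modelled on the OUTPUT chain posted above plus the LOGGING
# rule from the Virtuozzo thread: one rule twice, two chains never created.
SAMPLE_RULES = """\
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate INVALID -j drop_invalid
iptables -N RULE_13
iptables -A OUTPUT -j RULE_13
iptables -A RULE_13 -j LOG --log-level info --log-prefix "RULE 13 -- DENY "
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables-Dropped: "
"""
```

    Feeding a saved ruleset to lint_rules (for example the contents of /etc/iptables/iptables.rules) before restoring it turns the runtime error into a line number; an empty result means every chain that is jumped to or appended to exists at that point.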

  • RELEVANCY SCORE 4.39

    DB:4.39:Iptables With Webserver pp



    I want to open port 80 in iptables for eth0 but not eth1, how do I go about doing that... I'm currently using iptables for routing.

    Nevermind, I seem to have fixed my problem...

    # iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
    # /etc/rc.d/iptables save

    did the trick

    Last edited by eldamar (2008-02-12 16:50:23)

  • RELEVANCY SCORE 4.39

    DB:4.39:Iptables: Memory Allocation Problem 7z





    Hello,

    It seems that there is a limit on the number of rules in iptables chains on a VPS. I have only 189 records in the filter table, but I can add a new rule only if I delete an old one.

    root@server [~]# iptables -I INPUT -s 123.123.123.123 -j DROP
    iptables: Memory allocation problem
    root@server [~]#
    root@server [~]# iptables -D INPUT 4
    root@server [~]# iptables -I INPUT -s 123.123.123.123 -j DROP
    root@server [~]#
    root@server [~]# iptables -I INPUT -s 123.123.123.124 -j DROP
    iptables: Memory allocation problem
    root@server [~]#

    Any idea?

  • RELEVANCY SCORE 4.39

    DB:4.39:Stopping Iptables And Restarting Failing 9d



    I was asked today to temporarily disable the firewall on ESX 3.5. Used command

    service iptables stop

    Problem is now I can't get the service restarted:

    service iptables start

    Any ideas?

  • RELEVANCY SCORE 4.39

    DB:4.39:Servers Are Inaccessible Via Some Wifi f7



    So I've set up two different Arch64 servers in two different locations on a college campus, and I've used the same set of iptables rules for each (it was a set of rules I recorded from reading through the Arch wiki). I find that if iptables is running on one of the servers, it will be accessible via ssh and http from any wired or wireless connection off campus, and any wired connection on campus - however, it will be inaccessible by a wireless connection on campus using either ssh or http. I know it's weird... If I use /etc/rc.d/iptables stop to stop the service, the problem is resolved. However, I would like to be able to run iptables, and access the servers via wifi on campus. Does anyone have any ideas what is going on? Below is the set of commands I issued (as root) on each server to set up the iptables rules...
    nano /etc/conf.d/iptables (set IPTABLES_FORWARD=0)
    iptables -N open
    iptables -N interfaces
    iptables -A INPUT -p icmp -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -j interfaces
    iptables -A INPUT -j open
    iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -A interfaces -i lo -j ACCEPT
    iptables -A interfaces -i eth0 -j ACCEPT
    iptables -A open -p tcp --dport 22 -j ACCEPT
    iptables -A open -i ppp0 -p tcp --dport 80 -j ACCEPT
    iptables -A open -i foo -p tcp --dport 65000:65005 -j ACCEPT
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    iptables -A INPUT -f -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
    iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
    iptables -I INPUT -i eth0 -s 10.0.0.0/8 -j DROP
    iptables -I INPUT -i eth0 -s 172.16.0.0/12 -j DROP
    iptables -I INPUT -i eth0 -s 192.168.0.0/16 -j DROP
    iptables -I INPUT -i eth0 -s 127.0.0.0/8 -j DROP
    /etc/rc.d/iptables save

    DB:4.39:Servers Are Inaccessible Via Some Wifi f7


    I think I'm trying to connect over normal ports... One of the servers has a domain name (namely http://norpass.com) and what fails on campus is...

    - ping norpass.com
    - ssh (username)@norpass.com
    - accessing norpass.com in Firefox

    If I'm off campus or on the campus wired network the three things above work perfectly fine...

    The issue with the other server (which does not have a domain name but does have its own externally accessible IP address) is exactly the same.

    Last edited by tony5429 (2009-10-11 22:28:23)

  • RELEVANCY SCORE 4.39

    DB:4.39:Another Iptables Thread 7j



    Hi all,

    first of all the situation. I have a LAN with several clients (192.168.15.x) and one of them is an Exchange Server.

    As a router I am trying to set up Ubuntu Server, which works in some disciplines but not in others. I got DHCP and internet routing working for the LAN clients.

    But I cannot access the internal Exchange server from the outside. So what I need is routing to ports 80, 443 and 25 from the Ubuntu server to the Exchange client.

    I tried several iptables scripts, but nothing did help.

    Here are the relevant parts of the script:
    iptables -A FORWARD -p tcp -m multiport --dports 20,21,80 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.15.1:80

    iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.15.1:443

    #iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.15.1

    #iptables -A FORWARD -i eth1 -m state --state NEW -p tcp -d 192.168.15.1 --dport 80 -j ACCEPT

    #iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 80 -j SNAT --to-source $LAN_IP

    As you can see I tried every combination I found on the internet and it seems to work a bit. When I try to access my LAN with my external IP it always takes ages until I get the page load error. I just cannot figure out what is exactly wrong.

    Some advice would be great.

    Below is the whole script just in case somebody needs it.

    Thanks in advance, Sven

    #!/bin/bash
    # ---------------------------------------------------------------------
    # Linux iptables firewall script, Copyright (c) 2008 under the GPL
    # Autogenerated by iptables Generator v1.22 (c) 2002-2008 by Harald Bertram
    # Please visit http://harry.homelinux.org for new versions of
    # the iptables Generator (c).
    #
    # This Script was generated by request from:
    # sssssrichter@gmx.de on: 2008-11-19 17:12.41 MET.
    #
    # If you have questions about the iptables Generator or about
    # your Firewall-Skript feel free to take a look at out website or
    # send me an E-Mail to webmaster@harry.homelinux.org.
    #
    # My special thanks are going to Lutz Heinrich (trinitywork at hotmail dot com)
    # who made lots of Beta-Testing and gave me lots of well qualified
    # Feedback that made me able to improve the iptables Generator.
    # --------------------------------------------------------------------

    case "$1" in
    start)
        echo "Starte IP-Paketfilter"

        # iptables module
        modprobe ip_tables
        # connection tracking modules
        modprobe ip_conntrack
        # ip_conntrack_irc is only available with kernels >= 2.4.19
        modprobe ip_conntrack_irc
        modprobe ip_conntrack_ftp

        # flush the tables
        iptables -F
        iptables -t nat -F
        iptables -t mangle -F
        iptables -X
        iptables -t nat -X
        iptables -t mangle -X

        # set default policies
        iptables -P INPUT DROP
        iptables -P OUTPUT DROP
        iptables -P FORWARD DROP

        # MY_REJECT chain
        iptables -N MY_REJECT

        # populate MY_REJECT
        iptables -A MY_REJECT -p tcp -m limit --limit 7200/h -j LOG --log-prefix "REJECT TCP "
        iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
        iptables -A MY_REJECT -p udp -m limit --limit 7200/h -j LOG --log-prefix "REJECT UDP "
        iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
        iptables -A MY_REJECT -p icmp -m limit --limit 7200/h -j LOG --log-prefix "DROP ICMP "
        iptables -A MY_REJECT -p icmp -j DROP
        iptables -A MY_REJECT -m limit --limit 7200/h -j LOG --log-prefix "REJECT OTHER "
        iptables -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable

        # MY_DROP chain
        iptables -N MY_DROP
        iptables -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
        iptables -A MY_DROP -j DROP

        # log all discarded packets
        iptables -A INPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID "
        iptables -A OUTPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID "
        iptables -A FORWARD -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "FORWARD INVALID "

        # discard corrupt packets
        iptables -A INPUT -m state --state INVALID -j DROP
        iptables -A OUTPUT -m state --state INVALID -j DROP
        iptables -A FORWARD -m state --state INVALID -j DROP

        # drop stealth scans etc.
        # no flags set
        iptables -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
        iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP

        # SYN and FIN set
        iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
        iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP

        # SYN and RST set at the same time
        iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
        iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP

        # FIN and RST set at the same time
        iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
        iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP

        # FIN without ACK
        iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
        iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP

        # PSH without ACK
        iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
        iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP

        # URG without ACK
        iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
        iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP

        # allow loopback traffic
        iptables -A INPUT -i lo -j ACCEPT
        iptables -A OUTPUT -o lo -j ACCEPT

        # clamp the maximum segment size (MSS) of forwarded traffic to the PMTU
        iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

        # enable connection tracking
        iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
        iptables -A FORWARD ! -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
        iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        # iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT -dports 1024:65536
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

        # SSH
        iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 22 -j ACCEPT

        # OPENVPN_V1
        iptables -A INPUT -i eth1 -m state --state NEW -p udp --dport 5000 -j ACCEPT

        # OPENVPN_V2
        iptables -A INPUT -i eth1 -m state --state NEW -p udp --dport 1194 -j ACCEPT

        # allow and answer ICMP echo requests (ping)
        iptables -A INPUT -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT

        # determine the IP address of the LAN interface
        LAN_IP=$(ifconfig eth2 | head -n 2 | tail -n 1 | cut -d: -f2 | cut -d' ' -f1)

        # NAT for HTTP
        # iptables -A FORWARD -p tcp -m multiport --dports 20,21,80 -j ACCEPT
        iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.15.1:80
        iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.15.1:443

        #iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.15.1
        #iptables -A FORWARD -i eth1 -m state --state NEW -p tcp -d 192.168.15.1 --dport 80 -j ACCEPT
        # use source NAT (SNAT) for the current connection into the LAN
        #iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 80 -j SNAT --to-source $LAN_IP

        # NAT for HTTPS
        #iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j DNAT --to-destination 192.168.15.1
        #iptables -A FORWARD -i eth1 -m state --state NEW -p tcp -d 192.168.15.1 --dport 443 -j ACCEPT
        # use source NAT (SNAT) for the current connection into the LAN
        #iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 443 -j SNAT --to-source $LAN_IP

        # NAT for SMTP
        iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to-destination 192.168.15.1
        iptables -A FORWARD -i eth1 -m state --state NEW -p tcp -d 192.168.15.1 --dport 25 -j ACCEPT
        # use source NAT (SNAT) for the current connection into the LAN
        iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 25 -j SNAT --to-source $LAN_IP

        # LAN access on eth2
        iptables -A INPUT -m state --state NEW -i eth2 -j ACCEPT

        # default policies with REJECT
        iptables -A INPUT -j MY_REJECT
        iptables -A OUTPUT -j MY_REJECT
        iptables -A FORWARD -j MY_REJECT

        # forwarding/routing
        echo "Aktiviere IP-Routing"
        echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null

        # SYN cookies
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null

        # stop source routing
        for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_source_route 2> /dev/null; done

        # stop redirects
        for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_redirects 2> /dev/null; done

        # reverse path filter
        for i in /proc/sys/net/ipv4/conf/*; do echo 2 > $i/rp_filter 2> /dev/null; done

        # log martians
        for i in /proc/sys/net/ipv4/conf/*; do echo 1 > $i/log_martians 2> /dev/null; done

        # disable BOOTP relaying
        for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/bootp_relay 2> /dev/null; done

        # disable proxy ARP
        for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/proxy_arp 2> /dev/null; done

        # ignore bogus ICMP error responses
        echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2> /dev/null

        # ignore ICMP echo broadcasts
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null

        # send at most 500 per second (5 per jiffie)
        echo 5 > /proc/sys/net/ipv4/icmp_ratelimit

        # memory allocation and timing for IP de-/fragmentation
        echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
        echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
        echo 30 > /proc/sys/net/ipv4/ipfrag_time

        # set the TCP FIN timeout to protect against DoS attacks
        echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

        # at most 3 answers to a TCP SYN
        echo 3 > /proc/sys/net/ipv4/tcp_retries1

        # retransmit TCP packets at most 15 times
        echo 15 > /proc/sys/net/ipv4/tcp_retries2
        ;;

    stop)
        echo "Stoppe IP-Paketfilter"
        # flush the tables
        iptables -F
        iptables -t nat -F
        iptables -t mangle -F
        iptables -X
        iptables -t nat -X
        iptables -t mangle -X
        echo "Deaktiviere IP-Routing"
        echo 0 > /proc/sys/net/ipv4/ip_forward

        # set default policies
        iptables -P INPUT ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -P FORWARD ACCEPT
        ;;

    status)
        echo "Tabelle filter"
        iptables -L -vn
        echo "Tabelle nat"
        iptables -t nat -L -vn
        echo "Tabelle mangle"
        iptables -t mangle -L -vn
        ;;

    *)
        echo "Fehlerhafter Aufruf"
        echo "Syntax: $0 {start|stop|status}"
        exit 1
        ;;
    esac

    DB:4.39:Another Iptables Thread 7j


    Hm, sorry I didn't find time to try earlier.

    I did what you suggested and just used a small script:

    # iptables module
    modprobe ip_tables
    # connection tracking modules
    modprobe ip_conntrack
    # ip_conntrack_irc is only available with kernels >= 2.4.19
    modprobe ip_conntrack_irc
    modprobe ip_conntrack_ftp

    # flush the tables
    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X
    iptables -t nat -X
    iptables -t mangle -X

    # set default policies
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP

    # log all discarded packets
    iptables -A INPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID "
    iptables -A OUTPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID "
    iptables -A FORWARD -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "FORWARD INVALID "

    # allow loopback traffic
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT

    # enable connection tracking
    iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD ! -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    iptables -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.15.1
    iptables -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.15.1

    # allow and answer ICMP echo requests (ping)
    iptables -A INPUT -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT

    # determine the IP address of the LAN interface
    LAN_IP=$(ifconfig eth2 | head -n 2 | tail -n 1 | cut -d: -f2 | cut -d' ' -f1)

    # LAN access on eth2
    iptables -A INPUT -m state --state NEW -i eth2 -j ACCEPT

    # forwarding/routing
    echo "Aktiviere IP-Routing"
    echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null

    And I cannot get it working. Phew, this really drives me insane. I achieved a lot of things in the last years, learned a lot of things by doing it myself. But this seems to stop me. I already tried out so much that I don't know what else I can do.

    I am lost in my lan between all the packages flooding around

  • RELEVANCY SCORE 4.39

    DB:4.39:Mse Kernel Upgrade After New Installation dd


    Upon bootup and stopping the MSE server, I receive the following error messages:

    iptables v1.3.5: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.
    iptables v1.3.5: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.

    Also, when trying to ping the server, it does not reply.
    This is a new installation of Cisco MSE 7.4.
    Please, any advice?

    DB:4.39:Mse Kernel Upgrade After New Installation dd


  • RELEVANCY SCORE 4.37

    DB:4.37:Someone Update Iptables Wiki Entry? ks



    I would do it myself but honestly I have never updated a wiki entry before, and I couldn't find any button that would let me do so.

    This is what I'm referring to.

    following the install steps

    # pacman -S iptables

    then

    # systemctl enable iptables
    # systemctl start iptables

    on

    # systemctl start iptables

    I ran into an error; the problem was that I needed to do

    # iptables-save > /etc/iptables/iptables.rules
    and for ip6tables
    # ip6tables-save > /etc/iptables/ip6tables.rules

    With some googling (it is also mentioned in the wiki entry, but not as a part of the installation) I found out about the former command, but I had to guess with the ip6tables one and luckily it seems to have worked.

    Someone should add these commands to the installation part of the iptables wiki entry.

    Last edited by rabcor (2013-02-24 01:20:48)

    DB:4.37:Someone Update Iptables Wiki Entry? ks


    I don't think so. You read through the first few lines and just kind of blindly put the commands listed into your machine. But what good does starting iptables do if you have no configuration for it? If you read further, it gives a brief introduction on how to set it up, and included in that portion is
    Arch Wiki wrote:
    For systemd users, after adding rules via command-line:
    # iptables-save > /etc/iptables/iptables.rules
    Finally:
    # systemctl restart iptables
    And to ensure there were no problems:
    $ systemctl status iptables

  • RELEVANCY SCORE 4.29

    DB:4.29:Iptables On Vcs 3x



    Is it possible to create iptables rules on Cisco VCS 7.2.2?

    DB:4.29:Iptables On Vcs 3x


    The integrated firewall of the VCS is based on iptables, but you shall not interact with it on the root console.

    Check out the vcs web interface:

    System > Firewall rules > Configuration

    (see also the admin guide page 62ff)

    http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/admin_guide/Cisco_VCS_Administrator_Guide_X7-2.pdf

    Please remember to rate helpful responses and identify helpful or correct answers.

  • RELEVANCY SCORE 4.29

    DB:4.29:Auth And 127.0.1.51 zs





    Hello,

    I found this entry in my LogWatch.

    --------------------- Connections (secure-log) Begin ------------------------

    Connections:
    Service auth:
    127.0.1.51: 1 Time(s)

    I have port 113 - Auth locked down via the Plesk Firewall module. Here is the information.

    ********************

    #!/bin/sh
    #
    # Automatically generated by Plesk netconf
    #

    set -e

    echo 0 > /proc/sys/net/ipv4/ip_forward
    ([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains stop) >/dev/null 2>&1 || true
    (rmmod ipchains) >/dev/null 2>&1 || true
    /sbin/iptables -F
    /sbin/iptables -X
    /sbin/iptables -Z
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A INPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
    /sbin/iptables -A INPUT -m state --state INVALID -j DROP
    /sbin/iptables -P OUTPUT DROP
    /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp ! --syn -j REJECT --reject-with tcp-reset
    /sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
    /sbin/iptables -P FORWARD DROP
    /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A FORWARD -p tcp ! --syn -j REJECT --reject-with tcp-reset
    /sbin/iptables -A FORWARD -m state --state INVALID -j DROP
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    /sbin/iptables -A OUTPUT -o lo -j ACCEPT
    /sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT
    /sbin/iptables -t mangle -F
    /sbin/iptables -t mangle -X
    /sbin/iptables -t mangle -Z
    /sbin/iptables -t mangle -P PREROUTING ACCEPT
    /sbin/iptables -t mangle -P OUTPUT ACCEPT
    /sbin/iptables -t mangle -P INPUT ACCEPT
    /sbin/iptables -t mangle -P FORWARD ACCEPT
    /sbin/iptables -t mangle -P POSTROUTING ACCEPT
    /sbin/iptables -t nat -F
    /sbin/iptables -t nat -X
    /sbin/iptables -t nat -Z
    /sbin/iptables -t nat -P PREROUTING ACCEPT
    /sbin/iptables -t nat -P OUTPUT ACCEPT
    /sbin/iptables -t nat -P POSTROUTING ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 8443 -s 220.225.128.155 -j DROP

    /sbin/iptables -A INPUT -p tcp --dport 23 -j DROP
    /sbin/iptables -A INPUT -p udp --dport 23 -j DROP

    /sbin/iptables -A INPUT -p tcp --dport 106 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 113 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 143 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 465 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 631 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 953 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 993 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 995 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 3000 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP

    /sbin/iptables -A INPUT -p tcp --dport 8443 -s 69.34.35.58 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 8443 -s 216.40.228.128/25 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 8443 -j DROP

    /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 21 -s 69.34.35.58 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 21 -j DROP

    /sbin/iptables -A INPUT -p tcp --dport 22 -s 69.34.35.58 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 22 -s 216.40.228.128/25 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 22 -j DROP

    /sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 143 -s 69.34.35.58 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 993 -s 69.34.35.58 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 143 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 993 -j DROP

    /sbin/iptables -A INPUT -p tcp --dport 106 -s 69.34.35.58 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 106 -j DROP

    /sbin/iptables -A INPUT -p tcp --dport 3306 -s 69.34.35.58 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP

    /sbin/iptables -A INPUT -p tcp --dport 5432 -j DROP

    /sbin/iptables -A INPUT -p tcp --dport 9008 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 9080 -j DROP

    /sbin/iptables -A INPUT -p udp --dport 137 -j DROP
    /sbin/iptables -A INPUT -p udp --dport 138 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 445 -j DROP

    /sbin/iptables -A INPUT -p udp --dport 1194 -s 69.34.35.58 -j ACCEPT
    /sbin/iptables -A INPUT -p udp --dport 1194 -j DROP

    /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT

    /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -s 69.34.35.58 -j ACCEPT
    /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j DROP

    /sbin/iptables -A INPUT -j ACCEPT

    /sbin/iptables -A OUTPUT -j ACCEPT

    /sbin/iptables -A FORWARD -j DROP

    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /usr/local/psa/var/modules/firewall/ip_forward.active
    chmod 644 /usr/local/psa/var/modules/firewall/ip_forward.active
    #
    # End of script
    #

    *******************

    I have two questions.

    1. Is this a sign of a hacker in my system?

    2. Is there anything else I can do to strengthen my firewall rules?

    Thanks,

    Randal

  • RELEVANCY SCORE 4.28

    DB:4.28:Wsa + Linux Iptables 7d



    I have a firewall with iptables, and my machines are behind it. I have the WSA configured in transparent mode in the same LAN as the iptables box; I wonder whether, if I forward all TCP/80 and TCP/443 traffic to the IronPort, I can make it work seamlessly. Is this possible? I did some testing in an isolated environment, but without success.

    DB:4.28:Wsa + Linux Iptables 7d


    Hi Maiquel,

    forwarding (redirecting) the packet to the WSA via L2 is what the WSA User Guide specifies as L2 transparent mode. This should just work as expected. WCCP would be a different protocol which controls the redirection process more closely and can also be used for failover. While "plain" L2 transparent forwarding doesn't have any reliability, WCCP will let you have troubleshooting/alerting when things go wrong.

    However, in most cases you go with WCCP together with an IOS router.

    -Stephan

  • RELEVANCY SCORE 4.24

    DB:4.24:Iptables Via Telnet jf


    I want to be able to set up some custom iptables entries via telnet. The first time I tried it I got the error:

    iptables --list
    iptables v1.3.5: can't initialize iptables table 'filter': iptables who? (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.

    However I found another post telling me to use:

    insmod ip_tables
    insmod iptable_filter
    insmod iptable_mangle

    Now iptables --list works and shows no entries. But when I try to add an entry to block broadcasts:

    iptables -A INPUT -p udp -d 255.255.255.255 -j DROP

    then do iptables --list, it locks up. I can delete the above entry and then it works fine again. Are there some features of iptables that aren't supported? Or am I doing something else wrong? Thanks for any help.

  • RELEVANCY SCORE 4.23

    DB:4.23:Configuring Iptables To Allow Nfs c8



    Hi

    I'm trying to configure iptables to let NFS through; currently I've got these iptables rules:
    iptables -N open
    iptables -N interfaces

    iptables -A INPUT -p icmp -j ACCEPT
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

    iptables -A INPUT -j interfaces
    iptables -A INPUT -j open

    iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    iptables -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
    iptables -P INPUT DROP

    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    iptables -A interfaces -i lo -j ACCEPT

    iptables -A open -p tcp --dport 10023 -j ACCEPT

    #Allow nfs, see /etc/conf.d/nfs for port config
    iptables -A open -p tcp --dport 32767 -j ACCEPT
    iptables -A open -p tcp --dport 32765:32766 -j ACCEPT
    iptables -A open -p tcp --dport 32764 -j ACCEPT
    iptables -A open -p tcp --dport 111 -j ACCEPT #portmap
    iptables -A open -p udp --dport 111 -j ACCEPT #portmap
    iptables -A open -p tcp --dport 2049 -j ACCEPT
    iptables -A open -p udp --dport 2049 -j ACCEPT

    DB:4.23:Configuring Iptables To Allow Nfs c8

    yassin wrote:
    It blocked out my SSH server.

  • RELEVANCY SCORE 4.22

    DB:4.22:Iptables Cant Initialize? 9m



    Hi all, I'm trying to enable NAT on my Raspberry Pi for a project. I have been consulting the Arch Wiki page and have found that I need to use iptables to enable masquerading.

    So I execute the command as stated:
    # iptables -t nat -A POSTROUTING -o internet0 -j MASQUERADE
    # iptables -A FORWARD -i internet0 -o internal0 -j ACCEPT
    # iptables -A FORWARD -i internal0 -o internet0 -j ACCEPT

    DB:4.22:Iptables Cant Initialize? 9m


    I think you need to ask on the Arch Linux ARM forum.
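
    The message "can't initialize iptables table `filter': iptables who? (do you need to insmod?)" appears three times on this page (the Cisco MSE thread, the telnet thread, and by title the Raspberry Pi NAT thread). It means the kernel has no table of that name registered: on a modular kernel the ip_tables and iptable_* modules are not loaded, and on a kernel built without netfilter no module can be loaded, which is what the "upgrade" hint in the message is about. The telnet post's insmod sequence works because it is in dependency order (iptable_filter needs ip_tables); modprobe resolves that order itself. The follow-up problem in that post, `iptables --list` stalling after a rule with 255.255.255.255 is added, is most likely the reverse DNS lookup that `-L` performs on every address; `-L -n` skips it. The script below is an added example written for this page, not from any of the posts: it checks /proc/modules and /proc/net/ip_tables_names (both only exist with the legacy xtables backend these posts use) and loads what is missing. The module list is an assumption; nf_conntrack and iptable_nat are included because `-m state` rules and the NAT table need them, and the exact names vary between kernel versions.

```sh
#!/bin/sh
# Added example: diagnose
#   iptables v1.3.5: can't initialize iptables table `filter': iptables who? (do you need to insmod?)
# The kernel answers that way when no 'filter' table is registered: on a
# modular kernel ip_tables/iptable_filter are not loaded; on a kernel built
# without netfilter no module can fix it (the "upgrade" hint in the message).

# Assumption: the modules the telnet post loads by hand, plus iptable_nat (the
# Raspberry Pi NAT case) and nf_conntrack (needed by "-m state"/"-m conntrack"
# rules). Module names drift between kernel versions; adjust for yours.
REQUIRED_MODULES="ip_tables iptable_filter iptable_mangle iptable_nat nf_conntrack"

# missing_modules FILE: print each required module absent from FILE, which has
# the layout of /proc/modules (the module name is the first field of each line).
missing_modules() {
    for m in $REQUIRED_MODULES; do
        grep -q "^$m " "$1" || echo "$m"
    done
}

# missing_tables FILE: print each of filter/nat/mangle absent from FILE, which
# has the layout of /proc/net/ip_tables_names (one registered table per line).
# This is the authoritative check: a table listed there initialises whether its
# code came from a module or was built into the kernel.
missing_tables() {
    for t in filter nat mangle; do
        grep -qx "$t" "$1" || echo "$t"
    done
}

# diagnose_live: real run against the running kernel (root needed for modprobe).
# modprobe, unlike the insmod sequence in the post, pulls in dependencies such
# as ip_tables for iptable_filter, so load order does not matter.
diagnose_live() {
    if [ ! -r /proc/modules ]; then
        echo "no /proc/modules: monolithic kernel, nothing can be loaded" >&2
    else
        for m in $(missing_modules /proc/modules); do
            modprobe "$m" 2>/dev/null || echo "cannot load $m: kernel built without it?" >&2
        done
    fi
    for t in $(missing_tables /proc/net/ip_tables_names 2>/dev/null); do
        echo "table $t still not registered" >&2
    done
    # -n disables reverse DNS on listed addresses; without it "iptables -L"
    # stalls resolving things like 255.255.255.255 when DNS is slow or absent.
    iptables -L -n
}
```

    Source the file and call `diagnose_live` as root; the two pure functions can be pointed at copies of the proc files taken from another box when the affected one (an MSE appliance, say) cannot run the script itself.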

  • RELEVANCY SCORE 4.22

    DB:4.22:[Solved] Strange Wifi Ad-Hoc Issue z8



    Hello everybody.

    There are 4 laptops between which a WiFi network should be established: Arch (the router), 2 Ubuntu 10.04, and Windows 7. The problem is that only one Ubuntu laptop is able to connect to my Ad-Hoc access point. The other two can see the name of my AP in the connections list, but when they try to link, nothing happens. Literally, nothing — ifconfig wlan0 on my machine shows that no data is transferred: RX and TX just do not change, although being refreshed every second.

    I have Intel 3945abg wireless card, bringing the AP up with the following script:
    #!/bin/bash

    ifconfig wlan0 down;
    iwconfig wlan0 essid TEST mode Ad-Hoc key s:qwert;
    ifconfig wlan0 192.168.3.1;
    ifconfig wlan0 up;

    killall dnsmasq; dnsmasq;

    /etc/rc.d/iptables restart;

    iptables -F
    iptables -t nat -F
    iptables -t mangle -F
    iptables -X

    iptables -A INPUT -i lo -j ACCEPT

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # "-i !ppp0" is the old inverted form; current iptables expects "! -i ppp0"
    iptables -A INPUT -m state --state NEW ! -i ppp0 -j ACCEPT
    iptables -A FORWARD -i ppp0 -o wlan0 -m state --state ESTABLISHED,RELATED -j ACCEPT

    iptables -A FORWARD -i wlan0 -o ppp0 -j ACCEPT

    iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

    iptables -A FORWARD -i ppp0 -o ppp0 -j REJECT
    iptables -A FORWARD -i eth0 -o ppp0 -j REJECT

    echo 1 > /proc/sys/net/ipv4/ip_forward

    DB:4.22:[Solved] Strange Wifi Ad-Hoc Issue z8


    Finally solved by installing 2.6.32-LTS kernel.

  • RELEVANCY SCORE 4.20

    DB:4.20:Hardening Esx Server (Iptables?) 1x



    Anyone have a document / HOWTO hardenize an ESX Server?

    TIA

    Manlio

    DB:4.20:Hardening Esx Server (Iptables?) 1x


    Since the management nic is assigned exclusively to service console we prefer to use strong security features of firewalls (like SecureComputing's Sidewinder or Cisco PIX or IOS-FW) or at least of layer 3 switches (like Cisco 3550, 3750 etc) to control all traffic from and to this nic. I prefer bringing the best things of each expert together.

    Just an idea for the virtual switches: here it would be great to have features like in the IOS of Cisco switches. Since there are different IOS simulators around (like the Boson NetSim) a cooperation between VMware and Cisco or one of the simulator vendors could bring very interesting advantages. Up to now, increased security for the VMs would need separate virtual switches with their own outbound NICs for each VM to secure the access from and to these systems. To consolidate the number of network ports without degrading the security, this would be great.

    Regards,

    Franz

  • RELEVANCY SCORE 4.20

    DB:4.20:Iptables Postrouting fa



    Hi there,

    Trying to configure iptables rules on an EdgeMAX EdgeRouter Lite (fw 1.2.0) from the command line, and I am encountering a strange issue:

    eth0 - external

    eth2 - internal

    iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE

    This is the only iptables rule.

    Any connection from behind eth2 to the outside ends up with "connection reset by peer"; is there any rule or configuration that I am missing?

    Thank you

    DB:4.20:Iptables Postrouting fa


    I'd suggest 1st upgrading to v1.5.0 and then try the setup wizard in the GUI.




    EdgeMAX Router Software Development

  • RELEVANCY SCORE 4.20

    DB:4.20:Plesk Automated Iptables Configuration Security Issue?! jc





    Hello there,

    I am currently configuring my iptables firewall and wanted to do that with the integrated interface in Plesk Panel.
    When I was testing the configuration, I found out that the preset configuration of input/output traffic in Plesk is pretty much useless?!

    When I choose to block all these connections by default, Plesk generates this script:



    #!/bin/sh
    #ATTENTION!
    #
    #DO NOT MODIFY THIS FILE BECAUSE IT WAS GENERATED AUTOMATICALLY,
    #SO ALL YOUR CHANGES WILL BE LOST THE NEXT TIME THE FILE IS GENERATED.

    set -e

    echo 0 > /proc/sys/net/ipv4/ip_forward
    ([ -f /var/lock/subsys/ipchains ] && /etc/init.d/ipchains stop) >/dev/null 2>&1 || true
    (rmmod ipchains) >/dev/null 2>&1 || true
    /sbin/iptables -F
    /sbin/iptables -X
    /sbin/iptables -Z
    /sbin/iptables -P INPUT DROP
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
    /sbin/iptables -A INPUT -m state --state INVALID -j DROP
    /sbin/iptables -P OUTPUT DROP
    /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
    /sbin/iptables -A OUTPUT -m state --state INVALID -j DROP
    /sbin/iptables -P FORWARD DROP
    /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
    /sbin/iptables -A FORWARD -m state --state INVALID -j DROP
    /sbin/iptables -A INPUT -i lo -j ACCEPT
    /sbin/iptables -A OUTPUT -o lo -j ACCEPT
    /sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT
    /sbin/iptables -t mangle -F
    /sbin/iptables -t mangle -X
    /sbin/iptables -t mangle -Z
    /sbin/iptables -t mangle -P PREROUTING ACCEPT
    /sbin/iptables -t mangle -P OUTPUT ACCEPT
    /sbin/iptables -t mangle -P INPUT ACCEPT
    /sbin/iptables -t mangle -P FORWARD ACCEPT
    /sbin/iptables -t mangle -P POSTROUTING ACCEPT
    /sbin/ip6tables -F
    /sbin/ip6tables -X
    /sbin/ip6tables -Z
    /sbin/ip6tables -P INPUT DROP
    /sbin/ip6tables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/ip6tables -A INPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
    /sbin/ip6tables -A INPUT -m state --state INVALID -j DROP
    /sbin/ip6tables -P OUTPUT DROP
    /sbin/ip6tables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/ip6tables -A OUTPUT -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
    /sbin/ip6tables -A OUTPUT -m state --state INVALID -j DROP
    /sbin/ip6tables -P FORWARD DROP
    /sbin/ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/ip6tables -A FORWARD -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
    /sbin/ip6tables -A FORWARD -m state --state INVALID -j DROP
    /sbin/ip6tables -A INPUT -i lo -j ACCEPT
    /sbin/ip6tables -A OUTPUT -o lo -j ACCEPT
    /sbin/ip6tables -A FORWARD -i lo -o lo -j ACCEPT
    /sbin/ip6tables -t mangle -F
    /sbin/ip6tables -t mangle -X
    /sbin/ip6tables -t mangle -Z
    /sbin/ip6tables -t mangle -P PREROUTING ACCEPT
    /sbin/ip6tables -t mangle -P OUTPUT ACCEPT
    /sbin/ip6tables -t mangle -P INPUT ACCEPT
    /sbin/ip6tables -t mangle -P FORWARD ACCEPT
    /sbin/ip6tables -t mangle -P POSTROUTING ACCEPT
    /sbin/iptables -t nat -F
    /sbin/iptables -t nat -X
    /sbin/iptables -t nat -Z
    /sbin/iptables -t nat -P PREROUTING ACCEPT
    /sbin/iptables -t nat -P OUTPUT ACCEPT
    /sbin/iptables -t nat -P POSTROUTING ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 12443 -j DROP
    /sbin/ip6tables -A INPUT -p tcp --dport 12443 -j DROP

    /sbin/iptables -A INPUT -p tcp --dport 11443 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 11444 -j DROP
    /sbin/ip6tables -A INPUT -p tcp --dport 11443 -j DROP
    /sbin/ip6tables -A INPUT -p tcp --dport 11444 -j DROP

    /sbin/iptables -A INPUT -p tcp --dport 8447 -j ACCEPT
    /sbin/ip6tables -A INPUT -p tcp --dport 8447 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 8880 -j ACCEPT
    /sbin/ip6tables -A INPUT -p tcp --dport 8443 -j ACCEPT
    /sbin/ip6tables -A INPUT -p tcp --dport 8880 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT
    /sbin/ip6tables -A INPUT -p tcp --dport 80 -j ACCEPT
    /sbin/ip6tables -A INPUT -p tcp --dport 443 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    /sbin/ip6tables -A INPUT -p tcp --dport 21 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    /sbin/ip6tables -A INPUT -p tcp --dport 22 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 587 -j ACCEPT
    /sbin/ip6tables -A INPUT -p tcp --dport 587 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT
    /sbin/ip6tables -A INPUT -p tcp --dport 25 -j ACCEPT
    /sbin/ip6tables -A INPUT -p tcp --dport 465 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT
    /sbin/ip6tables -A INPUT -p tcp --dport 110 -j ACCEPT
    /sbin/ip6tables -A INPUT -p tcp --dport 995 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT
    /sbin/ip6tables -A INPUT -p tcp --dport 143 -j ACCEPT
    /sbin/ip6tables -A INPUT -p tcp --dport 993 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 106 -j ACCEPT
    /sbin/ip6tables -A INPUT -p tcp --dport 106 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 3306 -j DROP
    /sbin/ip6tables -A INPUT -p tcp --dport 3306 -j DROP

    /sbin/iptables -A INPUT -p tcp --dport 5432 -j DROP
    /sbin/ip6tables -A INPUT -p tcp --dport 5432 -j DROP

    /sbin/iptables -A INPUT -p tcp --dport 9008 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 9080 -j DROP
    /sbin/ip6tables -A INPUT -p tcp --dport 9008 -j DROP
    /sbin/ip6tables -A INPUT -p tcp --dport 9080 -j DROP

    /sbin/iptables -A INPUT -p udp --dport 137 -j DROP
    /sbin/iptables -A INPUT -p udp --dport 138 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 139 -j DROP
    /sbin/iptables -A INPUT -p tcp --dport 445 -j DROP
    /sbin/ip6tables -A INPUT -p udp --dport 137 -j DROP
    /sbin/ip6tables -A INPUT -p udp --dport 138 -j DROP
    /sbin/ip6tables -A INPUT -p tcp --dport 139 -j DROP
    /sbin/ip6tables -A INPUT -p tcp --dport 445 -j DROP

    /sbin/iptables -A INPUT -p udp --dport 1194 -j DROP
    /sbin/ip6tables -A INPUT -p udp --dport 1194 -j DROP

    /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT
    /sbin/ip6tables -A INPUT -p udp --dport 53 -j ACCEPT
    /sbin/ip6tables -A INPUT -p tcp --dport 53 -j ACCEPT

    /sbin/iptables -A INPUT -p udp -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -j ACCEPT
    /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 134/0 -j ACCEPT
    /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 135/0 -j ACCEPT
    /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 136/0 -j ACCEPT
    /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 137/0 -j ACCEPT

    /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j ACCEPT
    /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 128/0 -j ACCEPT
    /sbin/ip6tables -A INPUT -p icmpv6 --icmpv6-type 129/0 -j ACCEPT

    /sbin/iptables -A INPUT -j DROP
    /sbin/ip6tables -A INPUT -j DROP

    /sbin/iptables -A OUTPUT -j DROP
    /sbin/ip6tables -A OUTPUT -j DROP

    /sbin/iptables -A FORWARD -j DROP
    /sbin/ip6tables -A FORWARD -j DROP

    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /opt/psa/var/modules/firewall/ip_forward.active
    chmod 644 /opt/psa/var/modules/firewall/ip_forward.active
    #
    # End of script
    #

    DB:4.20:Plesk Automated Iptables Configuration Security Issue?! jc




    Thanks abdi, but that is no excuse for the wrong iptables configuration in Plesk ;-)
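
    Both Plesk-generated scripts on this page (Randal's in the "Auth And 127.0.1.51" thread and the "block all" one above) have the same shape: a DROP policy, a long run of per-port rules, and then a catch-all at the end of INPUT. In Randal's script that catch-all is `-A INPUT -j ACCEPT`; in the "block all" script it is `-A INPUT -p udp -j ACCEPT` followed by `-A INPUT -p tcp -j ACCEPT`. Either way every TCP and UDP port that was not explicitly dropped is open, and the final `-A INPUT -j DROP` only ever sees other protocols, which is the "useless" behaviour the poster noticed. Randal's LogWatch entry is also consistent with his script: 127.0.1.51 is a loopback address, and `-A INPUT -i lo -j ACCEPT` sits above the port 113 DROP, so local ident connections never reach that rule. The audit script below is an added example written for this page, not Plesk code and not from either post: it reads such a generated script and reports protocol-wide ACCEPTs in INPUT, and ACCEPTs on administrative ports that carry no `-s` source restriction (the complaint that also applies to the world-open portmap/NFS rules in the NFS thread above). The ADMIN_PORTS list is an assumption of this example; the sample rules in its self-test are constructed from lines of the two scripts.

```sh
#!/bin/sh
# Added example (not Plesk code, not from the posts): lint a generated firewall
# script for two allow-by-default mistakes visible in the Plesk scripts above.
#   1. a catch-all ACCEPT in INPUT (bare "-j ACCEPT", or "-p tcp"/"-p udp" with
#      no port) appended before the trailing "-j DROP", which leaves that DROP
#      and the DROP policy with nothing to match for tcp/udp;
#   2. an ACCEPT on an administrative port with no "-s" source restriction.
# ADMIN_PORTS is an assumption of this example, taken from ports the Plesk
# scripts and the NFS thread open: FTP, SSH, poppassd, MySQL, PostgreSQL, the
# Plesk panel ports, the custom SSH port 10023, portmap and NFS.
ADMIN_PORTS="21 22 106 3306 5432 8443 8447 8880 10023 111 2049"

# input_rules FILE: the IPv4 filter-table INPUT appends in FILE (ip6tables and
# "-t nat"/"-t mangle" lines are outside this audit).
input_rules() {
    grep -E '^[[:space:]]*(/sbin/)?iptables -A INPUT ' "$1" | grep -v -- ' -t '
}

# catchall_accepts FILE: INPUT ACCEPTs with no port, no source, no interface
# and no connection-state match, i.e. rules admitting every packet of a protocol.
catchall_accepts() {
    input_rules "$1" | grep -- '-j ACCEPT' |
        grep -Ev -- '--dport|--sport| -s | -i |--state|--ctstate|--icmp-type|--icmpv6-type'
}

# unrestricted_admin_ports FILE: each admin port accepted without "-s".
unrestricted_admin_ports() {
    input_rules "$1" | grep -- '-j ACCEPT' | grep -v -- ' -s ' |
    while read -r line; do
        port=$(printf '%s\n' "$line" | sed -n 's/.*--dport \([0-9:]*\).*/\1/p')
        for p in $ADMIN_PORTS; do
            if [ "$p" = "$port" ]; then echo "$port"; fi
        done
    done
}

# audit_rules FILE: print the findings; exit status 0 only when there are none.
audit_rules() {
    rc=0
    ca=$(catchall_accepts "$1")
    if [ -n "$ca" ]; then
        echo "catch-all ACCEPT(s); the trailing DROP is unreachable for tcp/udp:"
        echo "$ca"
        rc=1
    fi
    ua=$(unrestricted_admin_ports "$1")
    if [ -n "$ua" ]; then
        echo "administrative ports accepted from any source (add -s <admin-net>):"
        echo "$ua"
        rc=1
    fi
    return $rc
}
```

    Run `audit_rules /path/to/generated-script` before loading a panel-generated ruleset. The fix for finding 1 is to delete the protocol-wide ACCEPTs so the DROP policy applies and only the listed ports are open; for finding 2, add `-s` with the administrative network to the SSH, panel and database rules, as Randal's script already does for 8443 and 22.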

  • RELEVANCY SCORE 4.20

    DB:4.20:Ufw Firewall Script ma



    Hi, to use UFW do I need to enable the iptables daemon?

    DB:4.20:Ufw Firewall Script ma

    jerik wrote:
    ufw (uncomplicated firewall) is a simple frontend for iptables and is available in the community repository.

    I did as the wiki said, I punched in
    sudo ufw allow ssh/tcp
    sudo ufw logging on
    sudo ufw enable

  • RELEVANCY SCORE 4.19

    DB:4.19:Iptables Howto p7



    I find this to be a great howto for iptables:
    Enjoy securing yourself
    http://www.nuxified.org/roll_your_own_firewall

    Cheikh

    DB:4.19:Iptables Howto p7


    I think this one is better: http://wiki.archlinux.org/index.php/Sim … wall_HOWTO

    But maybe that is because I wrote it.

  • RELEVANCY SCORE 4.19

    DB:4.19:In Iptables, How To Identify The Traffic From Squid? 8j



    In Iptables, how to identify the data to ppp0 are from a specific app (eg. squid) which is also installed on the same machine?

    DB:4.19:In Iptables, How To Identify The Traffic From Squid? 8j

    brebs wrote:
    An easy way is to have iptables match on gid.

    Otherwise, check out connmark.

  • RELEVANCY SCORE 4.15

    DB:4.15:Sharing Connection - Last Step Problem / Dns Server? [Solved] jj



    Hi, I followed the guide:https://wiki.archlinux.org/index.php/Internet_Share

    And I did exactly the next steps:

    [Server machine]
    wlan0 receives the internet connection
    eth0 will distribute the shared internet connection
    ip link set up dev eth0
    ip addr add 10.0.0.100/24 dev eth0
    sysctl net.ipv4.ip_forward=1
    sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
    sudo iptables-save | sudo tee /etc/iptables/iptables.rules
    sudo systemctl restart iptables
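
    Every NAT recipe on this page (the Raspberry Pi thread, the ad-hoc access point script, the EdgeRouter question and the Internet_Share steps just above) adds a MASQUERADE rule and, at most, a pair of FORWARD accepts. iptables' built-in FORWARD policy is ACCEPT, so with only the MASQUERADE line the box routes in both directions and anything that can reach the WAN interface can be forwarded into the LAN. The ruleset generator below is an added example written for this page, not from the posts or the Arch wiki: it emits a complete ruleset in the format `iptables-save` writes and `iptables-restore` reads, with FORWARD dropping by default, the LAN allowed to open connections outward, and the WAN side admitted only for replies. The interface names eth0/eth2 are borrowed from the EdgeRouter post, the 192.168.1.0/24 network is constructed for the example, the DHCP rule assumes the gateway serves the LAN with dnsmasq as in the ad-hoc script, and `-m conntrack` assumes the nf_conntrack module is loaded. The rollback helper addresses the other recurring problem on this page, locking yourself out of SSH while testing a ruleset.

```sh
#!/bin/sh
# Added example (not from the posts or the Arch wiki): a complete ruleset for a
# NAT gateway in iptables-restore format. The posts above add only MASQUERADE,
# and iptables' built-in FORWARD policy is ACCEPT, so that alone forwards in
# both directions. Here FORWARD drops by default, the LAN may open connections
# outward, and the WAN side gets in only with replies to those connections.

# gateway_rules WAN LAN LAN_NET: print the ruleset, e.g.
#   gateway_rules eth0 eth2 192.168.1.0/24
# The DHCP rule is separate because a DHCPDISCOVER arrives from 0.0.0.0, which
# the "-s $lan_net" rule would not admit. The nat table's INPUT chain is left
# out on purpose: older kernels do not have it and iptables-restore would fail.
gateway_rules() {
    wan=$1; lan=$2; lan_net=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s $lan_net -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
-A INPUT -i $lan -s $lan_net -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $lan -o $wan -s $lan_net -j ACCEPT
-A FORWARD -i $wan -o $lan -j DROP
COMMIT
EOF
}

# apply_with_rollback FILE SECONDS: real run, root required. Saves the live
# rules, loads FILE, and restores the saved rules after SECONDS unless the
# marker file is removed first, so a ruleset that cuts off the SSH session you
# loaded it from (the NFS thread above) undoes itself instead of locking you out.
apply_with_rollback() {
    backup=$(mktemp) && iptables-save > "$backup"
    marker=$(mktemp)
    (sleep "$2"; [ -e "$marker" ] && iptables-restore < "$backup") &
    iptables-restore < "$1" && echo "loaded; rm $marker within $2 s to keep these rules"
}

# apply_gateway WAN LAN LAN_NET: real run, root required. Enables forwarding
# and loads the generated ruleset with a 60-second rollback window.
apply_gateway() {
    rules=$(mktemp)
    gateway_rules "$1" "$2" "$3" > "$rules"
    sysctl -w net.ipv4.ip_forward=1 >/dev/null
    apply_with_rollback "$rules" 60
}
```

    Once the rules are confirmed (marker removed, session still alive), persist them the way the Arch wiki thread above describes, with `iptables-save > /etc/iptables/iptables.rules`, and set `net.ipv4.ip_forward=1` in sysctl configuration so it survives a reboot.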

  • RELEVANCY SCORE 4.15

    DB:4.15:Need Help Configuring Linux Iptables For 11.2.0.2 Rac jp


    How do we configure Linux Red Hat 5 IPtables for the subinterfaces that use the 11.2.0.2 RAC SCAN and VIP IPs? Any help would be appreciated

    DB:4.15:Need Help Configuring Linux Iptables For 11.2.0.2 Rac jp

    We understand how to use IPtables generally, but in Oracle 11.2.0.2 RAC appears to use semi-random sub-interfaces ranging from eth0:1 to eth0:5. Is that the entire range, or are there other sub-interface names that Oracle might possibly use (i.e. would it ever use a sub-interface as high as eth0:99)?

    Is there some place that that range (if it is a range) can be assigned, or where the sub-interface names Oracle should use can be specified?

  • RELEVANCY SCORE 4.15

    DB:4.15:Iptables? zc



    Hi,

    Host: RHEAS3U6 VM: W2K3

    vmnet0 -- bridge eth0

    vmnet2 -- bridge eth1

    When I configure iptables, it doesn't work on the virtual interfaces. iptables works on eth0 and eth1.

    How do I protect my VM with the iptables built into the Linux host?

    Thanks.

    DB:4.15:Iptables? zc


    yes....

    NAT can be useful for me...

    Thanks.

  • RELEVANCY SCORE 4.15

    DB:4.15:Opening Ports In Iptables xf



    I set up iptables firewall according to wiki here: https://wiki.archlinux.org/index.php/Si … PEN_chains

    However, I am not sure if I restoring the final rule like that
    # iptables -D INPUT -j REJECT --reject-with icmp-proto-unreachable
    # iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable

    DB:4.15:Opening Ports In Iptables xf


    You only need to restore the final rule if you are using one of the port scanning tricks from the wiki. If you follow the directions in the wiki for the port scanning tricks (they are optional), the final rule will no longer be final; the two-line section of code you quoted just puts it back in its proper position as the last rule in your INPUT chain. It really has nothing to do with opening ports in your TCP and UDP chains.

    --reject-with icmp-proto-unreachable is supposed to be the proper response for this rule. A lot of people have opinions that dropping is better, and they are not hard to find on the internet. I use the proper response in my firewalls; I'll let you decide which you want in yours.
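    An added example, not from the wiki or the answer, of the check behind the answer: it reads the dump printed by `iptables -S INPUT`, works out whether the catch-all REJECT is still the last rule, and emits the delete/append pair only when it is not, so it can run on every reload without touching a chain that is already correct. The dump below is constructed; its last line mirrors the port-scan rule the wiki appends after the catch-all.

```sh
#!/bin/sh
# Added example, not from the wiki or the thread. Decides from `iptables -S INPUT`
# output whether the catch-all REJECT is still last and prints the commands to
# move it if not. The dump below is constructed for the demonstration.

TERMINAL='-A INPUT -j REJECT --reject-with icmp-proto-unreachable'

# Reads an `iptables -S INPUT` dump on stdin; prints "pos total" where pos is the
# 1-based position of the terminal rule among the -A lines (0 if absent).
terminal_position() {
    awk -v t="$TERMINAL" '
        /^-A / { n++; if ($0 == t) pos = n }
        END { printf "%d %d\n", pos, n }'
}

# Prints the iptables commands that make the terminal rule last; prints nothing
# when it already is. Delete before append so the rule is never duplicated.
fix_commands() {
    set -- $(terminal_position)
    pos=$1; total=$2
    if [ "$pos" -eq 0 ] || [ "$pos" -ne "$total" ]; then
        [ "$pos" -ne 0 ] && echo "iptables -D ${TERMINAL#-A }"
        echo "iptables -A ${TERMINAL#-A }"
    fi
}

# Opening a port is independent of all this: it goes in the TCP/UDP chain, not INPUT
open_tcp_port() {
    echo "iptables -A TCP -p tcp --dport $1 -j ACCEPT"
}

# Constructed dump: the wiki's optional port-scan rule was appended after the catch-all
SAMPLE='-P INPUT DROP
-N TCP
-N UDP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst'

# On a live box: iptables -S INPUT | fix_commands | sh
printf '%s\n' "$SAMPLE" | fix_commands
```

    For the constructed dump this prints the delete and the append; on a chain where the REJECT is already last it prints nothing.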

  • RELEVANCY SCORE 4.15

    DB:4.15:Iptables xs


    Hi, does anyone know where the iptables tables are stored? I would like to add a few lines so that they are loaded when the router starts up. Regards, Unix

  • RELEVANCY SCORE 4.15

    DB:4.15:Iptables Command Translated Cisco Asa 5540 Ver 9.0(1) sa



    I would like to have these commands on our firewall to prevent at least some students from using this service. Can someone help me translate this? It apparently works great if I use a Linux box or another firewall compatible with iptables.

    Thanks in advance.

    Hermano

    iptables -I INPUT -s hotspotshield.com -j REJECT

    iptables -I INPUT -s hotspotshield.net -j REJECT

    iptables -I INPUT -s anchorfree.com -j REJECT

    iptables -I INPUT -s anchorfree.net -j REJECT

    iptables -I INPUT -s openvpn.net -j REJECT

    iptables -I OUTPUT -d hotspotshield.com -j REJECT

    iptables -I OUTPUT -d hotspotshield.net -j REJECT

    iptables -I OUTPUT -d anchorfree.com -j REJECT

    iptables -I OUTPUT -d anchorfree.net -j REJECT

    iptables -I OUTPUT -d openvpn.net -j REJECT

    DB:4.15:Iptables Command Translated Cisco Asa 5540 Ver 9.0(1) sa


    Check the following link, it should help you out.

    http://www.packetpros.com/2012/08/url-filter-on-asa.html

  • RELEVANCY SCORE 4.15

    DB:4.15:Iptables V1.4.19.1: Cant Initialize Iptables Table `Filter xk



    I've installed monitorix and in the log file I found this error, which I do not think is related to monitorix but to the kernel:
    iptables v1.4.19.1: can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded.

  • RELEVANCY SCORE 4.15

    DB:4.15:Host Only Network Problems When Using Iptables Firewall dp



    I've created a firewall using a script posted under http://ubuntuforums.org/showthread.php?t=159661

    #!/bin/bash

    # No spoofing
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
    then
    for filtre in /proc/sys/net/ipv4/conf/*/rp_filter
    do
    echo 1 > $filtre
    done
    fi

    # No icmp
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

    # load some modules you may need
    modprobe ip_tables
    modprobe ip_nat_ftp
    modprobe ip_nat_irc
    modprobe iptable_filter
    modprobe iptable_nat

    # Remove all rules and chains
    iptables -F
    iptables -X

    # first set the default behaviour = accept connections
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT

    # Create 2 chains, it allows to write a clean script
    iptables -N FIREWALL
    iptables -N TRUSTED

    # Allow ESTABLISHED and RELATED incoming connection
    iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FIREWALL -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Allow loopback traffic
    iptables -A FIREWALL -i lo -j ACCEPT

    # Send all packets to the TRUSTED chain
    iptables -A FIREWALL -j TRUSTED

    # DROP all other packets
    iptables -A FIREWALL -j DROP

    # Send all INPUT packets to the FIREWALL chain
    iptables -A INPUT -j FIREWALL

    # DROP all forward packets, we don't share internet connection in this example
    iptables -A FORWARD -j DROP

    # Allow NETBIOS for samba (only eth0)
    iptables -A TRUSTED -i eth0 -p udp -m udp --dport 137 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p udp -m udp --dport 138 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 139 -j ACCEPT

    # Allow https
    # Note: these match any inbound packet whose *source* port is 443, which a remote host
    # chooses freely; replies to outbound https are already admitted by the ESTABLISHED,RELATED
    # rules above, so these four rules only widen what gets in.
    iptables -A TRUSTED -i eth0 -p udp -m udp --sport 443 -j ACCEPT
    iptables -A TRUSTED -i eth0 -p tcp -m tcp --sport 443 -j ACCEPT
    iptables -A TRUSTED -i eth1 -p udp -m udp --sport 443 -j ACCEPT
    iptables -A TRUSTED -i eth1 -p tcp -m tcp --sport 443 -j ACCEPT

    # End message
    echo " [End iptables rules setting]"

    All works fine between the host and the Windows guests, but I can't access other machines via the NETBIOS protocols.

    What do I have to add to the script (e.g. a virtual device) to make it work? If the firewall is disabled everything is OK.

    DB:4.15:Host Only Network Problems When Using Iptables Firewall dp


    Until now I had only had experience with bridged networks (servers with static IP addresses). For my kind of virtualisation NAT is the best solution.

    Thanks a lot for that clue.

  • RELEVANCY SCORE 4.15

    DB:4.15:{Solved} Iptables No Chain/Target/Match By That Name. az



    I have two laptops (exactly the same kernel and everything) and this command:
    iptables -A INPUT -p tcp -m tcp --dport 15678 -j ACCEPT

  • RELEVANCY SCORE 4.15

    DB:4.15:Ios Acl Vs Iptables ks



    Hi

    I am doing some research on Cisco IOS ACLs and Linux iptables. I came across lots of interesting IOS ACL features which I was not familiar with earlier, as well as iptables features.

    I am looking for some differences and experiences about using ACLs and iptables for accomplishing the same tasks.

    Regards

    fani

  • RELEVANCY SCORE 4.15

    DB:4.15:Iptables Problem With Input Connections ja



    I've got 4 computers and 1 server. I need to allow 2 computers to connect to the server, but on specific ports only. The rest of the computers should be able to connect on any port. My firewall on the server:
    iptables -F
    iptables -X

    iptables -P INPUT ACCEPT

    iptables -A INPUT -i eth0 -p tcp -s 192.168.0.50 --dport 3128 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp -s 192.168.0.50 --dport 22 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp -s 192.168.0.50 --dport 80 -j ACCEPT

    iptables -A INPUT -i eth0 -p tcp -s 192.168.0.60 --dport 3128 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp -s 192.168.0.60 --dport 22 -j ACCEPT
    iptables -A INPUT -i eth0 -p tcp -s 192.168.0.60 --dport 80 -j ACCEPT

    iptables -A INPUT -s 192.168.0.50 -j DROP
    iptables -A FORWARD -s 192.168.0.50 -j DROP

    iptables -A INPUT -s 192.168.0.60 -j DROP
    iptables -A FORWARD -s 192.168.0.60 -j DROP

    DB:4.15:Iptables Problem With Input Connections ja


    When I change order of ip then 60 works and 50 not...

  • RELEVANCY SCORE 4.13

    DB:4.13:Changing Iptables Locks Server d9





    OS: Redhat 9
    Linux 2.4.20-021

    /etc/sysconfig/iptables is present

    When I run the following script to change my firewall settings (which are non-existent now), it echoes that IP forwarding has been disabled, then the script hangs and the server locks and has to be rebooted.

    lsmod is not on my system so I cannot check what modules have been loaded

    The script I run is:
    #!/bin/sh
    #
    #

    set -e

    if [ -r /proc/sys/net/ipv4/ip_forward ]; then
    echo Disabling IP forwarding
    echo 0 > /proc/sys/net/ipv4/ip_forward
    fi

    /sbin/iptables -F

    /sbin/iptables -X

    /sbin/iptables -Z

    /sbin/iptables -P INPUT DROP

    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    /sbin/iptables -A INPUT -m state --state INVALID -j DROP

    /sbin/iptables -P OUTPUT DROP

    /sbin/iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    /sbin/iptables -A OUTPUT -m state --state INVALID -j DROP

    /sbin/iptables -P FORWARD DROP

    /sbin/iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    /sbin/iptables -A FORWARD -m state --state INVALID -j DROP

    /sbin/iptables -A INPUT -i lo -j ACCEPT

    /sbin/iptables -A OUTPUT -o lo -j ACCEPT

    /sbin/iptables -A FORWARD -i lo -o lo -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 8443 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 8880 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 80 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 443 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 21 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 25 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 465 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 110 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 995 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 143 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 993 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 106 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 3306 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 5432 -j ACCEPT

    /sbin/iptables -A INPUT -p tcp --dport 9008 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 9080 -j ACCEPT

    /sbin/iptables -A INPUT -p udp --dport 137 -j ACCEPT
    /sbin/iptables -A INPUT -p udp --dport 138 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 139 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 445 -j ACCEPT

    /sbin/iptables -A INPUT -p udp --dport 1194 -j ACCEPT

    /sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
    /sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT

    /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -s 12.214.251.53 -j ACCEPT
    /sbin/iptables -A INPUT -p icmp --icmp-type 8/0 -j DROP

    /sbin/iptables -A INPUT -j ACCEPT

    /sbin/iptables -A OUTPUT -j ACCEPT

    /sbin/iptables -A FORWARD -j DROP

    # End of script
    #

    Any help would be appreciated

    Jack

  • RELEVANCY SCORE 4.13

    DB:4.13:[Solved] Blocking Internet Traffic If Openvpn Disconnects - Elegantly k8



    I have followed the wiki instructions to set up the simple stateful firewall, and it seems to be working fine. But now I want to expand it so that if my OpenVPN connection fails, all internet traffic is blocked. I've researched this and it seems that there are a number of ways to achieve this, but I want to do it in a way that fits with the Arch wiki firewall and does it in an effective and elegant way.

    So, Ive got two questions and would be grateful for some expert advice.

    1) Have I inserted my additional rule in the right place? (To block traffic if the vpn connection fails)

    2) In the way that I have done this, I need to supply the VPN server's IP address. So, if I switch VPN servers, then I have to change the IP address and update the iptables rules. I've got a script that does this quickly, but it's still a bit awkward. Is there another way of doing this, again one that fits with the Arch wiki firewall, that either doesn't need the VPN server's IP address or allows me to specify multiple VPN servers?

    Here's what I have so far. (In my script, "ip of vpn server" is the actual IP address.)
    #!/bin/bash
    iptables-restore < /etc/iptables/empty.rules
    iptables -N TCP
    iptables -N UDP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    # I added the next rule to block traffic should the VPN connection fail
    iptables -A OUTPUT -o wlp3s0 ! -d ip of vpn server -j DROP

    iptables -P INPUT DROP
    iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 30/min --limit-burst 8 -j ACCEPT
    iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
    iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    iptables -A INPUT -p udp -m conntrack --ctstate NEW -j UDP
    iptables -A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
    iptables -I TCP -p tcp -m recent --update --seconds 60 --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
    iptables -A INPUT -p tcp -m recent --set --name TCP-PORTSCAN -j REJECT --reject-with tcp-rst
    iptables -I UDP -p udp -m recent --update --seconds 60 --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
    iptables -A INPUT -p udp -m recent --set --name UDP-PORTSCAN -j REJECT --reject-with icmp-port-unreachable
    iptables -A INPUT -j REJECT --reject-with icmp-proto-unreachable
    iptables=/etc/iptables/iptables.rules
    iptables-save > /etc/iptables/iptables.rules
    systemctl start iptables.service && systemctl status iptables.service

    DB:4.13:[Solved] Blocking Internet Traffic If Openvpn Disconnects - Elegantly k8


    Personally, I would just replace that line with:
    iptables -F
    iptables -X
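    An added example for question 2 above, not from the thread or the Arch wiki: the OUTPUT side of a kill switch whose permitted endpoints live in an ipset, so changing or adding a VPN server is an `ipset add`, not a rule edit, and the one OUTPUT rule from the post becomes a short block that can be appended to the wiki firewall script. Interface wlp3s0 is taken from the post; tun0, UDP/1194, the set name vpn_servers and the 203.0.113.x addresses are assumptions (constructed). The rules are IPv4 only; ip6tables needs the same treatment or IPv6 traffic leaks around the switch.

```sh
#!/bin/sh
# Added example, not from the thread or the Arch wiki. Prints the OUTPUT-side rules
# for a VPN kill switch in which the permitted endpoints live in an ipset. Interface
# wlp3s0 is from the post; tun0, UDP/1194, the set name and the 203.0.113.x
# addresses are assumptions (constructed). IPv4 only; ip6tables needs the equivalent.

killswitch_rules() {
    phys=$1; tun=$2; port=$3; shift 3
    # Endpoint set: one lookup instead of one rule per server; -exist keeps it idempotent
    echo "ipset create vpn_servers hash:ip -exist"
    for srv in "$@"; do
        echo "ipset add vpn_servers $srv -exist"
    done
    cat <<EOF
iptables -P OUTPUT DROP
iptables -A OUTPUT -o lo -j ACCEPT
# Anything may leave through the tunnel
iptables -A OUTPUT -o $tun -j ACCEPT
# On the physical link only the VPN transport, and only to a listed endpoint...
iptables -A OUTPUT -o $phys -p udp --dport $port -m set --match-set vpn_servers dst -j ACCEPT
# ...and DHCP renewals so the uplink itself survives (assumes IPv4 DHCP on $phys)
iptables -A OUTPUT -o $phys -p udp --sport 68 --dport 67 -j ACCEPT
# Deliberately no blanket ESTABLISHED rule on $phys: when the tunnel drops, flows that
# lived inside it must not be re-routed out of $phys on the strength of their conntrack
# entry. Replies to inbound connections on $phys are refused too, which is the point.
# Alternative that needs no addresses at all: run openvpn as its own user and accept
# "-o $phys -m owner --uid-owner <that user>"; it holds only while the process keeps that uid.
iptables -A OUTPUT -o $phys -j REJECT --reject-with icmp-admin-prohibited
EOF
}

# Usage on the laptop (root): killswitch_rules wlp3s0 tun0 1194 203.0.113.10 203.0.113.11 | sh
killswitch_rules wlp3s0 tun0 1194 203.0.113.10 203.0.113.11
```

    The INPUT side of the wiki firewall is unchanged: the VPN's UDP replies arrive through its RELATED,ESTABLISHED rule.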

  • RELEVANCY SCORE 4.13

    DB:4.13:Iptables + Tor + I2p, Based On Tails j3



    I stumbled upon these iptables rules, which come from the Tails design specification. I'm trying to adapt them to work with Arch, sadly without any luck. I did some cosmetic changes resulting in:
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP

    # Established incoming connections are accepted.
    iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Traffic on the loopback interface is accepted.
    iptables -A INPUT -i lo -j ACCEPT

    # Established outgoing connections are accepted.
    iptables -A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

    # Internal network connections are accepted.
    iptables -A OUTPUT -d 127.0.0.0/255.0.0.0 -j ACCEPT

    # Local network connections should not go through Tor but DNS shall be rejected.
    iptables -N lan
    iptables -A lan -p TCP --dport domain -j REJECT
    iptables -A lan -p UDP --dport domain -j REJECT
    iptables -A lan -j ACCEPT

    # Sort out traffic to local network
    # Note that we exclude the VirtualAddrNetwork used for .onions here.
    iptables -A OUTPUT -d 192.168.0.0/255.255.0.0 -j lan
    iptables -A OUTPUT -d 10.0.0.0/255.0.0.0 -j lan
    iptables -A OUTPUT -d 172.16.0.0/255.240.0.0 -j lan

    # Tor is allowed to do anything it wants to.
    iptables -A OUTPUT -m owner --uid-owner tor -j ACCEPT

    # i2p is allowed to do anything it wants to.
    iptables -A OUTPUT -m owner --uid-owner i2p -j ACCEPT

    # Everything else is dropped.
    iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

    # These chains exist in the nat table, not in filter
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t nat -P OUTPUT ACCEPT

    # .onion mapped addresses redirection to Tor.
    iptables -A OUTPUT -d 127.192.0.0/255.192.0.0 -p tcp -m tcp -j REDIRECT --to-ports 9050

    DB:4.13:Iptables + Tor + I2p, Based On Tails j3


    OK, I did figure out that I need to modify the last rule like so:
    iptables -t nat -A OUTPUT -d 127.192.0.0/255.192.0.0 -p tcp -m tcp -j REDIRECT --to-ports 9050
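    An added example, not from the thread or the Tails specification: a lint that catches the mistake the answer identifies before anything is loaded. Without `-t nat`, iptables addresses the filter table, which has neither the REDIRECT/MASQUERADE/SNAT/DNAT targets nor the PREROUTING and POSTROUTING chains, and fails at load time with "No chain/target/match by that name". The sample script is constructed from the post's last stanzas.

```sh
#!/bin/sh
# Added example, not from the thread or Tails. Reads a script of iptables commands
# on stdin and reports the ones that use a nat-only target or chain without -t nat.
# The sample script below is constructed for the demonstration.

# Prints "line: problem" per offending command; prints nothing when clean.
lint_nat_targets() {
    awk '
        /^[ \t]*iptables / {
            has_nat = ($0 ~ /-t[ \t]+nat/)
            # Targets that only exist in the nat table
            if (!has_nat && match($0, /-j[ \t]+(REDIRECT|MASQUERADE|SNAT|DNAT)/)) {
                tgt = substr($0, RSTART, RLENGTH)
                sub(/-j[ \t]+/, "", tgt)
                printf "%d: -j %s needs -t nat\n", NR, tgt
            }
            # Chains that the filter table does not have (they exist in nat, mangle and raw)
            if (!has_nat && $0 ~ /-[APIDF][ \t]+(PREROUTING|POSTROUTING)/)
                printf "%d: PREROUTING/POSTROUTING is not a filter chain; needs -t nat (or mangle/raw)\n", NR
        }'
}

# Constructed sample: the post's OUTPUT stanza, then the nat part once without and once with -t nat
SAMPLE='iptables -P OUTPUT DROP
iptables -A OUTPUT -m owner --uid-owner tor -j ACCEPT
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
iptables -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -A OUTPUT -d 127.192.0.0/255.192.0.0 -p tcp -m tcp -j REDIRECT --to-ports 9050
iptables -t nat -A OUTPUT -d 127.192.0.0/255.192.0.0 -p tcp -m tcp -j REDIRECT --to-ports 9050'

# On a real script: lint_nat_targets < /etc/iptables/tor.sh
printf '%s\n' "$SAMPLE" | lint_nat_targets
```

    For the constructed sample it flags line 4 (the PREROUTING policy) and line 6 (REDIRECT without `-t nat`); the two `-t nat` lines pass.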

  • RELEVANCY SCORE 4.13

    DB:4.13:Apf Is Not Working 17





    APF is not working on this vps:

    [root@host ~]# apf -r
    eth0: error fetching interface information: Device not found
    eth0: error fetching interface information: Device not found
    eth0: error fetching interface information: Device not found
    eth0: error fetching interface information: Device not found
    eth0: error fetching interface information: Device not found
    could not verify that interface eth0 is routed to a network, aborting.

    Via Node I already ran this:

    [root@server001 root]# vzctl set 10003 --iptables ipt_REJECT --iptables ipt_tos --iptables ipt_TOS --iptables ipt_LOG --iptables ip_conntrack --iptables ipt_limit --iptables ipt_multiport --iptables iptable_filter --iptables iptable_mangle --iptables ipt_TCPMSS --iptables ipt_tcpmss --iptables ipt_ttl --iptables ipt_length --iptables ipt_state --iptables iptable_nat --iptables ip_nat_ftp --save

    I did restart iptables just fine.

    Any help appreciated

    APF conf is correct also:

    SET_VNET=0
    SET_MONOKERN=1

    DB:4.13:Apf Is Not Working 17




    A VE doesn't have an ethX device in the common case;
    you have to use venet0.

  • RELEVANCY SCORE 4.13

    DB:4.13:Iptables mp



    Hi, how can I enable iptables to run at boot and use the config I gave it, please?

    DB:4.13:Iptables mp


    Yep, thanks guys, I am an idiot :) There is a good wiki on this.

  • RELEVANCY SCORE 4.13

    DB:4.13:Iptables Command 1m



    I installed iptables with pacman but...
    # which iptables
    which: no iptables in (/usr/bin:/bin:/usr/bin/X11:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/root/bin)

    DB:4.13:Iptables Command 1m


    1) Your PATH variable must have been wrong. iptables is located in /sbin, which isn't normally in a normal user's PATH, only root's. (This is because iptables can only be run as root.)
    2) Make sure iptables is before network in your rc.conf, but depending on your firewall rules, that may or may not work. Some rules may require the network to be started before they can start. It's seriously not a major issue to start iptables after network.

  • RELEVANCY SCORE 4.13

    DB:4.13:Iptables / Firewall 93



    Hi! A few weeks ago somebody tried to exploit my machine and I decided to use a firewall ( http://bbs.archlinux.org/viewtopic.php?id=59550 ). iptables syntax is quite hard (for me) so I used Firewall Builder to compile some rules. I started them, saved them with /etc/rc.d/iptables save and finally added iptables to my rc.conf.
    iptables -L

    DB:4.13:Iptables / Firewall 93


    The arno-iptables-firewall in the AUR provides nice defaults and high configurability.