about iptables

about iptables

Postby junaidaslam » Tue, 30 Aug 2005 16:55:58 GMT

hi!!

My problem is I want to have one real IP. I want to redirect all my
traffic coming in on port 22 to 192.168.1.202 and traffic for port 21 to
192.168.1.203, where both machines are within the LAN, and on the server I am
using squid.

Please help and, if possible, provide the iptables rule for this purpose.
Right now I am using the following but it is not working:

iptables -t nat -A PREROUTING -i eth1 -p udp --dport 21 -j DNAT \
    --to-destination 192.168.1.203

Please help!

Junaid


Re: about iptables

Postby Davide Bianchi » Tue, 30 Aug 2005 17:12:43 GMT

Nice. Read the documentation related to PORT-REDIRECTION or NAT.


Why UDP?

Davide

-- 
Q: How many Microsoft support staff does it take to change a light bulb?
A: Four. One to ask "What is the registration number of the light bulb?", one
   to ask "Have you tried rebooting it?", another to ask "Have you tried
   reinstalling it?" and the last one to say "It must be your hardware because
   the light bulb in our office works fine..."

Re: about iptables

Postby junaidaslam » Tue, 30 Aug 2005 18:18:27 GMT

Well, can you give me the exact string?

Sorry, will change it.

Nice joke!


Re: about iptables

Postby lasseboo » Wed, 31 Aug 2005 06:35:52 GMT

Hi Junaid,

your rule is OK. What about the way back...? And have you allowed
the way _in_ at all...?

# example: redirect a mailserver smtp

$iptables -t nat -A PREROUTING -i $ext -p tcp -d 1.7.5.17 --dport 25 -j \
    DNAT --to-destination 172.16.0.8
$iptables -t nat -A PREROUTING -i $ext -p tcp -d 1.7.5.16 --dport 25 -j \
    DNAT --to-destination 172.16.0.8
$iptables -A FORWARD -i $ext -o $int -p tcp -d 172.16.0.8 --dport 25 -m \
    state --state NEW -j ACCEPT

greetings


lasseboo
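
The following is an added example, not Junaid's rule or lasseboo's script. It puts the pieces of this exchange together for Junaid's case: one DNAT rule per forwarded port (TCP, as Davide's "Why UDP?" implies), the FORWARD rule that lets the rewritten packet in, and the ESTABLISHED,RELATED rule for the way back. It assumes eth1 faces the internet (taken from Junaid's "-i eth1") and eth0 faces the LAN; both are variables. IPT defaults to a dry-run printer so the rules can be read and checked without root; run it with IPT=iptables as root to apply them.

```shell
#!/bin/sh
# Added example, not Junaid's or lasseboo's script. Port forwarding for one
# public IP: 22 -> 192.168.1.202 and 21 -> 192.168.1.203, with the FORWARD and
# connection-tracking rules lasseboo asks about, and TCP rather than UDP.
# Assumptions: eth1 faces the internet, eth0 faces the LAN.
# IPT defaults to a dry-run printer so the script can be read and tested
# without root; run with IPT=iptables (as root) to apply the rules.
dryrun() { printf 'iptables %s\n' "$*"; }
IPT="${IPT:-dryrun}"
EXT="${EXT:-eth1}"    # assumed external interface (from Junaid's -i eth1)
INT="${INT:-eth0}"    # assumed internal interface

# forward_port PROTO PORT TARGET_IP [TARGET_PORT]
# One DNAT rule in nat/PREROUTING rewrites the destination of new inbound
# connections; one filter/FORWARD rule lets the rewritten packet through a
# FORWARD chain whose policy is DROP. Without the second rule the SYN is
# rewritten and then dropped, which is the "way in" lasseboo mentions.
forward_port() {
    proto=$1; port=$2; target=$3; tport=${4:-$2}
    $IPT -t nat -A PREROUTING -i "$EXT" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$target:$tport"
    $IPT -A FORWARD -i "$EXT" -o "$INT" -p "$proto" -d "$target" --dport "$tport" \
        -m state --state NEW -j ACCEPT
}

install_forwarding() {
    # Replies for every forwarded connection, in both directions ("the way back").
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    forward_port tcp 22 192.168.1.202
    forward_port tcp 21 192.168.1.203
    # LAN hosts reaching the internet get the public address on the way out.
    $IPT -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE
    # Also needed, outside iptables: ip_forward=1 and the FTP conntrack helper
    # (ip_conntrack_ftp on 2.6 kernels of that era, nf_conntrack_ftp today) so
    # the FTP data connection is matched as RELATED by the rule above.
}

install_forwarding
```

Run as-is it prints the rules it would install; the FORWARD chain needs both the NEW rule per port and the ESTABLISHED,RELATED rule, which is the part most often left out when only the PREROUTING line is copied from a HOWTO.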


about iptables

Postby nick » Tue, 22 Nov 2005 10:23:39 GMT

When I use this iptables script in Fedora 4, an error occurs and it can't apply the
rules. Why?

###############################################################
### Define interfaces here
INT_DEV=eth0
EXT_DEV=ppp0
INT_NET=192.168.1.0/24

### Loading firewall modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp

###############################################################
### Enable Packet Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

### Remove all previous rules, and delete any user defined chains
iptables -F
iptables -X
iptables -t nat -F

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT  -i lo -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 3389 -j ACCEPT
iptables -A INPUT  -i eth1 -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT \
    --to-destination 192.168.0.2:3389
echo 1 > /proc/sys/net/ipv4/ip_forward

Re: about iptables

Postby Robert Nichols » Wed, 23 Nov 2005 00:28:27 GMT

In article <dlr7fo$26a3$ XXXX@XXXXX.COM >,


:when i use this iptables in Fedora4, an error occur, cant apply the 
:rules,why?
:
:###############################################################
:### Define interfaces here
:INT_DEV=eth0
:EXT_DEV=ppp0
:INT_NET=192.168.1.0/24
:
:### Loading firewall modules
:modprobe ip_conntrack
:modprobe ip_conntrack_ftp
:
:###############################################################
:### Enable Packet Forwarding
:echo 1 > /proc/sys/net/ipv4/ip_forward
:
:### Remove all previous rules, and delete any user defined chains
:iptables -F
:iptables -X
:iptables -t nat -F
:
:iptables -P INPUT DROP
:iptables -P FORWARD DROP
:iptables -P OUTPUT ACCEPT
:iptables -A INPUT  -i lo -j ACCEPT
:iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 3389 -j ACCEPT
:iptables -A INPUT  -i eth1 -s 192.168.0.0/24 -j ACCEPT
:iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
:iptables -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT
:iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
:iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT 
:--to-destination 192.168.0.2:3389
:echo 1 > /proc/sys/net/ipv4/ip_forward

Well, I notice that the interfaces mentioned at the top are

     "eth0" (internal) and "ppp0" (external),

whereas the rules appear to be for:

     "eth1" (internal) and "eth0" (external).

What do you actually have?

I also notice the lack of an ESTABLISHED,RELATED rule in the INPUT chain
from eth0, but that shouldn't prevent installing the ruleset -- just
prevent your FC4 box from successfully using the external connection on
its own behalf.

-- 
Bob Nichols         AT comcast.net I am "RNichols42"
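
As an added example (not nick's script and not something Robert posted), here is a small lint that finds both of Robert's points mechanically: interfaces the rules name with -i/-o that the header never declares, and chains that lack an ESTABLISHED,RELATED accept for a declared interface. It works on the script text as a string; SAMPLE_RULES is a constructed excerpt of nick's script with just the declarations and the rules that name interfaces.

```shell
#!/bin/sh
# Added example, not nick's script or Robert's reply: a lint for a firewall
# script that catches the two things Robert spotted by eye. It takes the
# script text as a string. SAMPLE_RULES is a constructed excerpt of nick's
# script (the variable declarations plus the rules that name interfaces).
SAMPLE_RULES='INT_DEV=eth0
EXT_DEV=ppp0
iptables -A INPUT  -i lo -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 3389 -j ACCEPT
iptables -A INPUT  -i eth1 -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE'

# declared_ifaces SCRIPT -> the values assigned to INT_DEV and EXT_DEV
declared_ifaces() {
    printf '%s\n' "$1" | sed -n -e 's/^INT_DEV=//p' -e 's/^EXT_DEV=//p'
}

# used_ifaces SCRIPT -> every interface an iptables line names with -i or -o
used_ifaces() {
    printf '%s\n' "$1" | awk '/^iptables/ {
        for (i = 1; i < NF; i++)
            if ($i == "-i" || $i == "-o") print $(i + 1)
    }' | sort -u
}

# undeclared_ifaces SCRIPT -> interfaces the rules use but the script never
# declares (lo is always fine). For nick's script this is "eth1": the rules
# were written for eth0/eth1 while the header says eth0/ppp0.
undeclared_ifaces() {
    known=$(declared_ifaces "$1"; echo lo)
    for dev in $(used_ifaces "$1"); do
        printf '%s\n' "$known" | grep -q -x "$dev" || echo "$dev"
    done
}

# has_reply_rule SCRIPT CHAIN IFACE -> true if CHAIN accepts ESTABLISHED,RELATED
# traffic arriving on IFACE. Robert's second point: nick's FORWARD chain has
# it for eth0, his INPUT chain does not, so the box itself cannot use the link.
has_reply_rule() {
    printf '%s\n' "$1" | grep "^iptables -A $2 " | grep -- "-i $3 " \
        | grep -q 'ESTABLISHED,RELATED'
}

# lint SCRIPT -> one warning line per finding
lint() {
    for dev in $(undeclared_ifaces "$1"); do
        echo "warning: rules use interface $dev but INT_DEV/EXT_DEV do not declare it"
    done
    for dev in $(declared_ifaces "$1"); do
        for chain in INPUT FORWARD; do
            has_reply_rule "$1" "$chain" "$dev" \
                || echo "warning: no ESTABLISHED,RELATED accept for $dev in $chain"
        done
    done
}

lint "$SAMPLE_RULES"
```

To check a real script, pass its contents: lint "$(cat /etc/rc.d/rc.firewall)". The interface check only looks at literal names, so a script that consistently uses $INT_DEV and $EXT_DEV in its rules produces no interface warnings, which is the shape you want the script to have anyway.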

about iptables

Postby ParTizan » Sat, 29 Apr 2006 07:45:54 GMT

Hi All,
I guess this is a simple question, but I couldn't find an answer on the
internet.

my setup:
dsl modem <---> linksys router+dhcp (192.168.1.1) <---> linux box (1
nic)

dhcp 192.168.1.1
dns1 71.0.0.1
dns1 151.0.0.2

iptables rules:
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

iptables -A INPUT -i eth0 -p udp -s 71.0.0.1 --sport domain -m state \
    --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -s 151.0.0.2 --sport domain -m state \
    --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -d 71.0.0.1 --dport domain -m state \
    --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p udp -d 151.0.0.2 --dport domain -m state \
    --state NEW,ESTABLISHED -j ACCEPT


What else do I need to add to be able to browse the internet from the Linux
box?
When I try lynx yahoo.com it says "making http connection to
yahoo.com" and then nothing.

thanks.


Re: about iptables

Postby Grant » Sat, 29 Apr 2006 08:33:47 GMT

Your firewall doesn't need to know about the DNS servers.

Bits of my firewall setup:
< http://www.**--****.com/ ; for net topology

rc.firewall:
...
X_LOCAL="eth0"                  # main local net: 100-Base-T
X_WORLD="ppp0"                  # expected ADSL modem interface
...
MSTATE="--match state --state"
...
        report "  policy"
        iptables -P INPUT DROP
        iptables -P FORWARD DROP
        iptables -P OUTPUT ACCEPT

        report "  local"
        iptables -A INPUT -p all $MSTATE ESTABLISHED,RELATED -j ACCEPT ##[1]
        iptables -A INPUT -p all -i lo -j ACCEPT
        iptables -A INPUT -p all -i $X_LOCAL -j ACCEPT
...
[1] This comes first, it allows expected traffic back into the box

Now you need add rules to allow incoming traffic, if you are not 
offering services to the public, you don't need any.  ;)

Also:

# NAT table
# ``````````
# Perform SNAT or MASQUERADE for localnet to world connections

# Difference between SNAT and MASQUERADE?
# SNAT is more efficient for static public IP address, and established
#  connections will survive a reconnect.  MASQUERADE is for dynamic IP
#  where established connections are dropped when link goes down as a
#  new, likely different, IP address is expected on the next connection.

install_nat_table()
{
        report "  nat"
        if [ -n "$IP_WORLD" ]; then
                report "    SNAT $IP_WORLD"
                iptables -t nat -A POSTROUTING -o $X_WORLD \
                                -j SNAT --to-source $IP_WORLD
        else
                report "    MASQUERADE"
                iptables -t nat -A POSTROUTING -o $X_WORLD \
                                -j MASQUERADE
        fi
}

[part of firewall startup, for context]

case $1 in
        restart )
        # called from ip-up when ADSL connection established, parameters:
        #  $1   restart -- anything else switches firewall to local mode
        #  $2   <interface> -- example ppp0
        #  $3   <IP>, optional -- if specified the output will be SNAT to the
        #       supplied IP address, otherwise MASQUERADE is used

        install_firewall_local_mode
        if [ -z "$2" ]; then
                echo -e "\nrc.firewall: warning: restart without \c"
                echo -e "<interface>, local mode running."
                exit 0
        else
                X_WORLD=$2      # eg. ppp0
        fi
        if [ -z "$3" ]; then
                IP_WORLD=""     # MASQUERADE
        else
                IP_WORLD=$3     # SNAT to supplied IP address
        fi
        install_firewall_world_mode
        echo -e "\n\nrc.firewall: finish: world mode running."
        ;;
...

Not posting the whole thing 'cos it's a ~600 line bash script.

Grant.
-- 
Memory fault -- brain fried

Re: about iptables

Postby ParTizan » Sat, 29 Apr 2006 09:28:00 GMT

Thanks! But do I really need all these settings?
As you can see, I'm already behind my router.


Re: about iptables

Postby Grant » Sat, 29 Apr 2006 10:06:18 GMT

Assuming you reply to me (please quote context in replies), start with:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -p all --match state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p all -i lo -j ACCEPT

for standalone (single box + modem) operation.

Those lines basically allow output from box, but only expected 
(requested) traffic can come back into the box.  I suggest you 
add some OUTPUT logging for debug, perhaps:

iptables -A OUTPUT -p all -o eth0 -j LOG --log-level info \
	--log-prefix "fw_out: "

"--log-level info" sends to /var/log/messages, do a tail -f on the log 
to watch the thing in action.

Grant.
-- 
Memory fault -- brain fried
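
As an added example that is not part of Grant's rc.firewall: once the OUTPUT LOG rule above is in place, "tail -f" shows one line per packet, which gets hard to read quickly. The functions below summarize the "fw_out: " lines by protocol and destination port and list the ports of new outbound TCP connections, which is what you want to eyeball when the box is doing something you did not ask for. The log lines in SAMPLE_LOG are constructed samples in the KEY=VALUE format the kernel LOG target writes (IN=, OUT=, SRC=, DST=, PROTO=, SPT=, DPT= and the TCP flags); the 71.0.0.1 and 151.0.0.2 addresses are ParTizan's DNS servers, the others are documentation addresses.

```shell
#!/bin/sh
# Added example, not from Grant's script: summarize the "fw_out: " LOG lines
# that the OUTPUT logging rule writes, so you can see what the box is trying
# to send out and spot anything unexpected. SAMPLE_LOG holds constructed
# sample lines in the format the kernel LOG target emits.
SAMPLE_LOG='Apr 29 10:10:01 box kernel: fw_out: IN= OUT=eth0 SRC=192.168.1.50 DST=71.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=101 DF PROTO=UDP SPT=40001 DPT=53 LEN=40
Apr 29 10:10:01 box kernel: fw_out: IN= OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=102 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Apr 29 10:10:02 box kernel: fw_out: IN= OUT=eth0 SRC=192.168.1.50 DST=203.0.113.10 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=103 DF PROTO=TCP SPT=40002 DPT=80 WINDOW=5840 RES=0x00 ACK URGP=0
Apr 29 10:10:05 box kernel: fw_out: IN= OUT=eth0 SRC=192.168.1.50 DST=151.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=104 DF PROTO=UDP SPT=40003 DPT=53 LEN=40
Apr 29 10:10:09 box kernel: fw_out: IN= OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=105 DF PROTO=TCP SPT=40004 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0'

# fw_field LINE NAME -> value of the first NAME= token in a LOG line (empty if absent)
fw_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# count_by_dport LOG PREFIX -> "PROTO DPT count" per destination port,
# most frequent first. Only lines carrying PREFIX (e.g. fw_out:) are counted,
# so other kernel messages in /var/log/messages are ignored.
count_by_dport() {
    printf '%s\n' "$1" | grep -F "$2" | awk '
        {
            proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (proto != "" && dpt != "") n[proto " " dpt]++
        }
        END { for (k in n) print k, n[k] }' | sort -k3,3nr -k1,1 -k2,2n
}

# new_tcp_dports LOG PREFIX -> distinct destination ports of outbound TCP
# connection attempts (SYN without ACK): one entry per port the box tried to
# open, which is the list worth reading when something unexpected shows up.
new_tcp_dports() {
    printf '%s\n' "$1" | grep -F "$2" | grep 'PROTO=TCP' | grep ' SYN ' \
        | grep -v ' ACK ' | tr ' ' '\n' | sed -n 's/^DPT=//p' | sort -un
}

echo "packets by destination port:"
count_by_dport "$SAMPLE_LOG" fw_out:
echo "ports of new outbound TCP connections:"
new_tcp_dports "$SAMPLE_LOG" fw_out:
```

Against the real log: count_by_dport "$(grep 'fw_out: ' /var/log/messages)" fw_out: gives the same table for the box; the two DNS servers on port 53 and the web server on port 80 are expected, the connection attempt to port 6667 in the sample is the kind of entry that deserves a look.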

Re: about iptables

Postby ParTizan » Sat, 29 Apr 2006 10:30:18 GMT

Thanks! It worked.