Search Results

Search found 1249 results on 50 pages for 'iptables'.

Page 19/50 | < Previous Page | 15 16 17 18 19 20 21 22 23 24 25 26  | Next Page >

  • Default Gateway solution on NAT'd network (best options)

    - by kwiksand
    I've recently changed a network from a bunch of machines exposed to the net on a network to a more security conscious Firewall-fronted network with a DMZ for public services. Everything's mostly working perfectly now, but I've got the old problem of NAT Loopback where a machine within the LAN wants to access a public service via the public/external IP. I've solved this problem previously in a small/SOHO environment simply using NAT loopback features of the router in use or a simple iptables rule to do the same, but I want to make sure I make the most resilient choice with the least concern. It seems I can: Use iptables as I've said to DNAT and MASQUERADE the change source/destination so the connection works correctly i.e iptables -A PREROUTING -t nat -d ip.of.eth0.here -p tcp --dport 8080 -j DNAT --to 192.168.0.201:8080 iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -p tcp --dport 8080 -d 192.168.0.201 -j MASQUERADE Use split DNS, with internal mappings for public IP's Potentially do some route nastyness by setting the Default Gateway to use a different externally exposed IP to then come back in the public route (messy) Someone mentioned putting the Default Gateway within the DMZ as well (on serverfault), but I can't find the post again. I'm sure this is a common issue for many with NAT'd networks, but I've not really seen the perfect solve all when it comes to fixing this problem. What is your opinion?

    Read the article

  • debian VM refusing all traffic apart from http

    - by james lewis
    I've got a VM with a fresh install of Debian (wheezy) and I've installed node and mongo on it. The VM is using a bridged network connection so I was expecting to be able to point my host machines browser at the ip address of the Debian VM (port 1337 for my node example or port 28017 for my mongo status page) and see one of the two services (node or mongo). My requests are refused though. As far as I can tell Debian allows all traffic by default and you have to manually configure iptables to drop traffic. I've checked iptables and it says it's setup to allow anything through. It looks like this: root@devbox:/home/jlewis# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination As a test I setup nginx and I was able to get to the nginx landing page from my host no problems so obviously http traffic is allowed. I then set nginx up to forward all traffic upstream to mongo - no problems there, I was able to see the status page. I then did the same for my example node server and again, no problems. So http traffic is fine, but all other traffic is blocked. Anyone know why debian might be refusing all other traffic other than iptables being setup to drop it? EDIT - output from netstat -nltp: Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:28017 0.0.0.0:* LISTEN 1762/mongod tcp 0 0 0.0.0.0:51028 0.0.0.0:* LISTEN 1541/rpc.statd tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 2462/sshd tcp 0 0 127.0.0.1:1337 0.0.0.0:* LISTEN 2794/node tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 2274/exim4 tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN 1762/mongod tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN 1510/rpcbind tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 2189/nginx tcp6 0 0 :::22 :::* LISTEN 2462/sshd tcp6 0 0 :::45335 :::* LISTEN 1541/rpc.statd tcp6 0 0 ::1:25 :::* LISTEN 2274/exim4 tcp6 0 0 :::111 :::* LISTEN 1510/rpcbind

    Read the article

  • How to route to a secondary interface on the same physical ethernet?

    - by sjose3612611
    INTERNET<->(wan)BRIDGED_DEVICE(lan)<->ETH_ROUTER<->LAN Problem: Need to access web server on BRIDGED_DEVICE's LAN from INTERNET via ROUTER (BRIDGED_DEVICE's web server cannot be accessed form INTERNET since it has no Public management IP). Cannot configure bridged device. It has a static IP on its LAN to which its web server binds. Attempt: Create a secondary/alias WAN Interface on ETH_ROUTER (e.g Primary: eth0.1 (for internet access) and Secondary: eth0.2 (for accessing web server on BRIDGED_DEVICE), (No VLANs). eth0.1 has a public IP; eth0.2 has a static private IP in the BRIDGED_DEVICE's subnet (e.g 10.0.X.Y). Iptables on ETH_ROUTER: Added a port forward (DNAT) from eth0.1 to eth0.2: iptables -t nat -I PREROUTING -i eth0.1 -p tcp --dport 80 -j DNAT --to-destination 10.0.X.Y iptables -t nat -I POSTROUTING -o eth0.2 -s 10.0.X.0/24 -j MASQUERADE Stateful firewall w/ overall drop policy on FORWARD chain, hence: iptables -I FORWARD -i eth0.1 -d 10.0.X.Y -p tcp --dport 80 -j ACCEPT Can ping from ETH_ROUTER to BRIDGED_DEVICE but unable to reach the web server from Internet. I see packet cont increasing for the DNAT rule but not sure where it disappears in the ETH_ROUTER after that. ETH_ROUTER is the only device that can be configured to achieve this. If familiar with this scenario, please suggest what I may be missing or doing wrong here or suggest techniques to debug?

    Read the article

  • When connecting to PPTP Centos via Windows 7 VPN, I get error 2147943625

    - by Charlie Dyason
    The remote computer refused the network connection. phrase has been my arch enemy for the past week now I recently "bought" a VPS server, I gave up trying to configure it with OpenVPN, all the issues were making me lose my mind, so I tried the easier way with pptp, but i figure, both are leading to a dead end... I followed this post (many others too but this is the unlucky one), http://blog.secaserver.com/2011/10/install-vpn-pptp-server-centos-6/ and it all goes well with the setup, however, I run into this error when connecting to the VPN in Windows 7 here is a pic of the error: Image So I do not know what I have done wrong... When connecting, Code: Select all netstat -apn | grep -w 1723 before connecting: netstat -apn |grep -w 1723 tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 1137/pptpd after the error came I tried again: netstat -apn |grep -w 1723 tcp 0 0 0.0.0.0:1723 0.0.0.0:* LISTEN 1137/pptpd tcp 0 0 41.185.26.238:1723 41.13.212.47:49607 TIME_WAIT - iptables: # Generated by iptables-save v1.4.7 on Fri Nov 1 18:14:53 2013 *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [63:8868] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i eth0 -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT -A INPUT -i eth0 -p tcp -m tcp --dport 1723 -j ACCEPT -A INPUT -i eth0 -p gre -j ACCEPT -A FORWARD -i ppp+ -o eth0 -j ACCEPT -A FORWARD -i eth0 -o ppp+ -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT # Completed on Fri Nov 1 18:14:53 2013 # Generated by iptables-save v1.4.7 on Fri Nov 1 18:14:53 2013 *nat : PREROUTING ACCEPT [96:12732] : POSTROUTING ACCEPT [0:0] : OUTPUT ACCEPT [31:2179] -A POSTROUTING -o eth0 -j MASQUERADE COMMIT # Completed on Fri Nov 1 18:14:53 2013 options.pptpd the only changes was the require-mppe # BSD licensed ppp-2.4.2 upstream with MPPE only, kernel module ppp_mppe.o # {{{ refuse-pap refuse-chap refuse-mschap # Require the peer to authenticate itself using MS-CHAPv2 [Microsoft # Challenge Handshake Authentication Protocol, Version 2] authentication. require-mschap-v2 require-mppe # Require MPPE 128-bit encryption # (note that MPPE requires the use of MSCHAP-V2 during authentication) require-mppe-128 # }}} I check the iptables, everything is normal, all INPUTs, etc are before rejects, username and password I also checked in chap-secrets file, I am really puzzled...

    Read the article

  • Blocking HTTPS and P2P Traffic

    - by Genboy
    I have a Debian server running at the gateway level on a LAN. This runs squid for creating block lists of websites - for eg. blocking social networking on the LAN. Also uses iptables. I am able to do a lot of things with squid & iptables, but a few things seem difficult to achieve. 1) If I block facebook through their http url, people can still access https://www.facebook.com because squid doesn't go through https traffic by default. However, if the users set the gateway IP address as proxy on their web browser, then https is also blocked. So I can do one thing - using iptables drop all outgoing 443 traffic, so that people are forced to set proxy on their browser in order to browse any HTTPS traffic. However, is there a better solution for this. 2) As the number of blocked urls increase in squid, I am planning to integrate squidguard. However, the good squidguard lists are not free for commercial use. Anyone knows of a good squidguard list which is free. 3) Block yahoo messenger, gtalk etc. There are so many ports on which these Instant Messenger softwares work. You need to drop lots of outgoing ports in iptables. However, new ports get added, so you have to keep adding them. And even if your list of ports is current, people can still use the web version of gtalk etc. 4) Blocking P2P. Haven't been able to figure out how to do this till now.

    Read the article

  • Destination NAT Onto the Same Network from internal clients

    - by mivi
    I have a DSL router which acts as NAT (SNAT & DNAT). I have setup a server on internal network (10.0.0.2 at port 43201). DSL router was configured to "port forward" (or DNAT) all incoming connections to 10.0.0.2:43201. I created a virtual server for port forwarding on DSL router. I also added following iptables rules for port forwarding. iptables -t nat -A PREROUTING -p tcp -i ppp_0_1_32_1 --dport 43201 -j DNAT --to-destination 10.0.0.2:43201 iptables -I FORWARD 1 -p tcp -m state --state NEW,ESTABLISHED,RELATED -d 10.0.0.2 --dport 43201 -j ACCEPT # ppp_0_1_32_1 is routers external interface. # routers internal IP address is 10.0.0.1 and server is setup at 10.0.0.2:43201 Problem is that connections coming from external IP addresses are able to access internal server using External IP address, but internal clients (under NAT) are not able to access server using external IP address. Example: http://<external_address>:43201 is working from external clients But, internal clients are not able to access using http://<external_address>:43201 This seems to be similar to the problem described in http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-10.html (NAT HOW-TO Destination NAT Onto the Same Network). Firstly, I am not able to understand why is this a problem for internal clients? Secondly, what iptables rule will enable internal clients to access server using external IP address? Please suggest.

    Read the article

  • openvpn problem

    - by Jared Voronik
    I have a problem with openvpn. I have already setup openvpn sucessfully on some other servers in the past (basic configuration, nothing special). On this server, I used the same config file, but for setting up nat iptables -t nat -A POSTROUTING -s 10.4.0.0/24 -o eth0 -j MASQUERADE doesn't work. It gives error: iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded. How do I fix this error? Also, if I can't fix this error, can I do bridging instead of routing? I have only 1 interface, and I can connect to remote server only via ssh (and need to avoid reboots if at all possible) so if briding means a whole ethernet card has to be devoted to the openvpn (and no other servers) then briding is out, otherwise I can use briding. Do you know of a simple, step by step guide to configure openvpn briding (just simple openvpn server and clients that can access internet through vpn server, nothing fancy)?

    Read the article

  • Linux policy routing - packets not coming back

    - by Bugsik
    i am trying to set up policy routing on my home server. My network looks like this: Host routed VPN gateway Internet link through VPN 192.168.0.35/24 ---> 192.168.0.5/24 ---> 192.168.0.1 DSL router 10.200.2.235/22 .... .... 10.200.0.1 VPN server The traffic from 192.168.0.32/27 should be and is routed through VPN. I wanted to define some routing policies to route some traffic from 192.168.0.5 through VPN as well - for start - from user with uid 2000. Policy routing is done using iptables mark target and ip rule fwmark. The problem: When connecting using user 2000 from 192.168.0.5 tcpdump shows outgoing packets, but nothing comes back. Traffic from 192.168.0.35 works fine (here I am not using fwmark but src policy). Here is my VPN gateway setup: # uname -a Linux placebo 3.2.0-34-generic #53-Ubuntu SMP Thu Nov 15 10:49:02 UTC 2012 i686 i686 i386 GNU/Linux # iptables -V iptables v1.4.12 # ip -V ip utility, iproute2-ss111117 IPtables rules (all policies in table filter are ACCEPT) # iptables -t mangle -nvL Chain PREROUTING (policy ACCEPT 770K packets, 314M bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 767K packets, 312M bytes) pkts bytes target prot opt in out source destination Chain FORWARD (policy ACCEPT 5520 packets, 1920K bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 782K packets, 901M bytes) pkts bytes target prot opt in out source destination 74 4707 MARK all -- * * 0.0.0.0/0 0.0.0.0/0 owner UID match 2000 MARK set 0x3 Chain POSTROUTING (policy ACCEPT 788K packets, 903M bytes) pkts bytes target prot opt in out source destination # iptables -t nat -nvL Chain PREROUTING (policy ACCEPT 996 packets, 51172 bytes) pkts bytes target prot opt in out source destination Chain INPUT (policy ACCEPT 7 packets, 432 bytes) pkts bytes target prot opt in out source destination Chain OUTPUT (policy ACCEPT 1364 packets, 112K bytes) pkts bytes target prot opt in out source destination Chain POSTROUTING (policy ACCEPT 2302 packets, 160K bytes) pkts bytes target prot opt in out source destination 119 7588 MASQUERADE all -- * vpn 0.0.0.0/0 0.0.0.0/0 Routing: # ip addr show 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master lan state UNKNOWN qlen 1000 link/ether 00:40:63:f9:c3:8f brd ff:ff:ff:ff:ff:ff valid_lft forever preferred_lft forever 3: lan: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP link/ether 00:40:63:f9:c3:8f brd ff:ff:ff:ff:ff:ff inet 192.168.0.5/24 brd 192.168.0.255 scope global lan inet6 fe80::240:63ff:fef9:c38f/64 scope link valid_lft forever preferred_lft forever 4: vpn: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 100 link/none inet 10.200.2.235/22 brd 10.200.3.255 scope global vpn # ip rule show 0: from all lookup local 32764: from all fwmark 0x3 lookup VPN 32765: from 192.168.0.32/27 lookup VPN 32766: from all lookup main 32767: from all lookup default # ip route show table VPN default via 10.200.0.1 dev vpn 10.200.0.0/22 dev vpn proto kernel scope link src 10.200.2.235 192.168.0.0/24 dev lan proto kernel scope link src 192.168.0.5 # ip route show default via 192.168.0.1 dev lan metric 100 10.200.0.0/22 dev vpn proto kernel scope link src 10.200.2.235 192.168.0.0/24 dev lan proto kernel scope link src 192.168.0.5 TCP dump showing no traffic coming back when connection is made from 192.168.0.5 user 2000 # tcpdump -i vpn tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on vpn, link-type RAW (Raw IP), capture size 65535 bytes ### Traffic from user 2000 on 192.168.0.5 ### 10:19:05.629985 IP 10.200.2.235.37291 > 10.100-78-194.akamai.com.http: Flags [S], seq 2868799562, win 14600, options [mss 1460,sackOK,TS val 6887764 ecr 0,nop,wscale 4], length 0 10:19:21.678001 IP 10.200.2.235.37291 > 10.100-78-194.akamai.com.http: Flags [S], seq 2868799562, win 14600, options [mss 1460,sackOK,TS val 6891776 ecr 0,nop,wscale 4], length 0 ### Traffic from 192.168.0.35 ### 10:23:12.066174 IP 10.200.2.235.49247 > 10.100-78-194.akamai.com.http: Flags [S], seq 2294159276, win 65535, options [mss 1460,nop,wscale 4,nop,nop,TS val 557451322 ecr 0,sackOK,eol], length 0 10:23:12.265640 IP 10.100-78-194.akamai.com.http > 10.200.2.235.49247: Flags [S.], seq 2521908813, ack 2294159277, win 14480, options [mss 1367,sackOK,TS val 388565772 ecr 557451322,nop,wscale 1], length 0 10:23:12.276573 IP 10.200.2.235.49247 > 10.100-78-194.akamai.com.http: Flags [.], ack 1, win 8214, options [nop,nop,TS val 557451534 ecr 388565772], length 0 10:23:12.293030 IP 10.200.2.235.49247 > 10.100-78-194.akamai.com.http: Flags [P.], seq 1:480, ack 1, win 8214, options [nop,nop,TS val 557451552 ecr 388565772], length 479 10:23:12.574773 IP 10.100-78-194.akamai.com.http > 10.200.2.235.49247: Flags [.], ack 480, win 7776, options [nop,nop,TS val 388566081 ecr 557451552], length 0

    Read the article

  • Simulated NAT Traversal on Virtual Box

    - by Sumit Arora
    I have installed virtual box ( with Two virtual Adapters(NAT-type)) - Host (Ubuntu -10.10) - Guest-Opensuse-11.4 . Objective : Trying to simulate all four types of NAT as defined here : https://wiki.asterisk.org/wiki/display/TOP/NAT+Traversal+Testing Simulating the various kinds of NATs can be done using Linux iptables. In these examples, eth0 is the private network and eth1 is the public network. Full-cone iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination Restricted cone iptables -t nat POSTROUTING -o eth1 -p tcp -j SNAT --to-source iptables -t nat POSTROUTING -o eth1 -p udp -j SNAT --to-source iptables -t nat PREROUTING -i eth1 -p tcp -j DNAT --to-destination iptables -t nat PREROUTING -i eth1 -p udp -j DNAT --to-destination iptables -A INPUT -i eth1 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i eth1 -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i eth1 -p tcp -m state --state NEW -j DROP iptables -A INPUT -i eth1 -p udp -m state --state NEW -j DROP Port-restricted cone iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source Symmentric echo "1" /proc/sys/net/ipv4/ip_forward iptables --flush iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE --random iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT What I did : OpenSuse guest with Two Virtual adapters - eth0 and eth1 -- eth1 with address 10.0.3.15 /eth1:1 as 10.0.3.16 -- eth0 with address 10.0.2.15 now running stund(http://sourceforge.net/projects/stun/) client/server : Server eKimchi@linux-6j9k:~/sw/stun/stund ./server -v -h 10.0.3.15 -a 10.0.3.16 Client eKimchi@linux-6j9k:~/sw/stun/stund ./client -v 10.0.3.15 -i 10.0.2.15 On all Four Cases It is giving same results : test I = 1 test II = 1 test III = 1 test I(2) = 1 is nat = 0 mapped IP same = 1 hairpin = 1 preserver port = 1 Primary: Open Return value is 0x000001 Q-1 :Please let me know If any has ever done, It should behave like NAT as per description but nowhere it working as a NAT. Q-2: How NAT Implemented in Home routers (Usually Port Restricted), but those also pre-configured iptables rules and tuned Linux

    Read the article

  • Transparent proxy which preserves client mac address

    - by A G
    I have a customer that wants to intercept SSL traffic as it leaves their network. My proposed solution is to setup a proxy that is transparent and both layer 2 and layer 3 so it can simply be dropped into their network without any change in config required. The proxy has two NICs, one connected to the server, the other to the client. The client, proxy and gateway are under control of the customer, the server is not. For example: client --- Proxy --- gateway -|- server I have my proxy program configured with IP_TRANSPARENT socket option to it can respond to connections destined for a remote IP. I am using the following setup: iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port 3128 --tproxy-mark 1/1 iptables -t mangle -A PREROUTING -p tcp -j MARK --set-mark 1 ip rule add fwmark 1/1 table 1 ip route add local 0.0.0.0/0 dev lo table 1 The client in question is on its own subnet and has been configured so that the proxy is the default gateway. The result is: Client sends a frame to the proxy; source IP is client, source mac is client, destination IP is server, destination mac is proxy Proxy forwards this frame to the gateway; source IP is proxy, source mac is proxy, destination IP is server, destination mac is gateway Gateway forwards this to the server and gets a response back. Gateway sends reply back to proxy; source IP is server, source mac is gateway, destination IP is proxy, destination mac is proxy Proxy forwards this reply to client; source IP is server, source mac is proxy, destination IP is client, destination mac is client. The tproxy and iptables configuration lets the proxy send packets with a non local ip address. Is there a way to make something transparent at the mac address level? That is, put the client on the same subnet as the gateway. The gateway sees the source IP and mac as that of the client, even though they originated from the proxy. Could this be done by configuring the proxy as a bridge then use ebtables to escalate the traffic to be handled by iptables? When I use ebtables to push something up to iptables, it appears my proxy program doesn't respond to the packets as they are destined for the gateways's mac address, not the proxy's. What are some other potential avenues I could investigate? EDIT: When the client and gateway are on different subnets (and client has set the proxy as the gateway), it works as described in 1 to 5. But I want to know if it is possible to have the client and gateway on the same subnet and have the proxy fully transparent (ie client is not aware of the proxy). Thanks! EDIT 2: I can configure the proxy as a bridge using brctl, but cannot find a way to direct this traffic to my proxy program - asked here Possible for linux bridge to intercept traffic?. Currently, with the description numbered 1 to 5, it operates at layer 3; it is transparent on the client side (client thinks it is talking to the server's IP), but not on the gateway side (gateway is talking to the proxy's IP). What I want to find out is, is it possible to make this operate at layer 2, so it is fully transparent? What are the available options I should research? Thanks

    Read the article

  • LVS Configuration issue (Using piranha Tool)

    - by PravinG
    I have configured LVS on cent os using piranha tool .I am using vip of internal n/w as gateway for real server we have two NIC one having exteranl Ip and other for internal n/w which is on 192.168.3.0/24 network. But I am not able to connect from client it shows connection refused error . Please suggest iptables rules for private n public n/w to communicate. May be I am missing this . Iptables rules that we have added are : iptables -t nat -A POSTROUTING -p tcp -s 192.168.3.0/24 --sport 5000 -j MASQUERADE this is my ipconfig: eth0 Link encap:Ethernet HWaddr 00:00:E8:F6:74:DA inet addr:122.166.233.133 Bcast:122.166.233.255 Mask:255.255.255.0 inet6 addr: fe80::200:e8ff:fef6:74da/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:94433 errors:0 dropped:0 overruns:0 frame:0 TX packets:130966 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:9469972 (9.0 MiB) TX bytes:19929308 (19.0 MiB) Interrupt:16 Base address:0x2000 eth0:1 Link encap:Ethernet HWaddr 00:00:E8:F6:74:DA inet addr:122.166.233.136 Bcast:122.166.233.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Interrupt:16 Base address:0x2000 eth1 Link encap:Ethernet HWaddr 00:E0:20:14:F9:2D inet addr:192.168.3.1 Bcast:192.168.3.255 Mask:255.255.255.0 inet6 addr: fe80::2e0:20ff:fe14:f92d/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:123718 errors:0 dropped:0 overruns:0 frame:0 TX packets:148856 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:18738556 (17.8 MiB) TX bytes:11697153 (11.1 MiB) Interrupt:17 Memory:60000400-600004ff eth1:1 Link encap:Ethernet HWaddr 00:E0:20:14:F9:2D inet addr:192.168.3.10 Bcast:192.168.3.255 Mask:255.255.255.0 UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 Interrupt:17 Memory:60000400-600004ff eth2 Link encap:Ethernet HWaddr 00:16:76:6E:D1:D2 UP BROADCAST MULTICAST MTU:1500 Metric:1 RX packets:0 errors:0 dropped:0 overruns:0 frame:0 TX packets:0 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:0 (0.0 b) TX bytes:0 (0.0 b) Interrupt:21 Base address:0xa500 and ipvsadm -ln command [root@abts-kk-static-133 ~]# ipvsadm -ln IP Virtual Server version 1.2.1 (size=4096) Prot LocalAddress:Port Scheduler Flags -> RemoteAddress:Port Forward Weight ActiveConn InActConn TCP 122.166.233.136:5000 wlc TCP 122.166.233.136:5004 wlc lvs server routing table Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.3.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 122.166.233.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0 169.254.0.0 0.0.0.0 255.255.0.0 U 1003 0 0 eth0 169.254.0.0 0.0.0.0 255.255.0.0 U 1004 0 0 eth1 0.0.0.0 122.166.233.1 0.0.0.0 UG 0 0 0 eth0 real 1 real 2 we have configured various ports from 5000:5008 . Do we need to this iptables for all ports? Suggest me how should I solve this issue.

    Read the article

  • Use a proxy which connects to the school proxy

    - by denNorske
    How to get my computer use a proxy ON my computer, which connects to the school proxy ? The reason I ask this, is because I need all programs on my computer, absolutely the whole system to go through the network, without having to use proxy authentication? Then I was thinking of a possibility to use a local proxy without authentication, to connect to the school proxy (with all authentication details), and then be able to make the system go through it? Is that possible? I've heard some stories about using IP-tables to make a transparent proxy, but I have no idea how to do that, as i am pretty new at all this. So, details, explanations and suggestions about this are very welcome! If you need more details, I'll provide them!

    Read the article

  • Using Apache2 to set up a basic webpage

    - by mrhatter
    I am having a problem with a test page I set up for my website. The config file (index.html) looks like this <html> <head> <title>Welcome to website.net!</title> </head> <body> <h1>Success! The website.net virtual host is working!</h1> </body> </html> Which should display a page like this in my browser when I navigate to www.mywebsite.net Welcome to website.net! Success! The website.net virtual host is working! However I get a 403 "forbidden" error when I navigate to the page. What am I missing? I have the directory installed on /var/www/mywebsite.net/public_html/index.html I have the permissions of the /var/www directory set to 755 so that others can read and exicute it but it does not seem to be working. I also have port 80 open on my iptable. The server is a VPS server if that makes a difference however I have added a DNS record for the ip address. Any help is appreciated! UPDATE: Here is my virtual host configuration file "mywebsite.net.conf" <VirtualHost *:80> # Admin email, Server Name (domain name), and any aliases ServerAdmin [email protected] ServerName www.mywebsite.net ServerAlias mywebsite.net # Index file and Document Root (where the public files are located) DirectoryIndex index.html index.php DocumentRoot /home/myusername/public/mywebsite.net/public # Log file locations LogLevel warn ErrorLog /home/mysuername/public/mywebsite.net/log/error.log CustomLog /home/myusername/public/mywebsite.net/log/access.log combined <Directory /home/myusername/public/mywebsite.net/public> Options Indexes ExecCGI Includes FollowSymLinks MultiViews AllowOverride All Order Deny,Allow Allow from all </Directory> </VirtualHost>

    Read the article

  • Open port in gufw is closed, no incoming connection on deluge

    - by user66987
    I have a problem configuring gufw. I open ports on it, but when i test in deluge it shows as closed. Any help on setting up the firewall would be greatly appreciated. This is the output I get on the firewall in terminal: Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1346/dnsmasq tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 970/cupsd tcp 0 0 0.0.0.0:55521 0.0.0.0:* LISTEN 17362/python tcp6 0 0 ::1:631 :::* LISTEN 970/cupsd tcp6 0 0 :::55521 :::* LISTEN 17362/python udp 0 0 10.0.0.125:1900 0.0.0.0:* 17362/python udp 0 0 127.0.0.1:1900 0.0.0.0:* 17362/python udp 0 0 0.0.0.0:1900 0.0.0.0:* 17362/python udp 0 0 127.0.0.1:53162 0.0.0.0:* 17362/python udp 0 0 127.0.0.1:53 0.0.0.0:* 1346/dnsmasq udp 0 0 0.0.0.0:68 0.0.0.0:* 1312/dhclient udp 0 0 10.0.0.125:36948 0.0.0.0:* 17362/python udp 0 0 0.0.0.0:37240 0.0.0.0:* 17362/python udp 0 0 10.0.0.125:6771 0.0.0.0:* 17362/python udp 0 0 127.0.0.1:6771 0.0.0.0:* 17362/python udp 0 0 0.0.0.0:6771 0.0.0.0:* 17362/python udp 0 0 10.0.0.125:50034 0.0.0.0:* 17362/python udp 0 0 0.0.0.0:58340 0.0.0.0:* 982/avahi-daemon: r udp 0 0 0.0.0.0:5353 0.0.0.0:* 982/avahi-daemon: r udp 0 0 0.0.0.0:56947 0.0.0.0:* 17362/python udp 0 0 127.0.0.1:57059 0.0.0.0:* 17362/python udp6 0 0 :::49793 :::* 982/avahi-daemon: r udp6 0 0 :::5353 :::* 982/avahi-daemon: r kenneth@kenneth-K53U:~$ sudo ufw status Status: aktive Til Handling Fra --- -------- --- 6881:6891/tcp ALLOW Anywhere 6881:6891/udp ALLOW Anywhere 55521/tcp ALLOW Anywhere 6881:6891/tcp ALLOW Anywhere (v6) 6881:6891/udp ALLOW Anywhere (v6) 55521/tcp ALLOW Anywhere (v6) I also want to be able to use the firewall with linuxdc, so I need other ports open as well. This is connected to the firewall. Because when I turn off the firewall, the port is open. So this is not a problem with my modem. Do I need the firewall? The broadband modem has a hardware firewall. Update: Forgot to add. When my firewall is inactive, it closes ports after a time. So when I use linuxdc, I have to flush iptabels and activating it again. Is this supposed to do this when the firewall is deactivated? Update again: All my ports are closed now, flushing the iptable does not work anymore. I have uninstalled gufw, but still all my ports are closed. And to say it again, this has nothing to do with my broadband modem since it worked when I used windows 7. I need help to open the ports.

    Read the article

  • Configuring my Linux firewall for Tomcat

    - by David Pinn
    I'm following some instructions for Installing Tomcat. They require me to add the following line to my iptables file: -A RH-Lokkit-0-50-INPUT -p tcp -m tcp --dport 8080 --syn -j ACCEPT Having carefully read the man page for iptables, I have learned what the parameters do, except for the first one. What does -A RH-Lokkit-0-50-INPUT do, and can you confirm that it is sensible in this case?

    Read the article

  • How do I allow all possible IPs for Gmail servers through my ufw firewall?

    - by nomadicME
    I am currently using the following rule: ufw allow out from my_local_ip to any port 587 This is a little too lax for my liking. I would like to tighten it up and restrict it to only gmail's smtp server ip addresses, but they are always changing. I used to just wait until an outgoing email didn't make it to its destination, then check syslog for the ip address that was blocked, then add that to the ufw configure script. However, now I have a need for much more reliability. Is there any way to use smtp.gmail.com in ufw? I don't think so, but thought I would ask. Any other ideas? Thanks.

    Read the article

  • Unable to ping to outside network from behind a Linux router

    - by Supratik
    Hi My system is behind a Linux firewall, where eth0 is connected to internet and eth1 is connected to my LAN. The issue is I am not able to ping to outside my network. The iptables rule I have used here as below. iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -p icmp -j SNAT --to-source $PUBLICIP Please correct me if I am doing anything wrong here. Warm Regards Supratik

    Read the article

  • How to host an AP or a hotspot?

    - by user1048138
    I'm running Ubuntu 12.04 as a virtual machine on my Mac. Since I am unable to get the virtual machine to have full access to my WiFi card, I bought another USB WiFi card to use. This is my WiFi card. If you are unfamiliar with Virtual machine, as far as I know, since the Ubuntu has its own card now, it shouldn't matter. I have followed these guides with no luck: https://help.ubuntu.com/community/WifiDocs/WirelessAccessPoint http://www.danbishop.org/2011/12/11/using-hostapd-to-add-wireless-access-point-capabilities-to-an-ubuntu-server/ The problem is that the WiFi connection appears on all of the machines that I have in my house: 2 iPhones, Dell machine running Ubuntu and two Macbooks. However the connection times out on all of these machines. Questions: Could this be a driver issue if that same WiFi card can connect to other WiFi points and use its internet Could this be DHCP related? I would think not. It should at least get a 169.X.X.X address? No? Any solutions for me?

    Read the article

  • Regulating outgoing traffic on ubuntu VM

    - by DazSlayer
    I am making a virtual network setup for my high school cybersecurity team to practice. I am connecting all the VMs together through a VPN and then people who are practicing will VPN in and ssh/remote desktop into the different VMs. The problem is that for practicing, they will need root access into the VMs and because the VMs are connecting to my personal network, the VMs pose a security risk to my personal network. Is there any way in either VMWare or VirtualBox or even making an unchangeable iptable (I can make all the windows VMs go thru a linux VM) to prevent people from connecting to my local network via the VM?

    Read the article

  • forward outbound traffic rule

    - by Claudiu
    I am trying to forward the outbound traffic to another server. Current rule is: /sbin/iptables -A OUTPUT -p tcp -s localhost -o 91.xxx.xxx.xxx --dport 65000:65010 -j ACCEPT but when I do a iptables -L, the rule its showed like this: ACCEPT tcp -- localhost.localdomain anywhere tcp dpts:65000:65010 So I guess my rule is bad written since the "destination" column shows "anywhere" Can you help me with this?

    Read the article

  • Why can't I view a specific websites?

    - by user79263
    I am a netwrok administrator at a small company (22 PC) and i have a problem, and i don't know which could be the cause. I can't access a specific website from the LAN. I have a server which has 2 NICs(one to ISP and one to LAN). I have installed on the server (Bind DNS server and DHCP server) Debian 6 Server. I want to mention that "nslookup mcel.co.mz", and "dig my_site" is not working perfectly, I can't access the site from inside the LAN. I can't send emails to person that are located in that domain. When I dig mcel.co.mz @8.8.8.8 the domain is resolved. Why can't I view a specific websites? www.mcel.co.mz Why can't send email to person that are on some domains? @mcel.co.mz I don't have any rule configured in Debian Server which wouldn't let me acces the site. I am the only one responsable with the IT department. Lowly,

    Read the article

  • Remote access to internal machine (ssh port-forwarding)

    - by MacUsers
    I have a server (serv05) at work with a public ip, hosting two KVM guests - vtest1 & vtest2 - in two different private network - 192.168.122.0 & 192.168.100.0 - respectively, this way: [root@serv05 ~]# ip -o addr show | grep -w inet 1: lo inet 127.0.0.1/8 scope host lo 2: eth0 inet xxx.xxx.xx.197/24 brd xxx.xxx.xx.255 scope global eth0 4: virbr1 inet 192.168.100.1/24 brd 192.168.100.255 scope global virbr1 6: virbr0 inet 192.168.122.1/24 brd 192.168.122.255 scope global virbr0 # [root@serv05 ~]# route -n Kernel IP routing table Destination Gateway Genmask Flags Metric Ref Use Iface 192.168.100.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr1 xxx.xxx.xx.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0 169.254.0.0 0.0.0.0 255.255.0.0 U 1002 0 0 eth0 0.0.0.0 xxx.xxx.xx.62 0.0.0.0 UG 0 0 0 eth0 I've also setup IP FORWARDing and Masquerading this way: iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE iptables --append FORWARD --in-interface virbr0 -j ACCEPT All works up to this point. If I want to remote access vtest1 (or vtest2) first I ssh to serv05 and then from there ssh to vtest1. Is there a way to setup a port forwarding so that vtest1 can be accessed directly from the outside world? This is what I probably need to setup: external_ip (tcp port 4444) -> DNAT -> 192.168.122.50 (tcp port 22) I know it's easily do'able using a SOHO router but can't figure out how can I do that on a Linux box. Any help form you guys?? Cheers!! Update: 1 Now I've made ssh to listen to both of the ports: [root@serv05 ssh]# netstat -tulpn | grep ssh tcp 0 0 xxx.xxx.xx.197:22 0.0.0.0:* LISTEN 5092/sshd tcp 0 0 xxx.xxx.xx.197:4444 0.0.0.0:* LISTEN 5092/sshd and port 4444 is allowed in the iptables rules: [root@serv05 sysconfig]# grep 4444 iptables -A PREROUTING -i eth0 -p tcp -m tcp --dport 4444 -j DNAT --to-destination 192.168.122.50:22 -A INPUT -p tcp -m state --state NEW -m tcp --dport 4444 -j ACCEPT -A FORWARD -i eth0 -p tcp -m tcp --dport 4444 -j ACCEPT But I'm getting connection refused: maci:~ santa$ telnet serv05 4444 Trying xxx.xxx.xx.197... telnet: connect to address xxx.xxx.xx.197: Connection refused telnet: Unable to connect to remote host Any idea what's I'm still missing? Cheers!!

    Read the article

  • DD-WRT firewall rule configuration

    - by ddobie
    I'm using DD-WRT on my linksys router. I want to limit each user on my network to 200 connections at any given time. Does anyone know the rules I enter the firewall in DD-WRT admit panel. I tried the following with no luck: iptables -I FORWARD -s -d 192.168.1.0/24 -p tcp -m connlimit --connlimit-above 150 -j DROP iptables -I FORWARD -s -d 192.168.1.0/24 -p udp -m connlimit --connlimit-above 50 -j DROP

    Read the article

  • Prevent being locked out [duplicate]

    - by Nick
    This question already has an answer here: How do you test iptables rules to prevent remote lockout and check matches? 3 answers When you are configuring iptables or ssh over ssh and the data center is thousands of kilometers away(and getting someone there to plug in a KVM is hard) what are some standard practices to prevent locking yourself out?

    Read the article

< Previous Page | 15 16 17 18 19 20 21 22 23 24 25 26  | Next Page >