Search Results

Search found 3489 results on 140 pages for 'tcp'.

Page 20/140 | < Previous Page | 16 17 18 19 20 21 22 23 24 25 26 27  | Next Page >

• Remotely push DNS server to client via OpenVPN

  - by wishi

  Hi! When I try to push a DNS server via the OpenVPN server-config I don't get that server to be the first DNS server on the connected client system. It ends up being specified as an alternative DNS server. push "dhcp-option DNS 89.238.75.146" # DNS-Server 1 (local djbdns) To overcome certain network restrictions, if they're at place, I use 443 TCP. - That means that my DNS queries are sent via TCP (if I manually reconfigure the DNS server), which doesn't scale very well from a performance perspective. Are there any kewl solutions for that? Marius

  Read the article

• Why would a server not send a SYN/ACK packet in response to a SYN packet

  - by codemonkey

  Lately, we've become aware of a TCP connection issue that is mostly limited to mac and Linux users who browse our websites. From the user perspective, it presents itself as a really long connection time to our websites (11 seconds). We've managed to track down the technical signature of this problem, but can't figure out why it is happening or how to fix it. Basically, what is happening is that the client's machine is sending the SYN packet to establish the TCP connection and the web server receives it, but does not respond with the SYN/ACK packet. After the client has sent many SYN packets, the server finally responds with a SYN/ACK packet and everything is fine for the remainder of the connection. And, of course, the kicker to the problem: it is intermittent and does not happen all the time (though it does happen between 10-30% of the time) We are using Fedora 12 Linux as the OS and Nginx as the web server.

  Read the article

• How does Router know where to forward packet

  - by kornelijepetak

  If several computers with local addresses (192.168.0.#) are connected to a router and each computer opens a web browser and requests a page over HTTP, when these TCP:80 packets are sent out, the router switches the local address with the static IP of the router (i.e. Provider given IP) so the server can reply to the appropriate address. But how does the router know to which computer to forward the HTTP reply, since the TCP header does not contain the local IP address (does it?), and all computers are using port 80? Does this have anything to do with the MAC addresses? How exactly does this work?

  Read the article

• How to configure firewall to allow using a specific port

  - by user174416

  I am trying to make tcp ip connection to a server xxx.xxx.xxx.xxx with port xxxx. But I am getting error message "10061 connection refused". I think firewall on the server is stopping my program to access that port. How can I configure the firewall of server to allow my program to use that port. I had asked this question on stackoverflow (http://stackoverflow.com/questions/13448429/socket-error-while-making-tcp-ip-connection-in-delphi) where I was suggested to ask it on super user. Please provide me any solution....

  Read the article

• Meaning of tcp_delack_min

  - by Phi

  Hi, the current Linux Kernel (e.g. 2.6.36) uses Delayed Acknowledgments (delack). In /include/net/tcp.h it says: define TCP_DELACK_MIN ((unsigned)(HZ/25)) So, for a Kernel using a HZ value of 1000, an ACK should be delayed by a minimum of 40 ms. However, RFC 2581 says a TCP implementation should acknowledge every second full sized segment without further delay. Does anybody know whether the Linux Kernel follows that 'should' or whether the TCP_DELACK_MIN value means that even after a full sized segment was received, the ACK continues to be delayed until 40 ms have passed?

  Read the article

• nat with iptables, re-connecting fail within about 3 minutes

  - by xpu

  i constructed a nat with iptables, as following: echo 1 > /proc/sys/net/ipv4/ip_forward iptables -t nat -I PREROUTING -p tcp --dport 9000 -j DNAT --to xx.xx.xx.xx iptables -t nat -I POSTROUTING -p tcp --dport 9000 -j MASQUERADE service iptables save service iptables restart the configuration worked fine, but there was a problem when i disconnected and tried to reconnect again, connection will be refused within about 2~3 minutes, after that, things go fine again. what was the problem? how do i make it to accept new connection after the old one break?

  Read the article

• Solaris TCP stack tuning

  - by disserman

  We have a large web project (about 2-3k requests per second), using haproxy (http://haproxy.1wt.eu/) as a frontend and load balancer between the java application servers. The frontend (haproxy) is running on Linux but we are going to migrate it to the Solaris 10 as all our other servers are running under Solaris. After switching a traffic I see the two things: a) the web site became loading slower (5-10 seconds with images in comparison to 2-3 seconds on Linux) b) sometimes haproxy fails to perform a "lifecheck" (get a special web page and analyze http response code) due to the socket timeout. After switching traffic back to Linux everything is okay. I've tried to tune all params I found in /dev/tcp but no progress. I believe the problem is in some open socket limitations. If someone can point me to the answer, I would be greatly appreciated. p.s. haproxy is running under Xen DomU on Linux (Kernel 2.6.18, Debian 5), under zone on Solaris (10 u8). the only thing we did on Linux is increasing of ip_conntrack_max (I believe Solaris option tcp_conn_req_max_q is the equivalent).

  Read the article

• network latency, TCP and UDP packets

  - by user115848

  Hello recently my network has started to cause me lots of problems. I have a cable modem, connected to a tp-link router (with some port forwarding). Everything was working fine then i started to get lots of udp (port 53) "UNREPLIED" logs in the router. Now there are tcp UNREPLIED logs too. This is causing lots of latency and failed connections when trying to connect to different internet sites. Also, we run an openfire server for spark connections, and I believe its causing connectivity issues for some users who are trying to connect using Spark (some people connect fine, others don't). Please see screen shot below for packet logs. It has to be something internally, as I connected straight to the comcast modem and i was able to connect to the internet and various sites as normal. I tried to swap out the router with a different and got the same issue. I scanned both my internal dns servers for viruses or malware and it came up empty. Another anomaly is that when i try to connect to www.cnn.com, i get redirected to the different site. I scanned my own machine for hijacks. Not sure if this is related to the networking issue. Please let me know if you have any ideas for troubleshooting.

  Read the article

• A duplicate name has been detected on the TCP network

  - by MSedm

  When I installed my domain controller and DNS, I had 2 NIC on the server. Both NIC has its own IP address. NICs are not teamed, they are seperate and ip address are in the same subnet. Both IP address are now registered in the DNS. i found them in Forward and reverse lookup zone. Everything working ok except the following error in the event log. "A duplicate name has been detected on the TCP network......" Now I have realized that this is because of the second NIC. My question is if i disable the second NIC, what happen to those DNS record assiciated with the second ip address? How do I remove all the DNS recored for the disabled NIC? There are A record, some record with the name (same as parent folder), PTR record and may be more. How do i disable second NIC and remove all the associated DNS recoreds? Please help.

  Read the article

• Ubuntu 12.04 LXC nat prerouting not working

  - by petermolnar

  I have a running Debian Wheezy setup I copied exactly to an Ubuntu 12.04 ( elementary OS, used as desktop as well ) While the Debian setup runs flawlessly, the Ubuntu version dies on the prerouting to containers ( or so it seems ) In short: lxc works containers work and run connecting to container from host OK ( including mixed ports & services ) connecting to outside world from container is fine What does not work is connecting from another box to the host on a port that should be NATed to a container. The setups: /etc/rc.local CMD_BRCTL=/sbin/brctl CMD_IFCONFIG=/sbin/ifconfig CMD_IPTABLES=/sbin/iptables CMD_ROUTE=/sbin/route NETWORK_BRIDGE_DEVICE_NAT=lxc-bridge HOST_NETDEVICE=eth0 PRIVATE_GW_NAT=192.168.42.1 PRIVATE_NETMASK=255.255.255.0 PUBLIC_IP=192.168.13.100 ${CMD_BRCTL} addbr ${NETWORK_BRIDGE_DEVICE_NAT} ${CMD_BRCTL} setfd ${NETWORK_BRIDGE_DEVICE_NAT} 0 ${CMD_IFCONFIG} ${NETWORK_BRIDGE_DEVICE_NAT} ${PRIVATE_GW_NAT} netmask ${PRIVATE_NETMASK} promisc up Therefore lxc network is 192.168.42.0/24 and the host eth0 ip is 192.168.13.100; setup via network manager as static address. iptables: *mangle :PREROUTING ACCEPT [0:0] :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] COMMIT *filter :FORWARD ACCEPT [0:0] :INPUT DROP [0:0] :OUTPUT ACCEPT [0:0] # Accept traffic from internal interfaces -A INPUT -i lo -j ACCEPT # accept traffic from lxc network -A INPUT -d 192.168.42.1 -s 192.168.42.0/24 -j ACCEPT # Accept internal traffic Make sure NEW incoming tcp connections are SYN # packets; otherwise we need to drop them: -A INPUT -p tcp ! --syn -m state --state NEW -j DROP # Packets with incoming fragments drop them. This attack result into Linux server panic such data loss. -A INPUT -f -j DROP # Incoming malformed XMAS packets drop them: -A INPUT -p tcp --tcp-flags ALL ALL -j DROP # Incoming malformed NULL packets: -A INPUT -p tcp --tcp-flags ALL NONE -j DROP # Accept traffic with the ACK flag set -A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT # Allow incoming data that is part of a connection we established -A INPUT -m state --state ESTABLISHED -j ACCEPT # Allow data that is related to existing connections -A INPUT -m state --state RELATED -j ACCEPT # Accept responses to DNS queries -A INPUT -p udp -m udp --dport 1024:65535 --sport 53 -j ACCEPT # Accept responses to our pings -A INPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT # Accept notifications of unreachable hosts -A INPUT -p icmp -m icmp --icmp-type destination-unreachable -j ACCEPT # Accept notifications to reduce sending speed -A INPUT -p icmp -m icmp --icmp-type source-quench -j ACCEPT # Accept notifications of lost packets -A INPUT -p icmp -m icmp --icmp-type time-exceeded -j ACCEPT # Accept notifications of protocol problems -A INPUT -p icmp -m icmp --icmp-type parameter-problem -j ACCEPT # Respond to pings, but limit -A INPUT -m icmp -p icmp --icmp-type echo-request -m state --state NEW -m limit --limit 6/s -j ACCEPT # Allow connections to SSH server -A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -m limit --limit 12/s -j ACCEPT COMMIT *nat :OUTPUT ACCEPT [0:0] :PREROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0] -A PREROUTING -d 192.168.13.100 -p tcp -m tcp --dport 2221 -m state --state NEW -m limit --limit 12/s -j DNAT --to-destination 192.168.42.11:22 -A PREROUTING -d 192.168.13.100 -p tcp -m tcp --dport 80 -m state --state NEW -m limit --limit 512/s -j DNAT --to-destination 192.168.42.11:80 -A PREROUTING -d 192.168.13.100 -p tcp -m tcp --dport 443 -m state --state NEW -m limit --limit 512/s -j DNAT --to-destination 192.168.42.11:443 -A POSTROUTING -d 192.168.42.0/24 -o eth0 -j SNAT --to-source 192.168.13.100 -A POSTROUTING -o eth0 -j MASQUERADE COMMIT sysctl: net.ipv4.conf.all.forwarding = 1 net.ipv4.conf.all.mc_forwarding = 0 net.ipv4.conf.default.forwarding = 1 net.ipv4.conf.default.mc_forwarding = 0 net.ipv4.ip_forward = 1 I've set up full iptables log on the container; none of the packets addressed to 192.168.13.100, port 80 is reaching the container. I've even tried different kernels ( server kernel, raring lts kernel, etc ), modprobe everything iptables & nat related, nothing. Any ideas?

  Read the article

• Is the TCP protocol good enough for real-time multiplayer games?

  - by kevin42

  Back in the day, TCP connections over dialup/ISDN/slow broadband resulted in choppy, laggy games because a single dropped packet resulted in a resync. That meant a lot of game developers had to implement their own reliability layer on top of UDP, or they used UDP for messages that could be dropped or received out of order, and used a parallel TCP connection for information that must be reliable. Given the average user has faster network connections now, can a real time game such as an FPS give good performance over a TCP connection?

  Read the article

• Help understanding linux/tcp.h

  - by Chris

  I'm learning to use raw sockets, and im trying to prase out the tcp header data, but i can't seem to figure out what res1, ece, and cwr are. Through my networking book and google i know what the rest stand for, but can't seem to find anything on those three. Below is the tcphdr struct in my includes area. Ive commented the parts a bit as i was figureing out what they stood for. struct tcphdr { __be16 source; __be16 dest; __be32 seq; __be32 ack_seq; #if defined(__LITTLE_ENDIAN_BITFIELD) _u16 res1:4, doff:4,//tcp header length fin:1,//final syn:1,//synchronization rst:1,//reset psh:1,//push ack:1,//ack urg:1,// urge ece:1, cwr:1; #elif defined(_BIG_ENDIAN_BITFIELD) __u16 doff:4,//tcp header length res1:4, cwr:1, ece:1, urg:1,//urge ack:1,//ack psh:1,//push rst:1,//reset syn:1,//synchronization fin:1;//final #else #error "Adjust your defines" #endif __be16 window; __sum16 check; __be16 urg_ptr; };

  Read the article

• Sharing a COM port over TCP

  - by guinness

  What would be a simple design pattern for sharing a COM port over TCP to multiple clients? For example, a local GPS device that could transmit co-ordinates to remote hosts in realtime. So I need a program that would open the serial port and accept multiple TCP connections like: class Program { public static void Main(string[] args) { SerialPort sp = new SerialPort("COM4", 19200, Parity.None, 8, StopBits.One); Socket srv = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp); srv.Bind(new IPEndPoint(IPAddress.Any, 8000)); srv.Listen(20); while (true) { Socket soc = srv.Accept(); new Connection(soc); } } } I would then need a class to handle the communication between connected clients, allowing them all to see the data and keeping it synchronized so client commands are received in sequence: class Connection { static object lck = new object(); static List<Connection> cons = new List<Connection>(); public Socket socket; public StreamReader reader; public StreamWriter writer; public Connection(Socket soc) { this.socket = soc; this.reader = new StreamReader(new NetworkStream(soc, false)); this.writer = new StreamWriter(new NetworkStream(soc, true)); new Thread(ClientLoop).Start(); } void ClientLoop() { lock (lck) { connections.Add(this); } while (true) { lock (lck) { string line = reader.ReadLine(); if (String.IsNullOrEmpty(line)) break; foreach (Connection con in cons) con.writer.WriteLine(line); } } lock (lck) { cons.Remove(this); socket.Close(); } } } The problem I'm struggling to resolve is how to facilitate communication between the SerialPort instance and the threads. I'm not certain that the above code is the best way forward, so does anybody have another solution (the simpler the better)?

  Read the article

• How to know the source of certain TCP traffic on AIX

  - by A.Rashad

  We have two AIX boxes, one for production system and another for testing. both systems are running ATM machine switches, where the ATM device is connected via TCP socket. we had an issue on production system where the machine would power off or get disconnected but the netstat -na | grep <IP of machine > would still mention that the socket is up when simulated that case on the UAT environment, the problem did not happen, where the socket would terminate in 3 to 5 minutes. when sniffed on the traffic between the machine and ATM we found that no traffic takes place on production while there is some sort of heartbeat on UAT. but it is not initiated by the application. $>tcpdump | grep -v "10.2.2.71" | grep -v "HSRP" | grep "10.3.1.30" tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on en6, link-type 1, capture size 96 bytes 09:08:13.323421 IP server073.afs3-callback > 10.3.1.30.impera: . 278204201:278204202(1) ack 3307884029 win 164 09:08:13.335334 IP 10.3.1.30.impera > server073.afs3-callback: . ack 1 win 64180 09:08:23.425771 IP 10.3.1.30.impera > server073.afs3-callback: . 1:2(1) ack 1 win 64180 09:08:23.425789 IP server073.afs3-callback > 10.3.1.30.impera: . ack 2 win 65535 09:09:13.628985 IP server073.afs3-callback > 10.3.1.30.impera: . 0:1(1) ack 1 win 164 09:09:13.633900 IP 10.3.1.30.impera > server073.afs3-callback: . ack 1 win 64180 09:09:23.373634 IP 10.3.1.30.impera > server073.afs3-callback: . 1:2(1) ack 1 win 64180 09:09:23.373647 IP server073.afs3-callback > 10.3.1.30.impera: . ack 2 win 65535 while on production, that traffic is not there. we want to know where this traffic is initiated from to implement on production to sense disconnection our comms parameters are: tcp_keepcnt = 2 tcp_keepidle = 100 tcp_keepinit = 150 tcp_keepintvl = 150 tcp_finwait2 = 1200 can anyone help? Editing Question: One point I missed because I was rushing to a meeting. the difference between the Production and UAT in setup is that in Production we have an application called F5 working as load balancer between the ATMs and the AIX box, while it is a direct connection through MPLS in case of UAT. note: we had one MPLS and one GPRS connected ATMs on UAT, and both connections terminated when unplugged in about 4 minutes Edit 2 the no -o tcp_timewait command returns 1 in both Production and UAT

  Read the article

• How to know the source of certain TCP traffic on AIX

  - by A.Rashad

  We have two AIX boxes, one for production system and another for testing. both systems are running ATM machine switches, where the ATM device is connected via TCP socket. we had an issue on production system where the machine would power off or get disconnected but the netstat -na | grep <IP of machine > would still mention that the socket is up when simulated that case on the UAT environment, the problem did not happen, where the socket would terminate in 3 to 5 minutes. when sniffed on the traffic between the machine and ATM we found that no traffic takes place on production while there is some sort of heartbeat on UAT. but it is not initiated by the application. $>tcpdump | grep -v "10.2.2.71" | grep -v "HSRP" | grep "10.3.1.30" tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on en6, link-type 1, capture size 96 bytes 09:08:13.323421 IP server073.afs3-callback > 10.3.1.30.impera: . 278204201:278204202(1) ack 3307884029 win 164 09:08:13.335334 IP 10.3.1.30.impera > server073.afs3-callback: . ack 1 win 64180 09:08:23.425771 IP 10.3.1.30.impera > server073.afs3-callback: . 1:2(1) ack 1 win 64180 09:08:23.425789 IP server073.afs3-callback > 10.3.1.30.impera: . ack 2 win 65535 09:09:13.628985 IP server073.afs3-callback > 10.3.1.30.impera: . 0:1(1) ack 1 win 164 09:09:13.633900 IP 10.3.1.30.impera > server073.afs3-callback: . ack 1 win 64180 09:09:23.373634 IP 10.3.1.30.impera > server073.afs3-callback: . 1:2(1) ack 1 win 64180 09:09:23.373647 IP server073.afs3-callback > 10.3.1.30.impera: . ack 2 win 65535 while on production, that traffic is not there. we want to know where this traffic is initiated from to implement on production to sense disconnection our comms parameters are: tcp_keepcnt = 2 tcp_keepidle = 100 tcp_keepinit = 150 tcp_keepintvl = 150 tcp_finwait2 = 1200 can anyone help?

  Read the article

• VirtualBox guest responds to ping but all ports closed in nmap

  - by jeremyjjbrown

  I want to setup a test database on a vm for development purposes but I cannot connect to the server via the network. I've got Ubuntu 12.04vm installed on 12.04 host in Virtualbox 4.2.4 set to - Bridged network mode - Promiscuous Allow All When I try to ping the virtual guest from any network client I get the expected result. PING 192.168.1.209 (192.168.1.209) 56(84) bytes of data. 64 bytes from 192.168.1.209: icmp_req=1 ttl=64 time=0.427 ms ... Internet access inside the vm is normal But when I nmap it I get nothin! jeremy@bangkok:~$ nmap -sV -p 1-65535 192.168.1.209 Starting Nmap 5.21 ( http://nmap.org ) at 2012-11-15 18:39 CST Nmap scan report for jeremy (192.168.1.209) Host is up (0.0032s latency). All 65535 scanned ports on jeremy (192.168.1.209) are closed Service detection performed. Please report any incorrect results at http://nmap.org/submit/ Nmap done: 1 IP address (1 host up) scanned in 0.88 seconds ufw and iptables on VM... jeremy@jeremy:~$ sudo service ufw stop [sudo] password for jeremy: ufw stop/waiting jeremy@jeremy:~$ sudo iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination I have scanned around and have no reason to believe that my router is blocking internal ports. jeremy@bangkok:~$ nmap -v 192.168.1.2 Starting Nmap 5.21 ( http://nmap.org ) at 2012-11-15 18:44 CST Initiating Ping Scan at 18:44 Scanning 192.168.1.2 [2 ports] Completed Ping Scan at 18:44, 0.00s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 18:44 Completed Parallel DNS resolution of 1 host. at 18:44, 0.03s elapsed Initiating Connect Scan at 18:44 Scanning 192.168.1.2 [1000 ports] Discovered open port 445/tcp on 192.168.1.2 Discovered open port 139/tcp on 192.168.1.2 Discovered open port 3306/tcp on 192.168.1.2 Discovered open port 80/tcp on 192.168.1.2 Discovered open port 111/tcp on 192.168.1.2 Discovered open port 53/tcp on 192.168.1.2 Discovered open port 5902/tcp on 192.168.1.2 Discovered open port 8090/tcp on 192.168.1.2 Discovered open port 6881/tcp on 192.168.1.2 Completed Connect Scan at 18:44, 0.02s elapsed (1000 total ports) Nmap scan report for 192.168.1.2 Host is up (0.0017s latency). Not shown: 991 closed ports PORT STATE SERVICE 53/tcp open domain 80/tcp open http 111/tcp open rpcbind 139/tcp open netbios-ssn 445/tcp open microsoft-ds 3306/tcp open mysql 5902/tcp open vnc-2 6881/tcp open bittorrent-tracker 8090/tcp open unknown Read data files from: /usr/share/nmap Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds Answer... Turns out all of the ports were open to the network. I installed open ssh and confirmed it. Then I edited my db conf to listen to external IP's and all was well.

  Read the article

• iptables : how to correctly allow incoming and outgoing traffic for certain ports?

  - by Rubytastic

  Im trying to get incoming and outgoing traffic to be enabled on specific ports, because I block everything at the end of the iptables rules. INPUT and FORWARD reject. What would be the appropiate way to open certain ports for all traffic incoming and outgoing? From docs I found below but one has to really define both lines? iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT I try to open ports for xmpp service and some other deamons running on server. Rules: *filter # Allow all loopback (lo0) traffic and drop all traffic to 127/8 that doesn't use lo0 -A INPUT -i lo -j ACCEPT -A INPUT -d 127.0.0.0/8 -j REJECT # Accept all established inbound connections -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # Allow all outbound traffic - you can modify this to only allow certain traffic -A OUTPUT -j ACCEPT # Allow HTTP # Prevent DDOS attacks (http://blog.bodhizazen.net/linux/prevent-dos-with-iptables/) # Disallow HTTPS -A INPUT -p tcp --dport 80 -m state --state NEW -m limit --limit 50/minute --limit-burst 200 -j ACCEPT -A INPUT -m state --state RELATED,ESTABLISHED -m limit --limit 50/second --limit-burst 50 -j ACCEPT -A INPUT -p tcp --dport 443 -j DROP # Allow SSH connections # The -dport number should be the same port number you set in sshd_config -A INPUT -p tcp -s <myip> --dport ssh -j ACCEPT -A INPUT -p tcp -s <myip> --dport 5984 -j ACCEPT -A INPUT -p tcp --dport ssh -j REJECT # Attempt to block portscans # Anyone who tried to portscan us is locked out for an entire day. -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP # Once the day has passed, remove them from the portscan list -A INPUT -m recent --name portscan --remove -A FORWARD -m recent --name portscan --remove # These rules add scanners to the portscan list, and log the attempt. -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:" -A INPUT -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j LOG --log-prefix "Portscan:" -A FORWARD -p tcp -m tcp --dport 139 -m recent --name portscan --set -j DROP # Stop smurf attacks -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP -A INPUT -p icmp -m icmp -j DROP # Drop excessive RST packets to avoid smurf attacks -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT # Don't allow pings through -A INPUT -p icmp -m icmp --icmp-type 8 -j DROP # Log iptables denied calls -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: " --log-level 7 # Reject all other inbound - default deny unless explicitly allowed policy -A INPUT -j REJECT -A FORWARD -j REJECT COMMIT

  Read the article

• Log with iptalbes which user is delivering email to port 25

  - by Maus

  Because we got blacklisted on CBL I set up the following firewall rules with iptables: #!/bin/bash iptables -A OUTPUT -d 127.0.0.1 -p tcp -m tcp --dport 25 -j ACCEPT iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --gid-owner mail -j ACCEPT iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner root -j ACCEPT iptables -A OUTPUT -p tcp -m tcp --dport 25 -m owner --uid-owner Debian-exim -j ACCEPT iptables -A OUTPUT -p tcp -m limit --limit 15/minute -m tcp --dport 25 -j LOG --log-prefix "LOCAL_DROPPED_SPAM" iptables -A OUTPUT -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-port-unreachable I'm not able to connect to port 25 from localhost with another user than root or a mail group member - So it seems to work. Still some questions remain: How effective do you rate this rule-set to prevent spam coming from bad PHP-Scripts hosted on the server? Is there a way to block port 25 and 587 within the same statement? Is the usage of /usr/sbin/sendmail also limited or blocked by this rule-set? Is there a way to log the username of all other attempts which try to deliver stuff to port 25?

  Read the article

• outlook iptables configuration

  - by mediaexpert

  I've a Debian mail server, but only the outlook users can't be able to download the emails. I've seen a lot of post about some kind of forwarding port configuration, I've tried some commands, but I don't be able to solve this problem, please help me. below INPUT and FORWARD iptables: Chain INPUT (policy DROP 20 packets, 1016 bytes) pkts bytes target prot opt in out source destination 60833 16M ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:143 state NEW,ESTABLISHED 18970 971K ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:110 state NEW,ESTABLISHED Chain FORWARD (policy DROP 0 packets, 0 bytes) pkts bytes target prot opt in out source destination 0 0 ACCEPT tcp -- * * 192.168.0.0/24 0.0.0.0/0 tcp dpt:110 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT tcp -- * * 192.168.1.0/24 0.0.0.0/0 tcp dpt:110 0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:25 0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:110

  Read the article

• How to configure iptables to use apt-get in a server?

  - by segaco

  I'm starting using iptables (newbie) to protect a linux server (specifically Debian 5.0). Before I configure the iptables settings, I can use apt-get without a problem. But after I configure the iptables, the apt-get stop working. For example I use this script in iptables: #!/bin/sh IPT=/sbin/iptables ## FLUSH $IPT -F $IPT -X $IPT -t nat -F $IPT -t nat -X $IPT -t mangle -F $IPT -t mangle -X $IPT -P INPUT DROP $IPT -P OUTPUT DROP $IPT -P FORWARD DROP $IPT -A INPUT -i lo -j ACCEPT $IPT -A OUTPUT -o lo -j ACCEPT $IPT -A INPUT -p tcp --dport 22 -j ACCEPT $IPT -A OUTPUT -p tcp --sport 22 -j ACCEPT $IPT -A INPUT -p tcp --dport 80 -j ACCEPT $IPT -A OUTPUT -p tcp --sport 80 -j ACCEPT $IPT -A INPUT -p tcp --dport 443 -j ACCEPT $IPT -A OUTPUT -p tcp --sport 443 -j ACCEPT # Allow FTP connections @ port 21 $IPT -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT $IPT -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT # Allow Active FTP Connections $IPT -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT $IPT -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT # Allow Passive FTP Connections $IPT -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT $IPT -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT #DNS $IPT -A OUTPUT -p udp --dport 53 --sport 1024:65535 -j ACCEPT $IPT -A INPUT -p tcp --dport 1:1024 $IPT -A INPUT -p udp --dport 1:1024 $IPT -A INPUT -p tcp --dport 3306 -j DROP $IPT -A INPUT -p tcp --dport 10000 -j DROP $IPT -A INPUT -p udp --dport 10000 -j DROP then when I run apt-get I obtain: core:~# apt-get update 0% [Connecting to ftp.us.debian.org] [Connecting to security.debian.org] [Conne and it stalls. What rules I need to configure to make it works. Thanks

  Read the article

• Iptables - forward email ports?

  - by Emmet Brown

  im trying to open some local ports (LAN) and then re-direct them to another server (WAN) using iptables. Here is my config: #WAN allow-hotplug eth1 auto eth1 iface eth1 inet static #Tarjeta red WAN address 192.168.2.2 gateway 192.168.2.1 netmask 255.255.255.0 #LAN allow-hotplug eth0 auto eth0 iface eth0 inet static address 192.168.16.6 netmask 255.255.255.0 network 192.168.16.0 broadcast 192.168.16.255 I try this: iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 110 -j DNAT --to 200.40.30.218:110 iptables -A FORWARD -p tcp -i eth0 -o eth1 -d 200.40.30.218 --dport 110 -j ACCEPT iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 25 -j DNAT --to 200.40.30.218:25 iptables -A FORWARD -p tcp -i eth0 -o ethq -d 200.40.30.218 --dport 25 -j ACCEPT but, it did not work. i also try changeing eth0 to eth1 (and eth1 to eth0) but nothing happened. Starting Nmap 5.00 ( http://nmap.org ) at 2011-10-03 14:44 UYST Interesting ports on 192.168.16.6: Not shown: 997 closed ports PORT STATE SERVICE 22/tcp open ssh 111/tcp open rpcbind 8080/tcp open http-proxy Im running debian. Can u guys help me to check what is happening? edit: IPTABLES-SAVE # Generated by iptables-save v1.4.8 on Mon Oct 3 15:43:14 2011 *mangle :PREROUTING ACCEPT [139993:77867651] :INPUT ACCEPT [139385:77761761] :FORWARD ACCEPT [186:12071] :OUTPUT ACCEPT [173556:74341650] :POSTROUTING ACCEPT [173734:74352988] COMMIT # Completed on Mon Oct 3 15:43:14 2011 # Generated by iptables-save v1.4.8 on Mon Oct 3 15:43:14 2011 *nat :PREROUTING ACCEPT [1649:190626] :POSTROUTING ACCEPT [6729:339646] :OUTPUT ACCEPT [6697:337660] -A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 200.40.30.218:110 -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 200.40.30.218:25 COMMIT # Completed on Mon Oct 3 15:43:14 2011 # Generated by iptables-save v1.4.8 on Mon Oct 3 15:43:14 2011 *filter :INPUT ACCEPT [138307:77066136] :FORWARD ACCEPT [168:11207] :OUTPUT ACCEPT [172288:73655708] -A FORWARD -d 200.40.30.218/32 -i eth0 -o eth1 -p tcp -m tcp --dport 110 -j ACCEPT -A FORWARD -d 200.40.30.218/32 -i eth0 -o ethq -p tcp -m tcp --dport 25 -j ACCEPT COMMIT # Completed on Mon Oct 3 15:43:14 2011 Regards

  Read the article

• Issues with forwarding Iptables

  - by Ricardo Rios

  I have some issues with my redirectioning lines on iptables, it seems it does not work, any help will be appreciated iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE echo 1 > /proc/sys/net/ipv4/ip_forward iptables -t nat -A POSTROUTING -s 192.168.2.0/24 -o eth0 -j SNAT --to 10.10.10.1 iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 10.10.10.1:8080 iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080 iptables -t nat -A PREROUTING -d 200.59.189.125 -p tcp --dport 8081 -j DNAT --to 192.168.2.51:8081 iptables -t nat -A PREROUTING -d 200.59.189.125 -p tcp --dport 34551 -j DNAT --to 192.168.2.51:8081 iptables -t nat -A PREROUTING -d 200.59.189.125 -p tcp --dport 8082 -j DNAT --to 192.168.2.52:8082 iptables -t nat -A PREROUTING -d 200.59.189.125 -p tcp --dport 34552 -j DNAT --to 192.168.2.52:8082 iptables -t nat -A PREROUTING -d 200.59.189.125 -p tcp --dport 8083 -j DNAT --to 192.168.2.53:8083 iptables -t nat -A PREROUTING -d 200.59.189.125 -p tcp --dport 34553 -j DNAT --to 192.168.2.53:8083 iptables -t nat -A PREROUTING -d 200.59.189.125 -p tcp --dport 8084 -j DNAT --to 192.168.2.54:8084 iptables -t nat -A PREROUTING -d 200.59.189.125 -p tcp --dport 34554 -j DNAT --to 192.168.2.54:8084 iptables -t nat -A PREROUTING -d 200.59.189.125 -p tcp --dport 8085 -j DNAT --to 192.168.2.55:8085 iptables -t nat -A PREROUTING -d 200.59.189.125 -p tcp --dport 34555 -j DNAT --to 192.168.2.55:80 echo Ejecutadas Reglas del Firewall

  Read the article

• cannot send emails to other Web servers

  - by developer

  I'm trying to limit my server's open ports in CSF. The IPv4 port settings include: # Allow incoming TCP ports TCP_IN = "22,25,53,80,110,143,443,587,3654,53343” # Allow outgoing TCP ports TCP_OUT = "22,53,80,113,443,465,995,3654" # Allow incoming UDP ports UDP_IN = "53" # Allow outgoing UDP ports # To allow outgoing traceroute add 33434:33523 to this list UDP_OUT = "53,113,123" As you see, I have port 25 open in TCP_IN but have removed it from TCP_OUT. The reason is I wanted to have my mails transmitted over smtps, so I have port 465 opened instead in TCP_OUT. Since I am using Rouncube in Directpanel, I have also set the following in Rouncube's config.inc.php: $config['default_host'] = 'ssl://mail.mydomain.com'; $config['smtp_server'] = 'ssl://mail.mydomain.com'; $config['smtp_port'] = 465; However, when I remove port 25 from TCP_OUT, I no longer can send mails, say, to gmail, though I can send mails to own. But I can receive all mails. Please let me know if I need to make any further changes. Do I need to disable port 25 at all, to have my mails sent via ssl. Thanks

  Read the article

• python reports socket in use, netstat and others claim its not

  - by captainmish

  We have a strange socket issue with a RHES3 box: Python 2.4.1 (#1, Jul 5 2005, 19:17:11) [GCC 3.2.3 20030502 (Red Hat Linux 3.2.3-52)] Type "help", "copyright", "credits" or "license" for more information. >>> import socket >>> s = socket.socket() >>> s.bind(('localhost',12351)) Traceback (most recent call last): File "<stdin>", line 1, in ? File "<string>", line 1, in bind socket.error: (98, 'Address already in use') This seems normal, lets see what has that socket: # netstat -untap | grep 12351 {no output} # grep 12351 /proc/net/tcp {no output} # lsof | grep 12351 {no output} # fuser -n tcp 12351 {no output, repeating the python test fails again} # nc localhost 12351 {no output} # nmap localhost 12351 {shows port closed} Other high ports work fine (eg 12352 works) Is there something magic about this port? Is there somewhere else I can look? Where does python find out that socket is in use that netstat doesnt know about? Any other way I can find out what/if that socket is?

  Read the article

• Using multiple distinct TCP security binding configurations in a single WCF IIS-hosted WCF service a

  - by Sandor Drieënhuizen

  I have a set of IIS7-hosted net.tcp WCF services that serve my ASP.NET MVC web application. The web application is accessed over the internet. WCF Services (IIS7) <--> ASP.NET MVC Application <--> Client Browser The services are username authenticated, the account that a client (of my web application) uses to logon ends up as the current principal on the host. I want one of the services to be authenticated differently, because it serves the view model for my logon view. When it's called, the client is obviously not logged on yet. I figure Windows authentication serves best or perhaps just certificate based security (which in fact I should use for the authenticated services as well) if the services are hosted on a machine that is not in the same domain as the web application. That's not the point here though. Using multiple TCP bindings is what's giving me trouble. I tried setting it up like this: <bindings> <netTcpBinding> <binding> <security mode="TransportWithMessageCredential"> <message clientCredentialType="UserName"/> </security> </binding> <binding name="public"> <security mode="Transport"> <message clientCredentialType="Windows"/> </security> </binding> </netTcpBinding> </bindings> The thing is that both bindings don't seem to want live together in my host. When I remove either of them, all's fine but together they produce the following exception on the client: The requested upgrade is not supported by 'net.tcp://localhost:8081/Service2.svc'. This could be due to mismatched bindings (for example security enabled on the client and not on the server). In the server trace log, I find the following exception: Protocol Type application/negotiate was sent to a service that does not support that type of upgrade. Am I looking into the right direction or is there a better way to solve this?

  Read the article

< Previous Page | 16 17 18 19 20 21 22 23 24 25 26 27  | Next Page >