Search Results

Search found 1249 results on 50 pages for 'iptables'.

Page 24/50 | < Previous Page | 20 21 22 23 24 25 26 27 28 29 30 31  | Next Page >

  • Managed hosting firewall vs managing own firewall

    - by ddawber
    I posted on stackoverflow as to the overall benefits of managed hosting vs non-managed hosting. The more I think about it, it seems to boil down to one question: should I use a managed host because they take care of the firewall, or would I be okay managing my own, software firewall? The sites on the box do get quite a lot of traffic but as for throughput and what-not, it's not something I know much about. Ideally, i'd take my sites over to a Linode stack and manage incoming connections using iptables or an alternative. Here are some example hardware solutions a managed host would provide: Cisco Pix 501, Pix 506, Pix 515 and ASA 5505 and ASA 5510 Firewalls, configurable in a control panel the likes of an enterprise firewall such as FortiGate 110C Aside from this, I do not need managed hosting, so I appreciate your suggestions.

    Read the article

  • DHCP Client Can't Find DHCP Server

    - by leeman24
    I currently have 3 machines: CentOS (router) eth1 - 18.0.168.1 eth2 - 145.165.34.1 Windows Server 2008 (server) 18.0.168.2 DHCP scope - 145.165.34.10 - 145.165.34.20 Windows 7 (client) Supposed to use DHCP I can't get my Windows 7 client to get an address from the Windows Server 2008 DHCP server. Every network interface can ping each other (ex. 18.0.168.2 can ping 18.0.168.1 & 145.165.34.1 and the other way around). My Linux machine acting as the router has default IP tables. Other than this command which may or may not be right: iptables -I INPUT -p udp -d 18.0.168.2 --dport 67:68 -j ACCEPT I have also tried it after I flushed the IP tables. I was looking at the dhcrelay command but it seems CentOS doesn't have it and I am not even sure how to use it.

    Read the article

  • HTTP through a proxy server is not allowed

    - by jidma
    When I try to connect to my Tomcat server on http://<servername>:8080 it works fine, but from another ISP provided it gives the following error: HTTP through a proxy server is not allowed. Some ISP apparently don't allow http over the port 8080, as they think the client uses a proxy. I also have a httpd running on port 80 for my website. So in order to avoid the proxy error, I would like to make to following routing: If the user connects to http://<servername>, then the website is served via apache. If the user connects to http://<servername>/AppName, then the port is rerouted to 8080, without the client (or his ISP) knowing. Is that possible (using iptables or something else) ? Thank you

    Read the article

  • SSH via DHCP server

    - by SFault
    I have a DHCP server setup and I can't seem to connect to anything through SSH. When I'm logged in to the server itself, I can SSH. But when I connect any machine to the DHCP server, that machine can SSH but every server I SSH to asks for a password when the normal behavior (when not connected to the DHCP server) does not. Here are the contents of my iptables script that are related to port 22. $IPT -t nat -A PREROUTING -i $LAN -p tcp --dport 22 -j REDIRECT --to-port 22 $IPT -A FORWARD -i $LAN -p tcp --dport 22 -j ACCEPT $IPT -A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT $IPT -A INPUT -i $WAN -p tcp --dport 22 -j ACCEPT $IPT -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT $IPT -A INPUT -i $LAN -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT Am I missing something?

    Read the article

  • Rate limit a wireless interface

    - by Jamie Hankins
    I have access to my routers SSH and IPTables. I want to rate limit my guest network to 1Mb/s so they can't guzzle my bandwidth. rai1 RTWIFI SoftAP ESSID:"GuestNetwork" Nickname:"" Mode:Managed Channel=6 Access Point: :F9 Bit Rate=300 Mb/s wdsi0 RTWIFI SoftAP ESSID:"YouCan'tTouchThis" Nickname:"" Mode:Managed Channel=6 Access Point: :F8 Bit Rate=300 Mb/s wdsi1 RTWIFI SoftAP ESSID:"YouCan'tTouchThis" Nickname:"" Mode:Managed Channel=6 Access Point: :F9 Bit Rate=300 Mb/s wdsi2 RTWIFI SoftAP ESSID:"YouCan'tTouchThis" Nickname:"" Mode:Managed Channel=6 Access Point: Not-Associated Bit Rate:300 Mb/s wdsi3 RTWIFI SoftAP ESSID:"YouCan'tTouchThis" Nickname:"" Mode:Managed Channel=6 Access Point: Not-Associated Bit Rate:300 Mb/s I'm just wondering the command I need to limit it. I tried the iwconfig limit command but it failed. Thanks

    Read the article

  • How to test if SYN and FIN are both dropped at the same time in hping3?

    - by snow
    One of the rules to prevent unexpected attack is to prevent SYN & FIN being used together. SYN and FIN are both set $IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP How do I use hping to test if this iptable rule works? hping3 192.168.7.0 --keep -S -F??? Is this complete? When just type iptables -L, it shows: Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere DROP tcp -- anywhere anywhere tcp flags:FIN,SYN/FIN,SYN WHY do I need to put the "SYN,FIN" twice before drop? Is it because one for source and one for destination?

    Read the article

  • Anyone else being hit by traffic on TCP port 11370

    - by Jakub
    I've been watching my logs (Ubuntu 9.10 server) and dunno about any of you but I am getting a ton of traffic from sources like Russia, Romania, etc.. on port 11370 (my iptables are logndrop'ing it. But was just curious). Some googling revealed this info: http://www.keysigning.org/sks/ -which seems to use port 11370 & 11371 Could that be the service they are scanning for (i don't run it)? ICS shows this: https://isc.incidents.org/port.html?port=11370 Just curious what you guys think and if anyone has seen this before? If need be I can post my log on here, but its just a dropped log of TCP port 11370 from various IPs. Thought it was strange as thats the ONLY Port I seem to repeatedly be hit on (from logs). I'm running on a Linode (VPS) if that matters to annyone.

    Read the article

  • Broadcast UDP over VPN

    - by ibmz
    I have OpenVPN configured and have 5 dd-wrt router clients. I would like the machines on those routers to be-able to UDP Broadcast across all 5 networks. I cannot bridge the interfaces(to my knowledge) because each router needs to be able to operate on its own should the VPN connection die (dhcp needs to work). currently each router has its own /24 (eg 192.168.1.x) network. Is there a way to use IPTables to mangle the udp and forward them to all VPN Clients? To summarize i need 1)to UDP broadcast to all routers and their clients 2)for all routers to be able to operate independently should the VPN go down

    Read the article

  • Rate-Limit affects All clients or single IP?

    - by Asad Moeen
    Well up-til now I've considered iptables rate-limit commands with the "recent" module to work for each IP Address. For example rate-limit rule of 20k/s will trigger only if a single IP exceeds 20k/s rate and not if 4 different IPs exceed 5k/s rate. Please correct me if I considered this wrong as I've only used these rules for TCP/ UDP. But today I tried similar rules for ICMP and applied 4/s Input/Output. But then on trying to ping-test from just-ping.com I could see packet loss on almost all IP Addresses. How could that happen because if it worked for each IP Address then it wouldn't be triggering the rule because I believe each IP from just-ping has a rate of probably 1/s. I still think the first one is true because if it wasn't then my GameServer would block everyone if the combined rate ( in case of more connected players ) increased the threshold. This hasn't happened up til now so the ICMP thing really confused me. Thank you.

    Read the article

  • Separating two networks

    - by Farhan Ali
    I have two routers, R1 and R2. R1 (a stock linksys router running dd-wrt) is connected to internet and is serving internet to a network of 5 devices/PCs running a DHCP server, with a network of 192.168.1.0/24. R1 also serves internet services to R2. R2 (a ubuntu server 12.04) gets internet from R1. R2 has 3 PCs attached to it, runs a DHCP server with a network of 172.22.22.0/24. My requirement is that the clients on both sides should not talk to each other at all – with the exception that R1 clients may access the R2 router through its IP of 192.168.1.x. At the moment, R2 clients are able to ping R1 clients, which is unacceptable, whereas R1 clients cannot ping R2 clients, which is OK. I believe iptables could be set up but I don't know how.

    Read the article

  • Specific IP routing for VPN

    - by Roy
    Is there a way that I can prevent an entire subnet from using internal routing. The VPN server is supposed to be a way to access the company's intranet websites for some people, while for others it is supposed to do routing to the outside only and therefore not having access to any internal websites. The VPN server has a DNS on the actual server but not all should be using this DNS. Some of the users should be directly sent out of the server to the internet. Example: 10.0.0.1 is the DNS on the server, gateway for the VPN 10.0.0.2 is a user (A) on the VPN having access to the intranet websites (subnet is 10.0.0.0/25) 10.0.0.192 is a user (B) only needing routing and no access to intranet websites (subnet is 10.0.0.192/26) All traffic of user B should be directly rerouted out of the server. I have tried several iptables but without success.

    Read the article

  • SSH not working over IPSec tunnel (Strongswan)

    - by PattPatel
    I configured a small network on a cloud virtual machine. This virtual machine has a static IP address assigned to eth0 interface that I'll call $EXTIP. mydomain.com points to $EXTIP. Inside, I have some linux containers, that get their ip through DHCP in the Subnet 10.0.0.0/24 (i called the virtual interface nat ). They run some services that can be reached through DNAT. Then I wanted to connect to these containers through an IPSec tunnel, so I configured StrongSwan. ipsec.conf: conn %default dpdaction=none rekey=no conn remote keyexchange=ikev2 ike=######## left=[$EXTIP] leftsubnet=10.0.1.0/24,10.0.0.0/24 leftauth=pubkey lefthostaccess=yes leftcert=########.pem leftfirewall=yes leftid="#########" right=%any rightsourceip=10.0.1.0/24 rightauth=######## rightid=%any rightsendcert=never eap_identity=%any auto=add type=tunnel Everything works fine, IPSec clients get IPs of the 10.0.1.0/24 subnet and can reach the containers subnet. My problem is that I'm not able to get SSH connections over the tunnel. It simply does not work, ssh client does not produce any output. Sniffing with tcpdump gives: tcpdump: 09:50:29.648206 ARP, Request who-has 10.0.0.1 tell mydomain.com, length 28 09:50:29.648246 ARP, Reply 10.0.0.1 is-at 00:ff:aa:00:00:01 (oui Unknown), length 28 09:50:29.648253 IP mydomain.com.54869 > 10.0.0.1.ssh: Flags [S], seq 4007849772, win 29200, options [mss 1460,sackOK,TS val 1151153 ecr 0,nop,wscale 7], length 0 09:50:29.648296 IP 10.0.0.1.ssh > 10.0.1.2.54869: Flags [S.], seq 2809522632, ack 4007849773, win 14480, options [mss 1460,sackOK,TS val 11482992 ecr 1151153,nop,wscale 6], length 0 09:50:29.677225 IP mydomain.com.54869 > 10.0.0.1.ssh: Flags [.], ack 2809522633, win 229, options [nop,nop,TS val 1151162 ecr 11482992], length 0 09:50:29.679370 IP mydomain.com.54869 > 10.0.0.1.ssh: Flags [P.], seq 0:23, ack 1, win 229, options [nop,nop,TS val 1151162 ecr 11482992], length 23 09:50:29.679403 IP 10.0.0.1.ssh > 10.0.1.2.54869: Flags [.], ack 24, win 227, options [nop,nop,TS val 11483002 ecr 1151162], length 0 09:50:29.684337 IP 10.0.0.1.ssh > 10.0.1.2.54869: Flags [P.], seq 1:32, ack 24, win 227, options [nop,nop,TS val 11483003 ecr 1151162], length 31 09:50:29.685471 IP 10.0.0.1.ssh > 10.0.1.2.54869: Flags [.], seq 32:1480, ack 24, win 227, options [nop,nop,TS val 11483003 ecr 1151162], length 1448 09:50:29.685519 IP mydomain.com > 10.0.0.1: ICMP mydomain.com unreachable - need to frag (mtu 1422), length 556 09:50:29.685567 IP 10.0.0.1.ssh > 10.0.1.2.54869: Flags [.], seq 32:1402, ack 24, win 227, options [nop,nop,TS val 11483003 ecr 1151162], length 1370 09:50:29.685572 IP 10.0.0.1.ssh > 10.0.1.2.54869: Flags [.], seq 1402:1480, ack 24, win 227, options [nop,nop,TS val 11483003 ecr 1151162], length 78 09:50:29.714601 IP mydomain.com.54869 > 10.0.0.1.ssh: Flags [.], ack 32, win 229, options [nop,nop,TS val 1151173 ecr 11483003], length 0 09:50:29.714642 IP 10.0.0.1.ssh > 10.0.1.2.54869: Flags [P.], seq 1480:1600, ack 24, win 227, options [nop,nop,TS val 11483012 ecr 1151173], length 120 09:50:29.723649 IP mydomain.com.54869 > 10.0.0.1.ssh: Flags [P.], seq 1393:1959, ack 32, win 229, options [nop,nop,TS val 1151174 ecr 11483003], length 566 09:50:29.723677 IP 10.0.0.1.ssh > 10.0.1.2.54869: Flags [.], ack 24, win 227, options [nop,nop,TS val 11483015 ecr 1151173,nop,nop,sack 1 {1394:1960}], length 0 09:50:29.725688 IP mydomain.com.54869 > 10.0.0.1.ssh: Flags [.], ack 1480, win 251, options [nop,nop,TS val 1151177 ecr 11483003], length 0 09:50:29.952394 IP 10.0.0.1.ssh > 10.0.1.2.54869: Flags [P.], seq 1480:1600, ack 24, win 227, options [nop,nop,TS val 11483084 ecr 1151173,nop,nop,sack 1 {1394:1960}], length 120 09:50:29.981056 IP mydomain.com.54869 > 10.0.0.1.ssh: Flags [.], ack 1600, win 251, options [nop,nop,TS val 1151253 ecr 11483084,nop,nop,sack 1 {1480:1600}], length 0 If you need it this is my iptables configuration file: iptables: *filter :INPUT ACCEPT [144:9669] :FORWARD DROP [0:0] :OUTPUT ACCEPT [97:15649] :interfacce-trusted - [0:0] :porte-trusted - [0:0] -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -A FORWARD -j interfacce-trusted -A FORWARD -j porte-trusted -A FORWARD -j REJECT --reject-with icmp-host-unreachable -A FORWARD -d 10.0.0.1/32 -p tcp -m tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A FORWARD -d 10.0.0.1/32 -p tcp -m tcp --dport 443 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A FORWARD -d 10.0.0.3/32 -p tcp -m tcp --dport 1234 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT -A interfacce-trusted -i nat -j ACCEPT -A porte-trusted -d 10.0.0.1/32 -p tcp -m tcp --dport 80 -j ACCEPT -A porte-trusted -d 10.0.0.1/32 -p tcp -m tcp --dport 443 -j ACCEPT -A porte-trusted -d 10.0.0.3/32 -p tcp -m tcp --dport 1234 -j ACCEPT COMMIT *nat :PREROUTING ACCEPT [10:600] :INPUT ACCEPT [10:600] :OUTPUT ACCEPT [4:268] :POSTROUTING ACCEPT [18:1108] -A PREROUTING -d [$EXTIP] -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.1:80 -A PREROUTING -d [$EXTIP] -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.1:443 -A PREROUTING -d [$EXTIP] -p tcp -m tcp --dport 8069 -j DNAT --to-destination 10.0.0.3:1234 -A POSTROUTING -s 10.0.0.0/24 -o eth0 -m policy --dir out --pol ipsec -j ACCEPT -A POSTROUTING -s 10.0.1.0/24 -o nat -j MASQUERADE -A POSTROUTING -s 10.0.0.0/24 -o eth0 -j MASQUERADE COMMIT Probably I'm missing something stupid... Thanks in advance for helping :))

    Read the article

  • How can I restrict SSH access when the source IP is dynamic

    - by Supratik
    Hi I want to protect SSH access to our live web server from all IP's except our office static IP. There are some employees who connects to this live server from their dynamic IP's. So, it is not always possible for me to change in the iptables rule in live server whenever the dynamic IP of the employee changes. I tried to put them in office VPN and allowed only SSH access from office IP but the office connection is slow in compared to our employee's private internet connection, moreover it adds an extra overhead to our office network. Is there any way I can solve this problem ?

    Read the article

  • squid transparent proxy on all ports

    - by Yves Richard
    I have setup squid as a transparent proxy by redirecting port 80 to the native squid port 3128. I know there are issues with getting secure ports like ssl and imaps to go though the proxy but can I redirect all other ports through the proxy as well. I am trying to get a better idea of bandwidth usage. I have setup iptables to log usage and i am getting most traffic going into the related/established rule. I am trying to determine the origins of this traffic by sending traffic to squid for more detailed logging.

    Read the article

  • monitor just what's going on -on a firewall

    - by bbutle01
    I have this little snapgear firewall. It's a little purpose built box running a custom linux, SH4 processor @240 Mhz, 64MB of ram. Basically how close we are to capacity is a mystery to me. I know I can run top and see the status of all the processes, but how can I see just how much of the processor is going to passing data... and how to estimate when I'm going to need to upgrade, and by tweaking iptables rules, how does that help/hurt the processor. suggestions?

    Read the article

  • Routing application traffic through specific interface

    - by UnicornsAndRainbows
    Hello All! First question here, so please go easy: I have a debian linux 5.0 server with two public interfaces. I would like to route outbound traffic from one instance of an application via one interface and the second instance through the second interface. There are some challenges: both instances of the application use the same protocol both instances of the application can access the entire internet (can't route based on dest network) I can't change the code of the application I don't think a typical approach to load balancing all traffic is going to work well, because there are relatively few destination servers being accessed in the outbound traffic, and all traffic would really need to be distributed pretty evenly across these relatively few servers. I could probably run two virtualized servers on the box and bind each of them to a different external ip, but I'm looking for a simpler solution, maybe using iproute or iptables? Any ideas for me? Thanks in advance - and I'm happy to answer any questions.

    Read the article

  • I need to somehow change my ip address

    - by tric
    hello. i`m in a lan using iptables/masquerade. what i want to do, is to login in a web application.i write my user and passwd and click login and everything is fine, but if i try to modify something in that aplication it tells me that i have a wrong ip address.i knwo for sure that this app only allows ip 10.3.x.x .how can i trick that application to think that i have an ip from class 10.3.x.x and not my wan ip? 10x sorry for my bad english!

    Read the article

  • Forwarding broadcast traffic

    - by Dragos
    I have a host that receives broadcast queries on a UDP port. I would like to forward this broadcast traffic to another host from another network. Is it possible to port forwarding broadcast traffic using iptables? I have tried to specify package traffic as broadcast, but I didn't success. (-m pkttype --pkt-type broadcast). If I recive unicast traffic on that port, the forwarding succeeds. I try to forwarding using nat table.(-A POSTROUTING -j DNAT --to-destinatiox x.x.x.x) Thanks.

    Read the article

  • How do I stop someone from saturating my line & wasting CPU cycles

    - by JoshRibs
    My web host shows inbound & outbound traffic with mrtg. I have a steady 3.5mbps inbound traffic from Nigeria. Even assuming the source IPs & destination ports are blocked with Iptables & verifying nothing is listening on those ports, will the traffic still always pass through the switch & "get" to my server (where my server wastes CPU cycles "dropping" the packets)? Assuming I was setup with a hardware firewall, the traffic would still show in mrtg assuming the firewall is behind the switch? So is there any way to stop someone from saturating your 100mbps line, if they also have a 100mbps line? Other than filing an abuse complaint with the kind folks in Nigeria?

    Read the article

  • HUGE MAC FILTER and scripting

    - by user195917
    I make an dhcp server on CentOS, and i apply a mac filter for my clients. Now, with a small number of clients (max 10) ,is not that hard, but what I will do with 2000 clients? My idea was to create a list (ex. "macfilter.lst") and this list, to be updated after a database. I have tow questions. First: How do i create a filter in IPTABLES that takes info`s from a file (file hosted on server) Second: Any idea about how to write a script, that update a file after a database?? Thanks so much for your help.

    Read the article

  • virtualbox port forwarding - firewall config

    - by Roose
    i have a ubuntu host system with virtualbox running a windows server. In Virtualbox i have configured the network with a NAT interface and port forwarding for the RDP deamon running inside the vm. That works really well - i can connect to the windows rdp service over the internet. TCP *:3389 - *:3389 Now i like to restrict the access to the rdp service to only 3 public ip addresses and have no idea how to do that via iptables / shorewall. Something like: ACCEPT net:91.x.x.x fw tcp 3389 (shorewall rule) isn't working. Would be glad for any hint.

    Read the article

  • NATing with a single-homed machine possible?

    - by Harry
    I have the following setup: a) a single-homed machine, A, that can see the Internet. b) other machines B, C, and D that cannot see the Internet. c) A, B, C, and D can see each other. d) all machines are running either RHEL 5.3 or Fedora 16. Question: Is it possible to have B, C, and D share the Internet connection with A somehow? Note, again, that machine A does not have a second NIC installed. (The solutions that I am finding on the Net assume A to be a dual-homed system!) Also, could you please recommend a set of book(s) or online resources for a current and in-depth coverage of iptables for people with only a basic knowledge of TCP/IP?

    Read the article

  • Binding services to localhost and using SSH tunnels - can requests be forged?

    - by Martin
    Given a typical webserver, with Apache2, common PHP scripts and a DNS server, would it be sufficient from a security perspective to bind administration interfaces like phpmyadmin to localhost and access it via SSH tunnels? Or could somebody, who knew eg. that phpmyadmin (or any other commonly availible script) is listening at a certain port on localhost easily forge requests that would be executed if no other authentication was present? In other words: could somebody from somewhere in the internet easily forge a request, so that the webserver would accept it, thinking it originated from 127.0.0.1 if the server is listening on 127.0.0.1 only? If there were a risk, could it be somehow dealt with on a lower level than the application, eg. by using iptables? The idea being, that if someone found a weakness in a php script or apache, the network would still block this request because it did not arrive via a SSH-tunnel?

    Read the article

  • Is it possible to know a user logged in on Ubuntu instantly?

    - by Mustafa Orkun Acar
    In fact, I am trying to restrict access to some websites for different users. I asked the question: Restrict access to some websites for different users. The given answer is ok; but as the owner of answer says, it works if users are locally logged in. That is; if the user logs out and logs in, restrictions are no more valid. So, I decided to run a script including the iptables commands for restrictions at every log in event. I want to know whether it is possible to know instantly the user logs in.

    Read the article

  • Forward public port to localhost

    - by Dan
    I have a process running on my Ubuntu 12.04 server that insists on binding to a public IP address. I only want it accessible from localhost, and NOT the outside world. I've been trying to work out a way to forward 1.2.3.4:8888 to 127.0.0.1:8888. I saw something about iptables not wanting to forward connections to loopback, and I haven't been able to make it work with xinetd either. It's also important that the connection not only be available on localhost, but be inaccessible on the interface it's trying to run on. Is this even possible?

    Read the article

< Previous Page | 20 21 22 23 24 25 26 27 28 29 30 31  | Next Page >