Search Results

Search found 1249 results on 50 pages for 'iptables'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 28/50 | < Previous Page | 24 25 26 27 28 29 30 31 32 33 34 35  | Next Page >

  • firehol (firewall) with bridge: how to filter

    - by Leon
    I have two interfaces: eth0 (public address) and lxcbr0 with 10.0.3.1. I have a LXC guest running with ip 10.0.3.10 This is my firehol config: version 5 trusted_ips=`/usr/local/bin/strip_comments /etc/firehol/trusted_ips` trusted_servers=`/usr/local/bin/strip_comments /etc/firehol/trusted_servers` blacklist full `/usr/local/bin/strip_comments /etc/firehol/blacklist` interface lxcbr0 virtual policy return server "dhcp dns" accept router virtual2internet inface lxcbr0 outface eth0 masquerade route all accept interface any world protection strong #Outgoing these protocols are allowed to everywhere client "smtp pop3 dns ntp mysql icmp" accept #These (incoming) services are available to everyone server "http https smtp ftp imap imaps pop3 pop3s passiveftp" accept #Outgoing, these protocols are only allowed to known servers client "http https webcache ftp ssh pyzor razor" accept dst "${trusted_servers}" On my host I can connect only to "trusted servers" on port 80. In my guest I can connect to port 80 on every host. I assumed that firehol would block that. Is there something I can add/change so that my guest(s) inherit the rules of the eth0 interface?

    Read the article

  • Using 2 Transparent HAProxy for load balancing

    - by Nyxynyx
    We can configure HAProxy to be a transparent proxy by using the guide here, where one of the steps says ...to put the backend servers in a different subnet to the front end clients and make sure that the default gateway points back at the HAProxy load balancer. However when we need to have 2 transparent HAProxy in front of our balanced servers (for redundancy), it seems like this wont work as we can only set one gateway for our balanced servers. What will be the correct way to setup the system such that we can have 2 transparent HAProxy infront of the balanced servers? The main reason for having transparent proxies is the need to find the client's IP addresses over TCP.

    Read the article

  • Bridge 2 routers

    - by Nathan Adams
    I have 2 Linksys WRT54GL routers flashed with DD-WRT. On each I have a different ISP, and thus a different private network. I would like to be able to talk to either network regardless of what network I am on. Example: ISP1 - Router1 - Client ISP2 - Router2 - Client What I would like to do is something like: ISP1 - Router1 - Client              ^              |              v ISP2 - Router2 - Client This would be ideally because then I don't need to introduce another device in the mix, unless I have to. But I guess the first question is - is this even possible?

    Read the article

  • iproute2 premptive route creation, i think....

    - by Bryan Hunt
    Firstly: I know could do this the easy way with SSH but I want to learn how to route. I want to route packets back through the same tun0 interface from which they came into my system. I can do it for single routes. This works: sudo ip route add 74.52.23.120 metric 2 via 10.8.0.1 But i'd have to add them manually for each request that came down the pipe I've taken the blue pill and followed the http://lartc.org/howto/lartc.netfilter.html: Netfilter & iproute - marking packets tutorial But it's oriented towards redirecting OUTGOING packets based upon markers What I want is for a packet that comes in via tun0 not to be dropped which is what's happening right now, running scappy or suchlike to receive packets it doesn't seem to be receiving anything. Watching in wireshark I see the initial SYN packets coming in on the tun0 interface but that's as far as it gets without a static route as shown above. Am I nuts?

    Read the article

  • ipfw to redirect traffic from port 80 and 443 to 8080

    - by user1048138
    -A PREROUTING -s 10.0.10.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080 -A PREROUTING -s 10.0.10.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8080 -A POSTROUTING -s 10.0.10.0/24 -o eth0 -j MASQUERADE The above code is what I have used on linux to forward my ports to 8080, how can I do the same on a mac? I have tried test_machine:~ root# ipfw show 00666 0 0 fwd 127.0.0.1,8080 tcp from any to me dst-port 80 and its not working! any suggestions?

    Read the article

  • hosts.deny not working

    - by Captain Planet
    Currently I am watching the live auth.log and someone is continuously trying the brute force attack for 10 hours. Its my local server so no need to worry but I want to test. I have installed denyhosts. There is already an entry for that IP address in hosts.deny. But still he is trying the attacks from same IP. System is not blocking that. Firstly I don't know how did that IP address get entered in that file. I didn't enter it, is there any other system script which can do that. hosts.deny is sshd: 120.195.108.22 sshd: 95.130.12.64 hosts.allow ALL:ALL sshd: ALL Is there any iptable setting that can override the host.deny file

    Read the article

  • Creating Routes using the second NIC in the box

    - by Aditya Sehgal
    OS: Linux I need some advice on how to set up the routing table. I have a box with two physical NIC cards eth0 & eth1 with two associated IPs IP1 & IP2 (both of the same subnet). I need to setup a route which will force all messages from IP1 towards IP3 (of the same subnet) to go via IP2. I have a raw socket capture program listening on IP2 (This is not for malicious use). I have set up the routing table as Destination Gateway Genmask Flags Metric Ref Use Iface IP3 IP2 255.255.255.255 UGH 0 0 0 eth1 If I try to specify eth0 while adding the above rule, I get an error "SIOCADDRT: Network is unreachable". I understand from the manpage of route that if the GW specified is a local interface, then that would be use as the outgoing interface. After setting up this rule, if i do a traceroute (-i eth0), the packet goes first to the default gateway and then to IP3. How do I force the packet originating from eth0 towards IP3 to first come to IP2. I cannot make changes to the routing table of the gateway. Please suggest.

    Read the article

  • Firewalls: What is the difference between Policy, NAT and Routes?

    - by Jakobud
    I'm learning fwbuilder and firewalls in general. I don't understand the differences between Policy, NAT and Routes. They all seem like they are just ways to tell the data where to go depending on what it is and where its coming from. What is the real difference? Is a properly configured firewall taking advantage of all three (Policy, NAT and Routes) or are they just three different ways to accomplish the same thing and you only need one of them?

    Read the article

  • shorewall masquerading from tun0 to ppp0

    - by damir
    First interface is ppp0 (pptp vpn) Second inteface is tun0 (openvpn) Third interface eth0 (default gw interface) Openvpn is set to change default route on client for all packets to go through tun0 vpn, that part is working ok. I would like to make all packets from tun0 go to ppp0 and get out from that interface (MASQ) but somehow they always end up on eth0 (default gw interface) /etc/shorewall/masq ppp0 tun0 doesn't seem to work

    Read the article

  • centos 6.3 kvm external ip forwarding to guests

    - by user1111702
    I have a centos 6.3 server with kvm installed. The server has 4 external ips and one NIC. 176.9.xxx.xx1 176.9.xxx.xx2 176.9.xxx.xx3 176.9.xxx.xx4 I use the following configuration ifcfg-eth0 as slave to ifcfg-br0 the configuration in ifcfg-eth0 is DEVICE=eth0 ONBOOT=yes BRIDGE=br0 HWADDR=14:da:e9:b3:8b:99 and in the ifcfg-br0 DEVICE=br0 TYPE=Bridge BOOTPROTO=static BROADCAST=176.9.xxx.xxx IPADDR=176.9.xxx.xx1 NETMASK=255.255.255.0 SCOPE="peer 176.9.xxx.xxx" and I have 3 more aliases for br0 , br0:1 to get the trafic from the second external ip DEVICE=br0:1 IPADDR=176.9.xxx.xx2 NETMASK=255.255.255.248 ONBOOT=yes br0:2 to get the trafic from the third external ip DEVICE=br0:1 IPADDR=176.9.xxx.xx3 NETMASK=255.255.255.248 ONBOOT=yes br0:3 to get the trafic from the second external ip DEVICE=br0:1 IPADDR=176.9.xxx.xx4 NETMASK=255.255.255.248 ONBOOT=yes The above settings work fine and I recieve the trafic from all the external ips. My problem is that I want to pass the trafic from external ip to specific virtual guest on my server. ie trafic that comes from 176.9.xxx.xxx2 must pass to virtual machine 1 176.9.xxx.xxx3 must pass to virtual machine 2 176.9.xxx.xxx4 must pass to virtual machine 3 Can you please help me how to achieve this ? What are the settings on the host and what should I do to the guests. Thank you in advance

    Read the article

  • OpenVPN bridged not pinging beyond openvpn server on Ubuntu/Windows 2003

    - by ani
    I set up an OpenVPN server using Ubuntu and a windows server 2003 client to interconnect two networks between two different offices. They can now ping each other, but the rest of the network cannot be contacted by the windows client. Office 1 has internal network of: 192.168.0.0 255.255.240.0 Office 2 has internal network of: 192.168.16.0 255.255.255.0 And the configuration files are: Server.conf port 1194 --script-security 2 up "/etc/openvpn/up.sh br0" down "/etc/openvpn/down.sh br0" # TCP or UDP server? ;proto tcp proto udp dev tap0 ;dev tun ca ca.crt cert openvpn.crt key openvpn.key dh dh1024.pem ifconfig-pool-persist ipp.txt server-bridge 192.168.0.59 255.255.240.0 192.168.6.72 192.168.6.75 push "route 192.168.0.0 255.255.240.0" push "dhcp-option DNS 192.168.0.2" push "dhcp-option DOMAIN testeers.local" keepalive 10 120 tls-auth ta.key 0 # This file is secret comp-lzo user nobody group nogroup persist-key persist-tun log /var/log/openvpn/openvpn.log status /var/log/openvpn-status.log verb 3 Client Config file client dev tap ;dev tun --script-security 2 ;proto tcp proto udp remote 1xx.2xx.xxx.124 1194 resolv-retry infinite nobind persist-key persist-tun ca ca.crt cert admin-VAIO.crt key admin-VAIO.key ns-cert-type server tls-auth ta.key 1 comp-lzo verb 3 Ifconfig on the server now shows the following: br0 Link encap:Ethernet HWaddr 00:50:56:8b:1a:49 inet addr:192.168.0.59 Bcast:192.168.15.255 Mask:255.255.240.0 inet6 addr: fe80::250:56ff:fe8b:1a49/64 Scope:Link UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 RX packets:1081860 errors:0 dropped:1358 overruns:0 frame:0 TX packets:242385 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:76600615 (76.6 MB) TX bytes:64474575 (64.4 MB) eth0 Link encap:Ethernet HWaddr 00:50:56:8b:1a:49 UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1 RX packets:1144125 errors:0 dropped:7172 overruns:0 frame:0 TX packets:252486 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:1000 RX bytes:109893729 (109.8 MB) TX bytes:66372620 (66.3 MB) lo Link encap:Local Loopback inet addr:127.0.0.1 Mask:255.0.0.0 inet6 addr: ::1/128 Scope:Host UP LOOPBACK RUNNING MTU:16436 Metric:1 RX packets:67865 errors:0 dropped:0 overruns:0 frame:0 TX packets:67865 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:0 RX bytes:5183276 (5.1 MB) TX bytes:5183276 (5.1 MB) tap0 Link encap:Ethernet HWaddr 32:4f:42:11:b7:c5 inet6 addr: fe80::304f:42ff:fe11:b7c5/64 Scope:Link UP BROADCAST RUNNING PROMISC MULTICAST MTU:1500 Metric:1 RX packets:3329 errors:0 dropped:0 overruns:0 frame:0 TX packets:215472 errors:0 dropped:0 overruns:0 carrier:0 collisions:0 txqueuelen:100 RX bytes:373205 (373.2 KB) TX bytes:17465832 (17.4 MB)

    Read the article

  • error: "net.netfilter.nf_conntrack_acct" is an unknown key

    - by anonymous
    Hello, i have the next error when i run 'sysctl -p' error: "net.netfilter.nf_conntrack_acct" is an unknown key net.netfilter.nf_conntrack_acct = 1 net.ipv4.netfilter.ip_conntrack_max = 9527600 net.ipv4.netfilter.ip_conntrack_tcp_timeout_established = 7200 lsmod ipv6 289352 34 loop 19724 0 nf_conntrack_ipv4 19352 0 nf_conntrack 71440 1 nf_conntrack_ipv4 joydev 15232 0 evdev 14592 0 ext3 125456 3 jbd 54696 1 ext3 mbcache 13188 1 ext3 raid1 24832 4 md_mod 81700 5 raid1 thermal_sys 17728 0 Debian 5.0.8 Any idea? Thanks

    Read the article

  • Using IP Tables to deny packet patterns?

    - by Chris
    I'm not experienced with IP tables but it's something I'll be looking into if this is plausible. I'm looking to set up a system to inspect packets and look for a pattern similar to korek's chop chop attack. Is there a way to set up the IP tables to defend against this attack? Thanks

    Read the article

  • How to forward connection from one interface to another under linux

    - by Daniel
    Hi, I have linux box which has two network interface, eth0, eth1. from eth1 I can access an internal website, say under port 8080. from outside the box, I can't access that network. my question is, is there a way I set up something so from outside the box, there appears to be a web server running in port 8080 and when I connect to it, it automatically forwards to eht1 the internal site? I tried to enable ip forward and add a static route, but it doesn't work. thanks.

    Read the article

  • Block IPs if they access a resource

    - by Victor Oliva
    I own a server that it's costantly being attacked by scripts (that try to access to phpMyAdmin's setup file's and stuff like this). I've heard that many people get this kinds of attacks, but I'm starting to worry since they are getting more common (last month I got 2 attacks, and on november 7th there are 3 attempts already (1st, 4th and 6th of nov). I'm not really concerned about it, since I don't have any database. All the info i have on that server is absolutely public, but I'm worried about that attacking-rate increase. So I thought I could -temporarily- block the IPs that come from those attackers, or something that could make my server ignore requests that ask for phpMyAdmin, pma, xamp, etc. Is there something like that? my server is Linux+Apache+Php

    Read the article

  • NAT for static private addresses

    - by biggdman
    Could someone please help me out with the following scenario: I have a machine that hosts 3 lxc containers, and acts like a router for them. The LXC containers have private ip addresses set on the interfaces that are connected to the host. I want to provide Internet access to the containers and I want to configure the host system so it translates only the addresses that are configured static on the lxc containers interfaces. Should I try to configure the host so it translates each of the 3 private addresses to the public address of the host's interface that is connected to the Internet?

    Read the article

  • private subnet nat (openvpn / racoon)

    - by Jonas Schnelli
    I have a openvpn subnet 10.8.0.0/24 running one server and one client (laptop). openvpn works fine. Browsing the web over openvpn from the laptop works also fine. Now on the server there is a private subnet with 10.7.8.128/28. The subnet is set up with racoon (IPSEC s2s vpn). The s2s vpn allows me to access the subnet 10.3.5.0/24 at the other s2s vpn end. Works all fine when I'm connected with ssh to my server. From my laptop i can ping 10.7.8.129 (the servers ipsec local ip) but i cannot reach the net 10.3.5.0/24. I tried to add a static route on my laptop 10.3.5.0/24 over gw 10.7.8.129 with no success. Any ideas how i do setup the nat / routing? Thanks

    Read the article

  • Which ports for IPSEC/LT2P?

    - by Matt
    I have a firewall/router (not doing NAT). I've googled and seen conflicting answers. It seems UDP 500 is the common one. But the others are confusing. 1701, 4500. And some say I need to also allow gre 50, or 47, or 50 & 51. Ok, which ports are the correct ones for IPSec/L2TP to work in a routed environment without NAT? i.e. I want to use the built in windows client to connect to a VPN behind this router/firewall.

    Read the article

  • Is it necessary to have firewalls rules between trusted nodes communicating on their backend interfaces?

    - by Tom
    I have 6 nodes that have internet access on eth1 and private access to one another on eth0. Currently I have firewall rules for eth0, for things like memcached and NFS. Is this necessary? It's a real headache as NFS for example communicates on loads of different ports, and I recently introduced glusterfs which needs more still. Is the headache of figuring out what backend ports to unblock worth the security enhancement? I should mention that I will of course still have a firewall rule on eth0 to block servers owned by others in the same datacenter. Thanks

    Read the article

  • 'IPv6' Newbie with IPv6 address assigment

    - by Cute Puppy
    I am new to IP v6 and I am looking to translate some existing private IPv4 addresses into v6 address assignment. Can someone please help me to answer/explain the questions below? If I have an v4 address of: 10.10.0.0/22 10.10.1.0/22 10.10.2.0/22 10.10.3.0/22 10.10.8.0/20 10.20.1.0/24 What will the new v6 address to be? I have been looking online @ http://www.subnetonline.com/pages/subnet-calculators/ipv4-to-ipv6-converter.php or other sites, Seems like they translated it directly to be: fe80::a0a:0 /118 fe80::a0a:100 /118 fe80::a0a:200 /118 fe80::a0a:300 /118 fe80::a0a:800 /118 fe80::a14:100 /120 Can someone please explain to me how we get to /118 from either "/22 or /24" (1. and 5) In addition, I would like to create the new private address based on the Unique local address "fc00::/16" How do I expand from there? Any help is greatly appreciated it!! Thanks,

    Read the article

  • switch OFF syn cookies

    - by Nick
    We have several servers they have public IP's, but work together (one is with Load Balancer, orther with Apache Web server, other with MySQL and so on. Most of the ports are fire-walled, so only "local" servers can be connect there. However ALL servers have some ports that must be publicly open. We have SYN Cookies enabled and from time to time we got: possible SYN flooding on port 8080. Sending cookies. Port 8080 is not public. How we can switch OFF SYN Cookies for some ports (e.g. 8080, 3306 etc) or from some sources (e.g. our servers), but in same time SYN Cookies to be switched ON for all other ports, e.g. port 80. We found this similar problem, except our servers are with public IP's: SYN cookies on internal machines

    Read the article

  • What's wrong with this iptable rule?

    - by warl0ck
    I run dnsmasq locally as a cache server, in the old days, I allow all INPUT packets from lo+, and set policy of INPUT to DROP: -A INPUT -i lo+ -j ACCEPT Now I decide to put this on the raw table to speed up rules matching, -A PREROUTING -i lo+ -j ACCEPT But that doesn't work as expected. Why? Since the packets get processed by the raw table first, then nat, then filter, why isn't that rule work the same as the old one?

    Read the article

  • Stop sending packets to private IPs

    - by SlasherZ
    I have a problem that my server got locked down because it was sending packets to private IPs. My question is, what is the best solution to stop that? Here is the log that I got from my hosting provider: [Mon Jun 2 00:04:36 2014] forward-to-private:IN=br0 OUT=br0 PHYSIN=vm-44487.0 PHYSOUT=eth0 MAC=78:fe:3d:47:3d:20:00:1c:14:01:4e:cd:08:00 SRC=78.46.198.21 DST=192.168.249.128 LEN=1454 TOS=0x00 PREC=0x00 TTL=64 ID=58859 DF PROTO=UDP SPT=41366 DPT=41234 LEN=1434 [Mon Jun 2 00:17:15 2014] forward-to-private:IN=br0 OUT=br0 PHYSIN=vm-44487.0 PHYSOUT=eth0 MAC=78:fe:3d:47:3d:20:00:1c:14:01:4e:cd:08:00 SRC=78.46.198.21 DST=192.168.249.128 LEN=1456 TOS=0x00 PREC=0x00 TTL=64 ID=52234 DF PROTO=UDP SPT=55430 DPT=41234 LEN=1436

    Read the article

  • Packets marked INVALID in FORWARD rule

    - by Raphink
    I have a firewall that has 3 IP aliases on 1 physical interface. Packets get dropped between these 3 interfaces (either ICMP, HTTP, or anything else). We tracked it down to these packets being marked INVALID in the FORWARD rule and dropped due to the this rule: chain FORWARD { policy DROP; # connection tracking mod state state INVALID LOG log-prefix 'INVALID FORWARD DROP: '; mod state state INVALID DROP; mod state state (ESTABLISHED RELATED) ACCEPT; } (That is, we see the INVALID FORWARD DROP logs in dmesg) What could be causing this?

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 24 25 26 27 28 29 30 31 32 33 34 35  | Next Page >