a*******e
发帖数: 3021 | 1 俺用iptables好久了,可是一直是用别人的程序,不懂所以然。。。
俺想要22 SSH口,局域网samba口,局域网cups口,bt口, xbox口, http口
下面是俺的iptables系列
SSH
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
samba
$IPTABLES -A tcp_packets -p TCP -s 192.168.1.0/24 -m multiport --dports 139,
445 -j allowed
cups
$IPTABLES -A tcp_packets -p TCP -s 192.168.1.0/24 --dport 631 -j allowed
bt
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 40000:40500 -j allowed
xbox
$IPTABLES -A tcp_packets -p TCP -s 192.168.1.0/24 --dport 9000 -j allowed
$IPTABLE |
|
r*****8
发帖数: 2697 | 2 【 以下文字转载自 Linux 讨论区 】
发信人: rock888 (RocK), 信区: Linux
标 题: 求助: archlinux升级后iptables not working
发信站: BBS 未名空间站 (Mon Jan 23 14:37:14 2012, 美东)
昨天手痒把神座2号的archlinux升级到了kernel 3.2.1-1-ARCH #1 PREEMPT Sun Jan
22 07:37:31
结果iptables不work了
iptables -L
iptables v1.4.12.1: can't initialize iptables table `filter': Table does not
exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
不知道有没有人碰到过这样的问题, 放狗搜了半天也不得要领, 很多都是reboot就解决
问题.
现在发现/proc/net/ 下面根本没有ip_tables_names和其他一些ip_打... 阅读全帖 |
|
a*******e
发帖数: 3021 | 3 [root@localhost rc.d]# service iptables stop
iptables: Flushing firewall rules: [ OK ]
iptables: Setting chains to policy ACCEPT: filter [ OK ]
iptables: Unloading modules: [ OK ]
[root@localhost rc.d]# service iptables start
[root@localhost rc.d]#
怎么不告诉我启动成功了没有啊?我记得以前是可以的。前天刚装的fedora 11. |
|
r*****8
发帖数: 2697 | 4 昨天手痒把神座2号的archlinux升级到了kernel 3.2.1-1-ARCH #1 PREEMPT Sun Jan
22 07:37:31
结果iptables不work了
iptables -L
iptables v1.4.12.1: can't initialize iptables table `filter': Table does not
exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
不知道有没有人碰到过这样的问题, 放狗搜了半天也不得要领, 很多都是reboot就解决
问题.
现在发现/proc/net/ 下面根本没有ip_tables_names和其他一些ip_打头的文件, 是不
是kernel不完整啊?
以前pacman -Syu 升级从来没有出现过这个问题.
新春快乐! |
|
w*******t
发帖数: 960 | 5 我的网络 internet -- router(port forwarding) --- ubuntu pc( w/ iptables)
iptables 里 drop input
允许一些必要的port
把规则改了改,
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
又加了这几条 drop非法连接
-A INPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
======================================================================
asterisk CLi还是出现下面的信息:
212.I29.2.I76
这里的5112端口,我并没有开... 阅读全帖 |
|
c******n
发帖数: 4965 | 6 just run this on your linux box,
################################
# following is yahoo.com address
EXTERNAL_BOX_IP=67.195.160.76
PORT=10000
sudo iptables -t nat -F
sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j
DNAT --to-destination 127.0.0.1
sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE
###############################
then do nc -l 10000
as a fake server
then do nc 67.195.160.76 10000
and type a bunch of characters
you will see that the... 阅读全帖 |
|
c******n
发帖数: 4965 | 7 【 以下文字转载自 Linux 讨论区 】
发信人: creation (努力自由泳50m/45sec !), 信区: Linux
标 题: Re: how to do this iptables setup?
发信站: BBS 未名空间站 (Fri Sep 16 20:55:09 2011, 美东)
but here's what I dont' understand:
I checked the packets in wireshark.
the first packet sent out by client is REAL_IP_OF_CLIENT_BOX to 127.0.0.1
I thought according to the tutorial http://www.frozentux.net/iptables-tutorial/images/tables_traverse.jpg
after DNAT changes the dest IP, it goes through another routing decision, so
at this step it s... 阅读全帖 |
|
w*******t
发帖数: 960 | 8 一个困惑了一天的iptables问题要请教,
ubuntu V14,我设置了22等几个端口允许,其他的都block了。 但为何我的asterisk里
还能看见人不停的试我的密码,端口就不在允许范围内
下面是我的iptables -S输出
=====================================================================
-A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060:5061 -j ACCEPT
-A INPUT -p tcp -m tcp --dpo... 阅读全帖 |
|
a*******e
发帖数: 3021 | 9 没人帮我看看?
那位老大帮我试试下面这些命令然后把输出贴上来?
1) service iptables restart
2) service iptables status |
|
a*******e
发帖数: 3021 | 10 问题是这样的,
...........
The License Manager operates on 2 ports: 50001, + 1 other (usually random)
port. The firewall is able to handle keeping 27004 open for the LM, but
since
port 2 is randomly determined by default, the firewall can't differentiate
between LM traffic and other traffic on those random ports.
............
我可以用这个来打开50001口,但是那个随机的咋办?
iptables -A tcp_packets -p TCP -s 0/0 --dport 27004 -j allowed
下面是我关掉防火墙时的输出,
netstat -a | grep al
Proto Recv-Q Send-Q Local Address Forei... 阅读全帖 |
|
a*******e
发帖数: 3021 | 11 比如我的电脑局域网ip是192.168.1.3
我在电脑上firewall设置
iptables -A INPUT -p tcp -s 192.168.1.3 -j ACCEPT
iptables -A OUTPUT -p tcp -s 192.168.1.3 -j ACCEPT
有什么危险嘛?
这2句规则具体讲是啥意思? |
|
z**r
发帖数: 17771 | 12 你这两句没啥用处,第一个是input traffic,你把source放成自己的IP有什么用?第
二个是output,对自己initiate的traffic有什么必要加以限制?
事实上,如果你这个是你真实的配置,是你家里的server,你根本没有必要打开
iptables, 反正如果从外面访问,你得做port forwarding,到时候你只forward ssh
,然后把所有的交给ssh来处理
另外,man iptables可以看具体用法 |
|
a*******e
发帖数: 3021 | 13 就是说这两句规则没什么潜在危险了。
iptables还是有用的,因为我的server不止开了ssh口,还有wow,http,amsn,bt等等端
口阿
这些还是集中到iptables里来限制的好
ssh |
|
s**h
发帖数: 1889 | 14 哦,我对这个不熟,就是抄了一个规则觉得用得挺方便:
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m
recent --set --name SSH
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW -m
recent --update --seconds 600 --hitcount 6 --rttl --name SSH -j DROP
这个是限制一定时间内新建ssh连接不得超过一定数目的。我也不知道是哪个模块,呵
呵。 |
|
c******n
发帖数: 4965 | 15 for all traffic going to remote box 1.2.3.4 : 8888
I want to route the traffic to localhost : 8888, and I already have a ssh
tunnel
listening on localhost : 8888 to route the traffic to 1.2.3.4:8888
Thanks
I did something like this: but doesn't seem to work
/sbin/iptables -t nat -A PREROUTING -p tcp -i eth0 -d xxx.xxx.xxx.xxx
--dport 8888 -j DNAT --to 192.168.0.2:80
/sbin/iptables -A FORWARD -p tcp -i eth0 -d 192.168.0.2 --dport 80 -j ACCEPT |
|
r****t
发帖数: 10904 | 16 应该是个常见问题了,一直不知道咋办:
A acts as the gateway, eth0 internal, eth1 external.
B is a web server behind A.
能做 DNAT 让 internet 访问到 B, 但是和 B 在同一个子网的机器却没法
直接用 A 的 IP 访问 B, 因为一些原因不想改内部 DNS, 我现在用
iptables -t nat -A PREROUTING -s $INTERNAL_NET -i eth0 -d IP_A -j DNAT --to-
dest IP_B
iptables -t nat -A POSTROUTING -s IP_B -o eth0 -d $INTERNAL_NET -j SNAT --to
-source IP_A
不能工作,请问我该怎么办? |
|
c******n
发帖数: 4965 | 17 I want to hijack all the traffic going to $EXTERNAL_BOX_IP:22 to be going to
the 22 port of my local box instead,
I tried the following but it doesn't work
sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport 22 -j
DNAT --to-destination 127.0.0.0
sudo iptables -t nat -A INPUT -s 127.0.0.0 -p tcp --dport 22 -j SNAT --
to-source $EXTERNAL_BOX_IP
any ideas?
Thanks a lot |
|
c******n
发帖数: 4965 | 18 i don't think so, PREROUTING is for incoming messages,
here the messages are generated by my local process ( ssh client )
I got it working in another post.
but here it is
sudo iptables -t nat -A OUTPUT -d $EXTERNAL_BOX_IP -p tcp --dport $PORT -j
DNAT --to-destination 127.0.0.1
sudo iptables -t nat -A POSTROUTING -p tcp --dport $PORT -j MASQUERADE
j |
|
w*s
发帖数: 7227 | 19 Hi guys, i'm booting from nfs file system.
Everything works until i type:
# /sbin/iptables -P INPUT DROP
nfs: server 10.50.180.36 not responding, still trying
now this iptables script is from the test i had in ubuntu desktop,
and it works.
But when i try the 1st line in the embedded system,
system hangs with
nfs: server 10.50.180.36 not responding, still trying
Any hints pls ? |
|
|
E***e
发帖数: 3430 | 21 怎么能把WAN的53映射到1194啊?
希望不涉及LAN,只针对所有WAN的53。
是不是改用IPTABLES的PREROUTING?
具体语句该怎么写呢?谢谢! |
|
|
w*******t
发帖数: 960 | 23 -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
这句的本意是 允许本地访问外部端口
我的网络 internet modem --- router(port forwarding) ----ubuntu server
这个iptables在ubuntu server上
外部的访问经过路由端口转发到这台主机上,对于主机看来都是192.168.0.1这个内部
地址? |
|
p**i
发帖数: 688 | 24 能不能把你的iptables -nvL结果贴一下
139, |
|
r****t
发帖数: 10904 | 25 非多拉还是洗洗歇了吧。用的人真的不多了。试试 iptables -L 检查下看看。 |
|
a*******e
发帖数: 3021 | 26 跟fedora没关系的吧
这是iptables的问题
不过问题解决了 |
|
h*****0
发帖数: 4889 | 27 场景:一个简单的DSL router(tomato 1.28 firmware),外面接着公网,里面是一个内
网。
内网中有两台电脑,其ip被固定为了FirstIP和SecondIP。
因为需要两台电脑一起玩游戏《星际争霸》(使用端口6112),所以可以用以下四行
iptables命令来解决问题。 |
|
|
S*A
发帖数: 7142 | 29 你要确切问的是哪一个 iptable 的 module?
有统计的 module, 但是据我所知没有根据 ip 地址访问频率来禁止那些
ip 的 module.有可以根据访问频率禁止那一条规则的。
你要知道是哪个 module 我们才好讨论。
唯一接近的是防止 sync flood 的功能, 那个是通过给sender 发 challenge.
sender 必须回应 cookie 才能继续。这个方法是没有black log queue。
那个 black log queue 实际上跑到 sender 那一边了。 |
|
s**h
发帖数: 1889 | 30 有点疑问。我自己试过,家里有3台机访问跑这个iptable规则的linux机,我在一台机
上故意在短时间内访问超过上限,这台客户机就再也不能访问了,可是其他两台机还是
可以照常访问。而且过了几天那台违规的机器好象都不能访问(这一点记得不太准确了)
。必须flush才行。不知道这是不是说明这个规则是针对ip的。
m
m
,呵 |
|
S*A
发帖数: 7142 | 31 how about:
iptables -t nat -A OUTPUT -p tcp -d 1.2.3.4 -j REDIRECT --to-ports 8888
That will redirect any port to port 8888. You can add --dport 8888
for only 1.2.3.4:8888
ACCEPT |
|
c******n
发帖数: 4965 | 32 figured out, need one more line
sudo iptables -t nat -A POSTROUTING -d 127.0.0.0 -p tcp --dport 22 -j
SNAT --to-source 127.0.0.0
to |
|
|
z**r
发帖数: 17771 | 34 it should be
sudo iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_BOX_IP --dport 22 -j
DNAT --to-destionation 127.0.0.1
to |
|
c******n
发帖数: 4965 | 35 but here's what I dont' understand:
I checked the packets in wireshark.
the first packet sent out by client is REAL_IP_OF_CLIENT_BOX to 127.0.0.1
I thought according to the tutorial http://www.frozentux.net/iptables-tutorial/images/tables_traverse.jpg
after DNAT changes the dest IP, it goes through another routing decision, so
at this step it should be set to the lo interface, so MASQUERADE should set
its source to be 127.0.0.1 ???
also wireshark shows that the return ip is $EXTERNAL_BOX_IP to ... 阅读全帖 |
|
x**m
发帖数: 941 | 36 What is "$ /sbin/iptables -L" before setting the default action to DROP? |
|
S*A
发帖数: 7142 | 37 of course, you are blocking your own nfs usage
from the iptables.
You should add explicit accept rules for nfs
before you change the default rules to drop. |
|
c******n
发帖数: 4965 | 38 I'm trying to simulate the situation where a connection is lost, to prepare
for fault-tolerance of my application.
my server listens on port 11111
instead of pulling out the physical cable, so far I do
sudo /sbin/iptables -t filter -A INPUT -p tcp --dport 11111 -j REJECT
this would reject new connections. but it seems that for already-established
connections,
the client side TCP won't trigger an exception if more bytes are pushed onto
the connection
is there a way to let TCP trigger an error ?
... 阅读全帖 |
|
|
x**m
发帖数: 941 | 40 If I were you, I might do this in a virtual machine and simulate real
connection drop by disabling its virtual network interface.
Can you try:
sudo /sbin/iptables -t filter -A INPUT -p tcp --dport 11111 --state
ESTABLISHED -j REJECT |
|
r*****8
发帖数: 2697 | 41 公孙老兄, 你的修好了吗? 有没有iptables的问题? |
|
r*****8
发帖数: 2697 | 42 实在没有办法修复iptables, 而且发现有人居然一个劲地攻击, 只好恢复了备份, 以后
再不手痒了, 再手痒就打手! |
|
w*s
发帖数: 7227 | 43 newbie question,
so someone use code keeps on opening my webpage,
how to prevent this using iptables ?
any sample ?
many thanks ! |
|
D*******l
发帖数: 5462 | 44 用了dualwan后,外网的电话不能连上来。我用这个个命令:
iptables -I INPUT -p udp -m multiport --dport 10000:10100 -d 0.0.0.0/0
-j ACCEPT
提示我端口不对,现在擦回了ddwrt。
我想对不一下防火墙有什么不同。 |
|
i**w
发帖数: 883 | 45 神由上装了asterisk,一直没问题。
最近想通过internet用softphone连router上的asterisk,但注册的时候总是408 error
。猜想tomato的防火墙把所有的port都block了。试过port forward到192.168.1.1,端
口还是没有打开。网上考古了半天,iptables 也没有搞定
哪位指教一下怎么才能打开5060端口?谢谢 |
|
c******n
发帖数: 4965 | 46 many java applications are written as JMX MBeans
but EC2 presents many problems for JMX
1) normally you have only port 22 open, changing security group is a hassle
if you are just debugging for one shot.
2) the second port used by JMX is determined dynamically, so you don't know
which port to open
3) JMX is going to figure out the *internal* ip of EC2 and let your JMX
client to connect to RMI on that IP, which can not be reached.
so to solve these
1) use ssh tunnel, + iptables on client
2) http:... 阅读全帖 |
|
c******n
发帖数: 4965 | 47 【 以下文字转载自 Java 讨论区 】
发信人: creation (努力自由泳50m/45sec !), 信区: Java
标 题: trick to use JMX on EC2
发信站: BBS 未名空间站 (Fri Sep 16 01:46:21 2011, 美东)
many java applications are written as JMX MBeans
but EC2 presents many problems for JMX
1) normally you have only port 22 open, changing security group is a hassle
if you are just debugging for one shot.
2) the second port used by JMX is determined dynamically, so you don't know
which port to open
3) JMX is going to figure out the *internal* ip of EC2 and le... 阅读全帖 |
|
c********g
发帖数: 1173 | 48 呵呵,我以前用最简单的TomatoUSB用了将近两年,一直也懒得折腾。最近不是有需要
了吗。然后刚刚发现用了四年半的hackintosh突然起不来了。看来又要折腾了。
至于双web port,其实很简单。创建一个vlan,但bridge要assign成none。然后到”
administration-》Scripts“,在”init“中加入:
sleep 10;
ifconfig vlan4 YOUR_STATIC_IP broadcast STATIC_IP_BROADCAST netmask NET_MASK
up;
其中vlan4是上面刚刚创建的那个vlan。
如果想把到这个static ip的traffic forward到一个internal server,在 ”firewall
“里面加上这些:
iptables -t nat -A PREROUTING -p tcp -d YOUR_STATIC_IP --dport 443 -j DNAT -
-to INTERNAL_SERVER_IP;
iptables -t nat -A PREROUTING -p tcp -d ... 阅读全帖 |
|
c*******y
发帖数: 3529 | 49 五、服务器SNAT设置
首先开启Linux的内核路由,设置ipv4转发为1,即开启转发
1. vim /etc/sysctl.conf
2. net.ipv4.ip_forward = 1
3. sysctl -p
六、配置iptables
nano /etc/iptables/iptables.rule
改成一下内容
*filter
:INPUT ACCEPT [33439:7588681]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11527:1594660]
COMMIT
*nat
:PREROUTING ACCEPT [384:124396]
:INPUT ACCEPT [384:124396]
:OUTPUT ACCEPT [6:456]
:POSTROUTING ACCEPT [6:456]
-A POSTROUTING -s 10.8.0.0/24 -o eth0 -j MASQUERADE
COMMIT
然后启动iptables:
systemctl enable iptables
systemctl star... 阅读全帖 |
|
