Questions tagged [iptables]

iptables is the userspace command-line program used to configure the IPv4 packet filtering ruleset of the Linux 2.4.x, 2.6.x and later kernels. It is targeted at system administrators. When asking a question about iptables, please include the output of the following command: iptables -L -v -n

iptables is a userspace utility that complements the Linux kernel's Netfilter firewall framework: the rules are written with iptables but evaluated inside the kernel.

When seeking help with a firewall configuration, it is advisable to supply the output of iptables-save, which gives a complete, readable listing of the ruleset across every table (filter, nat, mangle, raw), and to append the output of iptables -L -v -n, which lists the matching rules together with per-rule packet and byte counters. The -n flag keeps addresses and ports numeric instead of resolving them, and -v adds the counter and interface columns. Note that iptables -L shows only the filter table unless you pass -t <table>, and that iptables-save -c includes the same counters in its own output.
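As an added example (not part of the tag wiki or of any iptables project), the following Python script parses `iptables-save -c` output and reports which rules are actually matching traffic and which built-in chains still have an ACCEPT policy. The `[packets:bytes]` counters that `-c` prepends to each rule (the same numbers `iptables -L -v -n` shows in its pkts and bytes columns) are what let you answer "which rule is letting this traffic through?". The ruleset in `SAMPLE`, modelled on a stock CentOS `RH-Firewall-1-INPUT` chain, and all counter values are constructed for illustration; real input comes from running `iptables-save -c` as root.

```python
"""Parse `iptables-save -c` output and summarise what the ruleset is doing.

Added example for this tag wiki, not code from any iptables project.
SAMPLE is a constructed ruleset; real input is `iptables-save -c` run as root.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample of `iptables-save -c` output. The [packets:bytes] prefix
# on each rule is what `-c` adds; it shows which rules are matching traffic.
SAMPLE = """\
# Generated by iptables-save v1.4.7 (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [812:67890]
:RH-Firewall-1-INPUT - [0:0]
[1200:98000] -A INPUT -j RH-Firewall-1-INPUT
[0:0] -A FORWARD -j RH-Firewall-1-INPUT
[40:3360] -A RH-Firewall-1-INPUT -i lo -j ACCEPT
[6:504] -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
[1100:90000] -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
[3:180] -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
[51:3956] -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\S+)\s+(\S+)\s+\[(\d+):(\d+)\]$")
RULE_RE = re.compile(r"^(?:\[(\d+):(\d+)\]\s+)?-A\s+(\S+)\s+(.*)$")


@dataclass
class Rule:
    chain: str
    spec: str          # rule text after "-A <chain> "
    packets: int
    bytes: int


@dataclass
class Chain:
    name: str
    policy: str        # ACCEPT/DROP for built-in chains, "-" for user chains
    rules: List[Rule] = field(default_factory=list)


def parse_save(text: str) -> Dict[str, Dict[str, Chain]]:
    """Return {table: {chain_name: Chain}} from iptables-save (-c) output."""
    tables: Dict[str, Dict[str, Chain]] = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                 # start of a table, e.g. *filter
            table = line[1:]
            tables[table] = {}
        elif line == "COMMIT":                   # end of the current table
            table = None
        elif line.startswith(":"):               # chain declaration with policy
            m = CHAIN_RE.match(line)
            if not m or table is None:
                raise ValueError(f"bad chain line: {raw!r}")
            tables[table][m.group(1)] = Chain(m.group(1), m.group(2))
        else:                                    # -A <chain> ... rule line
            m = RULE_RE.match(line)
            if not m or table is None:
                raise ValueError(f"unrecognised line: {raw!r}")
            pk, by, chain, spec = m.groups()
            if chain not in tables[table]:
                raise ValueError(f"rule for undeclared chain {chain}")
            # Without -c there is no counter prefix; treat that as zero.
            tables[table][chain].rules.append(Rule(chain, spec, int(pk or 0), int(by or 0)))
    return tables


def busiest_rules(tables, table="filter", limit=3) -> List[Tuple[str, int, str]]:
    """Rules that matched at least one packet, busiest first, as (chain, packets, spec).

    To find the rule that admits a given flow: `iptables -Z` to zero the counters,
    reproduce the traffic, re-run `iptables-save -c`, and look at whose counter moved.
    """
    hits = [(r.chain, r.packets, r.spec)
            for ch in tables[table].values() for r in ch.rules if r.packets > 0]
    hits.sort(key=lambda h: h[1], reverse=True)
    return hits[:limit]


def accept_policy_chains(tables, table="filter") -> List[str]:
    """Built-in chains whose default policy is ACCEPT.

    Traffic that reaches the end of such a chain without hitting a terminating
    rule is accepted, which is the first thing to check when "blocked" traffic
    still gets through.
    """
    return [c.name for c in tables[table].values() if c.policy == "ACCEPT"]


if __name__ == "__main__":
    t = parse_save(SAMPLE)
    for chain, pkts, spec in busiest_rules(t):
        print(f"{pkts:>8} pkts  {chain:<22} {spec}")
    print("ACCEPT-policy chains:", ", ".join(accept_policy_chains(t)))
```

On the constructed sample this shows the `ESTABLISHED,RELATED` rule carrying almost all of the accepted traffic, which is exactly the kind of evidence the first question below is after. Feed it real output with `iptables-save -c | python3 this_script.py` after replacing `SAMPLE` with `sys.stdin.read()`.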

6626 questions
2
votes
0 answers

Are DNS server responses categorized as "ESTABLISHED" by iptables? If so, why?

CentOS 5.x. I'm trying to confirm which specific rule in my iptables config is allowing return UDP traffic from my DNS server. I THINK it's this one: -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT If I take off RELATED and…
Mike B
  • 11,871
  • 42
  • 107
  • 168
2
votes
2 answers

iptables rule to set source IP depending on local userid

I have two users, alpha (uid 500) and beta (uid 501), and two IP addresses assigned as eth0 and eth0:1. I would like all outgoing packets originated by processes started by user alpha to be marked with the source IP address of eth0, and all packets…
mario
  • 21
  • 1
  • 2
2
votes
1 answer

Change sender-IP for VM in libvirt behind NAT

I have a server with my own public /28 IPv4 Network. On this server I have some vServers, done with KVM/libvirt. These vServers are connected with a virtual network, NATed to the internet. Every vServer has a private (192.168.x.y/24) address and not…
LittleFox
  • 56
  • 4
2
votes
1 answer

iptables: REJECT not working, but DROP does

I have recently setup a server with fail2ban, and it is mostly working except I am getting errors whenever this command tries to execute: sudo iptables -D fail2ban-ssh -s xxx.xxx.xxx.xxx -j REJECT --reject-with icmp-port-unreachable The error…
Stephen
  • 143
  • 5
2
votes
3 answers

Why can blocked IPs get through my iptables? What's wrong with this configuration?

(Why can/How are) blocked IPs (get/getting) through my iptables? Hello and thanks for your consideration... I have configured iptables and included (below) output from the command "iptables --line-numbers -n -L" yet IP addresses (like 31.41.219.180)…
2
votes
1 answer

iptables to allow input and output traffic to and from web server only

I have an Elastic Search server which seems to have been exploited (it's being used for a DDoS attack having had NO firewall for about a month). As a temporary measure while I create a new one I was hoping to block all traffic to and from the server…
Caedmon
  • 123
  • 6
2
votes
1 answer

How to route traffic through OpenVPN for the server only

I have a number of services running on my server, access to which I want to restrict to only those connecting through OpenVPN. I did manage to get routing to work to a second IP I added to the machine, but this is not ideal. *.*.*.1 is the primary…
user1936123
  • 133
  • 5
2
votes
0 answers

firehol simple config doesn't work on Debian 7

I'm trying to set up a very simple firehol setup under a brand new Debian 7 server. I only installed ssh and sudo before this. Installed firehol with sudo apt-get install firehol. Changed the config in /etc/firehol/firehol.conf…
BxlSofty
  • 753
  • 1
  • 5
  • 11
2
votes
2 answers

How do I test my firewall rules?

I've setup some rules in ufw on a remote server and I've turned the firewall on. Now I want to ensure my rules actually block traffic. However, when running nmap -PN -p from my local workstation it appears the port I'm blocking is…
Dane O'Connor
  • 1,269
  • 2
  • 15
  • 20
2
votes
1 answer

iptables traversal and the chain policies, manual editing

I like editing the iptables file manually, but there's something that confuses me a bit. From how I have understood iptables from the manual, it traverses the rules from top to bottom, and if no match is possible it will be logged and denied by the…
Nomad
  • 128
  • 6
2
votes
1 answer

Redirect all traffic sent to an unallocated alias IP within a VPN subnet, to a fixed IP within another VPN

I have a server hosting multiple bridged (i.e. tap) VPNs using openvpn, where each VPN has a different 10.8.X.0/24 subnet. I wish to redirect traffic sent to a specific, unallocated IP address (e.g. 10.8.X.254) in each VPN to a fixed address on a…
tom-hd
  • 78
  • 5
2
votes
4 answers

Can't set SSH port to something other than 22

When I try to set my SSH port to something other than 22 (editing /etc/sysconfig/iptables and /etc/ssh/sshd_config) I end up locked out of my server and having to boot into rescue mode to rectify the problem. I've gone through this cycle a few times…
Codemonkey
  • 1,086
  • 4
  • 19
  • 41
2
votes
1 answer

How to configure nDPI for iptables

I am new to nDPI. I have installed nDPI, but when I add rules like: iptables -I OUTPUT -m ndpi --http -j REJECT it shows this error: iptables v1.4.7: Couldn't load match 'ndpi':/lib64/xtables/libipt_ndpi.so: cannot open shared object file: No such…
zuhair
  • 21
  • 1
  • 3
2
votes
3 answers

Capture first packet of established TCP connection with iptables?

I'm looking for a way to examine the first packet only of a newly established TCP connection (the first packet with actual payload, that is). Is there a way to do this with iptables? Matching ESTABLISHED packets would match all packets of a…
N.A.
  • 23
  • 1
  • 3
2
votes
1 answer

iptables blocking local connection to mongodb

I have a VM (Ubuntu 12.04.4 LTS) with mongodb (2.0.4) that I want to restrict with iptables to only accepting SSH (in/out) and nothing else. This is what my setup script looks like to set up the rules: #!/bin/sh # DROP everything iptables -F iptables…
Niklas9
  • 123
  • 4