Questions tagged as ['iptables']

iptables is the userspace command line program used to configure the Linux 2.4.x and 2.6.x IPv4 packet filtering ruleset. It is targeted towards system administrators. Please, when asking a question about iptables, add the output from the following command: iptables -L -v -n
Score: 0
IPTables to access resources on localhost via public IP

I have the following setup: a Proxmox host (dedicated server) with one public IP and iptables installed, and a bunch of virtual machines with Docker installed.

I use iptables to port-forward port 443 to one of the VMs via DNAT, and it works fine from outside the host, i.e. from the Internet. But if I try to access resources within a VM, from a VM, via the public IP, they are not accessible.

Use case: I have nginx with SSL ...
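
The hairpin case the post describes, as an added example (not code from the post): a VM that addresses the host's public IP hits the DNAT in PREROUTING, but the target VM then answers the client VM directly on the bridge, so the client sees a reply from the VM's private address and drops it. The fix is an extra SNAT (MASQUERADE) for bridge-to-target traffic. The functions print iptables commands for review; interface names, addresses and the bridge subnet are placeholders.

```shell
#!/bin/sh
# Added example: DNAT port-forward plus a hairpin (NAT reflection) rule so that
# VMs on the host's own bridge can reach the forwarded service via the public IP.
# Prints the iptables commands; review them, then pipe into `sudo sh`.
# public_ip, bridge_net and vm_ip are placeholders for this example.

emit_hairpin_forward() {
  public_ip=$1 bridge_net=$2 vm_ip=$3 port=$4

  # 1. DNAT for everyone who addresses the public IP: Internet clients arriving on
  #    the WAN interface *and* VMs on the bridge. No -i match, so both paths hit it.
  echo "iptables -t nat -A PREROUTING -p tcp -d $public_ip --dport $port -j DNAT --to-destination $vm_ip:$port"

  # 2. Hairpin SNAT. Without it the target VM sees the client VM's address as the
  #    source, replies to it directly on the bridge, and the client gets a SYN-ACK
  #    from $vm_ip instead of $public_ip and resets the connection.
  echo "iptables -t nat -A POSTROUTING -s $bridge_net -d $vm_ip -p tcp --dport $port -j MASQUERADE"

  # 3. FORWARD rules, needed when the FORWARD policy is DROP; conntrack handles
  #    the return direction.
  echo "iptables -A FORWARD -d $vm_ip -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
  echo "iptables -A FORWARD -s $vm_ip -p tcp --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# The host itself (not a VM) connecting to its own public IP never traverses
# PREROUTING; that case needs the same DNAT in nat/OUTPUT.
emit_host_local_dnat() {
  public_ip=$1 vm_ip=$2 port=$3
  echo "iptables -t nat -A OUTPUT -p tcp -d $public_ip --dport $port -j DNAT --to-destination $vm_ip:$port"
}

# Usage with placeholder values:
#   emit_hairpin_forward 203.0.113.10 10.0.0.0/24 10.0.0.20 443 | sudo sh
# Check from a VM with `curl -kI https://203.0.113.10` while watching
#   iptables -t nat -L POSTROUTING -v -n
# The MASQUERADE counter must move; if only the DNAT counter moves, the packets
# are not hitting the hairpin rule (wrong bridge_net or wrong vm_ip).
```

Also confirm `sysctl net.ipv4.ip_forward` is 1 and that Proxmox's own firewall (pve-firewall) is not inserting a FORWARD rule ahead of yours.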

Score: 0
Se ven
Connect to VPN server via VPN client which is a NAT instance

The main question is how to connect to a VPN server via a VPN client which is a NAT instance; let me describe it.

Scene 1:

I have a group of service instances (Ubuntu 18.04) named A.

One instance, which I use as a NAT instance, named B.

Both group A and instance B are in the same VPC. A has no public IP, B has one public IP, and what I did is use B as a NAT and set SNAT in the VPC so group A can access the internet ...

Score: 0
LilaQ
Using 3 OpenVPN instances at the same time

So I have 3 OpenVPN Access Servers and downloaded the config for all 3 of them. Then on my Raspberry I ran 3 instances of openvpn (even with a different subnet configured in the Access Servers), one with each of the config files.

My goal is to be able to route incoming traffic to individual devices, e.g. IP_of_Access_Server_1 leads to Client_1 in my network, IP_of_Access_Server_2 leads to Client_2 etc. That' ...

Score: 0
coder
Redirect IP to another if not available

I have 4 IPs, something like this:

  1. 10.10.10.11
  2. 10.10.10.12
  3. 10.10.10.13
  4. 10.10.10.14

and two ports 1000 and 1001.

My Linux server should connect to those IPs on those ports. Now I want to make this process automatic. To be more precise, the server tried to connect to 10.10.10.11:1000 but it failed; now it should try to connect to 10.10.10.11:1001 automatically, and so on. The problem is that I do not know how to do it. ...

Score: 0
Redirect traffic from an interface to a VPN tun interface with iptables

I'm trying to achieve something easy but apparently I'm missing something.

In my box I have a VPN client running which created a tun0 interface. The box has external traffic coming in from eth0.

I would like to forward the traffic from eth0 to tun0. I run the following commands:

iptables -A FORWARD -i eth0 -o tun0 -s 192.168.100.0/28 -j ACCEPT
iptables -A FORWARD -i tun0 -o eth0 -m state --state ESTAB ...
Score: 0
Joe
Debian as gateway: block port from IP

I have a number of public IPs behind a Debian router connected to VMs. I want a specific IP not to be able to use port 25 outgoing.

I have tried /sbin/iptables -A OUTPUT -o ens19 -p tcp --destination-port 25 -s xxx.xxx.xxx.xxx -j DROP along with several other combinations of the command, but I cannot get it to work. It will block outgoing ports on the router fine, but not for systems behind it.

Score: 1
solveit
How to delete the grepped iptables

I have iptables chains starting with cali-:

root@Ubuntu-18-VM:~# iptables -S | grep -oP '(?<!^:)cali-[^ ]+'
cali-FORWARD
cali-INPUT
cali-OUTPUT
cali-cidr-block
cali-from-hep-forward
cali-from-host-endpoint
cali-from-wl-dispatch
cali-from-wl-dispatch-5
cali-fw-cali2847b154969
cali-fw-cali4bb24809f90
cali-fw-cali531f8f2e712
cali-fw-cali5a82b3ff301
cali-pri-_CV ...
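
Removing a family of chains like the cali- ones above is an ordering problem: iptables refuses -X on a chain that is still referenced from another chain or still holds rules. The added example below (not code from the post) parses `iptables -S` output, emits the -D lines for jumps into the prefixed chains, then -F and -X for each chain, in that order. It prints commands rather than running them, so it can be tried against a saved dump first; the sample dump embedded in it is constructed, not captured from a real Calico node.

```shell
#!/bin/sh
# Added example: tear down every chain in one table whose name starts with a prefix
# (Calico's "cali-" here). Order matters: delete the jumps into those chains from
# other chains, flush the chains, then delete them. Reads `iptables -S` output on
# stdin and prints the commands; pipe into `sudo sh` to apply.

emit_chain_teardown() {
  prefix=$1
  tbl=${2:-filter}                      # pass "nat" or "mangle" for the other tables
  awk -v p="$prefix" -v t="$tbl" '
    # "-N name": chain definition; remember the prefixed ones in order of appearance.
    $1 == "-N" && index($2, p) == 1 { chains[++n] = $2; next }
    # "-A <foreign chain> ... -j/-g <prefixed chain>": a reference that must go first.
    # Rules inside the prefixed chains themselves are skipped; -F removes them.
    $1 == "-A" && index($2, p) != 1 {
      for (i = 3; i <= NF; i++)
        if (($i == "-j" || $i == "-g") && index($(i + 1), p) == 1) {
          sub(/^-A/, "-D")            # identical rule spec, -A swapped for -D
          print "iptables -t " t " " $0
          break
        }
    }
    END {
      for (i = 1; i <= n; i++) print "iptables -t " t " -F " chains[i]
      for (i = 1; i <= n; i++) print "iptables -t " t " -X " chains[i]
    }'
}

# Constructed sample of `iptables -S` output for testing (not a real capture).
SAMPLE_DUMP='-P INPUT ACCEPT
-P FORWARD ACCEPT
-N cali-INPUT
-N cali-fw-cali2847b154969
-N DOCKER-USER
-A INPUT -m comment --comment "cali:Cz_u1IQiXIMmKD4c" -j cali-INPUT
-A FORWARD -j DOCKER-USER
-A cali-INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A cali-INPUT -j cali-fw-cali2847b154969'

demo_teardown() {
  printf '%s\n' "$SAMPLE_DUMP" | emit_chain_teardown cali-
}

# Live use, one table at a time:
#   iptables -S        | emit_chain_teardown cali-        | sudo sh
#   iptables -t nat -S | emit_chain_teardown cali- nat    | sudo sh
#   iptables -t mangle -S | emit_chain_teardown cali- mangle | sudo sh
# Afterwards `iptables -S | grep cali-` should print nothing.
```

Note that if Felix (the Calico agent) is still running it will re-create these chains within seconds, so stop it first; the chains are the symptom, not the source.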
Score: 0
Setting tcp option to packet header

I'm trying to debug some networking issues and I'd like to add the "router alert" flag to some SYN packets that are being sent from my server. Is there a way to do that using iptables?

I'm looking at the mangle table but I couldn't find anything on adding arbitrary tcp header options to the packets. I imagine it would be something like iptables -t mangle -I OUTPUT -p tcp --dport 22 --tcp-flags SYN SY ...

Score: 0
sebastien dontneedtoknowthat
How to prevent netfilter from automatically changing the source ports

I observed that netfilter changes the source port when a connection is established in the conntrack module. I need to prevent this behavior.

Here is what I have done to reproduce my problem:

  1. I create a netfilter rule that will perform DNAT from port 2002 to 2003

sudo iptables -w -t nat -A OUTPUT -s 192.168.30.3 -d 192.168.30.1 -p udp --sport 2001 --dport 2002 -j DNAT --to-destination :2003

  2. I t ...
Score: 0
light9876
How to block dots "." in an iptables rule?

I have this rule in my iptables to block domains ending with .watch:

sudo iptables -A OUTPUT -j DROP -m string --string ".watch" --algo kmp

But the problem is that the . cannot be matched, so the line above does not match anything. But if I remove the dot, changing .watch to watch, it works okay.

How can I block the dots "." in iptables rules?
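
The symptom in the post (".watch" never matches, "watch" does) is what you see when the matched traffic is DNS: on the wire a name is a sequence of length-prefixed labels terminated by a zero byte, so "example.watch" is 07 'example' 05 'watch' 00 and no dot byte exists. The added example below (not code from the post) builds the `--hex-string` pattern for a name or suffix and emits a rule that only matches names whose final label is exactly "watch", which is tighter than the substring match in the original rule.

```shell
#!/bin/sh
# Added example: iptables string-match pattern for a DNS name suffix in wire format.
# "|05|watch|00|" = length byte 5, the label "watch", the terminating zero byte.

dns_hex_pattern() {
  name=$1 out=''
  old_ifs=$IFS
  IFS=.
  for label in $name; do                # split the name on dots
    len=${#label}
    if [ "$len" -gt 63 ]; then          # DNS labels are at most 63 bytes
      IFS=$old_ifs
      echo "label too long: $label" >&2
      return 1
    fi
    out="$out|$(printf '%02x' "$len")|$label"
  done
  IFS=$old_ifs
  printf '%s|00|\n' "$out"
}

# Rule for outgoing plaintext DNS. --from 40 skips the IPv4 (20), UDP (8) and DNS
# (12) headers so only the question section is searched; --icase covers mixed-case
# names, which resolvers may send.
emit_dns_suffix_block() {
  pattern=$(dns_hex_pattern "$1") || return 1
  echo "iptables -A OUTPUT -p udp --dport 53 -m string --hex-string '$pattern' --algo bm --from 40 --icase -j DROP"
}

# Usage: emit_dns_suffix_block watch | sudo sh
# Check with `dig example.watch` (should time out) versus `dig watchdog.example.com`
# (should resolve: "watchdog" is not the label |05|watch|00|).
```

This covers plaintext DNS over UDP only. TCP DNS, DoT and DoH are not matched, and in TLS SNI the dot is a literal byte, so the original ".watch" string would match there.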

Score: 0
Output iptables dropping 443 even when rule allows it

Output iptables dropping 443 even when rule allows it

These are my current rules:

:INPUT DROP [2:406]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
:LOGGING - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.1/32 -p udp -m udp --sport 53 -m co ...
Score: 1
IPTables -m set unknown option

I'm having trouble setting up iptables on Ubuntu 20.04.

Does anyone know why this doesn't work?

# iptables -A INPUT -m set -–match-set cf src -p tcp -m multiport –dports http,https -j ACCEPT
iptables v1.8.4 (legacy): unknown option "set"
Try `iptables -h' or 'iptables --help' for more information.

My cf set has the Cloudflare IPs:

for x in $(curl https://www.cloudflare.com/ips-v4); do ipset add c ...
Score: 0
Sahat Shah
How to protect Backend server from DDoS

I live in a country where there is no DDoS protection for game servers (UDP protocol).

Since latency is important for users, I can't host it in another country or region.

So I have only one option left and that is using fail-over servers.

Current architecture

I have a main dedicated server where game server is running.

I have 64 dummy VPS where I have installed Nginx proxy.

So the main server's IP  ...

Score: 1
Makoa
Reverse proxy forwarding

Could you help me?

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination 1.1.1.1
sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 2.2.2.2
sudo iptables -t nat -A POSTROUTING -j MASQUERADE

I am using these iptables rules to create load-balancing servers. I am just distributing .mp4 and .mp3 content, b ...

Score: 0
Jonathan S. Fisher
Packets from xfrm interface won't route, but opposite works

I'm working on a site-to-site VPN, where one end is a UDM and the other is Strongswan. The goal is to provide bi-directional routing into a cloud environment. I'm completely baffled why this isn't working.

The good news is Strongswan connects and will pass traffic. But I have some routing issues on the Strongswan side. My Strongswan host has two interfaces, eth0 which has the public internet IP o ...

Score: 0
Oli
Routing traffic between two OpenVpn servers

I'm trying to route traffic between two openvpn servers; I would like to have the following connection:

Client --> OpenVpnServer1 --> OpenVpnServer2 --> Internet

I have both servers running and working separately, but I have tried to configure OpenVpnServer1 to forward all its clients' traffic to OpenVpnServer2 using iptables, and failed.

OpenVpnServer1 Interfaces and configs:

eth0 -- public inter ...

Score: 0
iptables doesn't redirect 443 to 8443 on local machine

I want to redirect all the traffic on my computer from port 443 to port 8443. All the traffic is on the same machine. A proxy server is listening on port 8443 and I tried to add the following rule:

sudo iptables -t nat -A PREROUTING -i wlp3s0 -p tcp --dport 443 -j REDIRECT --to-port 8443

But my proxy didn't get any packets. wlp3s0 is my Wi-Fi adapter according to ifconfig. What did I do wrong?
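
Two of the questions on this page fail for the same reason: the rule is in a chain the packets never traverse. Packets a router forwards for hosts behind it go through FORWARD, not OUTPUT (the port-25 question above); packets a machine generates itself go through nat/OUTPUT, not nat/PREROUTING, which only sees packets arriving from a network interface (the 443 to 8443 question here). The added example below is not code from either post; interface names, addresses and the proxy's user name are placeholders. It prints the rules for review.

```shell
#!/bin/sh
# Added example: put the rule in the chain the packet actually traverses.
#   generated by a local process -> nat/OUTPUT, filter/OUTPUT
#   arriving for this host       -> nat/PREROUTING, filter/INPUT
#   routed through this host     -> nat/PREROUTING, filter/FORWARD, nat/POSTROUTING

# Block outgoing SMTP for one or more routed hosts. -I places the rule ahead of any
# broad ACCEPT already in FORWARD; -o limits it to the upstream interface. OUTPUT
# would only ever match mail sent by the router itself.
emit_block_forwarded_smtp() {
  wan_if=$1
  shift
  for src_ip in "$@"; do
    echo "iptables -I FORWARD 1 -s $src_ip -o $wan_if -p tcp --dport 25 -j DROP"
  done
}

# Redirect this machine's own TCP connections to $port into a proxy on $proxy_port.
# The proxy's upstream connections also go to $port, so its UID is excluded;
# otherwise every connection it opens is redirected back to itself (a loop).
# Loopback is left alone so talking to 127.0.0.1:443 directly still works.
emit_local_redirect() {
  port=$1 proxy_port=$2 proxy_user=$3
  echo "iptables -t nat -A OUTPUT -o lo -j RETURN"
  echo "iptables -t nat -A OUTPUT -p tcp --dport $port -m owner ! --uid-owner $proxy_user -j REDIRECT --to-ports $proxy_port"
}

# Usage (placeholders):
#   emit_block_forwarded_smtp ens19 198.51.100.7 | sudo sh
#   emit_local_redirect 443 8443 proxy | sudo sh
# Verify with counters: `iptables -L FORWARD -v -n` and `iptables -t nat -L OUTPUT -v -n`.
# A rule whose pkts column stays at 0 while you generate traffic is in the wrong chain.
```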

Score: 0
jusschwa
Transparently proxying to nodeport in kubernetes

I have a kubernetes set up with a pod containing the following containers:

  1. Squid container
  2. transocks (like redsocks); a transparent SOCKS proxy

I am running this in k3s locally on a Linux PC and want to transparently proxy all outgoing traffic from the PC through this transparent proxy, so outgoing host traffic is forced to the transocks port on the Kubernetes pod. Right now it is not working; the co ...

Score: 0
CentOS 8: two external network adapters, two ISPs - routing problems

Given: a CentOS 8-powered computer with three network adapters.

eth0, eth2: external, connected to two different ISPs
eth1: faces home network (intranet)

The task: allow accessing certain internal services from either ISP. There are several services, I only mention SSH below.

In the configs below:
IP1: external IP at first ISP (ISP1), assigned to eth0
Gateway1: IP of gateway provided by ISP1
Network1,N ...

Score: 1
Vipin Menon
How to properly clone packets with tee?

Trying to understand the TEE module of iptables. The intent is to clone and send the same packet to 2 IPs.

Tried the following

iptables -A INPUT -p tcp --dport 2003 -j TEE --gateway IP1
iptables -A INPUT -p tcp --dport 2003 -j TEE --gateway IP2

Does this tee the traffic to both gateways or only the first rule? Running the command iptables -L -v shows the rules and packets getting counted against ...

Score: 0
master lfc6
Need help converting an iptables command to firewalld

Guys, how can I convert the following commands to firewalld's accepted format?

iptables -A FORWARD -s 80.6.0.0/23 -p udp --dport 25 -j DROP
iptables -A FORWARD -s 80.6.0.0/23 -p tcp --dport 25 -j DROP
Score: 1
user3411911
WireGuard: Limiting download & upload bandwidth

I'm trying to limit the download and upload speed of each WireGuard peer to 512 kbit.

The problem is that the following commands only limit the download bandwidth of a peer and don't limit the upload bandwidth. Any help would be appreciated.

tc rules for an example peer with IP 10.7.0.2 and iptables mark 12:

tc qdisc add dev eth0 root handle 1: htb
tc qdisc add dev wg0 root handle 1: htb

tc class add dev eth0 pare ...
Score: 1
sham
Not able to reach host after running iptables -F

I was trying to clear the firewall settings on my Red Hat Linux server.

After running iptables -F, I am not able to reach the server.

# iptables -L
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     icmp --  anywhere             anywhere
ACCEPT     all  --  anywhere             an ...
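
The ruleset above shows exactly why -F locks you out: the INPUT policy is DROP, and -F deletes the RELATED,ESTABLISHED accept rule while leaving the policy in place, so the very SSH session that ran the command is dropped. The added example below (not code from the post) is the reset sequence a practitioner uses instead: set the filter policies to ACCEPT first, keep a timed rollback to a saved copy, then flush. It prints the commands; the backup path and grace period are placeholders.

```shell
#!/bin/sh
# Added example: reset iptables without cutting off your own session.
# Prints the commands in the safe order; review, then pipe into `sudo sh`.

emit_safe_reset() {
  backup=${1:-/root/iptables.before-reset}   # placeholder path
  grace=${2:-180}                            # seconds until automatic rollback

  # 0. Snapshot, plus a background job that restores it unless you cancel it.
  #    If the host goes silent after the reset, this brings the old rules back.
  echo "iptables-save > $backup"
  echo "( sleep $grace && iptables-restore < $backup ) & echo \$! > $backup.rollback-pid"

  # 1. filter-table policies to ACCEPT *before* touching any rule. With the policy
  #    still DROP, the first -F removes the ESTABLISHED accept and SSH dies.
  for chain in INPUT FORWARD OUTPUT; do
    echo "iptables -P $chain ACCEPT"
  done

  # 2. Now flushing is harmless: flush rules and delete user chains, every table.
  for table in filter nat mangle raw; do
    echo "iptables -t $table -F"
    echo "iptables -t $table -X"
  done

  # 3. Once a fresh SSH login works, cancel the rollback; otherwise let it fire.
  echo "# still reachable? then: kill \$(cat $backup.rollback-pid)"
}

# Usage: emit_safe_reset /root/fw.bak 120 | sudo sh
# Remember ip6tables has its own tables and policies and needs the same treatment.
```

From the locked-out state in the post the only ways back in are a console (IPMI/KVM) or a reboot, since Red Hat's iptables service reloads the saved ruleset at boot.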
Score: 0
John Smith
iptables redirect hardcoded DNS requests

I'm slowly trying to learn iptables and would like to redirect all DNS (port 53) requests not coming from/to a list of IPs (from 192.168.2.1, 192.168.2.29 or to 1.1.1.1). I figured I can use chains. It does not work though. Could you please give me a hint:

iptables -N dnsrewrite
iptables -A dnsrewrite -s 192.168.2.1 -j RETURN
iptables -A dnsrewrite -s 192.168.2.29 -j RETURN
iptables -A dnsrewrite - ...
Score: 2
narotello
Is there a way to obtain CPS and Throughput metrics in Linux?

I want to analyze my Debian 9 server's network workload to detect possible network overloads.

The main metrics I need to analyze are:

  • CPS (connections per second)
  • Throughput

Is there a way to obtain these metrics from within Linux?
I thought that the CPS metric could somehow be obtained through conntrack NEW connection events, but I'm not sure that this would be the most proper way.

Sorry if obviou ...

Score: 1
TPROXY interferes with DNAT port forwarding rules

I'm setting up TPROXY on my VyOS router to forward certain traffic to a local transparent proxy. It worked pretty well, until I discovered that all of my DNAT port forwarding rules no longer work (connection timeout when connecting from the external network).

Environment

  • Router: 10.0.0.1/24 (the proxy is running on port 1234 and adding SO_MARK 0xff)
  • Internal Host: 10.0.0.2/24 (Port 80 should be expo ...
Score: 1
Server isn't responding to pings routed via VPN

I have a server and a virtual machine on it. I'm hosting OpenVPN on this server. The virtual machine has two interfaces: ens18 for the public IP, ens19 for an internal network. I'm trying to ping 10.2.0.3 (the virtual machine's IP on ens19) via VPN, but it's not responding. When I run tcpdump -i ens19 icmp on the virtual machine, it returns this:

tcpdump: verbose output suppressed, use -v or -vv for full protocol  ...
Score: 0
Mirror incoming traffic on specific port to another IP, using my IPSec strongswan tunnel

I want to internally publish an SMTP server (IP 10.0.0.10) that is behind a VPN tunnel, on my internal server (192.168.0.12), using strongswan. My strongswan is running within a Docker container.

For this I want my internal server 192.168.0.12 to listen on port 25 and forward the traffic to the tunneled server on the same port, 10.0.0.10:25.

So far I tried using iptables, but without success.

Score: 0
Aman Juman
WireGuard Chain Tunnel

I'm trying to build a chained WireGuard tunnel. Right now I'm testing, but I'm stuck.

I have two WireGuard servers; the 1st one is in India, the 2nd one is in Singapore. Here is what I'm trying.

Client < 10.26.26.0/24 > India < 10.26.27.0/24 > Singapore

IN Tunnel Peer: 10.26.26.20/32 SG Tunnel Peer: 10.26.27.20/32

I was able to deploy the WireGuard on both servers. And now I'm trying to establish a c ...

Score: 0
Trying to forward SMTP port on strongswan IPsec tunneled docker container?

I have successfully set up a VPN tunnel with strongswan within a Docker container and want to use that tunneled connection to forward specific ports like SMTP to a host on the other side of the tunnel, in my case host 10.0.0.10.

The goal would be to be able to use SMTP in my app directly by connecting to strongswan-container service in the middle like this

(smtp-host)-[IPSec-tunnel]-(strongswan-containe ...