Advanced iptables

Hi everyone, how can I get the advanced features of iptables?
I mean... the -m average, the -j ROUTE, etc.
I tried to get them with patch-o-matic from the svn repo (netfilter), but when I compile I get a big error, "file missing" Makefile (in the netfilter directory of the kernel source it does NOT EXIST), so...
Does anyone know of or have a PKGBUILD way to do this?
Thanks
PS: Sorry for my bad English, it is not my native language :-P


Similar Messages

  • [SOLVED] Easy iptables setup to begin with...

    Hello!
    I'd like to write quick & easy iptables.rules that only just work for now until I've got time to get into the "more advanced basics". I took a look at the "Simple stateful firewall" Howto and what I need now is to re-enable everything that does not work any more (Samba, ssh etc.).
    - Is there some easy way to take a look at what's blocked while I try out all programs that use the network one after another, so I can add "ACCEPT" lines with the corresponding ports by copying the howto's ACCEPT lines and replacing the ports?
    - I can't figure out a "rule" to let everything inside the private network through... something like "-A -i wlan0 something 192.*" ...
    So... I really have too much to figure out at once at the moment. Is there a way to do this stuff really fast without knowing the basics for now, or is it in general safe enough to just remove iptables again until I've got time to read through how it works in detail?
    Last edited by whoops (2009-03-30 14:52:42)

    Combining with what fukawi2 said, I think this would be a good start for you. Sorry that it isn't formatted very well.
    iptables -P INPUT DROP
    # set default policy on the INPUT chain to drop
    iptables -P FORWARD DROP
    # set default policy on the FORWARD chain to drop
    iptables -N LOG_REJECT
    iptables -A LOG_REJECT -j LOG --log-prefix "[IPTABLES REJECT] : " --log-tcp-options --log-ip-options
    iptables -A LOG_REJECT -j REJECT
    iptables -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
    # make sure new connections are SYN packets
    iptables -A INPUT -f -j DROP
    # drops all fragmented packets
    iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
    # drop packets for xmas attack
    iptables -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
    # drops packets for null attack
    iptables -A INPUT -i lo -j ACCEPT
    # accepts traffic on the loopback interface
    iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # allows connections that originated with your machine
    iptables -A INPUT -i wlan0 -s 192.168.0.0/24 -j ACCEPT
    # allows local network
    iptables -A INPUT -p tcp --syn -m state --state NEW --dport 22 -j ACCEPT
    # this allows ssh, you can allow any other service the same way, for a span of ports, portnumber:portnumber should work, like 5000:5009
    iptables -A INPUT -j LOG_REJECT
    # any traffic that doesn't match a rule above is sent to the LOG_REJECT chain, which logs each packet with the [IPTABLES REJECT] prefix and then rejects it.
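An added example (not part of the original thread) for the question of seeing what is blocked: it tallies the kernel log entries written by the LOG_REJECT chain above by interface, protocol and destination port, and builds candidate ACCEPT lines modelled on the ssh rule. The log lines are constructed samples in the netfilter LOG format and the function names are this example's own; candidate lines have to sit above the final LOG_REJECT jump to take effect.

```python
import re
from collections import Counter

LOG_PREFIX = "[IPTABLES REJECT] : "     # --log-prefix of the LOG_REJECT chain above
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample lines (netfilter LOG format), not taken from the thread.
SAMPLE_LOG = """\
Mar 30 14:01:02 box kernel: [IPTABLES REJECT] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.7 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4242 DF PROTO=TCP SPT=51000 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 30 14:01:05 box kernel: [IPTABLES REJECT] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.0.0.7 DST=10.0.0.2 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4243 DF PROTO=TCP SPT=51001 DPT=445 WINDOW=29200 RES=0x00 SYN URGP=0
Mar 30 14:01:09 box kernel: [IPTABLES REJECT] : IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:66:77:88:99:aa:cc:08:00 SRC=10.0.0.9 DST=10.0.0.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=77 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 30 14:01:11 box kernel: [IPTABLES REJECT] : IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:cc:08:00 SRC=10.0.0.9 DST=10.0.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Mar 30 14:01:12 box kernel: usb 1-1: new high-speed USB device number 2
"""


def parse_line(line):
    """Return the fields of one LOG_REJECT entry, or None for unrelated lines."""
    _, sep, rest = line.partition(LOG_PREFIX)
    if not sep:
        return None
    fields = dict(FIELD_RE.findall(rest))
    if "PROTO" not in fields:
        return None
    dpt = fields.get("DPT")
    return {
        "iface": fields.get("IN", ""),
        "src": fields.get("SRC", ""),
        "proto": fields["PROTO"].lower(),
        # ICMP and other port-less protocols carry no DPT field
        "dport": int(dpt) if dpt and dpt.isdigit() else None,
    }


def summarise(lines):
    """Count rejected packets per (interface, protocol, destination port)."""
    hits, sources = Counter(), {}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        key = (entry["iface"], entry["proto"], entry["dport"])
        hits[key] += 1
        sources.setdefault(key, set()).add(entry["src"])
    return hits, sources


def candidate_rules(hits):
    """Build ACCEPT lines to review, most frequently rejected port first."""
    rules = []
    for (iface, proto, dport), _count in hits.most_common():
        if dport is None or proto not in ("tcp", "udp"):
            continue                     # nothing port-based to open
        syn = " --syn" if proto == "tcp" else ""
        rules.append(
            f"iptables -A INPUT -i {iface} -p {proto}{syn} -m state --state NEW "
            f"--dport {dport} -j ACCEPT"
        )
    return rules


if __name__ == "__main__":
    hits, sources = summarise(SAMPLE_LOG.splitlines())
    for (iface, proto, dport), count in hits.most_common():
        srcs = ", ".join(sorted(sources[(iface, proto, dport)]))
        print(f"{count:4d}  {iface:6} {proto:5} dport={dport}  from {srcs}")
    print("\nCandidates to review before adding:")
    for rule in candidate_rules(hits):
        print("  " + rule)
```

On a real system the input would be the kernel log (for example the output of `dmesg` or the syslog file) instead of `SAMPLE_LOG`.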

  • [SOLVED] Test conversion to systemd - Help with iptables status

    With all the discussion around systemd and with a move for systemd to [core] soon, I thought I would convert an arch laptop from initscripts to systemd and see how it worked.
    I followed the advice on the arch wiki for systemd, having already moved the systemd compatible parameters out of rc.conf a while ago. After installing systemd and systemd-arch-units, and adding init=/bin/systemd to the boot kernel line the system booted up nicely with systemd - graphical login failed as the relevant unit is not enabled at that stage - so hitting return to get a login prompt and logging as root it was quick to enable graphical.target and kdm.service, and rebooting then gave me a normal kdm login screen and then a normal login to kde.
    All fine at this point. (By the way total login time was just over 30 seconds for both initscripts and systemd) - then it was necessary to check which services were running - most were running by default under systemd including postfix, dovecot, and sound worked fine with a quick check on a browser for a video feed. Networking was working fine too.
    However iptables, which was previously working fine under initscripts, was not running - I checked that the firewall rules file was intact, which it was. Executing systemctl enable iptables.service appeared to be accepted but after executing systemctl start iptables.service and checking status again it was "exited" - the commands listed under the "start" command seemed normal and no error message appeared in the /var/log/messages file about iptables.
    Can anyone suggest what is needed to get iptables working under systemd (yes I have read the wiki entries but nothing seemed to be relevant to fixing that particular issue).
    Thanks in advance.
    Last edited by mcloaked (2012-08-30 09:01:25)

    cfr wrote:
    I think what you're seeing is normal. Does it give a 0 exit status?
    The service is of type "oneshot". I *think* that means that it is expected to exit.
    As I understand it, iptables is a bit like ipfw. It's in the kernel and the userspace tools just provide an interface to that. So there's no daemon to run.
    You can tell if it has worked correctly by
    iptables --list
    to check that your rules have been loaded correctly.
    Note: I hope somebody will quickly correct me if I'm wrong about this because I've been assuming this is the expected behaviour on my own machine!
    Perfectly correct - I didn't think to check iptables --list but yes all the rules are there as they should be.
    It would be nice to have this documented in the wiki under systemd to help anyone else coming across the same issue.
    I will mark this as solved in the topic title - thank you for replying - it was very helpful (and stopped me continuing the search for a solution by googling!)

  • Iptables command "translated" Cisco ASA 5540 Ver 9.0(1)

    I would like to have these commands on our firewall to prevent at least several students from using this service. Can someone help me to translate this? It's apparently working great if I use a Linux box or another firewall compatible with iptables.
    Thanks in advance.
    Hermano
    iptables -I INPUT -s hotspotshield.com -j REJECT
    iptables -I INPUT -s hotspotshield.net -j REJECT
    iptables -I INPUT -s anchorfree.com -j REJECT
    iptables -I INPUT -s anchorfree.net -j REJECT
    iptables -I INPUT -s openvpn.net -j REJECT
    iptables -I OUTPUT -d hotspotshield.com -j REJECT
    iptables -I OUTPUT -d hotspotshield.net -j REJECT
    iptables -I OUTPUT -d anchorfree.com -j REJECT
    iptables -I OUTPUT -d anchorfree.net -j REJECT
    iptables -I OUTPUT -d openvpn.net -j REJECT

    Check the following link, it should help you out.
    http://www.packetpros.com/2012/08/url-filter-on-asa.html

  • Another iptables thread

    Hi all,
    first of all, the situation.
    I have a LAN with several clients (192.168.15.x)
    and one of them is an Exchange Server.
    As a router I am trying to set up Ubuntu Server,
    which works in some disciplines but not in others.
    I got DHCP and internet routing working
    for the LAN clients.
    But I cannot access the internal Exchange server
    from the outside. So what I need is a routing to
    port 80, 443 and 25 from the Ubuntu server to the
    Exchange client.
    I tried several iptables scripts, but nothing helped.
    Here are the relevant parts of the script:
    iptables -A FORWARD -p tcp -m multiport --dports 20,21,80 -j ACCEPT
    iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.15.1:80
    iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.15.1:443
    #iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.15.1
    #iptables -A FORWARD -i eth1 -m state --state NEW -p tcp -d 192.168.15.1 --dport 80 -j ACCEPT
    #iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 80 -j SNAT --to-source $LAN_IP
    As you can see, I tried every combination I found on the
    internet and it seems to work a bit.
    When I try to access my LAN with my external IP
    it always takes ages until I get the page load error.
    I just cannot figure out what exactly is wrong.
    Some advice would be great.
    Below is the whole script, just in case somebody
    needs it.
    Thanks in advance
    Sven
    #!/bin/bash
    # Linux-iptables-Firewallskript, Copyright (c) 2008 under the GPL
    # Autogenerated by iptables Generator v1.22 (c) 2002-2008 by Harald Bertram
    # Please visit http://harry.homelinux.org for new versions of
    # the iptables Generator (c).
    # This Script was generated by request from:
    # [email protected] on: 2008-11-19 17:12.41 MET.
    # If you have questions about the iptables Generator or about
    # your Firewall-Skript feel free to take a look at out website or
    # send me an E-Mail to [email protected].
    # My special thanks are going to Lutz Heinrich (trinitywork at hotmail dot com)
    # who made lots of Beta-Testing and gave me lots of well qualified
    # Feedback that made me able to improve the iptables Generator.
    case "$1" in
      start)
        echo "Starte IP-Paketfilter"
        # iptables module
        modprobe ip_tables
        # Connection tracking modules
        modprobe ip_conntrack
        # The ip_conntrack_irc module is only available in kernels >= 2.4.19
        modprobe ip_conntrack_irc
        modprobe ip_conntrack_ftp
        # Flush the tables
        iptables -F
        iptables -t nat -F
        iptables -t mangle -F
        iptables -X
        iptables -t nat -X
        iptables -t mangle -X
        # Set default policies
        iptables -P INPUT DROP
        iptables -P OUTPUT DROP
        iptables -P FORWARD DROP
        # MY_REJECT chain
        iptables -N MY_REJECT
        # Populate MY_REJECT
        iptables -A MY_REJECT -p tcp -m limit --limit 7200/h -j LOG --log-prefix "REJECT TCP "
        iptables -A MY_REJECT -p tcp -j REJECT --reject-with tcp-reset
        iptables -A MY_REJECT -p udp -m limit --limit 7200/h -j LOG --log-prefix "REJECT UDP "
        iptables -A MY_REJECT -p udp -j REJECT --reject-with icmp-port-unreachable
        iptables -A MY_REJECT -p icmp -m limit --limit 7200/h -j LOG --log-prefix "DROP ICMP "
        iptables -A MY_REJECT -p icmp -j DROP
        iptables -A MY_REJECT -m limit --limit 7200/h -j LOG --log-prefix "REJECT OTHER "
        iptables -A MY_REJECT -j REJECT --reject-with icmp-proto-unreachable
        # MY_DROP chain
        iptables -N MY_DROP
        iptables -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
        iptables -A MY_DROP -j DROP
        # Log all discarded packets
        iptables -A INPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID "
        iptables -A OUTPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID "
        iptables -A FORWARD -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "FORWARD INVALID "
        # Reject corrupt packets
        iptables -A INPUT -m state --state INVALID -j DROP
        iptables -A OUTPUT -m state --state INVALID -j DROP
        iptables -A FORWARD -m state --state INVALID -j DROP
        # DROP stealth scans etc.
        # No flags set
        iptables -A INPUT -p tcp --tcp-flags ALL NONE -j MY_DROP
        iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j MY_DROP
        # SYN and FIN set
        iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
        iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
        # SYN and RST set at the same time
        iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
        iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
        # FIN and RST set at the same time
        iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
        iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
        # FIN without ACK
        iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
        iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
        # PSH without ACK
        iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
        iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
        # URG without ACK
        iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j MY_DROP
        iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j MY_DROP
        # Allow loopback network communication
        iptables -A INPUT -i lo -j ACCEPT
        iptables -A OUTPUT -o lo -j ACCEPT
        # Clamp the Maximum Segment Size (MSS) to the PMTU for forwarding
        iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
        # Enable connection tracking
        iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
        iptables -A FORWARD -i ! eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
        iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    #    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT -dports 1024:65536
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
        # SSH
        iptables -A INPUT -i eth1 -m state --state NEW -p tcp --dport 22 -j ACCEPT
        # OPENVPN_V1
        iptables -A INPUT -i eth1 -m state --state NEW -p udp --dport 5000 -j ACCEPT
        # OPENVPN_V2
        iptables -A INPUT -i eth1 -m state --state NEW -p udp --dport 1194 -j ACCEPT
        # Allow and answer ICMP echo requests (ping)
        iptables -A INPUT -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT
        # Determine the IP address of the LAN interface
        LAN_IP=$(ifconfig eth2 | head -n 2 | tail -n 1 | cut -d: -f2 | cut -d" " -f 1)
        # NAT for HTTP
    #     iptables -A FORWARD -p tcp -m multiport --dports 20,21,80 -j ACCEPT
        iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.15.1:80
        iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.15.1:443
        #iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to-destination 192.168.15.1
        #iptables -A FORWARD -i eth1 -m state --state NEW -p tcp -d 192.168.15.1 --dport 80 -j ACCEPT
        # Use source NAT (SNAT) for the current connection into the LAN
        #iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 80 -j SNAT --to-source $LAN_IP
        # NAT for HTTPS
        #iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 443 -j DNAT --to-destination 192.168.15.1
        #iptables -A FORWARD -i eth1 -m state --state NEW -p tcp -d 192.168.15.1 --dport 443 -j ACCEPT
        # Use source NAT (SNAT) for the current connection into the LAN
        #iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 443 -j SNAT --to-source $LAN_IP
        # NAT for SMTP
        iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to-destination 192.168.15.1
        iptables -A FORWARD -i eth1 -m state --state NEW -p tcp -d 192.168.15.1 --dport 25 -j ACCEPT
        # Use source NAT (SNAT) for the current connection into the LAN
        iptables -t nat -A POSTROUTING -o eth2 -p tcp --dport 25 -j SNAT --to-source $LAN_IP
        # LAN access on eth2
        iptables -A INPUT -m state --state NEW -i eth2 -j ACCEPT
        # Default policies with REJECT
        iptables -A INPUT -j MY_REJECT
        iptables -A OUTPUT -j MY_REJECT
        iptables -A FORWARD -j MY_REJECT
        # Forwarding/Routing
        echo "Aktiviere IP-Routing"
        echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null
        # SYN-Cookies
        echo 1 > /proc/sys/net/ipv4/tcp_syncookies 2> /dev/null
        # Stop Source-Routing
        for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_source_route 2> /dev/null; done
        # Stop Redirecting
        for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/accept_redirects 2> /dev/null; done
        # Reverse-Path-Filter
        for i in /proc/sys/net/ipv4/conf/*; do echo 2 > $i/rp_filter 2> /dev/null; done
        # Log Martians
        for i in /proc/sys/net/ipv4/conf/*; do echo 1 > $i/log_martians 2> /dev/null; done
        # Disable BOOTP relaying
        for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/bootp_relay 2> /dev/null; done
        # Disable proxy ARP
        for i in /proc/sys/net/ipv4/conf/*; do echo 0 > $i/proxy_arp 2> /dev/null; done
        # Ignore invalid ICMP responses
        echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2> /dev/null
        # Ignore ICMP echo broadcasts
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null
        # Send at most 500/second (5/jiffy)
        echo 5 > /proc/sys/net/ipv4/icmp_ratelimit
        # Memory allocation and timing for IP de-/fragmentation
        echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
        echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
        echo 30 > /proc/sys/net/ipv4/ipfrag_time
        # Set the TCP FIN timeout to protect against DoS attacks
        echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
        # At most 3 responses to a TCP SYN
        echo 3 > /proc/sys/net/ipv4/tcp_retries1
        # Retransmit TCP packets at most 15 times
        echo 15 > /proc/sys/net/ipv4/tcp_retries2
        ;;
      stop)
        echo "Stoppe IP-Paketfilter"
        # Flush the tables
        iptables -F
        iptables -t nat -F
        iptables -t mangle -F
        iptables -X
        iptables -t nat -X
        iptables -t mangle -X
        echo "Deaktiviere IP-Routing"
        echo 0 > /proc/sys/net/ipv4/ip_forward
        # Set default policies
        iptables -P INPUT ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -P FORWARD ACCEPT
        ;;
      status)
        echo "Tabelle filter"
        iptables -L -vn
        echo "Tabelle nat"
        iptables -t nat -L -vn
        echo "Tabelle mangle"
        iptables -t mangle -L -vn
        ;;
      *)
        echo "Fehlerhafter Aufruf"
        echo "Syntax: $0 {start|stop|status}"
        exit 1
    esac

    Hm, sorry, I didn't find time to try earlier.
    I did what you suggested and just used a small script:
        # iptables module
        modprobe ip_tables
        # Connection tracking modules
        modprobe ip_conntrack
        # The ip_conntrack_irc module is only available in kernels >= 2.4.19
        modprobe ip_conntrack_irc
        modprobe ip_conntrack_ftp
        # Flush the tables
        iptables -F
        iptables -t nat -F
        iptables -t mangle -F
        iptables -X
        iptables -t nat -X
        iptables -t mangle -X
        # Set default policies
        iptables -P INPUT DROP
        iptables -P OUTPUT DROP
        iptables -P FORWARD DROP
        # Log all discarded packets
        iptables -A INPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID "
        iptables -A OUTPUT -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID "
        iptables -A FORWARD -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "FORWARD INVALID "
        # Allow loopback network communication
        iptables -A INPUT -i lo -j ACCEPT
        iptables -A OUTPUT -o lo -j ACCEPT
        # Enable connection tracking
        iptables -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
        iptables -A FORWARD -i ! eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
        iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
       iptables -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.15.1
       iptables -A PREROUTING -i eth1 -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.15.1
        # Allow and answer ICMP echo requests (ping)
        iptables -A INPUT -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT
        # Determine the IP address of the LAN interface
        LAN_IP=$(ifconfig eth2 | head -n 2 | tail -n 1 | cut -d: -f2 | cut -d" " -f 1)
        # LAN access on eth2
        iptables -A INPUT -m state --state NEW -i eth2 -j ACCEPT
        # Forwarding/Routing
        echo "Aktiviere IP-Routing"
        echo 1 > /proc/sys/net/ipv4/ip_forward 2> /dev/null
    And I cannot get it working. Phew, this really drives me insane.
    I achieved a lot of things in the last years, learned a lot of
    things by doing it myself. But this seems to stop me.
    I already tried out so much that I don't know what else I
    can do.
    I am lost in my LAN between all the packages flooding around
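An added example, not part of the original posts: a small checker run over the active rules of the two scripts above. It reports DNAT rules whose translated destination no filter-table FORWARD rule accepts for NEW packets, and PREROUTING/POSTROUTING rules that land in the filter table because no -t option was given. It assumes eth1 is the external interface and ignores rule order, port ranges and CIDR matches; all function names are this example's own.

```python
import shlex

NOT_IN_FILTER = {"PREROUTING", "POSTROUTING"}   # the filter table has no such chains

# Active (uncommented) rules excerpted from the full script in the post.
FULL_SCRIPT = """\
iptables -A FORWARD -i ! eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.15.1:80
iptables -t nat -A PREROUTING -p tcp -m tcp --dport 443 -j DNAT --to-destination 192.168.15.1:443
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to-destination 192.168.15.1
iptables -A FORWARD -i eth1 -m state --state NEW -p tcp -d 192.168.15.1 --dport 25 -j ACCEPT
"""

# Active rules excerpted from the reduced script in the follow-up post.
SMALL_SCRIPT = """\
iptables -A FORWARD -i ! eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.15.1
"""


def parse_rule(line):
    """Parse one `iptables ... -A CHAIN ...` command into a dict, else None."""
    line = line.strip()
    if not line.startswith("iptables "):
        return None                      # comments, modprobe, echo, ...
    tok = shlex.split(line)[1:]
    negated, clean = set(), []
    for j, t in enumerate(tok):
        if t != "!":
            clean.append(t)
        elif j and tok[j - 1].startswith("-"):
            negated.add(tok[j - 1])      # old syntax: -i ! eth1
        elif j + 1 < len(tok):
            negated.add(tok[j + 1])      # current syntax: ! -i eth1
    opts = {}
    for j, t in enumerate(clean):
        if t.startswith("-"):
            nxt = clean[j + 1] if j + 1 < len(clean) else None
            opts[t] = None if nxt is None or nxt.startswith("-") else nxt
    if not opts.get("-A"):
        return None
    dports = opts.get("--dport") or opts.get("--dports")
    states = opts.get("--state")
    return {
        "table": opts.get("-t") or "filter",
        "chain": opts["-A"],
        "iface": opts.get("-i"),
        "iface_neg": "-i" in negated,
        "proto": opts.get("-p"),
        "dports": set(dports.split(",")) if dports else None,
        "dest": opts.get("-d"),
        "states": set(states.split(",")) if states else None,
        "target": opts.get("-j"),
        "to": opts.get("--to-destination"),
        "text": line,
    }


def forward_allows(rule, wan_iface, proto, ip, port):
    """True if a filter FORWARD ACCEPT rule matches a NEW packet from wan_iface to ip:port."""
    if (rule["table"], rule["chain"], rule["target"]) != ("filter", "FORWARD", "ACCEPT"):
        return False
    if rule["iface"] is not None and (rule["iface"] == wan_iface) == rule["iface_neg"]:
        return False
    if rule["states"] is not None and "NEW" not in rule["states"]:
        return False
    if rule["proto"] not in (None, proto) or rule["dest"] not in (None, ip):
        return False
    return rule["dports"] is None or port in rule["dports"]


def audit(script, wan_iface="eth1"):     # eth1 as external interface is an assumption
    rules = [r for r in map(parse_rule, script.splitlines()) if r]
    findings = []
    for r in rules:
        if r["table"] == "filter" and r["chain"] in NOT_IN_FILTER:
            findings.append(f"filter table has no {r['chain']} chain (missing -t nat?): {r['text']}")
            continue
        if (r["table"], r["chain"], r["target"]) != ("nat", "PREROUTING", "DNAT") or not r["to"]:
            continue
        # After DNAT the packet crosses FORWARD with the translated destination.
        ip, _, to_port = r["to"].partition(":")
        for port in ([to_port] if to_port else sorted(r["dports"] or [])):
            if not any(forward_allows(f, wan_iface, r["proto"], ip, port) for f in rules):
                findings.append(
                    f"DNAT to {ip}:{port} has no FORWARD ACCEPT for NEW packets from {wan_iface}")
    return findings


if __name__ == "__main__":
    for name, script in (("full script", FULL_SCRIPT), ("small script", SMALL_SCRIPT)):
        print(name)
        for finding in audit(script):
            print("  -", finding)
```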

  • Rules of Vidalia for Iptables

    Hello all,
    I have some problems with Tor/Vidalia and iptables. I want to use Vidalia as a proxy for Firefox with FoxyProxy, but if I don't disable iptables, it doesn't work and I get an infinite loop of the message "Failed to find node for hop 0 of our path. Discarding this circuit."
    Here is the torrc
    ControlPort 9051
    DataDirectory /home/archeryus/.tor
    DirReqStatistics 0
    EntryNodes removed_for_security_or_not
    ExitNodes removed_for_security_or_not
    Log notice stdout
    ReachableAddresses *:80,*:443
    ReachableAddresses reject *:*
    StrictNodes 1
    So the proxy for FoxyProxy is 127.0.0.1:9050
    Here is the Iptables
    # Generated by iptables-save v1.4.19.1 on Fri Jun 21 16:43:57 2013
    *filter
    :INPUT DROP [59:3304]
    :FORWARD DROP [0:0]
    :OUTPUT DROP [0:0]
    -A INPUT -i lo -j ACCEPT
    -A INPUT -p tcp -m multiport --sports 80,443,8000 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -p udp -m udp --sport 53 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -s 212.27.38.253/32 -p tcp -m tcp --sport 554 -j ACCEPT
    -A INPUT -s 212.27.38.253/32 -p tcp -m tcp --dport 8080 -j ACCEPT
    -A INPUT -s 212.27.38.253/32 -p udp -j ACCEPT
    -A OUTPUT -o lo -j ACCEPT
    -A OUTPUT -p udp -m udp --dport 53 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -p tcp -m multiport --dports 80,443,8000 -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -d 212.27.38.253/32 -p tcp -m tcp --dport 554 -j ACCEPT
    -A OUTPUT -d 212.27.38.253/32 -p udp -j ACCEPT
    COMMIT
    # Completed on Fri Jun 21 16:43:57 2013
    # Generated by iptables-save v1.4.19.1 on Fri Jun 21 16:43:57 2013
    *nat
    :PREROUTING ACCEPT [90:5040]
    :INPUT ACCEPT [0:0]
    :OUTPUT ACCEPT [59:3656]
    :POSTROUTING ACCEPT [53:3260]
    COMMIT
    # Completed on Fri Jun 21 16:43:57 2013
    The local loopback in/out seems to be allowed, and the ports that I have specified for Tor too (80,443), but it just doesn't work. It's probably an iptables rules problem, because if I do a "systemctl stop iptables", it works fine.
    Thanks in advance !

    I just did the following:
    1. pacman -S tor (no configuration)
    2. systemctl start tor
    3. set the socks5 proxy (only this one!) in firefox to localhost:9050
    4. reload my iptables with your above rules
    And now I write this over the tor network. So your rules do work (not commenting on them plus - I have not checked, but you might want to xx the IPs in your rules)  Just give it a try without that foxyproxy addon or make sure it is not specifying a http proxy.

  • Microsoft Azure locked out after adding iptables rules.

    Hi,
    I have a Microsoft Azure Linux cloud server. Recently I added some iptables rules to enable some ports, and also enabled port forwarding with ENDPOINTS. After restarting iptables, I was locked out of the cloud server, and I am not able to log in to my server anymore. Is there any way to flush iptables from the Azure frontend? As I am new to Azure, I am not sure about any frontend control panel for the firewalls.
    Please suggest some possible solutions.
    Thanks in Advance !!!
    Sharath Murali

    Hi Sharath;
    With regards to flushing of iptables from the front end, currently we do not have an option to do that.
    To resolve the issue I suggest you delete the VM but retain the disk, then create a new VM, attach the disk to the new VM, disable the firewall, and then rebuild the VM using the old disk.
    Regards;
    Prasant

  • Arno-iptables-firewall and CUPS

    Hello everyone.
    I'm having a problem with my firewall and CUPS. The thing is, when I try to print when the firewall is active the programs (kword, kcontrol, etc) can't contact cups daemon. But when the firewall is stopped I can print normally. The problem is obviously something with the firewall configuration.
    So, the question is, does anyone know how I should configure the firewall (Arno's iptables firewall) in order to solve this problem? I thought about opening the cups port (631) but this wouldn't be the best solution. I don't want to open a port that shouldn't be open.
    The weird thing is that I can access cups through localhost:631 using konqueror, but incredibly slowly. I don't know why the firewall is blocking cups.
    I almost forgot. Before you ask, the printer is connected directly to my computer. It is not a network printer. I have the needed module loaded (usblp) and the cups server is running.
    Thanks in advance,
    Gonza
    Last edited by Gonzakpo (2008-06-20 20:16:20)

    Hello.
    I tried the command iptables -F but nothing. The cups server is still unreachable by kcontrol.
    After running arno's firewall, the iptables -vL output is:
    Chain INPUT (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo any anywhere anywhere
    15 2568 ACCEPT all -- any any anywhere anywhere state ESTABLISHED
    0 0 ACCEPT tcp -- any any anywhere anywhere state RELATED tcp dpts:1024:65535
    0 0 ACCEPT udp -- any any anywhere anywhere state RELATED udp dpts:1024:65535
    0 0 ACCEPT icmp -- any any anywhere anywhere state RELATED
    8 1515 HOST_BLOCK all -- any any anywhere anywhere
    8 1515 SPOOF_CHK all -- any any anywhere anywhere
    8 1515 VALID_CHK all -- eth0 any anywhere anywhere
    8 1515 EXT_INPUT_CHAIN !icmp -- eth0 any anywhere anywhere state NEW
    0 0 EXT_INPUT_CHAIN icmp -- eth0 any anywhere anywhere state NEW limit: avg 60/sec burst 100
    0 0 EXT_ICMP_FLOOD_CHAIN icmp -- eth0 any anywhere anywhere state NEW
    0 0 LOG all -- any any anywhere anywhere limit: avg 1/sec burst 5 LOG level info prefix `Dropped INPUT packet: '
    0 0 DROP all -- any any anywhere anywhere
    Chain FORWARD (policy DROP 0 packets, 0 bytes)
    pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- lo any anywhere anywhere
    0 0 TCPMSS tcp -- any eth0 anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    0 0 ACCEPT all -- any any anywhere anywhere state ESTABLISHED
    0 0 ACCEPT tcp -- any any anywhere anywhere state RELATED tcp dpts:1024:65535
    0 0 ACCEPT udp -- any any anywhere anywhere state RELATED udp dpts:1024:65535
    0 0 ACCEPT icmp -- any any anywhere anywhere state RELATED
    0 0 HOST_BLOCK all -- any any anywhere anywhere
    0 0 UPNP_FORWARD all -- eth0 !eth0 anywhere anywhere
    0 0 SPOOF_CHK all -- any any anywhere anywhere
    0 0 VALID_CHK all -- eth0 any anywhere anywhere
    0 0 LOG all -- any any anywhere anywhere limit: avg 1/min burst 3 LOG level info prefix `Dropped FORWARD packet: '
    0 0 DROP all -- any any anywhere anywhere
    Chain OUTPUT (policy ACCEPT 8 packets, 552 bytes)
    pkts bytes target prot opt in out source destination
    0 0 TCPMSS tcp -- any eth0 anywhere anywhere tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    7 340 ACCEPT all -- any any anywhere anywhere state ESTABLISHED
    8 552 HOST_BLOCK all -- any any anywhere anywhere
    0 0 LOG all -f any any anywhere anywhere limit: avg 3/min burst 5 LOG level info prefix `FRAGMENTED PACKET (OUT): '
    0 0 DROP all -f any any anywhere anywhere
    8 552 EXT_OUTPUT_CHAIN all -- any eth0 anywhere anywhere
    Chain DMZ_INET_FORWARD_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain DMZ_INPUT_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain DMZ_LAN_FORWARD_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain EXT_FORWARD_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain EXT_ICMP_FLOOD_CHAIN (1 references)
    pkts bytes target prot opt in out source destination
    0 0 LOG icmp -- any any anywhere anywhere icmp destination-unreachable limit: avg 12/hour burst 1 LOG level info prefix `ICMP-unreachable flood: '
    0 0 DROP icmp -- any any anywhere anywhere icmp destination-unreachable
    0 0 LOG icmp -- any any anywhere anywhere icmp time-exceeded limit: avg 12/hour burst 1 LOG level info prefix `ICMP-time-exceeded flood: '
    0 0 DROP icmp -- any any anywhere anywhere icmp time-exceeded
    0 0 LOG icmp -- any any anywhere anywhere icmp parameter-problem limit: avg 12/hour burst 1 LOG level info prefix `ICMP-param.-problem flood: '
    0 0 DROP icmp -- any any anywhere anywhere icmp parameter-problem
    0 0 LOG icmp -- any any anywhere anywhere icmp echo-request limit: avg 12/hour burst 1 LOG level info prefix `ICMP-request(ping) flood: '
    0 0 DROP icmp -- any any anywhere anywhere icmp echo-request
    0 0 LOG icmp -- any any anywhere anywhere icmp echo-reply limit: avg 12/hour burst 1 LOG level info prefix `ICMP-reply(pong) flood: '
    0 0 DROP icmp -- any any anywhere anywhere icmp echo-reply
    0 0 LOG icmp -- any any anywhere anywhere icmp source-quench limit: avg 12/hour burst 1 LOG level info prefix `ICMP-source-quench flood: '
    0 0 DROP icmp -- any any anywhere anywhere icmp source-quench
    0 0 LOG icmp -- any any anywhere anywhere limit: avg 12/hour burst 1 LOG level info prefix `ICMP(other) flood: '
    0 0 DROP icmp -- any any anywhere anywhere
    Chain EXT_INPUT_CHAIN (2 references)
    pkts bytes target prot opt in out source destination
    0 0 LOG tcp -- any any anywhere anywhere tcp dpt:0 limit: avg 6/hour burst 1 LOG level info prefix `TCP port 0 OS fingerprint: '
    0 0 LOG udp -- any any anywhere anywhere udp dpt:0 limit: avg 6/hour burst 1 LOG level info prefix `UDP port 0 OS fingerprint: '
    0 0 DROP tcp -- any any anywhere anywhere tcp dpt:0
    0 0 DROP udp -- any any anywhere anywhere udp dpt:0
    0 0 LOG tcp -- any any anywhere anywhere tcp spt:0 limit: avg 6/hour burst 5 LOG level info prefix `TCP source port 0: '
    0 0 LOG udp -- any any anywhere anywhere udp spt:0 limit: avg 6/hour burst 5 LOG level info prefix `UDP source port 0: '
    0 0 DROP tcp -- any any anywhere anywhere tcp spt:0
    0 0 DROP udp -- any any anywhere anywhere udp spt:0
    4 1314 ACCEPT udp -- any any anywhere anywhere udp spt:bootps dpt:bootpc
    0 0 ACCEPT tcp -- + any anywhere anywhere tcp dpt:4872
    0 0 ACCEPT udp -- + any anywhere anywhere udp dpt:4875
    0 0 LOG icmp -- any any anywhere anywhere icmp echo-request limit: avg 3/min burst 1 LOG level info prefix `ICMP-request: '
    0 0 LOG icmp -- any any anywhere anywhere icmp destination-unreachable limit: avg 12/hour burst 1 LOG level info prefix `ICMP-unreachable: '
    0 0 LOG icmp -- any any anywhere anywhere icmp time-exceeded limit: avg 12/hour burst 1 LOG level info prefix `ICMP-time-exceeded: '
    0 0 LOG icmp -- any any anywhere anywhere icmp parameter-problem limit: avg 12/hour burst 1 LOG level info prefix `ICMP-param.-problem: '
    0 0 DROP icmp -- any any anywhere anywhere icmp destination-unreachable
    0 0 DROP icmp -- any any anywhere anywhere icmp time-exceeded
    0 0 DROP icmp -- any any anywhere anywhere icmp parameter-problem
    0 0 DROP icmp -- any any anywhere anywhere icmp echo-request
    0 0 DROP icmp -- any any anywhere anywhere icmp echo-reply
    0 0 LOG tcp -- any any anywhere anywhere tcp dpts:1024:65535 flags:!FIN,SYN,RST,ACK/SYN limit: avg 3/min burst 5 LOG level info prefix `Stealth scan (UNPRIV)?: '
    0 0 LOG tcp -- any any anywhere anywhere tcp dpts:0:1023 flags:!FIN,SYN,RST,ACK/SYN limit: avg 3/min burst 5 LOG level info prefix `Stealth scan (PRIV)?: '
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN
    0 0 LOG tcp -- any any anywhere anywhere tcp dpts:0:1023 limit: avg 6/min burst 2 LOG level info prefix `Connection attempt (PRIV): '
    0 0 LOG udp -- any any anywhere anywhere udp dpts:0:1023 limit: avg 6/min burst 2 LOG level info prefix `Connection attempt (PRIV): '
    2 96 LOG tcp -- any any anywhere anywhere tcp dpts:1024:65535 limit: avg 6/min burst 2 LOG level info prefix `Connection attempt (UNPRIV): '
    1 57 LOG udp -- any any anywhere anywhere udp dpts:1024:65535 limit: avg 6/min burst 2 LOG level info prefix `Connection attempt (UNPRIV): '
    3 144 DROP tcp -- any any anywhere anywhere
    1 57 DROP udp -- any any anywhere anywhere
    0 0 DROP icmp -- any any anywhere anywhere
    0 0 LOG all -- any any anywhere anywhere limit: avg 1/min burst 5 LOG level info prefix `Other-IP connection attempt: '
    0 0 DROP all -- any any anywhere anywhere
    Chain EXT_OUTPUT_CHAIN (1 references)
    pkts bytes target prot opt in out source destination
    Chain HOST_BLOCK (3 references)
    pkts bytes target prot opt in out source destination
    Chain INET_DMZ_FORWARD_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain LAN_INET_FORWARD_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain LAN_INPUT_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain MAC_FILTER (0 references)
    pkts bytes target prot opt in out source destination
    Chain POST_FORWARD_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain POST_INPUT_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain POST_OUTPUT_CHAIN (0 references)
    pkts bytes target prot opt in out source destination
    Chain RESERVED_NET_CHK (0 references)
    pkts bytes target prot opt in out source destination
    0 0 LOG all -- any any 10.0.0.0/8 anywhere limit: avg 1/min burst 1 LOG level info prefix `Class A address: '
    0 0 LOG all -- any any 172.16.0.0/12 anywhere limit: avg 1/min burst 1 LOG level info prefix `Class B address: '
    0 0 LOG all -- any any 192.168.0.0/16 anywhere limit: avg 1/min burst 1 LOG level info prefix `Class C address: '
    0 0 LOG all -- any any 169.254.0.0/16 anywhere limit: avg 1/min burst 1 LOG level info prefix `Class M$ address: '
    0 0 DROP all -- any any 10.0.0.0/8 anywhere
    0 0 DROP all -- any any 172.16.0.0/12 anywhere
    0 0 DROP all -- any any 192.168.0.0/16 anywhere
    0 0 DROP all -- any any 169.254.0.0/16 anywhere
    Chain SPOOF_CHK (2 references)
    pkts bytes target prot opt in out source destination
    8 1515 RETURN all -- any any anywhere anywhere
    Chain UPNP_FORWARD (1 references)
    pkts bytes target prot opt in out source destination
    Chain VALID_CHK (2 references)
    pkts bytes target prot opt in out source destination
    0 0 LOG tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG limit: avg 3/min burst 5 LOG level info prefix `Stealth XMAS scan: '
    0 0 LOG tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG limit: avg 3/min burst 5 LOG level info prefix `Stealth XMAS-PSH scan: '
    0 0 LOG tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG limit: avg 3/min burst 5 LOG level info prefix `Stealth XMAS-ALL scan: '
    0 0 LOG tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN limit: avg 3/min burst 5 LOG level info prefix `Stealth FIN scan: '
    0 0 LOG tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN,RST limit: avg 3/min burst 5 LOG level info prefix `Stealth SYN/RST scan: '
    0 0 LOG tcp -- any any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN limit: avg 3/min burst 5 LOG level info prefix `Stealth SYN/FIN scan(?): '
    0 0 LOG tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE limit: avg 3/min burst 5 LOG level info prefix `Stealth Null scan: '
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN,RST
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0 0 LOG tcp -- any any anywhere anywhere tcp option=64 limit: avg 3/min burst 1 LOG level info prefix `Bad TCP flag(64): '
    0 0 LOG tcp -- any any anywhere anywhere tcp option=128 limit: avg 3/min burst 1 LOG level info prefix `Bad TCP flag(128): '
    0 0 DROP tcp -- any any anywhere anywhere tcp option=64
    0 0 DROP tcp -- any any anywhere anywhere tcp option=128
    0 0 DROP all -- any any anywhere anywhere state INVALID
    0 0 LOG all -f any any anywhere anywhere limit: avg 3/min burst 1 LOG level warning prefix `Fragmented packet: '
    0 0 DROP all -f any any anywhere anywhere

  • LAN chain in iptables. Are there better approaches?

    Hi all.
    I'm a newbie in iptables and network security stuff. I would like to get advice on the following problem.
    I have a router with IP 192.168.1.1; my LAN contains a bunch of wireless devices and a desktop PC with a static IP *.2.
    I want to enable certain services (ftp, sftp for local user, game servers, etc.) on my desktop PC to be accessible from any of my wireless devices.
    Though, I don't want them to be accessible from the router, because I want to be safe just in case the router gets hacked (router has DDNS enabled and runs sshd for tunneling purposes).
    It is not actually safety that bothers me a lot. I'm just trying to gain some understanding on topic, so I decided to make this particular setup.
    I've read that Simple Stateful Firewall article on wiki and now I'm considering doing the following, but not sure, whether this is good approach:
    # create chains
    iptables -N LAN
    iptables -N LAN_TCP
    iptables -N LAN_UDP
    # route all traffic from wireless devices to LAN chain
    iptables -A INPUT -m iprange --src-range 192.168.1.3-192.168.1.255 -j LAN
    # specific LAN chain rules
    iptables -A LAN -p tcp --syn -m conntrack --ctstate NEW -j LAN_TCP
    iptables -A LAN_TCP -p tcp --dport 22 -j ACCEPT
    Is it worthwhile? Are there better approaches? I suspect that if the router gets hacked, the hacker will be able to change its IP, so such rules won't work, will they?
    Just thought that perhaps restricting by the router's MAC would be a better approach. Though I've written a lot of text already... So, anyway, I would like to get comments from forum members.
    Thanks in advance.

    That should work, although don't forget to DROP or REJECT by default:
    iptables -P INPUT DROP
    iptables / netfilter is very flexible and you can achieve any given task a number of ways. There are generally no "right" and "wrong" ways, just best practices here and there.
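
A small model of how the posted chains are traversed, showing why the default policy decides what happens to the router's packets (added example, not code from the thread; the packet fields and helper names are assumptions, and only the rules quoted above are modelled):

```python
import ipaddress

def in_range(src, lo, hi):
    """Equivalent of -m iprange --src-range lo-hi."""
    ip = ipaddress.ip_address
    return ip(lo) <= ip(src) <= ip(hi)

# The posted rules as (match predicate, target) pairs per chain.
RULES = {
    "INPUT": [
        (lambda p: in_range(p["src"], "192.168.1.3", "192.168.1.255"), "LAN"),
    ],
    "LAN": [
        (lambda p: p["proto"] == "tcp" and p["syn"] and p["ctstate"] == "NEW",
         "LAN_TCP"),
    ],
    "LAN_TCP": [
        (lambda p: p["proto"] == "tcp" and p["dport"] == 22, "ACCEPT"),
    ],
    "LAN_UDP": [],  # created in the post, no rules yet
}

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

def walk(chain, pkt):
    """Return a terminal verdict, or None if the chain ends without one."""
    for match, target in RULES[chain]:
        if not match(pkt):
            continue
        if target in TERMINAL:
            return target
        verdict = walk(target, pkt)  # jump into a user-defined chain
        if verdict is not None:
            return verdict
        # user-defined chain fell off its end: resume after the jump
    return None

def verdict(pkt, input_policy):
    """Built-in chain: if no rule decides, the chain policy (-P) applies."""
    return walk("INPUT", pkt) or input_policy

def syn(src, dport):
    """Constructed sample packet: a new TCP connection attempt."""
    return {"src": src, "proto": "tcp", "dport": dport,
            "syn": True, "ctstate": "NEW"}

if __name__ == "__main__":
    for policy in ("ACCEPT", "DROP"):
        for src, dport in (("192.168.1.50", 22), ("192.168.1.50", 21),
                           ("192.168.1.1", 22)):
            print(policy, src, dport, "->", verdict(syn(src, dport), policy))
```

With the policy left at ACCEPT, the router (192.168.1.1) never enters the LAN chain and is accepted by the policy; only `-P INPUT DROP` turns the LAN chain into an allow-list.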

  • Expand Text Box? "Advanced" text options not hidden?

    The title text box/editor is very small in the 10.2 update.  It's just big enough for 2 lines of text.  I find it fairly inconvenient to have it so small (I am referring to the text box in the inspector).  I'm guessing there is no way to expand this to fit more lines of text in, but if anyone knows how that'd be sweet! Otherwise I'm just crossing my fingers it gets a quick update since I'm using it every day for work.
    Also, the "advanced" tab always being collapsed in the basic text editing tools is annoying, too.  I use this every time I make a title (which I'm making two videos a day, so it's a little more tedious now after the update).  Personally, for a professional program I would consider the options in the "advanced" section to actually be basic and fairly necessary... based on how I use it, so maybe I'm not a normal case.
    Nothing is broken, just less convenient...
    Thanks y'all!

    That is a wonderful idea if I could find where to do that (maybe another feedback will be to make finding the feedback area easier (: ). Where can I find the feedback area?  Thanks for the quick reply as well!

  • Open advances given to vendor-urgent

    Hi,
    I want to know the list of purchase orders which have open advances.
    Please suggest the report or transaction name where I will get these details of vendor/purchase order and balance advance amount.

    Hi,
    Check this report in Accounts Payable Information systems
    S_ALR_87012105 - List of Down Payments Open On Key Date - Vendors
    Please let me know if you need more information.
    Assign points if useful.
    Regards
    Sridhar M

  • [SOLVED] how to use different iptables rules for different ppp account?

    An x86 platform running an Arch Linux system has two network interfaces, eth1 and eth0. eth1 connects to the internet; eth0 connects to other terminals through a switch. I want to use different iptables rules for different PPPoE accounts. I also want to know how to forbid more than one terminal from establishing a PPPoE link using the same account at the same time.
    Last edited by linuxsir (2013-09-26 06:48:01)

    (You establish PPPoE sessions over the local network to the Arch machine? Which then routes the traffic?)
    First question: yes, that is exactly what I have done. Second question: I also have a small script on the Windows PC to solve the traffic routing problem:
    route -p delete 0.0.0.0
    route -p add 192.168.9.0 mask 255.255.255.0 192.168.9.1
    route -p add 0.0.0.0 mask 0.0.0.0 192.168.22.0
    But after a while I found the script is not necessary, because Windows always attempts to use the PPPoE session as the default internet connection; the local connection is also OK.
    And using -i pppX in my iptables rules does not solve my problem, because a PPPoE session started by the same account could be marked as ppp0 or ppp1. It is hard to identify which account started the session.

  • DID YOU KNOW?? - ABOUT ADVANCED COMPONENTS IN THE PALETTE??

    Hi All,
    DID YOU KNOW??
    The IDE ships with the following Advanced Components in the Palette.
    These advanced components are a set of JavaServer Page markup tags for advanced users. The components have no visual appearance and are useful to developers with experience in JSP and JavaServer Faces technologies.
    * Encoding
    * Faces Action Listener
    * Faces Converter
    * Faces Validator
    * Faces Value Change Listener
    * Faces Verbatim
    * Link
    * Load Bundle
    * Markup
    * Meta
    * Parameter
    * Script
    Let's look at the MARKUP component in more detail.
    The MARKUP Component
    You can drag the Markup component from the Palette's Advanced category to the Visual Designer to create a standard HTML tag. The Markup component enables you to insert HTML elements into the JSP page in places that HTML is not permitted.
    When you drop this component on a page in the Visual Designer, you cannot see it on the page until you set the tag property. You can see it in the Outline window and you can select it there to edit its properties in the Properties window.
    Use the tag property to specify the type of HTML element to insert. For instance, to insert an <hr> tag, set the tag property to hr with no angle brackets and select the singleton property.
    To provide compliance with XHTML, if the HTML element you are inserting is a singleton element, you must specify the singleton property, which causes a trailing /> to be generated in the rendered HTML. For example, the <br> element is a singleton element that must be rendered as <br /> to make it XHTML compliant.
    If you want to specify HTML attributes in addition to id and style for the element you are inserting, use the extraAttributes property.
    Learn more :-
    http://developers.sun.com/prodtech/javatools/jscreator/reference/docs/help/2update1/components/advanced_list.html
    We would like to know the following from you :-
    1) Are you using these Advanced Components in applications you are building? If so How and Where?
    2) Did you face any challenges while using them?
    3) Did you find any special usages/scenarios for using these components?
    Thanks for all your inputs and for joining in the discussion.
    K

    What would you like in the documentation? Do you have specific questions about particular components? Do you want examples? What's missing from the online help at http://developers.sun.com/prodtech/javatools/jscreator/reference/docs/help/2update1/components/advanced_list.html?

  • Advance select for source file in Sender File Adapter

    Hi
    I am trying to utilise the parameter 'Advance Selection for source file' on a sender file adapter to pick the file from multiple folders
    My problem is that this parameter that is listed on the SAP help is not getting in File accessing Parameters.
    I am running PI 7.02 (NW702_07_Rel)
    Service pack 07
    Has anyone come across this before?
    any suggestions on how to do this?

    Hi,
    In PI7.0 the property exists. I have used it previously. I think SP was 13.
    Regards,
    Nutan
    Edited by: nutan champia on Nov 24, 2011 10:42 AM

  • How to go for Advance selction for source file in J2SE adapter

    Hi all,
    I am doing a file-to-file scenario using the J2SE adapter. I have to pick files from two different directories. We can easily achieve this in the J2EE adapter using advanced selection of source file, but how do I proceed in the case of the J2SE plain adapter? Please guide me with your knowledge.
    Regards,
    saurabh

    This is not possible. You need different adapters, but you can use the same interface and namespace, so there should be no issue.
    Regards
    Stefan
