Iptables rule needed for DHCP client?

For a long time I've had a rule in my iptables ruleset which explicitly allows replies from DHCP servers:
-A INPUT -p udp -m udp --sport 67 --dport 68 -j ACCEPT
Now I'm wondering if I actually need this. I don't filter any outgoing packets and I do have the usual "accept related and established packets" rule before this one. DHCP is really odd and exposes some edge-cases in network setup. In this case, there will be times when I don't have an IP (fresh start for an interface), or when I ask to renew a lease from one DHCP server but get a reply from a totally different one (yeah, our network is weird). I wonder if netfilter is smart enough to see those replies as "established" or "related". Does anybody know for sure? Do you use DHCP and iptables, without such a rule?

I took the time to test various DHCP scenarios and found that indeed, it doesn't look like I need this rule. I originally started using it because I did need such a rule with ipfw on OS X - it would block the replies since it didn't know how to deal well with situations where you have to transmit with a 0.0.0.0 source IP.

Similar Messages

  • DNS record ownership for DHCP clients

    my configuration:
    dhcp/dns/dc installed on same system - Windows 2008 R2 SP1 in domain environment.
    all zones configured to secure updates only with aging and scavenging enabled
    dhcp servers are member of DNSupdateproxy group.
    dhcp are configured with standard domain user account (this user was made a member of dnsupdateproxy as well, DOES THAT MATTER?)
    dhcp scopes are configured with default DNS setup (force DNS update by DHCP)
    now...
    all DNS records for endpoint devices on DHCP lease (Windows 7, Mac OS X, Ubuntu) are owned by SYSTEM
    in the security tab for some DNS records I can see the service account with write permission to the record (I believe this is the desired state)
    in other records the service account has no permission but timestamps are still updated by the computer account (hostname$ has write permission). These records have a pencil icon on the computers in the DHCP lease table.
    The problem with this (hostname$ has write permissions) is that when a user connects to the network via VPN (obtains a DHCP lease) they get two records registered in DNS -> 1 record for the IP distributed by the DHCP server and a 2nd record for their home private network.
    Has anyone seen this before?
    I've tried deleting DNS records / releasing the IP on the endpoint device (example Win7). It would not register to DNS by DHCP. However, if I do ipconfig /registerdns it will do it, but the DHCP service account won't have permission on this record.

    It appears that DHCP may not be configured with credentials, the DHCP DNS settings are not configured to force DHCP to register ALL requests, nor has the DHCP server itself been added to the DnsUpdateProxy group. These are all prerequisites for DHCP to own all records; otherwise you will see the default behavior, which is:
    By default, Windows 2000 and newer statically configured machines will register their A record (hostname) and PTR (reverse entry) into DNS.
    If set to DHCP, a Windows 2000 or newer machine will request DHCP to allow the machine itself to register its own A record, but DHCP will register its PTR (reverse entry) record.
    The entity that registers the record in DNS owns the record.
    In summary:
    Configure DHCP Credentials. The credentials only need to be a plain-Jane, non-administrator, user account. Give it a really strong password.
    Set DHCP properties, DNS tab, to update everything, whether the clients can or cannot.
    Add the DHCP server(s) to the Active Directory, Built-In DnsUpdateProxy security group.
    Make sure ALL other non-DHCP servers are NOT in the DnsUpdateProxy group. For example, some believe that the DNS servers or other DCs not running DHCP should be in it. They must be removed or it won't work.
    On Windows 2008 R2 or newer, DISABLE Name Protection.
    If DHCP is co-located on a Windows 2008 R2 or Windows 2012 DC, you can and must secure the DnsUpdateProxy group by running the following:
    dnscmd /config /OpenAclOnProxyUpdates 0
    Configure Scavenging on one DNS server. Set the NOREFRESH and REFRESH values combined to be equal to or greater than the DHCP lease length. What it scavenges will replicate to the others anyway.
    DHCP Service Configuration, Dynamic DNS Updates, Scavenging, Static Entries, Timestamps, DnsUpdateProxy Group, DHCP Credentials, prevent duplicate DNS records, DHCP has a "pen" icon, and more...
    Published by Ace Fekay, MCT, MVP DS on Aug 20, 2009 at 10:36 AM
    http://msmvps.com/blogs/acefekay/archive/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group.aspx
    Good summary:
    How Dynamic DNS behaves with multiple DHCP servers on the same Domain?
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/e9d13327-ee75-4622-a3c7-459554319a27
    DNS Record Ownership and the DnsUpdateProxy Group
     http://technet.microsoft.com/en-us/library/dd334715(v=ws.10).aspx
    DNS Record Ownership and the DnsUpdateProxy Group
    "... to protect against unsecured records or to permit members of the DnsUpdateProxy group to register records in zones that allow only secured dynamic updates, you must create a dedicated (NON-ADMIN) user account and
    configure DHCP servers to perform DNS dynamic updates with the credentials of this account (user name, password, and domain). Multiple DHCP servers can use the credentials of one dedicated user account."
    http://technet.microsoft.com/en-us/library/dd334715(WS.10).aspx
    DNS record ownership and the DnsUpdateProxy group
    http://social.technet.microsoft.com/Forums/en-US/winserverNIS/thread/b17c798c-c4b2-4624-926c-4d2676e68279/
    Ace Fekay
    MVP, MCT, MCITP/EA, MCTS Windows 2008/R2 & Exchange 2007, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Technical Blogs & Videos: http://www.delawarecountycomputerconsulting.com/
    This post is provided AS-IS with no warranties or guarantees and confers no rights.

  • Udev custom rule needed for mounting an ipad via ifuse

    I followed the wiki for using ifuse to mount devices.  There is a rule made for iPhone/iPads on that same page which I would like to adapt to an iPad 2.  Can someone help me with creating a rule for this purpose?  I read the udev and writing udev rules articles, but am unsure how to tie this into ifuse.  For example, I don't know what device to plug into the following command since ifuse is used to mount the iPad.
    # udevadm info -a -n [device]
    # mount | grep ipad
    ifuse on /media/ipad type fuse.ifuse (rw,nosuid,nodev)
    Last edited by graysky (2011-09-02 22:35:41)

    Another way to see this:  
    Apple offers half price apps.  Configurator is not mandatory, but half price apps are almost useless to a school without Configurator.
    Using Configurator means schools are forced to always use the most bleeding edge iOS.
    ==============================================================
    Imagine if Microsoft offered half price apps to schools, but only if the IT staff forced everyone to use Windows 8. Oh my...
    This affects many apps.  If you feel Apple should not be so forceful and restrictive please call and let them know you don't want Configurator to force the new iOS at the time of prep.   (866) 752-7753

  • [perl] Writing my first module (IPTables::Rule); Looking for feedback

    Well pretty much as the subject says... I've been hacking away with perl for a while, but this is the first time I've tried writing a module.
    I think (hope) I'm on the right track in terms of doing it the "right" way (or one of the X "right" ways perl lets you!).
    If you're bored and have time to have a glance over and tell me how I'm doing, that would be great
    https://github.com/fukawi2/IPTables-Rule

    juster wrote:This looks nice and seems to be very complete. Creating modules is a thankless art and I wish you the best. I skimmed through it and noticed a few things that stood out to me:
    Thanks for your time and input
    juster wrote:You use empty prototypes for all your functions. These are not necessary and I think you have picked up this habit from somewhere else. Most likely from shell scripting. I also only mention this because prototypes can be misleading to programmers because they almost always do the unexpected and cause subtle confusion.
    Sure, let's say shell scripting............
    Removed them all.
    juster wrote:I see you call private functions, preceded by the ampersand (&). This is the old perl 4 syntax for calling functions. Luckily this ugliness is behind us. The only practical reason to use it now is to disable argument checking which has been previously enforced by prototypes. If you remove the empty prototypes you won't have to call your "private" subs by prefixing their names with ampersands.
    I was actually aware the ampersands are not required, but I like them... They're just a little hint when skimming code that it's a function... Just like $, @ or % on variables. Having had a Google around, I didn't actually know there was a difference between using it and not using it, so I removed them too. I'll get used to it.
    juster wrote:The setters in your docs use assignment instead of passing the new values as arguments to methods.
    Doh, that's why an extra set of eyes is useful... The test module can't pick that up
    Fixed also.
    juster wrote:Lastly, and maybe most important, why not put this on CPAN? Join us in the chaos! Anyways... have fun and merry xmas.
    I was thinking about it... Wanted to make sure it's not a complete dog's breakfast first though.

  • Which business function needed for Business client? SICF missing...

    Now we have EHP2 installed in our ERP.
    Which business function do I need to activate so that Business Client will work and /sap/bc/nwbc/ will then be found in transaction SICF?
    br
    KK

    Hi Kanki,
    This thread is related to the BASIS.
    Please post this thread to the BASIS Forum.
    Thanks,
    Chidanand

  • Ipf.conf entries needed for netbackup client, server, ssh

    Hi,
    Could somebody please help me in configuring ipfilter (ipf.conf entries/solaris 10) on two machine,
    1. netbackup client
    2. netbackup master/media server
    I would like to enable icmp echo and ssh on both the machines.
    many thanks
    Ushas Symon

  • DHCP Client Service Procedure Not Found

    I have a W2008R2 Standard server (DC) holding both DHCP and DNS roles.  When the server was originally built (migrated from 2003) the DHCP did not load properly, and per a Microsoft support incident we backed up the existing DHCP and rebuilt it.  Everything was working fine; however, the DHCP Client Service does not run.  This was back in 2012, so I don't recall whether the service was started and quit or if we just didn't notice that the Client Service was not running.  It has not been a problem for me until now.  I need to run a new backup agent on this server and it requires the DHCP Client Service to be running.
    I did notice upon a reboot that the service was "stopping" and will not restart.  It appears as though it does start on boot and then immediately stops, as I would not have caught the "stopping" status had I not gone into the Services MMC right away.  The error that I get when trying to restart is 127:  The specified procedure could not be found.  This is the only info logged in the event viewer as well.  The service is configured to start using Network Service credentials and is set to automatic.  The dependencies are:  "depends on" Ancillary Function Driver for Winsock & TCP/IP Protocol Driver.  The WinHTTP Web Proxy Auto-Discovery Service depends on the Client Service.
    I have noticed on two other W2008R2 servers that the dependencies are different.  The "depends on" are:  Ancillary Function Driver for Winsock, NetIO Legacy TDI Support Driver and Network Store Interface Service.  The components depending on the Client Service are the same on all servers.  I'm not sure if these differences are due to the fact that this server is running DHCP server and the others are not, or whether this difference is the reason for my issue.  I'm hesitant to change these parameters without some guidance for fear of trashing my entire box.  I did remove and completely rebuild/reinstall the DHCP server role last night, hoping that might fix the issue, but no luck.  I've run DNS tests & DCDiag with no issues found.  Anyone familiar with this problem?  What to do? Thanks!

    Updates:  There are no events being reported at all in the DHCP Service log.  Things I have tried thus far:
    All Windows Updates installed
    Uninstall and re-install the DHCP Server
    Reset Winsock
    Made sure permissions are set to Full for both Network Service & Local Service accounts (I tried changing the logon account to Local Service also).
    I noticed on another (working) W2008R2 server that the dependencies were different, although this server did not hold the role of DHCP Server.  The problematic server only listed Ancillary Function Driver for Winsock & Tcpip.  The working server listed Ancillary Function Driver for Winsock, Network Store Interface Service and NetIO Legacy TDI Support Driver.  I then changed the dependencies to match those of the working server.  Verified that all of these were "started" in Device Manager.  The DHCP Client Service now fails with Error 1079:  The account specified for this service is different from the account specified for other services running in the same process.  (I did find a Microsoft Fixit for this; it didn't make any difference though).
    I noticed on the other working server that the logon account for DHCP Client Service is actually LocalServiceNetworkRestricted.  I had set it to LocalService.  After making this change, my error has now changed to: Windows could not start the DHCP Client service on Local Computer.  Error 1314:  A required privilege is not held by the client.
    I split my DHCP scope and set up a second DHCP server to determine what effect the DHCP Server role had on things.  I don't know that I've noticed anything, to be honest.  So moving on...
    I mirrored the permissions in the registry to those of the new (additional) DHCP server for the following key:  HKLM\System\CurrentControlSet\Services\DHCP.  When I compare the permissions I notice that the problematic server is missing some entries.  The working server has:  SYSTEM, LOCAL SERVICE, NETWORK SERVICE, Administrator, Users, Network Configuration Operators & Dhcp.  The troubled server does not list Network Configuration Operators or Dhcp.  I was able to add the NW Configuration Operators (a built-in security group), but do not see anything for Dhcp other than user groups for DHCP Admins & Users.  Based on what I see on the working server, I don't think that is the right thing to add.
    I also noticed that some keys were missing for this reg entry vs. the same key on the second server.  Missing were (all under the HKLM entry above):  RequiredPrivileges (REG_MULTI_SZ) value:  SeChangeNotifyPrivilege SeCreateGlobalPrivilege; ServiceDll (REG_EXPAND_SZ) %SystemRoot%\system32\dhcpcore.dll (*I did verify this file does exist); and ServiceSidType (REG_DWORD) value:  1.  I added these reg keys.  I also noticed that the troubled server has a subkey titled Enum.  There are 4 values listed:  Default (REG_SZ), no value.  0 (REG_SZ) Data value= Root\LEGACY_DHCP\0000, Count (REG_DWORD) Value: 1 and NextInstance (REG_DWORD) Value: 1.  The working server does not have this key.
    In comparing the reg values on each server, the only significant difference that I've noticed other than what is listed above is HKLM\System\CurrentControlSet\Services\Dhcp\Parameters.  On the working server the ServiceDll is dhcpcore.dll.  On the server having the issue that value is defined as dhcpcsvc.dll.  I suspect that this could be a contributing factor, but have not made the change yet.
    I am still sitting with the error 1314:  A required privilege is not held by the client.
    So this is where I'm at... Any ideas would be appreciated as I'm really trying to avoid having to rebuild this entire server.  Thank you

  • How to configure dhcp client identifier

    Hi Everybody,
    The DHCP client ID is an id that is unique for DHCP clients, at least in the same subnet. Usually the client uses the MAC address as the Client-Identifier in the DHCPDISCOVER message. The Client-Identifier may be something other than the MAC address, for example an FQDN, as per RFC 2132 (code 61).
    Usually, we use the following to bind the IP address based on the MAC address:
    pntadm -r SUNWfiles -p /var/dhcp -A 10.42.32.86 -i '0:3:ba:a5:a9:93' -a 10.42.32.80
    At server side, I am using the following for specifying the FQDN name.
    pntadm -r SUNWfiles -p /var/dhcp -A 10.42.32.86 -i 'one.atr.com' -a 10.42.32.80
    and at client side, I am inserting the following entry in the /etc/default/dhcpagent file
    CLIENT_ID='one.atr.com'
    But this is not working. What am I doing wrong?
    1. At the server side, how then do I assign IP addresses to the clients if the Client-Identifier in the DHCPDISCOVER message is an FQDN rather than the MAC address?
    2. How do I configure the client-identifier as an FQDN at the client side?
    Please help me,
    Thanks in advance,
    Mummaneni.

    Sandman,
    Here is an example of a router acting as a DHCP server. Please remember that you have to exclude IP addresses that you don't want to lease out.
    ip dhcp pool example
    import all
    network 192.168.1.0 255.255.255.0
    dns-server 1.2.3.4
    default-router 192.168.1.1
    ip dhcp excluded-address 192.168.1.1 192.168.1.149
    ip dhcp excluded-address 192.168.1.200 192.168.1.254
    HTH,
    Mark

  • Macs show up as "unknown" on my router's DHCP Client Table

    Both of my Macs, an Intel Mac Mini running Snow Leopard and a G4 iMac running Tiger show up as "unknown" in my router's DHCP client table.
    All of my Windows PCs show up with their computer names.
    Is there a way to get my Macs' computer names to show up in the DHCP client table? The router is a Linksys RTP300.

    Open Network System Preferences, click on the service you are using to connect to the network (airport, ethernet, etc), click on Advanced and go to the TCP/IP tab. There is a field for DHCP client ID. This may pass a name to the router and it may use it. I don't know.
    Another option is the WINS tab. You can set the Netbios name (other than the default) and workgroup (and any WINS servers, if you know their addresses).

  • Closed port for torrent with no iptables.rules

    I have a home system with an internet connection over a router. The firewall in the router seems to be disabled. I had installed guarddog and selected all the protocols that I need. There is no iptables in the DAEMONS line of rc.conf, nor is there any iptables.rules file. There are 2 files in /etc/iptables, empty.rules and simple_firewall.rules. So, I wonder if any firewall is working at all in my system, since guarddog is a frontend to iptables (I guess), and also whether there is any need for a firewall since almost all the ports are closed.
    Secondly, the main issue. I was using ktorrent and it was working fine until a few days ago. Now, bittorrent is not working; it's not connecting at all. I tried deluge from the community repo and tested the ports with http://www.deluge-torrent.org/test-port.php?port=6881 and it gave me this result:
    TCP port 6881 closed on 121.247.200.189
    UDP port 6881 open on 121.247.200.189
    121.247.200.189 seems to be the IP of my ISP as I got a dynamic one.
    I am able to surf the net but not able to download using bittorrent; however, both are possible in Windows.
    Taking a clue from the forum, I did nmap.
    nmap on my router
    [shantanu@bluehead ~]$ nmap 192.168.1.1
    Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-25 20:49 IST
    Interesting ports on 192.168.1.1:
    Not shown: 1679 filtered ports
    PORT STATE SERVICE
    21/tcp open ftp
    23/tcp open telnet
    53/tcp closed domain
    80/tcp open http
    443/tcp closed https
    554/tcp closed rtsp
    1755/tcp closed wms
    2401/tcp closed cvspserver
    5000/tcp closed UPnP
    5001/tcp closed commplex-link
    5050/tcp closed mmcc
    6881/tcp closed bittorent-tracker
    6969/tcp closed acmsoda
    7070/tcp closed realserver
    8000/tcp closed http-alt
    8080/tcp closed http-proxy
    8888/tcp closed sun-answerbook
    11371/tcp closed pksd
    Nmap finished: 1 IP address (1 host up) scanned in 27.653 seconds
    nmap on my ip
    [shantanu@bluehead ~]$ nmap 192.168.1.5
    Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-25 20:48 IST
    Interesting ports on 192.168.1.5:
    Not shown: 1696 closed ports
    PORT STATE SERVICE
    6000/tcp open X11
    Nmap finished: 1 IP address (1 host up) scanned in 0.519 seconds
    nmap on isp's ip displayed above.
    [shantanu@bluehead ~]$ nmap 121.247.200.189
    Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-25 20:50 IST
    Interesting ports on 121.247.200.189.bang-dynamic-bb.vsnl.net.in (121.247.200.189):
    Not shown: 1679 filtered ports
    PORT STATE SERVICE
    21/tcp open ftp
    23/tcp open telnet
    53/tcp closed domain
    80/tcp open http
    443/tcp closed https
    554/tcp closed rtsp
    1755/tcp closed wms
    2401/tcp closed cvspserver
    5000/tcp closed UPnP
    5001/tcp closed commplex-link
    5050/tcp closed mmcc
    6881/tcp closed bittorent-tracker
    6969/tcp closed acmsoda
    7070/tcp closed realserver
    8000/tcp closed http-alt
    8080/tcp closed http-proxy
    8888/tcp closed sun-answerbook
    11371/tcp closed pksd
    Nmap finished: 1 IP address (1 host up) scanned in 30.573 seconds
    Everywhere the bittorrent port seems to be closed. How do I open this port?
    Last edited by ravisghosh (2007-06-25 21:09:55)

    @madeye, first of all thanks a lot for such elaborate help.
    I used utorrent in Windows and you are very much right that it uses UPnP. In deluge (bt client on Arch), UPnP was there but disabled (greyed out). Hence, I tried running utorrent using wine and it gave an error message "Unable to map UPnP port" and is not able to connect. So, UPnP is not working in my box.
    Then I tried "iptables -L" as you suggested and it gave me the following results.
    [shantanu@bluehead ~]$ sudo iptables -L
    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT 0 -- anywhere anywhere
    ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
    ACCEPT 0 -- 192.168.1.5 192.168.1.255
    logaborted tcp -- anywhere anywhere state RELATED,ESTABLISHED tcp flags:RST/RST
    ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp parameter-problem
    nicfilt 0 -- anywhere anywhere
    srcfilt 0 -- anywhere anywhere
    Chain FORWARD (policy DROP)
    target prot opt source destination
    ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp parameter-problem
    srcfilt 0 -- anywhere anywhere
    Chain OUTPUT (policy DROP)
    target prot opt source destination
    ACCEPT 0 -- anywhere anywhere
    ACCEPT udp -- anywhere anywhere udp spt:bootpc dpt:bootps
    ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp parameter-problem
    s1 0 -- anywhere anywhere
    Chain f0to1 (3 references)
    target prot opt source destination
    ACCEPT udp -- anywhere anywhere udp dpts:6970:7170
    ACCEPT icmp -- anywhere anywhere icmp echo-reply
    ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:6881:6889 state NEW
    logdrop 0 -- anywhere anywhere
    Chain f1to0 (1 references)
    target prot opt source destination
    ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:6969 state NEW
    ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:http state NEW
    ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:http-alt state NEW
    ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8008 state NEW
    ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8000 state NEW
    ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:8888 state NEW
    ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:ftp state NEW
    ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:https state NEW
    ACCEPT tcp -- anywhere anywhere tcp dpt:rtsp state NEW
    ACCEPT tcp -- anywhere anywhere tcp dpt:7070 state NEW
    ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:cvspserver state NEW
    ACCEPT tcp -- anywhere anywhere tcp dpt:1755 state NEW
    ACCEPT udp -- anywhere anywhere udp dpt:1755
    ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:11371 state NEW
    ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:5050 state NEW
    ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:telnet state NEW
    ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpts:5000:5001 state NEW
    ACCEPT udp -- anywhere anywhere udp spts:1024:5999 dpt:5000
    ACCEPT tcp -- anywhere anywhere tcp dpt:domain state NEW
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:5222 state NEW
    ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:5223 state NEW
    ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpts:6881:6889 state NEW
    logdrop 0 -- anywhere anywhere
    Chain logaborted (1 references)
    target prot opt source destination
    logaborted2 0 -- anywhere anywhere limit: avg 1/sec burst 10
    LOG 0 -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
    Chain logaborted2 (1 references)
    target prot opt source destination
    LOG 0 -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `ABORTED '
    ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
    Chain logdrop (4 references)
    target prot opt source destination
    logdrop2 0 -- anywhere anywhere limit: avg 1/sec burst 10
    LOG 0 -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
    DROP 0 -- anywhere anywhere
    Chain logdrop2 (1 references)
    target prot opt source destination
    LOG 0 -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `DROPPED '
    DROP 0 -- anywhere anywhere
    Chain logreject (0 references)
    target prot opt source destination
    logreject2 0 -- anywhere anywhere limit: avg 1/sec burst 10
    LOG 0 -- anywhere anywhere limit: avg 2/min burst 1 LOG level warning prefix `LIMITED '
    REJECT tcp -- anywhere anywhere reject-with tcp-reset
    REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
    DROP 0 -- anywhere anywhere
    Chain logreject2 (1 references)
    target prot opt source destination
    LOG 0 -- anywhere anywhere LOG level warning tcp-sequence tcp-options ip-options prefix `REJECTED '
    REJECT tcp -- anywhere anywhere reject-with tcp-reset
    REJECT udp -- anywhere anywhere reject-with icmp-port-unreachable
    DROP 0 -- anywhere anywhere
    Chain nicfilt (1 references)
    target prot opt source destination
    RETURN 0 -- anywhere anywhere
    RETURN 0 -- anywhere anywhere
    RETURN 0 -- anywhere anywhere
    logdrop 0 -- anywhere anywhere
    Chain s0 (1 references)
    target prot opt source destination
    f0to1 0 -- anywhere 192.168.1.5
    f0to1 0 -- anywhere 192.168.1.255
    f0to1 0 -- anywhere bluehead.localdomain
    logdrop 0 -- anywhere anywhere
    Chain s1 (1 references)
    target prot opt source destination
    f1to0 0 -- anywhere anywhere
    Chain srcfilt (2 references)
    target prot opt source destination
    s0 0 -- anywhere anywhere
    That means iptables is not disabled and that firewall rules are set up by guarddog.
    I removed guarddog using "pacman -Rns guarddog" and rebooted. Still get the same results with utorrent and "iptables -L", and also the port test shows tcp 6881 is still closed.
    Removed iptables and now bt clients seem to be able to connect and it works; however, the port test still shows tcp 6881 closed.
    Last edited by ravisghosh (2007-06-27 16:51:12)
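    Added example (not from the thread, not guarddog's code): a small parser for `iptables -L` listings like the one above, used to answer the two questions on this page: which chains carry an explicit rule covering TCP 6881, and whether INPUT has the explicit DHCP-reply rule (udp sport 67 to dport 68) from the opening post. The sample listing is a constructed excerpt of the ruleset shown above; the service-name table only resolves names that appear in it.

```python
"""Parse `iptables -L` output and query it for port and DHCP rules.

Constructed example; SAMPLE_LISTING is an excerpt of the guarddog ruleset
quoted in the post. iptables -L prints service names from /etc/services
unless -n is given, so a small name table is needed to compare ports.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

SERVICES = {"bootps": 67, "bootpc": 68, "domain": 53, "ftp": 21, "telnet": 23,
            "http": 80, "https": 443, "http-alt": 8080, "rtsp": 554,
            "cvspserver": 2401}

SAMPLE_LISTING = """\
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT 0 -- anywhere anywhere
ACCEPT udp -- anywhere anywhere udp spt:bootps dpt:bootpc
ACCEPT 0 -- anywhere anywhere state RELATED,ESTABLISHED
nicfilt 0 -- anywhere anywhere
srcfilt 0 -- anywhere anywhere
Chain f0to1 (3 references)
target prot opt source destination
ACCEPT udp -- anywhere anywhere udp dpts:6970:7170
ACCEPT tcp -- anywhere anywhere tcp spts:1024:65535 dpts:6881:6889 state NEW
logdrop 0 -- anywhere anywhere
Chain f1to0 (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpt:http state NEW
ACCEPT tcp -- anywhere anywhere tcp spts:1024:5999 dpts:6881:6889 state NEW
logdrop 0 -- anywhere anywhere
"""

CHAIN_RE = re.compile(r"Chain (\S+) \((?:policy (\S+)|\d+ references)\)")
PORT_RE = re.compile(r"\b([sd])pts?:(\S+)")   # spt:, dpt:, spts:, dpts:

@dataclass
class Rule:
    target: str
    proto: str            # "all" for the "0"/"all" column value
    source: str
    destination: str
    extras: str           # match text after the destination column
    sports: Optional[Tuple[int, int]] = None   # None = not specified
    dports: Optional[Tuple[int, int]] = None

@dataclass
class Chain:
    name: str
    policy: Optional[str]   # None for user-defined chains
    rules: List[Rule] = field(default_factory=list)

def _port(tok: str) -> int:
    if tok.isdigit():
        return int(tok)
    if tok in SERVICES:
        return SERVICES[tok]
    raise ValueError(f"unknown service name {tok!r}; rerun iptables with -n")

def _port_range(spec: str) -> Tuple[int, int]:
    lo, _, hi = spec.partition(":")          # "6881:6889", "http", "6969"
    return (_port(lo), _port(hi) if hi else _port(lo))

def parse_listing(text: str) -> Dict[str, Chain]:
    chains: Dict[str, Chain] = {}
    current: Optional[Chain] = None
    for line in text.splitlines():
        line = line.strip()
        m = CHAIN_RE.match(line)
        if m:
            current = Chain(m.group(1), m.group(2))
            chains[current.name] = current
            continue
        if not line or line.startswith("target ") or current is None:
            continue                          # blank, column header, or preamble
        cols = (line.split(None, 4) + [""] * 5)[:5]
        target, proto, _opt, src, rest = cols
        dst, _, extras = rest.partition(" ")
        rule = Rule(target, "all" if proto in ("0", "all") else proto,
                    src, dst, extras)
        for which, spec in PORT_RE.findall(extras):
            if which == "d":
                rule.dports = _port_range(spec)
            else:
                rule.sports = _port_range(spec)
        current.rules.append(rule)
    return chains

def rules_for_port(chains: Dict[str, Chain], port: int,
                   proto: str = "tcp") -> List[Tuple[str, str]]:
    """(chain, target) pairs of rules that explicitly name a destination
    port range covering `port` for `proto`, in listing order."""
    hits = []
    for chain in chains.values():
        for r in chain.rules:
            if r.proto == proto and r.dports and r.dports[0] <= port <= r.dports[1]:
                hits.append((chain.name, r.target))
    return hits

def has_dhcp_reply_accept(chains: Dict[str, Chain]) -> bool:
    """True if INPUT explicitly accepts udp from sport 67 (bootps) to dport 68
    (bootpc), i.e. the DHCP-reply rule the opening post asks about."""
    chain = chains.get("INPUT")
    return chain is not None and any(
        r.target == "ACCEPT" and r.proto == "udp"
        and r.sports == (67, 67) and r.dports == (68, 68)
        for r in chain.rules)

if __name__ == "__main__":
    parsed = parse_listing(SAMPLE_LISTING)
    print("tcp/6881 rules:", rules_for_port(parsed, 6881))
    print("explicit DHCP reply accept in INPUT:", has_dhcp_reply_accept(parsed))
```

    Note that a rule in a user-defined chain such as f0to1 only applies to packets that reach that chain, so a hit there is a lead for reading the jump path (INPUT -> srcfilt -> s0 -> f0to1), not proof the port is reachable.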

  • [SOLVED] Help needed with iptables rule with unusual setup

    Hi, I recently set up hostapd on my netbook so I could share a wireless network with my phone, and I'm having trouble because my netbook is also hosting a Jetty server (Subsonic media streamer).
    My setup is as follows
    [CABLE MODEM]===[WIRED ROUTER]=====[NETBOOK] ))))) [PHONE]
    The wired router provides the DHCP server.
    On my netbook I created a (br0) bridge between eth0 and wlan0 and started hostapd. That all works fine when I'm not trying to host my Jetty server on my netbook.
    The netbook has the IP 192.168.0.8
    The phone has the IP 192.168.0.6
    I do not want to give the Jetty server root permissions just so it can run on port 80. So instead I start it on port 4040 and then use an iptables rule to redirect connections to port 80 to port 4040.
    Before I set up hostapd on the machine I used to use the following.
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 4040
    However, when I'm using hostapd and try to access websites on my phone, its web browser is ALWAYS REDIRECTED to my Jetty server. I'm not really surprised at this, as the rule I mentioned above is for any destination or any source.
    I tried this rule:
    iptables -t nat -A PREROUTING -d localhost -p tcp --dport 80 -j REDIRECT --to-ports 4040
    This didn't work. On my phone I could access websites as expected, but nobody (tried external from the network and internally) could access the Jetty server on port 80. Does anyone know why this rule doesn't work?
    I tried this rule:
    iptables -t nat -A PREROUTING \! -s 192.168.0.6 -p tcp --dport 80 -j REDIRECT --to-ports 4040
    This rule worked (redirect port 80 connections to port 4040 if the connection isn't from my phone). But this is NOT very good at all, as it means I would need a separate rule for every wireless device that connected to my netbook (via hostapd). Also, if the IP address of my phone ever changes this rule becomes useless too!
    Does anyone have any ideas?
    Any help would be greatly appreciated.
    Thanks.
    Last edited by delcypher (2010-07-24 20:17:35)

    Well looks like I fixed my own problem.
    I added a LOG target in the PREROUTING chain like so
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j LOG --log-prefix 'cheesy-redirect'
    iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-ports 80
    When I looked at /var/logs/everything I noticed this.
    dan-netbook kernel: cheesy-redirectIN=br0 OUT= PHYSIN=eth0 MAC=00:26:18:73:ea:28:00:09:5b:5d:0a:33:08:00 SRC=178.102.41.92 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=51411 DF PROTO=TCP SPT=48219 DPT=80 WINDOW=49640 RES=0x00 SYN URGP=0
    The destination is 192.168.0.3! Which is very, very weird. This is the IP address I had told my router to give my eth0 card in the past when I wasn't using a network bridge (br0). I was connected to the network using 192.168.0.8 on br0. The eth0 interface wasn't assigned an IP address.
    192.168.0.3 was also the IP address I set up for static port forwarding (which I forgot about), so when I accessed my Jetty server from outside my network all packets would have been forwarded to 192.168.0.3.
    I should never have received those packets as I was 192.168.0.8, not 192.168.0.3, at the time of logging, so how I even received these packets is a mystery to me. Maybe the router software is buggy.
    Fixing was pretty straightforward: I changed the port forward to go to 192.168.0.8 and then tried connecting to the Jetty server externally and noted in the log
    cheesy-redirectIN=br0 OUT= PHYSIN=eth0 MAC=00:25:d3:46:4d:0d:00:09:5b:5d:0a:33:08:00 SRC=178.102.41.92 DST=192.168.0.8 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=65326 DF PROTO=TCP SPT=33597 DPT=80 WINDOW=49640 RES=0x00 SYN URGP=0
    So the correct redirect rule is
    iptables -t nat -A PREROUTING -p tcp --dport 80 -d 192.168.0.8 -j REDIRECT --to-ports 80
    which works nicely
    One last question though. Does anyone know how I can use a hostname rather than 192.168.0.8 which points to whatever the IP address of br0 is set to? localhost points to 127.0.0.1 so that doesn't work.
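    Added here as an example (it is not part of delcypher's post): a small shell helper that triages netfilter LOG lines of the kind shown above and lists every logged packet whose DST is not the address the host actually owns, which is exactly what the stale port-forward and the phone's outbound web traffic have in common. The log lines and addresses it uses are constructed samples (TEST-NET ranges), not the ones from the post.

```shell
# Added example, not from the post. nf_field pulls one KEY=value pair out of a
# netfilter LOG line; flag_unexpected_dst reports packets whose DST differs from
# the address this host really owns. Sample log lines below are constructed.

# Print the value of KEY (e.g. DST, DPT) from one LOG line; empty if absent.
# A --log-prefix without a trailing space fuses with IN= ("cheesy-redirectIN=br0"),
# so use --log-prefix 'cheesy-redirect ' if you want IN to be parseable.
nf_field() {
    printf '%s\n' "$1" | awk -v key="$2" '{
        for (i = 1; i <= NF; i++)
            if (index($i, key "=") == 1) { print substr($i, length(key) + 2); exit }
    }'
}

# Read LOG lines on stdin; print "SRC -> DST:DPT via IN" for packets whose DST != $1.
flag_unexpected_dst() {
    expected=$1
    while IFS= read -r line; do
        dst=$(nf_field "$line" DST)
        [ -n "$dst" ] || continue            # not a netfilter LOG line
        if [ "$dst" != "$expected" ]; then
            printf '%s -> %s:%s via %s\n' "$(nf_field "$line" SRC)" "$dst" \
                "$(nf_field "$line" DPT)" "$(nf_field "$line" IN)"
        fi
    done
}

# Constructed sample: a stale port-forward hitting the old address, a correct
# forward to the bridge address, and the phone browsing out through the bridge.
SAMPLE_LOG='kernel: cheesy-redirect IN=br0 OUT= PHYSIN=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.0.3 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=51411 DF PROTO=TCP SPT=48219 DPT=80 WINDOW=49640 RES=0x00 SYN URGP=0
kernel: cheesy-redirect IN=br0 OUT= PHYSIN=eth0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=192.168.0.8 LEN=52 TOS=0x00 PREC=0x00 TTL=46 ID=65326 DF PROTO=TCP SPT=33597 DPT=80 WINDOW=49640 RES=0x00 SYN URGP=0
kernel: cheesy-redirect IN=br0 OUT= PHYSIN=wlan0 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.0.6 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=80 WINDOW=14600 RES=0x00 SYN URGP=0'

printf '%s\n' "$SAMPLE_LOG" | flag_unexpected_dst 192.168.0.8
# prints:
# 203.0.113.7 -> 192.168.0.3:80 via br0
# 192.168.0.6 -> 198.51.100.10:80 via br0
```

    For the last question: `-m addrtype --dst-type LOCAL` in place of a fixed `-d` address matches packets addressed to any address currently configured on the host, so the REDIRECT rule stays correct when br0's address changes while still leaving the phone's outbound traffic alone.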

  • DAP rule for IPSec clients

    I'm setting up DAP rules for AnyConnect clients. When I set the default policy to terminate, I get the right results from AnyConnect connections, but all IPSec clients cannot connect. I know I need to set up a DAP rule for IPSec clients to allow them through, but can't remember how to set that up.

    Ok, that worked. Follow-up question though. So the only thing I'm looking at doing right now is setting up a policy to look at Anti-virus and disallow if the signature is more than a week old. Works fine with the AnyConnect. But if I add that to the IPSec rule (app = ipsec and av exists (< 7 days)), it won't let the IPSec client connect at all. I seem to recall something about if we're doing posturing with IPSec client, we have to use endpoint assessment or pre-login policy? Is that the case; it would be nice to do it all w/in one DAP rule.
    Thanks
    Brian

  • Firewall rule for Novell Client

    My company recently purchased McAfee Desktop Firewall and I'm trying to
    configure the rules prior to deployment but I'm having trouble getting
    the Novell Client to cooperate. I've tried having the firewall "learn"
    the client, addresses, ports, protocols, etc. but have had no luck.
    My company is running a mix of Win2k/XP computers as well as Win95/98
    computers so any assistance in creating a firewall rule to allow the
    clients to log in is greatly appreciated.
    Thanks!
    Ash

    Excellent, thanks!!
    > For NetWare connectivity over IP, you need ports TCP,UDP 524 and 427
    > which are NCP over IP and SLP.
    >
    >
    > --
    > Edison Ortiz
    > Novell Product Support Forum SysOp
    > (No Email Support, Thanks !)

  • [Solved] iptables rules for machine running as openvpn server

    I set up an older laptop as an OpenVPN server for my home network (and a dwarffortress server, but that's beside the point).  This is the first time I've set something like this up - I wanted a secure way of being able to ssh into my home network from outside. 
    In any case, I got it working (finally figured out I needed to port forward 1194 on my router), but I wanted to make sure that my iptables-rules look reasonable:
    # Generated by iptables-save v1.4.21 on Sun Dec 28 02:16:10 2014
    *nat
    :PREROUTING ACCEPT [3:517]
    :INPUT ACCEPT [3:517]
    :OUTPUT ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    -A POSTROUTING -s 192.168.88.0/24 -o wlp3s0 -j MASQUERADE
    COMMIT
    # Completed on Sun Dec 28 02:16:10 2014
    # Generated by iptables-save v1.4.21 on Sun Dec 28 02:16:10 2014
    *filter
    :INPUT ACCEPT [323:24107]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [152:13348]
    -A INPUT -i tun+ -j ACCEPT
    -A FORWARD -i tun+ -j ACCEPT
    -A FORWARD -s 192.168.88.0/24 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    COMMIT
    # Completed on Sun Dec 28 02:16:10 2014
    Last edited by emacsomancer (2014-12-29 21:32:25)

    bleach wrote:
    look at your filters: you accept everything
    :INPUT ACCEPT [323:24107]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [152:13348]
    a better way would be to block everything but outgoing and then open ports and such.
    :INPUT DROP
    :FORWARD DROP
    :OUTPUT ACCEPT
    then your current (192.168.88.0/24 -j ACCEPT) forwarding will go through but not other things.
    some good articles on iptables: iptables, Simple stateful firewall
    Ok, this is my modified setup:
    # Generated by iptables-save v1.4.21 on Mon Dec 29 03:36:02 2014
    *filter
    :INPUT DROP
    :FORWARD DROP
    :OUTPUT ACCEPT
    -A INPUT -i tun+ -j ACCEPT
    -A INPUT -i wlp3s0 -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
    -A INPUT -s 192.168.1.0/24 -i wlp3s0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    -A FORWARD -i tun+ -j ACCEPT
    -A FORWARD -s 192.168.88.0/24 -j ACCEPT
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A OUTPUT -o wlp3s0 -p tcp -m tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
    COMMIT
    # Completed on Mon Dec 29 03:36:02 2014
    # Generated by iptables-save v1.4.21 on Mon Dec 29 03:36:02 2014
    *nat
    :PREROUTING ACCEPT [389:94808]
    :INPUT ACCEPT [1:60]
    :OUTPUT ACCEPT [1:72]
    :POSTROUTING ACCEPT [1:72]
    -A POSTROUTING -s 192.168.88.0/24 -o wlp3s0 -j MASQUERADE
    COMMIT
    # Completed on Mon Dec 29 03:36:02 2014
    I added in lines to allow for SSH within my internal network.  But now I am unable to make an OpenVPN connection from outside... what could be wrong?
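    Added example, not the posters' own rules: a lint that finds chains with a DROP policy but no unconditional RELATED,ESTABLISHED accept, run against the modified filter table above, followed by a corrected table for the same interface and subnets. That missing rule is why the VPN stopped working: with INPUT DROP and only a --state NEW match on udp/1194 the client's first datagram gets in, but once the server replies conntrack marks the flow ESTABLISHED and every later client datagram is dropped, so the OpenVPN handshake never completes.

```shell
# Added example (not the posters' rules). missing_established reads an iptables-save
# dump on stdin and names every chain whose policy is DROP but which has no
# unconditional RELATED,ESTABLISHED accept; fixed_filter emits a corrected filter
# table for the interface and subnets in the post (the nat table is unchanged).
missing_established() {
    awk '
        /^:/ { if ($2 == "DROP") drop[substr($1, 2)] = 1 }
        /^-A [A-Z]+ -m (state --state|conntrack --ctstate) (RELATED,)?ESTABLISHED(,RELATED)? -j ACCEPT$/ { ok[$2] = 1 }
        END { for (ch in drop) if (!(ch in ok)) print ch }
    ' | sort
}

# $1 = Internet-facing interface, $2 = VPN subnet, $3 = home LAN subnet
fixed_filter() {
    wan=$1 vpn_net=$2 lan_net=$3
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i $wan -p udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -i $wan -s $lan_net -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -s $vpn_net -o $wan -j ACCEPT
COMMIT
EOF
}

# The modified filter table from the post, used as lint input.
POSTED_FILTER='*filter
:INPUT DROP
:FORWARD DROP
:OUTPUT ACCEPT
-A INPUT -i tun+ -j ACCEPT
-A INPUT -i wlp3s0 -p udp -m udp --dport 1194 -m state --state NEW -j ACCEPT
-A INPUT -s 192.168.1.0/24 -i wlp3s0 -p tcp -m tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
-A FORWARD -i tun+ -j ACCEPT
-A FORWARD -s 192.168.88.0/24 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT'

printf '%s\n' "$POSTED_FILTER" | missing_established                      # prints: INPUT
fixed_filter wlp3s0 192.168.88.0/24 192.168.1.0/24 | missing_established  # prints nothing
```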

  • [SOLVED] how to use diffrent iptables rules for different ppp account?

    x86 platform running an Arch Linux system, with two network interfaces, eth1 and eth0. eth1 connects to the internet; eth0 connects to other terminals through a switch. I want to use different iptables rules for different PPPoE accounts. I also want to know how to forbid more than one terminal establishing a PPPoE link with the same account at the same time.
    Last edited by linuxsir (2013-09-26 06:48:01)

    (You establish PPPoE sessions over the local network to the Arch machine? Which then routes the traffic?)
    First question: yes, that is exactly what I have done. Second question: I also have a small script on a Windows PC to solve the traffic routing problem
    route -p delete 0.0.0.0
    route -p add 192.168.9.0 mask 255.255.255.0 192.168.9.1
    route -p add 0.0.0.0 mask 0.0.0.0 192.168.22.0
    but after a while I found the script is not necessary because Windows always attempts to use the PPPoE session as the default internet connection; the local connection is also OK.
    And using -i pppX in my iptables rules does not solve my problem, because a PPPoE session started by the same account could be marked as ppp0 or ppp1. It is hard to identify which account started the session.
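    Added example, not linuxsir's setup: per-account rules applied from pppd's ip-up/ip-down hooks instead of by ppp unit number. pppd runs /etc/ppp/ip-up with the interface name as $1 and exports PEERNAME, the authenticated account, so rules keyed on the account follow it to whatever pppN it was given; the account names and rule sets below are made up.

```shell
# Added example, not the poster's script. pppd runs /etc/ppp/ip-up (and ip-down)
# with the interface as $1 and exports PEERNAME, the authenticated account, so
# rules can be chosen per account rather than per pppN. Account names and rule
# sets are made up; set IPTABLES=echo for a dry run.
IPTABLES=${IPTABLES:-iptables}

# Print the iptables arguments (minus -A/-D) for one account on one interface.
account_rules() {
    account=$1 iface=$2
    case $account in
        office)   # trusted account: forward everything from its link
            echo "FORWARD -i $iface -j ACCEPT" ;;
        guest)    # web and DNS only; replies are covered by the ESTABLISHED rule
            echo "FORWARD -i $iface -p tcp -m multiport --dports 80,443 -m state --state NEW -j ACCEPT"
            echo "FORWARD -i $iface -p udp --dport 53 -j ACCEPT" ;;
        *)        # unknown account: forward nothing
            echo "unknown account '$account' on $iface, forwarding nothing" >&2
            return 1 ;;
    esac
}

# $1 = -A (from ip-up) or -D (from ip-down), $2 = account, $3 = ppp interface
apply_account_rules() {
    action=$1 account=$2 iface=$3
    account_rules "$account" "$iface" | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        $IPTABLES "$action" $rule    # the rule string is meant to be word-split
    done
}

# Invoked by pppd: $1 is the interface; PEERNAME is only set once the peer has
# authenticated. Nothing happens when the script is run by hand without them.
if [ -n "$PEERNAME" ] && [ -n "$1" ]; then
    case ${0##*/} in
        ip-down*) apply_account_rules -D "$PEERNAME" "$1" ;;
        *)        apply_account_rules -A "$PEERNAME" "$1" ;;
    esac
fi
```

    This assumes the FORWARD chain has a DROP policy with a RELATED,ESTABLISHED accept ahead of these rules, as in a stateful ruleset; an account that is not listed gets no forwarding at all.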
