On CentOS 7 i Use following commands to drop some port and allow for one IP :
iptables -A INPUT -p tcp --dport 2001 -s 1.1.1.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 2001 -j DROP
service iptables save
and everything work fine.
But when i want add another ip to allow with this command it doesn't work for second IP.
iptables -A INPUT -p tcp --dport 2001 -s 2.2.2.2 -j ACCEPT
service iptables save
** Solved **
I use -I Flag This would insert your rule on first position of inputs rule.
iptables -I INPUT -p tcp --dport 2001 -s 2.2.2.2 -j ACCEPT
Related
Sorry, I'm a noob in iptables.
I have a VPN app which binds on local port 1080, while it goes to destination port 1194 (openvpn). The app does not support privileged port binding (which needs root, of which I have). I want the app to bind on local port 25. I have browsed Google and the answer seems to be iptables. I have seen many posts, of which many say the SNAT target is the one I should use.
I have tried this code:
iptables -I POSTROUTING -o wlan0 -t nat -p tcp --destination 195.123.216.159 -m tcp --dport 1194 -j SNAT --to-source 192.168.43.239:25
And these:
iptables -I FORWARD -p tcp -d 192.168.43.239 -m tcp --dport 25 -j ACCEPT
iptables -I FORWARD -p tcp -s 192.168.43.239 -m tcp --sport 25 -j ACCEPT
iptables -I OUTPUT -o wlan0 -p tcp -m tcp --sport 25 -j ACCEPT
iptables -I INPUT -i wlan0 -p tcp -m tcp --dport 25 -j ACCEPT
What I want is to make the output to be something like this when I run the netstat command:
tcp 0 0 192.168.43.239:25 195.123.216.159:1194 ESTABLISHED
But instead, after running all the codes, the output to netstat becomes this:
tcp 0 0 192.168.43.239:1080 195.123.216.159:5000 ESTABLISHED
Is it impossible to change binding port using iptables? Please help me to understand the concepts of networking.
Turns out iptables was just doing its job correctly. Translated packets turn out to not be tracked by netstat. I was lost and completely didnt understand that iptables doesnt alter ip v6 traffic of which the app was using. And the forward rules where not necessary since the chain policy was to accept the packets.
I am running mongodb in a docker container with 27017 port exposed with host to allow remote incoming connection. I want to block incoming connection on this port except a particular IP. I tried with iptables but it is not working. Maybe because of the docker service for which iptables commands need to be modified.
However I used the following commands:
myserver>iptables -I INPUT -p tcp -s 10.10.4.232 --dport 27017 -j ACCEPT
myserver>iptables -I INPUT -p tcp -s 0.0.0.0/0 --dport 27017 -j DROP
myserver>service iptables save
Then tried the following to check
mylocal>telnet myserver 27017
It is connected. So iptables is not working.
How do I do it?
I am using centos 6.8 and running mongodb 10 in docker container.
First, enable the source IP you wish to connect:
iptables -A INPUT -p tcp --dport 27017 -s 10.10.4.232 -j ACCEPT
Then DROP all the rest:
iptables -A INPUT -p tcp --dport 27017 -j DROP
I want to redirect the traffic in my lan network through squid proxy but I am having some problems with iptables rules.
When I use the following rule:
# iptables -I FORWARD -s 192.168.1.0/255.255.255.0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.196:3128
I get the following error:
x_tables: ip_tables: DNAT target: only valid in nat table, not filter
I have tried using PREROUTING chain but there is nothing like this in my iptables:
# iptables -I PREROUTING -s 192.168.1.0/255.255.255.0 -p tcp --dport 80 -j DNAT --to-destination 192.168.1.196:3128
iptables: No chain/target/match by that name.
I am using iptables version v.1.4.10
Assuming that your WAN is on eth0 and LAN is on eth1 and that your proxy is on port 8080, what you're looking for is this:
iptables A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
I am trying to setup iptables on a GoDaddy Virtual Host using the following:
iptables -P INPUT ACCEPT
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -L -v
## open port ssh tcp port 22 ##
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
## open tcp port 25 (smtp) for all ##
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
## open dns server ports for all ##
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT
## open http/https (Apache) server port to all ##
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
## open tcp port 110 (pop3) for all ##
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
## open tcp port 143 (imap) for all ##
iptables -A INPUT -p tcp --dport 143 -j ACCEPT
Every time I start the iptables service, none of the websites on this server are functioning and I cant access Plesk.
If I service iptables stop, it all works again. Is there a simple syntax error here?
Are you running /etc/init.d/iptables save to save your rules? If you are on CentOS 6 you will need to run yum install policycoreutils prior to /etc/init.d/iptables save or you will get an error. Once you save the rules you need to restart iptables.
Also, you need to add a rule for port 8443 to be able to get to Plesk.
I tried to improve my server security by setting up some iptables firewall rules. The result is that Facebook login with Omniauth stopped working. In my logs I see that Facebook is sending some packages to my server ports 37035 and 41198 at least. Why? There is nothing running in those ports.
Can someone say which ports I should open so that Facebook login with Omniauth could start working again on my site.
The rules I applied are:
# Delete all existing rules
iptables -X
# Set default rules
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Allow ssh in
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# Allow incoming HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# Allow outgoing SSH
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# Allow ping from outside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Allow pingging other servers
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow sendmail and postfix
iptables -A INPUT -i eth0 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT
# Allow dns lookups
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
# Prevent dos attacks - upgrade to hashlimit if needed
iptables -A INPUT -p tcp --dport 80 -m limit --limit 25/minute --limit-burst 100 -j ACCEPT
# Log dropped packages
iptables -N LOGGING
iptables -A INPUT -j LOGGING
iptables -A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
iptables -A LOGGING -j DROP
Here is an example log entry from my syslog (My IP is filtered)
IPTables Packet Dropped: IN=eth0 OUT= MAC=40:40:ea:31:ac:8d:64:00:f1:cd:1f:7f:08:00 SRC=69.171.224.54 DST=my_ip LEN=56 TOS=0x00 PREC=0x00 TTL=86 ID=0 DF PROTO=TCP SPT=443 DPT=44605 WINDOW=14480 RES=0x00 ACK SYN URGP=0
Finally got an answer for this question. https://superuser.com/questions/479503/why-are-ports-30000-to-60000-needed-when-browsing-the-net
Ports from 32768 to 61000 are needed for http connections.