Please help me out a little bit. I've inherited a firewall made of CentOS 6 and I'm a bit affraid to modify the iptables at all, but I have to do it for a task.
The tanks is to make one client in the office accessable from the internet but only on one port. Internet comes on the interface ppp0, clients are being serverd on the eth1. And I have to forward the port 80 to 3000. And our public IP to the clients IP. :D Sounds secure and easy right?
I've come up with a sollution, but I'm affraid to give it a go until I'm sure. Please make me sure of it. :D
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 10.1.2.3:3000
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 3000 -j DNAT --to-destination 10.1.2.3:3000
Do not apply this to the 80th port because then all the clients will be unable to browse the internet, because they are also using the 80th port. :D
Related
Use case: Onpremise log server traffic need to be replicated to a cloud based log server.
What works : Device A can send logs to log Server B over UDP 514. Server B and cloud based log server C are reachable to each other but on different network. A GRE network tunnel is created between B and C to bring them in same network. So, traffic mirror from B to C works as below.
B # iptables -t mangle -I PREROUTING -i eth0 -p UDP --dport 514 -j TEE --gateway C.greIP
Challenge : Traffic received by C was actually destined for B hence getting dropped in C. There is a listener on UDP port 514 on C server binded to 0.0.0.0 however the log server of C does not see the logs.
It seems the UDP packets are getting dropped at C. What could be possible solution to handle non local ip traffic?
I have tried DNAT C # iptables -t nat -I PREROUTING -p UDP -d B --dport 514 -j DNAT --to-destination C:514 but it won't work. tcpdump on C shows packets are being received for non local IP and C # iptables -nvL -t nat shows that DNAT rule is getting matched.
Well, the same method which duplicated the packets from B to C worked on C.
Basically B duplicates the packets B # iptables -t mangle -I PREROUTING -i eth0 -p UDP --dport 514 -j TEE --gateway C.greIP and then once the packets are arrived in C, C can duplicate the packets to C # iptables -t mangle -I PREROUTING -i enlight -p udp -d B --dport 514 -j TEE --gateway C
This allowed the local process on C machine to handle duplicate udp syslog packets.
I have installed turn server in my godaddy server. To see that my turn server is working or not i have used https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/.
ICE Trickle in chrome output:
Chrome Output
ICE Trickle in mozilla output (version-58.0.2(64bit)):
Mozilla output
Issues i am facing:
1.webrtc works only for chrome to chrome(webrtc doesnt work for mozilla to mozilla).
2.mozilla shows "ICE failed add STUN error".
3.why there is different ICE trickle output for both the browsers?
It seems to me that turn server is not working!!
Can anybody help me with these issue i dont know what i am doing wrong. I dont know if its NAT problem or godaddy server problem or anything else. Are godaddy servers behind NAT?
Configurations i have done:
Firewall changes:
iptables -A INPUT -p tcp --dport 3478 -j ACCEPT
iptables -A INPUT -p udp --dport 3478 -j ACCEPT
iptables -A INPUT -p tcp --dport 5349 -j ACCEPT
iptables -A INPUT -p udp --dport 5349 -j ACCEPT
iptables -A INPUT -p udp --dport 49152:65535 -j ACCEPT
service iptables save
Turnserver configuration:
listening-port=3478
listening-ip=1.2.3.4(example)
external-ip=same as listening ip i.e 1.2.3.4(example)
verbose
fingerprint
realm = mydomain.com
I am running turn server using these command :
turnserver -L listening-ip -o -a -f -r mydomain.com
I'm trying to use Rundeck on Ubuntu 14.04.
How do I change the web interface port from 4440 (default) to 80?
The port number seems to be referred to in various config locations (including /etc/rundeck/profile and /etc/rundeck/framework.properties) but changing these had no effect for me and I can't find a specific section in the documentation on changing the web port.
Use a proxy pass with either Apache or Nginx. Its a solution..
You needed to modify these files from 4440 to 80
framework.properties
profile
rundeck-config.properties
But you will get the following java exception when trying to run in 80.
java.net.SocketException: Permission denied
Hence apache or nginx proxy pass is the working solution
Do you can use two rules iptables
iptables -t nat -I PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 4440
iptables -I INPUT -p tcp --dport 4440 -j ACCEPT
I would like to know your professional opinions on the following rule for iptables. I know it is possible to move cPanel's port but it's not so easy for WHM and some other services etc.
I needed something to route a new private port i.e. 1234 to the service while blocking the default port i.e. 2083. In my head, the following rule does this:
Marks the packets incoming on the private port
Redirects the packets to the actual port
Only accepts marked packets on the actual port
Note: The policies are defaulted to DROP all NEW connections
The rules below are working as expected, but before I go and get too excited that the job is done, I wanted a pro opinion on it first. The rules, and preceding context:
# Policy defaults
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Accept anything to/from localhost
iptables -A INPUT -i lo -j ACCEPT
# Accept anything established/related
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# --------------------------------------------------------------------
# Port forward and block (cPanel)
iptables -A PREROUTING -t mangle -p tcp --dport 1234 -j MARK --set-mark 0x400
iptables -A PREROUTING -t nat -p tcp --dport 1234 -j REDIRECT --to-ports 2083
iptables -A INPUT -p tcp --dport 2083 -m mark --mark 0x400/0x400 -m state --state NEW -j ACCEPT -m comment --comment "cPanel (Secure)"
Im no iptables wizzkid but it seems to work, Is this fairly secure?
Thanks in advance
Hey guys in my iptables file I have the following line:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 20000:25000 -j ACCEPT
Because I'm trying to open a range of ports that will need to be open for multiple (Yes THAT many multiple) different minecraft servers.
I know the issue is the IPTables because when I stopped them, I was able to get on the server (Port 20004) But with them on, I can't connect, did I format it right? I even did just
-A INPUT -m state --state NEW -m tcp -p tcp --dport 20004 -j ACCEPT
The second one copying the exact SSH port 22 rule, except the port obviously, any ideas? Thanks!
Did you issue an
-F INPUT
first, if relevant?
You have asked for ideas. If you've not tried this one, you might. IPtables bugs sometimes are not trivial to isolate, are they? However, it can help if you start from a known state, which the -F achieves.
Good luck.
You can try this
#iptables -A INPUT -p tcp --match multiport --dports 20000:25000 -j ACCEPT
You can also use the above rule
iptables -A INPUT -m state --state NEW -m tcp -p tcp --match multiport --dports 20000:25000 -j ACCEPT