I would like to know your professional opinions on the following rule for iptables. I know it is possible to move cPanel's port but it's not so easy for WHM and some other services etc.
I needed something to route a new private port i.e. 1234 to the service while blocking the default port i.e. 2083. In my head, the following rule does this:
Marks the packets incoming on the private port
Redirects the packets to the actual port
Only accepts marked packets on the actual port
Note: The policies are defaulted to DROP all NEW connections
The rules below are working as expected, but before I go and get too excited that the job is done, I wanted a pro opinion on it first. The rules, and preceding context:
# Policy defaults
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# Accept anything to/from localhost
iptables -A INPUT -i lo -j ACCEPT
# Accept anything established/related
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# --------------------------------------------------------------------
# Port forward and block (cPanel)
iptables -A PREROUTING -t mangle -p tcp --dport 1234 -j MARK --set-mark 0x400
iptables -A PREROUTING -t nat -p tcp --dport 1234 -j REDIRECT --to-ports 2083
iptables -A INPUT -p tcp --dport 2083 -m mark --mark 0x400/0x400 -m state --state NEW -j ACCEPT -m comment --comment "cPanel (Secure)"
I'm no iptables whizz kid, but it seems to work. Is this fairly secure?
Thanks in advance
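As an added example (not the poster's script), here is the same mark, REDIRECT and accept-if-marked pattern generated as an iptables-restore file, so a whole set of hidden services is loaded atomically instead of rule by rule. The extra WHM mapping and the mark values in the usage line are assumptions; the base policy lines are the ones from the post.

```shell
#!/bin/sh
# Build an iptables-restore file hiding services behind private ports.
# Ordering note: mangle PREROUTING runs before nat PREROUTING, so the mark is
# already set when REDIRECT rewrites the port, and the filter INPUT rule then
# sees dport REAL carrying the mark. A direct connection to REAL has no mark
# and falls through to the DROP policy.

# hidden_service PRIVATE REAL MARK LABEL -> three "<table> <rule>" lines
hidden_service() {
    printf 'mangle -A PREROUTING -p tcp --dport %s -j MARK --set-mark %s\n' "$1" "$3"
    printf 'nat -A PREROUTING -p tcp --dport %s -j REDIRECT --to-ports %s\n' "$1" "$2"
    printf 'filter -A INPUT -p tcp --dport %s -m mark --mark %s/%s -m state --state NEW -j ACCEPT -m comment --comment "%s"\n' \
        "$2" "$3" "$3" "$4"
}

# gen_restore "PRIVATE:REAL:MARK:LABEL"... -> iptables-restore text on stdout
gen_restore() {
    rules=$(for spec in "$@"; do
        # split one spec on ':' only, so the label may contain spaces
        oldifs=$IFS; IFS=:; set -- $spec; IFS=$oldifs
        hidden_service "$@"
    done)
    for table in mangle nat filter; do
        echo "*$table"
        if [ "$table" = filter ]; then
            # Base policy from the post: drop by default, allow loopback and replies.
            printf ':INPUT DROP [0:0]\n:FORWARD DROP [0:0]\n:OUTPUT ACCEPT [0:0]\n'
            echo '-A INPUT -i lo -j ACCEPT'
            echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
        else
            echo ':PREROUTING ACCEPT [0:0]'
        fi
        # emit only this table's rules, stripping the table prefix
        printf '%s\n' "$rules" | sed -n "s/^$table //p"
        echo COMMIT
    done
}

# Usage (mark values assumed): gen_restore "1234:2083:0x400:cPanel (Secure)" \
#   "2345:2087:0x800:WHM (Secure)" | iptables-restore
```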
I'm trying to add an iptables rule on a specific port.
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
fails: "unknown option: --dport"
iptables -A INPUT -p tcp -m tcp --dport ssh -j ACCEPT
fails: "Couldn't load match 'tcp': No such file or directory"
Initially I thought that the tcp extension was missing, but when running "strace",
it looks like iptables loads the file "/usr/lib/xtables/libxt_tcp.so".
I'm building a custom image using Yocto, at the dunfell release.
What am I missing?
I have installed a TURN server on my GoDaddy server. To see whether my TURN server is working or not, I have used https://webrtc.github.io/samples/src/content/peerconnection/trickle-ice/.
ICE Trickle output in Chrome: [screenshot not reproduced]
ICE Trickle output in Mozilla (version 58.0.2, 64-bit): [screenshot not reproduced]
Issues I am facing:
1. WebRTC works only from Chrome to Chrome (WebRTC doesn't work from Mozilla to Mozilla).
2. Mozilla shows "ICE failed add STUN error".
3. Why is there different ICE trickle output for the two browsers?
It seems to me that the TURN server is not working!
Can anybody help me with these issues? I don't know what I am doing wrong. I don't know if it's a NAT problem, a GoDaddy server problem or anything else. Are GoDaddy servers behind NAT?
Configuration I have done:
Firewall changes:
iptables -A INPUT -p tcp --dport 3478 -j ACCEPT
iptables -A INPUT -p udp --dport 3478 -j ACCEPT
iptables -A INPUT -p tcp --dport 5349 -j ACCEPT
iptables -A INPUT -p udp --dport 5349 -j ACCEPT
iptables -A INPUT -p udp --dport 49152:65535 -j ACCEPT
service iptables save
Turnserver configuration:
listening-port=3478
listening-ip=1.2.3.4(example)
external-ip=same as listening ip i.e 1.2.3.4(example)
verbose
fingerprint
realm = mydomain.com
I am running the TURN server using this command:
turnserver -L listening-ip -o -a -f -r mydomain.com
Please help me out a little bit. I've inherited a firewall made of CentOS 6 and I'm a bit afraid to modify the iptables at all, but I have to do it for a task.
The task is to make one client in the office accessible from the internet, but only on one port. Internet comes in on the interface ppp0, clients are being served on eth1. And I have to forward port 80 to 3000, and our public IP to the client's IP. :D Sounds secure and easy, right?
I've come up with a solution, but I'm afraid to give it a go until I'm sure. Please make me sure of it. :D
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to-destination 10.1.2.3:3000
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 3000 -j DNAT --to-destination 10.1.2.3:3000
Do not apply this to port 80, because then all the clients will be unable to browse the internet, since they also use port 80. :D
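A check worth running before applying such a change, added here as an example and not part of the post: DNAT in nat/PREROUTING only rewrites the destination, and the rewritten packets still traverse the filter FORWARD chain, so a rule set with only the DNAT line forwards nothing when the FORWARD policy is DROP. The script audits an iptables-save dump for the DNAT rule plus the FORWARD rules for new and reply traffic, using the post's interface, IP and ports; the two dumps are constructed samples.

```shell
#!/bin/sh
# Audit an iptables-save dump for everything a DNAT port forward needs.
# net.ipv4.ip_forward must also be 1, which a rule dump cannot show.

# check_forward DUMP IN_IF PUB_PORT DST_IP DST_PORT -> 0 when complete, else 1
check_forward() {
    dump=$1 inif=$2 pub=$3 dst=$4 port=$5 missing=0
    grep -q -E -- "^-A PREROUTING -i $inif -p tcp .*--dport $pub -j DNAT --to-destination $dst:$port\$" "$dump" ||
        { echo "missing: nat PREROUTING DNAT $inif:$pub -> $dst:$port" >&2; missing=1; }
    # A FORWARD policy of ACCEPT makes per-port rules unnecessary (and the box wide open).
    if ! grep -q '^:FORWARD ACCEPT' "$dump"; then
        grep -q -E -- "^-A FORWARD .*-d $dst/32 .*--dport $port .*-j ACCEPT\$" "$dump" ||
            { echo "missing: FORWARD accept for new connections to $dst:$port" >&2; missing=1; }
        grep -q -E -- '^-A FORWARD .*--(ct)?state (RELATED,ESTABLISHED|ESTABLISHED,RELATED) -j ACCEPT' "$dump" ||
            { echo "missing: FORWARD accept for ESTABLISHED,RELATED (reply traffic)" >&2; missing=1; }
    fi
    return $missing
}

# Constructed dump reproducing the post: DNAT alone, FORWARD policy DROP.
sample_dnat_only() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.1.2.3:3000
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
}

# Same dump plus the two FORWARD rules that let the forwarded flow through.
sample_complete() {
    sample_dnat_only | sed '/^:OUTPUT ACCEPT/a\
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\
-A FORWARD -d 10.1.2.3/32 -i ppp0 -o eth1 -p tcp -m tcp --dport 3000 -m state --state NEW -j ACCEPT'
}
```

On a real box run it as `iptables-save > dump; check_forward dump ppp0 80 10.1.2.3 3000` and read the missing pieces on stderr.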
I know you can limit the number of connections per IP, per time interval etc., but what I want is the amount of data.
I'm hosting a socket server, and I thought that rather than making it do the processing to check for flooding, I would offload it to the firewall. I know you can guard against SYN flooding attacks, as mentioned here:
http://www.cyberciti.biz/tips/howto-limit-linux-syn-attacks.html
For example:
# Limit the number of incoming tcp connections
# Interface 0 incoming syn-flood protection
iptables -N syn_flood
iptables -A INPUT -p tcp --syn -j syn_flood
iptables -A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
iptables -A syn_flood -j DROP
#Limiting the incoming icmp ping request:
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j ACCEPT
iptables -A INPUT -p icmp -m limit --limit 1/s --limit-burst 1 -j LOG --log-prefix PING-DROP:
iptables -A INPUT -p icmp -j DROP
iptables -A OUTPUT -p icmp -j ACCEPT
I'm not sure what iptables can do, so the question is a bit vague. But since WebSockets use TCP, I should be able to limit the number of bytes per second, and flag connections exceeding that limit or just drop them, whatever.
I can't seem to find a good reference on this, as they are all about tracking connections etc., not data transfer. Does anyone know of a good reference or how to do this? Is iptables not a good firewall for this? If not, what is?
The kernel-side firewall is the fastest and the most secure software solution (difficult to kill the kernel, isn't it?). Using it also has the advantage of using the hardware firewall found on some network controllers.
iptables is the primary tool for controlling it, but there are many other frontends with easier syntax.
If you want easier configuration, you should use this:
Keep in mind that tracking the byte count for each IP can use a lot of memory.
In your case I would install ipset, which is developed by the same team as iptables:
#create ipset for accounting with default lifetime 300 secs (counters needed for --bytes-* matches)
ipset create IP_QUOTA_SET hash:ip timeout 300 counters
#create separate rule chain
iptables --new-chain PER_IP_QUOTING
#send packets to chain
iptables -t filter -A INPUT \
-i <in-iface> --dst <ip> \
-p tcp --dport <dstport> \
-j PER_IP_QUOTING
#if the source ip doesn't exist in the set, add it
iptables -t filter -A PER_IP_QUOTING \
-m set ! --match-set IP_QUOTA_SET src \
-j SET --add-set IP_QUOTA_SET src --timeout 300
#if the source ip exists in the set, check bytes
#if byte counter > quota then drop packet
iptables -t filter -A PER_IP_QUOTING \
-m set --match-set IP_QUOTA_SET src \
--bytes-gt 1000 -j DROP
#pass other packets (for debug purposes)
iptables -t filter -A PER_IP_QUOTING \
-j RETURN
In this case you can check the list and edit it with the ipset command.
To show the current list with counters and timeouts: ipset list IP_QUOTA_SET
STRONG NOTE: iptables is Linux-specific and has been available since Linux 2.4. The kernel implementation, along with the userspace tools, changed in 2.0 and 2.2 previously.
Version 3.13 introduced a new change which will replace ipset, arptables, ebtables, ip6tables and iptables with a single tool.
As with previous versions, there will be a transition period where frontends like vuurmuur will remain compatible with the kernel, but don't expect to use iptables in the future.
You can try the iptables mark command together with tc (traffic shaping): http://www.amiryan.org/2009/02/16/traffic-shaping-under-linux-with-tc-and-iptables/
Hey guys, in my iptables file I have the following line:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 20000:25000 -j ACCEPT
Because I'm trying to open a range of ports that will need to be open for multiple (yes, THAT many multiple) different Minecraft servers.
I know the issue is iptables, because when I stopped it I was able to get on the server (port 20004), but with it on I can't connect. Did I format it right? I even did just
-A INPUT -m state --state NEW -m tcp -p tcp --dport 20004 -j ACCEPT
The second one copies the exact SSH port 22 rule, except the port obviously. Any ideas? Thanks!
Did you issue an
-F INPUT
first, if relevant?
You have asked for ideas. If you've not tried this one, you might. iptables bugs sometimes are not trivial to isolate, are they? However, it can help if you start from a known state, which the -F achieves.
Good luck.
You can try this:
#iptables -A INPUT -p tcp --match multiport --dports 20000:25000 -j ACCEPT
You can also use the rule below:
iptables -A INPUT -m state --state NEW -m tcp -p tcp --match multiport --dports 20000:25000 -j ACCEPT