I'm trying to set up my server to block all incoming traffic except for SSH from anywhere and HTTP only from localhost (so that I have to tunnel in to use the webserver).
Here are my rules, as generated by iptables-save.
*filter
:INPUT ACCEPT [10:536]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [11:1140]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -j DROP
COMMIT
SSH works fine, but wget localhost still doesn't work.
How come?
This works for me:
$ cat rules
# Generated by iptables-save v1.4.21 on Mon Aug 25 15:06:42 2014
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -i lo -p tcp --dport 80 -j ACCEPT
-A INPUT -j DROP
COMMIT
# Completed on Mon Aug 25 15:06:42 2014
$ sudo iptables-apply rules
Applying new iptables rules from 'rules'... done.
Can you establish NEW connections to the machine? (y/N) y
... then my job is done. See you next time.
$ curl http://127.0.0.1/
<!DOCTYPE html>
<html>
...
Related
I have an OpenVPN server (PiVPN + PiHole; LAN IP 192.168.0.200, VPN IP 192.168.10.1) and I also have an OpenVPN client (VPN IP 192.168.10.2). I want it so that if I enter http://192.168.0.200:84 in my browser, it shows me the website from http://192.168.10.2:80.
pi@JNDServer:~ $ cat VPN.txt
# Generated by iptables-save v1.8.2 on Sat Sep 5 01:06:31 2020
*filter
:INPUT ACCEPT [2139:316887]
:FORWARD ACCEPT [895:339256]
:OUTPUT ACCEPT [1738:473525]
-A INPUT -d 192.168.10.2/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -d 192.168.10.2/32 -p tcp -m tcp --dport 1280 -j ACCEPT
COMMIT
# Completed on Sat Sep 5 01:06:31 2020
# Generated by iptables-save v1.8.2 on Sat Sep 5 01:06:31 2020
*nat
:PREROUTING ACCEPT [252:17107]
:INPUT ACCEPT [223:15327]
:OUTPUT ACCEPT [189:14460]
:POSTROUTING ACCEPT [36:3185]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 32400 -j DNAT --to-destination 10.8.0.2:32400
-A PREROUTING -i eth0 -p tcp -m tcp --dport 1280 -j DNAT --to-destination 192.168.10.2:80
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -m comment --comment openvpn-nat-rule -j MASQUERADE
-A POSTROUTING -s 192.168.10.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Sep 5 01:06:31 2020
I have CentOS 6 as a VM on a Windows box. I can use PuTTY to connect to the machine (on port 22) but can't connect via client applications (pgAdmin) or via telnet mytargetvmip 5432 to PostgreSQL (I did modify the pg_hba.conf file).
Here is what I have done: I changed the iptables file and then ran the service iptables restart command, but to no avail.
Please note, in the given iptables file, I had also tried iptables -I INPUT 1 -m tcp -p tcp --dport 5432 -j ACCEPT just before COMMIT, but with no luck. I want to be able to connect from any remote IP.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
COMMIT
Thanks.
Never mind; in addition to the pg_hba.conf file, I also had to modify the postgresql.conf file to uncomment listen_addresses and set it to "*". After that, I removed my entry for port 5432 from the iptables file and then ran the following commands:
iptables -I INPUT 1 -m tcp -p tcp --dport 5432 -j ACCEPT
service iptables save
service iptables restart
Everything works.
HTH
I am redirecting requests from port 6080 to port 80:
cd /etc/httpd/conf/httpd.conf
<virtualHost *:80>
ProxyRequests off
ProxyPass / http://localhost:6080/
ProxyPassReverse / http://localhost:6080/
</VirtualHost>
and I have port 80 open :
cd /etc/sysconfig/iptables
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2440:360634]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 80 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 6080 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
and I checked with netstat to make sure it is listening.
When I use wget localhost:80 I get index.html retrieved; however, when I try to get the HTML from a browser, I get:
"this webpage is not available".
How can I access this port from outside?
This line is incorrect:
-A INPUT -p udp -m state --state NEW -m udp --dport 80 -j ACCEPT
Port 80 is supposed to be TCP (not UDP), so change it to:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
Remove the line below because it doesn't help and is covered by the rule above:
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
Do you really want port 6080 exposed to the outside world? If not, remove
-A INPUT -p udp -m state --state NEW -m udp --dport 6080 -j ACCEPT
I should point out that removing this line probably won't hurt anything, because it too was specified as UDP and not TCP. If you did want it exposed to the outside world then you would have to change it too. Generally, when you do proxying internally behind a firewall you don't intend to expose the internal port, so I would be very suspicious. If for some reason beyond my ability to understand you really do need to expose it too, then you'll have to change the port 6080 line to:
-A INPUT -p tcp -m state --state NEW -m tcp --dport 6080 -j ACCEPT
I believe it should look like this:
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2440:360634]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
Looks like you're missing '--state NEW' on the line where you open port 80.
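The three threads above (the dropped wget localhost in the first question, the PostgreSQL rule placed after the REJECT, and the UDP rule for port 80 here) are all ruleset mistakes that can be caught before the rules are loaded. The script below is an added example, not code from any of the posts: it runs a few static checks over an iptables-save style ruleset read from stdin. The SAMPLE_RULES ruleset is constructed for the example and contains all three mistakes; the port list used for the TCP/UDP check is a small assumed sample, not a complete registry.

```shell
#!/bin/sh
# Added example (not from any of the posts above): static checks over an
# iptables-save style ruleset for the three mistakes in the threads on this page:
#   NO_CONNTRACK   INPUT ends in DROP/REJECT with no RELATED,ESTABLISHED ACCEPT
#                  before it (replies to wget localhost come back through INPUT
#                  on lo and hit the DROP)
#   UNREACHABLE    a rule appended after the chain's catch-all DROP/REJECT
#                  (port 5432 opened after the REJECT)
#   PROTO_MISMATCH a TCP service opened with -p udp (port 80)
# Only the INPUT chain is inspected. The port list for PROTO_MISMATCH is an
# assumed sample, not a complete registry.

# Constructed sample ruleset that contains all three mistakes.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m state --state NEW -m udp --dport 80 -j ACCEPT
-A INPUT -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 5432 -j ACCEPT
COMMIT'

# lint_rules: reads a ruleset on stdin, prints one finding per line and
# exits 1 if anything was found, so it can gate an iptables-restore in a script.
lint_rules() {
    awk '
    /^-A INPUT / {
        n++
        # anything after the catch-all is dead: the chain already terminated
        if (terminal != "") {
            printf "UNREACHABLE: INPUT rule %d comes after the catch-all %s: %s\n", n, terminal, $0
            findings++
        }
        if ($0 ~ /--state [A-Z,]*ESTABLISHED/) established = n
        # a bare "-A INPUT -j DROP|REJECT" with no match options is the catch-all
        if (terminal == "" && $0 ~ /^-A INPUT -j (DROP|REJECT)/) {
            terminal = ($0 ~ /REJECT/) ? "REJECT" : "DROP"
            if (!established) {
                printf "NO_CONNTRACK: INPUT ends with %s at rule %d but no RELATED,ESTABLISHED ACCEPT precedes it\n", terminal, n
                findings++
            }
        }
        # well-known TCP services opened with -p udp never see the real traffic
        if ($0 ~ /-p udp/ && ($0 " ") ~ /--dport (22|25|80|443|5432) /) {
            printf "PROTO_MISMATCH: rule %d opens a TCP service with -p udp: %s\n", n, $0
            findings++
        }
    }
    END { exit (findings > 0) }
    '
}

# Usage: lint a saved ruleset before loading it, e.g.
#   iptables-save > /tmp/rules && lint_rules < /tmp/rules && iptables-restore < /tmp/rules
printf '%s\n' "$SAMPLE_RULES" | lint_rules || echo "ruleset needs fixing before it is loaded"
```

On the sample ruleset the script reports the UDP port 80 rule, the DROP with no conntrack rule in front of it, and the unreachable port 5432 rule. The NO_CONNTRACK check is deliberately strict: a plain -A INPUT -i lo -j ACCEPT would also let loopback replies through, but without a RELATED,ESTABLISHED rule every other service's return traffic still depends on the default policy, which is exactly what the first question's ruleset got wrong.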
I have my iptables rules loaded from /etc/sysconfig/iptables.
# Generated by iptables-save v1.4.21 on Tue Sep 9 18:38:38 2014
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [12:1312]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 10101 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 993 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 143 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 995 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 110 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 465 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
COMMIT
# Completed on Tue Sep 9 18:38:38 2014
When I run Lynis to audit my server I get the following response.
- Found possible unused iptables rules (3 4 5 6 7 8 9 10 11 12 13 14) [test:FIRE-4513]
It states it found "possible" unused iptables rules; is this due to a wrong order of my iptables rules?
Thanks in advance for any leads.
Check the output of the related iptables command and see which rules apply. Then check your netstat -an output and determine whether those services are running and getting traffic.
If you believe there is traffic and the results stay the same, contact the author of Lynis (lynis-dev#domain)
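The Lynis test quoted in the question (FIRE-4513) marks a rule as possibly unused when its packet counter in iptables --list --verbose --numeric --line-numbers is zero. The script below is an added example, not part of the question or the answer: it applies the same zero-counter test to a listing and prints each such rule with its chain and number, so the bare numbers in the Lynis report can be tied back to actual rules. SAMPLE_LISTING is constructed sample output shaped like the question's ruleset; the counter values in it are made up.

```shell
#!/bin/sh
# Added example (not from the question or answer): find rules whose packet
# counter is still zero in the output of
#   iptables --list --verbose --numeric --exact --line-numbers
# which is the condition behind the Lynis "possible unused iptables rules" finding.
# The listing below is constructed sample data, not real counters.

SAMPLE_LISTING='Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination
1     1234 98765 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
2       57  3420 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:10101
3        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:993
4        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:143
5       12   720 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
6        0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
7        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 12 packets, 1312 bytes)
num   pkts bytes target     prot opt in     out     source               destination'

# unused_rules: stdin = listing; stdout = "CHAIN num target prot opt in out src dst match..."
# for every rule whose packet counter is exactly zero.
unused_rules() {
    awk '
    /^Chain / { chain = $2; next }   # remember which chain the following rows belong to
    /^num /   { next }               # column header
    $1 ~ /^[0-9]+$/ && $2 == 0 {
        # drop the two counter columns so the line reads like the rule itself
        printf "%s %s", chain, $1
        for (i = 4; i <= NF; i++) printf " %s", $i
        printf "\n"
    }
    '
}

# lynis_style: collapse the result into the "(n n n)" list the Lynis report prints.
lynis_style() {
    awk '{ nums = nums (nums == "" ? "" : " ") $2 } END { print "(" nums ")" }'
}

# Usage on a live box (needs root):
#   iptables --list --verbose --numeric --exact --line-numbers | unused_rules
printf '%s\n' "$SAMPLE_LISTING" | unused_rules
printf '%s\n' "$SAMPLE_LISTING" | unused_rules | lynis_style
```

Two caveats when reading the result. Counters are reset whenever the ruleset is reloaded (iptables-restore without -c, or service iptables restart), so on a box that was just rebooted every rule is "unused" and the finding says nothing. And a zero counter on an ACCEPT rule does not mean the rule is wrong; the question's rule order is not the cause, because each port rule is reached for any packet the RELATED,ESTABLISHED rule above it does not already accept. Pass --exact so byte counts are not abbreviated with K/M suffixes, which would otherwise break numeric comparison of the columns.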
I've got a machine running CentOS, and it's connected to a Windows network. When I try to view the network I get the error "unable to connect share list from server". Once I turned iptables off, everything works fine. How can I fix this problem? My current iptables configuration is
# Generated by iptables-save v1.4.7 on Sat Nov 16 11:06:35 2013
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [6:360]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -m state --state NEW -m tcp -p tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -m state --state NEW -m udp -p udp --dport 445 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -m state --state NEW -m udp -p udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -m state --state NEW -m udp -p udp --dport 138 -j ACCEPT
-A INPUT -s 192.168.2.0/24 -m state --state NEW -m tcp -p tcp --dport 139 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
# Completed on Sat Nov 16 11:06:35 2013
You can temporarily add a log rule for rejected traffic:
-A INPUT -j LOG --log-prefix "Rejected: "
before your:
-A INPUT -j REJECT --reject-with icmp-host-prohibited
And you'll see which traffic is rejected.
a] First, log the dropped packets, for example like this
#----------
# Logs to messages.log
#----------
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: INPUT " --log-level 4
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "iptables denied: OUTPUT " --log-level 4
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables denied: FORWARD " --log-level 4
b] tail the dropped packets from messages
tomas@raspirarium:~ $ tail -f /var/log/messages |grep "iptables denied"
c] Write iptables rules for the denied entries in messages.log on the fly, as in the example at the bottom
#----------
# Windows Samba
#----------
# incoming request
-A INPUT -i eth0 -p tcp -s 192.168.79.0/24 -m multiport --dports 139,445 -m state --state NEW,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -d 192.168.79.0/24 -m multiport --sports 1024:65535 -m state --state ESTABLISHED -j ACCEPT
# outgoing also handled
-A OUTPUT -o eth0 -p tcp -s 192.168.79.0/24 -m multiport --dports 139,445 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -s 192.168.79.0/24 -m multiport --sports 1024:65535 -m state --state ESTABLISHED -j ACCEPT
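Both answers above end with the same manual step: read the "iptables denied" lines out of the kernel log and work out which ACCEPT rules are missing. The script below is an added example, not code from either answer: it parses the KEY=VALUE fields of the netfilter LOG line into a per-tuple count and then turns the INPUT entries into candidate rules for review. SAMPLE_LOG is constructed sample data in the standard LOG format (host name, MAC address, timestamps and addresses are made up); the log prefix is the one used in the second answer.

```shell
#!/bin/sh
# Added example (not from the answers above): summarise netfilter LOG lines with
# the "iptables denied:" prefix and draft candidate ACCEPT rules from them.
# SAMPLE_LOG is constructed sample data, not a capture from a real host.

SAMPLE_LOG='Nov 16 11:10:01 centos kernel: iptables denied: INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.20 DST=192.168.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=1234 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 16 11:10:02 centos kernel: iptables denied: INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.20 DST=192.168.2.5 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=1235 DF PROTO=TCP SPT=49152 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Nov 16 11:10:03 centos kernel: iptables denied: INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.2.20 DST=192.168.2.255 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=1236 PROTO=UDP SPT=137 DPT=137 LEN=58
Nov 16 11:10:04 centos kernel: iptables denied: INPUT IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.9.8.7 DST=192.168.2.5 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4321 DF PROTO=TCP SPT=40000 DPT=23 WINDOW=29200 RES=0x00 SYN URGP=0
Nov 16 11:10:05 centos kernel: iptables denied: OUTPUT IN= OUT=eth0 SRC=192.168.2.5 DST=192.168.2.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1'

# summarise_denied: stdin = syslog lines; stdout = "count chain proto dport src dst",
# one line per distinct tuple, most frequent first. Fields that a protocol does
# not carry (DPT for ICMP) are printed as "-".
summarise_denied() {
    awk '
    /iptables denied: / {
        sub(/.*iptables denied: /, "")    # keep "CHAIN KEY=VALUE ..." only
        chain = $1
        proto = "-"; dpt = "-"; src = "-"; dst = "-"
        for (i = 2; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
        }
        count[chain " " proto " " dpt " " src " " dst]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k1,1nr -k2
}

# suggest_accept: turn summary lines into candidate INPUT rules for review.
# The source is kept as a /32 so nothing wider than what was actually seen is opened.
suggest_accept() {
    awk '
    $2 != "INPUT" { next }
    {
        proto = tolower($3)
        if ($4 == "-")
            printf "-A INPUT -s %s/32 -p %s -j ACCEPT\n", $5, proto
        else
            printf "-A INPUT -s %s/32 -p %s -m %s --dport %s -m state --state NEW -j ACCEPT\n", $5, proto, proto, $4
    }
    '
}

# Usage on a live box:
#   grep "iptables denied" /var/log/messages | summarise_denied
#   grep "iptables denied" /var/log/messages | summarise_denied | suggest_accept
printf '%s\n' "$SAMPLE_LOG" | summarise_denied
printf '%s\n' "$SAMPLE_LOG" | summarise_denied | suggest_accept
```

The summary is meant to be read, not piped straight into iptables-restore: in the sample the NetBIOS name-service broadcasts to 192.168.2.255 and the SMB connection on 445 are the Samba traffic the question is about, while the SYN to port 23 from 10.9.8.7 is exactly the kind of probe a REJECT rule exists for, and the drafted rule for it should be discarded. The 5/min limit on the LOG rules in the answer above means the counts are a sample, not a total.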