Here are all the things I tried:
Ran the docker daemon with -dns:
sudo docker -d -dns 8.8.8.8
Made sure that IP forwarding is enabled:
$ sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 1
Nameservers are in place:
$ docker -dns '8.8.8.8' run centos:6.4 ping -c 3 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
--- 8.8.8.8 ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 12000ms
Appreciate any suggestions.
It sounds like Docker's automatic iptables configuration is not working. This can often occur if you've changed the host IP address without restarting the Docker daemon. I would try the following:
Ensure you can ping from the host (just to be sure!)
Restart the Docker daemon and try again (this should reset iptables configuration)
Inspect the output from iptables --list --table nat
Mine looks like this:
# iptables --list --table nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere ADDRTYPE match dst-type LOCAL
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere !127.0.0.0/8 ADDRTYPE match dst-type LOCAL
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- <redacted>/24 !<redacted>/24
MASQUERADE all -- <redacted>/16 !<redacted>/16
Chain DOCKER (2 references)
target prot opt source destination
Use case: On-premise log server traffic needs to be replicated to a cloud-based log server.
What works: Device A can send logs to log server B over UDP 514. Server B and the cloud-based log server C can reach each other but are on different networks. A GRE tunnel is created between B and C to put them on the same network. So, mirroring traffic from B to C works as below:
B # iptables -t mangle -I PREROUTING -i eth0 -p UDP --dport 514 -j TEE --gateway C.greIP
Challenge: Traffic received by C was actually destined for B, hence it is getting dropped on C. There is a listener on UDP port 514 on server C bound to 0.0.0.0, however C's log server does not see the logs.
It seems the UDP packets are getting dropped at C. What could be a possible solution to handle traffic for a non-local IP?
I have tried DNAT, C # iptables -t nat -I PREROUTING -p UDP -d B --dport 514 -j DNAT --to-destination C:514, but it won't work. tcpdump on C shows packets are being received for the non-local IP, and C # iptables -nvL -t nat shows that the DNAT rule is getting matched.
Well, the same method that duplicated the packets from B to C worked on C.
Basically B duplicates the packets with B # iptables -t mangle -I PREROUTING -i eth0 -p UDP --dport 514 -j TEE --gateway C.greIP and then, once the packets have arrived at C, C can duplicate the packets to itself with C # iptables -t mangle -I PREROUTING -i enlight -p udp -d B --dport 514 -j TEE --gateway C
This allowed the local process on machine C to handle the duplicated UDP syslog packets.
I have a typical configuration where an Rpi acts as a router between two subnets. One subnet is connected to the Rpi's eth0, and right now a laptop is connected there directly (one day there will be an IP camera). The Rpi connects via wlan0 to a wireless router to get an internet connection.
Picture of configuration
There are several instructions on the web to get this working, and it almost works. I can ping devices connected to my wireless router (but not my wireless router itself!?) from the laptop connected to the Rpi. I have an internet connection on the laptop connected to the Rpi. The problem is that I can't ping my laptop (the one connected to the Rpi) from the subnet of my wireless router. Yes, it has something to do with my iptables configuration.
Here is some data:
I have set up net.ipv4.ip_forward=1 in my sysctl.conf file
I have done these settings:
sudo iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
sudo iptables -A FORWARD -i wlan0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o wlan0 -j ACCEPT
iptables looks like this:
pi@raspberrypi:~ $ sudo iptables -L -v
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
296 191K ACCEPT all -- wlan0 eth0 anywhere anywhere state RELATED,ESTABLISHED
37 14316 ACCEPT all -- eth0 wlan0 anywhere anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Routing table looks like this:
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.3.1 0.0.0.0 UG 100 0 0 wlan0
default 192.168.3.1 0.0.0.0 UG 202 0 0 eth0
10.10.0.0 0.0.0.0 255.255.255.0 U 202 0 0 eth0
192.168.3.0 0.0.0.0 255.255.255.0 U 100 0 0 wlan0
192.168.3.1 0.0.0.0 255.255.255.255 UH 202 0 0 eth0
Any other information that could be useful?
In your wireless router routing table you should forward traffic going to 10.10.0.0/24 to the interface connected to the second subnet, the traffic going to 192.3.0.0/24 to the interface connected to the Rpi and other traffic to the interface connected to internet.
You should also have a routing table entry on Subnet-1 with your Rpi as the gateway, like this:
Destination Gateway Genmask
192.168.3.0 Rpi #IP 255.255.255.0
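The answer above comes down to where each side's routing table sends a packet, so here is an added worked example (not from the question or the answer) that applies the kernel's route selection rule, longest prefix first and lowest metric on a tie, to the Rpi table transcribed from the question and to an assumed wireless-router table. The router's real table is not shown in the question; its interface names `wan`/`lan`, its uplink gateway `203.0.113.1` and the Rpi's wlan0 address `192.168.3.2` are placeholders. The lookup also shows why the Rpi cannot ping the wireless router: the host route `192.168.3.1/32` via eth0 wins over the `192.168.3.0/24` route via wlan0.

```python
import ipaddress

# Added illustration of kernel route selection: the most specific route
# (longest prefix) wins; among equal prefixes the lowest metric wins.

def parse_routes(rows):
    """rows: (destination, genmask, gateway, metric, iface) as printed by `route -n`."""
    routes = []
    for dest, mask, gw, metric, iface in rows:
        prefixlen = bin(int(ipaddress.ip_address(mask))).count("1")
        net = ipaddress.ip_network(f"{dest}/{prefixlen}", strict=False)
        gateway = None if gw == "0.0.0.0" else gw   # 0.0.0.0 = directly connected
        routes.append((net, gateway, metric, iface))
    return routes

def lookup(routes, dst):
    """Return the interface and next hop the kernel would pick for dst."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    net, gateway, metric, iface = max(candidates,
                                      key=lambda r: (r[0].prefixlen, -r[2]))
    return {"iface": iface, "via": gateway or "link"}

# Transcribed from the question's "Kernel IP routing table" on the Rpi.
RPI = parse_routes([
    ("0.0.0.0",     "0.0.0.0",         "192.168.3.1", 100, "wlan0"),
    ("0.0.0.0",     "0.0.0.0",         "192.168.3.1", 202, "eth0"),
    ("10.10.0.0",   "255.255.255.0",   "0.0.0.0",     202, "eth0"),
    ("192.168.3.0", "255.255.255.0",   "0.0.0.0",     100, "wlan0"),
    ("192.168.3.1", "255.255.255.255", "0.0.0.0",     202, "eth0"),
])

# Assumed wireless-router table (not shown in the question): one LAN, one uplink.
RPI_WLAN0_IP = "192.168.3.2"          # assumption: the Rpi's wlan0 address
ROUTER_BASE = [
    ("0.0.0.0",     "0.0.0.0",       "203.0.113.1", 0, "wan"),   # placeholder ISP gateway
    ("192.168.3.0", "255.255.255.0", "0.0.0.0",     0, "lan"),
]
# The route the answer says the wireless router needs.
ROUTE_FROM_ANSWER = ("10.10.0.0", "255.255.255.0", RPI_WLAN0_IP, 0, "lan")

def router_reply_path(dst, with_answer_route):
    """Where the wireless router sends a reply to a host behind the Rpi."""
    rows = ROUTER_BASE + ([ROUTE_FROM_ANSWER] if with_answer_route else [])
    return lookup(parse_routes(rows), dst)

if __name__ == "__main__":
    for dst in ("192.168.3.1", "192.168.3.77", "10.10.0.7", "8.8.8.8"):
        print(f"Rpi -> {dst:14} {lookup(RPI, dst)}")
    for fix in (False, True):
        print(f"router -> 10.10.0.7 (route added={fix}) {router_reply_path('10.10.0.7', fix)}")
```

Without the extra route the wireless router sends replies for 10.10.0.0/24 to its default gateway, i.e. out to the internet, which is why the laptop behind the Rpi is unreachable from that side; with it, replies go back to the Rpi over the LAN.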
I'm working on a CentOS 6 machine. I've tried to follow these guides:
How to open port in centOS
http://ask.xmodulo.com/open-port-firewall-centos-rhel.html
If I run nmap ipofmachine on the target machine I get this strange result.
Host is up (0.0079s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp closed http
443/tcp closed https
8080/tcp closed http-proxy
Still, when I run sudo iptables -L I have the following output:
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache
ACCEPT tcp -- anywhere anywhere tcp dpt:webcache
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:http
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:https
ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:webcache
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Am I missing something? Let me know if you need more information (I'm trying to open port 8080).
In order to allow connections on a specific port you must configure the CentOS firewall:
> sudo firewall-cmd --permanent --zone=public --add-port=8080/tcp
> sudo firewall-cmd --reload
You need to configure privilege elevation with sudo
If you are using iptables, add the following rule to /etc/sysconfig/iptables
-A INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
Then run the following command to save: iptables-restore < /etc/sysconfig/iptables
I'm using CentOS.
I have done the following in my iptables test environment. I have flushed all the rules using
iptables -F
Then I have added the following rule.
iptables -I INPUT -p all -j ACCEPT
Then, based on an observation, I have added this rule:
iptables -A INPUT -s 192.168.2.50 -j DROP
I have run
service iptables save
After that I tried to ping the blocked IP (192.168.2.50). I can still ping it and the blocked IP can ping me.
I want to block any incoming connection from the blocked IP.
This is my output for iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
DROP all -- 192.168.2.50 anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain icmp_packets (0 references)
target prot opt source destination
Chain tcp_packets (0 references)
target prot opt source destination
Please help.. Thanks..
iptables works with chains of rules. Inside a chain, rules are applied to packets in order, from the first (at the top) to the last.
Your first rule ACCEPT all -- anywhere anywhere lets all the packets going through the chain be accepted, so they don't go further to the next rule, which should drop all.
Thus, if you want just to drop ALL the traffic to your machine, just remove your first rule with iptables -D INPUT 1, which will delete the first rule in the INPUT chain, leaving only the drop-all rule. Then add the accept-all rule again with iptables -A INPUT -p all -j ACCEPT, so all the packets that are not from the blocked IP will be allowed to pass.
I think you should do
iptables -A INPUT -s 192.168.2.50 -j DROP
before iptables -I INPUT -p all -j ACCEPT.
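Both answers above, and the earlier CentOS question about port 8080, hinge on the same thing: a chain is walked top to bottom and the first matching rule decides. The following added example (my own code, not iptables and not from any of the posts) is a small model of that walk which understands only the options used on this page: `-A` appends, `-I` inserts at position 1 unless a rule number is given, `-D` deletes by number, `-F` flushes, and `-s`, `-d`, `-p`, `--dport`, `-j` are matched while `-m`/`--state` are parsed and ignored. It replays the asker's command sequence, the first answer's fix, and the append-DROP-then-insert-ACCEPT ordering, and also shows that the `--dport 8080` rule from the CentOS answer is unreachable if it is appended after the chain's final `REJECT` line. The source addresses other than 192.168.2.50 are constructed.

```python
import ipaddress
import shlex

# Added illustration of first-match chain evaluation. Not iptables: it models
# only the handful of options that appear in the questions and answers above.

class Rule:
    def __init__(self, src=None, dst=None, proto=None, dport=None, target="ACCEPT"):
        self.src = ipaddress.ip_network(src, strict=False) if src else None
        self.dst = ipaddress.ip_network(dst, strict=False) if dst else None
        self.proto = None if proto in (None, "all") else proto   # "all" matches any protocol
        self.dport = dport
        self.target = target

    def matches(self, pkt):
        """Every criterion present on the rule must match; absent criteria match anything."""
        if self.src and ipaddress.ip_address(pkt["src"]) not in self.src:
            return False
        if self.dst and ("dst" not in pkt or ipaddress.ip_address(pkt["dst"]) not in self.dst):
            return False
        if self.proto and pkt.get("proto") != self.proto:
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True

class Firewall:
    def __init__(self, policies):
        self.policy = dict(policies)                     # chain name -> default policy
        self.chains = {name: [] for name in self.policy}

    def run(self, cmdline):
        """Apply one iptables command line (only -A/-I/-D/-F are modelled)."""
        argv = shlex.split(cmdline)
        while argv and argv[0] in ("sudo", "iptables"):
            argv.pop(0)
        op = argv.pop(0)
        if op == "-F":                                   # flush one chain, or all of them
            for name in ([argv[0]] if argv else list(self.chains)):
                self.chains[name].clear()
            return
        chain = argv.pop(0)
        if op == "-D":                                   # delete by 1-based rule number
            del self.chains[chain][int(argv[0]) - 1]
            return
        position = 1                                     # -I defaults to the top of the chain
        if op == "-I" and argv and argv[0].isdigit():
            position = int(argv.pop(0))
        opts = {argv[i]: argv[i + 1] for i in range(0, len(argv), 2)}   # every option takes a value
        rule = Rule(src=opts.get("-s"), dst=opts.get("-d"), proto=opts.get("-p"),
                    dport=int(opts["--dport"]) if "--dport" in opts else None,
                    target=opts["-j"])
        if op == "-A":
            self.chains[chain].append(rule)
        elif op == "-I":
            self.chains[chain].insert(position - 1, rule)
        else:
            raise ValueError(f"unsupported operation {op}")

    def verdict(self, chain, pkt):
        """(target, rule number) of the first match; (policy, 0) if nothing matched."""
        for number, rule in enumerate(self.chains[chain], start=1):
            if rule.matches(pkt):
                return rule.target, number
        return self.policy[chain], 0

POLICIES = {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"}
BLOCKED = {"src": "192.168.2.50", "proto": "icmp"}    # the IP the asker wants to drop
OTHER = {"src": "192.168.2.10", "proto": "icmp"}      # constructed: any other host

def as_asked():
    fw = Firewall(POLICIES)
    fw.run("iptables -F")
    fw.run("iptables -I INPUT -p all -j ACCEPT")
    fw.run("iptables -A INPUT -s 192.168.2.50 -j DROP")
    return fw

def first_answer():
    fw = as_asked()
    fw.run("iptables -D INPUT 1")
    fw.run("iptables -A INPUT -p all -j ACCEPT")
    return fw

def append_drop_then_insert_accept():
    fw = Firewall(POLICIES)
    fw.run("iptables -A INPUT -s 192.168.2.50 -j DROP")
    fw.run("iptables -I INPUT -p all -j ACCEPT")       # -I lands at position 1 again
    return fw

def centos_8080(after_reject):
    """The CentOS answer's rule, appended after the final REJECT or inserted before it."""
    fw = Firewall({"INPUT": "ACCEPT", "FORWARD": "ACCEPT", "OUTPUT": "ACCEPT"})
    fw.run("iptables -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT")
    fw.run("iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited")
    rule = "INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT"
    fw.run(("iptables -A " if after_reject else "iptables -I INPUT 2 ".replace("INPUT ", "", 1) + "INPUT 2 ")[:0] + (f"iptables -A {rule}" if after_reject else f"iptables -I {rule.replace('INPUT', 'INPUT 2', 1)}"))
    return fw.verdict("INPUT", {"src": "198.51.100.7", "proto": "tcp", "dport": 8080})

if __name__ == "__main__":
    for label, fw in (("as asked", as_asked()), ("first answer", first_answer()),
                      ("append DROP, insert ACCEPT", append_drop_then_insert_accept())):
        print(f"{label:28} blocked={fw.verdict('INPUT', BLOCKED)} other={fw.verdict('INPUT', OTHER)}")
    print("8080 appended after REJECT:", centos_8080(True))
    print("8080 inserted before REJECT:", centos_8080(False))
```

The asker's sequence accepts everything at rule 1, so the DROP at rule 2 is never consulted; the first answer's delete-then-append puts DROP first and the model returns DROP for 192.168.2.50 and ACCEPT for everyone else. Appending DROP and then inserting ACCEPT with `-I` leaves ACCEPT at position 1 again, because `-I` without a rule number inserts at the top. For the CentOS case, the `--dport 8080` rule only takes effect when it sits above the `REJECT` line in /etc/sysconfig/iptables.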
I was trying to change the incoming interface of a packet using iptables MARK and ip route commands.
I have tried this approach, which suggests using iptables MARK and the iproute2 utilities instead of the ROUTE target, but had no success changing the incoming interface of the packet on the receiving path.
I have an application 'A' which binds to an interface intfA in Linux, i.e. the application sends and receives packets only via intfA.
Sending path
In a tunnel-based setup, I was able to send packets out from intfA to tap0 using the following iptables commands:
iptables -t mangle -A OUTPUT -d 8.9.10.11/32 -j MARK --set-mark 1
ip rule add fwmark 1 priority 9000 table 1
My default routing entry in main table is pointing to intfA
In table '1' I have made the default routing table entry point to tap0:
route add default dev tap0 table 1
I could observe from the kernel dmesg logs that the outgoing interface of the packet changed successfully from intfA to tap0.
In the return path
After tap0 gets the encrypted packet from tunnel, it decrypts it and injects the plain text packet with destination 'a.b.c.d' into the linux kernel via the tap0 interface.
So at the kernel prerouting hook, I see the packet coming with IP = 'a.b.c.d' and with incoming tap0.
The following iptables rules were used to change the incoming interface:
iptables -t mangle -A PREROUTING -d a.b.c.d/32 -j MARK --set-mark 2
ip rule add fwmark 2 priority 8000 table 2
In table '2' I have made the default routing table entry point to intfA:
route add default dev intfA table 2
I tried to log the packets at the PREROUTING hook and the INPUT hook using the following iptables commands:
iptables -t mangle -A PREROUTING -d a.b.c.d/32 -j LOG --log-level 0 --log-prefix "VPN PREOUTING: "
iptables -t mangle -A INPUT -d a.b.c.d/32 -j LOG --log-level 0 --log-prefix "VPN INPUT: "
I was hoping the incoming interface of the packet would change from tap0 to intfA between the PREROUTING hook and the INPUT hook. But surprisingly the interface doesn't change in either kernel log trace. I could see the incoming packets marked with mark 2 as well.
From the dmesg logs I confirmed that the incoming interface still remains tap0 after the INPUT hook.
I wanted to understand the reason behind this behaviour for the iptables commands I have used. Not sure if I missed anything in the iptables commands I used that is causing this issue.
I have the same problem. As a temporary solution I've found that the -j TEE target helps:
iptables -t mangle -A PREROUTING [options] -j TEE --gateway IP
In your case, fill [options] and the gateway's IP (intfA address) with your values.