Use fail2ban to allow only specific ip to connect to mail account - postfix-mta

We would like to give access to a specific mailadress on our server (postfix and dovecot) only from a specific ip address. My idea was to use fail2ban for that.
How could a filter look like for that?

give access to a specific mailadress on our server (postfix and dovecot)
Why you need fail2ban for that?
Write simple script (systemd-unit) creating a rules or new chain which would allow expected IPs and add reject/drop default policy for this mail ports,
and start it at boot time, for example:
chain=INPUT
for p in smtp smtps pop3 pop3s imap imaps; do
for ip in 192.0.2.1 192.0.2.2 192.0.2.3; do
iptables -A $chain -i $device -m state --state NEW -p tcp --dport "$p" -s "$ip" -j ACCEPT
done
iptables -A $chain -i $device -m state --state NEW -p tcp --dport "$p" -j REJECT
done
If you need some dynamic allowance (e. g. by port- or http-url-knowcking etc), you can indeed do this with fail2ban.
Take a look at example jail pass2allow-ftp or at related RFE #1112.
How could a filter look like for that?
How the filter does look is depending on what exactly will be monitored (for instance by url-knocking which http-server access-log format, e. g. of nging or apache, you'd have) or on what exactly you need to react to allow the IP. An example of log in such case is necessary to answer the question properly.
Also you may read wiki :: Best practice # Reduce parasitic log traffic to provide sane implementation for such "jail".

Related

forward Traffic (like proxy) and keep source ip

I would like to point the connection to my A server 25565 port to another 30000 port of B server. But I need to access the ip address of the user who sent me a connection request from B server.
I have no idea how to do it. I've directed the traffic using the proxy logic in Java, but the performance is bad.
Is there another alternative way I can use it?
iptables -t nat -A PREROUTING -p tcp --dport 25565 -j DNAT --to-destination myAnotherServerIP:30000
iptables -t nat -A POSTROUTING -j MASQUERADE
I did by adding this iptables rules. But I can't reach the IP address where the request came from. (Source IP Adress)
I don't have to do it that iptables rules. Any alternative would be a useful system or path.
There are several options to achieve that. For example:
HA-proxy
nginx TCP proxy
Both are build for high throughput and low latency and both can be configure to provide decent access information.

IP address whitelisting for specific service

How do you filter external connections to a specific service, running on Docker? Specifically, how do you filter incoming requests down to a static list of whitelisted IPs?
This answer assumes that:
The container will always listen on the same host:port.
The container will always be bound on the same network card interface, if ever several are available. This is easily done by using the option -p hostIp:hostPort:containerPort within the docker run command.
Stemming from these two assumptions, it can then be assumed that the service running in the container will always listen on the same host socket defined as hostIp:hostPort.
Now, all you have to do is firewalling which is independent from docker.
I am not an expert and did not test theses lines! Be warned before executing them.
# DROP every packets coming from every sources sent to the port $PORT
iptables -A INPUT -p tcp --dport $PORT -j DROP
# ACCEPT every packets coming from source xx.xx.xx.xx sent to port $PORT
iptables -A INPUT -p tcp -s xx.xx.xx.xx --dport $PORT -j ACCEPT
# Repeat the last command if needed, you can also specify a network, such as 192.30.252.0/22 instead of xx.xx.xx.xx
These rules are to be set in this precise order. A whitelist can be likened to a blacklist with expection.

Multiple IPs + bridge for KVM

I got a problem at the moment and really don't know where the mistake is. I got a Root-Server from my ISP. This Root-Server has already one IP included and today i booked two more IP-Addresses. So what I want to do now is to map this two new IP-Adresses to two virtual Machines but also hold the included IP for the Root-Server. So how I realize this?
I thought something like:
br0 - holds the original IP of the Root-Server
br0:0 - holds first IP of first virtual Machine
br0:1 - holds second IP of second virtual Machine
But this doesn't work. Any Ideas. I'm really frustrated. Worked the hole Day on it and no solution.
I was also struggling with similar scenario, I've got server and got to point that setting up bridge did cut me out and had to restart to be able to reach it , anyway I've managed to handle it by iptables ..
#create alias for your second ip address (lets say its 111.222.333.2 , local address 192.168.1.2)
ifconfig eth0:1 111.222.333.2
#you should add netmask to be proper if you've got subnet
#now you should be able to ping this second address from outside world - try it,
#that is if you have not set up firewall to block pings ... flush iptables rules if you are not sure...
#set up NAT rule (network-address-translate : outside ip-> local ip and back local ip->outside ip)
#assumes your virtual machines lives as 192.168.1.2
iptables -t nat -A PREROUTING -d 111.222.333.2 -j DNAT --to-destination 192.168.1.2
iptables -t nat -A POSTROUTING -s 192.168.1.2 -j SNAT --to-source 111.222.333.2
This did help me with server which has multiple IP addresses and KVM virtual machines,
which were originally run in default network (forward mode=nat), so they had internet through NAT and internal IP at first , this also gives them outside-world public IP address.
You can also do these redirects on port-by-port basis by adjusting iptables rule to set address like -d 111.222.333.2:80 -p tcp and also adding port to local address ...
You may also need to turn on device IP forwarding, you can check that by for example sysctl -a | grep forward (where you should see it on for your eth0 device) , optionally adjusting it by proper sysctl command like
sysctl -w net.ipv4.ip_forward=1
Map br0 to VM1 and VM2 as TAP DEVICE and in VM1 and VM2 you can see that as eth device;
Assign IP1 and IP2 to VM1 and VM2 respectively; With this configuration you can ping from VM1 to VM2 and from host machine to any guest machine(VM1 or VM2);
The following link will help you setting up TAP device for VM via bridge; See qemu-ifup script specified there and understand it well.

Redirect all the traffic from router to proxy server

I don't know if the question is related to the topics on stackoverflow so, if not sorry in advance.
I have the following problem that I'm trying to solve :
I am connected to my university network that requires me to configure my browser to use a proxy. I want to set up a router in my house ( D-Link Dir-300 with Firmware: DD-WRT v24-sp2) and because I am using multiple Android devices that are not rooted ( I can't use global proxy apps ) I was thinking about the following solution :
Question Can I make my router redirect all the traffic from my wireless network to the proxy server that I'm using ( allowing the devices not to configure a proxy server) ?
I have a HTTP redirect tool available on the router configuration page
I looked up the destination IP address from the proxy URL that I was using and I get 4 IP addresses for that node, I tried to use two of them with the source network set to 192.168.1.0 but it didn't work -my browser on the android devices doesn't work without setting up the proxy.
____________________________________ EDIT ____________________________
After looking some more I found this link
#!/bin/sh
PROXY_IP=[IP]
PROXY_PORT=[PORT]
LAN_IP=`nvram get lan_ipaddr`
LAN_NET=$LAN_IP/`nvram get lan_netmask`
iptables -t nat -A PREROUTING -i br0 -s $LAN_NET -d ! $LAN_IP -p tcp --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
iptables -t nat -A POSTROUTING -o br0 -s $PROXY_IP -p tcp -d $LAN_NET -j SNAT --to $PROXY_IP
iptables -A FORWARD -i vlan1 -o br0 -s $LAN_NET -d $PROXY_IP -p tcp --dport $PROXY_PORT -j ACCEPT
How can I modify it to redirect all the traffic udp/tcp etc coming from all the ports?
Easy option is to configure your proxy on your android device. When setting up the wireless connection select advanced options and enter your proxy settings, on older android devices it's somewhat hidden but I managed to do it on a 2.3 one.
For iOS you can add it later to your wifi settings.
If you router is not the main entry point for internet (if it's secondary) you can configure it to route to your PC/laptop. Configure a static IP op your PC/laptop, share internet over there, and configure that IP as gateway on your router.
You can install a proxy tool (charles proxy for example) on your PC and configure it to forward your traffic to the internet-proxy. On your devices you still need to setup the proxy, but this time it's your PC's proxy (gateway+8080).

Forwarding within local network to same network

I have X-Wrt based on OpenWrt 8.09 on my router
I have home LAN of few computers on which I have some network servers (SVN, web, etc). For each of service I made forwarding on my router (Linksys wrt54gl) to access it from the Internet (<my_external_ip>:<external_port> -> <some_internal_ip>:<internal_port>)
But within my local network this resources by above request is unreachable (so I need make some reconfiguration <some_internal_ip>:<internal_port> to access).
I added some line to my /etc/hosts
<my_external_ip> localhost
So now all requests from local network to <my_external_ip> forwards to my router but further redirection to appropriate port not works.
Advise proper redirection please.
You need to install an IP redirect for calls going out of the internal network and directed to the public IP. Normally these packets get discarded. You want to reroute them, DNATting to the destination server, but also masqueraded so that the server, seeing as you, its client, are in its same network, doesn't respond directly to you with its internal IP (which you, the client, not having sent the packet there, would discard).
I found this on OpenWRT groups:
iptables -t nat -A prerouting_rule -d YOURPUBLICIP -p tcp --dport PORT -j DNAT --to YOURSERVER
iptables -A forwarding_rule -p tcp --dport PORT -d YOURSERVER -j ACCEPT
iptables -t nat -A postrouting_rule -s YOURNETWORK -p tcp --dport PORT -d YOURSERVER -j MASQUERADE
https://forum.openwrt.org/viewtopic.php?id=4030
If I remember correctly OpenWrt allows you to define custom DNS entries. So maybe simply give a proper local names to your sources (ie. svnserver.local) and map them to specific local IPs. This way you do not even need to go through router to access local resources from local network.

Resources