I met a interesting problem today...
First, I setup a iptable policy like this:
iptables -A INPUT -p tcp --dport <jupyter_server_port> -j ACCEPT
iptables -P INPUT DROP
that will drop all the packages except those TCP packages who request the jupyter server. After I did this, I could still get response from the server. But the notebook said it couldn't connect to the kernel.
After some googling, I found this document https://ipython.org/ipython-doc/3/development/how_ipython_works.html which indicate that the notebook server need to communicate to the ipython kernel through ZeroMQ. So, I disable the second policy and problem solved.
But I still wonder How I could still keeping the second policy and let the server work just like normal?
Related
I'm running docker a machine that server various services. I want to control these services using iptables or preferably using ufw (as I'm not that skilled with iptables itself).
In my previous setup, I used "vanilla" docker which uses a virtual interface called "docker0" to route network traffic through containers. I successfully "googled" a solution to make the firewall work described in this article: https://svenv.nl/unixandlinux/dockerufw (note: even though I wrote the article, it's just a sum of internet knowledge merged together).
One of the things the I found was this piece:
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING ! -o docker0 -s 172.17.0.0/16 -j MASQUERADE
COMMIT
Which (I assume) makes sure everything goes into docker0 properly.
Now I've change my setup and started using "docker-compose" which spins up docker containers automatically in an isolated network. Once again, docker uses a virtual device for this which is named after the id of the network:
$ docker network ls
NETWORK ID NAME DRIVER SCOPE
(...)
207a57fc0080 dockeropenvpndata_network-vpn bridge local
(...)
and...
$ ifconfig | grep 207a57fc0080
br-207a57fc0080 Link encap:Ethernet HWaddr 02:42:ce:c5:81:04
I assume that changing the iptables config posted above to the new network device might solve the problem:
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING ! -o br-207a57fc0080 -s 172.17.0.0/16 -j MASQUERADE
COMMIT
However I have no idea how to test this.
The interface's name (network id) seems to be (pseudo) random
The interface's name (network id) is only known after docker-compose up
As far as I know the rule is applied at boot time, when the id is still unknown.
In short, I'm looking for a way to firewall my docker machine again. Does anyone know how to achieve this?
Turns out that the configuration in /etc/default/docker is not taken into account when using systemd, resulting in --iptables=false not being set.
The docker options for systemd are specified in the service file in /lib/systemd/system/docker.service. Entries in this file can be overridden by adding/adjusting the drop-in file in cat /etc/systemd/system/docker.service.d/docker.conf
I add the drop-in file with these contents:
[Service]
EnvironmentFile=-/etc/default/docker
ExecStart=
ExecStart=/usr/bin/dockerd --iptables=false -H fd://
(The first empty ExecStart= is actually required)
This starts docker without the iptables configuration and makes the original steps (see link in the original question) work again.
I have ubuntu server with few vps running, mostly shared between friends and colleagues, it is from Hetzner,
I also have 2 set of ips ranging from 5.9.237.xxx to 5.9.237.xxx & 5.9.248.xxx to 5.9.248.xxx.
Today they locked my server due to different IP set on the VPS which is causing the problem, now i have KVM access, and they asked me to set up an IP TABLE rule which only allow to communicate the IP which are assigned and ignore the rest,
How to do this? Am a bit lost,
My OS is Ubuntu, and i want command that will ignore all the ips except the set of ip i give.
Thank You.
You need to drop all (careful with iptables, you can block yourself out) you should learn how your distro handles them .. here are the command s that after a reboot will reset back to normal so temp to test.. .
iptables -A INPUT -i eth0 -j DROP
iptables -I INPUT -i eth0 -s 10.10.10.0/24 -j ACCEPT
or of course specify certain ips
iptables -I INPUT -i eth0 -s 10.10.10.118 -j ACCEPT
there is alot more to iptables then this but this should get you started
I just run this command
iptables -A INPUT -s 1.1.1.1 -p TCP -j DROP
Do i have to reset a service or something like that? It does not seems to work because when i use netstat -antp i can still see the ip i just dropped
The TCP connection may still be kept open until the timeouts (up to 5 minutes if I remember correctly), but the traffic itself should be dropped (eg. there should be no data flowing).
I can run the following command to accomplish what I am trying to do, however I would like to setup entries in my ~/.ssh/config to handle a transparent jump:
ssh -tt login.domain.org gsissh -tt -p 2222 remote.behind.wall.domain.org
Note that the second hop MUST be made with gsissh, some info can be found here: http://toolkit.globus.org/toolkit/docs/5.0/5.0.4/security/openssh/pi/
AFAIK this precludes the standard use of netcat or the -W flag in the ProxyCommand option in the .ssh/config. I think this is because ssh will try to use ssh instead of gsissh on the intermediate machine.
If I put something like this in my .ssh/config it will hop through to the target machine, but when I exit I will land in a shell on the intermediate machine and it borks my ControlMaster setup—the next time I try to ssh to the final destination I end up on the intermediate machine
Host dest
HostName login.domain.org
PermitLocalCommand yes
LocalCommand gsissh -p 2222 remote.behind.wall.domain.org
Also, it seems that trickery using -L or -R is disabled for security reasons.
I would love some help if anybody has any tips.
Thanks
How to write IPTable rules such that the administrator on 128.238.66.2 has ssh access to the firewall and no one else is allowed access?
Is it like: iptables –A INPUT –s 128.238.66.2 –j ACCEPT?
Try like this (please be aware that if the IP is wrong, you're locked out):
iptables -A INPUT -p tcp --dport ssh -j REJECT
iptables -A INPUT -p tcp -s 128.238.66.2 --dport ssh -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport ssh -m state --state ESTABLISHED -j ACCEPT
When we say about iptable it is that it bounds with Kernel. The function of iptable is for Setting_Up Firewall.
And to understand its basics you should understand it in, from ground level rather knocking with your sequence of absurd commands as you end-up scribbling & scratching head. Following step by step standard instruction will not be scenario always. SO, lets understand it.
There are three level segregation when we talk about iptable.
Level-1: Rule
Level-2: Chain
Level-3: Table
Lets see one by one now,
Rules are-> ACCEPT, DROP, QUEUE, RETURN
Chains are-> Input, Output, Forward, Pre Routing, Post Routing
Tables are-> Filter Table (Default), NAT Table, RAW Table, Mangle Table
Coming Next Firewalls by generations of improvement can be said like,
1) Packet Filtering Firewall
2) Stateful Firewall
3) Application Layer Firewall
4) Proxies Firewall.