How to add range of ports in firewall-cmd direct rule - rhel7

I want to add a range of OUTPUT chain ports using firewall-cmd using its direct rule method, something like this:
firewall-cmd --permanent --direct --add-rule ipv4 filter OUTPUT 0 -p tcp -m tcp --dport=80-1000 -j ACCEPT
This says success, however it does not seem to work.

Use a comma, i.e. --dport 80,1000.
That said, using direct rules is discouraged (your command returns 'success' because firewall-cmd doesn't check the directly entered iptables syntax -- it assumes you have the rule correct). Man page says:
Direct options should be used only as a last resort when it's not possible to use for example --add-service=service or --add-rich-rule='rule'.
See Configuring Complex Firewall Rules with the "Rich Language" Syntax.

The below command will accept traffic on ports 22, 53 and 80 (see source):
/sbin/iptables -A INPUT -p tcp --match multiport --dports 22,53,80 -j ACCEPT
I prefer this variation with reload required for permanent rules only:
sudo firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp -m multiport --dport 22,53,80 -j ACCEPT && sudo firewall-cmd --reload
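Both answers hand raw iptables arguments to firewall-cmd --direct, which accepts them without checking. As an added example (not code from either answer), this POSIX sh helper validates a comma-separated port list and builds the direct rule: iptables and multiport write a range as low:high, so a dash in a range is exactly the kind of silent mistake the answer mentions. The helper only prints the command line; it does not run firewall-cmd.

```shell
#!/bin/sh
# Added example (not from either answer above). firewall-cmd --direct passes
# its arguments to iptables unchecked, so validate the port list first.
# Nothing here runs firewall-cmd; it only builds the command line.

# Normalise one item: "443" -> "443"; "80-1000" or "80:1000" -> "80:1000".
# iptables and multiport write a range as low:high; a dash is a silent mistake.
norm_port() {
    p=$1
    case "$p" in
        *-*) lo=${p%%-*}; hi=${p#*-} ;;
        *:*) lo=${p%%:*}; hi=${p#*:} ;;
        *)   lo=$p; hi=$p ;;
    esac
    case "$lo" in ''|*[!0-9]*) return 1 ;; esac
    case "$hi" in ''|*[!0-9]*) return 1 ;; esac
    [ "$lo" -ge 1 ] && [ "$hi" -le 65535 ] && [ "$lo" -le "$hi" ] || return 1
    if [ "$lo" -eq "$hi" ]; then printf '%s' "$lo"; else printf '%s:%s' "$lo" "$hi"; fi
}

# Emit the direct rule for CHAIN (INPUT/OUTPUT), PROTO (tcp/udp) and a
# comma-separated SPEC. multiport accepts at most 15 port slots per rule and
# a range uses two of them, so the count is checked before emitting anything.
direct_port_rule() {
    chain=$1; proto=$2; spec=$3; out=""; slots=0
    old_ifs=$IFS; IFS=','
    for item in $spec; do
        IFS=$old_ifs
        np=$(norm_port "$item") || { echo "bad port spec: $item" >&2; return 1; }
        case "$np" in *:*) slots=$((slots + 2)) ;; *) slots=$((slots + 1)) ;; esac
        out="${out:+$out,}$np"
    done
    IFS=$old_ifs
    [ -n "$out" ] || { echo "empty port spec" >&2; return 1; }
    [ "$slots" -le 15 ] || { echo "too many ports: $slots/15 multiport slots" >&2; return 1; }
    printf 'firewall-cmd --permanent --direct --add-rule ipv4 filter %s 0 -p %s -m multiport --dports %s -j ACCEPT\n' \
        "$chain" "$proto" "$out"
}

direct_port_rule OUTPUT tcp 80-1000      # the question's range, written correctly
direct_port_rule INPUT tcp 22,53,80      # the second answer's list
```

Pipe the printed line to sh (or run it directly) once it passes; a rejected spec exits non-zero with a message on stderr, which firewall-cmd itself would never give you.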

Related

IPv6 forwarding on wireguard

I've been trying to set up a Wireguard VPN on my Dedibox at Scaleway for the past few days now, with limited success. First of all, IPv4 is working, so at least I am not hopelessly lost. Currently my peers are using private IPv4 addresses to talk to the server, which then NATs them onto its own public IP using iptables. Works great. Now I want to set up IPv6 too, but not using NAT. I want to forward public IPv6 addresses assigned to my peers using ip6tables and use those to go over the internet, rather than using the Masquerade option like with IPv4.
I have so far had limited success in that field. I set up a little test environment in GNS3 and without Wireguard it's definitely possible to route IPv6 addresses using ip6tables (just to find out what rules to make, I am kind of new to iptables). Now I tried to do the same thing on my wireguard equipped server, but to no avail. My PostUp and PostDown are currently as follows (censoring out my IPv6 addresses):
PostUp:
iptables -A FORWARD -o wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -o enp0s20 -j MASQUERADE
ip6tables -t filter -I INPUT 1 -s 2001:db8:abcd:100::/56 -j ACCEPT
ip6tables -t filter -I INPUT 2 -s 2001:db8:abcd:101::/64 -j ACCEPT
ip6tables -t filter -I FORWARD 1 -o wg0 -j ACCEPT
ip6tables -t filter -I FORWARD 2 -i wg0 -j ACCEPT
PostDown:
iptables -D FORWARD -o wg0 -j ACCEPT
iptables -t nat -D POSTROUTING -o enp0s20 -j MASQUERADE
ip6tables -t filter -D INPUT -s 2001:db8:abcd:100::/56 -j ACCEPT
ip6tables -t filter -D INPUT -s 2001:db8:abcd:101::/64 -j ACCEPT
ip6tables -t filter -D FORWARD -o wg0 -j ACCEPT
ip6tables -t filter -D FORWARD -i wg0 -j ACCEPT
The public IPv6 range assigned to my main interface (enp0s20) is 2001:db8:abcd:100::/56, while I want to use 2001:db8:abcd:101::/64 for my Wireguard peers.
Another curious thing is that for some reason it appears as though I can ping between peers on this network, but that might be a fluke here, not exactly sure. I currently have both my workstation and smartphone on this network, and pinging between my workstation and smartphone works fine using the following command on Windows:
ping -6 -S 2001:db8:abcd:101::2 2001:db8:abcd:101::3
Where my workstation ends in 2 and my smartphone ends in 3.
I am at a total loss; can anyone help me with this?

How can I use iptables to make a TCP proxy between me and a outside service?

So far I was able to redirect TCP connections with a specific destination address or port to my own program with this iptables rule:
iptables -t nat -A OUTPUT -p tcp -d <address> --dport <port> -j REDIRECT --to <local_port>
This works well until I create a connection to this destination from my proxy because it recursively connects to itself.
Is there a way for iptables to know what the original connection is and only redirect it?
Or is there a better approach?
You can try using the owner module and skip the redirection for the traffic coming from the proxy. Check --uid-owner or --pid-owner; you should be able to differentiate the traffic based on either of these.
Something like this:
iptables -t nat -I OUTPUT -m owner -p tcp -d <address> --dport <port> --uid-owner <proxy-owner> -j ACCEPT

Converting IPTables rules to Firewalld

I'm working on setting up Cuckoo Sandbox and I have several IPTables rules that need to be converted to Firewalld rules.
Here's the reference page for the Cuckoo Sandbox install guide: http://docs.cuckoosandbox.org/en/latest/installation/guest/network/#virtual-networking
The 3 lines that I need to convert from IPTables format are (Subnet removed):
iptables -A FORWARD -o eth0 -i vboxnet0 -s 0.0.0.0/0 -m conntrack --ctstate NEW -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A POSTROUTING -t nat -j MASQUERADE
I've made an attempt to convert the rules and implement them using firewall-cmd, and here are the three updated rules that I came up with:
firewall-cmd --permanent --direct --add-rule ipv4 -A FORWARD -o eth0 -i vboxnet0 -s 0.0.0.0/0 -m conntrack --ctstate NEW -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter POSTROUTING 0 -t nat -j MASQUERADE
However, when I attempt to add one of the above rules using sudo firewall-cmd I get a response that says:
wrong priority
usage: --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>
What am I doing wrong?
Thanks for any help!
It looks like you have just copied and pasted your iptables arguments to the back of a firewall-cmd command: that will not work. The error message is telling you that it is not finding what it expects after 'ipv4': table, chain, priority and args. You need something like:
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p tcp --dport 9000 -j ACCEPT
You can add MASQUERADE in a couple of ways:
firewall-cmd --permanent --zone=external --add-masquerade
firewall-cmd --permanent --direct --add-rule ipv4 nat POSTROUTING 0 -o eth1 -j MASQUERADE
Here is a good reference for getting started with firewalld: https://www.certdepot.net/rhel7-get-started-firewalld/

Plex VPN port forwarded properly but not accessible

TL;DR version at the bottom.
My ISP gives me a private IP (10.48.64.1) and I'm unable to do any port forwarding.
My setup:
Debian Wheezy Linux headless Server
Asuswrt-merlin router(latest version)
AirVPN via Openvpn
From some reading, some VPNs allow port forwarding. So I went ahead with AirVPN and it worked great (for torrents). I tried to port forward Plex Media Server, but unfortunately it doesn't work.
Port Forward in AirVPN (24253 is for torrent and 61477 is for Plex with local port of 32400)
Even Plex says that it works!
I was told to do some forwarding in iptables on my router, so I went ahead with these commands (got them from the AirVPN forum):
#!/bin/sh
iptables -I FORWARD -i tun11 -p udp -d 192.168.2.140 --match multiport --dports 24253,32400,61477 -j ACCEPT
iptables -I FORWARD -i tun11 -p tcp -d 192.168.2.140 --match multiport --dports 24253,32400,61477 -j ACCEPT
iptables -t nat -I PREROUTING -i tun11 -p tcp --match multiport --dports 24253,32400,61477 -j DNAT --to-destination 192.168.2.140
iptables -t nat -I PREROUTING -i tun11 -p udp --match multiport --dports 24253,32400,61477 -j DNAT --to-destination 192.168.2.140
With this, somehow my router shows blank on the PREROUTING (but the port is open based on what I see from torrents and canyouseeme.org).
With this everything should be set up and visible from outside, but unfortunately it isn't. I tried from work to view my Plex but it keeps saying 'connecting'.
All I can think now is the problem lies in the linux part (firewall maybe?)
I'm stuck for a few days and googling doesn't seem to help anymore.
Thanks for reading! I hope it can be solved.
TL;DR version
I'm connected to the VPN and I have forwarded the port properly (canyouseeme.org says it's open), but Plex says it cannot be viewed from outside the network (keeps connecting).
Nevermind! I made the mistake by not changing the port back to 61477 which was for Plex. I used torrent's port and hence why it wasn't working.

Simplest HTTP/TCP switcher

I have two tomcat instances running on ports A and B. I would like all traffic on port C to be forwarded to A or B, ideally with a simple command and minimal configuration.
Is there a simple TCP switcher that can change the traffic like that?
UPDATE: changing from ports A to B manually (command line for example) would be ok.
iptables offers the PREROUTING specifier for that:
iptables -t nat -A PREROUTING -p tcp --dport <C> -j REDIRECT --to-port <A>
Here <C> and <A> obviously refer to your ports.