I have two network interfaces: eth0 is the internal network needed for connecting the PCs with the softphone, and eth1 links to the internet. I'm using iptables on CentOS 6.5 to direct all the output of FreePBX (Asterisk) to eth1, but without success.
The rule
iptables -A PREROUTING -i eth1 -t mangle -p tcp --dport 5060 -j MARK --set-mark 1
Take a look at sip.conf. In the [general] section, there is a bindaddress or udpbindaddress. Set it to 0.0.0.0 to make sure Asterisk listens on all interfaces. You can check it with:
netstat -lnap | grep 5060
udp 0 0 0.0.0.0:5060 0.0.0.0:* 30822/asterisk
Then restrict access on the unnecessary interfaces using iptables, like this (note the order):
iptables -A INPUT -i eth1 -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -j DROP
iptables -A OUTPUT -o eth1 -p udp --sport 5060 -j ACCEPT
iptables -A OUTPUT -p udp --sport 5060 -j DROP
If the public IP is on the same server, you need to use the INPUT table and ACCEPT the destination.
If it is on another host, you have to use DNAT.
I have a server running Linux: server A.
I want the traffic on server A to be redirected to remote server B.
Actually, do the same as port forwarding.
I used the following commands for port forwarding.
sysctl -w net.ipv4.ip_forward=1
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 150 -j DNAT --to-destination des_ip:dest_port
iptables -t nat -A POSTROUTING -j MASQUERADE
Port forwarding worked well and I could connect to server B through server A.
Now I want to know how much traffic is used on port 150 on server A?
If server A is not a router, I can easily set a limit with the following commands and calculate the traffic consumed on server A.
sudo iptables -A INPUT -p tcp --dport 150 -j DROP
sudo iptables -A INPUT -p tcp --dport 150 -m quota --quota 100000000 -j ACCEPT
But because server A is a router, these commands do not work.
Is there any other command line that I can use to calculate the consumed traffic of port 150 on server A (server A is a router)?
I want to collect the usage data of each port using Python and store it in the database.
In this question, I wanted to redirect port 150, which is the source port, to the destination port.
After researching the PREROUTING and INPUT chains in iptables, this is what I realized:
The INPUT chain comes after the PREROUTING chain, according to this schematic.
Ports are translated to the destination port in the PREROUTING chain by NAT; therefore, in the INPUT chain there is no traffic with the source port, and all traffic has been translated to the destination port.
I can see network usage on the destination port in the INPUT chain, but I cannot see the network usage on the source port in the INPUT chain,
because all packet headers have been translated to the destination port.
So it's true that the quota for the source port does not start counting in any of the chains.
Even if I create the following rules in the FORWARD chain:
sudo iptables -A FORWARD -p tcp --dport 150 -j DROP
sudo iptables -A FORWARD -p tcp --dport 150 -m quota --quota 100000000 -j ACCEPT
Again, we will not see any change in the quota,
because the FORWARD chain is after the PREROUTING chain.
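The counters the self-answer is looking for do exist before DNAT happens: the mangle table's PREROUTING chain is traversed before nat PREROUTING, so a count-only rule there (no -j target) still sees the original destination port 150. The Python below is an added example, not code from the thread; it assumes that counting rule has been installed (named in the comment), reads the counters from iptables-save -c output (the sample here is constructed) and stores one sample in SQLite with a caller-supplied timestamp, which is what the question asked for.

```python
import re
import sqlite3

# Added example (not code from the thread). It assumes a count-only rule in the
# mangle table's PREROUTING chain, which runs BEFORE nat PREROUTING, so the
# original dport 150 is still visible there:
#     iptables -t mangle -A PREROUTING -p tcp --dport 150    # no -j: count only
# Counters come from `iptables-save -t mangle -c`: "[pkts:bytes] -A CHAIN <spec>".
_RULE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) (.*)$")
_DPORT = re.compile(r"--dport (\d+)")

def parse_counters(save_output, chain="PREROUTING"):
    """Return {dport: (packets, bytes)} for rules in `chain` keyed on a dport."""
    usage = {}
    for line in save_output.splitlines():
        m = _RULE.match(line)
        if not m or m.group(3) != chain:
            continue
        pkts, nbytes, _, spec = m.groups()
        d = _DPORT.search(spec)
        if d is None:
            continue  # not a per-port rule (e.g. the icmp line below); skip it
        port = int(d.group(1))
        p, b = usage.get(port, (0, 0))
        usage[port] = (p + int(pkts), b + int(nbytes))
    return usage

def open_db(path=":memory:"):
    """Open SQLite and create the sample table if it does not exist yet."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS port_usage "
                 "(ts REAL, port INTEGER, packets INTEGER, bytes INTEGER)")
    return conn

def store(conn, usage, ts):
    """Append one sample row per port at time `ts`; returns rows written."""
    rows = [(ts, port, p, b) for port, (p, b) in sorted(usage.items())]
    conn.executemany("INSERT INTO port_usage VALUES (?, ?, ?, ?)", rows)
    conn.commit()
    return len(rows)

# Constructed sample of `iptables-save -t mangle -c` output on server A.
SAMPLE = """\
*mangle
:PREROUTING ACCEPT [98765:43210987]
[1200:987654] -A PREROUTING -p tcp -m tcp --dport 150
[35:2100] -A PREROUTING -p udp -m udp --dport 5060
[7:420] -A PREROUTING -i eth1 -p icmp
COMMIT
"""
```

Run the parser on the real output of `iptables-save -t mangle -c` (as root) from a cron job or loop, passing `time.time()` as the timestamp; the kernel counters are cumulative, so per-interval usage is the difference between consecutive samples.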
I have two network interfaces on a node. One is the internal network and the other is the external network. The internal network is 192.168.50.0/255.255.255.0.
The external network is 192.168.0.0/255.255.255.0. Kubernetes is on 192.168.50.0/255.255.255.0. I want to reach the internal network from other local nodes without using the internal network interface. How can I solve this problem?
Without subnet masks, I do not understand how they are different networks.
But, in any case, you need to enable routing of packets from one interface to another. I assume you are on a Linux node; there you can enable IP forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
Then set up some rules in iptables to perform the natting and forwarding:
Example rules:
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# We allow traffic from the LAN side
iptables -A INPUT -i eth0 -j ACCEPT
######################################################################
#
# ROUTING
#
######################################################################
# eth0 is LAN
# eth1 is WAN
# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# Forwarding: allow replies back into the LAN
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
https://serverfault.com/questions/453254/routing-between-two-networks-on-linux
I'm using following code for capturing incoming and outgoing tcp packets by ports:
tcpdump -i any -s 0 -vvv -A port 3727 or port 5016 or port 3724 -w /home/admin/dump1.cap
But tcpdump captures only incoming packets; I need incoming and outgoing packets at the same time. Does anybody know where my mistake is?
Thanks in advance.
tcpdump -i any -s 0 -vvv -A --direction=inout -w /home/admin/dump1.cap port 3727 or port 5016 or port 3724
--direction=in for the incoming traffic
--direction=out for the outgoing traffic.
More you can find on the manual page of tcpdump.
http://www.tcpdump.org/tcpdump_man.html
This can happen if your traffic is going through an IPsec tunnel (check whether this is the case by running ipsec statusall). To capture decrypted packets you can add iptables rules to send IPsec traffic to the nflog interface:
iptables -t mangle -I PREROUTING -m policy --pol ipsec --dir in -j NFLOG --nflog-group 5
iptables -t mangle -I POSTROUTING -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5
Then tcpdump the nflog interface:
tcpdump -i nflog:5 -y IPV4 -s0 -A port 3727 or port 5016 or port 3724
Remember to remove the nflog rules when you're done!
iptables -t mangle -D PREROUTING -m policy --pol ipsec --dir in -j NFLOG --nflog-group 5
iptables -t mangle -D POSTROUTING -m policy --pol ipsec --dir out -j NFLOG --nflog-group 5
Source: https://wiki.strongswan.org/projects/strongswan/wiki/CorrectTrafficDump
How can I restrict a container's port exposed by Docker to only a list of IPs? Only the IPs in this list would be able to access this port.
I tried that:
iptables -I DOCKER -p tcp --dport PORT_X -j REJECT --reject-with icmp-port-unreachable
iptables -I DOCKER -p tcp --dport PORT_X --source EXTERNAL_IP_1 --destination HOST_IP_1 -j ACCEPT
iptables -I DOCKER -p tcp --dport PORT_X --source EXTERNAL_IP_2 --destination HOST_IP_1 -j ACCEPT
iptables -I DOCKER -p tcp --dport PORT_X --source EXTERNAL_IP_3 --destination HOST_IP_1 -j ACCEPT
I had the same problem. I solved it with these rules:
iptables -I DOCKER-USER -i <your_interface_name> -j DROP
iptables -I DOCKER-USER -i <your_interface_name> -s <your_first_ip> -j ACCEPT
iptables -I DOCKER-USER -i <your_interface_name> -s <your_second_ip> -j ACCEPT
Be careful: DOCKER-USER is a chain that will not be deleted when the docker service restarts.
You should be able to add your port flag, but I'm not an expert and it is not what I need.
Your policy is a whitelist; it's better to create a custom user chain to handle this alone.
For example, I have a redis container that I want to serve only specific IPs:
$ docker run -d -p 6379:6379 redis:2.8
After starting the redis container, the iptables rules look like this:
$ iptables -t filter -nL
Chain DOCKER (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 172.17.0.2 tcp dpt:6379
Create our custom chain:
$ iptables -N CUSTOM_REDIS
$ iptables -A CUSTOM_REDIS -p tcp --dport 6379 --source 172.31.101.37 --destination 172.17.0.2 -j ACCEPT
$ iptables -A CUSTOM_REDIS -p tcp --dport 6379 --source 172.31.101.38 --destination 172.17.0.2 -j ACCEPT
$ iptables -A CUSTOM_REDIS -p tcp --dport 6379 --source 0.0.0.0/0 --destination 172.17.0.2 -j DROP
Replace the original rule with custom chain:
$ iptables -R DOCKER 1 -p tcp --source 0.0.0.0/0 --destination 172.17.0.2 --dport 6379 -j CUSTOM_REDIS
Now my redis can only be accessed from IPs 172.31.101.37 and 172.31.101.38.
Note:
172.17.0.2 is the IP of the redis container.
From the docker guide here:
Docker’s forward rules permit all external source IPs by default. To allow only a specific IP or network to access the containers, insert a negated rule at the top of the DOCKER filter chain. For example, to restrict external access such that only source IP 8.8.8.8 can access the containers, the following rule could be added:
$ iptables -I DOCKER -i ext_if ! -s 8.8.8.8 -j DROP
In your case since you want to allow multiple IP addresses I think something like this should work:
iptables -I DOCKER -s EXTERNAL_IP_1 -p tcp --dport PORT_X -j ACCEPT
iptables -I DOCKER -s EXTERNAL_IP_2 -p tcp --dport PORT_X -j ACCEPT
iptables -I DOCKER -s EXTERNAL_IP_3 -p tcp --dport PORT_X -j ACCEPT
iptables -I DOCKER -p tcp --dport PORT_X -j REJECT --reject-with icmp-port-unreachable
You may also want to prevent access from Docker directly by binding to the specific IP you want to listen on, using the -p 1.2.3.4:6379:6379/tcp syntax; that way the container will listen only on that IP and interface.
If you use a private IP for that, you can avoid iptables completely, because you have restricted access to the local/private network only.
You can use ufw from inside docker container
sudo ufw [--dry-run] [delete] [insert NUM] allow|deny|reject|limit [in|out on INTERFACE] [log|log-all] [proto protocol] [from ADDRESS [port PORT]][to ADDRESS [port PORT]]
nginx-proxy is a Docker container that acts as a reverse proxy to other containers. It uses the Docker API to detect other containers and automatically proxies traffic to them.
I have a simple nginx-proxy setup (where subdomain.example.com is replaced with my domain):
docker run -d -p 80:80 -v /var/run/docker.sock:/tmp/docker.sock:ro jwilder/nginx-proxy
docker run -e VIRTUAL_HOST=subdomain.example.com kdelfour/cloud9-docker
It works with no problem when I have my firewall off. When I have my firewall on, I get a 504 Gateway Time-out error from nginx. This means that I'm able to see nginx on port 80, but my firewall rules seem to be restricting container-to-container and/or Docker API traffic.
I created a GitHub issue, but the creator of nginx-proxy said he had never run into this issue.
These are the "firewall off" rules (these work):
iptables -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
These are my "firewall on" rules (these don't work):
# Based on tutorial from http://www.thegeekstuff.com/scripts/iptables-rules / http://www.thegeekstuff.com/2011/06/iptables-rules-examples/
# Delete existing rules
iptables -F
# Set default chain policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Allow loopback access
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow inbound/outbound SSH
iptables -A INPUT -i eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
# Allow inbound/outbound HTTP
iptables -A INPUT -i eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
# Allow inbound/outbound HTTPS
iptables -A INPUT -i eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT
# Ping from inside to outside
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Ping from outside to inside
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Allow outbound DNS
iptables -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 53 -j ACCEPT
# Allow outbound NTP
iptables -A OUTPUT -p udp -o eth0 --dport 123 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --sport 123 -j ACCEPT
# This bit is from https://blog.andyet.com/2014/09/11/docker-host-iptables-forwarding
# Docker Rules: Forward chain between docker0 and eth0.
iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o docker0 -j ACCEPT
ip6tables -A FORWARD -i docker0 -o eth0 -j ACCEPT
ip6tables -A FORWARD -i eth0 -o docker0 -j ACCEPT
iptables-save > /etc/network/iptables.rules
Why won't the proxy work when I have my firewall on?
Thanks to advice from Joel C (see the comments above), there was a problem on the FORWARD chain, which I fixed like so:
iptables -A FORWARD -i docker0 -j ACCEPT
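The reason the fix works is that the proxy and the cloud9 backend both sit on the docker0 bridge, so a proxied request is forwarded docker0 -> docker0, an interface pair none of the original FORWARD rules name; with br_netfilter enabled (as Docker does) that packet still traverses FORWARD and falls through to the DROP policy, which is what nginx reports as a 504. The Python below is an added example, not code from the thread: a minimal first-match model of the FORWARD chain with the rules from the post, the fix, and a narrower variant that only opens bridge-local traffic (my suggestion, an assumption rather than something the thread proposes).

```python
# Added example (not code from the thread): a tiny model of the filter FORWARD
# chain that shows why the "firewall on" rule set breaks nginx-proxy. Both the
# proxy and the cloud9 backend sit on docker0, so a proxied request is forwarded
# docker0 -> docker0. No rule in the original set names that interface pair, so
# the packet falls through to the chain policy (DROP) and nginx answers 504.
# The rule and packet fields below are simplified assumptions, not iptables' own.

def rule(target, in_if=None, out_if=None):
    """One FORWARD rule; None means 'any', like omitting -i or -o."""
    return {"target": target, "in": in_if, "out": out_if}

def evaluate(chain, packet, policy="DROP"):
    """Walk the chain in order; the first matching rule decides, else the policy."""
    for r in chain:
        if r["in"] is not None and r["in"] != packet["in"]:
            continue
        if r["out"] is not None and r["out"] != packet["out"]:
            continue
        return r["target"]
    return policy

# FORWARD rules from the "firewall on" script (policy: iptables -P FORWARD DROP).
FIREWALL_ON = [
    rule("ACCEPT", in_if="docker0", out_if="eth0"),
    rule("ACCEPT", in_if="eth0", out_if="docker0"),
]

# The fix from the thread: iptables -A FORWARD -i docker0 -j ACCEPT
FIXED = FIREWALL_ON + [rule("ACCEPT", in_if="docker0")]

# A narrower alternative (my suggestion, not from the thread) that only opens
# bridge-local traffic: iptables -A FORWARD -i docker0 -o docker0 -j ACCEPT
FIXED_NARROW = FIREWALL_ON + [rule("ACCEPT", in_if="docker0", out_if="docker0")]

# Constructed packets: a container reaching the internet, and the proxy
# connecting to the backend container on the same bridge.
TO_INTERNET = {"in": "docker0", "out": "eth0"}
PROXY_TO_BACKEND = {"in": "docker0", "out": "docker0"}

def verdicts(chain):
    """(verdict for container->internet, verdict for container->container)."""
    return evaluate(chain, TO_INTERNET), evaluate(chain, PROXY_TO_BACKEND)

if __name__ == "__main__":
    for name, chain in ("firewall on", FIREWALL_ON), ("fixed", FIXED), ("narrow", FIXED_NARROW):
        print(name, verdicts(chain))
```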