How to block forwarding traffic from the physical interface (seth_w0) to the VPN interface (tun0) - vpn

I have a requirement in which I need to block certain processes from consuming network data via the VPN interface (tun0).
physical interface (cellular data) -> tun0 -> user space program -> physical interface -> destination.
Please correct me if I am wrong; the above is the way the traffic flows when the VPN is enabled.
So if I want to block one particular process's network packets from being forwarded to the tun0 interface, I have applied iptables rules for both the physical interface and the tun0 interface. Still, the application is able to use the network data via the tun0 interface.
Is there a way to block the traffic at the tun0 interface?

Don't know which rules you set, but maybe this fixes it
(allow only tun0, reject others):
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A INPUT ! -i tun0 -j REJECT
iptables -A OUTPUT ! -o tun0 -j REJECT

Related

How can I use iptables to make a TCP proxy between me and an outside service?

So far I was able to redirect TCP connections with a specific destination address or port to my own program with this iptables rule:
iptables -t nat -A OUTPUT -p tcp -d <address> --dport <port> -j REDIRECT --to <local_port>
This works well until I create a connection to this destination from my proxy because it recursively connects to itself.
Is there a way for iptables to know what the original connection is and only redirect it?
Or is there a better approach?
You can try using the owner module and skip the redirection for the traffic coming from the proxy. Check --uid-owner or --pid-owner; you should be able to differentiate the traffic based on either of these.
Something like this:
iptables -t nat -I OUTPUT -m owner -p tcp -d <address> --dport <port> --uid-owner <proxy-owner> -j ACCEPT
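A worked example added here (not code from the question or the answer above): a minimal transparent TCP proxy that learns the client's original destination from the netfilter SO_ORIGINAL_DST socket option and then connects onward under its own UID, which is exactly what the owner exemption in the nat OUTPUT chain relies on to avoid the loop. The listening port 3128, the sample address and the sockaddr sample are assumptions constructed for this example.

```python
import contextlib
import socket
import struct
import threading

SO_ORIGINAL_DST = 80   # netfilter getsockopt at level SOL_IP; the socket module has no constant for it
LISTEN_PORT = 3128     # assumed: the --to-ports value used in the REDIRECT rule
# Constructed sample of what SO_ORIGINAL_DST returns for a client that wanted 203.0.113.10:443.
SAMPLE_SOCKADDR = (struct.pack("=H", socket.AF_INET) + struct.pack("!H", 443)
                   + socket.inet_aton("203.0.113.10") + bytes(8))

def parse_sockaddr_in(raw):
    """Decode a struct sockaddr_in into (ip, port); family is host order, port network order."""
    if len(raw) < 8:
        raise ValueError("short sockaddr_in")
    family = struct.unpack("=H", raw[:2])[0]
    if family != socket.AF_INET:
        raise ValueError("unexpected address family %d" % family)
    return socket.inet_ntoa(raw[4:8]), struct.unpack("!H", raw[2:4])[0]

def original_destination(conn):
    """Ask conntrack where the REDIRECTed client really wanted to connect."""
    return parse_sockaddr_in(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))

def pump(src, dst):
    """Copy bytes one way; on EOF (or error) half-close the other side so the peer sees it."""
    with contextlib.suppress(OSError):
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)

def handle(client):
    ip, port = original_destination(client)
    # This outbound connect runs under the proxy's own UID, which the "-m owner --uid-owner"
    # rule exempts from REDIRECT, so it reaches the real service instead of looping back here.
    with client, socket.create_connection((ip, port)) as upstream:
        t = threading.Thread(target=pump, args=(client, upstream), daemon=True)
        t.start()
        pump(upstream, client)
        t.join()

def serve(port=LISTEN_PORT):
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("127.0.0.1", port))
        srv.listen()
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()
```

Run serve() as the user named in the owner rule, with that ACCEPT rule inserted ahead of the REDIRECT rule, so only other users' connections are diverted to the listener.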

How to access internal from external?

I have two network interfaces on a node. One is the internal network and the other is the external network. The internal network is 192.168.50.0/255.255.255.0 (internal network).
And the external network is 192.168.0.0/255.255.255.0. Kubernetes consists of 192.168.50.0/255.255.255.0. I want to reach the internal network from other local nodes without using the internal network interface. How can I solve this problem?
Without subnet masks, I do not understand how they are different networks.
But, in any case, you need to enable routing packets from one interface to another. I assume you are on a Linux node; there you may enable IP forwarding.
echo 1 >> /proc/sys/net/ipv4/ip_forward
Then set up some rules in iptables to perform the NATting and forwarding:
Example rules:
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
# We allow traffic from the LAN side
iptables -A INPUT -i eth0 -j ACCEPT
######################################################################
#
# ROUTING
#
######################################################################
# eth0 is LAN
# eth1 is WAN
# Allow established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Masquerade.
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
# forwarding
iptables -A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Allow outgoing connections from the LAN side.
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
https://serverfault.com/questions/453254/routing-between-two-networks-on-linux

Load-balancing UDP on localhost by source IP

I have a server (openvpn) which is not multithreaded and hence does not take advantage of the multiple cores in the box. I'm trying to solve the problem by running multiple servers, each on a different port, e.g. 127.0.0.1:8000, 127.0.0.1:8001, ... then load balancing the exterior 1194 port based on the source IP -- openvpn uses UDP but all packets for a client must arrive at the same server.
The issue I'm running into is how to load balance. I tried IPVS, but it seems like it doesn't work with servers on the same host. Then I tried nginx's new UDP feature, but again no dice. Any ideas on how to achieve this?
I discovered that plain old iptables can create such a load balancer, using the HMARK target extension (see man 8 iptables-extensions).
Essentially the HMARK target can mark a packet based on a hash of specific IP tuple parameters, source IP and source port in my case, as these will be unique per client, even behind a NAT. Then I can route the packets to the appropriate localhost server based on the mark:
iptables -A PREROUTING -t mangle -p udp --dport 1194 -j HMARK \
--hmark-tuple src,sport --hmark-mod 2 \
--hmark-rnd 0xcafeface --hmark-offset 0x8000
iptables -A PREROUTING -t nat -p udp -m mark --mark 0x8000 \
-j DNAT --to-destination 127.0.0.1:8000
iptables -A PREROUTING -t nat -p udp -m mark --mark 0x8001 \
-j DNAT --to-destination 127.0.0.1:8001
Remember to enable routing packets to localhost:
sysctl -w net.ipv4.conf.eth0.route_localnet=1

iptables rules which allow communication only with the IPs which are assigned

I have an Ubuntu server with a few VPSs running, mostly shared between friends and colleagues; it is from Hetzner.
I also have 2 sets of IPs ranging from 5.9.237.xxx to 5.9.237.xxx & 5.9.248.xxx to 5.9.248.xxx.
Today they locked my server due to a different IP set on the VPS, which is causing the problem. Now I have KVM access, and they asked me to set up an iptables rule which only allows communication with the IPs which are assigned and ignores the rest.
How to do this? I am a bit lost.
My OS is Ubuntu, and I want a command that will ignore all the IPs except the set of IPs I give.
Thank you.
You need to drop all (careful with iptables, you can lock yourself out); you should learn how your distro handles them. Here are the commands; after a reboot they will reset back to normal, so they are temporary, for testing.
iptables -A INPUT -i eth0 -j DROP
iptables -I INPUT -i eth0 -s 10.10.10.0/24 -j ACCEPT
or, of course, specify certain IPs
iptables -I INPUT -i eth0 -s 10.10.10.118 -j ACCEPT
There is a lot more to iptables than this, but this should get you started.

iptables to modify source IP. Nothing in POSTROUTING chain log

Here is a little picture:
Asterisk eth1 10.254.254.2/28------------- Many Good Guys
eth1:1 192.168.83.5/32----------- 192.168.59.3 Bad Guy Peer
I have an Asterisk which is connected with several peers. Some of them are connected through eth1 and one, the baddest, through the alias eth1:1.
When my Asterisk sends an INVITE to peers, it goes with the eth1 source. So for the bad guy I need to change my source IP to 192.168.83.5. As far as I know it can be done with iptables.
So I tried the rule
iptables -t nat -A POSTROUTING -s 10.254.254.2 -d 192.168.59.3 -j SNAT --to 192.168.83.5
Nothing happens.
When I log, I can see sent packets in the INPUT and OUTPUT chains with:
iptables -t filter -A OUTPUT -o eth1 -s 10.254.254.2 -d 192.168.59.3 -j LOG --log-level 7 --log-prefix "OUTPUT"
iptables -t filter -A INPUT -i eth1 -s 192.168.59.3 -d 192.168.83.5 -j LOG --log-level 7 --log-prefix "INPUT"
but I don't see any in the POSTROUTING chain with:
iptables -t nat -A POSTROUTING -s 10.254.254.2 -d 192.168.59.3 -j LOG --log-level 7 --log-prefix "POSTROUTING"
That is, I have nothing to SNAT (((
At the same time the traffic from other peers is visible in POSTROUTING log. What can it be?
Any thoughts, wishes, kicks would be very appreciated!
The solution has been found!!
I didn't find a way to make my iptables work. But now I know how to do it without iptables at all.
So, generally speaking, my task was to modify|mask|replace my source IP of eth1 with the eth1:1 IP.
By the way, I use CentOS 5.8.
And there is a command:
ip route add
which gives you the ability to set the src address, unlike the route command.
So
ip route add 192.168.59.3/32 via 10.254.254.1 dev eth1 src 192.168.83.5
is doing just what I need.
Thank you for your attention!
That will not work. The reason is simple: Asterisk will set in the packet source address = address of eth1.
You can start another Asterisk on the same host (with another config dir). I am sorry, I do not know other simple variants.
