How can I block a serie of IP with iptables ?
e.g. I want to block all the ip begin with 122.225.109.xx
Is it something simple like this ?
iptables -I INPUT -s 211.119.109.x -j DROP
thx
You need to specify the subnet mask:
iptables -I INPUT -s 211.119.109.0/255.255.255.0 -j DROP
Related
I've been trying to set up a Wireguard VPN on my Dedibox at Scaleway for the past few days now, with limited success. First of all, IPv4 is working, so at least I am not hopelessly lost. Currently my peers are using private IPv4 addresses to talk to the server, which then nats them onto it's own public IP using iptables. Works great. Now I want to set up IPv6 too, but not using nat. I want to forward public IPv6 addresses assigned on my peers using ip6tables and use those to go over the internet, rather than using the Masquerade option like with IPv4.
I have so far had limited success in that field. I set up a little test environment in GNS3 and without Wireguard it's definitely possible to route IPv6 addresses using ip6tables (just to find out what rules to make, I am kind of new to iptables). Now I tried to do the same thing on my wireguard equipped server, but to no avail. My PostUp and PostDown are currently as follows (censoring out my IPv6 addresses):
PostUp:
iptables -A FORWARD -o wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -o enp0s20 -j MASQUERADE
ip6tables -t filter -I INPUT 1 -s 2001:db8:abcd:100::/56 -j ACCEPT
ip6tables -t filter -I INPUT 2 -s 2001:db8:abcd:101::/64 -j ACCEPT
ip6tables -t filter -I FORWARD 1 -o wg0 -j ACCEPT
ip6tables -t filter -I FORWARD 2 -i wg0 -j ACCEPT
PostDown:
iptables -D FORWARD -o wg0 -j ACCEPT
iptables -t nat -D POSTROUTING -o enp0s20 -j MASQUERADE
ip6tables -t filter -D INPUT -s 2001:db8:abcd:100::/56 -j ACCEPT
ip6tables -t filter -D INPUT -s 2001:db8:abcd:101::/64 -j ACCEPT
ip6tables -t filter -D FORWARD -o wg0 -j ACCEPT
ip6tables -t filter -D FORWARD -i wg0 -j ACCEPT
The public IPv6 range assigned to my main interface (enp0s20) is 2001:db8:abcd:100::/56, while I want to use 2001:db8:abcd:101::/64 for my Wireguard peers.
Another curious thing is that for some reason it appears as though I can ping between peers on this network, but that might be a fluke here, not exactly sure. I currently have both my workstation and smartphone on this network, and pinging between my workstation and smartphone works fine using the following command on Windows:
ping -6 -S 2001:db8:abcd:101::2 2001:db8:abcd:101::3
Where my workstation ends in 2 and my smartphone ends in 3.
I am at a total loss, anyone who could help me with this?
So far I was able to redirect TCP connections with a specific destination address or port to my own program with this iptables rule:
iptables -t nat -A OUTPUT -p tcp -d <address> --dport <port> -j REDIRECT --to <local_port>
This works well until I create a connection to this destination from my proxy because it recursively connects to itself.
Is there a way for iptables to know what the original connection is and only redirect it?
Or is there a better approach?
You can try using owner module and skip the redirection for the traffic coming from the proxy. Check for --uid-owner or --pid-owner, you should be able to differentiate the traffic based on either of these.
Something like this,
iptables -t nat -I OUTPUT -m owner -p tcp -d <address> --dport <port> --uid-owner <proxy-owner> -j ACCEPT
I have a requirement in which need to block certain processes to consume network data using VPN interface ( tun0).
physical interface(cellular data) -> tun0- >user space program->physical interface-> destination.
pls correct me if i am wrong , the above way the traffic flows though when VPN is enabled.
so if i want to block one particular process network packet not to forwared to tun0 interface, i have applied the iptable rules for both the physical interface and the tun0 interface. still the application is able to use the network data using the tun0 interface.
is there a way to block the traffic at tun0 interface?
dont know which rules you set but maybe this fix
(allow only tun0, reject others)
iptables -A INPUT -i tun0 -j ACCEPT
iptables -A OUTPUT -o tun0 -j ACCEPT
iptables -A INPUT -i ! tun0 -j REJECT
iptables -A OUTPUT -o ! tun0 -j REJECT
I have two tomcat instances running on ports A and B. I would like all traffic on port C to be forward to A or B, ideally with a simple command and minimal configuration.
Is there a simple TCP switcher that can change the traffic like that ?
UPDATE: changing from ports A to B manually (command line for example) would be ok.
iptables offer the PREROUTING specifier for that:
iptables -t nat -A PREROUTING -p tcp --dport <C> -j REDIRECT --to-port <A>
Here <C> and <A> obviously refer to your ports.
Here is a little picture
Asterisk eth1 10.254.254.2/28------------- Many Good Guys
eth1:1 192.168.83.5/32----------- 192.168.59.3 Bad Guy Peer
I have an Asterisk which is connected with several peers. Some of them are connected through
eth1 and one the badest through alias eth1:1.
Then my asterisk send invite to peers it goes with the eth1 source. So for the bad guy I need to change my source ip to 192.168.83.5 As far as I know it can be done with iptables.
So I tried the rule
iptables -t nat -A POSTROUTING -s 10.254.254.2 -d 192.168.59.3 -j SNAT
--to 192.168.83.5
nothing happens.
When I log I can see send packets in INPUT and OUTPUT chains with :
iptables -t filter -A OUTPUT -o eth1 -s 10.254.254.2 -d 192.168.59.3
-j LOG --log-level 7 --log-prefix "OUTPUT"
iptables -t filter -A INPUT-i eth1 -s 192.168.59.3 -d 192.168.83.5 -j
LOG --log-level 7 --log-prefix "OUTPUT"
but I don’t see any in POSTROUTING chain with:
iptables -t nat -A POSTROUTING -s 10.254.254.2 -d 192.168.59.3 -j LOG
--log-level 7 --log-prefix "POSTROUTING"
That is I have nothing to SNAT(((
At the same time the traffic from other peers is visible in POSTROUTING log. What can it be?
Any thoughts, wishes, kicks would be very appreciated!
The solution has been found!!
I didn' t find a way to make my iptables work. But know i know how to do it without iptables at all.
So generally speaking my task was to modify|mask|replace my source ip of eth1 with eth1:1 ip.
By the way i use CentOS 5.8
And there is a command:
ip route add
which gives you ability to point scr address unlike the route command.
so
ip route add 192.168.59.3/32 via 10.254.254.1 dev eth1 src
192.168.83.5
is doing just what i need.
Thank you for attention!
That will not work. Reason is simple, asterisk will set in packet source addres=address of eth1.
You can start enother asterisk same host(with other config dir). I am sorry, i not know other simple variants.