I am trying to configure iptables for my Centos6 server.
I am encountering problem with NewRelic ips.
This is my iptables file:
*filter
#new relic
-A INPUT -s 50.31.164.0/24 -j ACCEPT
-A INPUT -s 103.21.244.0/22 -j ACCEPT
-A INPUT -s 103.22.200.0/22 -j ACCEPT
-A INPUT -s 103.31.4.0/22 -j ACCEPT
-A INPUT -s 104.16.0.0/12 -j ACCEPT
-A INPUT -s 108.162.192.0/18 -j ACCEPT
-A INPUT -s 141.101.64.0/18 -j ACCEPT
-A INPUT -s 162.158.0.0/15 -j ACCEPT
-A INPUT -s 162.247.240.0/22 -j ACCEPT
-A INPUT -s 173.245.48.0/20 -j ACCEPT
-A INPUT -s 188.114.96.0/20 -j ACCEPT
-A INPUT -s 190.93.240.0/20 -j ACCEPT
-A INPUT -s 197.234.240.0/22 -j ACCEPT
-A INPUT -s 198.41.128.0/17 -j ACCEPT
-A INPUT -s 199.27.128.0/21 -j ACCEPT
-A OUTPUT -d 50.31.164.0/24 -j ACCEPT
-A OUTPUT -d 103.21.244.0/22 -j ACCEPT
-A OUTPUT -d 103.22.200.0/22 -j ACCEPT
-A OUTPUT -d 103.31.4.0/22 -j ACCEPT
-A OUTPUT -d 104.16.0.0/12 -j ACCEPT
-A OUTPUT -d 108.162.192.0/18 -j ACCEPT
-A OUTPUT -d 141.101.64.0/18 -j ACCEPT
-A OUTPUT -d 162.158.0.0/15 -j ACCEPT
-A OUTPUT -d 162.247.240.0/22 -j ACCEPT
-A OUTPUT -d 173.245.48.0/20 -j ACCEPT
-A OUTPUT -d 188.114.96.0/20 -j ACCEPT
-A OUTPUT -d 190.93.240.0/20 -j ACCEPT
-A OUTPUT -d 197.234.240.0/22 -j ACCEPT
-A OUTPUT -d 198.41.128.0/17 -j ACCEPT
-A OUTPUT -d 199.27.128.0/21 -j ACCEPT
# Default chain policy
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
COMMIT
Now the problem is that new relic is blocked, although all of it's ips are opened.
If I change the default policy to:
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
Which is practically disabling iptables, everything works.
Do you have any suggestions?
Jane,
I would start by reviewing the output of
iptables -nL
to ensure that what is currently running is the same as the file that you think is being loaded (Which I assume is /etc/sysconfig/iptables).
If they match, I would add some logging, either from the command line by
iptables --append INPUT --jump LOG --log-prefix Input____ --log-level=$LOG_LEVEL
iptables --append OUTPUT --jump LOG --log-prefix Output____ --log-level=$LOG_LEVEL
or modifying your file and adding
-A INPUT -j LOG --log-prefix "Input____" --log-level 6
-A OUTPUT -j LOG --log-prefix "Output____" --log-level 6
immediately before the # Default chain policy line and reload the firewall.
I would choose the command line option, so as to not make the changes permanent.
The output from the log will usually go to /var/log/messages. (You can check /etc/syslog.conf to find out where kern.* is logging.)
You can easily find the logged output by
tail -f /var/log/messages | grep put____
and then trying to access one of the NewRelic ips.
If you need some more help, post the output of iptables -nL and tail -f /var/log/messages | grep put____
It appears as though these rules are intended to make certain your system can communicate with the list of IP addresses listed on New Relic's doc site:
https://docs.newrelic.com/docs/apm/new-relic-apm/getting-started/networks
The rules you have now are a good start for allowing communication between your system and New Relic. I can help get the connectivity to New Relic working but I cannot advise you as to what your complete firewall rules should be. Firewalls are a complex subject and certainly not one size fits all.
Please do not consider my additions as making the above list of rules comprehensive.
Now that the disclaimer is out of the way, the likely reason the agent/monitor isn't able to report data to New Relic is likely because these rules are blocking all DNS lookups.
For any of the application monitors (meaning the Java agent, Ruby agent, etc) or the Linux Server Monitor to send data to New Relic a DNS lookup for 'collector.newrelic.com' must be performed. This 'collector' actually redirects the agent or monitor to another system that is the "real" collector.
With the rules listed above, when the application agent or server monitor tries to perform a DNS lookup for 'collector.newrelic.com', it will fail. This failure will prevent the agent or server monitor from reporting any data to New Relic.
You can allow DNS lookups by adding something general like so:
-A OUTPUT -p udp --sport 1024:65535 --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT -p udp --sport 53 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
You might further refine this rule by including the IP address(es) of your DNS server(s) explicitly.
Adding those lines and restarting the firewall should solve the New Relic reporting issue.
One final comment, the iptables rules shown here also prevent all incoming web requests. If you have a website or web application, these rules will prevent anyone from reaching your site. This should also be addressed in your revised list of firewall rules.
Related
I am running the traffic from my docker container through sshuttle to a remote server, which is working great with this command:
sshuttle -l 0.0.0.0 -r user#server 0/0 -v
The problem is that I need incoming connections to be allowed to reach my local server via the remote server's ip address and a specific port. I've tried creating an additional ssh tunnel via
ssh -NR 0.0.0.0:43523:localhost:43523
This almost works, as the incoming connections show up in the sshuttle verbose logs, but the connection never establishes (connection timed out from the client side).
Here are the iptables rules created by sshuttle at runtime:
iptables -t nat -N sshuttle-12300
iptables -t nat -F sshuttle-12300
iptables -t nat -I OUTPUT 1 -j sshuttle-12300
iptables -t nat -I PREROUTING 1 -j sshuttle-12300
iptables -t nat -A sshuttle-12300 -j RETURN -m ttl --ttl 63
iptables -t nat -A sshuttle-12300 -j RETURN -m addrtype --dst-type LOCAL
iptables -t nat -A sshuttle-12300 -j REDIRECT --dest 0.0.0.0/0 -p tcp --to-ports 12300
So my question is: What is causing the incoming connections to not work? And how can I fix it?
I've been trying to set up a Wireguard VPN on my Dedibox at Scaleway for the past few days now, with limited success. First of all, IPv4 is working, so at least I am not hopelessly lost. Currently my peers are using private IPv4 addresses to talk to the server, which then nats them onto it's own public IP using iptables. Works great. Now I want to set up IPv6 too, but not using nat. I want to forward public IPv6 addresses assigned on my peers using ip6tables and use those to go over the internet, rather than using the Masquerade option like with IPv4.
I have so far had limited success in that field. I set up a little test environment in GNS3 and without Wireguard it's definitely possible to route IPv6 addresses using ip6tables (just to find out what rules to make, I am kind of new to iptables). Now I tried to do the same thing on my wireguard equipped server, but to no avail. My PostUp and PostDown are currently as follows (censoring out my IPv6 addresses):
PostUp:
iptables -A FORWARD -o wg0 -j ACCEPT
iptables -t nat -A POSTROUTING -o enp0s20 -j MASQUERADE
ip6tables -t filter -I INPUT 1 -s 2001:db8:abcd:100::/56 -j ACCEPT
ip6tables -t filter -I INPUT 2 -s 2001:db8:abcd:101::/64 -j ACCEPT
ip6tables -t filter -I FORWARD 1 -o wg0 -j ACCEPT
ip6tables -t filter -I FORWARD 2 -i wg0 -j ACCEPT
PostDown:
iptables -D FORWARD -o wg0 -j ACCEPT
iptables -t nat -D POSTROUTING -o enp0s20 -j MASQUERADE
ip6tables -t filter -D INPUT -s 2001:db8:abcd:100::/56 -j ACCEPT
ip6tables -t filter -D INPUT -s 2001:db8:abcd:101::/64 -j ACCEPT
ip6tables -t filter -D FORWARD -o wg0 -j ACCEPT
ip6tables -t filter -D FORWARD -i wg0 -j ACCEPT
The public IPv6 range assigned to my main interface (enp0s20) is 2001:db8:abcd:100::/56, while I want to use 2001:db8:abcd:101::/64 for my Wireguard peers.
Another curious thing is that for some reason it appears as though I can ping between peers on this network, but that might be a fluke here, not exactly sure. I currently have both my workstation and smartphone on this network, and pinging between my workstation and smartphone works fine using the following command on Windows:
ping -6 -S 2001:db8:abcd:101::2 2001:db8:abcd:101::3
Where my workstation ends in 2 and my smartphone ends in 3.
I am at a total loss, anyone who could help me with this?
So far I was able to redirect TCP connections with a specific destination address or port to my own program with this iptables rule:
iptables -t nat -A OUTPUT -p tcp -d <address> --dport <port> -j REDIRECT --to <local_port>
This works well until I create a connection to this destination from my proxy because it recursively connects to itself.
Is there a way for iptables to know what the original connection is and only redirect it?
Or is there a better approach?
You can try using owner module and skip the redirection for the traffic coming from the proxy. Check for --uid-owner or --pid-owner, you should be able to differentiate the traffic based on either of these.
Something like this,
iptables -t nat -I OUTPUT -m owner -p tcp -d <address> --dport <port> --uid-owner <proxy-owner> -j ACCEPT
I looked up the NAT class in mininet.nodelib, it is implemented through iptables:
self.cmd( 'iptables -I FORWARD',
'-i', self.localIntf, '-d', self.subnet, '-j DROP' )
self.cmd( 'iptables -A FORWARD',
'-i', self.localIntf, '-s', self.subnet, '-j ACCEPT' )
self.cmd( 'iptables -A FORWARD',
'-o', self.localIntf, '-d', self.subnet,'-j ACCEPT' )
self.cmd( 'iptables -t nat -A POSTROUTING',
'-s', self.subnet, "'!'", '-d', self.subnet, '-j MASQUERADE' )
However when I install a logging rule :
iptables -A INPUT -j LOG --log-prefix "IPT log: " --log-level 4
Not a single /related/ entry appears in the /var/log/kern.log file (it works, if I run the same rule with no mininet).
Thanks in advance!
Edit:
To be more precise, here is what I tried to do:
mininet>h2 iptables -A OUTPUT -j LOG --log-prefix "IPT log: " --log-level 3
mininet>h2 iptables -I OUTPUT -j LOG --log-prefix "IPT log: " --log-level 3
mininet>h2 ping h0
.... normal ping output ....
mininet>h2 wget h0
.... index.html being saved on disk ....
mininet>h2 grep "IPT log" /var/log -R
As grep shows, there is no a single relevant line in the logs, despite multiple ICMP message being sent by ping and TCP communication performed by wget.
Edit2:
Here is my iptables rules, after the experiments (sorry for the text-picture):
The INPUT chain will contain only packets whose destination is the local machine, not packets that are being forwarded.
A packet that is being routed (forwarded) by the node (in this case, the machine containing the iptables rules) will pass through the following chains:
PREROUTING -> FORWARD -> POSTROUTING
If you want to log all the packets that are being forwarded, you need to change the INPUT chain with the FORWARD chain in your log rule.
If you want to log only packets that that are being NATd, you need to use the POSTROUTING chain and the nat table in your log rule.
EDIT
Since the iptables rules (in the OUTPUT chain from your experiment) targeting LOG are being triggered (based on your screenshot), we can rule out any iptables [log rules] problem.
The issue must be somewhere else, such as the logging facility service (eg, syslog).
Here is a little picture
Asterisk eth1 10.254.254.2/28------------- Many Good Guys
eth1:1 192.168.83.5/32----------- 192.168.59.3 Bad Guy Peer
I have an Asterisk which is connected with several peers. Some of them are connected through
eth1 and one the badest through alias eth1:1.
Then my asterisk send invite to peers it goes with the eth1 source. So for the bad guy I need to change my source ip to 192.168.83.5 As far as I know it can be done with iptables.
So I tried the rule
iptables -t nat -A POSTROUTING -s 10.254.254.2 -d 192.168.59.3 -j SNAT
--to 192.168.83.5
nothing happens.
When I log I can see send packets in INPUT and OUTPUT chains with :
iptables -t filter -A OUTPUT -o eth1 -s 10.254.254.2 -d 192.168.59.3
-j LOG --log-level 7 --log-prefix "OUTPUT"
iptables -t filter -A INPUT-i eth1 -s 192.168.59.3 -d 192.168.83.5 -j
LOG --log-level 7 --log-prefix "OUTPUT"
but I don’t see any in POSTROUTING chain with:
iptables -t nat -A POSTROUTING -s 10.254.254.2 -d 192.168.59.3 -j LOG
--log-level 7 --log-prefix "POSTROUTING"
That is I have nothing to SNAT(((
At the same time the traffic from other peers is visible in POSTROUTING log. What can it be?
Any thoughts, wishes, kicks would be very appreciated!
The solution has been found!!
I didn' t find a way to make my iptables work. But know i know how to do it without iptables at all.
So generally speaking my task was to modify|mask|replace my source ip of eth1 with eth1:1 ip.
By the way i use CentOS 5.8
And there is a command:
ip route add
which gives you ability to point scr address unlike the route command.
so
ip route add 192.168.59.3/32 via 10.254.254.1 dev eth1 src
192.168.83.5
is doing just what i need.
Thank you for attention!
That will not work. Reason is simple, asterisk will set in packet source addres=address of eth1.
You can start enother asterisk same host(with other config dir). I am sorry, i not know other simple variants.