|
Size: 1952
Comment: Create
|
Size: 3254
Comment: sysctl.conf
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 7: | Line 7: |
| == Interesting modules == | * update rules for dynamic dns hosts [[linux/iptables/dyndns]] * iptables handling overlapping subnets [[linux/iptables/overlap]] == 2015 Problem redirecting traffic from outside interface to vnc service listening on localhost:127.0.0.1 == * http://wiki.clover.co.za/FrontPage?action=fullsearch&context=180&value=iptables&titlesearch=Titles * http://serverfault.com/questions/551361/redirect-incoming-packets-to-loopback * http://serverfault.com/questions/504389/how-to-configure-port-forwarding-to-enable-internal-service-accessed-by-another?rq=1 * http://serverfault.com/questions/149929/how-to-configure-traffic-from-a-specific-ip-hardcoded-to-an-ip-to-forward-to-ano?rq=1 * Possible answer: * http://serverfault.com/questions/283409/how-to-use-iptables-to-forward-requests-to-a-jboss-server-running-on-a-different/285247#285247 * #echo 1 > /proc/sys/net/ipv4/ip_forward * in /etc/sysctl.conf: net.ipv4.ip_forward = 1 == Interesting modules 2010 == |
| Line 13: | Line 26: |
| iptables -A INPUT -s 192.168.0.0/16 -m comment --comment "A pri‐ vatized IP block" |
iptables -A INPUT -s 192.168.0.0/16 -m comment --comment "A privatized IP block" |
| Line 43: | Line 55: |
| == Common Problems and solutions == * Multi-interface setup ignoring/dropping packets on certain interfaces * Caused by reverse path filtering. * Fix: {{{ # Enables source route verification net.ipv4.conf.default.rp_filter = 2 # Enable reverse path net.ipv4.conf.all.rp_filter = 2 }}} |
|
| Line 45: | Line 68: |
| ---- CategoryLinux |
IPTABLES
see linux/firewall
update rules for dynamic dns hosts linux/iptables/dyndns
iptables handling overlapping subnets linux/iptables/overlap
2015 Problem redirecting traffic from outside interface to vnc service listening on localhost:127.0.0.1
http://wiki.clover.co.za/FrontPage?action=fullsearch&context=180&value=iptables&titlesearch=Titles
http://serverfault.com/questions/551361/redirect-incoming-packets-to-loopback
- Possible answer:
#echo 1 > /proc/sys/net/ipv4/ip_forward
- in /etc/sysctl.conf: net.ipv4.ip_forward = 1
Interesting modules 2010
- comment - Allows you to add comments (up to 256 characters) to any rule.
--comment comment Example: iptables -A INPUT -s 192.168.0.0/16 -m comment --comment "A privatized IP block"
- connlimit
- Allows you to restrict the number of parallel connections to a server per client IP address (or client address block).
- rateest
- The rate estimator can match on estimated rates as collected by the RATEEST target. It supports matching on absolute bps/pps values, com‐ paring two rate estimators and matching on the difference between two rate estimators.
- recent
- Allows you to dynamically create a list of IP addresses and then match against that list in a few different ways. For example, you can create a "badguy" list out of people attempting to connect to port 139 on your firewall and then DROP all future packets from them without considering them.
- time
- This matches if the packet arrival time/date is within a given range. All options are optional, but are ANDed when specified.
- TRACE
- This target marks packes so that the kernel will log every rule which match the packets as those traverse the tables, chains, rules. (The ipt_LOG or ip6t_LOG module is required for the logging.) The packets are logged with the string prefix: "TRACE: tablename:chain‐ name:type:rulenum " where type can be "rule" for plain rule, "return" for implicit rule at the end of a user defined chain and "policy" for the policy of the built in chains. It can only be used in the raw table.
Common Problems and solutions
- Multi-interface setup ignoring/dropping packets on certain interfaces
- Caused by reverse path filtering.
Fix:
# Enables source route verification net.ipv4.conf.default.rp_filter = 2 # Enable reverse path net.ipv4.conf.all.rp_filter = 2
- Caused by reverse path filtering.
...