IPTABLES
see linux/firewall
update rules for dynamic dns hosts linux/iptables/dyndns
iptables handling overlapping subnets linux/iptables/overlap
2015 Problem redirecting traffic from outside interface to vnc service listening on localhost:127.0.0.1
http://wiki.clover.co.za/FrontPage?action=fullsearch&context=180&value=iptables&titlesearch=Titles
http://serverfault.com/questions/551361/redirect-incoming-packets-to-loopback
- Possible answer:
#echo 1 > /proc/sys/net/ipv4/ip_forward
- in /etc/sysctl.conf: net.ipv4.ip_forward = 1
- Solution: by default Linux does not route traffic to the 127.0.0.1/8 subnet when it arrives on a non-loopback interface, so this has to be enabled per interface through the route_localnet switch (0 = disabled; write 1 to the same file to enable it). Read the current value for eth0 with:
cat /proc/sys/net/ipv4/conf/eth0/route_localnet
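As an added example (not from this wiki page or the serverfault thread), a POSIX shell script that checks the two kernel switches named above before installing a DNAT rule to loopback, and prints the rules it would need. The interface name, the port (5900 for VNC in the usage below) and the PROCFS_ROOT variable are assumptions, the last one so the check can be pointed at a constructed directory instead of the real /proc.

```shell
#!/bin/sh
# Added example, not from the wiki: verify the kernel switches named above
# and print the rules needed to DNAT an outside port to a loopback service.
# PROCFS_ROOT is an assumption of this script (defaults to the real /proc);
# IFACE and PORT are parameters, e.g. eth0 and 5900 for VNC.
PROCFS_ROOT="${PROCFS_ROOT:-/proc}"

# knob_value FILE: print the sysctl file's content, or "missing" if unreadable.
knob_value() {
    if [ -r "$1" ]; then cat "$1"; else echo missing; fi
}

# check_localnet_prereqs IFACE: return 0 when ip_forward and the interface's
# route_localnet are both 1; otherwise report each switch that is off, return 1.
check_localnet_prereqs() {
    iface="$1"; rc=0
    fwd=$(knob_value "$PROCFS_ROOT/sys/net/ipv4/ip_forward")
    rl=$(knob_value "$PROCFS_ROOT/sys/net/ipv4/conf/$iface/route_localnet")
    [ "$fwd" = 1 ] || { echo "net.ipv4.ip_forward=$fwd (need 1)"; rc=1; }
    # Without route_localnet a packet DNATed to 127.0.0.1 is a martian and is dropped.
    [ "$rl" = 1 ] || { echo "net.ipv4.conf.$iface.route_localnet=$rl (need 1)"; rc=1; }
    return $rc
}

# dnat_rules IFACE PORT: print the commands that send TCP PORT arriving on
# IFACE to the same port on 127.0.0.1, accepting only that redirected port.
dnat_rules() {
    iface="$1"; port="$2"
    echo "sysctl -w net.ipv4.conf.$iface.route_localnet=1"
    echo "iptables -t nat -A PREROUTING -i $iface -p tcp --dport $port -j DNAT --to-destination 127.0.0.1:$port"
    echo "iptables -A INPUT -i $iface -p tcp -d 127.0.0.1 --dport $port -j ACCEPT"
}

# Usage: sh redirect_to_loopback.sh IFACE PORT   (e.g. eth0 5900)
if [ $# -eq 2 ]; then
    check_localnet_prereqs "$1" && dnat_rules "$1" "$2"
fi
```

Enabling route_localnet on an interface removes the assumption that a service bound to 127.0.0.1 is reachable only from the host itself, so keep the INPUT rule limited to the one redirected port.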
Interesting modules 2010
- comment
- Allows you to add comments (up to 256 characters) to any rule. Option: --comment comment
- Example: iptables -A INPUT -s 192.168.0.0/16 -m comment --comment "A privatized IP block"
- connlimit
- Allows you to restrict the number of parallel connections to a server per client IP address (or client address block).
- rateest
- The rate estimator can match on estimated rates as collected by the RATEEST target. It supports matching on absolute bps/pps values, comparing two rate estimators and matching on the difference between two rate estimators.
- recent
- Allows you to dynamically create a list of IP addresses and then match against that list in a few different ways. For example, you can create a "badguy" list out of people attempting to connect to port 139 on your firewall and then DROP all future packets from them without considering them.
- time
- This matches if the packet arrival time/date is within a given range. All options are optional, but are ANDed when specified.
- TRACE
- This target marks packets so that the kernel will log every rule which matches the packets as they traverse the tables, chains and rules. (The ipt_LOG or ip6t_LOG module is required for the logging.) The packets are logged with the string prefix "TRACE: tablename:chainname:type:rulenum ", where type can be "rule" for a plain rule, "return" for the implicit rule at the end of a user-defined chain and "policy" for the policy of the built-in chains. It can only be used in the raw table.
Common Problems and solutions
- Multi-interface setup ignoring/dropping packets on certain interfaces
- Caused by reverse path filtering.
Fix:
# Enables source route verification
net.ipv4.conf.default.rp_filter = 2
# Enable reverse path
net.ipv4.conf.all.rp_filter = 2
...