EzDev.org

iptables interview questions

Top iptables frequently asked interview questions


Iptables: How to allow only one ip through specific port?

How can I, on my Ubuntu server, only allow one IP address on a specific port in iptables?

Thanks


Source: (StackOverflow)

How to do the port forwarding from one ip to another ip in same network?

I would like to do some NAT in iptables. So that, all the packets coming to 192.168.12.87 and port 80 will be forwarded to 192.168.12.77 port 80.

How to do this with iptables?

Or

Any other ways to achieve the same?


Source: (StackOverflow)
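An added example, not from the original post: the nat and filter rules that make 192.168.12.87 hand TCP/80 on to 192.168.12.77:80. It assumes the two hosts and the clients share one LAN, which is what makes the SNAT rule necessary; that assumption is the only thing in it that is not taken from the question.

```sh
#!/bin/sh
# Added example, not from the original post. Makes 192.168.12.87 pass TCP/80
# on to 192.168.12.77:80 with netfilter NAT. Assumption: both hosts and the
# clients share one LAN, which is what forces the SNAT rule below.
FRONT=192.168.12.87
TARGET=192.168.12.77

nat_rules() {
    cat <<EOF
*nat
# arriving packets for FRONT:80 get their destination rewritten
-A PREROUTING -d $FRONT -p tcp --dport 80 -j DNAT --to-destination $TARGET:80
# TARGET sits on the same LAN as the clients, so its replies would otherwise
# go straight to the client, which never talked to TARGET and resets them.
# Rewriting the source to FRONT makes TARGET answer the forwarder, which
# un-NATs both directions. Cost: TARGET sees FRONT, not the client address.
-A POSTROUTING -d $TARGET -p tcp --dport 80 -j SNAT --to-source $FRONT
COMMIT
*filter
# NAT only rewrites; the FORWARD chain still has to let the flow through
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -d $TARGET -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# A host does not forward by default; without this the DNAT'd packets are
# discarded before FORWARD. Persist it in /etc/sysctl.d/ for reboots.
# --noflush appends to the existing tables instead of replacing them.
apply() {
    sysctl -w net.ipv4.ip_forward=1
    nat_rules | iptables-restore --noflush
}
```

Run `nat_rules` to review the rules, `apply` (as root) to install them. For the "any other way" part of the question: a userspace relay such as `socat TCP-LISTEN:80,fork,reuseaddr TCP:192.168.12.77:80` needs neither forwarding nor NAT, but like the SNAT above it hides the client address from the target; a reverse proxy (nginx, haproxy) can at least carry it in X-Forwarded-For.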


What is the correct way to open a range of ports in iptables

I have come across articles advising for the following:

iptables -A INPUT -p tcp 1000:2000 -j ACCEPT

And others stating that the above will not work and iptables only supports multiple port declarations with the --multiport option.

Is there a correct way to open many ports with iptables?


Source: (StackOverflow)
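The following is an added example, not from either post: a script that writes a complete iptables-restore ruleset covering both the "one IP on one port" question and the port-range question. The permitted address 203.0.113.10, the SSH port, the range 1000:2000 and the set 80,443,8443 are placeholders; everything else is standard iptables syntax.

```sh
#!/bin/sh
# Added example, not from the original posts. Builds an iptables-restore
# ruleset that admits one source address to one port and opens port ranges.
# Assumptions: 203.0.113.10 is the one permitted address, 22 the restricted
# port, 1000-2000 and 80,443,8443 the ranges to open (all placeholders).

# allow_one_ip ADDR PORT: ACCEPT from ADDR, then DROP everyone else on PORT.
# iptables stops at the first matching rule, so the ACCEPT must come first;
# reversed, ADDR is locked out as well.
allow_one_ip() {
    printf '%s\n' "-A INPUT -p tcp -s $1 --dport $2 -m conntrack --ctstate NEW -j ACCEPT"
    printf '%s\n' "-A INPUT -p tcp --dport $2 -j DROP"
}

# open_range FIRST LAST: a contiguous range needs no multiport module,
# '--dport FIRST:LAST' is enough. The form quoted in the question fails only
# because the range is not attached to --dport.
open_range() {
    printf '%s\n' "-A INPUT -p tcp --dport $1:$2 -m conntrack --ctstate NEW -j ACCEPT"
}

# open_ports LIST: non-contiguous ports need -m multiport; at most 15 ports
# per rule, and a range inside the list (e.g. 6000:6010) counts as two.
open_ports() {
    printf '%s\n' "-A INPUT -p tcp -m multiport --dports $1 -m conntrack --ctstate NEW -j ACCEPT"
}

# ruleset: the complete filter table, default-deny inbound, in the text
# format that 'iptables-restore' reads.
ruleset() {
    printf '%s\n' '*filter' \
        ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    allow_one_ip 203.0.113.10 22
    open_range 1000 2000
    open_ports 80,443,8443
    printf '%s\n' 'COMMIT'
}

# check: parse the ruleset without installing it (needs root and the
# iptables-restore binary; --test loads into the kernel and discards).
check() {
    command -v iptables-restore >/dev/null 2>&1 || { echo "iptables-restore not found" >&2; return 1; }
    ruleset | iptables-restore --test
}

# apply: install atomically. Run 'check' first; with INPUT DROP and a typo
# in the SSH rule you lock yourself out of the box.
apply() { ruleset | iptables-restore; }
```

`ruleset` prints the table, `check` validates it, `apply` installs it. Nothing here survives a reboot on its own; on Ubuntu the iptables-persistent package reloads /etc/iptables/rules.v4, so `ruleset > /etc/iptables/rules.v4` is the usual way to keep it.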

What is the point of the docker-proxy process? Why is a userspace tcp proxy needed?

I have noticed that there is docker-proxy process running for each published port. What is the purpose of this process? Why is a user space tcp proxy needed for this?

$ ps -Af | grep proxy
root      4776  1987  0 01:25 ?        00:00:00 docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 22222 -container-ip 172.17.0.2 -container-port 22
root      4829  1987  0 01:25 ?        00:00:00 docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 5555 -container-ip 172.17.0.3 -container-port 5555

and some related iptable rules created by docker:

$ sudo iptables -t nat -L -n -v
Chain PREROUTING (policy ACCEPT 1 packets, 263 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DOCKER     all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT 1 packets, 263 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 1748 packets, 139K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   32  7200 DOCKER     all  --  *      *       0.0.0.0/0           !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT 1719 packets, 132K bytes)
 pkts bytes target     prot opt in     out     source               destination         
   32  7200 MASQUERADE  all  --  *      !docker0  172.17.0.0/16        0.0.0.0/0           

Chain DOCKER (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            127.0.0.1            tcp dpt:22222 to:172.17.0.2:22
    0     0 DNAT       tcp  --  !docker0 *       0.0.0.0/0            127.0.0.1            tcp dpt:5555 to:172.17.0.3:5555

Source: (StackOverflow)

Force local IP traffic to an external interface

I have a machine with several interfaces that I can configure as I want, for instance:

  • eth1: 192.168.1.1
  • eth2: 192.168.2.2

I would like to forward all the traffic sent to one of these local addresses through the other interface. For instance, all requests to an iperf, ftp, http server at 192.168.1.1 should be not just routed internally, but forwarded through eth2 (and the external network will take care of re-routing the packet to eth1).

I tried and looked at several commands, like iptables, ip route, etc... but nothing worked.

The closest behavior I could get was done with:

ip route change to 192.168.1.1/24 dev eth2

which sends all 192.168.1.x on eth2, except for 192.168.1.1 which is still routed internally. Maybe I could then do NAT forwarding of all traffic directed to a fake 192.168.1.2 on eth1, rerouted to 192.168.1.1 internally? I am actually struggling with iptables, but it is too tough for me.

The goal of this setup is to do interface driver testing without using two PCs.

I am using Linux, but if you know how to do that with Windows, I'll buy it!

Edit:

The external network is just a crossover cable between eth1 and eth2. Let's say I have an http server on my machine. Now I want to access this server from the same machine, but I want to force the TCP/IP traffic to go through this eth1/eth2 cable. How should I configure my interfaces for this?


Source: (StackOverflow)
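An added example, not from the original post. The kernel delivers traffic between two of its own addresses internally before any driver sees it; the clean way to force it onto the cable is to put one interface in a separate network namespace, so the two ends belong to two network stacks. The script assumes eth1 stays in the main namespace as 192.168.1.1/24 and eth2 moves into a namespace called "peer" as 192.168.1.2/24 (one subnet, because the crossover cable is a single link); the namespace name and the second address are placeholders.

```sh
#!/bin/sh
# Added example, not from the original post. Moves eth2 into its own network
# namespace so that traffic between 192.168.1.1 and 192.168.1.2 really goes
# eth2 -> cable -> eth1. Assumptions: names and addresses below are placeholders;
# both addresses are in one subnet because the cable is one link.
NS=peer
IF_A=eth1; ADDR_A=192.168.1.1/24
IF_B=eth2; ADDR_B=192.168.1.2/24

# run: execute the command, or only print it when DRY_RUN=1 (review first)
run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

setup() {
    run ip netns add "$NS"
    run ip link set "$IF_B" netns "$NS"          # eth2 leaves the root namespace
    run ip addr flush dev "$IF_A"
    run ip addr add "$ADDR_A" dev "$IF_A"
    run ip link set "$IF_A" up
    run ip netns exec "$NS" ip addr add "$ADDR_B" dev "$IF_B"
    run ip netns exec "$NS" ip link set "$IF_B" up
    run ip netns exec "$NS" ip link set lo up
}

# Client inside the namespace, server (http, iperf, ftp) in the root
# namespace: every byte crosses both drivers. Swap roles to test the
# other direction.
test_http()  { run ip netns exec "$NS" curl -s -o /dev/null -w '%{http_code}' "http://${ADDR_A%/*}/"; }
test_iperf() { run ip netns exec "$NS" iperf -c "${ADDR_A%/*}"; }

# deleting the namespace hands eth2 back to the root namespace
teardown() { run ip netns del "$NS"; }
```

`DRY_RUN=1 setup` prints the command sequence; without it the functions need root and a kernel with network namespaces (CONFIG_NET_NS, any distribution kernel of the last decade). No equivalent exists on Windows, which has no namespaces; there a VM with the second NIC passed through is the nearest thing.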

Allowing FTP with IPTables

My current scenario involves allowing various rules, but I need ftp to be accessible from anywhere. The OS is Cent 5 and I am using VSFTPD. I can't seem to get the syntax correct. All other rules work correctly.

## Filter all previous rules
*filter

## Loopback address
-A INPUT -i lo -j ACCEPT

## Established inbound rule
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

## Management ports
-A INPUT -s x.x.x.x/24 -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -s x.x.x.x/23 -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -s x.x.x.x/24 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s x.x.x.x/23 -p icmp -m icmp --icmp-type any -j ACCEPT
-A INPUT -s x.x.x.x/23 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -i lo -j ACCEPT

## Allow NRPE port (Nagios)
-A INPUT -s x.x.x.x -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT
-A INPUT -s x.x.x.x -p tcp -m state --state NEW -m tcp --dport 5666 -j ACCEPT

##Allow FTP

## Default rules
:INPUT DROP [0:0]
:FORWARD DROP
:OUTPUT ACCEPT [0:0]
COMMIT

The following are rules I have tried.

##Allow FTP
-A INPUT --dport 21 any -j ACCEPT
-A INPUT --dport 20 any -j ACCEPT

-A INPUT -p tcp --dport 21 -j ACCEPT
-A INPUT -p tcp --dport 20 -j ACCEPT

-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT


-A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 20 -j ACCEPT
-A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 21 -j ACCEPT

-A INPUT -s 0.0.0.0/0 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
-A INPUT -s 0.0.0.0/0 -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT

Source: (StackOverflow)
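An added example, not from the original post. The rules for port 21 posted above are syntactically fine; what usually breaks FTP behind a default-deny INPUT chain is the data connection, which in passive mode arrives on a random high port. Connection tracking admits it as RELATED only when the ftp helper has read the control channel. The block assumes vsftpd on port 21 and a default-deny INPUT as in the question, and writes `-m conntrack`, the current spelling of `-m state`.

```sh
#!/bin/sh
# Added example, not from the original post. Opens FTP for everyone, with the
# connection-tracking helper so passive-mode data connections count as RELATED.
# Assumptions: vsftpd on port 21 and a default-deny INPUT, as in the question.
ftp_rules() {
    cat <<EOF
*raw
# Current kernels do not attach helpers automatically (nf_conntrack_helper=0);
# assign the ftp helper to the control channel explicitly. Needs nf_conntrack_ftp
# loaded. CentOS 5 predates the CT target: there 'modprobe ip_conntrack_ftp'
# alone is enough, and this table block must be left out.
-A PREROUTING -p tcp --dport 21 -j CT --helper ftp
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# control channel from anywhere
-A INPUT -p tcp --dport 21 -m conntrack --ctstate NEW -j ACCEPT
# No port 20 rule: active-mode data connections originate here (OUTPUT is
# ACCEPT), passive-mode ones arrive as RELATED once the helper has read the
# 227 reply. A NEW inbound connection to port 20 happens in neither mode.
COMMIT
EOF
}

# Without the helper, or with FTPS (the helper cannot read the encrypted PASV
# reply), the server's passive range has to be opened instead.
ftp_passive_range() {   # ftp_passive_range 40000 40100 (vsftpd pasv_min_port/pasv_max_port)
    printf '%s\n' "-A INPUT -p tcp --dport $1:$2 -m conntrack --ctstate NEW -j ACCEPT"
}

load_helper() { modprobe nf_conntrack_ftp; }
```

`load_helper` first, then `ftp_rules | iptables-restore --noflush` (root). The helper parses the cleartext control channel, which is also its security cost: an attacker who can send PASV/PORT text through port 21 can open pinholes, so restrict what it applies to (the `--dport 21` match above) rather than assigning it to all traffic.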

Hardware Firewall Vs. Software Firewall (IP Tables, RHEL)

TL;DR
My hosting company says IP Tables is useless and doesn't provide any protection. Is this BS?

I have two, co-located servers. Yesterday my DC company contacted me to tell me that because I'm using a software firewall my server is "Vulnerable to multiple, critical security threats" and my current solution offers "No protection from any form of attack".

They say I need to get a dedicated Cisco firewall ($1000 installation then $200/month EACH) to protect my servers. I was always under the impression that, while hardware firewalls are more secure, something like IPTables on RedHat offered enough protection for your average server.

Both servers are just web-servers, there's nothing critically important on them but I've used IPTables to lock down SSH to just my static IP address and block everything except the basic ports (HTTP(S), FTP and a few other standard services).

I'm not going to get the firewall, if either of the servers were hacked it would be an inconvenience but all they run is a few Wordpress and Joomla sites so I definitely don't think it's worth the money.


Source: (StackOverflow)

iptables equivalent for mac os x

I want to forward requests from 192.168.99.100:80 to 127.0.0.1:8000. This is how I'd do it in linux using iptables:

iptables -t nat -A OUTPUT -p tcp --dport 80 -d 192.168.99.100 -j DNAT --to-destination 127.0.0.1:8000

How do I do the same thing in MacOS X? I tried out a combination of ipfw commands without much success:

ipfw add fwd 127.0.0.1,8000 tcp from any to 192.168.99.100 80

(Success for me is pointing a browser at http://192.168.99.100 and getting a response back from a development server that I have running on localhost:8000)


Source: (StackOverflow)

Denyhosts vs fail2ban vs iptables- best way to prevent brute force logons?

I'm setting up a LAMP server and need to prevent SSH/FTP/etc. brute-force logon attempts from succeeding. I've seen many recommendations for both denyhosts and fail2ban, but few comparisons of the two. I also read that an IPTables rule can fill the same function.

Why would I choose one of these methods over another? How do people on serverfault handle this problem?


Source: (StackOverflow)
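An added example, not from the original post: the pure-iptables option the question mentions, done with the `recent` match, which counts new connections per source inside the kernel and needs no log parsing. It assumes SSH on 22, an admin address 203.0.113.10 that is never throttled, and "more than 4 new connections in 60 seconds" as the abuse threshold; all three are placeholders.

```sh
#!/bin/sh
# Added example, not from the original post: throttle new SSH connections per
# source address with -m recent. Assumptions (placeholders): SSH on 22,
# 203.0.113.10 is an admin address that is never throttled, 4 new
# connections in 60 s from one address is abuse.
SSH_PORT=22
ADMIN=203.0.113.10
WINDOW=60
HITS=4

ssh_throttle_rules() {
    cat <<EOF
*filter
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# admin address first, so nothing below can ever lock it out
-A INPUT -p tcp --dport $SSH_PORT -s $ADMIN -j ACCEPT
# every new SSH connection records a timestamp for its source under "SSH"
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --set --name SSH --rsource
# if the source now has HITS or more timestamps inside WINDOW seconds, drop.
# --update refreshes the timestamp, so an attacker who keeps hammering stays
# blocked; hitcount may not exceed the module's ip_pkt_list_tot (default 20)
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -m recent --update --seconds $WINDOW --hitcount $HITS --name SSH --rsource -j DROP
-A INPUT -p tcp --dport $SSH_PORT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# the live table: one line per tracked source with its recent timestamps
show_tracked() { cat /proc/net/xt_recent/SSH; }
```

`ssh_throttle_rules | iptables-restore --noflush` installs it (root); on older kernels the table lives under /proc/net/ipt_recent/ instead. The trade-off against the other two tools: this counts connection attempts, not failures, so a legitimate script that opens many sessions gets throttled just like an attacker, while denyhosts (sshd only, via /etc/hosts.deny) and fail2ban (any log, any service, blocks by inserting iptables rules) act on failed logins. None of them replaces key-only authentication, which makes the guessing pointless rather than merely slow.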

Minimal rate and default class problem for HTB

I have some doubts about a HTB structure I'm using.

My aim is to limit the download and upload speed of users in a local network. Each user of the network has a personal list of domains with a down and up speed for the domain he cannot exceed.

It means user1 can have his access to slashdot.org restricted to 8KB on download and 3KB for upload, and user2 can have on slashdot.org a restricted access of 4KB down and 1KB up.

For now I set up an iptables/tc couple that works great, but at a very small scale, using 2 or 3 virtual hosts at the same time (unfortunately, I cannot perform a real size test).

Here is my current structure (I'll only show the one on the egress of the LAN, the one for the upload being simply a "copy" of this one)

An HTB qdisc (handle 2:) attached on the interface, the default traffic class is the class FFFF.

The root class 2:1 directly under the HTB qdisc having for rate and ceiling the DOWNLINK capacity.

The default class 2:FFFF as a child of 2:1, with a rate of 1kbps and a ceil of DOWNLINK capacity.

Then, other classes are dynamically added: when there is a new restriction for a user on a certain domain, a new tc class is added to control the download speed from that domain.

For now, here is what I did:

Create a new tc class with a unique id (taken from a database, not the point here), as a parent the class 2:1, rate value is 1bps, ceil value is set to the limited download speed.

Here are the tc commands:

-------------- BEGIN SCRIPT --------------
# $tc, $LAN_IFACE, $id, $idHex and $speedDown are set by the caller.
# $DOWNLINK is in kilobytes per second (tc's "kbps" unit; "kbit" is kilobits).
DOWNLINK=800

## Setting up the static tc qdisc and class

$tc qdisc add dev $LAN_IFACE root handle 2: htb default 0xFFFF

# Main class so the default class can borrow bandwidth from the others.
# The braces matter: $DOWNLINKkbps expands an (empty) variable named DOWNLINKkbps,
# and a bare number without a unit is read by tc as bits per second.
$tc class replace dev $LAN_IFACE parent 0x2: classid 0x2:0x1 htb rate ${DOWNLINK}kbps ceil ${DOWNLINK}kbps

# add the default class 2:FFFF under the main class 2:1
$tc class replace dev $LAN_IFACE parent 0x2:0x1 classid 0x2:0xFFFF htb rate 1kbps ceil ${DOWNLINK}kbps prio 0

# add an sfq qdisc to the default leaf class 2:FFFF
$tc qdisc add dev $LAN_IFACE parent 0x2:0xFFFF handle 0xFFFF: sfq perturb 10

## The dynamic part, called each time a new restriction for a domain/user couple is added
$tc class replace dev $LAN_IFACE parent 0x2:0x1 classid 0x2:0x$idHex htb rate 1bps ceil ${speedDown}kbps prio 1

# Add the sfq at the leaf class 2:$idHex
$tc qdisc add dev $LAN_IFACE parent 0x2:0x$idHex handle 0x$idHex: sfq perturb 10

# $id is the mark added by iptables for this domain/user couple
$tc filter replace dev $LAN_IFACE parent 0x2:0 protocol ip prio 3 handle 0x$id fw flowid 0x2:0x$idHex
-------------- END SCRIPT --------------

All the normal traffic (without speed restriction) should go to the default class, and that the restricted one should be sent to its corresponding tc class.

The point I seriously doubt is the use of the minimal 1bps rate for the default class and the restricted classes. I cannot control the number of restricted classes that will be created, and I don't want the total rate of the restricted classes to be over the one of the root class.

Another point: I gave the default class prio 0 and the restricted classes prio 1, so in case the default class has to borrow (almost always, given its very low rate), it will be served before the restricted domains. But won't those domains starve if I keep the ceil of the default class equal to the one of the root class?

How can I allow the users to keep decent interactivity and bandwidth for non-restricted usage, while limiting the speed for several domain/user couples?

I am also wondering if the default class is useful here, since if I don't specify a default class for the htb qdisc, the packets not matching the filters will be dequeued at the hardware speed (but here again, making the restricted classes starve?).

I'm really new to tc and network QoS, so any advice or criticism (constructive ;) ) will be welcome.

Vincent.


Source: (StackOverflow)
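One way to settle the 1bps and starvation questions, as an added example that is not the poster's script: give every restricted class a guaranteed rate equal to its cap (so it always gets its limit and never more, whatever its prio), give the default class whatever is left with a ceil of the whole link, and refuse a new restriction once the remainder would drop below a reserve. HTB always honours a class's rate before prio decides who gets the spare bandwidth, so with rate == ceil the restricted classes are fully determined and cannot starve. The script emits the tc and iptables commands; it assumes DOWNLINK in tc's kbps (kilobytes/s) like the original, decimal class ids from the database that are never 1 or 65535, and restrictions passed as "id:ceil" pairs.

```sh
#!/bin/sh
# Added example, not the poster's script. Sizes HTB classes so nothing starves:
# each restricted class gets rate == ceil, the default class gets the remainder
# and may borrow up to the link. Assumptions: DOWNLINK in tc "kbps"
# (kilobytes/s) as in the original; class ids are decimal integers from the
# database (never 1 or 65535, which are taken); restrictions are "id:ceil" pairs.
DOWNLINK=800
RESERVE=80       # never promise the default class less than this

# sum_ceils "10:100 11:200" -> 300
sum_ceils() {
    total=0
    for spec in $1; do total=$((total + ${spec#*:})); done
    echo "$total"
}

# default_rate "10:100 11:200" -> 500; fails (no output, status 1) when the
# restricted classes would leave less than RESERVE. This is the check the
# question asks for: the rates can never add up to more than the root class.
default_rate() {
    rest=$((DOWNLINK - $(sum_ceils "$1")))
    [ "$rest" -ge "$RESERVE" ] || return 1
    echo "$rest"
}

# htb_script IFACE "id:ceil ..." -> the tc commands; rates consistent by construction
htb_script() {
    iface=$1
    rest=$(default_rate "$2") || { echo "restrictions exceed $((DOWNLINK - RESERVE)) kbps" >&2; return 1; }
    echo "tc qdisc add dev $iface root handle 2: htb default ffff"
    echo "tc class add dev $iface parent 2: classid 2:1 htb rate ${DOWNLINK}kbps ceil ${DOWNLINK}kbps"
    # default: guaranteed the remainder, served first (prio 0), may borrow all idle bandwidth
    echo "tc class add dev $iface parent 2:1 classid 2:ffff htb rate ${rest}kbps ceil ${DOWNLINK}kbps prio 0"
    echo "tc qdisc add dev $iface parent 2:ffff handle ffff: sfq perturb 10"
    for spec in $2; do
        id=${spec%%:*}; ceil=${spec#*:}
        hex=$(printf '%x' "$id")           # class and qdisc handles are hexadecimal
        # rate == ceil: the class always gets its cap and never more, so it can
        # neither starve nor borrow; the sum of all rates stays == DOWNLINK
        echo "tc class add dev $iface parent 2:1 classid 2:$hex htb rate ${ceil}kbps ceil ${ceil}kbps prio 1"
        echo "tc qdisc add dev $iface parent 2:$hex handle $hex: sfq perturb 10"
        # fw filter: packets carrying mark $id (decimal) go to class 2:$hex
        echo "tc filter add dev $iface parent 2: protocol ip prio 3 handle $id fw flowid 2:$hex"
    done
}

# mark_rule USER_IP DOMAIN_IP ID -> the mangle rule that sets the mark for one
# user/domain pair on the LAN egress. The domain is resolved to one address
# here (an assumption); a real deployment would use an ipset per domain.
mark_rule() {
    echo "iptables -t mangle -A FORWARD -d $1 -s $2 -j MARK --set-mark $3"
}
```

`htb_script eth1 "10:100 11:200"` prints the commands for two restrictions and a default class guaranteed the remaining 500 kbps; pipe it to `sh` as root to apply. Whether the default class is needed at all: without `default`, unclassified packets bypass the HTB classes and are sent as fast as the device allows, which is exactly the starvation the question worries about, so keep it.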

IPTables only allow localhost access

I have struggled throughout the years to get a solid understanding on iptables. Any time I try and read through the man pages my eyes start to glaze over.

I have a service that I only want to allow the localhost to have access to.

What terms (or configuration, if someone is feeling generous) should I Google for to allow only localhost to have access to a given port?


Source: (StackOverflow)
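An added example, not from the original post. The terms to search for are the `-i lo` interface match and the `INPUT` chain; the point a lot of recipes miss is that the interface, not a 127.0.0.1 source address, is what proves a client is local, because a source address can be forged. The port 5432 is a placeholder. The second function is the check to run first, since a daemon bound to 127.0.0.1 needs no firewall rule at all.

```sh
#!/bin/sh
# Added example, not from the original post. Restricts a TCP port to clients
# on the machine itself. Assumption: the service is on port 5432 (placeholder).
localhost_only() {
    cat <<EOF
*filter
# 127/8 addresses are only valid on lo; a packet claiming such a source on a
# real interface is spoofed, so never let "-s 127.0.0.1" alone be the gate
-A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
# the interface, not the address, is what proves the client is local
-A INPUT -i lo -p tcp --dport $1 -j ACCEPT
-A INPUT -p tcp --dport $1 -j DROP
COMMIT
EOF
}

# The firewall is the second line of defence; the first is binding the daemon
# to 127.0.0.1. Feed 'ss -ltn' output on stdin and this prints every TCP
# listener that other hosts can reach, as "address port".
exposed_listeners() {
    awk 'NR > 1 {
        la = $4
        port = la; sub(/.*:/, "", port)
        addr = la; sub(/:[0-9]+$/, "", addr)
        if (addr != "[::1]" && addr !~ /^127\./) print addr, port
    }'
}
```

`localhost_only 5432 | iptables-restore --noflush` installs the rules (root); `ss -ltn | exposed_listeners` shows what is still bound to 0.0.0.0, * or [::] and should be reconfigured to listen on loopback instead.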

iptables port redirect not working for localhost

I want to redirect all traffic from port 443 to the internal port 8080. I'm using this config for iptables:

iptables -t nat -I PREROUTING --source 0/0 --destination 0/0 -p tcp \
         --dport 443 -j REDIRECT --to-ports 8080

This works for all external clients. But if I'm trying to access the port 443 from the same machine I'll get a connection refused error.

wget https://localhost

How can I extend the iptables rule to redirect local traffic too?


Source: (StackOverflow)
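An added example, not from the original post. Packets generated on the host itself never pass PREROUTING; they enter the nat table through the OUTPUT chain, so a second REDIRECT rule there is what the question is missing. The same hook is visible in the docker-proxy listing further up this page: Docker's nat OUTPUT rule jumps to the DOCKER chain for local destinations but excludes 127.0.0.0/8, so connections from the host to its 127.0.0.1-bound published ports are not NATed by those rules at all, which is the case the userspace proxy handles. The ports 443 and 8080 are the question's; the filter rules assume a default-deny INPUT.

```sh
#!/bin/sh
# Added example, not from the original post. REDIRECT for both network and
# local clients. Assumptions: the public port is 443 and the service listens
# on 8080 (as in the question); the filter rules assume a default-deny INPUT.
PUBLIC_PORT=443
LOCAL_PORT=8080

redirect_rules() {
    cat <<EOF
*nat
# packets from other hosts enter through PREROUTING
-A PREROUTING -p tcp --dport $PUBLIC_PORT -j REDIRECT --to-ports $LOCAL_PORT
# packets this host generates skip PREROUTING entirely and go through nat
# OUTPUT; this is why 'wget https://localhost' was refused. Local traffic to
# a local address leaves via lo, so -o lo scopes the rule to it.
-A OUTPUT -o lo -p tcp --dport $PUBLIC_PORT -j REDIRECT --to-ports $LOCAL_PORT
COMMIT
*filter
-A INPUT -i lo -j ACCEPT
# REDIRECT runs before filtering, so redirected packets reach INPUT with
# dport 8080. Accept those (their original destination was 443) but not
# direct connections to 8080 from the network.
-A INPUT -p tcp --dport $LOCAL_PORT -m conntrack --ctproto tcp --ctorigdstport $PUBLIC_PORT -j ACCEPT
-A INPUT -p tcp --dport $LOCAL_PORT -j DROP
COMMIT
EOF
}
```

`redirect_rules | iptables-restore --noflush` installs it (root). Check with `ss -ltn` that the service really listens on 8080 on 127.0.0.1 or 0.0.0.0; the conntrack `--ctorigdstport` match is what keeps 8080 closed to anyone who tries it directly while the redirected traffic still gets through.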

How to reload default Mac OSX routing table without rebooting

Greetings,

I'm using vpnc for a VPN client. I'm also doing some tricky things with route to make sure I can still access my local network, etc. etc. (the particulars here are not very important).

Sometimes I get the routing table so jacked up I get ping: sendto: Network is unreachable for urls that should otherwise resolve.

Currently, if I restart Mac OS X then everything is back to normal. What I'd like to do is reset the routing tables to the "default" (e.g. what it is set to at boot) without a whole system reboot.

I think that step 1 is route flush (to remove all routes). And step 2 needs to reload all of the default routes.

Any thoughts on how to do this? (e.g. what is step 2?)

EDIT Also, I'm noticing another symptom is traceroute also fails on the address in question. For instance:

traceroute the.good.dns.name

traceroute: bind: Can't assign requested address


Source: (StackOverflow)

Debugger for Iptables

I'm looking for an easy way to follow a packet through the iptables rules. This is not so much about logging, because I don't want to log all traffic (and I only want to have LOG targets for very few rules).

Something like Wireshark for Iptables. Or maybe even something similar to a debugger for a programming language.

Thanks Chris

Note: It doesn't have to be a fancy GUI tool. But it must do more than just showing a packet counter or so.

Update: It almost looks as if we can't find anything that provides the functionality that is asked for. In that case: Let's at least find a good technique that's based on iptables logging - which can be easily turned on and off, and doesn't require writing iptables rules redundantly (having to write the same rule for -j LOG and -j ...)


Source: (StackOverflow)
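An added example, not from the original post, in two parts. The TRACE target is the closest thing netfilter has to single-stepping: a packet marked in the raw table writes one kernel log line for every rule it matches and every policy it falls through, in every table and chain, so its whole path can be read back. The second part answers the update: one user chain that logs and drops, so ordinary rules jump to it instead of carrying a duplicate `-j LOG` copy, and logging is toggled by touching that single LOG rule. It assumes a legacy (xtables) iptables host; the port 23 user of the chain is a placeholder.

```sh
#!/bin/sh
# Added example, not from the original post. TRACE as a debugger, plus a
# single LOG/DROP chain that is switched in one place. Assumes legacy
# iptables (xtables); port 23 below is a placeholder.

# TRACE is a raw-table target; every packet it marks then writes one log line
# per rule it hits (or policy it falls through) in every table and chain, as
# "TRACE: table:chain:rule|policy|return:number". Scope it tightly, it is
# verbose. Needs the logger module: ipt_LOG on old kernels, nf_log_ipv4 later.
trace_on()  { iptables -t raw -I PREROUTING -p "$1" --dport "$2" -j TRACE; }
trace_off() { iptables -t raw -D PREROUTING -p "$1" --dport "$2" -j TRACE; }

# Reduce kernel log lines (dmesg, journalctl -k, /var/log/kern.log on stdin)
# to the path: "table chain kind number", one line per hop.
trace_path() {
    sed -n 's/.*TRACE: \([^:]*\):\([^:]*\):\([^:]*\):\([0-9]*\).*/\1 \2 \3 \4/p'
}

# Logging without duplicate rules: everything that should be dropped jumps
# to LOGDROP; rule 1 of that chain is the (rate-limited) LOG, rule 2 the DROP.
logdrop_chain() {
    cat <<EOF
*filter
:LOGDROP - [0:0]
-A LOGDROP -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix "iptables-drop: " --log-level 4
-A LOGDROP -j DROP
# example user of the chain
-A INPUT -p tcp --dport 23 -j LOGDROP
COMMIT
EOF
}
# toggle logging by removing or re-inserting rule 1 of LOGDROP
log_off() { iptables -D LOGDROP 1; }
log_on()  { iptables -I LOGDROP 1 -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix "iptables-drop: " --log-level 4; }
```

`trace_on tcp 80`, reproduce the connection, `dmesg | trace_path`, then `trace_off tcp 80`; the numbers are rule positions as shown by `iptables -t TABLE -L CHAIN --line-numbers`. `logdrop_chain | iptables-restore --noflush` creates the chain (root). On an nftables host the equivalent of TRACE is `meta nftrace set 1` in a rule plus `nft monitor trace`.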

Why not block ICMP?

I think I almost have my iptables setup complete on my CentOS 5.3 system. Here is my script...

# Establish a clean slate
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -F # Flush all rules
iptables -X # Delete all chains

# Disable routing. Drop packets if they reach the end of the chain.
iptables -P FORWARD DROP

# Drop all packets with a bad state
iptables -A INPUT -m state --state INVALID -j DROP
# Accept any packets that have something to do with ones we've sent on outbound
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Accept any packets coming or going on localhost (this can be very important)
iptables -A INPUT -i lo -j ACCEPT
# Accept ICMP
iptables -A INPUT -p icmp -j ACCEPT

# Allow ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow httpd
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Allow SSL
iptables -A INPUT -p tcp --dport 443 -j ACCEPT

# Block all other traffic 
iptables -A INPUT -j DROP

For context, this machine is a Virtual Private Server Web app host.

In a previous question, Lee B said that I should "lock down ICMP a bit more." Why not just block it altogether? What would happen if I did that (what bad thing would happen)?

If I need to not block ICMP, how could I go about locking it down more?


Source: (StackOverflow)
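An added example, not from the original post. What breaks when ICMP is blocked outright is path-MTU discovery: the "fragmentation needed" message (type 3, code 4) is how a router tells this host to send smaller packets, and without it large responses to clients behind a smaller MTU silently stall. Time-exceeded is what traceroute relies on. Everything else a public web host can do without. The block replaces the single `iptables -A INPUT -p icmp -j ACCEPT` line of the script above and leaves the rest of it as is; note that the script's RELATED rule already admits ICMP errors about connections this host opened, the explicit accepts below additionally cover traffic conntrack does not track.

```sh
#!/bin/sh
# Added example, not from the original post: the ICMP part of the INPUT chain
# narrowed to what a public host needs. Replaces the script's single
# 'iptables -A INPUT -p icmp -j ACCEPT'; the rest of that script stays.
icmp_rules() {
    cat <<EOF
# Type 3 carries "fragmentation needed" (code 4): drop it and path-MTU
# discovery breaks, large responses stall for clients behind a smaller MTU.
# Time-exceeded makes traceroute work; parameter-problem reports header
# errors. Explicit so they pass even for traffic excluded from conntrack.
-A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
-A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
-A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
# keep answering ping, but rate-limited so a flood costs little
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
# redirect (alters routing), timestamp (leaks the clock), address-mask, router
# advertisement: nothing a server needs from strangers
-A INPUT -p icmp -j DROP
EOF
}

# Same rules in the shape of the question's script: one iptables call per
# rule, comment lines removed. Splice the output in where the old line was.
as_commands() { icmp_rules | sed -n 's/^-A /iptables -A /p'; }
```

`as_commands` prints the five lines to paste into the script in place of the ICMP accept; they must stay after the RELATED,ESTABLISHED rule and before the final DROP, exactly where the original line sits.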