port forwarding to access internal pc from exteral network


if your computer is 10.0.0.5 and and it connects to a router for internet connection with eth1 ( 10.0.0.1 ) and eth0 ( 192.168.0.244 ) , and now you want to access the the PC 10.0.0.5 through remote access from a 192.168.0.X network on port 3389.. type the following command
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.244 --dport 3389 -j DNAT --to 10.0.0.5:3389

iptables -A FORWARD -p tcp -i eth0 -d  10.0.0.5 --dport 3389 -j ACCEPT

/etc/init.d/iptables save

hope this helps all !!!


--

 
No comments:

how to block gtalk on gmail

In /etc/squid/special_url add the following
.chatenabled.mail.google.com
.talk.google.com
 
and in squid.conf add the following
 
acl special_url dstdomain "/etc/squid/special_url"
 
and deny acces to special_url
 
http_access deny  special_url

--
 
No comments:

ftp error: 500 invalid port connection


I am trying to access a ftp server . I am able to connect to it with the user name and password. However when i connect to the server and do a dir i get the following error. 
   
C:\Documents and Settings\Admin>ftp XXX.XXX.XXX.XXX
Connected to XXX.XXX.XXX.XXX
220 Microsoft FTP Service
User (XXX.XX.XXX.XXX:(none)): user-name
331 Password required for user-name
Password:
230 User user-name logged in.
ftp> dir
500 Invalid PORT Command.
150 Opening ASCII mode data connection for /bin/ls.
 
I got a fire wall running and i have opened port 21, The entry in the iptables is as follows .
 
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
 
Answer :
Passive ftp

A PORT command is again issued, but this time it is from the server to the client. The client connects to the server for data transfer. Since the connection is in the same sense as the original ftp connection,  passive ftp is inherently more secure than active ftp, but note that this time we know even less about the port numbers. Now we have a connection between almost arbitrary port numbers.

Enter the ip_conntrack_ftp module once more. Again, this module is able to recognize the PORT command and pick-out the port number. Instead of NEW in the state match for the OUTPUT chain, we can use RELATED. The following rules will suffice:

iptables -A INPUT     -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024:  -m state --state ESTABLISHED,RELATED -j ACCEPT

add the following to the kernel  
 
modprobe ip_nat_ftp


--  
No comments:

restricting SSH or port 22 from external network

If you have a network like the following :

Eth0 =192.168.0.244 ( or public IP )   gateway 192.168.0.254

Eth1 =10.0.0.1

 

Client pc of network class 10.X should be able to access ssh but not from 192.168.0.X network  then do the following :

 

First check the /etc/services ---- >  look for port 22

 

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22  -j REDIRECT --to-port 3128

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 22  -j REDIRECT --to-port 3128

 

all packets that come to eth0 get redirected to our squid application on the same server that works on port 3128 and  you need to configure the squid server to block port 22  

 Similarly you can block for various other ports !!!

 

No comments:

squid -- denying a specific sites and specific IP

 
line 1. acl special_client src 192.168.11.0 < type here ip ranage or single
ip address or multiple ip separted with single space )

line 2. acl special_url url_regex -i chat.yahoo.com ( type here webaddress
separated with | e.g. yahoo.com|rediff.com , last webaddress should not have
any | (pipe))

line 3 http_access deny special_client special_url

line 4 http_access allow marketing ( or whatever ip address range)


If any confusion while implementing these acl please feel free to contact us
any time

Cheers!


--
No comments:

Configuring iptables to Support the Squid Transparent Proxy

 If your firewall is connected to the Internet on interface eth0 and to the home network on interface eth1. The firewall is also the default gateway for the home network and handles network address translation on all the network's traffic to the Internet.
If the Squid server and firewall are the same server, all HTTP traffic from the home network is redirected to the firewall itself on the Squid port of 3128 and then only the firewall itself is allowed to access the Internet on port 80.
 
[root@squid ~]# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80  -j REDIRECT --to-port 3128
[root@squid ~]# iptables -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -i eth1 -p tcp --dport 3128
[root@squid ~]# iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp --dport 80
[root@squid ~]# iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp --sport 80
[root@squid ~]# iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -o eth1 -p tcp --sport 80
[root@squid ~]# /etc/init.d/iptables save
 
Saving firewall rules to /etc/sysconfig/iptables:          [  OK  ]
 
[root@squid ~]# /etc/init.d/iptables restart
 
this only works for port 80 and not https 443
 
hope this helps all
No comments:

how is it possible to route traffic through another network class and all http traffic

installed cent OS on one PC with 2 network cards
 eth0 and eth1
eth0 = 192.168.0.244
eth1 =s 10.0.0.1 
gateway to access the net is 192.168.0.254

In order that the 10.X network range  can access the internet i added the a route
# route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.0.254 but this didnt work so i deleted the same
 
My resolv.conf file looks like this
search linuxbox.com
nameserver 203.199.113.44
nameserver 203.199.113.27
 
So i change the following in vi /etc/sysctl.conf

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

vi /proc/sys/net/ipv4/ip_forward

1

nedd to start iptables 

and need to add the following rules 

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

or you can use the command --- system-config-securitylevel enable http and https

here is is my sample conf file of iptables

########################################################################

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -j MARK --set-mark 0x9
-A PREROUTING -i eth0 -j MARK --set-mark 0x9
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT
############################################################

Hope this helps you out

now you should be able to ping google.com :-)

--

1 comment:
Subscribe to: Posts (Atom)

Other Articles

Enter your email address: