OnLinux

port forwarding to access internal pc from exteral network

if your computer is 10.0.0.5 and and it connects to a router for internet connection with eth1 ( 10.0.0.1 ) and eth0 ( 192.168.0.244 ) , and now you want to access the the PC 10.0.0.5 through remote access from a 192.168.0.X network on port 3389.. type the following command
iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.244 --dport 3389 -j DNAT --to 10.0.0.5:3389

iptables -A FORWARD -p tcp -i eth0 -d 10.0.0.5 --dport 3389 -j ACCEPT

/etc/init.d/iptables save

hope this helps all !!!

how to block gtalk on gmail

In /etc/squid/special_url add the following

.chatenabled.mail.google.com
.talk.google.com

and in squid.conf add the following

acl special_url dstdomain "/etc/squid/special_url"

and deny acces to special_url

http_access deny special_url

--

ftp error: 500 invalid port connection

I am trying to access a ftp server . I am able to connect to it with the user name and password. However when i connect to the server and do a dir i get the following error.

C:\Documents and Settings\Admin>ftp XXX.XXX.XXX.XXX
Connected to XXX.XXX.XXX.XXX
220 Microsoft FTP Service
User (XXX.XX.XXX.XXX:(none)): user-name
331 Password required for user-name
Password:
230 User user-name logged in.
ftp> dir
500 Invalid PORT Command.
150 Opening ASCII mode data connection for /bin/ls.

I got a fire wall running and i have opened port 21, The entry in the iptables is as follows .

-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT

Answer :

Passive ftp

A PORT command is again issued, but this time it is from the server to the client. The client connects to the server for data transfer. Since the connection is in the same sense as the original ftp connection, passive ftp is inherently more secure than active ftp, but note that this time we know even less about the port numbers. Now we have a connection between almost arbitrary port numbers.

Enter the ip_conntrack_ftp module once more. Again, this module is able to recognize the PORT command and pick-out the port number. Instead of NEW in the state match for the OUTPUT chain, we can use RELATED. The following rules will suffice:

iptables -A INPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT

add the following to the kernel

modprobe ip_nat_ftp

restricting SSH or port 22 from external network

If you have a network like the following :

Eth0 =192.168.0.244 ( or public IP ) gateway 192.168.0.254

Eth1 =10.0.0.1

Client pc of network class 10.X should be able to access ssh but not from 192.168.0.X network then do the following :

First check the /etc/services ---- > look for port 22

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 22 -j REDIRECT --to-port 3128

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 22 -j REDIRECT --to-port 3128

all packets that come to eth0 get redirected to our squid application on the same server that works on port 3128 and you need to configure the squid server to block port 22

Similarly you can block for various other ports !!!

squid -- denying a specific sites and specific IP

line 1. acl special_client src 192.168.11.0 < type here ip ranage or single
ip address or multiple ip separted with single space )

line 2. acl special_url url_regex -i chat.yahoo.com ( type here webaddress
separated with | e.g. yahoo.com|rediff.com , last webaddress should not have
any | (pipe))

line 3 http_access deny special_client special_url

line 4 http_access allow marketing ( or whatever ip address range)

If any confusion while implementing these acl please feel free to contact us
any time

Cheers!

--

Configuring iptables to Support the Squid Transparent Proxy

If your firewall is connected to the Internet on interface eth0 and to the home network on interface eth1. The firewall is also the default gateway for the home network and handles network address translation on all the network's traffic to the Internet.

If the Squid server and firewall are the same server, all HTTP traffic from the home network is redirected to the firewall itself on the Squid port of 3128 and then only the firewall itself is allowed to access the Internet on port 80.

[root@squid ~]# iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3128
[root@squid ~]# iptables -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -i eth1 -p tcp --dport 3128
[root@squid ~]# iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o eth0 -p tcp --dport 80
[root@squid ~]# iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i eth0 -p tcp --sport 80
[root@squid ~]# iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -o eth1 -p tcp --sport 80
[root@squid ~]# /etc/init.d/iptables save

Saving firewall rules to /etc/sysconfig/iptables: [ OK ]

[root@squid ~]# /etc/init.d/iptables restart

this only works for port 80 and not https 443

hope this helps all

how is it possible to route traffic through another network class and all http traffic

installed cent OS on one PC with 2 network cards

eth0 and eth1
eth0 = 192.168.0.244
eth1 =s 10.0.0.1
gateway to access the net is 192.168.0.254

In order that the 10.X network range can access the internet i added the a route
# route add -net 10.0.0.0 netmask 255.0.0.0 gw 192.168.0.254 but this didnt work so i deleted the same

My resolv.conf file looks like this

search linuxbox.com
nameserver 203.199.113.44
nameserver 203.199.113.27

So i change the following in vi /etc/sysctl.conf

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

vi /proc/sys/net/ipv4/ip_forward

nedd to start iptables

and need to add the following rules

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

or you can use the command --- system-config-securitylevel enable http and https

here is is my sample conf file of iptables

########################################################################

# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -i eth1 -j ACCEPT
-A RH-Firewall-1-INPUT -i eth0 -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -j MARK --set-mark 0x9
-A PREROUTING -i eth0 -j MARK --set-mark 0x9
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
COMMIT
############################################################

Hope this helps you out

now you should be able to ping google.com :-)

V2AL -comptrixsys.

http://www.comptrixsys.com/V2AL_Course_Outlines_CSPL-V-0.1.pdf

link for source RPM ---- BIND

http://people.redhat.com/atkac/bind/

Installation instructions for BIND 9.5 DLZ ( continuation... )

my named.conf file is look like this

##########################################################
//

options {
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursion yes;
};

logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

zone "0.0.127.in-addr.arpa" {
type master;
file "named.localhost";

};
zone "0.168.192.in-addr.arpa" {
notify no;
type master;
file "named.192.168.0.244";
};

dlz "Mysql zone" {
database "mysql
{host=127.0.0.1 dbname=binddlzdb user=binddlzuser pass=binddlzpassword}
{select zone from records where zone = '%zone%'}
{select ttl, type, mx_priority, case when lower(type)='txt' then
concat('\"', data, '\"')
else data end from records where zone = '%zone%' and host = '%record%'
and not (type = 'SOA' or type = 'NS')}
{select ttl, type, mx_priority, data, resp_contact, serial,
refresh, retry, expire, minimum
from records where zone = '%zone%' and (type = 'SOA' or type='NS')}
{select ttl, type, host, mx_priority, data, resp_contact, serial,
refresh, retry, expire,
minimum from records where zone = '%zone%' and not (type =
'SOA' or type = 'NS')}
{select zone from xfr where zone = '%zone%' and client = '%client%'}
{update data_count set count = count + 1 where zone ='%zone%'}";
};

########################################################

[root@testserver ~]# ls /var/named/chroot/var/named/
named.192.168.0.244
named.empty
named.localhost
named.ca
named.loopback

vi named.192.168.0.244

$TTL 1D
@ IN SOA ns1.testserver.com. hostmaster.testserver.com (
1999021004 ; Serial, todays date + todays serial
8H ; Refresh
2H ; Retry
1W ; Expire
1D) ; Minimum TTL
NS ns1.testserver.com.

244 PTR testserver.com.

vi named.localhost

$TTL 1D
@ IN SOA localhost. root.localhost. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS localhost.

1 IN PTR localhost.

Pages