Questions tagged [iptables]
iptables allows the creation of rules that define packet-filtering behavior. The most reliable way to provide an iptables ruleset in a question is to include the output of (as root): iptables-save -c
2,681 questions
0 votes, 1 answer, 9 views
NAT table skipped for server replies running inside Docker container
I have a Docker container running on a vanilla setup which listens on port 9999:
docker run --rm -it -p 9999:9999 busybox nc -vvl -p 9999 0.0.0.0
I added a LOG rule to the POSTROUTING table on NAT in ...
0 votes, 0 answers, 13 views
What is the opt column in iptables -L?
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
...
0 votes, 0 answers, 24 views
Wireguard share LAN hosts
I have the following setup (picture)
I have a wg connection between my home router (as client) and a Linode VPS (as server). I want to access LAN hosts from an Android phone (connects as a wg client to the VPS). All ...
1 vote, 0 answers, 33 views
How can I redirect a publicly-accessible port without allowing the target port to also be publicly accessible?
I have a web server running as non-root Debian Linux kernel 6.1.x on port :8443. I'd like to allow clients to connect over :443, so I'm using iptables for that purpose:
-A PREROUTING -p tcp -m tcp --...
1 vote, 0 answers, 15 views
Redirect socks to another interface with nftable
I want to redirect the tcp port to interfaceX, to a new destination: ip 192.168.3.8 on interfaceY, with nftable rules.
I tried that:
nft flush ruleset
nft add table ip nat
nft add chain ip nat ...
1 vote, 0 answers, 35 views
Forcing OpenVPN process to run with a specific group using nmcli
I am struggling with this script of mine that should prepare a secure VPN connection with VPN kill switch and I need some help.
What I am trying to do (in general):
My goal is to set up a very strict ...
0 votes, 0 answers, 32 views
How to Log Each Outbound TCP Connection
At my company we have a set of 3 identical VMs. These VMs house an app that "sends messages". The app sends each message by making a TCP connection out to one of two fixed IP addresses (...
0 votes, 0 answers, 8 views
iptables-translate: translate iptables -m set --match-set to nftables
Is there a way to automatically translate --match-set iptables rules to match on a named nftables set with the same name? iptables-translate doesn't seem to be able to do this, which somewhat makes ...
1 vote, 0 answers, 44 views
nftables equivalent for iptables condition module
The iptables condition module allows you to make a rule match depending on whether the contents of a file are 0 or 1.
iptables -A INPUT -m condition --condition enable-my-foo-rule
This will accept ...
0 votes, 0 answers, 30 views
RULE_APPEND failed (Too many links)
I'm trying to apply the policy I got by running iptables-legacy-save using iptables-nft-restore. When I do this, I get this error. When I search for this error, all I can find is a paywalled redhat ...
-1 votes, 0 answers, 121 views
How to set up public Linux station safely?
On a Linux cloud machine, I want to set up a learning station for beginners (pubnix/pubunix).
How can I block all internet except for incoming SSH (ssh user@cloudmachine) and except for SSH local port ...
0 votes, 1 answer, 51 views
iptables: NAT bridge traffic
Background
I have a linux machine with bridge interfaces as shown below...
---{prenat}--> ---{postnat}-->
source: 172.25.0.3 source: 192.0.2.1
+---------------...
0 votes, 0 answers, 40 views
Strongswan - Communication doesn't work between hosts
I have created a SITE-TO-SITE IPSEC tunnel between my two branches, the tunnel is up and running and I can ping bidirectional both routers, the problem is that I can't do any type of communications (...
0 votes, 1 answer, 10 views
Inquiry on how to set up the bypass function through 2 lan ports in a pc
I have 2 LAN ports on the server (eth0, eth1). I want to export the packet that came from eth0 to eth1. Additionally, I want to make it work in the opposite direction at the same time.
Is it possible?
0 votes, 1 answer, 23 views
Limiting a process to only allowed to use specified network interface
I have binary program named wstunnel.
That program has no option to specify outgoing traffic. By default it will use ens3. I expect the program will use warp interface.
I'm not sure iptables can solve ...
0 votes, 0 answers, 22 views
Why aren't the rules inserted into my chain?
I create a chain and immediately want to add rules there, but for some reason they are not added. When the iptables -L <chain-name> chain is output, only its empty body and a list of links to it ...
-4 votes, 1 answer, 64 views
How to takeover forwarded tcp streams in Linux? [closed]
I have some TCP streams which are only going over my linux box. In theory, it only packet forwards them. Now some new idea happened on which now I think, it would be much better to also alter their ...
1 vote, 0 answers, 44 views
NAT router with private IP towards ISP and public IP on the second interface, localhost traffic problem
I need help with the following network and router. Under emergency conditions, I received the following network. The router (Ubuntu) has two interfaces and a DNS function. The private address on the ...
0 votes, 0 answers, 24 views
How to enable NAT loopback/hairpinning with iptables on router?
I have a HG659b router, and have got shell access to the router, so I can configure the iptables.
In the web page, I have configure a port forwarding setup to forward port 37777 to the host 192.168.1....
0 votes, 0 answers, 16 views
Ubuntu "Shared connection" unable to block ports
I need to test the connectivity of our device (specifically, how our device responds when unable to reach certain ports).
So I am trying to control the ports, by sharing the internet connection ...
1 vote, 1 answer, 45 views
RHEL 8 IP/Kernel Routing Multi-Homed Server Issue - Cannot get a response to ping, when trying to ping from 2nd Interface
Set up/configuration:
I have a RHEL 8 server, running Asterisk 15.x, that has 2 NICs. NMCLI is used for networking
NIC0 (eno5np0) is on the trusted network and is configured as a static IPv4 and NIC1 (...
2 votes, 1 answer, 16 views
Limit access of SSH user to applications iptables and ip6tables
I'm using Ubuntu 22.04 and want to log in with an ssh user that has access only to iptables and ip6tables. So the user should log in and be able only to input, delete and update iptables and ip6tables, nothing ...
0 votes, 0 answers, 48 views
Firewalld (nftables) SNAT problem
So my setup is the following:
A:
PrivIP: 172.16.1.1
PublicIP: 212.1.2.3
B:
PrivIP: 10.123.0.1 (Interface: dummyip, don't ask why I named it like that)
PublicIP: 213.1.2.3 (Interface: eth0)
They both are ...
0 votes, 2 answers, 116 views
Forwarding TCP and UDP packets on all ports to another IP on a second network interface?
I have an Ubuntu machine at IP 192.168.3.1; another machine is connected to it at the fixed IP 192.168.3.2. This machine is also connected to a router over usb0, which has shared the IP 172.30.220.17 to ...
1 vote, 0 answers, 51 views
Linux doesn't forward a packet because it's bigger than the MTU
I've been trying to route some of my LAN traffic over wireguard to a raspberry pi at my parent's house for when I need my connection to appear from a different country. I have the wireguard connection ...
0 votes, 1 answer, 23 views
dd wrt as a proxy client
I want to use a router in a network with a proxy. Without the router, everything works if you open the proxy settings in Windows and enter the address and port. No additional actions are required. I ...
0 votes, 0 answers, 34 views
How does k3s expose nodeports on linux?
I am investigating connectivity issues where a k3s nodeport only accepts incoming connections on one ip/interface but not on others. During this I realized that ports exposed using a k3s nodeport do ...
0 votes, 1 answer, 128 views
How are source ports chosen for iptables SNAT targets?
By default the SNAT target keeps the source port of the original packet. If that port is already in use, it chooses one at random. Is there any way to influence the choice of this port or gauge the ...
0 votes, 0 answers, 76 views
Networking Errors on KVM
I am trying to run a KVM virtual machine on Debian 11 (Bullseye)
I'm also running this from crouton on ChromeOS in case that's like really crucial, but I don't think it is.
Here's the error:
Unable ...
0 votes, 1 answer, 87 views
iptables duplicate port traffic
I want to clone/duplicate all udp traffic incoming on port 8500 to port 8600. It is important that the source address is not modified. Also both ports must be accessible by applications (the packets ...
0 votes, 0 answers, 31 views
block certain urls on my VPN server using iptables
I have a private VPN server. Users have multiple ways to connect to my server: wireguard, shadowsocks.
I want to restrict my users from accessing some sites.
As I understand, the most common way - is ...
2 votes, 1 answer, 83 views
Tracing iptables Rules
I'm just beginning to dig into iptables for the first time today, so apologies for any naivete.
For reference, I'm using
Ubuntu 22.04.4 LTS (Jammy Jellyfish)
iptables v1.8.7 (nf_tables)
ufw 0.36.1
...
1 vote, 1 answer, 80 views
iptables::drop INVALID before or after ESTABLISHED,RELATED?
It's not clear to me if the check for INVALID vs ESTABLISHED,RELATED is equally fast for both cases (and if the states are completely orthogonal) Do I have to drop INVALID before accepting ESTABLISHED ...
0 votes, 2 answers, 156 views
Where does ss command gather its data for ports etc
When trying to see port clashes within my system, many websites online recommend using /etc/services or ss -tunl to see port info
I am noticing /etc/services is providing different information to ss ...
0 votes, 0 answers, 42 views
Flow of marked packets in Linux network stack
Summary:
My question is regarding the flow of marked packets in the network stack.
Here is what I have done:
I have marked packets in the mangle table using the OUTPUT chain.
I have also added a tun ...
0 votes, 1 answer, 35 views
Why aren't my ipset counters incremented?
I'm trying to configure a firewall (using iptables on a Docker host) that allows inbound HTTP and HTTPS from everywhere, SSH from a certain set of IPs and no other incoming connections. I liked what I ...
0 votes, 1 answer, 42 views
Use VPN connection only for selected applications
I am trying to follow: https://superuser.com/a/1262250/41337 but I cannot make it work.
I do:
interface=eth0
down() {
ip netns delete myvpn
ip link delete vpn0
iptables -D INPUT \! -i ...
0 votes, 1 answer, 37 views
Trying to understand iptables log messages
I have set up iptables to log outgoing traffic from all but a limited set of users, and I'm trying to understand the log messages that this produces. Looking at /var/log/syslog, I see requests from ...
0 votes, 1 answer, 44 views
Marking packets in iptables based on output interface
I have an unusual setup on my server. We have three outgoing ethernet ports, all connected to a single bridge interface that we split into two VLANs:
ip link add veth type bridge
ip link set veth ...
0 votes, 1 answer, 42 views
Route all TCP traffic from port to another host:port
I have a wireguard config, creating a VPN between a remote server (10.0.1.1) and my local machine (10.0.1.2), so that the server can reach the local machine and vice versa.
I'd like the server to ...
1 vote, 1 answer, 23 views
iptables rule not working as expected
I cannot get this one rule working right.
My interfaces:
#WAN
auto wan0
iface wan0 inet dhcp
#LAN
auto lan0.7
iface lan0.7 inet static
address 172.17.7.1
netmask 255.255.255.0
vlan-raw-...
-4 votes, 1 answer, 51 views
Why is this iptables blocking the ssh to my virtual machine?
I have a virtual machine with Kali running an ssh server. I want to block all ssh traffic to this machine except from my own pc, and to do it I have these iptables rules.
┌──(root㉿kali)-[/home/kali]
└─...
1 vote, 0 answers, 150 views
ksoftirqd taking a lot of cpu since moving to debian 12
I have a small pc linux box like intel nuc dual atom where I run some firewall settings.
Previously this machine ran Debian 9 and everything worked fine.
I could have used the machine in middle of ...
1 vote, 0 answers, 211 views
Libvirt iptable chain LIBVIRT_FWX has no effect on interface internal traffic
I created a libvirt network in open mode and added the iptable rules that would have been created for a nat mode network. My plan is to basically create a nat network but add some custom iptable rules ...
0 votes, 0 answers, 60 views
Docker container traffic through host iptables tproxy
Problem
Docker container network does not go through the host TPROXY-configured tunnel.
Setup
I have a TPROXY-supported proxy server running on my machine (listening on 127.0.0.1:8080). I configured ...
0 votes, 1 answer, 50 views
Should 'dpkg -i iptables' be installing the required kernel modules?
I'm in the process of installing iptables onto an embedded Debian 8.7 armhf machine that does not have access to the internet. My method has been to manually find the .deb package files from the ...
0 votes, 1 answer, 36 views
What is the proper method to install a Debian package onto a device stuck on a private network? [duplicate]
Here is my scenario:
I want to install iptables onto an embedded Linux device that is located on a private network with no access to the internet. I can place my Windows PC onto this network and then ...
1 vote, 0 answers, 74 views
NAT table in iptables rules and SNAT
I am new to iptables and I would appreciate some help understanding a specific rule in the nat table of a router. The router's external interface is vlan2 (111.111.111.111) and the internal interface ...
0 votes, 0 answers, 28 views
Many UFW BLOCKs per minute from numerous ports and numerous IP addresses
My syslog is flooded with numerous attacks of some sort coming from multiple sources.
I looked at all the other references in the search feature but none addressed tcp and from numerous sources
Feb 16 ...
0 votes, 0 answers, 25 views
How does IP Masquerading send packages back to the original device on inbound connections?
I established a WireGuard Point-to-Site connection following this Tutorial: https://www.procustodibus.com/blog/2020/11/wireguard-point-to-site-config/#configure-routing-on-host-b
The connection itself ...