I'm trying to block all outgoing network traffic on ubuntu 20.04 including any broadcast messages from my network interface. My purpose is to block all outgoing network traffic from my host with condition that network interface is on. But all suggested rules and blocking all outcoming traffic do not block broadcast messages such as: DHCP, ARP, IGMPv2, MDNS protocols messages.
How to reproduce this behavior:
Host1 - host with ufw, where I'm trying to block all traffic
Host2 - host with wireshark, which monitors traffic from Host1 by Host1 mac address filter
Host1 and Host2 are in the same LAN;
Host1: no rules in ufw/iptables, network interface eth0 is turned on, default network configuration for eth0 is configured for DHCP (static);
Host1: disable network interface eth0 with manually or with command:
sudo ip link set eth0 down
Host1: Add rules with ufw:
sudo ufw default deny outgoing
sudo ufw deny out to any
Or iptables rules
sudo iptables -P OUTPUT DROP
Host1: Enable ufw:
sudo ufw enable
Host2: Start wireshark, set filter:
eth.addr == <Host1 MAC ADDRESS>
Host1: Enable interface eth0 manually or with command:
sudo ip link set eth0 up
Host2: In wireshark will appear broadcast packets from Host1
Is it possible to block all packets and broadcasting packets too with ufw/iptables?
Related
I have a system with centOS 7 installed. And on the second system I have windows 10. Both the machines are connected to private network. Now, I want to access the centOS machine remotely over ssh.
I checked the IP address of my windows machine, and then I edited the
/etc/ssh/sshd_config
file on the centOS system, With the following entries
ListenAddress <Ip_address_of_window_machine>
But when I restart the ssh service using the following command
systemctl restart sshd.service
I get the following error
bind to port 22 on <ip-address> failed. cannot assign requested address
But when I configure entries like this
ListenAddress 0.0.0.0
ListenAddress [::]
it works fine. But I want to bound my ssh to just particular iP-address
The ListenAddress configuration options tells sshd process to bind to a specific network interface on the server. If you want restrict access to a CentOS host then you need to use firewall. Though firewalld is the proper way to go (with zones and so on), old good iptables will do the job:
sudo iptables -A INPUT -p tcp -s a.b.c.d --dport ssh -j ACCEPT
sudo iptables -A INPUT -p tcp --dport ssh -j REJECT
Where a.b.c.d is the ip address of windows hosts.
NOTICE: By configuring firewall over the networks you can easily lock yourself out!
I need to transform destination IP of packets when they arrive from our client, ands also transform the source IP of packages leaving our network to the client's network.
I have IPSec VPN tunnel with a client on a Linux box. The machine has two interfaces with the following config:
eth0: 172.15.100.5
eth1: 172.15.100.15 (public IP 33.x.x.x)
Application server is 172.15.100.50.
Clients IP: 10.26.18.38/32
Client cannot use our internal IP 172.15.100.50 to talk to the application via the tunnel. Instead, they will send traffic through the VPN to 172.20.100.55 (which is not our IP) and they need us to response with source IP as 172.20.100.55.
My thinking is that I should be able to use iptables POSTROUTING and PREROUTING transform destination IP of incoming traffic from 10.20.100.55 to 172.15.100.50 (application server), and outgoing traffic from our network application server IP 172.15.100.50 to 10.20.100.55. However, I am not sure of the correct way to achieve this.
iptables -t nat -I PREROUTING -i eth1 -d 10.20.100.55 -j DNAT --to 172.15.100.50
iptables -t nat -I POSTROUTING -i eth0 -d 10.26.18.38 -j SNAT --to 172.20.100.55
I have monitored traffic with tcpdump and on the application server, but it would appear my NAT rule is not working.
I have a webapp running on a Raspberry Pi, which is behind a NAT, and I'm trying to make a tunnel to the company's server so that I can access it from the web. Right now I've been able to establish a tunnel using ssh -fN -R 192.168.0.28:54321:localhost:443 username#192.168.0.28 (both the server and the RPi are in the same LAN at the time), and doing curl -k https://192.168.0.28:54321 returns the contents of the webpage hosted in the RPi, but only if I do it from the server. I have set GatewayPorts yes and AllowTcpForwarding yes (which anyway is the default).
It was the firewall on the server blocking the port. ¬¬
To open said port, the command is sudo iptables -I INPUT -p tcp --dport 54321 -j ACCEPT, which says that any connection comming to the TCP port 54321 must be accepted.
Is it possible to access my Apache server from outside the VirtualBox on Google Chrome browser? Its running on CentOS 7 on VirtualBox.
I have tried connecting to the ip address of the CentOS virtual machine but it didn't work. Its using 'Bridged Adapter' networking in the VM settings and i checked the ip address using the 'ip addr' command. Thanks.
Of course you can. Though you need to add a tunnel to allow access to your Centos 7 machine web service from the host machine.
For example, my VM's bridge IP address (the interface that connects to the world) is 192.168.1.38 and its interface is enp0s3. Let's say I'm running the web service on my second interface, enp0s8 with IP 192.168.100.101 on port 8000. Here's how you create the tunnel:
iptables -t nat -A PREROUTING -p tcp -i enp0s3 --dport 80 -j DNAT --to-destination 192.168.100.101:8000
services iptables save
That's it. You should be able to go to your host's Chrome browser and type in the url 192.168.1.38 and be presented with your web service. If it's still not working I'd suggest looking into your iptables rules to see if any is blocking this traffic.
It seems I don't understand IPTABLES logic.
I reinstalled ubuntu server 11.10 on my server and turned on forwarding (net.ipv4.ip_forward=1 in /etc/sysctl.conf). Server has two network interfaces - eth0 (ip 192.168.1.1) looks to local network and eth1 (ip 213.164.156.130) looks to internet.
There's also another computer in local network with ip 192.168.1.2.
Then I added two simple rules to ITABLE *nat:
-A PREROUTING -i eth1 -j DNAT --to-destination 192.168.1.2
-A POSTROUTING -o eth1 -j SNAT --to-source 213.164.156.130
I thought that the first rule means forwarding every incoming packet to 192.168.1.2.
But if I run "ping google.com", "wget google.com" from server, they successfully work. Server receives packets and doesn't do forwarding, and I'm really stuck with this.
In case I run these commands from 192.168.1.2 they also work, that means here forwarding works.
These are NAT rules.
In your first rule, address translation occurs before routing the packet. You're changing the destination address to 192.168.1.2 and in the second rule, you're changing the source address before routing to 213.164.156.130.
I'm guessing you can ping & wget because your INPUT and OUTPUT chains have a default action.
TBH, I'm confused about what you actually want to do but if you want to forward packets, you need to modify the FORWARD chain. Here's a link for detailed and helpful information on iptables so you can understand the logic better - Ch14:_Linux_Firewalls_Using_iptables">http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:Ch14:_Linux_Firewalls_Using_iptables.