iptables -j TPROXY on SUSE (kernel version 3.0.101): No chain/target/match by that name

I want to redirect all UDP packets using TPROXY on SUSE (kernel 3.0.101). I did this:
1. iptables -t mangle -N SHADOWSOCKS_UDP
2. iptables -t mangle -N SHADOWSOCKS_UDP_MARK
3. ip route add local default dev lo table 100
4. ip rule add fwmark 1 lookup 100
and iptables -t mangle -L shows:
[screenshot omitted]
5. iptables -t mangle -A SHADOWSOCKS_UDP -p udp -j TPROXY --on-port 3386 --tproxy-mark 0x01/0x01
and I get the error:
iptables: No chain/target/match by that name.
I do not know why. Thank you very much for any advice.
And this is my tproxy config:
[screenshot omitted]
And those commands work well on Ubuntu (kernel version 4.4.0).

Yes, finished it. It is because SUSE does not have the xt_TPROXY kernel module. You need to compile the kernel module and insmod it.

Related

Iptables masquerade not working on Debian VM

I have a VM in VirtualBox with Debian 10 and I'm trying to NAT masquerade its output interface (enp0s8) so that its clients (VMs connected to it) can access the Internet.
All interfaces in the system have an IP. I've already enabled forwarding with:
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.ip_forward=1
And then I executed:
iptables -t nat -A POSTROUTING -o enp0s8 -j MASQUERADE
However, whenever I execute the above, the following happens:
And no matter how many times I run iptables --flush -t nat and repeat the process, the result is always the same. The rule I want to apply is never saved properly and the clients' IPs are never masked.
What is the issue here? Almost all tutorials say this is the correct way for masquerading.
I've also tried using nftables, without success.
It is already showing the right output. To show the rules with the interface details, you need to use:
iptables -t nat -L -n -v
And by the way, if you have set up NAT networking, connecting to the outside is already taken care of.
And have you set the default gateway of your clients to this box?

iptables does not recognize the --dport argument

I'm trying to set some iptables rules on a Linux Yocto device but this command keeps giving me an error:
# iptables -I INPUT -p tcp --dport ssh -j MYCHAIN
iptables: No chain/target/match by that name.
The problematic argument is "--dport" as the following command works perfectly:
# iptables -I INPUT -p tcp -j MYCHAIN
Researching, I have found similar problems (match, redirect) related to missing kernel modules. If this is my case, how can I find out which one it is?
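The TPROXY answer above and this --dport question have the same root cause: iptables reports "No chain/target/match by that name" when the kernel has no extension registered under that name. The kernel publishes the registered names in /proc/net/ip_tables_targets and /proc/net/ip_tables_matches, so a quick check against those files tells you which xt_* module is missing before you go compiling. This is an added example, not code from either thread; the sample /proc contents are constructed, and the module-name mapping covers only the cases discussed here (xt_TPROXY for the TPROXY target, xt_tcpudp for the tcp/udp matches that provide --dport).

```shell
#!/bin/sh
# Added example: find out which xtables module a failing iptables rule needs.
# A target or match name absent from /proc/net/ip_tables_{targets,matches}
# means its xt_* module is not loaded, or was never built for this kernel.

# Constructed sample contents, as a host lacking xt_TPROXY and xt_tcpudp
# might report them; pass them as the third argument to test offline.
SAMPLE_TARGETS="ACCEPT
DROP
RETURN
MARK
NFQUEUE
MASQUERADE"
SAMPLE_MATCHES="conntrack
mark
state"

# module_for KIND NAME: xtables convention is xt_<TARGET> (upper case) and
# xt_<match> (lower case); tcp and udp are the exception (both in xt_tcpudp).
module_for() {
    case "$1:$2" in
        match:tcp|match:udp) echo xt_tcpudp ;;
        match:*|target:*)    echo "xt_$2" ;;
        *)                   return 1 ;;
    esac
}

# is_registered NAME LIST: success if NAME is a whole line of LIST.
is_registered() {
    printf '%s\n' "$2" | grep -qx -- "$1"
}

# check_ext KIND NAME [LIST]: KIND is 'target' or 'match'. Reads the kernel's
# /proc file when LIST is omitted; returns 0 if the extension is registered.
check_ext() {
    kind=$1 name=$2
    case "$kind" in
        target) file=/proc/net/ip_tables_targets ;;
        match)  file=/proc/net/ip_tables_matches ;;
        *)      echo "unknown kind: $kind" >&2; return 2 ;;
    esac
    list=${3:-$(cat "$file" 2>/dev/null)}
    if is_registered "$name" "$list"; then
        echo "$kind '$name' is registered"; return 0
    fi
    echo "$kind '$name' is NOT registered; try: modprobe $(module_for "$kind" "$name")"
    echo "(if modprobe fails, the module was not built for $(uname -r))"
    return 1
}

if [ "${1:-}" = "--demo" ]; then          # the two cases from the threads
    check_ext target TPROXY "$SAMPLE_TARGETS"
    check_ext match  tcp    "$SAMPLE_MATCHES"
fi
```

Run it without arguments on the affected box and call check_ext with two arguments to read the live /proc files; with --demo it walks the constructed samples.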

What iptables rules should I use in order for my Discourse app to be able to use Mandrill?

I am currently trying to secure a little my server before its release to the world. For now, there is just a Discourse instance running, that uses Mandrill as email smtp server.
There is an nginx server in front of that Discourse.
With no iptables rules, everything works fine. When I apply my rules, it breaks. I am still able to reach the Discourse and even send posts and everything, except sending email.
With ./launcher mailtest app, it works. The Discourse error, however, is the following: ERREUR - getaddrinfo: Name or service not known.
I really tried to find out myself what I should use, but I couldn't.
First, I was thinking a simple iptables -A OUTPUT -p tcp --dport 587 -j ACCEPT was enough, but I was proven wrong.
Some other inputs:
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
I set Discourse to use port 587 of Mandrill.
Okay, so I just realised... This is not the right SE forum for that question. I'm sorry for that.
However, since I finally found a solution (it's always when you post your question that the question hits you in the face), let me share it.
I was missing a FORWARD rule between docker0 and eth0.
iptables -A FORWARD -i docker0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o docker0 -j ACCEPT
Sorry for the inconvenience.

Replayed pcap files not detected by iptables

I am facing some problems with tcpreplay. I am running the L7-filter userspace version on an ATCA-PP81 blade, and I have the following iptables rules:
iptables -A FORWARD -j NFQUEUE --queue-num 0
iptables -t mangle -A PREROUTING -p udp -i eth0 -j NFQUEUE --queue-num 0
iptables -t mangle -A PREROUTING -p tcp -i eth0 -j NFQUEUE --queue-num 0
I am sending pcap files from a computer using tcpreplay, but none of the replayed pcap files, except those with a broadcast address, were detected by iptables. I checked it with:
iptables -t mangle -L -v
I tried many ways, including using a cache file as discussed in some of the forums, and everything was in vain. Now I am totally helpless. I would appreciate it if you could reply to my question.
Thanking you in anticipation
regards,
Amlas
It is not possible. This is a tcpreplay limitation.
http://tcpreplay.synfin.net/wiki/FAQ
Can I use IPTables/Traffic Control with tcpreplay?
You can not use iptables/tc on the same box as you run tcpreplay. The only way to use IPTables or Traffic Control (tc) with tcpreplay is to run tcpreplay on a different box and send the traffic through the system running iptables/tc. This limitation is due to how the Linux kernel injects frames vs. reading frames for iptables/tc which makes traffic sent via tcpreplay to be invisible to iptables/tc.

Can't Access Plesk Admin Because Of DOS Attack, Block IP Address Through SSH?

I can't access Plesk Admin because of a DOS attack; can I block a hostname or IP address through SSH? If so, how would I be able to do this?
Thank you!
If you have iptables you can block it using simple rule:
iptables -I INPUT --source 1.2.3.4 -j DROP
This rule drops packets coming from IP 1.2.3.4.
Probably the easiest is to SSH to your box, use vim to add the following to the top of your .htaccess file in the root of your domain (/var/www/vhosts/yourdomain.com/httpdocs/.htaccess):
deny from 12.345.67.89
Obviously replace the IP address with the one you want to block. Repeat this for any sites you think are being attacked.
iptables -I INPUT -p tcp -s 1.2.3.4 -m statistic --probability 0.5 -j DROP
iptables -t mangle -I PREROUTING n -p tcp -s 1.2.3.4 -m rpfilter --loose -j ACCEPT # n is a numeric rule position (omit it to insert at the top); the rpfilter match is only valid in the PREROUTING chain of the raw or mangle table
iptables -I INPUT -p tcp -s 1.2.3.4 -m hashlimit --hashlimit-name dos --hashlimit-mode srcip --hashlimit-srcmask 32 --hashlimit-above 9/second -j DROP # --hashlimit-above needs --hashlimit-name, and --hashlimit-srcmask takes a prefix length
iptables -I INPUT -p tcp -s 1.2.3.4 -m limit --sport 80 --limit 100/second -j ACCEPT
There are countless others for your circumstances.
Sincerely,
ArrowInTree