Port is not being redirected when it is active from 8080 to 80 - glassfish

I am using GlassFish and an apache2 server. I've used the commands below:
1) sudo iptables -A INPUT -i enp1s0 -p tcp --dport 80 -j ACCEPT
2) sudo iptables -A INPUT -i enp1s0 -p tcp --dport 8080 -j ACCEPT
3) sudo iptables -A PREROUTING -t nat -i enp1s0 -p tcp --dport 80 -j REDIRECT --to-port 8080
4) sudo iptables -t nat -A OUTPUT -o lo -p tcp --dport 80800 -j REDIRECT --to-port 80
But the problem is that when GlassFish is stopped I am able to redirect localhost:8080 to port 80, but when GlassFish is started it doesn't redirect to port 80.
Thanks in advance

4) sudo iptables -t nat -A OUTPUT -o lo -p tcp --dport 80800 -j REDIRECT --to-port 80
The port number is wrong here. It should be 8080.

Related

Blocking my VPS from connecting to other VPS/IP/port via sshd

I would like to deny any connection from my VPS to other VPS/IP/port via sshd (443).
I tried using iptables and firewall rules; it seems that still nothing worked.
iptables -A INPUT -s 1.1.1.1 -j DROP ;
iptables -A FORWARD -s 1.1.1.1 -j DROP ;
iptables -A OUTPUT -s 1.1.1.1 -j DROP ;
iptables -A INPUT -p tcp -s 1.1.1.1 --dport 443 -j REJECT --reject-with tcp-reset ;
iptables -A OUTPUT -p tcp -s 1.1.1.1 --dport 443 -j REJECT --reject-with tcp-reset ;
iptables -A FORWARD -p tcp -s 1.1.1.1 --dport 443 -j REJECT --reject-with tcp-reset ;
iptables -I INPUT -s 1.1.1.1 -p tcp --dport 443 -j REJECT ;
iptables -I OUTPUT -s 1.1.1.1 -p tcp --dport 443 -j REJECT ;
iptables -I FORWARD -s 1.1.1.1 -p tcp --dport 443 -j REJECT ;
firewall-cmd --direct --add-rule ipv4 filter INPUT 1 -m tcp --source 1.1.1.1 -p tcp --dport 22 -j REJECT ;
firewall-cmd --direct --add-rule ipv4 filter OUTPUT 1 -m tcp --source 1.1.1.1 -p tcp --dport 22 -j REJECT ;
firewall-cmd --direct --add-rule ipv4 filter FORWARD 1 -m tcp --source 1.1.1.1 -p tcp --dport 22 -j REJECT ;
If you are on a distro that has UFW, such as Ubuntu, blocking outbound connections can be easily done with the 3 commands below. What's more, this will survive a reboot, unlike any iptables commands, which need iptables-save or another tool to re-apply the iptables settings after a reboot.
You didn't mention other outbound connections. The commands below block all outbound connections (but not outbound traffic for a connection that is initiated from the outside).
sudo ufw enable
sudo ufw default allow incoming # allow inbound connections
sudo ufw default deny outgoing
To temporarily allow outbound connections, e.g. to download software updates:
sudo ufw default allow outgoing
# run your update here
sudo ufw default deny outgoing

iptables DNAT does not work port forwarding between 2 interface

I have one interface which is visible to my network, and a loopback (127.0.0.1):
ens192 -> 192.168.22.100
lo -> 127.0.0.1
I have a service running on the lo interface on port 3333, and I want to reach that port via ens192 on port 4444:
192.168.22.100:4444 -> 127.0.0.1:3333
I have tried all available solutions on StackOverflow; it doesn't work.
sysctl -w net.ipv4.conf.[IFNAME].route_localnet=1
iptables -t nat -A PREROUTING -p tcp -d 192.168.22.100 --dport 4444 -j DNAT --to 127.0.0.1:3333
iptables -A INPUT -i ens192 -p tcp --dport 4444 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ens192 -p tcp --sport 4444 -m state --state ESTABLISHED -j ACCEPT
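The following script is an added example, not code from the poster above: it publishes a service that listens only on 127.0.0.1:3333 as 192.168.22.100:4444 using DNAT. The interface name, addresses and ports are taken from the question; the rule layout, the `run`/`dnat_to_loopback` helper names and the dry-run/`--apply` convention are assumptions of this example. It prints the commands by default and only executes them (as root) with `--apply`.

```shell
#!/bin/sh
# Added example (not code from the original post): publish a service that
# listens only on 127.0.0.1:3333 as 192.168.22.100:4444 using DNAT.
# Prints the commands by default; pass --apply to execute them as root.
# Interface, addresses and ports come from the question; the rule layout
# and the helper names are this example's own assumptions.
set -eu

IFACE=${IFACE:-ens192}
PUB_IP=${PUB_IP:-192.168.22.100}
PUB_PORT=${PUB_PORT:-4444}
SVC_PORT=${SVC_PORT:-3333}
DRY_RUN=${DRY_RUN:-1}

# run CMD...: execute the command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

dnat_to_loopback() {
    # Packets arriving on a real NIC with a 127/8 destination are treated as
    # martians and dropped unless route_localnet is enabled on the INGRESS
    # interface, i.e. ens192 here, not lo.
    run sysctl -w "net.ipv4.conf.$IFACE.route_localnet=1"

    # nat/PREROUTING rewrites the destination before the routing decision.
    run iptables -t nat -A PREROUTING -i "$IFACE" -p tcp -d "$PUB_IP" \
        --dport "$PUB_PORT" -j DNAT --to-destination "127.0.0.1:$SVC_PORT"

    # filter/INPUT is evaluated AFTER that DNAT, so it must match the
    # rewritten 127.0.0.1:3333; an INPUT rule for --dport 4444 never matches.
    run iptables -A INPUT -i "$IFACE" -p tcp -d 127.0.0.1 --dport "$SVC_PORT" \
        -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT

    # Replies leave the socket as 127.0.0.1:3333 -> client and conntrack
    # rewrites the source back on the way out; match on port and state only,
    # not on -s, because filter/OUTPUT still sees 127.0.0.1 as the source.
    run iptables -A OUTPUT -o "$IFACE" -p tcp --sport "$SVC_PORT" \
        -m conntrack --ctstate ESTABLISHED -j ACCEPT
}

case "${1:-}" in
    --apply) DRY_RUN=0 ;;
esac
dnat_to_loopback
```

Running it without arguments shows the four commands; the point to verify on a real host is that the INPUT rule carries `--dport 3333` and `-d 127.0.0.1`, since the filter table only ever sees the post-DNAT packet.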

Using iptables to map a privileged to a non-privileged port

I have an apache web service running on port 8080 but would like to be able to connect on port 80. However, my Unix sysadmin does not allow apache to be started as root, nor does she provide access to sudo.
However, she will execute commands on request.
I believe this can be achieved with iptables. Is there a way to map port 80 to 8080 and 443 to 8083 without this sysadmin having to edit any files,
i.e. just using echo with the append operator >>?
She can do this by running :
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8083
This will make redirection active immediately, but doesn't save it and thus it will not work anymore after a reboot.
It is possible to do this without editing any file at all by using iptables-save. But it depends which Linux flavor you're running, and whether you use ferm, ufw, or some other firewall management tool.
On RedHat/CentOS, she could just do :
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8083
iptables-save > /etc/sysconfig/iptables
On other OS variants, YMMV!

iptables: How to configure a PREROUTING rule allowing port redirection from dedicated IP addresses?

I have the following rule in my iptables that redirects port 5060 to 5065.
-A PREROUTING -i eth0 -p udp -m udp --dport 5060 -j REDIRECT --to-ports 5065
I'd like to apply this rule for several external IPs only, for example to 123.123.123.123 and 124.124.124.124 only.
I added the following rule instead of above:
-A PREROUTING -s 123.123.123.123 -i eth0 -p udp -m udp --dport 5060 -j REDIRECT --to-ports 5065
But then when I tried to add the next rule:
-A PREROUTING -s 124.124.124.124 -i eth0 -p udp -m udp --dport 5060 -j REDIRECT --to-ports 5065
I got the following message:
iptables: No chain/target/match by that name
How to put these rules properly?
Thank you in advance.

For PREROUTING and POSTROUTING you have to specify that you are working on the NAT chain,
i.e.:
iptables -t nat -A PREROUTING -s 124.124.124.124 -i eth0 -p udp -m udp --dport 5060 -j REDIRECT --to-ports 5065

Iptables: forward request on different interfaces and port

I have a machine with 2 interfaces:
eth0 inet addr:1.1.1.1
eth1 inet addr:2.2.2.2
eth0 is a server, eth1 is the network on virtual machine.
I have ssh on server, so 1.1.1.1:22 is busy.
I need a rule for redirecting incoming connections on eth0 port 6000 to eth1, ip 2.2.2.100 on port 22 (virtual machine ip).
In this mode if I did, on an external machine,
ssh -p 6000 root@1.1.1.1
I would login on the virtual machine.
I tried this rule but it didn't work:
sudo iptables -P FORWARD ACCEPT
sudo iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 6000 -j DNAT --to 2.2.2.100:22
Well, there are like 1 million scripts/tutorials/things for this case, but if someone lands here from Google, here is something like this:
iptables -I FORWARD -d 2.2.2.2 -m comment --comment "Accept to forward ssh traffic" -m tcp -p tcp --dport 22 -j ACCEPT
iptables -I FORWARD -m comment --comment "Accept to forward ssh return traffic" -s 2.2.2.2 -m tcp -p tcp --sport 22 -j ACCEPT
iptables -t nat -I PREROUTING -m tcp -p tcp --dport 60000 -m comment --comment "redirect pkts to virtual machine" -j DNAT --to-destination 2.2.2.2:22
iptables -t nat -I POSTROUTING -m comment --comment "NAT the src ip" -d 2.2.2.2 -o eth1 -j MASQUERADE
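The following script is an added example, not code from the question or the answer above: it forwards eth0:6000 on the host to the VM at 2.2.2.100:22 with DNAT, using conntrack state on the FORWARD chain instead of source/destination port guesses, and makes the masquerade step optional. Interfaces, addresses and ports are taken from the question; the `MASQ` switch, the helper names and the dry-run/`--apply` convention are assumptions of this example. It prints the commands by default and only executes them (as root) with `--apply`.

```shell
#!/bin/sh
# Added example (not code from the original post or answer): forward
# eth0:6000 on the host to the VM at 2.2.2.100:22 with DNAT. Prints the
# commands by default; --apply executes them as root. Interfaces, addresses
# and ports are taken from the question; everything else is assumed here.
set -eu

WAN_IF=${WAN_IF:-eth0}
WAN_IP=${WAN_IP:-1.1.1.1}
WAN_PORT=${WAN_PORT:-6000}
VM_IF=${VM_IF:-eth1}
VM_IP=${VM_IP:-2.2.2.100}
VM_PORT=${VM_PORT:-22}
# Set MASQ=1 only if the VM does NOT route its replies back through this host.
MASQ=${MASQ:-0}
DRY_RUN=${DRY_RUN:-1}

# run CMD...: execute the command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

forward_ssh_to_vm() {
    # Forwarding is off by default; a FORWARD policy of ACCEPT alone does
    # nothing until the kernel is told to route between interfaces.
    run sysctl -w net.ipv4.ip_forward=1

    # Rewrite the destination of connections arriving at 1.1.1.1:6000.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p tcp -d "$WAN_IP" \
        --dport "$WAN_PORT" -j DNAT --to-destination "$VM_IP:$VM_PORT"

    # FORWARD sees the packet after DNAT: allow only the translated flow to
    # the VM's sshd and its tracked replies, pinned to the two interfaces.
    run iptables -I FORWARD -i "$WAN_IF" -o "$VM_IF" -p tcp -d "$VM_IP" \
        --dport "$VM_PORT" -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
    run iptables -I FORWARD -i "$VM_IF" -o "$WAN_IF" -p tcp -s "$VM_IP" \
        --sport "$VM_PORT" -m conntrack --ctstate ESTABLISHED -j ACCEPT

    # Masquerading replaces the client address with the host's eth1 address,
    # so the VM's sshd logs lose the real source. It is only required when
    # the VM would otherwise send replies somewhere other than this host.
    if [ "$MASQ" = 1 ]; then
        run iptables -t nat -A POSTROUTING -o "$VM_IF" -p tcp -d "$VM_IP" \
            --dport "$VM_PORT" -j MASQUERADE
    fi
}

case "${1:-}" in
    --apply) DRY_RUN=0 ;;
esac
forward_ssh_to_vm
```

When the VM's default gateway is the host's 2.2.2.2, conntrack reverses the DNAT on the reply path by itself and the VM keeps seeing the real client address; only set `MASQ=1` if the VM routes elsewhere.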