block all outgoing traffic from server, allowing limited ips using iptables - iptables

Can someone help me with the below requirement using iptables:
Block all the traffic, allowing only said traffic.
I tried the below rule, found by googling,
iptables -P OUTPUT DROP
which drops everything. I could also see a few rules which will allow only certain IPs.
I am not able to get the ! expression clearly.

Not sure I understood what your question is about. The (!) operator means negation; for example, --src !10.1.1.1 matches all the traffic which has a source IP DIFFERENT from that. What do you mean by 'allowing said traffic'?
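For the "block everything outbound except a few IPs" requirement, here is an added example (not code from either poster): a small POSIX sh script that generates the whole OUTPUT ruleset as an iptables-restore table, so it loads atomically and can be syntax-checked first. It also shows the "!" form the question asks about and its main pitfall. The addresses 10.1.1.1 and 10.1.1.53 are made-up placeholders; the `-m conntrack` and `-m limit` matches are standard iptables extensions.

```shell
#!/bin/sh
# Added example (not from the original thread): build an egress whitelist for
# iptables. The addresses 10.1.1.1 and 10.1.1.53 used in the usage lines are
# made up; pass your own.

# build_rules IP... : print an iptables-restore "filter" table whose OUTPUT
# chain defaults to DROP and accepts only the listed destinations.
build_rules() {
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT ACCEPT [0:0]'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    # Same effect as "iptables -P OUTPUT DROP": the fallback when no rule matches.
    printf '%s\n' ':OUTPUT DROP [0:0]'
    # Loopback stays open; local resolvers, databases and monitoring use it.
    printf '%s\n' '-A OUTPUT -o lo -j ACCEPT'
    # Replies on connections that came IN (your own SSH session included) must
    # be allowed OUT, otherwise loading this policy cuts off the session you
    # loaded it from.
    printf '%s\n' '-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    for ip in "$@"; do
        printf '%s\n' "-A OUTPUT -d $ip -j ACCEPT"
    done
    # Log what the policy is about to drop (rate limited) to see what was missed.
    printf '%s\n' '-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "OUTPUT-DROP: "'
    printf '%s\n' 'COMMIT'
}

# negation_rule IP : the "!" form. With the OUTPUT policy left at ACCEPT, this
# single rule drops everything whose destination is NOT the given IP. Current
# iptables wants the "!" before the option ("! -d"); the older "-d ! IP" form
# is deprecated. Do not stack several of these for several IPs: "! -d A" plus
# "! -d B" drops every packet, since each packet fails at least one of them.
negation_rule() {
    printf '%s\n' "-A OUTPUT ! -d $1 -j DROP"
}

# apply_rules IP... : parse-check, then load the table atomically (needs root).
apply_rules() {
    build_rules "$@" | iptables-restore --test || return 1
    build_rules "$@" | iptables-restore
}

# Usage:  sh egress.sh 10.1.1.1 10.1.1.53            # print the ruleset
#         sudo sh egress.sh --apply 10.1.1.1 10.1.1.53
if [ "${1:-}" = "--apply" ]; then
    shift
    apply_rules "$@"
elif [ $# -gt 0 ]; then
    build_rules "$@"
fi
```

Two things to keep in mind when using this: whitelist the resolver's address too (the box needs DNS for almost anything else to work), and whitelist addresses rather than hostnames, because iptables resolves a hostname once when the rule is loaded and never again. Running `iptables-restore --test` before the real load catches typos without touching the live table.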

Related

Pings do not work with manually set up Flow Rules

I am currently playing around with ONOS and OpenFlow. I am using ONOS 2.0.0 and mininet-wifi. I have the following scenario: a wireless node moves between multiple access points. I would like to set up flow rules for the current and the following access point. The topology looks like this:
The host with IP 10.0.0.1 moves between the access points. However, I cannot get pings to work between the two hosts. At the access points I have two rules forwarding everything from their port 1 to 2 and vice versa:
In the core switch my manual flow rules look e.g. like this:
What am I doing wrong here? What is the reason I cannot ping in this scenario? The rules of the reactive forwarding app do not look really different. One difference in the code is that I am using FlowRule objects while the reactive forwarding uses the ForwardingObjective object. I also tried that, without any difference.
The problem was that the ARP requests were not answered. I had to start the ProxyARP application of ONOS. With that, ONOS responds to received ARP requests properly. After that the flow rules were used as expected for sending the ping packets.

Capture Packet Dump from a Specific Domain

I am working on a Deep Packet Inspection project of my own. In order to test it, I need an https/ssl packet dump from a specific site.
As an example, I want to capture all the packets transmitted during a Facebook session.
I tried Wireshark but I do not know how to capture only the packets related to Facebook, since they can originate from different domains, not only www.facebook.com.
Can anyone suggest a way to do this?
Thank you.
Not sure Wireshark can do it now. Correct me if I am wrong: currently it supports a capture filter like "host www.facebook.com" by doing a DNS query to get the list of IP addresses for this hostname. Then it generates binary code to filter packets to/from those resolved IPs.
If you know the list of hostnames in this domain (x1.facebook.com, x2.facebook.com, ...), you can create a filter like "host x1.facebook.com or host x2.facebook.com ..."
If you don't know the list of hostnames, then you have to write specific capture software which monitors all the DNS queries sent from the host; if a query is for xxx.facebook.com, keep track of the resolved IP addresses and save any packets sent to/from these IPs. For this to work, you have to clear the DNS cache.
Hope it helps.
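The "watch the DNS queries, collect the resolved addresses" approach from the answer, as an added example that is not part of the original thread. Rather than a separate capture program it works on tcpdump's text output: queries and responses are paired by client address:port and DNS transaction id, so the answered addresses are attributed to the name that was asked for, and any name under the given domains (facebook.com and fbcdn.net here, since Facebook content comes from several domains) contributes its A/AAAA records. The `SAMPLE` lines are constructed in the format `tcpdump -tn udp port 53` prints, and the addresses in them are documentation ranges, not Facebook's.

```shell
#!/bin/sh
# Added example (not from the original thread): the "watch DNS, collect the
# resolved IPs" approach from the answer, done on tcpdump's text output.
# The lines in SAMPLE are constructed in the format "tcpdump -tn udp port 53"
# prints; the addresses are made up, not real Facebook addresses.

# dns_ips_for_domains DOMAIN... : read tcpdump DNS lines on stdin, pair each
# response with its query (client address:port + transaction id) and print
# every A/AAAA address answered for a name under one of the DOMAINs, once.
dns_ips_for_domains() {
    awk -v doms="$*" '
    BEGIN { nd = split(doms, d, " ") }
    function under(name,   k, s) {
        for (k = 1; k <= nd; k++) {
            s = "." d[k]
            if (name == d[k] || substr(name, length(name) - length(s) + 1) == s) return 1
        }
        return 0
    }
    function gtpos(  i) { for (i = 1; i <= NF; i++) if ($i == ">") return i; return 0 }
    {
        g = gtpos(); if (g == 0) next
        src = $(g - 1); dst = $(g + 1); sub(/:$/, "", dst)
        id = $(g + 2); sub(/[^0-9].*$/, "", id)      # "40211+" -> "40211"
    }
    $(g + 3) ~ /^(A|AAAA)\?$/ {                       # query: "ID+ A? name."
        name = $(g + 4); sub(/\.$/, "", name)
        q[src ":" id] = name
        next
    }
    (dst ":" id) in q {                               # response to a query we saw
        name = q[dst ":" id]; delete q[dst ":" id]
        if (!under(name)) next
        for (i = g + 4; i < NF; i++)
            if (($i == "A" || $i == "AAAA") && $(i + 1) ~ /^[0-9a-fA-F.:]+,?$/) {
                ip = $(i + 1); sub(/,$/, "", ip)
                if (!(ip in seen)) { seen[ip] = 1; print ip }
            }
    }'
}

# build_bpf_filter : turn the address list on stdin into a capture filter
# for a second tcpdump/Wireshark run, e.g. "host a or host b".
build_bpf_filter() {
    awk 'NR > 1 { printf " or " } { printf "host %s", $1 } END { if (NR) print "" }'
}

# Constructed input: two lookups under Facebook-owned domains and one unrelated.
SAMPLE='IP 192.168.1.10.53114 > 192.168.1.1.53: 40211+ A? www.facebook.com. (34)
IP 192.168.1.1.53 > 192.168.1.10.53114: 40211 2/0/0 CNAME star-mini.c10r.facebook.com., A 203.0.113.35 (77)
IP 192.168.1.10.41022 > 192.168.1.1.53: 7701+ A? www.example.org. (33)
IP 192.168.1.1.53 > 192.168.1.10.41022: 7701 1/0/0 A 198.51.100.34 (49)
IP 192.168.1.10.53115 > 192.168.1.1.53: 40212+ A? static.xx.fbcdn.net. (37)
IP 192.168.1.1.53 > 192.168.1.10.53115: 40212 1/0/0 A 203.0.113.9 (53)'

# Live use (two stages): first collect addresses while browsing with the DNS
# cache cleared, then capture only those hosts.
#   tcpdump -tnl -i eth0 udp port 53 | dns_ips_for_domains facebook.com fbcdn.net > fb-ips.txt
#   tcpdump -i eth0 -w facebook.pcap "$(build_bpf_filter < fb-ips.txt)"
printf '%s\n' "$SAMPLE" | dns_ips_for_domains facebook.com fbcdn.net | build_bpf_filter
```

Because the address list is only known after the DNS traffic has been seen, a two-stage run misses the first session; if that matters, capture everything with `-w` once and apply the generated filter when reading the file back. The approach also depends on seeing plaintext DNS on the wire: a browser using DNS over HTTPS leaves nothing on port 53 to correlate, and the TLS payload itself stays opaque either way, so what you get is the set of flows to those hosts, not their contents.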

Forward Traffic on Port through SSH Reverse Tunnel

I have an interesting scenario. I've searched everywhere, and I have bits and pieces of information; however, I don't have the full picture, and it's driving me nuts.
I also want to mention I'm nowhere near sysadmin status; however, I can get around my infrastructure enough to get the job done.
I've got 3 endpoints. I've got a device inside a network (endpoint#1) that's set up a reverse tunnel to one of my servers (endpoint#2). I've got another server that has to send requests (endpoint#3) to the device (endpoint#1) through the connection server (endpoint#2).
I'm currently able to sustain connections between endpoint#1 and endpoint#2, and send requests from endpoint#2 to endpoint#1 without issue; however, I need endpoint#3 to be able to talk to endpoint#1 through endpoint#2.
I've tried searching for port forwarding scenarios and reverse tunnel scenarios; however, whatever it is that I'm doing is not allowing network traffic through.
How can I set up HTTP traffic to GET/POST from endpoint#3 to endpoint#2 and pass through to endpoint#1 through the specified reverse tunnel (on its specified port)? HELP!
Found the answer. It's using roughly the same syntax that I'm using on SSH to set up the remote server; however, it's adding the binding IP address (internal IP address of the network that it's on) and using GatewayPorts clientspecified in the sshd_config (although I'm not 100% sure I needed this; it is an option I set though).
On endpoint#1:
- ssh -R [endpoint#2.internal.ip.address]:[port]:[localhost]:[port-to-map-to-on-endpoint#1] user@endpoint#2
On endpoint#3:
- curl -X POST -d {data} http://endpoint#2.internal.ip.address/path/to/resource
This will then allow the call on endpoint#3 to be passed through to endpoint#1.
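The three pieces of that setup together with the check that tells you whether the bind address actually took effect, as an added example that is not part of the original answer. Assumed values: 10.0.5.20 is endpoint#2's internal address, 8080 the port endpoint#3 talks to, 80 the device's own HTTP port, and `tunnel` the SSH account used on endpoint#2; the `ss -ltn` output in `SS_LOOPBACK` and `SS_OK` is constructed. The sshd_config lines are real OpenSSH keywords; `PermitListen` needs OpenSSH 7.8 or newer.

```shell
#!/bin/sh
# Added example (not from the original thread): the three pieces of the
# reverse-tunnel setup plus a check that the forward is really bound where
# endpoint#3 can reach it. Assumed values: 10.0.5.20 is endpoint#2's internal
# address, 8080 the port endpoint#3 talks to, 80 the device's own HTTP port,
# and "tunnel" the SSH account on endpoint#2. The ss output in SS_* is constructed.

# On endpoint#1 (the device). The bind address in -R is only honoured when sshd
# on endpoint#2 allows it (see sshd_config_snippet); with the default
# "GatewayPorts no" sshd quietly binds 127.0.0.1 instead, and nothing outside
# endpoint#2 can connect. ExitOnForwardFailure makes ssh exit (so a supervisor
# can restart it) instead of staying connected with no forward at all.
start_reverse_tunnel() {
    bind_ip=$1; listen_port=$2; local_port=$3; target=$4   # e.g. 10.0.5.20 8080 80 tunnel@endpoint2
    ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -R "$bind_ip:$listen_port:localhost:$local_port" "$target"
}

# On endpoint#2: lines for /etc/ssh/sshd_config, then reload sshd. Kept inside a
# Match block so only the tunnel account may bind non-loopback addresses.
sshd_config_snippet() {
    cat <<'EOF'
Match User tunnel
    GatewayPorts clientspecified
    AllowTcpForwarding remote
    PermitOpen none
    # OpenSSH 7.8 or newer: pin the only -R bind this account may request
    PermitListen 10.0.5.20:8080
EOF
}

# On endpoint#2 after the tunnel is up: "ss -ltn | tunnel_bound_on 10.0.5.20 8080"
# succeeds only if the listener is on that address (not just 127.0.0.1).
tunnel_bound_on() {
    awk -v want="$1:$2" 'NR > 1 && $4 == want { found = 1 } END { exit !found }'
}

# On endpoint#3: a request into endpoint#2's internal address ends up at the device.
post_through_tunnel() {
    curl -sS -X POST -d "$2" "http://10.0.5.20:8080$1"
}

# Constructed "ss -ltn" output: forward bound to loopback (GatewayPorts no) vs. as intended.
SS_LOOPBACK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'
SS_OK='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    10.0.5.20:8080      0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*'
```

Binding the forward to endpoint#2's internal address means anyone who can reach that address gets a path straight into the device, which is why the snippet scopes GatewayPorts to the tunnel account and pins the allowed listener; if endpoint#3 is the only legitimate caller, a host firewall rule on endpoint#2 restricting port 8080 to endpoint#3's address closes the rest.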

Can ELB send requests from two different IPs simultaneously?

I use mod_rpaf to get the real IPs in the logs. However, it requires the load balancer's IP. Earlier, I used to look for the "ELB-HealthChecker/1.0" user agent to get the ELB's IP. But strangely, today I can see two health check requests every time on each of the instances, from two different IPs. My ELB and the EC2 instances are in the same availability zone.
Has anyone faced a similar situation? Is this expected behavior or some anomaly?
It is normal to see a variety of ELB IP addresses. ELBs scale up and down with traffic to your site, and those actions will cause you to see different IP addresses.
Using mod_rpaf with ELB is never going to be a reliable solution.
If you want to know the source IP that the ELB saw, then you can use the last value from the X-Forwarded-For list.
See also this blog post for a patch to mod_rpaf.
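Taking the last X-Forwarded-For value, as the answer suggests, done over log lines, as an added example that is not part of the original answer. The point it makes is the security-relevant one: the last entry is the address the ELB itself observed and appended, while anything before it was supplied by the client and can be forged. The log lines in `LOG` are constructed and assume Apache logs the header with `LogFormat "%h %l %u %t \"%r\" %>s %b \"%{X-Forwarded-For}i\"" elb`; 10.0.1.15 and 10.0.2.23 stand in for the two ELB nodes from the question.

```shell
#!/bin/sh
# Added example (not from the original thread): pulling the client address out
# of the X-Forwarded-For header the ELB adds, as the answer suggests. The log
# lines in LOG are constructed; they assume Apache logs the header with
#   LogFormat "%h %l %u %t \"%r\" %>s %b \"%{X-Forwarded-For}i\"" elb
# 10.0.1.15 and 10.0.2.23 play the two ELB nodes from the question.

# xff_client_ip HEADER : the LAST entry is the address the ELB itself saw and
# appended; anything before it arrived from the client and can be forged.
xff_client_ip() {
    printf '%s\n' "$1" | awk '{ n = split($0, a, /, */); print a[n] }'
}

# client_ips_from_log : one client address per log line on stdin, falling back
# to %h (the ELB node) when the request carried no X-Forwarded-For ("-"),
# which is what the ELB health checks look like.
client_ips_from_log() {
    awk '{
        if (match($0, /"[^"]*"$/)) xff = substr($0, RSTART + 1, RLENGTH - 2); else xff = "-"
        if (xff == "-") { print $1; next }
        n = split(xff, a, /, */); print a[n]
    }'
}

# Constructed lines: a plain request, one where the client sent a forged
# "127.0.0.1" that the ELB then appended the real address to, and a health check.
LOG='10.0.1.15 - - [10/Oct/2013:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "203.0.113.7"
10.0.2.23 - - [10/Oct/2013:13:55:37 +0000] "GET /login HTTP/1.1" 200 512 "127.0.0.1, 203.0.113.9"
10.0.1.15 - - [10/Oct/2013:13:55:38 +0000] "GET / HTTP/1.1" 200 2326 "-"'

printf '%s\n' "$LOG" | client_ips_from_log
```

The same rule applies to whatever module rewrites the client address for you: it must trust only the hop that actually connected to it and take the entry that hop appended, never the first entry of the list.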

SOCAT to redirect UDP doesn't work!

I'm trying to transmit data in UDP datagrams from a client in an external location to a PC in my local LAN.
But my network is behind an ADSL modem sending to a PC with Slackware; this PC redirects packets to other PCs.
I'm using socat to redirect UDP:
socat -v udp-listen:1935,fork,reuseaddr udp:192.168.0.40:37000
In the LAN the connection is fine, but external IPs don't work.
Can somebody help?
I don't think socat is the culprit; however, consider using stone instead of socat, because using a fork() for each received packet is a bit weird. Stone is called in your case like this (I think):
stone -n -d -d -d -d 192.168.0.40:37000/udp 1935/udp
Now, why might external IPs not work? Sadly your text does not tell much about your setup, so I have to guess:
It depends on your firewall/modem/router whether it is able to forward UDP packets. Usually, if you initiate the UDP requests from the inside, the router will open a NAT connection, which often means that not only the source IP of the packets changes, but the source port as well. As UDP is connectionless, UDP NAT connections usually time out very quickly, say after 5 minutes, if no data is transferred on them.
If the UDP must be opened in the opposite direction (from Internet to Intranet), the router usually discards all the UDP packets coming in from the Internet, because it does not know where to forward them to. A router cannot just choose some arbitrary machine; this would be a security hole. So in the "Internet connecting to a machine behind the router" case you must open the UDP port on the router and let it forward to the right machine. In that case packets sent from your internal machine will get their source IP and source port rewritten; the machine on the Internet will always see the packets as coming from your router. So except for the additional rule in the router, this case is the same as the outgoing case.
Note that there are several different ways of doing NAT (symmetric, etc.) and several methods of opening a port on the router (config, UPnP, etc.), so the way to poke holes into it always depends on your hardware capabilities. This all cannot be answered here.
Some other ideas about what might go wrong as well:
Some UDP protocols encode IP addresses within the payload. In that case it is not enough just to forward the packets; you must change the payload as well, to correct the IP addresses exchanged, to enable all machines to talk together. Such UDP protocols are badly designed anyway, because you never should assume that two arbitrary machines can directly talk with each other, so all good protocols should support easy proxying.
Some ISPs filter certain UDP ports, for arbitrary reasons. If you have problems talking from the Internet to your DSL, try with two external machines directly connected to different ISPs. If these can talk via UDP, check if you can talk from your Intranet to one of the external machines. If this still works, this means that you can talk backwards as well, as usually UDP is not a directed protocol, but if there is some NAT involved you somehow must make sure that the communication ports stay open.
Mobile Internet plans often do not support P2P. This probably means those plans do not support Internet at all, as IP, by definition, is P2P. What the ISPs really want to say with "no P2P" is (my guess) that connections from the Internet to the mobile device are not supported. In that case you always must initiate a connection from the mobile device, so you cannot use push methods (Internet to mobile); the mobile device always must pull (data from the Internet). Some broadband/cable providers might do the same. Usually you can see this if your ISP hands out an IP in the 10.x.y.z range to you.
There might be another trick to get the connection working:
Ask your ISP to get some IPv6. Perhaps use 6to4. With IPv6 you eliminate NAT completely; your local LAN then directly interconnects to the Internet on IPv6. Be sure to activate your firewall/iptables on your Intranet host on the IPv6 interface, else you might see intruders very quickly.
HTH
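Once the modem forwards UDP 1935 to the Slackware box (the "open the UDP port on the router" step above), the box itself can do the redirect in the kernel instead of with socat or stone. This is an added example, not from the original thread: a sh script that installs the DNAT/FORWARD rules the answer describes, with a dry-run mode that prints the commands instead of running them. The WAN interface name `eth0` is assumed; 1935 and 192.168.0.40:37000 are the values from the question.

```shell
#!/bin/sh
# Added example (not from the original thread): kernel-level UDP port forward
# on the Slackware box as an alternative to "socat udp-listen:1935,fork".
# The WAN interface name eth0 is assumed; 1935 and 192.168.0.40:37000 are the
# port and target from the question. Set DRYRUN=1 to print instead of apply.

WAN_IF=${WAN_IF:-eth0}

# run CMD... : execute, or just print the command line when DRYRUN=1.
run() {
    if [ "${DRYRUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# forward_udp LISTEN_PORT TARGET_IP TARGET_PORT
forward_udp() {
    lport=$1; tip=$2; tport=$3
    # 1. The box must route, or DNATed packets are dropped after PREROUTING.
    run sysctl -w net.ipv4.ip_forward=1
    # 2. Rewrite the destination of datagrams arriving on the WAN side.
    run iptables -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport "$lport" \
        -j DNAT --to-destination "$tip:$tport"
    # 3. Let the rewritten datagrams and the replies cross the box. conntrack
    #    is what maps replies back to the external client; that entry is the
    #    "UDP NAT connection" the answer mentions and it expires when idle.
    run iptables -A FORWARD -p udp -d "$tip" --dport "$tport" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 4. Make the target reply to this box rather than straight to the client.
    #    Needed when this box is not 192.168.0.40's default gateway (socat did
    #    not need it because socat itself was the source address). The price
    #    is that the target no longer sees the real client address.
    run iptables -t nat -A POSTROUTING -p udp -d "$tip" --dport "$tport" -j MASQUERADE
}

# Smoke test from an external machine once the modem forwards UDP 1935 here
# (socat on the client side; YOUR.PUBLIC.IP is a placeholder):
#   printf 'ping\n' | socat -T 2 - udp:YOUR.PUBLIC.IP:1935
# and watch for it on the target:
#   socat -v udp-listen:37000,fork - 

# Usage: DRYRUN=1 sh udpfwd.sh 1935 192.168.0.40 37000   (print the commands)
#        sudo sh udpfwd.sh 1935 192.168.0.40 37000         (apply them)
if [ $# -eq 3 ]; then
    forward_udp "$@"
fi
```

Unlike the socat listener, this keeps no process in the path and no per-packet fork, and `conntrack -L -p udp` shows the live mappings together with their remaining timeout, which is the quickest way to see whether the external client's flow reached the box at all or died at the modem.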