iptables - remove packet mark on certain packets - iptables

I am using the following iptables script to redirect packets on port 443 to a proxy server:
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark 2
I am redirecting it to my proxy server later on, which is working. For one host, however, I need to remove the iptables mark (i.e. the packets will not be redirected). I tried the following:
iptables -t mangle -A PREROUTING -p tcp -s 192.168.0.47 --dport 443 -j ACCEPT
I have also tried (attempting to rewrite the mark to a different number):
iptables -t mangle -A PREROUTING -p tcp -s 192.168.0.47 --dport 443 -j MARK --set-mark 1
However, none of them are working. Is there a --remove-mark? I couldn't find anything on Google.
Any help would be appreciated.

When using the MARK target, the mark is added as a bitmask. If you check the documentation, there's an optional [/mask] for the mark.
So use "--set-mark 0/2" to remove 2.
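To see what the optional mask does, here is a small simulation of the MARK target and the mark match. It is an added example, not code from the thread; the function names (split_spec, apply_set_mark, match_mark, run_chain) and the scenario values are mine, and the formulas are the documented semantics of --set-mark value[/mask] and -m mark --mark value[/mask].

```shell
#!/bin/sh
# Added example (not from the thread): simulate netfilter's MARK target
# and mark match on a single packet's fwmark.
#   --set-mark value[/mask]      ->  mark = (mark & ~mask) | (value & mask)
#   -m mark --mark value[/mask]  ->  matches when (mark & mask) == value
# The mask defaults to 0xffffffff (4294967295): "replace the whole mark".
# Values may be given in decimal or C-style hex (0x2), as iptables accepts.

DEFAULT_MASK=4294967295

# split_spec VALUE[/MASK]: sets $value and $mask
split_spec() {
    case "$1" in
        */*) value=${1%/*}; mask=${1#*/} ;;
        *)   value=$1;      mask=$DEFAULT_MASK ;;
    esac
}

# apply_set_mark OLDMARK VALUE[/MASK]: prints the resulting mark (decimal)
apply_set_mark() {
    split_spec "$2"
    printf '%d\n' $(( ($1 & ~$mask) | ($value & $mask) ))
}

# match_mark MARK VALUE[/MASK]: succeeds when "-m mark --mark" would match
match_mark() {
    split_spec "$2"
    [ $(( $1 & $mask )) -eq $(( $value )) ]
}

# run_chain SPEC...: walk one packet (initial mark 0) through a sequence of
# --set-mark rules, as the mangle PREROUTING chain would, and print the mark
run_chain() {
    m=0
    for spec in "$@"; do
        m=$(apply_set_mark "$m" "$spec")
    done
    echo "$m"
}

# Constructed scenario from the thread: every port-443 packet first hits
# "--set-mark 2"; packets from the excepted host then hit "--set-mark 0/2".
excepted=$(run_chain 2 0/2)        # 0: no longer matches "--mark 2"
other=$(run_chain 2)               # 2: still goes to the proxy
# 0/2 only touches bit 2, so a mark bit set by some other rule survives,
# provided that rule also used a mask; a plain --set-mark 2 wipes it first.
keep=$(run_chain 4 2/2 0/2)        # 4
clobber=$(run_chain 4 2 0/2)       # 0
echo "excepted=$excepted other=$other keep=$keep clobber=$clobber"
```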

I figured it out. I used the following:
iptables -t mangle -A PREROUTING -p tcp ! -s 192.168.0.47 --dport 443 -j MARK --set-mark 2
To mark it so it doesn't mark the host in the first place.

Related

Is it possible to map 1:1 port range iptables DNAT rules

I want the following rules to forward tcp packets
from 127.0.0.1:32770 to 172.17.0.36:1000
and forward packets from 127.0.0.1:32771 to 172.17.0.36:10001
and forward packets from 127.0.0.1:32772 to 172.17.0.36:10002
iptables -t nat -A DOCKER ! -i docker0 -p tcp -m tcp --dport 32770:32771 -j DNAT --to-destination 172.17.0.36:1000-1002
But currently it can forward all packets from 127.0.0.1:32770-32771 to any one of 172.17.0.36:1000-1002
I've struggled a lot to find this and finally found a solution that absolutely works. The command in your case would be:
iptables -t nat -A DOCKER ! -i docker0 -p tcp -m tcp --dport 32770:32771 -j DNAT --to-destination 172.17.0.36:1000-1002/32770
Here, 32770 is the base-port, and the mapping will start from there, for example:
32770 -> 172.17.0.36:1000
32771 -> 172.17.0.36:1001
Now, let's say the incoming range and outgoing range are not equal:
iptables -t nat -I PREROUTING -p tcp --dport 30000:30199 -j DNAT --to 10.1.1.1:40000-40099/30000
In the above case, the DNAT mapping will round itself like this:
30000 -> 10.1.1.1:40000
30001 -> 10.1.1.1:40001
...
30099 -> 10.1.1.1:40099
30100 -> 10.1.1.1:40000
30101 -> 10.1.1.1:40001
...
30199 -> 10.1.1.1:40099
The support for base-port based 1:1 port mapping in DNAT was added in 2018.
Please refer to the link below:
http://git.netfilter.org/iptables/commit/?id=36976c4b54061b0147d56892ac9d402dae3069df
I have seen this working in Linux kernel 4.19 and above.
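The mapping the answer describes can be written down as a formula: with --to IP:LO-HI/BASE, an incoming port P is sent to LO + (P - BASE) mod (HI - LO + 1), which is what produces the wraparound in the table above. The script below is an added example, not from the thread; dnat_port and dnat_table are my own helper names, and it assumes the incoming port lies in the rule's --dport range, i.e. at or above BASE.

```shell
#!/bin/sh
# Added example (not from the thread): compute the destination port chosen
# by a DNAT rule with a shifted portmap ("--to IP:LO-HI/BASE").
#   P  ->  LO + (P - BASE) % (HI - LO + 1)      (first attempt, no collision)
# Without "/BASE" the kernel starts from a random offset inside LO-HI,
# which is why the question's original rule spread ports "to any one of".

# dnat_port DPORT IP:LO-HI[/BASE]: prints "IP:PORT", or "IP:LO-HI (random)"
dnat_port() {
    dport=$1
    target=$2
    ip=${target%%:*}
    portspec=${target#*:}
    case "$portspec" in
        */*) range=${portspec%/*}; base=${portspec#*/} ;;
        *)   echo "$ip:$portspec (random)"; return 0 ;;
    esac
    lo=${range%-*}
    hi=${range#*-}
    len=$(( hi - lo + 1 ))
    echo "$ip:$(( lo + (dport - base) % len ))"
}

# dnat_table FROM TO IP:LO-HI[/BASE]: one "in -> out" line per incoming port
dnat_table() {
    p=$1
    while [ "$p" -le "$2" ]; do
        echo "$p -> $(dnat_port "$p" "$3")"
        p=$(( p + 1 ))
    done
}

# The two rules from the answer: the 1:1 case and the wraparound case
dnat_table 32770 32771 172.17.0.36:1000-1002/32770
dnat_table 30098 30101 10.1.1.1:40000-40099/30000
# The question's original rule has no base port, so the kernel picks
dnat_port 32770 172.17.0.36:1000-1002
```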

Using iptables to map privileged to non-privileged port

I have an apache webservice running on port 8080 but would like to be able to connect on port 80. However, my unix sysadmin does not allow apache to be started as root nor does she provide access to sudo.
However, she will execute commands on request.
I believe this can be achieved with iptables. Is there a way to map port 80 to 8080 and 443 to 8083 without this sysadmin having to edit any files?
i.e. just using echo with appender >>.
She can do this by running:
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8083
This will make redirection active immediately, but doesn't save it and thus it will not work anymore after a reboot.
It is possible to do this without editing any file at all by using iptables-save. But it depends which Linux flavor you're running, and whether you use ferm, ufw, or some other firewall management tool.
On RedHat/CentOS, she could just do:
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080
iptables -t nat -I PREROUTING -i eth0 -p tcp --dport 443 -j REDIRECT --to-port 8083
iptables-save > /etc/sysconfig/iptables
On other OS variants, YMMV!

Iptables rules - white list ips

My CentOS server has an iptables rule.
iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 50 -j REJECT --reject-with tcp-reset
This code is doing the work like a firewall, but I don't want to block my server IPs.
My server IPs:
"127.0.0.1", "my server ip1", "my server ip2", etc.
How do I get them out of this iptables rule?
Thank you very much!
Just use:
# Loopback
iptables -I INPUT -s 127.0.0.1 -i lo -j ACCEPT
# Repeat for each SERVER_IP
iptables -I INPUT -s SERVER_IP -j ACCEPT
Note that this will open everything for SERVER_IPs. YMMV depending on what you want to allow.
For instance, if you just want to open the HTTP port for those IPs:
# Loopback
iptables -I INPUT -s 127.0.0.1 -i lo -j ACCEPT
# Repeat for each SERVER_IP
iptables -I INPUT -s SERVER_IP -p tcp --dport 80 -j ACCEPT

iptables rule on OpenWRT for all remaining ports

Ok, I'm working with an OpenWRT router. I have the following iptables rules:
iptables -t nat -I prerouting_rule -m mac --mac-source $2 -p tcp --dport 80 -j DNAT --to-destination $3:80;
iptables -t nat -I prerouting_rule -m mac --mac-source $2 -p tcp --dport 443 -j DNAT --to-destination $3:80;
These rules effectively redirect traffic on ports 80 and 443 to a specific destination ip address for a specific requesting MAC address.
I'd like to add another rule (or set of rules if necessary) that will drop traffic on all other ports for this specific MAC without breaking these 2 rules.
My version of iptables is: v1.4.10
Any pointers would be greatly appreciated!
EV
iptables -t nat -A prerouting_rule -m mac --mac-source $2 -j DROP
generally: use -A instead of -I; append is more "human"
edit:
you should filter out packets in the filter table ;)
iptables -A FORWARD -m mac --mac-source $2 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -m mac --mac-source $2 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -m mac --mac-source $2 -j DROP
I forgot that not all tables can do anything...

Captive Portal for a bridged interface

I would like to create a simple captive portal that works for an interface that is part of a bridge.
The bridge interface br0 (10.19.1.1/16) consists of two interfaces eth0 and eth1.
Behind eth1 are the client computers. Behind eth0 is a switch that has the internet gateway connected to it.
For the captive portal, all tcp requests to port 80 coming from the clients behind eth1 need to be directed to the local web server.
The following lines seem to work, as the website requests are redirected to the local web server. The problem is that once the authentication line below is used, the client cannot load any regular websites anymore.
I have already searched the internet but haven't found a solution.
PORTAL_INT="eth1"
PORTAL_IP="10.19.1.1"
#'drop' packets from being bridged
ebtables -t broute -A BROUTING -i $PORTAL_INT -p IPv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
iptables -N internet -t mangle
iptables -t mangle -A PREROUTING -j internet
#authenticated
#iptables -t mangle -I internet 1 -m mac --mac-source $CLIENT_MAC -j RETURN
#mark all traffic
iptables -t mangle -A internet -j MARK --set-mark 99
#redirect website access
iptables -t nat -A PREROUTING -m mark --mark 99 -p tcp --dport 80 -j DNAT --to-destination $PORTAL_IP
iptables -t filter -A FORWARD -m mark --mark 99 -j DROP
iptables -t filter -A INPUT -p tcp --dport 80 -j ACCEPT
iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -m mark --mark 99 -j DROP