iptables

How can I programmatically manage iptables rules on the fly?

I need to query existing rules, as well as being able to easily add and delete rules. I haven't found any APIs for doing this, is there something that I'm missing? The closest I've come to a solution is using iptables-save | iptables-xml for querying, and manually calling the iptables command itself to add/delete rules. Another solution...
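One way to get the querying half without `iptables-xml`, as an added example that is not part of the original question: `iptables-save` already emits one rule per line, grouped into `*table` sections, and that is easy to parse directly. The block below parses a constructed sample of that output, answers "which rules in INPUT match TCP port 22?", and builds idempotent add/delete command lines that check with `-C` before `-A`/`-D` (the `-C` option needs iptables 1.4.11 or later). The sample ruleset and the injectable `run` callable are assumptions for the example; nothing is executed unless a real runner is passed in.

```python
"""Query and manage iptables rules programmatically (added example).

Parses the plain `iptables-save` text format, answers queries about
chains and ports, and builds idempotent add/delete argv lists.  The
sample ruleset is constructed for the example, not captured from a
real host.
"""
import shlex
import subprocess
from dataclasses import dataclass, field

# Constructed sample of `iptables-save` output (assumption, not real data).
SAMPLE_SAVE = """\
# Generated by iptables-save v1.4.21 on Mon Jan  1 00:00:00 2024
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -p tcp -m tcp --dport 8088 -j ACCEPT
COMMIT
# Completed on Mon Jan  1 00:00:00 2024
"""


@dataclass
class Rule:
    table: str
    chain: str
    args: list  # tokens after "-A <chain>", e.g. ['-p', 'tcp', '--dport', '22', '-j', 'ACCEPT']

    def opt(self, flag):
        """Value following `flag` in the rule, or None if absent."""
        for i, tok in enumerate(self.args[:-1]):
            if tok == flag:
                return self.args[i + 1]
        return None

    @property
    def target(self):
        return self.opt("-j")


@dataclass
class Ruleset:
    policies: dict = field(default_factory=dict)  # (table, chain) -> default policy
    rules: list = field(default_factory=list)


def parse_save(text):
    """Parse iptables-save output into a Ruleset."""
    rs = Ruleset()
    table = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):            # table header, e.g. *filter
            table = line[1:]
        elif line.startswith(":"):          # chain policy line, e.g. :INPUT DROP [0:0]
            chain, policy = line[1:].split()[:2]
            rs.policies[(table, chain)] = policy
        elif line.startswith("-A "):        # one rule per line
            tokens = shlex.split(line)
            rs.rules.append(Rule(table, tokens[1], tokens[2:]))
        # COMMIT lines carry no state we need
    return rs


def rules_for_port(rs, proto, dport, table="filter", chain="INPUT"):
    """All rules in table/chain matching the given protocol and --dport."""
    return [r for r in rs.rules
            if r.table == table and r.chain == chain
            and r.opt("-p") == proto and r.opt("--dport") == str(dport)]


def port_accepted(rs, proto, dport):
    """True if some INPUT rule ACCEPTs proto/dport (source restrictions ignored)."""
    return any(r.target == "ACCEPT" for r in rules_for_port(rs, proto, dport))


def rule_argv(action, table, chain, spec):
    """Build an iptables argv for -A / -D / -C without executing anything."""
    return ["iptables", "-t", table, action, chain] + list(spec)


def apply_rule(table, chain, spec, add=True, run=subprocess.run):
    """Idempotently add (or delete) a rule: check with -C before -A / -D.

    `run` is injectable so this can be exercised without root; it must
    return an object with a `.returncode` (0 means the rule exists).
    """
    exists = run(rule_argv("-C", table, chain, spec)).returncode == 0
    if add and not exists:
        run(rule_argv("-A", table, chain, spec), check=True)
        return "added"
    if not add and exists:
        run(rule_argv("-D", table, chain, spec), check=True)
        return "deleted"
    return "unchanged"


if __name__ == "__main__":
    rs = parse_save(SAMPLE_SAVE)
    print("INPUT policy:", rs.policies[("filter", "INPUT")])
    print("tcp/22 accepted:", port_accepted(rs, "tcp", 22))
```

On a live host, feed `subprocess.check_output(["iptables-save"], text=True)` to `parse_save` instead of the sample, and keep the `-C` check: appending blindly on every run is how duplicate rules accumulate in INPUT.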

SYN packets dropped occasionally on Linux

We're running Debian with a 2.6.16 kernel, with iptables enabled. The system is running a custom made HTTP proxy, which is subjected to a mild load (it works fine with the same load on other sites). The system comprises 4 servers that are preceded by a load balancer with virtual IP, which is preceded by an array of 4 ISA 2004 machin...

How can I open a port in iptables for RMI access

I'm trying to connect from my Java application to a development server that has port 8088, which is used for RMI, closed. I appreciate any help on how to open that port. ...

Using iptables to change a destination port

Is it possible to change the destination port of a UDP packet using iptables? I'm trying to get an SNMP agent to send out traps on 1620 instead of 162. Unfortunately so far I've only managed to change the source port: iptables -t nat -A POSTROUTING -p udp --dport 162 -j SNAT --to :1620 ...

SNMP payload address translation

I'm using iptables under linux to NAT SNMP traffic. Some of the SNMP packets have VARBINDs that contain the (real) IP addresses of the devices that generated them. This confuses standard management tools, which need to see the NATted addresses in the VARBINDs. So I need to translate the addresses in the payload in addition to those in...

Open ports under Fedora Core 8 (for VMWare Server)

I have just installed VMWare Server 2.0 on a fresh Fedora Core 8 install. The ports for the web access console of VMWare are 8222 and 8333 (like the defaults). When I try a remote http access to myserver:8222 it fails. But when I run /sbin/service iptables stop access becomes possible (although not very satisfactory). Thus, I have u...

Packet mangling utilities besides iptables?

I'm looking for a linux utility that can alter the payloads of network packets based on a set of rules. Ideally, I'd use iptables and the netfilter kernel module, but they don't support generic payload mangling: iptables will alter various header fields (addresses, ports, TOS, etc), and it can match arbitrary bytes within a packet, but ...

VMware and iptables

Is there a problem using VMware on Windows to host a virtual linux box running iptables? I have a configuration that seems to work on physical hardware but is flaky under VMware. I'm using VMware to run a virtual linux 2.6.24 machine on a Windows 2003 Server host. The linux application is essentially a NATting router that runs iptable...

What is the best way to forward all requests on a certain port to another machine on the network?

I have two dedicated servers and no hardware firewall. I'd like to forward all requests that come into the primary server on port 1008 to be fulfilled by another dedicated server on the same network. I know I need to set up some kind of TCP proxy, but I first heard of IPTables yesterday. Any quick tips? ...

Best way to redirect image requests to a different webserver?

I am trying to reduce the load on my webservers by adding an "Image server" (a dedicated server for handling image requests), and redirecting all requests for .gif,.jpg,.png etc., to it. My question is, what is the best way to handle the redirection? At the firewall level? (can I do this using iptables?) At the load balancer level? ...

Is there a way for non-root processes to bind to "privileged" ports (<1024) on Linux?

It's very annoying to have this limitation on my development box, when there won't ever be any users other than me. I'm aware of the standard workarounds, but none of them do exactly what I want: authbind (The version in Debian testing, 1.0, only supports IPv4) Using the iptables REDIRECT target to redirect a low port to a high port (...
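The three NAT questions above (changing a UDP destination port, forwarding a port to another machine, and the REDIRECT low-port-to-high-port workaround) share one pitfall: the rule has to sit in the chain the packet actually traverses. The block below is an added example, not code from any of the original posts; it builds the rule sets as iptables argv lists, so they can be reviewed or rendered for `iptables-restore` without running anything. The interface name, addresses and ports it is called with are assumptions for illustration.

```python
"""NAT rule builders for three common iptables tasks (added example).

Nothing here executes iptables; each function returns argv lists and
`to_restore_format` renders them as iptables-restore input.  Interface
names and addresses used by callers are assumptions for illustration.
"""


def udp_dport_rewrite(old_port, new_port, local=True):
    """Rewrite the destination port of UDP packets (e.g. SNMP traps 162 -> 1620).

    Packets generated on this host (an SNMP agent sending traps) never
    traverse PREROUTING, so DNAT them in the nat OUTPUT chain.  Packets
    arriving from elsewhere are rewritten in nat PREROUTING instead.
    SNAT in POSTROUTING, as in the question, only changes the source.
    """
    chain = "OUTPUT" if local else "PREROUTING"
    return [["iptables", "-t", "nat", "-A", chain, "-p", "udp",
             "--dport", str(old_port), "-j", "DNAT",
             "--to-destination", f":{new_port}"]]


def port_forward(in_iface, in_port, dest_ip, dest_port, snat=True):
    """Forward TCP in_port on this host to dest_ip:dest_port on the LAN.

    DNAT alone is not enough: the filter FORWARD chain must permit the
    flow in both directions, and unless the backend routes its replies
    back through this host, POSTROUTING must MASQUERADE so return
    traffic comes back the same way.  net.ipv4.ip_forward must be 1.
    """
    rules = [
        ["iptables", "-t", "nat", "-A", "PREROUTING", "-i", in_iface, "-p", "tcp",
         "--dport", str(in_port), "-j", "DNAT",
         "--to-destination", f"{dest_ip}:{dest_port}"],
        ["iptables", "-A", "FORWARD", "-i", in_iface, "-p", "tcp", "-d", dest_ip,
         "--dport", str(dest_port), "-m", "state",
         "--state", "NEW,ESTABLISHED,RELATED", "-j", "ACCEPT"],
        ["iptables", "-A", "FORWARD", "-o", in_iface, "-p", "tcp", "-s", dest_ip,
         "--sport", str(dest_port), "-m", "state",
         "--state", "ESTABLISHED,RELATED", "-j", "ACCEPT"],
    ]
    if snat:
        rules.append(["iptables", "-t", "nat", "-A", "POSTROUTING", "-p", "tcp",
                      "-d", dest_ip, "--dport", str(dest_port), "-j", "MASQUERADE"])
    return rules


def redirect_low_to_high(low_port, high_port):
    """Let an unprivileged daemon listening on high_port answer low_port.

    PREROUTING handles connections from other hosts; the OUTPUT rule on
    `lo` handles connections from the box itself, which skip PREROUTING
    (the usual surprise on a development machine).  Because REDIRECT
    runs before filtering, the filter INPUT chain must accept high_port,
    not low_port.
    """
    return [
        ["iptables", "-t", "nat", "-A", "PREROUTING", "-p", "tcp",
         "--dport", str(low_port), "-j", "REDIRECT", "--to-ports", str(high_port)],
        ["iptables", "-t", "nat", "-A", "OUTPUT", "-o", "lo", "-p", "tcp",
         "--dport", str(low_port), "-j", "REDIRECT", "--to-ports", str(high_port)],
    ]


def to_restore_format(rules):
    """Render argv lists as iptables-restore input, grouped by table."""
    tables = {}
    for argv in rules:
        if argv[1] == "-t":
            table, rest = argv[2], argv[3:]
        else:
            table, rest = "filter", argv[1:]   # iptables' default table
        tables.setdefault(table, []).append(" ".join(rest))
    out = []
    for table, lines in tables.items():
        out.append(f"*{table}")
        out.extend(lines)
        out.append("COMMIT")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Assumed values: eth0 as the public interface, 192.168.1.20 as the backend.
    print(to_restore_format(port_forward("eth0", 1008, "192.168.1.20", 1008)))
    print(to_restore_format(udp_dport_rewrite(162, 1620)))
    print(to_restore_format(redirect_low_to_high(80, 8080)))
```

When loading the rendered text, use `iptables-restore -n` (`--noflush`) to append to the existing tables; without `-n`, iptables-restore replaces every table named in the input.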

How do you port forward from a vpn connection with ddwrt?

I have a ddwrt router v24 and build something or other. I can connect to my vpn with it, gives me an ip without a problem (192.168.10.200). I would like to port forward 8080/tcp from the vpn ip/interface into my internal lan 10.0.0.50:80. I've tried just about every iptables command I can think of and still no luck. It feels like the pr...

Simple iptables chain question

Hi, I'm writing a bash script to add simple firewalling for Xen. Here's the actual firewall configuration : Chain INPUT (policy ACCEPT) target prot opt source destination RH-Firewall-1-INPUT all -- anywhere anywhere Chain FORWARD (policy ACCEPT) target prot opt source destination RH...

Transparently proxying telnet traffic?

We have written a tool to proxy telnet traffic, and fork the inbound/outbound streams for recording purposes (this is a testing tool to test a legacy system). However, we hit a snag. The legacy system relies on knowing a client's ip address in certain cases, but when we use our proxy the clients' addresses are all changed to the proxy's ...

Linux iptables TRIGGER target description

I'm writing an application which controls the Linux firewall (using iptables). I need to implement some port triggering. There is a TRIGGER target which seems to be suitable for it. However, I can't find good documentation of it (actually it's really hard to find any documentation of this target). Can anybody redirect me to any information a...

Is there a connlimit module for ip6tables?

Hi, does anyone know if there is a connlimit module that can be used for ip6tables? Please let me know. Thanks, Kenneth ...

iptables rule to drop packet with a specific substring in payload

Hi, I am trying to write rules to drop any packet, irrespective of whether it is outgoing, incoming or being forwarded, which has a specific substring in the TCP or UDP payload. How am I supposed to do that? ...

Dropping packets with matching string using iptables drops all the subsequent packets with no match

Hi, I am trying to write a worm filtering utility on the application layer. I have set up the following rule to drop TCP packets with a specific substring: iptables -A INPUT -p tcp -m string --string "test" -j DROP --algo kmp However, once a packet with a matching string is found, all the subsequent packets, even with non-matching strings, are dropped...

iptables and libpcap

Hi, I have a rule set up to drop UDP/TCP packets with matching strings. However, my program, which captures packets using libpcap, is still able to see these packets. Why is this, and what should the iptables rules be to drop packets before they are seen by libpcap? Is there any way, perhaps other than iptables rules, to drop this packet before it i...

NAT GRE (IP protocol 47) over Linux router

I have a host that has a permanent static GRE tunnel to a server on the Internet. Right now the host has its own real IP address. I want to put the host behind a Linux box (Smoothwall), and assign it a private IP address. Let's call: tunnel-server-ip = the IP of the end of the tunnel the host is connecting to (on the internet) real-ip = ...