Archive

Archives pour la catégorie ‘Réseau’

Linux Iptables Block Outgoing Access To Selected or Specific IP Address / Port

17/04/2024 Aucun commentaire

You would like to block outgoing access to particular remote host/ip or port for all or selected service/port. In this quick tutorial I will explain how to use iptables to block outgoing access.

Block Access To Outgoing IP Address

The following rule will block ip address 202.54.1.22 from making any outgoing connection:

iptables -A OUTPUT -d 202.54.1.22 -j DROP

The above will block chat server ip address or site having dangerous contains such as viruses or malware.

Block Access To Outgoing IP TCP / UDP Port Number

To block specific port number such tcp port # 5050, enter:
iptables -A OUTPUT -p tcp --dport 5050 -j DROP

To block tcp port # 5050 for an IP address 192.168.1.2 only, enter:
iptables -A OUTPUT -p tcp -d 192.168.1.2 --dport 5050 -j DROP

Finally, you need to save your firewall rules. Under CentOS / RHEL / Fedora Linux, enter:
# /sbin/service iptables save
OR
# /etc/init.d/iptables save

Categories: Réseau, Sécurité Tags: ,

Postrouting and IP Masquerading in Linux

16/04/2024 Aucun commentaire

postrouting masqueradingIPTables is responsible to handle packet filtering in Linux system. IPTables contains several predefined and/or user-defined tables. Each table contains chains and chain contain packet rules. IPTables uses NAT table to forward packets to another node.

What is POSTROUTING?

A Postrouting chain in NAT table means altering the IP packet after the routing is completed. Logically, a postrouting can be used to change the Source Address. As the routing is completed and destination has his own address, the only unknown address that can be masked is the Source. This is why postrouting is used for SNAT.

What is IP MASQUERADING?

Now, when a packet leaves the local network and tries to travel the public network, it will fail to traverse if it keeps using the local details. This is where IP Masquerading plays the role. IP Masquerading is masking the packet with identity of the external interface.

How POSTROUTING and MASQUERADING relates?

When a packet arrives to the local gateway that has external interface, masks the packet with IP Masquerading and send it through the public interface. That says, packet has to be routed first before mangling it for Masquerading. That is why, you need to apply the Masquerading target on the Postrouting chain of the NAT table.

How to setup Masquerading in Linux Firewall?

The following command will enable IP Masquerading in Linux Firewall:

$ iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

The above rule will use NAT table (-t nat) on built-in Postrouting Chain (-A POSTROUTING) on interface eth0 (-o eth0).

The target Masquerade (-j MASQUERADE) advises to mask the above matched IP packets from the related table to external interface of the system.

Thus the above, would allow the local networks to gain access to external network through IP Masquerading.

 

Source: Mellowhost

Categories: Réseau, Sécurité Tags: , ,

Munin: Monitoring the “unreachable” hosts

14/04/2024 Aucun commentaire

Source: munin-monitoring.org
There are a number of situations where you’d like to run munin-node on hosts not directly available to the Munin server. This article describes a few scenarios and different alternatives to set up monitoring. Monitoring hosts behind a non-routing server.

In this scenario, a *nix server sits between the Munin server and one or more Munin nodes. The server in-between reaches both the Munin server and the Munin node, but the Munin server does not reach the Munin node or vice versa.

To enable for Munin monitoring, there are several approaches, but mainly either using SSH tunneling or “bouncing” via the in-between server.

SSH tunneling

The illustration below shows the principle. By using SSH tunneling only one SSH connection is required, even if you need to reach several hosts on “the other side”. The Munin server listens to different ports on the localhost interface. A configuration example is included. Note that there is also a FAQ entry on using SSH that contains very useful information.

MuninSSHForwarding

Bouncing

This workaround uses netcat and inetd/xinetd to forward the queries from the Munin server. All incoming connections to defined ports are automatically forwarded to the Munin node using netcat.

MuninPortForwarding

 

Categories: Logiciel, Réseau Tags: , , ,

Linux: 20 Iptables Examples For New SysAdmins

02/04/2024 Comments off
firewall

Firewalls

Iptables Examples For New SysAdmins

Linux comes with a host based firewall called Netfilter. According to the official project site:

netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.

This Linux based firewall is controlled by the program called iptables to handles filtering for IPv4, and ip6tables handles filtering for IPv6. I strongly recommend that you first read our quick tutorial that explains how to configure a host-based firewall called Netfilter (iptables) under CentOS / RHEL / Fedora / Redhat Enterprise Linux. This post list most common iptables solutions required by a new Linux user to secure his or her Linux operating system from intruders.

 
linux-logo

Linux

IPTABLES Rules Example

  • Most of the actions listed in this post are written with the assumption that they will be executed by the root user running the bash or any other modern shell. Do not type commands on remote system as it will disconnect your access.
  • For demonstration purpose I’ve used RHEL 6.x, but the following command should work with any modern Linux distro.
  • This is NOT a tutorial on how to set iptables. See tutorial here. It is a quick cheat sheet to common iptables commands.

Lire la suite…

Categories: Réseau, Sécurité Tags: , ,

Iptables Tutorial 1.2.2

02/04/2024 Comments off

Categories: Réseau Tags: