Starting a machine in Docker with ports

docker run -p 800:80 -p 2222:22 -p 4443:443 -it 68715929d32a /bin/bash

If the ports do not work, check:

sysctl net.ipv4.ip_forward

If you get:

net.ipv4.ip_forward = 0

then issue:

sysctl -w net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1

If you get the error:

docker: Error response from daemon: driver failed programming external connectivity on endpoint amazing_williams (44e256a6039741b20e4124800702d9794d69fb6be9da71ba25059de4dd527121): COMMAND_FAILED: '/sbin/iptables -w2 -t nat -A DOCKER -p tcp -d 0/0 --dport 4443 -j DNAT --to-destination 172.17.0.2:443 ! -i docker0' failed: iptables: No chain/target/match by that name..

then the DOCKER chain in the nat table is missing. Replace firewalld with iptables-services, as in the session below:

systemctl stop firewalld
systemctl mask firewalld
Created symlink from /etc/systemd/system/firewalld.service to /dev/null.
yum install iptables-services
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
* base: mirror.euserv.net
* epel: fr.mirror.babylon.network
* extras: ftp.fau.de
* updates: centos.fastbull.org
Resolving Dependencies
--> Running transaction check
---> Package iptables-services.x86_64 0:1.4.21-16.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================================================================================================
Package Arch Version Repository Size
=============================================================================================================================================================================================================================================
Installing:
iptables-services x86_64 1.4.21-16.el7 base 50 k

Transaction Summary
=============================================================================================================================================================================================================================================
Install 1 Package

Total download size: 50 k
Installed size: 24 k
Is this ok [y/d/N]: y
Downloading packages:
iptables-services-1.4.21-16.el7.x86_64.rpm | 50 kB 00:00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : iptables-services-1.4.21-16.el7.x86_64 1/1
Verifying : iptables-services-1.4.21-16.el7.x86_64 1/1

Installed:
iptables-services.x86_64 0:1.4.21-16.el7

Complete!
systemctl enable iptables
Created symlink from /etc/systemd/system/basic.target.wants/iptables.service to /usr/lib/systemd/system/iptables.service.
service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]

try :

docker run -p 800:80 -p 2222:22 -p 4443:443 -it 68715929d32a /bin/bash

Fixing the permission denied issue with UDP port 512 for Graylog

Use an iptables PREROUTING NAT rule to redirect the UDP port:

iptables -A PREROUTING -t nat -i eth0 -p udp --dport 514 -j REDIRECT --to-port 10515

This works around the OS restriction that only root can bind ports below 1024: Graylog listens on 10515 as a non-root user and the kernel rewrites incoming packets for port 514 to it. Note that PREROUTING only sees packets arriving on eth0; traffic sent from the host itself to 127.0.0.1 is not redirected by this rule.

nJoy 😉


Auto-blacklist iptables

Gather the list of IPs with failed logins (from lastb) and drop them in the firewall for the future:

# field 3 of the lastb output is the remote host; only dotted-quad addresses outside 192.168. are kept
lastb | awk '{ print $3 }' | egrep -o '([[:digit:]]{1,3}\.){3}[[:digit:]]{1,3}' | grep -v "192.168." | sort -u | xargs -n 1 -I {} iptables -A INPUT -s {} -j DROP

If you want to make it permanent, simply run:

[root@DellR510-3 ~]# /sbin/service iptables save
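The same idea as a script, added here as an example that is not part of the original post: it goes a step further than the one-liner by only blocking hosts that failed at least MIN_FAILS times, skipping private ranges, and defaulting to a dry run. The lastb sample, the threshold and the APPLY switch are constructed assumptions.

```shell
#!/bin/bash
# Added example: build DROP rules from lastb-style output, keeping only hosts that
# failed at least MIN_FAILS times and skipping whitelisted prefixes.
# Set APPLY=1 to actually call iptables; the default is a dry run that prints the rules.

MIN_FAILS="${MIN_FAILS:-3}"
WHITELIST_RE="${WHITELIST_RE:-^(192\.168\.|10\.|127\.)}"

# Constructed sample in the format lastb prints (user, tty, host, date).
SAMPLE_LASTB='root     ssh:notty    203.0.113.10     Mon Jan  1 10:00 - 10:00  (00:00)
admin    ssh:notty    203.0.113.10     Mon Jan  1 10:01 - 10:01  (00:00)
root     ssh:notty    203.0.113.10     Mon Jan  1 10:02 - 10:02  (00:00)
test     ssh:notty    198.51.100.7     Mon Jan  1 10:03 - 10:03  (00:00)
root     ssh:notty    192.168.1.5      Mon Jan  1 10:04 - 10:04  (00:00)
root     ssh:notty    192.168.1.5      Mon Jan  1 10:05 - 10:05  (00:00)
root     ssh:notty    192.168.1.5      Mon Jan  1 10:06 - 10:06  (00:00)

btmp begins Mon Jan  1 09:00:00 2024'

# Print "count ip" for every offending address, most failures first.
# Field 3 of lastb is the remote host; the grep keeps only dotted quads.
offenders() {
    awk 'NF >= 3 { print $3 }' \
        | grep -E -o '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
        | grep -E -v "$WHITELIST_RE" \
        | sort | uniq -c | sort -rn \
        | awk -v min="$MIN_FAILS" '$1 >= min { print $1, $2 }'
}

# Emit (or apply) one DROP rule per offender; -C avoids duplicate rules on re-runs.
blacklist() {
    offenders | while read -r count ip; do
        if [ "${APPLY:-0}" = "1" ]; then
            iptables -C INPUT -s "$ip" -j DROP 2>/dev/null \
                || iptables -I INPUT -s "$ip" -j DROP
        else
            echo "iptables -I INPUT -s $ip -j DROP   # $count failed logins"
        fi
    done
}

# Dry run over the constructed sample; on a real host use: lastb | blacklist
printf '%s\n' "$SAMPLE_LASTB" | blacklist
```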


That’s it.

nJoy 😉


Limiting access iptables

This is a script that I use to deploy and configure iptables.

The sample handles SSH and MySQL; it's easy to extend.

#!/bin/bash
#
# iptables example configuration script
#
# Flush all current rules from the filter table
#
iptables -F
#
# Allow SSH connections on tcp port 22
# This is essential when working on remote servers via SSH to prevent locking yourself out of the system
# (generic rule, left commented out; the rules below restrict SSH to two admin addresses instead)
#
# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#
# SSH rules
iptables -A INPUT -i eth0 -p tcp -s 193.50.90.251 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 212.164.176.98 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
#
# MySQL rules
iptables -A INPUT -i eth0 -p tcp -s 193.50.90.251 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 212.164.176.98 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow frontend 1
iptables -A INPUT -i eth0 -p tcp -s 191.94.70.36 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
# Allow frontend 2
iptables -A INPUT -i eth0 -p tcp -s 191.94.70.38 --dport 3306 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o eth0 -p tcp --sport 3306 -m state --state ESTABLISHED -j ACCEPT
#
# Set default policies for INPUT, FORWARD and OUTPUT chains
# (set after the ACCEPT rules above, so the admin hosts are already allowed when INPUT switches to DROP)
#
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
#
# Set access for localhost
#
iptables -A INPUT -i lo -j ACCEPT
#
# Accept packets belonging to established and related connections
#
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Save settings
#
/sbin/service iptables save
#
# List rules
#
iptables -L -v
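An added example (not the post's own script) of the same allow-list policy written as an iptables-restore ruleset, so all rules and policies are loaded in one atomic commit instead of command by command, with a rollback timer so a mistake cannot lock you out. The host addresses are the ones from the script above; IFACE, ROLLBACK_SECS, the /run file names and the use of the conntrack match instead of the legacy state match are assumptions.

```shell
#!/bin/bash
# Added example: generate the post's allow-list policy in iptables-restore syntax.
# Host lists are the addresses from the post's script; conntrack replaces the state match.

IFACE="${IFACE:-eth0}"
ADMIN_HOSTS="193.50.90.251 212.164.176.98"
FRONTEND_HOSTS="191.94.70.36 191.94.70.38"

# allow_from PORT HOST... : one ACCEPT line per host for new TCP connections to PORT
allow_from() {
    local port="$1"; shift
    local h
    for h in "$@"; do
        echo "-A INPUT -i $IFACE -p tcp -s $h --dport $port -m conntrack --ctstate NEW -j ACCEPT"
    done
}

# Print a complete filter table: policies, loopback, established traffic,
# then the per-service allow list. Nothing is applied until COMMIT is parsed.
gen_ruleset() {
    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    allow_from 22 $ADMIN_HOSTS
    allow_from 3306 $ADMIN_HOSTS $FRONTEND_HOSTS
    echo 'COMMIT'
}

# Sanity check: how many source hosts may open connections to PORT.
count_allowed() {
    gen_ruleset | grep -c -- "--dport $1 "
}

# Load the ruleset with a safety net: the previous rules come back after
# ROLLBACK_SECS unless the admin confirms SSH still works and kills the timer
# with: kill "$(cat /run/ipt-rollback.pid)"
apply_with_rollback() {
    local secs="${ROLLBACK_SECS:-120}"
    iptables-save > /run/iptables.before
    ( sleep "$secs" && iptables-restore < /run/iptables.before ) &
    echo $! > /run/ipt-rollback.pid
    gen_ruleset | iptables-restore --test && gen_ruleset | iptables-restore
}

gen_ruleset   # print the generated ruleset; run apply_with_rollback as root to load it
```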

nJoy 🙂