
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

1 votes
1 answers
2728 views
Redirect all incoming and outgoing traffic from a port to a specific ip
I am running a node server inside a docker container on port 8080 and I can access it via 172.17.0.2:8080 (container IP). Now I want to access this IP from localhost:9099. I have tried using iptables to redirect this traffic coming at localhost:9099 to 172.17.0.2:8080 but all measures are in vain. This is the command I was using. Please correct me where I am going wrong. Thanks in advance.
sudo iptables -t nat -A PREROUTING -p tcp --dport 9099 -j DNAT --to-destination 172.17.0.2:8080
I took help from [this](https://stackoverflow.com/questions/19897743/exposing-a-port-on-a-live-docker-container) answer but it didn't work.
Satnam Sandhu (111 rep)
Jun 18, 2018, 01:21 PM • Last activity: Aug 5, 2025, 02:05 PM
2 votes
1 answers
2852 views
Docker: Restricting inbound and outbound traffic using iptables
We have a lot of applications that run on a Linux server using Docker. As an example, let us say my application runs on **ServerA** as a container (Docker).
CONTAINER ID   IMAGE              COMMAND     CREATED       STATUS      PORTS                     NAMES
df68695a00f1   app/myapp:latest   "/run.sh"   2 weeks ago   Up 2 days   0.0.0.0:50423->3000/tcp   reallymyapp
The app is listening on port 50423 on the host (mapped to port 3000 on the container). The DNS (endpoint) that is used to access the app is pointing to the HAProxy host (say **ServerB**), which routes the traffic to **ServerA:50423**. Everything works well so far. The security team in our org raised a concern that all external source IPs are potentially allowed to connect to such Docker hosts (like **ServerA**) and they want us to restrict traffic to allow only a specific IP (**ServerB**, which is a load balancer) to access the containers and vice versa (**ServerA** to **ServerB**). We would then allow connectivity from our users' machines to **ServerB**/load balancer only. Now, I followed the Docker documentation and tried to insert the following rules using iptables into the DOCKER-USER chain:
iptables -I DOCKER-USER -i ekf192 -s 10.1.2.10,10.1.2.11,10.1.2.12 -j ACCEPT
iptables -I DOCKER-USER -i ekf192 -j DROP
ACCEPT     all  --  10.1.2.10            anywhere
ACCEPT     all  --  10.1.2.11            anywhere
ACCEPT     all  --  10.1.2.12            anywhere
LOG        all  --  anywhere             anywhere             LOG level info prefix "IPTables Dropped: "
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
Please note that we need both incoming and outgoing traffic from/to these hosts (10.1.2.10, 10.1.2.11, 10.1.2.12). Now, as per my (limited) knowledge of iptables, these rules should drop all incoming requests except when they originate from the mentioned IP addresses and vice versa, i.e. allow outgoing traffic to the mentioned IPs. The incoming traffic works as expected but the outgoing traffic to these HOSTS is getting dropped.
I am scratching my head over this and cannot figure out what is going wrong...and not to mention that I absolutely suck at understanding how iptables rules work.
Jan 12 16:24:43 sms100394 kernel: IPTables Dropped: IN=docker0 OUT=ekf192 MAC=02:42:09:37:a0:14:02:42:ac:11:00:02:08:00 SRC=172.17.0.2 DST=10.1.2.10 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=40235 DF PROTO=TCP SPT=3000 DPT=42579 WINDOW=242 RES=0x00 ACK FIN URGP=0
Jan 12 16:24:44 sms100394 kernel: IPTables Dropped: IN=docker0 OUT=ekf192 MAC=02:42:09:37:a0:14:02:42:ac:11:00:02:08:00 SRC=172.17.0.2 DST=10.1.2.11 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=3000 DPT=45182 WINDOW=29200 RES=0x00 ACK SYN URGP=0
Jan 12 16:24:45 sms100394 kernel: IPTables Dropped: IN=docker0 OUT=ekf192 MAC=02:42:09:37:a0:14:02:42:ac:11:00:02:08:00 SRC=172.17.0.2 DST=10.1.2.12 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=3000 DPT=45182 WINDOW=29200 RES=0x00 ACK SYN URGP=0
Koshur (1399 rep)
Jan 12, 2021, 05:39 PM • Last activity: Aug 5, 2025, 01:01 PM
12 votes
5 answers
29313 views
Firewall rules based on Domain name instead of IP address
I am running a Guacamole remote desktop gateway test setup to manage access to cloud VM instances. As I got one strange POC request from one client to restrict Guacamole RDG access to one specific domain which doesn't have a static IP, I am out of options. The client might be using services like dynamic DNS to have their domain resolve back to whatever dynamic IP they get. So basically I have to set inbound firewall rules in my Guacamole RDG server based on one domain name instead of an IP address. Apart from basic networking logic, is there any way to achieve this requirement? I tried the command below to set an iptables rule based on a domain name, but upon execution it actually resolves the domain name and applies the rule to iptables with the resolved IP address.
iptables -A INPUT -p tcp --src domain.com --dport 3128 -j ACCEPT
JineshJK (121 rep)
Dec 15, 2019, 06:48 PM • Last activity: Jul 30, 2025, 09:47 AM
1 votes
2 answers
2643 views
Using iptables to redirect all docker outbound traffic back into container
I've been stuck on this problem all day and am keeping my fingers crossed some iptables expert reads this and can help me please. I would like to force all my docker containers' outbound traffic to go through a socks5 proxy. This is the closest I've come:
iptables -t nat -N REDSOCKS
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 0.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 10.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 127.0.0.0/8 -j RETURN
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 169.254.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 172.16.0.0/12 -j RETURN
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 192.168.0.0/16 -j RETURN
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 224.0.0.0/4 -j RETURN
iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -d 240.0.0.0/4 -j RETURN

iptables -t nat -A REDSOCKS -s 172.20.0.0/16 -p tcp -j DNAT --to-destination 172.17.0.1:12345
iptables -t nat -A OUTPUT -s 172.20.0.0/16 -j REDSOCKS
iptables -t nat -A PREROUTING -s 172.20.0.0/16 -j REDSOCKS
It works almost perfectly, but the socks5 proxy is unable to tell the originating IP address. The remote address is always '127.0.0.1'. Is there any way I can keep the originating IP address?
# Example Scenario
1) I have applied the iptables rules above to my docker host
2) I have a docker container with the address 172.20.0.2
3) Inside that container, I do a curl to example.com
4) The traffic is forwarded to 172.17.0.1:12345 (the docker host machine)
5) The server running on 12345 shows the remote IP address as being '127.0.0.1'
6) I would like the remote IP address to show as 172.20.0.2
Thanks to anyone who can try and help me with this.
Mark (231 rep)
Oct 5, 2020, 10:16 AM • Last activity: Jul 26, 2025, 08:08 PM
1 votes
1 answers
2460 views
IPTables Firewall/Router/Gateway needing to block outbound traffic from users
I have multiple ethX interfaces.
- eth0 is connected to the internet.
- eth1 is connected to a trusted network.
- eth2 is connected to a network I need to impose usage rules on.
What I'd like to do is separate eth1 and eth2 into their own chains (trusted/untrusted) simply to maintain "easy on the eyes" rules.
:INPUT DROP
-A INPUT ! -i eth0 -j ACCEPT    # allows INPUT on traffic not internet based
... # More rules for eth0 allowing PING and shunting most everything else
-A INPUT -i eth1 -j trusted
-A INPUT -i eth2 -j untrusted
OUTPUT and FORWARD are currently set to ACCEPT due to the problems. For the time being, eth1 is just jumping to chain masquerade which is perfectly fine for the moment, but the confusion lies as to how to manipulate eth2 as it hasn't panned out too well with my attempts. My guess was to list all of the ALLOWED ports/protocols, but so far it's not working as devices connected through eth2 cannot reach anything, not even the firewall server's DNS/DHCP.
:untrusted
-A untrusted -i eth2 -p tcp -m tcp --dport 80 -j ACCEPT
What I need is basically a set of rules which "say" the following:
1. If outgoing internet traffic on eth0 is not PING, DROP
2. If eth1 goes out to the internet (eth0), accept it
3. If eth2 goes out to the internet on TCP port 80, accept it, drop everything else.
4. To go out to the internet, use masquerade through eth0
Any thoughts/suggestions would be truly appreciated!
T.J. (21 rep)
Feb 27, 2015, 07:42 AM • Last activity: Jul 24, 2025, 10:08 AM
0 votes
1 answers
3601 views
Virtual router in homelab Proxmox VM: how to send requests from main/home network to VM behind virtual router?
I have a homelab setup like this (diagram is also available here):
[network diagram]
One thing to note here is, my Proxmox host just has 1 NIC for an ethernet cable. It has WiFi too but I decided not to use it because it won't play nicely with what I wanted to do (that's my understanding after reading dozens of articles/forums about it). So I plugged in an ethernet cable from a WiFi repeater. This Proxmox host is located in a different place in my home - that's why I didn't plug the ethernet directly into the home router. From my laptop, I can wirelessly SSH into the Proxmox host (192.168.1.5) just fine. I can also wirelessly access Proxmox's web UI at https://192.168.1.5:8006 just fine. What I want to do here is network segmentation between my home network and the VMs network. I know there is free router software out there like pfSense, OpenWrt, etc. But I want to take this opportunity to build it from scratch so I can better understand how things work together. I'm planning to run some VMs in this Proxmox host. They all should run within the VMs network I'm creating here. Some VMs may run in dynamic IP/DHCP mode and some may run in static IP mode. 99% of them will be Linux VMs. I'm good without IPv6 support in this VMs network for now. Also, using VLANs is not an option because my router doesn't support VLANs. With that said, I followed this guide to create a virtual router in an Ubuntu VM. The only thing I did differently from that guide is I created a bridge (br0) and assigned it a static IP (192.168.2.1/24) so it can be a router / virtual switch for my VMs network. I didn't follow the *Port Forwarding from the Internet to the LAN* and *So, about that testing...* steps because I don't need them. In other words, I followed all the steps up to and including the *Allowing traffic out to the Internet* step.
What I see currently:
- [OK] VMs can ping each other
- [OK] VMs can ping internet
- [Not OK] VM 1 and VM 2 can ping devices in home network e.g. laptop and router
- [OK] Laptop can ping Router VM
- [Not OK] Laptop can't ping VM 1 or VM 2*
\* I already added a static route in my laptop by following this guide. I also tried adding a static route in the home router/gateway.
FWIW, below are my configs...
ip a from Proxmox host:
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eno1: mtu 1500 qdisc pfifo_fast master vmbr0 state UP group default qlen 1000
    link/ether fc:4d:d4:f3:fe:d3 brd ff:ff:ff:ff:ff:ff
    altname enp0s25
3: wlp2s0: mtu 1500 qdisc noop state DOWN group default qlen 1000
    link/ether 28:c2:dd:a5:46:53 brd ff:ff:ff:ff:ff:ff
4: vmbr0: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether fc:4d:d4:f3:fe:d3 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.5/24 scope global vmbr0
       valid_lft forever preferred_lft forever
    inet6 fe80::fe4d:d4ff:fef3:fed3/64 scope link
       valid_lft forever preferred_lft forever
5: vmbr1: mtu 1500 qdisc noqueue state DOWN group default qlen 1000
    link/ether 8e:7e:21:7e:f9:e1 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::8c7e:21ff:fe7e:f9e1/64 scope link
       valid_lft forever preferred_lft forever
11: tap104i0: mtu 1500 qdisc pfifo_fast master vmbr0 state UNKNOWN group default qlen 1000
    link/ether b6:5c:75:be:38:d5 brd ff:ff:ff:ff:ff:ff
12: vmbr2: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 3e:6b:04:2c:d9:e0 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::3c6b:4ff:fe2c:d9e0/64 scope link
       valid_lft forever preferred_lft forever
13: tap104i1: mtu 1500 qdisc pfifo_fast master vmbr2 state UNKNOWN group default qlen 1000
    link/ether 46:d9:8f:dd:ab:77 brd ff:ff:ff:ff:ff:ff
23: tap102i0: mtu 1500 qdisc pfifo_fast master vmbr2 state UNKNOWN group default qlen 1000
    link/ether 46:9c:a4:fd:81:27 brd ff:ff:ff:ff:ff:ff
24: tap103i0: mtu 1500 qdisc pfifo_fast master vmbr2 state UNKNOWN group default qlen 1000
    link/ether 12:90:ee:36:27:7a brd ff:ff:ff:ff:ff:ff
Content of /etc/network/interfaces in Proxmox host:
auto lo
iface lo inet loopback

iface eno1 inet manual

auto vmbr0
iface vmbr0 inet static
        address 192.168.1.5/24
        gateway 192.168.1.1
        bridge-ports eno1
        bridge-stp off
        bridge-fd 0

iface wlp2s0 inet manual

auto vmbr1
iface vmbr1 inet manual
        bridge-ports none
        bridge-stp off
        bridge-fd 0

auto vmbr2
iface vmbr2 inet manual
        bridge-ports none
        bridge-stp off
        bridge-fd 0
        post-up echo 1 > /proc/sys/net/ipv4/ip_forward
        post-up iptables -t nat -A POSTROUTING -s '192.168.2.0/24' -o vmbr0 -j MASQUERADE
        post-down iptables -t nat -D POSTROUTING -s '192.168.2.0/24' -o vmbr0 -j MASQUERADE
Notes:
- vmbr1 was from my previous experiment and is not relevant/related here; none of my VMs are using the vmbr1 network
- The post-up and post-down lines were copied from this guide - part of my trial and error effort
ip a from Router VM:
1: lo: mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens18: mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 2a:06:12:a9:18:98 brd ff:ff:ff:ff:ff:ff
    altname enp0s18
    inet 192.168.1.175/24 metric 100 brd 192.168.1.255 scope global dynamic ens18
       valid_lft 4270sec preferred_lft 4270sec
    inet6 fe80::2806:12ff:fea9:1898/64 scope link
       valid_lft forever preferred_lft forever
3: ens19: mtu 1500 qdisc fq_codel master br0 state UP group default qlen 1000
    link/ether ca:bc:10:17:e0:2f brd ff:ff:ff:ff:ff:ff
    altname enp0s19
    inet6 fe80::c8bc:10ff:fe17:e02f/64 scope link
       valid_lft forever preferred_lft forever
4: br0: mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether da:56:23:09:09:72 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br0
       valid_lft forever preferred_lft forever
    inet6 fe80::d856:23ff:fe09:972/64 scope link
       valid_lft forever preferred_lft forever
Content of /etc/network/interfaces in Router VM:
auto lo
iface lo inet loopback

auto ens18
iface ens18 inet dhcp

#auto ens19
#iface ens19 inet static
#    address 192.168.99.1
#    netmask 255.255.255.0
IP forward config in Router VM:
$ cat /etc/sysctl.conf | grep net.ipv4.ip_forward
net.ipv4.ip_forward=1
Content of /etc/network/if-pre-up.d/iptables in Router VM:
#!/bin/sh
/sbin/iptables-restore < /etc/network/iptables
Content of /etc/network/iptables in Router VM:
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# ens18 is WAN interface
# br0 is LAN interface
-A POSTROUTING -o ens18 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Service rules

# basic global accept rules - ICMP, loopback, traceroute, established all accepted
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT

# enable traceroute rejections to get sent out
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable

# DNS - accept from LAN
-A INPUT -i br0 -p tcp --dport 53 -j ACCEPT
-A INPUT -i br0 -p udp --dport 53 -j ACCEPT

# DHCP client requests - accept from LAN
-A INPUT -i br0 -p udp --dport 67:68 -j ACCEPT

# SSH - accept from WAN
-A INPUT -i ens18 -p tcp --dport 22 -j ACCEPT

# drop all other inbound traffic
-A INPUT -j DROP

# Forwarding rules

# forward packets along established/related connections
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT

# forward ICMP
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -p icmp -s 0.0.0.0/0 -d 192.168.2.0/24 -j ACCEPT

# forward from LAN (br0) to WAN (ens18)
-A FORWARD -i br0 -o ens18 -j ACCEPT

# drop all other forwarded traffic
-A FORWARD -j DROP
COMMIT
Result of sudo iptables -S command in Router VM:
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -s 127.0.0.0/8 -d 127.0.0.0/8 -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 33434:33523 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i br0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -i br0 -p udp -m udp --dport 67:68 -j ACCEPT
-A INPUT -i ens18 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -j ACCEPT
-A FORWARD -d 192.168.2.0/24 -p icmp -j ACCEPT
-A FORWARD -i br0 -o ens18 -j ACCEPT
-A FORWARD -j DROP
DHCP config in /etc/dhcp/dhcpd.conf in Router VM:
subnet 192.168.2.0 netmask 255.255.255.0 {
  range 192.168.2.100 192.168.2.199;
  option routers 192.168.2.1;
  option domain-name-servers 192.168.2.1;
  option broadcast-address 192.168.2.255;

  host ubuntu-desktop {
    hardware ethernet 5A:5B:74:01:69:34;
    fixed-address 192.168.2.2;
  }
}
Note: ubuntu-desktop is VM 1
Questions:
1. How can I block VM 1 and VM 2 from accessing devices in my home network? TCP/UDP/ICMP and everything.
2. How can I access VM 1 and VM 2 when I'm using my laptop or desktop, e.g. sending a ping/ICMP request (ping 192.168.2.2 / ping 192.168.2.101), accessing the Nginx process running on port 80 (curl 192.168.2.2 / curl 192.168.2.101) and the SSH server process running on port 22 (ssh user@192.168.2.2 / ssh user@192.168.2.101) on both VMs?
I did some research about this and I got into the DNAT/SNAT/Masquerade topic but I'm not sure if that's what I need. If yes, what should the rules look like? I'm new to this iptables topic. I tried the rules below but I still can't ping VM 1 and VM 2 from my laptop.
iptables -I FORWARD -s 192.168.1.0/24 -d 192.168.2.0/24 -j ACCEPT
iptables -I FORWARD -s 192.168.2.0/24 -d 192.168.1.0/24 -m conntrack --ctstate ESTABLISHED -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -j SNAT --to 192.168.2.1
Zulhilmi Zainudin (111 rep)
Dec 22, 2022, 12:51 PM • Last activity: Jul 23, 2025, 09:05 PM
3 votes
2 answers
2190 views
Timeout when connecting RDS using AWS session manager via EC2 instance
I am having trouble accessing an AWS RDS instance in a private subnet using Session Manager through an EC2 instance (Ubuntu). Port forwarding using AWS Session Manager:
aws ssm start-session --target $INSTANCE_ID \
    --document-name AWS-StartPortForwardingSession \
    --parameters '{"portNumber":["3307"],"localPortNumber":["8000"]}' \
    --profile=production \
    --region=us-east-1
Now local port 8000 is successfully forwarded to port 3307 of the EC2 instance.
lsof -nP +c 15 | grep LISTEN
session-manager 59744 xrage   12u  IPv4 0xa6c821d0a800e9a1      0t0  TCP 127.0.0.1:8000 (LISTEN)
The EC2 instance has an iptables rule that forwards all traffic on port 3307 to the RDS host at port 3306 (MySQL port).
sudo iptables -t nat -A OUTPUT -o lo -d 127.0.0.1 -p tcp --dport 3307 -j DNAT  --to-destination :3306
This allowed me to access the remote host on the desired port from EC2, but still, the remote host is not accessible locally on port 8000.
Network details on the local machine:
- Not using any proxy
- Firewall disabled on Mac
So it's clear that the SSM setup is working but something else is blocking this traffic. Need some help here.
xrage (139 rep)
Apr 10, 2020, 12:52 PM • Last activity: Jul 21, 2025, 08:04 AM
0 votes
1 answers
2961 views
Using ipset with src OR dst in one rule?
I am trying to write an iptables rule using ipset with one rule matching *src* or *dst* (or both). This
iptables -A FORWARD -m set --match-set name_of_ipset src,dst -j DROP
does **not** work since it applies only if both *src* AND *dst* are in the *name_of_ipset*. I know that I could simply double the rule via
iptables -A FORWARD -m set --match-set name_of_ipset src -j DROP
iptables -A FORWARD -m set --match-set name_of_ipset dst -j DROP
but I hope that there is **something more simple**?!
Schubi Duah (153 rep)
Apr 26, 2021, 04:19 AM • Last activity: Jul 20, 2025, 03:06 AM
1 votes
1 answers
7994 views
docker fails with "iptables: No chain/target/match by that name"
When I try to publish a container's ports to the host, docker fails to add iptables rules:
$ sudo docker run --rm -p 8080:80 nginx
docker: Error response from daemon: driver failed programming external connectivity on endpoint: iptables failed: iptables --wait -t nat -A DOCKER -p tcp -d 0/0 --dport 8080 -j DNAT --to-destination 172.17.0.2:80 ! -i docker0 iptables: No chain/target/match by that name. (exit status 1)).
What confuses me is that the DOCKER chain seems to exist:
$ sudo iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy DROP)
target     prot opt source               destination
DOCKER-USER  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-1  all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere             ctstate RELATED,ESTABLISHED
DOCKER     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain DOCKER (2 references)
target     prot opt source               destination

Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target     prot opt source               destination
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
DOCKER-ISOLATION-STAGE-2  all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-ISOLATION-STAGE-2 (2 references)
target     prot opt source               destination
DROP       all  --  anywhere             anywhere
DROP       all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere

Chain DOCKER-USER (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
...
and also here:
$ sudo iptables -L -t nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere             anywhere             ADDRTYPE match dst-type LOCAL

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
DOCKER     all  --  anywhere            !127.0.0.0/8          ADDRTYPE match dst-type LOCAL

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  172.17.0.0/16        anywhere
MASQUERADE  all  --  172.18.0.0/16        anywhere

Chain DOCKER (2 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere
RETURN     all  --  anywhere             anywhere
---
Maybe relevant: ip a shows that docker0 is down:
$ ip a
...
74: docker0: mtu 1500 qdisc noqueue state DOWN group default
    link/ether 02:42:01:52:de:7d brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
I tried to stop docker, remove the broken docker0 device, and restart docker again. Same error:
sudo systemctl stop docker.service
sudo ip link del docker0
sudo systemctl start docker.service
ip a still shows that docker0 is down. Running `sudo docker run --rm -p 8080:80 nginx` also runs into the identical error message as above.
---
System information:
$ docker --version
Docker version 18.05.0-ce, build f150324782
$ uname -a
Linux amd8-arch 4.16.7-1-ARCH #1 SMP PREEMPT Wed May 2 21:12:36 UTC 2018 x86_64 GNU/Linux
I am using Arch Linux.
Philipp Claßen (4967 rep)
May 18, 2018, 12:02 AM • Last activity: Jul 19, 2025, 05:05 AM
1 votes
1 answers
3655 views
Editing the iptables file on Asus firmware
I have downloaded the Asus DSL-n14u firmware, extracted the .trx file and located the iptables file, as linked below: https://www.dropbox.com/s/sanz5x2bw0o5xsu/iptables?dl=0 I know the iptables rules that I need to add. However, I am just a little confused about two things: 1) Is it possible to edit this file, add the rules, repackage the .trx file and then reload the firmware on the router? 2) If #1 is possible, where in the file would I add my custom rules? Thanks, just need a little guidance :)
Sgtmullet (111 rep)
Jun 12, 2016, 09:40 AM • Last activity: Jul 16, 2025, 07:03 AM
0 votes
1 answers
2663 views
IPTables - Allow only traffic from specific ranges
I am trying to block all traffic to a webserver except from some defined subnets. I've checked numerous posts and believed I had iptables set correctly, but for some reason the site is still accessible outside the subnets I've defined in the ruleset. Is anyone able to shed some light on what I may have done wrong? I've established that removing rule 3 stops the site from being reachable at all. The site itself sits in 10.10.0.0/16.
Chain INPUT (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  any    any     10.10.0.0/16         anywhere            
2        0     0 ACCEPT     all  --  any    any     172.30.0.0/16        anywhere            
3        0     0 ACCEPT     all  --  lo     any     anywhere             anywhere            

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  any    lo      anywhere             anywhere
The goal will be to add various whitelisted public IPs and lockdown the site so that it is only accessible to some. Rules were added as follows:
iptables -I INPUT -i lo -j ACCEPT
iptables -I OUTPUT -o lo -j ACCEPT
iptables -I INPUT -s 10.10.0.0/16 -j ACCEPT
iptables -I INPUT -s 172.30.0.0/16 -j ACCEPT
iptables -P INPUT DROP
Jim (1 rep)
Mar 20, 2020, 07:48 PM • Last activity: Jul 10, 2025, 07:08 AM
0 votes
1 answers
92 views
Upgraded k8 worker node from ubuntu 20.04 to 22.04. DNS resolution/networking inside pods doesn’t work & pods keep crashing/restarting
I have a k8s cluster based on Ubuntu 20.04 with 1 master and 3 worker nodes. I drained one of the worker nodes. Put the kubectl, iptables, kubeadm, kubelet & containerd packages on hold. The OS upgrade to 22.04 went smoothly, but after the upgrade pods (kube-system daemon-sets) kept crashing. One of the issues I found is that DNS resolution is not working inside pods residing on the upgraded node. When I revert back to Ubuntu 20.04 everything works fine. Any help/suggestion please.
Muhammad Saeed (31 rep)
Mar 2, 2025, 02:50 PM • Last activity: Jul 8, 2025, 08:13 PM
2 votes
2 answers
1442 views
IPTables not logging packets in Alpine
I have an Alpine 3.13.5 VM freshly installed and iptables v1.8.6 (legacy) is working properly. However when I try to log the packets with this command, it's not generating any:
iptables -A INPUT -j LOG
I have tried changing log levels and creating a custom /etc/syslog.conf:
user.* /var/log/user.log
kern.* /var/log/kern.log
User logs are redirected to the proper file but there's still no kern.log. The same thing works out of the box on other distros such as Debian.
d9ngle (357 rep)
May 5, 2021, 01:36 PM • Last activity: Jul 5, 2025, 09:23 PM
1 votes
1 answers
2550 views
How to fix routing for Wireguard VPN Gateway
I am desperately trying to get my Wireguard VPN setup up and running as my Internet connection has been switched to IPv6 (DS-Lite).
**My Setup (raw):**
- NetCup VPS (acting as IPv4 contact point for my mobile devices out of the Internet)
- Internal Wireguard Server (acting as the Gateway between internal and external network)
- iPhone with Wireguard Client installed, connected via mobile network only
**Current Status:**
- VPN Tunnel up and running between VPS and internal Wireguard Server as well as VPS and Mobile Client
- VPS (VPN Address 192.168.1.10) able to ping both peers (192.168.1.1 and 192.168.1.15)
- Internal Wireguard Server (192.168.1.1) able to ping VPS (192.168.1.10) but not able to reach Mobile Client (192.168.1.15) --> ICMP: Destination Host unreachable.
- tcpdump on VPS Server does not show any ICMP request coming in from my internal Wireguard Server when trying to ping 192.168.1.15
- Mobile Client (192.168.1.15) able to ping VPS (192.168.1.10) via VPN tunnel but not able to reach Internal Wireguard Server (192.168.1.1)
For me it seems to be a routing issue on the internal Gateway Server. Routes are set by wg-quick as follows:
default via 192.168.2.1 dev enp0s10 proto static metric 100
169.254.0.0/16 dev enp0s10 scope link metric 1000
192.168.1.0/24 dev wg0 proto kernel scope link src 192.168.1.1
192.168.2.0/24 dev enp0s10 proto kernel scope link src 192.168.2.2 metric 100
IP forwarding is active. Any ideas on what I could have missed? Any assistance is well appreciated!
Andi (11 rep)
Aug 31, 2021, 08:29 AM • Last activity: Jul 1, 2025, 01:06 AM
3 votes
2 answers
2342 views
IPTables DNAT rule to local web server doesn't work with localhost?
I have a Linux box functioning as a Wireless Access Point. Wireless clients connect and then browse the web. I am only allowing port 80. There are certain sites I'd like to block, but not by dropping the packet, but by redirecting them to a blocked.html page being served by a local web server. I have two NICs. The one on the internet side is bound to 10.0.2.15. If I do a DNAT rule to redirect traffic to my web server using the internet NIC, the page is returned. If I redirect to 127.0.0.1, it is not. Why is that? Here is my IPTables configuration:

```
# iptables -S
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT

# iptables -t nat -S
-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N block-chain
-A PREROUTING -j block-chain
-A POSTROUTING -o eth1 -j MASQUERADE
# THIS WILL NOT RETURN THE PAGE TO THE CLIENT
-A block-chain -d 206.190.36.45/32 -p tcp -j DNAT --to-destination 127.0.0.1:80
# THIS WILL
-A block-chain -d 206.190.36.45/32 -p tcp -j DNAT --to-destination 10.0.2.15:80
-A block-chain -j RETURN
```
John
Jun 18, 2014, 02:20 PM • Last activity: Jun 22, 2025, 04:09 AM
2 votes
1 answers
56 views
How to enable internet access for a bridge inside a Linux network namespace?
I've created two Linux network namespaces (ns1 and ns2), and inside each, I have:

- A bridge (ns1-br0, ns2-br0)
- A TAP device (tap0, tap1) connected to the respective bridge
- Each TAP device gets an IP address like 10.0.0.2/24.

The problem is: I want devices like tap0 and tap1 to access the internet, but I'm confused about how to set up routing and NAT properly. The host has internet access via eth0. How do I:

- Connect the namespace's bridge to the outside world?
- Use NAT or MASQUERADE correctly so that TAP devices can access the internet?
- Assign default gateways?
Bhautik Chudasama (121 rep)
Jun 18, 2025, 04:03 PM • Last activity: Jun 18, 2025, 08:57 PM
4 votes
1 answers
3490 views
How to add multiple user.rules in ufw?
I know you can add rules one by one. But is there a way to add rules in one go? For instance, this is how you add rules in ufw in Debian:

```
$ sudo ufw allow 80/tcp
$ sudo ufw allow 443/tcp
$ sudo ufw allow 22/udp
```

Now instead of doing it 1 by 1, is there a way to do it all at once? I did try

```
$ sudo ufw allow 80/tcp 443/tcp 22/udp
```

but that didn't work. Any ideas?
shirish (12954 rep)
Jan 22, 2017, 11:23 AM • Last activity: Jun 17, 2025, 10:01 AM
6 votes
3 answers
2451 views
Port forwarding and load balancer in Ubuntu server 12.04
I am looking to create a load balancing server. Essentially here is what I want to do: I have a public IP address, let's say 1.1.1.1. I have a second public IP address, let's say 2.2.2.2. I have a website, www.f.com, pointing to 1.1.1.1 via an A record. I want that Ubuntu server to forward traffic like this:

- Port 80 traffic is forwarded to 2.2.2.2 on port 60,000 and port 60,001.
- Port 443 traffic is forwarded to 2.2.2.2 on port 60,010 and port 60,011.
- Port 25 traffic is forwarded to 2.2.2.2 on port 60,020 and port 60,021.

The port forwarding is more important than being able to load balance. I look forward to some responses. Both server 1.1.1.1 and 2.2.2.2 are running Ubuntu 12.04 server edition.
Matthew St Nicholas Iverson (69 rep)
Dec 3, 2012, 02:32 AM • Last activity: Jun 7, 2025, 05:04 AM
12 votes
5 answers
18564 views
Why does SNAT happen in POSTROUTING chain and DNAT in PREROUTING chain?
Why does `SNAT` (modifies source IP and/or ports) happen in the `nat` table `POSTROUTING` chain, i.e. after routing? And why does `DNAT` (modifies destination IP and/or ports) happen in the `PREROUTING` chain? I guess the latter is because there might be multiple NICs in the PC with different private networks and the PC does not know how to route the packet if the destination IP address is still a publicly routable address? However, for `SNAT` I can not see a reason why this couldn't take place in `PREROUTING`.
Martin (8156 rep)
Apr 29, 2016, 10:34 PM • Last activity: Jun 3, 2025, 06:40 AM
1 votes
2 answers
1009 views
Set user-wide network proxy settings on Ubuntu (without restart)
Is there any reliable way to set proxy settings **user-wide** for **all traffic** on Ubuntu? So far I'm using `{http|https|ftp}_proxy` variables in `/home/$USER/.bashrc`, which is nice, but there are some issues:

- Many applications don't respect those settings, especially custom scripts
- Restart is required to apply changes.
- Doesn't work with scripts where commands are not executed in bash

I need **all traffic** to go through the proxy and it has to be user-wide, which means I have to be able to set up different proxies for each system user profile. What comes to my mind is iptables or network-interfaces configuration, but I'm not sure and I don't know how :)
mic22 (151 rep)
Dec 6, 2014, 09:42 PM • Last activity: May 31, 2025, 11:58 AM