Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: IPtable rules for DNS/http/https traffic for specific hosts only, not working.
Special Forums IP Networking Proxy Server IPtable rules for DNS/http/https traffic for specific hosts only, not working. Post 302899546 by phi0x on Tuesday 29th of April 2014 07:32:13 PM
Old 04-29-2014
yesterday the vps got taken down again due to too many conntrack connections they said again.

I am not sure what logs to look at but when I do netstat -ntulp it shows very few connections when they bring the vps back online. I've monitored all day checking a few times every hour to see how the netstat and the /proc/net/nf_conntrack log shows. Doesn't seem like a crazy amount of connections are being produced. I'd say no more than 1-50 connections, average around 10. Mostly opened connections from dns/proxy from a few of the ip's I have allowed in.

This is no where close to their 25-30k conntrack limit.

Today the server hasn't gone down, the iptable rules are automatically applied upon boot. Shall continue to monitor..
 

8 More Discussions You Might Find Interesting

1. UNIX for Advanced & Expert Users

Encrypt traffic between Solaris 8 hosts

I have two Solaris 8 hosts that send data to one another throughout the day. It is a legacy system and the programs used are rdist, rcp and ftp. I have been asked to ensure that the data transferred is encrypted beween the two hosts. My first thought was to replace these commands with ssh.... (2 Replies)
Discussion started by: blp001
2 Replies

2. Shell Programming and Scripting

stripping http and https from a url using sed

I have to write a sed script which removes http and https from a URL. So if a URL is https://www.example.com or Example Web Page, script should return me Example Web Page i tried echo $url | sed 's|^http://||g'. It doesn't work. Please help (4 Replies)
Discussion started by: vickylife
4 Replies

3. Shell Programming and Scripting

http and https

Hi friends, I have a local host http://ss3/cgi-bin/page/page_list.cgi running on apache webserver perfectly well. But suddenly, it stopped working and gave an error "Internet explorer Explorer cannot display the webpage". But when i added https, as https://ss3/cgi-bin/page/page_list.cgi the... (2 Replies)
Discussion started by: nmattam
2 Replies

4. UNIX for Advanced & Expert Users

How iptables directs to localhost in this series of iptable rules

Hello, I have implimented a dansguardian system using dansguardian and privoxy. I borrowed a script from Ubuntu CE that makes it where a firewall program like firehol is not needed and it doesn't need a reconfigure of the proxy settings in browsers to be changed. I really like it that way. All... (7 Replies)
Discussion started by: Narnie
7 Replies

5. Web Development

redirect http to https in apache

i read thru a few article how to do it, but i could not get it to work the way i want it. vi ../httpd.conf Redirect permanent /dev https://servername/portal/ when i type servername, works fine. my goal is to type dev, and it takes me to https://servername/portal/ (4 Replies)
Discussion started by: lawsongeek
4 Replies

6. UNIX for Advanced & Expert Users

redirect http traffic

hi, i have freebsd gateway with ipfw as router. Recently i have setup squid-3.1.10 caching server for my lan. I want to redirect http,https traffic from gateway to linux squid box. below is my setup rl0--->xxx.xxx.xxx.xxx (connected to ISP) rl1 -->192.168.1.0/24 (my lan)... (1 Reply)
Discussion started by: goog
1 Replies

7. Web Development

Mod_rewrite http to https

Hi Team, I have a question on the apache mod_rewrite module. I have a requirement of rewriting only specific url's to https. Requirement below:- want to match a word (test) on the url and if matches then it should rewrite to https. example:- ... (1 Reply)
Discussion started by: arumon
1 Replies

8. UNIX for Advanced & Expert Users

Apache - tcpdump get HTTP and HTTPS Headers

Hello I googled for "tcpdump view HOST http headers" -- that fine However can we do same for HTTPS like after the HTTPS gets decrypted by Apache ? I think this is legitimate on the server where the site is hosted since at some point the Apache itself needs to get the HOST patrameter in... (1 Reply)
Discussion started by: coolatt
1 Replies

LEARN ABOUT NETBSD

ftp-proxy

FTP-PROXY(8)						    BSD System Manager's Manual 					      FTP-PROXY(8)

NAME

     ftp-proxy -- Internet File Transfer Protocol proxy daemon

SYNOPSIS

     ftp-proxy [-6Adrv] [-a address] [-b address] [-D level] [-i netif] [-m maxsessions] [-P port] [-p port] [-q queue] [-R address] [-T tag]
	       [-t timeout]

DESCRIPTION

     ftp-proxy is a proxy for the Internet File Transfer Protocol.  FTP control connections should be redirected into the proxy using the ipnat(4)
     or pf(4) rdr command, after which the proxy connects to the server on behalf of the client.

     The proxy allows data connections to pass, rewriting and redirecting them so that the right addresses are used.  All connections from the
     client to the server have their source address rewritten so they appear to come from the proxy.  Consequently, all connections from the
     server to the proxy have their destination address rewritten, so they are redirected to the client.  The proxy uses the pf(4) anchor facility
     for this, unless the option -i is specified, it will then use the ipnat(4) interface.

     Assuming the FTP control connection is from $client to $server, the proxy connected to the server using the $proxy source address, and $port
     is negotiated, then ftp-proxy adds the following rules to the various anchors.  (These example rules use inet, but the proxy also supports
     inet6.)

     In case of active mode (PORT or EPRT):

       rdr from $server to $proxy port $port -> $client
       pass quick inet proto tcp 
	   from $server to $client port $port

     In case of passive mode (PASV or EPSV):

       nat from $client to $server port $port -> $proxy
       pass in quick inet proto tcp 
	   from $client to $server port $port
       pass out quick inet proto tcp 
	   from $proxy to $server port $port

     The options are as follows:

     -6      IPv6 mode.  The proxy will expect and use IPv6 addresses for all communication.  Only the extended FTP modes EPSV and EPRT are
	     allowed with IPv6.  The proxy is in IPv4 mode by default.

     -A      Only permit anonymous FTP connections.  Either user "ftp" or user "anonymous" is allowed.

     -a address
	     The proxy will use this as the source address for the control connection to a server.

     -b address
	     Address where the proxy will listen for redirected control connections.  The default is 127.0.0.1, or ::1 in IPv6 mode.

     -D level
	     Debug level, ranging from 0 to 7.	Higher is more verbose.  The default is 5.  (These levels correspond to the syslog(3) levels.)

     -d      Do not daemonize.	The process will stay in the foreground, logging to standard error.

     -i netif
	     Set ftp-proxy for use with IP-Filter.  The argument netif should be set to the name of the network interface where rdr is applied on.

     -m maxsessions
	     Maximum number of concurrent FTP sessions.  When the proxy reaches this limit, new connections are denied.  The default is 100 ses-
	     sions.  The limit can be lowered to a minimum of 1, or raised to a maximum of 500.

     -P port
	     Fixed server port.  Only used in combination with -R.  The default is port 21.

     -p port
	     Port where the proxy will listen for redirected connections.  The default is port 8021.

     -q queue
	     Create rules with queue queue appended, so that data connections can be queued.

     -R address
	     Fixed server address, also known as reverse mode.	The proxy will always connect to the same server, regardless of where the client
	     wanted to connect to (before it was redirected).  Use this option to proxy for a server behind NAT, or to forward all connections to
	     another proxy.

     -r      Rewrite sourceport to 20 in active mode to suit ancient clients that insist on this RFC property.

     -T tag  Automatically tag packets passing through the pf(4) rule with the name supplied.

     -t timeout
	     Number of seconds that the control connection can be idle, before the proxy will disconnect.  The maximum is 86400 seconds, which is
	     also the default.	Do not set this too low, because the control connection is usually idle when large data transfers are taking
	     place.

     -v      Set the 'log' flag on pf rules committed by ftp-proxy.  Use twice to set the 'log-all' flag.  The pf rules do not log by default.

CONFIGURATION

     To make use of the proxy using pf(4), pf.conf(5) needs the following rules.  All anchors are mandatory.  Adjust the rules as needed.

     In the NAT section:

       nat-anchor "ftp-proxy/*"
       rdr-anchor "ftp-proxy/*"
       rdr pass on $int_if proto tcp from $lan to any port 21 -> 
	   127.0.0.1 port 8021

     In the rule section:

       anchor "ftp-proxy/*"
       pass out proto tcp from $proxy to any port 21

     To make use of the proxy using ipnat(4), ipnat.conf(5) need the following rule:

       rdr $int_if any port 21 -> 127.0.0.1 port 8021 tcp

SEE ALSO

     ftp(1), ipnat(4), pf(4), ipnat.conf(5), pf.conf(5)

CAVEATS

     ipnat(4) and pf(4) does not allow the ruleset to be modified if the system is running at a securelevel higher than 1.  At that level
     ftp-proxy cannot add rules to the anchors and FTP data connections may get blocked.

     Negotiated data connection ports below 1024 are not allowed.

     The negotiated IP address for active modes is ignored for security reasons.  This makes third party file transfers impossible.

     ftp-proxy chroots to "/var/chroot/ftp-proxy" and changes to user "_proxy" to drop privileges.

BSD
								  August 1, 2007							       BSD
All times are GMT -4. The time now is 01:05 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy