Login or Register to Ask a Question and Join Our Community

Sponsored Content
Full Discussion: iptables conundrum
Special Forums IP Networking iptables conundrum Post 302915389 by Shocco on Tuesday 2nd of September 2014 04:52:22 PM
Old 09-02-2014
Debian iptables conundrum
Ok, if youre reading this prepare yourself.(debian based os)

so im trying to do this routing with ip tables, i need to forward/SNAT traffic from 192.168.111.1 to 10.10.10.250, the 192.x.x.x ips are being shoved into a honeyd like program called inetsim so its offline, 10.10.10.125 is connected to the internet, how do i get the traffic from 192.168.111.4 to 10.10.10.250:41004?

and i need it to at least be a specified port range for 192.168.111.4 since the ports vary from 49100-50000.

ive tried a lot of different iptables only to be thwarted many times. i got it working one time but i broke it somehow and i dont know how i did that.

please help! Smilie if you need to see my current/old rules let me know. i can sanitize them rather quickly
 

7 More Discussions You Might Find Interesting

1. UNIX Desktop Questions & Answers

Unix Grep Conundrum - Not for Noobies

Help, I have been stuck on this issue for weeks. I am a unix noobie. I have a very long string and within that string I am trying to get proc file names ie PROCNAME1=SOME_FILENAME_UPDTBASE.SQL There is a space on either side. I can't for the life of me peel out the proc name:... (13 Replies)
Discussion started by: owenian
13 Replies

2. Shell Programming and Scripting

Sed pattern space/looping conundrum

Although my sed skills are gradually developing, thanks in large part to this forum, I'm having a hard time dealing with pattern space and looping, which I suspect is what I'll need a better handle on to figure out my current issue, which is converting a multi line file like this: ... (4 Replies)
Discussion started by: tiggyboo
4 Replies

3. UNIX for Dummies Questions & Answers

umask conundrum

Hi All, i was reading up on a umask question on this forum and have a question on this. the umask value on my home PC running on cygwin is 022. when i create a dir it defaults to permission 755, when i create a file it defaults to 644. Now it starts at 777 for dirs and 666 for files and... (1 Reply)
Discussion started by: Irishboy24
1 Replies

4. Shell Programming and Scripting

Conundrum - Flexible way to strip extension

Hi, First post here. I have something that may prove to be difficult. I have the following files: Example1.0.0.tar.gz Example2.tar Example3.zip Example4.0.0.0.0.0.bzip2 I need to remove the file extensions and store as a variable so they look like this: Example1.0.0 Example2... (3 Replies)
Discussion started by: Spadez
3 Replies

5. Shell Programming and Scripting

sudo scripts conundrum

hello; Got a problem running monitoring scripts using sudo ssh.. Mgmt decided to take away root sudoers access.. so most of the scripts ran as: sudo ssh $BOX ... Now I need to run them as: echo $my_pw | sudo -S -l my_user_id $BOX ... I tried this but not working.. Any wisdom/tricks... (3 Replies)
Discussion started by: delphys
3 Replies

6. Red Hat

Physical Volume Create Conundrum

I want to start by saying I already resolved my issue but I want to understand why I am seeing what I am seeing. I have a server with a RAID controller two 500GB drives and six 600GB drives. The two 500GB drives are mirrored and have the OS installed on them. The six 600GB they wanted set as... (4 Replies)
Discussion started by: scotbuff
4 Replies

7. OS X (Apple)

Help in explaining this echo conundrum.

OSX 10.12.3, default bash terminal. Consider this code and note it is calling 'sh' inside the code... #!/bin/sh echo '1\n2\n2\n3\n5' > /tmp/text hexdump -C /tmp/text /bin/echo '1\n2\n3\n4\n5' > /tmp/text hexdump -C /tmp/text Now view the interactive mode below, note the underlying shell is... (6 Replies)
Discussion started by: wisecracker
6 Replies

LEARN ABOUT DEBIAN

mxallowd

mxallowd(1)							   User Manuals 						       mxallowd(1)

NAME

       mxallowd - dynamically whitelist your Mail eXchanger

SYNOPSIS

       mxallowd  [-d]  [-c  configfile]  [-t whitelist-time] [-p pflog-interface] [-l pcap-filter] [-F] [-s] [-q] [-p] -f fake-mailserver -r real-
       mailserver -n queue-num

DESCRIPTION

       mxallowd is a daemon which uses libnetfilter_queue (on Linux) or pf and pflog (on BSD) to allow (or deny) connections to a  mailserver  (or
       similar application) if the remote host hasn't connected to a fake daemon before.

       This  is  an improved version of the so-called nolisting (see http://www.nolisting.org/). The assumption is that spammers are not using RFC
       2821-compatible SMTP-clients and are sending fire-and-forget spam (directly to the first or second MX-entry  without  retrying  on  error).
       This direct access is blocked with mxallowd, you'll only get a connection if you retry.

       NOTE:  It  is  highly recommended to install nscd (nameserver caching daemon) or a similar software in order to speed-up DNS lookups. Since
       version 1.3, DNS lookups are done in a thread (so they don't block the main process), however,  on  very-high-traffic-sites,  mxallowd  may
       show significantly better overall performance in combination with nscd.

OPTIONS

       -b, --no-rdns-whitelist
	      Disable whitelisting all IP-addresses that have the same RDNS as the connecting one (necessary for google mail)

       -c, --config
	      Specifies an alternative configuration file (instead of /etc/mxallowd.conf)

       -t, --whitelist-time
	      Specify the amount of time (in seconds) until an IP-address will be removed from the whitelist

       -s, --stdout
	      Log to stdout, not to syslog

       -q, --quiet
	      Don't log anything but errors.

       -f, --fake-mailserver
	      Specify which IP-address the fake mailserver has (connecting to it will whitelist you for the real mailserver)

       -r, --real-mailserver
	      Specify which IP-address the real mailserver has

       -F, --foreground
	      Do not fork into background, stay on console

       -n, --queue-num (only available when compiled for netfilter_queue)
	      Specify  the  queue  number which will be used for the netfilter_queue-link. This has to be the same which is specified in the ipta-
	      bles-rule and it has to be specified, there is no default.

       -p, --pflog-interface (only available when compiled for pf)
	      Specify the pflog(4) interface which you configured in pf(4). The default is pflog0. Also see the pcap-filter-option if you  use	an
	      interface which does not only get smtp-traffic.

       -l, --pcap-filter (only available when compiled for pf)
	      Specify the filter for pcap. The default is "port 25". See tcpdump(8) for more information on the filters.

FILES

       /etc/mxallowd.conf
	      System-wide configuration file. Use the long options without the beginning two dashes. For example:

		   stdout
		   fake-mailserver 192.168.1.3
		   fake-mailserver 192.168.1.4
		   real-mailserver 192.168.1.5
		   queue-num 23

EXAMPLES FOR NETFILTER

       The  machine  has  two  IP-addresses.  The  mailserver  only  listens  on 192.168.1.4, the nameserver returns the mx-records mx1.domain.com
       (192.168.1.3) with priority 5 and mx2.domain.com (192.168.1.4) with priority 10.

       # modprobe nfnetlink_queue
       # iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j NFQUEUE --queue-num 23
       # mxallowd -s -F -f 192.168.1.3 -r 192.168.1.4 -n 23

       Then open a separate terminal and connect via telnet on your real mailserver. You'll see the connection attempt being dropped. Now  connect
       to the fake mailserver and watch mxallowd's output. Afterwards, connect to the real mailserver to verify your mailserver is still working.

EXAMPLES FOR PF

       The  machine  has  two  IP-addresses.  The  mailserver  only  listens  on 192.168.1.4, the nameserver returns the mx-records mx1.domain.com
       (192.168.1.3) with priority 5 and mx2.domain.com (192.168.1.4) with priority 10.

       Create a pf.conf like this:

	    table <mx-white> persist

	    real_mailserver="192.168.1.4"
	    fake_mailserver="192.168.1.3"

	    real_mailserver6="2001:dead:beef::1"
	    fake_mailserver6="2001:dead:beef::2"

	    pass in quick log on fxp0 proto tcp from <mx-white> to $real_mailserver port smtp
	    pass in quick log on fxp0 inet6 proto tcp from <mx-white> to $real_mailserver6 port smtp
	    block in log on fxp0 proto tcp to { $fake_mailserver $real_mailserver } port smtp
	    block in log on fxp0 inet6 proto tcp to { $fake_mailserver6 $real_mailserver6 } port smtp

       Afterwards, load it and start mxallowd using the following commands:

       # pfctl -f /etc/pf.conf
       # mxallowd -s -F -f 192.168.1.3 -r 192.168.1.4

       Then open a separate terminal and connect via telnet on your real mailserver. You'll see the connection attempt being dropped. Now  connect
       to the fake mailserver and watch mxallowd's output. Afterwards, connect to the real mailserver to verify your mailserver is still working.

       The ruleset for pf is actually longer because pf does more than netfilter on linux -- netfilter passes the packets and lets mxallowd decide
       whether to drop/accept whilst pf blocks/passes before even "passing" to mxallowd.

SEE ALSO

       iptables(8), pf(4), pflog(4), tcpdump(8)

AUTHOR

       Michael Stapelberg <michael+mxallowd at stapelberg dot de>

Linux								    MARCH 2012							       mxallowd(1)
All times are GMT -4. The time now is 04:55 AM.
Unix & Linux Forums Content Copyright 1993-2022. All Rights Reserved.
Privacy Policy