Hello All,
I would like to ask you very kindly with /etc/sysconfig/iptables file
I have to setup port forwarding on RHEL6 router. Users from public network must be able to ssh to servers in private network behind RHEL6 router. Problem is that servers in private network must be isolated.
My boss require that there will not be any possibility of connection from private network to any remote network behind RHEL6 router
I am not able to DROP any traffic coming from private network.
I did setup port forwarding on router from public network to private network easily but I am not able to force router to drop any traffic coming from private network outside unless I break port forwarding.
here is example of my /etc/sysconfig/iptables file. Please help with line which would drop all outgoing traffic from private network but keep port forwarding working.
Code:
cat /etc/sysconfig/iptables
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
#
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 2222 -j ACCEPT
-A INPUT -p all -j DROP
#
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -i eth0 -p tcp --dport 22 -j DNAT --to-destination 192.168.0.3:22
COMMIT
BTW: (ssh on router is running on port 2222)
Moderator's Comments:
Please use CODE tags as required by forum rules!
Last edited by RudiC; 04-04-2018 at 10:38 AM..
Reason: Added CODE tags.
I've been googling for a while now, trying to forward port 3000 to port 80....
In the past I used to DLink router to forward port 3000 to 80. I recently finished (well, is it ever done anyhow?) setting up my linux box and got it acting as a router.
I want to continue to run Apache on port 80... (1 Reply)
Hi,
I have to install an application that has a built in tftp server. Tftp comes in on port 69. As i am not installing this application as a root user i am running into trouble because only the root user can listen to ports < 1024. So changing the port i listen to to one greater than 1023 isn't... (1 Reply)
Hi
I want to set up port forwarding from one network to another network. I already have this configured on the Linux box using iptables.
iptables -t nat -A PREROUTING -p tcp -i eth1 --dport 1521 -j DNAT --to 10.218.146.230
iptables -A FORWARD -p tcp -i eth1 -d 10.218.146.230 -j ACCEPT
... (2 Replies)
Hi; I have the following issue:
I have a Solaris server running an old applications which connects to an http server in other server at certain port. The thing is that the http server has changed its ip and port and the addres in the app is hard coded and touching the app by now is out of the... (0 Replies)
Hi Linux/Unix Guru,
I am setting Linux Hopping Station to another different servers.
My current config to connect to another servers is using different port to connect.
e.g
ssh -D 1080 -p 22 username@server1.com
ssh -D 1081 -p 22 username@server2.com
Now what I would like to have... (3 Replies)
Hello,
I have a routeur linksys (192.168.1.1 ) a firewall (192.168.1.55 IN ----> 192.168.2.254 OUT) which using iptable
I want to acces to an equipment (lorex video camera serveur 192.168.2.44) which using an ddns service on the port 9000
So i don t know which redirection a will do on the... (2 Replies)
Hi,
On my linux server I have 2 routes:
Code:
nexthop via 123.201.254.5 dev eth0 weight 38 nexthop via 111.93.155.149 dev eth2 weight 36
I have a iptable rule like :
iptables -t nat -A PREROUTING -p tcp -i eth0 -d... (5 Replies)
I am having an issue with iptables. My server is a RHEL6 64bit system.
In my application I have a large number of connected clients ~100k to a particular service. The application works fine when iptables is off, 100k clients are able to connect.
However, when I turn iptables on and add a... (1 Reply)
Hi experts,
We have windows machine ( A ) in one network & 2 Linux Servers ( B & C ) in another network. There is a firewall between these 2 networks and SSH (TCP/22) & HTTPS (TCP/443) are allowed from A to B only (but not to C). There is no personal firewall / iptables running on any machine.... (1 Reply)
Hello Gurus,
I have configured port forwarding at router.
But after configuration I am not able to connect the computer from outside/Over internet/Remote desktp from other computer.
Could you please advice?
Thanks-
Pokhraj (2 Replies)
Discussion started by: pokhraj_d
2 Replies
LEARN ABOUT DEBIAN
knockd
knockd(1)knockd(1)NAME
knockd - port-knock server
SYNOPSIS
knockd [options]
DESCRIPTION
knockd is a port-knock server. It listens to all traffic on an ethernet (or PPP) interface, looking for special "knock" sequences of port-
hits. A client makes these port-hits by sending a TCP (or UDP) packet to a port on the server. This port need not be open -- since knockd
listens at the link-layer level, it sees all traffic even if it's destined for a closed port. When the server detects a specific sequence
of port-hits, it runs a command defined in its configuration file. This can be used to open up holes in a firewall for quick access.
COMMANDLINE OPTIONS -i, --interface <int>
Specify an interface to listen on. The default is eth0.
-d, --daemon
Become a daemon. This is usually desired for normal server-like operation.
-c, --config <file>
Specify an alternate location for the config file. Default is /etc/knockd.conf.
-D, --debug
Ouput debugging messages.
-l, --lookup
Lookup DNS names for log entries. This may be a security risk! See section SECURITY NOTES.
-v, --verbose
Output verbose status messages.
-V, --version
Display the version.
-h, --help
Syntax help.
CONFIGURATION
knockd reads all knock/event sets from a configuration file. Each knock/event begins with a title marker, in the form [name], where name
is the name of the event that will appear in the log. A special marker, [options], is used to define global options.
Example #1:
This example uses two knocks. The first will allow the knocker to access port 22 (SSH), and the second will close the port when the
knocker is complete. As you can see, this could be useful if you run a very restrictive (DENY policy) firewall and would like to
access it discreetly.
[options]
logfile = /var/log/knockd.log
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 10
tcpflags = syn
command = /usr/sbin/iptables -A INPUT -s %IP% -j ACCEPT
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 10
tcpflags = syn
command = /usr/sbin/iptables -D INPUT -s %IP% -j ACCEPT
Example #2:
This example uses a single knock to control access to port 22 (SSH). After receiving a successful knock, the daemon will run the
start_command, wait for the time specified in cmd_timeout, then execute the stop_command. This is useful to automatically close the
door behind a knocker. The knock sequence uses both UDP and TCP ports.
[options]
logfile = /var/log/knockd.log
[opencloseSSH]
sequence = 2222:udp,3333:tcp,4444:udp
seq_timeout = 15
tcpflags = syn,ack
start_command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --syn -j ACCEPT
cmd_timeout = 5
stop_command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --syn -j ACCEPT
Example #3:
This example doesn't use a single, fixed knock sequence to trigger an event, but a set of sequences taken from a sequence file (one
time sequences), specified by the one_time_sequences directive. After each successful knock, the used sequence will be invalidated
and the next sequence from the sequence file has to be used for a successful knock. This prevents an attacker from doing a replay
attack after having discovered a sequence (eg, while sniffing the network).
[options]
logfile = /var/log/knockd.log
[opencloseSMTP]
one_time_sequences = /etc/knockd/smtp_sequences
seq_timeout = 15
tcpflags = fin,!ack
start_command = /usr/sbin/iptables -A INPUT -s %IP% -p tcp --dport 25 -j ACCEPT
cmd_timeout = 5
stop_command = /usr/sbin/iptables -D INPUT -s %IP% -p tcp --dport 25 -j ACCEPT
CONFIGURATION : GLOBAL DIRECTIVES
UseSyslog
Log action messages through syslog(). This will insert log entries into your /var/log/messages or equivalent.
LogFile = /path/to/file
Log actions directly to a file, usually /var/log/knockd.log.
PidFile = /path/to/file
Pidfile to use when in daemon mode, default: /var/run/knockd.pid.
Interface = <interface_name>
Network interface to listen on. Only its name has to be given, not the path to the device (eg, "eth0" and not "/dev/eth0"). Default:
eth0.
CONFIGURATION : KNOCK/EVENT DIRECTIVES
Sequence = <port1>[:<tcp|udp>][,<port2>[:<tcp|udp>] ...]
Specify the sequence of ports in the special knock. If a wrong port with the same flags is received, the knock is discarded.
Optionally, you can define the protocol to be used on a per-port basis (default is TCP).
One_Time_Sequences = /path/to/one_time_sequences_file
File containing the one time sequences to be used. Instead of using a fixed sequence, knockd will read the sequence to be used from
that file. After each successful knock attempt this sequence will be disabled by writing a '#' character at the first position of
the line containing the used sequence. That used sequence will then be replaced by the next valid sequence from the file.
Because the first character is replaced by a '#', it is recommended that you leave a space at the beginning of each line. Otherwise
the first digit in your knock sequence will be overwritten with a '#' after it has been used.
Each line in the one time sequences file contains exactly one sequence and has the same format as the one for the Sequence direc-
tive. Lines beginning with a '#' character will be ignored.
Note: Do not edit the file while knockd is running!
Seq_Timeout = <timeout>
Time to wait for a sequence to complete in seconds. If the time elapses before the knock is complete, it is discarded.
TCPFlags = fin|syn|rst|psh|ack|urg
Only pay attention to packets that have this flag set. When using TCP flags, knockd will IGNORE tcp packets that don't match the
flags. This is different than the normal behavior, where an incorrect packet would invalidate the entire knock, forcing the client
to start over. Using "TCPFlags = syn" is useful if you are testing over an SSH connection, as the SSH traffic will usually inter-
fere with (and thus invalidate) the knock.
Separate multiple flags with commas (eg, TCPFlags = syn,ack,urg). Flags can be explicitly excluded by a "!" (eg, TCPFlags =
syn,!ack).
Start_Command = <command>
Specify the command to be executed when a client makes the correct port-knock. All instances of %IP% will be replaced with the
knocker's IP address. The Command directive is an alias for Start_Command.
Cmd_Timeout = <timeout>
Time to wait between Start_Command and Stop_Command in seconds. This directive is optional, only required if Stop_Command is used.
Stop_Command = <command>
Specify the command to be executed when Cmd_Timeout seconds have passed since Start_Command has been executed. All instances of
%IP% will be replaced with the knocker's IP address. This directive is optional.
SECURITY NOTES
Using the -l or --lookup commandline option to resolve DNS names for log entries may be a security risk! An attacker may find out the
first port of a sequence if he can monitor the DNS traffic of the host running knockd. Also a host supposed to be stealth (eg, dropping
packets to closed TCP ports instead of replying with an ACK+RST packet) may give itself away by resolving a DNS name if an attacker manages
to hit the first (unknown) port of a sequence.
SEE ALSO
knock is the accompanying port-knock client, though telnet or netcat could be used for simple TCP knocks instead. For more advanced
knocks, see hping, sendip or packit.
AUTHOR
Judd Vinet <jvinet@zeroflux.org>
knockd 0.5 June 26, 2005 knockd(1)
04-04-2018
