Displaying 12 results from an estimated 12 matches for "iface_lan".
2018 Mar 11
3
Squid vs. iptables redirection: exception for certain domains ?
On 11.03.2018 at 11:53, Nicolas Kovacs <info at microlinux.fr> wrote:
>
> I've experimented some more, and I have a partial success. Here, I'm
> redirecting all HTTPS traffic *except* the one that goes to my bank:
>
> iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d
> www.credit-cooperatif.coop --dport 443 -j REDIRECT --to-port 3129
>
> This works because my bank is hosted on a single IP. As soon as I
> replace that with a domain that's hosted on multiple IP's, I get this:
>
> iptables -A PREROUTING -t nat -i $IFACE_LAN...
2018 Mar 11
2
Squid vs. iptables redirection: exception for certain domains ?
...------------------------------------
And here's the corresponding section of my firewall script:
--8<-------------------------------------------------------------
# Commands
IPT=/usr/sbin/iptables
SYS=/usr/sbin/sysctl
SERVICE=/usr/sbin/service
# Internet
IFACE_INET=enp2s0
# Local network
IFACE_LAN=virbr0
IFACE_LAN_IP=192.168.2.0/24
# Server
SERVER_IP=192.168.2.1
...
# Squid
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3128 -j ACCEPT
$IPT -A INPUT -p udp -i $IFACE_LAN --dport 3128 -j ACCEPT
$IPT -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d $SERVER_IP \
--dport 80 -j REDIRECT --to-port 3...
2018 Mar 11
0
Squid vs. iptables redirection: exception for certain domains ?
...I admit I've never worked with custom tables, so I don't know how to do
this.
In the meantime, I found the following working solution.
# Exceptions
EXCEPTIONS=$(egrep -v '(^\#)|(^\s+$)' /usr/local/sbin/no-proxy.txt)
for EXCEPTION in $EXCEPTIONS; do
$IPT -A PREROUTING -t nat -i $IFACE_LAN -d $EXCEPTION -j ACCEPT
done
# Squid
$IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3128 -j ACCEPT
$IPT -A INPUT -p udp -i $IFACE_LAN --dport 3128 -j ACCEPT
$IPT -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d $SERVER_IP \
--dport 80 -j REDIRECT --to-port 3128
$IPT -A INPUT -p tcp -i $IFACE_LAN --dpo...
2018 Mar 12
1
Squid vs. iptables redirection: exception for certain domains ?
...tom tables, so I don't know how to do
> this.
>
> In the meantime, I found the following working solution.
>
> # Exceptions
> EXCEPTIONS=$(egrep -v '(^\#)|(^\s+$)' /usr/local/sbin/no-proxy.txt)
> for EXCEPTION in $EXCEPTIONS; do
> $IPT -A PREROUTING -t nat -i $IFACE_LAN -d $EXCEPTION -j ACCEPT
> done
>
> # Squid
> $IPT -A INPUT -p tcp -i $IFACE_LAN --dport 3128 -j ACCEPT
> $IPT -A INPUT -p udp -i $IFACE_LAN --dport 3128 -j ACCEPT
> $IPT -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d $SERVER_IP \
> --dport 80 -j REDIRECT --to-port 3128
> $...
2015 Feb 19
4
Masquerading (packet forwarding) on CentOS 7
...oved the firewalld package and replaced it by a simple Iptables script:
--8<----------------------------------------------------
#!/bin/sh
#
# firewall-lan.sh
IPT=$(which iptables)
MOD=$(which modprobe)
SYS=$(which sysctl)
SERVICE=$(which service)
# Internet
IFACE_INET=enp2s0
# Local network
IFACE_LAN=enp3s0
IFACE_LAN_IP=192.168.2.0/24
# Packet forwarding (yes/no)
MASQ=yes
# Accept everything
$IPT -t filter -P INPUT ACCEPT
$IPT -t filter -P FORWARD ACCEPT
$IPT -t filter -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle...
2018 May 23
7
Vsftpd vs. iptables firewall script
...ing to the template, I won't copy/paste the whole thing here.
https://github.com/kikinovak/centos-7-server-lan/blob/master/config/firewall/firewall-standalone.sh
Under Slackware, the iptables rule for a local FTP server looked like this:
modprobe ip_conntrack
iptables -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
I tried this, but to no avail. Can't connect to my server. I googled a
bit, and I found out that there seem to be quite many different answers
about the subject of "how do I configure my firewall for Vsftpd".
Any suggestions ?
Niki
--
Microlinux - Solutions i...
2007 Feb 12
0
Little problem with ifb. How to catch server traffic on IFB...
...t to catch only all traffic going from my server, but I don't want
catch NATed traffic from LAN.
I need only traffic going from/to my server (traffic from INPUT, OUTPUT
chain in iptables) (like SSH, postfix, WWW or proxy).
This is throw all traffic from my LAN to IFB:
$TC qdisc add dev $iface_lan handle ffff: ingress
$TC qdisc add dev $iface_lan root handle 1:0 htb
#Incoming traffic...
$TC filter add dev $iface_lan parent 1:0 protocol ip prio 1 u32 match ip
dst 192.168.0.0/16 flowid 1:1 action mirred egress redirect dev ifb0
#Outgoing traffic...
$TC filter add dev $iface_lan parent ffff: pr...
2015 Feb 19
0
Masquerading (packet forwarding) on CentOS 7
...> --8<----------------------------------------------------
> #!/bin/sh
> #
> # firewall-lan.sh
>
> IPT=$(which iptables)
> MOD=$(which modprobe)
> SYS=$(which sysctl)
> SERVICE=$(which service)
>
> # Internet
> IFACE_INET=enp2s0
>
> # Local network
> IFACE_LAN=enp3s0
> IFACE_LAN_IP=192.168.2.0/24
>
> # Packet forwarding (yes/no)
> MASQ=yes
>
> # Accept everything
> $IPT -t filter -P INPUT ACCEPT
> $IPT -t filter -P FORWARD ACCEPT
> $IPT -t filter -P OUTPUT ACCEPT
> $IPT -t nat -P PREROUTING ACCEPT
> $IPT -t nat -P POSTROUT...
2018 May 23
0
Vsftpd vs. iptables firewall script
...copy/paste the whole thing here.
>
> https://github.com/kikinovak/centos-7-server-lan/blob/master/config/firewall/firewall-standalone.sh
>
> Under Slackware, the iptables rule for a local FTP server looked like this:
>
> modprobe ip_conntrack
> iptables -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
>
> I tried this, but to no avail. Can't connect to my server. I googled a
> bit, and I found out that there seem to be quite many different answers
> about the subject of "how do I configure my firewall for Vsftpd".
>
OK looking at this, try chang...
2018 Mar 11
0
Squid vs. iptables redirection: exception for certain domains ?
...:
>
> github.com
> credit-cooperatif.coop
> cloud.microlinux.fr
> squid-cache.org
> etc.
I've experimented some more, and I have a partial success. Here, I'm
redirecting all HTTPS traffic *except* the one that goes to my bank:
iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d
www.credit-cooperatif.coop --dport 443 -j REDIRECT --to-port 3129
This works because my bank is hosted on a single IP. As soon as I
replace that with a domain that's hosted on multiple IP's, I get this:
iptables -A PREROUTING -t nat -i $IFACE_LAN -p tcp ! -d www.google.com
--d...
2018 May 23
4
Vsftpd vs. iptables firewall script
On 23/05/2018 at 16:36, Nux! wrote:
> Try "iptables -I INPUT" for your FTP rule.
Doesn't work. I redirected all my errors to /var/log/messages, so here's
what I get when I try to connect Filezilla to that server.
May 23 16:48:58 c7-server kernel: +++ IPv4 packet rejected +++ IN=enp0s3
OUT= MAC=08:00:27:00:00:03:d4:85:64:b2:b2:1b:08:00 SRC=192.168.2.2
DST=192.168.2.12
2018 May 23
0
Vsftpd vs. iptables firewall script
...copy/paste the whole thing here.
>
> https://github.com/kikinovak/centos-7-server-lan/blob/master/config/firewall/firewall-standalone.sh
>
> Under Slackware, the iptables rule for a local FTP server looked like this:
>
> modprobe ip_conntrack
> iptables -A INPUT -p tcp -i $IFACE_LAN --dport 21 -j ACCEPT
>
> I tried this, but to no avail. Can't connect to my server. I googled a
> bit, and I found out that there seem to be quite many different answers
> about the subject of "how do I configure my firewall for Vsftpd".
>
> Any suggestions ?
>...