Re: [CentOS] iptables & voip

On Mon, Sep 21, 2020 at 7:54 PM Gregory P. Ennis wrote: > > Everyone, > > I would like to use our gateway linux machine to give bandwidth preference to > voip udp > packets. Can anyone point me to a tutorial about the use of voip and > iptables? Arch Linux wiki has nice explanations and

[CentOS] iptables & voip

Everyone, I would like to use our gateway linux machine to give bandwidth preference to voip udp packets. Can anyone point me to a tutorial about the use of voip and iptables? I usually prefer to use iptables instead of firewalld. iptables is more intuitive, and easier to understand. Thanks

Re: [CentOS] Iptables rules not working

--On Friday, July 17, 2020 6:43 AM +0530 Kaushal Shriyan wrote: Please refer to my pastebin link https://paste.centos.org/view/cd55a9a6. Basically I want to allow the below mentioned ruleset on the server (CentOS Linux release 8.2.2004 (Core)) and drop the rest of the network traffic from

Re: [CentOS] Iptables rules not working

On Fri, Jul 17, 2020 at 2:41 AM Kenneth Porter wrote: > --On Thursday, July 16, 2020 10:41 PM +0530 Kaushal Shriyan > wrote: > > > I have run the below command but I am still able to connect from the > > internet. Do I need to add any drop traffic policy using nft? > > A single rule doesn't

Re: [CentOS] Iptables rules not working

--On Thursday, July 16, 2020 10:41 PM +0530 Kaushal Shriyan wrote: I have run the below command but I am still able to connect from the internet. Do I need to add any drop traffic policy using nft? A single rule doesn't tell us enough. Dump the entire firewall to a pastebin and post the

Re: [CentOS] Iptables rules not working

Am 16.07.20 um 18:11 schrieb Kaushal Shriyan: On Thu, Jul 16, 2020 at 9:25 PM Phil Perry wrote: On 16/07/2020 16:48, Kaushal Shriyan wrote: Hi, I am running CentOS Linux release 8.2.2004 (Core) on a remote server. I am running the below iptables command to allow SSH port 22 from a

Re: [CentOS] Iptables rules not working

be necessary. From: CentOS on behalf of Phil Perry Sent: Thursday, July 16, 2020 10:54 AM To: centos@centos.org Subject: [EXTERNAL] Re: [CentOS] Iptables rules not working CAUTION: This email originated from outside of the organization. Do not click links or open

Re: [CentOS] Iptables rules not working

On Thu, Jul 16, 2020 at 9:25 PM Phil Perry wrote: > On 16/07/2020 16:48, Kaushal Shriyan wrote: > > Hi, > > > > I am running CentOS Linux release 8.2.2004 (Core) on a remote server. I > am > > running the below iptables command to allow SSH port 22 from a specific > > source IP 219.91.200.59 > >

Re: [CentOS] Iptables rules not working

On 16/07/2020 16:48, Kaushal Shriyan wrote: Hi, I am running CentOS Linux release 8.2.2004 (Core) on a remote server. I am running the below iptables command to allow SSH port 22 from a specific source IP 219.91.200.59 iptables -A INPUT -m tcp -p tcp -s 219.91.200.59 --dport 22 -j ACCEPT

Re: [CentOS] Iptables rules not working

Am 16.07.2020 um 17:48 schrieb Kaushal Shriyan: Hi, I am running CentOS Linux release 8.2.2004 (Core) on a remote server. I am running the below iptables command to allow SSH port 22 from a specific source IP 219.91.200.59 iptables -A INPUT -m tcp -p tcp -s 219.91.200.59 --dport 22 -j ACCEPT

[CentOS] Iptables rules not working

Hi, I am running CentOS Linux release 8.2.2004 (Core) on a remote server. I am running the below iptables command to allow SSH port 22 from a specific source IP 219.91.200.59 iptables -A INPUT -m tcp -p tcp -s 219.91.200.59 --dport 22 -j ACCEPT > service iptables save The above iptables

Re: [CentOS] iptables - how to block established connections with fail2ban?

On 6/26/2019 2:41 AM, MRob wrote: > I am working to a CentOS 6 server with nonstandard iptables system without > rule for > ACCEPT ESTABLISHED connections. All tables and chains empty (flush by legacy > custom > script) so only filter/INPUT chain has rules (also fail2ban chain): > > Chain INPUT

Re: [CentOS] iptables - how to block established connections with fail2ban?

On 6/25/19 11:41 PM, MRob wrote: When fail2ban block a IP address, established connections are allowed to continue, but with no rule to accept established connections how is that possible? It doesn't look like it would be. 1: Open a connection that will demonstrate the problem later. 2:

Re: [CentOS] iptables - how to block established connections with fail2ban?

On 6/26/19 8:41 AM, MRob wrote: I am working to a CentOS 6 server with nonstandard iptables system without rule for ACCEPT ESTABLISHED connections. All tables and chains empty (flush by legacy custom script) so only filter/INPUT chain has rules (also fail2ban chain): Chain INPUT (policy

Re: [CentOS] iptables - how to block established connections with fail2ban?

On 2019-06-26 02:41, MRob wrote: I am working to a CentOS 6 server with nonstandard iptables system without rule for ACCEPT ESTABLISHED connections. All tables and chains empty (flush by legacy custom script) so only filter/INPUT chain has rules (also fail2ban chain): Chain INPUT (policy

[CentOS] iptables - how to block established connections with fail2ban?

I am working to a CentOS 6 server with nonstandard iptables system without rule for ACCEPT ESTABLISHED connections. All tables and chains empty (flush by legacy custom script) so only filter/INPUT chain has rules (also fail2ban chain): Chain INPUT (policy ACCEPT) target prot opt source

Re: [CentOS] : Iptables blocks out going connetion some times

Yes, I have double checked and am sure there is no IP address conflicts. Likun On 4/24/19 23:28, centos wrote: >On 4/24/19 10:31, likun wrote: >> Hello, Stephen, thank you for input. >> >> Yes, these servers have the same firewall rules, and both of them have the same problem from time to time,

Re: [CentOS] : Iptables blocks out going connetion some times

Yes, I have double checked and am sure there is no IP address conflicts. Likun On 4/24/19 23:28, centos wrote: >On 4/24/19 10:31, likun wrote: >> Hello, Stephen, thank you for input. >> >> Yes, these servers have the same firewall rules, and both of them have the same problem from time to time,

Re: [CentOS] Iptables blocks out going connetion some times

On Wed, 24 Apr 2019 at 06:01, likun wrote: > Hi，guys. > > There is a wierd problem with iptables recently, hopes somebody can help > me. > > I have installed Centos 7.2.1511 on a bare metal Dell server these days, > disabled firewalld and enabled iptables.services, and setup a group of very >

[CentOS] Iptables blocks out going connetion some times

Hi，guys. There is a wierd problem with iptables recently, hopes somebody can help me. I have installed Centos 7.2.1511 on a bare metal Dell server these days, disabled firewalld and enabled iptables.services, and setup a group of very simple rules, as the following: # iptables-save # Generated

[CentOS] iptables 2 firewalld

Y'all may remember me fighting this a few weeks back. I did finally succeed, and thought that my awk script might be helpful to others. Yes, it's really simple, it uses the build-in FORWARD chain. The line where I skip the definition of those chains is because it *is* built in. To use it, I did an

Re: [CentOS] iptables routing question when using multiple IP addresses

On Fri, Feb 16, 2018 at 02:54:02PM +, Ken Gramm wrote: > I've been searching around for a couple of days, and I just can't > seem to find the answer I'm looking for. > > > I have a 6.x box that I use as my gateway firewall. It has three > NICs; 1 external, 1 internal, 1 for a guest network.

[CentOS] iptables routing question when using multiple IP addresses

I've been searching around for a couple of days, and I just can't seem to find the answer I'm looking for. I have a 6.x box that I use as my gateway firewall. It has three NICs; 1 external, 1 internal, 1 for a guest network. I have various inbound traffic routed to separate internal

[CentOS] iptables

I have an old postfix server that was historically used by the campus as an outbound gateway. The campus is now supposed to use a different server running HAProxy with several backe-end postfix servers. I am using iptables on CentOS 7 to log and block smtp and submission traffic not coming

Re: [CentOS] iptables on C5

On 10/16/2016 05:39 PM, Jerry Geis wrote: I am running asterisk (11.23.0) on a C5 machine. Working fine on port 5060 udp. I have need to tcpenable=yes SIP and run that on port 5068. Since port 5060 is already running I was going to redirect 5068 to 5060. Oh, yuck. SIP includes information

[CentOS] iptables on C5

Hi all, I am trying to get iptables to work for me... I am running asterisk (11.23.0) on a C5 machine. Working fine on port 5060 udp. I have need to tcpenable=yes SIP and run that on port 5068. Since port 5060 is already running I was going to redirect 5068 to 5060. So I thought I could use

Re: [CentOS] Iptables not save rules

On Tue, 13 Sep 2016, TE Dukes wrote: -Original Message- From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of John R Pierce Sent: Sunday, September 11, 2016 10:44 PM To: centos@centos.org Subject: Re: [CentOS] Iptables not save rules On 9/11/2016 8:55 AM

Re: [CentOS] Iptables not save rules

On Tue, Sep 13, 2016 at 08:16:28AM -0400, TE Dukes wrote: > > > > -Original Message- > > From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On > > Behalf Of John R Pierce > > Sent: Sunday, September 11, 2016 10:44 PM > > To: centos

Re: [CentOS] Iptables not save rules

> -Original Message- > From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On > Behalf Of John R Pierce > Sent: Sunday, September 11, 2016 10:44 PM > To: centos@centos.org > Subject: Re: [CentOS] Iptables not save rules > > On 9/11/2016 8:55 AM, TE

Re: [CentOS] Iptables not save rules

On 9/11/2016 8:55 AM, TE Dukes wrote: I have been using ipset to blacklist badbots. Works like a champ! The only problem is if I do a system reboot, I lose the ipset and the rule. I changed /etc/sysconfig/iptables.conf to: IPTABLES_SAVE_ON_RESTART="yes" IPTABLES_SAVE_ON_STOP="yes" And

[CentOS] Iptables not save rules

Hello, I have been using ipset to blacklist badbots. Works like a champ! The only problem is if I do a system reboot, I lose the ipset and the rule. I changed /etc/sysconfig/iptables.conf to: IPTABLES_SAVE_ON_RESTART="yes" IPTABLES_SAVE_ON_STOP="yes" And followed the instructions in:

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

On Fri, 2016-07-01 at 07:16 +0100, Ned Slider wrote: > -A Forward -p all -i LAN-NIC -o INET-NIC -j ACCEPT If one requires all protocols, surely '-p all' is not required because it is the default ? -- Regards, Paul. England, EU. England's place is in the European Union.

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

On Fri, Jul 1, 2016 at 2:16 AM, Ned Slider wrote: > > Try running: > > iptables -nv -L Yes! Much sunlight awakening crusty synapses here. :-) > > The first thing I would do is move your ESTABLISHED,RELATED rule to the top > of the chain. Once you've accepted the first

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

On 30/06/16 23:19, Mike wrote: Ned, Thank you very much for the response. Great example following through on the premise. It sounds like I need to have a better understanding of the traffic patterns on my network to know the optimal order for iptables filtering rules. Try running:

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

Ned, Thank you very much for the response. Great example following through on the premise. It sounds like I need to have a better understanding of the traffic patterns on my network to know the optimal order for iptables filtering rules. My brief example - Premise: I want to limit outsiders

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

On 30/06/16 18:49, Mike wrote: On Wed, Jun 29, 2016 at 1:49 PM, Gordon Messmer wrote: By putting these rules first, before the "ESTABLISHED,RELATED" rule, you're applying additional processing (CPU time) to the vast majority of your packets for no reason. The

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

On Wed, Jun 29, 2016 at 1:49 PM, Gordon Messmer wrote: > > By putting these rules first, before the "ESTABLISHED,RELATED" rule, you're > applying additional processing (CPU time) to the vast majority of your > packets for no reason. The "E,R" rule should be first. It

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

On 06/29/2016 05:19 PM, Always Learning wrote: Later he adds to that empty iptables configuration. Long-winded, but nothing wrong. Saving doesn't "add" to the empty configuration, it replaced the empty config. I didn't say it was wrong, I said the saved rules are thrown away. The initial

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

On 30/06/16 02:37, Leon Vergottini wrote: Thank you once again to all. I have learned a lot from you replies. And I from you. The funny thing is that I have my rule set with exactly the same default DROP policy for all chains and several DROP rules at the beginning of my script. I must

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

On Wed, 2016-06-29 at 10:49 -0700, Gordon Messmer wrote: > On 06/29/2016 03:00 AM, Leon Vergottini wrote: > > #!/bin/bash > > > > # RESET CURRENT RULE BASE > > iptables -F > > service iptables save > Why would you save the existing rule set? This script throws it away > later, when it runs

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

On 06/29/2016 12:51 PM, Dennis Jacobfeuerborn wrote: On 29.06.2016 12:00, Leon Vergottini wrote: # -- # SAVE & APPLY # -- service iptables save service iptables restart You shouldn't

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

On 29.06.2016 12:00, Leon Vergottini wrote: > Dear Members > > I hope you are all doing well. > > I am busy teaching myself iptables and was wondering if I may get some > advise. The scenario is the following: > > >1. Default policy is to block all traffic >2. Allow web traffic and

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

On 06/29/2016 03:00 AM, Leon Vergottini wrote: #!/bin/bash # RESET CURRENT RULE BASE iptables -F service iptables save Why would you save the existing rule set? This script throws it away later, when it runs save again. # MOST COMMON ATTACKS iptables -A INPUT -p tcp --tcp-flags ALL

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

Dear Members Thank you for your replies. @Anthony K. -- One of the articles that I have read mentioned that the file gets read from the top to bottom and apply the rules accordingly. In addition the article also explained that if there is no matching rule, the default policy will be applied.

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

Hello Leon. In addition to everything else mentioned in this thread, I'd recommend you a great book on the topic. "Attack Detection and Response with iptables, psad, and fwsnort by Michael Rash" It contains a really nice and detailed guide on iptables and most common attacks, nmap, psad and

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

On Wed, 29 Jun 2016, Leon Vergottini wrote: I am busy teaching myself iptables [] How secure is this setup? Is there any mistakes or things that I need to look out for? It's only as secure as your web stack (and, in your case, SSH configuration). Packet filtering is a necessary

Re: [CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

On 29/06/16 20:00, Leon Vergottini wrote: # DEFAULT FIREWALL POLICY iptables -P INPUT DROP iptables -P FORWARD DROP iptables -P OUTPUT DROP # -- # INPUT CHAIN RULES # -- # MOST COMMON

[CentOS] [CENTOS ]IPTABLES - How Secure & Best Practice

Dear Members I hope you are all doing well. I am busy teaching myself iptables and was wondering if I may get some advise. The scenario is the following: 1. Default policy is to block all traffic 2. Allow web traffic and SSH 3. Allow other applications I have come up with the

Re: [CentOS] IPtables block user from outbound ICMP

On Thu, 2016-02-25 at 07:19 +, James Hogarth wrote: > Well if you really want to call it a problem... Blocking ICMP via a host > based firewall remains pretty silly. On all servers I used IPtables to block (DROP) all incoming ICMPs except:- type 0 state RELATED,ESTABLISHED type 3 state

Re: [CentOS] IPtables block user from outbound ICMP

On 25 Feb 2016 00:30, "John Cenile" wrote: > > Thanks all, that seemed to be the problem (the suid bit). :) Well if you really want to call it a problem... Blocking ICMP via a host based firewall remains pretty silly. Bear in mind that since it's a file permission this

Re: [CentOS] IPtables block user from outbound ICMP

> >> - Mail original - > >>> De: "John Cenile" <jcenile1...@gmail.com> > >>> À: "centos" <centos@centos.org> > >>> Envoyé: Mercredi 24 Février 2016 15:42:36 > >>> Objet: [CentOS] IPtables block user from

Re: [CentOS] IPtables block user from outbound ICMP

On Wed, February 24, 2016 12:25 pm, Alexander Dalloz wrote: > Am 24.02.2016 um 16:07 schrieb Sylvain CANOINE: >> Hello, >> - Mail original - >>> De: "John Cenile" <jcenile1...@gmail.com> >>> À: "centos" <centos@centos.org> &

Re: [CentOS] IPtables block user from outbound ICMP

Am 24.02.2016 um 15:42 schrieb John Cenile: Hello, Is it possible at all to block all users other than root from sending outbound ICMP packets on an interface? At the moment we have the following two rules in our IPtables config: iptables -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT

Re: [CentOS] IPtables block user from outbound ICMP

Am 24.02.2016 um 16:07 schrieb Sylvain CANOINE: Hello, - Mail original - De: "John Cenile" <jcenile1...@gmail.com> À: "centos" <centos@centos.org> Envoyé: Mercredi 24 Février 2016 15:42:36 Objet: [CentOS] IPtables block user from outbound ICMP Is

Re: [CentOS] IPtables block user from outbound ICMP

On 02/24/2016 06:42 AM, John Cenile wrote: Is it possible at all to block all users other than root from sending outbound ICMP packets on an interface? That is, more or less, the default. In order to send ICMP packets, an application must be root, or must have the CAP_NET_RAW capability (as

Re: [CentOS] IPtables block user from outbound ICMP

Hello, - Mail original - > De: "John Cenile" <jcenile1...@gmail.com> > À: "centos" <centos@centos.org> > Envoyé: Mercredi 24 Février 2016 15:42:36 > Objet: [CentOS] IPtables block user from outbound ICMP > Is it possible at all to block al

[CentOS] IPtables block user from outbound ICMP

Hello, Is it possible at all to block all users other than root from sending outbound ICMP packets on an interface? At the moment we have the following two rules in our IPtables config: iptables -A OUTPUT -o eth1 -m owner --uid-owner 0 -j ACCEPT iptables -A OUTPUT -o eth1 -j DROP But this

[CentOS] IPTABLES question

Would someone please explain to me the difference in effect between the following two IPTABLES conditions and the significance thereof in concurrent connection limiting? --tcp-flags SYN,ACK,FIN,RST SYN -j REJECT \ --connlimit-above 3 --connlimit-mask 32 --state NEW -j REJECT \

Re: [CentOS] IPTABLES question

James B. Byrne byrnejb@... writes: Would someone please explain to me the difference in effect between the following two IPTABLES conditions and the significance thereof in concurrent connection limiting? --tcp-flags SYN,ACK,FIN,RST SYN -j REJECT \ --connlimit-above 3 --connlimit-mask

Re: [CentOS] Iptables config removed with 7.1 update

On Thu, 2015-04-02 at 22:42 -0600, Paul R. Ganci wrote: I had turned off firewalld and was using iptables when I originally installed CentOS 7.0. Two days ago I upgraded my CentOS 7.0 to 7.1. Everything seemed to be fine. Today I discovered that my iptables configuration was removed with

[CentOS] iptables marking and NAT issue

Hello all, It appears that, for some reason I have thus far failed to understand when you use marking in iptables you then run into troubles if you attempt to do NAT (MAQUERADE). Let me describe this in more detail. We are attempting to use a network test environment named ATCD running it on a

Re: [CentOS] Iptables config removed with 7.1 update

No there was nothing. Having said that I think I was having a senior moment. I have two servers on which I am testing 7.x. These are isolated machines that if I had to I could just wipe and start over. On one machine the /etc/sysconfig/iptables was intact after the upgrade. On the other it

[CentOS] Iptables config removed with 7.1 update

I had turned off firewalld and was using iptables when I originally installed CentOS 7.0. Two days ago I upgraded my CentOS 7.0 to 7.1. Everything seemed to be fine. Today I discovered that my iptables configuration was removed with the update. Has anyone else experienced this on doing

Re: [CentOS] Iptables config removed with 7.1 update

On Thu, 02 Apr 2015 22:42:02 -0600 Paul R. Ganci wrote: Literally the /etc/sysconfig/iptables is gone and the /etc/sysconfig/iptables-config is the blank template that comes with the distribution. This seems to me to be a serious bug with the upgrade. Do you have a .rpmsave file in that

Re: [CentOS] iptables question

​+1​ On Tue, Jun 17, 2014 at 9:41 AM, James B. Byrne byrn...@harte-lyne.ca wrote: On Mon, June 16, 2014 23:34, Chuck Campbell wrote: I appreciate you restating this. I'll try to go make sense of iptables, given the insight, Keep in mind that there are three default chains, INPUT,

Re: [CentOS] iptables question

On Mon, June 16, 2014 23:34, Chuck Campbell wrote: I appreciate you restating this. I'll try to go make sense of iptables, given the insight, Keep in mind that there are three default chains, INPUT, OUTPUT and FORWARD that are used to initiate the packet path through IPTABLES and that they

Re: [CentOS] iptables question

On 06/17/2014 10:41 AM, James B. Byrne wrote: On Mon, June 16, 2014 23:34, Chuck Campbell wrote: I appreciate you restating this. I'll try to go make sense of iptables, given the insight, Keep in mind that there are three default chains, INPUT, OUTPUT and FORWARD that are used to initiate

Re: [CentOS] iptables question

On 6/16/2014 11:08 PM, John R Pierce wrote: On 6/16/2014 8:52 PM, Chuck Campbell wrote: I ran a script after fail2ban was started. It looks like this: #!/bin/sh iptables -A INPUT -s 116.10.191.0/24 -j DROP iptables -A INPUT -s 183.136.220.0/24 -j DROP iptables -A INPUT -s 183.136.221.0/24 -j

Re: [CentOS] iptables question

On 6/17/2014 2:14 PM, Chuck Campbell wrote: I'll experiment with that when I am physically in front of the server, instead of remote from it. I would have had no quick remedy if I messed it up. thats why all my servers have remote consoles :) -- john r pierce

Re: [CentOS] iptables question

On 6/16/2014 15:58, Chuck Campbell wrote: If they keep going through this ip block, they will still get 255 attempts at the root password and 1020 attempts at other login/password combinations before they are blocked by fail2ban. I'm glad you got your firewall problem sorted out, but I can't

Re: [CentOS] iptables question

On 6/17/2014 6:39 PM, Warren Young wrote: On 6/16/2014 15:58, Chuck Campbell wrote: If they keep going through this ip block, they will still get 255 attempts at the root password and 1020 attempts at other login/password combinations before they are blocked by fail2ban. I'm glad you got

Re: [CentOS] iptables question

On 6/17/2014 19:35, Chuck Campbell wrote: I haven't done the load stats, but it appears to me that a hundred of these crackers hitting my machine at these rates is likely to deny my legit users some resources. So increase the fail2ban time from the default (5 minutes, as I recall) to 1 hour,

[CentOS] iptables question

I'm running fail2ban to attempt to block malicious brute-force password dictionary attacks against ssh. They seem to be rolling through a block of ip addresses as the source to defeat this kind of screening, so I've set some ip addresses to be blocked in iptables. Here is the output of iptables -L

Re: [CentOS] iptables question

On Mon, 2014-06-16 at 16:58 -0500, Chuck Campbell wrote: I'm running fail2ban to attempt to block malicious brute-force password dictionary attacks against ssh. You could:- (1) Change the SSHD port to something obscure. (2) Restrict access to the SSHD port, using iptables, to a group of

Re: [CentOS] iptables question

On Mon, 16 Jun 2014 16:58:18 -0500 Chuck Campbell wrote: Why is this ip range still able to attempt connections? Have I done something wrong with my address ranges, or added them in the wrong place? Have you considered taking the opposite approach and allowing only the IP addresses that you

Re: [CentOS] iptables question

On 6/16/2014 2:58 PM, Chuck Campbell wrote: Chain INPUT (policy ACCEPT) target prot opt source destination fail2ban-VSFTPD tcp -- anywhere anywheretcp dpt:ftp fail2ban-SSH tcp -- anywhere anywheretcp dpt:ssh

Re: [CentOS] iptables question

On 06/17/2014 01:11 AM, John R Pierce wrote: On 6/16/2014 2:58 PM, Chuck Campbell wrote: Chain INPUT (policy ACCEPT) target prot opt source destination fail2ban-VSFTPD tcp -- anywhere anywheretcp dpt:ftp fail2ban-SSH tcp -- anywhere

Re: [CentOS] iptables question

On 06/17/2014 01:46 AM, Bret Taylor wrote: Get rid of fail2ban, it's not needed. Just write a proper firewall. Are you series?? There are applications that fail2ban offers them things which others just can't.. If you can email me the ip for your servers and also the root password and allow me

Re: [CentOS] iptables question

[previous article hasn't appeared on gmane yet] On 2014-06-16, Eliezer Croitoru elie...@ngtech.co.il wrote: On 06/17/2014 01:46 AM, Bret Taylor wrote: Get rid of fail2ban, it's not needed. Just write a proper firewall. Are you series?? There are applications that fail2ban offers them things

Re: [CentOS] iptables question

All of the suggestions are graciously accepted, however, I was actually asking what I was doing wrong with iptables, and why, with the rules I put in place, someone was still able to connect to my machine. I understand there might be better ways, but if I don't understand what I did wrong last

Re: [CentOS] iptables question

On Mon, 2014-06-16 at 21:42 -0500, Chuck Campbell wrote: All of the suggestions are graciously accepted, however, I was actually asking what I was doing wrong with iptables, and why, with the rules I put in place, someone was still able to connect to my machine. I understand there might

Re: [CentOS] iptables question

On 6/16/2014 9:44 PM, Earl Ramirez wrote: On Mon, 2014-06-16 at 21:42 -0500, Chuck Campbell wrote: All of the suggestions are graciously accepted, however, I was actually asking what I was doing wrong with iptables, and why, with the rules I put in place, someone was still able to connect to

Re: [CentOS] iptables question

As John R Pierce mentioned one of your first rule in the chain is RH-Firewall-1-INPUT all -- anywhere anywhere, this simply mean everything with DROP after it will be ignored. iptables will work its way down the chain, therefore you have to options 1. remove that line or 2.

Re: [CentOS] iptables question

On 6/16/2014 8:52 PM, Chuck Campbell wrote: I ran a script after fail2ban was started. It looks like this: #!/bin/sh iptables -A INPUT -s 116.10.191.0/24 -j DROP iptables -A INPUT -s 183.136.220.0/24 -j DROP iptables -A INPUT -s 183.136.221.0/24 -j DROP iptables -A INPUT -s 183.136.222.0/24

[CentOS] iptables

I ran: iptables -L and see this: Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT all -- anywhere anywherestate RELATED,ESTABLISHED ACCEPT icmp -- anywhere anywhere ACCEPT all -- anywhere

Re: [CentOS] iptables

On 11/5/2013 3:55 PM, Wes James wrote: I ran: iptables -L incomplete output. try... iptables -L -vn and you'll probably see that reject is for a specific packet type. the v is for verbose, the n is for numeric output (no DNS lookup) -- john r pierce

Re: [CentOS] iptables

On Tue, Nov 5, 2013 at 5:22 PM, John R Pierce pie...@hogranch.com wrote: On 11/5/2013 3:55 PM, Wes James wrote: I ran: iptables -L incomplete output. try... iptables -L -vn and you'll probably see that reject is for a specific packet type. the v is for verbose, the n is for numeric

[CentOS] iptables settings for X11 forwarding in CentOS 6.2

Hi, We recently installed CentOS 6.2 on our cluster. During the installation/debugging of various secondary software, we had disabled iptables. When we re-enabled them, we found that the front-end would no longer X11 forward (although it does so when the iptables are off). What do we need to

Re: [CentOS] iptables settings for X11 forwarding in CentOS 6.2

On Fri, Mar 29, 2013 at 11:34 AM, Pat Haley pha...@mit.edu wrote: Hi, We recently installed CentOS 6.2 on our cluster. During the installation/debugging of various secondary software, we had disabled iptables. When we re-enabled them, we found that the front-end would no longer X11

Re: [CentOS] iptables settings for X11 forwarding in CentOS 6.2

Hi, Actually we're talking about both SSH and XDMCP X11 forwarding. Both seem to be currently disabled by the iptables. We'll try out what you suggest and get back with the results. Thanks. Pat On Fri, Mar 29, 2013 at 11:34 AM, Pat Haley pha...@mit.edu wrote: Hi, We recently installed

Re: [CentOS] iptables settings for X11 forwarding in CentOS 6.2

On Fri, Mar 29, 2013 at 12:37 PM, Pat Haley pha...@mit.edu wrote: Hi, Actually we're talking about both SSH and XDMCP X11 forwarding. Both seem to be currently disabled by the iptables. We'll try out what you suggest and get back with the results. Thanks. Pat iptables should have no

Re: [CentOS] iptables settings for X11 forwarding in CentOS 6.2

On Fri, Mar 29, 2013 at 1:09 PM, zGreenfelder zgreenfel...@gmail.comwrote: On Fri, Mar 29, 2013 at 12:37 PM, Pat Haley pha...@mit.edu wrote: Hi, Actually we're talking about both SSH and XDMCP X11 forwarding. Both seem to be currently disabled by the iptables. We'll try out what

Re: [CentOS] iptables settings for X11 forwarding in CentOS 6.2

On Sat, Mar 30, 2013 at 12:54 PM, SilverTip257 silvertip...@gmail.comwrote: On Fri, Mar 29, 2013 at 1:09 PM, zGreenfelder zgreenfel...@gmail.com wrote: On Fri, Mar 29, 2013 at 12:37 PM, Pat Haley pha...@mit.edu wrote: Hi, Actually we're talking about both SSH and XDMCP X11

Re: [CentOS] iptables port forwarding

From: Earl A Ramirez earlarami...@gmail.com To: CentOS mailing list centos@centos.org Sent: Tuesday, December 4, 2012 3:25 PM Subject: Re: [CentOS] iptables port forwarding On 5 December 2012 03:38, Joseph Spenner joseph85...@yahoo.com wrote: I have a simple

Re: [CentOS] iptables 1.4 and kernel 2.6 CONFIG_IP_NF_MATCH_STATE

=?ISO-8859-1?Q?Miguel_Gonz=E1lez_Casta=F1os?= wrote on Tue, 04 Dec 2012 02:09:26 +0100: How can I enable that CONFIG_IP_NF_MATCH_STATE support in my kernel? Sounds like your are not running the standard kernel, but something provided by your VPS provider. If that is indeed the case you have

[CentOS] iptables port forwarding

I have a simple requirement/test I'm trying to perform, but having difficulty. I have a system with 2 interfaces, BoxA: eth0  172.26.50.102 eth1  192.101.77.62 My goal is to have a tcp port built on BoxA such that hosts on the 192.101.77.0/24 network can reach a port on a different box on the

Re: [CentOS] iptables port forwarding

On 5 December 2012 03:38, Joseph Spenner joseph85...@yahoo.com wrote: I have a simple requirement/test I'm trying to perform, but having difficulty. I have a system with 2 interfaces, BoxA: eth0 172.26.50.102 eth1 192.101.77.62 My goal is to have a tcp port built on BoxA such that

[CentOS] iptables 1.4 and kernel 2.6 CONFIG_IP_NF_MATCH_STATE

Hi, I have a VPS running Centos 6.2 and trying to run this iptables rule: [root@myserver ~]# iptables -A INPUT -i venet0 -m state --state ESTABLISHED -j ACCEPT iptables: No chain/target/match by that name. Narrowing down the issue it seems there is no IP_CONNTRACK support but now

[CentOS] iptables: recent nolonger supported in Centos 5.8?!

Helo, we use recent to control ip traffic. kernel 2.6.18-308.13.1.el5 : all is OK kernel 2.6.18-308.16.1.el5 : the first recent statement causes an error. E.g.: iptables -A INPUT -m state --state NEW -m recent --set -p tcp --dport 80 iptables: Unknown error 18446744073709551615 The man pages

Re: [CentOS] iptables: recent nolonger supported in Centos 5.8?!

On 11/09/2012 02:07 PM, Helmut Drodofsky wrote: Helo, we use recent to control ip traffic. kernel 2.6.18-308.13.1.el5 : all is OK kernel 2.6.18-308.16.1.el5 : the first recent statement causes an error. E.g.: iptables -A INPUT -m state --state NEW -m recent --set -p tcp --dport 80

  1   2   3   4   5   >