Unanswered Questions

2,012 questions with no upvoted or accepted answers
6 votes
0 answers
14k views

Squid transparent proxy for HTTPS / SSL traffic

I am trying to configure Squid as a transparent proxy. I followed the steps below to configure it: Downloaded Squid 3.5 from the website, as Squid 3.1 will not support SSL bump ./configure --enable-linux-...
6 votes
0 answers
3k views

Why is the first of two post-up commands for routing in interfaces configuration not automatically processed

We managed to connect our servers to two distinct networks and everything works fine. We use routing rules that ensure that server responds to the right network. I followed the instructions under ...
5 votes
2 answers
12k views

What is the purpose of TPROXY, how should you use it and what happens internally?

After reading a bit about TPROXY (e.g. at https://www.kernel.org/doc/html/latest/networking/tproxy.html ) I now have more questions than answers. I actually don't even know what TPROXY should do... ...
5 votes
0 answers
2k views

Ports exposed by docker container are shown as filtered - unable to connect

I am working on a fresh server installation of Ubuntu 20.04. I started a sample nginx by running docker run --rm -p 80:80 nginx. Port 80 appears to be open on the machine, but I can't curl the nginx default ...
5 votes
0 answers
811 views

How to route server_A's internet traffic through server_B using a GRE Tunnel?

I have two Linux servers. I want to use a GRE tunnel to route all internet traffic from ClientBox through a tunnel to GatewayBox, so that, to the rest of the internet, my ClientBox appears to be ...
5 votes
0 answers
3k views

Clarification regarding Deep Packet Inspection in the Linux Kernel's Netfilter section

The Linux Kernel provides Netfilter as a mechanism for both NAT and firewall functionality. Both of those functionalities require analysis and classification of incoming packets, which is dubbed "...
5 votes
1 answer
1k views

IPset Alternatives and Firewall Management

I have CentOS 7, Plesk 12, 8GB RAM VPS. I have around 1000 rules in my IPtables to block abusive users. But when reloading IPtables it takes 15 seconds to reload all 1000 rules. First of all, is it ...
5 votes
0 answers
12k views

Linux ipv6 forwarding

Situation I know how to do ipv4 forwarding, and expected ipv6 forwarding to work pretty much the same way. So I configured a VirtualBox host with the network address configured from my ISP. Right now,...
5 votes
1 answer
4k views

Running snort behind iptables

I run a CentOS 6.5 server with a highly restrictive iptables ruleset allowing incoming traffic only on a small handful of TCP ports (8 in total) and blocking all incoming unsolicited UDP traffic. I ...
5 votes
1 answer
7k views

strongswan VPN on OpenWrt

Hi, I'm running the Barrier Breaker version of OpenWRT and I have set up a VPN according to: http://wiki.openwrt.org/inbox/strongswan.howto I can connect to the VPN with my iPhone or Mac (to 10.10.1.0/24 ...
5 votes
1 answer
3k views

Possible for linux bridge to intercept traffic?

I have a Linux machine set up as a bridge between a client and a server; brctl addbr br0 brctl addif br0 eth1 brctl addif br0 eth2 ifconfig eth1 0.0.0.0 ifconfig eth2 0.0.0.0 ip link set br0 up I also ...
4 votes
0 answers
313 views

Mitigating a DDoS attack on a TOR server

Running a political blog over the TOR network with a .onion domain name, I have been getting DDoS attacks. I know how to mitigate an attack on the clear net where the packets come from normal IP addresses, ...
4 votes
1 answer
1k views

iptables u32 can match 4 bytes maximum?

I would like to match RDP packet with mstshash cookie with u32 iptable's ext. on Debian Jessie with Linux version 3.16.0-4-amd64 ([email protected]) (gcc version 4.8.4 (Debian 4.8.4-1) )...
4 votes
0 answers
578 views

Block incoming traffic in bonding mode when primary interface is down

My server, running on the latest kernel (4.4.6), has a bond device (bond0) configured with two enslaved interfaces eth0, wlan0, with primary interface eth0. cat /proc/net/bonding/bond0 Ethernet Channel ...
4 votes
1 answer
420 views

Reject all except for whitelist policy with firewalld

I've been reading on firewalld for about the whole morning, and I came up with the following public zone: <?xml version="1.0" encoding="utf-8"?> <zone> <short>Public</short> ...
4 votes
1 answer
568 views

Can't firewalld replace iptables?

I used iptables on CentOS 6.5 and tried to translate the iptables rules into firewalld rules on CentOS 7. However, with firewalld, I have discovered I am unable to drop packets in invalid states create ...
4 votes
1 answer
4k views

How do iptables work with NFQ in terms of traffic shaping in snort?

I'm trying to understand how iptables and NFQ work together with snort. The reason that I ask this is because from what I understand snort can be set to IPS via NFQ but if you have iptables there ...
4 votes
0 answers
11k views

Transparent Proxy squid TCP_MISS/503 Error in all pages

I'm trying to make a squid proxy server work as a transparent proxy server, and I'm facing some issues that I'm unable to figure out the reasons for. The setup I'm using is several VLANs with ...
4 votes
1 answer
4k views

SNMP query - operation not permitted

I am working on API that reads a lot of data via SNMP (routes, interfaces, QoS policies, etc...). Lately, I have experienced a random error stating: Operation not permitted Now, I use SNMP4J as core ...
4 votes
0 answers
4k views

ip6tables port redirect with TPROXY on IPv6 only

Our server is IPv6-only connected and an application listens on port 8080 on the private network, but we need port 80 on the public Internet. For the purpose of testing, when opening the firewall for port 8080, ...
4 votes
0 answers
12k views

iptables - mark and route certain packets

Relevant to this reference http://lartc.org/howto/lartc.netfilter.html I want to mark packets sent to a certain port (80 for simplicity's sake) and route them to tun0 (which is created by openvpn). ...
4 votes
2 answers
8k views

Packets marked INVALID in FORWARD rule

I have a firewall that has 3 IP aliases on 1 physical interface. Packets get dropped between these 3 interfaces (either ICMP, HTTP, or anything else). We tracked it down to these packets being marked ...
4 votes
1 answer
648 views

Monitoring Linux Kernel Space Processing

I'm running two "services" that are served in linux kernel-space: Linux Netfilter Firewall ("iptables") Linux Virtual Server Loadbalancer ("IPVS", "LVS") Now I want to (performance-)monitor my "...
3 votes
2 answers
5k views

netplan does not implement the route to gateway, in Ubuntu 22.04

sorry if this is trivial ... but I do not seem to be able to get netplan to set the proper route to the default gateway. I have to manually set it using 'sudo route add default gw [...]' to enable the ...
3 votes
0 answers
594 views

How to redirect tailscale to shadowsocks

How to redirect tailscale traffic (TCP+UDP) through a shadowsocks proxy on Linux? I've tried ss-redirect with no success.
3 votes
0 answers
4k views

Tuning Linux router and server for better performance / solving single TCP connection slow speed

I have the simplest/most common network architecture. A web server sits behind a router on the local network. This router does iptables DNAT so port forwarding to the web server is achieved. Therefore, I'm able to ...
3 votes
1 answer
969 views

ufw deny from ip doesn't work

I know that I should setup fail2ban but at the moment I want to deny access from one IP address and tried the following ufw command: sudo ufw insert 1 deny from xx.xx.xx.xx to any Here's the output ...
3 votes
1 answer
355 views

Can iptables drop all packets with identical source and destination ports?

I have recently encountered some malicious TCP traffic that came in with a destination of port 80, and also with a source port of 80. This traffic is obviously invalid, and would be so for any ...
3 votes
0 answers
2k views

Adding some delay to a specific port on localhost using tc and netem

I'm going to simulate network latency on three different ports of localhost by using tc (traffic control for Linux) commands. I run the following code: #!/bin/bash tc qdisc add dev lo root handle 1:...
3 votes
0 answers
1k views

GeoIP vs IPset performance in iptables

I would like to ask you what is faster in terms of performance, GeoIP or IPset. Let me explain: imagine that I have the rule: iptables -A INPUT -m geoip ! --src-cc US,UK,CA -j DROP And imagine that I ...
3 votes
1 answer
11k views

Using iptables TPROXY instead of REDIRECT

I'm running Debian 8. I'm trying to intercept all packets, and am currently using iptables for this: iptables -t nat -A PREROUTING -p tcp -j REDIRECT --to-port 5000 This seems to work, but it ...
3 votes
0 answers
88 views

How to know which program is modifying iptables?

I noticed that at some random time, my iptables rules are flushed, or not matching what I set up. I'm the only user of this server, so it is not another user, but it is another program I guess. How to know ...
3 votes
1 answer
1k views

Why does the 'nomatch' option of ipset not work in this case?

I am using ipset 6.23-2 on Debian Jessie. I created a hash:net set for and an iptables rule to drop all traffic for addresses in the set. Chain INPUT (policy ACCEPT) target prot opt source ...
3 votes
0 answers
4k views

Two NICs docker host, fixed container source IP, no connection to second subnet

We have the following scenario, a docker host with two NICs in two subnets, ens8: IP 192.168.100.74/24 and ens9: IP 172.20.102.24/25, the default bridge docker0 IP 172.17.0.1/16 and a second bridge ...
3 votes
1 answer
514 views

iptables block IP for x hours not working?

On my Linux server, I want to ban IPs that access certain ports for 24 hours using IPtables. For this, I use the following IPtables rules: # Check if IP is on banlist, if yes then drop -A INPUT -m ...
3 votes
0 answers
1k views

iptables match forwarded packet if src address is in same network as dst address

I am looking for a way in iptables to match forwarded packets where the source address is in the same network as the destination address, without specifying the network. Of course, when I specify the ...
3 votes
2 answers
6k views

Forward traffic into docker container/VM

I have a pretty beefy machine at my disposal running Ubuntu 16.04 Server. It's running several docker containers and virtual machines (using VirtualBox) referred to as VMs hereafter. At the moment the ...
3 votes
1 answer
4k views

In docker, what are these POSTROUTING iptables rules for?

Docker creates a MASQUERADE iptables rule for every container that has an exposed port (in this example I have 5 containers with exposed port 3500): sudo iptables -t nat -L -v -n <snip> Chain ...
3 votes
0 answers
2k views

WhatsApp call blocking

I'm managing a small network and I'm requested to block WhatsApp calls without blocking its messaging features. As they provide their public IP addresses I thought it'd be straightforward to add some ...
3 votes
1 answer
2k views

ip6tables blocking outgoing+incoming connections

I just changed to a server with IPv6 and therefore I changed my firewall script. Changing my iptables script to ip6tables does not seem to work though. This is the IPv6 part which neither allows ...
3 votes
1 answer
2k views

Iptables u32 matching nat

I'm currently setting up IPtables to redirect certain UDP payloads to my application. Here is an example of what I have working so far: iptables -t nat -I PREROUTING -p udp -d {IPDST} --dport 27055 -...
3 votes
0 answers
2k views

policy routing for local outgoing connections

I have a multihomed setup with two upstream providers. And I want to confine some connections to use only one provider — local outgoing connections, that is. So, I've made a custom routing table, which ...
3 votes
0 answers
1k views

IPTables DNAT Exemption

TL;DR - I'm looking for a way to send all my external traffic through a proxy server but not send all my internal traffic through a proxy server. How can I achieve this? My end goal is to forward ...
3 votes
1 answer
933 views

How to configure the collectd aggregate plugin to aggregate output from IPTable::Plugin?

I have enabled the CollectD:IPTables plugin to track traffic to two different server groups: LoadPlugin iptables <Plugin iptables> Chain "filter" "TRACK_TRAFFIC_SERVER_A" "...
3 votes
3 answers
3k views

Bind docker container ports only to specific outside server address

This is the first time I address such a network "problem" to solve with docker and I need some input. This is my situation: Ubuntu 14.04 running NginX, ufw as firewall and docker containers to run ...
3 votes
0 answers
1k views

Understanding packets dropped by iptables from puppetmaster

I am seeing packets getting dropped during my puppet client runs on a semi-regular basis, and I do not understand what is causing this. I should mention that Puppet is managing the firewall rules ...
3 votes
0 answers
890 views

forward vpn traffic from tun1 to tun0

I've been banging my head on this for a while and gave up trying to figure it out. My knowledge about routing and iptables is just too limited to understand this it seems. I have configured a split ...
3 votes
0 answers
625 views

How to split traffic through two different network adapters based on TCP port in OS X

I have a scenario where we will be using a Mac to stream video content to an RTMP server. This RTMP service provides 2 ingest URLs so that you can upload the same video content twice and have ...
3 votes
2 answers
2k views

Can't change source IP address (to floating IP) for UDP outgoing packets

I'm having trouble getting a cluster to work using pacemaker and corosync. Here is my hardware configuration: Network: 192.168.3.0/255.255.255.0 Gateway: 192.168.3.1 node1 (Ubuntu Server 12.04 x64) ...
3 votes
0 answers
3k views

Does netfilter reassemble IP fragments when packet is forwarded?

An IP datagram should be reassembled at the end of the path because the fragments may arrive via different paths. I think Netfilter needs to reassemble an IP datagram to inspect the whole payload ...