iptables – Configuration to choose the hardware interface for the request?

I have a Linux machine (Debian 10) with 3 hardware interfaces connected to the Internet, 2 of them USB modems; ifconfig output: https://termbin.com/st3r

wlan0 is the default interface here. When I try curl --interface ppp1 ifconfig.me or curl --interface ppp0 ifconfig.me, the request times out. With sudo, sudo curl --interface ppp1 ifconfig.me gives me an answer, but the equivalent for ppp0 times out. What are the right routing rules to add to be able to select the hardware interface to route through?

Current routing rules: https://termbin.com/wi9b
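
Policy routing is the usual way to get the behaviour this question asks for. The script below is an added example, not part of the question or of any answer to it: it builds one routing table per uplink plus a rule keyed on that uplink's own source address, so that a socket merely bound to that address is routed out of the matching interface instead of the default one. It assumes that unprivileged curl --interface ends up binding the interface's address (its first choice, SO_BINDTODEVICE, needs CAP_NET_RAW on the 4.19 kernel Debian 10 ships, which is consistent with the sudo difference observed above). Interface names, table numbers and addresses are constructed; take the real ones from the ifconfig output.

```shell
#!/bin/sh
# Added example, not part of the original question: one routing table per
# uplink, plus a policy rule that sends packets carrying that uplink's own
# address through it. Interface names, table numbers and addresses are
# constructed; replace them with the values from your ifconfig output.

DRY_RUN="${DRY_RUN:-0}"   # 1 = print the ip/sysctl commands instead of running them
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# uplink_rules IFACE TABLE LOCAL_IP [GATEWAY]
#   ppp* links are point-to-point and have no gateway: the route is "dev IFACE".
#   Ethernet / Wi-Fi uplinks need "via GATEWAY".
# Packets whose source address is LOCAL_IP are looked up in TABLE before "main",
# so binding a socket to that address is enough to pick the uplink, no root needed.
uplink_rules() {
    iface="$1"; table="$2"; local_ip="$3"; gw="${4:-}"
    run ip route flush table "$table"
    if [ -n "$gw" ]; then
        run ip route add default via "$gw" dev "$iface" table "$table"
    else
        run ip route add default dev "$iface" table "$table"
    fi
    # remove a stale copy first so the function can be re-run safely
    run ip rule del from "$local_ip" table "$table" 2>/dev/null || true
    run ip rule add from "$local_ip" table "$table" priority 100
    # Strict reverse-path filtering (rp_filter=1) discards replies arriving on an
    # interface the main table would not use for that address; loose mode (2)
    # keeps the anti-spoofing check but tolerates multi-homing.
    run sysctl -q -w "net.ipv4.conf.$iface.rp_filter=2"
}

# Constructed layout: two USB modems (point-to-point) and a Wi-Fi uplink with a gateway.
setup_uplinks() {
    uplink_rules ppp0  101 10.64.64.64
    uplink_rules ppp1  102 10.64.64.65
    uplink_rules wlan0 103 192.168.1.20 192.168.1.1
}

# Afterwards, as an unprivileged user:  curl --interface 10.64.64.65 https://ifconfig.me
# Run with --apply as root to install the rules; set DRY_RUN=1 to only print them.
case "${1:-}" in --apply) setup_uplinks ;; esac
```

Run it once with DRY_RUN=1 to review the generated commands; the rules are not persistent, so on Debian they belong in an ifupdown post-up hook or a systemd unit once they do what you expect.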

vpn – OpenVPN: limit LAN access with client-config-dir and iptables

I have a VPC network running on AWS and I have configured an OpenVPN server to connect to the local machines behind the VPC. However, I would like to restrict LAN access by client.

+---------+             +---------+
| client1 |             | client2 |
+---------+             +---------+
          \             /
            +---------+
            | server  |
            +---------+
                 |
            +---------+
            |   vpc   |
            +---------+
                 |
            +---------+
            |  local  | 
            +---------+
+--------------------------+
| VPC  | subnet  | region  |
+------+---------+---------+
| vpc0 | 10.0/16 | region0 |
+------+---------+---------+

With my current OpenVPN configuration, I can connect to all the instances behind the VPC. However, I need client1 to be able to access only the machine 10.10.0.118, and client2 only the machine 10.10.0.222. I played with the ccd directive and iptables but can't wrap my head around it.

My OpenVPN server.conf:

port 1194

proto udp

dev tun0

ca ca.crt
cert server.crt
key server.key 
dh dh2048.pem
topology subnet

server 10.8.0.0 255.255.255.0
client-config-dir /etc/openvpn/ccd
push "redirect-gateway def1"
push "redirect-gateway def1 bypass-dhcp"

push "route 10.10.0.0 255.255.255.0"

ifconfig-pool-persist /var/log/openvpn/ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
keepalive 10 120
cipher AES-256-CBC
#client-to-client
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/openvpn-status.log
log         /var/log/openvpn/openvpn.log
log-append  /var/log/openvpn/openvpn.log
verb 3

Routing table for the server:

0.0.0.0         10.10.1.1       0.0.0.0         UG        0 0          0 eth0
10.8.0.0        0.0.0.0         255.255.255.0   U         0 0          0 tun0
10.10.1.0       0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.10.1.1       0.0.0.0         255.255.255.255 UH        0 0          0 eth0

CCD for the client:

push-reset
ifconfig-push 10.8.0.2 255.255.0.0
iroute 10.10.0.0 255.255.0.0


iptables rule for the client:

iptables -A FORWARD -i tun0 -s 10.8.0.0/24 -d 10.10.0.118 -j ACCEPT

My client.ovpn connects to the server, but I cannot ping or ssh to 10.10.0.118. Without the ccd directive I can. If anyone can point me in the right direction, it would be much appreciated.
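
The combination this question is after is normally a ccd file per client that pins the client's tunnel address (and, because push-reset discards the global push list, re-pushes the route the client still needs), paired with FORWARD rules keyed on that pinned address. The script below is an added example, not the poster's configuration: it assumes the server.conf above (topology subnet, server 10.8.0.0/24, dev tun0) with eth0 facing the VPC, pushes only a host route rather than redirect-gateway, and labels the client names, tunnel addresses, allowed hosts and the MASQUERADE step as constructed or assumed in its comments.

```shell
#!/bin/sh
# Added example, not the poster's configuration: a fixed tunnel address per
# client via client-config-dir, paired with FORWARD rules that let each client
# reach exactly one VPC host. Assumes the server.conf above (topology subnet,
# server 10.8.0.0/24, dev tun0) with eth0 facing the VPC; the client names,
# tunnel addresses and allowed hosts are constructed for this example.

CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"
TUN_IF="${TUN_IF:-tun0}"
LAN_IF="${LAN_IF:-eth0}"
TUN_NET="${TUN_NET:-10.8.0.0/24}"
DRY_RUN="${DRY_RUN:-0}"   # 1 = print the iptables commands instead of running them

# run CMD ARGS...: execute, or only print when DRY_RUN=1 so rules can be reviewed first.
run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# write_ccd CN TUNNEL_IP ALLOWED_HOST: the file name must equal the client's certificate CN.
write_ccd() {
    mkdir -p "$CCD_DIR"
    cat > "$CCD_DIR/$1" <<EOF
# push-reset discards every global "push" (redirect-gateway, routes, DNS), so
# the route to the protected host has to be pushed again here.
push-reset
# With "topology subnet" the second argument is the tunnel netmask, i.e. the /24 of "server".
ifconfig-push $2 255.255.255.0
push "route $3 255.255.255.255"
EOF
}

# allow_client TUNNEL_IP ALLOWED_HOST: one ACCEPT per (client, host) pair.
allow_client() {
    run iptables -A FORWARD -i "$TUN_IF" -o "$LAN_IF" -s "$1" -d "$2" -j ACCEPT
}

# install_policy: append once, after all allow_client calls. Replies are admitted by
# connection tracking; anything else leaving the tunnel is logged (rate-limited) and dropped.
install_policy() {
    run sysctl -q -w net.ipv4.ip_forward=1
    run iptables -A FORWARD -i "$LAN_IF" -o "$TUN_IF" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -i "$TUN_IF" -m limit --limit 5/min -j LOG --log-prefix vpn-denied:
    run iptables -A FORWARD -i "$TUN_IF" -j DROP
    # Assumption: the VPC route tables do not know 10.8.0.0/24, so tunnel traffic is
    # source-NATed to the server's eth0 address to make sure replies come back to it.
    run iptables -t nat -A POSTROUTING -s "$TUN_NET" -o "$LAN_IF" -j MASQUERADE
}

# Constructed mapping: CN -> tunnel IP -> the single VPC host that client may reach.
provision_clients() {
    write_ccd client1 10.8.0.2 10.10.0.118
    write_ccd client2 10.8.0.3 10.10.0.222
    allow_client 10.8.0.2 10.10.0.118
    allow_client 10.8.0.3 10.10.0.222
    install_policy
}

# Run with --apply as root; DRY_RUN=1 CCD_DIR=/tmp/ccd sh this.sh --apply shows the result first.
case "${1:-}" in --apply) provision_clients ;; esac
```

The ccd file names are the clients' certificate common names, so a client whose CN has no file still gets a pool address and, because no ACCEPT rule names that address, is dropped and logged by the catch-all rule. The LOG line is what makes a misconfigured client visible in the kernel log instead of silently timing out.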

networking – Add iptables rules programmatically using Java for port forwarding

Is there a method (using the java.net package or a protocol) that a Java-based client application on the intranet could use to map a port on the residential gateway's (router's) iptables to allow access from the Internet? I noticed that a chat application could automatically add a range of ports to the router for port forwarding. I don't know whether a pure Java application could do this or not, or whether you would have to use libiptc + JNI to perform this function.

linux networking – FORWARD and NAT iptables with certain ports

I want to limit eno1 to Internet services (like 80, 443). The setting below is OK for all services.

iptables -P FORWARD DROP

iptables -A FORWARD -i eno1 -o ppp0 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eno1 -m state --state ESTABLISHED,RELATED   -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o ppp0 -j MASQUERADE


I want something like this:
iptables -A FORWARD -p tcp -i eno1 -o ppp0  -m multiport  --dports 80,443,53 -j ACCEPT
iptables -A FORWARD -i ppp0 -o eno1 -m state --state ESTABLISHED,RELATED   -j ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -o ppp0 -j MASQUERADE
but it is not working. How could I do this?

iptables v1.8.2 (nf_tables): RULE_APPEND failed (Invalid argument): rule in chain OUTPUT

On Debian 10, trying to apply the following iptables rules:

ip rule add fwmark 1 table 100
ip route add local 0.0.0.0/0 dev lo table 100


iptables -t mangle -N V2RAY
iptables -t mangle -A V2RAY -d 127.0.0.1/32 -j RETURN
iptables -t mangle -A V2RAY -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAY -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A V2RAY -d 192.168.0.0/16 -p tcp -j RETURN 
iptables -t mangle -A V2RAY -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN 
iptables -t mangle -A V2RAY -p udp -j TPROXY --on-port 12345 --tproxy-mark 1 
iptables -t mangle -A V2RAY -p tcp -j TPROXY --on-port 12345 --tproxy-mark 1 
iptables -t mangle -A PREROUTING -j V2RAY 


iptables -t mangle -N V2RAY_MASK
iptables -t mangle -A V2RAY_MASK -d 224.0.0.0/4 -j RETURN
iptables -t mangle -A V2RAY_MASK -d 255.255.255.255/32 -j RETURN
iptables -t mangle -A V2RAY_MASK -d 192.168.0.0/16 -p tcp -j RETURN 
iptables -t mangle -A V2RAY_MASK -d 192.168.0.0/16 -p udp ! --dport 53 -j RETURN 
iptables -t mangle -A V2RAY_MASK -j RETURN -m mark --mark 0xff   
iptables -t mangle -A V2RAY_MASK -p udp -j MARK --set-mark 1  
iptables -t mangle -A V2RAY_MASK -p tcp -j MARK --set-mark 1   
iptables -t mangle -A OUTPUT -j V2RAY_MASK

but finally get an error:

iptables v1.8.2 (nf_tables):  RULE_APPEND failed (Invalid argument): rule in chain OUTPUT

iptables – Automated input of variables?

I currently use -j DROP in my Linux-based router commands to keep international spammers out of my Windows Server 2016 server, and I would like to block entire countries where the spammers are from (I'm aware of the impact it will have on response time). Since my server is region specific anyway, no one outside of the United States needs to access it. Here is an example of what is on the command page of my router:

iptables -I FORWARD -s 218.0.0.0/8 -j DROP
iptables -I FORWARD -s 112.0.0.0/8 -j DROP
iptables -I FORWARD -s 59.0.0.0/8 -j DROP
iptables -I FORWARD -s 58.22.0.0/15 -j DROP
iptables -I FORWARD -s 208.88.96.0/21 -j DROP
iptables -I FORWARD -s 117.0.0.0/8 -j DROP
iptables -I FORWARD -s 125.0.0.0/8 -j DROP
iptables -I FORWARD -s 192.245.43.0/24 -j DROP
iptables -I FORWARD -s 121.0.0.0/8 -j DROP
iptables -I FORWARD -s 124.0.0.0/8 -j DROP
iptables -I FORWARD -s 123.0.0.0/8 -j DROP
iptables -I FORWARD -s 122.0.0.0/8 -j DROP
iptables -I FORWARD -s 116.0.0.0/8 -j DROP
iptables -I FORWARD -s 113.0.0.0/8 -j DROP

China alone has more than 8,000 IP ranges that I would like to add, but I don't want to have to manually create each line with the applicable IP ranges. Is there a type of script or website where I can just paste a list of all 8,000+ CIDR IP ranges and it will create the commands for me to copy and paste into my router? I have to believe there is a way to automate this repetitive work.
Thank you!

autodiscovery – Blocking autodiscover.xml with iptables does not work

I am trying to block all autodiscover.xml requests to our server using iptables. Here's what I've entered so far, but it doesn't work. See the log below; requests keep coming.

iptables -I INPUT -p tcp --dport 80 -m string --string "POST /autodiscover" --algo bm -j DROP
iptables -I INPUT -p tcp --dport 443 -m string --string "POST /autodiscover" --algo bm -j DROP

This shows up at the top of the INPUT chain:

DROP       tcp  --  anywhere             anywhere             tcp dpt:http STRING match  "POST /autodiscover" ALGO name bm TO 65535
DROP       tcp  --  anywhere             anywhere             tcp dpt:https STRING match  "POST /autodiscover" ALGO name bm TO 65535

However, I still see the requests in the Apache log.

(09/Jan/2020:17:04:31 -0500) "POST /autodiscover/autodiscover.xml HTTP/1.1" 403 3668 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.6701; Pro)"
(09/Jan/2020:17:12:59 -0500) "POST /autodiscover/autodiscover.xml HTTP/1.1" 403 3668 "-" "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.6701; Pro)"

iptables – Best use of portsentry with lots of banned IPs

I use portsentry instead of fail2ban to block IPs during the scan, and therefore before they find the SSH port.

Portsentry is configured to add an iptables rule and a line in hosts.deny.

I get over 300 IPs in one day.

What is the best solution:

  • Regularly empty the iptables rules and the hosts.deny file?
  • Delete the hosts.deny action and use ipset instead of the iptables rule?

Was Portsentry not developed for long-term use?
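
The country block list question above and this portsentry question have the same shape: many addresses, one decision. The script below is an added example, not from either post: it reads a pasted list of CIDR ranges, validates each entry, and emits ipset commands plus a single iptables rule that matches the whole set, so the rule count stays at one however many ranges are blocked; with ENTRY_TIMEOUT set, entries expire on their own, which removes the need to flush rules or hosts.deny by hand. The set name, chain and timeout are choices made for the example; the sample ranges in the test are taken from the list above.

```shell
#!/bin/sh
# Added example, not from either post above: turn a pasted list of CIDR ranges
# into ipset commands plus a single iptables rule, instead of one "iptables -I
# FORWARD -s ... -j DROP" line per range. Assumes ipset and iptables exist on
# the router; the set name, chain and timeout below are choices made here.

SET_NAME="${SET_NAME:-blocklist}"
CHAIN="${CHAIN:-FORWARD}"
ENTRY_TIMEOUT="${ENTRY_TIMEOUT:-0}"   # seconds; 0 = entries never expire

# is_ipv4_cidr A.B.C.D/N -> exit 0 only for a well-formed IPv4 prefix.
is_ipv4_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    addr="${1%%/*}"; plen="${1#*/}"
    case "$plen" in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -le 32 ] || return 1
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only (no glob chars)
    old_ifs="$IFS"; IFS=.
    set -- $addr
    IFS="$old_ifs"
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
}

# gen_blocklist: read ranges on stdin (one per line; '#' comments and blank
# lines ignored), print the commands that build the set and hook it into CHAIN.
# Malformed lines are reported on stderr and skipped rather than aborting the batch.
gen_blocklist() {
    timeout_opt=""
    if [ "$ENTRY_TIMEOUT" -gt 0 ]; then timeout_opt=" timeout $ENTRY_TIMEOUT"; fi
    echo "ipset create $SET_NAME hash:net family inet$timeout_opt -exist"
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                               # strip trailing comment
        line="$(printf '%s' "$line" | tr -d ' \t\r')"    # and whitespace / CRLF
        [ -n "$line" ] || continue
        if is_ipv4_cidr "$line"; then
            echo "ipset add $SET_NAME $line -exist"
        else
            echo "skipping malformed entry: $line" >&2
        fi
    done
    # One rule matches the whole set. Delete any earlier copy first so reruns do
    # not stack duplicates, then insert at position 1 so it wins over later ACCEPTs.
    echo "iptables -D $CHAIN -m set --match-set $SET_NAME src -j DROP 2>/dev/null"
    echo "iptables -I $CHAIN 1 -m set --match-set $SET_NAME src -j DROP"
}

# Usage: sh blocklist.sh --generate < ranges.txt > apply.sh ; review apply.sh, then run it as root.
case "${1:-}" in --generate) gen_blocklist ;; esac
```

For the portsentry case the same set can be fed live: point its KILL_ROUTE command at an `ipset add` of the scanning address (portsentry substitutes the address for its $TARGET$ token) and drop the hosts.deny action, so the block becomes a single set lookup per packet and, with a timeout on the set, ages out without any manual cleanup.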

iptables – How to forward non-Linux host packets to the container

I am trying to do traffic inspection in an lxc container on my host machine. My host machine is connected to a mirror port and receives duplicate copies of the traffic from 4 or 5 other machines on a local network.

I can see all the traffic from these other machines via Wireshark, so I know it is reaching my interface, but I am having trouble passing it the last hop to my lxc container.

I have tried to do NAT via iptables, but after reading a few other articles I suspect the packets are filtered before reaching iptables. I saw a suggestion or two for ebtables and tried static routing, without success.

Any help or reference to existing literature would be greatly appreciated.

firewalld does not work in CentOS 8: no rule is created in iptables

I recently upgraded a clean installation from CentOS 7 to CentOS 8 using this tutorial:

How to Upgrade CentOS 7 to CentOS 8

I had no additional software installed, only the base installation. After the upgrade, the first thing I tried to do was open only the ports for SSH and HTTP, so I enabled and started firewalld:

systemctl enable firewalld
systemctl start firewalld
systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
   Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2019-12-24 11:05:50 -02; 10min ago
     Docs: man:firewalld(1)
 Main PID: 7620 (firewalld)
    Tasks: 2 (limit: 17886)
   Memory: 22.1M
   CGroup: /system.slice/firewalld.service
           └─7620 /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid

dez 24 11:05:49 renie.cc systemd[1]: Stopped firewalld - dynamic firewall daemon.
dez 24 11:05:49 renie.cc systemd[1]: Starting firewalld - dynamic firewall daemon...
dez 24 11:05:50 renie.cc systemd[1]: Started firewalld - dynamic firewall daemon.

Addition of ssh and http services:

firewall-cmd --add-service http
firewall-cmd --add-service http --permanent
firewall-cmd --add-service ssh
firewall-cmd --add-service ssh --permanent
firewall-cmd --add-service ssh
firewall-cmd --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources: 
  services: http ssh
  ports: 
  protocols: 
  masquerade: no
  forward-ports: 
  source-ports: 
  icmp-blocks: 
  rich rules: 

But I don't see any rules in iptables:

iptables -nvL
Chain INPUT (policy ACCEPT 143 packets, 13998 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 114 packets, 13295 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Even after restarting the server, no rule is created. Could this be due to the CentOS 7 → CentOS 8 upgrade?

I have not tested or used firewalld before upgrading this server, but I do have other CentOS 7 servers that have firewalld running.

Is there a log I can analyze to debug the problem?

Thanks in advance.