Update from 20.04 to 20.10 – iptables not replaced with nftables

According to this article on itsfoss.com nftables should replace iptables after updating from 20.04 to 20.10.
In my case not only is iptables still installed, but also nftables is missing.

Does it imply that the update process has failed and there might be other components missing?
Is it much of an issue from security point of view?

Linux iptables: Drop all Apache requests except from a single IP Address

I’m currently building a website using Apache on a Debian 10 Server. I would like to block all traffic to my website except from a single IP Address (my home network’s Public IP Address) so that I can build my website without other users accessing the site while I’m building it. I would like to tackle this problem using the server’s firewall with iptables. I have created the following rules:

sudo iptables --policy INPUT DROP
sudo iptables --policy OUTPUT DROP
sudo iptables --policy FORWARD DROP

iptables -A INPUT -p tcp -m multiport --dports 80,443 -s 1.2.3.4 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

iptables -A OUTPUT -p tcp -m multiport --sports 80,443 -s 1.2.3.4 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

After a few days of testing I’ve concluded that the issue must be something with my OUTPUT chain. Any insight or thoughts would be much appreciated, Thank you!!!

iptables – Setting up SSH tunnel. With one confused configuration

So on the other day I set up a ssh tunnel for connecting my plex server installed on my raspberry pi to my VPS. I looked up an excellent guide, and then one configuration in that guide draws my attention.

So my questions as following:

I just wonder why do I need to set a specific port, which in this case is 32400, to only allow local connections to that port. Is it because of safety reason? I cannot figure it out.

Following info may be helpful.

pi@raspberrypi:~ $ cat /etc/hosts
127.0.0.1       localhost
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

127.0.1.1       raspberrypi

iptables – replace ipset with bash script

So what I’m trying to do is to get “bad” ip’s from this page

https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt

Then I made a script that replaces ipsets to block, by replacing old ipset with one that holds the ip numbers from above mentioned place.

Was long time ago I wrote it. Now I came back to it. And I’m not really shure it works. Because when I run ipset list > temporaryfile
then I dont think all numbers in temporaryfile are found in newblacklist.txt
Here is the bash script:

#!/bin/bash

# Variable holding the path to the textfile used in this script
textfile='/home/userName/Blacklist/newblacklist.txt'

# create and add blacklist if not created and add to iptables
created=$(ipset list -name | grep -c blacklist)
if (( $created == 0 )); then
    echo creating blacklist
    ipset create blacklist hash:net
    iptables -I INPUT -m set --match-set blacklist src -j DROP 
else
    echo blacklist already there
fi


# create and add tempblacklist if not created and add to iptables
created=$(ipset list -name | grep -c tempblacklist)
if (( $created == 0 )); then
    echo creating tempblacklist
    ipset create tempblacklist hash:net
    iptables -I INPUT -m set --match-set tempblacklist src -j DROP 
else
    echo tempblacklist already there
    ipset flush tempblacklist
fi

# create a new blacklis.txt file if not there
# If there, clear it by means of rm and touch
if ( ! -e $textfile ); then
    echo creating new blacklist.txt file
    touch $textfile
else
    echo Emptying existing blacklist.txt file
    rm $textfile;
    touch $textfile;
fi

# Get the bad ip list from site and save in newblacklist.txt file
curl --compressed https://raw.githubusercontent.com/stamparm/ipsum/master/ipsum.txt 2>/dev/null>$textfile

#check if there is a list with new bad ips
#$created shows 0 if there is no such list
created=$(ipset list -name | grep -c newblacklist) 

# Uses $created to check if there is a newblacklist list in ipset
# If there is no list creates one, otherwise flushes the existing one
if (( $created == 0 )); then
    echo Creating new newblacklist list in ipset 
    ipset create newblacklist hash:net
else
    echo Flushing existing list
    ipset flush newblacklist
fi

# Clean input from comments and other stuff
variable=$(grep -v "#" $textfile | grep -v -E "s(1-2)$" | cut -f 1)
for ip in $variable;
do
    ipset add newblacklist $ip
done


ipset swap blacklist tempblacklist

ipset flush blacklist

ipset swap newblacklist blacklist

ipset flush tempblacklist

The newblacklist.txt does seem to look identical to the content in the repo mentioned above.
Basically Im not confident the iptable gets updated to ban whats currently in the repo, when I run the script.

nat – WireGuard: cannot delete iptables rule for default route

since I don’t want friends and colleagues in my VPN to use my VPN server as a proxy VPN for “anonymous” surfing, I want to disable the default route for the VPN. In a nutshell:

  • LAN (10.20.0.0/24) must be accessible
  • WAN (0.0.0.0/0) must be inaccessible

I was unable to find a WireGuard setting to do this except configuring the AllowedIPs directive in the client config. But what kind of security does that provide?? Anyone can easily edit his/her config, replace 10.20.0.0/24 with 0.0.0.0/0, and use my VPN as a proxy…

My next approach was to delete the iptables rule that permitts the forwarding from the VPN subnet to the WAN. But somehow I cannot delete the affected rule. If I create a similar rule (same subnet, same policy) I can delete it, but I am prevented from deleting the WireGuard rule somehow.

The rule in question has been marked with --> in the following output:

root@(...):~# iptables -L FORWARD

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ...
    ACCEPT     all  --  anywhere             10.6.0.0/24          ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */
--> ACCEPT     all  --  10.6.0.0/24          anywhere             /* wireguard-forward-rule */

Commands that I have tried to get rid of this rule:

root@(...):~# iptables -D FORWARD -s 10.6.0.0/24 -j ACCEPT
iptables: Bad rule (does a matching rule exist in that chain?).

If I add the same rule again (without the comment):

root@(...):~# iptables -L FORWARD

    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ...
    ACCEPT     all  --  anywhere             10.6.0.0/24          ctstate RELATED,ESTABLISHED /* wireguard-forward-rule */
--> ACCEPT     all  --  10.6.0.0/24          anywhere             /* wireguard-forward-rule */
--> ACCEPT     all  --  10.6.0.0/24          anywhere

root@(...):~# iptables -D FORWARD -s 10.6.0.0/24 -j ACCEPT
root@(...):~#

No problem… 😐

Note: If you need further logs/output, please let me know. Thanks in advance!


FINAL ANSWER:
WireGuard also specifies interfaces and a comment. These have to be an exact match when deleting rules. You can see the full list of arguments using iptables with the -v option.

The command that finally removed the rule was:

iptables -D FORWARD -i wg0 -o wlan0 -s 10.6.0.0/24 -m comment --comment "wireguard-forward-rule" -j ACCEPT

firewall – Is allowing all packets on INPUT and OUTPUT on lan interface secure on a gateway router (iptables)

My main gateway router (Also the DHCP and DNS server for my LAN) lets me ssh in and configure iptables. Seeing as almost daily I’m making it provide more services like NTP, DNS, FTP e.c.t, I want to allow all traffic and ports on my LAN interface/subnet to and from my router to make sure these services are accessible by any device on my LAN.

Essentially disabling my LAN side firewall.

However, as this is also my gateway router I do not want to configure these iptables in a way that would allow internet traffic to exploit my iptables configuration.

My private IP range is 192.168.50.0/24 and is automatically assigned an interface of br0.

here are the iptables commands I used to allow all LAN traffic.

iptables --append INPUT --in-interface br0 --jump ACCEPT
iptables --append INPUT --source 192.168.50.0/24 --jump ACCEPT
iptables --append OUTPUT --out-interface br0 --jump ACCEPT
iptables --append OUTPUT --source 192.168.50.0/24 --jump ACCEPT

I’m no expert in routing or iptables but when I interpret it as ‘Accept all output in 192.168.50.0/24‘ it makes me think that after traffic from the internet is routed through my gateway, that all of it accepted to anywhere in my LAN.

iptables – Ubuntu 20.04 as PPTP server does not provide a ipv4 default gateway to the clients

Several years ago I was using the following script to create a pptp server on Ubuntu 14.04

Recently I have used the same script on Ubuntu 20.04 but once the pptp server is up and running, the vpn clients do not get any default ipv4 gateway, so they have not internet access.

passwordv=password
ipclass=10.99.84
echo "install pptp *******************"
apt-get install pptpd -y
apt install net-tools
echo "install net-tools *******************"
cp /etc/pptpd.conf /etc/pptpd_old.conf
#server ip
line="localip $ipclass.1"
echo $line >> /etc/pptpd.conf
#pool
line="remoteip $ipclass.100-200"
echo $line >> /etc/pptpd.conf
#usernames and password /etc/ppp/chap-secrets
line="user pptpd $passwordv *"
echo $line >> /etc/ppp/chap-secrets
#add dns
line="ms-dns 208.67.222.222"
echo $line >> /etc/ppp/pptpd-options
#add dns
line="ms-dns 208.67.220.220"
echo $line >> /etc/ppp/pptpd-options
service pptpd restart
netstat -alpn | grep :1723
#forward the traffic on the server
line="net.ipv4.ip_forward = 1"
echo $line >> /etc/sysctl.conf
sysctl -p
#Create a NAT rule for iptables
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE && iptables-save
#If you would also like your PPTP clients to talk to each other, add the following iptables rules:
iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
iptables -I INPUT -s $ipclass.0/8 -i ppp0 -j ACCEPT
iptables --append FORWARD --in-interface eth0 -j ACCEPT
netstat -alpn | grep :1723

The clients are running Windows 7 and Windows 10, both are configured to “use default gateway on remote network”, which is a default option on the ipv4 configuration of the vpn connection.

windows 7 client – ip address ok – no gateway

linux – Not really sure what I’m doing wrong here, IPTABLES, Ubuntu

I dont know what I’m doing wrong but I need to have the TCP port 1195 also open for the VPN but it just says tcp dpt:1195 instead of udp dpt:openvpn

ACCEPT tcp — anywhere anywhere tcp dpt:1195 /* Allow VPN connection */

ACCEPT udp — anywhere anywhere udp dpt:openvpn /* Allow VPN connection */

/etc/openvpn/iptables.sh

#!/bin/bash

iptables -t nat -F

iptables -t mangle -F

iptables -F

iptables -X

iptables -P OUTPUT DROP

iptables -P INPUT DROP

iptables -P FORWARD DROP

iptables -A INPUT -i lo -j ACCEPT

iptables -A OUTPUT -o lo -j ACCEPT

iptables -A OUTPUT -d 255.255.255.255 -j ACCEPT

iptables -A INPUT -s 255.255.255.255 -j ACCEPT

iptables -A INPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT

iptables -A OUTPUT -s 192.168.0.0/24 -d 192.168.0.0/24 -j ACCEPT

iptables -A INPUT -m state –state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i tun+ -j ACCEPT

iptables -A FORWARD -i tun+ -j ACCEPT

iptables -A FORWARD -o tun+ -j ACCEPT

iptables -t nat -A POSTROUTING -o tun+ -j MASQUERADE

iptables -A OUTPUT -o tun+ -j ACCEPT

iptables -I OUTPUT 1 -p tcp –destination-port 1195 -m comment –comment “Allow VPN connection” -j ACCEPT

iptables -I OUTPUT 1 -p udp –destination-port 1194 -m comment –comment “Allow VPN connection” -j ACCEPT

iptables -A OUTPUT -j DROP

iptables -A INPUT -j DROP

iptables -A FORWARD -j DROP

iptables -N logging

iptables -A INPUT -j logging

iptables -A OUTPUT -j logging

iptables -A logging -m limit –limit 2/min -j LOG –log-prefix “IPTables general: ” –log-level 7

iptables -A logging -j DROP

echo “saving”

iptables-save > /etc/iptables.rules

echo “done”

#echo ‘openVPN – Rules successfully applied, we start “watch” to verify IPtables in realtime (you can cancel it as usual CTRL + c)’

#sleep 3

#watch -n 0 “sudo iptables -nvL”

ubuntu – IPTABLES – Route all incoming IP requests through another IP on a different network

I need help with iptables to allow all requests come from one single IP.

Server1 IP : 1.1.1.1 [Dedicated Server]

Server2 IP : 2.2.2.2. [VPS Server]

Both Servers are running Ubuntu, and are NOT on the same network.

I have service running on Server1 on port 1234. I want all traffic to come to server1 only from server2. And, if a request is received by Server1 directly, instead of killing/dropping the request, is it possible for server1 to forward the request to Server2, and have server2 send it to server1.

On Server2 I have:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward 
iptables -t nat -A PREROUTING -p tcp --dport 1234 -j DNAT --to-destination 1.1.1.1:1234
iptables -t nat -A POSTROUTING -j MASQUERADE

On Server1 where the service is running, I have:

echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward 
iptables -I INPUT -p tcp -s 2.2.2.2 --dport 1234 -j ACCEPT

The Server2 is redirecting requests fine to Server1. Can you help me with iptables command for Server1, to route all other incoming IP requests through server2?

Thank you.

iptables – tunneling between two linux server

if we have two server let’s say server1(92.92.92.92) server2(76.76.76.76).

I’m working on redirect incoming traffic on server1 port 4444 to server2 port 12345,this is easy with iptables rule on server1 like the following:

sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -p tcp --dport 4444 -j DNAT --to-destination 76.76.76.76:12345
iptables -t nat -A POSTROUTING -j MASQUERADE  

this working well

request –> 4444:server1 <===> 12345:server2

what I need to do is using tor netwok between the two server:

request –> 4444:server1 <===> |tor network| <===> 12345:server2

how I can do what?

I tried to use HiddenServicePort on server2 but I can’t forward traffic from HiddenServicePort to another tor hostname ( in server1)

also how i can redirect traffic from iptables to tor specific hostname (server2 hostname)