iptables: how to block all incoming traffic from a specific Internet address or subnet using TomatoUSB router software (Linux-based)

I am not trained in Linux, but I think I found the solution to my documented problem; however, it does not work as expected. I am NOT an iptables guru; I am learning as I go.

A Russian IP is trying to hack my network, especially an email server that I have on my network. So I have a port forward of port 25 to the mail server machine. My router runs TomatoUSB, a Linux-based router firmware that I have root ssh access to.

I tried this command:

 iptables -I INPUT -s 45.142.195.5 -j DROP

And

 iptables -L -nv 

returns many things, and now at the beginning it looks like this:

 Chain INPUT (policy DROP 9 packets, 504 bytes)
  pkts bytes target     prot opt in     out     source               destination
     0     0 DROP       all  --  *      *       45.142.195.5         0.0.0.0/0

However, this did not stop the traffic, since my email server still reports connection attempts from this IP address, so the rule does not drop anything.

Maybe the INPUT chain is not where I need to add this? I am not yet educated in the different chains. INPUT intuitively seemed the right place, but because this is a NAT router, should I really have some kind of rule in the FORWARD chain that says not to forward to anyone if this is the source address?

It seems that what I want to do should not be difficult, but I am struggling to solve this so far.
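The question above hinges on which filter chain a port-forwarded packet traverses. The following model is an added illustration, not code from the post: it walks a packet from the posted source through a simplified netfilter path (nat PREROUTING, routing decision, then filter INPUT or FORWARD) and shows that the posted DROP rule only fires when it sits in FORWARD. The router and mail-server addresses are constructed placeholders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addresses (the post only gives the source 45.142.195.5):
ROUTER_WAN = "203.0.113.10"      # router's public address, where port 25 is forwarded from
MAIL_SERVER = "192.168.1.25"     # LAN mail host that the port forward points at
ATTACKER = "45.142.195.5"

@dataclass
class Packet:
    src: str
    dst: str
    dport: int

@dataclass
class Rule:
    target: str                      # "DROP", "ACCEPT" or "DNAT:<address>"
    src: Optional[str] = None        # source address/CIDR, None = any
    dport: Optional[int] = None      # destination port, None = any

    def matches(self, p: Packet) -> bool:
        return ((self.src is None or ip_address(p.src) in ip_network(self.src, strict=False))
                and (self.dport is None or p.dport == self.dport))

def walk(chain: List[Rule], p: Packet, policy: str = "ACCEPT") -> str:
    """First matching rule decides, as in a netfilter chain; otherwise the chain policy."""
    for rule in chain:
        if rule.matches(p):
            return rule.target
    return policy

def wan_packet_path(p: Packet, nat_prerouting, filter_input, filter_forward) -> Tuple[str, str]:
    """Simplified netfilter path for a packet arriving on the WAN side of a NAT router:
    nat PREROUTING (port forwards) -> routing decision -> filter INPUT or filter FORWARD."""
    verdict = walk(nat_prerouting, p)
    if verdict.startswith("DNAT:"):
        p.dst = verdict.split(":", 1)[1]          # the port forward rewrites the destination
    # Only traffic addressed to the router itself is delivered locally via INPUT; the
    # forwarded SMTP connection goes through FORWARD, so a rule in INPUT never sees it.
    if p.dst == ROUTER_WAN:
        return "INPUT", walk(filter_input, p, policy="DROP")
    return "FORWARD", walk(filter_forward, p, policy="DROP")

def smtp_verdict(block_in_chain: str) -> Tuple[str, str]:
    """Where the post's '-s 45.142.195.5 -j DROP' rule is inserted decides whether it fires."""
    block = Rule("DROP", src=ATTACKER)
    nat_prerouting = [Rule(f"DNAT:{MAIL_SERVER}", dport=25)]          # the port 25 forward
    filter_input = [block] if block_in_chain == "INPUT" else []
    forward_accept = [Rule("ACCEPT", dport=25)]                       # what the forward adds
    filter_forward = ([block] if block_in_chain == "FORWARD" else []) + forward_accept
    return wan_packet_path(Packet(ATTACKER, ROUTER_WAN, 25),
                           nat_prerouting, filter_input, filter_forward)

if __name__ == "__main__":
    print(smtp_verdict("INPUT"))     # ('FORWARD', 'ACCEPT'): the INPUT rule is bypassed
    print(smtp_verdict("FORWARD"))   # ('FORWARD', 'DROP')
```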

iptables: route traffic through the floating ip

I have a (kubernetes) cluster (3 servers, IPs 172.20.10.(10,11,12)), and among them there is 1 floating IP (172.20.10.20).
My provider has a 1:1 NAT from a dedicated public IP to the floating IP.
Everything about the floating IP works perfectly (when the one holding the IP goes down, one of the others takes over the IP), so that only one has the IP at any time.
All incoming traffic also works, BUT now to the subject.

All outbound traffic comes from the individual IPs 172.20.10.(10,11,12), so the provider sends it out from a generic public IP. But I want the traffic to come from the floating IP (from all 3 hosts).
When searching, I discovered that perhaps NAT would be a solution, but I don't know if it would work with everything on the same network.

If all 3 hosts have the floating IP as gateway, and all 3 have iptables rules to NAT the traffic from them to the real gateway, masquerading as the floating IP, would this work?

Does anyone have any other suggestions?

iptables 1.8.2 (debian10) does not show the packet count in the default policy

iptables 1.8.2 (debian10) does not show the packet count in the default policy?

In debian9 the counters are shown normally.

In debian10, the output of the command iptables -nvL is:

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)

networks: how to allow the MAC address to access another network / subnet using IPTABLES?


iptables: get access to the network with nat and a public IPv4

I have a public IPv4 address, a host and a virtual machine (IP 192.168.100.10).
With iptables on the host side, I managed to redirect only port 22 (ssh) to the host with the help of the nat table.

Nat table:

iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -j DNAT --to-destination 192.168.100.10

Filter table:

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT

Now I wish I could access the web from the host and the virtual machine.

I tried to add in the filter table:

iptables -I OUTPUT -o eth0 -d 0.0.0.0/0 -j ACCEPT

But it is still impossible to get web access from the host. By the way, PING from the host to an external IP works perfectly.

NAT table:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
DNAT       all  --  anywhere             anywhere             to:192.168.100.10

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

FILTER table:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination                     
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     icmp --  anywhere             anywhere             ctstate NEW,RELATED,ESTABLISHED

Any help is welcome!

linux: ONLY allow the ssh host to be nested in vm, nothing else on the network (iptables)

I have a problem configuring iptables as desired.
I have a virtual machine in the virtual machine manager that I need to allow only the host to ssh into. I also have other virtual machines that shouldn't be able to ssh to this virtual machine.

I have specified a rule in the INPUT chain:

iptables -I INPUT 4 -s 172.28.105.1 -p tcp --dport 22 -j ACCEPT

This allows me to ssh from my host (which is the gateway) to my nested virtual machine. The problem is that I can still ssh from another VM, which says it is opening the connection from the gateway. iptables -L -v shows that the packets from the VM are caught by the rule that I added, but I have no idea how to specify only the host.

My current rules are:

VM iptables

Any advice on how to allow only my host to ssh in?

firewall: does iptables 1.8.2 not show the packet count for the default policy?

I noticed on my debian10 server with iptables 1.8.2, when I run iptables -nvL, it doesn't show the packet count:

Chain INPUT (policy DROP 0 packets, 0 bytes)

In other words, it's '0'. I did several isolated tests and the firewall works perfectly, but there are no counts on these lines, so if I ACCEPT, the DROP policy does not count.

I already researched a little about it and I did not succeed!

16.04 – UFW rules not propagated to IPtables

I have a problem in ubuntu 16.04 LTS with UFW rules that do not propagate properly to iptables. Curiously, in my VM at home these problems do not exist. There are 2 problems:

First: the UFW policy is set to deny incoming, deny forward, accept outgoing. But in iptables the policy is ACCEPT, ACCEPT, ACCEPT.

Second: the INPUT chain does not include the usual jumps to the UFW chains (I would expect, for example, 'ufw-before-logging-input' to be there).

Can someone help me solve this problem, maybe with some IPtables commands directly while I am struggling with these? I tried reinstalling UFW but without any effect on this.

My output from (iptables -L)

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
f2b-ssh    tcp  --  anywhere             anywhere             multiport dports ssh
f2b-sshd   tcp  --  anywhere             anywhere             multiport dports ssh
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:25288

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain f2b-ssh (1 references)
target     prot opt source               destination
REJECT     all  --  box1.esvc.us         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  241.ip-51-75-248.eu  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  45.6.72.17.leonetprovedor.com.br  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  l37-195-50-41.novotelecom.ru  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  300080-host.customer.zol.co.zw  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  182.61.181.138       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  151.ip-164-132-225.eu  anywhere             reject-with icmp-port-unreachable
REJECT     all  --  157.230.109.166      anywhere             reject-with icmp-port-unreachable
REJECT     all  --  129.211.79.102       anywhere             reject-with icmp-port-unreachable
REJECT     all  --  113.57.197.11        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  112.85.42.180        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  106.75.174.87        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  106.13.46.114        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  106.13.44.83         anywhere             reject-with icmp-port-unreachable
REJECT     all  --  106.12.84.112        anywhere             reject-with icmp-port-unreachable
REJECT     all  --  103.114.48.4         anywhere             reject-with icmp-port-unreachable
RETURN     all  --  anywhere             anywhere

Chain f2b-sshd (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere

Chain ufw-after-logging-forward (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "(UFW BLOCK) "

Chain ufw-after-logging-input (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "(UFW BLOCK) "

Chain ufw-after-logging-output (0 references)
target     prot opt source               destination

Chain ufw-before-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-before-logging-input (0 references)
target     prot opt source               destination

Chain ufw-before-logging-output (0 references)
target     prot opt source               destination

Chain ufw-logging-allow (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "(UFW ALLOW) "

Chain ufw-logging-deny (0 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere             ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 10 LOG level warning prefix "(UFW BLOCK) "

Chain ufw-user-forward (0 references)
target     prot opt source               destination

Chain ufw-user-input (0 references)
target     prot opt source               destination
ACCEPT     all  --  office IP 1          anywhere
ACCEPT     all  --  office IP 2          anywhere
ACCEPT     all  --  office IP 3          anywhere
ACCEPT     all  --  office IP 4          anywhere
ACCEPT     all  --  office IP 5          anywhere
ACCEPT     all  --  office IP 6          anywhere
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https /* 'dapp_Apache%20Secure' */

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere             limit: avg 3/min burst 5 LOG level warning prefix "(UFW LIMIT BLOCK) "
REJECT     all  --  anywhere             anywhere             reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination

Chain ufw-user-output (0 references)
target     prot opt source               destination

My output from (ufw status verbose)

Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere                   ALLOW IN    office IP 1
Anywhere                   ALLOW IN    office IP 2
Anywhere                   ALLOW IN    office IP 3
Anywhere                   ALLOW IN    office IP 4
Anywhere                   ALLOW IN    office IP 5
Anywhere                   ALLOW IN    office IP 6
443/tcp (Apache Secure)    ALLOW IN    Anywhere
443/tcp (Apache Secure (v6)) ALLOW IN    Anywhere (v6)  

iptables – DMZ over OpenVPN

I am configuring an OpenVPN server. I want it to redirect any incoming connection (except ports 22 (ssh) and 1194 (the VPN server itself)) to a client connected to the VPN.

The VPN server will live at vpn.example.com
The client is in 10.8.0.2, the VPN gateway is 10.8.0.1

How do I configure a DMZ to do this?

Here I found how to redirect a single port through the VPN: port forwarding with OpenVPN

The essence is to run iptables -t nat -A PREROUTING -i eth0 -d VPN_IP_HERE -p tcp --dport PORT_TO_REDIRECT -j DNAT --to-destination 10.8.0.2

However, this only works for one port at a time; I would love a solution like --dport *

Iptables u32 – problem filtering a packet

I have this UDP packet:

IP (tos 0x0, ttl 107, id 11018, offset 0, flags (none), proto UDP (17), length 39)
xxx.xxx.xxx.xxx.50077 > xxx.xxx.xxx.xxx.interwise: UDP, length 11
    0x0000:  fa16 3ed2 4035 ba7b 3600 1197 0800 4500  ..>.@5.{6.....E.
    0x0010:  0027 2b0a 0000 6b11 0528 aaee 97e6 9e45  .'+...k..(.....E
    0x0020:  3e7a c39d 1e62 0013 5182 5341 4d50 9e45  >z...b..Q.SAMP.E
    0x0030:  3e7a bd5f 72                             >z._r

My goal is to verify whether at byte 28 there is the text "SAMP" (0x53414d50) and byte 38 (the last one) is equal to the letter "r" (0x72).

I tried this iptables rule:

iptables -I INPUT -p udp --dport 7777 -m u32 --u32 "28=0x53414d50&&38&0xFF=0x72" -j DROP

But it just doesn't work and I don't know why, since everything seems to be correct.

If I delete the condition that verifies the last byte (&&38&0xFF=0x72), it works normally (the packet is dropped).

Other methods to do so are welcome in addition to u32.
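The u32 match reads a full 32-bit word at each offset, so a test at offset 38 needs bytes 38 through 41, which a 39-byte datagram does not have, and xt_u32 then reports no match. The following evaluator is an added illustration, not code from the post: it reconstructs the posted datagram from the hex dump (Ethernet header stripped, since u32 offsets start at the IP header), implements the subset of --u32 syntax used in the rule, and compares the posted expression with one that loads bytes 35..38 and masks the low byte.

```python
import re
from typing import Optional

# The datagram from the post, reconstructed from its hex dump with the 14-byte Ethernet
# header removed, because u32 offsets count from the first byte of the IP header.
PACKET = bytes.fromhex(
    "4500 0027 2b0a 0000 6b11 0528 aaee 97e6 9e45 3e7a"   # 20-byte IP header, total length 39
    "c39d 1e62 0013 5182"                                  # UDP header: ports, length 19, checksum
    "5341 4d50 9e45 3e7a bd5f 72"                          # payload: "SAMP" ... 'r' at byte 38
)

TEST_RE = re.compile(r"^(\d+)(?:&(0x[0-9a-fA-F]+|\d+))?=([^=]+)$")

def load32(pkt: bytes, offset: int) -> Optional[int]:
    """u32 reads bytes offset..offset+3 as one big-endian word; a read that would run past
    the end of the packet makes the whole match fail (xt_u32 returns 'no match')."""
    if offset < 0 or offset + 4 > len(pkt):
        return None
    return int.from_bytes(pkt[offset:offset + 4], "big")

def u32_match(expr: str, pkt: bytes) -> bool:
    """Evaluate the subset of --u32 syntax used in the post: tests joined by '&&', each
    'offset[&mask]=value[,value|lo:hi...]' with absolute offsets (no '@' or '>>')."""
    for test in expr.split("&&"):
        m = TEST_RE.match(test.strip())
        if not m:
            raise ValueError(f"unsupported u32 test: {test!r}")
        word = load32(pkt, int(m.group(1)))
        if word is None:
            return False                      # offset beyond the packet: match fails
        if m.group(2):
            word &= int(m.group(2), 0)        # apply the mask before comparing
        for value in m.group(3).split(","):   # any listed value or lo:hi range may match
            lo, _, hi = value.partition(":")
            if int(lo, 0) <= word <= int(hi or lo, 0):
                break
        else:
            return False
    return True

POSTED = "28=0x53414d50&&38&0xFF=0x72"   # reads bytes 38..41, but the packet ends at byte 38
FIXED = "28=0x53414d50&&35&0xFF=0x72"    # reads bytes 35..38; the 0xFF mask keeps byte 38

if __name__ == "__main__":
    print(len(PACKET), hex(PACKET[38]))      # 39 0x72
    print(u32_match(POSTED, PACKET))         # False: the last-byte word cannot be loaded
    print(u32_match(FIXED, PACKET))          # True
```

The offsets assume a 20-byte IP header (no options) and a datagram of exactly this length; a longer payload would move the last byte and needs a different offset.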