This is for the situation that you're doing other things that may conflict or have your own custom rules and ufw keeps overriding iptables.
A lot of guides don't work, and even ufw reset does not work, because it still leaves the old ufw chains.
Here is what works to disable ufw completely
systemctl stop ufw
systemctl disable ufw
ufw disable
rm -f /et........
Step 1.) Upgrade to Debian 11 first
The process to go to Debian 12 is not as smooth as 11, when trying to upgrade from Debian 10. In fact, it doesn't work directly, so you'll first need to follow this guide to update to Debian 11, reboot and come back here if successful.
Step 2.) Update sources.list
Update your /etc/apt/sources.list like this:
deb http://........
Virtualbox is a very powerful tool, but for some use cases it is less than optimal.
Say you are in a work, lab or other environment where you are not alone on the physical network and there could be overlap of IPs, but you need all of your VMs to be contactable from your host, VMs need to communicate with each other, and VMs need internet.
NAT Network will give you VM to VM communication and internet, however, it is buggy and unstable. It also doesn't allow host to VM co........
Remember that control connections are established on port 1723 and then actual data is transferred over GRE protocol 47.
If you have a NAT setup this will work without special forwarding or accepting of GRE packets (normally if you are not blocking outgoing connections and accepting established and related connections).
The below two commands will get things going so PPTP and GRE work
We first load the ip_nat_pptp module which allows PPTP to work with........
Docker adds iptables rules that break a lot of things including MASQUERADE or anything that needs the FORWARD table. If NAT is not working after Docker installation, it is probably because it set the iptables FORWARD policy to DROP.
This may also make you think that your br0 or bridge is not working, but it's likely just due to what we'll mention later on below, that, Docker probably set your FORWARD chain to default DROP all packets, so nothing on your bridge ever makes it out........
Just use apt-cache policy to find the repo of a package:
apt-cache policy lxd
lxd:
Installed: 3.0.3-0ubuntu1~18.04.2
Candidate: 3.0.3-0ubuntu1~18.04.2
Version table:
*** 3.0.3-0ubuntu1~18.04.2 500
500 http://archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages
&nb........
Let's say we have an IP that is dropped by iptables 192.168.20.2
service iptables status|grep 192.168.20.2
184 DROP all -- 192.168.20.2 0.0.0.0/0
You can use iptables itself like this to list the line numbers:
iptables -L --line-numbers
Two Ways To Delete The iptables Rule........
This is a gotcha but be aware sometimes iptables may be active and loaded by default.
Also make sure you don't just disable firewalld but also stop it otherwise it will still block stuff:
systemctl stop firewalld
If the above is not the issue then it is possible iptables is running and blocking stuff too, so you'll need to stop iptables.
So in addition to opening firewalld or disabling it, you would need to disable iptables........
yum install iptables-services
systemctl enable iptables
service iptables save
iptables: Saving firewall rules to /etc/sysconfig/iptables:[ OK ]........
Having a network bridge allows you to bridge traffic under multiple devices so they can talk natively without using any special routing, iptables/firewall or other trickery.
To create your bridge you need the bridge-utils package for brctl and if you want to do things like bridge VMs that run on a tap device you will need the uml-utilities which provides "tunctl".
1.) Install the utilities to make our bridge
sudo apt-get i........
Whether you are at work, at the coffee shop or on the public internet here are some basic but effective rules for iptables that lock things down (eg. no one can SMB or SSH to you or really anything):
# Generated by iptables-save v1.4.21 on Fri Dec 14 14:00:08 2018
*nat
:PREROUTING ACCEPT [160:19844]
:INPUT ACCEPT [4:357]
:OUTPUT ACCEPT [2955:182236]
:POSTROUTING ACCEPT [2955:182236]
COMMIT
# Completed on Fri Dec 14........
A lot of people just have a -j DROP to drop all unwanted traffic or traffic not explicitly allowed but there is a better solution if you want real and proper logging:
Here is another example of more advanced iptables rules.
Take an example iptables rules file
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -p icmp -j ACCEPT........
First you need the "iptables-persistent" package. This gives you an init script that loads your settings from /etc/iptables/rules.v4 and rules.v6
When you install it, it wll save your default setings in /etc/iptables.
sudo apt-get install iptables-persistent
Remember that the rules are stored here:
For IPV4: /etc/iptables/rules.v4
For IPV6: /etc/iptables/r........
systemd is like the service manager for your Centos and other modern Linux distributions (including Debian/Mint/Ubuntu) allows you to enable services, stop them, restart them, check their status and even reboot your system.
The key commands or arguments you will use with systemctl are the following:
Unit Commands:
list-units [PATTERN...] List loaded units
&nbs........
iptables allow port 22 example
Of course change --dport and -s to suit your needs
#allow certain IP to access port 22
iptables -A INPUT -p tcp -m tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
# block others
iptables -A INPUT -p tcp --dport 22 -j DROP........
iptables -t NAT -A PREROUTING -s 24.30.44.0/24 -j DNAT --to-destination 10.10.10.1
iptables v1.4.7: can't initialize iptables table `NAT': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
Solution
# it is case sensitive "nat" and DO NOT use "NAT" or you will get this error!
iptables -t nat -A PREROUTING -s 24.30.44.0/24 -j DNAT --to-destination 10.10.10.1........
This error is commonly due to Java security or TLS settings but there is a second issue with forwarded ports that also causes it.
1. Java Security/TLS Settings issue:
This article has the solution to change them all in Linux automatically
2. Port Forwarding Issue if your Avocent DSR is behind NAT/private IP........
iptables -F
iptables -t nat -F
iptables -t mangle -F
This is as simple as it gets.........
iptables -t nat -A OUTPUT -m addrtype --src-type LOCAL --dst-type LOCAL -p tcp --dport 3306 -j DNAT --to-destination ip.ip.ip.ip
iptables -t nat -A POSTROUTING -m addrtype --src-type LOCAL --dst-type UNICAST -j MASQUERADE
sysctl -w net.ipv4.conf.all.route_localnet=1
Make sure you substitute "ip.ip.ip.ip" for your real public IP and also the "--dport 3306" for the port you want to forward.
Finally run the sysctl command and........
If you want to make sure only a certain IP can access your server for any service or protocol here is a way to do it (just be sure you have access to the IP(s) mentioned or you will be locked out).
iptables -F
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s IP.IP.IP.IP -j ACCEPT
iptables -A INPUT -j DROP
serv........
service iptables start
iptables: Applying firewall rules: iptables-restore: line 40 failed
[FAILED]........
iptables -t nat -A PREROUTING -p tcp -m multiport --dports 80,443,2068,8192 -j DNAT --to-destination 192.168.1.175
Just adjust the "--dports" to the ports you need and the --to-destination to the destination IP (note it must be on the same network as the server running iptables........
Are you getting the same old error message even though your iptables settings for OpenVZ are correct?
iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
The reason is because in newer vzctl the old way of setting IPTABLES="" in vz.conf is completely deprecated (I spent some time fiddling wondering why my settings were correct but........
iptables -t nat -A PREROUTING -p tcp -m tcp -d 192.168.2.1/32 --dport 3389 -j DNAT --to-destination 192.168.5.2:3389
iptables v1.4.7: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
The above is often because you don't have the correct modules loaded on the hostnode or enabled for the container but in some cases it's actually a weird openvz setting.
Che........
-A PREROUTING -d 98.98.98.5/32 -p tcp -m tcp --dport 1050 -j DNAT --to-destination 192.168.1.50:3389
The above forwards port 1050 on IP98.98.98.5 to 192.168.1.50 port 3389 (you can obviously edit things to meet your needs).........
-A PREROUTING -p tcp -m multiport --dports 10000,18080,13306 -j DNAT --to-destination 192.168.5.83........
yum -y install fail2ban
vi /etc/fail2ban/jail.conf
[asterisk-tcp]
enabled = true
filter = asterisk
action = iptables-multiport[name=asterisk-tcp, port="5060,5061", protocol=tcp]
sendmail-whois[name=Asterisk, dest=you@example.com, sender=fail2ban@example.com]
logpath = /var/log/asterisk/messages
maxret........
pxe-32 tftp open timeout
The solution was to enable tftp in xinetd with "chkconfig tftp on".
See the troubleshooting below:
chkconfig --list
NetworkManager 0:off 1:off 2:off 3:off 4:off 5:off 6:off
acpid 0:off&n........
Say if you need to make a firewall script to block certain ports this works great.
for ports in 21 25 443; do
iptables rules here
done........
iptables -t nat -A PREROUTING -p udp -m multiport --dports 20,123,443 -j REDIRECT --to-port 53
getsockopt failed strangely: Invalid argument........
for ip in `cat fixlist.txt`; do
sudo -u apache ssh root@$ip "`cat iptablesrules.sh`"
done
In the above example we are going to execute the commands within the local file "iptablesrules.sh" on all the machines in "fixlist.txt". This is a great way of performing server maintenance in a clustered or cloud environment.........
This is important if you need public access to internal IPs such as at your office and don't want to use a VPN just to SSHinto different servers:
Below forwards the port "10001" to the IP192.200.5.53 on port 22 (of course adjust it to your needs).
iptables -t nat -A PREROUTING -p tcp --dport 10001 -j DNAT --to-destination 192.200.5.53:22
Remember to enable MASQUERADE on your NAT IPs or they won't be able to talk to the outside world (........
I have iptable_filter loaded on the hostnode so I don't understand this issue.........
This is something I often setup for clients because it's very helpful for people in datacenters, this allows custom OS installs on demand, you can customize it more by using kickstart etc.. but here's a base I use before customizing more:
This little script below will install everything you need to get booting by PXE Linux.
It also assumes you set a local IP (be sure not to overwrite your existing IP) on eth0:0 (note the :0) as 192.168.1.10 and it........
iptables v1.3.5: can't initialize iptables table `nat': Table does not exist (do you need to insmod?)
This solution applies to all other iptables modules/problems for OpenVZ, you'll just need to add them to both lists/lines below if you have modules other than what I have below.
The modules need to be enabled in both iptables and the OpenVZ hostnode itself and then the containers which need it must be restarted.
How To Enable IPTables Modules in OpenVZ........
This is a very basic method and won't work in all cases but will reduce the chance of torrenting/abuse by your server users.
iptables -A INPUT -p tcp --destination-port 6881:6999 -j REJECT
iptables -A OUTPUT -p tcp --source-port 6881:6999 -j REJECT........
I used the suggested script to bridge from OpenVPN and it took my client's server off-line! Don't ever use their "sample" scripts if you don't have another way of accessing the server than SSH.
I actually found it easier to use iptables to tell it to route IPs based on a certain subnet to route through eth0:
iptables -t nat -A POSTROUTING -s 192.168.200.0/24 -o eth0 -j MASQUERADE
Replace "192.168.200.0/24" with your subnet of cour........
May 6 08:16:57 devbox spamc[16225]: connect to spamd on 127.0.0.1 failed, retrying (#2 of 3): Connection timed out
May 6 08:17:02 devbox spamc[20214]: connect to spamd on 127.0.0.1 failed, retrying (#1 of 3): Connection timed out
spamc[16225]: connect to spamd on 127.0.0.1 failed, retrying (#3 of 3): Connection timed out
First make sure that the spamd service is actually running, this is your spamd (spamassassin server) cannot be reached. In my c........
I keep getting messages like this shortly after using the proxy (it works for a few seconds/page loads and then stops):
channel 12: open failed: administratively prohibited: open failed
I'm not sure what the issue is unless there's some kind of hardware firewall on the other end. I've used this exact configuration on multiple servers with no issue and even disabled iptables etc..........
yum exits in the middle
The problem is this VPS seems to be an OpenVZ template from HyperVM. The only way to make it work was to disable i386 packages since this was an x64 kernel. That shouldn't be necessary but it was the only way to make yum stop quitting after the first package or two. I couldn't find any issue by checking the logs either.
echo y|yum install vim-minimal telnet expect jwhois net-tools slocate iptables elinks gawk
L........
This has stumped me a few times because I keep forgetting that Centos 5.5 comes with a default iptables configuration that ends up blocking DRBD traffic,I tried all the normal things and couldn't understand why I couldn't make my normal DRBD config work. So if you have WFConnection problems and have tried the normal "mailing list" fixes, check your firewall status first!
Both Nodes Say the Following:
version: 8.3.8 (api:88/prot........
Adding IP address(es): 192.168.5.8 192.168.5.9
Setting CPU units: 1000
Error: undump failed: Invalid argument
Restoring failed:
Error: iptables-restore exited with 2
Error: Most probably some iptables modules are not loaded
Error: rst_restore_net: -22
Container start failed
Stopping container ...
Container was stopped
Container is unmounted
Error: Failed to undump VE
Resuming...
vzquota : (erro........
This error is annoying, in a Virtuozzo KB entry about this ip tables nat problem they say the kernel needs to be ugpraded:
Symptoms
The node runs 2.6.18-x kernel older than 2.6.18-028stab053.10.
NAT module does not work in container, you get "can't initialize iptables table 'nat'" error:
# iptables -t nat........
The default options for iptables are very basic. Here is what you need to do in order to enable them in OpenVZ.
1.) Add the modules to iptables and restart iptables:
vi /etc/sysconfig/iptables-config
Edit the line as so:
IPTABLES_MODULES="ipt_REJECT ipt_tos ipt_TOS ipt_LOG ip_conntrack ipt_limit ipt_multiport iptable_filter iptable_mangle ipt_TCPMSS ipt_tcpmss ipt_ttl ipt_length ipt_state iptable_nat ip_nat_ftp"
2.........
This is something that annoys a lot of people, fortunately the Redhat style OS's are the most simple in this respect. I disagree that Debian's way makes sense, it is more of a hackish approach in how they implement iptables.
Anyway, for those who are using Redhat/Centos style OS's it is very simple.
Set your rules from the shell/command prompt and to save the iptables firewall rules so they are remember/loaded on boot just run this command:
service iptables........