iptables | An iptables firewall configuration template | Firewall library

by danielmiessler | Shell | Version: Current | License: No License

kandi X-RAY | iptables Summary

iptables is a Shell library typically used in Security, Firewall applications. iptables has no bugs, it has no vulnerabilities and it has low support. You can download it from GitHub.

An iptables firewall configuration template that accompanies the blog post "Building a Professional Firewall Using Linux and Iptables".

            Support

              iptables has a low active ecosystem.
              It has 61 stars with 37 forks. There are 12 watchers for this library.
              It had no major release in the last 6 months.
              There are 2 open issues and 0 have been closed. There are no pull requests.
              It has a neutral sentiment in the developer community.
              The latest version of iptables is current.

            Quality

              iptables has 0 bugs and 0 code smells.

            Security

              iptables has no vulnerabilities reported, and its dependent libraries have no vulnerabilities reported.
              iptables code analysis shows 0 unresolved vulnerabilities.
              There are 0 security hotspots that need review.

            License

              iptables does not have a standard license declared.
              Check the repository for any license declaration and review the terms closely.
              Without a license, all rights are reserved, and you cannot use the library in your applications.

            Reuse

              iptables releases are not available. You will need to build from source code and install.



            Community Discussions

            QUESTION

            How to intercept IP packets going to the kernel Linux
            Asked 2022-Mar-21 at 10:37

            I need to create a TCP session "manually", without using the connect() function. I have tried to use RAW sockets. But in this case, I only get copies of the incoming IP packets. The original incoming packets slip through to the kernel and it generates an ACK response packet that damages my protocol.

            Next, variant 2, I can write a virtual eth interface driver (kernel module) and route incoming traffic to it using iptables. But there is a patched non-original (non-vanilla) kernel on the machine. Normal linking of the module with the kernel is not possible.

            Variant 3. I also tried not to assign an IP address to the NIC interface. In this case, the network TCP/IP layer module in the kernel is not activated and it is possible to generate and receive arbitrary IP packets on the link (ethernet) layer using the PF_PACKET socket domain type in the socket() function. But at this time, any other applications using the TCP/IP protocol can’t work.

            How can this problem be solved in other ways?

            It would be nice if it were possible to intercept packets going from the network interface to the kernel, that is, intercept the SKBuf buffer. But I don't know how to realize it.

            ...

            ANSWER

            Answered 2022-Mar-21 at 10:37

            Apparently you are trying to create a tunnel. Instead of trying to hijack an existing interface, the proper way to create a tunnel is to create a new interface, using a kernel module or TUN/TAP. However, tunnels are normally intended to receive traffic generated on the machine which runs the tunnel software, or at least routed through it. That means you will also have to set up the kernel to route the traffic to your tunnel.

            You can create a new interface as a TUN/TAP interface. It is like a virtual ethernet driver except you don't need to write a new kernel module. It is designed for tunnels (hence the name).

            The difference between TUN and TAP is that a TUN interface is an IP interface that receives IP packets from the kernel's IP routing system, and a TAP interface receives Ethernet packets (which may contain IP packets) so it can alternatively be part of a bridge (a virtual Ethernet switch - which only looks at the Ethernet header, not the IP header).

            I think for your scenario, you will find it easiest to create a TAP interface, then create a bridge (virtual Ethernet switch) between the TAP interface, and the interface which the other host is connected to. Neither one needs an IP address - the kernel will happily pass Ethernet-layer traffic without attempting to process the IP information in the packet. Your tunnel software can then emulate a host - or tunnel to an actual host - or whatever you want it to do.

            Or in visual form:

            If you want the host to also be able to talk to the machine running the tunnel software - without going through the tunnel software - then you may choose to put an IP address on the bridge.

            Source https://stackoverflow.com/questions/71518820
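An added example, written for this page and not part of the answer above or of the danielmiessler/iptables template the page describes. It shows in Python the user-space side of what the answer recommends: creating a TAP interface through /dev/net/tun with no kernel module, and decoding the Ethernet frames such an interface delivers (a TUN interface would deliver bare IP packets instead). The ioctl number, ifreq layout and IFF_* flags are the standard Linux values; the sample frame is constructed; the bridge commands printed at the end and the NIC name eth1 are assumptions for illustration, not anything from the page.

```python
import fcntl
import os
import struct

# Constants from <linux/if_tun.h> and <linux/if.h> (values for x86_64 and aarch64).
TUNSETIFF = 0x400454CA
IFF_TUN = 0x0001    # layer-3 device: reads and writes raw IP packets
IFF_TAP = 0x0002    # layer-2 device: reads and writes whole Ethernet frames
IFF_NO_PI = 0x1000  # omit the 4-byte packet-information header on each frame
IFNAMSIZ = 16


def build_ifreq(name: str, flags: int) -> bytes:
    """Pack the struct ifreq that TUNSETIFF expects: a 16-byte NUL-padded
    interface name followed by a native-endian unsigned short of IFF_* flags."""
    encoded = name.encode()
    if not encoded or len(encoded) >= IFNAMSIZ:
        raise ValueError("interface name must be 1 to 15 bytes")
    return struct.pack("16sH", encoded, flags)


def parse_ifreq_name(ifr: bytes) -> str:
    """Recover the interface name the kernel wrote back into the ifreq."""
    raw_name, _flags = struct.unpack("16sH", ifr[:18])
    return raw_name.split(b"\0", 1)[0].decode()


def open_tap(name: str = "tap0", layer2: bool = True):
    """Create (or attach to) a TAP interface without any kernel module.
    Needs CAP_NET_ADMIN and a usable /dev/net/tun. The kernel may pick a
    different name (e.g. for a "tap%d" template), so the name is read back.
    Returns (fd, actual_name)."""
    flags = (IFF_TAP if layer2 else IFF_TUN) | IFF_NO_PI
    fd = os.open("/dev/net/tun", os.O_RDWR)
    try:
        ifr = fcntl.ioctl(fd, TUNSETIFF, build_ifreq(name, flags))
    except OSError:
        os.close(fd)
        raise
    return fd, parse_ifreq_name(ifr)


def parse_ethernet(frame: bytes) -> dict:
    """Split one frame read from a TAP fd into its Ethernet header fields.
    A TUN fd would deliver bare IP packets with no such header."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {
        "dst": dst.hex(":"),
        "src": src.hex(":"),
        "ethertype": ethertype,  # 0x0800 IPv4, 0x0806 ARP, 0x86DD IPv6
        "payload": frame[14:],
    }


# Constructed sample (not captured from any real host): a broadcast ARP frame
# with a locally administered source MAC and a 28-byte ARP body of zeros.
SAMPLE_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("020000000001")
                + bytes.fromhex("0806") + bytes(28))


if __name__ == "__main__":
    print(parse_ethernet(SAMPLE_FRAME))
    # Live part: only when running as root on a host that exposes /dev/net/tun.
    if os.geteuid() == 0 and os.path.exists("/dev/net/tun"):
        fd, ifname = open_tap("tap0")
        print(f"created {ifname}; bridge it to the NIC facing the other host, e.g.")
        # "eth1" is an assumed NIC name; substitute the real one.
        print(f"  ip link add br0 type bridge && ip link set {ifname} master br0")
        print(f"  ip link set eth1 master br0 && ip link set {ifname} up && ip link set br0 up")
        # After that, each os.read(fd, 2048) returns one Ethernet frame the
        # bridge forwards to the TAP side; os.write(fd, frame) injects one.
        os.close(fd)
```

Because neither the TAP device nor the bridge needs an IP address, the kernel's TCP stack never sees the bridged frames and cannot answer them with its own ACKs, which is the failure the question describes with raw sockets; the process holding the TAP fd is the only party that replies.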

            QUESTION

            Kubernetes nginx ingress controller is unreliable
            Asked 2022-Mar-13 at 06:38

            I need help understanding in detail how an ingress controller, specifically the ingress-nginx ingress controller, is supposed to work. To me, it appears as a black box that is supposed to listen on a public IP, terminate TLS, and forward traffic to a pod. But exactly how that happens is a mystery to me.

            The primary goal here is understanding, the secondary goal is troubleshooting an immediate issue I'm facing.

            I have a cluster with five nodes, and am trying to get the Jupyterhub application to run on it. For the most part, it is working fine. I'm using a pretty standard Rancher RKE setup with flannel/calico for the networking. The nodes run RedHat 7.9 with iptables and firewalld, and docker 19.03.

            The Jupyterhub proxy is set up with a ClusterIP service (I also tried a NodePort service, that also works). I also set up an ingress. The ingress sometimes works, but oftentimes does not respond (connection times out). Specifically, if I delete the ingress, and then redeploy my helm chart, the ingress will start working. Also, if I restart one of my nodes, the ingress will start working again. I have not identified the circumstances when the ingress stops working.

            Here are my relevant services:

            ...

            ANSWER

            Answered 2022-Mar-13 at 06:38

            I found the answer to my question here: https://www.stackrox.io/blog/kubernetes-networking-demystified/ There probably is a caveat that this may vary to some extent depending on which networking CNI you are using, although everything I saw was strictly related to Kubernetes itself.

            I'm still trying to digest the content of this blog, and I highly recommend referring directly to that blog, instead of relying on my answer, which could be a poor retelling of the story.

            Here is approximately how a packet that arrives on port 443 flows.

            You will need to use the command to see the tables.

            Source https://stackoverflow.com/questions/71013284

            QUESTION

            QEMU hostfwd works only for some ports
            Asked 2022-Feb-24 at 04:17

            I compiled qemu-system-x86_64 on aarch64 host, and was able to run a x86_64 guest with a command like

            ...

            ANSWER

            Answered 2022-Feb-24 at 04:17

            The problem was actually about the firewall. My VM (based on Oracle Linux 8.5 on Oracle Linux VM Templates) actually had firewall rules in both iptables and nft. After disabling both iptables and nft, the port forward worked.

            Source https://stackoverflow.com/questions/71033704
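The answer above got the forward working by switching off iptables and nft entirely. As an added example, written for this page and not part of the question, the answer or the iptables template the page describes, here is a small checker that reads iptables-save output and predicts which rule a fresh inbound packet to the forwarded port would hit, so the blocking rule can be identified and a targeted ACCEPT inserted instead. The iptables-save text is constructed; the checker evaluates only -p, --dport, -i and conntrack-state matches, reports every other match or jump as uncertain rather than guessing, and does not cover nft rulesets, whose syntax is different.

```python
from __future__ import annotations

import shlex
from dataclasses import dataclass, field

# Constructed sample of `iptables-save` output (not from any real host): SSH and
# one extra TCP port are allowed for new connections, everything else is rejected.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 2222 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Rule:
    chain: str
    text: str
    proto: str | None = None
    dport: int | None = None
    in_iface: str | None = None
    states: set | None = None             # from --state / --ctstate
    unknown: list = field(default_factory=list)  # match options not evaluated here
    target: str | None = None


def parse_save(save_text: str):
    """Return (chain policies, rules) from an iptables-save dump."""
    policies, rules = {}, []
    for line in save_text.splitlines():
        line = line.strip()
        if line.startswith(":"):                 # ":INPUT ACCEPT [0:0]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            continue
        if not line.startswith("-A "):
            continue
        tok = shlex.split(line)
        rule = Rule(chain=tok[1], text=line)
        i = 2
        while i < len(tok):
            opt, arg = tok[i], (tok[i + 1] if i + 1 < len(tok) else None)
            if opt in ("-p", "--protocol"):
                rule.proto = arg
            elif opt == "--dport":
                rule.dport = int(arg)
            elif opt == "-i":
                rule.in_iface = arg
            elif opt in ("--state", "--ctstate"):
                rule.states = set(arg.upper().split(","))
            elif opt == "-m":
                pass                              # match-module loader, no effect by itself
            elif opt in ("-j", "--jump"):
                rule.target = arg
                break                             # anything after -j is a target option
            else:
                rule.unknown.append(opt)          # e.g. -s, --dports, "!" negation
                i += 1
                continue
            i += 2
        rules.append(rule)
    return policies, rules


def predict_verdict(save_text: str, chain: str, proto: str, port: int, in_iface: str):
    """Walk CHAIN top to bottom for the first packet of a new PROTO connection
    to PORT arriving on IN_IFACE. Returns (verdict, list of rules that were
    skipped as uncertain because this checker cannot evaluate them)."""
    policies, rules = parse_save(save_text)
    uncertain = []
    for r in rules:
        if r.chain != chain:
            continue
        if r.proto not in (None, "all", proto):
            continue
        if r.dport is not None and r.dport != port:
            continue
        if r.in_iface is not None and r.in_iface != in_iface:
            continue
        if r.states is not None and "NEW" not in r.states:
            continue                              # RELATED/ESTABLISHED never match a first SYN
        if r.unknown:
            uncertain.append(r.text)
            continue
        if r.target in TERMINAL:
            return r.target, uncertain
        if r.target not in (None, "LOG"):
            uncertain.append(r.text)              # jump into a user chain we do not follow
    return policies.get(chain, "ACCEPT"), uncertain


if __name__ == "__main__":
    # 5555 stands in for the guest port hostfwd maps to; it is an assumed value.
    verdict, unsure = predict_verdict(SAMPLE_IPTABLES_SAVE, "INPUT", "tcp", 5555, "eth0")
    print(f"new tcp/5555 on eth0 -> {verdict}; uncertain rules: {unsure}")
    if verdict != "ACCEPT":
        print("targeted fix instead of disabling the firewall:")
        print("  iptables -I INPUT -p tcp --dport 5555 -j ACCEPT")
```

On a real host the input is simply the output of `iptables-save` (run as root); a non-empty uncertain list means the prediction should be confirmed by reading those rules by hand, and `nft list ruleset` still has to be checked separately on systems that carry both.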

            QUESTION

            container restart reason OOMKilled with exit code 1
            Asked 2022-Feb-23 at 08:50

            Recently, the same container of several pods in a deployment restarted with OOMKilled event. Here is the description of one of the containers:

            ...

            ANSWER

            Answered 2022-Feb-22 at 13:29

            Two possible reasons:

            Reason #1

            Subprocess was killed by OOM killer (it received SIGKILL(9) from OOM killer), resulting in application crashing with exit code 1, and OOMKilled reason for termination.

            Reason #2

            If you have initContainers specified, init container could have been killed by OOM killer, resulting in OOMKilled reason, and application crashing with exit code 1 due to the bad initialization.

            OOM kill is not very well documented in Kubernetes docs. For example

            Containers are marked as OOM killed only when the init pid gets killed by the kernel OOM killer. There are apps that can tolerate OOM kills of non init processes and so we chose to not track non-init process OOM kills. [source]

            I could not find any mentions of it anywhere, other than this GitHub issue.

            The first reason is more probable in my opinion.
            Possible solution is to increase memory limits (if you have any).

            Source https://stackoverflow.com/questions/71208960

            QUESTION

            Readiness fails in the Eclipse Hono pods of the Cloud2Edge package
            Asked 2022-Feb-09 at 06:58

            I am a bit desperate and I hope someone can help me. A few months ago I installed the eclipse cloud2edge package on a kubernetes cluster by following the installation instructions, creating a persistentVolume and running the helm install command with these options.

            ...

            ANSWER

            Answered 2022-Feb-09 at 06:58

            Based on the iconic Failed to create SSL Connection output in the logs, I assume that you have run into the dreaded The demo certificates included in the Hono chart have expired problem.

            The Cloud2Edge package chart is being updated currently (https://github.com/eclipse/packages/pull/337) with the most recent version of the Ditto and Hono charts (which includes fresh certificates that are valid for two more years to come). As soon as that PR is merged and the Eclipse Packages chart repository has been rebuilt, you should be able to do a helm repo update and then (hopefully) successfully install the c2e package.

            Source https://stackoverflow.com/questions/71034254

            QUESTION

            Kubernetes NodePort is not available on all nodes - Oracle Cloud Infrastructure (OCI)
            Asked 2022-Jan-31 at 14:37

            I've been trying to get over this but I'm out of ideas for now hence I'm posting the question here.

            I'm experimenting with the Oracle Cloud Infrastructure (OCI) and I wanted to create a Kubernetes cluster which exposes some service.

            The goal is:

            • A running managed Kubernetes cluster (OKE)
            • 2 nodes at least
            • 1 service that's accessible for external parties

            The infra looks the following:

            • A VCN for the whole thing
            • A private subnet on 10.0.1.0/24
            • A public subnet on 10.0.0.0/24
            • NAT gateway for the private subnet
            • Internet gateway for the public subnet
            • Service gateway
            • The corresponding security lists for both subnets which I won't share right now unless somebody asks for it
            • A containerengine K8S (OKE) cluster in the VCN with public Kubernetes API enabled
            • A node pool for the K8S cluster with 2 availability domains and with 2 instances right now. The instances are ARM machines with 1 OCPU and 6GB RAM running Oracle-Linux-7.9-aarch64-2021.12.08-0 images.
            • A namespace in the K8S cluster (call it staging for now)
            • A deployment which refers to a custom NextJS application serving traffic on port 3000

            And now it's the point where I want to expose the service running on port 3000.

            I have 2 obvious choices:

            • Create a LoadBalancer service in K8S which will spawn a classic Load Balancer in OCI, set up its listener and set up the backendset referring to the 2 nodes in the cluster, plus it adjusts the subnet security lists to make sure traffic can flow
            • Create a Network Load Balancer in OCI and create a NodePort on K8S and manually configure the NLB to the ~same settings as the classic Load Balancer

            The first one works perfectly fine but I want to use this cluster with minimal costs so I decided to experiment with option 2, the NLB since it's way cheaper (zero cost).

            Long story short, everything works and I can access the NextJS app on the IP of the NLB most of the time, but sometimes I couldn't. I decided to look up what was going on, and it turned out the NodePort that I exposed in the cluster isn't working how I'd imagined.

            The service behind the NodePort is only accessible on the Node that's running the pod in K8S. Assume NodeA is running the service and NodeB is just there chilling. If I try to hit the service on NodeA, everything is fine. But when I try to do the same on NodeB, I don't get a response at all.

            That's my problem and I couldn't figure out what could be the issue.

            What I've tried so far:

            • Switching from ARM machines to AMD ones - no change
            • Created a bastion host in the public subnet to test which nodes are responding to requests. Turned out only the node responds that's running the pod.
            • Created a regular LoadBalancer in K8S with the same config as the NodePort (in this case OCI will create a classic Load Balancer), that works perfectly
            • Tried upgrading to Oracle 8.4 images for the K8S nodes, didn't fix it
            • Ran the Node Doctor on the nodes, everything is fine
            • Checked the logs of kube-proxy, kube-flannel, core-dns, no error
            • Since the cluster consists of 2 nodes, I gave it a try and added one more node and the service was not accessible on the new node either
            • Recreated the cluster from scratch

            Edit: Some update. I've tried to use a DaemonSet instead of a regular Deployment for the pod to ensure that, as a temporary solution, all nodes are running at least one instance of the pod, and, surprise: the node that was previously not responding to requests on that specific port still does not, even though a pod is running on it.

            Edit2: Originally I was running the latest K8S version for the cluster (v1.21.5) and I tried downgrading to v1.20.11 and unfortunately the issue is still present.

            Edit3: Checked if the NodePort is open on the node that's not responding and it is, at least kube-proxy is listening on it.

            ...

            ANSWER

            Answered 2022-Jan-31 at 12:06

            Might not be the ideal fix, but can you try changing the externalTrafficPolicy to Local? This would prevent the health check on the nodes which don't run the application from failing. This way the traffic will only be forwarded to the node where the application is. Setting externalTrafficPolicy to Local is also a requirement to preserve the source IP of the connection. Also, can you share the health check config for both the NLB and the LB that you are using? When you change the externalTrafficPolicy, note that the health check for the LB would change and the same needs to be applied to the NLB.

            Edit: Also note that you need a security list/ network security group added to your node subnet/nodepool, which allows traffic on all protocols from the worker node subnet.

            Source https://stackoverflow.com/questions/70893487

            QUESTION

            Sentry Logging Error, what's wrong with my config and how can I get more detailed errors from sentry? (Possibly Docker related?)
            Asked 2022-Jan-26 at 05:52

            I recently have been working with Sentry, and I have been having some issues with it.

            After many hours of frustration getting it to work, I enabled debug mode to see the output. This is what happens every time:

            I have followed the docs step by step on integrating this. I have a file to initialize the logging, and then my index file. Here is my logging initialization file:

            ...

            ANSWER

            Answered 2022-Jan-25 at 14:21

            1. Is DSN an array, or a string? It should be a string according to the Sentry docs.

            2. An error which mentions 0.0.0.0 is frequently DNS related. Have you checked the DNS configuration for your docker? Is there a hosts file? A possible cause could be something intercepting the DNS requests and returning 0.0.0.0.

            Source https://stackoverflow.com/questions/70807401

            QUESTION

            Unable to start minikube on Mac M1 with docker
            Asked 2022-Jan-19 at 12:43

            I'm trying to start minikube on a Mac M1 (macOs Monterey V12.0.1) after installing minikube with homebrew (brew install minikube) but I am getting an error after running minikube start.

            The error in the logs is this one:

            ...

            ANSWER

            Answered 2021-Nov-29 at 20:06

            I was able to find the solution to my problem, although, I'm not really sure what was the main issue, it seems that it was related to old configurations in the .minikube folder in the users' home directory.

            To fix it, first I had to enable Kubernetes in Docker Desktop, then I had to stop and delete the minikube cluster, and finally delete the directory. Then running the command again was successful.

            To fix:

            Source https://stackoverflow.com/questions/70160392

            QUESTION

            iptables command not found in docker-compose container
            Asked 2022-Jan-07 at 05:50

            We have the docker-compose file

            ...

            ANSWER

            Answered 2022-Jan-07 at 05:50

            /bin/sh: iptables: not found

            This means the grafana/grafana-oss:latest default doesn't include the iptables command.

            You could install it with apk add --no-cache iptables ip6tables, see Running (and debugging) iptables inside a Docker container.

            A quick experiment as next:

            Source https://stackoverflow.com/questions/70616957

            QUESTION

            How to relay outbound request from docker container to modify headers?
            Asked 2022-Jan-04 at 09:19

            I have an application that is running in Docker configured with an NGINX reverse proxy. The application is a binary, I don't have source code and there's no way to modify the header of an HTTP request from the app itself. My goal is to append a header field before the request is dispatched out of the host machine:

            ...

            ANSWER

            Answered 2021-Nov-09 at 08:52

            You could use Traefik reverse proxy v2.4+ with Traefik Pilot enabled and a plugin like Header transformation.

            You run Traefik as a container which routes the traffic to the other containers. You can then link your instance to Traefik Pilot using a token, which enables plugins. If you use labels in a docker-compose.yml file:

            Source https://stackoverflow.com/questions/69894775

            Community Discussions, Code Snippets contain sources that include Stack Exchange Network

            Vulnerabilities

            No vulnerabilities reported

            Install iptables

            You can download it from GitHub.

            Support

            For any new features, suggestions and bugs create an issue on GitHub. If you have any questions check and ask questions on community page Stack Overflow .
            CLONE

            • HTTPS: https://github.com/danielmiessler/iptables.git
            • CLI: gh repo clone danielmiessler/iptables
            • SSH URL: git@github.com:danielmiessler/iptables.git

