Can't install packages using pip in a Conda environment.
I am getting a timeout when trying to pip install.
When trying to extend the timeout I'm getting a protocol error.
When trying to telnet directly from the CLI to pypi.org there is no problem.
There are no firewall rules on my laptop and no proxy in use.
I couldn't find any special pip configuration file on my filesystem.
What am I missing?
(base) [liran#localhost ~]$ pip3 install django
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'ReadTimeoutError("HTTPSConnectionPool(host='pypi.org', port=443): Read timed out. (read timeout=15)")': /simple/django/
(base) [liran#localhost ~]$ pip3 --default-timeout=1000 install django
WARNING: Retrying (Retry(total=4, connect=None, read=None, redirect=None, status=None)) after connection broken by 'ProtocolError('Connection aborted.', OSError(0, 'Error'))': /simple/django/
(base) [liran#localhost ~]$ telnet pypi.org 443
Trying 2a04:4e42::223...
Connected to pypi.org.
Escape character is '^]'.
(base) [liran#localhost ~]$ sudo iptables --list
[sudo] password for liran:
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy DROP)
target prot opt source destination
DOCKER-USER all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-1 all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere localhost
ACCEPT all -- anywhere 192.168.0.0/16
ACCEPT all -- anywhere 10.0.0.0/8
ACCEPT all -- anywhere 172.16.0.0/12
Chain DOCKER (3 references)
target prot opt source destination
Chain DOCKER-ISOLATION-STAGE-1 (1 references)
target prot opt source destination
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
DOCKER-ISOLATION-STAGE-2 all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-ISOLATION-STAGE-2 (3 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
RETURN all -- anywhere anywhere
Chain DOCKER-USER (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
(base) [liran#localhost ~]$ sudo iptables --list-rules
-P INPUT ACCEPT
-P FORWARD DROP
-P OUTPUT ACCEPT
-N DOCKER
-N DOCKER-ISOLATION-STAGE-1
-N DOCKER-ISOLATION-STAGE-2
-N DOCKER-USER
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A FORWARD -o br-e6c6ca45026f -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-e6c6ca45026f -j DOCKER
-A FORWARD -i br-e6c6ca45026f ! -o br-e6c6ca45026f -j ACCEPT
-A FORWARD -i br-e6c6ca45026f -o br-e6c6ca45026f -j ACCEPT
-A FORWARD -o br-db5f0b288d0b -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o br-db5f0b288d0b -j DOCKER
-A FORWARD -i br-db5f0b288d0b ! -o br-db5f0b288d0b -j ACCEPT
-A FORWARD -i br-db5f0b288d0b -o br-db5f0b288d0b -j ACCEPT
-A OUTPUT -d 127.0.0.1/32 -j ACCEPT
-A OUTPUT -d 192.168.0.0/16 -j ACCEPT
-A OUTPUT -d 10.0.0.0/8 -j ACCEPT
-A OUTPUT -d 172.16.0.0/12 -j ACCEPT
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-e6c6ca45026f ! -o br-e6c6ca45026f -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -i br-db5f0b288d0b ! -o br-db5f0b288d0b -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-e6c6ca45026f -j DROP
-A DOCKER-ISOLATION-STAGE-2 -o br-db5f0b288d0b -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
(base) [liran#localhost ~]$ ifconfig
br-db5f0b288d0b: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.18.0.1 netmask 255.255.0.0 broadcast 172.18.255.255
ether 02:42:b1:a2:5c:1e txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
br-e6c6ca45026f: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.20.0.1 netmask 255.255.0.0 broadcast 172.20.255.255
ether 02:42:30:14:c7:09 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:de:2b:44:03 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
enp7s0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether f8:75:a4:31:51:b1 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 10 bytes 390 (390.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 10 bytes 390 (390.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vmnet1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.172.1 netmask 255.255.255.0 broadcast 172.16.172.255
inet6 fe80::250:56ff:fec0:1 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:c0:00:01 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 69 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vmnet8: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.102.1 netmask 255.255.255.0 broadcast 172.16.102.255
inet6 fe80::250:56ff:fec0:8 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:c0:00:08 txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 70 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
wlp0s20f3: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.17 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 2a00:a040:199:d001::1000 prefixlen 128 scopeid 0x0<global>
inet6 fe80::245:9de5:cdb8:4e8b prefixlen 64 scopeid 0x20<link>
inet6 2a00:a040:199:d001:110d:97b0:26a6:ef1e prefixlen 64 scopeid 0x0<global>
ether 4c:1d:96:05:98:1c txqueuelen 1000 (Ethernet)
RX packets 15060 bytes 15676416 (14.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5081 bytes 1244776 (1.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
(base) [liran#localhost ~]$ which pip
~/anaconda3_2020_11/bin/pip
Well, I haven't figured out yet why pip install doesn't connect to the server, but I managed to install the specific packages I wanted (django, djangorestframework) using conda install django and conda install -c conda-forge djangorestframework.
There is already a configured transparent proxy (squid-3.5.27) and an EdgeOS EdgeRouter.
I want to set up the following chain:
all computers on the network -> router -> squid
squid - 109.0.0.110
router - 109.0.0.1
test Windows machine - 109.0.0.8
squid.conf configuration, version squid-3.5.27:
# You should use the same dns resolver on squid and all clients
dns_nameservers 127.0.0.1
# acls
acl localnet src 109.0.0.0/24 # RFC1918 possible internal network
acl localnet src 192.168.1.0/24 # RFC1918 possible internal network
acl localnet src 192.168.10.0/24 # RFC1918 possible internal network
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
acl blocked_http dstdomain "/etc/squid/blocked_sites.txt"
# http access
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access deny blocked_http
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128 intercept
https_port 3129 intercept ssl-bump connection-auth=off cert=/etc/squid/squidCA.pem
http_port 3130
always_direct allow all
sslproxy_cert_error allow all
sslproxy_flags DONT_VERIFY_PEER
acl blocked ssl::server_name "/etc/squid/blocked_https.txt"
acl whitelist src "/etc/squid/whitelist_ip.txt"
ssl_bump splice whitelist
acl step1 at_step SslBump1
ssl_bump peek step1
ssl_bump terminate blocked
ssl_bump splice all
sslcrtd_program /opt/source/squid-3.5.27/src/ssl/ssl_crtd -s /var/lib/ssl_db -M 4MB
sslcrtd_children 8 startup=1 idle=1
acl YOUTUBE ssl::server_name .googlevideo.com
delay_pools 1
delay_class 1 2
delay_parameters 1 -1/-1 5120/5120
delay_access 1 allow YOUTUBE
coredump_dir /var/spool/squid
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
refresh_pattern . 0 20% 4320
cache_dir aufs /var/spool/squid 20000 49 256
maximum_object_size 61440 KB
minimum_object_size 3 KB
cache_swap_low 90
cache_swap_high 95
maximum_object_size_in_memory 512 KB
memory_replacement_policy lru
logfile_rotate 4
Following this doc, I configured these iptables rules:
iptables -t nat -A PREROUTING -i eth0 ! -s 109.0.0.110 -p tcp --dport 80 -j DNAT --to 109.0.0.110:3128
iptables -t nat -A POSTROUTING -o eth0 -s 109.0.0.8/32 -d 109.0.0.110/32 -j SNAT --to 109.0.0.1
iptables -A FORWARD -s 109.0.0.8/32 -d 109.0.0.110/32 -i eth0 -o eth0 -p tcp --dport 3128 -j ACCEPT
When I try to open a site on the test Windows machine (109.0.0.8), access is denied. On Windows the gateway is 109.0.0.1. In the squid logs:
1546203601.533 0 109.0.0.110 TCP_MISS/403 4857 GET http://myip.ru/ - HIER_NONE/- text/html
1546203601.533 1 109.0.0.1 TCP_MISS/403 4977 GET http://myip.ru/ - ORIGINAL_DST/109.0.0.110 text/html
tcpdump on the squid server:
11:00:57.141246 IP 109.0.0.8.54026 > myip.ru.http: Flags [F.], seq 1, ack 1, win 2087, length 0
11:00:57.141570 IP 109.0.0.8.54030 > myip.ru.http: Flags [S], seq 1736419147, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
11:00:57.141971 IP myip.ru.http > 109.0.0.8.54026: Flags [.], ack 2, win 58, length 0
11:00:57.142115 IP myip.ru.http > 109.0.0.8.54026: Flags [F.], seq 1, ack 2, win 58, length 0
11:00:57.142304 IP myip.ru.http > 109.0.0.8.54030: Flags [S.], seq 4065681746, ack 1736419148, win 29200, options [mss 1452,nop,nop,sackOK,nop,wscale 9], length 0
11:00:57.142363 IP 109.0.0.8.54026 > myip.ru.http: Flags [.], ack 2, win 2087, length 0
11:00:57.142505 IP 109.0.0.8.54030 > myip.ru.http: Flags [.], ack 1, win 260, length 0
11:00:57.144743 IP 109.0.0.8.54025 > myip.ru.http: Flags [P.], seq 2136:2856, ack 23054, win 2087, length 720: HTTP: GET / HTTP/1.1
11:00:57.146027 IP myip.ru.http > 109.0.0.8.54025: Flags [P.], seq 23054:23572, ack 2856, win 69, length 518: HTTP: HTTP/1.1 403 Forbidden
Can you tell me what the problem could be? I will be grateful for any help.
Update
When I open a site over http on Windows I get a 403; over https I get an invalid certificate, because the proxy server certificate is substituted in the browser. What am I doing wrong?
Update 2
When adding these rules on the router:
iptables -t nat -I PREROUTING -i eth0 -s 109.0.0.8 -p tcp --dport 80 -j DNAT --to 109.0.0.110:3128
iptables -t nat -I PREROUTING -i eth0 -s 109.0.0.8 -p tcp --dport 443 -j DNAT --to 109.0.0.110:3129
iptables -t nat -I POSTROUTING -o eth0 -s 109.0.0.8 -d 109.0.0.110 -j SNAT --to 109.0.0.1
Proxy server rules:
*nat
:PREROUTING ACCEPT [314:20555]
:INPUT ACCEPT [313:20511]
:OUTPUT ACCEPT [844:60999]
:POSTROUTING ACCEPT [2:130]
-A PREROUTING -s 109.0.0.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A PREROUTING -s 109.0.0.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -s 192.168.10.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A PREROUTING -s 192.168.10.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 3129
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
-A POSTROUTING -s 109.0.0.0/24 -j SNAT --to-source 109.0.0.110
-A POSTROUTING -s 192.168.10.0/24 -j SNAT --to-source 109.0.0.110
-A POSTROUTING -s 192.168.1.0/24 -j SNAT --to-source 109.0.0.110
COMMIT
*filter
:INPUT ACCEPT [340:18626]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1809:273786]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 109.0.0.0/24 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -s 192.168.10.0/24 -j ACCEPT
-A INPUT -j LOG
-A INPUT -p tcp -m multiport --dports 3128:3130 -j DROP
-A FORWARD -s 109.0.0.0/24 -p udp -m multiport --dports 80,443 -j DROP
COMMIT
When opening a site over http on Windows, cache.log shows:
kid1| WARNING: Forwarding loop detected for:
GET / HTTP/1.1^M
Upgrade-Insecure-Requests: 1^M
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36^M
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8^M
Accept-Encoding: gzip, deflate^M
Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7^M
Via: 1.1 proxy.server (squid/3.5.27)^M
X-Forwarded-For: 109.0.0.1^M
Cache-Control: max-age=259200^M
Connection: keep-alive^M
Host: myip.ru^M
^M
kid1| WARNING: Forwarding loop detected for:
GET /favicon.ico HTTP/1.1^M
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36^M
Accept: image/webp,image/apng,image/*,*/*;q=0.8^M
Referer: http://myip.ru/^M
Accept-Encoding: gzip, deflate^M
Accept-Language: ru-RU,ru;q=0.9,en-US;q=0.8,en;q=0.7^M
Via: 1.1 proxy.server (squid/3.5.27)^M
X-Forwarded-For: 109.0.0.1^M
Cache-Control: max-age=259200^M
Connection: keep-alive^M
Host: myip.ru^M
In access.log:
1546711344.892 0 109.0.0.110 TCP_MISS/403 4514 GET http://myip.ru/ - HIER_NONE/- text/html
1546711344.893 0 109.0.0.1 TCP_MISS/403 4634 GET http://myip.ru/ - ORIGINAL_DST/109.0.0.110 text/html
1546711344.913 0 109.0.0.110 TCP_MISS/403 4479 GET http://myip.ru/favicon.ico - HIER_NONE/- text/html
1546711344.913 0 109.0.0.1 TCP_MISS/403 4599 GET http://myip.ru/favicon.ico - ORIGINAL_DST/109.0.0.110 text/html
How do I fix the "WARNING: Forwarding loop detected for" error? Any help?
Don't use DNAT and change the destination IP! Forward your traffic to the Squid machine as it was generated on the client machine, by changing the IP routing table. See https://wiki.squid-cache.org/ConfigExamples/Intercept/IptablesPolicyRoute
I had the same problem which has been solved by this approach.
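Added example, not part of the answer or of Squid itself: a Python parser for Squid's native access.log format that flags the loop described above, an intercepted request whose ORIGINAL_DST is the proxy's own address, which is exactly what the router's DNAT produces. The sample log is constructed from the excerpt in the question plus one healthy line to a TEST-NET address; the proxy address 109.0.0.110 comes from the question.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed sample: the four access.log lines from the question, plus one
# healthy intercepted request to a documentation-range address (TEST-NET-3).
SAMPLE_ACCESS_LOG = """\
1546711344.892      0 109.0.0.110 TCP_MISS/403 4514 GET http://myip.ru/ - HIER_NONE/- text/html
1546711344.893      0 109.0.0.1 TCP_MISS/403 4634 GET http://myip.ru/ - ORIGINAL_DST/109.0.0.110 text/html
1546711344.913      0 109.0.0.110 TCP_MISS/403 4479 GET http://myip.ru/favicon.ico - HIER_NONE/- text/html
1546711344.913      0 109.0.0.1 TCP_MISS/403 4599 GET http://myip.ru/favicon.ico - ORIGINAL_DST/109.0.0.110 text/html
1546711400.120     35 109.0.0.8 TCP_MISS/200 12034 GET http://example.test/ - ORIGINAL_DST/203.0.113.10 text/html
"""

PROXY_IPS = {"109.0.0.110"}  # the Squid box from the question


@dataclass(frozen=True)
class AccessEntry:
    ts: float
    client: str
    result: str      # e.g. TCP_MISS/403
    url: str
    hierarchy: str   # e.g. ORIGINAL_DST, HIER_NONE
    peer: str        # next-hop address, or '-'


def parse_access_line(line: str) -> Optional[AccessEntry]:
    """Parse one line of Squid's native access.log format (10 whitespace fields)."""
    f = line.split()
    if len(f) < 10:
        return None
    hierarchy, _, peer = f[8].partition("/")
    return AccessEntry(float(f[0]), f[2], f[3], f[6], hierarchy, peer)


def find_forwarding_loops(lines: Iterable[str], proxy_ips: Set[str]) -> List[AccessEntry]:
    """Intercepted requests whose original destination is the proxy itself.

    When the router DNATs port 80 to Squid, the packet reaches Squid with
    dst = Squid's own address, so ORIGINAL_DST resolves to the proxy and
    Squid connects back to itself: that is the 'Forwarding loop detected'
    warning in cache.log. Routing the packet unchanged (policy routing)
    keeps the real server address in ORIGINAL_DST.
    """
    loops = []
    for line in lines:
        e = parse_access_line(line)
        if e and e.hierarchy == "ORIGINAL_DST" and e.peer in proxy_ips:
            loops.append(e)
    return loops


def self_requests(lines: Iterable[str], proxy_ips: Set[str]) -> List[AccessEntry]:
    """The second hop of each loop: requests whose client is the proxy itself."""
    out = []
    for line in lines:
        e = parse_access_line(line)
        if e and e.client in proxy_ips and e.hierarchy == "HIER_NONE":
            out.append(e)
    return out


def loop_summary(log_text: str, proxy_ips: Set[str]) -> Dict[str, int]:
    """Count looped requests per URL, for a quick look at a busy log."""
    counts: Dict[str, int] = {}
    for e in find_forwarding_loops(log_text.splitlines(), proxy_ips):
        counts[e.url] = counts.get(e.url, 0) + 1
    return counts


if __name__ == "__main__":
    for e in find_forwarding_loops(SAMPLE_ACCESS_LOG.splitlines(), PROXY_IPS):
        print(f"loop: {e.client} -> {e.url} (ORIGINAL_DST is proxy {e.peer})")
    print(loop_summary(SAMPLE_ACCESS_LOG, PROXY_IPS))
```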
I have a transparent proxy.
I want to redirect an RDP connection to a local process, but starting from the 3rd packet. That means I want to pass the first and second packets and, from the 3rd packet until the end, redirect the packets to the local process.
I use the code below to configure my tproxy.
But it does not work: no packets pass and no packets go to the local process (50082).
Could you please help me? I don't know my mistake.
${ip} rule add fwmark 1 lookup 100
${ip} route add local 0.0.0.0/0 dev lo table 100
${iptables} -t mangle -N DIVERT
${iptables} -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
${iptables} -t mangle -A DIVERT -j MARK --set-mark 1
${iptables} -t mangle -A DIVERT -j ACCEPT
${iptables} -t mangle -A PREROUTING -p tcp --dport 3389 -m connbytes --connbytes 3: --connbytes-dir both --connbytes-mode packets -j TPROXY --tproxy-mark 0x1/0x1 --on-port 50082
${iptables} -t mangle -A PREROUTING -p tcp --dport 3389 -m connbytes --connbytes 1:3 --connbytes-dir both --connbytes-mode packets -j ACCEPT
I'm using fail2ban to block failed login attempts on my server. The block is performed using IP tables with the following configuration:
actionstart = iptables -N fail2ban
iptables -A fail2ban -j RETURN
iptables -I <chain> -p tcp -m multiport --dports <port> -j fail2ban
actionstop = iptables -D <chain> -p tcp -m multiport --dports <port> -j fail2ban
iptables -F fail2ban
iptables -X fail2ban
actionban = iptables -I fail2ban 1 -s <ip> -j DROP
actionunban = iptables -D fail2ban -s <ip> -j DROP
What I'm concerned about is rules processing performance. The above rules are in stateful mode and I've been wondering if stateless mode would make the processing faster. To make things clear, I'm blocking the intruder IP address on a TCP port (e.g., 22 or 25).
I read somewhere that for TCP connections especially, adding the ESTABLISHED,RELATED states would be better. But since each IP refers to a different connection, does it make sense to apply these states?
UPDATE:
Here is a sample iptables -L:
Chain INPUT (policy ACCEPT 399 packets, 36043 bytes)
pkts bytes target prot opt in out source destination
39 4230 fail2ban tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 22,25,80,99,100,101
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 282 packets, 39686 bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban (1 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 192.168.0.1 0.0.0.0/0
0 0 DROP all -- * * 192.168.0.2 0.0.0.0/0
0 0 DROP all -- * * 192.168.0.3 0.0.0.0/0
0 0 DROP all -- * * 192.168.0.4 0.0.0.0/0
39 4230 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Despite what many performance apologists claim, IPtables CAN have significant overhead, but it won't be noticeable until you get some substantial traffic. Now how you do the tables, and which extensions you call, will be determining factor on CPU overhead per packet.
As for stateless vs stateful, yes the performance difference can be immense, but again it's at a very high throughput. In addition, as you may have read, a stateless firewall is much more complex to manage. It should really only be done if the IPtable impact is measurable.
BUT good practice should always be followed, and IMO that includes the least amount of overhead without adding lots of complexity.
Now as for your situation, fail2ban is only considering a segment of your iptables overall, but the only thing that I would recommend looking at preventively is this part.
-p tcp -m multiport --dports
Using the multiport extension does have more overhead, except when doing so would make a solid reduction of rules. Since you are only doing 2, I would list them separately, to avoid the multiport extension... or better yet just one by range, if you don't care about blocking 23 and 24.
-p tcp -m tcp --dport 22:25
As for established tracking, yes you can use it with fail2ban, although it does have some considerations. To get the most impact, you'd want to place fail2ban chain below ESTABLISHED,RELATED. However this will allow already established connections, considering you'd need an already authenticated user, it seems reasonable enough.
This is a mini example of the tables I use for my servers, with some example rules, I commented it for you,
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
## Stateless on Loopback
## Remove everything before #filter if iptables chokes on #raw
-A OUTPUT -o lo -j NOTRACK
COMMIT
*filter
## Default Chains
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
## Proto Chains
:FWINPUT-TCP - [0:0]
:FWINPUT-UDP - [0:0]
:FWINPUT-ICMP - [0:0]
## FAIL2BAN Chain
:fail2ban - [0:0]
## Accept Established
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
## Accept Loopback
-A INPUT -i lo -j ACCEPT
## Separate Proto
-A INPUT -p tcp -g FWINPUT-TCP
-A INPUT -p udp -g FWINPUT-UDP
-A INPUT -p icmp -g FWINPUT-ICMP
## Reject Anything Non-TCP/UDP/ICMP
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
## TCP Rules
-A FWINPUT-TCP -p tcp -m tcp --dport 80 -j ACCEPT
-A FWINPUT-TCP -p tcp -m tcp --dport 443 -j ACCEPT
## fail2ban Check
-A FWINPUT-TCP -p tcp -m tcp --dport 22:25 -g fail2ban
## fail2ban Return
-A FWINPUT-TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A FWINPUT-TCP -p tcp -m tcp --dport 25 -j ACCEPT
## TCP-Reset Ident
-A FWINPUT-TCP -p tcp -m tcp --dport 113 -j REJECT --reject-with tcp-reset
## Reject Any Other TCP Traffic
-A FWINPUT-TCP -j REJECT --reject-with icmp-port-unreachable
## UDP Rules
-A FWINPUT-UDP -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
## Reject Any Other UDP Traffic
-A FWINPUT-UDP -j REJECT --reject-with icmp-port-unreachable
## ICMP Rules
-A FWINPUT-ICMP -p icmp -m icmp --icmp-type 8 -m limit --limit 5/s -j ACCEPT
-A FWINPUT-ICMP -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A FWINPUT-ICMP -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A FWINPUT-ICMP -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A FWINPUT-ICMP -p icmp -m icmp --icmp-type 12 -j ACCEPT
## Reject Any Other ICMP Types
-A FWINPUT-ICMP -j REJECT --reject-with icmp-host-prohibited
## fail2ban Inserted Rules
-A fail2ban -j RETURN
COMMIT
I would just blank out the action start and action stop, and let fail2ban just add the blocked IP rules when running. This would take a pinch more manual consideration, like if you wanted to start using fail2ban to block more stuff... but if it's a set type of thing you're trying to work on, then it shouldn't be a problem.
... On my home system, and not on servers, I usually just set an iptables limit and call it good enough.
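Added example, not from the answer or from fail2ban: a small Python checker for iptables-save text that tests the two points made above, whether every path from INPUT into the fail2ban chain first passes an ESTABLISHED accept, and whether -m multiport is used where a plain --dport would do. The two rulesets are constructed: one in the shape of the question's action, one in the shape of the answer's layout.

```python
from typing import Dict, List, Set

# Constructed in the shape of the question's action: fail2ban inserted at the
# top of INPUT via multiport, ahead of the ESTABLISHED,RELATED accept.
QUESTION_STYLE = """\
*filter
:INPUT ACCEPT [0:0]
:fail2ban - [0:0]
-A INPUT -p tcp -m multiport --dports 22,25 -j fail2ban
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A fail2ban -s 192.168.0.1/32 -j DROP
-A fail2ban -j RETURN
COMMIT
"""
# Constructed in the shape of the answer's layout: established first, a
# per-protocol chain, one 22:25 range handing off to fail2ban.
ANSWER_STYLE = """\
*filter
:INPUT ACCEPT [0:0]
:FWINPUT-TCP - [0:0]
:fail2ban - [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -g FWINPUT-TCP
-A FWINPUT-TCP -p tcp -m tcp --dport 22:25 -g fail2ban
-A FWINPUT-TCP -p tcp -m tcp --dport 22 -j ACCEPT
-A fail2ban -j RETURN
COMMIT
"""

def parse_filter_rules(text: str) -> Dict[str, List[List[str]]]:
    """Collect the -A rules of the *filter table, in order, keyed by chain."""
    chains: Dict[str, List[List[str]]] = {}
    in_filter = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("*"):                  # table header
            in_filter = line == "*filter"
        elif in_filter and line.startswith("-A "):
            tok = line.split()
            chains.setdefault(tok[1], []).append(tok[2:])   # tokens after the chain name
    return chains

def target(rule: List[str]) -> str:
    for flag in ("-j", "-g"):                     # jump or goto target, '' if none
        if flag in rule:
            return rule[rule.index(flag) + 1]
    return ""

def accepts_established(rule: List[str]) -> bool:
    for flag in ("--state", "--ctstate"):
        if flag in rule:
            states = rule[rule.index(flag) + 1].split(",")
            return "ESTABLISHED" in states and target(rule) == "ACCEPT"
    return False

def established_before_ban(chains: Dict[str, List[List[str]]], ban_chain: str = "fail2ban") -> bool:
    """True if every path from INPUT into ban_chain has already passed an
    ESTABLISHED accept, so the ban list is consulted for new packets only."""
    result = True

    def walk(chain: str, seen: bool, visited: Set[str]) -> bool:
        nonlocal result
        for rule in chains.get(chain, []):
            tgt = target(rule)
            if accepts_established(rule):
                seen = True                       # later rules see new packets only
            elif tgt == ban_chain:
                result = result and seen
            elif tgt in chains and tgt not in visited:
                seen = walk(tgt, seen, visited | {tgt})
        return seen

    walk("INPUT", False, {"INPUT"})
    return result

def multiport_warnings(chains: Dict[str, List[List[str]]], min_ports: int = 3) -> List[str]:
    """Flag -m multiport used for so few ports that --dport (or a range) would do."""
    warns = []
    for chain, rules in chains.items():
        for rule in rules:
            if "multiport" in rule and "--dports" in rule:
                spec = rule[rule.index("--dports") + 1]
                if len(spec.split(",")) < min_ports:
                    warns.append(f"{chain}: -m multiport --dports {spec}; a plain --dport would do")
    return warns
```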
So, yes I'm very new to IPtables (and Squid). I'm moving a proxy from a Windows based installation to a CentOS-based one. My configuration is the following:
(ASCII network diagram, garbled in extraction: Modem -- Router/Gateway -- Switch -- HTTP/FTP server, with the Squid proxy drawn next to the Router/Gateway and User 1 and further users hanging off the Switch.)
The Squid proxy has two NICs, eth0 (LAN) and eth1 (WAN/internet). I want to just use Squid in the old-fashioned way, i.e. not as "transparent" proxy, and I'd like it to do reverse proxying also for the FTP and HTTP server - these should be reachable from the internet.
Squid is listening on the default port 3128 and I would like to define the IPtables correctly so that routing is going to be correct. I guess the easiest way to route all traffic is by IPtables. I've looked into this a lot, and found the reply by dgabad: Squid+iptables: how do i allow https to pass-through and bypassing Squid?
In short, it's driving me nuts that I'm much in doubt about what rules I should set, but I added the following rules:
iptables -A INPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -i intern -p tcp --dport 3128
iptables -A OUTPUT -j ACCEPT -m state --state NEW,ESTABLISHED,RELATED -o extern -p tcp --dport 80
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i extern -p tcp --sport 80
iptables -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -o intern -p tcp --sport 80
(intern=eth0, extern=eth1)
My interpretation is that the first rule forwards everything TCP from eth0 to port 3128, the second one forwards anything outgoing to eth1 at port 80. The third rule opens for incoming port 80 traffic on eth1.
My questions are:
- What exactly is rule 4 for?
- Am I missing something in order to accomplish what I want? I suppose pre-routing isn't necessary with non-transparent proxies. Postrouting?
Any help in accomplishing this is much appreciated.
I have installed FreeSWITCH 1.0.6 on CentOS 5.5. I believe CentOS is blocking the ports FreeSWITCH needs in order to communicate with my remote phones, but I have no idea how to use iptables in Linux or what ports need to be open. Can anyone help?
With Asterisk the ports were 5060 - 5090 for sip and a few others but I don't remember them.
Thank you!
The accepted answer is a bad answer... FreeSWITCH does not use all these ports, and not all ports are defined there. For those needing a guideline (using default configs):
3478 - STUN Discovery (UDP)
3479 - STUN Discovery (UDP)
5060 - Sofia Internal Profile (TCP & UDP)
5080 - Sofia External Profile (TCP & UDP)
8021 - Event Socket (TCP)
16384-32768 - RTP Ports (UDP)
Port usage is subject to change with module usage. You can find the entry on http://confluence.freeswitch.org, and more (up to date) information about port usage can be found at https://freeswitch.org/confluence/display/FREESWITCH/Firewall
Best reference seems to be :
http://wiki.freeswitch.org/wiki/Firewall
All of the ports are dependent on your module usage (ie. 8080 if you are using the web api). Keep in mind that all of the ports mentioned are defaults and are configurable.
I could not match the FreeSWITCH wiki ports to my setup; in the end I went with the actual open ports reported by my machine. Run the following to find out what FreeSWITCH is using on your rig:
root#tardis:~# netstat -lntp | grep freeswitch
tcp 0 0 192.0.1.2:2856 0.0.0.0:* LISTEN 7220/freeswitch
tcp 0 0 192.0.1.2:5066 0.0.0.0:* LISTEN 7220/freeswitch
tcp 0 0 192.0.1.2:8081 0.0.0.0:* LISTEN 7220/freeswitch
tcp 0 0 192.0.1.2:8082 0.0.0.0:* LISTEN 7220/freeswitch
tcp 0 0 192.0.1.2:7443 0.0.0.0:* LISTEN 7220/freeswitch
tcp 0 0 192.0.1.2:5080 0.0.0.0:* LISTEN 7220/freeswitch
tcp 0 0 192.0.1.2:5060 0.0.0.0:* LISTEN 7220/freeswitch
tcp 0 0 192.0.1.2:2855 0.0.0.0:* LISTEN 7220/freeswitch
tcp6 0 0 ::1:8081 :::* LISTEN 7220/freeswitch
tcp6 0 0 ::1:8082 :::* LISTEN 7220/freeswitch
tcp6 0 0 :::8021 :::* LISTEN 7220/freeswitch
tcp6 0 0 ::1:5080 :::* LISTEN 7220/freeswitch
tcp6 0 0 ::1:5060 :::* LISTEN 7220/freeswitch
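Added example, not from the answer or from FreeSWITCH: a Python script that takes the netstat -lntp approach above and turns the sockets a named process actually listens on into per-address iptables/ip6tables rules, skipping loopback-only bindings and listing the wildcard-bound ones separately. The sample output is constructed from a subset of the excerpt above with one sshd line added; the rule format mirrors the -m state --state NEW style used elsewhere on this page.

```python
import ipaddress
from typing import List, Set, Tuple

Listener = Tuple[str, str, int]  # (proto, bound address, port)

# Constructed from the netstat -lntp excerpt above (a subset), plus one
# sshd socket to show that other programs are filtered out.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 192.0.1.2:7443          0.0.0.0:*               LISTEN      7220/freeswitch
tcp        0      0 192.0.1.2:5080          0.0.0.0:*               LISTEN      7220/freeswitch
tcp        0      0 192.0.1.2:5060          0.0.0.0:*               LISTEN      7220/freeswitch
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp6       0      0 ::1:8081                :::*                    LISTEN      7220/freeswitch
tcp6       0      0 :::8021                 :::*                    LISTEN      7220/freeswitch
"""


def parse_netstat(text: str, program: str) -> Set[Listener]:
    """LISTEN sockets owned by `program` in `netstat -lntp` output (TCP only;
    the RTP range is UDP and needs `netstat -lnup` to show up)."""
    found: Set[Listener] = set()
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 7 or not tok[0].startswith("tcp") or tok[5] != "LISTEN":
            continue
        if tok[6].split("/", 1)[-1] != program:   # PID/Program name column
            continue
        addr, _, port = tok[3].rpartition(":")     # works for IPv6 too (':::8021')
        found.add((tok[0], addr, int(port)))
    return found


def generate_rules(listeners: Set[Listener]) -> List[str]:
    """One NEW-connection ACCEPT per externally reachable socket, scoped to the
    bound address so a service bound to one NIC is not opened on all of them."""
    rules = []
    for proto, addr, port in sorted(listeners):
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback:
            continue  # only reachable over lo, which gets its own '-i lo -j ACCEPT'
        tool = "ip6tables" if ip.version == 6 else "iptables"
        dst = "" if ip.is_unspecified else f" -d {addr}"
        rules.append(f"{tool} -A INPUT -m state --state NEW -p tcp -m tcp{dst} --dport {port} -j ACCEPT")
    return rules


def wildcard_listeners(listeners: Set[Listener]) -> List[Listener]:
    """Sockets bound to 0.0.0.0 / :: -- worth a second look before opening them
    (in this sample the 8021 event socket is one of them)."""
    return sorted(l for l in listeners if ipaddress.ip_address(l[1]).is_unspecified)


if __name__ == "__main__":
    fs = parse_netstat(SAMPLE_NETSTAT, "freeswitch")
    for r in generate_rules(fs):
        print(r)
    print("bound to all interfaces:", wildcard_listeners(fs))
```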
Never mind, chumps, I figured it out myself:
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 37 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 37 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8021 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 5060 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 8021 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m udp -p udp --dport 5080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p icmp -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5532 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 5564 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited