Write For Us
iptables

Iptables rules sometimes are reset automatically

Viewed   15 times

Can't figure out why iptables rules are dropped.

sudo iptables -A INPUT -s 89.111.3.48 -j DROP

Any suggestions are welcome.

 Answers

37

sudo iptables -A INPUT -s 89.111.3.48 -j DROP

If you just run the above command, it just loads that rule into the kernel, not really changing the iptables file. This would be lost on a reboot or a restart of iptables.

service iptables save

would save the rules to /etc/sysconfig/iptables and the change would survive a reboot.

Tuesday, February 21, 2023
 
wang
 
wang
4

This question should be on Server Fault. Nevertheless, the following should do the trick, assuming you're talking about TCP and the IP you want to allow is 1.2.3.4:

iptables -A INPUT -p tcp --dport 8000 -s 1.2.3.4 -j ACCEPT
iptables -A INPUT -p tcp --dport 8000 -j DROP
Wednesday, November 30, 2022
 
calvin_chan
 
calvin_chan
1

iptables is a default module in AOSP, you can use netfilter to write c code to handle that.

For example, you can create an android project, and write a JNI file, use ndk-build to compile that, and then adb push the executable to the android file system to execute. And in the mobile end, you can adb shell to it, directly use iptables command as a root user, just like in linux do.

attachment:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <linux/types.h>
#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/netfilter.h>        /* for NF_ACCEPT */
#include <errno.h>

#include <libnetfilter_queue/libnetfilter_queue.h>

#ifdef __LITTLE_ENDIAN
#define IPQUAD(addr) 
    ((unsigned char *)&addr)[0], 
    ((unsigned char *)&addr)[1], 
    ((unsigned char *)&addr)[2], 
    ((unsigned char *)&addr)[3]
#else
#define IPQUAD(addr) 
    ((unsigned char *)&addr)[3], 
    ((unsigned char *)&addr)[2], 
    ((unsigned char *)&addr)[1], 
    ((unsigned char *)&addr)[0]
#endif


#define TO "192.168.191.129"
#define NAT_TO "192.168.2.246"

struct tcp_pseudo /*the tcp pseudo header*/
{
    __u32 src_addr;
    __u32 dst_addr;
    __u8 zero;
    __u8 proto;
    __u16 length;
} pseudohead;


long checksum(unsigned short *addr, unsigned int count) {
    /* Compute Internet Checksum for "count" bytes
   * beginning at location "addr".
   */
    register long sum = 0;

    while( count > 1 ) {
        /* This is the inner loop */
        sum += * addr++;
        count -= 2;
    }
    /* Add left-over byte, if any */
    if( count > 0 )
        sum += * (unsigned char *) addr;

    /* Fold 32-bit sum to 16 bits */
    while (sum>>16)
        sum = (sum & 0xffff) + (sum >> 16);

    return ~sum;
}



/*************************tcp checksum**********************/
long get_tcp_checksum(struct iphdr * myip, struct tcphdr * mytcp) {

    __u16 total_len = ntohs(myip->tot_len);

    int tcpopt_len = mytcp->doff*4 - 20;
    int tcpdatalen = total_len - (mytcp->doff*4) - (myip->ihl*4);

    pseudohead.src_addr=myip->saddr;
    pseudohead.dst_addr=myip->daddr;
    pseudohead.zero=0;
    pseudohead.proto=IPPROTO_TCP;
    pseudohead.length=htons(sizeof(struct tcphdr) + tcpopt_len + tcpdatalen);

    int totaltcp_len = sizeof(struct tcp_pseudo) + sizeof(struct tcphdr) + tcpopt_len +tcpdatalen;
    //unsigned short * tcp = new unsigned short[totaltcp_len];

    unsigned short * tcp = malloc(totaltcp_len);


    memcpy((unsigned char *)tcp,&pseudohead,sizeof(struct tcp_pseudo));
    memcpy((unsigned char *)tcp+sizeof(struct tcp_pseudo),(unsigned char*)mytcp,sizeof(struct tcphdr));
    memcpy((unsigned char *)tcp+sizeof(struct tcp_pseudo)+sizeof(struct tcphdr),(unsigned char *)myip+(myip->ihl*4)+(sizeof(struct tcphdr)), tcpopt_len);
    memcpy((unsigned char *)tcp+sizeof(struct tcp_pseudo)+sizeof(struct tcphdr)+tcpopt_len, (unsigned char *)mytcp+(mytcp->doff*4), tcpdatalen);

    /* printf("pseud length: %dn",pseudohead.length);
          printf("tcp hdr length: %dn",mytcp->doff*4);
          printf("tcp hdr struct length: %dn",sizeof(struct tcphdr));
          printf("tcp opt length: %dn",tcpopt_len);
          printf("tcp total+psuedo length: %dn",totaltcp_len);

          fflush(stdout);

          printf("tcp data len: %d, data start %un", tcpdatalen,mytcp + (mytcp->doff*4));
   */


    return checksum(tcp,totaltcp_len);

}


static u_int16_t tcp_checksum(struct iphdr* iphdrp){
    struct tcphdr *tcphdrp =
            (struct tcphdr*)((u_int8_t*)iphdrp + (iphdrp->ihl<<2));
            return get_tcp_checksum(iphdrp, tcphdrp);
}

static void set_tcp_checksum(struct iphdr* iphdrp){
    struct tcphdr *tcphdrp =
            (struct tcphdr*)((u_int8_t*)iphdrp + (iphdrp->ihl<<2));
            tcphdrp->check = 0;
            tcphdrp->check = get_tcp_checksum(iphdrp, tcphdrp);
}
/****************************tcp checksum end****************************/


/********************************Ip checksum*****************************/
static u_int16_t ip_checksum(struct iphdr* iphdrp){
    return checksum((unsigned short*)iphdrp, iphdrp->ihl<<2);
}

static void set_ip_checksum(struct iphdr* iphdrp){
    iphdrp->check = 0;
    iphdrp->check = checksum((unsigned short*)iphdrp, iphdrp->ihl<<2);
}
/****************************Ip checksum end******************************/


static int cb(struct nfq_q_handle *qh, struct nfgenmsg *nfmsg,
          struct nfq_data *nfa, void *data)
{
    int id = 0;
    struct nfqnl_msg_packet_hdr *ph;
    int pdata_len;
    unsigned char *payload;

    printf("entering callbackn");
    ph = nfq_get_msg_packet_hdr(nfa);
    if (ph) {
        id = ntohl(ph->packet_id);
    }

    pdata_len = nfq_get_payload(nfa, &payload);
    if (pdata_len >= 0) {
        struct iphdr *iphdrp = (struct iphdr*)payload;
        iphdrp->daddr = inet_addr(NAT_TO);
        set_ip_checksum(iphdrp);
        if(iphdrp->protocol == IPPROTO_TCP){
            set_tcp_checksum(iphdrp);
            printf(" ipsum+ %hu tcpsum+ %hu",
                   ip_checksum(iphdrp), tcp_checksum(iphdrp));
        }
        printf("len %d iphdr %d %u.%u.%u.%u ->",
               pdata_len,
               iphdrp->ihl<<2,
               IPQUAD(iphdrp->saddr));
        printf(" %u.%u.%u.%u",
               IPQUAD(iphdrp->daddr));
        printf(" ipsum %hu", ip_checksum(iphdrp));
        if(iphdrp->protocol == IPPROTO_TCP){
            printf(" tcpsum %hu", tcp_checksum(iphdrp));
        }
        printf("n");

    }
    return nfq_set_verdict(qh, id, NF_ACCEPT, (u_int32_t)pdata_len, payload);
}

int main(int argc, char **argv)
{
    struct nfq_handle *h;
    struct nfq_q_handle *qh;
    struct nfnl_handle *nh;
    int fd;
    int rv;
    char buf[4096] __attribute__ ((aligned));

    printf("opening library handlen");
    h = nfq_open();
    if (!h) {
        fprintf(stderr, "error during nfq_open()n");
        exit(1);
    }

    printf("unbinding existing nf_queue handler for AF_INET (if any)n");
    if (nfq_unbind_pf(h, AF_INET) < 0) {
        fprintf(stderr, "error during nfq_unbind_pf()n");
        exit(1);
    }

    printf("binding nfnetlink_queue as nf_queue handler for AF_INETn");
    if (nfq_bind_pf(h, AF_INET) < 0) {
        fprintf(stderr, "error during nfq_bind_pf()n");
        exit(1);
    }

    printf("binding this socket to queue '0'n");
    qh = nfq_create_queue(h,  0, &cb, NULL);
    if (!qh) {
        fprintf(stderr, "error during nfq_create_queue()n");
        exit(1);
    }

    printf("setting copy_packet moden");
    if (nfq_set_mode(qh, NFQNL_COPY_PACKET, 0xffff) < 0) {
        fprintf(stderr, "can't set packet_copy moden");
        exit(1);
    }

    fd = nfq_fd(h);

    for (;;) {
        if ((rv = recv(fd, buf, sizeof(buf), 0)) >= 0) {
            printf("pkt receivedn");
            nfq_handle_packet(h, buf, rv);
            continue;
        }
        /* if your application is too slow to digest the packets that
         * are sent from kernel-space, the socket buffer that we use
         * to enqueue packets may fill up returning ENOBUFS. Depending
         * on your application, this error may be ignored. Please, see
         * the doxygen documentation of this library on how to improve
         * this situation.
         */
        if (rv < 0 && errno == ENOBUFS) {
            printf("losing packets!n");
            continue;
        }
        perror("recv failed");
        break;
    }

    printf("unbinding from queue 0n");
    nfq_destroy_queue(qh);

#ifdef INSANE
    /* normally, applications SHOULD NOT issue this command, since
     * it detaches other programs/sockets from AF_INET, too ! */
    printf("unbinding from AF_INETn");
    nfq_unbind_pf(h, AF_INET);
#endif

    printf("closing library handlen");
    nfq_close(h);

    exit(0);
}
Thursday, December 22, 2022
 
elduff
 
elduff
2

i've not tried to use python-iptables, but it looks like you need something like:

rule = iptc.Rule()
match = rule.create_match('state')
match.state = 'RELATED,ESTABLISHED'
match.target = iptc.Target('ACCEPT')

chain = iptc.Chain(iptc.Table.(iptc.Table.FILTER), "INPUT")
chain.insert_rule(rule)

and so on.

Monday, December 26, 2022
 
abdul_wahab
 
abdul_wahab
2

"out and back" implies you are an NTP client and want to talk to a server i'd imagine by default you can do this; if you haven't set up a firewall to block everything, and have iptables set up at all, you'll have a "allow related/established" rule which means replies to outgoing requests are allowed automatically

in any case, NTP is UDP port 123, so, assuming you are a CLIENT and want to access NTP servers you'd do:

iptables -A OUTPUT -p udp --dport 123 -j ACCEPT
iptables -A INPUT -p udp --sport 123 -j ACCEPT

these will append the rules to the end of your OUTPUT and INPUT chains

Assuming you want to be a server, you'd do

iptables -A INPUT -p udp --dport 123 -j ACCEPT
iptables -A OUTPUT -p udp --sport 123 -j ACCEPT

I have a script which implements all my firewall rules, and I call it from /etc/rc.local which runs on startup on my machine (ubuntu 8.04 LTS)

EDIT: You've clarified that this is because you are a client. In ubuntu's default configuration, you shouldn't have to alter any firewall settings to do this. What firewall configuration have you done? If nothing, I'm inclinced to believe that this isn't a firewall issue.

Thursday, September 29, 2022
 
dime2lo
 
dime2lo
Only authorized users can answer the search term. Please sign in first, or register a free account.
Not the answer you're looking for? Browse other questions tagged :
iptables
 
Share
Related Answers
320
 Docker: How to re-create dockers additional iptables rules?
237
 How to write specific iptables rules using python-iptables
38
 Iptables remove specific rules by comment
11
 Iptables NAT and Masquerade rules - what do they do?
12
 best way to clear all iptables rules
5
 How many rules can iptables support?
12
 iptables rules to allow HTTP traffic to one domain only
5
 Good iptables starting rules for a webserver?
8
 iptables rules to counter the most common DoS attacks?
5
 How do you test iptables rules to prevent remote lockout and check matches?
Top Answers Related To

iptables

104
 iptables block access to port 8000 except from IP address
137
 iptables in android
92
 How can I use iptables on centos 7?
168
 How to use iptables in an Android application
470
 docker internet connectivity with iptables=false
190
 C++ iptables redirection forming separate packets
51
 iptables: Duplicating/Forwarding ports
66
 Perl IPTables Module Installation Error
48
 How to permanently update iptables
101
 How to open port 2195 in iptables CentOS 6 for activating the APNS
Write For Us · Blog · Privacy · Faqs · Terms of Use · Contact us ·