iptables and pptp server problem [Long Post]
Fons van der Beek
fons at so-o.nl
Wed Jul 28 21:21:23 UTC 2004
Perhaps try using Webmin and, as a "plugin", Turtle Firewall;
it's user friendly and it works like a dream!
(Also with PPTP servers, VPN, etc.)
----- Original Message -----
From: "Trevor" <trevor at gnuguy.com>
To: "For users of Fedora Core releases" <fedora-list at redhat.com>
Sent: Wednesday, July 28, 2004 9:48 PM
Subject: RE: iptables and pptp server problem [Long Post]
> >The script is taken from http://martybugs.net/smoothwall/vpn.cgi
> >which is for Smoothwall.
>
> >> With no success. I suspect that it could be the mppe-ppp modules causing
> >> problems. I'm sure that TCP/port 1723 is forwarding properly... but that's
> >> all I see when I do a "iptstate" when trying to connect.
>
> >Do you have Smoothwall installed or do you have any other iptables rules
> >active which may block previous to your VPN rules? Your host is directly
> >connected to the net through eth1?
>
> >Alexander
>
> iptables v1.2.5 on 2.4 kernel
>
> No, it's not smoothwall. Here is the current output of my firewall. Can
> you see if there is something else blocking my PPTP GRE forwarding. BTW,
> sorry for hijacking the thread. I won't do it again. :-)
>
> $ service masq status
> Table: filter
> Chain INPUT (policy DROP)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT all -- 224.0.0.0/4 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 224.0.0.0/4
> DROP all -- 224.0.0.0/4 0.0.0.0/0
> DROP all -- 0.0.0.0/0 224.0.0.0/4
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
> icmpIn icmp -- 0.0.0.0/0 0.0.0.0/0
> InputAllowIPSEC all -- 0.0.0.0/0 0.0.0.0/0
> InputAllowLocals all -- 0.0.0.0/0 0.0.0.0/0
> InboundTCP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
> denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
> InboundUDP udp -- 0.0.0.0/0 0.0.0.0/0
> denylog udp -- 0.0.0.0/0 0.0.0.0/0
> esp-in esp -- 0.0.0.0/0 0.0.0.0/0
> denylog esp -- 0.0.0.0/0 0.0.0.0/0
> gre-in 47 -- 0.0.0.0/0 0.0.0.0/0
> denylog 47 -- 0.0.0.0/0 0.0.0.0/0
> denylog all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain FORWARD (policy DROP)
> target prot opt source destination
> ForwardAllowIPSEC all -- 0.0.0.0/0 0.0.0.0/0
> ForwardAllowLocals all -- 0.0.0.0/0 0.0.0.0/0
> denylog all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT all -- 224.0.0.0/4 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 224.0.0.0/4
> DROP all -- 224.0.0.0/4 0.0.0.0/0
> DROP all -- 0.0.0.0/0 224.0.0.0/4
> icmpOut icmp -- 0.0.0.0/0 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain ForwardAllowIPSEC (1 references)
> target prot opt source destination
>
> Chain ForwardAllowLocals (1 references)
> target prot opt source destination
> ForwardAllowLocals_18960 all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain ForwardAllowLocals_18960 (1 references)
> target prot opt source destination
> ACCEPT all -- 192.168.0.0/24 0.0.0.0/0
> ACCEPT all -- 0.0.0.0/0 192.168.0.0/24
>
> Chain InboundTCP (1 references)
> target prot opt source destination
> InboundTCP_18960 all -- 0.0.0.0/0 0.0.0.0/0
> denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
>
> Chain InboundTCP_18960 (1 references)
> target prot opt source destination
> denylog all -- 0.0.0.0/0 !66.xxx.xx.xxx
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
> denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
> denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
> denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:389
> denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
> denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
> denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
>
> Chain InboundUDP (1 references)
> target prot opt source destination
> InboundUDP_18960 all -- 0.0.0.0/0 0.0.0.0/0
> denylog udp -- 0.0.0.0/0 0.0.0.0/0
>
> Chain InboundUDP_18960 (1 references)
> target prot opt source destination
> denylog all -- 0.0.0.0/0 !66.xxx.xx.xxx
> denylog udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500
>
> Chain InputAllowIPSEC (1 references)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain InputAllowLocals (1 references)
> target prot opt source destination
> InputAllowLocals_18960 all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain InputAllowLocals_18960 (1 references)
> target prot opt source destination
> ACCEPT all -- 192.168.0.0/24 0.0.0.0/0
>
> Chain denylog (22 references)
> target prot opt source destination
> DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
> DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
> DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:137:139
> LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
> DROP all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain esp-in (1 references)
> target prot opt source destination
> denylog all -- 0.0.0.0/0 !66.xxx.xx.xxx
> denylog all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain gre-in (1 references)
> target prot opt source destination
> denylog all -- 0.0.0.0/0 !66.xxx.xx.xxx
> ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain icmpIn (1 references)
> target prot opt source destination
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 4
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 12
> denylog all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain icmpOut (1 references)
> target prot opt source destination
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 4
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
> ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 12
> denylog all -- 0.0.0.0/0 0.0.0.0/0
> Table: nat
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> PreroutingBypassIPSEC all -- 0.0.0.0/0 0.0.0.0/0
> TransProxy tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
> PortForwarding all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain PortForwarding (1 references)
> target prot opt source destination
> PortForwarding_18960 all -- 0.0.0.0/0 66.xxx.xx.xxx
>
> Chain PortForwarding_18960 (1 references)
> target prot opt source destination
>
> Chain PreroutingBypassIPSEC (1 references)
> target prot opt source destination
>
> Chain TransProxy (1 references)
> target prot opt source destination
> ACCEPT all -- 0.0.0.0/0 127.0.0.1
> ACCEPT all -- 0.0.0.0/0 192.168.0.10
> ACCEPT all -- 0.0.0.0/0 66.xxx.xx.xxx
> DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 to:192.168.0.10:3128
> Table: mangle
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> TOS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
> TOS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
> TOS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 TOS set 0x10
> TOS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 TOS set 0x10
> TOS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TOS set 0x10
> TOS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 TOS set 0x10
> TOS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
>
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
>
> #!/bin/sh
>
> # chkconfig: 345 82 35
> # description: Configures IP masquerading.
>
> INTERNALIF=eth0
> OUTERIF=eth1
> OUTERNET=66.xxx.xx.xxx
> if [ -z "$OUTERNET" ]
> then
> # Make sure that OUTERNET value is set to a syntactically valid value
> # to ensure that iptables syntax is at least correct
> OUTERNET=1.2.3.4
> fi
>
> adjust_tcp_in() {
> local dport=$1
> local target=$2
> local chain=$3
> # Add the rule requested.
> /sbin/iptables --append $chain --protocol tcp --dport $dport \
> --in-interface $OUTERIF --jump $target
> # Catch any matching return, just in case.
> #/sbin/iptables --append $3 --protocol tcp --dport $1 \
> #--in-interface $OUTERIF --jump denylog
> }
>
> adjust_udp_in() {
> local dport=$1
> local target=$2
> local chain=$3
> # Add the rule requested.
> /sbin/iptables --append $chain --protocol udp --dport $dport \
> --in-interface $OUTERIF --jump $target
> # Catch any matching return, just in case.
> #/sbin/iptables --append $3 --protocol udp --dport $1 \
> #--in-interface $OUTERIF --jump denylog
> }
>
> get_safe_id() {
> # Expect arguments of chain_name, table, mode, where mode can be either
> # find or new
> local chain_name=$1
> local table=$2
> local mode=$3
>
> # Find the existing numbered chain.
> current=$(/sbin/iptables --table $table --list $chain_name --numeric | sed -n '3s/ .*//p')
> if [ "x$current" = "x" ]; then
> # We didn't find it.
> echo "ERROR: Cannot find chain $chain_name in table $table" 1>&2
> exit 1
> fi
>
> # If we're in find mode, return this chain.
> case "$mode" in
> find)
> echo $current ;;
>
> new)
> # Make sure the number on this chain doesn't conflict with our
> # process ID.
> current_id=$(echo $current | sed 's/^[a-zA-Z][a-zA-Z]*_\([0-9][0-9]*\)/\1/')
> if [ "x$current_id" = "x" ]; then
> echo "ERROR: Cannot find process ID on chain name" 1>&2
> exit 1
> fi
> # If it conflicts with our process ID, add one to ours.
> if [ $current_id -eq $$ ]; then
> echo ${chain_name}_$(expr $$ + 1)
> else
> echo ${chain_name}_$$
> fi
> ;;
> esac
> }
>
> case "$1" in
>
> start)
> echo -n "Enabling IP masquerading: "
>
> /sbin/iptables -F -t filter
> /sbin/iptables -F -t nat
> /sbin/iptables -F -t mangle
> /sbin/iptables -X -t filter
> /sbin/iptables -X -t nat
> /sbin/iptables -X -t mangle
> /sbin/iptables --flush FORWARD
> /sbin/iptables --flush INPUT
> /sbin/iptables --flush OUTPUT
>
> /sbin/modprobe ip_nat_ftp
> /sbin/modprobe ip_conntrack_ftp
>
> /sbin/iptables --new-chain denylog
> /sbin/iptables --append denylog --jump DROP
> /sbin/iptables --append denylog --jump DROP
> /sbin/iptables --append denylog --jump DROP
> /sbin/iptables --append denylog --jump DROP
> /sbin/iptables --append denylog --jump DROP
> # Set telnet, www, smtp, pop3 and FTP for minimum delay
> for port in 21 22 23 25 80 110
> do
> /sbin/iptables --table mangle --append OUTPUT \
> --protocol tcp --dport $port \
> -j TOS --set-tos Minimize-Delay
> done
>
> # Set ftp-data for maximum throughput
> /sbin/iptables --table mangle --append OUTPUT \
> --protocol tcp --dport 20 \
> -j TOS --set-tos Maximize-Throughput
> # TODO - this hasn't yet been converted for iptables - does it
> # need to be?
>
> # set timeouts for tcp tcpfin udp
> #/sbin/iptables --masquerading --set 14400 60 600
> # Turn on Source Address Verification
> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
> echo 0 > $f
> done
>
>
> /sbin/iptables --append INPUT -i lo -j ACCEPT
> /sbin/iptables --append OUTPUT -o lo -j ACCEPT
>
> # Permit multicast traffic to and from the internal interface.
> /sbin/iptables --append INPUT -s 224.0.0.0/4 \
> --in-interface $INTERNALIF --jump ACCEPT
> /sbin/iptables --append INPUT -d 224.0.0.0/4 \
> --in-interface $INTERNALIF --jump ACCEPT
>
> /sbin/iptables --append OUTPUT -s 224.0.0.0/4 \
> --out-interface $INTERNALIF --jump ACCEPT
> /sbin/iptables --append OUTPUT -d 224.0.0.0/4 \
> --out-interface $INTERNALIF --jump ACCEPT
>
> # Drop all other multicast traffic.
> /sbin/iptables --append INPUT -s 224.0.0.0/4 -j DROP
> /sbin/iptables --append INPUT -d 224.0.0.0/4 -j DROP
>
> /sbin/iptables --append OUTPUT -s 224.0.0.0/4 -j DROP
> /sbin/iptables --append OUTPUT -d 224.0.0.0/4 -j DROP
>
> # Set up chains which allow us to bypass prerouting for IPSEC networks
> /sbin/iptables --table nat --new-chain PreroutingBypassIPSEC
> /sbin/iptables --table nat --append PREROUTING --jump PreroutingBypassIPSEC
>
> /sbin/iptables --table nat --new-chain TransProxy
> /sbin/iptables --table nat --append PREROUTING\
> -p tcp --dport 80 -j TransProxy
> /sbin/iptables --table nat --append TransProxy \
> --destination 127.0.0.1 --jump ACCEPT
> /sbin/iptables --table nat --append TransProxy \
> --destination 192.168.0.10 --jump ACCEPT
> /sbin/iptables --table nat --append TransProxy \
> --destination $OUTERNET --jump ACCEPT
> /sbin/iptables --table nat --append TransProxy\
> -p TCP -j DNAT --to 192.168.0.10:3128
>
> # Allow any already established or related connection
> /sbin/iptables --append INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> /sbin/iptables --new-chain icmpIn
> /sbin/iptables --append INPUT --protocol icmp --jump icmpIn
> /sbin/iptables --append icmpIn --proto icmp --icmp-type echo-request --jump ACCEPT
> /sbin/iptables --append icmpIn --proto icmp --icmp-type echo-reply --jump ACCEPT
> /sbin/iptables --append icmpIn --proto icmp --icmp-type destination-unreachable --jump ACCEPT
> /sbin/iptables --append icmpIn --proto icmp --icmp-type source-quench --jump ACCEPT
> /sbin/iptables --append icmpIn --proto icmp --icmp-type time-exceeded --jump ACCEPT
> /sbin/iptables --append icmpIn --proto icmp --icmp-type parameter-problem --jump ACCEPT
>
> /sbin/iptables --new-chain icmpOut
> /sbin/iptables --append OUTPUT --protocol icmp --jump icmpOut
> /sbin/iptables --append icmpOut --proto icmp --icmp-type echo-request --jump ACCEPT
> /sbin/iptables --append icmpOut --proto icmp --icmp-type echo-reply --jump ACCEPT
> /sbin/iptables --append icmpOut --proto icmp --icmp-type destination-unreachable --jump ACCEPT
> /sbin/iptables --append icmpOut --proto icmp --icmp-type source-quench --jump ACCEPT
> /sbin/iptables --append icmpOut --proto icmp --icmp-type time-exceeded --jump ACCEPT
> /sbin/iptables --append icmpOut --proto icmp --icmp-type parameter-problem --jump ACCEPT
>
> # Set up chains which allow us to capture IPSEC connections
> /sbin/iptables --new-chain InputAllowIPSEC
> /sbin/iptables --append InputAllowIPSEC -i ipsec+ -j ACCEPT
> /sbin/iptables --append INPUT --jump InputAllowIPSEC
> /sbin/iptables --new-chain ForwardAllowIPSEC
> /sbin/iptables --append FORWARD --jump ForwardAllowIPSEC
>
> # Set up chains which allow us to capture local networks
> /sbin/iptables --new-chain InputAllowLocals
> /sbin/iptables --new-chain InputAllowLocals_1
> /sbin/iptables --append InputAllowLocals --jump InputAllowLocals_1
> /sbin/iptables --append INPUT --jump InputAllowLocals
> /sbin/iptables --new-chain ForwardAllowLocals
> /sbin/iptables --new-chain ForwardAllowLocals_1
> /sbin/iptables --append ForwardAllowLocals --jump ForwardAllowLocals_1
> /sbin/iptables --append FORWARD --jump ForwardAllowLocals
> /sbin/iptables --append POSTROUTING -t nat -o $OUTERIF -j MASQUERADE
>
> /sbin/iptables --new-chain InboundTCP
> /sbin/iptables --new-chain InboundTCP_1
> /sbin/iptables --append INPUT --protocol tcp --syn --jump InboundTCP
> /sbin/iptables --append InboundTCP --protocol tcp --syn --jump InboundTCP_1
>
> # Catch any returns, just in case
> /sbin/iptables --append INPUT --protocol tcp --syn --jump denylog
> /sbin/iptables --append InboundTCP --protocol tcp --syn --jump denylog
> /sbin/iptables --new-chain InboundUDP
> /sbin/iptables --new-chain InboundUDP_1
> /sbin/iptables --append INPUT --protocol udp --in-interface $OUTERIF \
> --jump InboundUDP
> /sbin/iptables --append InboundUDP --protocol udp --jump InboundUDP_1
>
> # Catch any returns, just in case
> /sbin/iptables --append INPUT --protocol udp --in-interface $OUTERIF \
> --jump denylog
> /sbin/iptables --append InboundUDP --protocol udp --jump denylog
> /sbin/iptables -t nat --new-chain PortForwarding
> /sbin/iptables -t nat --new-chain PortForwarding_1
> /sbin/iptables -t nat --append PREROUTING --jump PortForwarding
> /sbin/iptables -t nat --append PortForwarding --destination $OUTERNET \
> --jump PortForwarding_1
>
> /sbin/iptables --new-chain esp-in
> /sbin/iptables --append INPUT -p 50 -j esp-in
> /sbin/iptables --append INPUT -p 50 -j denylog
> /sbin/iptables --append esp-in -d \! $OUTERNET -j denylog
> /sbin/iptables --append esp-in -j denylog
>
> /sbin/iptables --new-chain gre-in
> /sbin/iptables --append INPUT -p 47 -j gre-in
> /sbin/iptables --append INPUT -p 47 -j denylog
> /sbin/iptables --append gre-in -d \! $OUTERNET -j denylog
> /sbin/iptables --append gre-in -j denylog
> /sbin/iptables --append icmpIn --jump denylog
> /sbin/iptables --append icmpOut --jump denylog
>
> /sbin/iptables --policy FORWARD DROP
> /sbin/iptables --append FORWARD --jump denylog
>
> /sbin/iptables --policy INPUT DROP
> /sbin/iptables --append INPUT --jump denylog
>
> /sbin/iptables --policy OUTPUT ACCEPT
> /sbin/iptables --append OUTPUT --jump ACCEPT
> $0 adjust
> echo "done"
> ;;
>
>
> adjust)
> FAL=$(get_safe_id ForwardAllowLocals filter find)
> IAL=$(get_safe_id InputAllowLocals filter find)
> new_fal=$(get_safe_id ForwardAllowLocals filter new)
> new_ial=$(get_safe_id InputAllowLocals filter new)
> /sbin/iptables --new-chain $new_fal
> /sbin/iptables --new-chain $new_ial
> /sbin/iptables --append $new_fal \
> -s 192.168.0.0/255.255.255.0 -j ACCEPT
> /sbin/iptables --append $new_fal \
> -d 192.168.0.0/255.255.255.0 -j ACCEPT
> /sbin/iptables --append $new_ial \
> -s 192.168.0.0/255.255.255.0 -j ACCEPT
> /sbin/iptables --replace InputAllowLocals 1 \
> --jump $new_ial
> /sbin/iptables --flush $IAL
> /sbin/iptables --delete-chain $IAL
> /sbin/iptables --replace ForwardAllowLocals 1 \
> --jump $new_fal
> /sbin/iptables --flush $FAL
> /sbin/iptables --delete-chain $FAL
>
> /sbin/iptables --replace denylog 1 -p udp --dport 520 --jump DROP
> /sbin/iptables --replace denylog 2 -p udp --dport 137:139 --jump DROP
> /sbin/iptables --replace denylog 3 -p tcp --dport 137:139 --jump DROP
> /sbin/iptables --replace denylog 4 --jump LOG
>
> /sbin/iptables --replace esp-in 1 -d \! $OUTERNET -j denylog
> /sbin/iptables --replace esp-in 2 -j denylog
> /sbin/iptables --replace gre-in 1 -d \! $OUTERNET -j denylog
> /sbin/iptables --replace gre-in 2 -j ACCEPT
> IBT=$(get_safe_id InboundTCP filter find)
> new_ibt=$(get_safe_id InboundTCP filter new)
> /sbin/iptables --new-chain $new_ibt
> /sbin/iptables --append $new_ibt \! --destination $OUTERNET --jump denylog
> adjust_tcp_in 113 ACCEPT $new_ibt
> adjust_tcp_in 21 denylog $new_ibt
> adjust_tcp_in 80 ACCEPT $new_ibt
> adjust_tcp_in 443 ACCEPT $new_ibt
> adjust_tcp_in 143 denylog $new_ibt
> adjust_tcp_in 389 denylog $new_ibt
> adjust_tcp_in 110 denylog $new_ibt
> adjust_tcp_in 1723 denylog $new_ibt
> adjust_tcp_in 25 ACCEPT $new_ibt
> adjust_tcp_in 22 ACCEPT $new_ibt
> adjust_tcp_in 23 denylog $new_ibt
> /sbin/iptables --replace InboundTCP 1 \
> --jump $new_ibt
> /sbin/iptables --flush $IBT
> /sbin/iptables --delete-chain $IBT
>
> /sbin/iptables --table nat \
> --replace TransProxy 3\
> --destination $OUTERNET --jump ACCEPT
> /sbin/iptables --table nat --replace TransProxy 4\
> -p TCP -j DNAT --to 192.168.0.10:3128
>
> IBU=$(get_safe_id InboundUDP filter find)
> new_ibu=$(get_safe_id InboundUDP filter new)
> /sbin/iptables --new-chain $new_ibu
> /sbin/iptables --append $new_ibu \! --destination $OUTERNET --jump denylog
> adjust_udp_in 500 denylog $new_ibu
> /sbin/iptables --replace InboundUDP 1 \
> --jump $new_ibu
> /sbin/iptables --flush $IBU
> /sbin/iptables --delete-chain $IBU
>
> # Create a new PortForwarding chain
> PFC=$(/sbin/iptables --table nat --numeric --list PortForwarding |\
> sed -n '3s/ .*//p')
> /sbin/iptables --table nat --new-chain PortForwarding_$$
> /sbin/iptables --table nat --replace PortForwarding 1 --destination $OUTERNET --jump PortForwarding_$$
> /sbin/iptables --table nat --flush $PFC
> /sbin/iptables --table nat --delete-chain $PFC
>
> ;;
>
> masqstop)
> echo ""
> echo -n "Shutting down IP Masquerading:"
> /sbin/iptables -F FORWARD
> /sbin/iptables -P FORWARD DROP
> echo " Done!"
> echo "" ;;
> restart)
> $0 stop
> $0 start
> ;;
>
> status)
> echo $"Table: filter"
> /sbin/iptables --list -n
> echo $"Table: nat"
> /sbin/iptables -t nat --list -n
> echo $"Table: mangle"
> /sbin/iptables -t mangle --list -n
> ;;
>
> stop)
> echo ""
> echo -n "Shutting down IP masquerade and firewall rules:"
> /sbin/iptables -P FORWARD DROP
> /sbin/iptables -P OUTPUT ACCEPT
> /sbin/iptables -P INPUT DROP
> /sbin/iptables -F INPUT
> /sbin/iptables -F OUTPUT
> /sbin/iptables -F FORWARD
> /sbin/iptables -F
> /sbin/iptables --append FORWARD -s 192.168.0.0/255.255.255.0 -d 192.168.0.0/255.255.255.0 -j ACCEPT
> /sbin/iptables -X
> echo " Done!"
> echo "" ;;
>
> *)
> echo "Usage: masq {start|stop|restart|...}"
> exit 1
>
> esac
> exit 0
>
>
> Modules:
> [root at bcpe root]# lsmod
> Module Size Used by Tainted: P
> ipt_LOG 4640 1 (autoclean)
> ppp_mppe 12864 0 (autoclean)
> ppp_async 8256 0 (autoclean)
> ppp_generic 24332 0 (autoclean) [ppp_mppe ppp_async]
> appletalk 24172 12 (autoclean)
> slhc 6508 0 (autoclean) [ppp_generic]
> printer 8160 0 (unused)
> 8139too 16448 1
> mii 2408 0 [8139too]
> 3c59x 28680 1
> ipt_MASQUERADE 2464 1 (autoclean)
> ipt_state 1536 1 (autoclean)
> ipt_TOS 1952 7 (autoclean)
> ip_conntrack_ftp 5056 0 (unused)
> ip_nat_ftp 4320 0 (unused)
> iptable_mangle 3136 1 (autoclean)
> iptable_nat 21460 2 (autoclean) [ipt_MASQUERADE ip_nat_ftp]
> ip_conntrack 21836 3 (autoclean) [ipt_MASQUERADE ipt_state ip_conntrack_ftp ip_nat_ftp iptable_nat]
> iptable_filter 2752 1 (autoclean)
> ip_tables 13792 9 [ipt_LOG ipt_MASQUERADE ipt_state ipt_TOS iptable_mangle iptable_nat iptable_filter]
> ide-cd 30272 0
> cdrom 32032 0 [ide-cd]
> ide-scsi 9664 0
> hid 20832 0 (unused)
> input 5792 0 [hid]
> usb-uhci 24484 0 (unused)
> usbcore 71904 0 [printer hid usb-uhci]
> ext3 67328 2
> jbd 49496 2 [ext3]
> 3w-xxxx 32160 3
> sd_mod 12960 6
> scsi_mod 109392 3 [ide-scsi 3w-xxxx sd_mod]
>
>
>
> --
> fedora-list mailing list
> fedora-list at redhat.com
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
>
>
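Added example (not from Trevor's post and not part of the masq script): a small POSIX sh/awk walker that replays a packet through chains copied from the `service masq status` listing above, first matching rule wins, the way netfilter walks a chain. Two sub-chains decide PPTP on this box: a client's SYN to tcp/1723 goes INPUT -> InboundTCP -> InboundTCP_18960, and GRE (IP protocol 47) goes INPUT -> gre-in. The listing has `denylog tcp ... dpt:1723` in InboundTCP_18960 (put there by `adjust_tcp_in 1723 denylog $new_ibt` in the adjust section of the script) while gre-in ends in ACCEPT, so only the GRE half of PPTP is open at the public address. The walker starts at those sub-chains rather than at INPUT because `iptables -L -n` without `-v` hides the in/out interface columns: the first INPUT rule reads as `ACCEPT all 0.0.0.0/0 0.0.0.0/0` in the listing but is really the `-i lo` rule from the script, so a walk from the top of INPUT would give a wrong answer. The chain names, the masked address 66.xxx.xx.xxx and the rule text are taken from the post; `first_match`, `resolve` and `pptp_verdict` are names chosen for this example, and the destination match is an exact string comparison (no CIDR arithmetic), which is enough for the rules shown.

```sh
#!/bin/sh
# Added example: replay a packet through chains from an `iptables -L -n`
# listing and report which target it hits.  Constructed sample below: the
# InboundTCP_18960, gre-in and denylog chains copied from the status
# listing in the post, public address left masked as 66.xxx.xx.xxx.
SAMPLE_LISTING='Chain InboundTCP_18960 (1 references)
target prot opt source destination
denylog all -- 0.0.0.0/0 !66.xxx.xx.xxx
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22

Chain gre-in (1 references)
target prot opt source destination
denylog all -- 0.0.0.0/0 !66.xxx.xx.xxx
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain denylog (22 references)
target prot opt source destination
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:137:139
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
DROP all -- 0.0.0.0/0 0.0.0.0/0
'

# first_match CHAIN PROTO DPORT DST
# Print the target of the first rule in CHAIN that a packet with protocol
# PROTO ("tcp", "udp", "47" for GRE), destination port DPORT (empty for
# protocols without ports) and destination address DST would hit.  LOG is
# non-terminating and is skipped.  Prints nothing if the chain falls
# through.  Columns: target prot opt source destination [matches...]
first_match() {
    printf '%s\n' "$SAMPLE_LISTING" | awk -v chain="$1" -v proto="$2" -v dport="$3" -v dst="$4" '
        /^Chain / { inchain = ($2 == chain); next }
        !inchain || $1 == "target" || NF == 0 { next }
        {
            # protocol column: "all" matches every protocol
            if ($2 != "all" && $2 != proto) next
            # destination column: 0.0.0.0/0 is any, "!addr" means not addr,
            # anything else must equal the packet destination (exact string
            # compare only, no CIDR arithmetic in this example)
            d = $5
            if (d ~ /^!/) { if (substr(d, 2) == dst) next }
            else if (d != "0.0.0.0/0" && d != dst) next
            # port match: dpt:N or a dpts:A:B range in the match columns
            for (i = 6; i <= NF; i++) {
                if ($i ~ /^dpt:/ && substr($i, 5) != dport) next
                if ($i ~ /^dpts:/) {
                    split(substr($i, 6), r, ":")
                    if (dport + 0 < r[1] + 0 || dport + 0 > r[2] + 0) next
                }
            }
            if ($1 == "LOG") next      # LOG never ends the walk
            print $1; exit
        }'
}

# resolve CHAIN PROTO DPORT DST
# Like first_match, but follows jumps into user-defined chains present in
# the listing until a built-in target is reached.  A fall-through from a
# user chain would return to the caller in the kernel; this example just
# reports "fallthrough" in that case.
resolve() {
    t=$(first_match "$@")
    case "$t" in
        ''|ACCEPT|DROP|REJECT) printf '%s\n' "${t:-fallthrough}" ;;
        *)  if printf '%s\n' "$SAMPLE_LISTING" | grep -q "^Chain $t "; then
                resolve "$t" "$2" "$3" "$4"    # follow the jump
            else
                printf '%s\n' "$t"             # target not in the listing
            fi ;;
    esac
}

# pptp_verdict DST: the two things a PPTP client talking to DST depends on,
# the tcp/1723 control connection (SYN path) and the GRE data stream.
pptp_verdict() {
    printf 'tcp/1723=%s gre=%s\n' \
        "$(resolve InboundTCP_18960 tcp 1723 "$1")" \
        "$(resolve gre-in 47 '' "$1")"
}

pptp_verdict 66.xxx.xx.xxx
```

Run it and the verdict for the public address is tcp/1723=DROP gre=ACCEPT, which matches what the `adjust` section of the script builds. On the live box, `iptables -L -n -v` (or `iptables-save`) shows the interface and the per-rule packet counters that the plain listing hides; a rising counter on the dpt:1723 denylog rule is the quickest confirmation of where the client's SYNs end up, and `adjust_tcp_in 1723 ACCEPT $new_ibt` is the script's own way to open it. If the PPTP server sits behind the NAT box instead of on it, the FORWARD chain and a DNAT for tcp/1723 and protocol 47 are needed as well, and because GRE carries no port numbers conntrack needs the PPTP helper (ip_conntrack_pptp/ip_nat_pptp, a patch-o-matic addition on 2.4 kernels, nf_conntrack_pptp/nf_nat_pptp on current kernels) to tie the GRE stream to its tcp/1723 control session.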