RE: iptables and pptp server problem [Long Post]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



>The script is taken from http://martybugs.net/smoothwall/vpn.cgi
>which is for Smoothwall.

>> With no success.  I suspect that it could be the mppe-ppp modules causing
>> problems.  I'm sure that TCP/port 1723 is forwarding properly... but
that's
>> all I see when I do a "iptstate" when trying to connect.

>Do you have Smoothwall installed or do you have any other iptables rules
>active which may block previous to your VPN rules? Your host is directly
>connected to the net through eth1?

>Alexander

iptables v1.2.5 on 2.4 kernel

No, it's not smoothwall.  Here is the current output of my firewall.  Can
you see if there is something else blocking my PPTP GRE forwarding.  BTW,
sorry for hijacking the thread.  I won't do it again. :-)

$ service masq status
Table: filter
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  224.0.0.0/4          0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            224.0.0.0/4
DROP       all  --  224.0.0.0/4          0.0.0.0/0
DROP       all  --  0.0.0.0/0            224.0.0.0/4
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state
RELATED,ESTABLISHED
icmpIn     icmp --  0.0.0.0/0            0.0.0.0/0
InputAllowIPSEC  all  --  0.0.0.0/0            0.0.0.0/0
InputAllowLocals  all  --  0.0.0.0/0            0.0.0.0/0
InboundTCP  tcp  --  0.0.0.0/0            0.0.0.0/0          tcp
flags:0x16/0x02
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp
flags:0x16/0x02
InboundUDP  udp  --  0.0.0.0/0            0.0.0.0/0
denylog    udp  --  0.0.0.0/0            0.0.0.0/0
esp-in     esp  --  0.0.0.0/0            0.0.0.0/0
denylog    esp  --  0.0.0.0/0            0.0.0.0/0
gre-in     47   --  0.0.0.0/0            0.0.0.0/0
denylog    47   --  0.0.0.0/0            0.0.0.0/0
denylog    all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ForwardAllowIPSEC  all  --  0.0.0.0/0            0.0.0.0/0
ForwardAllowLocals  all  --  0.0.0.0/0            0.0.0.0/0
denylog    all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  224.0.0.0/4          0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            224.0.0.0/4
DROP       all  --  224.0.0.0/4          0.0.0.0/0
DROP       all  --  0.0.0.0/0            224.0.0.0/4
icmpOut    icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain ForwardAllowIPSEC (1 references)
target     prot opt source               destination

Chain ForwardAllowLocals (1 references)
target     prot opt source               destination
ForwardAllowLocals_18960  all  --  0.0.0.0/0            0.0.0.0/0

Chain ForwardAllowLocals_18960 (1 references)
target     prot opt source               destination
ACCEPT     all  --  192.168.0.0/24       0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            192.168.0.0/24

Chain InboundTCP (1 references)
target     prot opt source               destination
InboundTCP_18960  all  --  0.0.0.0/0            0.0.0.0/0
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp
flags:0x16/0x02

Chain InboundTCP_18960 (1 references)
target     prot opt source               destination
denylog    all  --  0.0.0.0/0           !66.xxx.xx.xxx
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:113
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:21
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:443
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:143
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:389
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:110
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:1723
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:22
denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:23

Chain InboundUDP (1 references)
target     prot opt source               destination
InboundUDP_18960  all  --  0.0.0.0/0            0.0.0.0/0
denylog    udp  --  0.0.0.0/0            0.0.0.0/0

Chain InboundUDP_18960 (1 references)
target     prot opt source               destination
denylog    all  --  0.0.0.0/0           !66.xxx.xx.xxx
denylog    udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:500

Chain InputAllowIPSEC (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain InputAllowLocals (1 references)
target     prot opt source               destination
InputAllowLocals_18960  all  --  0.0.0.0/0            0.0.0.0/0

Chain InputAllowLocals_18960 (1 references)
target     prot opt source               destination
ACCEPT     all  --  192.168.0.0/24       0.0.0.0/0

Chain denylog (22 references)
target     prot opt source               destination
DROP       udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:520
DROP       udp  --  0.0.0.0/0            0.0.0.0/0          udp dpts:137:139
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpts:137:139
LOG        all  --  0.0.0.0/0            0.0.0.0/0          LOG flags 0
level 4
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain esp-in (1 references)
target     prot opt source               destination
denylog    all  --  0.0.0.0/0           !66.xxx.xx.xxx
denylog    all  --  0.0.0.0/0            0.0.0.0/0

Chain gre-in (1 references)
target     prot opt source               destination
denylog    all  --  0.0.0.0/0           !66.xxx.xx.xxx
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain icmpIn (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 12
denylog    all  --  0.0.0.0/0            0.0.0.0/0

Chain icmpOut (1 references)
target     prot opt source               destination
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 3
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 4
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 11
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 12
denylog    all  --  0.0.0.0/0            0.0.0.0/0
Table: nat
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
PreroutingBypassIPSEC  all  --  0.0.0.0/0            0.0.0.0/0
TransProxy  tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:80
PortForwarding  all  --  0.0.0.0/0            0.0.0.0/0

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain PortForwarding (1 references)
target     prot opt source               destination
PortForwarding_18960  all  --  0.0.0.0/0            66.xxx.xx.xxx

Chain PortForwarding_18960 (1 references)
target     prot opt source               destination

Chain PreroutingBypassIPSEC (1 references)
target     prot opt source               destination

Chain TransProxy (1 references)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            127.0.0.1
ACCEPT     all  --  0.0.0.0/0            192.168.0.10
ACCEPT     all  --  0.0.0.0/0            66.xxx.xx.xxx
DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0
to:192.168.0.10:3128
Table: mangle
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
TOS        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS
set 0x10
TOS        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS
set 0x10
TOS        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:23 TOS
set 0x10
TOS        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:25 TOS
set 0x10
TOS        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:80 TOS
set 0x10
TOS        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:110 TOS
set 0x10
TOS        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS
set 0x08

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

#!/bin/sh

# chkconfig: 345 82 35
# description: Configures IP masquerading.

    INTERNALIF=eth0
    OUTERIF=eth1
    OUTERNET=66.xxx.xx.xxx
    if [ -z "$OUTERNET" ]
    then
        # Make sure that OUTERNET value is set to syntactly valid value
        # to ensure that iptables syntax is at least correct
        OUTERNET=1.2.3.4
    fi

adjust_tcp_in() {
        local dport=$1
        local target=$2
        local chain=$3
        # Add the rule requested.
        /sbin/iptables --append $chain --protocol tcp --dport $dport \
                --in-interface $OUTERIF --jump $target
        # Catch any matching return, just in case.
        #/sbin/iptables --append $3 --protocol tcp --dport $1 \
        #--in-interface $OUTERIF --jump denylog
        }

adjust_udp_in() {
        local dport=$1
        local target=$2
        local chain=$3
        # Add the rule requested.
        /sbin/iptables --append $chain --protocol udp --dport $dport \
                --in-interface $OUTERIF --jump $target
        # Catch any matching return, just in case.
        #/sbin/iptables --append $3 --protocol udp --dport $1 \
        #--in-interface $OUTERIF --jump denylog
        }

get_safe_id() {
        # Expect arguments of, chain_name, table, mode, where mode can be
either
        # find or new
        local chain_name=$1
        local table=$2
        local mode=$3

        # Find the existing numbered chain.
        current=$(/sbin/iptables --table $table --list $chain_name --numeric
| s
ed -n '3s/ .*//p')
        if [ "x$current" = "x" ]; then
                # We didn't find it.
                echo "ERROR: Cannot find chain $chain_name in table $table"
1>&2
                exit 1
        fi

        # If we're in find mode, return this chain.
        case "$mode" in
                find)
                        echo $current ;;

                new)
                        # Make sure the number on this chain doesn't
conflict wi
th our
                        # process ID.
                        current_id=$(echo $current | sed
's/^[a-zA-Z][a-zA-Z]*_\
([0-9][0-9]*\)/\1/')
                        if [ "x$current_id" = "x" ]; then
                                echo "ERROR: Cannot find process ID on chain
nam
e" 1>&2
                                exit 1
                        fi
                        # If it conflicts with our process ID, add one to
ours.
                        if [ $current_id -eq $$ ]; then
                                echo ${chain_name}_$(expr $$ + 1)
                        else
                                echo ${chain_name}_$$
                        fi
                ;;
        esac
        }

case "$1" in

 start)
    echo -n "Enabling IP masquerading: "

    /sbin/iptables -F -t filter
    /sbin/iptables -F -t nat
    /sbin/iptables -F -t mangle
    /sbin/iptables -X -t filter
    /sbin/iptables -X -t nat
    /sbin/iptables -X -t mangle
    /sbin/iptables --flush  FORWARD
    /sbin/iptables --flush  INPUT
    /sbin/iptables --flush  OUTPUT

/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp

    /sbin/iptables --new-chain denylog
    /sbin/iptables --append denylog --jump DROP
    /sbin/iptables --append denylog --jump DROP
    /sbin/iptables --append denylog --jump DROP
    /sbin/iptables --append denylog --jump DROP
    /sbin/iptables --append denylog --jump DROP
    # Set telnet, www, smtp, pop3 and FTP for minimum delay
    for port in 21 22 23 25 80 110
    do
        /sbin/iptables --table mangle --append OUTPUT \
            --protocol tcp --dport $port \
            -j TOS --set-tos Minimize-Delay
    done

    # Set ftp-data for maximum throughput
    /sbin/iptables --table mangle --append OUTPUT \
            --protocol tcp --dport 20 \
            -j TOS --set-tos Maximize-Throughput
    # TODO - this hasn't yet been converted for iptables - does it
    # need to be?

    # set timeouts for tcp tcpfin udp
    #/sbin/iptables --masquerading --set 14400 60 600
    # Turn on Source Address Verification
    for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 0 > $f
    done


    /sbin/iptables --append INPUT -i lo -j ACCEPT
    /sbin/iptables --append OUTPUT -o lo -j ACCEPT

    # Permit multicast traffic to and from the internal interface.
    /sbin/iptables --append INPUT -s 224.0.0.0/4 \
        --in-interface $INTERNALIF --jump ACCEPT
    /sbin/iptables --append INPUT -d 224.0.0.0/4 \
        --in-interface $INTERNALIF --jump ACCEPT

    /sbin/iptables --append OUTPUT -s 224.0.0.0/4 \
        --out-interface $INTERNALIF --jump ACCEPT
    /sbin/iptables --append OUTPUT -d 224.0.0.0/4 \
        --out-interface $INTERNALIF --jump ACCEPT

    # Drop all other multicast traffic.
    /sbin/iptables --append INPUT -s 224.0.0.0/4        -j DROP
    /sbin/iptables --append INPUT -d 224.0.0.0/4        -j DROP

    /sbin/iptables --append OUTPUT -s 224.0.0.0/4       -j DROP
    /sbin/iptables --append OUTPUT -d 224.0.0.0/4       -j DROP

    # Set up chains which allow us to bypass prerouting for IPSEC networks
    /sbin/iptables --table nat --new-chain PreroutingBypassIPSEC
    /sbin/iptables --table nat --append PREROUTING --jump
PreroutingBypassIPSEC

    /sbin/iptables --table nat --new-chain TransProxy
    /sbin/iptables --table nat --append PREROUTING\
        -p tcp --dport 80 -j TransProxy
    /sbin/iptables --table nat --append TransProxy \
        --destination 127.0.0.1 --jump ACCEPT
    /sbin/iptables --table nat --append TransProxy \
        --destination 192.168.0.10 --jump ACCEPT
    /sbin/iptables --table nat --append TransProxy \
        --destination $OUTERNET --jump ACCEPT
    /sbin/iptables --table nat --append TransProxy\
        -p TCP -j DNAT --to 192.168.0.10:3128

    # Allow any already established or related connection
    /sbin/iptables --append INPUT -m state --state ESTABLISHED,RELATED -j
ACCEPT

    /sbin/iptables --new-chain icmpIn
    /sbin/iptables --append INPUT --protocol icmp --jump icmpIn
    /sbin/iptables --append icmpIn --proto icmp --icmp-type
echo-request --jump
ACCEPT
    /sbin/iptables --append icmpIn --proto icmp --icmp-type
echo-reply --jump AC
CEPT
    /sbin/iptables --append icmpIn --proto icmp --icmp-type
destination-unreacha
ble --jump ACCEPT
    /sbin/iptables --append icmpIn --proto icmp --icmp-type
source-quench --jump
 ACCEPT
    /sbin/iptables --append icmpIn --proto icmp --icmp-type
time-exceeded --jump
 ACCEPT
    /sbin/iptables --append icmpIn --proto icmp --icmp-type
parameter-problem --
jump ACCEPT

    /sbin/iptables --new-chain icmpOut
    /sbin/iptables --append OUTPUT --protocol icmp --jump icmpOut
    /sbin/iptables --append icmpOut --proto icmp --icmp-type
echo-request --jump
 ACCEPT
    /sbin/iptables --append icmpOut --proto icmp --icmp-type
echo-reply --jump A
CCEPT
    /sbin/iptables --append icmpOut --proto icmp --icmp-type
destination-unreach
able --jump ACCEPT
    /sbin/iptables --append icmpOut --proto icmp --icmp-type
source-quench --jum
p ACCEPT
    /sbin/iptables --append icmpOut --proto icmp --icmp-type
time-exceeded --jum
p ACCEPT
    /sbin/iptables --append icmpOut --proto icmp --icmp-type
parameter-problem -
-jump ACCEPT

    # Set up chains which allow us to capture IPSEC connections
    /sbin/iptables --new-chain InputAllowIPSEC
    /sbin/iptables --append InputAllowIPSEC -i ipsec+ -j ACCEPT
    /sbin/iptables --append INPUT --jump InputAllowIPSEC
    /sbin/iptables --new-chain ForwardAllowIPSEC
    /sbin/iptables --append FORWARD --jump ForwardAllowIPSEC

    # Set up chains which allow us to capture local networks
    /sbin/iptables --new-chain InputAllowLocals
    /sbin/iptables --new-chain InputAllowLocals_1
    /sbin/iptables --append InputAllowLocals --jump InputAllowLocals_1
    /sbin/iptables --append INPUT --jump InputAllowLocals
    /sbin/iptables --new-chain ForwardAllowLocals
    /sbin/iptables --new-chain ForwardAllowLocals_1
    /sbin/iptables --append ForwardAllowLocals --jump ForwardAllowLocals_1
    /sbin/iptables --append FORWARD --jump ForwardAllowLocals
    /sbin/iptables --append POSTROUTING -t nat -o $OUTERIF -j MASQUERADE

    /sbin/iptables --new-chain InboundTCP
    /sbin/iptables --new-chain InboundTCP_1
    /sbin/iptables --append INPUT --protocol tcp --syn --jump InboundTCP
    /sbin/iptables --append InboundTCP --protocol tcp --syn --jump
InboundTCP_1

 # Catch any returns, just in case
    /sbin/iptables --append INPUT --protocol tcp --syn --jump denylog
    /sbin/iptables --append InboundTCP --protocol tcp --syn --jump denylog
    /sbin/iptables --new-chain InboundUDP
    /sbin/iptables --new-chain InboundUDP_1
    /sbin/iptables --append INPUT --protocol udp --in-interface $OUTERIF \
       --jump InboundUDP
    /sbin/iptables --append InboundUDP --protocol udp --jump InboundUDP_1

# Catch any returns, just in case
    /sbin/iptables --append INPUT --protocol udp --in-interface $OUTERIF \
       --jump denylog
    /sbin/iptables --append InboundUDP --protocol udp --jump denylog
    /sbin/iptables -t nat --new-chain PortForwarding
    /sbin/iptables -t nat --new-chain PortForwarding_1
    /sbin/iptables -t nat --append PREROUTING --jump PortForwarding
    /sbin/iptables -t nat --append PortForwarding --destination $OUTERNET \
                                --jump PortForwarding_1

    /sbin/iptables --new-chain esp-in
    /sbin/iptables --append INPUT -p 50 -j esp-in
    /sbin/iptables --append INPUT -p 50 -j denylog
    /sbin/iptables --append esp-in -d \! $OUTERNET -j denylog
    /sbin/iptables --append esp-in -j denylog

    /sbin/iptables --new-chain gre-in
    /sbin/iptables --append INPUT -p 47 -j gre-in
    /sbin/iptables --append INPUT -p 47 -j denylog
    /sbin/iptables --append gre-in -d \! $OUTERNET -j denylog
    /sbin/iptables --append gre-in -j denylog
    /sbin/iptables --append icmpIn --jump denylog
    /sbin/iptables --append icmpOut --jump denylog

    /sbin/iptables --policy FORWARD DROP
    /sbin/iptables --append FORWARD --jump denylog

    /sbin/iptables --policy INPUT DROP
    /sbin/iptables --append INPUT --jump denylog

    /sbin/iptables --policy OUTPUT ACCEPT
    /sbin/iptables --append OUTPUT --jump ACCEPT
    $0 adjust
    echo "done"
    ;;


adjust)
        FAL=$(get_safe_id ForwardAllowLocals filter find)
        IAL=$(get_safe_id InputAllowLocals filter find)
        new_fal=$(get_safe_id ForwardAllowLocals filter new)
        new_ial=$(get_safe_id InputAllowLocals filter new)
    /sbin/iptables --new-chain $new_fal
    /sbin/iptables --new-chain $new_ial
        /sbin/iptables --append $new_fal \
                -s 192.168.0.0/255.255.255.0 -j ACCEPT
        /sbin/iptables --append $new_fal \
                -d 192.168.0.0/255.255.255.0 -j ACCEPT
        /sbin/iptables --append $new_ial \
                -s 192.168.0.0/255.255.255.0 -j ACCEPT
        /sbin/iptables --replace InputAllowLocals 1 \
                --jump $new_ial
        /sbin/iptables --flush $IAL
        /sbin/iptables --delete-chain $IAL
        /sbin/iptables --replace ForwardAllowLocals 1 \
                --jump $new_fal
        /sbin/iptables --flush $FAL
        /sbin/iptables --delete-chain $FAL

    /sbin/iptables --replace denylog 1 -p udp --dport 520 --jump DROP
    /sbin/iptables --replace denylog 2 -p udp --dport 137:139 --jump DROP
    /sbin/iptables --replace denylog 3 -p tcp --dport 137:139 --jump DROP
    /sbin/iptables --replace denylog 4 --jump LOG

    /sbin/iptables --replace esp-in 1 -d \! $OUTERNET -j denylog
    /sbin/iptables --replace esp-in 2 -j denylog
    /sbin/iptables --replace gre-in 1 -d \! $OUTERNET -j denylog
    /sbin/iptables --replace gre-in 2 -j ACCEPT
        IBT=$(get_safe_id InboundTCP filter find)
        new_ibt=$(get_safe_id InboundTCP filter new)
        /sbin/iptables --new-chain $new_ibt
    /sbin/iptables --append $new_ibt \! --destination $OUTERNET --jump
denylog
    adjust_tcp_in 113 ACCEPT $new_ibt
    adjust_tcp_in 21 denylog $new_ibt
    adjust_tcp_in 80 ACCEPT $new_ibt
    adjust_tcp_in 443 ACCEPT $new_ibt
    adjust_tcp_in 143 denylog $new_ibt
    adjust_tcp_in 389 denylog $new_ibt
    adjust_tcp_in 110 denylog $new_ibt
    adjust_tcp_in 1723 denylog $new_ibt
    adjust_tcp_in 25 ACCEPT $new_ibt
    adjust_tcp_in 22 ACCEPT $new_ibt
    adjust_tcp_in 23 denylog $new_ibt
        /sbin/iptables --replace InboundTCP 1 \
                --jump $new_ibt
        /sbin/iptables --flush $IBT
        /sbin/iptables --delete-chain $IBT

    /sbin/iptables --table nat \
        --replace TransProxy 3\
        --destination $OUTERNET --jump ACCEPT
    /sbin/iptables --table nat --replace TransProxy 4\
        -p TCP -j DNAT --to 192.168.0.10:3128

        IBU=$(get_safe_id InboundUDP filter find)
        new_ibu=$(get_safe_id InboundUDP filter new)
        /sbin/iptables --new-chain $new_ibu
    /sbin/iptables --append $new_ibu \! --destination $OUTERNET --jump
denylog
    adjust_udp_in 500 denylog $new_ibu
        /sbin/iptables --replace InboundUDP 1 \
                --jump $new_ibu
        /sbin/iptables --flush $IBU
        /sbin/iptables --delete-chain $IBU

# Create a new PortForwarding chain
PFC=$(/sbin/iptables --table nat --numeric --list PortForwarding |\
   sed -n '3s/ .*//p')
    /sbin/iptables --table nat --new-chain PortForwarding_$$
    /sbin/iptables --table nat --replace PortForwarding 1 --destination
$OUTERNE
T --jump PortForwarding_$$
    /sbin/iptables --table nat --flush $PFC
    /sbin/iptables --table nat --delete-chain $PFC

    ;;

masqstop)
      echo ""
      echo -n "Shuting down IP Masquerading:"
      /sbin/iptables -F FORWARD
      /sbin/iptables -P FORWARD DROP
      echo "            Done!"
      echo "" ;;
restart)
        $0 stop
        $0 start
        ;;

 status)
      echo $"Table: filter"
      /sbin/iptables --list -n
      echo $"Table: nat"
      /sbin/iptables -t nat --list -n
      echo $"Table: mangle"
      /sbin/iptables -t mangle --list -n
      ;;

stop)
     echo ""
     echo -n "Shutting down IP masquerade and firewall rules:"
     /sbin/iptables -P FORWARD DROP
     /sbin/iptables -P OUTPUT ACCEPT
     /sbin/iptables -P INPUT DROP
     /sbin/iptables -F INPUT
     /sbin/iptables -F OUTPUT
     /sbin/iptables -F FORWARD
     /sbin/iptables -F
    /sbin/iptables --append FORWARD -s 192.168.0.0/255.255.255.0 -d
192.168.0.0/
255.255.255.0 -j ACCEPT
     /sbin/iptables -X
     echo "             Done!"
     echo "" ;;

 *)
    echo "Usage: masq {start|stop|restart|...}"
    exit 1

esac
exit 0


Modules:
[root@bcpe root]# lsmod
Module                  Size  Used by    Tainted: P
ipt_LOG                 4640   1  (autoclean)
ppp_mppe               12864   0  (autoclean)
ppp_async               8256   0  (autoclean)
ppp_generic            24332   0  (autoclean) [ppp_mppe ppp_async]
appletalk              24172  12  (autoclean)
slhc                    6508   0  (autoclean) [ppp_generic]
printer                 8160   0  (unused)
8139too                16448   1
mii                     2408   0  [8139too]
3c59x                  28680   1
ipt_MASQUERADE          2464   1  (autoclean)
ipt_state               1536   1  (autoclean)
ipt_TOS                 1952   7  (autoclean)
ip_conntrack_ftp        5056   0  (unused)
ip_nat_ftp              4320   0  (unused)
iptable_mangle          3136   1  (autoclean)
iptable_nat            21460   2  (autoclean) [ipt_MASQUERADE ip_nat_ftp]
ip_conntrack           21836   3  (autoclean) [ipt_MASQUERADE ipt_state
ip_conntrack_ftp ip_nat_ftp iptable_nat]
iptable_filter          2752   1  (autoclean)
ip_tables              13792   9  [ipt_LOG ipt_MASQUERADE ipt_state ipt_TOS
iptable_mangle iptable_nat iptable_filter]
ide-cd                 30272   0
cdrom                  32032   0  [ide-cd]
ide-scsi                9664   0
hid                    20832   0  (unused)
input                   5792   0  [hid]
usb-uhci               24484   0  (unused)
usbcore                71904   0  [printer hid usb-uhci]
ext3                   67328   2
jbd                    49496   2  [ext3]
3w-xxxx                32160   3
sd_mod                 12960   6
scsi_mod              109392   3  [ide-scsi 3w-xxxx sd_mod]




[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux