Re: iptables and pptp server problem [Long Post]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



perhaps try using 
webmin and as a "plugin" turtle firewall,
it's user friendly and it works like a dream!
(also with pptp servers VPN etc etc)



----- Original Message ----- 
From: "Trevor" <trevor@xxxxxxxxxx>
To: "For users of Fedora Core releases" <fedora-list@xxxxxxxxxx>
Sent: Wednesday, July 28, 2004 9:48 PM
Subject: RE: iptables and pptp server problem [Long Post]


> >The script is taken from http://martybugs.net/smoothwall/vpn.cgi
> >which is for Smoothwall.
> 
> >> With no success.  I suspect that it could be the mppe-ppp modules causing
> >> problems.  I'm sure that TCP/port 1723 is forwarding properly... but
> that's
> >> all I see when I do a "iptstate" when trying to connect.
> 
> >Do you have Smoothwall installed or do you have any other iptables rules
> >active which may block previous to your VPN rules? Your host is directly
> >connected to the net through eth1?
> 
> >Alexander
> 
> iptables v1.2.5 on 2.4 kernel
> 
> No, it's not smoothwall.  Here is the current output of my firewall.  Can
> you see if there is something else blocking my PPTP GRE forwarding.  BTW,
> sorry for hijacking the thread.  I won't do it again. :-)
> 
> $ service masq status
> Table: filter
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  224.0.0.0/4          0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            224.0.0.0/4
> DROP       all  --  224.0.0.0/4          0.0.0.0/0
> DROP       all  --  0.0.0.0/0            224.0.0.0/4
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          state
> RELATED,ESTABLISHED
> icmpIn     icmp --  0.0.0.0/0            0.0.0.0/0
> InputAllowIPSEC  all  --  0.0.0.0/0            0.0.0.0/0
> InputAllowLocals  all  --  0.0.0.0/0            0.0.0.0/0
> InboundTCP  tcp  --  0.0.0.0/0            0.0.0.0/0          tcp
> flags:0x16/0x02
> denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp
> flags:0x16/0x02
> InboundUDP  udp  --  0.0.0.0/0            0.0.0.0/0
> denylog    udp  --  0.0.0.0/0            0.0.0.0/0
> esp-in     esp  --  0.0.0.0/0            0.0.0.0/0
> denylog    esp  --  0.0.0.0/0            0.0.0.0/0
> gre-in     47   --  0.0.0.0/0            0.0.0.0/0
> denylog    47   --  0.0.0.0/0            0.0.0.0/0
> denylog    all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ForwardAllowIPSEC  all  --  0.0.0.0/0            0.0.0.0/0
> ForwardAllowLocals  all  --  0.0.0.0/0            0.0.0.0/0
> denylog    all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  224.0.0.0/4          0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            224.0.0.0/4
> DROP       all  --  224.0.0.0/4          0.0.0.0/0
> DROP       all  --  0.0.0.0/0            224.0.0.0/4
> icmpOut    icmp --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain ForwardAllowIPSEC (1 references)
> target     prot opt source               destination
> 
> Chain ForwardAllowLocals (1 references)
> target     prot opt source               destination
> ForwardAllowLocals_18960  all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain ForwardAllowLocals_18960 (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  192.168.0.0/24       0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            192.168.0.0/24
> 
> Chain InboundTCP (1 references)
> target     prot opt source               destination
> InboundTCP_18960  all  --  0.0.0.0/0            0.0.0.0/0
> denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp
> flags:0x16/0x02
> 
> Chain InboundTCP_18960 (1 references)
> target     prot opt source               destination
> denylog    all  --  0.0.0.0/0           !66.xxx.xx.xxx
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:113
> denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:21
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:80
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:443
> denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:143
> denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:389
> denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:110
> denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:1723
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:25
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:22
> denylog    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:23
> 
> Chain InboundUDP (1 references)
> target     prot opt source               destination
> InboundUDP_18960  all  --  0.0.0.0/0            0.0.0.0/0
> denylog    udp  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain InboundUDP_18960 (1 references)
> target     prot opt source               destination
> denylog    all  --  0.0.0.0/0           !66.xxx.xx.xxx
> denylog    udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:500
> 
> Chain InputAllowIPSEC (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain InputAllowLocals (1 references)
> target     prot opt source               destination
> InputAllowLocals_18960  all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain InputAllowLocals_18960 (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  192.168.0.0/24       0.0.0.0/0
> 
> Chain denylog (22 references)
> target     prot opt source               destination
> DROP       udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:520
> DROP       udp  --  0.0.0.0/0            0.0.0.0/0          udp dpts:137:139
> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpts:137:139
> LOG        all  --  0.0.0.0/0            0.0.0.0/0          LOG flags 0
> level 4
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain esp-in (1 references)
> target     prot opt source               destination
> denylog    all  --  0.0.0.0/0           !66.xxx.xx.xxx
> denylog    all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain gre-in (1 references)
> target     prot opt source               destination
> denylog    all  --  0.0.0.0/0           !66.xxx.xx.xxx
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain icmpIn (1 references)
> target     prot opt source               destination
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 0
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 3
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 4
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 11
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 12
> denylog    all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain icmpOut (1 references)
> target     prot opt source               destination
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 8
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 0
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 3
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 4
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 11
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0          icmp type 12
> denylog    all  --  0.0.0.0/0            0.0.0.0/0
> Table: nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> PreroutingBypassIPSEC  all  --  0.0.0.0/0            0.0.0.0/0
> TransProxy  tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:80
> PortForwarding  all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> MASQUERADE  all  --  0.0.0.0/0            0.0.0.0/0
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain PortForwarding (1 references)
> target     prot opt source               destination
> PortForwarding_18960  all  --  0.0.0.0/0            66.xxx.xx.xxx
> 
> Chain PortForwarding_18960 (1 references)
> target     prot opt source               destination
> 
> Chain PreroutingBypassIPSEC (1 references)
> target     prot opt source               destination
> 
> Chain TransProxy (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            127.0.0.1
> ACCEPT     all  --  0.0.0.0/0            192.168.0.10
> ACCEPT     all  --  0.0.0.0/0            66.xxx.xx.xxx
> DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0
> to:192.168.0.10:3128
> Table: mangle
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> TOS        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:21 TOS
> set 0x10
> TOS        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:22 TOS
> set 0x10
> TOS        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:23 TOS
> set 0x10
> TOS        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:25 TOS
> set 0x10
> TOS        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:80 TOS
> set 0x10
> TOS        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:110 TOS
> set 0x10
> TOS        tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:20 TOS
> set 0x08
> 
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> 
> #!/bin/sh
> 
> # chkconfig: 345 82 35
> # description: Configures IP masquerading.
> 
>     INTERNALIF=eth0
>     OUTERIF=eth1
>     OUTERNET=66.xxx.xx.xxx
>     if [ -z "$OUTERNET" ]
>     then
>         # Make sure that OUTERNET value is set to syntactly valid value
>         # to ensure that iptables syntax is at least correct
>         OUTERNET=1.2.3.4
>     fi
> 
> adjust_tcp_in() {
>         local dport=$1
>         local target=$2
>         local chain=$3
>         # Add the rule requested.
>         /sbin/iptables --append $chain --protocol tcp --dport $dport \
>                 --in-interface $OUTERIF --jump $target
>         # Catch any matching return, just in case.
>         #/sbin/iptables --append $3 --protocol tcp --dport $1 \
>         #--in-interface $OUTERIF --jump denylog
>         }
> 
> adjust_udp_in() {
>         local dport=$1
>         local target=$2
>         local chain=$3
>         # Add the rule requested.
>         /sbin/iptables --append $chain --protocol udp --dport $dport \
>                 --in-interface $OUTERIF --jump $target
>         # Catch any matching return, just in case.
>         #/sbin/iptables --append $3 --protocol udp --dport $1 \
>         #--in-interface $OUTERIF --jump denylog
>         }
> 
> get_safe_id() {
>         # Expect arguments of, chain_name, table, mode, where mode can be
> either
>         # find or new
>         local chain_name=$1
>         local table=$2
>         local mode=$3
> 
>         # Find the existing numbered chain.
>         current=$(/sbin/iptables --table $table --list $chain_name --numeric
> | s
> ed -n '3s/ .*//p')
>         if [ "x$current" = "x" ]; then
>                 # We didn't find it.
>                 echo "ERROR: Cannot find chain $chain_name in table $table"
> 1>&2
>                 exit 1
>         fi
> 
>         # If we're in find mode, return this chain.
>         case "$mode" in
>                 find)
>                         echo $current ;;
> 
>                 new)
>                         # Make sure the number on this chain doesn't
> conflict wi
> th our
>                         # process ID.
>                         current_id=$(echo $current | sed
> 's/^[a-zA-Z][a-zA-Z]*_\
> ([0-9][0-9]*\)/\1/')
>                         if [ "x$current_id" = "x" ]; then
>                                 echo "ERROR: Cannot find process ID on chain
> nam
> e" 1>&2
>                                 exit 1
>                         fi
>                         # If it conflicts with our process ID, add one to
> ours.
>                         if [ $current_id -eq $$ ]; then
>                                 echo ${chain_name}_$(expr $$ + 1)
>                         else
>                                 echo ${chain_name}_$$
>                         fi
>                 ;;
>         esac
>         }
> 
> case "$1" in
> 
>  start)
>     echo -n "Enabling IP masquerading: "
> 
>     /sbin/iptables -F -t filter
>     /sbin/iptables -F -t nat
>     /sbin/iptables -F -t mangle
>     /sbin/iptables -X -t filter
>     /sbin/iptables -X -t nat
>     /sbin/iptables -X -t mangle
>     /sbin/iptables --flush  FORWARD
>     /sbin/iptables --flush  INPUT
>     /sbin/iptables --flush  OUTPUT
> 
> /sbin/modprobe ip_nat_ftp
> /sbin/modprobe ip_conntrack_ftp
> 
>     /sbin/iptables --new-chain denylog
>     /sbin/iptables --append denylog --jump DROP
>     /sbin/iptables --append denylog --jump DROP
>     /sbin/iptables --append denylog --jump DROP
>     /sbin/iptables --append denylog --jump DROP
>     /sbin/iptables --append denylog --jump DROP
>     # Set telnet, www, smtp, pop3 and FTP for minimum delay
>     for port in 21 22 23 25 80 110
>     do
>         /sbin/iptables --table mangle --append OUTPUT \
>             --protocol tcp --dport $port \
>             -j TOS --set-tos Minimize-Delay
>     done
> 
>     # Set ftp-data for maximum throughput
>     /sbin/iptables --table mangle --append OUTPUT \
>             --protocol tcp --dport 20 \
>             -j TOS --set-tos Maximize-Throughput
>     # TODO - this hasn't yet been converted for iptables - does it
>     # need to be?
> 
>     # set timeouts for tcp tcpfin udp
>     #/sbin/iptables --masquerading --set 14400 60 600
>     # Turn on Source Address Verification
>     for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>         echo 0 > $f
>     done
> 
> 
>     /sbin/iptables --append INPUT -i lo -j ACCEPT
>     /sbin/iptables --append OUTPUT -o lo -j ACCEPT
> 
>     # Permit multicast traffic to and from the internal interface.
>     /sbin/iptables --append INPUT -s 224.0.0.0/4 \
>         --in-interface $INTERNALIF --jump ACCEPT
>     /sbin/iptables --append INPUT -d 224.0.0.0/4 \
>         --in-interface $INTERNALIF --jump ACCEPT
> 
>     /sbin/iptables --append OUTPUT -s 224.0.0.0/4 \
>         --out-interface $INTERNALIF --jump ACCEPT
>     /sbin/iptables --append OUTPUT -d 224.0.0.0/4 \
>         --out-interface $INTERNALIF --jump ACCEPT
> 
>     # Drop all other multicast traffic.
>     /sbin/iptables --append INPUT -s 224.0.0.0/4        -j DROP
>     /sbin/iptables --append INPUT -d 224.0.0.0/4        -j DROP
> 
>     /sbin/iptables --append OUTPUT -s 224.0.0.0/4       -j DROP
>     /sbin/iptables --append OUTPUT -d 224.0.0.0/4       -j DROP
> 
>     # Set up chains which allow us to bypass prerouting for IPSEC networks
>     /sbin/iptables --table nat --new-chain PreroutingBypassIPSEC
>     /sbin/iptables --table nat --append PREROUTING --jump
> PreroutingBypassIPSEC
> 
>     /sbin/iptables --table nat --new-chain TransProxy
>     /sbin/iptables --table nat --append PREROUTING\
>         -p tcp --dport 80 -j TransProxy
>     /sbin/iptables --table nat --append TransProxy \
>         --destination 127.0.0.1 --jump ACCEPT
>     /sbin/iptables --table nat --append TransProxy \
>         --destination 192.168.0.10 --jump ACCEPT
>     /sbin/iptables --table nat --append TransProxy \
>         --destination $OUTERNET --jump ACCEPT
>     /sbin/iptables --table nat --append TransProxy\
>         -p TCP -j DNAT --to 192.168.0.10:3128
> 
>     # Allow any already established or related connection
>     /sbin/iptables --append INPUT -m state --state ESTABLISHED,RELATED -j
> ACCEPT
> 
>     /sbin/iptables --new-chain icmpIn
>     /sbin/iptables --append INPUT --protocol icmp --jump icmpIn
>     /sbin/iptables --append icmpIn --proto icmp --icmp-type
> echo-request --jump
> ACCEPT
>     /sbin/iptables --append icmpIn --proto icmp --icmp-type
> echo-reply --jump AC
> CEPT
>     /sbin/iptables --append icmpIn --proto icmp --icmp-type
> destination-unreacha
> ble --jump ACCEPT
>     /sbin/iptables --append icmpIn --proto icmp --icmp-type
> source-quench --jump
>  ACCEPT
>     /sbin/iptables --append icmpIn --proto icmp --icmp-type
> time-exceeded --jump
>  ACCEPT
>     /sbin/iptables --append icmpIn --proto icmp --icmp-type
> parameter-problem --
> jump ACCEPT
> 
>     /sbin/iptables --new-chain icmpOut
>     /sbin/iptables --append OUTPUT --protocol icmp --jump icmpOut
>     /sbin/iptables --append icmpOut --proto icmp --icmp-type
> echo-request --jump
>  ACCEPT
>     /sbin/iptables --append icmpOut --proto icmp --icmp-type
> echo-reply --jump A
> CCEPT
>     /sbin/iptables --append icmpOut --proto icmp --icmp-type
> destination-unreach
> able --jump ACCEPT
>     /sbin/iptables --append icmpOut --proto icmp --icmp-type
> source-quench --jum
> p ACCEPT
>     /sbin/iptables --append icmpOut --proto icmp --icmp-type
> time-exceeded --jum
> p ACCEPT
>     /sbin/iptables --append icmpOut --proto icmp --icmp-type
> parameter-problem -
> -jump ACCEPT
> 
>     # Set up chains which allow us to capture IPSEC connections
>     /sbin/iptables --new-chain InputAllowIPSEC
>     /sbin/iptables --append InputAllowIPSEC -i ipsec+ -j ACCEPT
>     /sbin/iptables --append INPUT --jump InputAllowIPSEC
>     /sbin/iptables --new-chain ForwardAllowIPSEC
>     /sbin/iptables --append FORWARD --jump ForwardAllowIPSEC
> 
>     # Set up chains which allow us to capture local networks
>     /sbin/iptables --new-chain InputAllowLocals
>     /sbin/iptables --new-chain InputAllowLocals_1
>     /sbin/iptables --append InputAllowLocals --jump InputAllowLocals_1
>     /sbin/iptables --append INPUT --jump InputAllowLocals
>     /sbin/iptables --new-chain ForwardAllowLocals
>     /sbin/iptables --new-chain ForwardAllowLocals_1
>     /sbin/iptables --append ForwardAllowLocals --jump ForwardAllowLocals_1
>     /sbin/iptables --append FORWARD --jump ForwardAllowLocals
>     /sbin/iptables --append POSTROUTING -t nat -o $OUTERIF -j MASQUERADE
> 
>     /sbin/iptables --new-chain InboundTCP
>     /sbin/iptables --new-chain InboundTCP_1
>     /sbin/iptables --append INPUT --protocol tcp --syn --jump InboundTCP
>     /sbin/iptables --append InboundTCP --protocol tcp --syn --jump
> InboundTCP_1
> 
>  # Catch any returns, just in case
>     /sbin/iptables --append INPUT --protocol tcp --syn --jump denylog
>     /sbin/iptables --append InboundTCP --protocol tcp --syn --jump denylog
>     /sbin/iptables --new-chain InboundUDP
>     /sbin/iptables --new-chain InboundUDP_1
>     /sbin/iptables --append INPUT --protocol udp --in-interface $OUTERIF \
>        --jump InboundUDP
>     /sbin/iptables --append InboundUDP --protocol udp --jump InboundUDP_1
> 
> # Catch any returns, just in case
>     /sbin/iptables --append INPUT --protocol udp --in-interface $OUTERIF \
>        --jump denylog
>     /sbin/iptables --append InboundUDP --protocol udp --jump denylog
>     /sbin/iptables -t nat --new-chain PortForwarding
>     /sbin/iptables -t nat --new-chain PortForwarding_1
>     /sbin/iptables -t nat --append PREROUTING --jump PortForwarding
>     /sbin/iptables -t nat --append PortForwarding --destination $OUTERNET \
>                                 --jump PortForwarding_1
> 
>     /sbin/iptables --new-chain esp-in
>     /sbin/iptables --append INPUT -p 50 -j esp-in
>     /sbin/iptables --append INPUT -p 50 -j denylog
>     /sbin/iptables --append esp-in -d \! $OUTERNET -j denylog
>     /sbin/iptables --append esp-in -j denylog
> 
>     /sbin/iptables --new-chain gre-in
>     /sbin/iptables --append INPUT -p 47 -j gre-in
>     /sbin/iptables --append INPUT -p 47 -j denylog
>     /sbin/iptables --append gre-in -d \! $OUTERNET -j denylog
>     /sbin/iptables --append gre-in -j denylog
>     /sbin/iptables --append icmpIn --jump denylog
>     /sbin/iptables --append icmpOut --jump denylog
> 
>     /sbin/iptables --policy FORWARD DROP
>     /sbin/iptables --append FORWARD --jump denylog
> 
>     /sbin/iptables --policy INPUT DROP
>     /sbin/iptables --append INPUT --jump denylog
> 
>     /sbin/iptables --policy OUTPUT ACCEPT
>     /sbin/iptables --append OUTPUT --jump ACCEPT
>     $0 adjust
>     echo "done"
>     ;;
> 
> 
> adjust)
>         FAL=$(get_safe_id ForwardAllowLocals filter find)
>         IAL=$(get_safe_id InputAllowLocals filter find)
>         new_fal=$(get_safe_id ForwardAllowLocals filter new)
>         new_ial=$(get_safe_id InputAllowLocals filter new)
>     /sbin/iptables --new-chain $new_fal
>     /sbin/iptables --new-chain $new_ial
>         /sbin/iptables --append $new_fal \
>                 -s 192.168.0.0/255.255.255.0 -j ACCEPT
>         /sbin/iptables --append $new_fal \
>                 -d 192.168.0.0/255.255.255.0 -j ACCEPT
>         /sbin/iptables --append $new_ial \
>                 -s 192.168.0.0/255.255.255.0 -j ACCEPT
>         /sbin/iptables --replace InputAllowLocals 1 \
>                 --jump $new_ial
>         /sbin/iptables --flush $IAL
>         /sbin/iptables --delete-chain $IAL
>         /sbin/iptables --replace ForwardAllowLocals 1 \
>                 --jump $new_fal
>         /sbin/iptables --flush $FAL
>         /sbin/iptables --delete-chain $FAL
> 
>     /sbin/iptables --replace denylog 1 -p udp --dport 520 --jump DROP
>     /sbin/iptables --replace denylog 2 -p udp --dport 137:139 --jump DROP
>     /sbin/iptables --replace denylog 3 -p tcp --dport 137:139 --jump DROP
>     /sbin/iptables --replace denylog 4 --jump LOG
> 
>     /sbin/iptables --replace esp-in 1 -d \! $OUTERNET -j denylog
>     /sbin/iptables --replace esp-in 2 -j denylog
>     /sbin/iptables --replace gre-in 1 -d \! $OUTERNET -j denylog
>     /sbin/iptables --replace gre-in 2 -j ACCEPT
>         IBT=$(get_safe_id InboundTCP filter find)
>         new_ibt=$(get_safe_id InboundTCP filter new)
>         /sbin/iptables --new-chain $new_ibt
>     /sbin/iptables --append $new_ibt \! --destination $OUTERNET --jump
> denylog
>     adjust_tcp_in 113 ACCEPT $new_ibt
>     adjust_tcp_in 21 denylog $new_ibt
>     adjust_tcp_in 80 ACCEPT $new_ibt
>     adjust_tcp_in 443 ACCEPT $new_ibt
>     adjust_tcp_in 143 denylog $new_ibt
>     adjust_tcp_in 389 denylog $new_ibt
>     adjust_tcp_in 110 denylog $new_ibt
>     adjust_tcp_in 1723 denylog $new_ibt
>     adjust_tcp_in 25 ACCEPT $new_ibt
>     adjust_tcp_in 22 ACCEPT $new_ibt
>     adjust_tcp_in 23 denylog $new_ibt
>         /sbin/iptables --replace InboundTCP 1 \
>                 --jump $new_ibt
>         /sbin/iptables --flush $IBT
>         /sbin/iptables --delete-chain $IBT
> 
>     /sbin/iptables --table nat \
>         --replace TransProxy 3\
>         --destination $OUTERNET --jump ACCEPT
>     /sbin/iptables --table nat --replace TransProxy 4\
>         -p TCP -j DNAT --to 192.168.0.10:3128
> 
>         IBU=$(get_safe_id InboundUDP filter find)
>         new_ibu=$(get_safe_id InboundUDP filter new)
>         /sbin/iptables --new-chain $new_ibu
>     /sbin/iptables --append $new_ibu \! --destination $OUTERNET --jump
> denylog
>     adjust_udp_in 500 denylog $new_ibu
>         /sbin/iptables --replace InboundUDP 1 \
>                 --jump $new_ibu
>         /sbin/iptables --flush $IBU
>         /sbin/iptables --delete-chain $IBU
> 
> # Create a new PortForwarding chain
> PFC=$(/sbin/iptables --table nat --numeric --list PortForwarding |\
>    sed -n '3s/ .*//p')
>     /sbin/iptables --table nat --new-chain PortForwarding_$$
>     /sbin/iptables --table nat --replace PortForwarding 1 --destination
> $OUTERNE
> T --jump PortForwarding_$$
>     /sbin/iptables --table nat --flush $PFC
>     /sbin/iptables --table nat --delete-chain $PFC
> 
>     ;;
> 
> masqstop)
>       echo ""
>       echo -n "Shuting down IP Masquerading:"
>       /sbin/iptables -F FORWARD
>       /sbin/iptables -P FORWARD DROP
>       echo "            Done!"
>       echo "" ;;
> restart)
>         $0 stop
>         $0 start
>         ;;
> 
>  status)
>       echo $"Table: filter"
>       /sbin/iptables --list -n
>       echo $"Table: nat"
>       /sbin/iptables -t nat --list -n
>       echo $"Table: mangle"
>       /sbin/iptables -t mangle --list -n
>       ;;
> 
> stop)
>      echo ""
>      echo -n "Shutting down IP masquerade and firewall rules:"
>      /sbin/iptables -P FORWARD DROP
>      /sbin/iptables -P OUTPUT ACCEPT
>      /sbin/iptables -P INPUT DROP
>      /sbin/iptables -F INPUT
>      /sbin/iptables -F OUTPUT
>      /sbin/iptables -F FORWARD
>      /sbin/iptables -F
>     /sbin/iptables --append FORWARD -s 192.168.0.0/255.255.255.0 -d
> 192.168.0.0/
> 255.255.255.0 -j ACCEPT
>      /sbin/iptables -X
>      echo "             Done!"
>      echo "" ;;
> 
>  *)
>     echo "Usage: masq {start|stop|restart|...}"
>     exit 1
> 
> esac
> exit 0
> 
> 
> Modules:
> [root@bcpe root]# lsmod
> Module                  Size  Used by    Tainted: P
> ipt_LOG                 4640   1  (autoclean)
> ppp_mppe               12864   0  (autoclean)
> ppp_async               8256   0  (autoclean)
> ppp_generic            24332   0  (autoclean) [ppp_mppe ppp_async]
> appletalk              24172  12  (autoclean)
> slhc                    6508   0  (autoclean) [ppp_generic]
> printer                 8160   0  (unused)
> 8139too                16448   1
> mii                     2408   0  [8139too]
> 3c59x                  28680   1
> ipt_MASQUERADE          2464   1  (autoclean)
> ipt_state               1536   1  (autoclean)
> ipt_TOS                 1952   7  (autoclean)
> ip_conntrack_ftp        5056   0  (unused)
> ip_nat_ftp              4320   0  (unused)
> iptable_mangle          3136   1  (autoclean)
> iptable_nat            21460   2  (autoclean) [ipt_MASQUERADE ip_nat_ftp]
> ip_conntrack           21836   3  (autoclean) [ipt_MASQUERADE ipt_state
> ip_conntrack_ftp ip_nat_ftp iptable_nat]
> iptable_filter          2752   1  (autoclean)
> ip_tables              13792   9  [ipt_LOG ipt_MASQUERADE ipt_state ipt_TOS
> iptable_mangle iptable_nat iptable_filter]
> ide-cd                 30272   0
> cdrom                  32032   0  [ide-cd]
> ide-scsi                9664   0
> hid                    20832   0  (unused)
> input                   5792   0  [hid]
> usb-uhci               24484   0  (unused)
> usbcore                71904   0  [printer hid usb-uhci]
> ext3                   67328   2
> jbd                    49496   2  [ext3]
> 3w-xxxx                32160   3
> sd_mod                 12960   6
> scsi_mod              109392   3  [ide-scsi 3w-xxxx sd_mod]
> 
> 
> 
> -- 
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list
> 
> 



[Index of Archives]     [Current Fedora Users]     [Fedora Desktop]     [Fedora SELinux]     [Yosemite News]     [Yosemite Photos]     [KDE Users]     [Fedora Tools]     [Fedora Docs]

  Powered by Linux