Perhaps try using webmin and, as a "plugin", turtle firewall; it's user friendly and it works like a dream! (also with pptp servers, VPN etc etc)

----- Original Message -----
From: "Trevor" <trevor@xxxxxxxxxx>
To: "For users of Fedora Core releases" <fedora-list@xxxxxxxxxx>
Sent: Wednesday, July 28, 2004 9:48 PM
Subject: RE: iptables and pptp server problem [Long Post]


> >The script is taken from http://martybugs.net/smoothwall/vpn.cgi
> >which is for Smoothwall.
>
> >> With no success. I suspect that it could be the mppe-ppp modules causing
> >> problems. I'm sure that TCP/port 1723 is forwarding properly... but that's
> >> all I see when I do an "iptstate" when trying to connect.
>
> >Do you have Smoothwall installed or do you have any other iptables rules
> >active which may block previous to your VPN rules? Your host is directly
> >connected to the net through eth1?
>
> >Alexander
>
> iptables v1.2.5 on 2.4 kernel
>
> No, it's not smoothwall. Here is the current output of my firewall. Can
> you see if there is something else blocking my PPTP GRE forwarding. BTW,
> sorry for hijacking the thread. I won't do it again.
> :-)
>
> $ service masq status
> Table: filter
> Chain INPUT (policy DROP)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  224.0.0.0/4          0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            224.0.0.0/4
> DROP       all  --  224.0.0.0/4          0.0.0.0/0
> DROP       all  --  0.0.0.0/0            224.0.0.0/4
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
> icmpIn     icmp --  0.0.0.0/0            0.0.0.0/0
> InputAllowIPSEC  all  --  0.0.0.0/0      0.0.0.0/0
> InputAllowLocals  all  --  0.0.0.0/0     0.0.0.0/0
> InboundTCP  tcp  --  0.0.0.0/0           0.0.0.0/0           tcp flags:0x16/0x02
> denylog    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x16/0x02
> InboundUDP  udp  --  0.0.0.0/0           0.0.0.0/0
> denylog    udp  --  0.0.0.0/0            0.0.0.0/0
> esp-in     esp  --  0.0.0.0/0            0.0.0.0/0
> denylog    esp  --  0.0.0.0/0            0.0.0.0/0
> gre-in     47   --  0.0.0.0/0            0.0.0.0/0
> denylog    47   --  0.0.0.0/0            0.0.0.0/0
> denylog    all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain FORWARD (policy DROP)
> target     prot opt source               destination
> ForwardAllowIPSEC  all  --  0.0.0.0/0    0.0.0.0/0
> ForwardAllowLocals  all  --  0.0.0.0/0   0.0.0.0/0
> denylog    all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  224.0.0.0/4          0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            224.0.0.0/4
> DROP       all  --  224.0.0.0/4          0.0.0.0/0
> DROP       all  --  0.0.0.0/0            224.0.0.0/4
> icmpOut    icmp --  0.0.0.0/0            0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain ForwardAllowIPSEC (1 references)
> target     prot opt source               destination
>
> Chain ForwardAllowLocals (1 references)
> target     prot opt source               destination
> ForwardAllowLocals_18960  all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain ForwardAllowLocals_18960 (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  192.168.0.0/24       0.0.0.0/0
> ACCEPT     all  --  0.0.0.0/0            192.168.0.0/24
>
> Chain InboundTCP (1 references)
> target     prot opt source               destination
> InboundTCP_18960  all  --  0.0.0.0/0     0.0.0.0/0
> denylog    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp flags:0x16/0x02
>
> Chain InboundTCP_18960 (1 references)
> target     prot opt source               destination
> denylog    all  --  0.0.0.0/0            !66.xxx.xx.xxx
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:113
> denylog    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:443
> denylog    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:143
> denylog    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:389
> denylog    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110
> denylog    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:1723
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25
> ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22
> denylog    tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:23
>
> Chain InboundUDP (1 references)
> target     prot opt source               destination
> InboundUDP_18960  all  --  0.0.0.0/0     0.0.0.0/0
> denylog    udp  --  0.0.0.0/0            0.0.0.0/0
>
> Chain InboundUDP_18960 (1 references)
> target     prot opt source               destination
> denylog    all  --  0.0.0.0/0            !66.xxx.xx.xxx
> denylog    udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:500
>
> Chain InputAllowIPSEC (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain InputAllowLocals (1 references)
> target     prot opt source               destination
> InputAllowLocals_18960  all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain InputAllowLocals_18960 (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  192.168.0.0/24       0.0.0.0/0
>
> Chain denylog (22 references)
> target     prot opt source               destination
> DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpt:520
> DROP       udp  --  0.0.0.0/0            0.0.0.0/0           udp dpts:137:139
> DROP       tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpts:137:139
> LOG        all  --  0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4
> DROP       all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain esp-in (1 references)
> target     prot opt source               destination
> denylog    all  --  0.0.0.0/0            !66.xxx.xx.xxx
> denylog    all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain gre-in (1 references)
> target     prot opt source               destination
> denylog    all  --  0.0.0.0/0            !66.xxx.xx.xxx
> ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain icmpIn (1 references)
> target     prot opt source               destination
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 3
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 4
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 11
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 12
> denylog    all  --  0.0.0.0/0            0.0.0.0/0
>
> Chain icmpOut (1 references)
> target     prot opt source               destination
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 8
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 0
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 3
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 4
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 11
> ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0           icmp type 12
> denylog    all  --  0.0.0.0/0            0.0.0.0/0
> Table: nat
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> PreroutingBypassIPSEC  all  --  0.0.0.0/0            0.0.0.0/0
> TransProxy  tcp  --  0.0.0.0/0           0.0.0.0/0           tcp dpt:80
> PortForwarding  all  --  0.0.0.0/0       0.0.0.0/0
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> MASQUERADE  all  --  0.0.0.0/0           0.0.0.0/0
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain PortForwarding (1 references)
> target     prot opt source               destination
> PortForwarding_18960  all  --  0.0.0.0/0            66.xxx.xx.xxx
>
> Chain PortForwarding_18960 (1 references)
> target     prot opt source               destination
>
> Chain PreroutingBypassIPSEC (1 references)
> target     prot opt source               destination
>
> Chain TransProxy (1 references)
> target     prot opt source               destination
> ACCEPT     all  --  0.0.0.0/0            127.0.0.1
> ACCEPT     all  --  0.0.0.0/0            192.168.0.10
> ACCEPT     all  --  0.0.0.0/0            66.xxx.xx.xxx
> DNAT       tcp  --  0.0.0.0/0            0.0.0.0/0           to:192.168.0.10:3128
> Table: mangle
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> Chain INPUT (policy ACCEPT)
> target     prot opt source               destination
>
> Chain FORWARD (policy ACCEPT)
> target     prot opt source               destination
>
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> TOS        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:21 TOS set 0x10
> TOS        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:22 TOS set 0x10
> TOS        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:23 TOS set 0x10
> TOS        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:25 TOS set 0x10
> TOS        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 TOS set 0x10
> TOS        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:110 TOS set 0x10
> TOS        tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:20 TOS set 0x08
>
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
>
> #!/bin/sh
>
> # chkconfig: 345 82 35
> # description: Configures IP masquerading.
>
> INTERNALIF=eth0
> OUTERIF=eth1
> OUTERNET=66.xxx.xx.xxx
> if [ -z "$OUTERNET" ]
> then
>     # Make sure that OUTERNET value is set to a syntactically valid value
>     # to ensure that iptables syntax is at least correct
>     OUTERNET=1.2.3.4
> fi
>
> adjust_tcp_in() {
>     local dport=$1
>     local target=$2
>     local chain=$3
>     # Add the rule requested.
>     /sbin/iptables --append $chain --protocol tcp --dport $dport \
>         --in-interface $OUTERIF --jump $target
>     # Catch any matching return, just in case.
>     #/sbin/iptables --append $3 --protocol tcp --dport $1 \
>     #    --in-interface $OUTERIF --jump denylog
> }
>
> adjust_udp_in() {
>     local dport=$1
>     local target=$2
>     local chain=$3
>     # Add the rule requested.
>     /sbin/iptables --append $chain --protocol udp --dport $dport \
>         --in-interface $OUTERIF --jump $target
>     # Catch any matching return, just in case.
>     #/sbin/iptables --append $3 --protocol udp --dport $1 \
>     #    --in-interface $OUTERIF --jump denylog
> }
>
> get_safe_id() {
>     # Expect arguments of chain_name, table, mode, where mode can be either
>     # find or new
>     local chain_name=$1
>     local table=$2
>     local mode=$3
>
>     # Find the existing numbered chain.
>     current=$(/sbin/iptables --table $table --list $chain_name --numeric | sed -n '3s/ .*//p')
>     if [ "x$current" = "x" ]; then
>         # We didn't find it.
>         echo "ERROR: Cannot find chain $chain_name in table $table" 1>&2
>         exit 1
>     fi
>
>     # If we're in find mode, return this chain.
>     case "$mode" in
>     find)
>         echo $current ;;
>
>     new)
>         # Make sure the number on this chain doesn't conflict with our
>         # process ID.
>         current_id=$(echo $current | sed 's/^[a-zA-Z][a-zA-Z]*_\([0-9][0-9]*\)/\1/')
>         if [ "x$current_id" = "x" ]; then
>             echo "ERROR: Cannot find process ID on chain name" 1>&2
>             exit 1
>         fi
>         # If it conflicts with our process ID, add one to ours.
>         if [ $current_id -eq $$ ]; then
>             echo ${chain_name}_$(expr $$ + 1)
>         else
>             echo ${chain_name}_$$
>         fi
>         ;;
>     esac
> }
>
> case "$1" in
>
> start)
>     echo -n "Enabling IP masquerading: "
>
>     /sbin/iptables -F -t filter
>     /sbin/iptables -F -t nat
>     /sbin/iptables -F -t mangle
>     /sbin/iptables -X -t filter
>     /sbin/iptables -X -t nat
>     /sbin/iptables -X -t mangle
>     /sbin/iptables --flush FORWARD
>     /sbin/iptables --flush INPUT
>     /sbin/iptables --flush OUTPUT
>
>     /sbin/modprobe ip_nat_ftp
>     /sbin/modprobe ip_conntrack_ftp
>
>     /sbin/iptables --new-chain denylog
>     /sbin/iptables --append denylog --jump DROP
>     /sbin/iptables --append denylog --jump DROP
>     /sbin/iptables --append denylog --jump DROP
>     /sbin/iptables --append denylog --jump DROP
>     /sbin/iptables --append denylog --jump DROP
>     # Set telnet, www, smtp, pop3 and FTP for minimum delay
>     for port in 21 22 23 25 80 110
>     do
>         /sbin/iptables --table mangle --append OUTPUT \
>             --protocol tcp --dport $port \
>             -j TOS --set-tos Minimize-Delay
>     done
>
>     # Set ftp-data for maximum throughput
>     /sbin/iptables --table mangle --append OUTPUT \
>         --protocol tcp --dport 20 \
>         -j TOS --set-tos Maximize-Throughput
>     # TODO - this hasn't yet been converted for iptables - does it
>     # need to be?
>
>     # set timeouts for tcp tcpfin udp
>     #/sbin/iptables --masquerading --set 14400 60 600
>     # Turn on Source Address Verification
>     for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>         echo 0 > $f
>     done
>
>
>     /sbin/iptables --append INPUT -i lo -j ACCEPT
>     /sbin/iptables --append OUTPUT -o lo -j ACCEPT
>
>     # Permit multicast traffic to and from the internal interface.
>     /sbin/iptables --append INPUT -s 224.0.0.0/4 \
>         --in-interface $INTERNALIF --jump ACCEPT
>     /sbin/iptables --append INPUT -d 224.0.0.0/4 \
>         --in-interface $INTERNALIF --jump ACCEPT
>
>     /sbin/iptables --append OUTPUT -s 224.0.0.0/4 \
>         --out-interface $INTERNALIF --jump ACCEPT
>     /sbin/iptables --append OUTPUT -d 224.0.0.0/4 \
>         --out-interface $INTERNALIF --jump ACCEPT
>
>     # Drop all other multicast traffic.
>     /sbin/iptables --append INPUT -s 224.0.0.0/4 -j DROP
>     /sbin/iptables --append INPUT -d 224.0.0.0/4 -j DROP
>
>     /sbin/iptables --append OUTPUT -s 224.0.0.0/4 -j DROP
>     /sbin/iptables --append OUTPUT -d 224.0.0.0/4 -j DROP
>
>     # Set up chains which allow us to bypass prerouting for IPSEC networks
>     /sbin/iptables --table nat --new-chain PreroutingBypassIPSEC
>     /sbin/iptables --table nat --append PREROUTING --jump PreroutingBypassIPSEC
>
>     /sbin/iptables --table nat --new-chain TransProxy
>     /sbin/iptables --table nat --append PREROUTING \
>         -p tcp --dport 80 -j TransProxy
>     /sbin/iptables --table nat --append TransProxy \
>         --destination 127.0.0.1 --jump ACCEPT
>     /sbin/iptables --table nat --append TransProxy \
>         --destination 192.168.0.10 --jump ACCEPT
>     /sbin/iptables --table nat --append TransProxy \
>         --destination $OUTERNET --jump ACCEPT
>     /sbin/iptables --table nat --append TransProxy \
>         -p TCP -j DNAT --to 192.168.0.10:3128
>
>     # Allow any already established or related connection
>     /sbin/iptables --append INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
>     /sbin/iptables --new-chain icmpIn
>     /sbin/iptables --append INPUT --protocol icmp --jump icmpIn
>     /sbin/iptables --append icmpIn --proto icmp --icmp-type echo-request --jump ACCEPT
>     /sbin/iptables --append icmpIn --proto icmp --icmp-type echo-reply --jump ACCEPT
>     /sbin/iptables --append icmpIn --proto icmp --icmp-type destination-unreachable --jump ACCEPT
>     /sbin/iptables --append icmpIn --proto icmp --icmp-type source-quench --jump ACCEPT
>     /sbin/iptables --append icmpIn --proto icmp --icmp-type time-exceeded --jump ACCEPT
>     /sbin/iptables --append icmpIn --proto icmp --icmp-type parameter-problem --jump ACCEPT
>
>     /sbin/iptables --new-chain icmpOut
>     /sbin/iptables --append OUTPUT --protocol icmp --jump icmpOut
>     /sbin/iptables --append icmpOut --proto icmp --icmp-type echo-request --jump ACCEPT
>     /sbin/iptables --append icmpOut --proto icmp --icmp-type echo-reply --jump ACCEPT
>     /sbin/iptables --append icmpOut --proto icmp --icmp-type destination-unreachable --jump ACCEPT
>     /sbin/iptables --append icmpOut --proto icmp --icmp-type source-quench --jump ACCEPT
>     /sbin/iptables --append icmpOut --proto icmp --icmp-type time-exceeded --jump ACCEPT
>     /sbin/iptables --append icmpOut --proto icmp --icmp-type parameter-problem --jump ACCEPT
>
>     # Set up chains which allow us to capture IPSEC connections
>     /sbin/iptables --new-chain InputAllowIPSEC
>     /sbin/iptables --append InputAllowIPSEC -i ipsec+ -j ACCEPT
>     /sbin/iptables --append INPUT --jump InputAllowIPSEC
>     /sbin/iptables --new-chain ForwardAllowIPSEC
>     /sbin/iptables --append FORWARD --jump ForwardAllowIPSEC
>
>     # Set up chains which allow us to capture local networks
>     /sbin/iptables --new-chain InputAllowLocals
>     /sbin/iptables --new-chain InputAllowLocals_1
>     /sbin/iptables --append InputAllowLocals --jump InputAllowLocals_1
>     /sbin/iptables --append INPUT --jump InputAllowLocals
>     /sbin/iptables --new-chain ForwardAllowLocals
>     /sbin/iptables --new-chain ForwardAllowLocals_1
>     /sbin/iptables --append ForwardAllowLocals --jump ForwardAllowLocals_1
>     /sbin/iptables --append FORWARD --jump ForwardAllowLocals
>     /sbin/iptables --append POSTROUTING -t nat -o $OUTERIF -j MASQUERADE
>
>     /sbin/iptables --new-chain InboundTCP
>     /sbin/iptables --new-chain InboundTCP_1
>     /sbin/iptables --append INPUT --protocol tcp --syn --jump InboundTCP
>     /sbin/iptables --append InboundTCP --protocol tcp --syn --jump InboundTCP_1
>
>     # Catch any returns, just in case
>     /sbin/iptables --append INPUT --protocol tcp --syn --jump denylog
>     /sbin/iptables --append InboundTCP --protocol tcp --syn --jump denylog
>     /sbin/iptables --new-chain InboundUDP
>     /sbin/iptables --new-chain InboundUDP_1
>     /sbin/iptables --append INPUT --protocol udp --in-interface $OUTERIF \
>         --jump InboundUDP
>     /sbin/iptables --append InboundUDP --protocol udp --jump InboundUDP_1
>
>     # Catch any returns, just in case
>     /sbin/iptables --append INPUT --protocol udp --in-interface $OUTERIF \
>         --jump denylog
>     /sbin/iptables --append InboundUDP --protocol udp --jump denylog
>     /sbin/iptables -t nat --new-chain PortForwarding
>     /sbin/iptables -t nat --new-chain PortForwarding_1
>     /sbin/iptables -t nat --append PREROUTING --jump PortForwarding
>     /sbin/iptables -t nat --append PortForwarding --destination $OUTERNET \
>         --jump PortForwarding_1
>
>     /sbin/iptables --new-chain esp-in
>     /sbin/iptables --append INPUT -p 50 -j esp-in
>     /sbin/iptables --append INPUT -p 50 -j denylog
>     /sbin/iptables --append esp-in -d \! $OUTERNET -j denylog
>     /sbin/iptables --append esp-in -j denylog
>
>     /sbin/iptables --new-chain gre-in
>     /sbin/iptables --append INPUT -p 47 -j gre-in
>     /sbin/iptables --append INPUT -p 47 -j denylog
>     /sbin/iptables --append gre-in -d \! $OUTERNET -j denylog
>     /sbin/iptables --append gre-in -j denylog
>     /sbin/iptables --append icmpIn --jump denylog
>     /sbin/iptables --append icmpOut --jump denylog
>
>     /sbin/iptables --policy FORWARD DROP
>     /sbin/iptables --append FORWARD --jump denylog
>
>     /sbin/iptables --policy INPUT DROP
>     /sbin/iptables --append INPUT --jump denylog
>
>     /sbin/iptables --policy OUTPUT ACCEPT
>     /sbin/iptables --append OUTPUT --jump ACCEPT
>     $0 adjust
>     echo "done"
>     ;;
>
>
> adjust)
>     FAL=$(get_safe_id ForwardAllowLocals filter find)
>     IAL=$(get_safe_id InputAllowLocals filter find)
>     new_fal=$(get_safe_id ForwardAllowLocals filter new)
>     new_ial=$(get_safe_id InputAllowLocals filter new)
>     /sbin/iptables --new-chain $new_fal
>     /sbin/iptables --new-chain $new_ial
>     /sbin/iptables --append $new_fal \
>         -s 192.168.0.0/255.255.255.0 -j ACCEPT
>     /sbin/iptables --append $new_fal \
>         -d 192.168.0.0/255.255.255.0 -j ACCEPT
>     /sbin/iptables --append $new_ial \
>         -s 192.168.0.0/255.255.255.0 -j ACCEPT
>     /sbin/iptables --replace InputAllowLocals 1 \
>         --jump $new_ial
>     /sbin/iptables --flush $IAL
>     /sbin/iptables --delete-chain $IAL
>     /sbin/iptables --replace ForwardAllowLocals 1 \
>         --jump $new_fal
>     /sbin/iptables --flush $FAL
>     /sbin/iptables --delete-chain $FAL
>
>     /sbin/iptables --replace denylog 1 -p udp --dport 520 --jump DROP
>     /sbin/iptables --replace denylog 2 -p udp --dport 137:139 --jump DROP
>     /sbin/iptables --replace denylog 3 -p tcp --dport 137:139 --jump DROP
>     /sbin/iptables --replace denylog 4 --jump LOG
>
>     /sbin/iptables --replace esp-in 1 -d \! $OUTERNET -j denylog
>     /sbin/iptables --replace esp-in 2 -j denylog
>     /sbin/iptables --replace gre-in 1 -d \! $OUTERNET -j denylog
>     /sbin/iptables --replace gre-in 2 -j ACCEPT
>     IBT=$(get_safe_id InboundTCP filter find)
>     new_ibt=$(get_safe_id InboundTCP filter new)
>     /sbin/iptables --new-chain $new_ibt
>     /sbin/iptables --append $new_ibt \! --destination $OUTERNET --jump denylog
>     adjust_tcp_in 113 ACCEPT $new_ibt
>     adjust_tcp_in 21 denylog $new_ibt
>     adjust_tcp_in 80 ACCEPT $new_ibt
>     adjust_tcp_in 443 ACCEPT $new_ibt
>     adjust_tcp_in 143 denylog $new_ibt
>     adjust_tcp_in 389 denylog $new_ibt
>     adjust_tcp_in 110 denylog $new_ibt
>     adjust_tcp_in 1723 denylog $new_ibt
>     adjust_tcp_in 25 ACCEPT $new_ibt
>     adjust_tcp_in 22 ACCEPT $new_ibt
>     adjust_tcp_in 23 denylog $new_ibt
>     /sbin/iptables --replace InboundTCP 1 \
>         --jump $new_ibt
>     /sbin/iptables --flush $IBT
>     /sbin/iptables --delete-chain $IBT
>
>     /sbin/iptables --table nat \
>         --replace TransProxy 3 \
>         --destination $OUTERNET --jump ACCEPT
>     /sbin/iptables --table nat --replace TransProxy 4 \
>         -p TCP -j DNAT --to 192.168.0.10:3128
>
>     IBU=$(get_safe_id InboundUDP filter find)
>     new_ibu=$(get_safe_id InboundUDP filter new)
>     /sbin/iptables --new-chain $new_ibu
>     /sbin/iptables --append $new_ibu \! --destination $OUTERNET --jump denylog
>     adjust_udp_in 500 denylog $new_ibu
>     /sbin/iptables --replace InboundUDP 1 \
>         --jump $new_ibu
>     /sbin/iptables --flush $IBU
>     /sbin/iptables --delete-chain $IBU
>
>     # Create a new PortForwarding chain
>     PFC=$(/sbin/iptables --table nat --numeric --list PortForwarding |\
>         sed -n '3s/ .*//p')
>     /sbin/iptables --table nat --new-chain PortForwarding_$$
>     /sbin/iptables --table nat --replace PortForwarding 1 --destination $OUTERNET --jump PortForwarding_$$
>     /sbin/iptables --table nat --flush $PFC
>     /sbin/iptables --table nat --delete-chain $PFC
>
>     ;;
>
> masqstop)
>     echo ""
>     echo -n "Shutting down IP Masquerading:"
>     /sbin/iptables -F FORWARD
>     /sbin/iptables -P FORWARD DROP
>     echo " Done!"
>     echo "" ;;
>
> restart)
>     $0 stop
>     $0 start
>     ;;
>
> status)
>     echo $"Table: filter"
>     /sbin/iptables --list -n
>     echo $"Table: nat"
>     /sbin/iptables -t nat --list -n
>     echo $"Table: mangle"
>     /sbin/iptables -t mangle --list -n
>     ;;
>
> stop)
>     echo ""
>     echo -n "Shutting down IP masquerade and firewall rules:"
>     /sbin/iptables -P FORWARD DROP
>     /sbin/iptables -P OUTPUT ACCEPT
>     /sbin/iptables -P INPUT DROP
>     /sbin/iptables -F INPUT
>     /sbin/iptables -F OUTPUT
>     /sbin/iptables -F FORWARD
>     /sbin/iptables -F
>     /sbin/iptables --append FORWARD -s 192.168.0.0/255.255.255.0 \
>         -d 192.168.0.0/255.255.255.0 -j ACCEPT
>     /sbin/iptables -X
>     echo " Done!"
>     echo "" ;;
>
> *)
>     echo "Usage: masq {start|stop|restart|...}"
>     exit 1
>
> esac
> exit 0
>
>
> Modules:
> [root@bcpe root]# lsmod
> Module                  Size  Used by    Tainted: P
> ipt_LOG                 4640   1  (autoclean)
> ppp_mppe               12864   0  (autoclean)
> ppp_async               8256   0  (autoclean)
> ppp_generic            24332   0  (autoclean) [ppp_mppe ppp_async]
> appletalk              24172  12  (autoclean)
> slhc                    6508   0  (autoclean) [ppp_generic]
> printer                 8160   0  (unused)
> 8139too                16448   1
> mii                     2408   0  [8139too]
> 3c59x                  28680   1
> ipt_MASQUERADE          2464   1  (autoclean)
> ipt_state               1536   1  (autoclean)
> ipt_TOS                 1952   7  (autoclean)
> ip_conntrack_ftp        5056   0  (unused)
> ip_nat_ftp              4320   0  (unused)
> iptable_mangle          3136   1  (autoclean)
> iptable_nat            21460   2  (autoclean) [ipt_MASQUERADE ip_nat_ftp]
> ip_conntrack           21836   3  (autoclean) [ipt_MASQUERADE ipt_state ip_conntrack_ftp ip_nat_ftp iptable_nat]
> iptable_filter          2752   1  (autoclean)
> ip_tables              13792   9  [ipt_LOG ipt_MASQUERADE ipt_state ipt_TOS iptable_mangle iptable_nat iptable_filter]
> ide-cd                 30272   0
> cdrom                  32032   0  [ide-cd]
> ide-scsi                9664   0
> hid                    20832   0  (unused)
> input                   5792   0  [hid]
> usb-uhci               24484   0  (unused)
> usbcore                71904   0  [printer hid usb-uhci]
> ext3                   67328   2
> jbd                    49496   2  [ext3]
> 3w-xxxx                32160   3
> sd_mod                 12960   6
> scsi_mod              109392   3  [ide-scsi 3w-xxxx sd_mod]
>
>
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: http://www.redhat.com/mailman/listinfo/fedora-list