LinuxQuestions.org

Linux - Networking: PLEASE !!! Can't open ports with rc.firewall (https://www.linuxquestions.org/questions/linux-networking-3/please-cant-open-ports-with-rc-firewall-222457/)

peryserv 08-25-2004 08:39 PM

PLEASE !!! Can't open ports with rc.firewall
 
Following is my rc.firewall script.

Everything seems to be working fine, but LAN clients can't connect to edonkey or emule clients. As far as I can understand, this is because servers can't access the UDP and TCP client ports from the outside. Isn't it???

I've tried to open tcp and udp ports with:

# HERE WE TRY FOR EDONKEY
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p tcp -s $UNIVERSE -d $INTNET --dport 8050 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p udp -s $UNIVERSE -d $INTNET --dport 8053 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p tcp -s $UNIVERSE -d $INTNET --dport 8052 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p udp -s $UNIVERSE -d $INTNET --dport 8055 -j ACCEPT

but still can't.

Can anyone help me???

MANY, MANY THANKS IN ADVANCE...

#!/bin/sh

#======================================================================

FWVER=0.80s

IPTABLES=/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig

#======================================================================

EXTIF="eth0"
INTIF="eth1"
INTNET="192.168.0.0/16"
INTIP="192.168.0.1/16"
UNIVERSE="0.0.0.0/0"
EXTIP="`$IFCONFIG $EXTIF | $AWK \
/$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"

#======================================================================

echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n"

echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
echo " ---"
echo " External IP: $EXTIP"
echo " ---"
echo " Internal Network: $INTNET"
echo " Internal IP: $INTIP"
echo " ---"

#======================================================================

echo " - Verifying that all kernel modules are ok"
$DEPMOD -a

echo -en " Loading kernel modules: "

echo -en "ip_tables, "

if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
$MODPROBE ip_tables
fi

echo -en "ip_conntrack, "

if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
$MODPROBE ip_conntrack
fi

echo -e "ip_conntrack_ftp, "

if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then
$MODPROBE ip_conntrack_ftp
fi


#IRC tracking mechanism for full IRC tracking
# echo -en "ip_conntrack_irc, "
#
# if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then
# $MODPROBE ip_conntrack_irc
# fi

echo -en "iptable_nat, "

if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
$MODPROBE iptable_nat
fi

echo -e "ip_nat_ftp"

if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
$MODPROBE ip_nat_ftp
fi

#IRC NAT functionality (for DCC) into the core IPTABLES code
# echo -e "ip_nat_irc"
#
# if [ -z "` $LSMOD | $GREP ip_nat_irc | $AWK {'print $1'} `" ]; then
# $MODPROBE ip_nat_irc
# fi

echo " ---"

#======================================================================
# partial list of some of the other IPTABLES kernel modules and their function.
# --------------------------------------------------------------------
# ip_nat_snmp_basic - this module allows for proper NATing of some
# SNMP traffic
# iptable_mangle - this target allows for packets to be
# manipulated for things like the TCPMSS
# option, etc.
# ipt_mark - this target marks a given packet for future action.
# This automatically loads the ipt_MARK module
# ipt_tcpmss - this target allows to manipulate the TCP MSS
# option for braindead remote firewalls.
# This automatically loads the ipt_TCPMSS module
# ipt_limit - this target allows for packets to be limited to
# to many hits per sec/min/hr
# ipt_multiport - this match allows for targets within a range
# of port numbers vs. listing each port individually
# ipt_state - this match allows to catch packets with various
# IP and TCP flags set/unset
# ipt_unclean - this match allows to catch packets that have invalid
# IP/TCP flags set
# iptable_filter - this module allows for packets to be DROPped,
# REJECTed, or LOGged. This module automatically
# loads the following modules:
# ipt_LOG - this target allows for packets to be
# logged
# ipt_REJECT - this target DROPs the packet and returns
# a configurable ICMP packet back to the
# sender.
#======================================================================

echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo " ---"

echo " Clearing any existing rules and setting default policy to DROP.."

$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat

if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
$IPTABLES -F drop-and-log-it
fi

$IPTABLES -X

$IPTABLES -Z

echo " Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j DROP

#======================================================================
#======================================================================
# ----- INPUT Section -----
#======================================================================
#======================================================================

echo -e "\n - Loading INPUT rulesets"

# loopback interfaces are valid.
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interface, local machines, going anywhere is valid
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT

# remote interface, claiming to be local machines, IP spoofing, get lost
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it

# external interface, from any source, for ICMP traffic is valid
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT

# remote interface, any source, going to permanent PPP address is valid
# disabled by default
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT

# Allow any related traffic coming back to the MASQ server in
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
ESTABLISHED,RELATED -j ACCEPT

# Catch all rule, all other incoming is denied and logged.
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

#======================================================================
# ----- Begin OPTIONAL INPUT Section -----
#======================================================================

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT

# HTTPd - Enable the following lines if you run an EXTERNAL WWW server
echo -e " - Allowing EXTERNAL access to the WWW server"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT

# HERE WE TRY FOR EDONKEY
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p tcp -s $UNIVERSE -d $INTNET --dport 8050 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p udp -s $UNIVERSE -d $INTNET --dport 8053 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p tcp -s $UNIVERSE -d $INTNET --dport 8052 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p udp -s $UNIVERSE -d $INTNET --dport 8055 -j ACCEPT

#======================================================================
# ----- End OPTIONAL INPUT Section -----
#======================================================================

#======================================================================
#======================================================================
# ----- OUTPUT Section -----
#======================================================================
#======================================================================

echo -e " - Loading OUTPUT rulesets"

# loopback interface is valid.
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interfaces, any source going to local net is valid
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT

# local interface, any source going to local net is valid
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it

# anything else outgoing on remote interface is valid
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT

#======================================================================
# ----- Begin OPTIONAL OUTPUT Section -----
#======================================================================

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \
-d 255.255.255.255 --dport 68 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \
-d 255.255.255.255 --dport 68 -j ACCEPT

#======================================================================
# ----- End OPTIONAL OUTPUT Section -----
#======================================================================

#======================================================================
#======================================================================
# ----- FORWARD Section -----
#======================================================================
#======================================================================

# Catch all rule, all other outgoing is denied and logged.
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo -e " - Loading FORWARD rulesets"

#======================================================================
# ----- Begin OPTIONAL FORWARD Section -----
#======================================================================

#

#======================================================================
# ----- End OPTIONAL FORWARD Section -----
#======================================================================

echo " - FWD: Allow all connections OUT and only existing/related IN"

#FOR INTERNAL LAN
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# Catch all rule, all other forwarding is denied and logged.
$IPTABLES -A FORWARD -j drop-and-log-it

echo " - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
#
#More liberal form
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#
#Stricter form
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n"

foo_bar_foo 08-25-2004 10:17 PM

ok -- so you are saying accept data coming into eth0 from outside the network with a destination of an internal network address ????????

incoming requests from www into eth0 ($EXTIF) should have the destination of your externally visible IP address
-d $EXTIP
not your internal addresses
-d $INTNET

and allow NAT routing to pass it along

I think anyway that might be the only problem, but that's a very long and confusing script.
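
The piece both posts circle around is the NAT step itself: a packet from the Internet arrives with the router's external address as its destination, and the only way for it to reach a LAN client is a DNAT rule in the nat/PREROUTING chain that rewrites that destination to the client's address. Once rewritten, the packet traverses the FORWARD chain, not INPUT, so INPUT rules matching -d $INTNET (as in the first post) never see it. The script below is an added example for this thread, not code from either poster or from the rc.firewall template; it reuses the posted script's variable names (EXTIF, INTIF, EXTIP, IPTABLES) and the port ranges stated in the thread (TCP 8050-8055, UDP 8053-8058), while the external address 203.0.113.10 and the LAN client 192.168.0.10 are assumed values so it can run stand-alone. It emits the rules for review and applies them only when APPLY=1.

```shell
#!/bin/sh
# Added example: DNAT port forwarding for one LAN client behind the NAT router.
# Variable names follow the posted rc.firewall; addresses below are assumed.

EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"
EXTIP="${EXTIP:-203.0.113.10}"        # assumed; rc.firewall derives this from ifconfig
P2P_HOST="${P2P_HOST:-192.168.0.10}"  # assumed LAN client that runs the P2P program
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Emit (without running) the two rules needed for one protocol/port range:
#   1. nat/PREROUTING DNAT: rewrite destination EXTIP -> P2P_HOST for that
#      range; with no port in --to-destination the original port is kept.
#   2. FORWARD: accept only NEW connections to that host and range. Return
#      traffic is already covered by the script's ESTABLISHED,RELATED rule.
forward_range() {
    proto="$1"; first="$2"; last="$3"
    printf '%s\n' \
      "$IPTABLES -t nat -A PREROUTING -i $EXTIF -p $proto -d $EXTIP --dport $first:$last -j DNAT --to-destination $P2P_HOST" \
      "$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p $proto -d $P2P_HOST --dport $first:$last -m state --state NEW -j ACCEPT"
}

# The ranges named in the thread: TCP 8050-8055 and UDP 8053-8058.
p2p_rules() {
    forward_range tcp 8050 8055
    forward_range udp 8053 8058
}

# Number of rules generated; a cheap sanity check before applying.
p2p_rule_count() { p2p_rules | wc -l | tr -d ' '; }

# Print for review by default; apply (as root) only when explicitly asked.
if [ "${APPLY:-0}" = "1" ]; then
    p2p_rules | while IFS= read -r rule; do eval "$rule"; done
else
    p2p_rules
fi
```

If these lines are pasted into the posted script, they belong in its "Begin OPTIONAL FORWARD Section", which sits before the FORWARD catch-all drop-and-log-it rule; rules appended after that catch-all are never reached. Keeping the ACCEPT limited to one host, one protocol and one port range is deliberate: exposing the whole $INTNET to NEW inbound connections would undo the point of the default-DROP FORWARD policy. A second LAN client would need its own DNAT rule with a different external port range, since one external port can only map to one internal address.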

peryserv 08-26-2004 07:43 PM

Exactly. I want data coming into eth0 from outside the network with a destination of an internal network address through ports 8050 to 8055 for TCP and 8053 to 8058 for UDP.

I have changed -d $EXTIP for -d $INTNET and started the server, but nothing...

How do I allow NAT routing to pass it along???

THANKS AGAIN !!!