LinuxQuestions.org
Old 08-25-2004, 08:39 PM   #1
peryserv
LQ Newbie
 
Registered: Aug 2004
Distribution: redhat 9
Posts: 4

PLEASE !!! Can't open ports with rc.firewall


Following is my rc.firewall script.

Everything seems to be working fine, but LAN clients can't connect to eDonkey or eMule clients. As far as I can understand, this is because servers can't access the UDP and TCP client ports from the outside. Isn't it???

I've tried to open TCP and UDP ports with:

# HERE WE TRY FOR EDONKEY
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p tcp -s $UNIVERSE -d $INTNET --dport 8050 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p udp -s $UNIVERSE -d $INTNET --dport 8053 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p tcp -s $UNIVERSE -d $INTNET --dport 8052 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p udp -s $UNIVERSE -d $INTNET --dport 8055 -j ACCEPT

but they still can't.

Can anyone help me???

MANY, MANY THANKS IN ADVANCE...

#!/bin/sh

#======================================================================

FWVER=0.80s

IPTABLES=/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig

#======================================================================

EXTIF="eth0"
INTIF="eth1"
INTNET="192.168.0.0/16"
INTIP="192.168.0.1/16"
UNIVERSE="0.0.0.0/0"
EXTIP="`$IFCONFIG $EXTIF | $AWK \
/$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"

#======================================================================

echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n"

echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
echo " ---"
echo " External IP: $EXTIP"
echo " ---"
echo " Internal Network: $INTNET"
echo " Internal IP: $INTIP"
echo " ---"

#======================================================================

echo " - Verifying that all kernel modules are ok"
$DEPMOD -a

echo -en " Loading kernel modules: "

echo -en "ip_tables, "

if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
$MODPROBE ip_tables
fi

echo -en "ip_conntrack, "

if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
$MODPROBE ip_conntrack
fi

echo -e "ip_conntrack_ftp, "

if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then
$MODPROBE ip_conntrack_ftp
fi


#IRC tracking mechanism for full IRC tracking
# echo -en "ip_conntrack_irc, "
#
# if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then
# $MODPROBE ip_conntrack_irc
# fi

echo -en "iptable_nat, "

if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
$MODPROBE iptable_nat
fi

echo -e "ip_nat_ftp"

if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
$MODPROBE ip_nat_ftp
fi

#IRC NAT functionality (for DCC) into the core IPTABLES code
# echo -e "ip_nat_irc"
#
# if [ -z "` $LSMOD | $GREP ip_nat_irc | $AWK {'print $1'} `" ]; then
# $MODPROBE ip_nat_irc
# fi

echo " ---"

#======================================================================
# partial list of some of the other IPTABLES kernel modules and their function.
# --------------------------------------------------------------------
# ip_nat_snmp_basic - this module allows for proper NATing of some
# SNMP traffic
# iptable_mangle - this target allows for packets to be
# manipulated for things like the TCPMSS
# option, etc.
# ipt_mark - this target marks a given packet for future action.
# This automatically loads the ipt_MARK module
# ipt_tcpmss - this target allows to manipulate the TCP MSS
# option for braindead remote firewalls.
# This automatically loads the ipt_TCPMSS module
# ipt_limit - this target allows for packets to be limited to
# to many hits per sec/min/hr
# ipt_multiport - this match allows for targets within a range
# of port numbers vs. listing each port individually
# ipt_state - this match allows to catch packets with various
# IP and TCP flags set/unset
# ipt_unclean - this match allows to catch packets that have invalid
# IP/TCP flags set
# iptable_filter - this module allows for packets to be DROPped,
# REJECTed, or LOGged. This module automatically
# loads the following modules:
# ipt_LOG - this target allows for packets to be
# logged
# ipt_REJECT - this target DROPs the packet and returns
# a configurable ICMP packet back to the
# sender.
#======================================================================

echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo " ---"

echo " Clearing any existing rules and setting default policy to DROP.."

$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat

if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
$IPTABLES -F drop-and-log-it
fi

$IPTABLES -X

$IPTABLES -Z

echo " Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j DROP

#======================================================================
#======================================================================
# ----- INPUT Section -----
#======================================================================
#======================================================================

echo -e "\n - Loading INPUT rulesets"

# loopback interfaces are valid.
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interface, local machines, going anywhere is valid
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT

# remote interface, claiming to be local machines, IP spoofing, get lost
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it

# external interface, from any source, for ICMP traffic is valid
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT

# remote interface, any source, going to permanent PPP address is valid
# disabled by default
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT

# Allow any related traffic coming back to the MASQ server in
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
ESTABLISHED,RELATED -j ACCEPT

# Catch all rule, all other incoming is denied and logged.
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

#======================================================================
# ----- Begin OPTIONAL INPUT Section -----
#======================================================================

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT

# HTTPd - Enable the following lines if you run an EXTERNAL WWW server
echo -e " - Allowing EXTERNAL access to the WWW server"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT

# HERE WE TRY FOR EDONKEY
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p tcp -s $UNIVERSE -d $INTNET --dport 8050 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p udp -s $UNIVERSE -d $INTNET --dport 8053 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p tcp -s $UNIVERSE -d $INTNET --dport 8052 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p udp -s $UNIVERSE -d $INTNET --dport 8055 -j ACCEPT

#======================================================================
# ----- End OPTIONAL INPUT Section -----
#======================================================================

#======================================================================
#======================================================================
# ----- OUTPUT Section -----
#======================================================================
#======================================================================

echo -e " - Loading OUTPUT rulesets"

# loopback interface is valid.
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interfaces, any source going to local net is valid
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT

# local interface, any source going to local net is valid
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it

# anything else outgoing on remote interface is valid
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT

#======================================================================
# ----- Begin OPTIONAL OUTPUT Section -----
#======================================================================

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \
-d 255.255.255.255 --dport 68 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \
-d 255.255.255.255 --dport 68 -j ACCEPT

#======================================================================
# ----- End OPTIONAL OUTPUT Section -----
#======================================================================

#======================================================================
#======================================================================
# ----- FORWARD Section -----
#======================================================================
#======================================================================

# Catch all rule, all other outgoing is denied and logged.
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

echo -e " - Loading FORWARD rulesets"

#======================================================================
# ----- Begin OPTIONAL FORWARD Section -----
#======================================================================

#

#======================================================================
# ----- End OPTIONAL FORWARD Section -----
#======================================================================

echo " - FWD: Allow all connections OUT and only existing/related IN"

#FOR INTERNAL LAN
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# Catch all rule, all other forwarding is denied and logged.
$IPTABLES -A FORWARD -j drop-and-log-it

echo " - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
#
#More liberal form
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#
#Stricter form
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP

echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n"
 
Old 08-25-2004, 10:17 PM   #2
foo_bar_foo
Senior Member
 
Registered: Jun 2004
Posts: 2,553

OK -- so you are saying accept data coming into eth0 from outside the network with a destination of
an internal network address????????

Incoming requests from the WWW into eth0 ($EXTIF) should have the destination of your externally visible IP address
-d $EXTIP
not your internal addresses
-d $INTNET

and allow NAT routing to pass it along.

I think anyway that might be the only problem, but that's a very long and confusing script.
 
Old 08-26-2004, 07:43 PM   #3
peryserv
LQ Newbie
 
Registered: Aug 2004
Distribution: redhat 9
Posts: 4

Original Poster
Exactly, I want data coming into eth0 from outside the network with a destination of an internal network address through ports 8050 to 8055 for TCP and 8053 to 8058 for UDP.

I have changed -d $EXTIP for -d $INTNET and started the server, but nothing...

How do I allow NAT routing to pass it along???



THANKS AGAIN !!!
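The question that closes the thread, how to make NAT pass the connection along, is answered by a DNAT port-forward in the nat table's PREROUTING chain plus a matching accept in the FORWARD chain. What follows is an added example, not code from the thread or from the rc.firewall script it quotes; the client address 192.168.0.10 and the external address 203.0.113.5 are assumed placeholder values, and the ports are the ones the posted rules name. Two things about the posted script are worth noting: its eDonkey rules are appended to INPUT with -d $INTNET, which can never match a packet that arrives from the Internet addressed to $EXTIP, and INPUT is not consulted for a forwarded packet at all. After DNAT in PREROUTING the packet is routed through FORWARD, so the accept for the new connection must sit before the script's FORWARD catch-all (the drop-and-log-it rule); the script's existing ESTABLISHED,RELATED rule, ip_forward=1 setting and POSTROUTING SNAT rule are still required.

```shell
#!/bin/sh
# Added example, not from the thread: port-forward (DNAT) the eDonkey ports
# from the firewall's external address to one LAN client.
#
# Assumptions (hypothetical values): the client runs on 192.168.0.10 and the
# external address is 203.0.113.5; EXTIF/INTIF match the posted script.
EXTIF="eth0"
INTIF="eth1"
EXTIP="203.0.113.5"            # placeholder; the posted script reads it from ifconfig
EDONKEY_HOST="192.168.0.10"    # assumed LAN client that runs the eDonkey/eMule client

IPTABLES="${IPTABLES:-/sbin/iptables}"
# DRY_RUN=1 (the default) prints the commands so they can be reviewed;
# run as root with DRY_RUN=0 to actually load them.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# forward_port PROTO PORT
# 1. nat/PREROUTING: a packet arriving on EXTIF for EXTIP:PORT has its
#    destination rewritten to the LAN client before routing, so it never
#    reaches the INPUT chain; it traverses FORWARD instead.
# 2. filter/FORWARD: accept the NEW connection to that one host and port.
#    This rule must be appended before the script's FORWARD catch-all
#    (-j drop-and-log-it); the existing ESTABLISHED,RELATED rule then
#    covers the rest of the connection.
forward_port() {
    proto="$1"
    port="$2"
    run -t nat -A PREROUTING -i "$EXTIF" -p "$proto" -d "$EXTIP" --dport "$port" \
        -j DNAT --to-destination "$EDONKEY_HOST:$port"
    run -A FORWARD -i "$EXTIF" -o "$INTIF" -p "$proto" -d "$EDONKEY_HOST" --dport "$port" \
        -m state --state NEW -j ACCEPT
}

# The ports the posted rules name: TCP 8050 and 8052, UDP 8053 and 8055.
# Forward only what the application needs, and only to the host that runs it.
for p in 8050 8052; do forward_port tcp "$p"; done
for p in 8053 8055; do forward_port udp "$p"; done
```

Run the script as-is to print the eight iptables commands and check them against the chain order in rc.firewall; once they look right, run it as root with DRY_RUN=0, or paste the generated lines into the script just above its FORWARD catch-all and after its nat table flush. Keeping the DNAT rule bound to -i $EXTIF and the FORWARD accept bound to a single destination host and port keeps the exposure limited to the one LAN client that actually needs it.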
 