LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 05-17-2007, 01:49 AM   #1
suvashan
LQ Newbie
 
Registered: Apr 2007
Posts: 16

Rep: Reputation: 0
iptables are not run automatically


Hi friends,

I need some help.

I made a Linux server for a proxy (Squid) and a firewall (iptables). Now my problem is that when I boot my server, my firewall script is not started automatically. I want the firewall script to run when the system boots. I have already done some steps for that, like copying my script to "/etc/sysconfig/iptables"...

These are all the steps I have done:

"cp /root/primary_firewall /etc/sysconfig/iptables"

"vi /etc/rc.local"

add the following line:

/sbin/insmod ip_conntrack_ftp

Save and exit the file.


But still my iptables are not started when the system boots...

So every time I have to log in and run the iptables like

./iptables

So I want to put this job in cron...

So please help me.
 
Old 05-17-2007, 02:00 AM   #2
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
Add the command to run your iptables script to /etc/rc.local.

Though, if this is Fedora, there is a special method.
Note: I hope you are not logging in as root routinely...
 
Old 05-17-2007, 02:31 AM   #3
suvashan
LQ Newbie
 
Registered: Apr 2007
Posts: 16

Original Poster
Rep: Reputation: 0
Hello... where can I add this?

My iptables path is "/"

"cp /etc/rc.local /etc/sysconfig/iptables"

"vi /etc/rc.local"

add the following line:

/sbin/insmod ip_conntrack_ftp

Save and exit the file.


So now where do I have to put this /etc/rc.local...

in /etc/rc.local
or

/root/primary_firewall

Please reply...

Last edited by suvashan; 05-17-2007 at 02:51 AM.
 
Old 05-17-2007, 02:51 AM   #4
suvashan
LQ Newbie
 
Registered: Apr 2007
Posts: 16

Original Poster
Rep: Reputation: 0
My iptables path is "/"

"cp /etc/rc.local /etc/sysconfig/iptables"

"vi /etc/rc.local"

add the following line:

/sbin/insmod ip_conntrack_ftp

Save and exit the file.


So now where do I have to put this /etc/rc.local...

in /etc/rc.local

or

/root/primary_firewall

Please reply...
 
Old 05-17-2007, 03:49 AM   #5
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
The command you ran to start your firewall manually was:

./iptables

The ./ tells the shell to look in the current working directory. In the example you gave, the working directory was /root, so I'm guessing that the iptables script is /root/iptables... so the relevant line in /etc/rc.local would be /root/iptables.
 
Old 05-17-2007, 03:57 AM   #6
suvashan
LQ Newbie
 
Registered: Apr 2007
Posts: 16

Original Poster
Rep: Reputation: 0
s ..my iptables

Hi,

My iptables path is "/" (root).

In this case, when I add "/etc/rc.local"

this line, I get an error:

"insmod:ipconntrack_ftp:no module by that name found"

So I reopened my iptables and commented out the line... "/etc/rc.local"

selvam

Last edited by suvashan; 05-17-2007 at 05:30 AM.
 
Old 05-17-2007, 05:43 AM   #7
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
"insmod:ipconntrack_ftp:no module by that name found"

... remove the insmod line from /etc/rc.local
 
Old 05-17-2007, 06:00 AM   #8
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 198
Please clarify your statements.
Quote:
my iptables path is "/"(root)
Excuse me? How can this be? Surely the iptables program is /sbin/iptables ???
Could it be that you have your firewall script in the root directory? Why would you put this in such an odd place?
Quote:
in this case when i add "/etc/rc.local"
this line i get an error..
Excuse me? This sentence is incomplete... when you add "/etc/rc.local" to what? ... to this line? What line?
Quote:
so i re open my iptables and comment the line..."/etc/rc.local"
How are you opening your iptables, and why would you have any mention of /etc/rc.local in there?

What you do is

vi /etc/rc.local

find the line that says:

/sbin/insmod ip_conntrack_ftp

delete that line, then add a new line in its place that gives the full path to the command you used to start your firewall. I.e. if you start your firewall with the following commands:

cd /root
./firewall.sh

... then the new line will say:

/root/firewall.sh
 
Old 05-17-2007, 06:02 AM   #9
suvashan
LQ Newbie
 
Registered: Apr 2007
Posts: 16

Original Poster
Rep: Reputation: 0
I get this error...!

I just removed the "insmod line from /etc/rc.local"

and went to my iptables.

# cd /
# vi iptables
here I just added "/etc/rc.local"

then saved this file (wq)

and ran the script ./iptables.

Now I get an error.

"/etc/rc.local:line7:bin/touch:too many open files in system.
/etc/rc.local:/bin/sh:bad interpreter:too many open files in system.
flushing al chains:{ok}
removing user defined chainsok)
Resetting built-in chains to the default ACCEPT policy{ok}


I just restarted the system, but still my iptables do not start automatically.....

I just go to the terminal and run it manually: ./iptables.

Last edited by suvashan; 05-17-2007 at 06:08 AM.
 
Old 06-05-2007, 02:51 AM   #10
suvashan
LQ Newbie
 
Registered: Apr 2007
Posts: 16

Original Poster
Rep: Reputation: 0
I will just explain your quotes...!

Quote 1:
my iptables path is "/"(root)

Actually my iptables script path is "/"

Quote 2:

in this case when i add "/etc/rc.local"
this line i get an error..

I mean I just added the line to my iptables script

like this...

[root@earth root]


[root@earth root] cd / (press enter)


[root@earth /]vi iptables (press enter)

in this script I added this line...

"/etc/rc.local"

and just saved (wq)

and ran the script

[root@earth /]./iptables

Now I am still getting the same problem... this iptables does not start automatically.
 
Old 06-05-2007, 03:44 AM   #11
SlackDaemon
Member
 
Registered: Mar 2006
Distribution: RedHat, Slackware, Experimenting with FreeBSD
Posts: 222

Rep: Reputation: 30
Quote:
Originally Posted by suvashan
Quote 1:
my iptables path is "/"(root)

Actually my iptables script path is "/"

Quote 2:
in this script I added this line...

"/etc/rc.local"

and just saved (wq)

Now I am still getting the same problem... this iptables does not start automatically.
Okay, I think you misunderstood Simon Bridge's instructions.

1) Remove the line /etc/rc.local from your iptables script.

2) vi /etc/rc.local and add the line:

/etc/sysconfig/iptables

then save it and restart.


If that doesn't work, try the following:

1) Remove the line /etc/rc.local from your iptables script

2) run the iptables script how you normally run it: ./iptables

3) type service iptables save

4) type chkconfig iptables on

5) reboot
 
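An added check, not code from the thread: given the two files SlackDaemon's steps revolve around (the rc.local file and the firewall script it should launch), it prints one line per reason the script would not start at boot, covering the failure modes seen above: a relative ./ invocation, a script that is not executable or has no #! line, an rc.local that never names the script by its full path, a firewall script that mentions rc.local instead of the other way round, and an insmod line that fails with "no module by that name found". The paths are parameters so it can be run against copies rather than the live /etc/rc.local; `audit_boot_firewall` is a name chosen for this example.

```shell
#!/bin/sh
# Added diagnostic, not code from the thread. Given an rc.local file and the
# firewall script it is supposed to launch, print one finding per line for
# each reason the script would not start at boot; return 1 if any was found.
# audit_boot_firewall is a name chosen for this example.

audit_boot_firewall() {
    rc_local=$1
    script=$2
    status=0

    # rc.local runs with / as its working directory, so "./iptables" looks
    # in the wrong place; the script must be given by absolute path
    case $script in
        /*) ;;
        *)  echo "script path '$script' is relative; rc.local needs the absolute path"
            status=1 ;;
    esac

    if [ ! -f "$script" ]; then
        echo "firewall script $script does not exist"
        status=1
    else
        if [ ! -x "$script" ]; then
            echo "firewall script $script is not executable (chmod 700 $script)"
            status=1
        fi
        # without a #! line the kernel cannot tell which interpreter to use
        if ! head -n 1 "$script" | grep -q '^#!'; then
            echo "firewall script $script has no #! interpreter line"
            status=1
        fi
        # the reference belongs in rc.local, not inside the firewall script
        if grep -q 'rc\.local' "$script"; then
            echo "firewall script $script mentions rc.local; the reference goes the other way round"
            status=1
        fi
    fi

    if [ ! -f "$rc_local" ]; then
        echo "$rc_local does not exist"
        status=1
    else
        if [ ! -x "$rc_local" ]; then
            echo "$rc_local is not executable, so init will not run it"
            status=1
        fi
        # the script must be invoked by its full path on a line of its own
        if ! grep -qxF "$script" "$rc_local"; then
            echo "$rc_local never runs $script by its full path"
            status=1
        fi
        if grep -q '^\./' "$rc_local"; then
            echo "$rc_local uses a ./ invocation, which fails because the cwd at boot is /"
            status=1
        fi
        # insmod needs the path to a .ko file; modprobe resolves a module by name
        if grep -q 'insmod' "$rc_local"; then
            echo "$rc_local calls insmod; use modprobe so the module is found by name"
            status=1
        fi
    fi
    return $status
}
```

Run it as `audit_boot_firewall /etc/rc.local /root/primary_firewall` (or whatever the script's real path is); an empty report with exit status 0 means the boot-time wiring is at least plausible, and each printed line is one thing to fix.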
Old 06-05-2007, 04:46 AM   #12
suvashan
LQ Newbie
 
Registered: Apr 2007
Posts: 16

Original Poster
Rep: Reputation: 0
Hi James Dewar

I tried it, but again it does not work automatically...

I am starting it manually (./iptables).

Thanks for your advice... I still need help... or else can I put the job in cron...?


I need some advice.

selvam
 
Old 06-05-2007, 05:00 AM   #13
SlackDaemon
Member
 
Registered: Mar 2006
Distribution: RedHat, Slackware, Experimenting with FreeBSD
Posts: 222

Rep: Reputation: 30
Please post your iptables script. You don't want to use cron for this!
 
Old 06-05-2007, 05:50 AM   #14
suvashan
LQ Newbie
 
Registered: Apr 2007
Posts: 16

Original Poster
Rep: Reputation: 0
#!/bin/bash
# /usr/local/sbin/setiptables.bash


# Acceptable ports


APORTS=" 23 1720 80 389 522 1503 1720 1731 1433 8383 110 3128 5060 1503 3129 4311 1433 554 1755"
# Reject ports Kazaa(1214), Gnnutella (6346 6347)
RPORTS=" 1214 443 445 135 25 6346 6347 81"

EX_ETH=eth0 # External Interface
IN_ETH=eth1 # Local Interface
LOCAL_IP=192.168.1.100 # Local Host IP
LOCAL_NET=192.168.1.0/192.168.1.120 # Local Network
#EXTERNAL_NET=202.144.158.192/28 # External Network
EXTERNAL_NET=61.247.252.125 # External Network
EXTERNAL_IP=61.247.252.125
PROXY_IP=192.168.1.100 # Proxy Server IP (Transparent Proxy)
PROXY_PORT=3128 # Proxy Server Port No

# Clear all iptables

#/etc/init.d/iptables stop
#comment on 03/04/2006

/etc/init.d/iptables stop
#created on 03/04/2006

iptables --flush
iptables --delete-chain

# Note: these policy lines are commented out, so after the flush above all
# built-in chains keep the default ACCEPT policy
#iptables -P INPUT DROP
#iptables -P OUTPUT ACCEPT
#iptables -P FORWARD ACCEPT

#iptables -A INPUT --dport 25 -j DROP

# Masquerade


#iptables -t nat -A PREROUTING -p tcp -i $EX_ETH -d $EXTERNAL_NET --dport 5060 -j DNAT --to 192.168.1.200:80

#iptables -A FORWARD -p tcp -i $EX_ETH -d 192.168.1.200 --dport 80 -j ACCEPT





#iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 3389

iptables -t nat -A POSTROUTING -s 192.168.1.100 -o $EX_ETH -j MASQUERADE

iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 5900
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 21
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 110

iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE

iptables -t nat -A POSTROUTING -s 192.168.1.68 -o $EX_ETH -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.1.68 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
#iptables -t nat -A POSTROUTING -s 192.168.1.68 -o $EX_ETH -j MASQUERADE -p tcp --dport 110

#iptables -t nat -A POSTROUTING -s 192.168.1.55 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.55 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.55 -o $EX_ETH -j MASQUERADE -p tcp --dport 110


iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE -p tcp --dport 21
iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE -p tcp --dport 110

iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE

iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 21
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 1434
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 3389
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE

iptables -t nat -A POSTROUTING -s 192.168.1.3 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.3 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
#iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 3389

iptables -t nat -A POSTROUTING -s 192.168.1.1 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.1 -o $EX_ETH -j MASQUERADE -p tcp --dport 110


iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 1434
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 3389
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 5900



iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337

iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
#iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433


#iptables -t nat -A POSTROUTING -s 192.168.1.12 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.12 -o $EX_ETH -j MASQUERADE -p tcp --dport 21
iptables -t nat -A POSTROUTING -s 192.168.1.12 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.12 -o $EX_ETH -j MASQUERADE -p tcp --dport 110


iptables -t nat -A POSTROUTING -s 192.168.1.37 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.37 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.37 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
iptables -t nat -A POSTROUTING -s 192.168.1.37 -o $EX_ETH -j MASQUERADE -p tcp --dport 5900

iptables -t nat -A POSTROUTING -s 192.168.1.10 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.10 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
#iptables -t nat -A POSTROUTING -s 192.168.1.2 -o $EX_ETH -j MASQUERADE

iptables -t nat -A POSTROUTING -s 192.168.1.24 -o $EX_ETH -j MASQUERADE

iptables -t nat -A POSTROUTING -s 192.168.1.2 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.14 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.14 -o $EX_ETH -j MASQUERADE -p tcp --dport 110

iptables -t nat -A POSTROUTING -s 192.168.1.57 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.57 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.57 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337


# Transparent Proxy
#iptables -t nat -A PREROUTING -i $IN_ETH \
# -p tcp --dport 80 -j REDIRECT --to-port $PROXY_PORT

# Transparent Proxy (to a Remote Box)
# iptables -t nat -A PREROUTING -i $IN_ETH -s ! $LOCAL_IP -p tcp \
# --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
# iptables -t nat -A POSTROUTING -o eth0 -s $LOCAL_NET -d $PROXY_IP \
# -j SNAT --to $LOCAL_IP
# iptables -A FORWARD -s $LOCAL_NET -d $PROXY_IP -i $IN_ETH -o $EX_ETH
# -p tcp --dport $PROXY_PORT -j ACCEPT

#packets for established connections

iptables -A INPUT -p tcp -d 61.247.252.125 -m state --state \
NEW,ESTABLISHED,RELATED -j ACCEPT

#iptables -A INPUT -p tcp -d 61.247.252.125 -i eth0 -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES ACCEPT]'
# Accept
for AP in $APORTS
do
#iptables -A INPUT -i $EX_ETH -p tcp --dport $AP -s $LOCAL_NET -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES ACCEPT]'

#iptables -A INPUT -i $EX_ETH -p udp --dport $AP -s $LOCAL_NET -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES ACCEPT]'
iptables -A INPUT -i $EX_ETH -p tcp --dport $AP -s $LOCAL_NET -j ACCEPT
iptables -A INPUT -i $EX_ETH -p udp --dport $AP -s $LOCAL_NET -j ACCEPT
# iptables -A INPUT -j ACCEPT -p all -s 192.168.1.0/192.168.1.120 -i eth1
# iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/192.168.1.120 -o eth1
done



#iptables -A OUTPUT -p ALL -s 192.168.1.100 -j ACCEPT
#iptables -A OUTPUT -p ALL -s 192.168.1.1 -j ACCEPT
#iptables -A INPUT -i eth1 -s 0/0 -d 192.168.1.42 -j REJECT


# Note: the loop is commented out, so $AP here still holds the last value
# left by the loop above (1755), not each port in $APORTS
#for AP in $APORTS
#do
iptables -A INPUT -d 61.247.252.125 -i $EX_ETH -p tcp --dport $AP -j ACCEPT
iptables -A INPUT -d 61.247.252.125 -i $EX_ETH -p udp --dport $AP -j ACCEPT
#done

# Reject
#for RP in $RPORTS
#do
# iptables -A INPUT -p tcp --dport $RP -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP]'
# iptables -A INPUT -p tcp --dport $RP -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP]'
# iptables -A INPUT -p tcp --dport $RP -j REJECT
# iptables -A INPUT -p udp --dport $RP -j REJECT
# iptables -A INPUT -i eth1 -p tcp --dport $RP -j REJECT
# iptables -A INPUT -i eth1 -p udp --dport $RP -j REJECT
#done

#iptables -A INPUT -i $IN_ETH -p tcp --dport 5060 -j ACCEPT
#iptables -A INPUT -i $IN_ETH -p udp -m udp --dport 7070:7080 -j ACCEPT
#iptables -A FORWARD -o eth1 -p tcp --dport 5000:5050 -j DROP


# Any other packets must be dropped.
#iptables -A INPUT -i $EX_ETH -m state --state NEW,INVALID -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP]'
#iptables -A INPUT -i $EX_ETH -m state --state NEW,INVALID -j DROP


# FORWARD Chain
#:iptables -A FORWARD -i $EX_ETH -m state --state NEW,INVALID -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP]'
#iptables -A FORWARD -i $EX_ETH -m state --state NEW,INVALID -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward

#iptables -A INPUT -i $EX_ETH -p tcp --dport 80 -j LOG
#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 80 -j DNAT --to-dest 192.168.1.200:80
#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 8081 -j DNAT --to-dest 192.168.1.200:8081
#iptables -t nat -A PREROUTING -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 80 -j LOG
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 554 -j ACCEPT

#iptables -A INPUT -i $EX_ETH -p tcp --dport 1433 -j LOG
#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 1433 -j DNAT --to-dest 192.168.1.200:1433
#iptables -t nat -A PREROUTING -j ACCEPT


#iptables -t nat -A PREROUTING -s any/0 -d 61.247.252.125 -p tcp --dport 554 -j DNAT --to-dest 192.168.1.200:554

#iptables -A FORWARD -i $EX_ETH -j ACCEPT
#iptables -A FORWARD -i $IN_ETH -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp -d 192.168.1.200 --dport 554 -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp -d 192.168.1.200 --dport 7070 -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p udp -d 192.168.1.200 --dport 554 -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p udp -d 192.168.1.200 --dport 7070 -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p udp -d 192.168.1.200 --dport 6970:6999 -j ACCEPT

#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p tcp --dport 554 -j DNAT --to-destination 192.168.1.200:554
#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p tcp --dport 7070 -j DNAT --to-destination 192.168.1.200:7070
#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p udp --dport 554 -j DNAT --to-destination 192.168.1.200:554
#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p udp --dport 7070 -j DNAT --to-destination 192.168.1.200:7070
#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p udp --dport 6970:6999 -j DNAT --to-destination 192.168.1.200:6970-6999



#echo 1 > /proc/sys/net/ipv4/ip_forward

#iptables -t nat -A PREROUTING -i $IN_ETH -p tcp --dport 5060 -j DNAT --to-dest 192.168.1.200:5060

#iptables -t nat -A PREROUTING -j ACCEPT
#iptables -A FORWARD -i $IN_ETH -p tcp -s 192.168.1.200 \
#-o $IN_ETH --dport 5060 -m state --state NEW -j ACCEPT

#iptables -A FORWARD -t filter -o $IN_ETH -m state \
# --state NEW,ESTABLISHED,RELATED -j ACCEPT

#iptables -A FORWARD -t filter -i $IN_ETH -m state \
# --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -p tcp --dport 5060 -j LOG --log-prefix "test"
#iptables -A FORWARD -s 192.168.1.200 -i $IN_ETH -o $IN_ETH -p tcp -j ACCEPT



#iptables -t nat -A FORWARD -i $IN_ETH -o $IN_ETH -p tcp --dport 5060 -m state --state ESTABLISHED -j ACCEPT

#iptables -A INPUT -p tcp -i $EX_ETH --dport 1720 -j LOG --log-prefix "mytest"
iptables -A PREROUTING -t nat -p tcp -d $EXTERNAL_IP --dport 1720 -j DNAT --to-dest 192.168.1.200:1720
iptables -t nat -A PREROUTING -j ACCEPT

iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 1720 -j ACCEPT


#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 10200:10209 -j DNAT --to-destination 192.168.1.100
#iptables -A FORWARD -d $LOCAL_IP -o $IN_ETH -p tcp --dport 10200:10209 -j ACCEPT


#iptables -t nat -A PREROUTING -i $EX_ETH -p udp --dport 10200:10259 -j DNAT --to-destination 192.168.1.100
#iptables -A FORWARD -d $LOCAL_IP -i $IN_ETH -p udp --dport 10200:10259 -j ACCEPT


#iptables -I PREROUTING -t nat -p tcp --dport 1720 -j REDIRECT
#iptables -I INPUT -p tcp --dport 1720 -j LOG --log-prefix "hello"
iptables -I INPUT -p tcp --dport 1720 -j ACCEPT
iptables -I INPUT -p tcp --dport 10200:10209 -j ACCEPT
iptables -I INPUT -p udp --dport 10200:10259 -j ACCEPT


iptables -I OUTPUT -p tcp -j ACCEPT
iptables -I OUTPUT -p udp -j ACCEPT

# accepts every TCP packet that is not a bare SYN (i.e. not a new connection attempt)
iptables -I INPUT -p tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT


#iptables -I PREROUTING -t nat -p tcp --dport 10200:10209 -d $EXTERNAL_NET -j DNAT --to-destination $LOCAL_IP
#iptables -I PREROUTING -t nat -p udp --dport 10200:10259 -d $EXTERNAL_NET -j DNAT --to-destination $LOCAL_IP
#iptables -I PREROUTING -t nat -p tcp --dport 5060 ! -s $EXTERNAL_NET -j DNAT --to-destination 192.168.1.200

#iptables -t nat -I PREROUTING -p tcp --dport 5060 -i $IN_ETH -j DNAT --to-dest 192.168.1.200:5060
#iptables -t nat -A PREROUTING -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 7101 -j ACCEPT


#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 7102 -j DNAT --to-dest 192.168.1.200:7102
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 7102 -j ACCEPT
#iptables -A FORWARD -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -p tcp -d 64.4.13.0/24 -j DROP

# Turn on IP forwarding
#echo 1 > /proc/sys/net/ipv4/ip_forward

#iptables -A FORWARD -i eth0 -o eth0 -j LOG --log-prefix "external try"
#iptables -A FORWARD -i eth0 -o eth0 -j REJECT
#iptables -A OUTPUT -j LOG -o eth0
#iptables -A INPUT -j LOG
#iptables -A FORWARD -j LOG --log-prefix "forward only"
 
Old 06-05-2007, 05:50 AM   #15
suvashan
LQ Newbie
 
Registered: Apr 2007
Posts: 16

Original Poster
Rep: Reputation: 0
Hi, please see my iptables script...!