Linux - Security
This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
05-17-2007, 01:49 AM | #1 | suvashan (LQ Newbie, Registered: Apr 2007, Posts: 16)
iptables are not run automatically
Hi friends,
I need some help.
I made a Linux server for a proxy (Squid) and firewall (iptables). Now my problem is that when I boot my server my firewall script is not started automatically. I want the firewall script to run when the system boots. I have already done some steps for that, like copying my script to "/etc/sysconfig/iptables".
These are all the steps I did:
"cp /root/primary_firewall /etc/sysconfig/iptables"
"vi /etc/rc.local"
add the following line:
/sbin/insmod ip_conntrack_ftp
Save and exit the file.
But still my iptables are not started when the system boots, so every time I have to log in and run iptables like
./iptables
So I want to put this job in cron.
So please help me.
05-17-2007, 02:00 AM | #2 | Simon_bridge (LQ Guru, Registered: Oct 2003, Location: Waiheke NZ, Distribution: Ubuntu, Posts: 9,211)
Add the command to run your iptables script to /etc/rc.local.
Though, if this is Fedora, there is a special method.
Note: I hope you are not logging in as root routinely...
05-17-2007, 02:31 AM | #3 | suvashan (LQ Newbie, Registered: Apr 2007, Posts: 16, Original Poster)
Hello... where can I add this?
My iptables path is "/".
"cp /etc/rc.local /etc/sysconfig/iptables"
"vi /etc/rc.local"
add the following line:
/sbin/insmod ip_conntrack_ftp
Save and exit the file.
So now where do I have to put this "/etc/rc.local"?
In /etc/rc.local
or
/root/primary_firewall
Please reply...
Last edited by suvashan; 05-17-2007 at 02:51 AM .
05-17-2007, 03:49 AM | #5 | Simon_bridge (LQ Guru, Registered: Oct 2003, Location: Waiheke NZ, Distribution: Ubuntu, Posts: 9,211)
The command you ran to start your firewall manually was:
./iptables
The ./ tells the shell to look in the current working directory. In the example you gave, the working directory was /root, so I'm guessing that the iptables script is /root/iptables... so the relevant line in /etc/rc.local would be /root/iptables.
05-17-2007, 03:57 AM | #6 | suvashan (LQ Newbie, Registered: Apr 2007, Posts: 16, Original Poster)
Hi,
my iptables path is "/" (root).
In this case when I add "/etc/rc.local" this line I get an error:
"insmod:ipconntrack_ftp:no module by that name found"
so I re-open my iptables and comment the line... "/etc/rc.local"
selvam
Last edited by suvashan; 05-17-2007 at 05:30 AM .
05-17-2007, 05:43 AM | #7 | Simon_bridge (LQ Guru, Registered: Oct 2003, Location: Waiheke NZ, Distribution: Ubuntu, Posts: 9,211)
"insmod:ipconntrack_ftp:no module by that name found"
... remove the insmod line from /etc/rc.local
05-17-2007, 06:00 AM | #8 | Simon_bridge (LQ Guru, Registered: Oct 2003, Location: Waiheke NZ, Distribution: Ubuntu, Posts: 9,211)
Please clarify your statements.
Quote:
my iptables path is "/"(root)
Excuse me? How can this be? Surely the iptables program is /sbin/iptables???
Could it be that you have your firewall script in the root directory? Why would you put this in such an odd place?
Quote:
in this case when i add "/etc/rc.local"
this line i get an error..
Excuse me? This sentence is incomplete... when you add "/etc/rc.local" to what? ... to this line? What line?
Quote:
so i re open my iptables and comment the line..."/etc/rc.local"
How are you opening your iptables, and why would you have any mention of /etc/rc.local in there?
What you do is
vi /etc/rc.local
find the line that says:
/sbin/insmod ip_conntrack_ftp
delete that line, then add a new line in its place that gives the full path to the command you used to start your firewall. I.e. if you start your firewall with the following commands:
cd /root
./firewall.sh
... then the new line will say:
/root/firewall.sh
05-17-2007, 06:02 AM | #9 | suvashan (LQ Newbie, Registered: Apr 2007, Posts: 16, Original Poster)
I get this error!
I just removed the "insmod line from /etc/rc.local"
and went to my iptables:
# cd /
# vi iptables
Here I just added "/etc/rc.local",
then saved this file (wq)
and ran the script ./iptables.
Now I get an error:
"/etc/rc.local: line 7: bin/touch: too many open files in system.
/etc/rc.local: /bin/sh: bad interpreter: too many open files in system.
Flushing all chains: [ok]
Removing user defined chains: [ok]
Resetting built-in chains to the default ACCEPT policy: [ok]"
I just restarted the system, but still my iptables do not start automatically...
I just go to the terminal and run it manually: ./iptables.
Last edited by suvashan; 05-17-2007 at 06:08 AM .
06-05-2007, 02:51 AM | #10 | suvashan (LQ Newbie, Registered: Apr 2007, Posts: 16, Original Poster)
I will just explain your quotes!
Quote 1:
my iptables path is "/"(root)
Actually my iptables script path is "/".
Quote 2:
in this case when i add "/etc/rc.local"
this line i get an error..
I mean I just added the line in my iptables script,
like this:
[root@earth root]
[root@earth root] cd / (press enter)
[root@earth /] vi iptables (press enter)
In this script I added this line:
"/etc/rc.local"
and just saved (wq)
and ran the script
[root@earth /] ./iptables
Now also I am getting the same problem... this iptables does not start automatically.
06-05-2007, 03:44 AM | #11 | James Dewar (Member, Registered: Mar 2006, Distribution: RedHat, Slackware, Experimenting with FreeBSD, Posts: 222)
Quote:
Originally Posted by suvashan
Quote 1:
my iptables path is "/"(root)
Actually my iptables script path is :/"
Quote 2:
inn these script i was added these line...
"/etc/rc.local"
and just save (wq)
now also i am getting the same problem...these iptables not start automatically.
Okay, I think you misunderstood Simon_bridge's instructions.
1) Remove the line /etc/rc.local from your iptables script.
2) vi /etc/rc.local and add the line /etc/sysconfig/iptables, then save it and restart.
If that doesn't work, try the following:
1) Remove the line /etc/rc.local from your iptables script.
2) Run the iptables script how you normally run it: ./iptables
3) Type: service iptables save
4) Type: chkconfig iptables on
5) Reboot.
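The advice in post #8 (give rc.local the full path, because "./iptables" only means something in the directory it was typed in) and the rc.local method in post #11 share one mechanism: whatever /etc/rc.local names is executed by init as root, with working directory "/", before anyone logs in. That makes two things matter beyond "is the path right": the script must not be writable by anyone but root, or whoever can edit it gets a root shell at the next boot, and the script must not call rc.local back, since rc.local running the script running rc.local recurses until the kernel runs out of file descriptors, which matches the "too many open files in system" errors quoted in post #9. The shell script below is an added example, not code from the thread; it turns those checks into functions and adds the rc.local entry idempotently. The script location /usr/local/sbin/firewall.sh and the ROOT prefix (used so the functions can be exercised on a scratch tree) are assumptions of the example.

```shell
#!/bin/sh
# Added example, not from the thread: put a firewall script under rc.local
# control and check the conditions that make "it does not start at boot"
# happen silently. ROOT is a prefix so the functions can be exercised on a
# scratch tree instead of the live system (assumption for this example;
# leave it empty on a real box).
ROOT=${ROOT:-}

# Turn the command as typed at a prompt ("./iptables" while sitting in /root)
# into the absolute path rc.local needs. rc.local is run by init with working
# directory "/", so "./iptables" or a bare "iptables" resolves to something
# else there (or to /sbin/iptables itself, which does nothing useful alone).
abs_cmd() {
    cmd=$1; cwd=$2
    case $cmd in
        /*)  printf '%s\n' "$cmd" ;;
        ./*) printf '%s/%s\n' "${cwd%/}" "${cmd#./}" ;;
        *)   printf '%s/%s\n' "${cwd%/}" "$cmd" ;;
    esac
}

# Checks on a script that rc.local will execute as root before any login:
# absolute, present, executable, has an interpreter line, not writable by
# group or others (whoever can edit it owns the box at the next boot), and
# does not name rc.local (rc.local -> script -> rc.local recurses until the
# kernel reports "too many open files in system"). Prints the first failure.
check_boot_script() {
    f=$1
    case $f in /*) ;; *) echo "not absolute: $f"; return 1 ;; esac
    [ -f "$ROOT$f" ] || { echo "missing: $f"; return 1; }
    [ -x "$ROOT$f" ] || { echo "not executable: $f (chmod 700 $f)"; return 1; }
    head -n 1 "$ROOT$f" | grep -q '^#!' || { echo "no #! line: $f"; return 1; }
    if [ -n "$(find "$ROOT$f" \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "group/world writable: $f (chmod go-w $f)"; return 1
    fi
    if grep -q 'rc\.local' "$ROOT$f"; then
        echo "script calls rc.local (infinite recursion): $f"; return 1
    fi
    echo "ok: $f"
}

# Append the script to rc.local exactly once and make rc.local executable
# (a non-executable rc.local is skipped at boot without any error). Prints
# how many times the script is listed, which stays 1 however often it runs.
install_rc_hook() {
    script=$1; rc=$ROOT/etc/rc.local
    check_boot_script "$script" >/dev/null || return 1
    mkdir -p "${rc%/*}"
    [ -f "$rc" ] || printf '#!/bin/sh\n' > "$rc"
    grep -qxF "$script" "$rc" || printf '%s\n' "$script" >> "$rc"
    chmod 755 "$rc"
    grep -cxF "$script" "$rc"
}

# Stand-alone demo on a scratch tree constructed here; nothing on the real
# system is touched.
demo() {
    ROOT=$(mktemp -d)
    mkdir -p "$ROOT/usr/local/sbin"
    printf '#!/bin/sh\n# iptables rules go here\n' > "$ROOT/usr/local/sbin/firewall.sh"
    chmod 700 "$ROOT/usr/local/sbin/firewall.sh"
    abs_cmd ./iptables /root                         # /root/iptables
    check_boot_script /root/iptables || :            # missing: /root/iptables
    install_rc_hook /usr/local/sbin/firewall.sh      # 1
    install_rc_hook /usr/local/sbin/firewall.sh      # 1 (still listed once)
    cat "$ROOT/etc/rc.local"
    rm -rf "$ROOT"
}
demo
```

On a real box run it as root with ROOT left empty, keep the firewall script mode 0700 and owned by root, and after the reboot confirm the rules actually loaded with `iptables -L -n -v` rather than trusting that the boot messages scrolled past.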
06-05-2007, 04:46 AM | #12 | suvashan (LQ Newbie, Registered: Apr 2007, Posts: 16, Original Poster)
Hi James Dewar,
I tried, but again it does not work automatically...
Manually I am starting it (./iptables).
Thanks for your advice. I need help... else can I put the job in cron?
I need some advice.
selvam
06-05-2007, 05:00 AM | #13 | James Dewar (Member, Registered: Mar 2006, Distribution: RedHat, Slackware, Experimenting with FreeBSD, Posts: 222)
Please post your iptables script. You don't want to use cron for this!
06-05-2007, 05:50 AM | #14 | suvashan (LQ Newbie, Registered: Apr 2007, Posts: 16, Original Poster)
#!/bin/bash
# /usr/local/sbin/setiptables.bash
# Acceptable ports
APORTS=" 23 1720 80 389 522 1503 1720 1731 1433 8383 110 3128 5060 1503 3129 4311 1433 554 1755"
# Reject ports Kazaa(1214), Gnnutella (6346 6347)
RPORTS=" 1214 443 445 135 25 6346 6347 81"
EX_ETH=eth0 # External Interface
IN_ETH=eth1 # Local Interface
LOCAL_IP=192.168.1.100 # Local Host IP
LOCAL_NET=192.168.1.0/192.168.1.120 # Local Network
#EXTERNAL_NET=202.144.158.192/28 # External Network
EXTERNAL_NET=61.247.252.125 # External Networki
EXTERNAL_IP=61.247.252.125
PROXY_IP=192.168.1.100 # Proxy Server IP (Transparent Proxy)
PROXY_PORT=3128 # Proxy Server Port No
# Clear all iptables
#/etc/init.d/iptables stop
#comment on 03/04/2006
/etc/init.d/iptables stop
#created on 03/04/2006
iptables --flush
iptables --delete-chain
#iptables -P INPUT DROP
#iptables -P OUTPUT ACCEPT
#iptables -P FORWARD ACCEPT
#iptables -A INPUT --dport 25 -j DROP
# Masquerade
#iptables -t nat -A PREROUTING -p tcp -i $EX_ETH -d $EXTERNAL_NET --dport 5060 -j DNAT --to 192.168.1.200:80
#iptables -A FORWARD -p tcp -i $EX_ETH -d 192.168.1.200 --dport 80 -j ACCEPT
#iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 3389
iptables -t nat -A POSTROUTING -s 192.168.1.100 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 5900
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 21
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.68 -o $EX_ETH -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.1.68 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
#iptables -t nat -A POSTROUTING -s 192.168.1.68 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
#iptables -t nat -A POSTROUTING -s 192.168.1.55 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.55 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.55 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE -p tcp --dport 21
iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 21
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 1434
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 3389
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.3 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.3 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
#iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 3389
iptables -t nat -A POSTROUTING -s 192.168.1.1 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.1 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 1434
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 3389
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 5900
iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
#iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
#iptables -t nat -A POSTROUTING -s 192.168.1.12 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.12 -o $EX_ETH -j MASQUERADE -p tcp --dport 21
iptables -t nat -A POSTROUTING -s 192.168.1.12 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.12 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.37 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.37 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.37 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
iptables -t nat -A POSTROUTING -s 192.168.1.37 -o $EX_ETH -j MASQUERADE -p tcp --dport 5900
iptables -t nat -A POSTROUTING -s 192.168.1.10 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.10 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
#iptables -t nat -A POSTROUTING -s 192.168.1.2 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.24 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.2 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.14 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.14 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.57 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.57 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.57 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
# Transparent Proxy
#iptables -t nat -A PREROUTING -i $IN_ETH \
# -p tcp --dport 80 -j REDIRECT --to-port $PROXY_PORT
# Transparent Proxy (to a Remote Box)
# iptables -t nat -A PREROUTING -i $IN_ETH -s ! $LOCAL_IP -p tcp \
# --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
# iptables -t nat -A POSTROUTING -o eth0 -s $LOCAL_NET -d $PROXY_IP \
# -j SNAT --to $LOCAL_IP
# iptables -A FORWARD -s $LOCAL_NET -d $PROXY_IP -i $IN_ETH -o $EX_ETH
# -p tcp --dport $PROXY_PORT -j ACCEPT
#packets for established connections
iptables -A INPUT -p tcp -d 61.247.252.125 -m state --state \
NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -p tcp -d 61.247.252.125 -i eth0 -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES ACCEPT]'
# Accept
for AP in $APORTS
do
#iptables -A INPUT -i $EX_ETH -p tcp --dport $AP -s $LOCAL_NET -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES ACCEPT]'
#iptables -A INPUT -i $EX_ETH -p udp --dport $AP -s $LOCAL_NET -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES ACCEPT]'
iptables -A INPUT -i $EX_ETH -p tcp --dport $AP -s $LOCAL_NET -j ACCEPT
iptables -A INPUT -i $EX_ETH -p udp --dport $AP -s $LOCAL_NET -j ACCEPT
# iptables -A INPUT -j ACCEPT -p all -s 192.168.1.0/192.168.1.120 -i eth1
# iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/192.168.1.120 -o eth1
done
#iptables -A OUTPUT -p ALL -s 192.168.1.100 -j ACCEPT
#iptables -A OUTPUT -p ALL -s 192.168.1.1 -j ACCEPT
#iptables -A INPUT -i eth1 -s 0/0 -d 192.168.1.42 -j REJECT
#for AP in $APORTS
#do
iptables -A INPUT -d 61.247.252.125 -i $EX_ETH -p tcp --dport $AP -j ACCEPT
iptables -A INPUT -d 61.247.252.125 -i $EX_ETH -p udp --dport $AP -j ACCEPT
#done
# Reject
#for RP in $RPORTS
#do
# iptables -A INPUT -p tcp --dport $RP -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP]'
# iptables -A INPUT -p tcp --dport $RP -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP]'
# iptables -A INPUT -p tcp --dport $RP -j REJECT
# iptables -A INPUT -p udp --dport $RP -j REJECT
# iptables -A INPUT -i eth1 -p tcp --dport $RP -j REJECT
# iptables -A INPUT -i eth1 -p udp --dport $RP -j REJECT
#done
#iptables -A INPUT -i $IN_ETH -p tcp --dport 5060 -j ACCEPT
#iptables -A INPUT -i $IN_ETH -p udp -m udp --dport 7070:7080 -j ACCEPT
#iptables -A FORWARD -o eth1 -p tcp --dport 5000:5050 -j DROP
# Any other packets must be dropped.
#iptables -A INPUT -i $EX_ETH -m state --state NEW,INVALID -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP]'
#iptables -A INPUT -i $EX_ETH -m state --state NEW,INVALID -j DROP
# FORWARD Chain
#:iptables -A FORWARD -i $EX_ETH -m state --state NEW,INVALID -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP]'
#iptables -A FORWARD -i $EX_ETH -m state --state NEW,INVALID -j DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables -A INPUT -i $EX_ETH -p tcp --dport 80 -j LOG
#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 80 -j DNAT --to-dest 192.168.1.200:80
#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 8081 -j DNAT --to-dest 192.168.1.200:8081
#iptables -t nat -A PREROUTING -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 80 -j LOG
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 554 -j ACCEPT
#iptables -A INPUT -i $EX_ETH -p tcp --dport 1433 -j LOG
#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 1433 -j DNAT --to-dest 192.168.1.200:1433
#iptables -t nat -A PREROUTING -j ACCEPT
#iptables -t nat -A PREROUTING -s any/0 -d 61.247.252.125 -p tcp --dport 554 -j DNAT --to-dest 192.168.1.200:554
#iptables -A FORWARD -i $EX_ETH -j ACCEPT
#iptables -A FORWARD -i $IN_ETH -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp -d 192.168.1.200 --dport 554 -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp -d 192.168.1.200 --dport 7070 -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p udp -d 192.168.1.200 --dport 554 -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p udp -d 192.168.1.200 --dport 7070 -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p udp -d 192.168.1.200 --dport 6970:6999 -j ACCEPT
#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p tcp --dport 554 -j DNAT --to-destination 192.168.1.200:554
#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p tcp --dport 7070 -j DNAT --to-destination 192.168.1.200:7070
#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p udp --dport 554 -j DNAT --to-destination 192.168.1.200:554
#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p udp --dport 7070 -j DNAT --to-destination 192.168.1.200:7070
#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p udp --dport 6970:6999 -j DNAT --to-destination 192.168.1.200:6970-6999
#echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables -t nat -A PREROUTING -i $IN_ETH -p tcp --dport 5060 -j DNAT --to-dest 192.168.1.200:5060
#iptables -t nat -A PREROUTING -j ACCEPT
#iptables -A FORWARD -i $IN_ETH -p tcp -s 192.168.1.200 \
#-o $IN_ETH --dport 5060 -m state --state NEW -j ACCEPT
#iptables -A FORWARD -t filter -o $IN_ETH -m state \
# --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -t filter -i $IN_ETH -m state \
# --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -p tcp --dport 5060 -j LOG --log-prefix "test"
#iptables -A FORWARD -s 192.168.1.200 -i $IN_ETH -o $IN_ETH -p tcp -j ACCEPT
#iptables -t nat -A FORWARD -i $IN_ETH -o $IN_ETH -p tcp --dport 5060 -m state --state ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp -i $EX_ETH --dport 1720 -j LOG --log-prefix "mytest"
iptables -A PREROUTING -t nat -p tcp -d $EXTERNAL_IP --dport 1720 -j DNAT --to-dest 192.168.1.200:1720
iptables -t nat -A PREROUTING -j ACCEPT
iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 1720 -j ACCEPT
#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 10200:10209 -j DNAT --to-destination 192.168.1.100
#iptables -A FORWARD -d $LOCAL_IP -o $IN_ETH -p tcp --dport 10200:10209 -j ACCEPT
#iptables -t nat -A PREROUTING -i $EX_ETH -p udp --dport 10200:10259 -j DNAT --to-destination 192.168.1.100
#iptables -A FORWARD -d $LOCAL_IP -i $IN_ETH -p udp --dport 10200:10259 -j ACCEPT
#iptables -I PREROUTING -t nat -p tcp --dport 1720 -j REDIRECT
#iptables -I INPUT -p tcp --dport 1720 -j LOG --log-prefix "hello"
iptables -I INPUT -p tcp --dport 1720 -j ACCEPT
iptables -I INPUT -p tcp --dport 10200:10209 -j ACCEPT
iptables -I INPUT -p udp --dport 10200:10259 -j ACCEPT
iptables -I OUTPUT -p tcp -j ACCEPT
iptables -I OUTPUT -p udp -j ACCEPT
iptables -I INPUT -p tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
#iptables -I PREROUTING -t nat -p tcp --dport 10200:10209 -d $EXTERNAL_NET -j DNAT --to-destination $LOCAL_IP
#iptables -I PREROUTING -t nat -p udp --dport 10200:10259 -d $EXTERNAL_NET -j DNAT --to-destination $LOCAL_IP
#iptables -I PREROUTING -t nat -p tcp --dport 5060 ! -s $EXTERNAL_NET -j DNAT --to-destination 192.168.1.200
#iptables -t nat -I PREROUTING -p tcp --dport 5060 -i $IN_ETH -j DNAT --to-dest 192.168.1.200:5060
#iptables -t nat -A PREROUTING -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 7101 -j ACCEPT
#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 7102 -j DNAT --to-dest 192.168.1.200:7102
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 7102 -j ACCEPT
#iptables -A FORWARD -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -p tcp -d 64.4.13.0/24 -j DROP
# Turn on IP forwarding
#echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables -A FORWARD -i eth0 -o eth0 -j LOG --log-prefix "external try"
#iptables -A FORWARD -i eth0 -o eth0 -j REJECT
#iptables -A OUTPUT -j LOG -o eth0
#iptables -A INPUT -j LOG
#iptables -A FORWARD -j LOG --log-prefix "forward only"
06-05-2007, 05:50 AM | #15 | suvashan (LQ Newbie, Registered: Apr 2007, Posts: 16, Original Poster)
Hi, please see my iptables script!