LinuxQuestions.org
Old 02-06-2007, 11:40 PM   #1
Niceman2005
Member
 
Registered: Nov 2004
Distribution: Fedora Core 2
Posts: 330

Rep: Reputation: 30
Iptables firewall script stops working occasionally


Dear friends,

I have a few proxy servers with an iptables firewall script on them, and for some reason I face the following problems frequently:

1) The iptables script has been loaded and worked initially, but somehow stops working after some time.
2) I modprobe ip_conntrack_ip to enable ftp, but after some time ftp stops working again.
3) https connections also stopped working some time after the firewall script was loaded (maybe 1 or 2 days).

For all the above problems, all I need to do is service iptables stop and then run the firewall script again. As for 2), I just need to service iptables stop, modprobe ip_conntrack_ip, then run the firewall script. Same goes for 3): just stop iptables and run the script again. Everything will work as normal again after I do that, but it's not very efficient if I have to do those things all the time, because users cannot tolerate having timeouts.

I don't see anything suspicious in /var/log/messages; because of that I don't really know what causes the problem, since when I loaded the firewall script there was no error at all. Restarting iptables solves the problem, but why....

Thanks for taking time reading my thread,

Regards
Y
 
Old 02-07-2007, 12:58 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Did the change occur after a reboot? If not, do you know roughly what time the script reset (does it seem to occur the same time of day)? Are the machines on this network using static IP addresses or are they dynamically assigned (e.g. DHCP)?
 
Old 02-07-2007, 01:10 AM   #3
Niceman2005
Member
 
Registered: Nov 2004
Distribution: Fedora Core 2
Posts: 330

Original Poster
Rep: Reputation: 30
Hi Capt_caveman,

Thanks for the reply. It doesn't necessarily happen after a reboot. But maybe you have pointed out something there: all the servers that have this problem use dynamic IPs in the firewall script....but what could be the problem if using dynamic IPs?
Thanks a lot for your help.
 
Old 02-07-2007, 09:09 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Nothing specific right now, but I've seen a number of people with similar issues that went unresolved, and it has always seemed like that may be the cause. Could be that you're blocking portions of DHCP traffic and DHCP leases are failing to renew, but I don't think restarting iptables would solve that. I'll have to tinker on my test LAN to see if I can recreate it.

First, could you check several things. To ensure that this isn't an issue of the conntrack table filling up, could you post the contents of /proc/sys/net/ipv4/ip_conntrack_max and the output of:
Code:
wc -l /proc/net/ip_conntrack
Also post the output of:
Code:
iptables -vL
iptables -t nat -vL
Also, there was a bug in older versions of iptables that could possibly cause this. What version of iptables are you running (do: rpm -q iptables)?
 
Old 02-12-2007, 01:21 AM   #5
Niceman2005
Member
 
Registered: Nov 2004
Distribution: Fedora Core 2
Posts: 330

Original Poster
Rep: Reputation: 30
Hi Captain Caveman,

Thanks a lot for your reply. I am waiting for the server to get stuck again, and then I can copy down the ip_conntrack logs.
Hmmm...the conntrack table getting occupied will affect the running iptables? I suppose that could be a possibility too....what are the ways to prevent it piling up? I just changed the IP table a bit, without ping, because I read that ping failure can result in the conntrack table piling up...

I will report the outcome of the ip_conntrack table when the server gets stuck again.
Thanks, Captain!

Regards
Y
 
Old 02-12-2007, 07:01 AM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
The conntrack table has a maximum number of connections that it can maintain. This maximum is defined in /proc/sys/net/ipv4/ip_conntrack_max. Once the max is reached the system will start dropping packets, though you should get log messages. Restarting iptables flushes the conntrack table, so that can cure the symptoms of a full conntrack table problem. Again, I don't know until you can post the output of those commands.
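As an added example (not from the thread or either poster), here is how the checks asked for in post #4 and explained in post #6 can be scripted: compare the tracked-connection count with ip_conntrack_max, count half-open [UNREPLIED] entries, and look for the kernel's "table full" message in the system log. The sample conntrack and log lines are constructed for this example; the default paths are the 2.6-era files named in the thread.

```sh
#!/bin/sh
# Added example, not from the thread. Newer kernels use /proc/net/nf_conntrack
# and /proc/sys/net/netfilter/nf_conntrack_max; pass other paths as arguments.

# usage_percent COUNT MAX -> integer percentage of the table in use
usage_percent() {
    [ "$2" -gt 0 ] || { echo 0; return; }
    echo $(( $1 * 100 / $2 ))
}

# conntrack_status [TABLE_FILE] [MAX_FILE] [WARN_PCT] -> "OK <pct>" or "WARN <pct>"
conntrack_status() {
    table=${1:-/proc/net/ip_conntrack}
    maxfile=${2:-/proc/sys/net/ipv4/ip_conntrack_max}
    warn=${3:-80}
    count=$(wc -l < "$table" | tr -d ' ')
    max=$(tr -d ' \n' < "$maxfile")
    pct=$(usage_percent "$count" "$max")
    if [ "$pct" -ge "$warn" ]; then echo "WARN $pct"; else echo "OK $pct"; fi
}

# count_unreplied [TABLE_FILE] -> entries whose reply never came back through
# the box (like the outbound DNS lookups in the thread's dump); a steadily
# growing number is an early sign the table is filling with dead flows
count_unreplied() {
    grep -c '\[UNREPLIED\]' "${1:-/proc/net/ip_conntrack}" || true
}

# count_table_full LOGFILE -> kernel "table full" drops found in the log
count_table_full() {
    grep -c 'ip_conntrack: table full, dropping packet' "$1" || true
}

# --- Constructed sample data (made up for this example) ---------------------
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/ip_conntrack" <<'EOF'
tcp 6 431588 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32771 dport=32770 src=127.0.0.1 dst=127.0.0.1 sport=32770 dport=32771 [ASSURED] use=1
udp 17 15 src=192.168.3.146 dst=192.0.2.53 sport=2518 dport=53 [UNREPLIED] src=192.0.2.53 dst=203.0.113.10 sport=53 dport=2518 use=1
tcp 6 431999 ESTABLISHED src=192.168.3.1 dst=192.168.3.253 sport=1063 dport=22 src=192.168.3.253 dst=192.168.3.1 sport=22 dport=1063 [ASSURED] use=1
udp 17 26 src=192.168.3.146 dst=192.0.2.53 sport=2629 dport=53 [UNREPLIED] src=192.0.2.53 dst=203.0.113.10 sport=53 dport=2629 use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32791 dport=32790 src=127.0.0.1 dst=127.0.0.1 sport=32790 dport=32791 [ASSURED] use=1
EOF
echo 8 > "$SAMPLE_DIR/ip_conntrack_max"   # deliberately tiny so the warning fires
cat > "$SAMPLE_DIR/messages" <<'EOF'
Feb 15 21:40:01 proxy kernel: ip_conntrack: table full, dropping packet.
Feb 15 21:40:02 proxy sshd[1234]: Accepted publickey for admin from 192.168.3.1
Feb 15 21:40:03 proxy kernel: ip_conntrack: table full, dropping packet.
EOF

conntrack_status "$SAMPLE_DIR/ip_conntrack" "$SAMPLE_DIR/ip_conntrack_max" 50  # WARN 62
echo "unreplied entries: $(count_unreplied "$SAMPLE_DIR/ip_conntrack")"         # 2
echo "table-full drops logged: $(count_table_full "$SAMPLE_DIR/messages")"      # 2
```

Run without arguments on the firewall itself to read the live /proc files; a WARN result together with "table full" lines in /var/log/messages is the full-table case Capt_Caveman describes.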
 
Old 02-15-2007, 09:53 PM   #7
Niceman2005
Member
 
Registered: Nov 2004
Distribution: Fedora Core 2
Posts: 330

Original Poster
Rep: Reputation: 30
Dear Capt_Caveman,

Here are the outputs.
For wc -l /proc/net/ip_conntrack:
Code:
tcp 6 431588 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32771 dport=32770 src=127.0.0.1 dst=127.0.0.1 sport=32770 dport=32771 [ASSURED] use=1
tcp 6 430804 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32791 dport=32790 src=127.0.0.1 dst=127.0.0.1 sport=32790 dport=32791 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32813 dport=32812 src=127.0.0.1 dst=127.0.0.1 sport=32812 dport=32813 [ASSURED] use=1
udp 17 15 src=60.53.38.106 dst=202.188.0.133 sport=32771 dport=53 [UNREPLIED] src=202.188.0.133 dst=60.53.32.118 sport=53 dport=32771 use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32795 dport=32794 src=127.0.0.1 dst=127.0.0.1 sport=32794 dport=32795 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32779 dport=32778 src=127.0.0.1 dst=127.0.0.1 sport=32778 dport=32779 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32789 dport=32788 src=127.0.0.1 dst=127.0.0.1 sport=32788 dport=32789 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32809 dport=32808 src=127.0.0.1 dst=127.0.0.1 sport=32808 dport=32809 [ASSURED] use=1
tcp 6 431999 ESTABLISHED src=192.168.3.1 dst=192.168.3.253 sport=1063 dport=22 src=192.168.3.253 dst=192.168.3.1 sport=22 dport=1063 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32805 dport=32804 src=127.0.0.1 dst=127.0.0.1 sport=32804 dport=32805 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32783 dport=32782 src=127.0.0.1 dst=127.0.0.1 sport=32782 dport=32783 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32781 dport=32780 src=127.0.0.1 dst=127.0.0.1 sport=32780 dport=32781 [ASSURED] use=1
udp 17 26 src=60.53.38.106 dst=202.188.1.5 sport=32771 dport=53 [UNREPLIED] src=202.188.1.5 dst=60.53.32.118 sport=53 dport=32771 use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32815 dport=32814 src=127.0.0.1 dst=127.0.0.1 sport=32814 dport=32815 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32773 dport=32772 src=127.0.0.1 dst=127.0.0.1 sport=32772 dport=32773 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32807 dport=32806 src=127.0.0.1 dst=127.0.0.1 sport=32806 dport=32807 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32799 dport=32798 src=127.0.0.1 dst=127.0.0.1 sport=32798 dport=32799 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32775 dport=32774 src=127.0.0.1 dst=127.0.0.1 sport=32774 dport=32775 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32817 dport=32816 src=127.0.0.1 dst=127.0.0.1 sport=32816 dport=32817 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32803 dport=32802 src=127.0.0.1 dst=127.0.0.1 sport=32802 dport=32803 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32793 dport=32792 src=127.0.0.1 dst=127.0.0.1 sport=32792 dport=32793 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32801 dport=32800 src=127.0.0.1 dst=127.0.0.1 sport=32800 dport=32801 [ASSURED] use=1
udp 17 10 src=192.168.3.146 dst=207.217.126.41 sport=2518 dport=53 [UNREPLIED] src=207.217.126.41 dst=60.53.32.118 sport=53 dport=2518 use=1
udp 17 16 src=192.168.3.146 dst=207.217.126.41 sport=2629 dport=53 [UNREPLIED] src=207.217.126.41 dst=60.53.32.118 sport=53 dport=2629 use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32787 dport=32786 src=127.0.0.1 dst=127.0.0.1 sport=32786 dport=32787 [ASSURED] use=1
udp 17 21 src=192.168.3.146 dst=207.217.126.41 sport=2666 dport=53 [UNREPLIED] src=207.217.126.41 dst=60.53.32.118 sport=53 dport=2666 use=1
tcp 6 430804 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32811 dport=32810 src=127.0.0.1 dst=127.0.0.1 sport=32810 dport=32811 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32797 dport=32796 src=127.0.0.1 dst=127.0.0.1 sport=32796 dport=32797 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32785 dport=32784 src=127.0.0.1 dst=127.0.0.1 sport=32784 dport=32785 [ASSURED] use=1
tcp 6 429875 ESTABLISHED src=127.0.0.1 dst=127.0.0.1 sport=32819 dport=32818 src=127.0.0.1 dst=127.0.0.1 sport=32818 dport=32819 [ASSURED] use=1
 
Old 02-15-2007, 11:43 PM   #8
Niceman2005
Member
 
Registered: Nov 2004
Distribution: Fedora Core 2
Posts: 330

Original Poster
Rep: Reputation: 30
Dear Capt_Caveman,

Here's the output for iptables -vL:
Code:
# iptables -vL

Chain INPUT (policy DROP 1 packets, 40 bytes)
pkts bytes target prot opt in out source destination
67587 34M SHUN all -- any any anywhere anywhere
8412 864K ACCEPT all -- lo any anywhere anywhere
59175 34M IN_FIREWALL all -- any any anywhere anywhere
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level error prefix `IPT INPUT: '
0 0 DROP all -- any any anywhere anywhere

Chain FORWARD (policy DROP 5 packets, 390 bytes)
pkts bytes target prot opt in out source destination
209K 29M SHUN all -- any any anywhere anywhere
10350 14M IN_NETWORK all -- ppp0 any anywhere anywhere
198K 15M OUT_NETWORK all -- eth1 any anywhere anywhere
29 1342 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level error prefix `IPT FORWARD: '
0 0 ACCEPT all -- any any 192.168.3.35 anywhere
77 3630 DROP all -- any any anywhere anywhere

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
74154 35M SHUN all -- any any anywhere anywhere
8412 864K ACCEPT all -- any lo anywhere anywhere
65742 34M OUT_FIREWALL all -- any any anywhere anywhere
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level error prefix `IPT OUTPUT: '
0 0 DROP all -- any any anywhere anywhere

Chain BADFLAGS (11 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level error prefix `IPT BADFLAGS: '
0 0 DROP all -- any any anywhere anywhere

Chain BAD_IP (4 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level error prefix `IPT BAD_IP: '
0 0 DROP all -- any any anywhere anywhere

Chain IN_FIREWALL (1 references)
pkts bytes target prot opt in out source destination
10 605 IN_ICMP icmp -- any any anywhere anywhere
55667 33M TCP_FLAGS tcp -- any any anywhere anywhere
1246 59916 SYN_FLOOD tcp -- any any anywhere anywhere tcp flags:SYN,RST,ACK/SYN
0 0 ACCEPT udp -- any any anywhere 60.53.38.106 udp dpt:5060
421 60942 ACCEPT udp -- any any anywhere 60.53.38.106 udp dpts:10001:65535
58742 33M IN_IP_CHECK all -- any any anywhere anywhere
54151 33M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
3 180 ACCEPT tcp -- any any 192.168.3.0/24 anywhere tcp dpt:ssh state NEW
1 60 ACCEPT tcp -- any any 211.188.18.19 anywhere tcp dpt:ssh state NEW
0 0 ACCEPT tcp -- any any tm.net.my anywhere tcp dpt:ssh state NEW
0 0 ACCEPT tcp -- any any anywhere 60.53.38.106 tcp dpt:ftp
0 0 ACCEPT tcp -- any any 60.53.38.106 anywhere tcp spt:ftp-data
1169 56056 ACCEPT tcp -- any any anywhere sttu.shin tcp dpt:squid
5 300 ACCEPT tcp -- any any anywhere 60.53.38.106 tcp dpt:10000
27 1882 ACCEPT udp -- any any anywhere anywhere udp dpt:domain
1 48 ACCEPT tcp -- any any anywhere anywhere tcp dpt:http
476 47356 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level error prefix `IPT IN_FIREWALL: '
3385 325K DROP all -- any any anywhere anywhere

Chain IN_ICMP (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any 192.168.3.0/24 anywhere icmp echo-request
0 0 ACCEPT icmp -- any any 192.168.3.0/24 anywhere icmp echo-reply
0 0 ACCEPT icmp -- any any 192.168.6.0/24 anywhere icmp echo-request
0 0 ACCEPT icmp -- any any 192.168.6.0/24 anywhere icmp echo-reply
1 56 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
9 549 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level error prefix `IPT In ICMP: '
9 549 DROP all -- any any anywhere anywhere

Chain IN_IP_CHECK (1 references)
pkts bytes target prot opt in out source destination
0 0 BAD_IP all -- ppp0 any 65.55.35.116 anywhere
0 0 BAD_IP all -- ppp0 any 192.168.3.0/24 anywhere
0 0 BAD_IP all -- eth1 any 65.55.35.116 anywhere

Chain IN_NETWORK (1 references)
pkts bytes target prot opt in out source destination
0 0 IN_ICMP icmp -- any any anywhere anywhere
9834 14M TCP_FLAGS tcp -- any any anywhere anywhere
0 0 SYN_FLOOD tcp -- any any anywhere anywhere tcp flags:SYN,RST,ACK/SYN
9834 14M ACCEPT tcp -- any any anywhere anywhere state RELATED,ESTABLISHED
516 67080 ACCEPT udp -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:5060
0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpts:10001:65535
0 0 ACCEPT udp -- any any anywhere sttu.shin udp dpt:domain
0 0 ACCEPT tcp -- any any anywhere sttu.shin tcp dpt:http flags:SYN,RST,ACK/SYN

Chain OUT_FIREWALL (1 references)
pkts bytes target prot opt in out source destination
0 0 OUT_ICMP icmp -- any any anywhere anywhere
65229 34M TCP_FLAGS tcp -- any any anywhere anywhere
64052 34M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:5060
0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpts:10001:65535
1690 103K OUT_IP_CHECK all -- any any anywhere anywhere
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ftp
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:telnet
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:smtp
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:pop3
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpts:netbios-ns:netbios-ssn
1552 93120 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:http
81 4860 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:https
52 3771 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:domain
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp spt:squid
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp spt:ftp-data
3 576 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level error prefix `IPT OUT_FIREWALL: '
5 760 DROP all -- any any anywhere anywhere

Chain OUT_ICMP (2 references)
pkts bytes target prot opt in out source destination
0 0 ACCEPT icmp -- any any anywhere 192.168.3.0/24 icmp echo-request
0 0 ACCEPT icmp -- any any anywhere 192.168.3.0/24 icmp echo-reply
0 0 ACCEPT icmp -- any any anywhere 192.168.6.0/24 icmp echo-request
0 0 ACCEPT icmp -- any any anywhere 192.168.6.0/24 icmp echo-reply
0 0 ACCEPT icmp -- any any anywhere anywhere icmp destination-unreachable
0 0 ACCEPT icmp -- any any anywhere anywhere icmp source-quench
0 0 ACCEPT icmp -- any any anywhere anywhere icmp parameter-problem
0 0 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level error prefix `IPT Out ICMP: '
0 0 DROP all -- any any anywhere anywhere

Chain OUT_IP_CHECK (1 references)
pkts bytes target prot opt in out source destination
1685 102K RETURN all -- any ppp0 65.55.35.116 anywhere
5 760 RETURN all -- any eth1 sttu.shin anywhere
0 0 BAD_IP all -- any any anywhere anywhere

Chain OUT_NETWORK (1 references)
pkts bytes target prot opt in out source destination
0 0 OUT_ICMP icmp -- any any anywhere anywhere
5527 299K TCP_FLAGS tcp -- any any anywhere anywhere
5489 297K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ftp
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:ssh
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:smtp
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:pop3
14 672 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:http
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:https
547 30853 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:domain
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:socks
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:1503
0 0 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:h323hostcall
6 288 ACCEPT tcp -- any any anywhere anywhere state NEW tcp dpt:4000
0 0 ACCEPT udp -- any any anywhere anywhere state NEW udp dpt:4000
192K 15M DROP udp -- any any anywhere anywhere state NEW udp dpts:netbios-ns:netbios-ssn

Chain SHUN (3 references)
pkts bytes target prot opt in out source destination

Chain SYN_FLOOD (2 references)
pkts bytes target prot opt in out source destination
1244 59820 RETURN tcp -- any any anywhere anywhere tcp flags:SYN,RST,ACK/SYN limit: avg 5/sec burst 10
0 0 RETURN !tcp -- any any anywhere anywhere
0 0 RETURN tcp -- any any anywhere anywhere tcp flags:!SYN,RST,ACK/SYN
2 96 LOG all -- any any anywhere anywhere limit: avg 3/min burst 3 LOG level error prefix `IPT SYN_FLOOD: '
2 96 DROP all -- any any anywhere anywhere

Chain TCP_FLAGS (4 references)
pkts bytes target prot opt in out source destination
0 0 BADFLAGS tcp -- any any anywhere anywhere tcp flags:FIN,ACK/FIN
0 0 BADFLAGS tcp -- any any anywhere anywhere tcp flags:PSH,ACK/PSH
0 0 BADFLAGS tcp -- any any anywhere anywhere tcp flags:ACK,URG/URG
0 0 BADFLAGS tcp -- any any anywhere anywhere tcp flags:FIN,RST/FIN,RST
0 0 BADFLAGS tcp -- any any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
0 0 BADFLAGS tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN,RST
0 0 BADFLAGS tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
0 0 BADFLAGS tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
0 0 BADFLAGS tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
0 0 BADFLAGS tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,PSH,URG
0 0 BADFLAGS tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
 
Old 02-16-2007, 12:07 AM   #9
Niceman2005
Member
 
Registered: Nov 2004
Distribution: Fedora Core 2
Posts: 330

Original Poster
Rep: Reputation: 30
Code:
# iptables -t nat -vL

Chain PREROUTING (policy ACCEPT 209K packets, 16M bytes)
pkts bytes target prot opt in out source destination
0 0 DNAT udp -- ppp0 any anywhere 65.55.35.116 udp dpt:5060 to:192.168.3.109
2 180 DNAT udp -- ppp0 any anywhere 65.55.35.116 udp dpts:10001:65535 to:192.168.3.109
0 0 DNAT tcp -- ppp0 any anywhere 65.55.35.116 tcp dpt:domain to:192.168.3.253
1 48 DNAT tcp -- ppp0 any anywhere 65.55.35.116 tcp dpt:http to:192.168.3.253

Chain POSTROUTING (policy ACCEPT 19 packets, 1667 bytes)
pkts bytes target prot opt in out source destination
2994 178K SNAT all -- any ppp0 anywhere anywhere to:65.55.35.116

Chain OUTPUT (policy ACCEPT 2418 packets, 146K bytes)
pkts bytes target prot opt in out source destination
 
Old 02-16-2007, 12:35 AM   #10
Niceman2005
Member
 
Registered: Nov 2004
Distribution: Fedora Core 2
Posts: 330

Original Poster
Rep: Reputation: 30
Dear Captain Caveman,

That's all the output from the commands. If there is anything bad, please help me to correct it. Thanks, Captain!

Regards
Y
 