metallica1973 |
12-09-2007 07:00 PM |
Vncviewer and blank screen
I am using Fedora 6 and an iptables script. Every time I attempt to VNC to a client outside of my network I can connect fine (username and password), but after it connects nothing appears on the screen. That happens from any computer on my LAN, so I know that it is not the computer. When I do the same thing from my firewall I can connect without any issues and everything is fine. My firewall script is rather large, but I will post it for feedback. Thanks.
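#!/bin/sh
#
# iptables firewall for a three-interface box: external (EXTIF), internal
# LAN (INTIF) and DMZ (DMZ_IFACE).
#
# Usage: firewall {start|stop|restart|reload|status}
#
#   start   - load netfilter modules, apply sysctl hardening, rebuild every
#             chain and rule from scratch (default policy DROP)
#   stop    - flush all tables and set every policy back to ACCEPT
#   status  - list the filter, nat and mangle tables
#
# Must run as root.  Every "start" replaces all existing iptables state.
# Written for POSIX sh (no bashisms) because of the /bin/sh shebang.

IPTABLES="/sbin/iptables"

#----Default-Interfaces-----#
EXTIF="eth0"                 # external (Internet-facing) interface
INTIF="eth1"                 # internal LAN interface
INTLAN="192.168.7.0/27"      # internal LAN network
SQUID_FILTER="192.168.7.2"   # Squid proxy on the LAN (listens on 3128)
FIREWALL="192.168.7.1"       # firewall's LAN address (only used in commented rules)

#----Special Variables-----#
# IP Mask for all IP addresses (not referenced by any active rule)
UNIVERSE="0.0.0.0/0"
# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"
# Specification of X Window System (TCP) ports.
#XWINPORTS="6000:6063"
# Ports for IRC-Connection-Tracking
#IRCPORTS="6665,6666,6667,6668,6669,7000"
# DMZ UDP ports
#DMZUDP="1024:1030,5060:5065,10000:20000"

#-----Port-Forwarding Variables-----#
SSH_SERVER="192.168.2.21"
# IP for forwarded HTTP-traffic (only used in commented rules)
HTTPIP="192.168.7.1/27"
DMZ_HTTPIP="192.168.2.1/27"
# IP's for DMZ to VOIP
DMZ_LAN="192.168.2.0/27"
DMZ_IFACE="eth2"
DMZ_IP="192.168.2.1"
#DMZ_PC_IP="192.168.2.2"
#DMZ_VOIP_PHONE="192.168.2.30"
DMZ_VOIP_SERVER="192.168.2.2"
#DMZ_SSH_SERVER="192.168.2.16"

####PS2#######
#PS2_NETWORK="192.168.5.0/28"
#PS2_IFACE="eth1"
#PS2_IP="192.168.5.1/28"
#PS2="192.168.5.10"

#----Flood Variables-----#
# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMIT="5/s"
# Burst Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"
# Overall Limit for Logging in Logging-Chains
LOGLIMIT="2/s"
# Burst Limit for Logging in Logging-Chains
LOGLIMITBURST="10"
# Overall Limit for Ping-Flood-Detection
PINGLIMIT="5/s"
# Burst Limit for Ping-Flood-Detection
PINGLIMITBURST="10"

# Flush every rule and delete every user chain in the filter, nat and
# mangle tables.  Shared by "stop" and "start" so both reset identically.
flush_all() {
  $IPTABLES -F
  $IPTABLES -F -t mangle
  $IPTABLES -F -t nat
  $IPTABLES -X
  $IPTABLES -X -t mangle
  $IPTABLES -X -t nat
}

# Print the usage line to stderr (the script takes no arguments besides
# the action keyword).
usage() {
  printf 'Usage: %s {start|stop|restart|reload|status}\n' "$0" >&2
}

case "$1" in
  stop)
    echo "Shutting down firewall..."
    flush_all
    # With every rule gone, ACCEPT policies leave the box fully open.
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    echo "...done"
    ;;

  status)
    # Use $IPTABLES like every other arm instead of whatever "iptables"
    # resolves to on $PATH.
    echo "Table: filter"
    $IPTABLES --list
    echo "Table: nat"
    $IPTABLES -t nat --list
    echo "Table: mangle"
    $IPTABLES -t mangle --list
    ;;

  restart|reload)
    "$0" stop
    "$0" start
    ;;

  start)
    echo "Starting Firewall..."
    echo ""
    ##--------------------------Begin Firewall---------------------------------##

    echo "Loading IPTABLES modules"
    dmesg -n 1   # Kill copyright display on module load
    /sbin/modprobe ip_tables
    /sbin/modprobe iptable_filter
    #/sbin/modprobe ip_conntrack_sip
    #/sbin/modprobe ip_nat_sip
    /sbin/modprobe ip_conntrack
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_nat_ftp
    #/sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
    #/sbin/modprobe ip_nat_irc ports=$IRCPORTS
    dmesg -n 6
    echo " --- "

    #----Clear/Reset all chains-----#
    # Flush everything, start from scratch
    flush_all
    # Set default policies to DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    #$IPTABLES -N DMZ2WAN
    #$IPTABLES -N WAN2DMZ

    #----Set network sysctl options-----#
    echo "Setting sysctl options"
    # Enable forwarding in kernel
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Disabling IP Spoofing attacks.
    echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
    # Don't respond to broadcast pings (Smurf-Amplifier-Protection)
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    # Block source routing
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
    # Kill timestamps
    echo 0 > /proc/sys/net/ipv4/tcp_timestamps
    # Enable SYN Cookies
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    # Kill redirects
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    # Enable bad error message protection
    echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    # Log martians (packets with impossible addresses)
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
    # Set our local port range
    echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
    # Reduce DoS'ing ability by reducing timeouts
    # NOTE(review): the tcp_* knobs below tune the firewall's own TCP
    # stack; they are not expected to change how forwarded flows behave.
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
    echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
    echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
    echo 0 > /proc/sys/net/ipv4/tcp_sack
    echo " --- "

    echo "Creating user-chains"
    #----Create logging chains-----#
    # Each L* chain rate-limits a LOG line (prefix "fp=<class> a=<action>")
    # and then drops or rejects; the prefixes are what to grep for in the
    # kernel log when diagnosing a blocked flow.

    # Invalid packets (not ESTABLISHED,RELATED or NEW)
    $IPTABLES -N LINVALID
    $IPTABLES -A LINVALID -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "fp=INVALID:1 a=DROP "
    $IPTABLES -A LINVALID -j DROP

    # TCP-Packets with one or more bad flags
    $IPTABLES -N LBADFLAG
    $IPTABLES -A LBADFLAG -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "fp=BADFLAG:1 a=DROP "
    $IPTABLES -A LBADFLAG -j DROP

    # Logging of connection attempts on special ports (Trojan portscans, special services, etc.)
    $IPTABLES -N LSPECIALPORT
    $IPTABLES -A LSPECIALPORT -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "fp=SPECIALPORT:1 a=DROP "
    $IPTABLES -A LSPECIALPORT -j DROP

    # Logging of possible TCP-SYN-Floods
    $IPTABLES -N LSYNFLOOD
    $IPTABLES -A LSYNFLOOD -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
    $IPTABLES -A LSYNFLOOD -j DROP

    # Logging of possible Ping-Floods
    $IPTABLES -N LPINGFLOOD
    $IPTABLES -A LPINGFLOOD -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
    $IPTABLES -A LPINGFLOOD -j DROP

    # All other dropped packets
    $IPTABLES -N LDROP
    $IPTABLES -A LDROP -p tcp -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "fp=TCP:1 a=DROP "
    $IPTABLES -A LDROP -p udp -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "fp=UDP:2 a=DROP "
    $IPTABLES -A LDROP -p icmp -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "fp=ICMP:3 a=DROP "
    $IPTABLES -A LDROP -f -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP "
    $IPTABLES -A LDROP -j DROP

    # All other rejected packets
    $IPTABLES -N LREJECT
    $IPTABLES -A LREJECT -p tcp -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "fp=TCP:1 a=REJECT "
    $IPTABLES -A LREJECT -p udp -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "fp=UDP:2 a=REJECT "
    $IPTABLES -A LREJECT -p icmp -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "fp=ICMP:3 a=REJECT "
    $IPTABLES -A LREJECT -f -m limit --limit "$LOGLIMIT" --limit-burst "$LOGLIMITBURST" -j LOG --log-prefix "fp=FRAGMENT:4 a=REJECT "
    $IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
    $IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
    $IPTABLES -A LREJECT -j REJECT

    #----Create Accept-Chains-----#
    # TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in:
    # SYNs within the rate limit are accepted, excess SYNs are logged and
    # dropped, non-SYN segments pass straight through.
    $IPTABLES -N TCPACCEPT
    $IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit "$TCPSYNLIMIT" --limit-burst "$TCPSYNLIMITBURST" -j ACCEPT
    $IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
    $IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT

    #----Create special User-Chains-----#
    # CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible
    # flag-combinations (some port-scanners use these, e.g. nmap Xmas,Null,etc.-scan)
    $IPTABLES -N CHECKBADFLAG
    $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
    $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
    $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
    $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
    $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
    $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG

    # Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs)
    # SMB-Traffic: drop without logging, in both directions
    $IPTABLES -N SMB
    $IPTABLES -A SMB -p tcp --dport 137 -j DROP
    $IPTABLES -A SMB -p tcp --dport 138 -j DROP
    $IPTABLES -A SMB -p tcp --dport 139 -j DROP
    $IPTABLES -A SMB -p tcp --dport 445 -j DROP
    $IPTABLES -A SMB -p udp --dport 137 -j DROP
    $IPTABLES -A SMB -p udp --dport 138 -j DROP
    $IPTABLES -A SMB -p udp --dport 139 -j DROP
    $IPTABLES -A SMB -p udp --dport 445 -j DROP
    $IPTABLES -A SMB -p tcp --sport 137 -j DROP
    $IPTABLES -A SMB -p tcp --sport 138 -j DROP
    $IPTABLES -A SMB -p tcp --sport 139 -j DROP
    $IPTABLES -A SMB -p tcp --sport 445 -j DROP
    $IPTABLES -A SMB -p udp --sport 137 -j DROP
    $IPTABLES -A SMB -p udp --sport 138 -j DROP
    $IPTABLES -A SMB -p udp --sport 139 -j DROP
    $IPTABLES -A SMB -p udp --sport 445 -j DROP

    # Inbound Special Ports (logged separately via LSPECIALPORT)
    $IPTABLES -N SPECIALPORTS
    # Deepthroat Scan
    $IPTABLES -A SPECIALPORTS -p tcp --dport 6670 -j LSPECIALPORT
    # Subseven Scan
    $IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j LSPECIALPORT
    $IPTABLES -A SPECIALPORTS -p udp --dport 1243 -j LSPECIALPORT
    $IPTABLES -A SPECIALPORTS -p tcp --dport 27374 -j LSPECIALPORT
    $IPTABLES -A SPECIALPORTS -p udp --dport 27374 -j LSPECIALPORT
    $IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 -j LSPECIALPORT
    # Netbus Scan
    $IPTABLES -A SPECIALPORTS -p tcp --dport 12345:12346 -j LSPECIALPORT
    $IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j LSPECIALPORT
    # Back Orifice scan
    $IPTABLES -A SPECIALPORTS -p udp --dport 31337:31338 -j LSPECIALPORT
    # X-Win
    #$IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS -j LSPECIALPORT
    # Hack'a'Tack 2000
    $IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT

    # ICMP/TRACEROUTE FILTERING
    # NOTE(review): ICMPINBOUND and ICMPOUTBOUND are built here but no
    # INPUT or OUTPUT rule below jumps to them, so they currently have no
    # effect; ICMP to the box follows the generic INPUT/OUTPUT rules.

    # Inbound ICMP/Traceroute
    $IPTABLES -N ICMPINBOUND
    # Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped
    $IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit "$PINGLIMIT" --limit-burst "$PINGLIMITBURST" -j ACCEPT
    $IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD
    # Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
    $IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LDROP
    # Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
    $IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LDROP
    $IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LDROP
    # Block ICMP-address-mask (can help to prevent OS-fingerprinting)
    $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LDROP
    $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LDROP
    # Allow all other ICMP in
    $IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT

    # Outbound ICMP/Traceroute
    $IPTABLES -N ICMPOUTBOUND
    # Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
    $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LDROP
    # Block ICMP-TTL-Expired
    # MS Traceroute (MS uses ICMP instead of UDP for tracert)
    $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LDROP
    $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LDROP
    # Block ICMP-Parameter-Problem
    $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LDROP
    # Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
    $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LDROP
    $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LDROP
    # Block ICMP-address-mask (can help to prevent OS-fingerprinting)
    $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LDROP
    $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LDROP
    # Accept all other ICMP going out
    $IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT
    #----End User-Chains-----#
    echo " --- "

    #----Start Ruleset-----#
    echo "Implementing firewall rules..."

    #################
    ## INPUT-Chain ##  (everything that is addressed to the firewall itself)
    #################

    ## GENERAL Filtering
    # Kill INVALID packets (not ESTABLISHED, RELATED or NEW)
    $IPTABLES -A INPUT -m state --state INVALID -j LINVALID
    # Check TCP-Packets for Bad Flags
    $IPTABLES -A INPUT -p tcp -j CHECKBADFLAG

    ## Packets FROM FIREWALL-BOX ITSELF
    # Local IF
    $IPTABLES -A INPUT -i lo -j ACCEPT
    # Kill connections to the local interface from the outside world
    # (--> Should be already caught by kernel/rp_filter).  The whole
    # loopback net is 127.0.0.0/8; a bare 127.0.0.0 matched one address.
    $IPTABLES -A INPUT -d 127.0.0.0/8 -j LREJECT
    # Squid port on the box only reachable from loopback.  The "-s !" form
    # is the negation syntax accepted by the iptables shipped with this
    # distribution; keep it unless iptables is upgraded.
    $IPTABLES -A INPUT -m tcp -p tcp -s ! 127.0.0.1 --dport 3128 -j DROP

    ## Packets FROM INTERNAL NET
    ## Allow unlimited traffic from internal network using legit addresses to firewall-box
    ## If protection from the internal interface is needed, alter it
    $IPTABLES -A INPUT -i "$INTIF" -s "$INTLAN" -j ACCEPT

    ######################################## DMZ PHONE ########################################
    # Accepts traffic arriving on the DMZ interface for any DMZ_LAN
    # destination (i.e. the box's own DMZ address).
    $IPTABLES -A INPUT -i "$DMZ_IFACE" -d "$DMZ_LAN" -j ACCEPT

    ## ICMP & Traceroute filtering
    # Block UDP-Traceroute
    $IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP

    # Drop all SMB-Traffic
    $IPTABLES -A INPUT -i "$EXTIF" -j SMB
    # Silently reject Ident (Don't DROP ident, because of possible delays when establishing an outbound connection)
    $IPTABLES -A INPUT -i "$EXTIF" -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    ## Public services running ON FIREWALL-BOX (uncomment to activate):
    # Only ESTABLISHED/RELATED is matched here, so this does not open DNS
    # to new connections from outside.
    $IPTABLES -A INPUT -i "$EXTIF" -p tcp --dport 53 -m state --state ESTABLISHED,RELATED -j TCPACCEPT
    #$IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT

    ############################### ssh ###########################################
    #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 513 -m state --state NEW -j TCPACCEPT

    ############ Separate logging of special portscans/connection attempts #######################
    $IPTABLES -A INPUT -i "$EXTIF" -j SPECIALPORTS

    ## Allow ESTABLISHED/RELATED connections in
    $IPTABLES -A INPUT -i "$EXTIF" -m state --state ESTABLISHED -j ACCEPT
    $IPTABLES -A INPUT -i "$EXTIF" -p tcp --dport "$UNPRIVPORTS" -m state --state RELATED,ESTABLISHED -j TCPACCEPT
    $IPTABLES -A INPUT -i "$EXTIF" -p udp --dport "$UNPRIVPORTS" -m state --state RELATED,ESTABLISHED -j ACCEPT
    ## Catch all rule
    $IPTABLES -A INPUT -j LDROP

    ##################
    ## Output-Chain ##  (everything that comes directly from the Firewall-Box)
    ##################

    ## Packets TO FIREWALL-BOX ITSELF
    # Local IF
    $IPTABLES -A OUTPUT -o lo -j ACCEPT

    ## Packets TO INTERNAL NET
    # Allow unlimited traffic to internal network using legit addresses
    ################################## DMZ OUTPUT ##################################
    # NOTE(review): the only rule for -o $DMZ_IFACE is commented out, so
    # the firewall's own packets toward the DMZ end up in LDROP.
    $IPTABLES -A OUTPUT -o "$EXTIF" -s "$DMZ_LAN" -j ACCEPT
    #$IPTABLES -A OUTPUT -o $DMZ_IFACE -p ALL -j ACCEPT
    # The two "-p ALL" rules make the -s $DMZ_LAN / -s $INTLAN rules on
    # $EXTIF redundant; they are kept for parity with the original ruleset.
    $IPTABLES -A OUTPUT -o "$EXTIF" -p ALL -j ACCEPT
    $IPTABLES -A OUTPUT -o "$INTIF" -p ALL -j ACCEPT
    $IPTABLES -A OUTPUT -o "$EXTIF" -s "$INTLAN" -j ACCEPT
    $IPTABLES -A OUTPUT -j LDROP

    ###################
    ## FORWARD-Chain ##  (everything that passes the firewall, incoming)
    ###################

    ## GENERAL Filtering
    # Kill invalid packets (not ESTABLISHED, RELATED or NEW)
    $IPTABLES -A FORWARD -m state --state INVALID -j LINVALID
    # Check TCP-Packets for Bad Flags
    $IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG

    ## Filtering FROM INTERNAL NET
    ## Silent Drops/Rejects (Things we don't want in our logs)
    # SMB
    #$IPTABLES -A FORWARD -o $EXTIF -j SMB

    ## Port-Forwarding from Ports < 1024 [outbound] (--> Also see chain PREROUTING)
    # HTTP-Forwarding
    # NOTE(review): this matches LAN-sourced packets arriving on $EXTIF;
    # with rp_filter enabled above such packets should not occur, so this
    # rule looks dead.  Confirm whether "-i $INTIF" was intended.
    $IPTABLES -A FORWARD -p tcp -s "$INTLAN" -i "$EXTIF" -o "$INTIF" -d "$SQUID_FILTER" --dport 3128 -j ACCEPT

    ## Allow all other forwarding (from Ports > 1024) from Internal Net to External Net
    # Outbound LAN sessions are matched on source port only; their replies
    # rely on the ESTABLISHED,RELATED rule for -i $EXTIF further down.  A
    # forwarded session that authenticates and then stalls is worth checking
    # against the LDROP log prefixes (the fp=FRAGMENT lines in particular)
    # before the rules are changed.
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTLAN" -p tcp --sport "$UNPRIVPORTS" -j ACCEPT
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTLAN" -p udp --sport "$UNPRIVPORTS" -j ACCEPT
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -d "$INTLAN" -p tcp --sport "$UNPRIVPORTS" -j ACCEPT
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -d "$INTLAN" -p udp --sport "$UNPRIVPORTS" -j ACCEPT
    $IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTLAN" -p icmp -j ACCEPT

    ## Filtering FROM EXTERNAL NET
    ################################################# SSH #################################################
    # Uses $SSH_SERVER instead of a repeated literal so the DNAT below and
    # this rule cannot drift apart.
    # NOTE(review): $SSH_SERVER (192.168.2.21) lies in $DMZ_LAN, which the
    # variables above place behind $DMZ_IFACE, yet this rule requires
    # "-o $INTIF".  Confirm which interface the SSH host is really on.
    $IPTABLES -A FORWARD -p tcp -i "$EXTIF" -o "$INTIF" -d "$SSH_SERVER" --dport 22 -m state --state NEW -j ACCEPT
    #$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $DMZ_IFACE -d $DMZ_SSH_SERVER --dport 513 -m state --state NEW -j ACCEPT

    $IPTABLES -A FORWARD -i "$EXTIF" -j SMB
    ## Allow replies coming in
    $IPTABLES -A FORWARD -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -p tcp --dport "$UNPRIVPORTS" -m state --state RELATED -j TCPACCEPT
    $IPTABLES -A FORWARD -i "$EXTIF" -p udp --dport "$UNPRIVPORTS" -m state --state RELATED -j ACCEPT
    # $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -p tcp -s 192.168.7.0/27 -m multiport --dports 25,110 -m state --state NEW -j ACCEPT

    ########################################## DMZ ##########################################
    $IPTABLES -A FORWARD -i "$DMZ_IFACE" -o "$EXTIF" -j ACCEPT
    # NOTE(review): this accepts every NEW connection from $EXTIF into the
    # DMZ, on any port, which makes the VoIP-specific rules below redundant.
    # If the DMZ is reachable from outside other than through the DNAT rules
    # in PREROUTING, narrow this to the services that are meant to be public.
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$DMZ_IFACE" -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -i "$INTIF" -o "$DMZ_IFACE" -j ACCEPT
    $IPTABLES -A FORWARD -i "$DMZ_IFACE" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -p udp -i "$EXTIF" -o "$DMZ_IFACE" -d "$DMZ_VOIP_SERVER" --dport 5050:5065 -m state --state NEW -j ACCEPT
    $IPTABLES -A FORWARD -p udp -i "$EXTIF" -o "$DMZ_IFACE" -d "$DMZ_VOIP_SERVER" --dport 10000:20000 -m state --state NEW -j ACCEPT

    ################################## VOIP ASTERISK WEB Interface ##################################
    #$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 80 -m state --state NEW -j ACCEPT

    ## Catch all rule/Deny every other forwarding
    $IPTABLES -A FORWARD -j LDROP

    ################
    ## PREROUTING ##
    ################
    ## Port-Forwarding (--> Also see chain FORWARD)

    ######################################## SSH ########################################
    #$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 513 -j DNAT --to-destination $DMZ_SSH_SERVER
    $IPTABLES -t nat -A PREROUTING -p tcp -i "$EXTIF" --dport 22 -j DNAT --to-destination "$SSH_SERVER"

    ######################################## HTTP ########################################
    # NOTE(review): this publishes the LAN Squid on $EXTIF:8080.  The only
    # FORWARD rule for $SQUID_FILTER:3128 requires "-s $INTLAN", so Internet
    # clients redirected here are dropped; confirm whether exposing the
    # proxy externally is intended at all before "fixing" that.
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -s ! "$SQUID_FILTER" -p tcp --dport 8080 -j DNAT --to "$SQUID_FILTER:3128"

    ######################################## ASTERISK VOIP SERVER ########################################
    #$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 -j DNAT --to-destination $DMZ_VOIP_SERVER
    # The original listed these two DNAT rules twice; once is enough.
    $IPTABLES -t nat -A PREROUTING -p udp -i "$EXTIF" --dport 5050:5065 -j DNAT --to-destination "$DMZ_VOIP_SERVER"
    $IPTABLES -t nat -A PREROUTING -p udp -i "$EXTIF" --dport 10000:20000 -j DNAT --to-destination "$DMZ_VOIP_SERVER"
    #$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF -d $DMZ_HTTPIP --dport 53 -j DNAT --to-destination $DMZ_PC_IP
    #$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF -d $DMZ_HTTPIP --dport 53 -j DNAT --to-destination $DMZ_PC_IP

    #################
    ## POSTROUTING ##
    #################
    #$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTLAN -d $SQUID_FILTER -j MASQUERADE
    #$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTLAN -d $SQUID_FILTER -p tcp -j SNAT --to-source $FIREWALL
    # Masquerade from Internal Net (and DMZ) to External Net
    $IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

    #------End Ruleset------#
    echo "...done"
    echo ""
    echo "--> IPTABLES firewall loaded/activated <--"
    ##--------------------------------End Firewall---------------------------------##
    ;;

  *)
    usage
    exit 1
    ;;
esac
exit 0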