LinuxQuestions.org
Old 11-03-2004, 07:20 AM   #1
wierdthing
LQ Newbie
 
Registered: Nov 2004
Posts: 1

Rep: Reputation: 0
iptables +azureus +forwarding not working


Well then, this problem has been bothering me for a while now and I can't seem to fix it. For some reason the port forwarding on my firewall script doesn't seem to be working. On the computer that I'm forwarding it to, it gets a NAT error. (Note this is concerning BitTorrent and Azureus.) I have turned off UPnP in Azureus but other than that I'm stumped. Following is the entire script; note that I even tried opening the entire port range without forwarding, and this also for some reason doesn't want to work. I am using Slackware 10 standard with no upgrades.

# Environment variables, change these values accordingly

EXT_IF=eth1
INT_IF=eth0
INT_NET=192.168.1.0/24

ANY=0.0.0.0/0

IPTABLES=/usr/sbin/iptables
MODPROBE=/sbin/modprobe

#
## You shouldn't need to touch anything below here
#

# Load appropriate iptables modules, others will be loaded dynamically on demand

$MODPROBE ip_tables
$MODPROBE iptable_filter
$MODPROBE ip_nat_ftp
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp

# Set proc values for TCP/IP. In order:
#
# Disable IP spoofing attacks
# Ignore broadcast pings
# Block source routing
# Kill redirects
# Set acceptable local port range
# Allow dynamic IP addresses
# Enable forwarding (gateway)

echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "1" > /proc/sys/net/ipv4/ip_forward

# Flush everything

$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

#
## --- DEFAULT POLICY --- ##
#

# Drop everything on INPUT and FORWARD chains, accept OUTPUT

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

#
## --- INPUT CHAIN --- ##
#

# Allow Telstra heartbeat -- BPA users uncomment this

# $IPTABLES -A INPUT -p udp --sport 5050 -j ACCEPT
# $IPTABLES -A INPUT -p udp --sport 5051 -j ACCEPT


# Allow bootp port -- Optus and some ADSL users need this

$IPTABLES -A INPUT -p udp -d 255.255.255.255 --dport 68 -j ACCEPT


# Allow access to services on this (the gateway) machine

# SSH
# $IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

# Teamspeak
# $IPTABLES -A INPUT -p udp --dport 8767 -j ACCEPT

# Half Life server
# $IPTABLES -A INPUT -p udp --dport 27015 -j ACCEPT
# $IPTABLES -A INPUT -p udp --dport 27010 -j ACCEPT

# FTP
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 20 -j ACCEPT

# Bittorrent
$IPTABLES -A INPUT -p tcp --dport 6881:6999 -j ACCEPT



# $IPTABLES -A INPUT -p tcp --dport 6882 -j ACCEPT
# $IPTABLES -A INPUT -p tcp --dport 6883 -j ACCEPT
# $IPTABLES -A INPUT -p tcp --dport 6884 -j ACCEPT
# $IPTABLES -A INPUT -p tcp --dport 6885 -j ACCEPT
# $IPTABLES -A INPUT -p tcp --dport 6886 -j ACCEPT
# $IPTABLES -A INPUT -p tcp --dport 6887 -j ACCEPT
# $IPTABLES -A INPUT -p tcp --dport 6888 -j ACCEPT


# Accept all connections on local and internal interfaces

$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i $INT_IF -j ACCEPT


# Stateful inspection -- Allow packets in from connections already established

$IPTABLES -A INPUT -i $EXT_IF -m state --state ESTABLISHED,RELATED -j ACCEPT


# Drop packets from invalid sources (reserved networks and localhost)

$IPTABLES -A INPUT -i $EXT_IF -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -i $EXT_IF -s 169.254.0.0/16 -j DROP
$IPTABLES -A INPUT -d 127.0.0.0/8 -j DROP


# Don't log igmp, web or ssl. More noise we don't need to log.

$IPTABLES -A INPUT -p igmp -j DROP
$IPTABLES -A INPUT -p tcp --dport 80 -j DROP
$IPTABLES -A INPUT -p tcp --dport 443 -j DROP


# Log everything else

$IPTABLES -A INPUT -i $EXT_IF -j LOG --log-prefix "|iptables -- "

#
## -- BANDWIDTH SHAPING -- ##
#

#
# EGRESS (upstream)
#

# TOS marked packets (we'll just work with minimise-delay and maximise-throughput)
$IPTABLES -t mangle -A POSTROUTING -m tos --tos Minimize-Delay -j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -m tos --tos Maximize-Throughput -j MARK --set-mark 30

# UDP (most games, including all Half Life mods as well as DNS, IM clients and more)
$IPTABLES -t mangle -A POSTROUTING -p udp -j MARK --set-mark 10

# Games that use DirectPlay from DirectX (note UDP traffic already matched above)
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 47624 -j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 2300:2400 -j MARK --set-mark 10
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 2300:2400 -j MARK --set-mark 10

# Place other games here
# EVE online
# $IPTABLES -t mangle -A POSTROUTING -p tcp --dport 26000 -j MARK --set-mark 10

# ICMP (ping)
$IPTABLES -t mangle -A POSTROUTING -p icmp -j MARK --set-mark 10

# SSH
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 22 -j MARK --set-mark 10

# Web, SSL
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 80 -j MARK --set-mark 20
$IPTABLES -t mangle -A POSTROUTING -p tcp --dport 443 -j MARK --set-mark 20

# ACKs
$IPTABLES -t mangle -A POSTROUTING -p tcp -m length --length :64 -j MARK --set-mark 20

#
# No need for catchall for class 30, handled by HTB root qdisc initialisation
#

#
# INGRESS (downstream)
#

# Only prioritise class 10 traffic

# Don't police high priority UDP, game, ping and SSH packets
$IPTABLES -t mangle -A PREROUTING -p udp -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p tcp --sport 47624 -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p tcp --sport 2300:2400 -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p tcp --sport 2300:2400 -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p icmp -j MARK --set-mark 10
$IPTABLES -t mangle -A PREROUTING -p tcp --sport 22 -j MARK --set-mark 10

# Place other games here
# EVE online
# $IPTABLES -t mangle -A PREROUTING -p tcp --sport 26000 -j MARK --set-mark 10

# Catchall, police everything else
$IPTABLES -t mangle -A PREROUTING -m mark --mark 0 -j MARK --set-mark 30

#
# NOTE: It's a good idea -not- to add HTTP to be let through the police filter even
# for browsing as many P2P programs, not to mention your HTTP file downloads, will
# flood the link unpoliced, causing delays with high priority (class 10) packets.
# Shape HTTP going out, but let it be bulk coming in.
#
# Read the note at the end of the .shaper script for more on INGRESS shaping.
#

#
## --- FORWARD CHAIN --- ##
#

# Stateful inspection -- Forward in connections already established

$IPTABLES -A FORWARD -i $EXT_IF -o $INT_IF -s $ANY -d $INT_NET -m state --state ESTABLISHED,RELATED -j ACCEPT


# Forwards for software running on Windows/Linux machines behind the firewall

# Kazaa Lite (change destination IP accordingly)

# $IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 1214 -j DNAT --to-dest 192.168.1.10
# $IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 1214 -d 192.168.1.10 -j ACCEPT

# Bittorrent Forwarding

$IPTABLES -t nat -A PREROUTING -i $EXT_IF -p tcp --dport 6881:6999 -j DNAT --to-dest 192.168.1.50
$IPTABLES -A FORWARD -p tcp -i $EXT_IF --dport 6881:6999 -d 192.168.1.50 -j ACCEPT


# Forwards for hosting DirectPlay games

# iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 47624 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 47624 -j DNAT --to-destination 192.168.1.10:47624
# iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 2300:2400 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2300:2400 -j DNAT --to-destination 192.168.1.10:2300-2400
# iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 2300:2400 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -t nat -A PREROUTING -i eth0 -p udp --dport 2300:2400 -j DNAT --to-destination 192.168.1.10:2300-2400


# Forward out all traffic

$IPTABLES -A FORWARD -i $INT_IF -d $ANY -j ACCEPT

#
## --- OUTPUT CHAIN --- ##
#

# Follows policy

#
## --- NAT --- ##
#

# Enable masquerade

$IPTABLES -A POSTROUTING -t nat -o $EXT_IF -j MASQUERADE

#
## -- Transparent proxy to Squid --- ##
#

# $IPTABLES -t nat -A PREROUTING -i $INT_IF -p tcp --dport 80 -j REDIRECT --to-port 3128
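A port forward through a FORWARD-policy-DROP gateway like the one above needs two halves: the nat PREROUTING DNAT and a filter FORWARD ACCEPT that matches the post-DNAT destination (the packet has already been rewritten to 192.168.1.50 by the time FORWARD sees it). The check below is an added example, not code from the thread; it runs over a constructed iptables-save sample shaped after the script above, and the interface, port range and target are assumptions taken from that script.

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output (not captured from the poster's
# box), shaped after the BitTorrent forward in the script above.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 6881:6999 -j DNAT --to-destination 192.168.1.50
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth1 -o eth0 -d 192.168.1.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -d 192.168.1.50/32 -i eth1 -p tcp -m tcp --dport 6881:6999 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
COMMIT'

# check_forward RULES EXT_IF PORTRANGE TARGET_IP
# Returns 0 when both halves of the port forward are present; otherwise
# prints which half is missing and returns 1.
check_forward() {
    rules=$1; ext_if=$2; ports=$3; target=$4
    status=0
    # nat half: PREROUTING DNAT on the external interface for the port range
    if ! printf '%s\n' "$rules" | grep -q -- \
        "^-A PREROUTING .*-i $ext_if .*--dport $ports .*-j DNAT --to-destination $target"; then
        echo "missing: nat PREROUTING DNAT for $ports -> $target on $ext_if"
        status=1
    fi
    # filter half: FORWARD ACCEPT keyed on the rewritten (internal) destination,
    # required because the FORWARD chain policy is DROP
    if ! printf '%s\n' "$rules" | grep -q -- \
        "^-A FORWARD .*-d $target/32 .*--dport $ports .*-j ACCEPT"; then
        echo "missing: filter FORWARD ACCEPT for $ports to $target"
        status=1
    fi
    return $status
}

check_forward "$SAMPLE_RULES" eth1 6881:6999 192.168.1.50 \
    && echo "port forward 6881:6999 -> 192.168.1.50 looks complete"
```

On a live gateway, feed it the real ruleset with `check_forward "$(iptables-save)" eth1 6881:6999 192.168.1.50`, and confirm separately that /proc/sys/net/ipv4/ip_forward reads 1.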
 
Old 04-02-2006, 10:06 AM   #2
redmap
LQ Newbie
 
Registered: Apr 2006
Posts: 7

Rep: Reputation: 0
Did you get it working? I'm having the same problem and can't figure out what to do.