LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 03-30-2005, 08:09 AM   #1
b:z
Member
 
Registered: Mar 2005
Posts: 146

Rep: Reputation: 15
Question Linux gateway with iptables - Everybody help me, please


This is the firewall script that i collect from Internet, i have applied it to my network, however i have more problem with it such as:
- Can not restrict FTP
- Can deny software download: xmule, BitTorrent.
Here is network diagram:

(((Internet)))========((<eth0>=====<eth1> ))======((LAN))===

Here is the firewall script:

======================================================================
#######################################################################
# Local Area Network Configuration
#######################################################################
#
LAN_IP="192.168.1.10"
#
LAN_IP_RANGE="192.168.1.0/24"
#
LAN_BCAST_ADDRESS="192.168.255.255"
#
LAN_IFACE="eth1"
#
#######################################################################
# Localhost Configuration
#######################################################################
#
LO_IFACE="lo"
#
LO_IP="127.0.0.1"
#
#######################################################################
# Internet Configuration
#######################################################################
#
INET_IP="192.168.2.10"
#
INET_IFACE="eth0"
#
#######################################################################
# iptables configuration
#######################################################################
#
iptables="/usr/sbin/iptables"
#
#######################################################################
# Module Loading
#######################################################################
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUERADE
#
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
#
# Support for owner matching
#/sbin/modprobe ipt_owner
#
# Non require modules
#
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
#
######################################################################
# /proc setup - Enable ip_forward
######################################################################
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Non-Required proc configuration
#
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
######################################################################
# iptables rule setup
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables --delete-chain
#
#Create chain for bad tcp packets
#
iptables -N bad_tcp_packets
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
iptables -N allowed
iptables -N tcp_packets
iptables -N udp_packets
iptables -N icmp_packets
#
######################################################################
# Create content in userspecified chains
######################################################################
#
#bad_tcp_packets chain
#
iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
#allowed chain
#
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP
#
# TCP rules
#
##iptables -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
##iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
##iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
##iptables -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
#
# UDP ports
#
#iptables -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#iptables -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
##iptables -A udp_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
##iptables -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT
#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#
#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST \
#--destination-port 135:139 -j DROP
#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#
#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP
#
# ICMP rules
#
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
####################################################################
# INPUT chain
####################################################################
#
# Bad TCP packets we don't want.
#
iptables -A INPUT -p tcp -j bad_tcp_packets
#
###################################################################
# Rules for special networks not part of the Internet
###################################################################
#
iptables -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
#
###################################################################
# special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
###################################################################
#
iptables -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
#
###################################################################
# Rules for incoming packets from the internet.
###################################################################
#
iptables -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
iptables -A INPUT -p UDP -i $INET_IFACE -j udp_packets
iptables -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#
#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP
#
#
# Log weird packets that don't match the above.
#
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
###################################################################
# FORWARD chain
###################################################################
#
# Bad TCP packets we don't want
#
iptables -A FORWARD -p tcp -j bad_tcp_packets
iptables -A FORWARD -s 192.168.16.0/24 -d 192.168.16.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Accept the packets we actually want to forward
#
iptables -A FORWARD -i $LAN_IFACE -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Log weird packets that don't match the above.
#
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
###################################################################
# OUTPUT chain
###################################################################
#
# Bad TCP packets we don't want.
#
iptables -A OUTPUT -p tcp -j bad_tcp_packets
#
# Special OUTPUT rules to decide which IP's to allow.
#
iptables -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
#
# Log weird packets that don't match the above.
#
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
#
###################################################################
# POSTROUTING chain
###################################################################
#
# Enable simple IP Forwarding and Network Address Translation
#
##iptables -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
#
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8008
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j REDIRECT --to-port 8008
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8000 -j REDIRECT --to-port 8008
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3128 -j REDIRECT --to-port 8008
#
#################################################################
###################### Private Rule #############################
#################################################################
##################
##################
# rule for FTP connection
iptables -N ftp_rule
# admin
iptables -A ftp_rule -m mac --mac-source 00:50:8B:AF:73:C4 -p tcp --dport 20:21 -j ACCEPT
# manager
iptables -A ftp_rule -m mac --mac-source 00:02:55:64:03:6D -p tcp --dport 20:21 -j ACCEPT
# drop all
iptables -A ftp_rule -p tcp --dport 20:21 -j DROP
#
##################
##################
##################

===================================================================
And network's status:

Purpose:
- Localnetwork connect Internet through Squid proxy
- POP3, SMTP
- FTP only allow for admin and manager
- No protocol run through Linux Gateway
Current problems:
- Can't filter FTP as my purpose
- Some users can use BitTorrent, xmule,...

Please help me to find the error in my firewall script. I really need your help ,and more idea from all of you.
 
Old 03-30-2005, 10:33 AM   #2
Avatar
Member
 
Registered: May 2001
Location: Canada
Distribution: old ones
Posts: 544

Rep: Reputation: 31
I think you should consider letting another software do this. IPTABLES is not the best for this. I recommend using SQUID, which technically is a HTTP proxy, but it uses ACL (access control lists) for example, managers, users, admins; it also allows you to restrict the amount of bytes users can download.

here is a howto on using SQUID to restrict downloading certain files:
http://www.telenovela-world.com/~spa...O/install.html

There is plenty of documentation on using SQUID for access control levels as well.

You would use IPTABLES to block malicious traffic, and then redirect all requests from your LAN to squid.

Hope this helps.
 
Old 03-30-2005, 02:44 PM   #3
fr_laz
Member
 
Registered: Jan 2005
Location: Cork Ireland
Distribution: Debian
Posts: 384

Rep: Reputation: 32
Hi,

Remark :
LAN_IP_RANGE="192.168.1.0/24"
LAN_BCAST_ADDRESS="192.168.255.255"
your bdcast address doesn't match your /24 mask !

What exactly do you mean by restricting ftp ?
If you need to limit the throughput, you can do it through QOS (see http://www.ds9a.nl/2.4Networking/howto/, especially the Hierarchical Token Bucket part).
There're also some special targets for iptables, which can be more simple than using QoS (http://www.netfilter.org/documentati...ons-HOWTO.html) that you could use (look at quota, fuzzy, iplimit...)

As for the problem of xmule, bitorent and so on, if they use well-known port numbers, then it's not a problem, you just have to reject those ports (iptables -I FORWARD -p udp --sport 4662 -j DROP for emule -- I used -I and not -A so that the line can be added after your script)... if the softwares you want to stop use common ports (80 such as kazaa), then it's more complicated... and maybe more the task of an IDS than iptables's.

hope this helps...
 
Old 03-30-2005, 08:35 PM   #4
b:z
Member
 
Registered: Mar 2005
Posts: 146

Original Poster
Rep: Reputation: 15
Quote:
I think you should consider letting another software do this. IPTABLES is not the best for this. I recommend using SQUID, which technically is a HTTP proxy, but it uses ACL (access control lists) for example, managers, users, admins; it also allows you to restrict the amount of bytes users can download.

here is a howto on using SQUID to restrict downloading certain files:
http://www.telenovela-world.com/~sp...TO/install.html

There is plenty of documentation on using SQUID for access control levels as well.

You would use IPTABLES to block malicious traffic, and then redirect all requests from your LAN to squid.

Hope this helps.
Currently, i'm using iptables, combine it with Squid proxy. I also think how to restrict FTP with "acl ftp_deny proto FTP - http_access deny ftp_deny", however it doesn't work. Maybe the cause occur by iptables have allowed trafiic go out Internet.



Quote:
Remark :
LAN_IP_RANGE="192.168.1.0/24"
LAN_BCAST_ADDRESS="192.168.255.255"
your bdcast address doesn't match your /24 mask !

What exactly do you mean by restricting ftp ?
If you need to limit the throughput, you can do it through QOS (see http://www.ds9a.nl/2.4Networking/howto/, especially the Hierarchical Token Bucket part).
There're also some special targets for iptables, which can be more simple than using QoS (http://www.netfilter.org/documentat...ions-HOWTO.html) that you could use (look at quota, fuzzy, iplimit...)

As for the problem of xmule, bitorent and so on, if they use well-known port numbers, then it's not a problem, you just have to reject those ports (iptables -I FORWARD -p udp --sport 4662 -j DROP for emule -- I used -I and not -A so that the line can be added after your script)... if the softwares you want to stop use common ports (80 such as kazaa), then it's more complicated... and maybe more the task of an IDS than iptables's.
I want deny all FTP and xmule, BitTorrent user,..... in my local network to Internet. Only allow access Internet, mail pop3 in outside.
 
Old 03-31-2005, 02:48 AM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
i think part of the reason you are having problems is because your script is so complicated...

i have cleaned it up somewhat and maybe now it'll be easier for people to help you also...

the changes i made to your script will allow only web and pop3 access for the lan, like you say you want... i think you were trying to provide FTP access to two mac addresses only, so i did that in the script...

HTTP traffic will still use the squid proxy (in transparent mode), make it listen on port 3128...

i've made a changelog so you can see the changes i've made to your script...

Quote:
CHANGELOG

- removed all comments
- eliminated some module loads...
- replaced "iptables" with the variable $IPT as using iptables as a variable is redundant
- replaced the flushing rules with better ones
- eliminated the user chains as they aren't "needed" for such a simple firewall
- created a simpler bad packet chain
- added some decent simple kernel parameters
- removed bogus INPUT rules for LO from LAN/INET??
- changed MASQUERADE to SNAT as their is a static external ip
- removed insane input rule which allowed ALL input from lan
- allow lan to ONLY be able to use POP3 and WEB (HTTP/HTTPS/DNS)
- HTTP traffic from the lan the the internet should be redirected to the local proxy on port 3128/tcp
- allow two mac addresses (00:50:8B:AF:73:C4 and 00:02:55:64:03:6D) FTP access
(everyone else will be limited to POP3 and WEB)
- moved the rule which activates forwarding to the end of the script, so that forwarding
is only activated after everything is set...
- changed output policy to accept as there was nothing special being done for output anyways...
- added loading of module for mac filtering
- major cleanups all over the place
okay, here's the modified script:

Code:
#!/bin/sh

LAN_IP="192.168.1.10"
LAN_IP_RANGE="192.168.1.0/24"
LAN_IFACE="eth1"
INET_IP="192.168.2.10"
INET_IFACE="eth0"

IPT="/usr/sbin/iptables"

echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ipt_mac
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_irc

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

$IPT -N BAD_PACKETS
$IPT -A BAD_PACKETS -m state --state INVALID -j DROP
$IPT -A BAD_PACKETS -p TCP ! --syn -m state --state NEW -j DROP
$IPT -A BAD_PACKETS -p ICMP --fragment -j DROP
$IPT -A BAD_PACKETS -j RETURN

$IPT -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
$IPT -A INPUT -j BAD_PACKETS
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_IP_RANGE \
--dport 3128 -m state --state NEW -j ACCEPT
$IPT -A INPUT -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT

$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "INPUT DROP: "

$IPT -A FORWARD -j BAD_PACKETS
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -p UDP -i $LAN_IFACE -o $INET_IFACE -s $LAN_IP_RANGE \
--dport 53 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $INET_IFACE -s $LAN_IP_RANGE \
--dport 110 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $INET_IFACE -s $LAN_IP_RANGE \
--dport 443 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $INET_IFACE -m mac --mac-source \
00:50:8B:AF:73:C4 --dport 21 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $INET_IFACE -m mac --mac-source \
00:02:55:64:03:6D --dport 21 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "FORWARD DROP: "

$IPT -t nat -A PREROUTING -i $LAN_IFACE -p TCP \
--dport 80 -j REDIRECT --to-port 3128

$IPT -t nat -A POSTROUTING -o $INET_IFACE \
-j SNAT --to-source $INET_IP

echo "1" > /proc/sys/net/ipv4/ip_forward
i hope this helps... good luck...


Last edited by win32sux; 03-31-2005 at 05:32 AM.
 
Old 03-31-2005, 03:22 AM   #6
b:z
Member
 
Registered: Mar 2005
Posts: 146

Original Poster
Rep: Reputation: 15
i am really thank you 'win32sux' and all people who help me. It's work well.
Thanks for anyway, for your time and your love .
I will learn more about iptables firewall as your knowledge.
 
Old 03-31-2005, 03:56 AM   #7
b:z
Member
 
Registered: Mar 2005
Posts: 146

Original Poster
Rep: Reputation: 15
Hello, 'win32sux'
I still meet the problem with POP3 email. User in my local network can access POP3 server outside Internet.
Can you help me solve it?
Thanks so much.
 
Old 03-31-2005, 04:22 AM   #8
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
you want to block POP3 access?? then just comment the port 110/tcp rule:

Code:
#$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $INET_IFACE -s $LAN_IP_RANGE \
#--dport 110 -m state --state NEW -j ACCEPT
 
Old 03-31-2005, 04:26 AM   #9
b:z
Member
 
Registered: Mar 2005
Posts: 146

Original Poster
Rep: Reputation: 15
i'm very sorry, i type the letter wrong.
I want our user can access POP3, Yahoo and MSN however they can't ('can' above is wrong) access POP, and Y!M 'win32sux'when i apply the firewall script.
Please help me. thanks so much.
 
Old 03-31-2005, 04:35 AM   #10
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
the script i contributed only allows POP3, HTTP (via squid), HTTPS, and DNS from the LAN to the Internet...

to add things like MSN Messenger and Yahoo Messenger you need to find-out what protocol and ports they use, and then add a rule to the FORWARD chain following the same syntax of the rules already there... for example, if msn messenger uses protocol TCP and ports 6500 to 6599, then you'd put a rule like this in the FORWARD section of the script:

Code:
$IPT -A FORWARD -p TCP -i $LAN_IFACE -o $INET_IFACE -s $LAN_IP_RANGE \
--dport 6500:6599 -m state --state NEW -j ACCEPT
but i don't know what ports msn or yahoo use...

maybe you can google them or maybe someone else knows...


Last edited by win32sux; 03-31-2005 at 04:37 AM.
 
Old 03-31-2005, 04:37 AM   #11
b:z
Member
 
Registered: Mar 2005
Posts: 146

Original Poster
Rep: Reputation: 15
Oh, i forgot to tell you that the domain which user access to POP3 protocol
- i configure DNS in my linux gateway: abc.com
- my domain is hosted from outside Internet: abc.com (the same with my current DNS)
- This is my abc.zone
================================
$TTL 86400
@ IN SOA ns.abc.com hostmaster.abc.com. (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
;
IN A 192.168.1.1
NS www ; Inet Address of nameserver
abc.com MX 10 mail ; Primary Mail Exchanger
;
localhost A 127.0.0.1
mail CNAME localhost
;
ns CNAME localhost
;
www CNAME localhost
;
qa IN A 192.168.1.1
;
pop A 203.194.234.123
smtp A 203.194.234.123
mbox A 203.194.234.123
============================================
It can work before i apply the firewall script.
Please help me solve the problem.
Thanks so much.
 
Old 03-31-2005, 04:40 AM   #12
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
you have a POP3 server on the LAN which you want to access from the Internet?? okay... example:

Code:
$IPT -t nat -A PREROUTING -i $INET_IFACE -p TCP \
--dport 110 -j DNAT --to-destination 192.168.1.200

$IPT -A FORWARD -p TCP -i $INET_IFACE -o $LAN_IFACE -d 192.168.1.200 \
--dport 110 -m state --state NEW -j ACCEPT

Last edited by win32sux; 03-31-2005 at 04:46 AM.
 
Old 03-31-2005, 04:43 AM   #13
b:z
Member
 
Registered: Mar 2005
Posts: 146

Original Poster
Rep: Reputation: 15
No, i don't have POP3 server on LAN, we use POP3 server from another hosting, and i have configure my DNS on Linux gateway the same as domain 'abc.com' hosted from outside Internet.
However, it can work before i applied the script
Please help me. Thanks so much.
 
Old 03-31-2005, 04:50 AM   #14
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 379Reputation: 379Reputation: 379Reputation: 379
okay, are you saying that you have a DNS server on the firewall and you need machines on the LAN to connect to that DNS server?? if that's the case then stick this in the INPUT section of the script:

Code:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_IP_RANGE \
--dport 53 -m state --state NEW -j ACCEPT
it should look like this in the script:

Code:
$IPT -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
$IPT -A INPUT -j BAD_PACKETS
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_IP_RANGE \
--dport 3128 -m state --state NEW -j ACCEPT

$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_IP_RANGE \
--dport 53 -m state --state NEW -j ACCEPT

$IPT -A INPUT -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT

$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "INPUT DROP: "

Last edited by win32sux; 03-31-2005 at 06:49 AM.
 
Old 03-31-2005, 05:01 AM   #15
b:z
Member
 
Registered: Mar 2005
Posts: 146

Original Poster
Rep: Reputation: 15
Yeah,
It works better with POP3 access.
YM also works beacause i only allow one port 5050, however when i allow range IP 5000:5100, it can work.

Thanks so much. You have a best man.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Home gateway + iptables kurrupt Linux - Security 2 08-08-2005 07:48 AM
Linux gateway with iptables - Everybody help me, please b:z Linux - Security 1 03-30-2005 06:58 PM
IPTables setting up gateway using dsl garymayor Linux - Networking 4 02-11-2005 03:41 AM
dhcpd , bind, iptables gateway help munkie_poo Linux - Networking 1 01-25-2005 04:21 AM
iptables rules on gateway alon005 Linux - Security 7 10-05-2004 07:37 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 02:33 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration