LinuxQuestions.org


suvashan 05-17-2007 01:49 AM

iptables are not run automatically
 
Hi friends....

I need some help ...

I made a Linux server for proxy (Squid) and firewall (iptables). Now my problem is when I boot my server my firewall script is not started automatically. I want the firewall script to run when the system boots. Already I have done some steps for that... like copying my script and pasting it to "/etc/sysconfig/iptables"...

These are all the steps I did ...!

"cp /root/primary_firewall /etc/sysconfig/iptables"

"vi /etc/rc.local"

add the following line:

/sbin/insmod ip_conntrack_ftp

Save and exit the file.


but still my iptables is not started when the system boots...

so here every time I have to log in and run the iptables like

./iptables

so I want to put this job in cron...

so please help me.

Simon Bridge 05-17-2007 02:00 AM

add the command to run your iptables script to /etc/rc.local

Though, if this is Fedora, there is a special method.
Note: I hope you are not logging in as root routinely...

suvashan 05-17-2007 02:31 AM

hello ... where can I add this....
 
my iptable path is "/"

"cp /etc/rc.local /etc/sysconfig/iptables"

"vi /etc/rc.local"

add the following line:

/sbin/insmod ip_conntrack_ftp

Save and exit the file.


so now where do I have to put this /etc/rc.local...

in /etc/rc.local
or

/root/primary_firewall

please reply ...

Simon Bridge 05-17-2007 03:49 AM

The command you ran to start your firewall manually was:

./iptables

The ./ tells the shell to look in the current working directory. In the example you gave, the working directory was /root, so I'm guessing that the iptables script is /root/iptables... so the relevant line in /etc/rc.local would be /root/iptables.

suvashan 05-17-2007 03:57 AM

s ..my iptables
 
hi /...

my iptables path is "/" (root)

in this case when I add "/etc/rc.local"

this line I get an error..

"insmod:ipconntrack_ftp:no module by that name found"

so I reopened my iptables and commented the line... "/etc/rc.local"

selvam

Simon Bridge 05-17-2007 05:43 AM

"insmod:ipconntrack_ftp:no module by that name found"

... remove the insmod line from /etc/rc.local

Simon Bridge 05-17-2007 06:00 AM

Please clarify your statements.
Quote:

my iptables path is "/"(root)
Excuse me? How can this be? Surely the iptables program is /sbin/iptables ???
Could it be that you have your firewall script in the root directory? Why would you put this in such an odd place?
Quote:

in this case when i add "/etc/rc.local"
this line i get an error..
Excuse me? This sentence is incomplete... when you add "/etc/rc.local" to what? ... to this line? What line?
Quote:

so i re open my iptables and comment the line..."/etc/rc.local"
How are you opening your iptables and why would you have any mention of /etc/rc.local in there?

What you do is

vi /etc/rc.local

find the line that says:

/sbin/insmod ip_conntrack_ftp

delete that line, then add a new line in its place that gives the full path to the command you used to start your firewall. i.e. if you start your firewall with the following commands:

cd /root
./firewall.sh

... then the new line will say:

/root/firewall.sh
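The check a practitioner would run before pointing rc.local at a script, as an added example that is not code from the thread: it refuses a relative path (the ./ problem Simon describes), a file without a #! line, and a script that itself calls /etc/rc.local (which is the recursion that produces the "too many open files in system" errors reported later in the thread), then prints the absolute path that goes into /etc/rc.local and appends it once. The path /root/firewall.sh is only the one Simon used as an illustration; the sample scripts written by write_sample_scripts are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: check that a firewall script can be
# started from /etc/rc.local and print the line rc.local needs (its absolute
# path). /root/firewall.sh in the usage comment is only Simon Bridge's
# illustration; the sample scripts below are constructed.

# firewall_rc_line SCRIPT
# Prints the absolute path that belongs in /etc/rc.local and returns 0, or
# explains on stderr why rc.local could not start SCRIPT and returns 1.
firewall_rc_line() {
    script=$1
    case "$script" in
        /*) ;;                       # absolute path: usable at boot
        *)  echo "$script: rc.local does not run from your home directory, so ./ fails; give the full path" >&2
            return 1 ;;
    esac
    [ -f "$script" ] || { echo "$script: no such file" >&2; return 1; }
    [ -x "$script" ] || { echo "$script: not executable (chmod 700 '$script')" >&2; return 1; }
    # exec from rc.local needs a #! line; without it init gets "bad interpreter".
    head -n 1 "$script" | grep -q '^#!' || { echo "$script: first line is not #!/bin/sh or #!/bin/bash" >&2; return 1; }
    # A firewall script that runs /etc/rc.local, which runs the firewall script,
    # which runs rc.local ... recurses until the kernel reports
    # "too many open files in system".
    if grep -q '/etc/rc\.local' "$script"; then
        echo "$script: must not run /etc/rc.local (rc.local runs the script, not the reverse)" >&2
        return 1
    fi
    printf '%s\n' "$script"
}

# append_rc_line RCLOCAL SCRIPT
# Adds the line to RCLOCAL once (running this twice does not duplicate it).
append_rc_line() {
    rclocal=$1
    line=$(firewall_rc_line "$2") || return 1
    grep -qxF "$line" "$rclocal" 2>/dev/null && return 0
    printf '%s\n' "$line" >> "$rclocal"
}

# write_sample_scripts DIR: constructed test inputs, one good script and the
# two mistakes seen in the thread (no #! line; calling /etc/rc.local).
write_sample_scripts() {
    printf '#!/bin/sh\niptables -F\n' > "$1/firewall.sh"
    printf 'iptables -F\n' > "$1/noshebang.sh"
    printf '#!/bin/sh\n/etc/rc.local\n' > "$1/loop.sh"
    chmod 700 "$1/firewall.sh" "$1/noshebang.sh" "$1/loop.sh"
}

# Usage on the real box, as root: append_rc_line /etc/rc.local /root/firewall.sh
```

Keeping the check in a function means the same test can be run again after every edit to the firewall script, which is exactly when the rc.local-inside-the-script mistake tends to creep back in.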

suvashan 05-17-2007 06:02 AM

get this error....!
 
I just removed the "insmod line from /etc/rc.local"

and went to my iptables.

# CD /
# vi iptables
here I just added "/etc/rc.local"

then saved this file (:wq)

and ran the script ./iptables.

now I get an error.

"/etc/rc.local:line7:bin/touch:too many open files in system.
/etc/rc.local:/bin/sh:bad interpreter:too many open files in system.
flushing al chains:{ok}
removing user defined chains:(ok)
Resetting built-in chains to the default ACCEPT policy{ok}


I just restarted the system but still my iptables does not start automatically .....

I just go to the terminal and run it manually: ./iptables.

suvashan 06-05-2007 02:51 AM

I just explain your quotes....!
 
Quote 1:
my iptables path is "/"(root)

Actually my iptables script path is "/"

Quote 2:

in this case when i add "/etc/rc.local"
this line i get an error..

I mean I just added the line in my iptables script

like this...

[root@earth root]


[root@earth root] cd / (press enter)


[root@earth /]vi iptables (press enter)

in this script I added this line...

"/etc/rc.local"

and just saved (:wq)

and ran the script

[root@earth /]./iptables

now also I am getting the same problem... the iptables does not start automatically.

SlackDaemon 06-05-2007 03:44 AM

Quote:

Originally Posted by suvashan
Quote 1:
my iptables path is "/"(root)

Actually my iptables script path is "/"

Quote 2:
in this script I added this line...

"/etc/rc.local"

and just save (wq)

now also I am getting the same problem... the iptables does not start automatically.

Okay, I think you misunderstood Simon_bridge's instructions.

1) Remove the line /etc/rc.local from your iptables script.

2) vi /etc/rc.local and add the line:

/etc/sysconfig/iptables then save it and restart


If that doesn't work, try the following:

1) Remove the line /etc/rc.local from your iptables script

2) run the iptables script how you normally run it. ./iptables

3) type service iptables save

4) type chkconfig iptables on

5) reboot
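Why step 3 matters, as an added example that is not code from the thread or from the iptables init script: on Fedora/RHEL-style systems "service iptables start" hands /etc/sysconfig/iptables to iptables-restore, which expects the output format of iptables-save (table headers like *nat, chain lines like :INPUT DROP [0:0], -A rules, COMMIT), not a bash script. Copying a shell script there, as the first post did, therefore cannot work at boot, while "service iptables save" writes the right format. The function below tells the two apart; write_samples writes constructed inputs (a bash script in the style of the thread, a small iptables-save file, and a truncated one) so it can be tried offline.

```shell
#!/bin/sh
# Added example, not code from the thread or from the iptables init script:
# tell apart a file in iptables-save format (what "service iptables save"
# writes and "service iptables start" feeds to iptables-restore) from a shell
# script copied to /etc/sysconfig/iptables by mistake. Sample files are
# constructed.

# iptables_restore_format FILE
# Returns 0 when every non-comment line of FILE is a table header (*nat),
# a chain line (:INPUT DROP [0:0]), a rule (-A ...) or COMMIT, and each
# table opened with * is closed by COMMIT. Otherwise reports the first bad
# line on stderr and returns 1.
iptables_restore_format() {
    file=$1
    open=0   # 1 while inside a *table ... COMMIT block
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|'#'*) ;;          # blank or comment ("# Generated by iptables-save ...")
            '*'*)
                [ "$open" -eq 0 ] || { echo "$file:$n: new table before COMMIT" >&2; return 1; }
                open=1 ;;
            ':'*|-A\ *|-I\ *|-N\ *|-P\ *)
                [ "$open" -eq 1 ] || { echo "$file:$n: rule outside a *table block" >&2; return 1; }
                ;;
            COMMIT)
                [ "$open" -eq 1 ] || { echo "$file:$n: COMMIT without a table" >&2; return 1; }
                open=0 ;;
            *)
                echo "$file:$n: not iptables-save syntax (a shell script?): $line" >&2
                return 1 ;;
        esac
    done < "$file"
    [ "$open" -eq 0 ] || { echo "$file: last table has no COMMIT" >&2; return 1; }
}

# write_samples DIR: constructed inputs, a bash firewall script like the one
# in the thread, what iptables-save produces for a small NAT + filter setup,
# and a file cut off before its COMMIT.
write_samples() {
    printf '#!/bin/bash\nAPORTS="80 3128"\niptables --flush\n' > "$1/script.sh"
    printf '%s\n' \
        '# Generated by iptables-save (constructed sample)' \
        '*nat' \
        ':PREROUTING ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' \
        '-A POSTROUTING -s 192.168.1.100/32 -o eth0 -j MASQUERADE' \
        'COMMIT' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT' \
        'COMMIT' \
        '# Completed' > "$1/saved"
    printf '*filter\n:INPUT DROP [0:0]\n' > "$1/truncated"
}

# Usage on the real box: iptables_restore_format /etc/sysconfig/iptables
```

If the real /etc/sysconfig/iptables fails this check, the fix is SlackDaemon's second list: run the script by hand, then "service iptables save" (which overwrites the file in the correct format) and "chkconfig iptables on".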

suvashan 06-05-2007 04:46 AM

hi James Dewar

I tried, but again it does not work automatically ...

manually I am starting it (./iptables)

thanks for your advice.. need help... else can I put the job in cron...?


need some advice

selvam

SlackDaemon 06-05-2007 05:00 AM

Please post your iptables script. You don't want to use cron for this!

suvashan 06-05-2007 05:50 AM

#!/bin/bash
# /usr/local/sbin/setiptables.bash


# Acceptable ports


APORTS=" 23 1720 80 389 522 1503 1720 1731 1433 8383 110 3128 5060 1503 3129 4311 1433 554 1755"
# Reject ports Kazaa (1214), Gnutella (6346 6347)
RPORTS=" 1214 443 445 135 25 6346 6347 81"

EX_ETH=eth0 # External Interface
IN_ETH=eth1 # Local Interface
LOCAL_IP=192.168.1.100 # Local Host IP
LOCAL_NET=192.168.1.0/192.168.1.120 # Local Network
#EXTERNAL_NET=202.144.158.192/28 # External Network
EXTERNAL_NET=61.247.252.125 # External Network
EXTERNAL_IP=61.247.252.125
PROXY_IP=192.168.1.100 # Proxy Server IP (Transparent Proxy)
PROXY_PORT=3128 # Proxy Server Port No

# Clear all iptables

#/etc/init.d/iptables stop
#comment on 03/04/2006

/etc/init.d/iptables stop
#created on 03/04/2006

iptables --flush
iptables --delete-chain

#iptables -P INPUT DROP
#iptables -P OUTPUT ACCEPT
#iptables -P FORWARD ACCEPT

#iptables -A INPUT --dport 25 -j DROP

# Masquerade


#iptables -t nat -A PREROUTING -p tcp -i $EX_ETH -d $EXTERNAL_NET --dport 5060 -j DNAT --to 192.168.1.200:80

#iptables -A FORWARD -p tcp -i $EX_ETH -d 192.168.1.200 --dport 80 -j ACCEPT





#iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 3389

iptables -t nat -A POSTROUTING -s 192.168.1.100 -o $EX_ETH -j MASQUERADE

iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 5900
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 21
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 110

iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE

iptables -t nat -A POSTROUTING -s 192.168.1.68 -o $EX_ETH -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.1.68 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
#iptables -t nat -A POSTROUTING -s 192.168.1.68 -o $EX_ETH -j MASQUERADE -p tcp --dport 110

#iptables -t nat -A POSTROUTING -s 192.168.1.55 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.55 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.55 -o $EX_ETH -j MASQUERADE -p tcp --dport 110


iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE -p tcp --dport 21
iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE -p tcp --dport 110

iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE

iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 21
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 1434
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 3389
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE

iptables -t nat -A POSTROUTING -s 192.168.1.3 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.3 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
#iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 3389

iptables -t nat -A POSTROUTING -s 192.168.1.1 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.1 -o $EX_ETH -j MASQUERADE -p tcp --dport 110


iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 1434
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 3389
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 5900



iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337

iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
#iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433


#iptables -t nat -A POSTROUTING -s 192.168.1.12 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.12 -o $EX_ETH -j MASQUERADE -p tcp --dport 21
iptables -t nat -A POSTROUTING -s 192.168.1.12 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.12 -o $EX_ETH -j MASQUERADE -p tcp --dport 110


iptables -t nat -A POSTROUTING -s 192.168.1.37 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.37 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.37 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
iptables -t nat -A POSTROUTING -s 192.168.1.37 -o $EX_ETH -j MASQUERADE -p tcp --dport 5900

iptables -t nat -A POSTROUTING -s 192.168.1.10 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.10 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
#iptables -t nat -A POSTROUTING -s 192.168.1.2 -o $EX_ETH -j MASQUERADE

iptables -t nat -A POSTROUTING -s 192.168.1.24 -o $EX_ETH -j MASQUERADE

iptables -t nat -A POSTROUTING -s 192.168.1.2 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.14 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.14 -o $EX_ETH -j MASQUERADE -p tcp --dport 110

iptables -t nat -A POSTROUTING -s 192.168.1.57 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.57 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.57 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337


# Transparent Proxy
#iptables -t nat -A PREROUTING -i $IN_ETH \
# -p tcp --dport 80 -j REDIRECT --to-port $PROXY_PORT

# Transparent Proxy (to a Remote Box)
# iptables -t nat -A PREROUTING -i $IN_ETH -s ! $LOCAL_IP -p tcp \
# --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
# iptables -t nat -A POSTROUTING -o eth0 -s $LOCAL_NET -d $PROXY_IP \
# -j SNAT --to $LOCAL_IP
# iptables -A FORWARD -s $LOCAL_NET -d $PROXY_IP -i $IN_ETH -o $EX_ETH
# -p tcp --dport $PROXY_PORT -j ACCEPT

#packets for established connections

iptables -A INPUT -p tcp -d 61.247.252.125 -m state --state \
NEW,ESTABLISHED,RELATED -j ACCEPT

#iptables -A INPUT -p tcp -d 61.247.252.125 -i eth0 -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES ACCEPT]'
# Accept
for AP in $APORTS
do
#iptables -A INPUT -i $EX_ETH -p tcp --dport $AP -s $LOCAL_NET -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES ACCEPT]'

#iptables -A INPUT -i $EX_ETH -p udp --dport $AP -s $LOCAL_NET -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES ACCEPT]'
iptables -A INPUT -i $EX_ETH -p tcp --dport $AP -s $LOCAL_NET -j ACCEPT
iptables -A INPUT -i $EX_ETH -p udp --dport $AP -s $LOCAL_NET -j ACCEPT
# iptables -A INPUT -j ACCEPT -p all -s 192.168.1.0/192.168.1.120 -i eth1
# iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/192.168.1.120 -o eth1
done



#iptables -A OUTPUT -p ALL -s 192.168.1.100 -j ACCEPT
#iptables -A OUTPUT -p ALL -s 192.168.1.1 -j ACCEPT
#iptables -A INPUT -i eth1 -s 0/0 -d 192.168.1.42 -j REJECT


#for AP in $APORTS
#do
iptables -A INPUT -d 61.247.252.125 -i $EX_ETH -p tcp --dport $AP -j ACCEPT
iptables -A INPUT -d 61.247.252.125 -i $EX_ETH -p udp --dport $AP -j ACCEPT
#done

# Reject
#for RP in $RPORTS
#do
# iptables -A INPUT -p tcp --dport $RP -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP]'
# iptables -A INPUT -p tcp --dport $RP -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP]'
# iptables -A INPUT -p tcp --dport $RP -j REJECT
# iptables -A INPUT -p udp --dport $RP -j REJECT
# iptables -A INPUT -i eth1 -p tcp --dport $RP -j REJECT
# iptables -A INPUT -i eth1 -p udp --dport $RP -j REJECT
#done

#iptables -A INPUT -i $IN_ETH -p tcp --dport 5060 -j ACCEPT
#iptables -A INPUT -i $IN_ETH -p udp -m udp --dport 7070:7080 -j ACCEPT
#iptables -A FORWARD -o eth1 -p tcp --dport 5000:5050 -j DROP


# Any other packets must be dropped.
#iptables -A INPUT -i $EX_ETH -m state --state NEW,INVALID -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP]'
#iptables -A INPUT -i $EX_ETH -m state --state NEW,INVALID -j DROP


# FORWARD Chain
#:iptables -A FORWARD -i $EX_ETH -m state --state NEW,INVALID -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP]'
#iptables -A FORWARD -i $EX_ETH -m state --state NEW,INVALID -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward

#iptables -A INPUT -i $EX_ETH -p tcp --dport 80 -j LOG
#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 80 -j DNAT --to-dest 192.168.1.200:80
#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 8081 -j DNAT --to-dest 192.168.1.200:8081
#iptables -t nat -A PREROUTING -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 80 -j LOG
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 554 -j ACCEPT

#iptables -A INPUT -i $EX_ETH -p tcp --dport 1433 -j LOG
#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 1433 -j DNAT --to-dest 192.168.1.200:1433
#iptables -t nat -A PREROUTING -j ACCEPT


#iptables -t nat -A PREROUTING -s any/0 -d 61.247.252.125 -p tcp --dport 554 -j DNAT --to-dest 192.168.1.200:554

#iptables -A FORWARD -i $EX_ETH -j ACCEPT
#iptables -A FORWARD -i $IN_ETH -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp -d 192.168.1.200 --dport 554 -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp -d 192.168.1.200 --dport 7070 -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p udp -d 192.168.1.200 --dport 554 -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p udp -d 192.168.1.200 --dport 7070 -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p udp -d 192.168.1.200 --dport 6970:6999 -j ACCEPT

#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p tcp --dport 554 -j DNAT --to-destination 192.168.1.200:554
#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p tcp --dport 7070 -j DNAT --to-destination 192.168.1.200:7070
#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p udp --dport 554 -j DNAT --to-destination 192.168.1.200:554
#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p udp --dport 7070 -j DNAT --to-destination 192.168.1.200:7070
#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p udp --dport 6970:6999 -j DNAT --to-destination 192.168.1.200:6970-6999



#echo 1 > /proc/sys/net/ipv4/ip_forward

#iptables -t nat -A PREROUTING -i $IN_ETH -p tcp --dport 5060 -j DNAT --to-dest 192.168.1.200:5060

#iptables -t nat -A PREROUTING -j ACCEPT
#iptables -A FORWARD -i $IN_ETH -p tcp -s 192.168.1.200 \
#-o $IN_ETH --dport 5060 -m state --state NEW -j ACCEPT

#iptables -A FORWARD -t filter -o $IN_ETH -m state \
# --state NEW,ESTABLISHED,RELATED -j ACCEPT

#iptables -A FORWARD -t filter -i $IN_ETH -m state \
# --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -p tcp --dport 5060 -j LOG --log-prefix "test"
#iptables -A FORWARD -s 192.168.1.200 -i $IN_ETH -o $IN_ETH -p tcp -j ACCEPT



#iptables -t nat -A FORWARD -i $IN_ETH -o $IN_ETH -p tcp --dport 5060 -m state --state ESTABLISHED -j ACCEPT

#iptables -A INPUT -p tcp -i $EX_ETH --dport 1720 -j LOG --log-prefix "mytest"
iptables -A PREROUTING -t nat -p tcp -d $EXTERNAL_IP --dport 1720 -j DNAT --to-dest 192.168.1.200:1720
iptables -t nat -A PREROUTING -j ACCEPT

iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 1720 -j ACCEPT


#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 10200:10209 -j DNAT --to-destination 192.168.1.100
#iptables -A FORWARD -d $LOCAL_IP -o $IN_ETH -p tcp --dport 10200:10209 -j ACCEPT


#iptables -t nat -A PREROUTING -i $EX_ETH -p udp --dport 10200:10259 -j DNAT --to-destination 192.168.1.100
#iptables -A FORWARD -d $LOCAL_IP -i $IN_ETH -p udp --dport 10200:10259 -j ACCEPT


#iptables -I PREROUTING -t nat -p tcp --dport 1720 -j REDIRECT
#iptables -I INPUT -p tcp --dport 1720 -j LOG --log-prefix "hello"
iptables -I INPUT -p tcp --dport 1720 -j ACCEPT
iptables -I INPUT -p tcp --dport 10200:10209 -j ACCEPT
iptables -I INPUT -p udp --dport 10200:10259 -j ACCEPT


iptables -I OUTPUT -p tcp -j ACCEPT
iptables -I OUTPUT -p udp -j ACCEPT

iptables -I INPUT -p tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT


#iptables -I PREROUTING -t nat -p tcp --dport 10200:10209 -d $EXTERNAL_NET -j DNAT --to-destination $LOCAL_IP
#iptables -I PREROUTING -t nat -p udp --dport 10200:10259 -d $EXTERNAL_NET -j DNAT --to-destination $LOCAL_IP
#iptables -I PREROUTING -t nat -p tcp --dport 5060 ! -s $EXTERNAL_NET -j DNAT --to-destination 192.168.1.200

#iptables -t nat -I PREROUTING -p tcp --dport 5060 -i $IN_ETH -j DNAT --to-dest 192.168.1.200:5060
#iptables -t nat -A PREROUTING -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 7101 -j ACCEPT


#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 7102 -j DNAT --to-dest 192.168.1.200:7102
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 7102 -j ACCEPT
#iptables -A FORWARD -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -p tcp -d 64.4.13.0/24 -j DROP

# Turn on IP forwarding
#echo 1 > /proc/sys/net/ipv4/ip_forward

#iptables -A FORWARD -i eth0 -o eth0 -j LOG --log-prefix "external try"
#iptables -A FORWARD -i eth0 -o eth0 -j REJECT
#iptables -A OUTPUT -j LOG -o eth0
#iptables -A INPUT -j LOG
#iptables -A FORWARD -j LOG --log-prefix "forward only"

suvashan 06-05-2007 05:50 AM

hi, please see my iptables script....!

