iptables are not run automatically
Hi friends,
I need some help. I made a Linux server for a proxy (Squid) and a firewall (iptables). Now my problem is that when I boot my server my firewall script is not started automatically. I want the firewall script to run when the system boots. I have already done some steps for that, like copying my script to "/etc/sysconfig/iptables". These are all the steps I did:

cp /root/primary_firewall /etc/sysconfig/iptables
vi /etc/rc.local

and added the following line:

/sbin/insmod ip_conntrack_ftp

then saved and exited the file. But still my iptables are not started when the system boots, so every time I have to log in and run iptables like ./iptables. So I want to put this job in cron. Please help me. |
Add the command to run your iptables script to /etc/rc.local.
Though, if this is Fedora, there is a special method. Note: I hope you are not logging in as root routinely... |
Hello, where can I add this?
My iptables path is "/".

cp /etc/rc.local /etc/sysconfig/iptables
vi /etc/rc.local

and added the following line:

/sbin/insmod ip_conntrack_ftp

Save and exit the file. So now where do I have to put this /etc/rc.local line: in /etc/rc.local or in /root/primary_firewall? Please reply. |
The command you ran to start your firewall manually was:

./iptables

The ./ tells the shell to look in the current working directory. In the example you gave, the working directory was /root, so I'm guessing that the iptables script is /root/iptables... so the relevant line in /etc/rc.local would be /root/iptables. |
..my iptables
Hi,
My iptables path is "/" (root). In this case, when I add the line "/etc/rc.local", I get an error: "insmod: ipconntrack_ftp: no module by that name found". So I reopened my iptables and commented out the line "/etc/rc.local". selvam |
"insmod:ipconntrack_ftp:no module by that name found"
... remove the insmod line from /etc/rc.local |
Please clarify your statements.
Quote:
Could it be that you have your firewall script in the root directory? Why would you put this in such an odd place? Quote:
Quote:
What you do is: vi /etc/rc.local, find the line that says:

/sbin/insmod ip_conntrack_ftp

delete that line, then add a new line in its place that gives the full path to the command you used to start your firewall. I.e. if you start your firewall with the following commands:

cd /root
./firewall.sh

... then the new line will say:

/root/firewall.sh |
I get this error!
I just removed the "insmod line from /etc/rc.local"
and went to my iptables:

# cd /
# vi iptables

Here I just added "/etc/rc.local", then saved this file (wq) and ran the script ./iptables. Now I get an error:

/etc/rc.local: line 7: bin/touch: too many open files in system.
/etc/rc.local: /bin/sh: bad interpreter: too many open files in system.
flushing al chains:{ok}
removing user defined chains:(ok)
Resetting built-in chains to the default ACCEPT policy{ok}

I just restarted the system, but still my iptables do not start automatically. I just go to the terminal and run it manually: ./iptables. |
I will just explain your quotes!
Quote 1:
My iptables path is "/" (root). Actually my iptables script path is "/".
Quote 2:
In this case, when I add the line "/etc/rc.local", I get an error. I mean I just added the line to my iptables script like this:

[root@earth root] cd /   (press enter)
[root@earth /] vi iptables   (press enter)

In this script I added this line: "/etc/rc.local" and just saved (wq) and ran the script:

[root@earth /] ./iptables

Now also I am getting the same problem: the iptables do not start automatically. |
Quote:
1) Remove the line /etc/rc.local from your iptables script.
2) vi /etc/rc.local and add the line: /etc/sysconfig/iptables
then save it and restart.
If that doesn't work, try the following:
1) Remove the line /etc/rc.local from your iptables script.
2) Run the iptables script how you normally run it: ./iptables
3) Type: service iptables save
4) Type: chkconfig iptables on
5) Reboot |
Hi James Dewar,
I tried it, but again it does not work automatically; manually I am starting it (./iptables). Thanks for your advice. I need help... else can I put the job in cron? I need some advice. selvam |
Please post your iptables script. You don't want to use cron for this!
|
#!/bin/bash
# /usr/local/sbin/setiptables.bash
# Acceptable ports
APORTS=" 23 1720 80 389 522 1503 1720 1731 1433 8383 110 3128 5060 1503 3129 4311 1433 554 1755"
# Reject ports Kazaa(1214), Gnnutella (6346 6347)
RPORTS=" 1214 443 445 135 25 6346 6347 81"
EX_ETH=eth0 # External Interface
IN_ETH=eth1 # Local Interface
LOCAL_IP=192.168.1.100 # Local Host IP
LOCAL_NET=192.168.1.0/192.168.1.120 # Local Network
#EXTERNAL_NET=202.144.158.192/28 # External Network
EXTERNAL_NET=61.247.252.125 # External Networki
EXTERNAL_IP=61.247.252.125
PROXY_IP=192.168.1.100 # Proxy Server IP (Transparent Proxy)
PROXY_PORT=3128 # Proxy Server Port No
# Clear all iptables
#/etc/init.d/iptables stop #comment on 03/04/2006
/etc/init.d/iptables stop #created on 03/04/2006
iptables --flush
iptables --delete-chain
#iptables -P INPUT DROP
#iptables -P OUTPUT ACCEPT
#iptables -P FORWARD ACCEPT
#iptables -A INPUT --dport 25 -j DROP
# Masquerade
#iptables -t nat -A PREROUTING -p tcp -i $EX_ETH -d $EXTERNAL_NET --dport 5060 -j DNAT --to 192.168.1.200:80
#iptables -A FORWARD -p tcp -i $EX_ETH -d 192.168.1.200 --dport 80 -j ACCEPT
#iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 3389
iptables -t nat -A POSTROUTING -s 192.168.1.100 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 5900
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 21
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.68 -o $EX_ETH -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.1.68 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
#iptables -t nat -A POSTROUTING -s 192.168.1.68 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
#iptables -t nat -A POSTROUTING -s 192.168.1.55 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.55 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.55 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE -p tcp --dport 21
iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 21
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 1434
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 3389
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.3 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.3 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
#iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 3389
iptables -t nat -A POSTROUTING -s 192.168.1.1 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.1 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 1434
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 3389
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 5900
iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
#iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
#iptables -t nat -A POSTROUTING -s 192.168.1.12 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.12 -o $EX_ETH -j MASQUERADE -p tcp --dport 21
iptables -t nat -A POSTROUTING -s 192.168.1.12 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.12 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.37 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.37 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.37 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
iptables -t nat -A POSTROUTING -s 192.168.1.37 -o $EX_ETH -j MASQUERADE -p tcp --dport 5900
iptables -t nat -A POSTROUTING -s 192.168.1.10 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.10 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
#iptables -t nat -A POSTROUTING -s 192.168.1.2 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.24 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.2 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.14 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.14 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.57 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.57 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.57 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
# Transparent Proxy
#iptables -t nat -A PREROUTING -i $IN_ETH \
#    -p tcp --dport 80 -j REDIRECT --to-port $PROXY_PORT
# Transparent Proxy (to a Remote Box)
# iptables -t nat -A PREROUTING -i $IN_ETH -s ! $LOCAL_IP -p tcp \
#    --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
# iptables -t nat -A POSTROUTING -o eth0 -s $LOCAL_NET -d $PROXY_IP \
#    -j SNAT --to $LOCAL_IP
# iptables -A FORWARD -s $LOCAL_NET -d $PROXY_IP -i $IN_ETH -o $EX_ETH
#    -p tcp --dport $PROXY_PORT -j ACCEPT
#packets for established connections
iptables -A INPUT -p tcp -d 61.247.252.125 -m state --state \
    NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A INPUT -p tcp -d 61.247.252.125 -i eth0 -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES ACCEPT]'
# Accept
for AP in $APORTS
do
    #iptables -A INPUT -i $EX_ETH -p tcp --dport $AP -s $LOCAL_NET -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES ACCEPT]'
    #iptables -A INPUT -i $EX_ETH -p udp --dport $AP -s $LOCAL_NET -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES ACCEPT]'
    iptables -A INPUT -i $EX_ETH -p tcp --dport $AP -s $LOCAL_NET -j ACCEPT
    iptables -A INPUT -i $EX_ETH -p udp --dport $AP -s $LOCAL_NET -j ACCEPT
    # iptables -A INPUT -j ACCEPT -p all -s 192.168.1.0/192.168.1.120 -i eth1
    # iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/192.168.1.120 -o eth1
done
#iptables -A OUTPUT -p ALL -s 192.168.1.100 -j ACCEPT
#iptables -A OUTPUT -p ALL -s 192.168.1.1 -j ACCEPT
#iptables -A INPUT -i eth1 -s 0/0 -d 192.168.1.42 -j REJECT
#for AP in $APORTS
#do
iptables -A INPUT -d 61.247.252.125 -i $EX_ETH -p tcp --dport $AP -j ACCEPT
iptables -A INPUT -d 61.247.252.125 -i $EX_ETH -p udp --dport $AP -j ACCEPT
#done
# Reject
#for RP in $RPORTS
#do
# iptables -A INPUT -p tcp --dport $RP -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP]'
# iptables -A INPUT -p tcp --dport $RP -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP]'
# iptables -A INPUT -p tcp --dport $RP -j REJECT
# iptables -A INPUT -p udp --dport $RP -j REJECT
# iptables -A INPUT -i eth1 -p tcp --dport $RP -j REJECT
# iptables -A INPUT -i eth1 -p udp --dport $RP -j REJECT
#done
#iptables -A INPUT -i $IN_ETH -p tcp --dport 5060 -j ACCEPT
#iptables -A INPUT -i $IN_ETH -p udp -m udp --dport 7070:7080 -j ACCEPT
#iptables -A FORWARD -o eth1 -p tcp --dport 5000:5050 -j DROP
# Any other packets must be dropped.
#iptables -A INPUT -i $EX_ETH -m state --state NEW,INVALID -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP]'
#iptables -A INPUT -i $EX_ETH -m state --state NEW,INVALID -j DROP
# FORWARD Chain
#:iptables -A FORWARD -i $EX_ETH -m state --state NEW,INVALID -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP]'
#iptables -A FORWARD -i $EX_ETH -m state --state NEW,INVALID -j DROP
echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables -A INPUT -i $EX_ETH -p tcp --dport 80 -j LOG
#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 80 -j DNAT --to-dest 192.168.1.200:80
#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 8081 -j DNAT --to-dest 192.168.1.200:8081
#iptables -t nat -A PREROUTING -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 80 -j LOG
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 554 -j ACCEPT
#iptables -A INPUT -i $EX_ETH -p tcp --dport 1433 -j LOG
#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 1433 -j DNAT --to-dest 192.168.1.200:1433
#iptables -t nat -A PREROUTING -j ACCEPT
#iptables -t nat -A PREROUTING -s any/0 -d 61.247.252.125 -p tcp --dport 554 -j DNAT --to-dest 192.168.1.200:554
#iptables -A FORWARD -i $EX_ETH -j ACCEPT
#iptables -A FORWARD -i $IN_ETH -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp -d 192.168.1.200 --dport 554 -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp -d 192.168.1.200 --dport 7070 -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p udp -d 192.168.1.200 --dport 554 -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p udp -d 192.168.1.200 --dport 7070 -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p udp -d 192.168.1.200 --dport 6970:6999 -j ACCEPT
#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p tcp --dport 554 -j DNAT --to-destination 192.168.1.200:554
#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p tcp --dport 7070 -j DNAT --to-destination 192.168.1.200:7070
#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p udp --dport 554 -j DNAT --to-destination 192.168.1.200:554
#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p udp --dport 7070 -j DNAT --to-destination 192.168.1.200:7070
#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p udp --dport 6970:6999 -j DNAT --to-destination 192.168.1.200:6970-6999
#echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables -t nat -A PREROUTING -i $IN_ETH -p tcp --dport 5060 -j DNAT --to-dest 192.168.1.200:5060
#iptables -t nat -A PREROUTING -j ACCEPT
#iptables -A FORWARD -i $IN_ETH -p tcp -s 192.168.1.200 \
#-o $IN_ETH --dport 5060 -m state --state NEW -j ACCEPT
#iptables -A FORWARD -t filter -o $IN_ETH -m state \
# --state NEW,ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -t filter -i $IN_ETH -m state \
# --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -p tcp --dport 5060 -j LOG --log-prefix "test"
#iptables -A FORWARD -s 192.168.1.200 -i $IN_ETH -o $IN_ETH -p tcp -j ACCEPT
#iptables -t nat -A FORWARD -i $IN_ETH -o $IN_ETH -p tcp --dport 5060 -m state --state ESTABLISHED -j ACCEPT
#iptables -A INPUT -p tcp -i $EX_ETH --dport 1720 -j LOG --log-prefix "mytest"
iptables -A PREROUTING -t nat -p tcp -d $EXTERNAL_IP --dport 1720 -j DNAT --to-dest 192.168.1.200:1720
iptables -t nat -A PREROUTING -j ACCEPT
iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 1720 -j ACCEPT
#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 10200:10209 -j DNAT --to-destination 192.168.1.100
#iptables -A FORWARD -d $LOCAL_IP -o $IN_ETH -p tcp --dport 10200:10209 -j ACCEPT
#iptables -t nat -A PREROUTING -i $EX_ETH -p udp --dport 10200:10259 -j DNAT --to-destination 192.168.1.100
#iptables -A FORWARD -d $LOCAL_IP -i $IN_ETH -p udp --dport 10200:10259 -j ACCEPT
#iptables -I PREROUTING -t nat -p tcp --dport 1720 -j REDIRECT
#iptables -I INPUT -p tcp --dport 1720 -j LOG --log-prefix "hello"
iptables -I INPUT -p tcp --dport 1720 -j ACCEPT
iptables -I INPUT -p tcp --dport 10200:10209 -j ACCEPT
iptables -I INPUT -p udp --dport 10200:10259 -j ACCEPT
iptables -I OUTPUT -p tcp -j ACCEPT
iptables -I OUTPUT -p udp -j ACCEPT
iptables -I INPUT -p tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
#iptables -I PREROUTING -t nat -p tcp --dport 10200:10209 -d $EXTERNAL_NET -j DNAT --to-destination $LOCAL_IP
#iptables -I PREROUTING -t nat -p udp --dport 10200:10259 -d $EXTERNAL_NET -j DNAT --to-destination $LOCAL_IP
#iptables -I PREROUTING -t nat -p tcp --dport 5060 ! -s $EXTERNAL_NET -j DNAT --to-destination 192.168.1.200
#iptables -t nat -I PREROUTING -p tcp --dport 5060 -i $IN_ETH -j DNAT --to-dest 192.168.1.200:5060
#iptables -t nat -A PREROUTING -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 7101 -j ACCEPT
#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 7102 -j DNAT --to-dest 192.168.1.200:7102
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 7102 -j ACCEPT
#iptables -A FORWARD -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -p tcp -d 64.4.13.0/24 -j DROP
# Turn on IP forwarding
#echo 1 > /proc/sys/net/ipv4/ip_forward
#iptables -A FORWARD -i eth0 -o eth0 -j LOG --log-prefix "external try"
#iptables -A FORWARD -i eth0 -o eth0 -j REJECT
#iptables -A OUTPUT -j LOG -o eth0
#iptables -A INPUT -j LOG
#iptables -A FORWARD -j LOG --log-prefix "forward only" |
Hi, please see my iptables script!
|
Is it just me or are you a wee bit confused about how to write an iptables script?
I.e. you set default ACCEPT policy on output and have ACCEPT output rules... but it shouldn't stop it working. How can you tell that this script isn't starting at boot? (Have you tried iptables -L ?) Could it be that your iptables script is:

/usr/local/sbin/setiptables.bash

It would help a lot if we knew which distribution you are running. |
Wow, what a firewall script. Thank god most of it is commented out...
No, seriously though -- you'll never get happy if you just keep aimlessly throwing things around and hope they'll just magically work somehow. Some hints:
1. Decide on a name and location for your firewall script. I have lost count of how many names you have already given for it in this thread. And make sensible choices. ('iptables' is *not* a good name for your script.) I'd suggest something like '/usr/local/sbin/firewall'.
2. There is a difference between "/" and "/root", even though "/" is pronounced "root". Yes, it's confusing. Well, not really. Only when you speak about it.
3. As others have already pointed out: you want to call your script from rc.local -- not the other way around. I.e. add a line '/usr/local/sbin/firewall' to your rc.local. Do not add any reference to rc.local to your firewall script. It does not make sense!
4. You want to use modprobe, not insmod.
5. As to your actual firewall script: I don't think it does what you think it does. Here is a suggestion to get you started: (you need to edit the settings in the top section)
Code:
#!/bin/sh
Rupert |
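Since the suggested script did not survive in the thread, here is an added example (not Rupert's code) of the shape hint 5 asks for: a default-deny firewall for this thread's layout with all settings in a top section, a dry-run mode so the rule set can be checked without root, and apply_rules as the single entry point that rc.local would call. Interface names, LAN range and proxy port are assumptions taken from the thread's own variables.

```shell
#!/bin/sh
# Added example, not Rupert's suggested script: a minimal firewall for the
# layout in this thread (eth0 outside, eth1 inside, Squid on this box as a
# transparent proxy). Interface names, network and port are assumptions taken
# from the thread's variables; edit them before use.
IPT="${IPT:-/sbin/iptables}"   # set IPT=echo to print the rules instead of applying them
EX_ETH=eth0                    # external interface
IN_ETH=eth1                    # internal interface
LOCAL_NET=192.168.1.0/24       # LAN behind the firewall
PROXY_PORT=3128                # Squid listening port on this box

apply_rules() {
    # Start from a clean slate in the filter and nat tables.
    $IPT -F
    $IPT -t nat -F
    $IPT -X

    # Default deny for traffic to and through the box; the box itself may talk out.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, and replies to connections the box or the LAN already opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets that belong to no known connection are dropped, not forwarded.
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP

    # Only the LAN may reach the proxy port; nothing from outside can.
    $IPT -A INPUT -i "$IN_ETH" -s "$LOCAL_NET" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    # Transparent proxy: LAN web traffic is redirected to Squid on this box.
    $IPT -t nat -A PREROUTING -i "$IN_ETH" -s "$LOCAL_NET" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"

    # Other new LAN connections leave through NAT on the external interface.
    $IPT -A FORWARD -i "$IN_ETH" -o "$EX_ETH" -s "$LOCAL_NET" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EX_ETH" -s "$LOCAL_NET" -j MASQUERADE

    # Log (rate limited) what the INPUT policy is about to drop on the outside.
    $IPT -A INPUT -i "$EX_ETH" -m limit --limit 5/min -j LOG --log-prefix '[IPTABLES DROP] '

    # Routing between the interfaces; skipped in dry-run mode.
    [ "$IPT" = echo ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

# dry_run: print the iptables invocations apply_rules would make, one per line.
dry_run() {
    (IPT=echo; apply_rules)
}

# rule_count: number of iptables invocations in the dry run (a sanity check
# that needs no root, e.g. from a test).
rule_count() {
    dry_run | grep -c -- '^-'
}

# sets_default_drop: succeeds if the dry run sets a DROP policy on INPUT and FORWARD.
sets_default_drop() {
    dry_run | grep -q -- '^-P INPUT DROP' && dry_run | grep -q -- '^-P FORWARD DROP'
}

# Run as "/usr/local/sbin/firewall apply" from rc.local to load the rules.
if [ "${1:-}" = apply ]; then
    apply_rules
fi
```

Run it once with IPT=echo to read the rules it would load before putting the apply line into rc.local.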
Hi Simon,
I just checked iptables -L on my terminal. It shows some details about my firewall:

chain INPUT policy
target prot opt source destination
. . . . .
chain FORWARD (policy ACCEPT)
target prot opt source destination
. . . . .
chain FORWARD (policy ACCEPT)
target prot opt source destination
chain OUTPUT (policy ACCEPT)
target prot opt source destination

My iptables script path is "/", not "/usr/local/sbin/setiptables.bash". What should I do? |
Hi Simon,
My iptables script path is "/", not "/usr/local/sbin/setiptables.bash". |
Show the following command and the output:

cat /usr/local/sbin/setiptables.bash

... I'll explain: at the top of your iptables script, there is a line which goes:

# /usr/local/sbin/setiptables.bash

i.e. a commented filename. This is usually the name of the script file. If this is the case, then your iptables script is actually /usr/local/sbin/setiptables.bash and not /iptables as previously stated. I'd like to verify this. |
Quote:
have you tried sudo iptables -L |
cat /usr/local/sbin/setiptables.bash
The output is: cat: /usr/local/sbin/setiptables.bash: no such file or directory. |
I tried "sudo iptables -L".
It shows some details about my firewall:

chain INPUT policy
target prot opt source destination
. . . . .
chain FORWARD (policy ACCEPT)
target prot opt source destination
. . . . .
chain FORWARD (policy ACCEPT)
target prot opt source destination
chain OUTPUT (policy ACCEPT)
target prot opt source destination |
This is funny... is that a direct paste or did you edit it?
From that script you should have:

Chain INPUT (policy DROP)
target prot opt source destination
... input rules
Chain FORWARD (policy ACCEPT)
... forward rules
Chain OUTPUT (policy ACCEPT)
... output rules

... this means that the firewall you designed is loaded. If they are all "policy ACCEPT" and no rules, then the firewall has not loaded. |
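A scripted form of that check, added here as an example (not posted by anyone in the thread): it applies the "all policy ACCEPT and no rules" test to two constructed iptables -L -n listings, and check_live runs the same test on the live box, which assumes root and the iptables binary.

```shell
#!/bin/sh
# Added example: the "all policy ACCEPT and no rules" test from the reply above,
# applied to iptables -L -n listings. Both listings are constructed samples
# modelled on this thread, not real output from the poster's machine.
EMPTY_LISTING='Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
'

LOADED_LISTING='Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.1.0/24       0.0.0.0/0            tcp dpt:3128
ACCEPT     tcp  --  0.0.0.0/0            61.247.252.125       state NEW,RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1720

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
'

# count_rules LISTING: number of rule lines, i.e. everything that is not a
# "Chain ..." header, a column header or a blank line.
count_rules() {
    printf '%s\n' "$1" | grep -v -e '^Chain ' -e '^target ' -e '^$' | grep -c . || true
}

# non_accept_policies LISTING: number of built-in chains whose policy is not ACCEPT.
non_accept_policies() {
    printf '%s\n' "$1" | grep '^Chain .*(policy ' | grep -vc '(policy ACCEPT)' || true
}

# firewall_loaded LISTING: succeeds when the listing shows a loaded ruleset
# (any rule, or any chain with a non-ACCEPT policy); fails on the bare default.
firewall_loaded() {
    [ "$(count_rules "$1")" -gt 0 ] || [ "$(non_accept_policies "$1")" -gt 0 ]
}

# check_live: the same test against the running kernel. Needs root and the
# iptables binary; run it right after a reboot to see whether rc.local
# actually started the firewall script.
check_live() {
    listing=$(iptables -L -n 2>/dev/null) || { echo "iptables -L failed (run as root?)"; return 2; }
    if firewall_loaded "$listing"; then
        echo "firewall loaded: $(count_rules "$listing") rules"
    else
        echo "firewall NOT loaded: default policies and no rules"
        return 1
    fi
}
```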
It's not a direct paste,
and also the output is not normal, and also I get the report only after I run my script. selvam. |
I just rebooted the machine,
went to the terminal and typed "sudo iptables -L". The output is:

chain INPUT (policy ACCEPT)
target prot opt source destination
(blank)
chain FORWARD (policy ACCEPT)
target prot opt source destination
(blank)
chain OUTPUT (policy ACCEPT)
target prot opt source destination
(blank)

But once I run my script (./iptables) and then type "sudo iptables -L", the output is:

chain INPUT (policy ACCEPT)
target prot opt source destination
some IP details and TCP or UDP details and IP ranges come...
chain FORWARD (policy ACCEPT)
some IP details and TCP or UDP details and IP ranges come...
target prot opt source destination
some IP details and TCP or UDP details and IP ranges come...
chain OUTPUT (policy ACCEPT)
target prot opt source destination
some IP details and TCP or UDP details and IP ranges come... |
Well, reboot, then show the result of:

sudo iptables -L
[post edit: done while I was typing]
cat /iptables
cat /etc/rc.local

This time, provide direct pastes which include the command with the output. In future, this is how you show someone your results: direct pastes which include the commands. Unless you report exactly what is there, you are wasting my time and yours. Pull your act together! (It's 1am and I'm getting cranky... bed time!) |