LinuxQuestions.org

iptables are not run automatically (https://www.linuxquestions.org/questions/linux-security-4/iptables-are-not-run-automatically-554536/)

suvashan 05-17-2007 01:49 AM

iptables are not run automatically
 
Hi friends....

I need some help...

I made a Linux server for a proxy (Squid) and a firewall (iptables). Now my problem is that when I boot my server my firewall script is not started automatically. I want the firewall script to run when the system boots. I have already done some steps for that, like copying my script to "/etc/sysconfig/iptables"...

These are all the steps I did...!

"cp /root/primary_firewall /etc/sysconfig/iptables"

"vi /etc/rc.local"

add the following line:

/sbin/insmod ip_conntrack_ftp

Save and exit the file.


But still my iptables is not started when the system boots...

So every time I have to log in and run the iptables like

./iptables

So I want to put this job in cron...

So please help me.

Simon Bridge 05-17-2007 02:00 AM

Add the command to run your iptables script to /etc/rc.local.

Though, if this is Fedora, there is a special method.
Note: I hope you are not logging in as root routinely...

suvashan 05-17-2007 02:31 AM

Hello... where can I add this?
 
My iptables path is "/".

"cp /etc/rc.local /etc/sysconfig/iptables"

"vi /etc/rc.local"

add the following line:

/sbin/insmod ip_conntrack_ftp

Save and exit the file.


So now where do I have to put this, /etc/rc.local...

on /etc/rc.local
or

/root/primary_firewall

please reply ...

Simon Bridge 05-17-2007 03:49 AM

The command you ran to start your firewall manually was:

./iptables

The ./ tells the shell to look in the current working directory. In the example you gave, the working directory was /root, so I'm guessing that the iptables script is /root/iptables... so the relevant line in /etc/rc.local would be /root/iptables.

suvashan 05-17-2007 03:57 AM

s ..my iptables
 
Hi...

My iptables path is "/" (root).

In this case when I add "/etc/rc.local"

this line I get an error..

"insmod:ipconntrack_ftp:no module by that name found"

So I reopened my iptables and commented the line... "/etc/rc.local"

selvam

selvam

Simon Bridge 05-17-2007 05:43 AM

"insmod:ipconntrack_ftp:no module by that name found"

... remove the insmod line from /etc/rc.local

Simon Bridge 05-17-2007 06:00 AM

Please clarify your statements.
Quote:

my iptables path is "/"(root)
Excuse me? How can this be? Surely the iptables program is /sbin/iptables ???
Could it be that you have your firewall script in the root directory? Why would you put this in such an odd place?
Quote:

in this case when i add "/etc/rc.local"
this line i get an error..
Excuse me? This sentence is incomplete... when you add "/etc/rc.local" to what? ... to this line? What line?
Quote:

so i re open my iptables and comment the line..."/etc/rc.local"
How are you opening your iptables and why would you have any mention of /etc/rc.local in there?

What you do is

vi /etc/rc.local

find the line that says:

/sbin/insmod ip_conntrack_ftp

delete that line, then add a new line in its place that gives the full path to the command you used to start your firewall, i.e. if you start your firewall with the following commands:

cd /root
./firewall.sh

... then the new line will say:

/root/firewall.sh

suvashan 05-17-2007 06:02 AM

I get this error...!
 
I just removed the "insmod line from /etc/rc.local"

and went to my iptables.

# cd /
# vi iptables
Here I just added "/etc/rc.local",

then saved the file (wq)

and ran the script ./iptables.

Now I get an error.

"/etc/rc.local:line7:bin/touch:too many open files in system.
/etc/rc.local:/bin/sh:bad interpreter:too many open files in system.
flushing al chains:{ok}
removing user defined chains:(ok)
Resetting built-in chains to the default ACCEPT policy{ok}


I just restarted the system but still my iptables does not start automatically.....

I just go to the terminal and run it manually: ./iptables.

suvashan 06-05-2007 02:51 AM

I'll just explain your quotes....!
 
Quote 1:
my iptables path is "/"(root)

Actually my iptables script path is: "/"

Quote 2:

in this case when i add "/etc/rc.local"
this line i get an error..

I mean I just added the line to my iptables script,

like this...

[root@earth root]

[root@earth root] cd / (press enter)

[root@earth /] vi iptables (press enter)

In this script I added this line...

"/etc/rc.local"

and just saved (wq)

and ran the script

[root@earth /] ./iptables

Now also I am getting the same problem... this iptables does not start automatically.

SlackDaemon 06-05-2007 03:44 AM

Quote:

Originally Posted by suvashan
Quote 1:
my iptables path is "/"(root)

Actually my iptables script path is :/"

Quote 2:
inn these script i was added these line...

"/etc/rc.local"

and just save (wq)

now also i am getting the same problem...these iptables not start automatically.

Okay I think you misunderstood Simon_bridge's instructions.

1) Remove the line /etc/rc.local from your iptables script.

2) vi /etc/rc.local and add the line:

/etc/sysconfig/iptables then save it and restart


If that doesn't work, try the following:

1) Remove the line /etc/rc.local from your iptables script

2) run the iptables script how you normally run it. ./iptables

3) type service iptables save

4) type chkconfig iptables on

5) reboot

suvashan 06-05-2007 04:46 AM

Hi James Dewar,

I tried, but again it does not work automatically...

Manually I am starting it (./iptables).

Thanks for your advice. I need help... otherwise, can I put the job in cron?


Need some advice.

selvam

SlackDaemon 06-05-2007 05:00 AM

Please post your iptables script. You don't want to use cron for this!

suvashan 06-05-2007 05:50 AM

#!/bin/bash
# /usr/local/sbin/setiptables.bash


# Acceptable ports


APORTS=" 23 1720 80 389 522 1503 1720 1731 1433 8383 110 3128 5060 1503 3129 4311 1433 554 1755"
# Reject ports Kazaa(1214), Gnnutella (6346 6347)
RPORTS=" 1214 443 445 135 25 6346 6347 81"

EX_ETH=eth0 # External Interface
IN_ETH=eth1 # Local Interface
LOCAL_IP=192.168.1.100 # Local Host IP
LOCAL_NET=192.168.1.0/192.168.1.120 # Local Network
#EXTERNAL_NET=202.144.158.192/28 # External Network
EXTERNAL_NET=61.247.252.125 # External Networki
EXTERNAL_IP=61.247.252.125
PROXY_IP=192.168.1.100 # Proxy Server IP (Transparent Proxy)
PROXY_PORT=3128 # Proxy Server Port No

# Clear all iptables

#/etc/init.d/iptables stop
#comment on 03/04/2006

/etc/init.d/iptables stop
#created on 03/04/2006

iptables --flush
iptables --delete-chain

#iptables -P INPUT DROP
#iptables -P OUTPUT ACCEPT
#iptables -P FORWARD ACCEPT

#iptables -A INPUT --dport 25 -j DROP

# Masquerade


#iptables -t nat -A PREROUTING -p tcp -i $EX_ETH -d $EXTERNAL_NET --dport 5060 -j DNAT --to 192.168.1.200:80

#iptables -A FORWARD -p tcp -i $EX_ETH -d 192.168.1.200 --dport 80 -j ACCEPT





#iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 3389

iptables -t nat -A POSTROUTING -s 192.168.1.100 -o $EX_ETH -j MASQUERADE

iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 5900
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 21
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE -p tcp --dport 110

iptables -t nat -A POSTROUTING -s 192.168.1.200 -o $EX_ETH -j MASQUERADE

iptables -t nat -A POSTROUTING -s 192.168.1.68 -o $EX_ETH -j MASQUERADE
#iptables -t nat -A POSTROUTING -s 192.168.1.68 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
#iptables -t nat -A POSTROUTING -s 192.168.1.68 -o $EX_ETH -j MASQUERADE -p tcp --dport 110

#iptables -t nat -A POSTROUTING -s 192.168.1.55 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.55 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.55 -o $EX_ETH -j MASQUERADE -p tcp --dport 110


iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE -p tcp --dport 21
iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.15 -o $EX_ETH -j MASQUERADE -p tcp --dport 110

iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE

iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 21
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 1434
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 3389
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE

iptables -t nat -A POSTROUTING -s 192.168.1.3 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.3 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
#iptables -t nat -A POSTROUTING -s 192.168.1.46 -o $EX_ETH -j MASQUERADE -p tcp --dport 3389

iptables -t nat -A POSTROUTING -s 192.168.1.1 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.1 -o $EX_ETH -j MASQUERADE -p tcp --dport 110


iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 1434
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 3389
iptables -t nat -A POSTROUTING -s 192.168.1.45 -o $EX_ETH -j MASQUERADE -p tcp --dport 5900



iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
iptables -t nat -A POSTROUTING -s 192.168.1.44 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337

iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433
#iptables -t nat -A POSTROUTING -s 192.168.1.48 -o $EX_ETH -j MASQUERADE -p tcp --dport 1433


#iptables -t nat -A POSTROUTING -s 192.168.1.12 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.12 -o $EX_ETH -j MASQUERADE -p tcp --dport 21
iptables -t nat -A POSTROUTING -s 192.168.1.12 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.12 -o $EX_ETH -j MASQUERADE -p tcp --dport 110


iptables -t nat -A POSTROUTING -s 192.168.1.37 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.37 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.37 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337
iptables -t nat -A POSTROUTING -s 192.168.1.37 -o $EX_ETH -j MASQUERADE -p tcp --dport 5900

iptables -t nat -A POSTROUTING -s 192.168.1.10 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.10 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
#iptables -t nat -A POSTROUTING -s 192.168.1.2 -o $EX_ETH -j MASQUERADE

iptables -t nat -A POSTROUTING -s 192.168.1.24 -o $EX_ETH -j MASQUERADE

iptables -t nat -A POSTROUTING -s 192.168.1.2 -o $EX_ETH -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.14 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.14 -o $EX_ETH -j MASQUERADE -p tcp --dport 110

iptables -t nat -A POSTROUTING -s 192.168.1.57 -o $EX_ETH -j MASQUERADE -p tcp --dport 25
iptables -t nat -A POSTROUTING -s 192.168.1.57 -o $EX_ETH -j MASQUERADE -p tcp --dport 110
iptables -t nat -A POSTROUTING -s 192.168.1.57 -o $EX_ETH -j MASQUERADE -p tcp --dport 1337


# Transparent Proxy
#iptables -t nat -A PREROUTING -i $IN_ETH \
# -p tcp --dport 80 -j REDIRECT --to-port $PROXY_PORT

# Transparent Proxy (to a Remote Box)
# iptables -t nat -A PREROUTING -i $IN_ETH -s ! $LOCAL_IP -p tcp \
# --dport 80 -j DNAT --to $PROXY_IP:$PROXY_PORT
# iptables -t nat -A POSTROUTING -o eth0 -s $LOCAL_NET -d $PROXY_IP \
# -j SNAT --to $LOCAL_IP
# iptables -A FORWARD -s $LOCAL_NET -d $PROXY_IP -i $IN_ETH -o $EX_ETH
# -p tcp --dport $PROXY_PORT -j ACCEPT

#packets for established connections

iptables -A INPUT -p tcp -d 61.247.252.125 -m state --state \
NEW,ESTABLISHED,RELATED -j ACCEPT

#iptables -A INPUT -p tcp -d 61.247.252.125 -i eth0 -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES ACCEPT]'
# Accept
for AP in $APORTS
do
#iptables -A INPUT -i $EX_ETH -p tcp --dport $AP -s $LOCAL_NET -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES ACCEPT]'

#iptables -A INPUT -i $EX_ETH -p udp --dport $AP -s $LOCAL_NET -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES ACCEPT]'
iptables -A INPUT -i $EX_ETH -p tcp --dport $AP -s $LOCAL_NET -j ACCEPT
iptables -A INPUT -i $EX_ETH -p udp --dport $AP -s $LOCAL_NET -j ACCEPT
# iptables -A INPUT -j ACCEPT -p all -s 192.168.1.0/192.168.1.120 -i eth1
# iptables -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/192.168.1.120 -o eth1
done



#iptables -A OUTPUT -p ALL -s 192.168.1.100 -j ACCEPT
#iptables -A OUTPUT -p ALL -s 192.168.1.1 -j ACCEPT
#iptables -A INPUT -i eth1 -s 0/0 -d 192.168.1.42 -j REJECT


#for AP in $APORTS
#do
iptables -A INPUT -d 61.247.252.125 -i $EX_ETH -p tcp --dport $AP -j ACCEPT
iptables -A INPUT -d 61.247.252.125 -i $EX_ETH -p udp --dport $AP -j ACCEPT
#done

# Reject
#for RP in $RPORTS
#do
# iptables -A INPUT -p tcp --dport $RP -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP]'
# iptables -A INPUT -p tcp --dport $RP -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP]'
# iptables -A INPUT -p tcp --dport $RP -j REJECT
# iptables -A INPUT -p udp --dport $RP -j REJECT
# iptables -A INPUT -i eth1 -p tcp --dport $RP -j REJECT
# iptables -A INPUT -i eth1 -p udp --dport $RP -j REJECT
#done

#iptables -A INPUT -i $IN_ETH -p tcp --dport 5060 -j ACCEPT
#iptables -A INPUT -i $IN_ETH -p udp -m udp --dport 7070:7080 -j ACCEPT
#iptables -A FORWARD -o eth1 -p tcp --dport 5000:5050 -j DROP


# Any other packets must be dropped.
#iptables -A INPUT -i $EX_ETH -m state --state NEW,INVALID -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP]'
#iptables -A INPUT -i $EX_ETH -m state --state NEW,INVALID -j DROP


# FORWARD Chain
#:iptables -A FORWARD -i $EX_ETH -m state --state NEW,INVALID -j LOG --log-tcp-options --log-ip-options --log-prefix '[IPTABLES DROP]'
#iptables -A FORWARD -i $EX_ETH -m state --state NEW,INVALID -j DROP

echo 1 > /proc/sys/net/ipv4/ip_forward

#iptables -A INPUT -i $EX_ETH -p tcp --dport 80 -j LOG
#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 80 -j DNAT --to-dest 192.168.1.200:80
#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 8081 -j DNAT --to-dest 192.168.1.200:8081
#iptables -t nat -A PREROUTING -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 80 -j LOG
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 554 -j ACCEPT

#iptables -A INPUT -i $EX_ETH -p tcp --dport 1433 -j LOG
#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 1433 -j DNAT --to-dest 192.168.1.200:1433
#iptables -t nat -A PREROUTING -j ACCEPT


#iptables -t nat -A PREROUTING -s any/0 -d 61.247.252.125 -p tcp --dport 554 -j DNAT --to-dest 192.168.1.200:554

#iptables -A FORWARD -i $EX_ETH -j ACCEPT
#iptables -A FORWARD -i $IN_ETH -j ACCEPT
#iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp -d 192.168.1.200 --dport 554 -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp -d 192.168.1.200 --dport 7070 -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p udp -d 192.168.1.200 --dport 554 -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p udp -d 192.168.1.200 --dport 7070 -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p udp -d 192.168.1.200 --dport 6970:6999 -j ACCEPT

#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p tcp --dport 554 -j DNAT --to-destination 192.168.1.200:554
#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p tcp --dport 7070 -j DNAT --to-destination 192.168.1.200:7070
#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p udp --dport 554 -j DNAT --to-destination 192.168.1.200:554
#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p udp --dport 7070 -j DNAT --to-destination 192.168.1.200:7070
#iptables -t nat -A PREROUTING --dst $EXTERNAL_IP -p udp --dport 6970:6999 -j DNAT --to-destination 192.168.1.200:6970-6999



#echo 1 > /proc/sys/net/ipv4/ip_forward

#iptables -t nat -A PREROUTING -i $IN_ETH -p tcp --dport 5060 -j DNAT --to-dest 192.168.1.200:5060

#iptables -t nat -A PREROUTING -j ACCEPT
#iptables -A FORWARD -i $IN_ETH -p tcp -s 192.168.1.200 \
#-o $IN_ETH --dport 5060 -m state --state NEW -j ACCEPT

#iptables -A FORWARD -t filter -o $IN_ETH -m state \
# --state NEW,ESTABLISHED,RELATED -j ACCEPT

#iptables -A FORWARD -t filter -i $IN_ETH -m state \
# --state ESTABLISHED,RELATED -j ACCEPT
#iptables -A FORWARD -p tcp --dport 5060 -j LOG --log-prefix "test"
#iptables -A FORWARD -s 192.168.1.200 -i $IN_ETH -o $IN_ETH -p tcp -j ACCEPT



#iptables -t nat -A FORWARD -i $IN_ETH -o $IN_ETH -p tcp --dport 5060 -m state --state ESTABLISHED -j ACCEPT

#iptables -A INPUT -p tcp -i $EX_ETH --dport 1720 -j LOG --log-prefix "mytest"
iptables -A PREROUTING -t nat -p tcp -d $EXTERNAL_IP --dport 1720 -j DNAT --to-dest 192.168.1.200:1720
iptables -t nat -A PREROUTING -j ACCEPT

iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 1720 -j ACCEPT


#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 10200:10209 -j DNAT --to-destination 192.168.1.100
#iptables -A FORWARD -d $LOCAL_IP -o $IN_ETH -p tcp --dport 10200:10209 -j ACCEPT


#iptables -t nat -A PREROUTING -i $EX_ETH -p udp --dport 10200:10259 -j DNAT --to-destination 192.168.1.100
#iptables -A FORWARD -d $LOCAL_IP -i $IN_ETH -p udp --dport 10200:10259 -j ACCEPT


#iptables -I PREROUTING -t nat -p tcp --dport 1720 -j REDIRECT
#iptables -I INPUT -p tcp --dport 1720 -j LOG --log-prefix "hello"
iptables -I INPUT -p tcp --dport 1720 -j ACCEPT
iptables -I INPUT -p tcp --dport 10200:10209 -j ACCEPT
iptables -I INPUT -p udp --dport 10200:10259 -j ACCEPT


iptables -I OUTPUT -p tcp -j ACCEPT
iptables -I OUTPUT -p udp -j ACCEPT

iptables -I INPUT -p tcp ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT


#iptables -I PREROUTING -t nat -p tcp --dport 10200:10209 -d $EXTERNAL_NET -j DNAT --to-destination $LOCAL_IP
#iptables -I PREROUTING -t nat -p udp --dport 10200:10259 -d $EXTERNAL_NET -j DNAT --to-destination $LOCAL_IP
#iptables -I PREROUTING -t nat -p tcp --dport 5060 ! -s $EXTERNAL_NET -j DNAT --to-destination 192.168.1.200

#iptables -t nat -I PREROUTING -p tcp --dport 5060 -i $IN_ETH -j DNAT --to-dest 192.168.1.200:5060
#iptables -t nat -A PREROUTING -j ACCEPT
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 7101 -j ACCEPT


#iptables -t nat -A PREROUTING -i $EX_ETH -p tcp --dport 7102 -j DNAT --to-dest 192.168.1.200:7102
#iptables -A FORWARD -i $EX_ETH -o $IN_ETH -p tcp --dport 7102 -j ACCEPT
#iptables -A FORWARD -p tcp --dport 1863 -j DROP
#iptables -A FORWARD -p tcp -d 64.4.13.0/24 -j DROP

# Turn on IP forwarding
#echo 1 > /proc/sys/net/ipv4/ip_forward

#iptables -A FORWARD -i eth0 -o eth0 -j LOG --log-prefix "external try"
#iptables -A FORWARD -i eth0 -o eth0 -j REJECT
#iptables -A OUTPUT -j LOG -o eth0
#iptables -A INPUT -j LOG
#iptables -A FORWARD -j LOG --log-prefix "forward only"

suvashan 06-05-2007 05:50 AM

hi please see my iptables script....!

Simon Bridge 06-05-2007 06:40 AM

Is it just me or are you a wee bit confused about how to write an iptables script?
i.e. you set default ACCEPT policy on output and have ACCEPT output rules... but it shouldn't stop it working.

How can you tell that this script isn't starting at boot?
(Have you tried iptables -L ?)

Could it be that your iptables script is: /usr/local/sbin/setiptables.bash

It would help a lot if we knew which distribution you are running.

rupertwh 06-05-2007 12:55 PM

Wow, what a firewall script. Thank god most of it is commented out...

No, seriously though -- you'll never get happy if you just keep aimlessly throwing things around and hope they'll just magically work somehow.

Some hints:

1. Decide for a name and location of your firewall script. I have lost count of how many names you have already given for it in this thread.
And make sensible choices. ('iptables' is *not* a good name for your script.)
I'd suggest something like '/usr/local/sbin/firewall'.

2. There is a difference between "/" and "/root", even though "/" is pronounced "root". Yes, it's confusing. Well, not really. Only when you speak about it.

3. As others have already pointed out: you want to call your script from rc.local -- not the other way around. I.e. add a line '/usr/local/sbin/firewall' to your rc.local. Do not add any reference to rc.local to your firewall script. It does not make sense!

4. You want to use modprobe, not insmod.

5. As to your actual firewall script: I don't think it does what you think it does.

Here is a suggestion to get you started: (you need to edit the settings in the top section)
Code:

#!/bin/sh

############# Settings: ######################################################

PUB_IF="ppp0"
PUB_IP=""
PUB_GW=""

PRV_IF="eth1"
PRV_IP="192.168.30.1"
PRV_NET="192.168.30.0/24"

IPT="/sbin/iptables"


#### Public services to allow from anywhere: ####

PUB_TCP_OK="ssh"
PUB_UDP_OK=""

#### End of public services #####################


#### Port forwarding: ###########

# Uncomment the following line to enable port forwarding:
# (and of course adjust this line and the following sections
#  according to your setup...)
#PF_HOSTS="DESKTOP SERVER1 SERVER2"

# to Desktop: forward skype, AOE, BitTorrent
PF_DESKTOP_IP="192.168.30.2"
PF_DESKTOP_PORTS_TCP="1573 2300 6881"
PF_DESKTOP_PORTS_UDP="2350 6881"

# to Server1: dns and smtp
PF_SERVER1_IP="192.168.30.5"
PF_SERVER1_PORTS_TCP="domain smtp"
PF_SERVER1_PORTS_UDP="domain"

# to Server2: www
PF_SERVER2_IP="192.168.30.7"
PF_SERVER2_PORTS_TCP="www"
PF_SERVER2_PORTS_UDP=""

#### End of port forwarding ####

############ End of settings #################################################


if ! [ -x "$IPT" ] ; then
        echo "Cannot find iptables! Disabling all forwarding and aborting!"
        echo 0 > /proc/sys/net/ipv4/ip_forward
        echo 0 > /proc/sys/net/ipv4/conf/all/forwarding
        exit 1
fi


LOCAL="127.0.0.0/8"
PRIV_A="10.0.0.0/8"
PRIV_B="172.16.0.0/12"
PRIV_C="192.168.0.0/16"


echo "Setting policies..."
$IPT --policy INPUT DROP
$IPT --policy OUTPUT DROP
$IPT --policy FORWARD DROP

$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT


echo "Flushing/deleting chains..."

$IPT --flush
$IPT -t nat --flush
$IPT -t mangle --flush

$IPT --delete-chain
$IPT -t nat --delete-chain
$IPT -t mangle --delete-chain


################## src_check_pub #############################################

CURR=src_check_pub_drop
echo $CURR...
$IPT -N $CURR
$IPT -A $CURR -j LOG --log-prefix "Inv. src on $PUB_IF: "
$IPT -A $CURR -j DROP

CURR=src_check_pub
echo $CURR...
$IPT -N $CURR
test -n "$PUB_GW" && $IPT -A $CURR --src $PUB_GW/32 -j RETURN
$IPT -A $CURR --src $PRIV_A -j src_check_pub_drop
$IPT -A $CURR --src $PRIV_B -j src_check_pub_drop
$IPT -A $CURR --src $PRIV_C -j src_check_pub_drop
$IPT -A $CURR --src $LOCAL -j src_check_pub_drop
$IPT -A $CURR -j RETURN


################## src_check_prv #############################################

CURR=src_check_prv
echo $CURR...
$IPT -N $CURR
$IPT -A $CURR --src $PRV_NET -j RETURN

# Don't block DHCP broadcasts:
$IPT -A $CURR --src 0.0.0.0/32 --dst 255.255.255.255/32 \
        -p udp --sport bootpc --dport bootps -j RETURN

$IPT -A $CURR -j LOG --log-prefix "Inv. src on $PRV_IF: "
$IPT -A $CURR -j REJECT --reject-with icmp-host-prohibited


################## input_pub #################################################

CURR=input_pub
echo "$CURR..."
$IPT -N $CURR
$IPT -A $CURR -j src_check_pub
$IPT -A $CURR -m state --state ESTABLISHED,RELATED -j ACCEPT

for i in echo-request destination-unreachable \
        time-exceeded parameter-problem ; do
        $IPT -A $CURR -p icmp --icmp-type $i -j ACCEPT
done

if [ -n "$PUB_TCP_OK" ] ; then
        for PORT in $PUB_TCP_OK ; do
                $IPT -A $CURR -p tcp --dport $PORT -j ACCEPT
        done
fi

if [ -n "$PUB_UDP_OK" ] ; then
        for PORT in $PUB_UDP_OK ; do
                $IPT -A $CURR -p udp --dport $PORT -j ACCEPT
        done
fi

$IPT -A $CURR -p tcp --dport ident -j REJECT --reject-with tcp-reset

$IPT -A $CURR -j LOG --log-prefix "Conn. attempt on $PUB_IF: "
$IPT -A $CURR -j DROP



################## input_prv #################################################

CURR=input_prv
echo $CURR...
$IPT -N $CURR
$IPT -A $CURR -j src_check_prv
$IPT -A $CURR -p tcp -j ACCEPT
$IPT -A $CURR -p udp -j ACCEPT
$IPT -A $CURR -p icmp -j ACCEPT
$IPT -A $CURR -j LOG --log-prefix "Invalid protocol on $PRV_IF: "
$IPT -A $CURR -j REJECT


################## forward_pub ###############################################

CURR=forward_pub
echo $CURR
$IPT -N $CURR
$IPT -A $CURR -j src_check_pub

$IPT -A $CURR -m state --state ESTABLISHED,RELATED -j ACCEPT
for i in destination-unreachable \
        time-exceeded parameter-problem ; do
        $IPT -A $CURR -p icmp --icmp-type $i -j ACCEPT
done

# Allow packets from port forwarding:
for HOST in $PF_HOSTS ; do
        eval IP=\${PF_${HOST}_IP}
        eval TPORTS=\${PF_${HOST}_PORTS_TCP}
        eval UPORTS=\${PF_${HOST}_PORTS_UDP}
        if [ -n "$TPORTS" ] ; then
                for PORT in $TPORTS; do
                        $IPT -A $CURR -p tcp --dst $IP/32 --dport $PORT \
                                -j ACCEPT
                done
        fi
        if [ -n "$UPORTS" ] ; then
                for PORT in $UPORTS; do
                        $IPT -A $CURR -p udp --dst $IP/32 --dport $PORT \
                                -j ACCEPT
                done
        fi
done

$IPT -A $CURR -j LOG --log-prefix "Fwd attempt on $PUB_IF: "
$IPT -A $CURR -j DROP


################## forward_prv ###############################################

CURR=forward_prv
echo $CURR...
$IPT -N $CURR
$IPT -A $CURR -j src_check_prv
$IPT -A $CURR -p tcp -j ACCEPT
$IPT -A $CURR -p udp -j ACCEPT
$IPT -A $CURR -p icmp -j ACCEPT
$IPT -A $CURR -j LOG --log-prefix "Fwd attempt from $PRV_IF: "
$IPT -A $CURR -j REJECT --reject-with icmp-net-prohibited


################## INPUT #####################################################

echo "INPUT..."
$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -i $PUB_IF -j input_pub
$IPT -A INPUT -i $PRV_IF -j input_prv

$IPT -A INPUT -j LOG --log-prefix "Unexpected INPUT packet: "
$IPT -A INPUT -j DROP


################## FORWARD ###################################################

echo "FORWARD..."
$IPT -A FORWARD -i $PUB_IF -j forward_pub
$IPT -A FORWARD -i $PRV_IF -j forward_prv

$IPT -A FORWARD -j LOG --log-prefix "Unexpected FORWARD packet: "
$IPT -A FORWARD -j DROP


################## OUTPUT ####################################################

echo "OUTPUT..."
$IPT -A OUTPUT -j ACCEPT


################## PREROUTING ################################################

echo "PREROUTING..."

# Port forwarding:
for HOST in $PF_HOSTS ; do
        eval IP=\${PF_${HOST}_IP}
        eval TPORTS=\${PF_${HOST}_PORTS_TCP}
        eval UPORTS=\${PF_${HOST}_PORTS_UDP}
        if [ -n "$TPORTS" ] ; then
                for PORT in $TPORTS; do
                        $IPT -t nat -A PREROUTING -p tcp --dport $PORT \
                                -j DNAT --to $IP
                done
        fi
        if [ -n "$UPORTS" ] ; then
                for PORT in $UPORTS; do
                        $IPT -t nat -A PREROUTING -p udp --dport $PORT \
                                -j DNAT --to $IP
                done
        fi
done


################## POSTROUTING  ##############################################

echo "POSTROUTING..."
$IPT -t nat -A POSTROUTING -o $PUB_IF -s $PRV_NET -j MASQUERADE

Cheers

Rupert
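Added example, not from any post in this thread: a POSIX sh function that applies hints 1 and 3 above mechanically and refuses the two mistakes made earlier in the thread (a relative path, and a firewall script that calls rc.local back). The function name is hypothetical; the default path /etc/rc.local and the suggested script location /usr/local/sbin/firewall are the ones named in this thread.

```shell
# Added example, not from any post in this thread. Hypothetical function name;
# the default rc.local path follows the thread.
#
# Usage: install_boot_hook /usr/local/sbin/firewall [/etc/rc.local]
# Exit 0 when rc.local ends up with exactly one line that runs the script.
install_boot_hook() {
    script="$1"
    rc_local="${2:-/etc/rc.local}"

    # Hint 3, first half: rc.local must call the script by absolute path.
    # rc.local is not run from /root, so "./iptables" is never found at boot.
    case "$script" in
        /*) ;;
        *)  echo "error: give the absolute path of the script, not '$script'" >&2
            return 1 ;;
    esac

    # The script must exist, be executable and start with a #! line;
    # without the interpreter line the shell reports "bad interpreter".
    [ -f "$script" ] || { echo "error: $script does not exist" >&2; return 1; }
    [ -x "$script" ] || { echo "error: $script is not executable (chmod 755)" >&2; return 1; }
    head -n 1 "$script" | grep -q '^#!' ||
        { echo "error: $script has no #! line" >&2; return 1; }

    # Hint 3, second half: the script must not reference rc.local. Once
    # rc.local calls the script, the two files would call each other
    # without end.
    if grep -q 'rc\.local' "$script"; then
        echo "error: $script references rc.local; remove that line" >&2
        return 1
    fi

    # Add the call once: grep -F -x matches the whole line literally, so
    # re-running this function never duplicates it.
    if ! grep -F -x -q "$script" "$rc_local" 2>/dev/null; then
        if grep -q '^exit 0' "$rc_local" 2>/dev/null; then
            # Some distributions end rc.local with "exit 0"; a line appended
            # after it would never run, so insert before it instead.
            awk -v s="$script" '!done && /^exit 0/ { print s; done = 1 } { print }' \
                "$rc_local" > "$rc_local.tmp" &&
                cat "$rc_local.tmp" > "$rc_local" && rm -f "$rc_local.tmp"
        else
            printf '%s\n' "$script" >> "$rc_local"
        fi
    fi
    chmod +x "$rc_local"

    # Verify the result rather than assuming it.
    [ "$(grep -F -x -c "$script" "$rc_local")" -eq 1 ]
}
```

After a reboot, `grep -n firewall /etc/rc.local` and `iptables -L -n` together show whether the hook is in place and whether it ran.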

suvashan 06-06-2007 12:49 AM

Hi Simon....

I just checked iptables -L in my terminal.

It shows some details about my firewall.


chain INput policy
target prot opt source desination
...

chain FORWARD (policy Accept)
target prot opt source desination
...

chain FORWARD (POLICY aCCEPT)
target prot opt source desination

chain OUTPUT (POLICY ACCEPT)
target prot opt source desination

My iptables script path is "/",

not /usr/local/sbin/setiptables.bash.

WHAT SHOULD I DO....?

suvashan 06-06-2007 02:37 AM

Hi Simon.....

My iptables script path is "/",

not /usr/local/sbin/setiptables.bash.

Simon Bridge 06-06-2007 03:36 AM

Show the following command and the output:

cat /usr/local/sbin/setiptables.bash

... I'll explain:
At the top of your iptables script, there is a line which goes:

# /usr/local/sbin/setiptables.bash

i.e. a commented filename. This is usually the name of the script file. If this is the case, then your iptables script is actually /usr/local/sbin/setiptables.bash and not /iptables as previously stated. I'd like to verify this.

Simon Bridge 06-06-2007 03:38 AM

Quote:

my iptables script path is "/" not /usr/local/sbin/setiptables.bash"
OK... so it is the result of a previous setting getting deleted.

have you tried

sudo iptables -L

suvashan 06-06-2007 04:20 AM

cat /usr/local/sbin/setiptables.bash

The output is

cat: /usr/local/sbin/setiptables.bash :no such file or directory.

suvashan 06-06-2007 04:41 AM

I tried "sudo iptables -L".

It shows some details about my firewall.


chain INput policy
target prot opt source desination
...

chain FORWARD (policy Accept)
target prot opt source desination
...

chain FORWARD (POLICY aCCEPT)
target prot opt source desination

chain OUTPUT (POLICY ACCEPT)
target prot opt source desination

Simon Bridge 06-06-2007 05:05 AM

This is funny ... is that a direct paste or did you edit it?
From that script you should have

Chain INPUT (policy DROP)
target prot opt source desination
... input rules
chain FORWARD (policy ACCEPT)
... forward rules
chain OUTPUT (policy ACCEPT)
... output rules

... this means that the firewall you designed is loaded.

If they are all "policy ACCEPT" and no rules, then the firewall has not loaded.
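Added example, not from any post in this thread: two POSIX sh functions that apply Simon's test above to the output of `iptables -L -n` (the -n stops iptables from resolving addresses and ports to names, which is also why his pasted output came out slowly). The function names are hypothetical, and the two sample outputs are constructed for the demonstration, not captured from the poster's machine.

```shell
# Added example, not from any post in this thread. Function names are
# hypothetical; the sample outputs below are constructed.
# Real use:  iptables -L -n | fw_state

# fw_summary: read `iptables -L -n` on stdin and print one line per chain:
#   <chain> policy=<ACCEPT|DROP|...|user> rules=<count>
# ("user" marks a user-defined chain, which shows references, not a policy.)
fw_summary() {
    awk '
        function emit() {
            if (chain != "") printf "%s policy=%s rules=%d\n", chain, pol, rules
        }
        /^Chain / {
            emit()
            chain = $2; rules = 0
            if ($3 == "(policy") { pol = $4; sub(/\)$/, "", pol) } else { pol = "user" }
            next
        }
        /^target +prot/ { next }   # column header printed under each chain
        NF == 0 { next }            # blank separator between chains
        { rules++ }                 # anything else is one rule
        END { emit() }
    '
}

# fw_state: prints "loaded" (exit 0) when at least one chain has a policy
# other than ACCEPT, holds a rule, or is user-defined; otherwise prints
# "empty" (exit 1), the all-ACCEPT-and-no-rules state Simon describes.
fw_state() {
    fw_summary | awk '
        $2 != "policy=ACCEPT" || $3 != "rules=0" { hit = 1 }
        END { if (hit) { print "loaded"; exit 0 } print "empty"; exit 1 }
    '
}

# Constructed sample: what a machine shows right after boot when nothing
# applied the ruleset (all three built-in chains at ACCEPT, no rules).
sample_empty() {
    cat <<'EOF'
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
EOF
}

# Constructed sample: the shape a script like rupertwh's produces (DROP
# policies, jumps to user-defined chains such as input_pub).
sample_loaded() {
    cat <<'EOF'
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
input_pub  all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
forward_pub  all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain input_pub (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
EOF
}
```

Running `fw_state` once before and once after the firewall script, as the thread does by hand, gives an unambiguous "empty"/"loaded" pair instead of a retyped table.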

suvashan 06-06-2007 07:24 AM

It's not a direct paste....

and also the output is not normal....

and also I get the report only after I run my script.....

selvam.

suvashan 06-06-2007 07:49 AM

I just rebooted the machine...
and went to the terminal...

and typed "sudo iptables -L"
The output is

chain Input (POLICY aCCEPT)
target prot opt source desination
(blank)
chain FORWARD (POLICY aCCEPT)
target prot opt source desination
(blank)
chain output (POLICY aCCEPT)
target prot opt source desination
(blank)

but once I run my script....

./iptables

now I just type "sudo iptables -L"
The output is

chain Input (POLICY aCCEPT)
target prot opt source desination

some IP details and TCP or UDP details and IP ranges come...
chain FORWARD (POLICY aCCEPT)

some IP details and TCP or UDP details and IP ranges come...

target prot opt source desination
some IP details and TCP or UDP details and IP ranges come...

chain output (POLICY aCCEPT)
target prot opt source desination
some IP details and TCP or UDP details and IP ranges come...

Simon Bridge 06-06-2007 07:54 AM

Well reboot then show result of:

sudo iptables -L [post edit: done while I was typing]

cat /iptables

cat /etc/rc.local

This time, provide direct pastes which include the command with the output. In future, this is how you show someone your results: direct pastes which include the commands. Unless you report exactly what is there, you are wasting my time and yours. Pull your act together!

(It's 1am and I'm getting cranky ... bed time!)

