* Voice IP
@ 2003-10-27 21:34 Manuel Tato
2003-10-27 21:50 ` Evan Davies
0 siblings, 1 reply; 8+ messages in thread
From: Manuel Tato @ 2003-10-27 21:34 UTC (permalink / raw)
To: netfilter
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi, I'm configuring a firewall/router with a static-IP ADSL line and a voice
IP gateway.
The VoIP gateway is configured at 192.168.1.40.
With this script I can make calls, but I can't receive any.
---------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
modprobe ip_conntrack_h323
modprobe ip_nat_h323
iptables -A INPUT -j ACCEPT
iptables -A FORWARD -j ACCEPT
iptables -A OUTPUT -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --dport 1726:1789 -i eth1 -j DNAT --to 192.168.1.40:1726:1789
iptables -A FORWARD -i eth1 -p tcp -d 192.168.1.40 --dport 1726:1789 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 1726:1789 -i eth1 -j DNAT --to 192.168.1.40:1726:1789
iptables -A FORWARD -i eth1 -p udp -d 192.168.1.40 --dport 1726:1789 -j ACCEPT
-----------------------------------------------------
Any idea?
Am I blocking ports?
Do I need any other module?
Thanks in advance,
thanks a lot...
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQE/nY98W/G6GKzQKp4RAndEAJ4pYh04AZuTc/f8MQ8Ae6RB/GpRFgCgkaCg
SwAh5HHLSdd0rj68FzTPdXY=
=RcOK
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Voice IP
2003-10-27 21:34 Manuel Tato
@ 2003-10-27 21:50 ` Evan Davies
0 siblings, 0 replies; 8+ messages in thread
From: Evan Davies @ 2003-10-27 21:50 UTC (permalink / raw)
To: Manuel Tato; +Cc: Netfilter
If you are using H323, there is a module for H323 in the patch-o-matic.
As for SIP I cannot help you.
On Tue, 2003-10-28 at 08:34, Manuel Tato wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hi, I'm configuring a firewall/router with a static-IP ADSL line and a voice
> IP gateway.
> The VoIP gateway is configured at 192.168.1.40.
> With this script I can make calls, but I can't receive any.
>
> ---------------------------------------------------
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> modprobe ip_conntrack_h323
> modprobe ip_nat_h323
>
> iptables -A INPUT -j ACCEPT
> iptables -A FORWARD -j ACCEPT
> iptables -A OUTPUT -j ACCEPT
>
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> iptables -t nat -A PREROUTING -p tcp --dport 1726:1789 -i eth1 -j DNAT --to 192.168.1.40:1726:1789
> iptables -A FORWARD -i eth1 -p tcp -d 192.168.1.40 --dport 1726:1789 -j ACCEPT
> iptables -t nat -A PREROUTING -p udp --dport 1726:1789 -i eth1 -j DNAT --to 192.168.1.40:1726:1789
> iptables -A FORWARD -i eth1 -p udp -d 192.168.1.40 --dport 1726:1789 -j ACCEPT
> -----------------------------------------------------
>
> Any idea?
> Am I blocking ports?
> Do I need any other module?
> Thanks in advance,
> thanks a lot...
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQE/nY98W/G6GKzQKp4RAndEAJ4pYh04AZuTc/f8MQ8Ae6RB/GpRFgCgkaCg
> SwAh5HHLSdd0rj68FzTPdXY=
> =RcOK
> -----END PGP SIGNATURE-----
>
Regards
Evan Davies.
Network and System Administrator.
VoicePlus Data Pty Ltd.
1 / 34 Burton St,
Milsons Point. NSW
2061.
Tel: +61 2 9955 3429
Fax: +61 2 9955 3465
Mobile: 0414 422 234
Email: evand@voiceplus.com.au
The email address used for sending this message is not to be added to
any database, list or mailing list without my prior, explicit
permission.
This e-mail is intended for use of the individual or entity above and
may contain information that is confidential and privileged. Note if
you are the intended recipient, you are hereby notified that any
dissemination, distribution or copying of the e-mail is strictly
prohibited. If you have received this e-mail in error, please notify us
immediately at evand@voiceplus.com.au and destroy the original message.
While this e-mail and any attachments have been scanned for common
computer viruses and found to be virus free, we recommend you also
perform your own virus checking processes before opening any
attachments.
^ permalink raw reply [flat|nested] 8+ messages in thread
* RE: Voice IP
@ 2003-10-27 21:51 George Vieira
0 siblings, 0 replies; 8+ messages in thread
From: George Vieira @ 2003-10-27 21:51 UTC (permalink / raw)
To: Manuel Tato, netfilter
I have this working at home using these rules...
if [ $H323 ]; then
$IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp --dport 389 -j DNAT --to 192.168.1.1 # H323
$IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp --dport 522 -j DNAT --to 192.168.1.1 # H323
$IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp --dport 1503 -j DNAT --to 192.168.1.1 # H323
$IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp --dport 1720 -j DNAT --to 192.168.1.1 # H323
$IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp --dport 1731 -j DNAT --to 192.168.1.1 # H323
$IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp --dport 8080 -j DNAT --to 192.168.1.1 # H323
$IPTABLES -t nat -A PREROUTING -i $EXTDEV -p tcp --dport 1469 -j DNAT --to 192.168.1.1 # H323aud
fi
What I did notice is that I couldn't get people to call me unless I was in a meeting call or something (soz, it's been months since I've used NetMeeting ;) )...
Thanks,
____________________________________________
George Vieira
Systems Manager
georgev@citadelcomputer.com.au
Citadel Computer Systems Pty Ltd
http://www.citadelcomputer.com.au
Phone : +61 2 9955 2644
HelpDesk: +61 2 9955 2698
> -----Original Message-----
> From: Manuel Tato [mailto:madness@adinet.com.uy]
> Sent: Tuesday, 28 October 2003 8:35 AM
> To: netfilter@lists.netfilter.org
> Subject: Voice IP
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> Hi, I'm configuring a firewall/router with a static-IP ADSL line
> and a voice
> IP gateway.
> The VoIP gateway is configured at 192.168.1.40.
> With this script I can make calls, but I can't receive any.
>
> ---------------------------------------------------
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> modprobe ip_conntrack_h323
> modprobe ip_nat_h323
>
> iptables -A INPUT -j ACCEPT
> iptables -A FORWARD -j ACCEPT
> iptables -A OUTPUT -j ACCEPT
>
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>
> iptables -t nat -A PREROUTING -p tcp --dport 1726:1789 -i eth1 -j DNAT --to 192.168.1.40:1726:1789
> iptables -A FORWARD -i eth1 -p tcp -d 192.168.1.40 --dport 1726:1789 -j ACCEPT
> iptables -t nat -A PREROUTING -p udp --dport 1726:1789 -i eth1 -j DNAT --to 192.168.1.40:1726:1789
> iptables -A FORWARD -i eth1 -p udp -d 192.168.1.40 --dport 1726:1789 -j ACCEPT
> -----------------------------------------------------
>
> Any idea?
> Am I blocking ports?
> Do I need any other module?
> Thanks in advance,
> thanks a lot...
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.2 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
>
> iD8DBQE/nY98W/G6GKzQKp4RAndEAJ4pYh04AZuTc/f8MQ8Ae6RB/GpRFgCgkaCg
> SwAh5HHLSdd0rj68FzTPdXY=
> =RcOK
> -----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: voice IP
2003-11-03 20:25 voice IP Manuel Tato
@ 2003-11-03 15:01 ` Herman
2003-11-03 20:55 ` Manuel Tato
` (2 subsequent siblings)
3 siblings, 0 replies; 8+ messages in thread
From: Herman @ 2003-11-03 15:01 UTC (permalink / raw)
To: Manuel Tato, netfilter
Hmm, it looks to me as if the very first rules in your INPUT, OUTPUT and
FORWARD chains are all ACCEPT, so this is pretty much a do-nothing firewall.
It will let everything through unchanged in both directions. So if you can
only initiate things in one direction, it is not the fault of this particular
setup...
So, why do you have all those prerouting and postrouting rules? Do you have
any idea what they are supposed to do?
Normally, the first thing to do is to flush the existing rules, then set the
default policies to DROP and finally start to build a rule set. You can do
this manually from the command line:
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
Now start to add rules to do something useful.
List the rules with iptables -L to see what you got.
Monitor your progress with tcpdump:
tcpdump -i eth1
tcpdump -i eth0
Open a gazillion console windows for each tcpdump and iptables experimentation
area and start playing.
Cheers,
H.
On Monday 03 November 2003 8:25 pm, Manuel Tato wrote:
> I have this firewall; I have a voice IP gateway at 192.168.1.40 and I'm
> port forwarding to this IP.
> I make phone calls without major problems, but I can't receive any...
> Does anyone have VoIP experience through Linux firewalls/routers?
> Thanks in advance,
> Manuel
>
>
> #!/bin/bash
> # eth1--> Modem/ADSL
> # eth0--> LAN
> #
> echo 1 > /proc/sys/net/ipv4/ip_forward
> modprobe ipt_MASQUERADE
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
> modprobe iptable_nat
> modprobe ip_conntrack_h323
> modprobe ip_nat_h323
> #
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -A INPUT -j ACCEPT
> iptables -A FORWARD -j ACCEPT
> iptables -A OUTPUT -j ACCEPT
>
> iptables -A FORWARD -p tcp --sport 137:139 -j DROP
> iptables -A FORWARD -p udp --sport 137:139 -j DROP
> # NFS Mount Service (TCP/UDP 635)
> iptables -A FORWARD -p tcp --sport 635 -j DROP
> iptables -A FORWARD -p udp --sport 635 -j DROP
> # NFS (TCP/UDP 2049)
> iptables -A FORWARD -p tcp --sport 2049 -j DROP
> iptables -A FORWARD -p udp --sport 2049 -j DROP
> # Portmapper (TCP/UDP 111)
> iptables -A FORWARD -p tcp --sport 111 -j DROP
> iptables -A FORWARD -p udp --sport 111 -j DROP
> # Block incoming syslog, lpr, rsh, rexec...
> iptables -A FORWARD -i eth1 -p udp --dport syslog -j DROP
> iptables -A FORWARD -i eth1 -p tcp --dport 515 -j DROP
> iptables -A FORWARD -i eth1 -p tcp --dport 514 -j DROP
> iptables -A FORWARD -i eth1 -p tcp --dport 512 -j DROP
> ###
> #
> # NAT
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> ######
> #####
> #######
> iptables -A FORWARD -p tcp --sport 1719:1789 -j ACCEPT
> iptables -A FORWARD -p udp --sport 1719:1789 -j ACCEPT
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to 192.168.1.40:80
> iptables -A FORWARD -i eth1 -p tcp -d 192.168.1.40 --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 23 -i eth1 -j DNAT --to 192.168.1.40:23
> iptables -A FORWARD -i eth1 -p tcp -d 192.168.1.40 --dport 23 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 161 -i eth1 -j DNAT --to 192.168.1.40:161
> iptables -A FORWARD -i eth1 -p tcp -d 192.168.1.40 --dport 161 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 1726:1789 -i eth1 -j DNAT --to 192.168.1.40:1726:1789
> iptables -A FORWARD -i eth1 -p tcp -d 192.168.1.40 --dport 1726:1789 -j ACCEPT
> iptables -t nat -A PREROUTING -p udp --dport 1726:1789 -i eth1 -j DNAT --to 192.168.1.40:1726:1789
> iptables -A FORWARD -i eth1 -p udp -d 192.168.1.40 --dport 1726:1789 -j ACCEPT
^ permalink raw reply [flat|nested] 8+ messages in thread
* voice IP
@ 2003-11-03 20:25 Manuel Tato
2003-11-03 15:01 ` Herman
` (3 more replies)
0 siblings, 4 replies; 8+ messages in thread
From: Manuel Tato @ 2003-11-03 20:25 UTC (permalink / raw)
To: netfilter
I have this firewall; I have a voice IP gateway at 192.168.1.40 and I'm
port forwarding to this IP.
I make phone calls without major problems, but I can't receive any...
Does anyone have VoIP experience through Linux firewalls/routers?
Thanks in advance,
Manuel
#!/bin/bash
# eth1--> Modem/ADSL
# eth0--> LAN
#
echo 1 > /proc/sys/net/ipv4/ip_forward
modprobe ipt_MASQUERADE
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe iptable_nat
modprobe ip_conntrack_h323
modprobe ip_nat_h323
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -A INPUT -j ACCEPT
iptables -A FORWARD -j ACCEPT
iptables -A OUTPUT -j ACCEPT
iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP
# NFS Mount Service (TCP/UDP 635)
iptables -A FORWARD -p tcp --sport 635 -j DROP
iptables -A FORWARD -p udp --sport 635 -j DROP
# NFS (TCP/UDP 2049)
iptables -A FORWARD -p tcp --sport 2049 -j DROP
iptables -A FORWARD -p udp --sport 2049 -j DROP
# Portmapper (TCP/UDP 111)
iptables -A FORWARD -p tcp --sport 111 -j DROP
iptables -A FORWARD -p udp --sport 111 -j DROP
# Block incoming syslog, lpr, rsh, rexec...
iptables -A FORWARD -i eth1 -p udp --dport syslog -j DROP
iptables -A FORWARD -i eth1 -p tcp --dport 515 -j DROP
iptables -A FORWARD -i eth1 -p tcp --dport 514 -j DROP
iptables -A FORWARD -i eth1 -p tcp --dport 512 -j DROP
###
#
# NAT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
######
#####
#######
iptables -A FORWARD -p tcp --sport 1719:1789 -j ACCEPT
iptables -A FORWARD -p udp --sport 1719:1789 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to 192.168.1.40:80
iptables -A FORWARD -i eth1 -p tcp -d 192.168.1.40 --dport 80 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 23 -i eth1 -j DNAT --to 192.168.1.40:23
iptables -A FORWARD -i eth1 -p tcp -d 192.168.1.40 --dport 23 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 161 -i eth1 -j DNAT --to 192.168.1.40:161
iptables -A FORWARD -i eth1 -p tcp -d 192.168.1.40 --dport 161 -j ACCEPT
iptables -t nat -A PREROUTING -p tcp --dport 1726:1789 -i eth1 -j DNAT --to 192.168.1.40:1726:1789
iptables -A FORWARD -i eth1 -p tcp -d 192.168.1.40 --dport 1726:1789 -j ACCEPT
iptables -t nat -A PREROUTING -p udp --dport 1726:1789 -i eth1 -j DNAT --to 192.168.1.40:1726:1789
iptables -A FORWARD -i eth1 -p udp -d 192.168.1.40 --dport 1726:1789 -j ACCEPT
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: voice IP
2003-11-03 20:25 voice IP Manuel Tato
2003-11-03 15:01 ` Herman
@ 2003-11-03 20:55 ` Manuel Tato
2003-11-03 21:38 ` Jörg Schütter
2003-11-04 8:33 ` Thierry ITTY
3 siblings, 0 replies; 8+ messages in thread
From: Manuel Tato @ 2003-11-03 20:55 UTC (permalink / raw)
To: netfilter
OK, further information:
Mandrake Linux 9.1
kernel 2.4.21
running on a Celeron 300 MHz, 64 MB RAM + 2 Realtek NICs.
The VoIP gateway has no brand, and I don't have any more information...
Regards,
Manuel
PS: is a gatekeeper my solution?
Manuel Tato wrote:
> I have this firewall; I have a voice IP gateway at 192.168.1.40 and I'm
> port forwarding to this IP.
> I make phone calls without major problems, but I can't receive any...
> Does anyone have VoIP experience through Linux firewalls/routers?
> Thanks in advance,
> Manuel
>
>
> #!/bin/bash
> # eth1--> Modem/ADSL
> # eth0--> LAN
> #
> echo 1 > /proc/sys/net/ipv4/ip_forward
> modprobe ipt_MASQUERADE
> modprobe ip_conntrack
> modprobe ip_conntrack_ftp
> modprobe iptable_nat
> modprobe ip_conntrack_h323
> modprobe ip_nat_h323
> #
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -A INPUT -j ACCEPT
> iptables -A FORWARD -j ACCEPT
> iptables -A OUTPUT -j ACCEPT
>
> iptables -A FORWARD -p tcp --sport 137:139 -j DROP
> iptables -A FORWARD -p udp --sport 137:139 -j DROP
> # NFS Mount Service (TCP/UDP 635)
> iptables -A FORWARD -p tcp --sport 635 -j DROP
> iptables -A FORWARD -p udp --sport 635 -j DROP
> # NFS (TCP/UDP 2049)
> iptables -A FORWARD -p tcp --sport 2049 -j DROP
> iptables -A FORWARD -p udp --sport 2049 -j DROP
> # Portmapper (TCP/UDP 111)
> iptables -A FORWARD -p tcp --sport 111 -j DROP
> iptables -A FORWARD -p udp --sport 111 -j DROP
> # Block incoming syslog, lpr, rsh, rexec...
> iptables -A FORWARD -i eth1 -p udp --dport syslog -j DROP
> iptables -A FORWARD -i eth1 -p tcp --dport 515 -j DROP
> iptables -A FORWARD -i eth1 -p tcp --dport 514 -j DROP
> iptables -A FORWARD -i eth1 -p tcp --dport 512 -j DROP
> ###
> #
> # NAT
> iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
> ######
> #####
> #######
> iptables -A FORWARD -p tcp --sport 1719:1789 -j ACCEPT
> iptables -A FORWARD -p udp --sport 1719:1789 -j ACCEPT
>
> iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to 192.168.1.40:80
> iptables -A FORWARD -i eth1 -p tcp -d 192.168.1.40 --dport 80 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 23 -i eth1 -j DNAT --to 192.168.1.40:23
> iptables -A FORWARD -i eth1 -p tcp -d 192.168.1.40 --dport 23 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 161 -i eth1 -j DNAT --to 192.168.1.40:161
> iptables -A FORWARD -i eth1 -p tcp -d 192.168.1.40 --dport 161 -j ACCEPT
> iptables -t nat -A PREROUTING -p tcp --dport 1726:1789 -i eth1 -j DNAT --to 192.168.1.40:1726:1789
> iptables -A FORWARD -i eth1 -p tcp -d 192.168.1.40 --dport 1726:1789 -j ACCEPT
> iptables -t nat -A PREROUTING -p udp --dport 1726:1789 -i eth1 -j DNAT --to 192.168.1.40:1726:1789
> iptables -A FORWARD -i eth1 -p udp -d 192.168.1.40 --dport 1726:1789 -j ACCEPT
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: voice IP
2003-11-03 20:25 voice IP Manuel Tato
2003-11-03 15:01 ` Herman
2003-11-03 20:55 ` Manuel Tato
@ 2003-11-03 21:38 ` Jörg Schütter
2003-11-04 8:33 ` Thierry ITTY
3 siblings, 0 replies; 8+ messages in thread
From: Jörg Schütter @ 2003-11-03 21:38 UTC (permalink / raw)
To: netfilter
Hello Manuel,
On Mon, 03 Nov 2003 17:25:28 -0300
Manuel Tato <madness@adinet.com.uy> wrote:
> I have this firewall; I have a voice IP gateway at 192.168.1.40 and I'm
> port forwarding to this IP.
> I make phone calls without major problems, but I can't receive any...
> Does anyone have VoIP experience through Linux firewalls/routers?
> Thanks in advance,
> Manuel
>
>
[...]
> #
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -A INPUT -j ACCEPT
> iptables -A FORWARD -j ACCEPT
> iptables -A OUTPUT -j ACCEPT
After accepting all the traffic (INPUT/FORWARD/OUTPUT) there is no
"need" to add the following lines to the filter table.
[...]
Jörg
--
Jörg Schütter http://www.lug-untermain.de/
joerg@schuetter.org http://www.schuetter.org/joerg/
ICQ: 298982789 http://mypenguin.bei.t-online.de/
^ permalink raw reply [flat|nested] 8+ messages in thread
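As an added example (not code from the thread, and not any project's code), here is a small first-match evaluator for the FORWARD chain, written in Python, that makes Herman's and Jörg's point checkable: it parses a subset of the FORWARD rules Manuel posted, evaluates constructed packets against them, and lists the rules that a leading catch-all `iptables -A FORWARD -j ACCEPT` shadows. The sample packets, the `SERVICE_PORTS` lookup and the rule subset are constructed for the example; real iptables resolves service names through /etc/services.

```python
# Added example, not code from the netfilter thread: a first-match evaluator
# for the FORWARD chain showing why the posted DROP rules are dead code once
# `iptables -A FORWARD -j ACCEPT` is the first rule in the chain.
import shlex
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed name->port mapping; real iptables resolves names via /etc/services.
SERVICE_PORTS = {"syslog": 514}
Range = Tuple[int, int]


@dataclass
class Rule:
    target: str = ""
    in_if: Optional[str] = None
    proto: Optional[str] = None
    dst: Optional[str] = None
    sport: Optional[Range] = None  # inclusive (low, high)
    dport: Optional[Range] = None

    def is_catch_all(self) -> bool:
        # A rule with no match criteria matches every packet.
        return not any((self.in_if, self.proto, self.dst, self.sport, self.dport))


@dataclass
class Packet:
    in_if: str
    proto: str
    dst: str
    sport: int
    dport: int


def _port_range(spec: str) -> Range:
    lo, _, hi = spec.partition(":")
    lo_n = int(SERVICE_PORTS.get(lo, lo))
    hi_n = int(SERVICE_PORTS.get(hi, hi)) if hi else lo_n
    return (lo_n, hi_n)


def parse_rule(line: str) -> Rule:
    """Parse the subset of `iptables -A FORWARD ...` syntax used in the thread."""
    argv = shlex.split(line.split("#", 1)[0])
    if argv[:3] != ["iptables", "-A", "FORWARD"]:
        raise ValueError(f"not a FORWARD append: {line}")
    rule, opts = Rule(), iter(argv[3:])
    for opt in opts:
        val = next(opts)
        if opt == "-i":
            rule.in_if = val
        elif opt == "-p":
            rule.proto = val
        elif opt == "-d":
            rule.dst = val
        elif opt == "--sport":
            rule.sport = _port_range(val)
        elif opt == "--dport":
            rule.dport = _port_range(val)
        elif opt == "-j":
            rule.target = val
        else:
            raise ValueError(f"unsupported option {opt!r}")
    return rule


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.in_if and rule.in_if != pkt.in_if:
        return False
    if rule.proto and rule.proto != pkt.proto:
        return False
    if rule.dst and rule.dst != pkt.dst:
        return False
    if rule.sport and not rule.sport[0] <= pkt.sport <= rule.sport[1]:
        return False
    if rule.dport and not rule.dport[0] <= pkt.dport <= rule.dport[1]:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, policy: str = "DROP"):
    """First matching rule wins, as in netfilter; otherwise the chain policy applies."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule.target, idx
    return policy, None


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never match because a catch-all precedes them."""
    for idx, rule in enumerate(rules):
        if rule.is_catch_all():
            return list(range(idx + 1, len(rules)))
    return []


# Constructed from the FORWARD rules Manuel posted (a subset, in the same order).
POSTED = [parse_rule(ln) for ln in [
    "iptables -A FORWARD -j ACCEPT",
    "iptables -A FORWARD -p tcp --sport 137:139 -j DROP",
    "iptables -A FORWARD -p udp --sport 137:139 -j DROP",
    "iptables -A FORWARD -p tcp --sport 2049 -j DROP",
    "iptables -A FORWARD -i eth1 -p udp --dport syslog -j DROP",
    "iptables -A FORWARD -p tcp --sport 1719:1789 -j ACCEPT",
    "iptables -A FORWARD -i eth1 -p tcp -d 192.168.1.40 --dport 1726:1789 -j ACCEPT",
]]
# Herman's shape: no catch-all ACCEPT, default policy DROP, explicit rules only.
HARDENED = [r for r in POSTED if not r.is_catch_all()]

# Constructed sample packets arriving on the ADSL side (eth1).
SMB_IN = Packet("eth1", "tcp", "192.168.1.40", sport=139, dport=445)
H323_IN = Packet("eth1", "tcp", "192.168.1.40", sport=40000, dport=1730)
SSH_IN = Packet("eth1", "tcp", "192.168.1.40", sport=40001, dport=22)

if __name__ == "__main__":
    print("rules shadowed by the catch-all ACCEPT:", shadowed(POSTED))
    for name, pkt in [("SMB", SMB_IN), ("H.323", H323_IN), ("SSH", SSH_IN)]:
        print(name, "posted:", evaluate(POSTED, pkt, policy="ACCEPT"),
              "hardened:", evaluate(HARDENED, pkt))
```

With the posted order, the SMB packet is accepted by rule 0 and every DROP rule after it is unreachable; with the catch-all removed and the policy set to DROP, the same packet hits the 137:139 DROP, the H.323 call-control packet to 192.168.1.40 is still accepted by the explicit forward rule, and anything unsolicited falls through to the DROP policy.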
* Re: voice IP
2003-11-03 20:25 voice IP Manuel Tato
` (2 preceding siblings ...)
2003-11-03 21:38 ` Jörg Schütter
@ 2003-11-04 8:33 ` Thierry ITTY
3 siblings, 0 replies; 8+ messages in thread
From: Thierry ITTY @ 2003-11-04 8:33 UTC (permalink / raw)
To: Manuel Tato; +Cc: netfilter
It looks to me that, for getting incoming calls, you try to reach your VoIP
gateway from "outside" with a private address (192.168.1.40) which your
firewall is aware of, but as private addresses are not routed on the
Internet, you'll never get any incoming packets.
Outgoing calls work fine because of the masquerade rule and the H.323 helpers.
This is actually not an iptables problem.
Due to the H.323 protocol you can't just do a static port forwarding to handle
incoming calls.
Maybe you could try to redirect a broad range of ports and configure your
gateway to negotiate only ports within this range, if possible.
Maybe also you could try to redirect the known H.323 ports, and all
unrelated/unestablished incoming UDP packets, considering such packets to
be VoIP traffic, or do a redirection based on some diffserv value, making
the same assumption...
Of course such port redirections need the incoming packets to be sent to
the public address of your firewall (which is the only one reachable from
outside), thus need an additional DNAT rule with redirection, and of course
an SNAT rule for outgoing packets (and NO masquerading).
HTH,
please let me know
At 17:25 03/11/2003 -0300, you wrote:
>I have this firewall; I have a voice IP gateway at 192.168.1.40 and I'm
>port forwarding to this IP.
>I make phone calls without major problems, but I can't receive any...
>Does anyone have VoIP experience through Linux firewalls/routers?
>Thanks in advance,
>Manuel
>
>
>#!/bin/bash
># eth1--> Modem/ADSL
># eth0--> LAN
>#
>echo 1 > /proc/sys/net/ipv4/ip_forward
>modprobe ipt_MASQUERADE
>modprobe ip_conntrack
>modprobe ip_conntrack_ftp
>modprobe iptable_nat
>modprobe ip_conntrack_h323
>modprobe ip_nat_h323
>#
>iptables -F
>iptables -t nat -F
>iptables -t mangle -F
>iptables -A INPUT -j ACCEPT
>iptables -A FORWARD -j ACCEPT
>iptables -A OUTPUT -j ACCEPT
>
>iptables -A FORWARD -p tcp --sport 137:139 -j DROP
>iptables -A FORWARD -p udp --sport 137:139 -j DROP
># NFS Mount Service (TCP/UDP 635)
>iptables -A FORWARD -p tcp --sport 635 -j DROP
>iptables -A FORWARD -p udp --sport 635 -j DROP
># NFS (TCP/UDP 2049)
>iptables -A FORWARD -p tcp --sport 2049 -j DROP
>iptables -A FORWARD -p udp --sport 2049 -j DROP
># Portmapper (TCP/UDP 111)
>iptables -A FORWARD -p tcp --sport 111 -j DROP
>iptables -A FORWARD -p udp --sport 111 -j DROP
># Block incoming syslog, lpr, rsh, rexec...
>iptables -A FORWARD -i eth1 -p udp --dport syslog -j DROP
>iptables -A FORWARD -i eth1 -p tcp --dport 515 -j DROP
>iptables -A FORWARD -i eth1 -p tcp --dport 514 -j DROP
>iptables -A FORWARD -i eth1 -p tcp --dport 512 -j DROP
>###
>#
># NAT
>iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
>######
>#####
>#######
>iptables -A FORWARD -p tcp --sport 1719:1789 -j ACCEPT
>iptables -A FORWARD -p udp --sport 1719:1789 -j ACCEPT
>
>iptables -t nat -A PREROUTING -p tcp --dport 80 -i eth1 -j DNAT --to 192.168.1.40:80
>iptables -A FORWARD -i eth1 -p tcp -d 192.168.1.40 --dport 80 -j ACCEPT
>iptables -t nat -A PREROUTING -p tcp --dport 23 -i eth1 -j DNAT --to 192.168.1.40:23
>iptables -A FORWARD -i eth1 -p tcp -d 192.168.1.40 --dport 23 -j ACCEPT
>iptables -t nat -A PREROUTING -p tcp --dport 161 -i eth1 -j DNAT --to 192.168.1.40:161
>iptables -A FORWARD -i eth1 -p tcp -d 192.168.1.40 --dport 161 -j ACCEPT
>iptables -t nat -A PREROUTING -p tcp --dport 1726:1789 -i eth1 -j DNAT --to 192.168.1.40:1726:1789
>iptables -A FORWARD -i eth1 -p tcp -d 192.168.1.40 --dport 1726:1789 -j ACCEPT
>iptables -t nat -A PREROUTING -p udp --dport 1726:1789 -i eth1 -j DNAT --to 192.168.1.40:1726:1789
>iptables -A FORWARD -i eth1 -p udp -d 192.168.1.40 --dport 1726:1789 -j ACCEPT
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2003-11-04 8:33 UTC | newest]