From: "Stiven Andre" <stiven_a@hotmail.com>
To: netfilter@lists.netfilter.org
Subject: Strange iptables behavior
Date: Thu, 28 Nov 2002 01:26:33 +0200
Message-ID: <F2230AmSS7U1Pd1DTM100010c28@hotmail.com>
>From: "Stiven Andre" <stiven_a@hotmail.com>
>To: linux-il@linux.org.il
>Subject: Strange iptables behavior
>Date: Wed, 27 Nov 2002 17:28:05 +0200
>
>Hi List.
>
>I have my home network masqueraded by a Linux router (RH8.0).
>Network topology:
>Linux router (192.168.1.1): eth0 to LAN, eth1 to ADSL modem.
>LAN = 192.168.1.*
>
>I wrote an iptables script that masquerades my network, but the problem is
>that when I run the script for the first time from /etc/rc.d/rc.local it works.
>But if I then rerun it manually (as root, of course) it stops working. Inside
>hosts don't have access to the internet. My script does clear all old rules
>at the start, but it doesn't help either...
>I tried to clear all old rules manually and then run the script, no luck,
>still not working. I tried to unload all iptables modules, then "insmod
>ip_tables" and after that run the script again; nothing, it doesn't help
>either... Can someone understand what is going on? Why does it work only the
>first time? After the second execution the rules seem to be the same,
>but inside hosts can't ping the internet.
>There are 2 LOG targets in the script, the first with prefix "FORWARD PACKET"
>and the second with prefix "MASQ RULE MATCHED". After the first execution of the
>script I see 2 logs for each packet, first "FORWARD PACKET" and then "MASQ
>RULE MATCHED", but after the second execution, when the NAT doesn't work, the
>logs don't show "MASQ RULE MATCHED"...
>
>Best Regards.
>S.A.
>
>The script:
>
>
>#!/bin/sh
>IPTABLES="/sbin/iptables"
>
># Reset all.
>$IPTABLES -P INPUT ACCEPT
>$IPTABLES -P OUTPUT ACCEPT
>$IPTABLES -P FORWARD ACCEPT
>$IPTABLES -F
>$IPTABLES -X
>$IPTABLES -t nat -F
>
># Modules and targets:
>/sbin/modprobe ipt_LOG
>/sbin/modprobe ipt_REJECT
>/sbin/modprobe ipt_MASQUERADE
>/sbin/modprobe ip_nat_ftp
>/sbin/modprobe ip_nat_irc
>/sbin/modprobe ip_conntrack_ftp
>/sbin/modprobe ip_conntrack_irc
>
># IP Forwarding And Dynamic IP support:
>echo "1" > /proc/sys/net/ipv4/ip_forward
>echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>
># Create chains for packet types:
>$IPTABLES -N tcp_packets
>$IPTABLES -N udp_packets
>$IPTABLES -N icmp_packets
>
># INPUT TABLE:
># Permit ADSL, gre Tunnel (Protocol 47), loopback and a broadcast.
>$IPTABLES -A INPUT -p 47 -s 10.0.0.138 -j ACCEPT
>$IPTABLES -A INPUT -p tcp -s 10.0.0.138 --sport 1723 -j ACCEPT
>$IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
>$IPTABLES -A INPUT -p ALL -d 192.168.1.255 -j ACCEPT
># Ensure that established sessions will not die
>$IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
># Allow FTP active and passive port commands:
>#$IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
>#$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
># Send all other traffic to it's chain:
>$IPTABLES -A INPUT -p tcp -j tcp_packets
>$IPTABLES -A INPUT -p udp -j udp_packets
>$IPTABLES -A INPUT -p icmp -j icmp_packets
>
># OUTPUT TABLE:
># Permit all.
>$IPTABLES -A OUTPUT -j ACCEPT
>
># FORWARD TABLE:
>$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
># tcp_packets TABLE:
># World accessible services:
>#$IPTABLES -A tcp_packets -p tcp --dport 21 --syn -j ACCEPT # FTP
>#$IPTABLES -A tcp_packets -p tcp --dport 80 --syn -j ACCEPT # HTTP
># Private services:
>$IPTABLES -A tcp_packets -s 192.168.1.10/32 -p tcp --dport 23 --syn -j ACCEPT # Telnet
>$IPTABLES -A tcp_packets -s 192.168.1.10/24 -p tcp --dport 139 --syn -j ACCEPT # NetBIOS-ssn
>
># udp_packets TABLE:
># Private services:
>$IPTABLES -A udp_packets -s 192.168.1.10/24 -p udp --dport 137 -j ACCEPT # NetBIOS-sn
>$IPTABLES -A udp_packets -s 192.168.1.10/24 -p udp --dport 138 -j ACCEPT # NetBIOS-dgm
>
># MASQUERADING:
>$IPTABLES -t nat -A POSTROUTING -o ppp0 -j LOG --log-level DEBUG --log-prefix "matched MASQ RULE: "
>$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
># Set defaults to drop:
>$IPTABLES -P INPUT ACCEPT
>$IPTABLES -P OUTPUT ACCEPT
>$IPTABLES -P FORWARD ACCEPT
>
># Debug
>$IPTABLES -A FORWARD -j LOG --log-level DEBUG --log-prefix "FORWARD PACKET: "
>$IPTABLES -A INPUT -j LOG --log-level DEBUG --log-prefix "INPUT PACKET: "
>$IPTABLES -A OUTPUT -j LOG --log-level DEBUG --log-prefix "OUTPUT PACKET: "
>
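One way to do the log comparison described in the message offline, as an added example that is not part of the original post: it parses constructed kernel LOG lines written with the script's two prefixes and reports outbound connections that the FORWARD chain logged on ppp0 but the nat POSTROUTING LOG rule never did. The prefixes, interface name and field layout follow the script above; the addresses, IP IDs and timestamps in SAMPLE_LOG are made up.

```python
import re

# Constructed sample of what the script's two LOG targets write to the kernel
# log (layout follows the iptables LOG target; addresses and IDs are made up).
# The nat table is traversed only by a connection's first packet, so the
# POSTROUTING rule fires once per connection, and it logs IN= empty.
SAMPLE_LOG = """\
Nov 27 17:10:01 router kernel: FORWARD PACKET: IN=eth0 OUT=ppp0 SRC=192.168.1.10 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4001 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Nov 27 17:10:01 router kernel: matched MASQ RULE: IN= OUT=ppp0 SRC=192.168.1.10 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4001 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Nov 27 17:10:01 router kernel: FORWARD PACKET: IN=ppp0 OUT=eth0 SRC=198.51.100.7 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=9311 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=1
Nov 27 17:10:02 router kernel: FORWARD PACKET: IN=eth0 OUT=ppp0 SRC=192.168.1.10 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=4002 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=2
Nov 27 17:10:05 router kernel: FORWARD PACKET: IN=eth0 OUT=ppp0 SRC=192.168.1.11 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=7710 DF PROTO=TCP SPT=1055 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"kernel: (?P<prefix>.*?): (?P<fields>[A-Z]+=.*)$")

def parse_log_line(line):
    """Return (prefix, ip_fields, l4_fields) or None. Tokens after PROTO= are
    transport fields; for ICMP the second ID= is the echo identifier."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ip, l4, in_l4 = {}, {}, False
    for tok in m.group("fields").split():
        if "=" not in tok:  # flag tokens such as DF or SYN
            continue
        key, val = tok.split("=", 1)
        (l4 if in_l4 else ip)[key] = val
        in_l4 = in_l4 or key == "PROTO"
    return m.group("prefix"), ip, l4

def conn_key(ip, l4):
    """Connection identity as conntrack sees it: addresses plus ports or echo id."""
    proto = ip.get("PROTO")
    ident = l4.get("ID") if proto == "ICMP" else (l4.get("SPT"), l4.get("DPT"))
    return (ip.get("SRC"), ip.get("DST"), proto, ident)

def find_unmasqueraded(log_text, wan_if="ppp0", forward_prefix="FORWARD PACKET",
                       masq_prefix="matched MASQ RULE"):
    # Connections the FORWARD chain logged leaving via wan_if for which the
    # nat POSTROUTING LOG rule never fired, in order of first appearance.
    outbound, masqueraded = {}, set()
    for line in log_text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None or parsed[1].get("OUT") != wan_if:
            continue  # replies leave via eth0 and are never masqueraded
        prefix, ip, l4 = parsed
        key = conn_key(ip, l4)
        if prefix == forward_prefix:
            outbound.setdefault(key, line)
        elif prefix == masq_prefix:
            masqueraded.add(key)
    return [k for k in outbound if k not in masqueraded]
```

Run it against the real kernel log (for example the output of dmesg) instead of SAMPLE_LOG; a non-empty result lists the connections that left through ppp0 with their private source address intact.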