* Strange iptables behavior
@ 2002-11-27 23:26 Stiven Andre
  0 siblings, 0 replies; only message in thread
From: Stiven Andre @ 2002-11-27 23:26 UTC (permalink / raw)
  To: netfilter

>From: "Stiven Andre" <stiven_a@hotmail.com>
>To: linux-il@linux.org.il
>Subject: Strange iptables behavior
>Date: Wed, 27 Nov 2002 17:28:05 +0200
>
>Hi List.
>
>I have my home network being masqueraded by a Linux router (RH8.0).
>Network topology:
>Linux router (192.168.1.1): eth0 to LAN, eth1 to ADSL modem.
>LAN = 192.168.1.*
>
>I wrote an iptables script that masquerades my network, but the problem is 
>when I run the script for the first time from /etc/rc.d/rc.local it works. 
>But if I then rerun it manually (as root of course) it stops working. Inside 
>hosts don't have access to the internet. My script does clear all old rules 
>at the start of it but it doesn't help or else...
>I tried to clear all old rules manually and then run the script, no luck, 
>still not working. I tried to unload all iptables modules then "insmod 
>ip_tables" and after that to run the script again, nothing, it doesn't help 
>either... Can someone understand what is going on? Why does it work only the 
>first time? After the second execution the rules seem to be the same 
>but inside hosts can't ping the internet.
>There are 2 LOG targets in the script, first with prefix "FORWARD PACKET" 
>and second with prefix "MASQ RULE MATCHED". After the first execution of the 
>script I see 2 logs for each packet, first "FORWARD PACKET" and then "MASQ 
>RULE MATCHED", but after the second execution, when the NAT doesn't work, the 
>logs don't show "MASQ RULE MATCHED"...
>
>Best Regards.
>S.A.
>
>The script:
>
>
>#!/bin/sh
>IPTABLES="/sbin/iptables"
>
># Reset all.
>$IPTABLES -P INPUT ACCEPT
>$IPTABLES -P OUTPUT ACCEPT
>$IPTABLES -P FORWARD ACCEPT
>$IPTABLES -F
>$IPTABLES -X
>$IPTABLES -t nat -F
>
># Modules and targets:
>/sbin/modprobe ipt_LOG
>/sbin/modprobe ipt_REJECT
>/sbin/modprobe ipt_MASQUERADE
>/sbin/modprobe ip_nat_ftp
>/sbin/modprobe ip_nat_irc
>/sbin/modprobe ip_conntrack_ftp
>/sbin/modprobe ip_conntrack_irc
>
># IP Forwarding And Dynamic IP support:
>echo "1" > /proc/sys/net/ipv4/ip_forward
>echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>
># Create chains for packet types:
>$IPTABLES -N tcp_packets
>$IPTABLES -N udp_packets
>$IPTABLES -N icmp_packets
>
># INPUT TABLE:
># Permit ADSL, gre Tunnel (Protocol 47), loopback and a broadcast.
>$IPTABLES -A INPUT -p 47 -s 10.0.0.138 -j ACCEPT
>$IPTABLES -A INPUT -p tcp -s 10.0.0.138 --sport 1723 -j ACCEPT
>$IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
>$IPTABLES -A INPUT -p ALL -d 192.168.1.255 -j ACCEPT
># Ensure that established sessions will not die
>$IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
># Allow FTP active and passive port commands:
>#$IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
>#$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
># Send all other traffic to its chain:
>$IPTABLES -A INPUT -p tcp -j tcp_packets
>$IPTABLES -A INPUT -p udp -j udp_packets
>$IPTABLES -A INPUT -p icmp -j icmp_packets
>
># OUTPUT TABLE:
># Permit all.
>$IPTABLES -A OUTPUT -j ACCEPT
>
># FORWARD TABLE:
>$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
># tcp_packets TABLE:
># World accessible services:
>#$IPTABLES -A tcp_packets -p tcp --dport 21 --syn -j ACCEPT # FTP
>#$IPTABLES -A tcp_packets -p tcp --dport 80 --syn -j ACCEPT # HTTP
># Private services:
>$IPTABLES -A tcp_packets -s 192.168.1.10/32 -p tcp --dport 23 --syn -j ACCEPT # Telnet
>$IPTABLES -A tcp_packets -s 192.168.1.10/24 -p tcp --dport 139 --syn -j ACCEPT # NetBIOS-ssn
>
># udp_packets TABLE:
># Private services:
>$IPTABLES -A udp_packets -s 192.168.1.10/24 -p udp --dport 137 -j ACCEPT # NetBIOS-sn
>$IPTABLES -A udp_packets -s 192.168.1.10/24 -p udp --dport 138 -j ACCEPT # NetBIOS-dgm
>
># MASQUERADING:
>$IPTABLES -t nat -A POSTROUTING -o ppp0 -j LOG --log-level DEBUG --log-prefix "matched MASQ RULE: "
>$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
># Set defaults to drop:
>$IPTABLES -P INPUT ACCEPT
>$IPTABLES -P OUTPUT ACCEPT
>$IPTABLES -P FORWARD ACCEPT
>
># Debug
>$IPTABLES -A FORWARD -j LOG --log-level DEBUG --log-prefix "FORWARD PACKET: "
>$IPTABLES -A INPUT -j LOG --log-level DEBUG --log-prefix "INPUT PACKET: "
>$IPTABLES -A OUTPUT -j LOG --log-level DEBUG --log-prefix "OUTPUT PACKET: "
>


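The symptom described in the post is best confirmed from the kernel log rather than from the rule listing, since the rules look identical between the working and the broken run. The checker below is an added example and not part of the original post: it correlates the two LOG prefixes the script actually emits ("FORWARD PACKET: " in the filter FORWARD chain and "matched MASQ RULE: " in nat POSTROUTING) and reports every connection that left via ppp0 without ever reaching the MASQUERADE rule. It works per connection rather than per packet because the nat table is consulted only for the first packet of a flow, so a single "matched MASQ RULE" entry per connection is the normal case. The log lines, hostname and addresses are constructed sample data in the iptables LOG format; the WAN interface name ppp0 is taken from the script.

```python
import re
from typing import Dict, List, Optional, Tuple

# Prefixes from the two LOG rules in the script above.
FORWARD_PREFIX = "FORWARD PACKET: "
MASQ_PREFIX = "matched MASQ RULE: "
WAN_IF = "ppp0"

_FIELD = re.compile(r"^([A-Z]+)=(.*)$")


def parse_log_line(line: str, prefix: str) -> Optional[Dict[str, str]]:
    """Return the KEY=VALUE fields of an iptables LOG line carrying `prefix`,
    or None if the prefix is absent. The ICMP identifier is stored under
    ICMP_ID because the IP header's own ID= field precedes it on the line."""
    pos = line.find(prefix)
    if pos < 0:
        return None
    fields: Dict[str, str] = {}
    seen_proto = False
    for token in line[pos + len(prefix):].split():
        m = _FIELD.match(token)
        if not m:
            continue  # bare flags such as DF or SYN carry no value
        key, value = m.groups()
        if key == "PROTO":
            seen_proto = True
        elif key == "ID" and seen_proto:
            key = "ICMP_ID"
        fields[key] = value
    return fields


def conn_key(f: Dict[str, str]) -> Tuple[str, ...]:
    """Build a conntrack-like tuple: ICMP echo flows are identified by their
    ID, TCP/UDP flows by source and destination port."""
    proto = f.get("PROTO", "?")
    src, dst = f.get("SRC", ""), f.get("DST", "")
    if proto == "ICMP":
        return (proto, src, dst, f.get("ICMP_ID", ""))
    return (proto, src, dst, f.get("SPT", ""), f.get("DPT", ""))


def find_unmasqueraded(lines: List[str], wan_if: str = WAN_IF) -> List[Tuple[str, ...]]:
    """Return connections forwarded out `wan_if` that never produced a
    "matched MASQ RULE" entry, i.e. flows that left with a private source."""
    forwarded = set()
    masqueraded = set()
    for line in lines:
        f = parse_log_line(line, FORWARD_PREFIX)
        if f is not None:
            if f.get("OUT") == wan_if:
                forwarded.add(conn_key(f))
            continue
        f = parse_log_line(line, MASQ_PREFIX)
        if f is not None and f.get("OUT") == wan_if:
            masqueraded.add(conn_key(f))
    return sorted(k for k in forwarded if k not in masqueraded)


# Constructed sample log (assumed hostname "router", TEST-NET-2 destination).
SAMPLE_LOG = [
    # Run 1: echo request forwarded, then seen by the nat POSTROUTING LOG.
    "Nov 27 17:20:01 router kernel: FORWARD PACKET: IN=eth0 OUT=ppp0 SRC=192.168.1.10 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1",
    "Nov 27 17:20:01 router kernel: matched MASQ RULE: IN= OUT=ppp0 SRC=192.168.1.10 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1",
    # Run 1: HTTP connection, also masqueraded.
    "Nov 27 17:20:05 router kernel: FORWARD PACKET: IN=eth0 OUT=ppp0 SRC=192.168.1.11 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2001 DF PROTO=TCP SPT=1030 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Nov 27 17:20:05 router kernel: matched MASQ RULE: IN= OUT=ppp0 SRC=192.168.1.11 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2001 DF PROTO=TCP SPT=1030 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    # Run 2: same kinds of traffic, but nothing from the nat table LOG.
    "Nov 27 17:31:10 router kernel: FORWARD PACKET: IN=eth0 OUT=ppp0 SRC=192.168.1.10 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1300 DF PROTO=ICMP TYPE=8 CODE=0 ID=513 SEQ=1",
    "Nov 27 17:31:10 router kernel: FORWARD PACKET: IN=eth0 OUT=ppp0 SRC=192.168.1.10 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=1301 DF PROTO=ICMP TYPE=8 CODE=0 ID=513 SEQ=2",
    "Nov 27 17:31:12 router kernel: FORWARD PACKET: IN=eth0 OUT=ppp0 SRC=192.168.1.11 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2100 DF PROTO=TCP SPT=1031 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0",
    # Reply traffic towards the LAN leaves via eth0 and is not checked.
    "Nov 27 17:31:12 router kernel: FORWARD PACKET: IN=ppp0 OUT=eth0 SRC=198.51.100.7 DST=192.168.1.10 LEN=84 TOS=0x00 PREC=0x00 TTL=54 ID=77 PROTO=ICMP TYPE=0 CODE=0 ID=512 SEQ=1",
]

if __name__ == "__main__":
    for key in find_unmasqueraded(SAMPLE_LOG):
        print("forwarded out", WAN_IF, "but never masqueraded:", key)
```

On a live router the same function can be fed the output of `dmesg` or the kernel facility of syslog; an empty result means every new outbound flow hit the masquerade rule, and a non-empty one narrows the fault to the nat POSTROUTING path rather than to filter FORWARD, which is exactly the distinction the poster's two prefixes were chosen to make.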


