From mboxrd@z Thu Jan 1 00:00:00 1970 From: "Andrew B. Cramer" Subject: IP_TABLES Q Date: Mon, 17 Feb 2003 07:07:52 -0600 Sender: linux-admin-owner@vger.kernel.org Message-ID: <3E508A48.29474.B592241@localhost> Reply-To: andrew.cramer@cramer-ts.com Mime-Version: 1.0 Content-Transfer-Encoding: 7BIT Return-path: Content-description: Mail message body List-Id: Content-Type: text/plain; charset="us-ascii" To: linux-admin Hi All, Please look at this and explain where I make the mistake that none of the workstations Masq'd are able to establish a FTP session. Telnet, email, and web browsing work just fine. TIA - Andrew Cramer #!/bin/sh # # rc.firewall-2.4 FWVER=0.70 # # Thanks to David Ranch's IPMasq HowTo # Initial SIMPLE IP Masquerade test for 2.4.x kernels # using IPTABLES. # echo -e "\n\nLoading simple rc.firewall version $FWVER..\n" IPTABLES=/usr/sbin/iptables DEPMOD=/sbin/depmod INSMOD=/sbin/insmod EXTIP="xxx.yyy.zzz.1" # your external IP here. EXTIF="ppp0" INTIF="eth0" echo " External Interface: $EXTIF" echo " Internal Interface: $INTIF" echo -en " loading modules: " echo " - Verifying that all kernel modules are ok" $DEPMOD -a echo "---------------------------------------------------------------- ------" echo -en "ip_tables, " $INSMOD ip_tables echo -en "ip_conntrack, " $INSMOD ip_conntrack echo -en "iptable_nat, " $INSMOD iptable_nat echo "---------------------------------------------------------------- ------" echo ". Done loading modules." echo " enabling forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward echo " clearing any existing rules and setting default policy.." $IPTABLES -P INPUT ACCEPT $IPTABLES -F INPUT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -F OUTPUT $IPTABLES -P FORWARD ACCEPT $IPTABLES -F FORWARD $IPTABLES -t nat -F $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 25 -j ACCEPT $IPTABLES -A INPUT -p TCP -s 0/0 --destination-port 110 -j ACCEPT # Reject telnet sessions from outside (Shouldn't it be 23 ?!?) 
# NOTE(review): the REJECT rule below matches port 21 (FTP control), not telnet (port 23),
# so the comment and the rule disagree. It sits in the INPUT chain, i.e. it only affects
# connections aimed at the firewall host itself, not traffic forwarded for the masqueraded
# workstations, so on its own it does not explain their FTP failures.
# The likelier cause (cannot be confirmed from the listing alone): the module section above
# loads only ip_tables, ip_conntrack and iptable_nat. FTP through MASQUERADE needs the
# protocol helpers ip_conntrack_ftp and ip_nat_ftp as well, so that the separate data
# connection -- opened server->client in active mode -- is tracked as RELATED to the control
# session and NATed back to the right internal host; without the helpers the
# "ESTABLISHED,RELATED" FORWARD rule has nothing to relate it to. Passive-mode transfers,
# where the client opens the data connection outbound, may still work without them.
# Also worth noting from a hardening standpoint: "-P INPUT ACCEPT" leaves every listening
# service on the firewall host reachable from $EXTIF except port 21; a default DROP on INPUT
# with explicit ACCEPTs (25, 110, and anything else intended) is the usual remedy.
# The two PREROUTING DNAT rules for port 443 overlap -- the first one matches first, so the
# second (without :443) is never reached and can be removed.
$IPTABLES -A INPUT -p TCP -i $EXTIF --destination-port 21 -j REJECT # Forward HTTPS requests (change the port number to suit yourself) $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 443 -m state \ --state NEW,ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 443 \ -j DNAT --to 192.168.1.1:443 $IPTABLES -t nat -A PREROUTING -d $EXTIP -p tcp --dport 443 \ -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.1.1 echo " FWD: Allow all connections OUT and only existing and related ones IN" $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT $IPTABLES -A FORWARD -j LOG echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF" $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE echo -e "\nrc.firewall-2.4 v$FWVER done.\n" root@home:/etc/rc.d# iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:smtp ACCEPT tcp -- anywhere anywhere tcp dpt:pop3 REJECT tcp -- anywhere anywhere tcp dpt:ftp reject-with icmp-port-unreachable Chain FORWARD (policy ACCEPT) target prot opt source destination ACCEPT tcp -- anywhere anywhere tcp dpt:https state NEW,RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere LOG all -- anywhere anywhere LOG level warning Chain OUTPUT (policy ACCEPT) target prot opt source destination