Linux Netfilter discussions
From: Sebastian Rodriguez <sniper.mdr@gmail.com>
To: netfilter@lists.netfilter.org
Subject: Problem with Forward
Date: Tue, 8 Mar 2005 18:36:19 +0000
Message-ID: <8568e72d050308103614b8fa93@mail.gmail.com>

First of all, a little description of my situation.
I am in a high school room, where we access the LAN via a proxy.
I also have, besides the school connection, an ADSL connection (ppp0).
I am using a server (connected to the school LAN, to the ADSL and to
my computer) to determine the connection I use. I've set up iptables
rules which work fine for me.
I also wanted to share my connection with a friend.
The problem is that I don't want to give him full access to the ADSL
connection (I don't want him to use eMule or BitTorrent, for example).
If I give him full access to my connection, everything is all right,
but if I put my restrictions in place, he can't even get onto IRC.
His configuration is: he put my server as a gateway, and he put the
official internal IP and DNS.
The strange part is that if I give him full rights, establish the
connection and then put the restrictions on (commenting out the general
forward line), the connection works (he can only use bnet and IRC as I
wanted, but not BT).
Maybe it's just a stupid error, but I don't understand what is wrong :'(
Here is my "little" script:


#!/bin/sh

#-------------------------------------------------
#eth0--> 00:0C:6E:2B:CF:94   Internal LAN (my PC to server) fixed IP
#eth1--> 00:02:44:29:C7:45    School LAN DHCPD
#eth2--> 00:26:54:0C:04:18    ADSL
#-------------------------------------------------

# Route configuration
route del default gw 10.133.15.254
route add -host 10.133.15.254 dev eth1
route add -net 10.0.0.0/8 gw 10.133.15.254
route add -net 192.168.2.0/24 gw 10.133.15.254
route add default gw 84.97.32.1

# Flush everything
iptables -F
iptables -t nat -F
# NAT rules
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/8 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE

# Anti ping of death
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
#---------------------------
# ETH1
#--------------------------
# Refuse ports on eth1
iptables -A INPUT -i eth1 -m state --state NEW,INVALID -j REJECT
iptables -A FORWARD -i eth1 -m state --state NEW,INVALID -j REJECT

# Open ports
iptables -I INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -i eth1 -p udp --dport 80 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 20:21 -j ACCEPT
iptables -I INPUT -i eth1 -p udp --dport 20:21 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 6666:6670 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 7000 -j ACCEPT

#---------------------------
# PPP0
#--------------------------

# Refuse ports on ppp0
iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP

# Open ports
iptables -I INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -i ppp0 -p udp --dport 80 -j ACCEPT
iptables -I INPUT -i ppp0 -p tcp --dport 20:21 -j ACCEPT
iptables -I INPUT -i ppp0 -p udp --dport 20:21 -j ACCEPT
# note: the six rules below match -i eth1, not ppp0, as posted
iptables -I INPUT -i eth1 -p tcp --dport 6666:6670 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 7000 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 4000 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 6112:6119 -j ACCEPT
iptables -I INPUT -i eth1 -p udp --dport 4000 -j ACCEPT
iptables -I INPUT -i eth1 -p udp --dport 6112:6119 -j ACCEPT

#-------------------------
# Program routing
#------------------------
# Direct Connect sharing
iptables -I FORWARD -i eth1 -p tcp --dport 4120:4121 -j ACCEPT
iptables -I FORWARD -i eth1 -p udp --dport 4120:4121 -j ACCEPT
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 4120 -j DNAT --to 192.168.1.111:4120
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 4121 -j DNAT --to 192.168.1.111:4121
iptables -A PREROUTING -t nat -i eth1 -p udp --dport 4120 -j DNAT --to 192.168.1.111:4120
iptables -A PREROUTING -t nat -i eth1 -p udp --dport 4121 -j DNAT --to 192.168.1.111:4121

# eMule routing
iptables -I FORWARD -i ppp0 -p tcp --dport 4662 -j ACCEPT
iptables -I FORWARD -i ppp0 -p udp --dport 4672 -j ACCEPT
iptables -I FORWARD -i ppp0 -p udp --dport 4665 -j ACCEPT
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 4662 -j DNAT --to 192.168.1.111:4662
iptables -A PREROUTING -t nat -i ppp0 -p udp --dport 4672 -j DNAT --to 192.168.1.111:4672
iptables -A PREROUTING -t nat -i ppp0 -p udp --dport 4665 -j DNAT --to 192.168.1.111:4665

# BitTorrent routing
iptables -I FORWARD -i ppp0 -p tcp --dport 6881:6889 -j ACCEPT
iptables -I FORWARD -i ppp0 -p udp --dport 6881:6889 -j ACCEPT
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 6881 -j DNAT --to 192.168.1.111:6881
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 6882 -j DNAT --to 192.168.1.111:6882
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 6883 -j DNAT --to 192.168.1.111:6883
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 6884 -j DNAT --to 192.168.1.111:6884
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 6885 -j DNAT --to 192.168.1.111:6885
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 6886 -j DNAT --to 192.168.1.111:6886
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 6887 -j DNAT --to 192.168.1.111:6887
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 6888 -j DNAT --to 192.168.1.111:6888
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 6889 -j DNAT --to 192.168.1.111:6889

#-----------------------------------
# Sharing with nk, IP 10.133.8.1
#----------------------------------
# General rules
iptables -I INPUT -i eth1 -s 10.133.8.1 -j ACCEPT
#iptables -t nat -A POSTROUTING -s 10.133.8.1/32 -d 192.168.2.0/24 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.133.8.1 -o ppp0 -j MASQUERADE
#iptables -I FORWARD -i eth1 -s 10.133.8.1 -j ACCEPT

# IRC
iptables -I FORWARD -i eth1 -s 10.133.8.1 -p tcp --dport 6666:6670 -j ACCEPT
iptables -I FORWARD -i eth1 -s 10.133.8.1 -p tcp --dport 7000 -j ACCEPT
iptables -I FORWARD -i eth1 -s 10.133.8.1 -p udp --dport 6666:6670 -j ACCEPT
iptables -I FORWARD -i eth1 -s 10.133.8.1 -p udp --dport 7000 -j ACCEPT

# Battle.net
iptables -I FORWARD -i eth1 -s 10.133.8.1 -p tcp --dport 4000 -j ACCEPT
iptables -I FORWARD -i eth1 -s 10.133.8.1 -p udp --dport 4000 -j ACCEPT
iptables -I FORWARD -i eth1 -s 10.133.8.1 -p tcp --dport 6112:6119 -j ACCEPT
iptables -I FORWARD -i eth1 -s 10.133.8.1 -p udp --dport 6112:6119 -j ACCEPT

iptables -I FORWARD -i eth1 -s 10.133.8.1 -p tcp --dport 20:21 -j ACCEPT
iptables -I FORWARD -i eth1 -s 10.133.8.1 -p udp --dport 20:21 -j ACCEPT
iptables -I FORWARD -i eth1 -s 10.133.8.1 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -i eth1 -s 10.133.8.1 -p udp --dport 80 -j ACCEPT


Thanks for your answers :D


----------

Sébastien Rodriguez
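An added example, not part of the original message: a small Python replay of a subset of the script's FORWARD rules that honours the ordering iptables actually produces (-I inserts at the head of the chain, -A appends), then evaluates constructed packets forwarded from the friend's host on eth1. It assumes the FORWARD policy is ACCEPT, since the script never sets one, and models only the -i, -s, -p, --dport and state matches the script uses.

```python
import shlex

POLICY = "ACCEPT"  # assumption: the script never sets -P FORWARD, so the default applies
# Subset of the script's FORWARD commands, in the order the script runs them.
FORWARD_CMDS = [
    "iptables -A FORWARD -i eth1 -m state --state NEW,INVALID -j REJECT",
    "iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP",
    "iptables -I FORWARD -i ppp0 -p tcp --dport 6881:6889 -j ACCEPT",
    "iptables -I FORWARD -i eth1 -s 10.133.8.1 -p tcp --dport 6666:6670 -j ACCEPT",
    "iptables -I FORWARD -i eth1 -s 10.133.8.1 -p tcp --dport 7000 -j ACCEPT",
    "iptables -I FORWARD -i eth1 -s 10.133.8.1 -p tcp --dport 6112:6119 -j ACCEPT",
    "iptables -I FORWARD -i eth1 -s 10.133.8.1 -p tcp --dport 80 -j ACCEPT",
]

def parse(cmd):
    """Reduce one iptables command to (action, match dict, target)."""
    argv = shlex.split(cmd)  # every option used here takes exactly one value
    opts = {argv[i]: argv[i + 1] for i in range(1, len(argv) - 1) if argv[i].startswith("-")}
    ports = None
    if "--dport" in opts:  # "80" -> (80, 80); "6881:6889" -> (6881, 6889)
        lo, hi = (opts["--dport"].split(":") * 2)[:2]
        ports = (int(lo), int(hi))
    match = {"iface": opts.get("-i"), "src": opts.get("-s"), "proto": opts.get("-p"),
             "ports": ports,
             "states": set(opts["--state"].split(",")) if "--state" in opts else None}
    return ("-I" if "-I" in opts else "-A"), match, opts["-j"]

def build_chain(cmds):
    """-I without a position inserts at the head of the chain; -A appends."""
    chain = []
    for cmd in cmds:
        action, match, target = parse(cmd)
        chain.insert(0 if action == "-I" else len(chain), (match, target))
    return chain

def matches(m, pkt):
    return ((m["iface"] is None or m["iface"] == pkt["iface"])
            and (m["src"] is None or m["src"] == pkt["src"])
            and (m["proto"] is None or m["proto"] == pkt["proto"])
            and (m["ports"] is None or m["ports"][0] <= pkt["dport"] <= m["ports"][1])
            and (m["states"] is None or pkt["state"] in m["states"]))

def verdict(chain, pkt):
    """First matching rule wins; with no match the chain policy applies."""
    for match, target in chain:
        if matches(match, pkt):
            return target
    return POLICY

def friend(proto, dport, state="NEW"):
    # constructed packet forwarded from the friend's host (10.133.8.1) via eth1
    return {"iface": "eth1", "src": "10.133.8.1", "proto": proto, "dport": dport, "state": state}

CHAIN = build_chain(FORWARD_CMDS)
```

Any NEW flow from 10.133.8.1 that is not on the explicit port list, DNS on udp/53 included, falls through to the eth1 REJECT rule, so running the full rule set through a replay like this shows exactly which rule produced a verdict before any rule is blamed.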



Thread overview: 2+ messages
2005-03-08 18:36 Sebastian Rodriguez [this message]
2005-03-08 18:42 ` Problem with Forward it clown
