Linux Netfilter discussions
* Still having problems with forwarding
@ 2004-03-15  8:36 netfilter
  2004-03-15  8:50 ` Still having problems with forwarding Antony Stone
  0 siblings, 1 reply; 3+ messages in thread
From: netfilter @ 2004-03-15  8:36 UTC (permalink / raw)
  To: netfilter


Hi,

I'm still having a lot of problems with the forwarding of my VPN tunnel.
Now I can't connect to my system at all?
The rest of my script (emule) has problems too, after I applied the pptp patch with pom
and compiled the newest iptables version into my kernel.

System scheme:
http://support.sbgit.com/Firewall.jpg

Firewall Script:
http://support.sbgit.com/firewall

Thanx Peter


* Re: Still having problems with forwarding
  2004-03-15  8:36 Still having problems with forwarding netfilter
@ 2004-03-15  8:50 ` Antony Stone
  0 siblings, 0 replies; 3+ messages in thread
From: Antony Stone @ 2004-03-15  8:50 UTC (permalink / raw)
  To: netfilter

On Monday 15 March 2004 8:36 am, Peter <netfilter@sbgit.com> wrote:

> Hi,
>
> I'm still having a lot of problems with the forwarding of my VPN tunnel.
> Now I can't connect to my system at all?
> The rest of my script (emule) has problems too, after I applied the pptp
> patch with pom and compiled the newest iptables version into my kernel.

1. Can you be more specific about exactly what problems you are having - what 
does work, what does not work, how are you testing it?

2. Is it possible that you can simplify your ruleset by removing rules which 
are nice to have, but have nothing to do with this problem (eg: the 
rate-limited DROP rules, and the TCP flag matches), so that it is easier to 
know what to focus on, and what is unimportant?

Regards,

Antony.

-- 
Most people are aware that the Universe is big.

 - Paul Davies, Professor of Theoretical Physics

Please reply to the list;
please don't CC me.




* Still having problems with forwarding
@ 2004-03-15 13:26 peter.gehle
  0 siblings, 0 replies; 3+ messages in thread
From: peter.gehle @ 2004-03-15 13:26 UTC (permalink / raw)
  To: netfilter

Is this a good and secure firewall script?

Thanx Peter
----------------------------------------------------
#! /bin/sh

echo "1" > /proc/sys/net/ipv4/ip_forward # Enable IP forwarding

# Flush, delete, create #
#########################
iptables -F
iptables -F -t nat

iptables -F sperre
iptables -X sperre
iptables -N sperre
iptables -F sperre

# first contact #
#################
iptables -A sperre -i eth1 ! -s 192.168.1.0/24 -j DROP                                              # Drop everything on the LAN interface that does not come from the local LAN
iptables -A sperre -i eth1 -p tcp -m multiport --dports 19,21,22,25,3389,1723,23000:23001 -j ACCEPT # Allow the LAN outbound only on specific TCP ports (--dport needs -p tcp; multiport takes the list)
iptables -A sperre -i lo -s 127.0.0.0/8 -j ACCEPT                                                   # Allow everything from loopback
iptables -A sperre -i eth0 -s 192.168.1.0/24 -j DROP                                                # Drop packets that come from outside with a LAN source address (spoofing)

# acceptstuff #
###############
iptables -A sperre -p tcp --dport 21 -j ACCEPT             # ftp
iptables -A sperre -p tcp --dport 23001 -j ACCEPT          # Battlefield Server
iptables -A sperre -p tcp --dport 90 -j ACCEPT             # DVISE
iptables -A sperre -p tcp --dport 80 -j ACCEPT             # HTTP
iptables -A sperre -p tcp --dport 3389 -j ACCEPT           # VPN

# Allow replies #
#################
iptables -A sperre -m state --state ESTABLISHED,RELATED -j ACCEPT

# Reject everything else (RFC-conform) #
########################################
iptables -A sperre -p tcp -j REJECT --reject-with tcp-reset
iptables -A sperre -p udp -j REJECT --reject-with icmp-port-unreachable

# Activate sperre #
###################
iptables -A INPUT -j sperre
iptables -A FORWARD -j sperre
iptables -P INPUT DROP
iptables -P FORWARD DROP

iptables -P OUTPUT ACCEPT         # output accept
iptables -t nat -P OUTPUT ACCEPT

# NAT #
#######
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 21 -j DNAT --to 192.168.1.198        # FTP to FTP-Server
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 3389 -j DNAT --to 192.168.1.220      # Terminal Server
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 1723 -j DNAT --to 192.168.1.2        # VPN Server
iptables -A PREROUTING -t nat -i eth0 -p 47 -j DNAT --to 192.168.1.220                    # VPN Server
iptables -A PREROUTING -t nat -i eth0 -p 37 -j DNAT --to 192.168.1.220                    # VPN Server
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 4661:4662 -j DNAT --to 192.168.1.198 # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 6343 -j DNAT --to 192.168.1.198      # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 6300 -j DNAT --to 192.168.1.198      # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 4242 -j DNAT --to 192.168.1.198      # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 8888 -j DNAT --to 192.168.1.198      # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 6661:6662 -j DNAT --to 192.168.1.198 # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 4665 -j DNAT --to 192.168.1.198      # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 4672 -j DNAT --to 192.168.1.198      # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 6665 -j DNAT --to 192.168.1.198      # EDONKEY

# Special Rules
iptables -A INPUT -i eth0 -s 0/0 -p tcp --destination-port 25 -j ACCEPT
iptables -A OUTPUT -o eth1 -s 0/0 -p tcp --destination-port 25 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --destination-port 25 -j ACCEPT
iptables -A OUTPUT -o eth0 -s 0/0 -p tcp --destination-port 25 -j ACCEPT

iptables -A INPUT -i lo -p tcp --destination-port 10024 -j ACCEPT   # -i was missing before the interface name
iptables -A OUTPUT -o lo -p tcp --destination-port 10024 -j ACCEPT

iptables -A INPUT -i lo -p tcp --destination-port 10025 -j ACCEPT
iptables -A OUTPUT -o lo -p tcp --destination-port 10025 -j ACCEPT

echo "Firewall started"
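Two things in the posted script are worth checking mechanically, since they bear directly on the forwarding problem described in this thread: the PPTP control port (TCP 1723) is DNATed to 192.168.1.2 while GRE (IP protocol 47) goes to 192.168.1.220, and the eth1 rule uses --dport without -p tcp. The POSIX shell checks below are an added example, not part of the thread; they operate on a constructed excerpt of the posted rules embedded as text, need neither root nor the iptables binary, and the function names are my own.

```shell
#!/bin/sh
# Added example: offline sanity checks for an iptables script. RULES is a
# constructed excerpt of the posted script (comments stripped); a real run
# would read the script file instead.
RULES='iptables -A sperre -i eth1 --dport 22,19,21,22,25,3389,1723,23000:23001 -j ACCEPT
iptables -A sperre -p tcp --dport 3389 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 1723 -j DNAT --to 192.168.1.2
iptables -A PREROUTING -t nat -i eth0 -p 47  -j DNAT --to 192.168.1.220
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 3389 -j DNAT --to 192.168.1.220'

# Print the DNAT destination of the first DNAT rule containing the given
# match fragment (e.g. "--dport 1723" or "-p 47"); print nothing if none.
dnat_target() {
    printf '%s\n' "$RULES" | grep -F -- "$1" | grep -F -- '-j DNAT' \
        | sed -n 's/.*--to \([0-9.]*\).*/\1/p' | head -n 1
}

# PPTP is two flows: the TCP 1723 control connection and the GRE (protocol 47)
# tunnel that carries the data. Both must be forwarded to the same internal
# host, otherwise the tunnel negotiates but never passes traffic.
# Returns 0 when the two DNAT targets agree, 1 otherwise.
pptp_dnat_consistent() {
    ctrl=$(dnat_target '--dport 1723')
    gre=$(dnat_target '-p 47')
    [ -n "$ctrl" ] && [ -n "$gre" ] && [ "$ctrl" = "$gre" ]
}

# Count rules that use --dport without "-p tcp" or "-p udp". iptables rejects
# such a rule, so it is simply never installed; because the script has no
# "set -e", the remaining lines still run and the error only scrolls by at
# boot, leaving a gap the author believes is covered.
count_dport_without_proto() {
    printf '%s\n' "$RULES" | grep -F -- '--dport' | grep -c -v -E -- '-p (tcp|udp)'
}

echo "PPTP control and GRE forwarded to the same host: $(pptp_dnat_consistent && echo yes || echo no)"
echo "Rules using --dport without a protocol match: $(count_dport_without_proto)"
```

Run against the excerpt above it reports "no" for the PPTP check and one rule lacking a protocol match; the same two functions can be pointed at the full script by setting RULES to its contents.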


