From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Still having problems with forwarding
Date: 15 Mar 2004 08:36:00 UT
Sender: netfilter-admin@lists.netfilter.org
To: netfilter@lists.netfilter.org

Hi,

I still have a lot of problems with the forwarding of my VPN tunnel.
Now I can't connect to my system anyway?
The rest of my script (emule) has problems too, after I applied the pptp patch with pom
and compiled the newest iptables version into my kernel.

System scheme: http://support.sbgit.com/Firewall.jpg

Firewall script: http://support.sbgit.com/firewall

Thanx
Peter
From mboxrd@z Thu Jan 1 00:00:00 1970
From: Antony Stone
Subject: Re: Still having problems with forwarding
Date: Mon, 15 Mar 2004 08:50:29 +0000
Sender: netfilter-admin@lists.netfilter.org
Message-ID: <200403150850.29824.Antony@Soft-Solutions.co.uk>
To: netfilter@lists.netfilter.org

On Monday 15 March 2004 8:36 am, Peter wrote:
> Hi,
>
> I still have a lot of problems with the forwarding of my VPN tunnel.
> Now I can't connect to my system anyway?
> The rest of my script (emule) has problems too, after I applied the pptp
> patch with pom and compiled the newest iptables version into my kernel.

1. Can you be more specific about exactly what problems you are having - what
does work, what does not work, how are you testing it?

2. Is it possible that you can simplify your ruleset by removing rules which
are nice to have, but have nothing to do with this problem (eg: the
rate-limited DROP rules, and the TCP flag matches), so that it is easier to
know what to focus on, and what is unimportant?

Regards,

Antony.

--
Most people are aware that the Universe is big.

 - Paul Davies, Professor of Theoretical Physics

Please reply to the list; please don't CC me.

From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Still having problems with forwarding
Date: 15 Mar 2004 13:26:22 UT
Sender: netfilter-admin@lists.netfilter.org
To: netfilter@lists.netfilter.org

Is this a good and secure Firewall Script?
Thanx
Peter

----------------------------------------------------
#!/bin/sh

echo "1" > /proc/sys/net/ipv4/ip_forward      # Enable IP forwarding

# Flush, delete, create #
################################################################
iptables -F
iptables -F -t nat
iptables -F sperre
iptables -X sperre
iptables -N sperre
iptables -F sperre

# first contact #
#################
iptables -A sperre -i eth1 -s ! 192.168.1.0/255.255.255.0 -j DROP       # Drop everything from the LAN interface that does not come from the local LAN
iptables -A sperre -i eth1 -p tcp -m multiport --dports 22,19,21,22,25,3389,1723,23000:23001 -j ACCEPT   # Allow outbound only for specific ports (a port list needs -p tcp and -m multiport)
iptables -A sperre -i lo -s 127.0.0.1/255.0.0.0 -j ACCEPT                # Allow everything from loopback
iptables -A sperre -i eth0 -s 192.168.1.0/255.255.255.0 -j DROP          # Drop everything coming from outside with LAN source IPs (spoofed)

# acceptstuff #
###############
iptables -A sperre -p tcp --dport 21 -j ACCEPT              # ftp
iptables -A sperre -p tcp --dport 23001:23001 -j ACCEPT     # Battlefield Server
iptables -A sperre -p tcp --dport 90 -j ACCEPT              # DVISE
iptables -A sperre -p tcp --dport 80 -j ACCEPT              # HTTP
iptables -A sperre -p tcp --dport 3389 -j ACCEPT            # VPN

# Allow replies #
#################
iptables -A sperre -m state --state ESTABLISHED,RELATED -j ACCEPT

# Reject everything else (RFC-conform) #
#######################################
iptables -A sperre -p tcp -j REJECT --reject-with tcp-reset
iptables -A sperre -p udp -j REJECT --reject-with icmp-port-unreachable

# activating sperre #
#####################
iptables -A INPUT -j sperre
iptables -A FORWARD -j sperre
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT            # output accept
iptables -t nat -P OUTPUT ACCEPT

# NAT #
#######
iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 21 -j DNAT --to 192.168.1.198          # FTP to FTP-Server
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 3389 -j DNAT --to 192.168.1.220        # Terminal Server
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 1723 -j DNAT --to 192.168.1.2          # VPN Server
iptables -A PREROUTING -t nat -i eth0 -p 47 -j DNAT --to 192.168.1.220                      # VPN Server
iptables -A PREROUTING -t nat -i eth0 -p 37 -j DNAT --to 192.168.1.220                      # VPN Server
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 4661:4662 -j DNAT --to 192.168.1.198   # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 6343 -j DNAT --to 192.168.1.198        # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 6300 -j DNAT --to 192.168.1.198        # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 4242 -j DNAT --to 192.168.1.198        # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 8888 -j DNAT --to 192.168.1.198        # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 6661:6662 -j DNAT --to 192.168.1.198   # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 4665 -j DNAT --to 192.168.1.198        # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 4672 -j DNAT --to 192.168.1.198        # EDONKEY
iptables -A PREROUTING -t nat -i eth0 -p udp --dport 6665 -j DNAT --to 192.168.1.198        # EDONKEY

# Special Rules
iptables -A INPUT -i eth0 -s 0/0 -p tcp --destination-port 25 -j ACCEPT
iptables -A OUTPUT -o eth1 -s 0/0 -p tcp --destination-port 25 -j ACCEPT
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -p tcp --destination-port 25 -j ACCEPT
iptables -A OUTPUT -o eth0 -s 0/0 -p tcp --destination-port 25 -j ACCEPT
iptables -A INPUT -i lo -p tcp --destination-port 10024 -j ACCEPT     # -i was missing before "lo"
iptables -A OUTPUT -o lo -p tcp --destination-port 10024 -j ACCEPT
iptables -A INPUT -i lo -p tcp --destination-port 10025 -j ACCEPT
iptables -A OUTPUT -o lo -p tcp --destination-port 10025 -j ACCEPT

echo "Firewall started"
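An added example, not part of the thread and not Peter's script: a small Python checker that parses an iptables rule script and lists every DNAT rule whose protocol and port have no ACCEPT on the FORWARD path (DNATed connections still traverse FORWARD, so with a DROP policy they need their own accept). The rule excerpt used as input is a constructed subset of the posted script; the function names are hypothetical.

```python
import shlex

# Constructed excerpt of the posted rule set (hypothetical input for the checker below):
RULES = """
iptables -A sperre -p tcp --dport 3389 -j ACCEPT            # terminal server
iptables -A sperre -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j sperre
iptables -P FORWARD DROP
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 3389 -j DNAT --to 192.168.1.220
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 1723 -j DNAT --to 192.168.1.2
iptables -A PREROUTING -t nat -i eth0 -p 47 -j DNAT --to 192.168.1.220
"""

# Targets that end rule traversal (None covers rules without -j); any other -j is a user chain.
TERMINAL = {"ACCEPT", "DROP", "REJECT", "DNAT", "MASQUERADE", "RETURN", None}

def parse(line):
    """Map each option of one iptables command to its value (True if it takes none)."""
    toks = shlex.split(line.split("#", 1)[0])
    if not toks:
        return None
    opts, i = {}, 1                       # toks[0] is the iptables binary itself
    while i < len(toks):
        if toks[i].startswith("-"):
            has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
            opts[toks[i]] = toks[i + 1] if has_val else True
            i += 2 if has_val else 1
        else:
            i += 1                        # stray argument, e.g. the policy after -P CHAIN
    return opts

def forward_accepts(rules):
    """(proto, dport) pairs ACCEPTed by FORWARD or any user chain it jumps to; '*' = any."""
    reached = {"FORWARD"}
    for _ in rules:                       # fixpoint over -j jumps into user-defined chains
        reached |= {r["-j"] for r in rules if r.get("-A") in reached and r.get("-j") not in TERMINAL}
    # Stateful ACCEPTs only cover replies, so they do not count as opening a port.
    return {(r.get("-p", "*"), r.get("--dport", "*")) for r in rules
            if r.get("-A") in reached and r.get("-j") == "ACCEPT" and "--state" not in r}

def unforwarded_dnats(text):
    """DNAT rules whose rewritten traffic has no ACCEPT on the FORWARD path (ports compared literally)."""
    rules = [r for r in map(parse, text.splitlines()) if r]
    ok = forward_accepts(rules)
    missing = []
    for r in (r for r in rules if r.get("-j") == "DNAT"):
        proto, port = r.get("-p", "*"), r.get("--dport", "*")
        if not ({(proto, port), (proto, "*"), ("*", "*")} & ok):
            missing.append((proto, port, r.get("--to")))
    return missing
```

Run against the excerpt, it reports the tcp/1723 and protocol 47 DNATs as having no FORWARD accept while 3389 passes.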