iptables and pptp server problem [Long Post]
Trevor
trevor at gnuguy.com
Wed Jul 28 19:48:52 UTC 2004
>The script is taken from http://martybugs.net/smoothwall/vpn.cgi
>which is for Smoothwall.
>> With no success. I suspect that it could be the mppe-ppp modules causing
>> problems. I'm sure that TCP/port 1723 is forwarding properly... but that's
>> all I see when I do an "iptstate" when trying to connect.
>Do you have Smoothwall installed or do you have any other iptables rules
>active which may block previous to your VPN rules? Your host is directly
>connected to the net through eth1?
>Alexander
iptables v1.2.5 on 2.4 kernel
No, it's not Smoothwall. Here is the current output of my firewall. Can
you see if there is something else blocking my PPTP GRE forwarding? BTW,
sorry for hijacking the thread. I won't do it again. :-)
$ service masq status
Table: filter
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 224.0.0.0/4 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 224.0.0.0/4
DROP all -- 224.0.0.0/4 0.0.0.0/0
DROP all -- 0.0.0.0/0 224.0.0.0/4
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
icmpIn icmp -- 0.0.0.0/0 0.0.0.0/0
InputAllowIPSEC all -- 0.0.0.0/0 0.0.0.0/0
InputAllowLocals all -- 0.0.0.0/0 0.0.0.0/0
InboundTCP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
InboundUDP udp -- 0.0.0.0/0 0.0.0.0/0
denylog udp -- 0.0.0.0/0 0.0.0.0/0
esp-in esp -- 0.0.0.0/0 0.0.0.0/0
denylog esp -- 0.0.0.0/0 0.0.0.0/0
gre-in 47 -- 0.0.0.0/0 0.0.0.0/0
denylog 47 -- 0.0.0.0/0 0.0.0.0/0
denylog all -- 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy DROP)
target prot opt source destination
ForwardAllowIPSEC all -- 0.0.0.0/0 0.0.0.0/0
ForwardAllowLocals all -- 0.0.0.0/0 0.0.0.0/0
denylog all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 224.0.0.0/4 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 224.0.0.0/4
DROP all -- 224.0.0.0/4 0.0.0.0/0
DROP all -- 0.0.0.0/0 224.0.0.0/4
icmpOut icmp -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain ForwardAllowIPSEC (1 references)
target prot opt source destination
Chain ForwardAllowLocals (1 references)
target prot opt source destination
ForwardAllowLocals_18960 all -- 0.0.0.0/0 0.0.0.0/0
Chain ForwardAllowLocals_18960 (1 references)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 192.168.0.0/24
Chain InboundTCP (1 references)
target prot opt source destination
InboundTCP_18960 all -- 0.0.0.0/0 0.0.0.0/0
denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02
Chain InboundTCP_18960 (1 references)
target prot opt source destination
denylog all -- 0.0.0.0/0 !66.xxx.xx.xxx
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:443
denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:143
denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:389
denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110
denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
denylog tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23
Chain InboundUDP (1 references)
target prot opt source destination
InboundUDP_18960 all -- 0.0.0.0/0 0.0.0.0/0
denylog udp -- 0.0.0.0/0 0.0.0.0/0
Chain InboundUDP_18960 (1 references)
target prot opt source destination
denylog all -- 0.0.0.0/0 !66.xxx.xx.xxx
denylog udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:500
Chain InputAllowIPSEC (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain InputAllowLocals (1 references)
target prot opt source destination
InputAllowLocals_18960 all -- 0.0.0.0/0 0.0.0.0/0
Chain InputAllowLocals_18960 (1 references)
target prot opt source destination
ACCEPT all -- 192.168.0.0/24 0.0.0.0/0
Chain denylog (22 references)
target prot opt source destination
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:520
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:137:139
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpts:137:139
LOG all -- 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 4
DROP all -- 0.0.0.0/0 0.0.0.0/0
Chain esp-in (1 references)
target prot opt source destination
denylog all -- 0.0.0.0/0 !66.xxx.xx.xxx
denylog all -- 0.0.0.0/0 0.0.0.0/0
Chain gre-in (1 references)
target prot opt source destination
denylog all -- 0.0.0.0/0 !66.xxx.xx.xxx
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
Chain icmpIn (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 4
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 12
denylog all -- 0.0.0.0/0 0.0.0.0/0
Chain icmpOut (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 0
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 3
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 4
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 12
denylog all -- 0.0.0.0/0 0.0.0.0/0
Table: nat
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
PreroutingBypassIPSEC all -- 0.0.0.0/0 0.0.0.0/0
TransProxy tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
PortForwarding all -- 0.0.0.0/0 0.0.0.0/0
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain PortForwarding (1 references)
target prot opt source destination
PortForwarding_18960 all -- 0.0.0.0/0 66.xxx.xx.xxx
Chain PortForwarding_18960 (1 references)
target prot opt source destination
Chain PreroutingBypassIPSEC (1 references)
target prot opt source destination
Chain TransProxy (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 127.0.0.1
ACCEPT all -- 0.0.0.0/0 192.168.0.10
ACCEPT all -- 0.0.0.0/0 66.xxx.xx.xxx
DNAT tcp -- 0.0.0.0/0 0.0.0.0/0 to:192.168.0.10:3128
Table: mangle
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
TOS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10
TOS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10
TOS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:23 TOS set 0x10
TOS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:25 TOS set 0x10
TOS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 TOS set 0x10
TOS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 TOS set 0x10
TOS tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08
Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
#!/bin/sh
# chkconfig: 345 82 35
# description: Configures IP masquerading.
INTERNALIF=eth0
OUTERIF=eth1
OUTERNET=66.xxx.xx.xxx
if [ -z "$OUTERNET" ]
then
# Make sure that OUTERNET is set to a syntactically valid value
# so that the iptables syntax is at least correct
OUTERNET=1.2.3.4
fi
adjust_tcp_in() {
local dport=$1
local target=$2
local chain=$3
# Add the rule requested.
/sbin/iptables --append $chain --protocol tcp --dport $dport \
--in-interface $OUTERIF --jump $target
# Catch any matching return, just in case.
#/sbin/iptables --append $3 --protocol tcp --dport $1 \
#--in-interface $OUTERIF --jump denylog
}
adjust_udp_in() {
local dport=$1
local target=$2
local chain=$3
# Add the rule requested.
/sbin/iptables --append $chain --protocol udp --dport $dport \
--in-interface $OUTERIF --jump $target
# Catch any matching return, just in case.
#/sbin/iptables --append $3 --protocol udp --dport $1 \
#--in-interface $OUTERIF --jump denylog
}
get_safe_id() {
# Expect arguments of: chain_name, table, mode, where mode can be
# either find or new
local chain_name=$1
local table=$2
local mode=$3
# Find the existing numbered chain.
current=$(/sbin/iptables --table $table --list $chain_name --numeric \
| sed -n '3s/ .*//p')
if [ "x$current" = "x" ]; then
# We didn't find it.
echo "ERROR: Cannot find chain $chain_name in table $table" 1>&2
exit 1
fi
# If we're in find mode, return this chain.
case "$mode" in
find)
echo $current ;;
new)
# Make sure the number on this chain doesn't conflict with our
# process ID.
current_id=$(echo $current | sed 's/^[a-zA-Z][a-zA-Z]*_\([0-9][0-9]*\)/\1/')
if [ "x$current_id" = "x" ]; then
echo "ERROR: Cannot find process ID on chain name" 1>&2
exit 1
fi
# If it conflicts with our process ID, add one to ours.
if [ $current_id -eq $$ ]; then
echo ${chain_name}_$(expr $$ + 1)
else
echo ${chain_name}_$$
fi
;;
esac
}
case "$1" in
start)
echo -n "Enabling IP masquerading: "
/sbin/iptables -F -t filter
/sbin/iptables -F -t nat
/sbin/iptables -F -t mangle
/sbin/iptables -X -t filter
/sbin/iptables -X -t nat
/sbin/iptables -X -t mangle
/sbin/iptables --flush FORWARD
/sbin/iptables --flush INPUT
/sbin/iptables --flush OUTPUT
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/iptables --new-chain denylog
/sbin/iptables --append denylog --jump DROP
/sbin/iptables --append denylog --jump DROP
/sbin/iptables --append denylog --jump DROP
/sbin/iptables --append denylog --jump DROP
/sbin/iptables --append denylog --jump DROP
# Set ftp, ssh, telnet, smtp, www and pop3 for minimum delay
for port in 21 22 23 25 80 110
do
/sbin/iptables --table mangle --append OUTPUT \
--protocol tcp --dport $port \
-j TOS --set-tos Minimize-Delay
done
# Set ftp-data for maximum throughput
/sbin/iptables --table mangle --append OUTPUT \
--protocol tcp --dport 20 \
-j TOS --set-tos Maximize-Throughput
# TODO - this hasn't yet been converted for iptables - does it
# need to be?
# set timeouts for tcp tcpfin udp
#/sbin/iptables --masquerading --set 14400 60 600
# Source address verification (rp_filter) is switched OFF here;
# write 1 instead of 0 to turn it on.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 0 > $f
done
/sbin/iptables --append INPUT -i lo -j ACCEPT
/sbin/iptables --append OUTPUT -o lo -j ACCEPT
# Permit multicast traffic to and from the internal interface.
/sbin/iptables --append INPUT -s 224.0.0.0/4 \
--in-interface $INTERNALIF --jump ACCEPT
/sbin/iptables --append INPUT -d 224.0.0.0/4 \
--in-interface $INTERNALIF --jump ACCEPT
/sbin/iptables --append OUTPUT -s 224.0.0.0/4 \
--out-interface $INTERNALIF --jump ACCEPT
/sbin/iptables --append OUTPUT -d 224.0.0.0/4 \
--out-interface $INTERNALIF --jump ACCEPT
# Drop all other multicast traffic.
/sbin/iptables --append INPUT -s 224.0.0.0/4 -j DROP
/sbin/iptables --append INPUT -d 224.0.0.0/4 -j DROP
/sbin/iptables --append OUTPUT -s 224.0.0.0/4 -j DROP
/sbin/iptables --append OUTPUT -d 224.0.0.0/4 -j DROP
# Set up chains which allow us to bypass prerouting for IPSEC networks
/sbin/iptables --table nat --new-chain PreroutingBypassIPSEC
/sbin/iptables --table nat --append PREROUTING --jump PreroutingBypassIPSEC
/sbin/iptables --table nat --new-chain TransProxy
/sbin/iptables --table nat --append PREROUTING\
-p tcp --dport 80 -j TransProxy
/sbin/iptables --table nat --append TransProxy \
--destination 127.0.0.1 --jump ACCEPT
/sbin/iptables --table nat --append TransProxy \
--destination 192.168.0.10 --jump ACCEPT
/sbin/iptables --table nat --append TransProxy \
--destination $OUTERNET --jump ACCEPT
/sbin/iptables --table nat --append TransProxy\
-p TCP -j DNAT --to 192.168.0.10:3128
# Allow any already established or related connection
/sbin/iptables --append INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables --new-chain icmpIn
/sbin/iptables --append INPUT --protocol icmp --jump icmpIn
/sbin/iptables --append icmpIn --proto icmp --icmp-type echo-request --jump ACCEPT
/sbin/iptables --append icmpIn --proto icmp --icmp-type echo-reply --jump ACCEPT
/sbin/iptables --append icmpIn --proto icmp --icmp-type destination-unreachable --jump ACCEPT
/sbin/iptables --append icmpIn --proto icmp --icmp-type source-quench --jump ACCEPT
/sbin/iptables --append icmpIn --proto icmp --icmp-type time-exceeded --jump ACCEPT
/sbin/iptables --append icmpIn --proto icmp --icmp-type parameter-problem --jump ACCEPT
/sbin/iptables --new-chain icmpOut
/sbin/iptables --append OUTPUT --protocol icmp --jump icmpOut
/sbin/iptables --append icmpOut --proto icmp --icmp-type echo-request --jump ACCEPT
/sbin/iptables --append icmpOut --proto icmp --icmp-type echo-reply --jump ACCEPT
/sbin/iptables --append icmpOut --proto icmp --icmp-type destination-unreachable --jump ACCEPT
/sbin/iptables --append icmpOut --proto icmp --icmp-type source-quench --jump ACCEPT
/sbin/iptables --append icmpOut --proto icmp --icmp-type time-exceeded --jump ACCEPT
/sbin/iptables --append icmpOut --proto icmp --icmp-type parameter-problem --jump ACCEPT
# Set up chains which allow us to capture IPSEC connections
/sbin/iptables --new-chain InputAllowIPSEC
/sbin/iptables --append InputAllowIPSEC -i ipsec+ -j ACCEPT
/sbin/iptables --append INPUT --jump InputAllowIPSEC
/sbin/iptables --new-chain ForwardAllowIPSEC
/sbin/iptables --append FORWARD --jump ForwardAllowIPSEC
# Set up chains which allow us to capture local networks
/sbin/iptables --new-chain InputAllowLocals
/sbin/iptables --new-chain InputAllowLocals_1
/sbin/iptables --append InputAllowLocals --jump InputAllowLocals_1
/sbin/iptables --append INPUT --jump InputAllowLocals
/sbin/iptables --new-chain ForwardAllowLocals
/sbin/iptables --new-chain ForwardAllowLocals_1
/sbin/iptables --append ForwardAllowLocals --jump ForwardAllowLocals_1
/sbin/iptables --append FORWARD --jump ForwardAllowLocals
/sbin/iptables --append POSTROUTING -t nat -o $OUTERIF -j MASQUERADE
/sbin/iptables --new-chain InboundTCP
/sbin/iptables --new-chain InboundTCP_1
/sbin/iptables --append INPUT --protocol tcp --syn --jump InboundTCP
/sbin/iptables --append InboundTCP --protocol tcp --syn --jump InboundTCP_1
# Catch any returns, just in case
/sbin/iptables --append INPUT --protocol tcp --syn --jump denylog
/sbin/iptables --append InboundTCP --protocol tcp --syn --jump denylog
/sbin/iptables --new-chain InboundUDP
/sbin/iptables --new-chain InboundUDP_1
/sbin/iptables --append INPUT --protocol udp --in-interface $OUTERIF \
--jump InboundUDP
/sbin/iptables --append InboundUDP --protocol udp --jump InboundUDP_1
# Catch any returns, just in case
/sbin/iptables --append INPUT --protocol udp --in-interface $OUTERIF \
--jump denylog
/sbin/iptables --append InboundUDP --protocol udp --jump denylog
/sbin/iptables -t nat --new-chain PortForwarding
/sbin/iptables -t nat --new-chain PortForwarding_1
/sbin/iptables -t nat --append PREROUTING --jump PortForwarding
/sbin/iptables -t nat --append PortForwarding --destination $OUTERNET \
--jump PortForwarding_1
/sbin/iptables --new-chain esp-in
/sbin/iptables --append INPUT -p 50 -j esp-in
/sbin/iptables --append INPUT -p 50 -j denylog
/sbin/iptables --append esp-in -d \! $OUTERNET -j denylog
/sbin/iptables --append esp-in -j denylog
/sbin/iptables --new-chain gre-in
/sbin/iptables --append INPUT -p 47 -j gre-in
/sbin/iptables --append INPUT -p 47 -j denylog
/sbin/iptables --append gre-in -d \! $OUTERNET -j denylog
/sbin/iptables --append gre-in -j denylog
/sbin/iptables --append icmpIn --jump denylog
/sbin/iptables --append icmpOut --jump denylog
/sbin/iptables --policy FORWARD DROP
/sbin/iptables --append FORWARD --jump denylog
/sbin/iptables --policy INPUT DROP
/sbin/iptables --append INPUT --jump denylog
/sbin/iptables --policy OUTPUT ACCEPT
/sbin/iptables --append OUTPUT --jump ACCEPT
$0 adjust
echo "done"
;;
adjust)
FAL=$(get_safe_id ForwardAllowLocals filter find)
IAL=$(get_safe_id InputAllowLocals filter find)
new_fal=$(get_safe_id ForwardAllowLocals filter new)
new_ial=$(get_safe_id InputAllowLocals filter new)
/sbin/iptables --new-chain $new_fal
/sbin/iptables --new-chain $new_ial
/sbin/iptables --append $new_fal \
-s 192.168.0.0/255.255.255.0 -j ACCEPT
/sbin/iptables --append $new_fal \
-d 192.168.0.0/255.255.255.0 -j ACCEPT
/sbin/iptables --append $new_ial \
-s 192.168.0.0/255.255.255.0 -j ACCEPT
/sbin/iptables --replace InputAllowLocals 1 \
--jump $new_ial
/sbin/iptables --flush $IAL
/sbin/iptables --delete-chain $IAL
/sbin/iptables --replace ForwardAllowLocals 1 \
--jump $new_fal
/sbin/iptables --flush $FAL
/sbin/iptables --delete-chain $FAL
/sbin/iptables --replace denylog 1 -p udp --dport 520 --jump DROP
/sbin/iptables --replace denylog 2 -p udp --dport 137:139 --jump DROP
/sbin/iptables --replace denylog 3 -p tcp --dport 137:139 --jump DROP
/sbin/iptables --replace denylog 4 --jump LOG
/sbin/iptables --replace esp-in 1 -d \! $OUTERNET -j denylog
/sbin/iptables --replace esp-in 2 -j denylog
/sbin/iptables --replace gre-in 1 -d \! $OUTERNET -j denylog
/sbin/iptables --replace gre-in 2 -j ACCEPT
IBT=$(get_safe_id InboundTCP filter find)
new_ibt=$(get_safe_id InboundTCP filter new)
/sbin/iptables --new-chain $new_ibt
/sbin/iptables --append $new_ibt \! --destination $OUTERNET --jump denylog
adjust_tcp_in 113 ACCEPT $new_ibt
adjust_tcp_in 21 denylog $new_ibt
adjust_tcp_in 80 ACCEPT $new_ibt
adjust_tcp_in 443 ACCEPT $new_ibt
adjust_tcp_in 143 denylog $new_ibt
adjust_tcp_in 389 denylog $new_ibt
adjust_tcp_in 110 denylog $new_ibt
# TCP/1723 (the PPTP control connection) is sent to denylog here, not ACCEPT.
adjust_tcp_in 1723 denylog $new_ibt
adjust_tcp_in 25 ACCEPT $new_ibt
adjust_tcp_in 22 ACCEPT $new_ibt
adjust_tcp_in 23 denylog $new_ibt
/sbin/iptables --replace InboundTCP 1 \
--jump $new_ibt
/sbin/iptables --flush $IBT
/sbin/iptables --delete-chain $IBT
/sbin/iptables --table nat \
--replace TransProxy 3\
--destination $OUTERNET --jump ACCEPT
/sbin/iptables --table nat --replace TransProxy 4\
-p TCP -j DNAT --to 192.168.0.10:3128
IBU=$(get_safe_id InboundUDP filter find)
new_ibu=$(get_safe_id InboundUDP filter new)
/sbin/iptables --new-chain $new_ibu
/sbin/iptables --append $new_ibu \! --destination $OUTERNET --jump denylog
adjust_udp_in 500 denylog $new_ibu
/sbin/iptables --replace InboundUDP 1 \
--jump $new_ibu
/sbin/iptables --flush $IBU
/sbin/iptables --delete-chain $IBU
# Create a new PortForwarding chain
PFC=$(/sbin/iptables --table nat --numeric --list PortForwarding |\
sed -n '3s/ .*//p')
/sbin/iptables --table nat --new-chain PortForwarding_$$
/sbin/iptables --table nat --replace PortForwarding 1 --destination $OUTERNET \
--jump PortForwarding_$$
/sbin/iptables --table nat --flush $PFC
/sbin/iptables --table nat --delete-chain $PFC
;;
masqstop)
echo ""
echo -n "Shutting down IP Masquerading:"
/sbin/iptables -F FORWARD
/sbin/iptables -P FORWARD DROP
echo " Done!"
echo "" ;;
restart)
$0 stop
$0 start
;;
status)
echo $"Table: filter"
/sbin/iptables --list -n
echo $"Table: nat"
/sbin/iptables -t nat --list -n
echo $"Table: mangle"
/sbin/iptables -t mangle --list -n
;;
stop)
echo ""
echo -n "Shutting down IP masquerade and firewall rules:"
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P INPUT DROP
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F
/sbin/iptables --append FORWARD -s 192.168.0.0/255.255.255.0 \
-d 192.168.0.0/255.255.255.0 -j ACCEPT
/sbin/iptables -X
echo " Done!"
echo "" ;;
*)
echo "Usage: masq {start|stop|restart|status|adjust|masqstop}"
exit 1
esac
exit 0
Modules:
[root at bcpe root]# lsmod
Module Size Used by Tainted: P
ipt_LOG 4640 1 (autoclean)
ppp_mppe 12864 0 (autoclean)
ppp_async 8256 0 (autoclean)
ppp_generic 24332 0 (autoclean) [ppp_mppe ppp_async]
appletalk 24172 12 (autoclean)
slhc 6508 0 (autoclean) [ppp_generic]
printer 8160 0 (unused)
8139too 16448 1
mii 2408 0 [8139too]
3c59x 28680 1
ipt_MASQUERADE 2464 1 (autoclean)
ipt_state 1536 1 (autoclean)
ipt_TOS 1952 7 (autoclean)
ip_conntrack_ftp 5056 0 (unused)
ip_nat_ftp 4320 0 (unused)
iptable_mangle 3136 1 (autoclean)
iptable_nat 21460 2 (autoclean) [ipt_MASQUERADE ip_nat_ftp]
ip_conntrack 21836 3 (autoclean) [ipt_MASQUERADE ipt_state
ip_conntrack_ftp ip_nat_ftp iptable_nat]
iptable_filter 2752 1 (autoclean)
ip_tables 13792 9 [ipt_LOG ipt_MASQUERADE ipt_state ipt_TOS
iptable_mangle iptable_nat iptable_filter]
ide-cd 30272 0
cdrom 32032 0 [ide-cd]
ide-scsi 9664 0
hid 20832 0 (unused)
input 5792 0 [hid]
usb-uhci 24484 0 (unused)
usbcore 71904 0 [printer hid usb-uhci]
ext3 67328 2
jbd 49496 2 [ext3]
3w-xxxx 32160 3
sd_mod 12960 6
scsi_mod 109392 3 [ide-scsi 3w-xxxx sd_mod]
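The listing above comes from `iptables -L -n`, which does not print interface matches: the first INPUT rule is the script's `-i lo` rule but shows up as `ACCEPT all 0.0.0.0/0 0.0.0.0/0`, so reachability cannot be read off such a dump without `-v`. What follows is an added example, not code from the post or from the script it quotes: a Python tracer that parses `iptables -L -n -v` output, follows a packet through the jump chains (user chains fall through when nothing matches, LOG does not terminate) to the rule that decides it, and then runs the two flows a PPTP client opens, the TCP/1723 control connection and GRE (protocol 47). The embedded listing is a constructed excerpt modelled on the INPUT chains above, flattened one level, with 192.0.2.1 standing in for the masked 66.xxx.xx.xxx address and 198.51.100.7 as an assumed client; on those rules a TCP/1723 SYN from outside ends in `denylog` (the `adjust_tcp_in 1723 denylog` line of the script) while GRE to the outer address is accepted by `gre-in`.

```python
"""Trace a packet through `iptables -L -n -v` output to the rule that decides it. Added
example, not code from the original post; SAMPLE is a constructed excerpt modelled on the
poster's INPUT chains, flattened one level, with 192.0.2.1 standing in for 66.xxx.xx.xxx."""
import ipaddress
import re
from collections import namedtuple

Rule = namedtuple("Rule", "target proto iif src dst extra")
PROTO = {"all": None, "tcp": 6, "udp": 17, "icmp": 1, "gre": 47, "esp": 50}

SAMPLE = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 InboundTCP  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp flags:0x16/0x02
    0     0 gre-in     47   --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 denylog    all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain InboundTCP (1 references)
    0     0 denylog    all  --  *      *       0.0.0.0/0            !192.0.2.1
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80
    0     0 denylog    tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:1723
    0     0 ACCEPT     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
Chain gre-in (1 references)
    0     0 denylog    all  --  *      *       0.0.0.0/0            !192.0.2.1
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0
Chain denylog (22 references)
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

def parse_listing(text):
    """Return {chain: (policy, [Rule, ...])}; policy is None for user-defined chains."""
    chains, cur = {}, None
    for line in text.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+))?", line)
        if m:
            cur = m.group(1)
            chains[cur] = (m.group(2), [])
        elif line.strip() and line.split()[0] != "pkts":  # skip blank and header lines
            f = line.split()  # pkts bytes target prot opt in out source destination [matches]
            proto = int(f[3]) if f[3].isdigit() else PROTO[f[3]]
            chains[cur][1].append(Rule(f[2], proto, f[5], f[7], f[8], f[9:]))
    return chains

def _addr_ok(spec, addr):  # spec is "a.b.c.d/len" or a bare host, optionally with a leading "!"
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    return (ipaddress.ip_address(addr) in net) != spec.startswith("!")

def _extra_ok(tokens, pkt):
    """Evaluate the trailing match column; unknown matches raise rather than guess."""
    i = 0
    while i < len(tokens) and tokens[i] != "LOG":  # tokens after LOG are target options
        t, ok = tokens[i], True
        if t.startswith("dpt:"):
            ok = pkt.get("dport") == int(t[4:])
        elif t.startswith("flags:"):  # "flags:0x16/0x02" is how --syn is listed
            mask, want = (int(x, 16) for x in t[6:].split("/"))
            ok = pkt.get("tcp_flags", 0) & mask == want
        elif t == "state":
            i += 1
            ok = pkt.get("state", "NEW") in tokens[i].split(",")
        elif t not in ("tcp", "udp", "icmp"):  # bare protocol word prefixes e.g. "tcp dpt:22"
            raise ValueError("unsupported match: " + t)
        if not ok:
            return False
        i += 1
    return True

def matches(rule, pkt):
    if rule.proto is not None and rule.proto != pkt["proto"]:
        return False
    if rule.iif not in ("*", pkt["iif"]):
        return False
    return _addr_ok(rule.src, pkt["src"]) and _addr_ok(rule.dst, pkt["dst"]) and _extra_ok(rule.extra, pkt)

def trace(chains, chain, pkt, path=None):
    """Walk `chain` for `pkt`; returns (verdict, path). Verdict None = fell off a user chain."""
    path = [] if path is None else path
    policy, rules = chains[chain]
    for n, rule in enumerate(rules, 1):
        if not matches(rule, pkt):
            continue
        path.append(f"{chain}:{n} -> {rule.target}")
        if rule.target in ("ACCEPT", "DROP", "REJECT"):
            return rule.target, path
        if rule.target == "RETURN":
            return None, path
        if rule.target in chains:  # jump; None from the sub-chain means carry on here
            verdict, _ = trace(chains, rule.target, pkt, path)
            if verdict is not None:
                return verdict, path
        elif rule.target != "LOG":  # LOG is non-terminating; anything else is unknown
            raise ValueError("unknown target " + rule.target)
    return policy, path

def pptp_server_check(chains, public_ip, outer_if, client_ip="198.51.100.7"):
    """Verdicts for the two flows a PPTP client opens: a TCP/1723 SYN and GRE (protocol 47)."""
    base = {"src": client_ip, "dst": public_ip, "iif": outer_if, "state": "NEW"}
    ctl = trace(chains, "INPUT", {**base, "proto": 6, "dport": 1723, "tcp_flags": 0x02})
    gre = trace(chains, "INPUT", {**base, "proto": 47})
    return {"tcp/1723": ctl, "gre": gre}

if __name__ == "__main__":
    for flow, (verdict, path) in pptp_server_check(parse_listing(SAMPLE), "192.0.2.1", "eth1").items():
        print(f"{flow}: {verdict} via {' / '.join(path)}")
```

To run it against a live box, feed `iptables -L -n -v` output to `parse_listing` instead of SAMPLE. A match the tracer does not understand raises instead of being skipped, which is the right failure mode for an audit tool. Note that a pptpd running on the firewall itself sees both flows in INPUT, as modelled here; a PPTP server behind the firewall would instead be decided by the nat PREROUTING DNAT and the FORWARD chain.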
More information about the fedora-list mailing list