]Trix[ Apprentice
Joined: 27 Feb 2003 Posts: 184
Posted: Thu Jan 06, 2005 1:03 pm Post subject: Why doesn't portforwarding work?
I have put together this firewalling script using various scripts as examples. It is intended for two boxes, one being the gateway machine and the other a workstation. But I don't know why port forwarding doesn't work for my active-mode Valknut. I can upload but cannot search and download files in active mode.
Code: |
#!/sbin/runscript
opts="${opts} showoptions showstatus panic rules restore save flush"
depend() {
    need net procparm
    use logger
}
rules() {
    ebegin "Starting FIREWALL:"

    # Packets conntrack cannot classify
    $IPTABLES -N invalid
    $IPTABLES -F invalid
    $IPTABLES -A invalid -m state --state INVALID -m limit --limit 3/minute --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "Firewall: INVALID packet: "
    $IPTABLES -A invalid -m state --state INVALID -j DROP

    # NEW TCP connections that do not start with a SYN
    $IPTABLES -N bad_tcp
    $IPTABLES -F bad_tcp
    $IPTABLES -A bad_tcp -p tcp ! --syn -m state --state NEW -m limit --limit 3/minute --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "Firewall: BAD TCP packet: "
    $IPTABLES -A bad_tcp -p tcp ! --syn -m state --state NEW -j DROP

    # Fragments
    $IPTABLES -N fragmented
    $IPTABLES -F fragmented
    $IPTABLES -A fragmented -f -m limit --limit 3/minute -j LOG --log-level $LOGLEVEL --log-prefix "Firewall: Fragmented packet: "
    $IPTABLES -A fragmented -f -j DROP

    # Illegal TCP flag combinations (nmap-style scans)
    $IPTABLES -N flagscan
    $IPTABLES -F flagscan
    $IPTABLES -A flagscan -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level alert --log-prefix "FIREWALL: NMAP-XMAS:"
    $IPTABLES -A flagscan -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    $IPTABLES -A flagscan -p tcp --tcp-flags ALL ALL -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level 1 --log-prefix "FIREWALL: XMAS:"
    $IPTABLES -A flagscan -p tcp --tcp-flags ALL ALL -j DROP
    $IPTABLES -A flagscan -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level 1 --log-prefix "FIREWALL: XMAS-PSH:"
    $IPTABLES -A flagscan -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
    $IPTABLES -A flagscan -p tcp --tcp-flags ALL NONE -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level 1 --log-prefix "FIREWALL: NULL-SCAN:"
    $IPTABLES -A flagscan -p tcp --tcp-flags ALL NONE -j DROP
    $IPTABLES -A flagscan -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level 5 --log-prefix "FIREWALL: SYN/RST:"
    $IPTABLES -A flagscan -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPTABLES -A flagscan -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level 5 --log-prefix "FIREWALL: SYN/FIN:"
    $IPTABLES -A flagscan -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

    # Probes to port 0. As posted, this chain ended in an unconditional
    # "-j DROP"; since INPUT and FORWARD jump here for every packet on
    # $EXTERNAL_INTERFACE before the ICMP, SSH/WWW/FTP and port-forward
    # rules, that dropped every NEW inbound connection. Only port 0 is
    # dropped now.
    $IPTABLES -N fingerprint
    $IPTABLES -F fingerprint
    $IPTABLES -A fingerprint -p tcp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "Firewall: TCP fingerprint: "
    $IPTABLES -A fingerprint -p udp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "Firewall: UDP fingerprint: "
    $IPTABLES -A fingerprint -p tcp --dport 0 -j DROP
    $IPTABLES -A fingerprint -p udp --dport 0 -j DROP

    # Well-known services that are never offered here: log and drop
    $IPTABLES -N portscan
    $IPTABLES -F portscan
    $IPTABLES -A portscan -p tcp --dport 7 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: echo test: "
    $IPTABLES -A portscan -p tcp --dport 7 -j DROP
    $IPTABLES -A portscan -p udp --dport 7 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: echo test: "
    $IPTABLES -A portscan -p udp --dport 7 -j DROP
    $IPTABLES -A portscan -p tcp --dport 11 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: sysstat test: "
    $IPTABLES -A portscan -p tcp --dport 11 -j DROP
    $IPTABLES -A portscan -p tcp --dport 15 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: netstat test: "
    $IPTABLES -A portscan -p tcp --dport 15 -j DROP
    $IPTABLES -A portscan -p tcp --dport 19 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: chargen test: "
    $IPTABLES -A portscan -p tcp --dport 19 -j DROP
    $IPTABLES -A portscan -p udp --dport 19 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: chargen test: "
    $IPTABLES -A portscan -p udp --dport 19 -j DROP
    $IPTABLES -A portscan -p tcp --dport 23 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: telnet test: "
    $IPTABLES -A portscan -p tcp --dport 23 -j DROP
    $IPTABLES -A portscan -p tcp --dport 69 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: tftpd test: "
    $IPTABLES -A portscan -p tcp --dport 69 -j DROP
    $IPTABLES -A portscan -p tcp --dport 79 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: finger test: "
    $IPTABLES -A portscan -p tcp --dport 79 -j DROP
    $IPTABLES -A portscan -p tcp --dport 87 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: link test: "
    $IPTABLES -A portscan -p tcp --dport 87 -j DROP
    $IPTABLES -A portscan -p tcp --dport 98 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: linuxconf test: "
    $IPTABLES -A portscan -p tcp --dport 98 -j DROP
    $IPTABLES -A portscan -p tcp --dport 111 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: sun-rpc test: "
    $IPTABLES -A portscan -p tcp --dport 111 -j DROP
    $IPTABLES -A portscan -p tcp --dport 520 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: route test: "
    $IPTABLES -A portscan -p tcp --dport 520 -j DROP
    $IPTABLES -A portscan -p tcp --dport 540 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: uucp test: "
    $IPTABLES -A portscan -p tcp --dport 540 -j DROP
    $IPTABLES -A portscan -p tcp --dport 1080 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: socks test: "
    $IPTABLES -A portscan -p tcp --dport 1080 -j DROP
    $IPTABLES -A portscan -p tcp --dport 1114 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: sql test: "
    $IPTABLES -A portscan -p tcp --dport 1114 -j DROP
    $IPTABLES -A portscan -p tcp --dport 2000 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: openwin test: "
    $IPTABLES -A portscan -p tcp --dport 2000 -j DROP
    $IPTABLES -A portscan -p tcp --dport 10000 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: webmin test: "
    $IPTABLES -A portscan -p tcp --dport 10000 -j DROP
    $IPTABLES -A portscan -p tcp --dport 6000:6063 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: X-Windows test: "
    $IPTABLES -A portscan -p tcp --dport 6000:6063 -j DROP
    $IPTABLES -A portscan -p udp --dport 33434:33523 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: Traceroute: "
    $IPTABLES -A portscan -p udp --dport 33434:33523 -j DROP

    # Default ports of well-known remote-control trojans
    $IPTABLES -N trojanscan
    $IPTABLES -F trojanscan
    $IPTABLES -A trojanscan -p tcp --dport 6670 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: Deepthroat scan: "
    $IPTABLES -A trojanscan -p tcp --dport 6670 -j DROP
    $IPTABLES -A trojanscan -p tcp --dport 1243 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
    $IPTABLES -A trojanscan -p tcp --dport 1243 -j DROP
    $IPTABLES -A trojanscan -p udp --dport 1243 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
    $IPTABLES -A trojanscan -p udp --dport 1243 -j DROP
    $IPTABLES -A trojanscan -p tcp --dport 6711:6713 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
    $IPTABLES -A trojanscan -p tcp --dport 6711:6713 -j DROP
    $IPTABLES -A trojanscan -p udp --dport 6711:6713 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
    $IPTABLES -A trojanscan -p udp --dport 6711:6713 -j DROP
    $IPTABLES -A trojanscan -p tcp --dport 27374 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
    $IPTABLES -A trojanscan -p tcp --dport 27374 -j DROP
    $IPTABLES -A trojanscan -p udp --dport 27374 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
    $IPTABLES -A trojanscan -p udp --dport 27374 -j DROP
    $IPTABLES -A trojanscan -p tcp --dport 12345:12346 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: Netbus scan: "
    $IPTABLES -A trojanscan -p tcp --dport 12345:12346 -j DROP
    $IPTABLES -A trojanscan -p tcp --dport 20034 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: Netbus scan: "
    $IPTABLES -A trojanscan -p tcp --dport 20034 -j DROP
    $IPTABLES -A trojanscan -p tcp --dport 31337:31338 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: BackOrifice scan: "
    $IPTABLES -A trojanscan -p tcp --dport 31337:31338 -j DROP
    $IPTABLES -A trojanscan -p udp --dport 28431 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: HackAtak2000 scan: "
    $IPTABLES -A trojanscan -p udp --dport 28431 -j DROP

    # ICMP: log and drop the types we do not want
    $IPTABLES -N drop-icmp
    $IPTABLES -F drop-icmp
    $IPTABLES -A drop-icmp -p icmp -j LOG --log-prefix "FIREWALL: Bad ICMP traffic:"
    $IPTABLES -A drop-icmp -p icmp -j DROP

    # ICMP: accept the error types needed for working TCP/traceroute, drop the rest
    $IPTABLES -N accept-icmp
    $IPTABLES -F accept-icmp
    $IPTABLES -A accept-icmp -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPTABLES -A accept-icmp -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPTABLES -A accept-icmp -m state --state NEW -p icmp --icmp-type source-quench -j drop-icmp
    $IPTABLES -A accept-icmp -m state --state NEW -p icmp --icmp-type redirect -j drop-icmp
    $IPTABLES -A accept-icmp -m state --state NEW -p icmp --icmp-type router-advertisement -j drop-icmp
    $IPTABLES -A accept-icmp -m state --state NEW -p icmp --icmp-type router-solicitation -j drop-icmp
    $IPTABLES -A accept-icmp -m state --state NEW -p icmp --icmp-type parameter-problem -j drop-icmp
    $IPTABLES -A accept-icmp -m state --state NEW -p icmp --icmp-type timestamp-request -j drop-icmp
    $IPTABLES -A accept-icmp -m state --state NEW -p icmp --icmp-type timestamp-reply -j drop-icmp
    $IPTABLES -A accept-icmp -m state --state NEW -p icmp --icmp-type address-mask-request -j drop-icmp
    $IPTABLES -A accept-icmp -m state --state NEW -p icmp --icmp-type address-mask-reply -j drop-icmp

    $IPTABLES -N allow-ping
    $IPTABLES -F allow-ping
    $IPTABLES -A allow-ping -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT

    # Optional inbound services
    $IPTABLES -N allow-ftp
    $IPTABLES -F allow-ftp
    $IPTABLES -A allow-ftp -p tcp --dport 20 -j ACCEPT
    $IPTABLES -A allow-ftp -p tcp --dport 21 -j ACCEPT

    $IPTABLES -N allow-ssh
    $IPTABLES -F allow-ssh
    $IPTABLES -A allow-ssh -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport 22 -j ACCEPT
    $IPTABLES -A allow-ssh -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport 22 -j ACCEPT
    $IPTABLES -A allow-ssh -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport 22 -j ACCEPT
    $IPTABLES -A allow-ssh -p tcp --dport 22 -j ACCEPT

    $IPTABLES -N allow-www
    $IPTABLES -F allow-www
    $IPTABLES -A allow-www -p tcp --dport 80 -j ACCEPT
    $IPTABLES -A allow-www -p tcp --dport 443 -j ACCEPT
    $IPTABLES -A allow-www -p tcp --dport 8080 -j ACCEPT

    einfo "Setting secure policies"
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT ACCEPT

    if [ "$ENABLE_MSS" == "1" ]; then
        $IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
        $IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
        $IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
    fi

    einfo "Accept all packets from loopback device"
    $IPTABLES -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT

    einfo "Enable traffic for internal interface"
    $IPTABLES -A INPUT -i $LAN_INTERFACE -j ACCEPT
    if [ "$NAT" == "1" ]; then
        $IPTABLES -A FORWARD -i $LAN_INTERFACE -j ACCEPT
    fi

    einfo "Blocking hosts that should never be able to connect to machine"
    for host in $BLOCK_HOST; do
        $IPTABLES -A INPUT -s $host -j DROP
        $IPTABLES -A FORWARD -s $host -j DROP
    done

    einfo "Obvious spoofing protection"
    for ip in $SPOOFED; do
        $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s ${ip} -j DROP
        $IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -s ${ip} -j DROP
    done

    einfo "Block IANA reserved address"
    for ip in $RESERVED_NET; do
        $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s ${ip} -j DROP
        $IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -s ${ip} -j DROP
    done

    einfo "Allow established and related traffic"
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    einfo "Drop bad packets"
    if [ "$INVALID_PACKETS_PROTECTION" == "1" ]; then
        $IPTABLES -A INPUT -j invalid
        $IPTABLES -A FORWARD -j invalid
    fi
    if [ "$BAD_TCP_PACKETS_PROTECTION" == "1" ]; then
        $IPTABLES -A INPUT -j bad_tcp
        $IPTABLES -A FORWARD -j bad_tcp
    fi
    if [ "$FRAGMENTED_PACKETS_PROTECTION" == "1" ]; then
        $IPTABLES -A INPUT -j fragmented
        $IPTABLES -A FORWARD -j fragmented
    fi

    einfo "Enable portscan detection"
    # Everything on the external interface passes through these chains
    # before any ACCEPT rule below, so nothing in them may match more than
    # the specific probe it is meant to catch.
    if [ "$FLAGSCAN_PROTECTION" == "1" ]; then
        $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -j flagscan
        $IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -j flagscan
    fi
    if [ "$PORTSCAN_PROTECTION" == "1" ]; then
        $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -j portscan
        $IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -j portscan
    fi
    if [ "$TROJANSCAN_PROTECTION" == "1" ]; then
        $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -j trojanscan
        $IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -j trojanscan
    fi
    if [ "$FINGERPRINT_PROTECTION" == "1" ]; then
        $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -j fingerprint
        $IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -j fingerprint
    fi

    einfo "Enable some ICMP"
    $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -j accept-icmp
    $IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -j accept-icmp

    if [ "$ALLOW_SSH" == "1" ]; then
        einfo "Allow SSH incoming traffic"
        $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -j allow-ssh
    fi
    if [ "$ALLOW_WWW" == "1" ]; then
        einfo "Accept WWW connections"
        $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -j allow-www
    fi
    if [ "$ALLOW_FTP" == "1" ]; then
        einfo "Allow FTP"
        $IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -j allow-ftp
    fi

    if [ "$NAT" == "1" ]; then
        $IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -o $LAN_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
        $IPTABLES -A FORWARD -i $LAN_INTERFACE -o $EXTERNAL_INTERFACE -j ACCEPT
        $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -s $LAN_SPACE -j SNAT --to-source $EXTERNAL_INTERFACE_IP
    fi

    if [ "$ENABLE_PORTFORWARD" == "1" ]; then
        einfo "Portforwarding enabled"
        # DNAT runs in PREROUTING, so by the time the packet reaches FORWARD
        # its destination is already $WORKSTATION_IP; match on that.
        for port in $TCP_PORT_FORWARD; do
            $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNAL_INTERFACE_IP --dport $port -j DNAT --to-destination $WORKSTATION_IP:$port
            $IPTABLES -A FORWARD -p tcp -o $LAN_INTERFACE -d $WORKSTATION_IP --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
        done
        for port in $UDP_PORT_FORWARD; do
            $IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNAL_INTERFACE_IP --dport $port -j DNAT --to-destination $WORKSTATION_IP:$port
            $IPTABLES -A FORWARD -p udp -o $LAN_INTERFACE -d $WORKSTATION_IP --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
        done
    else
        einfo "Portforwarding disabled"
    fi

    if [ "$MANGLE_TOS" == "1" ]; then
        einfo "Enabling TOS mangle"
        # DHCP (67) and NTP (123) are UDP, not TCP as originally written
        $IPTABLES -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput
        $IPTABLES -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
        $IPTABLES -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
        $IPTABLES -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
        $IPTABLES -t mangle -A OUTPUT -p tcp --dport 25 -j TOS --set-tos Minimize-Delay
        $IPTABLES -t mangle -A OUTPUT -p udp --dport 53 -j TOS --set-tos Maximize-Throughput
        $IPTABLES -t mangle -A OUTPUT -p udp --dport 67 -j TOS --set-tos Minimize-Delay
        $IPTABLES -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput
        $IPTABLES -t mangle -A OUTPUT -p tcp --dport 110 -j TOS --set-tos Maximize-Throughput
        $IPTABLES -t mangle -A OUTPUT -p tcp --dport 113 -j TOS --set-tos Minimize-Delay
        $IPTABLES -t mangle -A OUTPUT -p udp --dport 123 -j TOS --set-tos Minimize-Delay
        $IPTABLES -t mangle -A OUTPUT -p tcp --dport 143 -j TOS --set-tos Maximize-Throughput
        $IPTABLES -t mangle -A OUTPUT -p tcp --dport 443 -j TOS --set-tos Maximize-Throughput
        $IPTABLES -t mangle -A OUTPUT -p tcp --dport 993 -j TOS --set-tos Maximize-Throughput
        $IPTABLES -t mangle -A OUTPUT -p tcp --dport 995 -j TOS --set-tos Maximize-Throughput
        $IPTABLES -t mangle -A OUTPUT -p tcp --dport 1080 -j TOS --set-tos Minimize-Delay
        $IPTABLES -t mangle -A OUTPUT -p tcp --dport 6000:6063 -j TOS --set-tos Maximize-Throughput
        $IPTABLES -t mangle -A PREROUTING -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput
        $IPTABLES -t mangle -A PREROUTING -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
        $IPTABLES -t mangle -A PREROUTING -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
        $IPTABLES -t mangle -A PREROUTING -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
        $IPTABLES -t mangle -A PREROUTING -p tcp --dport 25 -j TOS --set-tos Minimize-Delay
        $IPTABLES -t mangle -A PREROUTING -p udp --dport 53 -j TOS --set-tos Minimize-Delay
        $IPTABLES -t mangle -A PREROUTING -p udp --dport 67 -j TOS --set-tos Minimize-Delay
        $IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput
        $IPTABLES -t mangle -A PREROUTING -p tcp --dport 110 -j TOS --set-tos Maximize-Throughput
        $IPTABLES -t mangle -A PREROUTING -p tcp --dport 113 -j TOS --set-tos Minimize-Delay
        $IPTABLES -t mangle -A PREROUTING -p udp --dport 123 -j TOS --set-tos Minimize-Delay
        $IPTABLES -t mangle -A PREROUTING -p tcp --dport 143 -j TOS --set-tos Maximize-Throughput
        $IPTABLES -t mangle -A PREROUTING -p tcp --dport 443 -j TOS --set-tos Maximize-Throughput
        $IPTABLES -t mangle -A PREROUTING -p tcp --dport 993 -j TOS --set-tos Maximize-Throughput
        $IPTABLES -t mangle -A PREROUTING -p tcp --dport 995 -j TOS --set-tos Maximize-Throughput
        $IPTABLES -t mangle -A PREROUTING -p tcp --dport 1080 -j TOS --set-tos Minimize-Delay
        $IPTABLES -t mangle -A PREROUTING -p tcp --dport 6000:6063 -j TOS --set-tos Maximize-Throughput
    fi
    eend $?
}
|
Any other recommendations are also welcome. If you need other parts of the script apart from the rules, let me know.
Thank you in advance.
TheX Guru
Joined: 31 Jul 2004 Posts: 349 Location: .de
Posted: Thu Jan 06, 2005 1:50 pm Post subject:
I didn't find this in your script:
Code: |
# Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
|
LeTene Guru
Joined: 02 Mar 2004 Posts: 348 Location: Ah'll glass ye!
Posted: Thu Jan 06, 2005 2:07 pm Post subject:
Ugh... you could post a cut-down version of that monster...
Anyway, I see this:
Code: | $IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNAL_INTERFACE_IP --dport $port -j DNAT --to-destination $WORKSTATION_IP:$port |
...but I don't see any definition of what value $port actually takes. I mean, I see that it enumerates over another variable with a "for..in", but I don't see the value of that variable.
Here's a fragment of my own, working script. I prefer not to use too much $VARIABLE type stuff as it can get unreadable. 192.168.0.1 is the internal box (the firewall runs on 192.168.0.254, which is immaterial anyway):
Code: | # ===
# DC+
# ===
# -- Allow external clients to connect to internal machine
$IPTABLES -t nat -I PREROUTING -i ppp0 -p tcp --dport 9176 -j DNAT --to 192.168.0.1:9176
$IPTABLES -t nat -I PREROUTING -i ppp0 -p udp --dport 9176 -j DNAT --to 192.168.0.1:9176
$IPTABLES -I FORWARD -i ppp0 -p tcp -d 192.168.0.1/32 --dport 9176 -j ACCEPT
$IPTABLES -I FORWARD -i ppp0 -p udp -d 192.168.0.1/32 --dport 9176 -j ACCEPT |
Docs, Tips & Tricks at the Gentoo Wiki page.
]Trix[ Apprentice
Joined: 27 Feb 2003 Posts: 184
Posted: Thu Jan 06, 2005 5:46 pm Post subject:
Guess I will have to post the other part of the firewall too to skip the confusion.
/etc/init.d/procparm:
Code: |
#!/sbin/runscript
depend() {
before firewall
}
start() {
ebegin "Setting /proc options."
for i in /proc/sys/net/ipv4/conf/*; do
echo "1" > $i/rp_filter
done
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo "1" > /proc/sys/net/ipv4/ip_forward
modprobe ip_conntrack
echo "16376" > /proc/sys/net/ipv4/ip_conntrack_max
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
for interface in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo "0" > $interface
done
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
echo "64" > /proc/sys/net/ipv4/ip_default_ttl
modprobe ip_queue
echo "2048" > /proc/sys/net/ipv4/ip_queue_maxlen
echo "1" > /proc/sys/net/ipv4/tcp_ecn
eend 0
}
|
/etc/conf.d/firewall
Code: |
IPTABLES="/sbin/iptables"
IPTABLESSAVE="/sbin/iptables-save"
IPTABLESRESTORE="/sbin/iptables-restore"
FIREWALL=/etc/firewall.rules
# External interface
EXTERNAL_INTERFACE="ppp0"
# For STATIC IP address:
EXTERNAL_INTERFACE_IP="xxx.xxx.xxx.xxx"
# For DYNAMIC IP address
# EXTERNAL_INTERFACE_IP=`ifconfig | grep -A 1 ${EXTERNAL_INTERFACE} | grep "inet addr:" | cut -d ':' -f 2 | cut -d ' ' -f 1`
# Internal interface
LAN_INTERFACE="eth1"
LAN_INTERFACE_IP="192.168.1.1"
# Loopback device
LOOPBACK_INTERFACE="lo"
LOOPBACK_INTERFACE_IP="127.0.0.1"
# Local area network
LAN_SPACE="192.168.1.0/24"
# Workstation IP address (used for Port Forwarding)
WORKSTATION_IP="192.168.1.2"
# Blocked hosts
BLOCK_HOST=""
SPOOFED="192.168.1.0/24"
# NOTE: this bogon list reflects IANA allocations as of early 2005. Most of
# these /8s have since been assigned, so do not reuse it without regenerating it.
RESERVED_NET="0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/8 37.0.0.0/8 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 73.0.0.0/8 74.0.0.0/8 75.0.0.0/8
76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8 95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 100.0.0.0/8 101.0.0.0/8
102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 114.0.0.0/8 115.0.0.0/8 116.0.0.0/8
117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 126.0.0.0/8 127.0.0.0/8 173.0.0.0/8 174.0.0.0/8 175.0.0.0/8 176.0.0.0/8
177.0.0.0/8 178.0.0.0/8 179.0.0.0/8 180.0.0.0/8 181.0.0.0/8 182.0.0.0/8 183.0.0.0/8 184.0.0.0/8 185.0.0.0/8 186.0.0.0/8 187.0.0.0/8 189.0.0.0/8 190.0.0.0/8 197.0.0.0/8 223.0.0.0/8
240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8 246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8 252.0.0.0/8 253.0.0.0/8 254.0.0.0/8
255.0.0.0/8"
# Default LOGLEVEL (other options are: debug, alert, info, notice, warning, crit)
LOGLEVEL="info"
# Enable(1), Disable(0) protections
ENABLE_MSS="1"
BAD_TCP_PACKETS_PROTECTION="1"
INVALID_PACKETS_PROTECTION="1"
FRAGMENTED_PACKETS_PROTECTION="1"
SYN_FLOOD_PROTECTION="1"
ICMP_FLOOD_PROTECTION="1"
FLAGSCAN_PROTECTION="1"
PORTSCAN_PROTECTION="1"
TROJANSCAN_PROTECTION="1"
FINGERPRINT_PROTECTION="1"
MANGLE_TOS="1"
# Enable(1), Disable(0) some services to be accessed from outside
ALLOW_WWW=0
ALLOW_SSH=0
ALLOW_FTP=0
# Portforwarding
ENABLE_PORTFORWARD="1"
TCP_PORT_FORWARD="9176"
UDP_PORT_FORWARD="9176"
# Other OPEN Ports
OPEN_PORT=""
# Enable(1), Disable(0) NAT
NAT="1"
|
]Trix[ Apprentice
Joined: 27 Feb 2003 Posts: 184
Posted: Thu Jan 06, 2005 6:09 pm Post subject:
I have changed the port forwarding part of the script so that it resembles LeTene's port forwarding rule, but still nothing. People can download from me normally. I can download only the hub list, and I cannot search for files or download them.
So I guess the problem is somewhere else in the script. But I don't know where.
The rule itself does get accepted cause the iptables -t nat -L shows that:
Code: |
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:9176 to:192.168.1.2:9176
DNAT       udp  --  anywhere             anywhere             udp dpt:9176 to:192.168.1.2:9176

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.1.0/24       anywhere             to:xxx.xxx.xxx.xxx (extip)
MASQUERADE all  --  192.168.1.0/24       anywhere
|
I would not want to post iptables -L... it is way too long to post it whole in here... But if you want I can ;)
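The nat table shown above proves only that the DNAT rule exists. Whether the DNAT'd packet is then allowed through depends on rule order in the filter table's FORWARD chain, which `iptables -t nat -L` does not show and which the thread never posts. What follows is an added example, not code from the thread or from Gentoo: a small first-match walker over an iptables-save style dump. The dump is a constructed excerpt of the filter table the posted script builds, using the `ppp0`, `eth1`, `192.168.1.2` and `9176` values from the poster's `/etc/conf.d/firewall`, with the unrelated scan chains left out; the peer address `203.0.113.7` and the packet dicts are constructed too. It walks FORWARD for an inbound NEW packet as FORWARD actually sees it (destination already rewritten by DNAT in PREROUTING) and records which rule decides, once with the script's `fingerprint` chain as posted, where the chain ends in an unconditional `-j DROP`, and once with that DROP narrowed to port 0.

```python
"""First-match walker for an iptables-save style filter table (added example, not from the thread).
Models only -i -o -p -s -d --dport and -m state; a rule using any other match ("!", -f,
--tcp-flags, ...) never matches but keeps its rule number so traces line up with the real table."""
import ipaddress
import shlex

# Constructed excerpt of the filter table the posted script builds (values from the
# poster's conf.d file; unrelated chains omitted, chain order preserved).
RULESET_AS_POSTED = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:fingerprint - [0:0]
-A FORWARD -i eth1 -j ACCEPT
-A FORWARD -i ppp0 -s 192.168.1.0/24 -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ppp0 -j fingerprint
-A FORWARD -p tcp -o eth1 -d 192.168.1.2 --dport 9176 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A fingerprint -p tcp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-level info --log-prefix "Firewall: TCP fingerprint: "
-A fingerprint -j DROP
COMMIT
"""
# Same table with the catch-all DROP narrowed to the port-0 probes its LOG rule matches.
RULESET_FIXED = RULESET_AS_POSTED.replace(
    "-A fingerprint -j DROP",
    "-A fingerprint -p tcp --dport 0 -j DROP\n-A fingerprint -p udp --dport 0 -j DROP")

# Constructed packets as FORWARD sees them: DNAT already ran in PREROUTING, so the
# destination is the LAN host. 203.0.113.7 is a TEST-NET peer address.
INBOUND_NEW = dict(iif="ppp0", oif="eth1", proto="tcp", src="203.0.113.7",
                   dst="192.168.1.2", dport=9176, state="NEW")
INBOUND_REPLY = dict(INBOUND_NEW, state="ESTABLISHED")

KEYED = {"-i": "iif", "-o": "oif", "-p": "proto", "-s": "src", "-d": "dst",
         "--dport": "dport", "--state": "state", "-j": "target"}
IGNORED = {"--limit", "--limit-burst", "--log-level", "--log-prefix"}  # never change a verdict
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def parse_rule(toks):
    rule, i = {}, 0
    while i < len(toks):
        t = toks[i]
        if t in KEYED:
            rule[KEYED[t]] = toks[i + 1]
            i += 2
        elif t == "-m" or t in IGNORED:  # module name or rate/log option: skip with its value
            i += 2
        else:
            if t == "!" or t.startswith("-"):  # negation or a match we do not model
                rule["unmodelled"] = t
            i += 1
    return rule


def parse(text):
    """Return ({chain: policy or None}, {chain: [rules in table order]})."""
    policies, chains = {}, {}
    for line in text.splitlines():
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[name] = None if policy == "-" else policy
            chains.setdefault(name, [])
        elif line.startswith("-A "):
            toks = shlex.split(line)[1:]
            chains.setdefault(toks[0], []).append(parse_rule(toks[1:]))
    return policies, chains


def matches(rule, pkt):
    if "unmodelled" in rule or any(k in rule and rule[k] != pkt[k] for k in ("iif", "oif", "proto")):
        return False
    for k in ("src", "dst"):
        if k in rule and ipaddress.ip_address(pkt[k]) not in ipaddress.ip_network(rule[k], strict=False):
            return False
    if "dport" in rule:
        lo, _, hi = rule["dport"].partition(":")  # single port or lo:hi range
        if not int(lo) <= pkt["dport"] <= int(hi or lo):
            return False
    return "state" not in rule or pkt["state"] in rule["state"].split(",")


def verdict(tables, chain, pkt, trace):
    # First terminal target wins; a user chain that ends without one falls back to the caller.
    policies, chains = tables
    for n, rule in enumerate(chains.get(chain, []), 1):
        if not matches(rule, pkt):
            continue
        target = rule.get("target")
        trace.append(f"{chain}:{n} -> {target}")
        if target in TERMINAL:
            return target
        if target == "RETURN":
            break
        v = verdict(tables, target, pkt, trace) if target in chains else None
        if v is not None:
            return v
        # LOG and other non-terminating targets: keep walking this chain
    if policies.get(chain):
        trace.append(f"{chain}: policy {policies[chain]}")
    return policies.get(chain)


def check_forward(text, pkt):
    # Returns (verdict, trace) for pkt walked through the FORWARD chain of text.
    trace = []
    return verdict(parse(text), "FORWARD", pkt, trace), trace


if __name__ == "__main__":
    for label, text in (("as posted", RULESET_AS_POSTED), ("fixed", RULESET_FIXED)):
        v, trace = check_forward(text, INBOUND_NEW)
        print(f"{label}: {v} via {' / '.join(trace)}")
```

On a live gateway, feed the output of `iptables-save -t filter` to `check_forward` instead of the constructed text. Rules that use a match the walker does not model (`--tcp-flags`, `!`, `-f`, ...) are parsed but never match, so treat its verdict as a check of rule order, not a reimplementation of netfilter; the point it makes is that a catch-all DROP in a chain every external packet traverses wins over an ACCEPT appended later, however correct the DNAT rule in the nat table is.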