This is a discussion about iptables within the Linux Networking forums, part of the Linux Forums category.
When I use this iptables in Fedora4, an error occurs; I can't apply the rules. Why?

    ###############################################################
    ### Define interfaces here
    INT_DEV=eth0
    EXT_DEV=ppp0
    INT_NET=192.168.1.0/24

    ### Loading firewall modules
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp

    ###############################################################
    ### Enable Packet Forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

    ### Remove all previous rules, and delete any user defined chains
    iptables -F
    iptables -X
    iptables -t nat -F

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 3389 -j ACCEPT
    iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j ACCEPT
    iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.2:3389
    echo 1 > /proc/sys/net/ipv4/ip_forward
In article <dlr7fo$26a3$1@justice.itsc.cuhk.edu.hk>,
nick <i141802596@yahoo.com> wrote:

:when i use this iptables in Fedora4, an error occur, cant apply the
:rules,why?
:
:###############################################################
:### Define interfaces here
:INT_DEV=eth0
:EXT_DEV=ppp0
:INT_NET=192.168.1.0/24
:
:### Loading firewall modules
:modprobe ip_conntrack
:modprobe ip_conntrack_ftp
:
:###############################################################
:### Enable Packet Forwarding
:echo 1 > /proc/sys/net/ipv4/ip_forward
:
:### Remove all previous rules, and delete any user defined chains
:iptables -F
:iptables -X
:iptables -t nat -F
:
:iptables -P INPUT DROP
:iptables -P FORWARD DROP
:iptables -P OUTPUT ACCEPT
:iptables -A INPUT -i lo -j ACCEPT
:iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 3389 -j ACCEPT
:iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j ACCEPT
:iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
:iptables -A FORWARD -i eth1 -o eth0 -s 192.168.1.0/24 -j ACCEPT
:iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j MASQUERADE
:iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT
:--to-destination 192.168.0.2:3389
:echo 1 > /proc/sys/net/ipv4/ip_forward

Well, I notice that the interfaces mentioned at the top are "eth0" (internal) and "ppp0" (external), whereas the rules appear to be for "eth1" (internal) and "eth0" (external). What do you actually have?

I also notice the lack of an ESTABLISHED,RELATED rule in the INPUT chain from eth0, but that shouldn't prevent installing the ruleset -- just prevent your FC4 box from successfully using the external connection on its own behalf.

--
Bob Nichols AT comcast.net I am "RNichols42"
Sorry, I have made some mistakes; this is the correct one.

When I try to apply these rules (/etc/init.d/iptables restart), an error arises:

    Applying iptables firewall rules: iptables-restore: line 3 failed   [FAILED]

The following is the content of the "/etc/sysconfig/iptables" file. Thanks for your help.

    ###############################################################
    ### Define interfaces here
    INT_DEV=eth1
    EXT_DEV=eth0
    INT_NET=192.168.0.0/24

    ### Loading firewall modules
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp

    ###############################################################
    ### Enable Packet Forwarding
    echo 1 > /proc/sys/net/ipv4/ip_forward

    ### Remove all previous rules, and delete any user defined chains
    iptables -F
    iptables -X
    iptables -t nat -F

    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A FORWARD -i EXT_DEV -o INT_DEV -p tcp --dport 3389 -j ACCEPT
    iptables -A INPUT -i INT_DEV -s 192.168.0.0/24 -j ACCEPT
    iptables -A FORWARD -i EXT_DEV -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i INT_DEV -o EXT_DEV -s 192.168.0.0/24 -j ACCEPT
    iptables -t nat -A POSTROUTING -o EXT_DEV -s 192.168.0.0/24 -j MASQUERADE
    iptables -t nat -A PREROUTING -i EXT_DEV -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.2:3389
On Tue, 22 Nov 2005 07:55:14 +0800, nick wrote:

> the following is the content in "/etc/sysconfig/iptables" file

That there is your problem. What you had listed is not supposed to be in that file. I cleaned up what you have, and here is what you should do.

1: Copy all the content from CUT to END and place it in a file called myfirewall in /root.
2: su to root and do the following: 'chmod 700 myfirewall', 'cd /etc/sysconfig', 'mv iptables iptables.old', 'cd /root'
3: run './myfirewall'
4: check that you see no errors
5: run 'service iptables save'
6: go to /etc/sysconfig and 'cat iptables'

You will notice that it now looks different than what you had there before. This file is the saved config that iptables uses when it's started, not the script you used to set up iptables.

The modules you will want to place in /etc/rc.local to ensure they are started every time. To enable packet forwarding, edit /etc/sysctl.conf and turn it on there.

=====CUT=====
#!/bin/bash

### Loading firewall modules
############################
modprobe ip_conntrack
modprobe ip_conntrack_ftp

### Enable Packet Forwarding
############################
echo 1 > /proc/sys/net/ipv4/ip_forward

### Remove all previous rules/chains
####################################
iptables -F
iptables -X
iptables -Z

### Create default policies
##########################
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

### Input Rules
###############
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j ACCEPT

### Forward Rules
#################
iptables -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 3389 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -s 192.168.0.0/24 -j ACCEPT

### Post/Preroute Rules
#######################
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.2:3389
=====END=====

All that junk at the top is not needed and doesn't make the file look or work any better. It's also better to group things together; it makes following what you are trying to do easier and locating a problem faster.

Another tip: always put your ESTABLISHED,RELATED lines at the top of your chains. No sense filtering through them all when the connection has already been established.

> thanks for your help.

Anytime

--
Regards
Robert
Smile... it increases your face value!
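As an added example (my code, not anything posted in the thread): a small Python helper that reports the first line iptables-restore would reject in a candidate /etc/sysconfig/iptables, which is exactly why nick's file failed at line 3, and that translates the iptables calls of a script like Robert's into the table-grouped save format. The accepted-line regex and the built-in chain list are my assumptions about the iptables-save format, not taken from the posts.

```python
import re
import shlex
# Built-in chains per table, in the order iptables-save prints them (the nat
# table without INPUT, matching the 2.6-era kernels discussed in the thread).
BUILTIN = {"filter": ["INPUT", "FORWARD", "OUTPUT"],
           "nat": ["PREROUTING", "OUTPUT", "POSTROUTING"]}

def first_bad_restore_line(text):
    """1-based number of the first line iptables-restore would reject, or None.
    The save format allows only comments, '*table', ':CHAIN POLICY [p:b]',
    rules starting with -A/-I/-D, and COMMIT; shell lines are errors."""
    ok = re.compile(r"^(#|\*\w+$|:\S+ \S+ \[\d+:\d+\]$|-[AID] |COMMIT$)")
    for n, line in enumerate(text.splitlines(), 1):
        if line.strip() and not ok.match(line.strip()):
            return n
    return None

def script_to_save_format(script):
    """Translate the 'iptables ...' calls of a shell script into the
    table-grouped layout /etc/sysconfig/iptables (iptables-restore) expects."""
    tables = {}  # table -> {"policies": {chain: policy}, "rules": [...]}
    for line in script.splitlines():
        argv = shlex.split(line.split("#", 1)[0])
        if len(argv) < 2 or argv[0] != "iptables":
            continue  # modprobe, echo, comments and blank lines are not rules
        args, table = argv[1:], "filter"
        if args[:1] == ["-t"]:
            table, args = args[1], args[2:]
        t = tables.setdefault(table, {"policies": {}, "rules": []})
        if args[:1] == ["-P"]:
            t["policies"][args[1]] = args[2]
        elif args[:1] == ["-A"]:
            t["rules"].append(" ".join(args))
        # -F/-X/-Z act on the live tables; a restore file starts empty, so drop them
    out = []
    for table, t in tables.items():
        out.append("*" + table)
        for chain in BUILTIN.get(table, []):
            out.append(f":{chain} {t['policies'].get(chain, 'ACCEPT')} [0:0]")
        out.extend(t["rules"])
        out.append("COMMIT")
    return "\n".join(out) + "\n"

# Constructed sample: the thread's script as (wrongly) placed in /etc/sysconfig/iptables.
SCRIPT_IN_SYSCONFIG = """\
### Define interfaces here
### Enable Packet Forwarding
INT_DEV=eth1
iptables -P INPUT DROP
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
"""
```

Running `first_bad_restore_line(SCRIPT_IN_SYSCONFIG)` reproduces the "line 3 failed" diagnosis, and feeding its output from `script_to_save_format` back through the checker yields no rejected line.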