Hi List.
I have my home network being masqueraded by linux router(RH8.0).
Network topology:
Linux router(192.168.1.1): eth0 to LAN, eth1 to adsl modem.
LAN = 192.168.1.*
I wrote an iptables script that masquerades my network, but the problem is when
I run the script for the first time from /etc/rc.d/rc.local it works. But
if I then rerun it manually (by root of course) it stops working. Inside hosts
don't have access to the internet. My script does clear all old rules at the
start of it but it doesn't help or else...
I tried to clear all old rules manually and then run the script, no luck,
still not working. I tried to unload all iptables modules then "insmod
ip_tables" and after that to run the script again, nothing, it doesn't help
either... Can someone understand what is going on? Why does it work only the first
time? After the second execution the rules seem to be the same but
inside hosts can't ping the internet.
There are 2 LOG targets in the script, the first with prefix "FORWARD PACKET" and
the second with prefix "MASQ RULE MATCHED". After the first execution of the
script I see 2 logs for each packet, first "FORWARD PACKET" and then "MASQ
RULE MATCHED", but after the second execution, when the NAT doesn't work, the
logs don't show "MASQ RULE MATCHED"...
Best Regards.
S.A.
The script:
#!/bin/sh
IPTABLES="/sbin/iptables"
# Reset all.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
# Modules and targets:
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
# IP Forwarding And Dynamic IP support:
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Create chains for packet types:
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets
# INPUT TABLE:
# Permit ADSL, gre Tunnel (Protocol 47), loopback and a broadcast.
$IPTABLES -A INPUT -p 47 -s 10.0.0.138 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 10.0.0.138 --sport 1723 -j ACCEPT
$IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
$IPTABLES -A INPUT -p ALL -d 192.168.1.255 -j ACCEPT
# Ensure that established sessions will not die
$IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow FTP active and passive port commands:
#$IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Send all other traffic to its chain:
$IPTABLES -A INPUT -p tcp -j tcp_packets
$IPTABLES -A INPUT -p udp -j udp_packets
$IPTABLES -A INPUT -p icmp -j icmp_packets
# OUTPUT TABLE:
# Permit all.
$IPTABLES -A OUTPUT -j ACCEPT
# FORWARD TABLE:
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# tcp_packets TABLE:
# World accessible services:
#$IPTABLES -A tcp_packets -p tcp --dport 21 --syn -j ACCEPT # FTP
#$IPTABLES -A tcp_packets -p tcp --dport 80 --syn -j ACCEPT # HTTP
# Private services:
$IPTABLES -A tcp_packets -s 192.168.1.10/32 -p tcp --dport 23 --syn -j ACCEPT # Telnet
$IPTABLES -A tcp_packets -s 192.168.1.10/24 -p tcp --dport 139 --syn -j ACCEPT # NetBIOS-ssn
# udp_packets TABLE:
# Private services:
$IPTABLES -A udp_packets -s 192.168.1.10/24 -p udp --dport 137 -j ACCEPT # NetBIOS-ns
$IPTABLES -A udp_packets -s 192.168.1.10/24 -p udp --dport 138 -j ACCEPT # NetBIOS-dgm
# MASQUERADING:
$IPTABLES -t nat -A POSTROUTING -o ppp0 -j LOG --log-level DEBUG --log-prefix "matched MASQ RULE: "
$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
# Set defaults to drop:
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
# Debug
$IPTABLES -A FORWARD -j LOG --log-level DEBUG --log-prefix "FORWARD PACKET: "
$IPTABLES -A INPUT -j LOG --log-level DEBUG --log-prefix "INPUT PACKET: "
$IPTABLES -A OUTPUT -j LOG --log-level DEBUG --log-prefix "OUTPUT PACKET: "
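Added example (not part of the original post or its script): a small sh/awk checker that reads kernel log lines produced by the two LOG rules above and lists forwarded packets for which no "matched MASQ RULE: " line was logged, i.e. the symptom described in the post. The log lines are constructed samples in the real ipt_LOG field layout; addresses, IDs and timestamps are made up.

```shell
#!/bin/sh
# Constructed sample kernel log: the first two packets were logged by both the
# FORWARD and the nat POSTROUTING LOG rules (NAT working); the last one only by
# FORWARD (the broken state described in the post). Addresses are made up.
SAMPLE_LOG='Feb 11 21:05:32 router kernel: FORWARD PACKET: IN=eth0 OUT=ppp0 SRC=192.168.1.10 DST=198.51.100.7 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Feb 11 21:05:32 router kernel: matched MASQ RULE: IN= OUT=ppp0 SRC=192.168.1.10 DST=198.51.100.7 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Feb 11 21:05:40 router kernel: FORWARD PACKET: IN=eth0 OUT=ppp0 SRC=192.168.1.11 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=1042 DPT=80 SYN
Feb 11 21:05:40 router kernel: matched MASQ RULE: IN= OUT=ppp0 SRC=192.168.1.11 DST=198.51.100.9 LEN=60 PROTO=TCP SPT=1042 DPT=80 SYN
Feb 11 21:07:02 router kernel: FORWARD PACKET: IN=eth0 OUT=ppp0 SRC=192.168.1.10 DST=198.51.100.7 LEN=84 PROTO=ICMP TYPE=8 CODE=0 ID=513 SEQ=1'

# Reads log lines on stdin. Prints "SRC DST PROTO <id/seq or spt>dpt> missing=N"
# for every packet that hit the FORWARD LOG rule but never the POSTROUTING one.
unmatched_forwards() {
  awk '
    {
      kind = ""
      if (index($0, "FORWARD PACKET:") > 0) kind = "fwd"
      else if (index($0, "matched MASQ RULE:") > 0) kind = "masq"
      if (kind == "") next
      split("", f)                      # portable way to clear the array
      for (i = 1; i <= NF; i++) {       # collect NAME=VALUE fields
        eq = index($i, "=")
        if (eq > 0) f[substr($i, 1, eq - 1)] = substr($i, eq + 1)
      }
      # Identify a packet: ICMP echo by ID/SEQ, TCP/UDP by source/dest port.
      if (f["PROTO"] == "ICMP") tail = f["ID"] "/" f["SEQ"]
      else tail = f["SPT"] ">" f["DPT"]
      k = f["SRC"] " " f["DST"] " " f["PROTO"] " " tail
      n[kind, k]++
      if (kind == "fwd") seen[k] = 1
    }
    END {
      for (k in seen) {
        miss = n["fwd", k] - n["masq", k]
        if (miss > 0) print k " missing=" miss
      }
    }' | sort
}

# Runs the checker over the constructed sample above.
check_sample() {
  printf '%s\n' "$SAMPLE_LOG" | unmatched_forwards
}

check_sample
```

On the real router the same function can be fed with `grep 'PACKET\|MASQ' /var/log/messages`, since the LOG rules write at DEBUG level to syslog.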
- Re: Strange iptables behavior Stiven Andre
- Re: Strange iptables behavior Ira Abramov
- Re: Strange iptables behavior Oleg Kobets
