Linux Forums > Linux Networking
iptables problem
#1 06-08-2006, nesargha (bangalore, india)
iptables problem

Hi guys,
I have written a script for a firewall (to make Squid a transparent proxy) based on searching the web. The script is as follows:

Code:
# Interface connected to Internet: eth0
# Interface connected to LAN: eth1 (this box is 192.168.0.1 on the LAN)
# Squid port: 3128
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
# (ip_conntrack_ftp tracks the FTP data channel so it matches RELATED below;
# newer kernels name these modules nf_conntrack, nf_conntrack_ftp and nf_nat_ftp)
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client (active-mode FTP from LAN clients behind the NAT needs this helper)
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
# (no policy is set for FORWARD, so it keeps the kernel default of ACCEPT)
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# On the Internet side accept only replies to connections this box opened (ESTABLISHED)
# and connections conntrack ties to them, e.g. FTP data channels (RELATED)
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid on 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.1:3128
# Meant for browsing from this box itself, but -i eth0 only matches packets arriving
# from the Internet (locally generated traffic goes through OUTPUT, not PREROUTING),
# and INPUT drops new connections from eth0 anyway, so this rule has no effect
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-ports 3128
# LOG everything that reaches the end of the chain, then DROP it.
# Without -m limit every dropped packet becomes a kernel message, and at the LOG
# target's default level (warning) the kernel prints those on the console; rate-limit
# them, tag them with a prefix, and log at debug level so they only reach syslog
iptables -A INPUT -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables INPUT drop: " --log-level debug
iptables -A INPUT -j DROP

Now Squid is working as a transparent proxy, and locally on the network people are able to browse the Internet and do FTP to the local site (on the server) and to other FTP sites on the Internet.

But there are two problems:
1) People outside our network (we have a branch office in another city) are not able to FTP into our server.

Our server has two Ethernet cards, one connected to the LAN and the other to the Internet,
i.e. eth0 192.168.0.1 LAN
eth1 static IP (given by the ISP) Internet

2) The second problem is that a whole lot of text like
IN=eth0 OUT= MAC=00... SRC=196.68.45.123 DST=<STATIC IP> TTL=112 etc. is printed out on the monitor screen continuously when working in text mode (non-GUI).

Can anyone please help me out in solving these problems?
-- nesargha
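A reworked version of the script above, added here as an example and not the poster's own code. It keeps the script's interface assignment (eth0 on the Internet side, eth1 on the LAN, which is also what `IN=eth0` in the logged line of problem 2 shows), sets a default-deny FORWARD chain with connection tracking, opens the FTP control port only to a branch-office range, and rate-limits the LOG rule so dropped packets cannot flood the console. The interface names, LAN range, Squid port and the branch range (196.68.45.0/24, taken from the SRC in the logged line) are assumptions set at the top. `run` prints each command, shell-quoted, instead of executing it when DRY_RUN is set, so the whole ruleset can be reviewed on a box without root or iptables.

```shell
#!/bin/sh
# Added example, not the original poster's script. Same transparent-proxy
# gateway, with a locked-down FORWARD chain and rate-limited logging.
# Interface assignment follows the posted script: eth0 = Internet, eth1 = LAN.
# All values below are assumptions; adjust them to the real box.
set -eu
WAN="${WAN:-eth0}"                            # ISP static address lives here
LAN="${LAN:-eth1}"                            # 192.168.0.1 lives here
LAN_NET="${LAN_NET:-192.168.0.0/24}"
SQUID_PORT="${SQUID_PORT:-3128}"
BRANCH_NET="${BRANCH_NET:-196.68.45.0/24}"    # branch office (assumed, from the logged SRC)

# run: execute the command, or print it (shell-quoted) when DRY_RUN is set, so
# the whole ruleset can be reviewed or tested on a box without root/iptables.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        for a in "$@"; do
            case $a in *' '*) printf "'%s' " "$a" ;; *) printf '%s ' "$a" ;; esac
        done
        printf '\n'
    else
        "$@"
    fi
}

apply_firewall() {
    for t in filter nat mangle; do            # clean slate in every table
        run iptables -t "$t" -F
        run iptables -t "$t" -X
    done
    # FTP helpers: data channels then match RELATED instead of needing extra
    # open ports. Older kernels call these ip_conntrack_ftp / ip_nat_ftp.
    run modprobe nf_conntrack_ftp
    run modprobe nf_nat_ftp
    run sysctl -w net.ipv4.ip_forward=1

    # Default deny on INPUT *and* FORWARD; the posted script left FORWARD at
    # the kernel default (ACCEPT), so it forwarded anything in any direction.
    run iptables -P INPUT DROP
    run iptables -P FORWARD DROP
    run iptables -P OUTPUT ACCEPT

    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    # Services exposed on the Internet side, one explicit rule each. FTP control
    # channel from the branch office only; its data channels arrive as RELATED.
    run iptables -A INPUT -i "$WAN" -s "$BRANCH_NET" -p tcp --dport 21 -m state --state NEW -j ACCEPT

    # Routing for the LAN: new connections go out, only replies come back in.
    run iptables -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    run iptables -A FORWARD -i "$WAN" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
    run iptables -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # Transparent proxy: LAN web traffic is redirected to Squid on this host.
    # REDIRECT (rather than DNAT to 192.168.0.1) is the target for a local
    # daemon; the packet then traverses INPUT, where the LAN rule accepts it.
    run iptables -t nat -A PREROUTING -i "$LAN" -s "$LAN_NET" -p tcp --dport 80 -j REDIRECT --to-ports "$SQUID_PORT"

    # Log what gets dropped, but at most 5 lines/minute, with a grep-able prefix,
    # at debug level: the console only prints messages below kernel.printk's
    # first field (default 7), so these land in syslog instead of on the screen.
    for chain in INPUT FORWARD; do
        run iptables -A "$chain" -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "iptables $chain drop: " --log-level debug
        run iptables -A "$chain" -j DROP
    done
}

# Usage: sh firewall.sh         -> print the rules (dry run, no root needed)
#        sh firewall.sh apply   -> load them (root)
case "${1:-}" in
    apply) apply_firewall ;;
    *)     DRY_RUN=1 apply_firewall ;;
esac
```

The dry run is worth reading before applying: because every rule goes through `run`, the printed order is exactly the order the kernel will evaluate, which is what matters for a first-match chain. If the console still needs to be quiet for other kernel messages, `dmesg -n 4` (or `kernel.printk`) lowers the console level, but that hides every warning, so rate-limiting the LOG rule is the better first fix.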
#2 06-09-2006, KenJackson (Maryland, USA)
virtual consoles and OpenVPN

Your second problem sounds like the status information that goes to the console. Depending on your configuration, you may be able to select a different virtual console. Try pressing Ctrl-Alt-F2 to get a different one and a new login prompt. If it works, then Ctrl-Alt-F1 will take you back. F3..F6 should also work.

As for your first problem, I don't know what the problem is, but if you have users in different cities accessing each other's servers, I would consider installing OpenVPN to create an encrypted path between the two gateways. I use it between work and home and I love it. Once it's set up, it's totally transparent.
-- KenJackson
#3 06-15-2006, pcrack (Philippines)
transparent proxy

So, to make things clear: you want the WAN side to be able to access the FTP server on your own machine. Here it is: you only need to define eth0 for the transparent proxy; for eth1 there is no need to do anything, just issue an iptables command that allows the WAN side to access your FTP through eth1.

Hope this will help.
-- pcrack
#4 06-16-2006, nesargha (bangalore, india)
Thank you pcrack and Ken Jackson
I have already made changes to the iptables rules; with my friend's help I have opened port 21 for access. Earlier only the guys on our LAN were able to access FTP; now our branch office guys are able to do that too. I have added the following line to iptables.

Code:
# allow the FTP control connection; ip_conntrack_ftp makes the data connections match RELATED
# (this must sit before the final LOG/DROP rules in INPUT, otherwise it is never reached)
iptables -A INPUT -m state --state NEW -m tcp -p tcp --syn --dport 21 -j ACCEPT

What I was doing was dropping all the requests that come in on the static-IP Ethernet card, which is a very good practice as the tutorials on the net say, so you can configure those ports and allow them as required.

But I still have the annoying second problem, which pops up all the messages of the log file on the console screen when I work in text mode (i.e. Ctrl+Alt+F1).

Ken Jackson, thank you for telling me about OpenVPN; I will try it out and check whether it is feasible for our setup.

Thank you once again.
-- nesargha
#5 06-18-2006, KenJackson (Maryland, USA)
If your remote office has a static IP range, you could change your rule to let them jump over the other rules. That way, everybody else still hits the wall, but the good guys get in. For example:
Code:
# --insert (-I) puts the rule at the top of INPUT; --append would place it after
# the final "iptables -A INPUT -j DROP", where it could never match
iptables --insert INPUT --source 196.68.45.0/24 --jump ACCEPT
-- KenJackson
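The port-21 rule in post #4 and the source-range rule in post #5 both only work if they land ahead of the original script's closing `iptables -A INPUT -j DROP`; `-A`/`--append` puts a rule at the end of the chain, behind that DROP, where it can never match. This added check, which is not from the thread, reads the `iptables -S` listing and flags every rule that sits behind an unconditional terminating rule (a bare `-j DROP`, `REJECT` or `ACCEPT` with no match options) in the same chain. The sample input is constructed from the INPUT chain of the original script with those two rules appended at the end, as `-A` would leave them.

```shell
#!/bin/sh
# Added example, not from the thread: flag iptables rules that can never match
# because an unconditional DROP, REJECT or ACCEPT comes earlier in the same
# chain (the classic result of -A/--append after a final "-j DROP").
# Input is the `iptables -S` listing format, read from stdin.
set -eu

# unreachable_rules: read -S output on stdin and print every rule that
# follows a catch-all terminating rule in its chain.
unreachable_rules() {
    awk '
    $1 == "-A" {
        chain = $2
        if (chain in dead) {
            print "UNREACHABLE (after \"" dead[chain] "\"): " $0
            next
        }
        # A catch-all is exactly "-A <chain> -j <target>": no match options.
        if (NF == 4 && $3 == "-j" && ($4 == "DROP" || $4 == "REJECT" || $4 == "ACCEPT")) {
            dead[chain] = $0
        }
    }'
}

# Constructed sample: the original script as iptables -S prints it (--syn
# becomes --tcp-flags FIN,SYN,RST,ACK SYN), plus the two later rules added with -A.
sample_rules() {
    cat <<'EOF'
-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -j ACCEPT
-A INPUT -j LOG
-A INPUT -j DROP
-A INPUT -p tcp -m state --state NEW -m tcp --dport 21 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -s 196.68.45.0/24 -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o eth1 -j ACCEPT
EOF
}

# On the live box:  iptables -S | sh check_rules.sh -
# Run without arguments it checks the constructed sample above.
if [ "${1:-}" = "-" ]; then
    unreachable_rules
else
    sample_rules | unreachable_rules
fi
```

On the sample the checker reports the port-21 rule and the 196.68.45.0/24 rule and nothing else: `-A INPUT -j LOG` is not terminating, so the DROP that follows it is fine, and the FORWARD and OUTPUT chains have no catch-all. The same two rules inserted with `-I`, or appended before the DROP, produce no output.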
© 2000 - 2008 - All Rights Reserved - Property of  MAS Media
