  1. #1
    Just Joined!
    Join Date
    Oct 2008
    Posts
    2

    Problem With script firewall, Please Check , thx


    I have a script which I wrote in rc.local,
    but the clients can't connect to the internet.

    I hope friends can check my script; what is wrong with mine?
    internet = static IP

    Internet ------ Proxy+Firewall ----- Local LAN

    view http://indowebsiter.com/rc.local

    or below

    #!/bin/sh
    #
    # This script will be executed *after* all the other init scripts.
    # You can put your own initialization stuff in here if you don't
    # want to do the full Sys V style init stuff.
    touch /var/lock/subsys/local
    # 1.1 Internet Configuration.
    #--------------------------------------------------------------------------------------------------------------
    INET_IP="111.22.33.444"
    INET_IFACE="eth0"
    INET_BROADCAST="111.22.33.444"

    # 1.2 Local Area Network configuration.
    #--------------------------------------------------------------------------------------------------------------
    LAN_IP="192.168.2.4"
    NETMASK_PPE="192.168.2.0/24"
    LAN_IFACE="eth1"

    # 1.4 Localhost Configuration.
    #--------------------------------------------------------------------------------------------------------------
    LO_IFACE="lo"
    LO_IP="127.0.0.1"

    # 1.5 IPTables Configuration
    #--------------------------------------------------------------------------------------------------------------
    IPTABLES="/sbin/iptables"

    # Needed to initially load modules
    #--------------------------------------------------------------------------------------------------------------
    #/sbin/depmod -a

    # 2.1 Required modules
    #--------------------------------------------------------------------------------------------------------------
    /sbin/modprobe ip_tables
    /sbin/modprobe ip_conntrack
    /sbin/modprobe iptable_filter
    /sbin/modprobe iptable_mangle
    /sbin/modprobe iptable_nat
    /sbin/modprobe ipt_LOG
    /sbin/modprobe ipt_limit
    /sbin/modprobe ipt_state

    # 3. /proc set up.
    #--------------------------------------------------------------------------------------------------------------
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr

    # clear $IPTABLES
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -t mangle -F

    # erase all chains that's not default in filter and nat table.
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -X
    $IPTABLES -t nat -X
    $IPTABLES -t mangle -X

    # 4.1.1 Set policies
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP

    # 4.1.2 Create userspecified chains
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -N bad_tcp_packets

    # Create separate chains for ICMP, TCP and UDP to traverse
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -N allowed
    $IPTABLES -N tcp_packets
    $IPTABLES -N udp_packets
    $IPTABLES -N icmp_packets

    # bad_tcp_packets chain
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
    -m state --state NEW -j REJECT --reject-with tcp-reset
    $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "New not syn:"
    $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

    # allowed chain
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -A allowed -p TCP --syn -j ACCEPT
    $IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A allowed -p TCP -j DROP

    # TCP rules
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
    $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
    $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
    $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
    $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 443 -j allowed
    $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 3128 -j allowed
    $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 10000 -j allowed

    # UDP ports
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
    $IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
    #$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
    #$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

    # In Microsoft Networks you will be swamped by broadcasts.
    #These lines will prevent them from showing up in the logs.
    #--------------------------------------------------------------------------------------------------------------
    #$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST --destination-port 135:139 -j DROP

    # If we get DHCP requests from the Outside of our network, our logs will be swamped as well.
    #This rule will block them from getting logged.
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
    --destination-port 67:68 -j DROP

    # ICMP rules
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
    $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

    # Bad TCP packets we don't want.
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -A INPUT -p tcp -j bad_tcp_packets

    # Special rule for DHCP requests from LAN, which are not caught properly otherwise.
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

    # Rules for special networks not part of the Internet
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
    $IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

    # Rules for incoming packets from anywhere.
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
    $IPTABLES -A INPUT -p TCP -j tcp_packets
    $IPTABLES -A INPUT -p UDP -j udp_packets
    $IPTABLES -A INPUT -p ICMP -j icmp_packets

    # Log weird packets that don't match the above.
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT INPUT packet died: "

    # Bad TCP packets we don't want
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

    # Accept the TCP packets we actually want to forward
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A FORWARD -p tcp --dport 22 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A FORWARD -p tcp --dport 25 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A FORWARD -p tcp --dport 26 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A FORWARD -p tcp --dport 443 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A FORWARD -p tcp --dport 3306 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A FORWARD -p tcp --dport 5432 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A FORWARD -p tcp --dport 5050 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A FORWARD -p tcp --dport 10000 -i $LAN_IFACE -j ACCEPT

    # Accept the UDP packets we actually want to forward
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -A FORWARD -p udp --dport 5050 -i $LAN_IFACE -j ACCEPT
    $IPTABLES -A FORWARD -p udp --dport 5060 -i $LAN_IFACE -j ACCEPT

    # FORWARD packets whose connection is already established
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Log weird packets that don't match the above.
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

    # Bad TCP packets we don't want.
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

    # Outgoing traffic may pass, since it was already filtered earlier, so only certain ports are allowed
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
    $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
    $IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

    # Special OUTPUT rules to decide which IP's to allow.
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

    # Enable simple IP Forwarding and Network Address Translation
    #--------------------------------------------------------------------------------------------------------------
    #$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -d 0/0 -j MASQUERADE
    $IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
    #$IPTABLES -t nat -A POSTROUTING -s $NETMASK_PPE -o $INET_IFACE -d 0/0 -j MASQUERADE
    #$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

    #PREROUTING chain
    #--------------------------------------------------------------------------------------------------------------
    $IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
    #$IPTABLES -t nat -A PREROUTING -i $LAN_IFACE -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.2.3:3128

    service iptables save



    Terimakasih / Thank you

    SIGN

    Hermansyah - Jakarta (Indonesia)

  2. #2
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    What linux version are you running?
    Would it be possible to post that 'service iptables save' file?

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted

  3. #3
    Just Joined!
    Join Date
    Oct 2008
    Posts
    2

    Problem With script firewall, Please Check , thx

    @Robert
    thank you for your attention

    I use CentOS 5.1.
    My problem is that clients can't access port 80, which is redirected to port 3128 via the squid service, but ports 22, 25, 110 and the other ports in my rules are OK.

    I'm confused because basically I'm a web developer; I'm studying networking.

    I hope Mr. Robert and other friends can help me

    Thank you / Terimakasih

    SIGN

    Hermansyah - Jakarta Indonesia

    ym : syah_ajah

  4. #4
    Linux Guru Lazydog
    Join Date
    Jun 2004
    Location
    The Keystone State
    Posts
    2,672
    Is your proxy and the firewall on the same box?

    Regards
    Robert

    Linux
    The adventure of a life time.

    Linux User #296285
    Get Counted
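The thread stops at Robert's question of whether squid runs on the same box as the firewall, and that question is exactly what decides where a redirected packet ends up: a PREROUTING REDIRECT delivers the client's port-80 SYN to the firewall's own port 3128, so it traverses the INPUT chain (which in Hermansyah's script does accept dport 3128 via tcp_packets), never the FORWARD rules that make ports 22, 25 and 110 work. The diagnostic below is an added example, not code from the thread or from the poster's rc.local; it reads captured text (iptables-save -c, ss -lnt, and the kernel log lines produced by the script's "IPT INPUT packet died:" LOG rule) so it runs without root, and the three sample captures are constructed for the demonstration, with the poster's own addresses (111.22.33.444, 192.168.2.4, eth1) reused as placeholders.

```shell
#!/bin/sh
# Added example: offline diagnosis of a transparent-proxy path
# (PREROUTING REDIRECT 80 -> 3128 on the firewall box).
# Every check reads captured text instead of the live system, so it
# runs unprivileged:
#   iptables-save -c  -> per-rule packet counters
#   ss -lnt           -> listening TCP sockets
#   dmesg / syslog    -> lines from the script's LOG rule
#                        ("IPT INPUT packet died: ")

# Packets counted on the PREROUTING REDIRECT rule to port 3128; 0 when
# the rule is absent or has never matched.
redirect_rule_hits() {
    hits=$(printf '%s\n' "$1" \
        | sed -n 's/^\[\([0-9]*\):[0-9]*] -A PREROUTING .*-j REDIRECT --to-ports 3128.*/\1/p' \
        | head -n 1)
    echo "${hits:-0}"
}

# Succeeds when some TCP listener is bound to port 3128 on any address.
proxy_listening() {
    printf '%s\n' "$1" | grep -Eq '^LISTEN[[:space:]].*:3128[[:space:]]'
}

# Number of logged INPUT drops whose destination port is the proxy port.
dropped_to_proxy() {
    printf '%s\n' "$1" | grep -c 'IPT INPUT packet died:.*DPT=3128' || true
}

# Turn the three observations into a single verdict line, checked in
# the order a packet traverses them: nat PREROUTING, then the local
# socket, then the filter INPUT chain.
diagnose() {
    hits=$(redirect_rule_hits "$1")
    if [ "$hits" -eq 0 ]; then
        echo "no-redirect: PREROUTING REDIRECT rule absent or never matched"
    elif ! proxy_listening "$2"; then
        echo "no-listener: packets are redirected to 3128 but nothing listens there"
    elif [ "$(dropped_to_proxy "$3")" -gt 0 ]; then
        echo "filtered: INPUT chain drops redirected packets (allow dport 3128 on the LAN interface)"
    else
        echo "ok: redirect path looks healthy; check squid transparent mode next"
    fi
}

# --- constructed sample captures (not real output from the poster's box) ---
SAMPLE_SAVE='# constructed: iptables-save -c excerpt
*nat
[0:0] -A POSTROUTING -o eth0 -j SNAT --to-source 111.22.33.444
[57:3420] -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT'

SAMPLE_SS_NO_PROXY='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    *:22               *:*'

SAMPLE_SS_PROXY="$SAMPLE_SS_NO_PROXY
LISTEN 0      128    *:3128             *:*"

SAMPLE_LOG='kernel: IPT INPUT packet died: IN=eth1 OUT= SRC=192.168.2.10 DST=192.168.2.4 PROTO=TCP SPT=41234 DPT=3128 SYN'

# Squid on another box but REDIRECT on the firewall: the redirected SYN
# reaches the firewall's own port 3128 and nothing answers there.
diagnose "$SAMPLE_SAVE" "$SAMPLE_SS_NO_PROXY" ""
```

On a live box the same three functions take `iptables-save -c`, `ss -lnt` and a `dmesg` grep as their inputs; a "no-listener" verdict is the case the commented-out DNAT line in the script hints at, where the proxy lives on a different host and REDIRECT (which always targets the local machine) is the wrong NAT target.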
