Results 1 to 5 of 5
Thread: iptables problem
Enjoy an ad free experience by logging in. Not a member yet? Register.
- Join Date
- Jun 2006
- bangalore, india
i have writen a script for firewall(to make squid as transperent proxy) based on serching the web,the script is as follows :
# Interface connected to Internet
# Interface connected to LAN
# Squid port
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
# For win xp ftp client
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.1:3128
# if it is same system
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP
now squid is working as transparent proxy and localy on the network people are able to browse internet and do ftp for the local site(on the server) and other ftps on the internet.
but there are two problems
1) people outside our network ( we have branch office in another city) are not able to ftp into our server
our server has two ethernet card one connected to lan and other to the internet
ie. eth0 192.168.0.1 lan
eth1 static ip (given by the isp) internet
2) the second problem is that whole lot of text like
IN=eth0 OUT= MAC=00... SRC=22.214.171.124 DST=<STATIC IP > TTL=112 etc are printed out on the monitor screen continuesly when working on the text mode (non gui).
can anyone please help me out in solving this problem.
virtual consoles and OpenVPN
Your second problem sounds like the status information that goes to the console. Depending on your configuration, you may be able to select a different virtual console. Try pressing CTRL-ALT-F2 to get a different one and a new login prompt. If it works, then CTRL-ALT-F1 will take you back. F3 .. F6 should also work.
As for your first problem, I don't know what the problem is, but if you have users in different cities accessing each others' servers, I would consider installing OpenVPN to create an encrypted path between the two gateways. I use it between work and home and I love it. Once it's set up, it's totally transparent.
so let things make clearly u want that WAN can access the ftp of ur own server. here it is u only need to define eth0 for transparent proxy, for the eth1 no need to do anything just issue a command in iptables that will allow WAN side to access ur ftp through eth1.
hope this wil help
- Join Date
- Jun 2006
- bangalore, india
thank u pcrack and Ken Jackson
i have already made changes to the ip tables, by my friends help i have opened the port 21 for access, earlier only guys on our LAN where able to access ftp now our branch office guys able to do that now. i have added the following lines ip tables.
#iptables -A INPUT -m state --state NEW -m tcp -p tcp --syn --dport 21 -j ACCEPT
what i was doing was that i was droping all the request that comes on to the static ip ethernet card, which is a very good practice as said by the tutorials on the net, so u can configure on those ports and allow them for our requriment.
but still i have the annoying second problem which pops up all the messages of the log file on to the console screen when i work i text mode (ie ctrl + ALT F1 ).
Ken jackson thank u for telling me about Open VPN i will try it out and check if its is fesible for our setup.
thank you once again
If your remote office has a static IP range, you could change your rule to let them jump over the other rules. That way, everybody else still hits the wall, but the good guys get it. For example:Code:
iptables --append INPUT --source 126.96.36.199/24 --jump ACCEPT