iptables problem

[nesargha]

hi guys,
i have writen a script for firewall(to make squid as transperent proxy) based on serching the web,the script is as follows :

-------------
# Interface connected to Internet
# Interface connected to LAN
# Squid port
# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
#modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT
# DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to 192.168.0.1:3128
# if it is same system
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

-------------------------------------

now squid is working as transparent proxy and localy on the network people are able to browse internet and do ftp for the local site(on the server) and other ftps on the internet.

but there are two problems
1) people outside our network ( we have branch office in another city) are not able to ftp into our server

our server has two ethernet card one connected to lan and other to the internet
ie. eth0 192.168.0.1 lan
eth1 static ip (given by the isp) internet

2) the second problem is that whole lot of text like
IN=eth0 OUT= MAC=00... SRC=196.68.45.123 DST=<STATIC IP > TTL=112 etc are printed out on the monitor screen continuesly when working on the text mode (non gui).

can anyone please help me out in solving this problem.

[KenJackson]

Your second problem sounds like the status information that goes to the console. Depending on your configuration, you may be able to select a different virtual console. Try pressing CTRL-ALT-F2 to get a different one and a new login prompt. If it works, then CTRL-ALT-F1 will take you back. F3 .. F6 should also work.

As for your first problem, I don't know what the problem is, but if you have users in different cities accessing each others' servers, I would consider installing OpenVPN to create an encrypted path between the two gateways. I use it between work and home and I love it. Once it's set up, it's totally transparent.

[pcrack]

so let things make clearly u want that WAN can access the ftp of ur own server. here it is u only need to define eth0 for transparent proxy, for the eth1 no need to do anything just issue a command in iptables that will allow WAN side to access ur ftp through eth1.

hope this wil help

[nesargha]

thank u pcrack and Ken Jackson
i have already made changes to the ip tables, by my friends help i have opened the port 21 for access, earlier only guys on our LAN where able to access ftp now our branch office guys able to do that now. i have added the following lines ip tables.

#iptables -A INPUT -m state --state NEW -m tcp -p tcp --syn --dport 21 -j ACCEPT

what i was doing was that i was droping all the request that comes on to the static ip ethernet card, which is a very good practice as said by the tutorials on the net, so u can configure on those ports and allow them for our requriment.

but still i have the annoying second problem which pops up all the messages of the log file on to the console screen when i work i text mode (ie ctrl + ALT F1 ).

Ken jackson thank u for telling me about Open VPN i will try it out and check if its is fesible for our setup.

thank you once again

[KenJackson]

If your remote office has a static IP range, you could change your rule to let them jump over the other rules. That way, everybody else still hits the wall, but the good guys get it. For example:

Code:

iptables --append INPUT --source 196.68.45.0/24 --jump ACCEPT