#1, Just Joined!, joined Jun 2006, bangalore, india

    iptables problem

    Hi guys,
    I have written a script for a firewall (to make squid a transparent proxy) based on searching the web; the script is as follows:

    # Interface connected to Internet
    # Interface connected to LAN
    # Squid port
    # Clean old firewall
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    # Load IPTABLES modules for NAT and IP conntrack support
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp
    # For win xp ftp client
    #modprobe ip_nat_ftp
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Setting default filter policy
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    # Unlimited access to loop back
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    # Allow UDP, DNS and Passive FTP
    iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    # set this system as a router for Rest of LAN
    iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
    iptables --append FORWARD --in-interface eth1 -j ACCEPT
    # unlimited access to LAN
    iptables -A INPUT -i eth1 -j ACCEPT
    iptables -A OUTPUT -o eth1 -j ACCEPT
    # DNAT port 80 request comming from LAN systems to squid 3128 ($SQUID_PORT) aka transparent proxy
    iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j DNAT --to
    # if it is same system
    iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128
    # DROP everything and Log it
    iptables -A INPUT -j LOG
    iptables -A INPUT -j DROP


    Now squid is working as a transparent proxy, and locally on the network people are able to browse the internet and do ftp to the local site (on the server) and to other ftp servers on the internet.

    But there are two problems:
    1) People outside our network (we have a branch office in another city) are not able to ftp into our server.

    Our server has two ethernet cards, one connected to the LAN and the other to the internet,
    i.e. eth0: LAN
    eth1: static IP (given by the ISP), internet

    2) The second problem is that a whole lot of text like
    `IN=eth0 OUT= MAC=00... SRC= DST=<STATIC IP> TTL=112` etc. is printed out on the monitor screen continuously when working in text mode (non-GUI).

    Can anyone please help me out in solving this problem?

#2, Linux Enthusiast KenJackson, joined Jun 2006, Maryland, USA

    virtual consoles and OpenVPN

    Your second problem sounds like the status information that goes to the console. Depending on your configuration, you may be able to select a different virtual console. Try pressing Ctrl-Alt-F2 to get a different one and a new login prompt. If it works, then Ctrl-Alt-F1 will take you back. F3 .. F6 should also work.

    As for your first problem, I don't know what the problem is, but if you have users in different cities accessing each others' servers, I would consider installing OpenVPN to create an encrypted path between the two gateways. I use it between work and home and I love it. Once it's set up, it's totally transparent.

#3, Just Joined! pcrack, joined May 2006

    transparent proxy

    So, to make things clear: you want the WAN to be able to access the ftp on your own server. Here it is: you only need to define eth0 for the transparent proxy; for eth1 you don't need to do anything, just issue a command in iptables that will allow the WAN side to access your ftp through eth1.

    Hope this will help.

#4, Just Joined!, joined Jun 2006, bangalore, india
    Thank you pcrack and Ken Jackson.
    I have already made changes to iptables; with my friend's help I have opened port 21 for access. Earlier only the guys on our LAN were able to access ftp; now the guys at our branch office are able to do that too. I have added the following line to iptables:

    #iptables -A INPUT -m state --state NEW -m tcp -p tcp --syn --dport 21 -j ACCEPT

    What I was doing was dropping all the requests that come in on the static IP ethernet card, which is a very good practice as said by the tutorials on the net, so you can configure those ports and allow them for your requirement.

    But I still have the annoying second problem, which pops up all the messages of the log file onto the console screen when I work in text mode (i.e. Ctrl+Alt+F1).

    Ken Jackson, thank you for telling me about OpenVPN; I will try it out and check if it is feasible for our setup.

    Thank you once again.

#5, Linux Enthusiast KenJackson, joined Jun 2006, Maryland, USA
    If your remote office has a static IP range, you could change your rule to let them jump over the other rules. That way, everybody else still hits the wall, but the good guys get in. For example:
    iptables --append INPUT --source --jump ACCEPT
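
The thread's three fixes, pulled together as one added example (not the original poster's script and not anything posted in this thread): the port 21 rule from post #4, restricted to the branch office's static address as post #5 suggests, and a rate-limited LOG rule at debug level so the console flood from post #1 and post #2 stops while syslog still records the drops. Interface names (eth1 = ISP side, eth0 = LAN, as post #1 describes them), the LAN subnet 192.168.1.0/24, the branch-office address 203.0.113.10 and the `fw` dry-run wrapper are assumptions for illustration; the `--dry-run` mode prints the rules instead of applying them so the script can be reviewed without root.

```shell
#!/bin/sh
# Hypothetical rewrite of the post #1 firewall script. All addresses and
# interface names below are assumptions; adjust them before applying.
WAN_IF="${WAN_IF:-eth1}"                 # static ISP address, per post #1
LAN_IF="${LAN_IF:-eth0}"                 # office LAN, per post #1
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed LAN range
BRANCH_IP="${BRANCH_IP:-203.0.113.10}"   # assumed branch-office static IP (TEST-NET-3)
SQUID_PORT="${SQUID_PORT:-3128}"

# fw: apply a rule, or just print it when DRY_RUN is set (review/test mode).
fw() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_rules() {
    # Clean all three tables, as the original script does.
    for t in filter nat mangle; do
        fw -t "$t" -F
        fw -t "$t" -X
    done

    # Default deny on INPUT and FORWARD; OUTPUT from the gateway itself is allowed.
    fw -P INPUT DROP
    fw -P FORWARD DROP
    fw -P OUTPUT ACCEPT

    fw -A INPUT -i lo -j ACCEPT
    # Replies and related connections (passive FTP data via ip_conntrack_ftp) on any interface.
    fw -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    fw -A INPUT -m state --state INVALID -j DROP

    # The LAN may talk to the gateway freely, but only from its own subnet.
    fw -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # Post #4's FTP control-channel rule, narrowed to the branch office as post #5 suggests:
    # everyone else on the WAN still hits the DROP below.
    fw -A INPUT -i "$WAN_IF" -s "$BRANCH_IP" -p tcp --dport 21 -m state --state NEW -j ACCEPT

    # Routing for the LAN: new connections out, only replies back in.
    fw -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    fw -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    fw -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE

    # Transparent proxy: squid runs on this box, so REDIRECT is enough (no DNAT target needed).
    fw -t nat -A PREROUTING -i "$LAN_IF" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID_PORT"

    # Post #2's console flood: rate-limit the LOG rule and log at level 7 (debug).
    # With the kernel's default console_loglevel of 7, level-7 messages are not
    # written to the console, but syslog still receives them.
    fw -A INPUT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "IPT-DROP: " --log-level debug
    fw -A INPUT -j DROP
}

case "${1-}" in
    --apply)   echo 1 > /proc/sys/net/ipv4/ip_forward; build_rules ;;
    --dry-run) DRY_RUN=1 build_rules ;;
esac
```

Run it as `sh firewall.sh --dry-run` to review the rules, then as root with `--apply`. If the console must stay quiet regardless of what other kernel messages are logged, `dmesg -n 1` (or the equivalent `-c` option to klogd) lowers the console log level so only emergency messages reach the screen, which also explains why post #2's Ctrl-Alt-F2 suggestion works: the messages only go to the console the kernel prints to.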
