    #1 - Just Joined! (joined Sep 2003, 3 posts)

    iptables 1.2.7+ is screwed up


    For some reason scripts aren't working on 1.2.7+ of iptables. Here is a basic script that doesn't work. I've confirmed this with gentoo and linux distros with 1.2.7+ version of iptables.
    Script only works with 1.2.6a



    Hello and good morning!
    I am having a heck of a time. I spent all day trying to figure out why
    my IPtables script isn't working on my new firewall machine.

    Old box ( WORKING ) Slackware 8.1 - iptables 1.2.6a
    New box ( NOT WORKING ) Gentoo - iptables 1.2.8

    I did check the gentoo kernel and it has everything the Slackware box
    has. Plus I've read the documentation and I've done this for a while. I
    did re-compile iptables to conform with the new kernel on gentoo.

    For some reason httpd is filtered on the gentoo box and open on the
    slackware box. I even tried using webmin to set up everything
    identical but no go.


    Yes apache is bound to the internal IP. I can reach apache from any
    internal machine.

    All I want to do is keep my apache box on the local network and forward
    the requests from the firewall to my internal apache server.
    The firewall is also the gateway for internet access for the local
    workstations.


    Apache = 192.168.1.1
    Firewall - external IP = 209.145.93.99

    My current rc.firewall script works on slack but not gentoo ( 1.2.6a not
    1.2.8 of iptables):


    #!/bin/sh

    # now to flush/clear out the iptables first
    iptables -F -t nat
    iptables -F -t mangle
    iptables -F -t filter


    echo "1" > /proc/sys/net/ipv4/conf/all/forwarding

    modprobe ip_conntrack
    modprobe ip_conntrack_ftp


    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to 209.145.93.99

    echo " Forwarding http traffic to Gadaffi.solarplex.org "
    iptables -t nat -A PREROUTING -p tcp -i eth0 -d 209.145.93.99 --dport 80 \
        -j DNAT --to-destination 192.168.1.1:80

    iptables -A FORWARD -p tcp -i eth1 -d 192.168.1.1 --dport 80 -j ACCEPT


    # now to list the iptables
    iptables -L -t nat
    iptables -L
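    The same HTTP port-forward, rewritten as an added example (this is my script, not the poster's rc.firewall). It assumes the layout described in the post: eth0 faces the Internet, eth1 faces the LAN, and Apache is on 192.168.1.1. Every interface and address is an explicit variable, `set -u` makes the shell abort on an unset name rather than handing iptables a rule with a missing argument, FORWARD defaults to DROP with the DNATed flow accepted explicitly, and `IPT=echo` prints the rules so they can be reviewed before anything reaches the kernel. The save path at the end is an assumption.

```shell
#!/bin/sh
# Added example, not the poster's rc.firewall: the same HTTP port-forward
# written so that an unset variable aborts the script instead of quietly
# producing a rule with a hole in it, and so the rules can be reviewed
# before they reach the kernel (run with IPT=echo).
set -eu

# Assumed layout, taken from the thread: eth0 faces the Internet, eth1 the
# LAN, and Apache listens on 192.168.1.1.
EXTIF=${EXTIF:-eth0}
INTIF=${INTIF:-eth1}
EXTIP=${EXTIP:-209.145.93.99}
LANNET=${LANNET:-192.168.1.0/24}
WEBSRV=${WEBSRV:-192.168.1.1}
IPT=${IPT:-iptables}   # IPT=echo prints each rule instead of applying it

emit_rules() {
    # Flush, then default-deny forwarding: only the flows allowed below pass.
    "$IPT" -t nat -F
    "$IPT" -t mangle -F
    "$IPT" -t filter -F
    "$IPT" -P FORWARD DROP

    # LAN hosts reach the Internet behind the firewall's static external address.
    "$IPT" -t nat -A POSTROUTING -o "$EXTIF" -s "$LANNET" -j SNAT --to-source "$EXTIP"

    # Rewrite inbound HTTP on the external address to the internal web server.
    "$IPT" -t nat -A PREROUTING -i "$EXTIF" -p tcp -d "$EXTIP" --dport 80 \
        -j DNAT --to-destination "$WEBSRV:80"

    # DNAT only rewrites the address; the FORWARD chain still has to accept the
    # flow, and the packet enters on the external interface, not the LAN one.
    "$IPT" -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$WEBSRV" --dport 80 \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    "$IPT" -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LANNET" \
        -m state --state NEW,ESTABLISHED -j ACCEPT
    "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Print the rules without applying them, for review or for a self-check.
dry_run() {
    ( IPT=echo; emit_rules )
}

# Self-check: exactly one DNAT rule should be generated.
count_dnat_rules() {
    dry_run | grep -c -- '-j DNAT'
}

if [ "${1:-}" = "apply" ]; then
    modprobe ip_conntrack
    echo 1 > /proc/sys/net/ipv4/ip_forward
    emit_rules
    iptables-save > /etc/iptables.rules   # assumed path; load at boot with iptables-restore
fi
```

Run `sh rc.firewall.sh` (or `./rc.firewall.sh` after `chmod +x`) to see the rule list without touching the kernel, and `sh rc.firewall.sh apply` as root to install it; to drive it from cron or an init script, point `iptables-restore` at the saved file instead of re-running the generator.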

    #2 - Linux Engineer (joined Jan 2003, Lebanon, pa, 994 posts)
    What is the error?

    #3 - Just Joined! (joined Sep 2003, 3 posts)
    There is no error. Read my message. Short Version:


    For some reason httpd is filtered on the gentoo box and open on the
    slackware box. I even tried using webmin to set up everything
    identical but no go.

    #4 - Just Joined! (joined Sep 2003, 3 posts)
    Working Box:
    61/tcp open ni-mail
    62/tcp open acas

    Not Working Box:
    61/tcp filtered ni-mail
    62/tcp filtered acas


    Actual Script:
    #!/bin/sh

    # now to flush/clear out the iptables first
    iptables -F -t nat
    iptables -F -t mangle
    iptables -F -t filter


    echo "1" > /proc/sys/net/ipv4/conf/all/forwarding

    modprobe ip_conntrack
    modprobe ip_conntrack_ftp



    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to 209.145.93.100
    iptables -t nat -A PREROUTING -p tcp -s ! 192.168.2.0/24 --dport 61 -i eth0 -j DNAT --to 192.168.1.240:23
    iptables -t nat -A PREROUTING -p tcp -s ! 192.168.2.0/24 --dport 62 -i eth0 -j DNAT --to 192.168.1.4:23
    iptables -t nat -A PREROUTING -p tcp -s ! 192.168.2.0/24 --dport 63 -i eth0 -j DNAT --to 192.168.1.7:23



    # now to list the iptables
    iptables -L -t nat
    iptables -L

    #5 - Linux Guru (joined Oct 2001, Täby, Sweden, 7,578 posts)
    Code:
    for t in $(cat /proc/net/ip_tables_names); do echo $t; iptables -t $t -L -n; done
    What does that return after running the script? Are the tables just empty, or has anything been entered?

    In any case, instead of having a script doing this for you, I believe that it's a better idea to generate the tables by hand, and then use iptables-save and iptables-restore to do the work of automatic configuration. Might just be me, though.

    I can't find the definition of EXTIF in your script, even though you're using it later on. Did you just leave that out accidentally?
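    An added example, not something from the thread, for the kind of slip the last question points at: a pre-flight check that lists the variables a shell firewall script expands but never assigns. The `undefined_vars` function and the sample script it is run against are both constructed here; the sample mirrors the poster's script (EXTIP assigned, EXTIF only used).

```shell
#!/bin/sh
# Added example, not from the thread: a pre-flight check that lists the
# variables a firewall script expands ($NAME or ${NAME}) but never assigns.
# That is how an unset EXTIF gets through: the shell expands it to an empty
# string and iptables is handed a rule with the interface argument missing.
set -eu

# Heuristic static check: every expanded name must have a NAME=... line in
# the same file. Names taken from the environment would be reported too, so
# the output is a list to review rather than a verdict.
undefined_vars() {
    file=$1
    grep -o '\$[{]*[A-Za-z_][A-Za-z0-9_]*' "$file" \
        | sed 's/^\$[{]*//' \
        | sort -u \
        | while read -r name; do
            grep -q "^[[:space:]]*$name=" "$file" || echo "$name"
          done
}

# Constructed sample mirroring the thread's script: EXTIP is set, EXTIF is not.
sample_script() {
    cat <<'EOF'
#!/bin/sh
EXTIP=209.145.93.99
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
iptables -t nat -A PREROUTING -p tcp -i eth0 -d ${EXTIP} --dport 80 -j DNAT --to-destination 192.168.1.1:80
EOF
}

# Run the check against the sample; the only name reported is EXTIF.
check_sample() {
    tmp=$(mktemp)
    sample_script > "$tmp"
    undefined_vars "$tmp"
    rm -f "$tmp"
}

check_sample
```

Call `undefined_vars /etc/rc.d/rc.firewall` (or whatever path the script lives at) before running it. The run-time counterpart is `set -u` at the top of the script, or `sh -u script`: the shell then aborts on the first unset expansion instead of passing an empty argument on to iptables.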
