# iptables issue [Solved]

## iGMAS

Working with squid:

IRC

DCC

WWW

Not working with squid (should it work with it?):

BT (Azureus)

IMAP 

SMTP

Worked for awhile:

oidentd

Not Working:

online games like Half-life

DC++

EDIT: with this code it should work, right? Or where did I go wrong?

iptables:

```
#!/bin/bash
IPTABLES='/sbin/iptables'

# Set interface values
INET='ppp0'
LAN='eth1'

# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush rules and delete chains
## Flush rules
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

##
$IPTABLES -t nat -A POSTROUTING -o $INET -j MASQUERADE
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i ! $INET -j ACCEPT
$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -P INPUT DROP
$IPTABLES -A INPUT -i $LAN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $INET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -o $INET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# INPUT to Server
$IPTABLES -A INPUT -i $INET -p tcp -m tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i $INET -p tcp -m tcp --dport 21 -j ACCEPT
#$IPTABLES -A INPUT -i $INET -p tcp -m tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -i $INET -p tcp -m tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i $INET -p tcp -m tcp --dport 113 -j ACCEPT

# LOCALHOST interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# SAMBA
#$IPTABLES -A INPUT -i $LAN -p udp --dport 137 -j ACCEPT
#$IPTABLES -A INPUT -i $LAN -p udp --dport 138 -j ACCEPT
#$IPTABLES -A INPUT -i $LAN -p tcp --dport 139 -j ACCEPT

# SMTP
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 25 -j DNAT --to 192.168.0.20:25
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 465 -j DNAT --to 192.168.0.20:465
$IPTABLES -A FORWARD -i $LAN -p tcp -s 192.168.0.20/32 --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -i $LAN -p tcp -s 192.168.0.20/32 --dport 465 -j ACCEPT
$IPTABLES -A FORWARD -i $INET -p tcp -d 192.168.0.20/32 --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -i $INET -p tcp -d 192.168.0.20/32 --dport 465 -j ACCEPT

# IMAP
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 993 -j DNAT --to 192.168.0.20:993
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 143 -j DNAT --to 192.168.0.20:143
$IPTABLES -I FORWARD -i $LAN -p tcp -s 192.168.0.20/32 --dport 993 -j ACCEPT
$IPTABLES -I FORWARD -i $LAN -p tcp -s 192.168.0.20/32 --dport 143 -j ACCEPT
$IPTABLES -I FORWARD -i $INET -p tcp -d 192.168.0.20/32 --dport 993 -j ACCEPT
$IPTABLES -I FORWARD -i $INET -p tcp -d 192.168.0.20/32 --dport 143 -j ACCEPT

# Bittorent
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 6881 -j DNAT --to 192.168.0.20:6881
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 6882 -j DNAT --to 192.168.0.20:6882
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 6883 -j DNAT --to 192.168.0.20:6883
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 6884 -j DNAT --to 192.168.0.20:6884
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 6969 -j DNAT --to 192.168.0.20:6969
$IPTABLES -I FORWARD -i $INET -o $LAN -p tcp -d 192.168.0.20/32 --dport 6881:6999 -j ACCEPT
$IPTABLES -I FORWARD -i $LAN -o $INET -p tcp -s 192.168.0.20/32 --dport 6881:6999 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 6881:6999 -j DNAT --to 192.168.0.20

# DC++
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 412 -j DNAT --to 192.168.0.20:412
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 1412 -j DNAT --to 192.168.0.20:1412
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 411 -j DNAT --to 192.168.0.20:411
$IPTABLES -I FORWARD -i $INET -p tcp -d 192.168.0.20/32 --dport 412 -j ACCEPT
$IPTABLES -I FORWARD -i $INET -p tcp -d 192.168.0.20/32 --dport 411 -j ACCEPT
$IPTABLES -I FORWARD -i $INET -p tcp -d 192.168.0.20/32 --dport 1412 -j ACCEPT
$IPTABLES -I FORWARD -i $LAN -p tcp -s 192.168.0.20/32 --dport 1412 -j ACCEPT
$IPTABLES -I FORWARD -i $LAN -p tcp -s 192.168.0.20/32 --dport 412 -j ACCEPT
$IPTABLES -I FORWARD -i $LAN -p tcp -s 192.168.0.20/32 --dport 411 -j ACCEPT

# Logging
$IPTABLES -A INPUT -j LOG --log-prefix "Iptables: "
#$IPTABLES -A OUTPUT -j LOG --log-prefix "Iptables: "
```

iptables -nvL

```
Chain INPUT (policy DROP 7 packets, 359 bytes)
 pkts bytes target     prot opt in     out     source               destination
 238K  330M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
   42  2296 ACCEPT     all  --  !ppp0  *       0.0.0.0/0            0.0.0.0/0           state NEW
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:21
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:22
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:113
    0     0 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    7   359 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `Iptables: '

Chain FORWARD (policy DROP 163 packets, 10959 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     tcp  --  eth1   *       192.168.0.20         0.0.0.0/0           tcp dpt:411
    0     0 ACCEPT     tcp  --  eth1   *       192.168.0.20         0.0.0.0/0           tcp dpt:412
    0     0 ACCEPT     tcp  --  eth1   *       192.168.0.20         0.0.0.0/0           tcp dpt:1412
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            192.168.0.20        tcp dpt:1412
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            192.168.0.20        tcp dpt:411
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            192.168.0.20        tcp dpt:412
    0     0 ACCEPT     tcp  --  eth1   ppp0    192.168.0.20         0.0.0.0/0           tcp dpts:6881:6999
    0     0 ACCEPT     tcp  --  ppp0   eth1    0.0.0.0/0            192.168.0.20        tcp dpts:6881:6999
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            192.168.0.20        tcp dpt:143
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            192.168.0.20        tcp dpt:993
    0     0 ACCEPT     tcp  --  eth1   *       192.168.0.20         0.0.0.0/0           tcp dpt:143
    0     0 ACCEPT     tcp  --  eth1   *       192.168.0.20         0.0.0.0/0           tcp dpt:993
  175 11732 ACCEPT     all  --  eth1   ppp0    0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth1   *       192.168.0.20         0.0.0.0/0           tcp dpt:25
    0     0 ACCEPT     tcp  --  eth1   *       192.168.0.20         0.0.0.0/0           tcp dpt:465
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            192.168.0.20        tcp dpt:25
    0     0 ACCEPT     tcp  --  ppp0   *       0.0.0.0/0            192.168.0.20        tcp dpt:465

Chain OUTPUT (policy DROP 335 packets, 134K bytes)
 pkts bytes target     prot opt in     out     source               destination
 122K 8343K ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED
 2350  130K ACCEPT     all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED
   12  5636 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
```

iptables -t nat -nvL

```
Chain PREROUTING (policy ACCEPT 25908 packets, 2661K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:25 to:192.168.0.20:25
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:465 to:192.168.0.20:465
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:993 to:192.168.0.20:993
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:143 to:192.168.0.20:143
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6881 to:192.168.0.20:6881
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6882 to:192.168.0.20:6882
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6883 to:192.168.0.20:6883
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6884 to:192.168.0.20:6884
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:6969 to:192.168.0.20:6969
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:412 to:192.168.0.20:412
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:1412 to:192.168.0.20:1412
    0     0 DNAT       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0           tcp dpt:411 to:192.168.0.20:411

Chain POSTROUTING (policy ACCEPT 1600 packets, 137K bytes)
 pkts bytes target     prot opt in     out     source               destination
   51  3211 MASQUERADE  all  --  *      ppp0    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 12007 packets, 2231K bytes)
 pkts bytes target     prot opt in     out     source               destination
```

Or am I doing the same mistake again?

Last edited by iGMAS on Sun Aug 08, 2004 12:43 pm; edited 7 times in total
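The script's last INPUT rule logs every packet that reaches the end of the chain just before the DROP policy takes it (the `-nvL` listing above shows 7 such packets), so the kernel log is where you see what the router is actually rejecting. The following is an added example, not code from the post: a small Python parser for the kernel's netfilter LOG lines that groups the dropped packets by interface, protocol and destination port and picks out unsolicited connection attempts from the Internet side. The log lines, hostnames and addresses are constructed for the example (documentation ranges, not real hosts), and the exact set of fields the LOG target writes depends on the kernel version.

```python
"""Triage of netfilter LOG output produced by an 'iptables -j LOG --log-prefix' rule."""
from collections import Counter
import re

LOG_PREFIX = "Iptables: "   # the --log-prefix used in the thread's script

# Constructed sample lines in the kernel's netfilter LOG format. The last line is an
# unrelated kernel message and must be ignored by the parser.
SAMPLE_LOG = """\
Aug  8 12:30:01 gw kernel: Iptables: IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=23341 DF PROTO=TCP SPT=3381 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  8 12:30:04 gw kernel: Iptables: IN=ppp0 OUT= MAC= SRC=198.51.100.7 DST=203.0.113.5 LEN=48 TOS=0x00 PREC=0x00 TTL=115 ID=23342 DF PROTO=TCP SPT=3382 DPT=445 WINDOW=16384 RES=0x00 SYN URGP=0
Aug  8 12:31:17 gw kernel: Iptables: IN=ppp0 OUT= MAC= SRC=192.0.2.44 DST=203.0.113.5 LEN=78 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=1026 DPT=137 LEN=58
Aug  8 12:32:40 gw kernel: Iptables: IN=ppp0 OUT= MAC= SRC=192.0.2.9 DST=203.0.113.5 LEN=40 TOS=0x00 PREC=0x00 TTL=244 ID=54321 PROTO=TCP SPT=80 DPT=6882 WINDOW=0 RES=0x00 ACK RST URGP=0
Aug  8 12:32:41 gw kernel: martian source 203.0.113.5 from 10.1.2.3, on dev ppp0
"""

FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
TCP_FLAG_WORDS = ("SYN", "ACK", "RST", "FIN", "PSH", "URG")


def parse_log_line(line):
    """Return the KEY=VALUE fields of one LOG line as a dict, or None when the line
    does not carry the firewall's prefix. Bare TCP flag words have no '=' and are
    collected under 'FLAGS'. For UDP the kernel writes LEN twice; the second (UDP
    length) wins, which is fine for triage."""
    idx = line.find(LOG_PREFIX)
    if idx < 0:
        return None
    body = line[idx + len(LOG_PREFIX):]
    fields = dict(FIELD_RE.findall(body))
    fields["FLAGS"] = [w for w in body.split() if w in TCP_FLAG_WORDS]
    return fields


def summarize(text):
    """Count logged (i.e. dropped) packets per (ingress interface, protocol, dport)."""
    counts = Counter()
    for line in text.splitlines():
        f = parse_log_line(line)
        if f is not None:
            counts[(f.get("IN"), f.get("PROTO"), f.get("DPT"))] += 1
    return counts


def unsolicited_syns(text, external_if="ppp0"):
    """(SRC, DPT) of fresh connection attempts (SYN without ACK) arriving on the
    external interface: exactly the traffic the INPUT DROP policy exists to stop.
    A RST/ACK from a remote port 80 is a reply to something, not an attempt."""
    hits = []
    for line in text.splitlines():
        f = parse_log_line(line)
        if f and f.get("IN") == external_if and "SYN" in f["FLAGS"] and "ACK" not in f["FLAGS"]:
            hits.append((f["SRC"], f["DPT"]))
    return hits


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{n:4d}  in={key[0]} proto={key[1]} dport={key[2]}")
    print("unsolicited SYNs:", unsolicited_syns(SAMPLE_LOG))
```

Run against `/var/log/messages` (or `dmesg`) on the router and the per-port counts tell you whether the 7 dropped packets were noise hitting the policy as intended or a legitimate service being blocked by a missing rule.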

----------

## megalomani

First question: is it the router which has sshd, httpd, squid, bt installed on it? If not, don't allow traffic from anywhere to these ports. If yes, should the outside world be using your squid?

Now, the outside computer is PREROUTED to 192.168.0.20 correctly, but then the rule

$IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP

drops it. You need to add 

$IPTABLES -A FORWARD --protocol tcp --dport 6881:6999 -j ACCEPT

$IPTABLES -A FORWARD --protocol udp --dport 6881:6999 -j ACCEPT

BEFORE the drop rule.

these rules should do the same thing, do you get an error if you only type in these?

iptables -I FORWARD -d 192.168.0.20 -p tcp --dport 6881:6999 -j ACCEPT

iptables -I FORWARD -d 192.168.0.20 -p udp --dport 6881:6999 -j ACCEPT 

see http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html

edit: added: INPUT is for the router, FORWARD is for the computers behind the router

----------

## iGMAS

```
###############                                         ############
# Workstation #192.168.0.20>----------<192.168.0.1(eth1)# FireWall #((eth0)(ppp0))>-internet
###############                                         ############
```

So I should forward the ports I want to 192.168.0.20 with 

$IPTABLES -A FORWARD -d 192.168.0.20 --protocol tcp --dport xx -j ACCEPT 

right?

----------

## megalomani

Yes, but you must use PREROUTING to get the destination ip correct

something like

$IPTABLES -t nat -A PREROUTING --protocol tcp --dport 6881:6999 -j DNAT --to 192.168.0.20 (I am writing this out of memory see the doc for exact syntax)

----------

## iGMAS

That code above is broken now, don't know what I did wrong :/

----------

## megalomani

what does

iptables -t nat -L

and

iptables -L

show?

----------

## iGMAS

iptables -L

```
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:webcache
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:6881:6999
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:412
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1412
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ftp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:auth
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:6660:6661
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:6666:6669
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:afs3-fileserver
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:65525:65535
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:smtp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:imap2
DROP       all  --  anywhere             anywhere            state INVALID,NEW
LOG        all  --  anywhere             anywhere            LOG level warning prefix `Iptables: '

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere            state NEW,RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            tcp dpts:6881:6999
ACCEPT     udp  --  anywhere             anywhere            udp dpts:6881:6999
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:412
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:1412
DROP       all  --  anywhere             anywhere            state INVALID,NEW

Chain OUTPUT (policy DROP)
target     prot opt source               destination
```

iptables -t nat -L

```
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere            tcp dpt:412 to:192.168.0.20
DNAT       tcp  --  anywhere             anywhere            tcp dpt:1412 to:192.168.0.20
DNAT       tcp  --  anywhere             anywhere            tcp dpt:auth to:192.168.0.20
DNAT       tcp  --  anywhere             anywhere            tcp dpts:6660:6670 to:192.168.0.20
DNAT       tcp  --  anywhere             anywhere            tcp dpt:afs3-fileserver to:192.168.0.20
DNAT       tcp  --  anywhere             anywhere            tcp dpts:65525:65535 to:192.168.0.20
DNAT       tcp  --  anywhere             anywhere            tcp dpt:smtp to:192.168.0.20
DNAT       tcp  --  anywhere             anywhere            tcp dpt:imap2 to:192.168.0.20

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
MASQUERADE  all  --  anywhere             anywhere
MASQUERADE  all  --  anywhere             anywhere
MASQUERADE  all  --  anywhere             anywhere
MASQUERADE  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
```

----------

## megalomani

packet from internet

```
PREROUTING -> (route table) -> FORWARD -> POSTROUTING -> workstation
                               |
                               -> INPUT firewall
```

INPUT and OUTPUT:

Which programs are on your server? Just sshd, then

$IPTABLES -A INPUT -i $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -i $INTIF1 -p tcp --dport 22 -j ACCEPT

$IPTABLES -A OUTPUT -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A OUTPUT -o $INTIF1 -p tcp --dport 22 -j ACCEPT

these rules mean that you can connect to your firewall from your workstation. The rules for other programs are similar to these.

PREROUTING:

$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 6881:6999 -j DNAT --to 192.168.0.20

this rule makes requests to ports 6881-6999 from the internet get destination 192.168.0.20

FORWARD:

```
# forward LAN traffic from $INTIF1 to Internet interface $EXTIF
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
```

allows your workstation to send ANYTHING to the internet

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -p tcp --dport 6881:6999 -j ACCEPT

allows requests to be forwarded from your firewall to your workstation.

POSTROUTING:

```
# enable masquerading to allow LAN internet access
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
```

PS: sorry for the picture and check for typos
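To make the traversal drawn above concrete, here is an added example (not code from the post): a Python model that treats each chain as an ordered first-match list with a policy and traces a fresh inbound TCP packet through PREROUTING, the routing decision, and then INPUT or FORWARD. It reproduces the thread's problem: without DNAT the packet is delivered to the router itself and INPUT drops it; with a DNAT rule alone it is handed to FORWARD, where the DROP policy discards it; only a matching `-i ppp0 -o eth1` ACCEPT in FORWARD lets it through. It also shows the ordering point from the first reply: an ACCEPT appended (`-A`) after a `--state NEW,INVALID -j DROP` rule is never reached, whereas `-I` puts it in front. The addresses come from the diagram in the thread except the public address of ppp0, which is not on the page and is replaced by a documentation-range placeholder; the packet is constructed.

```python
"""Model of netfilter chain traversal for the router in this thread (added example)."""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

# Addresses from the diagram in the thread; the public address of ppp0 is not on
# the page, so a documentation-range placeholder is used (constructed).
FW_LAN_IP = "192.168.0.1"
FW_PUBLIC_IP = "203.0.113.5"
WORKSTATION = "192.168.0.20"
LAN_NET = ip_network("192.168.0.0/24")
BT_RANGE = (6881, 6999)

@dataclass(frozen=True)
class Packet:
    in_if: str
    proto: str
    dst: str
    dport: int
    state: str = "NEW"          # what -m state reports for this packet

@dataclass(frozen=True)
class Rule:
    target: str                 # ACCEPT, DROP, or "DNAT:<new destination>"
    in_if: str = None           # -i
    out_if: str = None          # -o (only known once the packet has been routed)
    proto: str = None           # -p
    dst: str = None             # -d
    dports: tuple = None        # --dport low:high
    states: frozenset = None    # --state

    def matches(self, pkt, out_if):
        """Every match given on the rule must hold; unspecified ones match anything."""
        return ((self.in_if is None or self.in_if == pkt.in_if)
                and (self.out_if is None or self.out_if == out_if)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.dports is None or self.dports[0] <= pkt.dport <= self.dports[1])
                and (self.states is None or pkt.state in self.states))

class Firewall:
    def __init__(self):
        self.chains = {"PREROUTING": [], "INPUT": [], "FORWARD": []}
        self.policy = {"PREROUTING": "ACCEPT", "INPUT": "DROP", "FORWARD": "DROP"}

    def append(self, chain, rule):   # iptables -A: evaluated after the existing rules
        self.chains[chain].append(rule)

    def insert(self, chain, rule):   # iptables -I with no position: evaluated first
        self.chains[chain].insert(0, rule)

    def verdict(self, chain, pkt, out_if=None):
        """First matching rule wins; if none matches, the chain policy applies."""
        for rule in self.chains[chain]:
            if rule.matches(pkt, out_if):
                return rule.target
        return self.policy[chain]

    def route(self, dst):
        """Routing decision: None means local delivery (INPUT), else the egress interface."""
        if dst in (FW_LAN_IP, FW_PUBLIC_IP):
            return None
        return "eth1" if ip_address(dst) in LAN_NET else "ppp0"

    def receive(self, pkt):
        """PREROUTING (nat) -> routing decision -> INPUT or FORWARD, as drawn in the post."""
        nat = self.verdict("PREROUTING", pkt)
        if nat.startswith("DNAT:"):
            pkt = replace(pkt, dst=nat.split(":", 1)[1])
        out_if = self.route(pkt.dst)
        if out_if is None:
            return "INPUT", self.verdict("INPUT", pkt)
        return "FORWARD", self.verdict("FORWARD", pkt, out_if)

def base_ruleset():
    """The rules from the thread's script that an inbound NEW packet can meet."""
    fw = Firewall()
    fw.append("INPUT", Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})))
    fw.append("FORWARD", Rule("ACCEPT", in_if="eth1", out_if="ppp0",
                              states=frozenset({"NEW", "ESTABLISHED", "RELATED"})))
    return fw

DNAT_BT = Rule("DNAT:" + WORKSTATION, in_if="ppp0", proto="tcp", dports=BT_RANGE)
# A fresh connection from the Internet to the router's public address, port 6881 (constructed).
BT_REQUEST = Packet(in_if="ppp0", proto="tcp", dst=FW_PUBLIC_IP, dport=6881)

def without_dnat():
    return base_ruleset().receive(BT_REQUEST)   # ('INPUT', 'DROP'): never reaches the LAN

def dnat_only():
    fw = base_ruleset()
    fw.append("PREROUTING", DNAT_BT)
    return fw.receive(BT_REQUEST)               # ('FORWARD', 'DROP'): FORWARD policy drops it

def dnat_and_forward():
    fw = base_ruleset()
    fw.append("PREROUTING", DNAT_BT)
    fw.append("FORWARD", Rule("ACCEPT", in_if="ppp0", out_if="eth1", proto="tcp",
                              dst=WORKSTATION, dports=BT_RANGE))
    return fw.receive(BT_REQUEST)               # ('FORWARD', 'ACCEPT')

def accept_after_drop(use_insert):
    """ACCEPT appended (-A) after '--state NEW,INVALID -j DROP' never fires; -I puts it first."""
    fw = base_ruleset()
    fw.append("PREROUTING", DNAT_BT)
    fw.append("FORWARD", Rule("DROP", in_if="ppp0", states=frozenset({"NEW", "INVALID"})))
    add = fw.insert if use_insert else fw.append
    add("FORWARD", Rule("ACCEPT", proto="tcp", dst=WORKSTATION, dports=BT_RANGE))
    return fw.receive(BT_REQUEST)               # -A: ('FORWARD', 'DROP'); -I: ('FORWARD', 'ACCEPT')

if __name__ == "__main__":
    print("no DNAT             ", without_dnat())
    print("DNAT only           ", dnat_only())
    print("DNAT + FORWARD rule ", dnat_and_forward())
    print("ACCEPT appended (-A)", accept_after_drop(False))
    print("ACCEPT inserted (-I)", accept_after_drop(True))
```

The model deliberately leaves out OUTPUT and POSTROUTING, which an inbound packet only reaches after the verdicts shown here, and it keys the accept rule on the workstation's address and the port range rather than on "anything from ppp0", which is the least-privilege shape the later replies in this thread converge on.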

----------

## iGMAS

thanks for fixing the broken iptables but I think azureus hates my router/fw :Crying or Very sad: + my identd broke down :<

Last edited by iGMAS on Mon Jul 19, 2004 7:45 pm; edited 1 time in total

----------

## megalomani

show iptables -L -v and iptables -t nat -L -v, look if in/out interfaces are correct. (eth0 and eth1)

----------

## iGMAS

iptables -L -v 

```
Chain INPUT (policy ACCEPT 91511 packets, 94M bytes)
 pkts bytes target     prot opt in     out     source               destination
77834 3666K ACCEPT     all  --  eth1   any     anywhere             anywhere            state RELATED,ESTABLISHED
    1    52 ACCEPT     tcp  --  eth1   any     anywhere             anywhere            tcp dpt:ssh

Chain FORWARD (policy ACCEPT 6632 packets, 391K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     all  --  eth1   eth0    anywhere             anywhere            state NEW,RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  eth0   eth1    anywhere             anywhere            tcp dpts:6881:6999

Chain OUTPUT (policy ACCEPT 79470 packets, 5834K bytes)
 pkts bytes target     prot opt in     out     source               destination
 113K   94M ACCEPT     all  --  any    eth1    anywhere             anywhere            state RELATED,ESTABLISHED
    0     0 ACCEPT     tcp  --  any    eth1    anywhere             anywhere            tcp dpt:ssh
```

iptables -t nat -L -v

```
Chain PREROUTING (policy ACCEPT 3885 packets, 299K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpts:6881:6999 to:192.168.0.20
    0     0 DNAT       tcp  --  eth0   any     anywhere             anywhere            tcp dpts:6881:6999 to:192.168.0.20

Chain POSTROUTING (policy ACCEPT 2210 packets, 229K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 709 packets, 147K bytes)
 pkts bytes target     prot opt in     out     source               destination
```

Looks right. And if I want ident to work, I should forward the identd port, right?

----------

## megalomani

yes, but why use inetd?

----------

## iGMAS

Well, else I get ~host@host.com, right? I'm using squid proxy btw

----------

## megalomani

Oh, IRC

If the squid proxy is in your firewall you need to add

$IPTABLES -A INPUT -i $INTIF1 -p tcp --dport 3128 -j ACCEPT (I am not sure about the port number, see http://www.squid-cache.org/Doc/FAQ/FAQ.html for more info). This allows input from your workstation to your firewall on port 3128. (Or delete these kinds of rules and allow all traffic from your workstation to your firewall with $IPTABLES -A INPUT -i $INTIF1 -j ACCEPT)

and

$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 -j REDIRECT --to-port 3128 

sends http to squid port

and finally 

$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 3128 -j ACCEPT

----------

## megalomani

Easy solution: open your firewall to all input from the workstation and allow the firewall to connect to the internet (the difference from the earlier version? These rules should WORK.)

$IPTABLES -A INPUT -i $INTIF1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A OUTPUT -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A OUTPUT -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

the difference between these rules: the firewall is permitted to send anything to the internet, but can't start a connection to your workstation

PREROUTING, FORWARD:

$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 6881:6999 -j DNAT --to 192.168.0.20

$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -p tcp --dport 6881:6999 -j ACCEPT

POSTROUTING:

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

----------

## iGMAS

EDIT: I edited the first post and still I can't get bittorrent to go through the firewall, it won't even communicate with the trackers through the proxy :/

----------

## megalomani

```
#!/bin/bash
IPTABLES='/sbin/iptables'

# Set interface values
INET='ppp0'
LAN='eth1'

# enable ip forwarding in the kernel
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward

# flush rules and delete chains
## Flush rules
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

##
$IPTABLES -t nat -A POSTROUTING -o $INET -j MASQUERADE
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

1) $IPTABLES -A INPUT -m state --state NEW -i ! $INET -j ACCEPT
makes all rules marked with 1* unnecessary.

$IPTABLES -A INPUT -p icmp -j ACCEPT
$IPTABLES -P INPUT DROP
1*) $IPTABLES -A INPUT -i $LAN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o $INET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
2) $IPTABLES -A FORWARD -i $LAN -o $INET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# INPUT to Server
all of these 1*)
$IPTABLES -A INPUT -i $INET -p tcp -m tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i $INET -p tcp -m tcp --dport 21 -j ACCEPT
#$IPTABLES -A INPUT -i $INET -p tcp -m tcp --dport 20 -j ACCEPT
$IPTABLES -A INPUT -i $INET -p tcp -m tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i $INET -p tcp -m tcp --dport 113 -j ACCEPT

# LOCALHOST interface
1*) $IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# SAMBA
do you have samba on the firewall?
#$IPTABLES -A INPUT -i $LAN -p udp --dport 137 -j ACCEPT
#$IPTABLES -A INPUT -i $LAN -p udp --dport 138 -j ACCEPT
#$IPTABLES -A INPUT -i $LAN -p tcp --dport 139 -j ACCEPT

# SMTP
squid can't use smtp. What is this? Are you running a mailserver on 192.168.0.20?
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 25 -j DNAT --to 192.168.0.20:25
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 465 -j DNAT --to 192.168.0.20:465
2*) $IPTABLES -A FORWARD -i $LAN -p tcp -s 192.168.0.20/32 --dport 25 -j ACCEPT
2*) $IPTABLES -A FORWARD -i $LAN -p tcp -s 192.168.0.20/32 --dport 465 -j ACCEPT
$IPTABLES -A FORWARD -i $INET -p tcp -d 192.168.0.20/32 --dport 25 -j ACCEPT
$IPTABLES -A FORWARD -i $INET -p tcp -d 192.168.0.20/32 --dport 465 -j ACCEPT

# IMAP
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 993 -j DNAT --to 192.168.0.20:993
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 143 -j DNAT --to 192.168.0.20:143
2*) $IPTABLES -I FORWARD -i $LAN -p tcp -s 192.168.0.20/32 --dport 993 -j ACCEPT
2*) $IPTABLES -I FORWARD -i $LAN -p tcp -s 192.168.0.20/32 --dport 143 -j ACCEPT
$IPTABLES -I FORWARD -i $INET -p tcp -d 192.168.0.20/32 --dport 993 -j ACCEPT
$IPTABLES -I FORWARD -i $INET -p tcp -d 192.168.0.20/32 --dport 143 -j ACCEPT

# Bittorent
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 6881 -j DNAT --to 192.168.0.20:6881
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 6882 -j DNAT --to 192.168.0.20:6882
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 6883 -j DNAT --to 192.168.0.20:6883
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 6884 -j DNAT --to 192.168.0.20:6884
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 6969 -j DNAT --to 192.168.0.20:6969
$IPTABLES -I FORWARD -i $INET -o $LAN -p tcp -d 192.168.0.20/32 --dport 6881:6999 -j ACCEPT
$IPTABLES -I FORWARD -i $LAN -o $INET -p tcp -s 192.168.0.20/32 --dport 6881:6999 -j ACCEPT
#$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 6881:6999 -j DNAT --to 192.168.0.20

Two rules to replace this section (my mistake with 6881:6999)
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 6881:6889 -j DNAT --to-destination 192.168.0.20
$IPTABLES -I FORWARD -i $INET -o $LAN -p tcp -d 192.168.0.20 --dport 6881:6889 -j ACCEPT

# DC++
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 412 -j DNAT --to 192.168.0.20:412
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 1412 -j DNAT --to 192.168.0.20:1412
$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 411 -j DNAT --to 192.168.0.20:411
$IPTABLES -I FORWARD -i $INET -p tcp -d 192.168.0.20/32 --dport 412 -j ACCEPT
$IPTABLES -I FORWARD -i $INET -p tcp -d 192.168.0.20/32 --dport 411 -j ACCEPT
$IPTABLES -I FORWARD -i $INET -p tcp -d 192.168.0.20/32 --dport 1412 -j ACCEPT
2*) $IPTABLES -I FORWARD -i $LAN -p tcp -s 192.168.0.20/32 --dport 1412 -j ACCEPT
2*) $IPTABLES -I FORWARD -i $LAN -p tcp -s 192.168.0.20/32 --dport 412 -j ACCEPT
2*) $IPTABLES -I FORWARD -i $LAN -p tcp -s 192.168.0.20/32 --dport 411 -j ACCEPT

# Logging
$IPTABLES -A INPUT -j LOG --log-prefix "Iptables: "
#$IPTABLES -A OUTPUT -j LOG --log-prefix "Iptables: "
```

read

http://userpages.umbc.edu/~hamilton/btclientconfig.html

about half-life see

http://www.rowsdower.net/howto/cs_setup.html

google for a portscanner on the net to see what ports are open (or use the gentoo forum for links)

----------

## iGMAS

No, I'm not running a mailserver, but how can I get my mail to go through the firewall? squid ain't working :/

EDIT: no, I have tested different port scanners, the ports open when I start Azureus but nothing will come in or go out :/

EDIT2: I think I give up, looks like my fw doesn't want to open anything other than things that go through squid

----------

## megalomani

> No, I'm not running a mailserver, but how can I get my mail to go through the firewall? squid ain't working :/

$IPTABLES -A FORWARD -i $LAN -o $INET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

should deliver your mail. If I recall correctly, IMAP must have port 143 forwarded to your computer (please correct this if I am wrong)

$IPTABLES -t nat -A PREROUTING -i $INET -p tcp --dport 143 -s <your mailserver IP> -j DNAT --to 192.168.0.20

$IPTABLES -I FORWARD -i $INET -p tcp -s <your mailservers IP> -d 192.168.0.20 --dport 143 -j ACCEPT 

about 993: I don't use IMAP, so I am unsure if IMAP uses this port.

about squid, it handles mostly http and https, not everything. No mail.

http://www.linux-firewall-tools.com/ftp/firewall/rc.firewall.ipchains

> EDIT: no, I have tested different port scanners, the ports open when I start Azureus but nothing will come in or go out :/

I installed Azureus on my windows computer (Yes, I use it sometimes)

${IPTABLES} -A PREROUTING -i ${OUT_DEV} -t nat -p TCP --dport 6881:6999 -j DNAT --to ${SERVER_IP}

${IPTABLES} -A FORWARD -p TCP -d ${SERVER_IP} --dport 6881:6999 -i ${OUT_DEV} -o ${INT_DEV} -j ACCEPT

(I was wrong when I said I was wrong, it's 6881:6999 for Azureus)

Smiling faces for me :), check the config for Azureus so it uses the right IP address. That was a problem for me.

----------

## iGMAS

Thank you so very much  :Smile: 

But it looks like dc won't resolve the hostname of the server(s) I can only connect if I find out the ip first

and oh bt tracker connection not possible

----------

## megalomani

look at

http://www.dslreports.com/faq/6518

it's a problem with dynamic ip, which I guess you have because you have dial-up. I don't know how to fix it.

----------

## iGMAS

What I meant was:

Me = DCHub.hostname.something.com = Can't connect

Me = DCHub.xyz.zyx.yxz.zxy = Can connect

Btw, do you have any solution on the tracker issue? Is it the same as DC++ not resolving the hostname?

EDIT: It looks like it can't resolve the hostname, because when I changed the hostname to an IP it worked!!

----------

## megalomani

ME = DCHub.hostname.com

you need to buy a domain for that to work. (and host a DNS server)

Or use Dynip or DynDNS.

I don't use hostname, only IP

----------

## iGMAS

 *iGMAS wrote:*   

> What I meant was:
> 
> Me = DCHub.hostname.something.com = Can't connect
> 
> Me = DCHub.xyz.zyx.yxz.zxy = Can connect
> ...

 

EDIT:

Me: can't connect to a server with a hostname. I have to check whatsmip.org and do an address lookup on, say, this address: tracker.scarywater.net

and add the IP to the tracker list; only then does the bt client connect to the tracker. It's the same for mail, dc etc, anything that doesn't use the proxy.

I hope you did understand me this time, I tend to write differently from what I'm thinking :]

----------

## megalomani

That is a DNS resolve problem. That means that your firewall can use DNS, but your computer can't. The firewall's rules allow it.

Then check that /etc/resolv.conf is correct. Syntax is

nameserver xyz.xyz.xyz.xyz

the IP-number you get from your ISP

(if I understand you correctly you can ping 216.109.117.207 but not ping www.yahoo.com?)

----------

## iGMAS

Yes! So I need to forward the dns port to the workstation.

----------

## megalomani

ISP DNS <---   firewall <--- your computer

YES!

INTERNET ---> firewall ---> your computer

NO!

see the difference?

You should be able to send a UDP port 53 message to ISP DNS and get the answer to your computer. ($IPTABLES -A FORWARD -i $LAN -o $INET -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT)

everyone shouldn't be able to send a UDP port 53 message TO your computer, that is what ($IPTABLES -A INPUT -m state --state NEW -i ! $INET -j ACCEPT) is for.

You should be able to send DNS request with the rules you use. It's more probable that /etc/resolv.conf is wrong. Compare the firewalls /etc/resolv.conf with your computers /etc/resolv.conf

----------

## iGMAS

Done that, both have the same IPs. The workstation is a WinXP machine (if that helps)

----------

## megalomani

with XP: (answering a question on XP in a gentoo forum?)

setting --> network settings --> properties --> TCP/IP properties

make sure that DNS-server settings are correct.

You can't get a DNS address automatically. You need to set it manually.

----------

## iGMAS

 *megalomani wrote:*   

> with XP: (answering a question on XP in a gentoo forum?)
> 
> setting --> network settings --> properties --> TCP/IP properties
> 
> make sure that DNS-server settings are correct.
> ...

 

What I tried to say was that the IPs on both machines were the same.

----------

## megalomani

try on the XP machine

cmd and then

nslookup www.yahoo.com

this shouldn't give a correct answer

----------

## iGMAS

Well it can't find the servers but that's strange because the server can ping them :/

But it's only a minor problem, I can always resolve the IP somehow

----------

## megalomani

I think it's a big problem. Now, you can only browse without problem.

install nmap or hping on the windows machine and send a message to the ISP-DNS. 

nmap -sU -p 53 xyz.xyz.xyz.xyz

hping I haven't used, but it's the right tool for this problem

www.insecure.org

www.hping.org

if the port is open, then it's a windows problem. If timeout, it's a firewall problem. If closed, then it's the wrong IP address ;)

----------

## iGMAS

nmap -sU -p 53 xyz.xyz.xyz.xyz <--- Host Down

but when I tried what nmap suggested it found the host and the port was open :Sad:

nmap -sU -P0 -p 53 xyz.xyz.xyz.xyz <-- that worked

----------

## iGMAS

Damn Squid! made me double post :<

Last edited by iGMAS on Sun Aug 08, 2004 3:00 pm; edited 1 time in total

----------

## megalomani

nmap uses a ping before starting its search. If the ping fails, nmap doesn't start the scan. Sorry, I forgot to mention that.

This means that the firewall does its job, ISP-DNS is working. But windows is set to the wrong DNS-server. If the settings are correct in XP, this is very strange. Find a windows guru to help with this. (contradiction windows and guru ;)).

----------

## iGMAS

Well, it's strange, it works when I'm directly connected to the internet

Last edited by iGMAS on Sun Aug 08, 2004 3:24 pm; edited 1 time in total

----------

## megalomani

Stupid question: you know that when you use a modem under windows, the settings are different from when you use the network card? There are at least two interfaces listed under the network tab in XP. The modem can have one dns-server and the network card another.

----------

## iGMAS

They Both have the same dns.

----------

## megalomani

Next question:

nslookup www.yahoo.com doesn't work, correct?

but does

nslookup www.yahoo.com <ISP-DNS IP>

work?

just for fun try

ipconfig /flushdns

----------

## iGMAS

Didn't change anything :/

----------

## megalomani

I officially give up if

nslookup www.yahoo.com xyz.xyz.xyz.xyz

doesn't work.

Post if you ever get it to work.

----------

## iGMAS

Well, it's official. I can't see the difference between a 2 and a 4. :Laughing: I gave up a week ago and today I had a day off from work, so I decided to try one last time. I had typed a 4 instead of a 2 in the windows tcp/ip settings. I blame the isp manual because it says 64. and not 62.

----------

