Strange iptables behavior

From: "Stiven Andre" <stiven_a@hotmail.com>
To: linux-il@linux.org.il
Subject: Strange iptables behavior
Date: Wed, 27 Nov 2002 17:28:05 +0200

Hi List.

I have my home network being masqueraded by a Linux router (RH8.0).
Network topology:
Linux router (192.168.1.1): eth0 to LAN, eth1 to ADSL modem.
LAN = 192.168.1.*

I wrote an iptables script that masquerades my network, but the problem is that when I run the script for the first time from /etc/rc.d/rc.local it works. But if I then rerun it manually (as root, of course) it stops working. Inside hosts don't have access to the internet. My script does clear all old rules at the start of it, but it doesn't help or else...
I tried to clear all old rules manually and then run the script; no luck, still not working. I tried to unload all iptables modules, then "insmod ip_tables" and after that to run the script again; nothing, it doesn't help either... Can someone understand what is going on? Why does it work only the first time? After the second execution the rules seem to be the same, but inside hosts can't ping the internet.
There are 2 LOG targets in the script, the first with prefix "FORWARD PACKET" and the second with prefix "MASQ RULE MATCHED". After the first execution of the script I see 2 logs for each packet, first "FORWARD PACKET" and then "MASQ RULE MATCHED", but after the second execution, when the NAT doesn't work, the logs don't show "MASQ RULE MATCHED"...

Best Regards.
S.A.

The script:


#!/bin/sh
IPTABLES="/sbin/iptables"

# Reset all.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F

# Modules and targets:
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

# IP Forwarding And Dynamic IP support:
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Create chains for packet types:
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

# INPUT TABLE:
# Permit ADSL, gre Tunnel (Protocol 47), loopback and a broadcast.
$IPTABLES -A INPUT -p 47 -s 10.0.0.138 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 10.0.0.138 --sport 1723 -j ACCEPT
$IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
$IPTABLES -A INPUT -p ALL -d 192.168.1.255 -j ACCEPT
# Ensure that established sessions will not die
$IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow FTP active and passive port commands:
#$IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
#$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Send all other traffic to its chain:
$IPTABLES -A INPUT -p tcp -j tcp_packets
$IPTABLES -A INPUT -p udp -j udp_packets
$IPTABLES -A INPUT -p icmp -j icmp_packets

# OUTPUT TABLE:
# Permit all.
$IPTABLES -A OUTPUT -j ACCEPT

# FORWARD TABLE:
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# tcp_packets TABLE:
# World accessible services:
#$IPTABLES -A tcp_packets -p tcp --dport 21 --syn -j ACCEPT # FTP
#$IPTABLES -A tcp_packets -p tcp --dport 80 --syn -j ACCEPT # HTTP
# Private services:
$IPTABLES -A tcp_packets -s 192.168.1.10/32 -p tcp --dport 23 --syn -j ACCEPT # Telnet
$IPTABLES -A tcp_packets -s 192.168.1.10/24 -p tcp --dport 139 --syn -j ACCEPT # NetBIOS-ssn

# udp_packets TABLE:
# Private services:
$IPTABLES -A udp_packets -s 192.168.1.10/24 -p udp --dport 137 -j ACCEPT # NetBIOS-ns
$IPTABLES -A udp_packets -s 192.168.1.10/24 -p udp --dport 138 -j ACCEPT # NetBIOS-dgm

# MASQUERADING:
$IPTABLES -t nat -A POSTROUTING -o ppp0 -j LOG --log-level DEBUG --log-prefix "matched MASQ RULE: "
$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# Default policies (currently ACCEPT, not DROP):
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

# Debug
$IPTABLES -A FORWARD -j LOG --log-level DEBUG --log-prefix "FORWARD PACKET: "
$IPTABLES -A INPUT -j LOG --log-level DEBUG --log-prefix "INPUT PACKET: "
$IPTABLES -A OUTPUT -j LOG --log-level DEBUG --log-prefix "OUTPUT PACKET: "
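
Added example (not from the original post or the list): a small Python correlator for the two LOG prefixes used in the script above, which turns the by-eye check described in the post into a per-packet report of forwarded packets that never reached the POSTROUTING rule. It assumes the 2.4-era ipt_LOG field layout (IN= OUT= SRC= DST= ... ID= PROTO=) and the exact prefixes from the script; the syslog lines are constructed, not taken from the post.

```python
import re

FORWARD_PREFIX = "FORWARD PACKET: "
MASQ_PREFIX = "matched MASQ RULE: "

# Constructed sample syslog lines (not from the original post). The field
# order follows the ipt_LOG format; fields we do not key on are trimmed.
SAMPLE_LOG = """\
Nov 27 17:20:01 router kernel: FORWARD PACKET: IN=eth0 OUT=ppp0 SRC=192.168.1.10 DST=198.51.100.7 LEN=84 TTL=63 ID=1001 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=1
Nov 27 17:20:01 router kernel: matched MASQ RULE: IN= OUT=ppp0 SRC=192.168.1.10 DST=198.51.100.7 LEN=84 TTL=63 ID=1001 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=1
Nov 27 17:20:02 router kernel: FORWARD PACKET: IN=eth0 OUT=ppp0 SRC=192.168.1.10 DST=198.51.100.7 LEN=84 TTL=63 ID=1002 PROTO=ICMP TYPE=8 CODE=0 ID=5 SEQ=2
Nov 27 17:20:03 router kernel: FORWARD PACKET: IN=eth0 OUT=ppp0 SRC=192.168.1.12 DST=203.0.113.5 LEN=60 TTL=127 ID=2001 PROTO=TCP SPT=1035 DPT=80 SYN
Nov 27 17:20:03 router kernel: FORWARD PACKET: IN=ppp0 OUT=eth0 SRC=198.51.100.7 DST=192.168.1.10 LEN=84 TTL=50 ID=7 PROTO=ICMP TYPE=0 CODE=0 ID=5 SEQ=1
"""

FIELD = {n: re.compile(r"\b%s=(\S+)" % n) for n in ("SRC", "DST", "PROTO", "ID", "OUT")}

def packet_key(line):
    """Identify one logged packet by (SRC, DST, PROTO, IP header ID).
    The first ID= on the line is the IP header ID; for ICMP a second ID=
    (the echo identifier) follows PROTO=, and re.search never reaches it."""
    vals = []
    for name in ("SRC", "DST", "PROTO", "ID"):
        m = FIELD[name].search(line)
        if not m:
            return None
        vals.append(m.group(1))
    return tuple(vals)

def unmasqueraded(log_text, egress="ppp0"):
    """Return keys of packets forwarded out `egress` that never produced the
    POSTROUTING log entry, i.e. packets the MASQUERADE rule did not see."""
    forwarded, natted = [], set()
    for line in log_text.splitlines():
        if FORWARD_PREFIX in line:
            m = FIELD["OUT"].search(line)
            if m and m.group(1) == egress:
                key = packet_key(line)
                if key:
                    forwarded.append(key)
        elif MASQ_PREFIX in line:
            key = packet_key(line)
            if key:
                natted.add(key)
    return [k for k in forwarded if k not in natted]

if __name__ == "__main__":
    print(unmasqueraded(SAMPLE_LOG))
```

Feed it the real log with `unmasqueraded(open("/var/log/messages").read())`; an empty list after the first run and a growing one after the second reproduces the symptom from the post as data rather than by eye.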
