Trying to set up EMULE and IIS on LAN machine, behind firewall.

Hi Boys

Hi, I'm running RedHat 7.3 - 2.4.20, iptables 1.2.7a on my FIREWALL/ROUTER machine. I am
having some problems creating some rules for 2 programs I'm running on my Windows 2000
machine which is behind the FIREWALL/ROUTER machine (LAN). First I'm trying to get
EMULE (P2P) working properly; those of you who are familiar with it... I keep getting
a LOWID error even though I created a FORWARD rule. I can connect to the network but
with a LOWID. For those of you who do not know what that means, here is a link to what
it is:
http://www.edonkey2000.com/documentation/lowid.html

I think I need a rule to FORWARD my connection straight to my Windows 2000 machine.
Secondly, I want to run IIS on my Windows 2000 machine. What would be the rules so
my LINUX (FIREWALL/ROUTER) would FORWARD requests to my WINDOWS machine on the LAN?
Would these 2 rules for EMULE and IIS be similar? Thanks for the help guys.

Here are my rules:

# Where my iptables binary is located
iptables="/usr/local/sbin/iptables"

# The script tests this variable below but never set it; 1 enables the
# state-matched (-m state --state NEW) variants of the rules.
CONNECTION_TRACKING="1"
 
# This will also update my ipaddress.
IP_INET=`/sbin/ifconfig eth0 | grep inet | cut -d: -f2 | cut -d\  -f1`

# Remove any existing rules from all chains.
$iptables --flush
$iptables -t nat --flush
$iptables -t mangle --flush

# Unlimited access on the loopback interface.
$iptables -A INPUT  -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
	
# Set the default policy to drop.
$iptables --policy INPUT DROP
$iptables --policy FORWARD DROP
$iptables --policy OUTPUT ACCEPT

$iptables -t nat --policy PREROUTING ACCEPT
$iptables -t nat --policy OUTPUT ACCEPT
$iptables -t nat --policy POSTROUTING ACCEPT

$iptables -t mangle --policy PREROUTING ACCEPT
$iptables -t mangle --policy OUTPUT ACCEPT

# All of the bits are cleared
$iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
$iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set.
$iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
$iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j REJECT
$iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
$iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
$iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j REJECT
# PSH is the only bit set, without the expected accompanying ACK
$iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j REJECT
# URG is the only bit set, without the expected accompanying ACK
$iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
$iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP

# Allow stateful connections 
$iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop Invalid connection
$iptables -A INPUT -m state --state INVALID -j LOG \
          --log-prefix "Invalid input: "
$iptables -A INPUT -m state --state INVALID -j DROP
         
$iptables -A OUTPUT -m state --state INVALID -j LOG \
          --log-prefix "Invalid output: " 
$iptables -A OUTPUT -m state --state INVALID -j DROP

$iptables -A FORWARD -m state --state INVALID -j LOG \
          --log-prefix "Invalid forward: "
$iptables -A FORWARD -m state --state INVALID -j DROP
 
# Allow Access for DNS UDP for my ISP DNS server.
if [ "$CONNECTION_TRACKING" = "1" ]; then
   $iptables -A OUTPUT -o eth0 -p udp \
            -s $IP_INET --sport 1024:65535 \
            -d 111.xx.4.130 --dport 53 \
            -m state --state NEW -j ACCEPT
fi

$iptables -A OUTPUT -o eth0 -p udp \
         -s $IP_INET     --sport 1024:65535 \
         -d 111.xx.4.130 --dport 53 -j ACCEPT


if [ "$CONNECTION_TRACKING" = "1" ]; then
    $iptables -A OUTPUT -o eth0 -p udp \
             -s $IP_INET --sport 1024:65535 \
             -d 111.xx.4.150 --dport 53 \
             -m state --state NEW -j ACCEPT
fi

$iptables -A OUTPUT -o eth0 -p udp \
         -s $IP_INET --sport 1024:65535 \
         -d 111.xx.4.150 --dport 53 -j ACCEPT
       
$iptables -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT

# Allow access for my ISP DHCP server.
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $iptables -A OUTPUT -o eth0 -p udp \
             -s $IP_INET --sport 1024:65535 \
             -d 111.xx.4.129 --dport 67 \
             -m state --state NEW -j ACCEPT
fi

$iptables -A OUTPUT -o eth0 -p udp \
         -s $IP_INET      --sport 1024:65535 \
         -d 111.xx.4.129  --dport 67 -j ACCEPT

$iptables -A INPUT -i eth0 -p udp \
         -s 111.xx.4.129 --sport 67 \
         -d $IP_INET     --dport 1024:65535 -j ACCEPT

# Allow outgoing access for ftp sites
# (the unconditional rule was previously inside the if block, so the
# stateless fallback never ran when CONNECTION_TRACKING was off)
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $iptables -A OUTPUT -o eth0 -p tcp \
              -s $IP_INET --sport 1024:65535 \
              --dport 21 -m state --state NEW -j ACCEPT
fi

$iptables -A OUTPUT -o eth0 -p tcp \
          -s $IP_INET --sport 1024:65535 \
          --dport 21 -j ACCEPT

# Allow my Windows machine to SSH here on Port 22
$iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT

# Allow access to remote webservers PORT 80.
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $iptables -A OUTPUT -o eth0 -p tcp \
             -s $IP_INET --sport 1024:65535 \
             --dport 80 -m state --state NEW -j ACCEPT
fi

$iptables -A OUTPUT -o eth0 -p tcp \
         -s $IP_INET --sport 1024:65535 \
         --dport 80 -j ACCEPT

$iptables -A INPUT -i eth0 -p tcp ! --syn \
          --sport 80 \
          -d $IP_INET --dport 1024:65535 -j ACCEPT

#Allow access from LAN to this Webserver for ACID+WebMin
$iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT 
$iptables -A INPUT -i eth1 -p tcp --dport 10000 -j ACCEPT

# Allow outgoing HTTPS (port 443) connections.
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $iptables -A OUTPUT -o eth0 -p tcp \
              -m state --state NEW --dport 443 \
              --sport 1024:65535 \
              -j ACCEPT
fi

$iptables -A OUTPUT -o eth0 -p tcp \
         -s $IP_INET --sport 1024:65535 \
         --dport 443 -j ACCEPT
 
$iptables -A INPUT -i eth0 -p tcp \
          --sport 443 \
         -d $IP_INET --dport 1024:65535 -j ACCEPT

$iptables -A INPUT -i eth1 -p tcp --dport 1241 -j ACCEPT


# Allow ping ICMP coming from LAN interface.
$iptables -A INPUT -i eth1 -p icmp \
          -s 192.168.0.0/24 -j ACCEPT

#These are my Forwarding rules.
$iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
$iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 25,80,110,443 -j ACCEPT
$iptables -A FORWARD -i eth1 -p tcp --dport 21 -j ACCEPT
$iptables -A FORWARD -i eth1 -p tcp --dport 22 -j ACCEPT
$iptables -A FORWARD -i eth1 -p udp --dport 1863 -j ACCEPT
$iptables -A FORWARD -i eth1 -p tcp --dport 1863 -j ACCEPT
$iptables -A FORWARD -i eth1 -p tcp --dport 1214 -j ACCEPT
$iptables -A FORWARD -i eth1 -p udp --dport 1214 -j ACCEPT
$iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 4242,4224,4661,6667 -j ACCEPT
$iptables -A FORWARD -i eth1 -p udp -m multiport --dport 4662,4672 -j ACCEPT

#Enables Packet Forwarding
$iptables -t nat -A POSTROUTING -o eth0  -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward 

Tasha@xxx<-----
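The DNAT-plus-FORWARD pair that both requests (eMule's incoming connections and IIS on port 80) need, as an added example that is not part of the original post or its script: because the script's FORWARD policy is DROP and its FORWARD rules only match -i eth1, a PREROUTING DNAT on its own is not enough, since the rewritten packet is then dropped in FORWARD, so each forwarded port gets a FORWARD ACCEPT scoped to that host, protocol and port. Assumed, not from the post: the LAN host address 192.168.0.10, eth0 as the WAN side and eth1 as the LAN side, and eMule's default ports TCP 4662 / UDP 4672 (verify against the client's settings).

```shell
#!/bin/sh
# Added example (not the original script): forward one inbound service
# from the WAN interface to a single LAN host with a DNAT + FORWARD pair.
# Assumed values, not taken from the post: LAN_HOST, the interface roles,
# and eMule's default ports TCP 4662 / UDP 4672.
IPTABLES=${IPTABLES:-/usr/local/sbin/iptables}
WAN_IF=eth0
LAN_IF=eth1
LAN_HOST=192.168.0.10   # assumed address of the Windows 2000 machine

# DRY_RUN=1 (default) prints each rule instead of applying it, so the
# generated rules can be reviewed before the script touches the kernel.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "$1"
    else
        $1
    fi
}

# forward_to_lan PROTO PORT
# 1. PREROUTING DNAT rewrites the destination to LAN_HOST:PORT.
# 2. FORWARD then sees the rewritten destination, so the ACCEPT is tied
#    to exactly that host, protocol and port and only to NEW connections
#    arriving on the WAN interface; the replies are covered by the
#    ESTABLISHED,RELATED FORWARD rule already in the main script.
forward_to_lan() {
    proto=$1
    port=$2
    run "$IPTABLES -t nat -A PREROUTING -i $WAN_IF -p $proto --dport $port -j DNAT --to-destination $LAN_HOST:$port"
    run "$IPTABLES -A FORWARD -i $WAN_IF -o $LAN_IF -p $proto -d $LAN_HOST --dport $port -m state --state NEW -j ACCEPT"
}

# eMule: inbound TCP 4662 and UDP 4672 are what a HighID requires.
forward_to_lan tcp 4662
forward_to_lan udp 4672
# IIS on the same LAN host.
forward_to_lan tcp 80
```

Because the DNAT matches only -i eth0, LAN-side access to ACID/Webmin on the firewall itself (the INPUT rules on eth1) is unaffected; forwarding port 80 this way does make IIS on the LAN host reachable from the whole internet, so that host then needs to be patched and hardened on its own.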
