Hi, I tried getting eMule working first by adding these rules to my iptables
script. I put these rules right above the FORWARD rules:

$iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
$iptables -A OUTPUT -p tcp --sport 4662 -j ACCEPT
$iptables -t nat -A PREROUTING -d $IP_INET -p tcp --dport 4662 -j DNAT --to 192.168.0.69:4662
$iptables -t nat -A POSTROUTING -s 192.168.0.69 -p tcp --sport 4662 -j SNAT --to $IP_INET:4662

My Windows machine has a PRIVATE address, 192.168.0.69, and even when I take
the test at

http://www.thedonkeynetwork.com/connection_test

with eMule running on my Windows machine, I get:

timeout : timeout on ip 199.99.99.99 (6 sec)
this means, that we even did not receive a RESET signal; maybe due to a 'stealth' firewall

I tried to TELNET to the Linux (FIREWALL/ROUTER) machine from a machine on a
different network but it WON'T let me connect either. Is there something else
I could try???

Thanks
Tasha!

--- richardo@xxxxxxxxxxxxxxxx wrote:
>
> Hi Girl ;-)
>
> I don't really know much about eMule, but reading from the link you gave,
> it appears that you will need to allow connections initiated from the
> outside world to connect to your Windows machine (which has a 192.168.x.x
> address, correct ?) .... the same would be true for an IIS server.
>
> There are two ways that you can achieve this, either by using port
> forwarding or by using a valid internet IP address (if you have a spare one
> available).
>
> Port Forwarding
> This involves setting up a couple of rules in the INPUT and OUTPUT chains
> of the firewall, to allow people to connect to that machine on ports 80
> (for IIS) and port 4662 ?? (for eDonkey/eMule). The firewall machine will
> then forward on the request to the Windows machine. This is ok, but there
> could be some problems, like if you want your IIS server to be reachable on
> port 80 (the normal port), but you are already running a webserver on the
> firewall that uses port 80 ... in this case you will need to use the 'valid
> IP address' option, or reconfigure one of the webservers to use a different
> port. The same would be true for the eMule thing .....
>
> So, to do this, set up some rules, as follows :
>
> WIN_IP=internal.ipaddress.of.windowsmachine
>
> # for the IIS server
> $iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> $iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
> $iptables -t nat -A PREROUTING -d $IP_INET -p tcp --dport 80 -j DNAT --to $WIN_IP:80
> $iptables -t nat -A POSTROUTING -s $WIN_IP -p tcp --sport 80 -j SNAT --to $IP_INET:80
>
> # for eMule
> $iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
> $iptables -A OUTPUT -p tcp --sport 4662 -j ACCEPT
> $iptables -t nat -A PREROUTING -d $IP_INET -p tcp --dport 4662 -j DNAT --to $WIN_IP:4662
> $iptables -t nat -A POSTROUTING -s $WIN_IP -p tcp --sport 4662 -j SNAT --to $IP_INET:4662
>
> ... I've not done any port forwarding myself before, so there could be a
> mistake in the rules above, but I think they should work ok .... if not
> mail me back and I'll confuse us both some more ;-) Once the rules have
> been set up, you would connect to the IIS server using the firewall's
> external IP address, as follows :
>
> http://external.ipaddress.of.firewall
>
>
> Valid IP Address
> This involves setting up a full NAT implementation for the Windows machine,
> and would be the preferred option, as port forwarding can be a little messy
> and also you could start other services on the Windows machine and then
> just add rules into the FORWARD chain on the f/w to allow people to connect
> to the service ... if you have a spare external IP address, I would
> recommend this way of doing it.
>
> So, to do this, set up some rules, as follows :
>
> WIN_IP_LAN=internal.ipaddress.of.windowsmachine
> WIN_IP_INET=external.ipaddress.of.windowsmachine (<- this is the spare IP
> address you have been assigned by your ISP)
>
> # for the IIS server
> $iptables -A FORWARD -d $WIN_IP_LAN -p tcp --dport 80 -j ACCEPT
> $iptables -A FORWARD -s $WIN_IP_LAN -p tcp --sport 80 -j ACCEPT
> $iptables -t nat -A PREROUTING -d $WIN_IP_INET -j DNAT --to $WIN_IP_LAN
> $iptables -t nat -A POSTROUTING -s $WIN_IP_LAN -j SNAT --to $WIN_IP_INET
>
> # for the eMule thing ....
> $iptables -A FORWARD -d $WIN_IP_LAN -p tcp --dport 4662 -j ACCEPT
> $iptables -A FORWARD -s $WIN_IP_LAN -p tcp --sport 4662 -j ACCEPT
> $iptables -t nat -A PREROUTING -d $WIN_IP_INET -j DNAT --to $WIN_IP_LAN
> $iptables -t nat -A POSTROUTING -s $WIN_IP_LAN -j SNAT --to $WIN_IP_INET
>
> ... you'll also need to set up an alias on the firewall's external network
> interface to listen for requests coming in for the WIN_IP_INET address, as
> follows :
>
> ifconfig eth0:0 external.ipaddress.of.windowsmachine netmask external.mask.of.windowsmachine
>
> ... if you then wanted to run another service on the Windows machine (say
> telnet on port 23), you would only need to add rules to the FORWARD chain,
> as follows :
>
> $iptables -A FORWARD -d $WIN_IP_INET -p tcp --dport 23 -j ACCEPT
> $iptables -A FORWARD -s $WIN_IP_LAN -p tcp --sport 23 -j ACCEPT
>
> ... and you could then telnet to the machine from the internet ... i.e. the
> NAT setup hasn't changed, you've just allowed people to connect through on
> 23. To do this using port forwarding you would need to change not only the
> filter rules in the OUTPUT and INPUT chains, but also the PREROUTING and
> POSTROUTING nat rules ....
>
> Once the rules have been set up, you would connect to the IIS server using
> the external IP address assigned to the Windows machine, as follows :
>
> http://external.ipaddress.of.windowsmachine
>
> Hope this helps,
> Richard.
>
> Richard Oatridge
> Head of IT, Start-global Ltd
> http://www.start-global.com
> tel : +44 1564 779297
> email : richardo@xxxxxxxxxxxxxxxx
>
>
> Tasha Smith <tashamaillist@xxxxxxxxx>
> Sent by: netfilter-admin@xxxxxxxxxfilter.org
> 18/06/2003 09:31
>
> To: netfilter@xxxxxxxxxxxxxxxxxxx
> cc:
> Subject: Trying to setup EMULE and IIS on LAN machine, behind firewall.
>
>
> Hi Boys
>
> Hi, I'm running RedHat 7.3 - 2.4.20, iptables 1.2.7a on my FIREWALL/ROUTER
> machine. I am having some problems creating some rules for 2 programs I'm
> running on my Windows 2000 machine which is behind the FIREWALL/ROUTER
> machine (LAN). First I'm trying to get eMule (P2P) working properly, for
> those of you who are familiar with it... I keep getting a LOWID error even
> though I created a FORWARD rule. I can connect to the network but with a
> LOWID; for those of you who do not know what that means, here is a link to
> what it is.
>
> http://www.edonkey2000.com/documentation/lowid.html
>
> I think I need a rule to FORWARD my connection straight to my Windows 2000
> machine. Secondly I want to run IIS on my Windows 2000 machine. What would
> be the rules so my Linux (FIREWALL/ROUTER) would FORWARD requests to my
> Windows machine on the LAN? Would these 2 rules for eMule and IIS be
> similar? Thanks for the help guys.
>
> Here are my rules:
>
> # Where my iptables are located
> iptables="/usr/local/sbin/iptables"
>
> # This will also update my ipaddress.
> IP_INET=`/sbin/ifconfig eth0 | grep inet | cut -d: -f2 | cut -d\ -f1`
>
> # Remove any existing rules from all chains.
> $iptables --flush
> $iptables -t nat --flush
> $iptables -t mangle --flush
>
> # Unlimited access on the loopback interface.
> $iptables -A INPUT -i lo -j ACCEPT
> $iptables -A OUTPUT -o lo -j ACCEPT
>
> # Set the default policy to drop.
> $iptables --policy INPUT DROP
> $iptables --policy FORWARD DROP
> $iptables --policy OUTPUT ACCEPT
>
> $iptables -t nat --policy PREROUTING ACCEPT
> $iptables -t nat --policy OUTPUT ACCEPT
> $iptables -t nat --policy POSTROUTING ACCEPT
>
> $iptables -t mangle --policy PREROUTING ACCEPT
> $iptables -t mangle --policy OUTPUT ACCEPT
>
> # All of the bits are cleared
> $iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
> $iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
> # SYN and FIN are both set
> $iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
> $iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
>
=== message truncated ===
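Editor's note on the rules quoted in this thread, with an added example that is not code from either poster. The ACCEPT rules above go into the INPUT and OUTPUT chains, but a packet that nat/PREROUTING has DNAT'd to 192.168.0.69 is not delivered to the router itself: after the rewrite it is routed to the LAN host and therefore traverses filter/FORWARD only. Tasha's script sets the FORWARD policy to DROP, so the forwarded SYN is dropped silently, which matches both symptoms she reports (the "stealth" timeout from the connection test and the failed telnet from outside). The POSTROUTING SNAT rule for the reply direction is also unnecessary: connection tracking undoes the DNAT on the replies by itself, and a separate SNAT of the source port only adds a second mapping to reason about. The script below is my own rewrite of the same port forward with the filter rule where the packets actually go. Names that are assumptions and not from the thread: eth0 as the external interface, eth1 as the LAN interface, and the documentation addresses used in the test. `-m state` is the conntrack state match that iptables 1.2.x on a 2.4 kernel provides; it is still accepted by current iptables.

```shell
#!/bin/sh
# Added example, not from the thread: DNAT port forwarding with the ACCEPT in
# filter/FORWARD, where DNAT'd packets are filtered, instead of INPUT/OUTPUT.
# Assumptions (not from the page): external interface eth0, LAN interface eth1.
# With DRY_RUN=1 the iptables commands are printed instead of executed, so the
# rule set can be reviewed before it is loaded on the router.

IPT="${IPT:-/sbin/iptables}"
EXT_IF="${EXT_IF:-eth0}"   # assumed external interface
LAN_IF="${LAN_IF:-eth1}"   # assumed LAN interface

# Run one iptables command, or print it when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# forward_port PROTO EXT_IP EXT_PORT LAN_IP [LAN_PORT]
# The DNAT happens in nat/PREROUTING; the rewritten packet is then routed to
# the LAN host and passes through filter/FORWARD, which is where the ACCEPT
# must live. Restricting the match to the external interface and the LAN
# host's address keeps a DROP policy on FORWARD meaningful: only this one
# port on this one host is reachable. No SNAT is needed for the replies,
# conntrack reverses the DNAT mapping on its own.
forward_port() {
    proto=$1; ext_ip=$2; ext_port=$3; lan_ip=$4; lan_port=${5:-$3}
    case "$proto" in
        tcp|udp) ;;
        *) echo "forward_port: protocol must be tcp or udp, got '$proto'" >&2; return 1 ;;
    esac
    case "$ext_port" in
        ''|*[!0-9]*) echo "forward_port: bad port '$ext_port'" >&2; return 1 ;;
    esac
    ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$ext_ip" -p "$proto" --dport "$ext_port" \
        -j DNAT --to-destination "$lan_ip:$lan_port"
    ipt -A FORWARD -i "$EXT_IF" -o "$LAN_IF" -d "$lan_ip" -p "$proto" --dport "$lan_port" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
}

# Replies from the LAN host back to the peer: one rule covers every forwarded
# port, because it only matches packets that belong to an accepted connection.
allow_established_replies() {
    ipt -A FORWARD -i "$LAN_IF" -o "$EXT_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Pre-flight check: with forwarding disabled the kernel never routes the
# DNAT'd packet to the LAN host, whatever the rules say.
check_ip_forward() {
    [ "$(cat /proc/sys/net/ipv4/ip_forward 2>/dev/null)" = "1" ]
}

# The two services from the thread: eMule on TCP 4662 and IIS on TCP 80,
# both on 192.168.0.69. IP_INET is the router's external address, as in
# Tasha's script.
apply_thread_rules() {
    check_ip_forward || echo "warning: net.ipv4.ip_forward is 0; forwarded packets will be dropped" >&2
    forward_port tcp "$IP_INET" 4662 192.168.0.69
    forward_port tcp "$IP_INET" 80 192.168.0.69
    allow_established_replies
}

# Review first:   IP_INET=203.0.113.5 DRY_RUN=1 sh forward.sh
# Then apply:     IP_INET=203.0.113.5 sh forward.sh   (as root, after the policy/flush lines)
if [ -n "${IP_INET:-}" ]; then
    apply_thread_rules
fi
```

Two things to keep in mind when testing this. The rules above only match packets arriving on the external interface, so a connection from inside the LAN to the router's public address will not be forwarded; the only meaningful check is the one Tasha already did, a connection attempt from a host on a different network. And because the FORWARD policy stays DROP, every additional service on the Windows host needs its own forward_port line; that is the least-privilege trade-off that Richard's "valid IP address" variant relaxes.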