Why doesn't portforwarding work?


Post by ]Trix[ » Thu Jan 06, 2005 1:03 pm

I have put together this firewalling script using various scripts as examples. It is intended for two boxes, one being the gateway machine and the other a workstation. But I don't know why portforwarding doesn't work for my active mode valknut. I can upload but cannot search and download files in active mode.
#!/sbin/runscript

opts="${opts} showoptions showstatus panic rules restore save flush"

depend() {
need net procparm
use logger
}

rules() {
ebegin "Starting FIREWALL:"

$IPTABLES -N invalid
$IPTABLES -F invalid
$IPTABLES -A invalid -m state --state INVALID -m limit --limit 3/minute --limit-burst 2 -j LOG --log-level $LOGLEVEL --log-prefix "Firewall: INVALID packet: "
$IPTABLES -A invalid -m state --state INVALID -j DROP

$IPTABLES -N bad_tcp
$IPTABLES -F bad_tcp
$IPTABLES -A bad_tcp -p tcp ! --syn -m state --state NEW -m limit --limit 3/minute --limit-burst 1 -j LOG --log-prefix "Firewall: BAD TCP packet:"
$IPTABLES -A bad_tcp -p tcp ! --syn -m state --state NEW -j DROP

$IPTABLES -N fragmented
$IPTABLES -F fragmented
$IPTABLES -A fragmented -f -m limit --limit 3/minute -j LOG --log-level $LOGLEVEL --log-prefix "Firewall: Fragmented packet: "
$IPTABLES -A fragmented -f -j DROP

$IPTABLES -N flagscan
$IPTABLES -F flagscan
$IPTABLES -A flagscan -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level alert --log-prefix "FIREWALL: NMAP-XMAS:"
$IPTABLES -A flagscan -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A flagscan -p tcp --tcp-flags ALL ALL -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level 1 --log-prefix "FIREWALL: XMAS:"
$IPTABLES -A flagscan -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A flagscan -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level 1 --log-prefix "FIREWALL: XMAS-PSH:"
$IPTABLES -A flagscan -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A flagscan -p tcp --tcp-flags ALL NONE -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level 1 --log-prefix "FIREWALL: NULL-SCAN:"
$IPTABLES -A flagscan -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A flagscan -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level 5 --log-prefix "FIREWALL: SYN/RST:"
$IPTABLES -A flagscan -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A flagscan -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 3/minute --limit-burst 5 -j LOG --log-level 5 --log-prefix "FIREWALL: SYN/FIN:"
$IPTABLES -A flagscan -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

$IPTABLES -N fingerprint
$IPTABLES -F fingerprint
$IPTABLES -A fingerprint
$IPTABLES -A fingerprint -p tcp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "Firewall: TCP fingerprint: "
$IPTABLES -A fingerprint -p udp --dport 0 -m limit --limit 6/hour --limit-burst 1 -j LOG --log-level $LOGLEVEL --log-prefix "Firewall: UDP fingerprint: "
$IPTABLES -A fingerprint -j DROP

$IPTABLES -N portscan
$IPTABLES -F portscan
$IPTABLES -A portscan -p tcp --dport 7 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: echo test: "
$IPTABLES -A portscan -p tcp --dport 7 -j DROP
$IPTABLES -A portscan -p udp --dport 7 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: echo test: "
$IPTABLES -A portscan -p udp --dport 7 -j DROP
$IPTABLES -A portscan -p tcp --dport 11 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: sysstat test: "
$IPTABLES -A portscan -p tcp --dport 11 -j DROP
$IPTABLES -A portscan -p tcp --dport 15 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: netstat test: "
$IPTABLES -A portscan -p tcp --dport 15 -j DROP
$IPTABLES -A portscan -p tcp --dport 19 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: chargen test: "
$IPTABLES -A portscan -p tcp --dport 19 -j DROP
$IPTABLES -A portscan -p udp --dport 19 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: chargen test: "
$IPTABLES -A portscan -p udp --dport 19 -j DROP
$IPTABLES -A portscan -p tcp --dport 23 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: telnet test: "
$IPTABLES -A portscan -p tcp --dport 23 -j DROP
$IPTABLES -A portscan -p tcp --dport 69 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: tftpd test: "
$IPTABLES -A portscan -p tcp --dport 69 -j DROP
$IPTABLES -A portscan -p tcp --dport 79 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: finger test: "
$IPTABLES -A portscan -p tcp --dport 79 -j DROP
$IPTABLES -A portscan -p tcp --dport 87 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: link test: "
$IPTABLES -A portscan -p tcp --dport 87 -j DROP
$IPTABLES -A portscan -p tcp --dport 98 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: linuxconf test: "
$IPTABLES -A portscan -p tcp --dport 98 -j DROP
$IPTABLES -A portscan -p tcp --dport 111 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: sun-rpc test: "
$IPTABLES -A portscan -p tcp --dport 111 -j DROP
$IPTABLES -A portscan -p tcp --dport 520 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: route test: "
$IPTABLES -A portscan -p tcp --dport 520 -j DROP
$IPTABLES -A portscan -p tcp --dport 540 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: uucp test: "
$IPTABLES -A portscan -p tcp --dport 540 -j DROP
$IPTABLES -A portscan -p tcp --dport 1080 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: socks test: "
$IPTABLES -A portscan -p tcp --dport 1080 -j DROP
$IPTABLES -A portscan -p tcp --dport 1114 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: sql test: "
$IPTABLES -A portscan -p tcp --dport 1114 -j DROP
$IPTABLES -A portscan -p tcp --dport 2000 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: openwin test: "
$IPTABLES -A portscan -p tcp --dport 2000 -j DROP
$IPTABLES -A portscan -p tcp --dport 10000 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: webmin test: "
$IPTABLES -A portscan -p tcp --dport 10000 -j DROP
$IPTABLES -A portscan -p tcp --dport 6000:6063 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: X-Windows test: "
$IPTABLES -A portscan -p tcp --dport 6000:6063 -j DROP
$IPTABLES -A portscan -p udp --dport 33434:33523 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: Traceroute: "
$IPTABLES -A portscan -p udp --dport 33434:33523 -j DROP

$IPTABLES -N trojanscan
$IPTABLES -F trojanscan
$IPTABLES -A trojanscan -p tcp --dport 6670 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: Deepthroat scan: "
$IPTABLES -A trojanscan -p tcp --dport 6670 -j DROP
$IPTABLES -A trojanscan -p tcp --dport 1243 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
$IPTABLES -A trojanscan -p tcp --dport 1243 -j DROP
$IPTABLES -A trojanscan -p udp --dport 1243 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
$IPTABLES -A trojanscan -p udp --dport 1243 -j DROP
$IPTABLES -A trojanscan -p tcp --dport 6711:6713 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
$IPTABLES -A trojanscan -p tcp --dport 6711:6713 -j DROP
$IPTABLES -A trojanscan -p udp --dport 6711:6713 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
$IPTABLES -A trojanscan -p udp --dport 6711:6713 -j DROP
$IPTABLES -A trojanscan -p tcp --dport 27374 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
$IPTABLES -A trojanscan -p tcp --dport 27374 -j DROP
$IPTABLES -A trojanscan -p udp --dport 27374 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
$IPTABLES -A trojanscan -p udp --dport 27374 -j DROP
$IPTABLES -A trojanscan -p tcp --dport 12345:12346 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: Netbus scan: "
$IPTABLES -A trojanscan -p tcp --dport 12345:12346 -j DROP
$IPTABLES -A trojanscan -p tcp --dport 20034 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: Netbus scan: "
$IPTABLES -A trojanscan -p tcp --dport 20034 -j DROP
$IPTABLES -A trojanscan -p tcp --dport 31337:31338 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: BackOrifice scan: "
$IPTABLES -A trojanscan -p tcp --dport 31337:31338 -j DROP
$IPTABLES -A trojanscan -p udp --dport 28431 -m limit --limit 3/minute -j LOG --log-level info --log-prefix "FIREWALL: HackAtak2000 scan: "
$IPTABLES -A trojanscan -p udp --dport 28431 -j DROP

$IPTABLES -N drop-icmp
$IPTABLES -F drop-icmp
$IPTABLES -A drop-icmp -p icmp -j LOG --log-prefix "FIREWALL: Bad ICMP traffic:"
$IPTABLES -A drop-icmp -p icmp -j DROP

$IPTABLES -N accept-icmp
$IPTABLES -F accept-icmp
$IPTABLES -A accept-icmp -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A accept-icmp -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A accept-icmp -m state --state NEW -p icmp --icmp-type source-quench -j drop-icmp
$IPTABLES -A accept-icmp -m state --state NEW -p icmp --icmp-type redirect -j drop-icmp
$IPTABLES -A accept-icmp -m state --state NEW -p icmp --icmp-type router-advertisement -j drop-icmp
$IPTABLES -A accept-icmp -m state --state NEW -p icmp --icmp-type router-solicitation -j drop-icmp
$IPTABLES -A accept-icmp -m state --state NEW -p icmp --icmp-type parameter-problem -j drop-icmp
$IPTABLES -A accept-icmp -m state --state NEW -p icmp --icmp-type timestamp-request -j drop-icmp
$IPTABLES -A accept-icmp -m state --state NEW -p icmp --icmp-type timestamp-reply -j drop-icmp
$IPTABLES -A accept-icmp -m state --state NEW -p icmp --icmp-type address-mask-request -j drop-icmp
$IPTABLES -A accept-icmp -m state --state NEW -p icmp --icmp-type address-mask-reply -j drop-icmp

$IPTABLES -N allow-ping
$IPTABLES -F allow-ping
$IPTABLES -A allow-ping -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT

$IPTABLES -N allow-ftp
$IPTABLES -F allow-ftp
$IPTABLES -A allow-ftp -p tcp --dport 20 -j ACCEPT
$IPTABLES -A allow-ftp -p tcp --dport 21 -j ACCEPT

$IPTABLES -N allow-ssh
$IPTABLES -F allow-ssh
$IPTABLES -A allow-ssh -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport 22 -j ACCEPT
$IPTABLES -A allow-ssh -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport 22 -j ACCEPT
$IPTABLES -A allow-ssh -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport 22 -j ACCEPT
$IPTABLES -A allow-ssh -p tcp --dport 22 -j ACCEPT

$IPTABLES -N allow-www
$IPTABLES -F allow-www
$IPTABLES -A allow-www -p tcp --dport 80 -j ACCEPT
$IPTABLES -A allow-www -p tcp --dport 443 -j ACCEPT
$IPTABLES -A allow-www -p tcp --dport 8080 -j ACCEPT

einfo "Setting secure policies"
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

if [ "$ENABLE_MSS" == "1" ]; then
$IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
$IPTABLES -A OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
fi

einfo "Accept all packets from loopback device"
$IPTABLES -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT

einfo "Enable traffic for internal interface"
$IPTABLES -A INPUT -i $LAN_INTERFACE -j ACCEPT

if [ "$NAT" == "1" ]; then
$IPTABLES -A FORWARD -i $LAN_INTERFACE -j ACCEPT
fi

einfo "Blocking hosts that should never be able to connect to machine"
for host in $BLOCK_HOST; do
$IPTABLES -A INPUT -s $host -j DROP
$IPTABLES -A FORWARD -s $host -j DROP
done

einfo "Obvious spoofing protection"
for ip in $SPOOFED; do
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s ${ip} -j DROP
$IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -s ${ip} -j DROP
done

einfo "Block IANA reserved address"
for ip in $RESERVED_NET; do
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -s ${ip} -j DROP
$IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -s ${ip} -j DROP
done

einfo "Allow established and related traffic"
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

einfo "Drop bad packets"
if [ "$INVALID_PACKETS_PROTECTION" == "1" ]; then
$IPTABLES -A INPUT -j invalid
$IPTABLES -A FORWARD -j invalid
fi

if [ "$BAD_TCP_PACKETS_PROTECTION" == "1" ]; then
$IPTABLES -A INPUT -j bad_tcp
$IPTABLES -A FORWARD -j bad_tcp
fi

if [ "$FRAGMENTED_PACKETS_PROTECTION" == "1" ]; then
$IPTABLES -A INPUT -j fragmented
$IPTABLES -A FORWARD -j fragmented
fi

einfo "Enable portscan detection"

if [ "$FLAGSCAN_PROTECTION" == "1" ]; then
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -j flagscan
$IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -j flagscan
fi

if [ "$PORTSCAN_PROTECTION" == "1" ]; then
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -j portscan
$IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -j portscan
fi

if [ "$TROJANSCAN_PROTECTION" == "1" ]; then
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -j trojanscan
$IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -j trojanscan
fi

if [ "$FINGERPRINT_PROTECTION" == "1" ]; then
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -j fingerprint
$IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -j fingerprint
fi

einfo "Enable some ICMP"
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -j accept-icmp
$IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -j accept-icmp

if [ "$ALLOW_SSH" == "1" ]; then
einfo "Allow SSH incoming traffic"
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -j allow-ssh
fi

if [ "$ALLOW_WWW" == "1" ]; then
einfo "Accept WWW connections"
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -j allow-www
fi

if [ "$ALLOW_FTP" == "1" ]; then
einfo "Allow FTP"
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -j allow-ftp
fi

if [ "$NAT" == "1" ]; then
$IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -o $LAN_INTERFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_INTERFACE -o $EXTERNAL_INTERFACE -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -s $LAN_SPACE -j SNAT --to-source $EXTERNAL_INTERFACE_IP
fi

if [ "$ENABLE_PORTFORWARD" == "1" ]; then
einfo "Portforwarding enabled"
for port in $TCP_PORT_FORWARD; do
$IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNAL_INTERFACE_IP --dport $port -j DNAT --to-destination $WORKSTATION_IP:$port
$IPTABLES -A FORWARD -p tcp -o $LAN_INTERFACE -d $WORKSTATION_IP --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done
for port in $UDP_PORT_FORWARD; do
$IPTABLES -t nat -A PREROUTING -p udp -d $EXTERNAL_INTERFACE_IP --dport $port -j DNAT --to-destination $WORKSTATION_IP:$port
$IPTABLES -A FORWARD -p udp -o $LAN_INTERFACE -d $WORKSTATION_IP --dport $port -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
done
else
einfo "Portforwarding disabled"
fi

if [ "$MANGLE_TOS" == "1" ]; then
einfo "Enabling TOS mangle"
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 25 -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -p udp --dport 53 -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 67 -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 110 -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 113 -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 123 -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 143 -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 443 -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 993 -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 995 -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 1080 -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A OUTPUT -p tcp --dport 6000:6063 -j TOS --set-tos Maximize-Throughput

$IPTABLES -t mangle -A PREROUTING -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 25 -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p udp --dport 53 -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 67 -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 110 -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 113 -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 123 -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 143 -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 443 -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 993 -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 995 -j TOS --set-tos Maximize-Throughput
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 1080 -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 6000:6063 -j TOS --set-tos Maximize-Throughput
fi

eend $?
}
Any other recommendations are also welcome :). If you need other parts of the script apart from the rules, let me know.
Thank you in advance.
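A rule-order check worth doing on the script above: its fingerprint chain ends with `$IPTABLES -A fingerprint -j DROP`, a rule with no match of its own, and with FINGERPRINT_PROTECTION="1" the FORWARD chain sends every packet arriving on $EXTERNAL_INTERFACE into that chain before the port-forwarding ACCEPT rule is appended. The tracer below is an added example, not code from the thread: it models that FORWARD rule order in Python with the values from the posted /etc/conf.d/firewall (ppp0, eth1, 192.168.1.0/24, workstation 192.168.1.2, port 9176) and reports which rule an inbound SYN for the forwarded port ends on. The flagscan and fragmented chains are omitted (the model carries one SYN bit, not full TCP flags), RESERVED_NET is cut to three entries, and the `fingerprint_drops_everything=False` variant is my reading of what the chain's LOG rules intend (dropping only `--dport 0`), not something the thread states.

```python
# Added example, not from the thread: a first-match tracer over a simplified
# model of the FORWARD chain built by the posted rules(), with the values from
# the posted /etc/conf.d/firewall. The flagscan and fragmented chains are left
# out because the model carries a single SYN bit rather than full TCP flags.
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

EXT, LAN = "ppp0", "eth1"                      # EXTERNAL_INTERFACE, LAN_INTERFACE
LAN_SPACE = ipaddress.ip_network("192.168.1.0/24")
WORKSTATION = ipaddress.ip_address("192.168.1.2")
FORWARD_PORT = 9176                            # TCP_PORT_FORWARD / UDP_PORT_FORWARD
# Three entries standing in for the much longer RESERVED_NET list in the post.
RESERVED = [ipaddress.ip_network(n) for n in ("0.0.0.0/8", "127.0.0.0/8", "240.0.0.0/8")]
PORTSCAN_PORTS = {7, 11, 15, 19, 23, 69, 79, 87, 98, 111, 520, 540, 1080, 1114, 2000, 10000}
TROJAN_PORTS = {6670, 1243, 6711, 6712, 6713, 27374, 12345, 12346, 20034, 31337, 31338, 28431}


@dataclass(frozen=True)
class Packet:
    in_if: str
    proto: str        # "tcp" or "udp"
    src: str
    dst: str          # destination after PREROUTING DNAT has rewritten it
    dport: int
    state: str        # conntrack state: NEW, ESTABLISHED, RELATED or INVALID
    syn: bool = True  # True for a plain connection-opening SYN


# (description, match predicate, target). ACCEPT/DROP end the walk, LOG is
# non-terminating, and any other target is a jump into a user-defined chain.
Rule = Tuple[str, Callable[[Packet], bool], str]
Chains = Dict[str, List[Rule]]


def src_in(pkt: Packet, nets) -> bool:
    return any(ipaddress.ip_address(pkt.src) in n for n in nets)


def build_chains(fingerprint_drops_everything: bool) -> Chains:
    """With True, the fingerprint chain ends in a DROP that has no match, as in
    the post; with False the DROP is limited to --dport 0 like its LOG rules."""
    fp_drop = (lambda p: True) if fingerprint_drops_everything else (lambda p: p.dport == 0)
    return {
        "invalid": [("invalid: INVALID state", lambda p: p.state == "INVALID", "DROP")],
        "bad_tcp": [("bad_tcp: NEW without SYN",
                     lambda p: p.proto == "tcp" and p.state == "NEW" and not p.syn, "DROP")],
        "portscan": [("portscan: probe port",
                      lambda p: p.dport in PORTSCAN_PORTS or 6000 <= p.dport <= 6063, "DROP")],
        "trojanscan": [("trojanscan: backdoor port", lambda p: p.dport in TROJAN_PORTS, "DROP")],
        "fingerprint": [("fingerprint: LOG dport 0", lambda p: p.dport == 0, "LOG"),
                        ("fingerprint: DROP", fp_drop, "DROP")],
        "FORWARD": [
            ("LAN interface -> ACCEPT", lambda p: p.in_if == LAN, "ACCEPT"),
            ("spoofed LAN source on external", lambda p: p.in_if == EXT and src_in(p, [LAN_SPACE]), "DROP"),
            ("reserved source on external", lambda p: p.in_if == EXT and src_in(p, RESERVED), "DROP"),
            ("ESTABLISHED,RELATED", lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT"),
            ("-> invalid", lambda p: True, "invalid"),
            ("-> bad_tcp", lambda p: True, "bad_tcp"),
            ("-> portscan", lambda p: p.in_if == EXT, "portscan"),
            ("-> trojanscan", lambda p: p.in_if == EXT, "trojanscan"),
            ("-> fingerprint", lambda p: p.in_if == EXT, "fingerprint"),
            ("port forward to workstation",
             lambda p: ipaddress.ip_address(p.dst) == WORKSTATION and p.dport == FORWARD_PORT
             and p.state in ("NEW", "ESTABLISHED", "RELATED"), "ACCEPT"),
        ],
    }


def _walk(chains: Chains, chain: str, pkt: Packet, path: List[str]) -> Optional[str]:
    for desc, match, target in chains[chain]:
        if not match(pkt):
            continue
        path.append(desc)
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "LOG":
            continue                         # non-terminating target
        verdict = _walk(chains, target, pkt, path)
        if verdict:
            return verdict                   # user chain decided
    return None                              # end of chain: RETURN to caller


def trace(chains: Chains, pkt: Packet, policy: str = "DROP") -> Tuple[str, List[str]]:
    """Walk FORWARD first-match and return (verdict, rules touched). The
    policy applies when the packet falls off the end, as with -P FORWARD DROP."""
    path: List[str] = []
    verdict = _walk(chains, "FORWARD", pkt, path)
    return (verdict or policy), path


# Constructed sample: an internet peer opening a connection to the forwarded
# DC port, seen in FORWARD after PREROUTING DNAT rewrote the destination.
INBOUND_SYN = Packet(EXT, "tcp", "203.0.113.7", "192.168.1.2", FORWARD_PORT, "NEW")

if __name__ == "__main__":
    for drop_all in (True, False):
        verdict, path = trace(build_chains(drop_all), INBOUND_SYN)
        print(f"fingerprint_drops_everything={drop_all}: {verdict} via {' > '.join(path)}")
```

Running it prints two traces for the same inbound SYN: with the chain as posted the walk ends at "fingerprint: DROP" before the port-forward rule is ever consulted, and with the DROP limited to --dport 0 it ends at "port forward to workstation". The same harness takes an ESTABLISHED packet, a NEW packet without SYN, or a packet with a LAN source on ppp0, so a change to the rule order can be checked against the cases it must keep dropping as well as the one it must start accepting.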

Post by TheX » Thu Jan 06, 2005 1:50 pm

I didn't find this in your script :

# Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done

Post by LeTene » Thu Jan 06, 2005 2:07 pm

Ugh...you could post a cut-down version of that monster...

Anyway, I see this:

$IPTABLES -t nat -A PREROUTING -p tcp -d $EXTERNAL_INTERFACE_IP --dport $port -j DNAT --to-destination $WORKSTATION_IP:$port
...but I don't see any definition of what value $port actually takes. I mean, I see that it enumerates over another variable with a "for..in", but I don't see the value of that variable.

Here's a fragment of my own, working script - I prefer not to use too much $VARIABLE type stuff as it can get unreadable. 192.168.0.1 is the internal box (the firewall runs on 192.168.0.254, which is immaterial anyway :)):

# ===
# DC+
# ===
# -- Allow external clients to connect to internal machine
$IPTABLES -t nat -I PREROUTING -i ppp0 -p tcp --dport 9176 -j DNAT --to 192.168.0.1:9176
$IPTABLES -t nat -I PREROUTING -i ppp0 -p udp --dport 9176 -j DNAT --to 192.168.0.1:9176
$IPTABLES -I FORWARD -i ppp0 -p tcp -d 192.168.0.1/32 --dport 9176 -j ACCEPT
$IPTABLES -I FORWARD -i ppp0 -p udp -d 192.168.0.1/32 --dport 9176 -j ACCEPT

Post by ]Trix[ » Thu Jan 06, 2005 5:46 pm

Guess I will have to post the other part of the firewall too to skip the confusion.

/etc/init.d/procparm:
#!/sbin/runscript

depend() {
before firewall
}

start() {
ebegin "Setting /proc options."
for i in /proc/sys/net/ipv4/conf/*; do
echo "1" > $i/rp_filter
done
echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo "1" > /proc/sys/net/ipv4/ip_forward
modprobe ip_conntrack
echo "16376" > /proc/sys/net/ipv4/ip_conntrack_max
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
for interface in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo "0" > $interface
done
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
echo "64" > /proc/sys/net/ipv4/ip_default_ttl
modprobe ip_queue
echo "2048" > /proc/sys/net/ipv4/ip_queue_maxlen
echo "1" > /proc/sys/net/ipv4/tcp_ecn
eend 0
}
/etc/conf.d/firewall
IPTABLES="/sbin/iptables"
IPTABLESSAVE="/sbin/iptables-save"
IPTABLESRESTORE="/sbin/iptables-restore"
FIREWALL=/etc/firewall.rules

# External interface
EXTERNAL_INTERFACE="ppp0"

# For STATIC IP address:
EXTERNAL_INTERFACE_IP="xxx.xxx.xxx.xxx"
# For DYNAMIC IP address
# EXTERNAL_INTERFACE_IP=`ifconfig | grep -A 1 ${EXTERNAL_INTERFACE} | grep "inet addr:" | cut -d ':' -f 2 | cut -d ' ' -f 1`

# Internal interface
LAN_INTERFACE="eth1"
LAN_INTERFACE_IP="192.168.1.1"

# Loopback device
LOOPBACK_INTERFACE="lo"
LOOPBACK_INTERFACE_IP="127.0.0.1"

# Local area network
LAN_SPACE="192.168.1.0/24"

# Workstation IP address (used for Port Forwarding)
WORKSTATION_IP="192.168.1.2"

# Blocked hosts
BLOCK_HOST=""
SPOOFED="192.168.1.0/24"
RESERVED_NET="0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 5.0.0.0/8 7.0.0.0/8 23.0.0.0/8 27.0.0.0/8 31.0.0.0/8 36.0.0.0/8 37.0.0.0/8 39.0.0.0/8 41.0.0.0/8 42.0.0.0/8 73.0.0.0/8 74.0.0.0/8 75.0.0.0/8
76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8 95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 100.0.0.0/8 101.0.0.0/8
102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 114.0.0.0/8 115.0.0.0/8 116.0.0.0/8
117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 126.0.0.0/8 127.0.0.0/8 173.0.0.0/8 174.0.0.0/8 175.0.0.0/8 176.0.0.0/8
177.0.0.0/8 178.0.0.0/8 179.0.0.0/8 180.0.0.0/8 181.0.0.0/8 182.0.0.0/8 183.0.0.0/8 184.0.0.0/8 185.0.0.0/8 186.0.0.0/8 187.0.0.0/8 189.0.0.0/8 190.0.0.0/8 197.0.0.0/8 223.0.0.0/8
240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8 246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8 252.0.0.0/8 253.0.0.0/8 254.0.0.0/8
255.0.0.0/8"

# Default LOGLEVEL (other options are: debug, alert, info, notice, warning, crit)
LOGLEVEL="info"

# Enable(1), Disables(0) protections
ENABLE_MSS="1"
BAD_TCP_PACKETS_PROTECTION="1"
INVALID_PACKETS_PROTECTION="1"
FRAGMENTED_PACKETS_PROTECTION="1"
SYN_FLOOD_PROTECTION="1"
ICMP_FLOOD_PROTECTION="1"
FLAGSCAN_PROTECTION="1"
PORTSCAN_PROTECTION="1"
TROJANSCAN_PROTECTION="1"
FINGERPRINT_PROTECTION="1"
MANGLE_TOS="1"

# Enable(1), Disable(0) some services to be accessed from outside
ALLOW_WWW=0
ALLOW_SSH=0
ALLOW_FTP=0

# Portforwarding
ENABLE_PORTFORWARD="1"
TCP_PORT_FORWARD="9176"
UDP_PORT_FORWARD="9176"

# Other OPEN Ports
OPEN_PORT=""

# Enable(1), Disable(0) NAT
NAT="1"

Post by ]Trix[ » Thu Jan 06, 2005 6:09 pm

I have changed the portforwarding part of the script so that it resembles LeTene's portforward rule, but still nothing. People can download from me normally. I can download only the hub list and I cannot search for files or download them.
So I guess the problem is somewhere else in the script. But I don't know where.

The rule itself does get accepted, because iptables -t nat -L shows this:
Chain PREROUTING (policy ACCEPT)
target prot opt source destination
DNAT tcp -- anywhere anywhere tcp dpt:9176 to:192.168.1.2:9176
DNAT udp -- anywhere anywhere udp dpt:9176 to:192.168.1.2:9176
SNAT all -- 192.168.1.0/24 anywhere to:xxx.xxx.xxx.xxx (extip)
MASQUERADE all -- 192.168.1.0/24 anywhere
I would not want to post iptables -L... it is way too long to post it whole in here... But if you want I can ;)
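The `iptables -t nat -L` listing above can be checked mechanically rather than by eye. The script below is an added example, not part of the thread: it parses listing output in that format and reports forwarded ports that have no DNAT rule, DNAT rules that point somewhere other than the workstation, and more than one source-NAT rule for the same source network. The sample listing is constructed to match the posted one (the external address placeholder is kept as posted); the expected ports and workstation address come from the posted /etc/conf.d/firewall. The duplicate check is there because the posted listing shows both a SNAT and a MASQUERADE rule for 192.168.1.0/24, while the posted rules() adds only SNAT and flushes only the chains it creates itself, so rules appended to the built-in nat chains by an earlier run stay in place.

```python
# Added example, not from the thread: parse `iptables -t nat -L` output and
# check it against the port-forwarding values from the posted conf.d file.
import re
from typing import Dict, List

# Constructed sample in `iptables -t nat -L` format, modelled on the listing
# in the thread; the external address placeholder is kept as posted.
SAMPLE_NAT_LISTING = """\
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination
DNAT       tcp  --  anywhere             anywhere             tcp dpt:9176 to:192.168.1.2:9176
DNAT       udp  --  anywhere             anywhere             udp dpt:9176 to:192.168.1.2:9176

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       all  --  192.168.1.0/24       anywhere             to:xxx.xxx.xxx.xxx
MASQUERADE  all  --  192.168.1.0/24       anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
"""


def parse_nat_listing(text: str) -> Dict[str, List[dict]]:
    """Turn `iptables -t nat -L` text into {chain: [rule, ...]}; each rule keeps
    the target, protocol, source, destination, dport and the NAT 'to:' value."""
    chains: Dict[str, List[dict]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"Chain (\S+) \(policy (\S+)\)", line)
        if header:
            current = header.group(1)
            chains[current] = []
            continue
        f = line.split()
        if current is None or f[0] == "target" or len(f) < 5:
            continue                          # column header or unparsable line
        extra = " ".join(f[5:])
        dpt = re.search(r"dpt:(\d+)", extra)  # numeric only: list with -n
        to = re.search(r"to:(\S+)", extra)
        chains[current].append({
            "target": f[0], "prot": f[1], "source": f[3], "destination": f[4],
            "dport": int(dpt.group(1)) if dpt else None,
            "to": to.group(1) if to else None,
        })
    return chains


def check_port_forwards(chains: Dict[str, List[dict]], expected: Dict[str, List[int]],
                        workstation: str) -> List[str]:
    """expected maps protocol -> forwarded ports (TCP_PORT_FORWARD / UDP_PORT_FORWARD).
    Returns human-readable findings; an empty list means the NAT table looks right."""
    findings: List[str] = []
    pre = chains.get("PREROUTING", [])
    for proto, ports in expected.items():
        for port in ports:
            hits = [r for r in pre if r["target"] == "DNAT" and r["prot"] == proto and r["dport"] == port]
            if not hits:
                findings.append(f"no DNAT for {proto}/{port} in PREROUTING")
                continue
            for r in hits:
                if r["to"] != f"{workstation}:{port}":
                    findings.append(f"DNAT {proto}/{port} goes to {r['to']}, expected {workstation}:{port}")
            if len(hits) > 1:
                findings.append(f"{len(hits)} DNAT rules for {proto}/{port}: stale rules from an earlier run?")
    post = chains.get("POSTROUTING", [])
    srcnat = [r for r in post if r["target"] in ("SNAT", "MASQUERADE")]
    if not srcnat:
        findings.append("no SNAT/MASQUERADE in POSTROUTING: LAN traffic leaves without source NAT")
    by_source: Dict[str, List[str]] = {}
    for r in srcnat:
        by_source.setdefault(r["source"], []).append(r["target"])
    for src, targets in by_source.items():
        if len(targets) > 1:
            findings.append(f"{src} has {len(targets)} source-NAT rules ({', '.join(targets)}): "
                            "nat table not flushed before re-running the script?")
    return findings


if __name__ == "__main__":
    table = parse_nat_listing(SAMPLE_NAT_LISTING)
    for finding in check_port_forwards(table, {"tcp": [9176], "udp": [9176]}, "192.168.1.2"):
        print("finding:", finding)
```

Feed it real output with `iptables -t nat -L -n` so that ports and addresses are printed numerically; the `dpt:` pattern expects a number, and a listing without `-n` prints service names where it knows them. On the constructed sample the only finding is the doubled source NAT for 192.168.1.0/24.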
© 2001–2026 Gentoo Foundation, Inc.
