I can't ping any machines, whether internal or external, and the internet
doesn't work on the Linux box when I have run the script below.

#!/bin/sh
# 
# In order to use this IPTables firewall script you
# must have IPTables installed. You also must be using 
# a 2.4.x series Kernel, with IPTables support compiled
# into it, which is standard for most newer Linux distributions.
#
# If you need help compiling IPtables into your kernel, please
# see our Kernel Compile/Upgrade Guide located at 
# www.linuxhelp.net/guides/
#
# Once the script has been edited with all your relevant
# information (IP's, Network Interfaces, etc..) simply
# make the script executable and run it as root.
#
# chmod 700 iptables-firewall
# ./iptables-firewall
#
# If you would like to see what rules are currently set, as
# root run iptables -L -n -v (add -t nat to see the NAT table).
#
# If you've messed up and need to bring down the firewall
# for whatever reason, run iptables -F. Note that -F only flushes
# the rules; the DROP policy on INPUT stays in place, so follow it
# with iptables -P INPUT ACCEPT if you want the box reachable again.
#
# If you would like to have the firewall automatically
# come up at boot time, add the path to the script to
# the bottom of your /etc/rc.d/rc.local file. For instance
# /root/bin/iptables-firewall
#
# If you're not sure about something, check out the iptables
# man page by typing 'man iptables' (without the ''s) at the
# command prompt.
#
# This script is an enhanced/modified version of the 
# iptables-script written by Davion 
# 
# If you have any questions, please come see us in #Linuxhelp.net
# on the DALnet IRC network. (www.linuxhelp.net/ircinfo.shtml)

# The location of the IPtables binary file on your system.
IPT="/sbin/iptables"

# The Network Interface you will be protecting. For ADSL/dialup users,
# ppp0 should be fine. If you are using a cable internet connection or
# are connected to a LAN, you will have to change this to "eth0".
INT="eth1"

# The following rules will clear out any existing firewall rules,
# and any chains that might have been created, in each table.
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
#$IPT -t mangle -F   # Gave error messages if I didn't comment it out

# These will setup our policies.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# The following line below enables IP forwarding and thus 
# by extension, NAT. Turn this on if you're going to be 
# doing NAT or IP Masquerading.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Source NAT everything heading out the $INT (external) 
# interface to be the given IP. If you have a dynamic IP 
# address or a DHCP IP that changes semi-regularly, comment out 
# the first line and uncomment the second line.
#
# Remember to change the ip address below to your static ip.
#
#$IPT -t nat -A POSTROUTING -o $INT -j SNAT --to 216.138.195.197
$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE

# If you would like to forward specific ports to other machines
# on your home network, edit the rules below. They are currently set
# up to forward port 25 & 53 (Mail & DNS) to 192.168.0.3. Anything
# arriving on $INT for those ports is redirected invisibly to
# 192.168.0.3. A DNAT rule alone is not enough: the redirected packet
# still passes through the FORWARD chain as a NEW connection, so each
# forwarded port also needs an ACCEPT there, placed before the
# NEW/INVALID drop that protects the forwarding rule.
$IPT -A FORWARD -i $INT -d 192.168.0.3 -p tcp --dport 25 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INT -d 192.168.0.3 -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INT -d 192.168.0.3 -p udp --dport 53 -m state --state NEW -j ACCEPT

# This rule protects your forwarding rule: nothing else arriving on
# the external interface may open a new connection through the gateway.
$IPT -A FORWARD -i $INT -m state --state NEW,INVALID -j DROP

$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 25 -j DNAT --to 192.168.0.3:25
$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 53 -j DNAT --to 192.168.0.3:53
$IPT -t nat -A PREROUTING -i $INT -p udp --dport 53 -j DNAT --to 192.168.0.3:53

# These two redirect a block of ports, in both udp and tcp.
#$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 2300:2400 -j DNAT --to 10.1.1.50
#$IPT -t nat -A PREROUTING -i $INT -p udp --dport 2300:2400 -j DNAT --to 10.1.1.50


# Now, our firewall chain. We use the limit commands to 
# cap the rate at which it alerts to 15 log messages per minute.
$IPT -N firewall
$IPT -A firewall -m limit --limit 15/minute -j LOG --log-prefix "Firewall: "
$IPT -A firewall -j DROP

# Now, our dropwall chain, for the final catchall filter.
$IPT -N dropwall
$IPT -A dropwall -m limit --limit 15/minute -j LOG --log-prefix "Dropwall: "
$IPT -A dropwall -j DROP

# Our "hey, them's some bad tcp flags!" chain.
$IPT -N badflags
$IPT -A badflags -m limit --limit 15/minute -j LOG --log-prefix "Badflags: "
$IPT -A badflags -j DROP

# And our silent logging chain.
$IPT -N silent
$IPT -A silent -j DROP

# These rules will accept connections from local machines. If you have
# a home network, enter the IP's of the machines on the network below,
# one line per machine.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -s 192.168.0.3 -d 0/0 -p all -j ACCEPT
# Or trust the whole LAN segment at once (eth0 is the LAN card):
#$IPT -A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT

# Drop those nasty packets! These are all TCP flag 
# combinations that should never, ever occur in the
# wild. All of these are illegal combinations that 
# are used to attack a box in various ways, so we 
# just drop them and log them here.
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

# Drop icmp, but only after letting certain types through.
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewall

# If you would like to open up port 22 (SSH Access) to various IP's
# simply edit the IP's below and uncomment the line. If you wish to
# enable SSH access from anywhere, uncomment the second line only.
#$IPT -A INPUT -i $INT -s 10.1.1.1 -d 0/0 -p tcp --dport 22 -j ACCEPT
#$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 22 -j ACCEPT

# If you are running a Web Server, uncomment the next line to open
# up port 80 on your machine.
#$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 80 -j ACCEPT

# Lets do some basic state-matching. This allows us 
# to accept related and established connections, so
# client-side things like ftp work properly, for example.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Drop port 137 netbios packets silently. We don't like that
# netbios stuff, and it's way too spammy with windows machines
# on the network. Comment this out if you want them logged instead.
$IPT -A INPUT -p udp --sport 137 --dport 137 -j silent

# Our final trap. Everything on INPUT goes to the dropwall 
# so we don't get silent drops.
$IPT -A INPUT -j dropwall

--- Saul Arias <[EMAIL PROTECTED]> wrote:
> At 04:35 AM 30-08-02, Knut Ove Hauge wrote:
> >I have just installed iptables as a replacement for ipchains in my rh
> >7.2 system. I downloaded a shell script with the rules but I can't
> >access the internet from my linuze or windoze client.
> >I use eth1 for my adsl line and eth0 (ip address 192.168.0.1) for my
> >lan card. The windoze has ip address 192.168.0.3.
> >I have enabled ip forwarding and can flush the rules in iptables in the
> >beginning of the script. The input policy is set to DROP while the
> >other two are set to ACCEPT.
> >I can't ping any machines, neither external nor internal.
> >I am new to iptables so I need some help on setting it up.
> 
> Can you ping from the Linux box to, say, www.yahoo.com?
> Can you ping from the Linux box to 192.168.0.3?
> 
> Can you do the pings above with iptables shut down?
> 
> Can we see your script?
> 
> 
> -- 
> Saul Arias <[EMAIL PROTECTED]>

=====
Investigating the Norwegian 4th Secret Service
The multiheaded beast.
http://hjem.sol.no/altiett/knut_ove_hauge_kuren.htm

______________________________________________________
See the new Yahoo! Mail at http://no.yahoo.com/
New design, easier to use, always access to Address Book, Calendar and Notepad

-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
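Apart from the three pings Saul asks for, the safest way to try a ruleset like the one above on a box you may be reaching over SSH is to load it atomically and arm a rollback. The following is an added example, not code from the thread or from linuxhelp.net. It assumes iptables-save and iptables-restore are available (they ship with iptables 1.2.x), that the LAN is 192.168.0.0/24, and that 60 seconds is enough time to confirm; eth1, eth0 and 192.168.0.3 are taken from the thread. The function names build_ruleset, apply_with_rollback and confirm_rules are mine.

```shell
#!/bin/sh
# Added example (not from the original post): the gateway policy discussed in
# this thread written as an iptables-restore ruleset, so the whole table set
# loads atomically instead of rule by rule, plus a rollback timer so a mistake
# in a DROP-policy ruleset cannot lock you out of the box.
# Interfaces and addresses follow the thread: eth1 = ADSL, eth0 = LAN
# (192.168.0.1), 192.168.0.3 = the Windows client that receives port 25.
# Assumed: the LAN is 192.168.0.0/24 and 60 s is enough time to confirm.

# build_ruleset EXT_IF LAN_IF LAN_NET FWD_HOST
# Print a complete iptables-restore file to stdout. Differences from the
# script in the thread: FORWARD defaults to DROP and LAN->internet is
# allowed explicitly, the state rule comes first in INPUT, and the DNAT
# port forward is paired with the FORWARD accept it needs to actually work.
build_ruleset() {
    ext="$1"; lan="$2"; net="$3"; fwd="$4"
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $ext -p tcp --dport 25 -j DNAT --to-destination $fwd:25
-A POSTROUTING -o $ext -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:badflags - [0:0]
:dropwall - [0:0]
-A badflags -m limit --limit 15/minute -j LOG --log-prefix "Badflags: "
-A badflags -j DROP
-A dropwall -m limit --limit 15/minute -j LOG --log-prefix "Dropwall: "
-A dropwall -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -p tcp --tcp-flags ALL NONE -j badflags
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags
-A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
-A INPUT -i $lan -s $net -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
-A INPUT -j dropwall
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i $lan -s $net -o $ext -j ACCEPT
-A FORWARD -i $ext -d $fwd -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -j dropwall
COMMIT
EOF
}

# apply_with_rollback RULES_FILE [SECONDS]  (run as root)
# Save the live ruleset, load RULES_FILE atomically, then start a timer that
# puts the saved ruleset back unless confirm_rules is called in time. If the
# new rules cut off your SSH session, you just wait for the timer.
apply_with_rollback() {
    rules="$1"; secs="${2:-60}"
    iptables-save > /tmp/iptables.rollback || return 1
    iptables-restore < "$rules" || return 1
    ( sleep "$secs"; iptables-restore < /tmp/iptables.rollback ) &
    echo $! > /tmp/iptables.rollback.pid
    echo "loaded $rules; run confirm_rules within ${secs}s or the old rules come back"
}

# confirm_rules: cancel the pending rollback once you have verified that
# ping by IP, DNS and the LAN client still work (Saul's three checks).
confirm_rules() {
    pid=$(cat /tmp/iptables.rollback.pid 2>/dev/null) && kill "$pid" 2>/dev/null
    rm -f /tmp/iptables.rollback.pid /tmp/iptables.rollback
}

# Usage: sh gateway.sh print > /tmp/gateway.rules
#        . ./gateway.sh; apply_with_rollback /tmp/gateway.rules 60
case "${1:-}" in
    print) build_ruleset "${2:-eth1}" "${3:-eth0}" "${4:-192.168.0.0/24}" "${5:-192.168.0.3}" ;;
esac
```

Loading through iptables-restore means there is never a moment where the policies are DROP but the accept rules have not been appended yet, which is exactly the window a line-by-line script opens; the rollback timer covers the other failure mode, a ruleset that loads fine but is wrong.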
