OK, here's what I have (the long version). RH8 firewall/VPN server; Winblows clients connect to the VPN server. We have an Exchange server running to handle the email etc. I have another VPN with ipchains and everything is great. I have tried to "convert" the chains to tables but it's not that easy. I've tried SNAT and FORWARD and somehow I'm missing packets when I view the logs. Here's what I have so far.
The clients can connect but that's it. No drive mapping to the domain server or Exchange email. I have used the logs, but I get to the point where I think I'm adding my last rule and then everything disappears.

# Generated by iptables-save v1.2.6a on Fri Nov 15 16:53:31 2002
*filter
:INPUT DROP [1514:251666]
:FORWARD DROP [487:46536]
:OUTPUT DROP [36:2231]
:logit - [0:0]
-A INPUT -s 192.9.199.0/255.255.255.0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -s 192.9.199.0/255.255.255.0 -d 192.9.199.231 -i eth0 -p tcp -m tcp --dport 10000 -j ACCEPT
-A INPUT -d 111.222.333.444 -i eth1 -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -d 111.222.333.444 -i eth1 -p 47 -j ACCEPT
-A INPUT -s 192.9.199.0/255.255.255.0 -d 255.255.255.255 -i ppp+ -p udp -m udp --sport 137 --dport 137 -j ACCEPT
-A INPUT -s 192.9.199.0/255.255.255.0 -d 255.255.255.255 -i ppp+ -p udp -m udp --sport 138 --dport 138 -j ACCEPT
-A INPUT -s 192.9.199.0/255.255.255.0 -d 192.9.199.231 -i ppp+ -p tcp -m tcp --sport 1024:65535 --dport 139 -j ACCEPT
-A INPUT -s 192.9.199.0/255.255.255.0 -d 192.9.199.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 445 --dport 1024:65535 -j ACCEPT
-A INPUT -s 192.9.199.0/255.255.255.0 -d 192.9.199.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 139 --dport 1024:65535 -j ACCEPT
-A INPUT -s 192.9.199.0/255.255.255.0 -d 192.9.199.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 135 --dport 1024:65535 -j ACCEPT
-A INPUT -d 192.9.199.231 -i eth0 -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.9.199.0/255.255.255.0 -i eth0 -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
-A INPUT -s 192.9.199.0/255.255.255.0 -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 139 -j ACCEPT
-A FORWARD -s 192.9.199.0/255.255.255.0 -d 192.9.199.0/255.255.255.0 -p tcp -m tcp --sport 1024:65535 --dport 80 -j ACCEPT
-A FORWARD -s 192.9.199.0/255.255.255.0 -d 192.9.199.0/255.255.255.0 -p tcp -m tcp --sport 1024:65535 --dport 445 -j ACCEPT
-A FORWARD -s 192.9.199.0/255.255.255.0 -d 192.9.199.0/255.255.255.0 -p tcp -m tcp --sport 1024:65535 --dport 139 -j ACCEPT
-A OUTPUT -s 192.9.199.0/255.255.255.0 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -s 192.9.199.0/255.255.255.0 -d 192.9.199.0/255.255.255.0 -o eth0 -p tcp -m tcp --sport 10000 -j ACCEPT
-A OUTPUT -s 111.222.333.444 -o eth1 -p 47 -j ACCEPT
-A OUTPUT -s 111.222.333.444 -o eth1 -p tcp -m tcp --sport 1723 --dport 1024:65535 -j ACCEPT
-A OUTPUT -s 192.9.199.231 -d 192.9.199.0/255.255.255.0 -o ppp+ -p udp -m udp --sport 138 --dport 138 -j ACCEPT
-A OUTPUT -s 192.9.199.231 -d 192.9.199.0/255.255.255.0 -o ppp+ -p udp -m udp --sport 137 --dport 137 -j ACCEPT
-A OUTPUT -s 192.9.199.231 -d 192.9.199.0/255.255.255.0 -o eth0 -p udp -m udp --sport 137 --dport 137 -j ACCEPT
-A OUTPUT -s 192.9.199.231 -d 192.9.199.0/255.255.255.0 -o eth0 -p udp -m udp --sport 138 --dport 138 -j ACCEPT
-A OUTPUT -s 192.9.199.231 -d 192.9.199.0/255.255.255.0 -o ppp+ -p tcp -m tcp --sport 139 --dport 1024:65535 -j ACCEPT
-A OUTPUT -s 192.9.199.0/255.255.255.0 -d 192.9.199.0/255.255.255.0 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 445 -j ACCEPT
-A OUTPUT -s 192.9.199.0/255.255.255.0 -d 192.9.199.0/255.255.255.0 -o eth0 -p tcp -m tcp --sport 1024:65535 --dport 135 -j ACCEPT
-A OUTPUT -s 192.9.199.231 -o eth0 -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -d 192.9.199.0/255.255.255.0 -o eth0 -p udp -m udp --sport 53 --dport 1024:65535 -j ACCEPT
-A OUTPUT -d 192.9.199.0/255.255.255.0 -o eth0 -p tcp -m tcp --sport 139 --dport 1024:65535 -j ACCEPT
-A logit -m state --state ESTABLISHED -j RETURN
-A logit -j LOG
-A logit -j RETURN
COMMIT
# Completed on Fri Nov 15 16:53:31 2002
# Generated by iptables-save v1.2.6a on Fri Nov 15 16:53:31 2002
*nat
:PREROUTING ACCEPT [1886:285229]
:POSTROUTING ACCEPT [46:4712]
:OUTPUT ACCEPT [66:5972]
-A POSTROUTING -o ppp+ -j MASQUERADE
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Fri Nov 15 16:53:31 2002

-----Original Message-----
From: Jason Costomiris [mailto:[EMAIL PROTECTED]]
Sent: Saturday, November 16, 2002 9:45 AM
To: [EMAIL PROTECTED]
Subject: Re: Iptables HELP vpn

On Friday, November 15, 2002, at 09:00 PM, Yoink! wrote:

> Try something like this if it's IMAP you are after:
>
> iptables -A INPUT -i ppp0 -p tcp --sport 143 -m state -j ACCEPT
> iptables -A OUTPUT -o ppp0 -p tcp --dport 143 -m state -j ACCEPT

That would only work if the IMAP server was running on the firewall (and you've got the sport/dport backwards :) ). You most likely want to use the FORWARD chain.

-- 
Jason Costomiris <><
E: jcostom {at} jasons {dot} org / W: http://www.jasons.org/
Quidquid latine dictum sit, altum viditur.

-- 
redhat-list mailing list
unsubscribe mailto:[EMAIL PROTECTED]?subject=unsubscribe
https://listman.redhat.com/mailman/listinfo/redhat-list
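The FORWARD chain that Jason points at is where the poster's ruleset falls short: the three FORWARD rules only match new connections to tcp/80, 445 and 139, have no interface restriction, and nothing lets the server's replies (which come back on eth0 with --sport 445 or 139) through, so every reply hits the FORWARD DROP policy. The script below is an added example, not code from the thread, from Red Hat or from the PPTP project. It generates the forwarding rules a PPTP-terminating firewall needs for Windows drive mapping and Outlook/MAPI, using connection tracking (-m state, already used in the posted logit chain) so a single rule covers all return traffic. Interface names (eth0 for the LAN, ppp+ for the VPN clients) and the 192.9.199.0/24 prefix are taken from the posted ruleset; the domain-controller and Exchange addresses are assumed placeholders, and so is the "apply" argument. It only touches the filter table; the posted nat rules are left alone.

```shell
#!/bin/sh
# Added example, not code from the thread or from Red Hat: FORWARD-chain rules
# for PPTP clients (ppp+) reaching Windows file/Exchange servers on the LAN.
# Interface names and the LAN prefix come from the posted ruleset; the server
# addresses below are assumed placeholders.

LAN_IF=eth0                  # internal LAN (from the posted rules)
VPN_IF='ppp+'                # one pppN per PPTP client (from the posted rules)
LAN_NET=192.9.199.0/24       # LAN prefix; the VPN clients draw addresses from it too
DC_IP=192.9.199.10           # ASSUMED: domain controller / file server / WINS / DNS
EXCH_IP=192.9.199.11         # ASSUMED: Exchange server

# Print the forwarding rules as iptables commands so they can be reviewed,
# diffed, or piped to "sh" as root.  Each group fixes one symptom from the thread.
vpn_forward_rules() {
    # 1. Return traffic.  A client's SYN to tcp/445 may be allowed, but the
    #    server's SYN/ACK comes back on eth0 with --sport 445 and no rule
    #    matches it, so it hits the FORWARD DROP policy.  One state rule
    #    covers every reply in both directions instead of a mirror rule per
    #    service.
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # 2. Packets that belong to no tracked connection (mid-stream ACKs after a
    #    table flush, bogus flag combinations) are dropped here rather than
    #    slipping through a later port-only match.
    echo "iptables -A FORWARD -m state --state INVALID -j DROP"

    # 3. New connections from the VPN side only.  -i/-o pins the direction, so
    #    nothing arriving on the Internet interface can ever use these rules.
    base="iptables -A FORWARD -i $VPN_IF -o $LAN_IF -s $LAN_NET -m state --state NEW"

    # Drive mapping: SMB over NetBIOS (tcp/139) and direct-hosted SMB (tcp/445).
    for p in 139 445; do
        echo "$base -d $DC_IP -p tcp --dport $p -j ACCEPT"
    done
    # NetBIOS name service (udp/137) and datagram service (udp/138).  Broadcast
    # name resolution does not cross a routed PPP hop, so clients should point
    # at the WINS host explicitly; unicast 137 to it is what this allows.
    for p in 137 138; do
        echo "$base -d $DC_IP -p udp --dport $p -j ACCEPT"
    done
    # DNS to the domain controller.
    echo "$base -d $DC_IP -p udp --dport 53 -j ACCEPT"
    echo "$base -d $DC_IP -p tcp --dport 53 -j ACCEPT"

    # Outlook/MAPI: RPC endpoint mapper on tcp/135, then a dynamic high port on
    # the Exchange host.  Exchange lets you pin the store and directory-proxy
    # ports in the registry; until that is done, the whole high range to that
    # single host is the narrowest rule that actually works.
    echo "$base -d $EXCH_IP -p tcp --dport 135 -j ACCEPT"
    echo "$base -d $EXCH_IP -p tcp --dport 1024:65535 -j ACCEPT"

    # 4. Log what falls through, with a recognisable prefix, before the DROP
    #    policy silently eats it; --limit keeps one noisy client from filling
    #    /var/log/messages.
    echo "iptables -A FORWARD -m limit --limit 6/min -j LOG --log-prefix 'FWD-DROP: '"
}

# Easy to forget: with routing off, packets never reach FORWARD at all, so no
# rule will ever log them.  Returns 0 when forwarding is on, 1 when it is off
# or the file is absent (non-Linux host).
ip_forward_enabled() {
    f=/proc/sys/net/ipv4/ip_forward
    [ -r "$f" ] && [ "$(cat "$f")" = 1 ]
}

# Number of ACCEPT rules the generator emits; a cheap regression check when
# the service list above is edited.
vpn_accept_rule_count() {
    vpn_forward_rules | grep -c -- '-j ACCEPT'
}

if [ "${1:-}" = apply ]; then          # "apply" is an assumed convenience flag
    ip_forward_enabled || echo 1 > /proc/sys/net/ipv4/ip_forward
    vpn_forward_rules | sh
else
    vpn_forward_rules                  # default: just show what would be added
fi
```

Run it without arguments to review the rules, then `sh script.sh apply` as root to load them on top of the existing FORWARD DROP policy. After that, `iptables -L FORWARD -v -n` shows per-rule counters, and anything still being dropped appears in the log with the `FWD-DROP:` prefix, which is the quickest way to see which port the clients are actually asking for.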