Firewall Issue

Taking care of your Linux box.
Post Reply
refra
Naik
Posts: 70
Joined: Wed Dec 06, 2006 3:51 pm

Firewall Issue

Post by refra »

Dear Allz,


I made a Following Firewall script:

#######################
## Defining Variable ##
#######################
IPT="/sbin/iptables"
FILE="/etc/squid/mac-list"
NW="192.168.1.0/24"

###################
## ADMINS ##
###################
ADMIN1="10.1.2.211"
ADMIN2="10.1.2.212"

####################
## PORTS ##
####################
SSH="22"
FTP="21"
SMTP="25"
VNC1="5801:5810"
VNC2="5901:5910"
VNC3="6001:6010"

####################################
echo "Flush Existing Firewall Rules"
####################################
$IPT -F
$IPT -Z

sleep 2
echo
######################
echo "Defining Chains"
######################
$IPT -P INPUT ACCEPT
echo
########################
echo "Defining Policies"
########################
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -i lo -j ACCEPT
echo
###############################
echo "Now enable IP Forwarding"
###############################
echo "1" > /proc/sys/net/ipv4/ip_forward
echo
##########################################
echo "Configuring NAT & Transparent Proxy"
##########################################
cat $FILE | while read MAC
do
$IPT -A FORWARD -m mac --mac-source $MAC -j ACCEPT
$IPT -t nat -A POSTROUTING -m mac --mac-source $MAC -j MASQUERADE
#$IPT -t nat -A PREROUTING -p tcp --dport 80 -s $NW -j REDIRECT --to-port 8080
done
########################### SSH RULES #####################################################
$IPT -A INPUT -p tcp --dport $SSH -m state --state NEW,ESTABLISHED,RELATED -s $ADMIN1-j ACCEPT
################################ VNC RULES #####################################################
$IPT -A INPUT -p tcp --dport $VNC1 -m state --state NEW,ESTABLISHED,RELATED -s $ADMIN1 -j ACCEPT
$IPT -A INPUT -p tcp --dport $VNC2 -m state --state NEW,ESTABLISHED,RELATED -s $ADMIN1-j ACCEPT
$IPT -A INPUT -p tcp --dport $VNC3 -m state --state NEW,ESTABLISHED,RELATED -s $ADMIN1 -j ACCEPT
$IPT -A INPUT -p tcp --dport $VNC1 -m state --state NEW,ESTABLISHED,RELATED -s $ADMIN2 -j ACCEPT
$IPT -A INPUT -p tcp --dport $VNC2 -m state --state NEW,ESTABLISHED,RELATED -s $ADMIN2-j ACCEPT
$IPT -A INPUT -p tcp --dport $VNC3 -m state --state NEW,ESTABLISHED,RELATED -s $ADMIN2 -j ACCEPT
############################### DROP EVERYTHING EXCEPT ABOVE ##################################
$IPT -A INPUT -p tcp --dport $SSH -j DROP
$IPT -A INPUT -p tcp --dport $VNC1 -j DROP
$IPT -A INPUT -p tcp --dport $VNC2 -j DROP
$IPT -A INPUT -p tcp --dport $VNC3 -j DROP
$IPT -A FORWARD -i eth1 -j DROP



But when i run the script its gives me like:

Configuring NAT & Transparent Proxy
iptables: Invalid argument
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Post by lambda »

run the script as "bash -ex scriptfile" and see where it stops.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
refra
Naik
Posts: 70
Joined: Wed Dec 06, 2006 3:51 pm

Post by refra »

+ /sbin/iptables -t nat -A POSTROUTING -m mac --mac-source 00:0C:29:0A:CE:08 -j MASQUERADE
iptables: Invalid argument
lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Post by lambda »

you probably need to tell iptables which output interface (something like "-o eth1") to use on that line.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
Post Reply