Firewall Issue

Postby refra » Thu Jul 01, 2010 5:36 pm

Dear all,

I made the following firewall script:

#!/bin/bash

#######################
## Defining Variable ##
#######################
IPT="/sbin/iptables"
FILE="/etc/squid/mac-list"
NW="192.168.1.0/24"

###################
## ADMINS ##
###################
ADMIN1="10.1.2.211"
ADMIN2="10.1.2.212"

####################
## PORTS ##
####################
SSH="22"
FTP="21"
SMTP="25"
VNC1="5801:5810"
VNC2="5901:5910"
VNC3="6001:6010"

####################################
echo "Flush Existing Firewall Rules"
####################################
$IPT -F
$IPT -Z

sleep 2
echo
######################
echo "Defining Chains"
######################
$IPT -P INPUT ACCEPT
echo
########################
echo "Defining Policies"
########################
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -i lo -j ACCEPT
echo
###############################
echo "Now enable IP Forwarding"
###############################
echo "1" > /proc/sys/net/ipv4/ip_forward
echo
##########################################
echo "Configuring NAT & Transparent Proxy"
##########################################
while read -r MAC
do
    $IPT -A FORWARD -m mac --mac-source "$MAC" -j ACCEPT
    $IPT -t nat -A POSTROUTING -m mac --mac-source "$MAC" -j MASQUERADE
    #$IPT -t nat -A PREROUTING -p tcp --dport 80 -s $NW -j REDIRECT --to-port 8080
done < "$FILE"
########################### SSH RULES #####################################################
$IPT -A INPUT -p tcp --dport $SSH -m state --state NEW,ESTABLISHED,RELATED -s $ADMIN1 -j ACCEPT
################################ VNC RULES #####################################################
$IPT -A INPUT -p tcp --dport $VNC1 -m state --state NEW,ESTABLISHED,RELATED -s $ADMIN1 -j ACCEPT
$IPT -A INPUT -p tcp --dport $VNC2 -m state --state NEW,ESTABLISHED,RELATED -s $ADMIN1 -j ACCEPT
$IPT -A INPUT -p tcp --dport $VNC3 -m state --state NEW,ESTABLISHED,RELATED -s $ADMIN1 -j ACCEPT
$IPT -A INPUT -p tcp --dport $VNC1 -m state --state NEW,ESTABLISHED,RELATED -s $ADMIN2 -j ACCEPT
$IPT -A INPUT -p tcp --dport $VNC2 -m state --state NEW,ESTABLISHED,RELATED -s $ADMIN2 -j ACCEPT
$IPT -A INPUT -p tcp --dport $VNC3 -m state --state NEW,ESTABLISHED,RELATED -s $ADMIN2 -j ACCEPT
############################### DROP EVERYTHING EXCEPT ABOVE ##################################
$IPT -A INPUT -p tcp --dport $SSH -j DROP
$IPT -A INPUT -p tcp --dport $VNC1 -j DROP
$IPT -A INPUT -p tcp --dport $VNC2 -j DROP
$IPT -A INPUT -p tcp --dport $VNC3 -j DROP
$IPT -A FORWARD -i eth1 -j DROP



But when I run the script, it gives me:

Configuring NAT & Transparent Proxy
iptables: Invalid argument
refra
Naik
 
Posts: 69
Joined: Wed Dec 06, 2006 3:51 pm

Postby lambda » Thu Jul 01, 2010 10:43 pm

Run the script as "bash -ex scriptfile" and see where it stops.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
lambda
Major General
 
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Website: http://www.hungry.com/~fn/
Location: Lahore

Postby refra » Fri Jul 02, 2010 3:04 pm

+ /sbin/iptables -t nat -A POSTROUTING -m mac --mac-source 00:0C:29:0A:CE:08 -j MASQUERADE
iptables: Invalid argument
refra
Naik
 
Posts: 69
Joined: Wed Dec 06, 2006 3:51 pm

Postby lambda » Fri Jul 02, 2010 8:17 pm

You probably need to tell iptables which output interface (something like "-o eth1") to use on that line.
Watch out for the Manners Taliban!
Isn't it amazing how so many people can type "linuxpakistan.net" into their browsers but not "google.com"?
lambda
Major General
 
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Website: http://www.hungry.com/~fn/
Location: Lahore
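lambda's "bash -ex" trace is the right first step; the line it stops on fails because the mac match only exists in the PREROUTING, INPUT and FORWARD chains (it matches the source address of an incoming frame), so the kernel refuses it in nat POSTROUTING, which is exactly the "Invalid argument" shown. As an added example, not from the thread or either poster, the POSIX sh linter below checks a script's rule lines for that chain mismatch and for the glued "$ADMIN1-j" arguments before anything is loaded; the function names lint_rule and lint_script and the sample lines are constructed for this example.

```shell
#!/bin/sh
# Pre-flight lint for iptables rule lines (added example, not the thread's
# script). Two checks: "-m mac" outside PREROUTING/INPUT/FORWARD, which the
# kernel rejects with "Invalid argument", and a "-j" glued to the previous
# argument because of a missing space.
# lint_rule prints a diagnostic and returns 1 for a bad rule, 0 otherwise.
lint_rule() {
    rule=$1
    # Chain named by -A/-I (empty if the line has neither).
    chain=$(printf '%s\n' "$rule" | sed -n 's/.*-[AI] \([A-Za-z_]*\).*/\1/p')
    case " $rule " in
        *" -m mac "*)
            case "$chain" in
                PREROUTING|INPUT|FORWARD) ;;
                *) printf 'mac match not usable in chain "%s": %s\n' "$chain" "$rule"
                   return 1 ;;
            esac ;;
    esac
    if printf '%s\n' "$rule" | grep -q '[^[:space:]]-j[[:space:]]'; then
        printf 'missing space before -j: %s\n' "$rule"
        return 1
    fi
    return 0
}

# Lint every iptables/$IPT line of a script read on stdin; comments and
# blank lines are skipped. Exit status is the number of bad rules.
lint_script() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            \#*|'') ;;
            *iptables*|'$IPT'*) lint_rule "$line" || bad=$((bad + 1)) ;;
        esac
    done
    return "$bad"
}

# Constructed sample: three lines taken from the posted script.
sample='$IPT -A FORWARD -m mac --mac-source 00:0C:29:0A:CE:08 -j ACCEPT
$IPT -t nat -A POSTROUTING -m mac --mac-source 00:0C:29:0A:CE:08 -j MASQUERADE
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED -s 10.1.2.211-j ACCEPT'
printf '%s\n' "$sample" | lint_script || echo "bad rules: $?"
```

Run it as `sh lint.sh`, or feed the real script with `lint_script < firewall.sh`; a clean ruleset returns 0.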
