
Port forwarding doesn't work on a specific port



hi!
 
I'm trying hard to get port 12345 forwarded to 192.168.0.2
With the same settings port 7662 works, but there's no way to get 12345 forwarded ... ):
 
It would also be nice if anybody could tell me how I can close all ports on eth0 and then how I can allow them ...
 
Thanks anyway! (I hope everything is okay, this is my first time using a mailing list ...)
 
>>>Alois
 
Here are my nmasq and portfw files:
 
nmasq:
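#!/bin/sh
#
# rc.firewall-style NAT setup: flush the filter and nat tables, set the
# default policies, enable IPv4 forwarding and masquerade LAN traffic that
# leaves through the external interface.  The per-port DNAT rules live in
# the separate portfw script, which must run after this one (this script
# flushes the built-in chains that portfw fills).
#
# Environment: FWVER (optional) is only printed in the banner.
#
# -e aborts on the first failing command.  FORWARD is set to DROP before
# any ACCEPT rule is added, so an aborted run leaves forwarding closed
# rather than half-configured.  -u catches misspelled variable names.
set -eu

IPTABLES=/sbin/iptables
EXTIF="eth0"          # external (Internet-facing) interface
INTIF="eth1"          # internal LAN interface
CONNTRACK_MAX=65536   # size of the connection-tracking table

# printf instead of 'echo -e': /bin/sh's echo does not portably interpret \n.
printf '\n\nLoading simple rc.firewall version %s..\n' "${FWVER:-unknown}"
printf '   External Interface:  %s\n' "$EXTIF"
printf '   Internal Interface:  %s\n' "$INTIF"

echo "   enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "   clearing any existing rules and setting default policy.."
"$IPTABLES" -P INPUT ACCEPT
"$IPTABLES" -F INPUT
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -F OUTPUT
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -F FORWARD
"$IPTABLES" -t nat -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
# LAN -> Internet: everything.
"$IPTABLES" -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
# Internet -> LAN: only replies to connections the LAN opened, as the
# message above says.  New inbound connections are admitted per port by
# the portfw script (a FORWARD ACCEPT for NEW state plus the matching
# DNAT).  An unconditional "-i $EXTIF -o $INTIF -j ACCEPT" here would make
# the FORWARD DROP policy and portfw's per-port FORWARD rules ineffective:
# every packet routed from the external to the internal interface would
# be accepted regardless of port or connection state.
"$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
"$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

# Raise the connection-tracking table size.  The /proc entry name depends
# on the kernel version, so a missing file is reported but does not abort.
echo "$CONNTRACK_MAX" > /proc/sys/net/ipv4/ip_conntrack_max \
  || printf 'warning: could not set ip_conntrack_max\n' >&2

printf '\nDone.\n'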
 
portfw:
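#!/bin/sh
#
# Port forwarding and host hardening.  Run after the nmasq script, which
# flushes the built-in chains and sets the default policies (INPUT and
# OUTPUT ACCEPT, FORWARD DROP) that this script relies on.
#
# Sections:
#   1. DNAT single ports / port ranges from the external address to the
#      workstation, plus the matching FORWARD ACCEPT for NEW connections.
#   2. Drop forwarding from a fixed list of source addresses.
#   3. Restrict local services to the LAN.  INPUT policy is ACCEPT, so each
#      port gets an explicit LAN ACCEPT followed by a DROP for everyone else.
#      Closing all ports on EXTIF instead would mean a DROP policy on INPUT
#      (set in nmasq) and only ACCEPT rules here for the wanted services.
#   4. Log-and-drop chain for malformed TCP flag combinations, INVALID
#      state handling, MSS clamping and state-tracking ACCEPTs.
#   5. IPv4 sysctl hardening via /proc.
#
# A failing iptables command prints its error and the script continues, so
# the remaining hardening rules are still applied; check the output.
set -u

echo "Enabling PORTFW Redirection on the external LAN.."

IPTABLES="/sbin/iptables"
INTIF="eth1"               # LAN interface
EXTIF="eth0"               # Internet-facing interface
WORKSTATION="192.168.0.2"  # DNAT target for every forwarded port
LANNET="192.168.0.1/24"    # iptables masks the host bits, i.e. 192.168.0.0/24

# Current address of the external interface.  The DNAT rules match on it
# explicitly, so the script must be re-run whenever that address changes.
EXTIP=$(/sbin/ifconfig "$EXTIF" | grep 'inet addr:' | cut -f2 -d":" | awk '{ print $1 }')
if [ -z "$EXTIP" ]; then
  printf 'warning: no address found on %s, port forwarding rules are skipped\n' "$EXTIF" >&2
fi

#######################################
# Forward one port or port range from EXTIP to WORKSTATION.
# Arguments: $1 - protocol (tcp or udp)
#            $2 - port, or a range as LOW:HIGH
# Adds a FORWARD ACCEPT for NEW/ESTABLISHED/RELATED traffic on that port
# and the PREROUTING DNAT.  A range is redirected without a target port so
# the original destination port is kept.  Skipped when EXTIP is unknown.
#######################################
fwd() {
  [ -n "$EXTIP" ] || return 0
  case "$2" in
    *:*) _to=$WORKSTATION ;;
    *)   _to="$WORKSTATION:$2" ;;
  esac
  "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" -p "$1" --dport "$2" \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -t nat -A PREROUTING -p "$1" -d "$EXTIP" --dport "$2" -j DNAT --to "$_to"
}

#######################################
# Allow a local service only from the LAN.
# Arguments: $1 - protocol, $2 - port
#######################################
lan_only() {
  "$IPTABLES" -A INPUT -p "$1" -s "$LANNET" --dport "$2" -j ACCEPT
  "$IPTABLES" -A INPUT -p "$1" --dport "$2" -j DROP
}

#######################################
# Send TCP packets with a flag combination that never occurs in normal
# traffic to the logging MY_DROP chain, in INPUT and FORWARD.
# Arguments: $1 - flags to examine, $2 - flags that must be set
#######################################
scan_drop() {
  "$IPTABLES" -A INPUT -p tcp --tcp-flags "$1" "$2" -j MY_DROP
  "$IPTABLES" -A FORWARD -p tcp --tcp-flags "$1" "$2" -j MY_DROP
}

#------------------------
#Port forwarding, programs
#------------------------

#eMule
fwd tcp 7662
fwd udp 7662
#eMule Webserver
fwd tcp 57662

#FSWeMule
fwd tcp 9662
fwd udp 9662
#FSWeMule Webserver
fwd tcp 59662

#FTP WORKSTATION
fwd tcp 12345
#Passive port range for FTP WORKSTATION
fwd tcp 49152:51199

#VNC WORKSTATION
fwd tcp 5800
fwd tcp 5900

#--------------------
#Port forwarding, games
#--------------------

#rise of nations
#fwd tcp 34987
#fwd udp 34987
#fwd tcp 28293
#fwd udp 28293

#UnrealTournament (the two udp entries originally had only the DNAT half;
#fwd adds the FORWARD ACCEPT as well)
#fwd tcp 28902
#fwd tcp 7777:7787
#fwd udp 27900
#fwd udp 7777:7787

#Diablo II
#fwd tcp 4000
#fwd tcp 6112
#fwd tcp 6119
#fwd udp 4000
#fwd udp 6112
#fwd udp 6119

#Serious Sam 2
#fwd tcp 25600
#fwd udp 25600

#------------------------
#Security blocks / etc
#------------------------

# Blocked source addresses: inserted at the top of FORWARD so they take
# precedence over every ACCEPT appended above and below.
for blocked in 194.158.136.95 194.158.136.96 212.88.169.23 194.112.167.226 \
               195.58.165.220 195.58.165.219 194.129.73.179; do
  "$IPTABLES" -I FORWARD -s "$blocked" -j DROP
done
#"$IPTABLES" -I FORWARD -s 194.48.124.50 -j DROP

# Close ports to the outside (the LAN keeps access)
for port in 9 13 37 113 515 32768 6543 4446; do
  lan_only tcp "$port"
done

# Samba: LAN only
lan_only tcp 139

# Webmin: LAN only
lan_only tcp 10000

# Portmap: not reachable from outside
lan_only tcp 111
lan_only udp 111

# X11: LAN only
lan_only tcp 6001

# MY_DROP chain: rate-limited log, then drop.  Creating the chain fails
# when it already exists (nmasq flushes only the built-in chains), so fall
# back to flushing it; otherwise every re-run appends duplicate rules.
"$IPTABLES" -N MY_DROP 2>/dev/null || "$IPTABLES" -F MY_DROP
"$IPTABLES" -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
"$IPTABLES" -A MY_DROP -j DROP

# Log all dropped packets (rate limited)
for chain in INPUT OUTPUT FORWARD; do
  "$IPTABLES" -A "$chain" -m state --state INVALID -m limit --limit 7200/h \
    -j LOG --log-prefix "$chain INVALID "
done

# Reject corrupt packets
for chain in INPUT OUTPUT FORWARD; do
  "$IPTABLES" -A "$chain" -m state --state INVALID -j DROP
done

# Drop stealth scans etc.  In FORWARD these rules sit after the per-port
# ACCEPTs from fwd, so they only see packets those rules did not accept.
scan_drop ALL NONE          # no flags set
scan_drop SYN,FIN SYN,FIN   # SYN and FIN set together
scan_drop SYN,RST SYN,RST   # SYN and RST set together
scan_drop FIN,RST FIN,RST   # FIN and RST set together
scan_drop ACK,FIN FIN       # FIN without ACK
scan_drop ACK,PSH PSH       # PSH without ACK
scan_drop ACK,URG URG       # URG without ACK

# Clamp the maximum segment size (MSS) of forwarded TCP SYNs to the PMTU
"$IPTABLES" -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Connection tracking
"$IPTABLES" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# '! -i' is the current negation syntax; '-i ! eth0' is the deprecated form.
"$IPTABLES" -A FORWARD ! -i "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Disable BOOTP relaying and proxy ARP on every interface.  A missing
# file (kernel without the option) is ignored.
for conf in /proc/sys/net/ipv4/conf/*; do
  echo 0 > "$conf/bootp_relay" 2> /dev/null
  echo 0 > "$conf/proxy_arp" 2> /dev/null
done

# Ignore bogus ICMP error responses
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2> /dev/null

# Ignore ICMP echo broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null

# Send at most 500 ICMP per second (5 per jiffie)
echo 5 > /proc/sys/net/ipv4/icmp_ratelimit

# Memory thresholds and timeout for IP de-/fragmentation
echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
echo 30 > /proc/sys/net/ipv4/ipfrag_time

# TCP FIN timeout, to limit exposure to DoS attacks
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

# At most 3 answers to a TCP SYN
echo 3 > /proc/sys/net/ipv4/tcp_retries1

# Retransmit TCP packets at most 15 times
echo 15 > /proc/sys/net/ipv4/tcp_retries2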
