Re: Abrir puertos para el donkey - solucionado -
At 07:22 27/12/2002 -0300, Ariel Nardelli wrote:
YA ESTA!!!!
Perdonnnnnn
Tenia mal una ip, lo revise, encontre el error y correji las ip y ahora
anda.
Utilizo el mismo forward que esta ahora comentado para mandar el puerto
4662 a la ip del windows y anda perfecto...
Perdon por la pregunta "al cuete"
Hola a todos...
Tengo una debian woody instalada y conectada a internet por modem, ,y
tengo una pequeña red con un windows detras a la cual accedo a internet
pasando por la woody que esta haciendo masquerade.
Todo funciona bien, excepto por el donkey que siempre que conecto a un
servidor me da un uid bajo con el consiguiente problema de no poder bajar
directamente.
En teoria el problema del uid bajo es por que el servidor no puede
conectarse con el cliente en forma directa, eso es por que en teoria yo
no tengo abierto el puerto 4662 que es el que usa el donkey por
defecto.
Pero el tema es que si lo tengo abierto, lo abro con el iptables, pero me
parece que el problema es que se abre el puerto pero mi windows que esta
detras no lo detecta por asi decirlo y por eso me ligo el mensaje, o bien
los paquetes se quedan perdidos en el linux y no se redirecciona hacia mi
windows.
Realmente no encuentro la explicacion.
Lo que yo necesitaria es lograr que el puerto 4662 sea escuchado por el
win o bien que le lleguen al win, se entiende?
Teniendo lowid todo el tiempo se me hace casi imposible bajar
cosas...
Trate de hacer un ipforward pero no logre nada :(
El linux tiene una ip 192.168.1.1 y mi windows tiene la ip
192.168.1.3.
Acepto cualquier tipo de ideas o sugerencias...
Aca va mi scrip de iptables para ver si alguien encuentra
algo...
#!/bin/sh
#
# rc.firewall-2.4-stronger
FWVER=0.63s
# An example of a
stronger IPTABLES firewall with IP Masquerade
# support for 2.4.x
kernels.
#
# Log:
# 0.63s - Added support for the IRC
module
# 0.62s - Initial version based upon
the basic 2.4.x rc.firewall
echo -e "\nLoading STRONGER rc.firewall - version
$FWVER..\n"
#Setting the EXTERNAL and INTERNAL interfaces for the network
#
# Each IP Masquerade network needs to have at least one
# external and one internal network. The external
network
# is where the natting will occur and the internal network
# should preferably be addressed with a RFC1918 private
address
# scheme.
#
# For this example, "eth0" is external and
"eth1" is internal"
#
# NOTE: If this doesnt EXACTLY fit your configuration, you
must
# change the EXTIF or
INTIF variables above. For example:
#
#
EXTIF="ppp0"
#
# if
you are a modem user.
#
EXTIF="ppp0"
INTIF="eth0"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
echo " ---"
# Specify your Static IP address here or let the script take care of it
# for you.
#
# If you prefer to use STATIC addresses in your firewalls,
un-# out the
# static example below and # out the dynamic line. If
you don't care,
# just leave this section alone.
#
# If you have a DYNAMIC IP address, the ruleset already takes
care of
# this for you. Please note that the different single
and double quote
# characters and the script MATTER.
#
#
# DHCP users:
# -----------
# If you get your TCP/IP address via DHCP, **you will need **
to enable the
# #ed out command below underneath the PPP section AND
replace the word
# "eth0" with the name of your EXTERNAL Internet
connection (ppp0, ippp0,
# etc) on the lines for "ppp-ip" and
"extip". You should also note that the
# DHCP server can and will change IP addresses on you.
To deal with this,
# users should configure their DHCP client to re-run the
rc.firewall ruleset
# everytime the DHCP lease is renewed.
#
# NOTE #1: Some DHCP clients like the
original "pump" (the newer
#
versions have been fixed) did NOT have the ability to run
#
scripts after a lease-renew. Because of this, you need to
#
replace it with something like "dhcpcd" or
"dhclient".
#
# NOTE #2: The syntax for
"dhcpcd" has changed in recent versions.
#
#
Older versions used syntax like:
#
dhcpcd -c /etc/rc.d/rc.firewall eth0
#
#
Newer versions execute a file called /etc/dhcpc/dhcpcd-eth0.exe
#
# NOTE #3: For Pump users, put the
following line in /etc/pump.conf:
#
#
script /etc/rc.d/rc.firewall
#
# PPP users:
# ----------
# If you aren't already aware, the /etc/ppp/ip-up script is
always run when
# a PPP connection comes up. Because of this, we can
make the ruleset go and
# get the new PPP IP address and update the strong firewall
ruleset.
#
# If the /etc/ppp/ip-up file already exists, you should edit
it and add a line
# containing "/etc/rc.d/rc.firewall" near the end
of the file.
#
# If you don't already have a /etc/ppp/ip-up sccript, you
need to create the
# following link to run the /etc/rc.d/rc.firewall
script.
#
# ln -s /etc/rc.d/rc.firewall
/etc/ppp/ip-up
#
# * You then want to enable the #ed out shell command below
*
#
#
# Determine the external IP automatically:
# ----------------------------------------
#
EXTIP="`/sbin/ifconfig $EXTIF | grep 'inet addr' | awk '{print $2}'
| sed -e 's/.*://'`"
# For users who with to use STATIC IP addresses:
#
# # out the EXTIP line above and un-# out the EXTIP line
below
#
#EXTIP="your.static.PPP.address"
echo " External IP: $EXTIP"
echo " ---"
# Assign the internal TCP/IP network and IP address
INTNET="192.168.1.0/24"
INTIP="192.168.1.2/24"
PORTFWIP="192.168.1.2"
echo " Internal Network: $INTNET"
echo " Internal IP:
$INTIP"
echo " Apache LAN IP: $PORTFWIP"
echo " ---"
# The location of various iptables and other shell programs
#
# If your Linux distribution came with a copy of iptables,
most
# likely it is located in /sbin. If you manually
compiled
# iptables, the default location is in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPTABLES=/sbin/iptables
#IPTABLES=/usr/local/sbin/iptables
#
LSMOD=/sbin/lsmod
GREP=/bin/grep
AWK=/usr/bin/awk
# Setting a few other local variables
#
UNIVERSE="0.0.0.0/0"
#======================================================================
#== No editing beyond this line is required for initial MASQ testing
==
# Need to verify that all modules have all required dependencies
#
echo " - Verifying that all kernel modules are ok"
/sbin/depmod -a
echo -en " Loading kernel modules:
"
# With the new IPTABLES code, the core MASQ functionality is now
either
# modular or compiled into the kernel. This HOWTO shows ALL
IPTABLES
# options as MODULES. If your kernel is compiled correctly, there
is
# NO need to load the kernel modules manually.
#
# NOTE: The following items are listed ONLY for informational
reasons.
# There is no reason to manual
load these modules unless your
# kernel is either
mis-configured or you intentionally disabled
# the kernel module
autoloader.
#
# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE: Only load the IP MASQ modules you need. All current
IP MASQ
# modules are shown below but
are commented out from loading.
#
===============================================================
#Load the main body of the IPTABLES module - "iptable"
# - Loaded automatically when the "iptables" command is
invoked
#
# - Loaded manually to clean up kernel auto-loading timing
issues
#
echo -en "ip_tables, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ];
then
/sbin/insmod ip_tables
fi
#Load the IPTABLES filtering module - "iptable_filter"
#
# - Loaded automatically when filter policies are
activated
#Load the stateful connection tracking framework -
"ip_conntrack"
#
# The conntrack module in itself does nothing without other
specific
# conntrack modules being loaded afterwards such as the
"ip_conntrack_ftp"
# module
#
# - This module is loaded automatically when MASQ functionality is
# enabled
#
# - Loaded manually to clean up kernel auto-loading timing
issues
#
echo -en "ip_conntrack, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `"
]; then
/sbin/insmod ip_conntrack
fi
#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to
deactivate
#
echo -e "ip_conntrack_ftp, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'}
`" ]; then
/sbin/insmod ip_conntrack_ftp
fi
#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to
deactivate
#
echo -en
"
ip_conntrack_irc, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'}
`" ]; then
/sbin/insmod ip_conntrack_irc
fi
#Load the general IPTABLES NAT code - "iptable_nat"
# - Loaded automatically when MASQ functionality is turned on
#
# - Loaded manually to clean up kernel auto-loading timing
issues
#
echo -en "iptable_nat, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ];
then
/sbin/insmod iptable_nat
fi
#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to
deactivate
#
echo -e "ip_nat_ftp"
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ];
then
/sbin/insmod ip_nat_ftp
fi
echo " ---"
# Just to be complete, here is a list of the remaining kernel modules
# and their function. Please note that several modules should be
only
# loaded by the correct master kernel module for proper operation.
#
--------------------------------------------------------------------
#
# ipt_mark - this
target marks a given packet for future action.
#
This automatically loads the ipt_MARK module
#
# ipt_tcpmss - this target
allows to manipulate the TCP MSS
#
option for braindead remote firewalls.
#
This automatically loads the ipt_TCPMSS module
#
# ipt_limit - this target
allows for packets to be limited to
#
to many hits per sec/min/hr
#
# ipt_multiport - this match allows for targets
within a range
#
of port numbers vs. listing each port individually
#
# ipt_state - this match
allows to catch packets with various
#
IP and TCP flags set/unset
#
# ipt_unclean - this match allows to
catch packets that have invalid
#
IP/TCP flags set
#
# iptable_filter - this module allows for packets to be
DROPped,
#
REJECTed, or LOGged. This module automatically
#
loads the following modules:
#
#
ipt_LOG - this target allows for packets to be
#
logged
#
#
ipt_REJECT - this target DROPs the packet and returns
#
a configurable ICMP packet back to the
#
sender.
#
# iptable_mangle - this target allows for packets to be
manipulated
#
for things like the TCPMSS option, etc.
#CRITICAL: Enable IP forwarding since it is disabled by default
since
#
# Redhat
Users: you may try changing the options in
#
/etc/sysconfig/network from:
#
#
FORWARD_IPV4=false
#
to
#
FORWARD_IPV4=true
#
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or
DHCP,
# enable this following option. This enables
dynamic-address hacking
# which makes the life with Diald and similar programs much
easier.
#
echo " Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " ---"
#############################################################################
#
# Enable Stronger IP forwarding and Masquerading
#
# NOTE: In IPTABLES speak, IP Masquerading is a form of
SourceNAT or SNAT.
#
# NOTE #2: The following is an example for an internal LAN
address in the
#
192.168.0.x network with a 255.255.255.0 or a "24" bit subnet
# mask
connecting to the Internet on external interface "eth0".
# This
example will MASQ internal traffic out to the Internet
# not
not allow non-initiated traffic into your internal network.
#
#
# ** Please change the
above network numbers, subnet mask, and your
# *** Internet connection
interface name to match your setup
#
#Clearing any previous configuration
#
# Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to
DROP.
#
# You CANNOT change this to REJECT as it isn't a vaild
setting for a
# policy. If you want REJECT, you must explictly
REJECT at the end
# of a giving INPUT, OUTPUT, or FORWARD chain
#
echo " Clearing any existing rules and setting default policy
to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
#Not needed and it will only load the unneeded kernel module
#$IPTABLES -F -t mangle
#
# Flush the user chain.. if it exists
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
$IPTABLES -F drop-and-log-it
fi
#
# Delete all User-specified chains
$IPTABLES -X
#
# Reset all IPTABLES counters
$IPTABLES -Z
#Configuring specific CHAINS for later use in the ruleset
#
# NOTE: Some users prefer to have their firewall
silently
# "DROP"
packets while others prefer to use "REJECT"
# to send ICMP error
messages back to the remote
# machine. The
default is "REJECT" but feel free to
# change this
below.
#
# NOTE: Without the --log-level set to "info", every
single
# firewall hit will goto ALL
vtys. This is a very big
# pain.
#
echo " Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
#$IPTABLES -A drop-and-log-it -j LOG --log-level 3
#$IPTABLES -A drop-and-log-it -j LOG
$IPTABLES -A drop-and-log-it -j DROP
echo -e "\n - Loading INPUT rulesets"
#######################################################################
# INPUT: Incoming traffic from various internfaces. All rulesets
are
# already flushed and set to a
default policy of DROP.
#
# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interface, local machines, going anywhere is valid
#
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
# regla de entrada para la interfase del VMware (vmnet8)
#
#$IPTABLES -A INPUT -i vmnet8 -s 172.16.83.1/32 -d 172.16.83.1/24 -j
ACCEPT
# regla en la intranet para permitir broadcast dhcp
#
$IPTABLES -A INPUT -i $INTIF -s $UNIVERSE -d 255.255.255.255/32 -j
ACCEPT
# permito acceso a dhcp solo a PCs de la LAN
#
#$IPTABLES -A INPUT -i $INTIF -s $UNIVERSE -d $INTNET -p udp --dport 67
-j ACCEPT
#$IPTABLES -A INPUT -i $INTIF -s $UNIVERSE -d $INTNET -p udp --dport 68
-j ACCEPT
# permito acceso desde inet (sólo un host) via ftp (port 21)
#
# $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 21
-j ACCEPT
# permito acceso desde inet via ssh (port 22)
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 22 -j
ACCEPT
# permito acceso desde inet a mi proxy (port 3128)
#
# $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 3128
-j ACCEPT
# permito acceso desde inet a sendmail (port 25)
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 25 -j
ACCEPT
# permito acceso desde inet al port 526 que no se que es
#
# $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport
5269 -j ACCEPT
# Permito acceso al port 24554 que creo es el binkd
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 24554
-j ACCEPT
# permito acceso al port 4662 para eDonkey
# $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 4661
-j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 4662
-j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p udp --dport 4666
-j ACCEPT
# permito acceso desde inet al port 80
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 80 -j
ACCEPT
# $IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -p tcp --dport 3128
-j ACCEPT
# remote interface, claiming to be local machines, IP spoofing, get
lost
#
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j
drop-and-log-it
# external interface, from any source, for ICMP traffic is valid
#
# If you would like your machine to "ping" from the
Internet,
# enable this next line
#
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j
ACCEPT
# remote interface, any source, going to permanent PPP address is
valid
#
#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
# Allow any related traffic coming back to the MASQ serer in
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state
\
ESTABLISHED,RELATED -j ACCEPT
# Catch all rule, all other incoming is denied and logged.
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading OUTPUT rulesets"
#######################################################################
# OUTPUT: Outgoing traffic from various internfaces. All rulesets
are
# already flushed and set
to a default policy of DROP.
#
# loopback interface is valid.
#
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interfaces, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
# local interface, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
# regla de salida para la interfase del VMware (vmnet8)
#
# $IPTABLES -A OUTPUT -o vmnet8 -s 172.16.83.1/32 -d 172.16.83.1/24 -j
ACCEPT
# regla de salida para la interfase del VMware (vmnet8)
#
# $IPTABLES -A OUTPUT -o $INTIF -s $UNIVERSE -d 255.255.255.255/32 -j
ACCEPT
# outgoing to local net on remote interface, stuffed routing, deny
#
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j
drop-and-log-it
# anything else outgoing on remote interface is valid
#
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
# Catch all rule, all other outgoing is denied and logged.
#
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j
drop-and-log-it
echo -e " - Loading FORWARD rulesets"
#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#
echo " - FWD: Allow all connections OUT and
only existing/related IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state
ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Port forward del port 80 hacia una máquina de la LAN:
# $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 80 -m state
\
# --state NEW,ESTABLISHED,RELATED -j ACCEPT
# $IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 \
# -j DNAT --to $PORTFWIP:80
# Proxy Transparente con Squid
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp --dport 80 \
-j REDIRECT --to-port 3128
$IPTABLES -A FORWARD -j drop-and-log-it
echo " - NAT: Enabling SNAT (MASQUERADE)
functionality on $EXTIF"
#
#More liberal form
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#
#Stricter form
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
#######################################################################
echo -e "\nDone.\n"
Reply to: