* Re: Trying to setup EMULE and IIS on LAN machine, behind firewall.
       [not found] <OF5E019209.0D837F1C-ON80256D4A.002AE9A2@start-global.com>
@ 2003-06-22  6:27 ` Tasha Smith
  0 siblings, 0 replies; 3+ messages in thread
From: Tasha Smith @ 2003-06-22  6:27 UTC (permalink / raw)
  To: richardo, netfilter

Hi Guys....

Well, after playing around with some RULES and EMULE not working properly... I tried
this combination... and it worked! I got a "HIGH ID". For those of you using EMULE,
here it is for future reference. I'm not saying it is right, and I'm not sure how secure
this is... So any feedback would be good - suggestions -
Well, here's the end part of my SCRIPT where I added the rules... for port 4662 and
stuff!
####################################################################################
#My rules for EMULE;
$iptables -A INPUT -p tcp --dport 4662 -j ACCEPT   # <------
$iptables -A OUTPUT -p tcp --sport 4662 -j ACCEPT  # <------
$iptables -t nat -A PREROUTING -d $IP_INET -p tcp --dport 4662 -j DNAT --to 192.168.0.69:4662  # <------
#These are my Forwarding rules.
$iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
$iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 25,80,110,443 -j ACCEPT
$iptables -A FORWARD -i eth1 -p tcp --dport 21 -j ACCEPT
$iptables -A FORWARD -i eth1 -p tcp --dport 1863 -j ACCEPT
$iptables -A FORWARD -i eth1 -p tcp --dport 1214 -j ACCEPT
$iptables -A FORWARD -i eth1 -p udp --dport 1214 -j ACCEPT
$iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 4242,4661,4662 -j ACCEPT  # <---
$iptables -A FORWARD -i eth1 -p udp -m multiport --dport 4661,4662,4772 -j ACCEPT  # <---
$iptables -A FORWARD -p tcp --dport 4662 -i eth0 -o eth1 -j ACCEPT  # <-----
$iptables -A FORWARD -p udp --dport 4662 -i eth0 -o eth1 -j ACCEPT  # <-----
####################################################################################

Does it make sense or did I open up a "HOLE"!!!

Tasha@---<------





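To answer the "did I open up a HOLE" question above in a repeatable way, here is an added Python rule audit (written for this page, not code from the thread or from the netfilter project) run over the rules quoted in this message; it assumes eth0 is the ISP-facing interface, as in the posted script, and its parser understands only the option shapes that appear there.

```python
import shlex

WAN_IF = "eth0"  # assumption: eth0 faces the ISP, as in the posted script

# Constructed sample: rules copied from the script posted in this thread, with
# wrapped lines joined; $iptables and $IP_INET stay as the script's variables.
SAMPLE_RULES = """\
$iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
$iptables -A OUTPUT -p tcp --sport 4662 -j ACCEPT
$iptables -t nat -A PREROUTING -d $IP_INET -p tcp --dport 4662 -j DNAT --to 192.168.0.69:4662
$iptables -A FORWARD -p tcp --dport 4662 -i eth0 -o eth1 -j ACCEPT
$iptables -A INPUT -i eth0 -p tcp ! --syn --sport 80 -d $IP_INET --dport 1024:65535 -j ACCEPT
$iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
$iptables -A FORWARD -i eth1 -p tcp --dport 21 -j ACCEPT
"""

def parse_rule(line):
    """Map one '$iptables ...' line to {option: value}; '! --syn' is keyed '!--syn'."""
    toks = shlex.split(line)[1:]          # drop the $iptables variable
    rule, i, neg = {"table": "filter"}, 0, False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":                    # negation applies to the next option
            neg, i = True, i + 1
            continue
        key, neg = ("!" if neg else "") + tok, False
        nxt = toks[i + 1] if i + 1 < len(toks) else "-"
        if tok in ("-t", "-A"):
            rule["table" if tok == "-t" else "chain"], i = nxt, i + 2
        elif nxt.startswith("-") or nxt == "!":
            rule[key], i = True, i + 1    # flag-style option such as --syn
        else:
            rule[key], i = nxt, i + 2     # option with one value
    return rule

def audit_rule(rule):
    """Return (severity, message) findings for common port-forwarding mistakes."""
    f, chain, target = [], rule.get("chain"), rule.get("-j")
    accept = target == "ACCEPT"
    if accept and chain == "INPUT" and "-i" not in rule:
        f.append(("high", f"INPUT ACCEPT for dport {rule.get('--dport')} is not pinned to an interface, so it opens that port on the firewall itself from the WAN; DNATed traffic never reaches INPUT, so pin it with -i or drop it"))
    if target == "DNAT" and "-i" not in rule:
        f.append(("medium", f"DNAT to {rule.get('--to')} matches every interface; add -i {WAN_IF} so LAN clients addressing the public IP are not redirected too"))
    if accept and chain == "FORWARD" and rule.get("-i") == WAN_IF and "-d" not in rule:
        f.append(("high", f"FORWARD ACCEPT from {WAN_IF} on dport {rule.get('--dport')} has no -d, so any LAN host listening on that port is reachable; add -d <forwarded host> and -m state --state NEW"))
    if accept and chain == "INPUT" and rule.get("-i") == WAN_IF and "--sport" in rule and "--state" not in rule:
        f.append(("high", f"INPUT ACCEPT on {WAN_IF} trusts source port {rule['--sport']}, which the remote end chooses, so dport {rule.get('--dport')} is open to anyone; use -m state --state ESTABLISHED,RELATED instead"))
    return f

def audit_script(text):
    """Audit every '$iptables' line in a script: list of (line, severity, message)."""
    findings = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("$iptables"):
            findings += [(line, s, m) for s, m in audit_rule(parse_rule(line))]
    return findings
```

Run `audit_script(SAMPLE_RULES)` to get four findings: the unpinned INPUT accept, the interface-less DNAT, the FORWARD accept with no destination host, and the source-port-80 accept from the WAN.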


* Re: Trying to setup EMULE and IIS on LAN machine, behind firewall.
       [not found] <OF7BE6399D.A8C699DB-ON80256D49.005627FB@start-global.com>
@ 2003-06-19  5:58 ` Tasha Smith
  0 siblings, 0 replies; 3+ messages in thread
From: Tasha Smith @ 2003-06-19  5:58 UTC (permalink / raw)
  To: richardo, netfilter

Hiii,

I tried getting EMULE working first by adding these rules to my iptables script; I
put these rules right above the FORWARD rules
 
$iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
$iptables -A OUTPUT -p tcp --sport 4662 -j ACCEPT
$iptables -t nat -A PREROUTING -d $IP_INET -p tcp --dport 4662 -j DNAT --to 192.168.0.69:4662
$iptables -t nat -A POSTROUTING -s 192.168.0.69 -p tcp --sport 4662 -j SNAT --to $IP_INET:4662

My windows machine has a PRIVATE address, 192.168.0.69, and even when I take the test:
http://www.thedonkeynetwork.com/connection_test

and I have EMULE running on my Windows machine, I get:
timeout : timeout on ip 199.99.99.99 (6 sec)
this means, that we even did not receive a
RESET signal; maybe due to a 'stealth' firewall

I tried to TELNET to the linux (FIREWALL/ROUTER) machine from a machine on a
different network but it WON'T let me connect either. Is there something else I could
try???

Thanks
Tasha!  




--- richardo@start-global.com wrote:
> 
> Hi Girl ;-)
> 
> I don't really know much about eMule, but reading from the link you gave,
> it appears that you will need to allow connections initiated from the
> outside world to connect to your windows machine (which has a 192.168.x.x
> address, correct ?) .... the same would be true for an IIS server
> 
> There are two ways that you can achieve this, either by using port
> forwarding or by using a valid internet IP address (if you have a spare one
> available).
> 
> Port Forwarding
> This involves setting up a couple of rules in the INPUT and OUTPUT chains
> of the firewall, to allow people to connect to that machine on ports 80
> (for IIS) and port 4662 ?? (for eDonkey/eMule). The firewall machine will
> then forward on the request to the windows machine. This is ok, but there
> could be some problems, like if you want your IIS server to be reachable on
> port 80 (the normal port), but you are already running a webserver on the
> firewall that uses port 80 ... in this case you will need to use the 'valid
> ip address' option, or reconfigure one of the webservers to use a different
> port. The same would be true for the eMule thing .....
> 
> So, to do this, set up some rules, as follows :
> 
> WIN_IP=internal.ipaddress.of.windowsmachine
> 
> # for the IIS server
> $iptables -A INPUT -p tcp --dport 80 -j ACCEPT
> $iptables -A OUTPUT -p tcp --sport 80 -j ACCEPT
> $iptables -t nat -A PREROUTING -d $IP_INET -p tcp --dport 80 -j DNAT --to $WIN_IP:80
> $iptables -t nat -A POSTROUTING -s $WIN_IP -p tcp --sport 80 -j SNAT --to $IP_INET:80
> 
> # for eMule
> $iptables -A INPUT -p tcp --dport 4662 -j ACCEPT
> $iptables -A OUTPUT -p tcp --sport 4662 -j ACCEPT
> $iptables -t nat -A PREROUTING -d $IP_INET -p tcp --dport 4662 -j DNAT --to $WIN_IP:4662
> $iptables -t nat -A POSTROUTING -s $WIN_IP -p tcp --sport 4662 -j SNAT --to $IP_INET:4662
> 
> ... I've not done any port forwarding myself before, so there could be a
> mistake in the rules above, but I think they should work ok .... if not
> mail me back and I'll confuse us both some more ;-) Once the rules have
> been set up, you would connect to the IIS server using the firewall's
> external IP address, as follows :
> 
> http://external.ipaddress.of.firewall
> 
> 
> Valid IP Address
> This involves setting up a full NAT implementation for the windows machine,
> and would be the preferred option, as port forwarding can be a little messy
> and also you could start other services on the windows machine and then
> just add rules into the FORWARD chain on the f/w to allow people to connect
> to the service ... if you have a spare external IP address, I would
> recommend this way of doing it.
> 
> So, to do this, set up some rules, as follows :
> 
> WIN_IP_LAN=internal.ipaddress.of.windowsmachine
> WIN_IP_INET=external.ipaddress.of.windowsmachine (<- this is the spare IP
> address you have been assigned by your ISP)
> 
> # for the IIS server
> $iptables -A FORWARD -d $WIN_IP_LAN -p tcp --dport 80 -j ACCEPT
> $iptables -A FORWARD -s $WIN_IP_LAN -p tcp --sport 80 -j ACCEPT
> $iptables -t nat -A PREROUTING -d $WIN_IP_INET -j DNAT --to $WIN_IP_LAN
> $iptables -t nat -A POSTROUTING -s $WIN_IP_LAN -j SNAT --to $WIN_IP_INET
> 
> #for the eMule thing ....
> $iptables -A FORWARD -d $WIN_IP_LAN -p tcp --dport 4662 -j ACCEPT
> $iptables -A FORWARD -s $WIN_IP_LAN -p tcp --sport 4662 -j ACCEPT
> $iptables -t nat -A PREROUTING -d $WIN_IP_INET -j DNAT --to $WIN_IP_LAN
> $iptables -t nat -A POSTROUTING -s $WIN_IP_LAN -j SNAT --to $WIN_IP_INET
> 
> .. you'll also need to setup an alias on the firewall's external network
> interface to listen for requests coming in for the WIN_IP_INET address, as
> follows :
> 
> ifconfig eth0:0 external.ipaddress.of.windowsmachine netmask
> external.mask.of.windowsmachine
> 
> ... if you then wanted to run another service on the windows machine (say
> telnet on port 23), you would only need to add rules to the FORWARD chain,
> as follows :
> 
> $iptables -A FORWARD -d $WIN_IP_INET -p tcp --dport 23 -j ACCEPT
> $iptables -A FORWARD -s $WIN_IP_LAN -p tcp --sport 23 -j ACCEPT
> 
> ... and you could then telnet to the machine from the internet ... ie the
> NAT setup hasn't changed, you've just allowed people to connect through on
> 23, to do this using port forwarding you would need to change not only the
> filter rules in the OUTPUT and INPUT chains, but also the PREROUTING and
> POSTROUTING nat rules ....
> 
> Once the rules have been set up, you would connect to the IIS server using
> the external IP address assigned to the windows machine, as follows :
> 
> http://external.ipaddress.of.windowsmachine
> 
> Hope this helps,
> Richard.
> 
> Richard Oatridge
> Head of IT, Start-global Ltd
> http://www.start-global.com
> tel :  +44 1564 779297
> email : richardo@start-global.com
> 





* Trying to setup EMULE and IIS on LAN machine, behind firewall.
@ 2003-06-18  8:31 Tasha Smith
  0 siblings, 0 replies; 3+ messages in thread
From: Tasha Smith @ 2003-06-18  8:31 UTC (permalink / raw)
  To: netfilter

Hi Boys

Hi, I'm running RedHat 7.3 - 2.4.20 Iptables 1.2.7a on my FIREWALL/ROUTER machine. I am
having some problems creating some rules for 2 programs I'm running on my Windows 2000
machine which is behind the FIREWALL/ROUTER machine (LAN). First I'm trying to get
EMULE (P2P) working properly; those of you who are familiar with it... I keep getting
a LOWID error even though I created a FORWARD rule. I can connect to the network but
with a LOWID. For those of you who do not know what that means, here is a link to what
it is.
http://www.edonkey2000.com/documentation/lowid.html

I think I need a rule to FORWARD my connection straight to my Windows 2000 machine.
Secondly I want to run IIS on my Windows 2000 machine. What would be the rules so
my LINUX (FIREWALL/ROUTER) would FORWARD requests to my WINDOWS machine on the LAN?
Would these 2 rules for EMULE and IIS be similar? Thanks for the help guys.

Here are my rules:

#Where my iptables are located
iptables="/usr/local/sbin/iptables"
 
# This will also update my ipaddress.
IP_INET=`/sbin/ifconfig eth0 | grep inet | cut -d: -f2 | cut -d\  -f1`

# Remove any existing rules from all chains.
$iptables --flush
$iptables -t nat --flush
$iptables -t mangle --flush

# Unlimited access on the loopback interface.
$iptables -A INPUT  -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT
	
# Set the default policy to drop.
$iptables --policy INPUT DROP
$iptables --policy FORWARD DROP
$iptables --policy OUTPUT ACCEPT

$iptables -t nat --policy PREROUTING ACCEPT
$iptables -t nat --policy OUTPUT ACCEPT
$iptables -t nat --policy POSTROUTING ACCEPT

$iptables -t mangle --policy PREROUTING ACCEPT
$iptables -t mangle --policy OUTPUT ACCEPT

# All of the bits are cleared
$iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
# SYN and FIN are both set
$iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN and RST are both set.
$iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# FIN and RST are both set
$iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j REJECT
$iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
# FIN is the only bit set, without the expected accompanying ACK
$iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
$iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j REJECT
# PSH is the only bit set, without the expected accompanying ACK
$iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
$iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j REJECT
# URG is the only bit set, without the expected accompanying ACK
$iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
$iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP

# Allow stateful connections 
$iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop Invalid connection
$iptables -A INPUT -m state --state INVALID -j LOG \
          --log-prefix "Invalid input: "
$iptables -A INPUT -m state --state INVALID -j DROP
         
$iptables -A OUTPUT -m state --state INVALID -j LOG \
          --log-prefix "Invalid output: " 
$iptables -A OUTPUT -m state --state INVALID -j DROP

$iptables -A FORWARD -m state --state INVALID -j LOG \
          --log-prefix "Invalid forward: "
$iptables -A FORWARD -m state --state INVALID -j DROP
 
# Allow Access for DNS UDP for my ISP DNS server.
if [ "$CONNECTION_TRACKING" = "1" ]; then
   $iptables -A OUTPUT -o eth0 -p udp \
            -s $IP_INET --sport 1024:65535 \
            -d 111.xx.4.130 --dport 53 \
            -m state --state NEW -j ACCEPT
fi

$iptables -A OUTPUT -o eth0 -p udp \
         -s $IP_INET     --sport 1024:65535 \
         -d 111.xx.4.130 --dport 53 -j ACCEPT


if [ "$CONNECTION_TRACKING" = "1" ]; then
    $iptables -A OUTPUT -o eth0 -p udp \
             -s $IP_INET --sport 1024:65535 \
             -d 111.xx.4.150 --dport 53 \
             -m state --state NEW -j ACCEPT
fi

$iptables -A OUTPUT -o eth0 -p udp \
         -s $IP_INET --sport 1024:65535 \
         -d 111.xx.4.150 --dport 53 -j ACCEPT
       
$iptables -A INPUT -i eth1 -p udp --dport 53 -j ACCEPT

# Allow access for my ISP DHCP server.
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $iptables -A OUTPUT -o eth0 -p udp \
             -s $IP_INET --sport 1024:65535 \
             -d 111.xx.4.129 --dport 67 \
             -m state --state NEW -j ACCEPT
fi

$iptables -A OUTPUT -o eth0 -p udp \
         -s $IP_INET      --sport 1024:65535 \
         -d 111.xx.4.129  --dport 67 -j ACCEPT

$iptables -A INPUT -i eth0 -p udp \
         -s 111.xx.4.129 --sport 67 \
         -d $IP_INET     --dport 1024:65535 -j ACCEPT

# Allow outgoing access for ftp sites
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $iptables -A OUTPUT -o eth0 -p tcp \
              -s $IP_INET --sport 1024:65535 \
              --dport 21 -m state --state NEW -j ACCEPT
fi

# The plain rule is added unconditionally, like the other blocks in this script.
$iptables -A OUTPUT -o eth0 -p tcp \
          -s $IP_INET --sport 1024:65535 \
          --dport 21 -j ACCEPT

# Allow my Windows machine to SSH here on Port 22
$iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT

# Allow access to remote webservers PORT 80.
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $iptables -A OUTPUT -o eth0 -p tcp \
             -s $IP_INET --sport 1024:65535 \
             --dport 80 -m state --state NEW -j ACCEPT
fi

$iptables -A OUTPUT -o eth0 -p tcp \
         -s $IP_INET --sport 1024:65535 \
         --dport 80 -j ACCEPT

$iptables -A INPUT -i eth0 -p tcp ! --syn \
          --sport 80 \
          -d $IP_INET --dport 1024:65535 -j ACCEPT

#Allow access from LAN to this Webserver for ACID+WebMin
$iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT 
$iptables -A INPUT -i eth1 -p tcp --dport 10000 -j ACCEPT

# Attempt to connect to HTTPS 443 connections.
if [ "$CONNECTION_TRACKING" = "1" ]; then
    $iptables -A OUTPUT -o eth0 -p tcp \
              -m state --state NEW --dport 443 \
              --sport 1024:65535 \
              -j ACCEPT
fi

$iptables -A OUTPUT -o eth0 -p tcp \
         -s $IP_INET --sport 1024:65535 \
         --dport 443 -j ACCEPT
 
$iptables -A INPUT -i eth0 -p tcp \
          --sport 443 \
         -d $IP_INET --dport 1024:65535 -j ACCEPT

$iptables -A INPUT -i eth1 -p tcp --dport 1241 -j ACCEPT


# Allow ping ICMP coming from LAN interface.
$iptables -A INPUT -i eth1 -p icmp \
	  -s 192.168.0.0/24 -j ACCEPT	 

#These are my Forwarding rules.
$iptables -A FORWARD -i eth1 -p tcp --dport 80 -j ACCEPT
$iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 25,80,110,443 -j ACCEPT
$iptables -A FORWARD -i eth1 -p tcp --dport 21 -j ACCEPT
$iptables -A FORWARD -i eth1 -p tcp --dport 22 -j ACCEPT
$iptables -A FORWARD -i eth1 -p udp --dport 1863 -j ACCEPT
$iptables -A FORWARD -i eth1 -p tcp --dport 1863 -j ACCEPT
$iptables -A FORWARD -i eth1 -p tcp --dport 1214 -j ACCEPT
$iptables -A FORWARD -i eth1 -p udp --dport 1214 -j ACCEPT
$iptables -A FORWARD -i eth1 -p tcp -m multiport --dport 4242,4224,4661,6667 -j ACCEPT
$iptables -A FORWARD -i eth1 -p udp -m multiport --dport 4662,4672 -j ACCEPT

#Enables Packet Forwarding
$iptables -t nat -A POSTROUTING -o eth0  -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward 

Tasha@---<-----



