From: Goke Aruna
Reply-To: Goke Aruna
Subject: iptables h323 rrq and sip 5060
Date: Fri, 24 Jun 2005 19:42:37 +0100
To: netfilter@lists.netfilter.org

Kindly help. I am new to iptables and I wish to allow my workstations behind a firewall to get registered to an H.323 gatekeeper and a SIP proxy (the two servers are on public IPs, i.e. outside NAT). For the H.323 gatekeeper, the workstations need to connect on port 1720, and iptables does not allow this. The SIP proxy also needs port 5060. Can somebody please help? My firewall tables are as below.

Aruna

*mangle
:PREROUTING ACCEPT [693725:269731615]
:INPUT ACCEPT [17143:2024798]
:FORWARD ACCEPT [668493:267392562]
:OUTPUT ACCEPT [12304:1113266]
:POSTROUTING ACCEPT [681449:268539732]
COMMIT
# Completed on Fri Jun 24 13:42:48 2005
# Generated by iptables-save v1.2.7a on Fri Jun 24 13:42:48 2005
*nat
:PREROUTING ACCEPT [89368:5853018]
:POSTROUTING ACCEPT [36:5295]
:OUTPUT ACCEPT [767:52073]
-A PREROUTING -i eth0 -p udp -m udp --dport 0 -j REDIRECT --to-ports 5060
-A PREROUTING -i eth1 -p udp -m udp --dport 0 -j REDIRECT --to-ports 5060
-A PREROUTING -p tcp -m tcp --dport 1719 -j DNAT --to-destination 62.193.164.82:1719
-A PREROUTING -p tcp -m tcp --dport 1720 -j DNAT --to-destination 62.193.164.82:1720
-A PREROUTING -p udp -m udp --dport 1720 -j DNAT --to-destination 62.193.164.82:1720
-A PREROUTING -p udp -m udp --dport 1719 -j DNAT --to-destination 62.193.164.82:1719
-A PREROUTING -p udp -m udp --dport 1720 -j DNAT --to-destination 62.193.164.82:1719
-A PREROUTING -p tcp -m tcp --dport 1720 -j DNAT --to-destination 62.193.164.82:1719
-A POSTROUTING -o eth1 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Fri Jun 24 13:42:48 2005
# Generated by iptables-save v1.2.7a on Fri Jun 24 13:42:48 2005
*filter
:INPUT DROP [8020:1171278]
:FORWARD ACCEPT [111159:6603935]
:OUTPUT ACCEPT [12403:1157055]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6000:6009 -j DROP
-A INPUT -p tcp -m tcp --dport 7100 -j DROP
-A INPUT -p tcp -m tcp --dport 111 -j DROP
-A INPUT -p udp -m udp --dport 111 -j DROP
-A INPUT -s 127.0.0.1 -i eth0 -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6000:6009 -j DROP
-A INPUT -p tcp -m tcp --dport 7100 -j DROP
-A INPUT -p tcp -m tcp --dport 111 -j DROP
-A INPUT -p udp -m udp --dport 111 -j DROP
-A INPUT -s 127.0.0.1 -i eth0 -j DROP
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 6000:6009 -j DROP
-A INPUT -p tcp -m tcp --dport 7100 -j DROP
-A INPUT -p tcp -m tcp --dport 111 -j DROP
-A INPUT -p udp -m udp --dport 111 -j DROP
-A INPUT -s 127.0.0.1 -i eth0 -j DROP
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp ! --tcp-option 2 -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 21 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -s 10.60.0.0/255.255.0.0 -p tcp -m tcp --dport 139 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT
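As an added example (not code from the post or from the netfilter project), a small Python linter for iptables-save output that flags exact duplicate rules, rules whose match repeats an earlier one in the same chain with a different target (iptables takes the first terminating match, so the later DNAT for tcp/1720 never fires), and --dport 0, which matches destination port 0 only rather than every port. The sample dump is a constructed excerpt of the nat table above with counters zeroed.

```python
import re
from collections import Counter, defaultdict

# Constructed excerpt, in iptables-save format, of the nat table in the post above.
SAMPLE_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p udp -m udp --dport 0 -j REDIRECT --to-ports 5060
-A PREROUTING -p tcp -m tcp --dport 1720 -j DNAT --to-destination 62.193.164.82:1720
-A PREROUTING -p tcp -m tcp --dport 1720 -j DNAT --to-destination 62.193.164.82:1719
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

RULE_RE = re.compile(r"^-A (\S+)\s*(.*?)\s*-j (.+)$")

def parse_rules(dump):
    """Return (table, chain, match, target) for every -A line in the dump."""
    rules, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]  # *nat, *filter, ...
        elif line.startswith("-A "):
            chain, match, target = RULE_RE.match(line).groups()
            rules.append((table, chain, match, target))
    return rules

def exact_duplicates(rules):
    """Rules appended more than once: the later copies can never match first."""
    return sorted(r for r, n in Counter(rules).items() if n > 1)

def shadowed_targets(rules):
    """Same table/chain/match, different targets: iptables takes the first
    terminating match, so the later target never fires."""
    by_match = defaultdict(list)
    for table, chain, match, target in rules:
        by_match[(table, chain, match)].append(target)
    return {k: v for k, v in by_match.items() if len(set(v)) > 1}

def literal_port_zero(rules):
    """'--dport 0' matches port 0 only, not every port (a catch-all is 0:65535)."""
    return [r for r in rules if re.search(r"--dport 0(?!\S)", r[2])]

def lint(dump):
    rules = parse_rules(dump)
    return {"duplicates": exact_duplicates(rules), "shadowed": shadowed_targets(rules),
            "port_zero": literal_port_zero(rules)}
```

Run lint() over a full "iptables-save" dump to get all three findings at once; the filter table in the post trips the duplicate check many times over.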