jducharme23 asked:
Forwarding two UDP ports to multiple IP addresses
I have 1 public static IP going to one server, and from that server I'm using NAT through a second NIC for the rest of my network. On some of my machines I need to be able to receive on UDP ports 5198 and 5199, but I don't want to open up the rest of my network to these ports.
I am using iptables and am trying to forward UDP ports 5198 and 5199 to 10.10.11.1 - 10.10.11.46 and 10.10.12.1 - 10.10.12.46.
I have no trouble forwarding the ports to any one of these addresses, but when I try to forward them to all the addresses, I get no error from iptables, but none of my machines can see that the ports are open.
Any help would be great.
Thank you
Please paste the iptables rules you use to open and forward these ports.
ASKER CERTIFIED SOLUTION
ASKER
################################################################################
# You should put this config-file (iptables-firewall.conf) in, for example, /etc/ #
# Make sure it's only root readable! -> ("chmod 600" & "chown root" it!) #
################################################################################
# ------------------------------------------------------------------------------
# Configuration file for Arno's iptables single- & multi-homed firewall script (rc.iptables)
# (C) Copyright 2001-2003 by Arno van Amersfoort
# Homepage : http://rocky.molphys.leidenuniv.nl/
# Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email : a r n o v a AT x s 4 a l l DOT n l
# ------------------------------------------------------------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# ------------------------------------------------------------------------------
############################################
# Required variables for correct operation #
############################################
IPTABLES="/sbin/iptables" # Location of the iptables-binary (use 'locate iptables' or 'whereis iptables'
# to manually locate it).
EXT_IF="eth0" # The external interface that will be protected (and used as internet connection)
# This is probably ppp+ for (A)DSL (for non-transparent (A)DSL routers!)
# otherwise it should be "ethX" (ex. eth0)
EXT_IF_DHCP_IP=0 # Enable if THIS machine (dynamically) obtains its IP through DHCP (from your ISP)
################################################################################
# These options should (only) be used when you have an ADSL/DSL modem which works with a #
# PPPoE (PPP-over-Ethernet) or a PPPoA (PPP-over-ATM) connection (or similar 'ppp' connection). #
# #
# You can check whether this applies for your (hardware) setup with 'ifconfig' (a 'ppp' device is shown). #
# This means that if your modem is bridging (a transparent (NAT) router) or the network interface the modem is #
# connected to doesn't have an IP, you should leave the MODEM_xxx options disabled (default)! #
################################################################################
#MODEM_IF="eth1" # The physical(!) network interface your ADSL modem is connected to (this is not ppp0!)
#MODEM_IF_IP="10.0.0.150" # (OPTIONAL!) The IP of the network interface (MODEM_IF) your ADSL modem is connected
# to (IP shown for the modem interface (MODEM_IF) in 'ifconfig')
#MODEM_IP="10.0.0.138" # (OPTIONAL!) The IP of your (A)DSL modem itself
#####################################
# LAN & NAT (masquerading) settings #
#####################################
INT_IF="eth1" # Internal network interface or interfaces (multiple(!) interfaces should be
# space separated). Comment this out if you don't have any internal network interfaces.
INTERNAL_NET="10.0.0.0/8" # Your internal subnet which is connected to the internal interface (INT_IF). For
# multiple interfaces(!) you can either specify multiple subnets here or specify one
# big subnet for all internal interfaces. Note that packets from these subnets are always
# accepted!
NAT=1 # Enable this if you want to perform NAT for your internal network (LAN)
# (ie, share your internet connection with your internal net(s) connected to INT_IF)
#NAT_STATIC_IP="193.2.1.1" # (EXPERT SETTING!). In case you would like to use SNAT instead of MASQUERADING then
# uncomment and set the IP here of your static external IP-address.
NAT_INTERNAL_NET="10.10.9.0/24 10.10.10.0/24 10.10.11.0/24 10.10.12.0/24 10.10.13.0/24 10.10.21.0/24 10.10.22.0/24"
# (EXPERT SETTING!). Use this variable only if you want specific subnets or hosts to
# be able to access the internet. When no value is specified, your whole internal LAN
# will have access. In both cases it's only meaningful of course when NAT is enabled.
MODEM_INTERNAL_NET=$INTERNAL_NET # (EXPERT SETTING!). Here you can specify the hosts/local net(s) that should have
# access to the (A)DSL modem itself (manage modem settings). The default setting
# ($INTERNAL_NET) allows access from everybody on your LAN.
#PROXY_PORT="3128" # Enable this if you want to use a transparent proxy for your internal network
# (auto redirect of HTTP (port 80) traffic). You can optionally specify another
# proxy port (the default is set to 3128). Note that transparent proxies don't support
# username/password verification!
####################
# General settings #
####################
MANGLE_TOS=1 # Enable this if you want TOS mangling (RFC)
SET_MSS=1 # Set the maximum packet size via the Maximum Segment Size(MSS field)
RESOLV_IPS=0 # Enable this to resolve names of DNS/TH IP's etc.
USE_IRC=1 # Enable support for the IRC-protocol
LOOSE_FORWARD=0 # Forward loosen. Enable this option to allow the use of protocols like UPnP. Note
# that it *could* be less secure.
DROP_PRIVATE_ADDRESSES=1 # Enable this if you want to drop packets originating from a private address. Normally
# this should be enabled(1).
DROP_IANA_RESERVED=0 # Enable this if you want to drop addresses which are registered as reserved by IANA.
# This option exists as the IANA list simply changes too often.
DRDOS_PROTECT=1 # Protect this machine from being abused for a DRDOS-attack (Distributed Denial Of
# Service attack).
DHCP_BOOTP_NET="" # Enter here the subnet you are running a DHCP/BOOTP service (server) for on the
# external interface(!). Note that you don't need this for internal networks, as for
# these nets all protocols (also DHCP) are accepted by default.
FREESWAN_NET="" # Enter your remote Freeswan subnet(s) here to enable "Virtual IP"
# support for Freeswan. This allows you to have remote Virtual IP's which are in the
# same subnet as yourself, to be routed into your network.
#########################################################################
# Logging options - All logging is rate limited to prevent log flooding #
#########################################################################
BLOCKED_HOST_LOG=0 # Enable logging for explicitly blocked hosts
SCAN_LOG=1 # Enable logging for various stealth scans (reliable)
POSSIBLE_SCAN_LOG=0 # Enable logging for possible stealth scans (less reliable)
BAD_FLAGS_LOG=0 # Enable logging for TCP-packets with bad flags
INVALID_PACKET_LOG=0 # Enable logging of invalid packets
RESERVED_NET_LOG=0 # Enable logging of source IP's with reserved addresses
FRAG_LOG=0 # Enable logging of fragmented packets
DHCP_BROADCAST_LOG=0 # Enable logging of DHCP broadcasts. You probably want to disable(0) this if you
# have a DHCP server in your subnet but don't use it yourself.
LOST_CONNECTION_LOG=0 # Enable logging of (probable) "lost connections". Keep disabled to reduce false alarms
DENY_LOG=1 # Enable logging for explicitly DENIED packets (ports / protocols)
REJECT_LOG=0 # Enable logging for explicitly REJECTED packets (ports)
OUTPUT_DENY_LOG=1 # Enable logging of denied OUTPUT(local) or FORWARD(internal network) connections.
ICMP_DROP_LOG=0 # Enable logging for dropped ICMP-requests
PRIV_TCP_LOG=0 # Enable logging of (other) connection attempts to privileged TCP ports
PRIV_UDP_LOG=0 # Enable logging of (other) connection attempts to privileged UDP ports
UNPRIV_TCP_LOG=0 # Enable logging of (other) connection attempts to unprivileged TCP ports
UNPRIV_UDP_LOG=0 # Enable logging of (other) connection attempts to unprivileged UDP ports
OTHER_IP_LOG=0 # Enable logging of (other) connection attempts to "other-IP"-protocols (non TCP/UDP/ICMP)
ICMP_FLOOD_LOG=0 # Enable logging for ICMP flooding
#FIREWALL_LOG=/var/log/firewall # (EXPERT SETTING!). The location of the dedicated firewall log file. When enabled
# the firewall script will also log start/stop etc. info to this file as well.
# Note that in order to make this work, you should also configure syslogd to log
# firewall messages to this file (see LOGLEVEL below for further info)
LOGLEVEL=info # Current log-level ("info": default kernel syslog level)
# "debug": can be used to log to /var/log/firewall,
# but you have to configure syslogd accordingly (see included syslogd.conf example)
###########################################
# /proc based settings (EXPERT SETTINGS!) #
###########################################
SYN_PROT=1 # Enable if you want synflood protection (through /proc/.../tcp_syncookies)
REDUCE_DOS_ABILITY=1 # Enable this to reduce the ability of others DOS'ing your machine
ECHO_IGNORE=1 # Enable if you want to automatically ignore all ICMP echo-requests (IPv4)
# this is very useful in stopping lame DoS-Attacks (aka ping -f's)
LOG_MARTIANS=0 # Enable if you want to log packets with impossible addresses to the kernel log
ICMP_REDIRECT=0 # Enable if you want to accept ICMP redirect messages
# Should be set to "0" in case of a router
HIGHER_CONNTRACK=1 # Enable if you want to handle a huge number of simultaneous connections
# (uses more memory but recommended for (high-traffic) servers)
LOOSE_UDP_PATCH=0 # You may need to enable this to get some internet games to work,
# but note that it's *less* secure
ECN=0 # Enable ECN (Explicit Congestion Notification) TCP flag
# Disabled by default, as some routers are still not compatible with this
RP_FILTER=1 # Use the rp_filter to drop connections from non-routable IPs. This should be
# disabled(0) when you for example want to use Freeswan (VPN) to route external private
# addresses into your network.
################################################################################
# (EXPERT SETTING!). Put in the following variable to specify the subnets that are DMZ-classified. #
# This means that any FORWARD traffic from the external interface (in)to these interfaces is allowed. #
################################################################################
DMZ_IF=""
################################################################################
# (EXPERT SETTING!). (Other) trusted network interfaces for which ALL IP traffic should be ACCEPTED. #
# (multiple(!) interfaces should be space separated). Be warned that anything TO and FROM these interfaces is #
# allowed (ACCEPTED) so make sure it's NOT routable(accessible) from the outside world (internet)! #
################################################################################
TRUSTED_IF=""
################################################################################
# Put in the following variable which hosts (subnets) you want to have full access via your internet (EXT_IF) #
# connection(!). NOTE: Don't mistake this variable with the one used for internal nets (INT_IF) #
################################################################################
FULL_ACCESS_HOSTS=""
################################################################################
# Put in the following variable which DNS servers you use #
# Only required when you run your own DNS server (for example BIND) #
################################################################################
DNS_SERVERS="198.235.216.130 198.235.216.131"
# These are the root DNS-servers (uncomment lineS(!) below if you want to use them for BIND)
ROOT_DNS_SERVERS="128.63.2.53 192.33.4.12 192.112.36.4 192.5.5.241 128.9.0.107 \
198.41.0.10 193.0.14.129 198.32.64.12 202.12.27.33 192.36.148.17 \
192.203.230.10 128.8.10.90 198.41.0.4"
################################################################################
# Put in the following variables which ports or IP protocols you want to leave open to the whole world #
################################################################################
OPEN_TCP="22 10001"
OPEN_UDP="53"
OPEN_IP=""
OPEN_ICMP=0
################################################################################
# Put in the following variables the TCP/UDP ports you want to block for everyone. Also use these variables #
# if you want to log connection attempts to these ports from everyone (also trusted & full access hosts) #
################################################################################
DENY_TCP=""
DENY_UDP=""
################################################################################
# Put in the following variables which hosts you want to allow for certain services #
# TCP/UDP port format (HOST_OPEN_TCP & HOST_OPEN_UDP) : host1,host2>port1,port2 host3,host4>port3,port4 ... #
# IP protocol format (HOST_OPEN_IP) : host1,host2>proto1,proto2 host3,host4>proto3,proto4 ... #
################################################################################
HOST_OPEN_TCP=""
HOST_OPEN_UDP=""
HOST_OPEN_IP=""
HOST_OPEN_ICMP=""
################################################################################
# Put in the following variables which TCP/UDP ports you want to REJECT (instead of DROP) for certain hosts. #
# TCP/UDP port format (HOST_REJECT_xxx) : host1,host2>port1,port2 host3,host4>port3,port4 ... #
################################################################################
HOST_REJECT_TCP=""
HOST_REJECT_UDP=""
################################################################################
# Put in the following variables which ports you want to block for everyone but NOT logged. #
# This is very useful if you have constant probes on the same port(s) over and over again (code red worm) #
# and don't want your logs flooded with it. #
################################################################################
DENY_TCP_NOLOG=""
DENY_UDP_NOLOG=""
################################################################################
# Put in the following variables which TCP/UDP ports or IP protocols you DON'T want to log connection attempts #
# to from certain hosts. #
# TCP/UDP port format (HOST_DENY_xxx_NOLOG) : host1,host2>port1,port2 host3,host4>port3,port4 ... #
# IP protocol format (HOST_DENY_IP_NOLOG) : host1,host2>proto1,proto2 host3,host4>proto3,proto4 ... #
################################################################################
HOST_DENY_TCP_NOLOG=""
HOST_DENY_UDP_NOLOG=""
HOST_DENY_IP_NOLOG=""
################################################################################
# Put in the following variables which hosts you want to deny for certain services #
# TCP/UDP port format (HOST_DENY_TCP & HOST_DENY_UDP) : host1,host2>port1,port2 host3,host4>port3,port4 ... #
################################################################################
HOST_DENY_TCP=""
HOST_DENY_UDP=""
HOST_DENY_IP=""
HOST_DENY_ICMP=""
################################################################################
# Put in the following variables which ports/protocols THIS machine is NOT permitted to connect TO #
# (remote end-point) via the external (internet) interface. Example of usage is for blocking IRC (tcp 6666:6669)#
################################################################################
DENY_TCP_OUTPUT=""
DENY_UDP_OUTPUT=""
DENY_IP_OUTPUT=""
################################################################################
# Put in the following variables which TCP/UDP ports or IP protocols you want to log connection attempts to #
# from certain hosts. #
# TCP/UDP port format (LOG_HOST_xxx) : host1,host2>port1,port2 host3,host4>port3,port4 ... #
# IP protocol format (LOG_HOST_IP) : host1,host2>proto1,proto2 host3,host4>proto3,proto4 ... #
################################################################################
LOG_HOST_TCP=""
LOG_HOST_UDP=""
LOG_HOST_IP=""
################################################################################
# Put in the following variables which TCP/UDP ports or IP protocols you want to log outgoing connections #
# (attempts) of (packet watch). #
################################################################################
LOG_TCP_OUTPUT=""
LOG_UDP_OUTPUT=""
LOG_IP_OUTPUT=""
################################################################################
# Put in the following variables which TCP/UDP ports or IP protocols you want to log incoming connections #
# (attempts) of (packet watch). #
################################################################################
LOG_TCP_INPUT=""
LOG_UDP_INPUT=""
LOG_IP_INPUT=""
################################################################################
# NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to an internal client through (D)NAT #
# TCP/UDP form : "{SRCIP1,SRCIP2,...:}PORT1,PORT2-PORT3,...>DESTIP1{:port} {SRCIP3,...:}PORT3,...>DESTIP2{:port}" #
# IP form : "{SRCIP1,SRCIP2,...:}PROTO1,PROTO2,...>DESTIP1 {SRCIP3:}PROTO3,PROTO4,...>DESTIP2" #
# NOTE 1: {:port} is optional. Use it to redirect a specific port to a different port on the internal client #
# NOTE 2: {SRCIPx} is optional. Use it to restrict access to specific source IP addresses #
# NOTE 3: Port ranges MUST be written as "PORT1-PORT3" (ie. "1024-1030" would include ports 1024 through 1030) #
################################################################################
# NAT TCP port-forward(s).
#NAT_TCP_FORWARD="25>10.10.10.2 20,21,80,443,10000>10.10.10.6"
NAT_TCP_FORWARD="20,21,25,80,110,443,445,10000>10.10.10.6"
NAT_UDP_FORWARD="5198-5199>10.10.11.1-10.10.11.46 5198-5199>10.10.12.1-10.10.12.46"
# TCP/UDP port forward examples:
# Simple : NAT_xxx_FORWARD="80>192.168.0.10"
# Advanced : NAT_xxx_FORWARD="20,21>192.168.0.10 1.2.3.4:81>192.168.0.11:80"
NAT_IP_FORWARD="" # NAT IP protocol forward(s) (useful for forwarding non-TCP/UDP/ICMP protocols).
# NAT IP protocol forward example: "47,48>192.168.0.10"
################################################################################
# (EXPERT SETTING!) Put in the following variables the TCP/UDP ports or IP protocols TO (remote end-point) #
# which the MASQUERADED hosts(LAN) are permitted to connect to via the external (internet) interface. When #
# these variables are empty (""), these hosts are permitted to connect ANY port/protocol. #
################################################################################
LAN_ALLOW_TCP=""
LAN_ALLOW_UDP=""
LAN_ALLOW_IP=""
################################################################################
# Put in the following variables the TCP/UDP ports or IP protocols TO (remote end-point) which the MASQUERADED #
# hosts(LAN) are NOT permitted to connect to via the external (internet) interface. Examples of usage are for #
# blocking IRC (TCP 6666:6669) for the internal network #
################################################################################
LAN_DENY_TCP="25"
LAN_DENY_UDP=""
LAN_DENY_IP="25"
################################################################################
# Put in the following variable which hosts you want to block (blackhole, dropping every packet from the host) #
################################################################################
BLOCK_HOSTS=""
# Location of the BLOCKED HOSTS file (if any). Note that the last line of this file should always contain a
# carriage-return (enter)!
################################################################################
BLOCK_HOSTS_FILE=/etc/iptables-blocked-hosts
# Location of the custom IPTABLES rules file (if any):
################################################################################
CUSTOM_RULES=/etc/iptables-custom-rules
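The NAT_xxx_FORWARD format in the comment block of this config takes exactly one DESTIP per entry ("PORT1,PORT2-PORT3>DESTIP{:port}"); the NAT_UDP_FORWARD line puts an address range in that position, which the documented syntax does not provide for. The script below is an added example, not Arno's code and not from the original post: it expands a NAT_xxx_FORWARD string into the raw iptables commands it stands for and rejects any entry whose destination is not a single address, so a line like the UDP one is caught before anything reaches the kernel. EXT_IF and INT_IF are taken from the config; the rule layout (a DNAT rule in nat/PREROUTING plus a matching ACCEPT in filter/FORWARD per entry) is assumed, not copied from the script.

```shell
#!/bin/sh
# Added example (not from Arno's script or the original post): expand a
# NAT_xxx_FORWARD value written in the format documented above into the
# iptables commands it corresponds to. Nothing is executed; the commands are
# printed so they can be reviewed (or piped to sh) before touching the kernel.
# Assumptions: EXT_IF/INT_IF as in the config above; one DNAT rule in
# nat/PREROUTING plus one ACCEPT in filter/FORWARD per entry, which is the
# minimum any port-forward needs on a Linux NAT gateway.

EXT_IF="eth0"
INT_IF="eth1"

# The documented port-range syntax is "PORT1-PORT3"; iptables wants "PORT1:PORT3".
ipt_ports() {
    printf '%s' "$1" | sed 's/-/:/g'
}

# A DESTIP must be exactly one IPv4 address. "10.10.11.1-10.10.11.46" is
# rejected on purpose: a DNAT target is where each packet of a flow goes,
# so one rule cannot deliver the same datagram to 46 hosts.
valid_dest() {
    case "$1" in
        ""|*-*|*,*|*/*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# nat_forward_rules PROTO "SPEC"
# SPEC: "{SRCIP1,SRCIP2:}PORT1,PORT2-PORT3>DESTIP{:port} ..." (space-separated entries)
# Prints two iptables commands per (source, port) combination; an entry whose
# DESTIP is not a single address produces an "# ERROR" line instead.
nat_forward_rules() {
    proto="$1"
    for entry in $2; do
        lhs="${entry%%>*}"
        rhs="${entry#*>}"
        case "$lhs" in
            *:*) srcs="${lhs%%:*}"; ports="${lhs#*:}" ;;
            *)   srcs="";          ports="$lhs" ;;
        esac
        dest="${rhs%%:*}"
        case "$rhs" in
            *:*) redir="${rhs#*:}" ;;
            *)   redir="" ;;
        esac
        if ! valid_dest "$dest"; then
            printf '# ERROR: "%s" is not a single destination IP, entry "%s" skipped\n' "$dest" "$entry"
            continue
        fi
        # No source list means "any source"; a placeholder keeps the loop simple.
        srclist=$(printf '%s' "$srcs" | sed 's/,/ /g')
        [ -z "$srclist" ] && srclist="any"
        portlist=$(printf '%s' "$ports" | sed 's/,/ /g')
        for src in $srclist; do
            srcopt=""
            [ "$src" != "any" ] && srcopt=" -s $src"
            for p in $portlist; do
                dport=$(ipt_ports "$p")
                if [ -n "$redir" ]; then
                    target="$dest:$redir"; fwdport="$redir"
                else
                    target="$dest";        fwdport="$dport"
                fi
                printf 'iptables -t nat -A PREROUTING -i %s%s -p %s --dport %s -j DNAT --to-destination %s\n' \
                    "$EXT_IF" "$srcopt" "$proto" "$dport" "$target"
                printf 'iptables -A FORWARD -i %s -o %s%s -p %s -d %s --dport %s -j ACCEPT\n' \
                    "$EXT_IF" "$INT_IF" "$srcopt" "$proto" "$dest" "$fwdport"
            done
        done
    done
}

# Usage: the TCP line from the config above, and the UDP line that does not fit the format.
nat_forward_rules tcp "20,21,25,80,110,443,445,10000>10.10.10.6"
nat_forward_rules udp "5198-5199>10.10.11.1-10.10.11.46 5198-5199>10.10.12.1-10.10.12.46"
```

Run it as `sh expand.sh` to review the rules, or `sh expand.sh | sh` as root to load them; the `# ERROR` lines are comments to the shell, so a rejected entry is skipped rather than half-applied. Note that iptables itself does accept `--to-destination 10.10.11.1-10.10.11.46`, but that makes the kernel pick one address from the range for each new flow; every datagram still reaches exactly one host, and which one is not under the sender's control. A (public IP, protocol, port) tuple maps to one DNAT target, so if each internal host must be individually reachable from outside, each one needs its own external port (or its own public address).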
# You should put this config-file (iptables-firewall.conf) in for example in /etc/ #
# Make sure it's only root readable! -> "chmod 600" & "chown root" it!) #
##########################
# --------------------------
# Configuration file for Arno's iptables single- & multi-homed firewall script (rc.iptables)
# (C) Copyright 2001-2003 by Arno van Amersfoort
# Homepage : http://rocky.molphys.leidenuniv.nl/
# Freshmeat homepage : http://freshmeat.net/projects/iptables-firewall/?topic_id=151
# Email : a r n o v a AT x s 4 a l l DOT n l
# --------------------------
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
# --------------------------
##########################
# Required variables for correct operation #
##########################
IPTABLES="/sbin/iptables" # Location of the iptables-binary (use 'locate iptables' or 'whereis iptables'
# to manually locate it).
EXT_IF="eth0" # The external interface that will be protected (and used as internet connection)
# This is probably ppp+ for (A)DSL (for non-transparant (A)DSL routers!)
# otherwise it should be "ethX" (ex. eth0)
EXT_IF_DHCP_IP=0 # Enable if THIS machines (dynamically) obtains its IP through DHCP (from your ISP)
##########################
# These options should (only) be used when you have an ADSL/DSL modem which works with a #
# PPPoE (PPP-over-Ethernet) or a PPPoA (PPP-over-ATM) connection (or simular 'ppp' connection). #
# #
# You can check whether this applies for your (hardware) setup with 'ifconfig' (a 'ppp' device is shown). #
# This means that if your modem is bridging (a transparant (NAT) router) or the network interface the modem is #
# connected to doesn't have an IP, you should leave the MODEM_xxx options disabled (default)! #
##########################
#MODEM_IF="eth1" # The physical(!) network interface your ADSL modem is connected to (this is not ppp0!)
#MODEM_IF_IP="10.0.0.150" # (OPTIONAL!) The IP of the network interface (MODEM_IF) your ADSL modem is connected
# to (IP shown for the modem interface (MODEM_IF) in 'ifconfig')
#MODEM_IP="10.0.0.138" # (OPTIONAL!) The IP of your (A)DSL modem itself
##########################
# LAN & NAT (masquerading) settings #
##########################
INT_IF="eth1" # Internal network interface or interfaces (multiple(!) interfaces should be
# space seperated). Remark this if you don't have any internal network interfaces.
INTERNAL_NET="10.0.0.0/8" # Your internal subnet which is connected to the internal interface (INT_IF. For
# multiple interfaces(!) you can either specify multiple subnets here or specify one
# big subnet for all internal interfaces. Note that packets from these subnets are always
# accepted!
NAT=1 # Enable this if you want to perform NAT for your internal network (LAN)
# (ie, share your internet connection with your internal net(s) connected to INT_IF)
#NAT_STATIC_IP="193.2.1.1"
# uncomment and set the IP here of your static external IP-address.
# (EXPERT SETTING!). Use this variable only if you want specific subnets or hosts to
NAT_INTERNAL_NET="10.10.9.
# be able to access the internet. When no value is specified, you're whole internal LAN
# will have access. In both cases its only meaningful of course when NAT is enabled.
MODEM_INTERNAL_NET=$INTERN
# access to the (A)DSL modem itself (manage modem settings). The default setting
# ($INTERNAL_NET) allows access from everybody on your LAN.
#PROXY_PORT="3128" # Enable this if you want to use a transparent proxy for your internal network
# (auto redirect of HTTP (port 80) traffic). You can optionally specify another
# proxy port (the default is set to 3128). Note that transparent proxies don't support
# username/password verification!
####################
# General settings #
####################
MANGLE_TOS=1 # Enable this if you want TOS mangling (RFC)
SET_MSS=1 # Set the maximum packet size via the Maximum Segment Size(MSS field)
RESOLV_IPS=0 # Enable this to resolve names of DNS/TH IP's etc.
USE_IRC=1 # Enable support for the IRC-protocol
LOOSE_FORWARD=0 # Forward loosen. Enable this option to allow the use of protocols like UPnP. Note
# that it *could* be less secure.
DROP_PRIVATE_ADDRESSES=1 # Enable this if you want to drop packets originating from a private address. Normally
# this should be enabled(1).
DROP_IANA_RESERVED=0 # Enable this if you want to drop addresses which are registered as reserved by IANA.
# This option exists as the IANA list simply changes too often.
DRDOS_PROTECT=1 # Protect this machine from being abused for a DRDOS-attack (Distributed Denial Of
# Service attack).
DHCP_BOOTP_NET="" # Enter the subnet here you running a DHCP/BOOTP service (server) for on the
# external interface(!). Note that you don't need this for internal networks, as for
# these nets all protocols (also DHCP) are accepted by default.
FREESWAN_NET="" # Enter your remote Freeswan subnet(s) here to enable "Virtual IP"
# support for Freeswan. This allows you to have remote Virtual IP's which are in the
# same subnet as yourself, to be routed into your network.
##########################
# Logging options - All logging is rate limited to prevent log flooding #
##########################
BLOCKED_HOST_LOG=0 # Enable logging for explicitly blocked hosts
SCAN_LOG=1 # Enable logging for various stealth scans (reliable)
POSSIBLE_SCAN_LOG=0 # Enable logging for possible stealth scans (less reliable)
BAD_FLAGS_LOG=0 # Enable logging for TCP-packets with bad flags
INVALID_PACKET_LOG=0 # Enable logging of invalid packets
RESERVED_NET_LOG=0 # Enable logging of source IP's with reserved addresses
FRAG_LOG=0 # Enable logging of fragmented packets
DHCP_BROADCAST_LOG=0 # Enable logging of DHCP broadcasts. You probably want to disable(0) this if you
# have a DHCP server in your subnet but don't use it yourself.
LOST_CONNECTION_LOG=0 # Enable logging of (probable) "lost connections". Keep disabled to reduce false alarms
DENY_LOG=1 # Enable logging for explicitly DENIED packets (ports / protocols)
REJECT_LOG=0 # Enable logging for explicitly REJECTED packets (ports)
OUTPUT_DENY_LOG=1 # Enable logging of denied OUTPUT(local) or FORWARD(internal network) connections.
ICMP_DROP_LOG=0 # Enable logging for dropped ICMP-requests
PRIV_TCP_LOG=0 # Enable logging of (other) connection attempts to privileged TCP ports
PRIV_UDP_LOG=0 # Enable logging of (other) connection attempts to privileged UDP ports
UNPRIV_TCP_LOG=0 # Enable logging of (other) connection attempts to unprivileged TCP ports
UNPRIV_UDP_LOG=0 # Enable logging of (other) connection attempts to unprivileged UDP ports
OTHER_IP_LOG=0 # Enable logging of (other) connection attempts to "other-IP"-protocols (non TCP/UDP/ICMP)
ICMP_FLOOD_LOG=0 # Enable logging for ICMP flooding
#FIREWALL_LOG=/var/log/fir
# the firewall script will also log start/stop etc. info to this file as well.
# Note that in order to make this work, you should also configure syslogd to log
# firewall messages to this file (see LOGELVEL below for further info)
LOGLEVEL=info # Current log-level ("info": default kernel syslog level)
# "debug": can be used to log to /var/log/firewall,
# but you have to configure syslogd accordingly (see included syslogd.conf example)
##########################
# /proc based settings (EXPERT SETTINGS!) #
##########################
SYN_PROT=1 # Enable if you want synflood protection (through /proc/.../tcp_syncookies)
REDUCE_DOS_ABILITY=1 # Enable this to reduce the ability of others DOS'ing your machine
ECHO_IGNORE=1 # Enable if you want to automatically ignore all ICMP echo-requests (IPv4)
# this is very useful in stopping lame DoS-Attacks (aka ping -f's)
LOG_MARTIANS=0 # Enable if you want to log packets with impossible addresses to the kernel log
ICMP_REDIRECT=0 # Enable if you want to accept ICMP redirect messages
# Should be set to "0" in case of a router
HIGHER_CONNTRACK=1 # Enable if you want to handle a huge number of simultanteous connections
# (uses more memory but recommended for (high-traffic) servers)
LOOSE_UDP_PATCH=0 # You may need to enable this to get some internet games to work,
# but note that it's *less* secure
ECN=0 # Enable ECN (Explicit Congestion Notification) TCP flag
# Disabled by default, as some routers are still not compatible with this
RP_FILTER=1 # Use the rp_filter to drop connections from non-routable IPs. This should be
# disabled(0) when you for example want to use Freeswan (VPN) to route external private
# addresses into your network.
##########################
# (EXPERT SETTING!). Put in the following variable to specify the subnets that are DMZ-classified. #
# This means that any FORWARD traffic from the external interface (in)to these interfaces is allowed. #
##########################
DMZ_IF=""
##########################
# (EXPERT SETTING!). (Other) trusted network interfaces for which ALL IP traffic should be ACCEPTED. #
# (multiple(!) interfaces should be space separated). Be warned that anything TO and FROM these interfaces is #
# allowed (ACCEPTED) so make sure it's NOT routable (accessible) from the outside world (internet)! #
##########################
TRUSTED_IF=""
##########################
# Put in the following variable which hosts (subnets) you want have full access via your internet (EXT_IF) #
# connection(!). NOTE: Don't mistake this variable with the one used for internal nets (INT_IF) #
##########################
FULL_ACCESS_HOSTS=""
##########################
# Put in the following variable which DNS servers you use #
# Only required when you run your own DNS server (for example BIND) #
##########################
DNS_SERVERS="198.235.216.1
# These are the root DNS-servers (uncomment lineS(!) below if you want to use them for BIND)
ROOT_DNS_SERVERS="128.63.2
198.41.0.10 193.0.14.129 198.32.64.12 202.12.27.33 192.36.148.17 \
192.203.230.10 128.8.10.90 198.41.0.4"
##########################
# Put in the following variables which ports or IP protocols you want to leave open to the whole world #
##########################
OPEN_TCP="22 10001"
OPEN_UDP="53"
OPEN_IP=""
OPEN_ICMP=0
##########################
# Put in the following variables the TCP/UDP ports you want to block for everyone. Also use these variables #
# if you want to log connection attempts to these ports from everyone (also trusted & full access hosts) #
##########################
DENY_TCP=""
DENY_UDP=""
##########################
# Put in the following variables which hosts you want to allow for certain services #
# TCP/UDP port format (HOST_OPEN_TCP & HOST_OPEN_UDP) : host1,host2>port1,port2 host3,host4>port3,port4 ... #
# IP protocol format (HOST_OPEN_IP) : host1,host2>proto1,proto2 host3,host4>proto4,proto4 ... #
##########################
HOST_OPEN_TCP=""
HOST_OPEN_UDP=""
HOST_OPEN_IP=""
HOST_OPEN_ICMP=""
##########################
# Put in the following variables which TCP/UDP ports you want to REJECT (instead of DROP) for certain hosts. #
# TCP/UDP port format (HOST_REJECT_xxx) : host1,host2>port1,port2 host3,host4>port3,port4 ... #
##########################
HOST_REJECT_TCP=""
HOST_REJECT_UDP=""
##########################
# Put in the following variables which ports you want to block for everyone but NOT logged. #
# This is very useful if you have constant probes on the same port(s) over and over again (code red worm) #
# and don't want your logs flooded with it. #
##########################
DENY_TCP_NOLOG=""
DENY_UDP_NOLOG=""
##########################
# Put in the following variables which TCP/UDP ports or IP protocols you DON'T want to log connection attempts #
# to from certain hosts. #
# TCP/UDP port format (HOST_xxx_NOLOG) : host1,host2>port1,port2 host3,host4>port3,port4 ... #
# IP protocol format (HOST_IP_LOG) : host1,host2>proto1,proto2 host3,host4>proto4,proto4 ... #
##########################
HOST_DENY_TCP_NOLOG=""
HOST_DENY_UDP_NOLOG=""
HOST_DENY_IP_NOLOG=""
##########################
# Put in the following variables which hosts you want to deny for certain services #
# TCP/UDP port format (HOST_DENY_TCP & HOST_DENY_UDP) : host1,host2>port1,port2 host3,host4>port3,port4 ... #
##########################
HOST_DENY_TCP=""
HOST_DENY_UDP=""
HOST_DENY_IP=""
HOST_DENY_ICMP=""
##########################
# Put in the following variables which ports/protocols THIS machine is NOT permitted to connect TO #
# (remote end-point) via the external (internet) interface. Example of usage is for blocking IRC (tcp 6666:6669)#
##########################
DENY_TCP_OUTPUT=""
DENY_UDP_OUTPUT=""
DENY_IP_OUTPUT=""
##########################
# Put in the following variables which TCP/UDP ports or IP protocols you want to log connection attempts to #
# from certain hosts. #
# TCP/UDP port format (LOG_HOST_xxx) : host1,host2>port1,port2 host3,host4>port3,port4 ... #
# IP protocol format (LOG_HOST_IP) : host1,host2>proto1,proto2 host3,host4>proto4,proto4 ... #
##########################
LOG_HOST_TCP=""
LOG_HOST_UDP=""
LOG_HOST_IP=""
##########################
# Put in the following variables which TCP/UDP ports or IP protocols you want to log outgoing connections #
# (attempts) of (packet watch). #
##########################
LOG_TCP_OUTPUT=""
LOG_UDP_OUTPUT=""
LOG_IP_OUTPUT=""
##########################
# Put in the following variables which TCP/UDP ports or IP protocols you want to log incoming connections #
# (attempts) of (packet watch). #
##########################
LOG_TCP_INPUT=""
LOG_UDP_INPUT=""
LOG_IP_INPUT=""
##########################
# NAT TCP/UDP/IP forwards. Forward ports or protocols from the gateway to an internal client through (D)NAT #
# TCP/UDP form : "{SRCIP1,SRCIP2,...:}PORT1
# IP form : "{SRCIP1,SRCIP2,...:}PROTO
# NOTE 1: {:port} is optional. Use it to redirect a specific port to a different port on the internal client #
# NOTE 2: {SRCIPx} is optional. Use it to restrict access to specific source IP addresses #
# NOTE 3: Port ranges MUST be written as "PORT1-PORT3" (ie. "1024-1030" would include ports 1024 until 1030) #
##########################
# NAT TCP port-forward(s).
#NAT_TCP_FORWARD="25>10.10
NAT_TCP_FORWARD="20,21,25,
NAT_UDP_FORWARD="5198-5199
# TCP/UDP port forward examples:
# Simple : NAT_xxx_FORWARD="80>192.16
# Advanced : NAT_xxx_FORWARD="20,21>192
NAT_IP_FORWARD="" # NAT IP protocol forward(s) (useful for forwarding non-TCP/UDP/ICMP protocols).
# NAT IP protocol forward example: "47,48>192.168.0.10"
##########################
# (EXPERT SETTING!) Put in the following variables the TCP/UDP ports or IP protocols TO (remote end-point) #
# which the MASQUERADED hosts(LAN) are permitted to connect to via the external (internet) interface. When #
# these variables are empty (""), these hosts are permitted to connect ANY port/protocol. #
##########################
LAN_ALLOW_TCP=""
LAN_ALLOW_UDP=""
LAN_ALLOW_IP=""
##########################
# Put in the following variables the TCP/UDP ports or IP protocols TO (remote end-point) which the MASQUERADED #
# hosts(LAN) are NOT permitted to connect to via the external (internet) interface. Examples of usage are for #
# blocking IRC (TCP 6666:6669) for the internal network #
##########################
LAN_DENY_TCP="25"
LAN_DENY_UDP=""
LAN_DENY_IP="25"
##########################
# Put in the following variable which hosts you want to block (blackhole, dropping every packet from the host) #
##########################
BLOCK_HOSTS=""
# Location of the BLOCKED HOSTS file (if any). Note that the last line of this file should always contain a
# carriage-return (enter)!
##########################
BLOCK_HOSTS_FILE=/etc/ipta
# Location of the custom IPTABLES rules file (if any):
##########################
CUSTOM_RULES=/etc/iptables
If you only have one IP address on the outside then you can only forward a given port to one IP address on the inside at any given time.
JN
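The entry format from the NAT forward section of the posted config ("PORTS>DESTIP[:PORT]", ranges written "lo-hi") and the point in the answer above, that one public address can send a given port to only one internal host at a time, as an added example in POSIX shell. This is not code from the thread or from Arno's firewall script: the entry format is inferred from the truncated examples in the config comments, and the interface names eth0/eth1 and the sample entries are constructed for the illustration.

```shell
#!/bin/sh
# Added example (not part of the original post or of Arno's script): turn a
# NAT_xxx_FORWARD-style entry "PORTS>DESTIP[:PORT]" into the iptables commands
# the gateway would need, and check a list of entries for a port that is
# mapped to more than one destination.  Interface names are assumed.
EXT_IF="eth0"   # assumed external (public) interface
INT_IF="eth1"   # assumed internal (NAT) interface

# expand_ports "20,21,5198-5199" -> prints one port number per line.
expand_ports() {
    old_ifs=$IFS; IFS=','
    for tok in $1; do
        case "$tok" in
            *-*) lo=${tok%-*}; hi=${tok#*-}
                 while [ "$lo" -le "$hi" ]; do echo "$lo"; lo=$((lo + 1)); done ;;
            *)   echo "$tok" ;;
        esac
    done
    IFS=$old_ifs
}

# forward_rules PROTO SPEC -> prints the DNAT rule plus a matching FORWARD
# accept.  The DNAT is bound to the external interface so internal traffic is
# never rewritten, and the FORWARD rule admits only the forwarded host and
# ports, so the rest of the LAN stays closed to them.
forward_rules() {
    proto="$1"
    ports="${2%%>*}"
    dest="${2#*>}"
    case "$dest" in
        *:*) dst_ip="${dest%%:*}"; dst_port="${dest#*:}" ;;
        *)   dst_ip="$dest";       dst_port="" ;;
    esac
    old_ifs=$IFS; IFS=','
    for tok in $ports; do
        case "$tok" in *-*) tok="${tok%-*}:${tok#*-}" ;; esac   # iptables writes ranges as lo:hi
        echo "iptables -t nat -A PREROUTING -i $EXT_IF -p $proto --dport $tok" \
             "-j DNAT --to-destination $dst_ip${dst_port:+:$dst_port}"
        echo "iptables -A FORWARD -i $EXT_IF -o $INT_IF -p $proto -d $dst_ip" \
             "--dport ${dst_port:-$tok} -m state --state NEW -j ACCEPT"
    done
    IFS=$old_ifs
}

# find_conflicts "SPEC SPEC ..." -> prints every port that two entries send to
# different destinations and returns 1; returns 0 when the list is consistent.
# A single public address can DNAT a given port to only one destination.
find_conflicts() {
    found=0
    i=0
    for a in $1; do
        i=$((i + 1)); j=0
        for b in $1; do
            j=$((j + 1))
            [ "$j" -le "$i" ] && continue          # compare each pair once
            da="${a#*>}"; db="${b#*>}"
            [ "$da" = "$db" ] && continue          # same destination, no conflict
            for pa in $(expand_ports "${a%%>*}"); do
                for pb in $(expand_ports "${b%%>*}"); do
                    [ "$pa" = "$pb" ] || continue
                    echo "conflict: port $pa is forwarded to both $da and $db"
                    found=1
                done
            done
        done
    done
    return $found
}

# Constructed entries: the first is the asker's UDP range sent to one host,
# the second list adds a second host for port 5199 and is therefore rejected.
forward_rules udp "5198-5199>10.10.11.5"
find_conflicts "5198-5199>10.10.11.5 5199>10.10.12.7" || echo "fix the list before loading it"
```

The script only prints the rules; loading them is a separate, root-only step. Binding the DNAT to `-i $EXT_IF` and accepting in FORWARD only the forwarded host and ports is what keeps the other machines behind the NAT closed, which was the constraint in the question. When the same port really has to reach several internal hosts, each one needs its own external port (or its own public address) on the outside, and the check above flags any list that tries to do otherwise.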
> but when I try to forward them to all the address,
that's what masquerading is for, but it works for related packets only
otherwise you have to break down your destination to a subnet, for example 10.10.12.0/192, and simply ACCEPT these packets