ammadeyy2020
need an iptables script
can someone write a script for the following
default script drop all INPUT, FORWARD
allow all OUTPUT
FORWARD tcp port 110 and 25, to ip address 192.168.20.20 (Email)
FORWARD tcp port 3000 to ip address 192.168.20.20 (WorldClient)
iptables -P -tcp --dport 25 -j ACCEPT
iptables -P -tcp --dport 110 -j ACEPT
iptables -P -tcp --dport 3000 -j ACCEPT
but you don't need to block all output and forward rules
just blocking input is enough
sorry, there is a small problem of syntax
try the one below
iptables -A INPUT -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j ACCEPT
or you can copy from here
http://fosiul.co.uk/KnowledgeCategories.php?CID=71
One more thing
before adding those,
can you paste the result here
go to
cd /etc
cd sysconfig
cat iptables
copy the output and paste it here, I just want to see in case you have any RH rules there; then you will have to add those under the RH rules
ASKER
192.168.20.20 is the email server
cd /etc
cd sysconfig
cat iptables
no such file or directory
cat /etc/sysconfig/iptables
or cd /etc/sysconfig
then cat iptables
if you don't see anything, that means you don't have iptables installed
if you type service iptables restart
does iptables restart?
also type: whereis iptables
paste the result here
ASKER
when I type
service iptables restart
iptables: unrecognized service
whereis iptables
iptables: /sbin/iptables /lib/iptables /usr/share/man/man8/iptables.8.gz
ok, from the output, iptables is installed
are you trying to restart iptables as root?
try to do this as root.
iptables -L
does it return any output?
If all input is to be dropped then what is the point of forwarding?
ASKER
yes, I'm root
iptables -L does return existing rules
Chain INPUT (policy DROP)
target ......................... etc
ok, what happened is you did not save your iptables
do this
service iptables save
then restart iptables: service iptables restart
did you add all those rules I sent before?
as I said earlier, you don't need to block all ports, just block input
ASKER
can you write it again
INPUT DROP all
OUTPUT ACCEPT all
FORWARD, 110, 25, 3000 to 192.168.20.20
ASKER CERTIFIED SOLUTION
ASKER
service iptables save
iptables: unrecognized service
do I have to write those rules in /lib/iptables
or in root?
I did in root, and cannot save
I don't think the script given in comment 23020513 will work, as it only allows output for established sessions, which means that it will not be possible to establish a session in the first place. It would make more sense to set the output policy to ACCEPT and not add any entries to the OUTPUT table.
ok, if you do this
iptables -L
do you see all the rules you added?
try this
/etc/init.d/iptables save
/etc/init.d/iptables restart
and also, you log on to the server as root user, right?
hi chris_barry, the script I sent always works perfectly for me
ASKER
yes, root user
iptables -L
it's still the previous rules
it doesn't flush, I guess
/etc/init.d/iptables save
no such file or directory
ommm
did you install iptables yourself, or was it installed from before?
if you do yum install iptables, what does it say? [I know your iptables is installed but I just want to see]
also
locate iptables
paste the result here please
ASKER
you typed the wrong command
it's locate iptables
and what OS are you using?
ASKER
[root@proxy ~]# locate iptables
/lib/iptables
/lib/iptables/libipt_connlimit.so
/lib/iptables/libipt_hashlimit.so
/lib/iptables/libipt_ttl.so
/lib/iptables/libipt_state.so
/lib/iptables/libipt_comment.so
/lib/iptables/libipt_ipp2p.so
/lib/iptables/libipt_MIRROR.so
/lib/iptables/libipt_pkttype.so
/lib/iptables/libipt_DSCP.so
/lib/iptables/libipt_NETMAP.so
/lib/iptables/libipt_TTL.so
/lib/iptables/libipt_tos.so
/lib/iptables/libipt_mark.so
/lib/iptables/libipt_mac.so
/lib/iptables/libipt_CONNMARK.so
/lib/iptables/libipt_limit.so
/lib/iptables/libipt_conntrack.so
/lib/iptables/libipt_dscp.so
/lib/iptables/libipt_tcp.so
/lib/iptables/libipt_ecn.so
/lib/iptables/libipt_REDIRECT.so
/lib/iptables/libipt_TOS.so
/lib/iptables/libipt_REJECT.so
/lib/iptables/libipt_SNAT.so
/lib/iptables/libipt_rpc.so
/lib/iptables/libipt_TRACE.so
/lib/iptables/libipt_multiport.so
/lib/iptables/libipt_iprange.so
/lib/iptables/libipt_length.so
/lib/iptables/libipt_addrtype.so
/lib/iptables/libipt_ECN.so
/lib/iptables/libipt_standard.so
/lib/iptables/libipt_NOTRACK.so
/lib/iptables/libipt_policy.so
/lib/iptables/libipt_unclean.so
/lib/iptables/libipt_NFQUEUE.so
/lib/iptables/libipt_udp.so
/lib/iptables/libipt_MASQUERADE.so
/lib/iptables/libipt_tcpmss.so
/lib/iptables/libipt_esp.so
/lib/iptables/libipt_ULOG.so
/lib/iptables/libipt_connmark.so
/lib/iptables/libipt_MARK.so
/lib/iptables/libipt_helper.so
/lib/iptables/libipt_physdev.so
/lib/iptables/libipt_owner.so
/lib/iptables/libipt_DNAT.so
/lib/iptables/libipt_realm.so
/lib/iptables/libipt_CLASSIFY.so
/lib/iptables/libipt_TCPMSS.so
/lib/iptables/libipt_LOG.so
/lib/iptables/libipt_icmp.so
/lib/iptables/libipt_ah.so
/lib/iptables/libipt_TARPIT.so
/lib/iptables/libipt_SAME.so
/lib/iptables/libipt_sctp.so
/lib/iptables/libipt_recent.so
/usr/share/doc/iptables-1.3.5
/usr/share/doc/iptables-1.3.5/COPYING
/usr/share/doc/iptables-1.3.5/INSTALL
/usr/share/doc/iptables-1.3.5/INCOMPATIBILITIES
/usr/share/doc/mrtg-2.10.15/contrib/iptables_acc_snmp
/usr/share/doc/mrtg-2.10.15/contrib/iptables_acc_snmp/iptables_acc_snmp
/usr/share/doc/mrtg-2.10.15/contrib/iptables_acc_snmp/README
/usr/share/doc/mrtg-2.10.15/contrib/iptables_acc_snmp/HANDCO-SNMP-MIB.txt
/usr/share/doc/mrtg-2.10.15/contrib/iptables-accounting
/usr/share/doc/mrtg-2.10.15/contrib/iptables-accounting/iptables-accounting
/usr/share/doc/mrtg-2.10.15/contrib/iptables-accounting/README
/usr/share/doc/mrtg-2.10.15/contrib/iptables_acc
/usr/share/doc/mrtg-2.10.15/contrib/iptables_acc/README
/usr/share/doc/mrtg-2.10.15/contrib/iptables_acc/iptables_acc
/usr/share/man/man8/iptables.8.gz
/usr/share/man/man8/iptables-save.8.gz
/usr/share/man/man8/iptables-restore.8.gz
/sbin/iptables-restore
/sbin/iptables
/sbin/iptables-save
/sbin/iptables-bin
/var/lock/subsys/iptables
OS
CentOS release 4.4 (Final)
ok, so before lib you don't have any lines like this, isn't it?
/etc/rc.d/init.d/iptables
/etc/rc.d/rc0.d/K92iptables
/etc/rc.d/rc1.d/K92iptables
/etc/rc.d/rc2.d/S08iptables
/etc/rc.d/rc3.d/S08iptables
/etc/rc.d/rc4.d/S08iptables
/etc/rc.d/rc5.d/S08iptables
/etc/rc.d/rc6.d/K92iptables
/etc/sysconfig/iptables
/etc/sysconfig/iptables-config
/etc/sysconfig/iptables.save
Sometimes, if you type locate iptables, it does not come up on screen properly, so you might miss the first section; so try this
locate iptables | less
you need to press enter to go down
I just need to know whether you have those lines or not, as I mentioned
ASKER
[root@proxy ~]# locate iptables | less
/lib/iptables/libipt_unclean.so
/lib/iptables/libipt_NFQUEUE.so
/lib/iptables/libipt_udp.so
/lib/iptables/libipt_MASQUERADE.so
/lib/iptables/libipt_tcpmss.so
/lib/iptables/libipt_esp.so
/lib/iptables/libipt_ULOG.so
/lib/iptables/libipt_connmark.so
/lib/iptables/libipt_MARK.so
/lib/iptables/libipt_helper.so
/lib/iptables/libipt_physdev.so
/lib/iptables/libipt_owner.so
/lib/iptables/libipt_DNAT.so
/lib/iptables/libipt_realm.so
/lib/iptables/libipt_CLASSIFY.so
/lib/iptables/libipt_TCPMSS.so
/lib/iptables/libipt_LOG.so
/lib/iptables/libipt_icmp.so
/lib/iptables/libipt_ah.so
/lib/iptables/libipt_TARPIT.so
/lib/iptables/libipt_SAME.so
/lib/iptables/libipt_sctp.so
/lib/iptables/libipt_recent.so
/usr/share/doc/iptables-1.3.5
/usr/share/doc/iptables-1.3.5/COPYING
/usr/share/doc/iptables-1.3.5/INSTALL
/usr/share/doc/iptables-1.3.5/INCOMPATIBILITIES
/usr/share/doc/mrtg-2.10.15/contrib/iptables_acc_snmp
/usr/share/doc/mrtg-2.10.15/contrib/iptables_acc_snmp/iptables_acc_snmp
/usr/share/doc/mrtg-2.10.15/contrib/iptables_acc_snmp/README
/usr/share/doc/mrtg-2.10.15/contrib/iptables_acc_snmp/HANDCO-SNMP-MIB.txt
/usr/share/doc/mrtg-2.10.15/contrib/iptables-accounting
/usr/share/doc/mrtg-2.10.15/contrib/iptables-accounting/iptables-accounting
/usr/share/doc/mrtg-2.10.15/contrib/iptables-accounting/README
/usr/share/doc/mrtg-2.10.15/contrib/iptables_acc
/usr/share/doc/mrtg-2.10.15/contrib/iptables_acc/README
/usr/share/doc/mrtg-2.10.15/contrib/iptables_acc/iptables_acc
/usr/share/man/man8/iptables.8.gz
/usr/share/man/man8/iptables-save.8.gz
/usr/share/man/man8/iptables-restore.8.gz
/sbin/iptables-restore
/sbin/iptables
/sbin/iptables-save
/sbin/iptables-bin
/var/lock/subsys/iptables
(END)
There is something wrong in your iptables setup
ommm
I would suggest you install iptables again by yum
but your yum is not working!! it's weird!!
I am using CentOS as well
who set up this server?
ASKER
I did, with the default installation
omm, for CentOS, yum would be installed by default, omm, but on yours yum is not even installed
ok let me check something
Is the situation more complex than your original question implied? You referred only to addresses in the private 192.168 range but your iptables rules refer to a public Internet address. Do you need Network Address Translation (NAT)? Are you expecting mail from the Internet to be forwarded to your local SMTP server?
Hi fosiul01,
If you are using it then I have to accept that it works, but it certainly looks to me as if it shouldn't. I normally start by flushing each table before defining new rules. Is it possible that you have some rules already defined?
A final thought. Don't forget to
echo 1 >/proc/sys/net/ipv4/ip_forward
to tell the kernel to enable forwarding.
Hi Chris, if you check this comment: id 23021149
I have flushed all the rules, then started to type them one by one.
but the problem is, it's taking the rules, but when he did iptables -L
those rules are not showing.
what I am seeing is, those rules are already there
hi ammadeyy2: when you typed iptables -L, the rules you see,
did you type those rules? I guess not.
what's up? you closed this question? is your problem solved?
There is no /etc/init.d/iptables. This may be a good time to ask what distribution you are using.
It would be tidier to use the existing mechanism for setting iptables, if you can find it, but you could simply create a new iptables script in init.d. Since you don't need to stop or reload, it could be much simpler than the usual init.d script. You should then create a symbolic link to it in /etc/rcn.d (where n is your usual run level, normally 2 or 3, but use the runlevel command to find out) with a name like S90iptables.
sorry, I posted the wrong link here
it was supposed to be for another question
sorry
he is using CentOS 4
ASKER
problem not solved, opening second question
haahahaah good
since your yum is not installed
at first install it
check this tutorial
http://maimon-it.blogspot.com/2005/06/install-yum-on-redhat-enterprise-linux.html
http://yum.baseurl.org/
when yum is installed, then install iptables again
your problem would be solved
fosiul01,
Please please please don't take this the wrong way, but when you respond to questions can you take some time to type out a complete answer.
You are quite a capable individual and have assisted lots of people, and you always contribute well to questions, but whenever you do get involved in a thread the multiple responses here and there before the asker has been able to respond is like being mail bombed.
I'm just asking for you to take a little time and perhaps switch to decaf coffee :-)
haahahah
sorry, did not understand!! what have I done wrong here?
actually, you've done nothing wrong, it's more your enthusiastic approach to responding to questions.
post a comment here and I'll give you a demo (you seem to have a sense of humor which is good :-))
https://www.experts-exchange.com/questions/23927967/multiple-responses-demo.html
You told me to have decaf! So went out for 3 hrs to a cafe. Let me bk!
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
what is this 192.168.20.20? is it your mail server address?
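The requirement from the question written out as one script, with the points chris_barry raised folded in (flush before defining rules, keep OUTPUT at ACCEPT so the first packet of a connection can leave, enable ip_forward, and DNAT the three ports so the FORWARD rules have traffic to match). This is an added example, not any poster's script or the accepted solution; the Internet-facing interface name eth0 is an assumption.

```shell
#!/bin/sh
# Added example (not the thread's accepted solution): a minimal script for the
# requirement in this thread, with the points raised by chris_barry folded in:
# flush before defining rules, keep OUTPUT at ACCEPT, enable ip_forward, and
# DNAT the three ports in the nat table so FORWARD has something to forward.
# Assumption (hypothetical): the Internet-facing interface is eth0.
WAN="${WAN:-eth0}"
MAIL="192.168.20.20"     # the asker's mail / WorldClient server
PORTS="25 110 3000"      # SMTP, POP3, WorldClient

# $1 is the command used to run each rule: "iptables" to apply them,
# "echo" to print the rules for review without touching the kernel.
apply_rules() {
    ipt="${1:-iptables}"

    # Start from a clean slate so stale rules cannot shadow the new ones.
    "$ipt" -F
    "$ipt" -X
    "$ipt" -t nat -F

    # Default policies: drop inbound and transit traffic, let the box
    # itself talk out (a DROP policy with only ESTABLISHED allowed in
    # OUTPUT would never let the first packet of a connection leave).
    "$ipt" -P INPUT DROP
    "$ipt" -P FORWARD DROP
    "$ipt" -P OUTPUT ACCEPT

    # Replies to the firewall's own connections, plus loopback.
    "$ipt" -A INPUT -i lo -j ACCEPT
    "$ipt" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Publish the mail server: rewrite the destination in PREROUTING,
    # then allow only those new connections through FORWARD.
    for port in $PORTS; do
        "$ipt" -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$port" \
            -j DNAT --to-destination "$MAIL"
        "$ipt" -A FORWARD -i "$WAN" -p tcp -d "$MAIL" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    # Return traffic for the forwarded sessions.
    "$ipt" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Routing between interfaces is off by default; FORWARD never sees a
# packet until this is set.
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Usage: sh fw.sh apply      (as root)
#        sh fw.sh dry-run    (print the rules only)
case "${1:-}" in
    apply)   enable_forwarding; apply_rules iptables ;;
    dry-run) apply_rules echo ;;
esac
```

On CentOS 4 the rules are only in memory until saved, which is the save/restart step the thread keeps circling back to; the dry-run mode lets you read the full rule set before applying it.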