Strange iptables behavior

Stiven Andre stiven_a@hotmail.com
Thu, 28 Nov 2002 01:26:33 +0200


>From: "Stiven Andre" <stiven_a@hotmail.com>
>To: linux-il@linux.org.il
>Subject: Strange iptables behavior
>Date: Wed, 27 Nov 2002 17:28:05 +0200
>
>Hi List.
>
>I have my home network masqueraded by a Linux router (RH8.0).
>Network topology:
>Linux router (192.168.1.1): eth0 to LAN, eth1 to ADSL modem.
>LAN = 192.168.1.*
>
>I wrote an iptables script that masquerades my network, but the problem is 
>that when I run the script for the first time from /etc/rc.d/rc.local it works. 
>But if I then rerun it manually (as root, of course) it stops working. Inside 
>hosts don't have access to the internet. My script does clear all old rules 
>at the start, but it doesn't help...
>I tried to clear all old rules manually and then run the script; no luck, 
>still not working. I tried to unload all iptables modules, then "insmod 
>ip_tables", and after that to run the script again; nothing, it doesn't help 
>either... Can someone understand what is going on? Why does it work only the 
>first time? After the second execution the rules seem to be the same, 
>but inside hosts can't ping the internet.
>There are 2 LOG targets in the script, the first with prefix "FORWARD PACKET" 
>and the second with prefix "MASQ RULE MATCHED". After the first execution of the 
>script, I see 2 logs for each packet, first "FORWARD PACKET" and then "MASQ 
>RULE MATCHED", but after the second execution, when the NAT doesn't work, the 
>logs don't show "MASQ RULE MATCHED"...
>
>Best Regards.
>S.A.
>
>The script:
>
>
>#!/bin/sh
>IPTABLES="/sbin/iptables"
>
># Reset all.
>$IPTABLES -P INPUT ACCEPT
>$IPTABLES -P OUTPUT ACCEPT
>$IPTABLES -P FORWARD ACCEPT
>$IPTABLES -F
>$IPTABLES -X
>$IPTABLES -t nat -F
>
># Modules and targets:
>/sbin/modprobe ipt_LOG
>/sbin/modprobe ipt_REJECT
>/sbin/modprobe ipt_MASQUERADE
>/sbin/modprobe ip_nat_ftp
>/sbin/modprobe ip_nat_irc
>/sbin/modprobe ip_conntrack_ftp
>/sbin/modprobe ip_conntrack_irc
>
># IP Forwarding And Dynamic IP support:
>echo "1" > /proc/sys/net/ipv4/ip_forward
>echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>
># Create chains for packet types:
>$IPTABLES -N tcp_packets
>$IPTABLES -N udp_packets
>$IPTABLES -N icmp_packets
>
># INPUT TABLE:
># Permit ADSL, gre Tunnel (Protocol 47), loopback and a broadcast.
>$IPTABLES -A INPUT -p 47 -s 10.0.0.138 -j ACCEPT
>$IPTABLES -A INPUT -p tcp -s 10.0.0.138 --sport 1723 -j ACCEPT
>$IPTABLES -A INPUT -s 127.0.0.1 -j ACCEPT
>$IPTABLES -A INPUT -p ALL -d 192.168.1.255 -j ACCEPT
># Ensure that established sessions will not die
>$IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
># Allow FTP active and passive port commands:
>#$IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
>#$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
># Send all other traffic to its chain:
>$IPTABLES -A INPUT -p tcp -j tcp_packets
>$IPTABLES -A INPUT -p udp -j udp_packets
>$IPTABLES -A INPUT -p icmp -j icmp_packets
>
># OUTPUT TABLE:
># Permit all.
>$IPTABLES -A OUTPUT -j ACCEPT
>
># FORWARD TABLE:
>$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
># tcp_packets TABLE:
># World accessible services:
>#$IPTABLES -A tcp_packets -p tcp --dport 21 --syn -j ACCEPT # FTP
>#$IPTABLES -A tcp_packets -p tcp --dport 80 --syn -j ACCEPT # HTTP
># Private services:
>$IPTABLES -A tcp_packets -s 192.168.1.10/32 -p tcp --dport 23 --syn -j ACCEPT # Telnet
>$IPTABLES -A tcp_packets -s 192.168.1.10/24 -p tcp --dport 139 --syn -j ACCEPT # NetBIOS-ssn
>
># udp_packets TABLE:
># Private services:
>$IPTABLES -A udp_packets -s 192.168.1.10/24 -p udp --dport 137 -j ACCEPT # NetBIOS-ns
>$IPTABLES -A udp_packets -s 192.168.1.10/24 -p udp --dport 138 -j ACCEPT # NetBIOS-dgm
>
># MASQUERADING:
>$IPTABLES -t nat -A POSTROUTING -o ppp0 -j LOG --log-level DEBUG --log-prefix "matched MASQ RULE: "
>$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
>
># Set defaults to drop:
>$IPTABLES -P INPUT ACCEPT
>$IPTABLES -P OUTPUT ACCEPT
>$IPTABLES -P FORWARD ACCEPT
>
># Debug
>$IPTABLES -A FORWARD -j LOG --log-level DEBUG --log-prefix "FORWARD PACKET: "
>$IPTABLES -A INPUT -j LOG --log-level DEBUG --log-prefix "INPUT PACKET: "
>$IPTABLES -A OUTPUT -j LOG --log-level DEBUG --log-prefix "OUTPUT PACKET: "
>
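The script below is an added example, not the poster's script: a reload-safe version of the same masquerading setup. The interface names (eth0 towards the LAN, ppp0 as the ADSL session) and the network (192.168.1.0/24) are taken from the post; everything else is assumed. It differs from the original in two ways. It flushes rules, deletes user chains and zeroes counters in all three tables (filter, nat and mangle), so a second run starts from the same state as the first run at boot; and it sets real DROP policies on INPUT and FORWARD, which the original's "Set defaults to drop" comment describes but its ACCEPT lines do not do. One caveat that applies to re-running any such script: the nat table is consulted only for the first packet of a connection, and the resulting mapping (or the absence of one) is then kept in the connection-tracking entry, so flushing and re-adding the MASQUERADE rule does not change flows that are already tracked until they expire; on a 2.4 kernel, /proc/net/ip_conntrack shows which flows carry a mapping. Run it as `sh masq.sh apply` on the router, or `sh masq.sh dry-run` (IPT=echo) to print the commands without applying them.

```shell
#!/bin/sh
# Added example, not the original poster's script.
# Reload-safe masquerading ruleset for a two-interface Linux router.
# Assumed: eth0 faces the LAN, ppp0 is the ADSL (PPP) session,
# the LAN is 192.168.1.0/24. Set IPT=echo to print instead of apply.

IPT="${IPT:-/sbin/iptables}"
LAN_IF="${LAN_IF:-eth0}"
WAN_IF="${WAN_IF:-ppp0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Flush rules, delete user-defined chains and zero counters in every
# table, so a rerun does not inherit leftovers from the previous run.
reset_tables() {
    for table in filter nat mangle; do
        $IPT -t "$table" -F
        $IPT -t "$table" -X
        $IPT -t "$table" -Z
    done
}

# Default policies: drop whatever no rule accepts on INPUT and FORWARD.
set_policies() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

build_rules() {
    reset_tables
    set_policies

    # Router itself: loopback, replies to its own connections, and the LAN.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # Forwarding: the LAN may open connections to the WAN; only replies return.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    # Anti-spoofing: a packet with a LAN source must never arrive on the WAN side.
    $IPT -A FORWARD -i "$WAN_IF" -s "$LAN_NET" -j DROP

    # Masquerade only LAN sources leaving through the WAN interface.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -s "$LAN_NET" -j MASQUERADE

    # Rate-limited log of what the DROP policies are about to discard.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD DROP: "
}

# Sanity check on the generated set: number of MASQUERADE rules (expected 1).
count_masq_rules() {
    ( IPT=echo; build_rules ) | grep -c -- '-j MASQUERADE'
}

case "${1:-}" in
    apply)
        build_rules
        echo 1 > /proc/sys/net/ipv4/ip_forward
        ;;
    dry-run)
        IPT=echo
        build_rules
        ;;
esac
```

The dry-run mode is the cheap way to review a change before it touches the box: diff the printed command list against the previous version, and after applying, compare `iptables -t nat -L POSTROUTING -v` with the traffic you expect to see counted.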