New subject: AW: iptables und ICQ Filetransfer

6 Jun 2002

      Hallo,

ich habe ein iptables skript ummasquarading betreiben warum geht mein icq
filetransfer weder in noch outbound???

was muss ich noch verändern??

hier das skript:

#! /bin/sh
#
# Author: Tobias Korb
#
# init.d/maske
#
#   and symbolic its link
#
# /sbin/rcmaske
#
# System startup script for Masquerading
#
### BEGIN INIT INFO
# Provides: maske
# Required-Start: serial
# Required-Stop:
# Default-Start:  2 3 4 5
# Default-Stop:
# Description:    Start simple Firewall- Skript
### END INIT INFO

# Source SuSE config
. /etc/rc.config

# die folgende Datei muss extra angelegt werden mit dem Inhalt:
# START_MASKE="yes"
. /etc/rc.config.local

# Determine the base and follow a runlevel link name.
base=${0##*/}
link=${base#*[SK][0-9][0-9]}

# Force execution if not called by a runlevel directory.
test $link = $base && START_MASKE=yes
test "$START_MASKE" = yes || exit 0

IPTABLES=/usr/sbin/iptables
MODPROBE=/sbin/modprobe
test -x $IPTABLES || exit 5
test -x $MODPROBE || exit 5

. /etc/rc.status

rc_reset

# Anpassung an das Interface (hier DSL oder Modem)
fw_dev="ppp0"

case "$1" in
    start)
	echo -n "Starting Maske Firewall Skript"
	$MODPROBE iptable_nat
	$MODPROBE ip_nat_ftp
	$MODPROBE ip_conntrack
	$MODPROBE ip_conntrack_ftp
	$IPTABLES -F

	$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j
TCPMSS --clamp-mss-to-pmtu

        $IPTABLES -A INPUT -i $fw_dev -p icmp --icmp-type echo-request -m
limit --limit 1/sec -j ACCEPT
        $IPTABLES -A INPUT -i $fw_dev -p tcp --dport 22 -m limit --limit
1/sec -m state --state NEW -j ACCEPT
        $IPTABLES -A INPUT -i $fw_dev -p tcp --dport 21 -m limit --limit
1/sec -m state --state NEW -j ACCEPT
	$IPTABLES -A INPUT -i $fw_dev -p tcp --dport 25 -j ACCEPT
        $IPTABLES -A INPUT -i $fw_dev -p tcp --dport 80 -j ACCEPT
	$IPTABLES -A INPUT -i $fw_dev -p icmp --icmp-type
destination-unreachable -j ACCEPT
	$IPTABLES -A INPUT -i $fw_dev -p tcp --dport 3430 -j ACCEPT
#        $IPTABLES -A OUTPUT -o $fw_dev -p tcp --dport 80 -j
REDIRECT --to-port 3128
	$IPTABLES -A OUTPUT -o $fw_dev -p tcp --dport 137:139 -j DROP
	$IPTABLES -A OUTPUT -o $fw_dev -p udp --dport 137:139 -j DROP
	$IPTABLES -A FORWARD -o $fw_dev -p tcp --dport 137:139 -j DROP
	$IPTABLES -A FORWARD -o $fw_dev -p udp --dport 137:139 -j DROP
	$IPTABLES -N block
	$IPTABLES -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
	$IPTABLES -A block -m state --state NEW -i ! $fw_dev -j ACCEPT
	$IPTABLES -A block -j DROP
	$IPTABLES -A INPUT -j block
	$IPTABLES -A FORWARD -j block
#        $IPTABLES -t nat -A  PREROUTING -i eth0 -p tcp --dport 80 -j
REDIRECT --to-port 3128
	$IPTABLES -t nat -A POSTROUTING -o $fw_dev -j MASQUERADE
	# Remember status and be verbose
	rc_status -v
	;;
    stop)
	echo -n "Shutting down Maske Skript"
	$IPTABLES -F
	$IPTABLES -t nat -F
        $IPTABLES -X

	# Remember status and be verbose
	rc_status -v
	;;
    try-restart)
	## Stop the service and if this succeeds (i.e. the
	## service was running before), start it again.
	## Note: try-restart is not (yet) part of LSB (as of 0.7.5)
	$0 status >/dev/null &&  $0 restart

	# Remember status and be quiet
	rc_status
	;;
    restart)
	## Stop the service and regardless of whether it was
	## running or not, start it again.
	$0 stop
	$0 start

	# Remember status and be quiet
	rc_status
	;;
    force-reload)
	## Signal the daemon to reload its config. Most daemons
	## do this on signal 1 (SIGHUP).
	## If it does not support it, restart.

	echo -n "Reload service MASKE"
	## if it supports it:
	# killproc -HUP $FOO_BIN
	# touch /var/run/FOO.pid
	# rc_status -v

	## Otherwise:
	$0 stop  &&  $0 start
	rc_status
	;;
    reload)
	## Like force-reload, but if daemon does not support
	## signalling, do nothing (!)

	# If it supports signalling:
	# echo -n "Reload service FOO"
	# killproc -HUP $FOO_BIN
	#touch /var/run/FOO.pid
	# rc_status -v

	## Otherwise if it does not support reload:
	rc_failed 3
	rc_status -v
	;;
    status)
	echo  "Maske Rules: "
	$IPTABLES -v -L
	$IPTABLES -v -t nat -L
	echo  -n "Status of MASKE Skript"

	rc_status -v
	;;
    probe)
	## Optional: Probe for the necessity of a reload,
	## give out the argument which is required for a reload.

	# test /etc/FOO/FOO.conf -nt /var/run/FOO.pid && echo reload
	;;
    *)
	echo "Usage: $0
{start|stop|status|try-restart|restart|force-reload|reload|probe}"
	exit 1
	;;
esac
rc_exit

iptables und ICQ Filetransfer

Tobias Korb

Michael Raab

Tobias Korb

Michael Raab

Alex Klein

Michael Raab

Alex Klein

Christopher S.

Tobias Korb

Robert Szentmihalyi

tags

participants (5)