Re: Port "triggering"

From: Jeff Franks (jfranks1970_at_charter.net)
Date: 12/23/04


Date: Thu, 23 Dec 2004 15:05:37 -0600

You asked for it ;)

# Generated by iptables-save v1.2.7a on Thu Dec 23 15:01:25 2004
*nat
:PREROUTING ACCEPT [633967:155144579]
:POSTROUTING ACCEPT [190546:11830040]
:OUTPUT ACCEPT [183074:11641523]
-A PREROUTING -i eth1 -p udp -m udp --dport 3100:3105 -j DNAT --to-destination 192.168.0.201
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3100:3105 -j DNAT --to-destination 192.168.0.201
-A PREROUTING -p udp -m udp --dport 3783 -j DNAT --to-destination 192.168.0.201
-A PREROUTING -p tcp -m tcp --dport 3783 -j DNAT --to-destination 192.168.0.201
-A PREROUTING -s 67.159.2.0/255.255.255.0 -p tcp -m tcp --dport 15000 -j DNAT --to-destination 192.168.0.201
-A PREROUTING -s 67.159.2.0/255.255.255.0 -p tcp -m tcp --dport 5800 -j DNAT --to-destination 192.168.0.252
-A PREROUTING -s 67.159.2.0/255.255.255.0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.201
-A PREROUTING -s 67.159.2.0/255.255.255.0 -p tcp -m tcp --dport 14000 -j DNAT --to-destination 192.168.0.201
-A PREROUTING -i eth1 -p udp -m udp --dport 3568 -j DNAT --to-destination 192.168.0.201
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3568 -j DNAT --to-destination 192.168.0.201
-A PREROUTING -s 68.202.140.241 -p tcp -m tcp --dport 15000 -j DNAT --to-destination 192.168.0.201
-A PREROUTING -s 68.202.140.241 -p tcp -m tcp --dport 14000 -j DNAT --to-destination 192.168.0.201
-A PREROUTING -s 24.35.72.2 -p tcp -m tcp --dport 15000 -j DNAT --to-destination 192.168.0.201
-A PREROUTING -i eth1 -p udp -m udp --dport 3568 -j DNAT --to-destination 192.168.0.201
-A PREROUTING -i eth1 -p udp -m udp --dport 3568 -j DNAT --to-destination 192.168.0.252
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3568 -j DNAT --to-destination 192.168.0.252
-A PREROUTING -i eth1 -p tcp -m tcp --dport 3100:3105 -j DNAT --to-destination 192.168.0.252
-A PREROUTING -i eth1 -p udp -m udp --dport 3100:3105 -j DNAT --to-destination 192.168.0.252
-A PREROUTING -s 64.16.173.0/255.255.255.0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.201
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
# Completed on Thu Dec 23 15:01:25 2004
# Generated by iptables-save v1.2.7a on Thu Dec 23 15:01:25 2004
*filter
:INPUT DROP [16831:4954766]
:FORWARD ACCEPT [43220375:8418702232]
:OUTPUT ACCEPT [7114267:571537291]
-A INPUT -s 192.168.100.0/255.255.255.0 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -i eth1 -p icmp -j DROP
-A INPUT -s 67.159.2.0/255.255.255.0 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -j ACCEPT
-A FORWARD -s 62.136.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 62.135.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 62.134.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 208.60.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 65.65.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 200.153.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 219.88.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 65.244.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 83.242.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 65.65.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 207.38.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 201.246.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 83.176.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 213.61.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 212.144.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 62.158.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 84.128.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -s 217.235.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -s 83.242.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -s 65.65.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -s 207.38.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -s 201.246.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -s 83.176.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -s 213.61.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
-A OUTPUT -s 212.144.0.0/255.255.0.0 -j REJECT --reject-with icmp-port-unreachable
COMMIT
# Completed on Thu Dec 23 15:01:25 2004
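A reviewer's note on the dump above, with an added audit script that is not part of Jeff's post. iptables evaluates a chain top to bottom and the first rule that matches with a terminating target (DNAT, ACCEPT, REJECT, ...) decides; so in the nat table the later PREROUTING rules for udp/tcp 3568 and 3100:3105 that point at 192.168.0.252 can never fire, because identical matches earlier in the chain already DNAT to 192.168.0.201, and several rules (udp 3568 to .201, the 65.65.0.0/16 REJECT) are simply listed twice. The two 3783 DNAT rules also carry no -i restriction, so they rewrite matching packets arriving on any interface, not only eth1. The script below parses iptables-save output and reports exactly those three conditions: verbatim duplicates, exact-match rules shadowed by an earlier rule with a different target, and DNAT rules without an interface match. The embedded sample is a constructed excerpt modelled on the posted nat table, not the full dump; pass a saved file as the first argument to run it over a real ruleset.

```python
import sys
import shlex
from collections import defaultdict

# Constructed excerpt in iptables-save format (not the full posted dump):
# rule 2 repeats rule 1 verbatim, rule 3 repeats the match with a different
# DNAT target, and rule 4 has no -i restriction.
SAMPLE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p udp -m udp --dport 3568 -j DNAT --to-destination 192.168.0.201
-A PREROUTING -i eth1 -p udp -m udp --dport 3568 -j DNAT --to-destination 192.168.0.201
-A PREROUTING -i eth1 -p udp -m udp --dport 3568 -j DNAT --to-destination 192.168.0.252
-A PREROUTING -p tcp -m tcp --dport 3783 -j DNAT --to-destination 192.168.0.201
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
"""

# Targets after which no later rule in the same chain is consulted for the packet.
TERMINATING = {"ACCEPT", "DROP", "REJECT", "DNAT", "SNAT", "MASQUERADE", "REDIRECT"}


def parse_rules(text):
    """Yield (table, chain, match, target) for every -A line.

    match is the tuple of tokens before -j, target the tuple from -j onward.
    Table headers (*nat), chain policies (:INPUT ...), comments and COMMIT
    are skipped.
    """
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            continue
        if line.startswith(":") or line == "COMMIT":
            continue
        toks = shlex.split(line)
        if len(toks) < 2 or toks[0] != "-A":
            continue
        chain = toks[1]
        if "-j" in toks:
            j = toks.index("-j")
            match, target = tuple(toks[2:j]), tuple(toks[j:])
        else:
            match, target = tuple(toks[2:]), ()
        yield table, chain, match, target


def audit(text):
    """Return findings keyed by kind.

    duplicate      : (chain, match)            same match and target seen earlier
    shadowed       : (chain, match, target)    same match seen earlier with a
                                               different terminating target
    any_iface_dnat : (chain, match)            DNAT rule with no -i restriction
    """
    findings = defaultdict(list)
    first = defaultdict(dict)  # (table, chain) -> {match: first target seen}
    for table, chain, match, target in parse_rules(text):
        key = (table, chain)
        earlier = first[key].get(match)
        if earlier is None:
            first[key][match] = target
        elif earlier == target:
            findings["duplicate"].append((chain, " ".join(match)))
        elif earlier[1:2] and earlier[1] in TERMINATING:
            findings["shadowed"].append((chain, " ".join(match), " ".join(target)))
        if "DNAT" in target and "-i" not in match:
            findings["any_iface_dnat"].append((chain, " ".join(match)))
    return dict(findings)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for kind, items in sorted(audit(text).items()):
        print(kind)
        for item in items:
            print("   ", " | ".join(item))
```

The shadow check is deliberately exact-match only: it will not notice a broader earlier rule (say, one without -p) swallowing a narrower later one, so a clean report is not proof that every rule is reachable. It does, however, catch the most common copy-and-paste outcome seen in the posted table, where an operator adds a forward to a second host and wonders why traffic still lands on the first.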
