Avatar billede ljm21 Praktikant
13. april 2012 - 13:26 Der er 4 kommentarer og
1 løsning

Portforwarding med IPtables

Jeg har lavet en iptables opsætning, hvor min server skal være router og firewall for internt net, samt lave portforwarding til nogle servere.

Desværre virker portforwardingdelen ikke.
Når jeg laver en portscanning udefra er alle porte stealth, og hvis jeg fjerner alle iptabels er de fleste porte lukkede.

Iptables scriptet er lavet med: http://easyfwgen.morizot.net/ (...) og er indsat nedenfor sammen med output fra iptables status.

Er der nogen der kan spotte fejlen i mine iptables?

iptabels.sh:
#!/bin/sh
#
# Generated iptables firewall script for the Linux 2.4 kernel
# Script generated by Easy Firewall Generator for IPTables 1.15
# copyright 2002 Timothy Scott Morizot
#
# Redhat chkconfig comments - firewall applied early,
#                            removed late
# chkconfig: 2345 08 92
# description: This script applies or removes iptables firewall rules
#
# This generator is primarily designed for RedHat installations,
# although it should be adaptable for others.
#
# It can be executed with the typical start and stop arguments.
# If used with stop, it will stop after flushing the firewall.
# The save and restore arguments will save or restore the rules
# from the /etc/sysconfig/iptables file.  The save and restore
# arguments are included to preserve compatibility with
# Redhat's or Fedora's init.d script if you prefer to use it.

# Redhat/Fedora installation instructions
#
# 1. Have the system link the iptables init.d startup script into run states
#    2, 3, and 5.
#    chkconfig --level 235 iptables on
#
# 2. Save this script and execute it to load the ruleset from this file.
#    You may need to run the dos2unix command on it to remove carraige returns.
#
# 3. To have it applied at startup, copy this script to
#    /etc/init.d/iptables.  It accepts stop, start, save, and restore
#    arguments.  (You may wish to save the existing one first.)
#    Alternatively, if you issue the 'service iptables save' command
#    the init.d script should save the rules and reload them at runtime.
#
# 4. For non-Redhat systems (or Redhat systems if you have a problem), you
#    may want to append the command to execute this script to rc.local.
#    rc.local is typically located in /etc and /etc/rc.d and is usually
#    the last thing executed on startup.  Simply add /path/to/script/script_name
#    on its own line in the rc.local file.

###############################################################################
#
# Local Settings
#

# sysctl location.  If set, it will use sysctl to adjust the kernel parameters.
# If this is set to the empty string (or is unset), the use of sysctl
# is disabled.

SYSCTL="/sbin/sysctl -w"

# To echo the value directly to the /proc file instead
# SYSCTL=""

# IPTables Location - adjust if needed

IPT="/sbin/iptables"
IPTS="/sbin/iptables-save"
IPTR="/sbin/iptables-restore"

# Internet Interface
INET_IFACE="eth1"

# Local Interface Information
LOCAL_IFACE="eth0"
LOCAL_IP="192.168.0.3"
LOCAL_NET="192.168.0.0/24"
LOCAL_BCAST="192.168.0.255"

# Localhost Interface

LO_IFACE="lo"
LO_IP="127.0.0.1"

# Save and Restore arguments handled here
if [ "$1" = "save" ]
then
    echo -n "Saving firewall to /etc/sysconfig/iptables ... "
    $IPTS > /etc/sysconfig/iptables
    echo "done"
    exit 0
elif [ "$1" = "restore" ]
then
    echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
    $IPTR < /etc/sysconfig/iptables
    echo "done"
    exit 0
fi

###############################################################################
#
# Load Modules
#

echo "Loading kernel modules ..."

# You should uncomment the line below and run it the first time just to
# ensure all kernel module dependencies are OK.  There is no need to run
# every time, however.

# /sbin/depmod -a

# Unless you have kernel module auto-loading disabled, you should not
# need to manually load each of these modules.  Other than ip_tables,
# ip_conntrack, and some of the optional modules, I've left these
# commented by default.  Uncomment if you have any problems or if
# you have disabled module autoload.  Note that some modules must
# be loaded by another kernel module.

# core netfilter module
/sbin/modprobe ip_tables

# the stateful connection tracking module
/sbin/modprobe ip_conntrack

# filter table module
# /sbin/modprobe iptable_filter

# mangle table module
# /sbin/modprobe iptable_mangle

# nat table module
# /sbin/modprobe iptable_nat

# LOG target module
# /sbin/modprobe ipt_LOG

# This is used to limit the number of packets per sec/min/hr
# /sbin/modprobe ipt_limit

# masquerade target module
# /sbin/modprobe ipt_MASQUERADE

# filter using owner as part of the match
# /sbin/modprobe ipt_owner

# REJECT target drops the packet and returns an ICMP response.
# The response is configurable.  By default, connection refused.
# /sbin/modprobe ipt_REJECT

# This target allows packets to be marked in the mangle table
# /sbin/modprobe ipt_mark

# This target affects the TCP MSS
# /sbin/modprobe ipt_tcpmss

# This match allows multiple ports instead of a single port or range
# /sbin/modprobe multiport

# This match checks against the TCP flags
# /sbin/modprobe ipt_state

# This match catches packets with invalid flags
# /sbin/modprobe ipt_unclean

# The ftp nat module is required for non-PASV ftp support
/sbin/modprobe ip_nat_ftp

# the module for full ftp connection tracking
/sbin/modprobe ip_conntrack_ftp

# the module for full irc connection tracking
/sbin/modprobe ip_conntrack_irc


###############################################################################
#
# Kernel Parameter Configuration
#
# See http://ipsysctl-tutorial.frozentux.net/ (...)
# for a detailed tutorial on sysctl and the various settings
# available.

# Required to enable IPv4 forwarding.
# Redhat users can try setting FORWARD_IPV4 in /etc/sysconfig/network to true
# Alternatively, it can be set in /etc/sysctl.conf
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/ip_forward
else
    $SYSCTL net.ipv4.ip_forward="1"
fi

# This enables dynamic address hacking.
# This may help if you have a dynamic IP address \(e.g. slip, ppp, dhcp\).
#if [ "$SYSCTL" = "" ]
#then
#    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#else
#    $SYSCTL net.ipv4.ip_dynaddr="1"
#fi

# This enables SYN flood protection.
# The SYN cookies activation allows your system to accept an unlimited
# number of TCP connections while still trying to give reasonable
# service during a denial of service attack.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
    $SYSCTL net.ipv4.tcp_syncookies="1"
fi

# This enables source validation by reversed path according to RFC1812.
# In other words, did the response packet originate from the same interface
# through which the source packet was sent?  It's recommended for single-homed
# systems and routers on stub networks.  Since those are the configurations
# this firewall is designed to support, I turn it on by default.
# Turn it off if you use multiple NICs connected to the same network.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
    $SYSCTL net.ipv4.conf.all.rp_filter="1"
fi

# This option allows a subnet to be firewalled with a single IP address.
# It's used to build a DMZ.  Since that's not a focus of this firewall
# script, it's not enabled by default, but is included for reference.
# See: http://www.sjdjweis.com/ (...)
#if [ "$SYSCTL" = "" ]
#then
#    echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#else
#    $SYSCTL net.ipv4.conf.all.proxy_arp="1"
#fi

# The following kernel settings were suggested by Alex Weeks. Thanks!

# This kernel parameter instructs the kernel to ignore all ICMP
# echo requests sent to the broadcast address.  This prevents
# a number of smurfs and similar DoS nasty attacks.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
    $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi

# This option can be used to accept or refuse source routed
# packets.  It is usually on by default, but is generally
# considered a security risk.  This option turns it off.
if [ "$SYSCTL" = "" ]
then
    echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
    $SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi

# This option can disable ICMP redirects.  ICMP redirects
# are generally considered a security risk and shouldn't be
# needed by most systems using this generator.
#if [ "$SYSCTL" = "" ]
#then
#    echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
#else
#    $SYSCTL net.ipv4.conf.all.accept_redirects="0"
#fi

# However, we'll ensure the secure_redirects option is on instead.
# This option accepts only from gateways in the default gateways list.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
    $SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi

# This option logs packets from impossible addresses.
if [ "$SYSCTL" = "" ]
then
    echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
    $SYSCTL net.ipv4.conf.all.log_martians="1"
fi


###############################################################################
#
# Flush Any Existing Rules or Chains
#

echo "Flushing Tables ..."

# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

if [ "$1" = "stop" ]
then
    echo "Firewall completely flushed!  Now running with no firewall."
    exit 0
fi

###############################################################################
#
# Rules Configuration
#

###############################################################################
#
# Filter Table
#
###############################################################################

# Set Policies

$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

###############################################################################
#
# User-Specified Chains
#
# Create user chains to reduce the number of rules each packet
# must traverse.

echo "Create and populate custom rule chains ..."

# Create a chain to filter INVALID packets

$IPT -N bad_packets

# Create another chain to filter bad tcp packets

$IPT -N bad_tcp_packets

# Create separate chains for icmp, tcp (incoming and outgoing),
# and incoming udp packets.

$IPT -N icmp_packets

# Used for UDP packets inbound from the Internet
$IPT -N udp_inbound

# Used to block outbound UDP services from internal network
# Default to allow all
$IPT -N udp_outbound

# Used to allow inbound services if desired
# Default fail except for established sessions
$IPT -N tcp_inbound

# Used to block outbound services from internal network
# Default to allow all
$IPT -N tcp_outbound

###############################################################################
#
# Populate User Chains
#

# bad_packets chain
#

# Drop packets received on the external interface
# claiming a source of the local network
$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j LOG \
    --log-prefix "Illegal source: "

$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP

# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j LOG \
    --log-prefix "Invalid packet: "

$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP

# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets

# All good, so return
$IPT -A bad_packets -p ALL -j RETURN

# bad_tcp_packets chain
#
# All tcp packets will traverse this chain.
# Every new connection attempt should begin with
# a syn packet.  If it doesn't, it is likely a
# port scan.  This drops packets in state
# NEW that are not flagged as syn packets.

# Return to the calling chain if the bad packets originate
# from the local interface. This maintains the approach
# throughout this firewall of a largely trusted internal
# network.
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN

# However, I originally did apply this filter to the forward chain
# for packets originating from the internal network.  While I have
# not conclusively determined its effect, it appears to have the
# interesting side effect of blocking some of the ad systems.
# Apparently some ad systems have the browser initiate a NEW
# connection that is not flagged as a syn packet to retrieve
# the ad image.  If you wish to experiment further comment the
# rule above. If you try it, you may also wish to uncomment the
# rule below.  It will keep those packets from being logged.
# There are a lot of them.
# $IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE ! --syn -m state \
#    --state NEW -j DROP

$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "New not syn: "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG \
    --log-prefix "Stealth scan: "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN

# icmp_packets chain
#
# This chain is for inbound (from the Internet) icmp packets only.
# Type 8 (Echo Request) is not accepted by default
# Enable it if you want remote hosts to be able to reach you.
# 11 (Time Exceeded) is the only one accepted
# that would not already be covered by the established
# connection rule.  Applied to INPUT on the external interface.
#
# See: http://www.ee.siue.edu/ (...)
# for more info on ICMP types.
#
# Note that the stateful settings allow replies to ICMP packets.
# These rules allow new packets of the specified types.

# ICMP packets should fit in a Layer 2 frame, thus they should
# never be fragmented.  Fragmented ICMP packets are a typical sign
# of a denial of service attack.
$IPT -A icmp_packets --fragment -p ICMP -j LOG \
    --log-prefix "ICMP Fragment: "
$IPT -A icmp_packets --fragment -p ICMP -j DROP

# Echo - uncomment to allow your system to be pinged.
# Uncomment the LOG command if you also want to log PING attempts
#
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG \
#    --log-prefix "Ping detected: "
# $IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

# By default, however, drop pings without logging. Blaster
# and other worms have infected systems blasting pings.
# Comment the line below if you want pings logged, but it
# will likely fill your logs.
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP

# Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# Not matched, so return so it will be logged
$IPT -A icmp_packets -p ICMP -j RETURN

# TCP & UDP
# Identify ports at:
#    http://www.chebucto.ns.ca/ (...)
#    http://www.iana.org/ (...)

# udp_inbound chain
#
# This chain describes the inbound UDP packets it will accept.
# It's applied to INPUT on the external or Internet interface.
# Note that the stateful settings allow replies.
# These rules are for new requests.
# It drops netbios packets (windows) immediately without logging.

# Drop netbios calls
# Please note that these rules do not really change the way the firewall
# treats netbios connections.  Connections from the localhost and
# internal interface (if one exists) are accepted by default.
# Responses from the Internet to requests initiated by or through
# the firewall are also accepted by default.  To get here, the
# packets would have to be part of a new request received by the
# Internet interface.  You would have to manually add rules to
# accept these.  I added these rules because some network connections,
# such as those via cable modems, tend to be filled with noise from
# unprotected Windows machines.  These rules drop those packets
# quickly and without logging them.  This prevents them from traversing
# the whole chain and keeps the log from getting cluttered with
# chatter from Windows systems.
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP

# Dynamic Address
# If DHCP, the initial request is a broadcast. The response
# doesn't exactly match the outbound packet.  This explicitly
# allow the DHCP ports to alleviate this problem.
# If you receive your dynamic address by a different means, you
# can probably comment this line.
$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 \
    -j ACCEPT


# Not matched, so return for logging
$IPT -A udp_inbound -p UDP -j RETURN

# udp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# UDP requests on specific protocols.  Applied to the FORWARD rule from
# the internal network.  Ends with an ACCEPT


# No match, so ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

# tcp_inbound chain
#
# This chain is used to allow inbound connections to the
# system/gateway.  Use with care.  It defaults to none.
# It's applied on INPUT from the external or Internet interface.


# Not matched, so return so it will be logged
$IPT -A tcp_inbound -p TCP -j RETURN

# tcp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# requests on specific protocols.  Applied to the FORWARD rule from
# the internal network.  Ends with an ACCEPT


# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

###############################################################################
#
# INPUT Chain
#

echo "Process INPUT chain ..."

# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets

# DOCSIS compliant cable modems
# Some DOCSIS compliant cable modems send IGMP multicasts to find
# connected PCs.  The multicast packets have the destination address
# 224.0.0.1.  You can accept them.  If you choose to do so,
# Uncomment the rule to ACCEPT them and comment the rule to DROP
# them  The firewall will drop them here by default to avoid
# cluttering the log.  The firewall will drop all multicasts
# to the entire subnet (224.0.0.1) by default.  To only affect
# IGMP multicasts, change '-p ALL' to '-p 2'.  Of course,
# if they aren't accepted elsewhere, it will only ensure that
# multicasts on other protocols are logged.
# Drop them without logging.
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
# The rule to accept the packets.
# $IPT -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT

# Rules for the private network (accessing gateway system itself)
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT

# Allow DHCP client request packets inbound from internal network
$IPT -A INPUT -p UDP -i $LOCAL_IFACE --source-port 68 --destination-port 67 \
    -j ACCEPT


# Inbound Internet Packet Rules

# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
    -j ACCEPT

# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

# Drop without logging broadcasts that get this far.
# Cuts down on log clutter.
# Comment this line if testing new rules that impact
# broadcast protocols.
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP

# Log packets that still don't match
$IPT -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "INPUT packet died: "

###############################################################################
#
# FORWARD Chain
#

echo "Process FORWARD chain ..."

# Used if forwarding for a private network

# Drop bad packets
$IPT -A FORWARD -p ALL -j bad_packets

# Accept TCP packets we want to forward from internal sources
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound

# Accept UDP packets we want to forward from internal sources
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound

# If not blocked, accept any other packets from the internal interface
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT

# Deal with responses from the internet
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
    -j ACCEPT

# Port Forwarding is enabled, so accept forwarded traffic
$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 25 \
    --destination 192.168.0.11 -j ACCEPT
 
$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 80 \
    --destination 192.168.0.10 -j ACCEPT
 
$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 143 \
    --destination 192.168.0.11 -j ACCEPT

$IPT -A FORWARD -p udp -i $INET_IFACE --destination-port 143 \
    --destination 192.168.0.11 -j ACCEPT

$IPT -A FORWARD -p tcp -i $INET_IFACE --destination-port 21 \
    --destination 192.168.0.12 -j ACCEPT
 
# Log packets that still don't match
$IPT -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "FORWARD packet died: "

###############################################################################
#
# OUTPUT Chain
#

echo "Process OUTPUT chain ..."

# Generally trust the firewall on output

# However, invalid icmp packets need to be dropped
# to prevent a possible exploit.
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

# To internal network
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT

# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

# Log packets that still don't match
$IPT -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-prefix "OUTPUT packet died: "

###############################################################################
#
# nat table
#
###############################################################################

# The nat table is where network address translation occurs if there
# is a private network.  If the gateway is connected to the Internet
# with a static IP, snat is used.  If the gateway has a dynamic address,
# masquerade must be used instead.  There is more overhead associated
# with masquerade, so snat is better when it can be used.
# The nat table has a builtin chain, PREROUTING, for dnat and redirects.
# Another, POSTROUTING, handles snat and masquerade.

echo "Load rules for nat table ..."

###############################################################################
#
# PREROUTING chain
#

# Port Forwarding
#
# Port forwarding forwards all traffic on a port or ports from
# the firewall to a computer on the internal LAN.  This can
# be required to support special situations.  For instance,
# this is the only way to support file transfers with an ICQ
# client on an internal computer.  It's also required if an internal
# system hosts a service such as a web server.  However, it's also
# a dangerous option.  It allows Internet computers access to
# your internal network.  Use it carefully and only if you're
# certain you know what you're doing.

$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 25 -j DNAT --to-destination 192.168.0.11

$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 80 -j DNAT --to-destination 192.168.0.10

$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 143 -j DNAT --to-destination 192.168.0.11
 
$IPT -t nat -A PREROUTING -p udp -i $INET_IFACE --destination-port 143 -j DNAT --to-destination 192.168.0.11
 
$IPT -t nat -A PREROUTING -p tcp -i $INET_IFACE --destination-port 21 -j DNAT --to-destination 192.168.0.12
 
 
###############################################################################
#
# POSTROUTING chain
#

$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

###############################################################################
#
# mangle table
#
###############################################################################

# The mangle table is used to alter packets.  It can alter or mangle them in
# several ways.  For the purposes of this generator, we only use its ability
# to alter the TTL in packets.  However, it can be used to set netfilter
# mark values on specific packets.  Those marks could then be used in another
# table like filter, to limit activities associated with a specific host, for
# instance.  The TOS target can be used to set the Type of Service field in
# the IP header.  Note that the TTL target might not be included in the
# distribution on your system.  If it is not and you require it, you will
# have to add it.  That may require that you build from source.









echo "Load rules for mangle table ..."

/etc/init.d/iptables status
Tabel: mangle
Chain PREROUTING (policy ACCEPT)
target    prot opt source              destination     

Chain INPUT (policy ACCEPT)
target    prot opt source              destination     

Chain FORWARD (policy ACCEPT)
target    prot opt source              destination     

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination     

Chain POSTROUTING (policy ACCEPT)
target    prot opt source              destination     
Tabel: nat
Chain PREROUTING (policy ACCEPT)
target    prot opt source              destination     
DNAT      tcp  --  anywhere            anywhere            tcp dpt:smtp to:192.168.0.11
DNAT      tcp  --  anywhere            anywhere            tcp dpt:www to:192.168.0.10
DNAT      tcp  --  anywhere            anywhere            tcp dpt:imap2 to:192.168.0.11
DNAT      udp  --  anywhere            anywhere            udp dpt:imap2 to:192.168.0.11
DNAT      tcp  --  anywhere            anywhere            tcp dpt:ftp to:192.168.0.12

Chain POSTROUTING (policy ACCEPT)
target    prot opt source              destination     
MASQUERADE  all  --  anywhere            anywhere         

Chain OUTPUT (policy ACCEPT)
target    prot opt source              destination     
Tabel: filter
Chain INPUT (policy DROP)
target    prot opt source              destination     
ACCEPT    all  --  anywhere            anywhere         
bad_packets  all  --  anywhere            anywhere         
DROP      all  --  anywhere            all-systems.mcast.net
ACCEPT    all  --  192.168.0.0/24      anywhere         
ACCEPT    all  --  anywhere            192.168.0.255   
ACCEPT    udp  --  anywhere            anywhere            udp spt:bootpc dpt:bootps
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
tcp_inbound  tcp  --  anywhere            anywhere         
udp_inbound  udp  --  anywhere            anywhere         
icmp_packets  icmp --  anywhere            anywhere         
DROP      all  --  anywhere            anywhere            PKTTYPE = broadcast
LOG        all  --  anywhere            anywhere            limit: avg 3/min burst 3 LOG level warning prefix `INPUT packet died: '

Chain FORWARD (policy DROP)
target    prot opt source              destination     
bad_packets  all  --  anywhere            anywhere         
tcp_outbound  tcp  --  anywhere            anywhere         
udp_outbound  udp  --  anywhere            anywhere         
ACCEPT    all  --  anywhere            anywhere         
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
ACCEPT    tcp  --  anywhere            192.168.0.11        tcp dpt:smtp
ACCEPT    tcp  --  anywhere            192.168.0.10        tcp dpt:www
ACCEPT    tcp  --  anywhere            192.168.0.11        tcp dpt:imap2
ACCEPT    udp  --  anywhere            192.168.0.11        udp dpt:imap2
ACCEPT    tcp  --  anywhere            192.168.0.12        tcp dpt:ftp
LOG        all  --  anywhere            anywhere            limit: avg 3/min burst 3 LOG level warning prefix `FORWARD packet died: '

Chain OUTPUT (policy DROP)
target    prot opt source              destination     
DROP      icmp --  anywhere            anywhere            state INVALID
ACCEPT    all  --  localhost.localdomain  anywhere         
ACCEPT    all  --  anywhere            anywhere         
ACCEPT    all  --  192.168.0.3          anywhere         
ACCEPT    all  --  anywhere            anywhere         
ACCEPT    all  --  anywhere            anywhere         
LOG        all  --  anywhere            anywhere            limit: avg 3/min burst 3 LOG level warning prefix `OUTPUT packet died: '

Chain bad_packets (2 references)
target    prot opt source              destination     
LOG        all  --  192.168.0.0/24      anywhere            LOG level warning prefix `Illegal source: '
DROP      all  --  192.168.0.0/24      anywhere         
LOG        all  --  anywhere            anywhere            state INVALID LOG level warning prefix `Invalid packet: '
DROP      all  --  anywhere            anywhere            state INVALID
bad_tcp_packets  tcp  --  anywhere            anywhere         
RETURN    all  --  anywhere            anywhere         

Chain bad_tcp_packets (1 references)
target    prot opt source              destination     
RETURN    tcp  --  anywhere            anywhere         
LOG        tcp  --  anywhere            anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW LOG level warning prefix `New not syn: '
DROP      tcp  --  anywhere            anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
LOG        tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE LOG level warning prefix `Stealth scan: '
DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG        tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG LOG level warning prefix `Stealth scan: '
DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
LOG        tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG LOG level warning prefix `Stealth scan: '
DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
LOG        tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG LOG level warning prefix `Stealth scan: '
DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
LOG        tcp  --  anywhere            anywhere            tcp flags:SYN,RST/SYN,RST LOG level warning prefix `Stealth scan: '
DROP      tcp  --  anywhere            anywhere            tcp flags:SYN,RST/SYN,RST
LOG        tcp  --  anywhere            anywhere            tcp flags:FIN,SYN/FIN,SYN LOG level warning prefix `Stealth scan: '
DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN/FIN,SYN
RETURN    tcp  --  anywhere            anywhere         

Chain icmp_packets (1 references)
target    prot opt source              destination     
LOG        icmp -f  anywhere            anywhere            LOG level warning prefix `ICMP Fragment: '
DROP      icmp -f  anywhere            anywhere         
DROP      icmp --  anywhere            anywhere            icmp echo-request
ACCEPT    icmp --  anywhere            anywhere            icmp time-exceeded
RETURN    icmp --  anywhere            anywhere         

Chain tcp_inbound (1 references)
target    prot opt source              destination     
RETURN    tcp  --  anywhere            anywhere         

Chain tcp_outbound (1 references)
target    prot opt source              destination     
ACCEPT    tcp  --  anywhere            anywhere         

Chain udp_inbound (1 references)
target    prot opt source              destination     
DROP      udp  --  anywhere            anywhere            udp dpt:netbios-ns
DROP      udp  --  anywhere            anywhere            udp dpt:netbios-dgm
ACCEPT    udp  --  anywhere            anywhere            udp spt:bootps dpt:bootpc
RETURN    udp  --  anywhere            anywhere         

Chain udp_outbound (1 references)
target    prot opt source              destination     
ACCEPT    udp  --  anywhere            anywhere
Avatar billede lassebm Nybegynder
13. april 2012 - 16:38 #1
Hvad er outputtet af iptables -L ?
Avatar billede lassebm Nybegynder
13. april 2012 - 16:45 #2
Måske du mangler at enable port forward på selve boxen?

echo 1 > /proc/sys/net/ipv4/ip_forward
Avatar billede ljm21 Praktikant
13. april 2012 - 17:50 #3
less /proc/sys/net/ipv4/ip_forward
giver 1
- ellers et godt bud :-)

iptables -L giver:
[root@localhost ~]# iptables -L
Chain INPUT (policy DROP)
target    prot opt source              destination       
ACCEPT    all  --  anywhere            anywhere           
bad_packets  all  --  anywhere            anywhere           
DROP      all  --  anywhere            all-systems.mcast.net
ACCEPT    all  --  192.168.0.0/24      anywhere           
ACCEPT    all  --  anywhere            192.168.0.255     
ACCEPT    udp  --  anywhere            anywhere            udp spt:bootpc dpt:bootps
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED
tcp_inbound  tcp  --  anywhere            anywhere           
udp_inbound  udp  --  anywhere            anywhere           
icmp_packets  icmp --  anywhere            anywhere           
DROP      all  --  anywhere            anywhere            PKTTYPE = broadcast
LOG        all  --  anywhere            anywhere            LOG level warning prefix `fp=INPUT:99 a=DROP '                               
                                                                                                                                           
Chain FORWARD (policy DROP)                                                                                                               
target    prot opt source              destination                                                                                       
bad_packets  all  --  anywhere            anywhere                                                                                       
tcp_outbound  tcp  --  anywhere            anywhere                                                                                       
udp_outbound  udp  --  anywhere            anywhere                                                                                       
ACCEPT    all  --  anywhere            anywhere                                                                                         
ACCEPT    all  --  anywhere            anywhere            state RELATED,ESTABLISHED                                                     
ACCEPT    tcp  --  anywhere            192.168.0.11        tcp dpt:smtp
ACCEPT    tcp  --  anywhere            192.168.0.10        tcp dpt:www
ACCEPT    tcp  --  anywhere            192.168.0.11        tcp dpt:imap2
ACCEPT    tcp  --  anywhere            192.168.0.11        tcp dpt:imap2
ACCEPT    tcp  --  anywhere            192.168.0.12        tcp dpt:ftp
LOG        all  --  anywhere            anywhere            LOG level warning prefix `fp=FORWARD:99 a=DROP '

Chain OUTPUT (policy DROP)
target    prot opt source              destination       
DROP      icmp --  anywhere            anywhere            state INVALID
ACCEPT    all  --  localhost.localdomain  anywhere           
ACCEPT    all  --  anywhere            anywhere           
ACCEPT    all  --  192.168.0.3          anywhere           
ACCEPT    all  --  anywhere            anywhere           
ACCEPT    all  --  anywhere            anywhere           
LOG        all  --  anywhere            anywhere            LOG level warning prefix `fp=OUTPUT:99 a=DROP '

Chain bad_packets (2 references)
target    prot opt source              destination       
LOG        all  --  192.168.0.0/24      anywhere            LOG level warning prefix `fp=bad_packets:2 a=DROP '
DROP      all  --  192.168.0.0/24      anywhere           
LOG        all  --  anywhere            anywhere            state INVALID LOG level warning prefix `fp=bad_packets:1 a=DROP '
DROP      all  --  anywhere            anywhere            state INVALID
bad_tcp_packets  tcp  --  anywhere            anywhere           
RETURN    all  --  anywhere            anywhere           

Chain bad_tcp_packets (1 references)
target    prot opt source              destination       
RETURN    tcp  --  anywhere            anywhere           
LOG        tcp  --  anywhere            anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW LOG level warning prefix `fp=bad_tcp_packets:1 a=DROP '
DROP      tcp  --  anywhere            anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
LOG        tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE LOG level warning prefix `fp=bad_tcp_packets:2 a=DROP '
DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
LOG        tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG LOG level warning prefix `fp=bad_tcp_packets:3 a=DROP '
DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
LOG        tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG LOG level warning prefix `fp=bad_tcp_packets:4 a=DROP '
DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
LOG        tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG LOG level warning prefix `fp=bad_tcp_packets:5 a=DROP '
DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
LOG        tcp  --  anywhere            anywhere            tcp flags:SYN,RST/SYN,RST LOG level warning prefix `fp=bad_tcp_packets:6 a=DROP '
DROP      tcp  --  anywhere            anywhere            tcp flags:SYN,RST/SYN,RST
LOG        tcp  --  anywhere            anywhere            tcp flags:FIN,SYN/FIN,SYN LOG level warning prefix `fp=bad_tcp_packets:7 a=DROP '
DROP      tcp  --  anywhere            anywhere            tcp flags:FIN,SYN/FIN,SYN
RETURN    tcp  --  anywhere            anywhere           

Chain icmp_packets (1 references)
target    prot opt source              destination       
LOG        icmp -f  anywhere            anywhere            LOG level warning prefix `fp=icmp_packets:1 a=DROP '
DROP      icmp -f  anywhere            anywhere           
DROP      icmp --  anywhere            anywhere            icmp echo-request
ACCEPT    icmp --  anywhere            anywhere            icmp time-exceeded
RETURN    icmp --  anywhere            anywhere           

Chain tcp_inbound (1 references)
target    prot opt source              destination       
RETURN    tcp  --  anywhere            anywhere           

Chain tcp_outbound (1 references)
target    prot opt source              destination       
ACCEPT    tcp  --  anywhere            anywhere           

Chain udp_inbound (1 references)
target    prot opt source              destination       
DROP      udp  --  anywhere            anywhere            udp dpt:netbios-ns
DROP      udp  --  anywhere            anywhere            udp dpt:netbios-dgm
ACCEPT    udp  --  anywhere            anywhere            udp spt:bootps dpt:bootpc
RETURN    udp  --  anywhere            anywhere           

Chain udp_outbound (1 references)
target    prot opt source              destination       
ACCEPT    udp  --  anywhere            anywhere
Avatar billede ljm21 Praktikant
13. april 2012 - 19:08 #4
Nedenstående er vist bedre at kigge på. Der er to netkort i maskinen. eth0 er intern og eth1 er ekstern

iptables -L -v
Chain INPUT (policy DROP 1231 packets, 170K bytes)
pkts bytes target    prot opt in    out    source              destination       
399K  52M ACCEPT    all  --  lo    any    anywhere            anywhere           
3208K 9102M bad_packets  all  --  any    any    anywhere            anywhere           
9663  309K DROP      all  --  any    any    anywhere            all-systems.mcast.net
2992K 9032M ACCEPT    all  --  eth0  any    192.168.0.0/24      anywhere           
    0    0 ACCEPT    all  --  eth0  any    anywhere            192.168.0.255     
  263  101K ACCEPT    udp  --  eth0  any    anywhere            anywhere            udp spt:bootpc dpt:bootps
93585  37M ACCEPT    all  --  eth1  any    anywhere            anywhere            state RELATED,ESTABLISHED
13564  636K tcp_inbound  tcp  --  eth1  any    anywhere            anywhere           
97908  32M udp_inbound  udp  --  eth1  any    anywhere            anywhere           
  227  8901 icmp_packets  icmp --  eth1  any    anywhere            anywhere           
    0    0 DROP      all  --  any    any    anywhere            anywhere            PKTTYPE = broadcast
16205 1180K LOG        all  --  any    any    anywhere            anywhere            LOG level warning prefix `fp=INPUT:99 a=DROP '

Chain FORWARD (policy DROP 0 packets, 0 bytes)
pkts bytes target    prot opt in    out    source              destination       
2881K 2361M bad_packets  all  --  any    any    anywhere            anywhere           
1113K  153M tcp_outbound  tcp  --  eth0  any    anywhere            anywhere           
3744  283K udp_outbound  udp  --  eth0  any    anywhere            anywhere           
    0    0 ACCEPT    all  --  eth0  any    anywhere            anywhere           
1763K 2207M ACCEPT    all  --  eth1  any    anywhere            anywhere            state RELATED,ESTABLISHED
  68  3156 ACCEPT    tcp  --  eth1  any    anywhere            192.168.0.11        tcp dpt:smtp
  166  8100 ACCEPT    tcp  --  eth1  any    anywhere            192.168.0.10        tcp dpt:www
  32  1408 ACCEPT    tcp  --  eth1  any    anywhere            192.168.0.11        tcp dpt:imap2
    0    0 ACCEPT    tcp  --  eth1  any    anywhere            192.168.0.11        tcp dpt:imap2
  61  2800 ACCEPT    tcp  --  eth1  any    anywhere            192.168.0.12        tcp dpt:ftp
    0    0 LOG        all  --  any    any    anywhere            anywhere            LOG level warning prefix `fp=FORWARD:99 a=DROP '

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target    prot opt in    out    source              destination       
    0    0 DROP      icmp --  any    any    anywhere            anywhere            state INVALID
395K  51M ACCEPT    all  --  any    any    localhost.localdomain  anywhere           
4019  576K ACCEPT    all  --  any    lo      anywhere            anywhere           
1634K  176M ACCEPT    all  --  any    any    192.168.0.3          anywhere           
  17  968 ACCEPT    all  --  any    eth0    anywhere            anywhere           
94092 7365K ACCEPT    all  --  any    eth1    anywhere            anywhere           
    0    0 LOG        all  --  any    any    anywhere            anywhere            LOG level warning prefix `fp=OUTPUT:99 a=DROP '

Chain bad_packets (2 references)
pkts bytes target    prot opt in    out    source              destination       
    0    0 LOG        all  --  eth1  any    192.168.0.0/24      anywhere            LOG level warning prefix `fp=bad_packets:2 a=DROP '
    0    0 DROP      all  --  eth1  any    192.168.0.0/24      anywhere           
1036 47443 LOG        all  --  any    any    anywhere            anywhere            state INVALID LOG level warning prefix `fp=bad_packets:1 a=DROP '
1036 47443 DROP      all  --  any    any    anywhere            anywhere            state INVALID
5492K  11G bad_tcp_packets  tcp  --  any    any    anywhere            anywhere           
6088K  11G RETURN    all  --  any    any    anywhere            anywhere           

Chain bad_tcp_packets (1 references)
pkts bytes target    prot opt in    out    source              destination       
3708K 9122M RETURN    tcp  --  eth0  any    anywhere            anywhere           
  154 61779 LOG        tcp  --  any    any    anywhere            anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW LOG level warning prefix `fp=bad_tcp_packets:1 a=DROP '
  154 61779 DROP      tcp  --  any    any    anywhere            anywhere            tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
    0    0 LOG        tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE LOG level warning prefix `fp=bad_tcp_packets:2 a=DROP '
    0    0 DROP      tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0    0 LOG        tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG LOG level warning prefix `fp=bad_tcp_packets:3 a=DROP '
    0    0 DROP      tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
    0    0 LOG        tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG LOG level warning prefix `fp=bad_tcp_packets:4 a=DROP '
    0    0 DROP      tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
    0    0 LOG        tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG LOG level warning prefix `fp=bad_tcp_packets:5 a=DROP '
    0    0 DROP      tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,ACK,URG
    0    0 LOG        tcp  --  any    any    anywhere            anywhere            tcp flags:SYN,RST/SYN,RST LOG level warning prefix `fp=bad_tcp_packets:6 a=DROP '
    0    0 DROP      tcp  --  any    any    anywhere            anywhere            tcp flags:SYN,RST/SYN,RST
    0    0 LOG        tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,SYN/FIN,SYN LOG level warning prefix `fp=bad_tcp_packets:7 a=DROP '
    0    0 DROP      tcp  --  any    any    anywhere            anywhere            tcp flags:FIN,SYN/FIN,SYN
1784K 2219M RETURN    tcp  --  any    any    anywhere            anywhere           

Chain icmp_packets (1 references)
pkts bytes target    prot opt in    out    source              destination       
    0    0 LOG        icmp -f  any    any    anywhere            anywhere            LOG level warning prefix `fp=icmp_packets:1 a=DROP '
    0    0 DROP      icmp -f  any    any    anywhere            anywhere           
  227  8901 DROP      icmp --  any    any    anywhere            anywhere            icmp echo-request
    0    0 ACCEPT    icmp --  any    any    anywhere            anywhere            icmp time-exceeded
    0    0 RETURN    icmp --  any    any    anywhere            anywhere           

Chain tcp_inbound (1 references)
pkts bytes target    prot opt in    out    source              destination       
13564  636K RETURN    tcp  --  any    any    anywhere            anywhere           

Chain tcp_outbound (1 references)
pkts bytes target    prot opt in    out    source              destination       
1113K  153M ACCEPT    tcp  --  any    any    anywhere            anywhere           

Chain udp_inbound (1 references)
pkts bytes target    prot opt in    out    source              destination       
    0    0 DROP      udp  --  any    any    anywhere            anywhere            udp dpt:netbios-ns
    0    0 DROP      udp  --  any    any    anywhere            anywhere            udp dpt:netbios-dgm
95267  32M ACCEPT    udp  --  any    any    anywhere            anywhere            udp spt:bootps dpt:bootpc
2641  544K RETURN    udp  --  any    any    anywhere            anywhere           

Chain udp_outbound (1 references)
pkts bytes target    prot opt in    out    source              destination       
3744  283K ACCEPT    udp  --  any    any    anywhere            anywhere
Avatar billede ljm21 Praktikant
28. april 2012 - 11:16 #5
Lukker...
Avatar billede Ny bruger Nybegynder

Din løsning...

Tilladte BB-code-tags: [b]fed[/b] [i]kursiv[/i] [u]understreget[/u] Web- og emailadresser omdannes automatisk til links. Der sættes "nofollow" på alle links.

Loading billede Opret Preview
Kategori
IT-kurser om Microsoft 365, sikkerhed, personlig vækst, udvikling, digital markedsføring, grafisk design, SAP og forretningsanalyse.

Log ind eller opret profil

Hov!

For at kunne deltage på Computerworld Eksperten skal du være logget ind.

Det er heldigvis nemt at oprette en bruger: Det tager to minutter og du kan vælge at bruge enten e-mail, Facebook eller Google som login.

Du kan også logge ind via nedenstående tjenester