Login or Register to Ask a Question and Join Our Community


Cybersecurity

iptables Local Lan Issues

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Special Forums Cybersecurity iptables Local Lan Issues
# 1  
Old 06-19-2013
iptables Local Lan Issues
I recently installed Centos 6 and is my SOHO firewall/router. The small network is layout like such:
Code:
        |--eth0(WAN)
Centos 6(firewall/router)
        |---eth1(LAN)
        |
     Switch
        |
        |
       LAN(192.168.3.0/27)
        |
        |
PCs ----Laptops---Printer

I can ping my devices from the firewall and talk to all my devices from the firewall(eth1). Now the issue is when I am on my laptop(on the LAN), oddly I can only talk to a few devices on my LAN(the firewall interface(eth1) and only the AP) but nothing else. I know it has to be something that I changed inadvertently by accident in my iptables ruleset that I cannot pinpoint out. Its a bit long but here it is:
Code:
 #! /bin/sh

IPTABLES="/sbin/iptables"

case "$1" in
   stop)
      echo "Shutting down firewall..."
      $IPTABLES -F
      $IPTABLES -F -t mangle
      $IPTABLES -F -t nat
      $IPTABLES -X
      $IPTABLES -X -t mangle
      $IPTABLES -X -t nat
      
      $IPTABLES -P INPUT ACCEPT
      $IPTABLES -P OUTPUT ACCEPT
      $IPTABLES -P FORWARD ACCEPT
     echo "...done"
      ;;
   status)
      echo $"Table: filter"
      iptables --list
      echo $"Table: nat"
      iptables -t nat --list
      echo $"Table: mangle"
      iptables -t mangle --list
      ;;
   restart|reload)
      $0 stop
      $0 start
      ;;
   start)
   echo "Starting Firewall..."
    echo ""

##--------------------------Begin Firewall---------------------------------##

#----Default-Interfaces-----#
EXTIF="eth0"
INTIF="eth1"
#DMZ_IFACE="eth2"
INTLAN="192.168.3.0/27"
#DMZ_LAN="192.168.2.0/27"
#VONAGE="192.168.2.10"
#DMZ_VOIP_SERVER="192.168.2.2"
VPNIF="tun0"
VPNNET="192.168.4.0/27"
#VPNIP="192.168.4.1"
SQUID_BOX="127.0.0.1"
DG_PORT="8080"
#----Special Variables-----#

# IP Mask for all IP addresses
UNIVERSE="0.0.0.0/0"

# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"

# Specification of X Window System (TCP) ports.
#XWINPORTS="6000:6063"

# Ports for IRC-Connection-Tracking
#IRCPORTS="6665,6666,6667,6668,6669,7000"

# DMZ UDP ports
#DMZUDP="1024:1030,5060:5065,10000:20000"
####PS2 PORTS####

#----Flood Variables-----#

# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMIT="5/s"
# Burst Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"

# Overall Limit for Loggging in Logging-Chains
LOGLIMIT="2/s"
# Burst Limit for Logging in Logging-Chains
LOGLIMITBURST="10"

# Overall Limit for Ping-Flood-Detection
PINGLIMIT="5/s"
# Burst Limit for Ping-Flood-Detection
PINGLIMITBURST="10"

echo "Loading IPTABLES modules"

dmesg -n 1 #Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
#/sbin/modprobe ip_conntrack_sip
#/sbin/modprobe ip_nat_sip
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
#/sbin/modprobe ip_nat_irc ports=$IRCPORTS
dmesg -n 6

echo " --- "


#----Clear/Reset all chains-----#

#Clear all IPTABLES-chains

#Flush everything, start from scratch
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

#Set default policies to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#----Set network sysctl options-----#
echo "Setting sysctl options"
#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
#Disabling IP Spoofing attacks.
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#Set out local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo " --- "
echo "Creating user-chains"
#----Create logging chains-----#

#Invalid packets (not ESTABLISHED,RELATED or NEW)
$IPTABLES -N LINVALID
$IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=INVALID:1 a=DROP " --log-level 4
$IPTABLES -A LINVALID -j DROP
#TCP-Packets with one ore more bad flags
$IPTABLES -N LBADFLAG
$IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=BADFLAG:1 a=DROP " --log-level 4
$IPTABLES -A LBADFLAG -j DROP
#Logging of connection attempts on special ports (Trojan portscans, special services, etc.)
$IPTABLES -N LSPECIALPORT
$IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SPECIALPORT:1 a=DROP " --log-level 4
$IPTABLES -A LSPECIALPORT -j DROP
	
#Logging of possible TCP-SYN-Floods
$IPTABLES -N LSYNFLOOD
$IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP " --log-level 4
$IPTABLES -A LSYNFLOOD -j DROP
	
#Logging of possible Ping-Floods
$IPTABLES -N LPINGFLOOD
$IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP " --log-level 4
$IPTABLES -A LPINGFLOOD -j DROP


#All other dropped packets
$IPTABLES -N LDROP
$IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP " --log-level 4
$IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP " --log-level 4
$IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP " --log-level 4
$IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP " --log-level 4
$IPTABLES -A LDROP -j DROP

#All other rejected packets
$IPTABLES -N LREJECT
$IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=REJECT " --log-level 4
$IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=REJECT " --log-level 4
$IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=REJECT " --log-level 4
$IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=REJECT " --log-level 4	 
$IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A LREJECT -j REJECT

#----Create Accept-Chains-----#
#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in
	
$IPTABLES -N TCPACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
$IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT

#----Create special User-Chains-----#

#CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)

$IPTABLES -N CHECKBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG

	#Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs)

#SMB-Traffic
$IPTABLES -N SMB
$IPTABLES -A SMB -p tcp --dport 137 -j DROP
$IPTABLES -A SMB -p tcp --dport 138 -j DROP
$IPTABLES -A SMB -p tcp --dport 139 -j DROP
$IPTABLES -A SMB -p tcp --dport 445 -j DROP
$IPTABLES -A SMB -p udp --dport 137 -j DROP
$IPTABLES -A SMB -p udp --dport 138 -j DROP
$IPTABLES -A SMB -p udp --dport 139 -j DROP
$IPTABLES -A SMB -p udp --dport 445 -j DROP
$IPTABLES -A SMB -p tcp --sport 137 -j DROP
$IPTABLES -A SMB -p tcp --sport 138 -j DROP
$IPTABLES -A SMB -p tcp --sport 139 -j DROP
$IPTABLES -A SMB -p tcp --sport 445 -j DROP
$IPTABLES -A SMB -p udp --sport 137 -j DROP
$IPTABLES -A SMB -p udp --sport 138 -j DROP
$IPTABLES -A SMB -p udp --sport 139 -j DROP
$IPTABLES -A SMB -p udp --sport 445 -j DROP

	#Inbound Special Ports
	
$IPTABLES -N SPECIALPORTS
		
#Deepthroat Scan
$IPTABLES -A SPECIALPORTS -p  tcp --dport 6670 -j LSPECIALPORT
  
#Subseven Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p udp --dport 1243 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 27374 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p udp --dport 27374 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 -j LSPECIALPORT  
  
#Netbus Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 12345:12346 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j LSPECIALPORT
  
#Back Orifice scan
$IPTABLES -A SPECIALPORTS -p udp --dport 31337:31338 -j LSPECIALPORT
  
#X-Win
#$IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS  -j LSPECIALPORT

#Hack'a'Tack 2000
$IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT

#ICMP/TRACEROUTE FILTERING
	
#Inbound ICMP/Traceroute
	
$IPTABLES -N ICMPINBOUND
		
#Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD

##Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled)

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LDROP

#Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled)

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LDROP

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LDROP

#Block ICMP-address-mask (can help to prevent OS-fingerprinting)

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LDROP

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LDROP


  		#Allow all other ICMP in
$IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT


	
	#Outbound ICMP/Traceroute
	
$IPTABLES -N ICMPOUTBOUND
	
		#Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LDROP
  
  		#Block ICMP-TTL-Expired
		#MS Traceroute (MS uses ICMP instead of UDp for tracert)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LDROP
  
  		#Block ICMP-Parameter-Problem
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LDROP
  
  		#Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LDROP

  		#Block ICMP-address-mask (can help to prevent OS-fingerprinting)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LDROP


  		##Accept all other ICMP going out
$IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT

#----End User-Chains-----#	

echo " --- "

#----Start Ruleset-----#

echo "Implementing firewall rules..."

#################
## INPUT-Chain ## (everything that is addressed to the firewall itself)
#################

##GENERAL Filtering

  # Kill INVALID packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A INPUT -m state --state INVALID -j LINVALID
  
  # Check TCP-Packets for Bad Flags 
$IPTABLES -A INPUT -p tcp -j CHECKBADFLAG


##Packets FROM FIREWALL-BOX ITSELF

  #Local IF

$IPTABLES -A INPUT -i lo -j ACCEPT


#Kill connections to the local interface from the outside world (--> Should be already catched by kernel/rp_filter)

$IPTABLES -A INPUT -d 127.0.0.0 -j LREJECT

#Tranparent proxy settings

#$IPTABLES -A INPUT -m tcp -p tcp -s ! 127.0.0.1 --dport 3128 -j DROP

##Packets FROM INTERNAL NET

 ##Allow unlimited traffic from internal network using legit addresses to firewall-box
 ##If protection from the internal interface is needed, alter it

$IPTABLES -A INPUT -i $INTIF -s $INTLAN -j ACCEPT

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -p tcp --dport 12022 -m state --state NEW -j ACCEPT

###################################VPN############################################################

$IPTABLES -A INPUT -i $EXTIF -p tcp -s $UNIVERSE --dport 1723 -j ACCEPT 

# Allow TUN interface connections to OpenVPN server

$IPTABLES -A INPUT -i $VPNIF -j ACCEPT
$IPTABLES -A INPUT -i $VPNIF -j DROP

##ICMP & Traceroute filtering

  #Block UDP-Traceroute

$IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP

  #Drop all SMB-Traffic
$IPTABLES -A INPUT -i $EXTIF -j SMB
  
  #Silently reject Ident (Don't DROP ident, because of possible delays when establishing an outbound connection)

$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT --reject-with tcp-reset
 
############Separate logging of special portscans/connection attempts #######################

$IPTABLES -A INPUT -i $EXTIF -j SPECIALPORTS

 ##Allow ESTABLISHED/RELATED connections in
  
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED,ESTABLISHED -j TCPACCEPT
 
#Transparent/Danguardian

#$IPTABLES -A INPUT  -i $INTIF -p tcp -s $INTLAN --dport $DG_PORT -m state --state NEW -j ACCEPT

##Catch all rule
$IPTABLES -A INPUT -j LDROP

##################
## Output-Chain ## (everything that comes directly from the Firewall-Box)
##################

##Packets TO FIREWALL-BOX ITSELF

  #Local IF
$IPTABLES -A OUTPUT -o lo -j ACCEPT

##Packets TO INTERNAL NET

  #Allow unlimited traffic to internal network using legit addresses

$IPTABLES -A OUTPUT -o $INTIF -s $INTLAN -j ACCEPT

$IPTABLES -A OUTPUT -o $EXTIF -p ALL -j ACCEPT

$IPTABLES -A OUTPUT -o $INTIF -p ALL -j ACCEPT

$IPTABLES -A OUTPUT -o $EXTIF -s $INTLAN -j ACCEPT

######################################## VPN #####################################################

$IPTABLES -A OUTPUT -o $EXTIF -s $VPNNET -j ACCEPT

$IPTABLES -A OUTPUT -o $VPNIF -s $VPNNET -j ACCEPT

$IPTABLES -A OUTPUT -o $VPNIF -j ACCEPT

$IPTABLES -A OUTPUT -o $EXTIF -j ACCEPT

$IPTABLES -A OUTPUT -j LDROP

####################
## FORWARD-Chain  ## (everything that passes the firewall, incoming)
####################

##GENERAL Filtering

  #Kill invalid packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A FORWARD -m state --state INVALID -j LINVALID
 
  # Check TCP-Packets for Bad Flags 
$IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG

  ##Silent Drops/Rejects (Things we don't want in our logs)

   #SMB
$IPTABLES -A FORWARD -o $EXTIF -j SMB

 ##Port-Forwarding from Ports < 1024 [outbound] (--> Also see chain PREROUTING)

   #HTTP-Forwarding

##Allow all other forwarding (from Ports > 1024) from Internal Net to External Net
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p udp --sport $UNPRIVPORTS -j ACCEPT

$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p icmp  -j ACCEPT

######################################## VPN ##################################################################

$IPTABLES -A FORWARD -i $VPNIF -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -i $VPNIF -s $VPNNET -j ACCEPT

$IPTABLES -A FORWARD -o $VPNIF -s $INTLAN  -j ACCEPT

$IPTABLES -A FORWARD -i $VPNIF -j ACCEPT

$IPTABLES -A FORWARD -o $VPNIF -j ACCEPT

$IPTABLES -A FORWARD -i $EXTIF -j SMB
  
  ##Allow replies coming in
  $IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
  $IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT

########################################## DMZ #########################################################################

#$IPTABLES -A FORWARD -i $DMZ_IFACE -o $EXTIF -j ACCEPT 
#$IPTABLES -A FORWARD -i $EXTIF -o $DMZ_IFACE -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -i $INTIF -o $DMZ_IFACE -j ACCEPT
#$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT  

#$IPTABLES -A FORWARD -p tcp -i $INTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 12444 -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 5050:5065 -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 10000:20000 -m state --state NEW -j ACCEPT

#$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $VONAGE --dport 5050:5065 -m state --state NEW -j ACCEPT
#$IPTABLES -A FORWARD -p udp -i $EXTIF -o $DMZ_IFACE -d $VONAGE --dport 10000:20000 -m state --state NEW -j ACCEPT

################################################## Zoneminder WEB Interface ##############################################################################3

#$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $INTIF -d 192.168.3.22 --dport 8080 -m state --state NEW -j ACCEPT

################################################## VOIP ASTERISK WEB Interface ##############################################################################3

#$IPTABLES -A FORWARD -p tcp -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_SERVER --dport 80 -m state --state NEW -j ACCEPT

##Catch all rule/Deny every other forwarding

$IPTABLES -A FORWARD -j LDROP

################
## PREROUTING ##
################

##Port-Forwarding (--> Also see chain FORWARD)

######################################################## SSH ################################################################

#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 5900 -j DNAT --to-destination 192.168.3.30 
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 12022 -j DNAT --to-destination $DMZ_SSH_SERVER

#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 8080 -j DNAT --to-destination 192.168.3.22 

######################################################### HTTP ############################################################

#$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 3128 -j DNAT --to $WEB_FILTER:8080

#$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 3128 -j REDIRECT --to $WEB_FILTER:8080
#$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 3128 -j REDIRECT --to $DG_PORT

#Transparent Proxy crap

$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp -d ! $SQUID_BOX --dport 80 -j REDIRECT --to-ports $DG_PORT

######################################### ASTERISK VOIP SERVER####################################################################################################
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 513 -j DNAT --to-destination $DMZ_VOIP_SERVER


#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 12444 -j DNAT --to-destination $DMZ_VOIP_SERVER

#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 5050:5065 -j DNAT --to-destination $DMZ_VOIP_SERVER
#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF -d $DMZ_HTTPIP --dport 53 -j DNAT --to-destination $DMZ_PC_IP


#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 5050:5065 -j DNAT --to-destination $VONAGE

#$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 10000:20000 -j DNAT --to-destination $VONAGE

###################
##  POSTROUTING  ##
###################

#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $INTLAN -d $SQUID_FILTER -j MASQUERADE

#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s $DMZ_LAN -d $DMZ_IP -j MASQUERADE
 
  #Masquerade from Internal Net to External Net
  $IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE

#------End Ruleset------#

echo "...done"
echo ""


echo "--> IPTABLES firewall loaded/activated <--"


##--------------------------------End Firewall---------------------------------##

   ;;
   *)
      echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF"
      exit 1
esac

exit 0

I believe it would be an OUTPUT rule that is missing or wrong. ??

---------- Post updated at 04:25 PM ---------- Previous update was at 01:58 PM ----------

To paint a better picture, here is a nmap scan from my laptop looking for port 80 that is definately open that can be seen from the firewall itself

from the laptop sitting on the 192.168.3.0/27 subnet
Code:
Nmap scan report for 192.168.3.16
Host is up.
PORT   STATE    SERVICE
80/tcp filtered http

and respectively from the firewall
Code:
Nmap scan report for 192.168.3.16
Host is up (0.013s latency).
PORT   STATE SERVICE
80/tcp open  http

What is so weird is that there are some targets that I can see from both sides. I will have to run a sniffer and see what I can come up with.
# 2  
Old 06-19-2013
Somewhere there should be a log you can tap or turn on to see what rule is stopping which packet.
# 3  
Old 06-27-2013
update. oddly nothing show up in the logs so I created a completely different iptables ruleset using
Easy Firewall Generator for iptables
with these basic rule set:
Code:
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
  104  8828 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
  605 75520 bad_packets  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.1           
   86 14040 ACCEPT     all  --  eth1   *       192.168.3.0/27       0.0.0.0/0           
    0     0 ACCEPT     all  --  eth1   *       0.0.0.0/0            192.168.3.31        
    0     0 ACCEPT     udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           udp spt:68 dpt:67 
    0     0 ACCEPT     all  --  eth1   *       192.168.3.0/27       0.0.0.0/0           
  519 61480 ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:12022 state NEW 
    0     0 tcp_inbound  tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 udp_inbound  udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 icmp_packets  icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `fp=INPUT:99 a=DROP ' 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
19460   18M bad_packets  all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 6692  364K tcp_outbound  tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
  567 39083 udp_outbound  udp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    2   450 ACCEPT     all  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
12172   17M ACCEPT     all  --  eth0   *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `fp=FORWARD:99 a=DROP ' 
    0     0 ACCEPT     all  --  eth1   192.168.3.0/27  0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     all  --  192.168.3.0/27 eth1    0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
  100  8660 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0           
    4   168 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
  112  9065 ACCEPT     all  --  *      *       192.168.3.1          0.0.0.0/0           
    0     0 ACCEPT     all  --  *      eth1    0.0.0.0/0            0.0.0.0/0           
  385 70632 ACCEPT     all  --  *      eth0    0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `fp=OUTPUT:99 a=DROP ' 

Chain bad_packets (2 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        all  --  eth0   *       192.168.3.0/27       0.0.0.0/0           LOG flags 0 level 4 prefix `fp=bad_packets:2 a=DROP ' 
    0     0 DROP       all  --  eth0   *       192.168.3.0/27       0.0.0.0/0           
   27  1188 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID LOG flags 0 level 4 prefix `fp=bad_packets:1 a=DROP ' 
   27  1188 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
18861   17M bad_tcp_packets  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
20038   18M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain bad_tcp_packets (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 6775  377K RETURN     tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0           
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW LOG flags 0 level 4 prefix `fp=bad_tcp_packets:1 a=DROP ' 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW 
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:2 a=DROP ' 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00 
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F LOG flags 0 level 4 prefix `fp=bad_tcp_packets:3 a=DROP ' 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F 
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:4 a=DROP ' 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29 
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x37 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:5 a=DROP ' 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x37 
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:6 a=DROP ' 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06 
    0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03 LOG flags 0 level 4 prefix `fp=bad_tcp_packets:7 a=DROP ' 
    0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03 
12086   17M RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain icmp_packets (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 LOG        icmp -f  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `fp=icmp_packets:1 a=DROP ' 
    0     0 DROP       icmp -f  *      *       0.0.0.0/0            0.0.0.0/0           
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 
    0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain tcp_inbound (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain tcp_outbound (1 references)
 pkts bytes target     prot opt in     out     source               destination         
 6692  364K ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain udp_inbound (1 references)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:137 
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp dpt:138 
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           udp spt:67 dpt:68 
    0     0 RETURN     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain udp_outbound (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  567 39083 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0

and I still cannot communicate but with only certain ips within my LAN:

From my firewall:
Code:
  Starting Nmap 5.51 ( http://nmap.org ) at 2013-06-27 15:04 EDT
Initiating ARP Ping Scan at 15:04
Scanning 192.168.3.0 [1 port]
Completed ARP Ping Scan at 15:04, 0.42s elapsed (1 total hosts)
Nmap scan report for 192.168.3.0 [host down]
Initiating Parallel DNS resolution of 1 host. at 15:04
Completed Parallel DNS resolution of 1 host. at 15:04, 0.03s elapsed
Initiating ARP Ping Scan at 15:04
Scanning 30 hosts [1 port/host]
Completed ARP Ping Scan at 15:04, 1.35s elapsed (30 total hosts)
Initiating Parallel DNS resolution of 30 hosts. at 15:04
Completed Parallel DNS resolution of 30 hosts. at 15:04, 0.04s elapsed
Nmap scan report for 192.168.3.2 [host down]
Nmap scan report for 192.168.3.3 [host down]
Nmap scan report for 192.168.3.4 [host down]
Nmap scan report for 192.168.3.5 [host down]
Nmap scan report for 192.168.3.6 [host down]
Nmap scan report for 192.168.3.7 [host down]
Nmap scan report for 192.168.3.8 [host down]
Nmap scan report for 192.168.3.9 [host down]
Nmap scan report for 192.168.3.10 [host down]
Initiating Connect Scan at 15:04
Scanning 192.168.3.1 [1 port]
Completed Connect Scan at 15:04, 0.00s elapsed (1 total ports)
Nmap scan report for 192.168.3.1
Host is up (0.00013s latency).
PORT   STATE  SERVICE
80/tcp closed http

Nmap scan report for 192.168.3.12 [host down]
Nmap scan report for 192.168.3.13 [host down]
Nmap scan report for 192.168.3.15 [host down]
Nmap scan report for 192.168.3.16 [host down]
Nmap scan report for 192.168.3.17 [host down]
Nmap scan report for 192.168.3.19 [host down]
Nmap scan report for 192.168.3.21 [host down]
Nmap scan report for 192.168.3.22 [host down]
Nmap scan report for 192.168.3.23 [host down]
Nmap scan report for 192.168.3.24 [host down]
Nmap scan report for 192.168.3.25 [host down]
Nmap scan report for 192.168.3.26 [host down]
Nmap scan report for 192.168.3.27 [host down]
Nmap scan report for 192.168.3.28 [host down]
Nmap scan report for 192.168.3.29 [host down]
Nmap scan report for 192.168.3.30 [host down]
Nmap scan report for 192.168.3.31 [host down]
Initiating Connect Scan at 15:04
Scanning 4 hosts [1 port/host]
Discovered open port 80/tcp on 192.168.3.20
Completed Connect Scan at 15:04, 0.00s elapsed (4 total ports)
Nmap scan report for 192.168.3.11
Host is up (0.00068s latency).
PORT   STATE  SERVICE
80/tcp closed http
MAC Address: 02:03:05:CD:06:04 (ZyXEL Communications)

Nmap scan report for 192.168.3.14
Host is up (0.32s latency).
PORT   STATE  SERVICE
80/tcp closed http
MAC Address: A9:54:C2:0B:D1:70 (Unknown)

Nmap scan report for 192.168.3.18
Host is up (0.41s latency).
PORT   STATE  SERVICE
80/tcp closed http
MAC Address: C8:32:CA:DF:1B:79 (Unknown)

Nmap scan report for 192.168.3.20
Host is up (0.25s latency).
PORT   STATE SERVICE
80/tcp open  http
MAC Address: 7C:DD:90:39:65:3C (Unknown)

Read data files from: /usr/share/nmap
Nmap done: 32 IP addresses (5 hosts up) scanned in 1.96 seconds
           Raw packets sent: 61 (1.708KB) | Rcvd: 7 (196B)

and from a laptop within my LAN:
Code:
Starting Nmap 6.00 ( http://nmap.org ) at 2013-06-27 15:04 EDT
Initiating ARP Ping Scan at 15:04
Scanning 14 hosts [1 port/host]
Completed ARP Ping Scan at 15:04, 0.43s elapsed (14 total hosts)
Initiating Parallel DNS resolution of 14 hosts. at 15:04
Completed Parallel DNS resolution of 14 hosts. at 15:04, 0.03s elapsed
Nmap scan report for 192.168.3.0 [host down]
Nmap scan report for 192.168.3.2 [host down]
Nmap scan report for 192.168.3.3 [host down]
Nmap scan report for 192.168.3.4 [host down]
Nmap scan report for 192.168.3.5 [host down]
Nmap scan report for 192.168.3.6 [host down]
Nmap scan report for 192.168.3.7 [host down]
Nmap scan report for 192.168.3.8 [host down]
Nmap scan report for 192.168.3.9 [host down]
Nmap scan report for 192.168.3.10 [host down]
Nmap scan report for 192.168.3.12 [host down]
Nmap scan report for 192.168.3.13 [host down]
Initiating Parallel DNS resolution of 1 host. at 15:04
Completed Parallel DNS resolution of 1 host. at 15:04, 0.02s elapsed
Initiating Connect Scan at 15:04
Scanning 2 hosts [1 port/host]
Completed Connect Scan at 15:04, 0.00s elapsed (2 total ports)
Nmap scan report for 192.168.3.1
Host is up (0.0038s latency).
PORT   STATE  SERVICE
80/tcp closed http
MAC Address: 00:19:5B:69:C3:B1 (D-Link)

Nmap scan report for 192.168.3.11
Host is up (0.0020s latency).
PORT   STATE  SERVICE
80/tcp closed http
MAC Address: 02:03:05:CD:06:04 (ZyXEL Communications)

Initiating ARP Ping Scan at 15:04
Scanning 17 hosts [1 port/host]
Completed ARP Ping Scan at 15:04, 0.81s elapsed (17 total hosts)
Nmap scan report for 192.168.3.15 [host down]
Nmap scan report for 192.168.3.16 [host down]
Nmap scan report for 192.168.3.17 [host down]
Nmap scan report for 192.168.3.18 [host down]
Nmap scan report for 192.168.3.19 [host down]
Nmap scan report for 192.168.3.20 [host down]
Nmap scan report for 192.168.3.21 [host down]
Nmap scan report for 192.168.3.22 [host down]
Nmap scan report for 192.168.3.23 [host down]
Nmap scan report for 192.168.3.24 [host down]
Nmap scan report for 192.168.3.25 [host down]
Nmap scan report for 192.168.3.26 [host down]
Nmap scan report for 192.168.3.27 [host down]
Nmap scan report for 192.168.3.28 [host down]
Nmap scan report for 192.168.3.29 [host down]
Nmap scan report for 192.168.3.30 [host down]
Nmap scan report for 192.168.3.31 [host down]
Initiating Connect Scan at 15:04
Scanning 192.168.3.14 [1 port]
Completed Connect Scan at 15:04, 0.00s elapsed (1 total ports)
Nmap scan report for 192.168.3.14
Host is up (0.00015s latency).
PORT   STATE  SERVICE
80/tcp closed http

Read data files from: /usr/bin/../share/nmap
Nmap done: 32 IP addresses (3 hosts up) scanned in 1.36 seconds
           Raw packets sent: 60 (1.680KB) | Rcvd: 2 (56B)

What rule am I missing?
# 4  
Old 06-27-2013
Well, failure to communicate due to firewalling is going to log a refused packet.

If you are lacking something basic like a route, and the ICMP report back was blocked, that can also give this sort of error, but you said it worked with the old rules?
# 5  
Old 06-27-2013
thanks for the reply. It didnt work with the old rules or the new. I am using CENTOS 6.4. Could it be something locally that is blocking packets to other host within the same subnet. This is really odd. I even did a packet capture and cant even see any icmp attempts at all orginating from the laptop in which it was envoked to the CENTOS firewall/gateway's interface.
# 6  
Old 06-28-2013
What protocols do you want to use/are you testing with?
# 7  
Old 06-28-2013
for now I am using ICMP pings and nmap SYN scans. I switched back to my original firewall rules and continue my research. These are my exact steps that I am using to test what is going on:

eth0 - internet
eth1 - LAN

On the server terminal 1:
Code:
root@cli>tail -f /var/log/*

terminal 2:
Code:
tcpdump -i eth1 -s 1600 -nvS -w sniff.pcap

and then from any laptop. I precede with my testing as normal

Code:
ping 192.168.3.18

and or
Code:
nmap -v -sT -p 80 192.168.3.18

which shows nothing from either the logs on the server and or in my packet capture that I look at through wireshark. But I can ping 192.168.3.18 find and can see TCP:80 open on the target just fine from the server. Its driving me crazy.
Last edited by metallica1973; 06-28-2013 at 09:49 PM..
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. IP Networking

Debugging NAT / prerouting issues (iptables)

Hello, Recently I discovered an issue with packet routing in the latest Android releases (4.4+ KitKat & Lollipop). It seems that the problem Android specific, but essentially it comes from the Linux kernel. I already filed a bug report to Google. You can see the details by searching for... (0 Replies)
Discussion started by: Vladislav
0 Replies

2. Red Hat

iptables applied in local machine, can't ssh remote machine after chain changed to DROP

I want to SSH to 192.168.1.15 Server from my machine, my ip was 192.168.1.99 Source Destination was UP, with IP 192.168.1.15. This is LAN Network there are 30 Machine's Connected to the network and working fine, I'm Playing around the local machine's because I need to apply the same rules in... (2 Replies)
Discussion started by: babinlonston
2 Replies

3. Shell Programming and Scripting

Block local and remote port with iptables - Script BASH

Hello I'm beginner in the linux scripting and i would like to get help. I want to create a script that can block one or more Port even see all the TCP port. The ports must be blocked even when starting my machine. Of course requires a second script which will allow the ports that you want to... (0 Replies)
Discussion started by: houstaf
0 Replies

4. UNIX for Dummies Questions & Answers

Routing issue - local vs LAN

hi guys suse 11 SP1 x64 I have a server (4 NIC ports 192.168.100.100-103) that connects point to point to a storage device (same thing 4 ports 192.168.110.100-113) but this server connects to normal LAN 10.6.100.x - gateway 10.6.100.1 the issue is when testing connectivity to the storage... (7 Replies)
Discussion started by: karlochacon
7 Replies

5. Red Hat

Different hostnames with reboot while lan cable, no lan cable

I am facing strange problem regarding hostname on my Linux(2.6.18-164.el5xen x86_64 GNU/Linux), the hostname changes if reboot with lan cable and with NO lan cable Reboot with lan cable: The hostname is ubunut Unable to connect Oracle database using sqlplus some times database is not... (2 Replies)
Discussion started by: LinuxLearner
2 Replies

6. AIX

Do I need to configure my local windows to FTP files from local windows to a UNIX AIX server?

Hi Friends, I have this script for ftping files from AIX server to local windows xp. #!/bin/sh HOST='localsystem.net' USER='myid_onlocal' PASSWD='mypwd_onlocal' FILE='file.txt' ##This is a file on server(AIX) ftp -n $HOST <<END_SCRIPT quote USER $USER quote PASS $PASSWD put $FILE... (1 Reply)
Discussion started by: rajsharma
1 Replies

7. IP Networking

Local Lan, no-ip directed DNS forward, surf within lan

Hi, We have a website running on a local centos 5.4 surfer, static IP. The domain.com uses no-ip.com to take care of the DNS, it forwards all to my server. My router receives the port 80 call, routes it to my server and the world can see domain.com perfectly fine. However, we cannot see... (3 Replies)
Discussion started by: lawstudent
3 Replies

8. Solaris

How to configure private LAN and coporate LAN on the same machine-Solaris10

Hi , I am trying to configure a private LAN and corporate LAN on the same machien on Solaris 10. How can I achieve this? Thanks (1 Reply)
Discussion started by: deedee
1 Replies

9. UNIX for Dummies Questions & Answers

Iptables, samba for bigger LAN

Hey! Iam going to set up a bigger LAN.Server have 4 network adapters. -----------*0---------- | | | | ----*1-----*2-----*3- Network adapret *0 will be for DSL, *1 for like 30 computers windows xp installed on,*1 will have to... (1 Reply)
Discussion started by: net555
1 Replies

10. UNIX for Dummies Questions & Answers

why i have local.profile, local.cshrc,local.login instead of .profile, .login ?

Hello again ! Thanks for response of my first question. there is my second quesiton why i have local.profile instead of .profile file ? my all files in pwd shoes local. before any file. is anybody can tell me about that ? Thanks Abid Malik (5 Replies)
Discussion started by: abidmalik
5 Replies
Login or Register to Ask a Question