Toon posts:

[farcry] iptables firewall instellingen

Pagina: 1
Acties:

dinsdag 16 november 2004 22:02

Acties:
  • nzyme
  • Registratie: November 2001
  • Laatst online: 28-11 23:41

nzyme

terror

Topicstarter
goed, ik probeer dus om mn server(tevens gateway voor mn netwerk) op internet te krijgen en tot nu toe heb ik het volgende:

apache is middels geportforward vanaf de speedtouch(de echte router/adsl modem) naar de server en is via inet te vinden, evenals ssh. Beide werken perfect.
Nu Farcry nog... en dat is hopeloos. Poort 49001 udp heb ik geforward naar de server... en ik zie m als "greyed out" in de lijst, wat aangeeft dat r iets fout zit in de firewall :?
code:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175

#! /bin/sh
# Ethernet Startup Script
RANGE_LO="127.0.0.0/255.0.0.0"
RANGE_LAN="192.168.168.0/255.255.255.0"
RANGE_INET="10.0.0.0/255.0.0.0"
IFACE_LO=lo
IFACE_LAN=eth0
IFACE_INET=eth1
IP_LO="127.0.0.1"
IP_LAN="192.168.168.1"
IP_INET="10.0.0.99" 
GATEWAY="10.0.0.138"
GATEWAYDEV=eth1
FWIP1="192.168.168.11"
FWIP2="192.168.168.12"
FWIP3="192.168.168.13"

echo "=========================="
echo "= Setting up firewall... ="

iptables -t filter --flush
iptables -t filter --zero
iptables -t nat --flush
iptables -t nat --zero
iptables -t mangle --flush
iptables -t mangle --zero

iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT DROP
iptables -t filter -P FORWARD DROP
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward
#for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do
#    echo 1 > $f
#done
#for f in /proc/sys/net/ipv4/conf/*/accept_redirects ; do
#    echo 0 > $f
#done
#for f in /proc/sys/net/ipv4/conf/*/send_redirects ; do
#    echo 0 > $f
#done
#for f in /proc/sys/net/ipv4/conf/*/accept_source_route ; do
#    echo 0 > $f
#done
#for f in /proc/sys/net/ipv4/conf/*/log_martians ; do
#    echo 1 > $f
#done
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#echo 1 > /proc/sys/net/ipv4/ip_dynaddr

echo "Accept from loopback"
iptables -t filter -A INPUT -i $IFACE_LO -j ACCEPT
iptables -t filter -A OUTPUT -o $IFACE_LO -j ACCEPT
#iptables -t filter -A INPUT -i $IFACE_LAN -j ACCEPT
#iptables -t filter -A OUTPUT -o $IFACE_LAN -j ACCEPT

iptables -t filter -A INPUT -i $IFACE_INET -f -j LOG --log-prefix "FRAGMENT "
iptables -t filter -A INPUT -i $IFACE_INET -f -j DROP

echo "Masquerade (NAT)"
iptables -A POSTROUTING -t nat -o $IFACE_INET -j MASQUERADE
iptables -A FORWARD -i $IFACE_LAN -o $IFACE_INET -s $RANGE_LAN -d ! $RANGE_LAN -j ACCEPT
iptables -A FORWARD -o $IFACE_LAN -i $IFACE_INET -d $RANGE_LAN -s ! $RANGE_LAN -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -t filter -A OUTPUT -o $GATEWAYDEV -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A INPUT -i $GATEWAYDEV -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A OUTPUT -o $GATEWAYDEV -p tcp --tcp-flags ACK,SYN SYN -j ACCEPT

echo "ICMP settings"
iptables -A INPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -m limit --limit 2/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 5 -m limit --limit 2/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -m limit --limit 10/s -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 3 -m limit --limit 2/s -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 8 -m limit --limit 2/s -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 0 -m limit --limit 2/s -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type 11 -m limit --limit 10/s -j ACCEPT

### LOCAL ###
echo "Local network..."
#echo "DNS requests"
# DNS REQUESTS
#iptables -A INPUT -i $IFACE_LAN -p udp --source-port 53 -j ACCEPT
#iptables -A OUTPUT -o $IFACE_LAN -p udp --destination-port 53 -j ACCEPT
echo "HTTP server"
# HTTP SERVER
iptables -A INPUT -i $IFACE_LAN -p tcp --destination-port 80 -j ACCEPT
iptables -A OUTPUT -o $IFACE_LAN -p tcp --source-port 80 -j ACCEPT
echo "SSH server"
# SSH SERVER
iptables -A INPUT -i $IFACE_LAN -p tcp --destination-port 22 -j ACCEPT
iptables -A OUTPUT -o $IFACE_LAN -p tcp --source-port 22 -j ACCEPT
#echo "FTP server"
# FTP SERVER
#iptables -A INPUT -i $IFACE_LAN -p tcp -m state --state NEW,ESTABLISHED --destination-port 20 -j ACCEPT
#iptables -A OUTPUT -o $IFACE_LAN -p tcp -m state --state ESTABLISHED,RELATED --source-port 20 -j ACCEPT
#iptables -A INPUT -i $IFACE_LAN -p tcp -m state --state NEW,ESTABLISHED --destination-port 21 -j ACCEPT
#iptables -A OUTPUT -o $IFACE_LAN -p tcp -m state --state ESTABLISHED,RELATED --source-port 21 -j ACCEPT
# PASSIVE FTP
#iptables -A INPUT -i $IFACE_LAN -p tcp -m state --state ESTABLISHED,RELATED --destination-port 1024:65535 -j ACCEPT
#iptables -A OUTPUT -o $IFACE_LAN -p tcp -m state --state ESTABLISHED,RELATED --source-port 1024:65535 -j ACCEPT
echo "SMB server"
#SMB SERVER
iptables -A INPUT -i $IFACE_LAN -p tcp --destination-port 445 -j ACCEPT
iptables -A OUTPUT -o $IFACE_LAN -p tcp --source-port 445 -j ACCEPT
iptables -A INPUT -i $IFACE_LAN -p tcp --destination-port 137:139 -j ACCEPT
iptables -A OUTPUT -o $IFACE_LAN -p tcp --source-port 137:139 -j ACCEPT
iptables -A INPUT -i $IFACE_LAN -p udp --destination-port 137:139 -j ACCEPT
iptables -A OUTPUT -o $IFACE_LAN -p udp --source-port 137:139 -j ACCEPT
### END OF LOCAL ###

### START OF INET ###
echo "Internet..."
# DNS REQUESTS
iptables -A INPUT -i $IFACE_INET -p udp --source-port 53 -j ACCEPT
iptables -A OUTPUT -o $IFACE_INET -p udp --destination-port 53 -j ACCEPT
# HTTP SERVER
iptables -A INPUT -i $IFACE_INET -p tcp --destination-port 80 -j ACCEPT
iptables -A OUTPUT -o $IFACE_INET -p tcp --source-port 80 -j ACCEPT
# SSH SERVER
iptables -A INPUT -i $IFACE_INET -p tcp --destination-port 22 -j ACCEPT
iptables -A OUTPUT -o $IFACE_INET -p tcp --source-port 22 -j ACCEPT
# FTP SERVER
#iptables -A INPUT -i $IFACE_INET -p tcp -m state --state NEW,ESTABLISHED --destination-port 20 -j ACCEPT
#iptables -A OUTPUT -o $IFACE_INET -p tcp -m state --state ESTABLISHED,RELATED --source-port 20 -j ACCEPT
#iptables -A INPUT -i $IFACE_INET -p tcp -m state --state NEW,ESTABLISHED --destination-port 21 -j ACCEPT
#iptables -A OUTPUT -o $IFACE_INET -p tcp -m state --state ESTABLISHED,RELATED --source-port 21 -j ACCEPT
# PASSIVE FTP
#iptables -A INPUT -i $IFACE_INET -p tcp -m state --state ESTABLISHED,RELATED --destination-port 1024:65535 -j ACCEPT
#iptables -A OUTPUT -o $IFACE_INET -p tcp -m state --state ESTABLISHED,RELATED --source-port 1024:65535 -j ACCEPT
### END OF INET ###

#echo "LOGGING"
#iptables -A INPUT -j LOG --log-prefix "INPUT FILTERED "
#iptables -A OUTPUT -j LOG --log-prefix "OUTPUT FILTERED "
#iptables -A FORWARD -j LOG --log-prefix "FORWARD FILTERED "

#iptables -A INPUT -i $IFACE_INET -p tcp --destination-port 1:1024 -j DROP
#iptables -A OUTPUT -o $IFACE_INET -p tcp --source-port 1:1024 -j DROP

echo "Building forwarding rules"
iptables -A INPUT -i $IFACE_INET -p tcp --source-port 40000:42999 -j ACCEPT
iptables -A OUTPUT -o $IFACE_INET -p tcp --destination-port 40000:42999 -j ACCEPT

#iptables -A INPUT -i $IFACE_INET -p udp --source-port 41005 -j ACCEPT
#iptables -A OUTPUT -o $IFACE_INET -p udp --destination-port 41005 -j ACCEPT

iptables -A INPUT -i $IFACE_INET -p udp --source-port 41006 -j ACCEPT
iptables -A OUTPUT -o $IFACE_INET -p udp --destination-port 41006 -j ACCEPT

#iptables -A INPUT -i $IFACE_INET -p udp --source-port 44000 -j ACCEPT
#iptables -A OUTPUT -o $IFACE_INET -p udp --destination-port 44000 -j ACCEPT

iptables -A INPUT -i $IFACE_INET -p udp --destination-port 49001 -j ACCEPT
iptables -A OUTPUT -o $IFACE_INET -p udp --source-port 49001 -j ACCEPT 
#iptables -A INPUT -i $IFACE_INET -p udp --source-port 49001 -j ACCEPT
#iptables -A OUTPUT -o $IFACE_INET -p udp --destination-port 49001 -j ACCEPT 

#iptables -t nat -A PREROUTING -p tcp --dport 49001 -j DNAT --to-destination $FWIP1

echo "= Firewall is running ! ="
echo "========================="

# EOF #


dr zijn nogal wat regels voorzien van een # dus je kan wel een beetje zien wat ik geprobeerd heb...

vanaf me eigen pc zou ik niet kunne connecten(wegens NAT enzo), maar maten lukt t ook niet vanaf ergens anders... connecten met deze firewallrules naar andere servers wil wel evenals normaal internetten.

verder bood de pdf die bij de linux zipfile kwam geen oplossing en ook niet enkele fora (farcry.ubi.com farcryforums farcryarena etc)...

8)7

of zou deze beter in NOS passen O-)

| Hardcore - Terror |

Reageer

Apple iPhone 17 LG OLED evo G5 Google Pixel 10 Samsung Galaxy S25 Star Wars: Outlaws Nintendo Switch 2 Apple AirPods Pro (2e generatie) Sony PlayStation 5 Pro

Tweakers is onderdeel van DPG Media B.V.
Alle rechten voorbehouden - Auteursrecht © 1998 - 2025 Hosting door TrueFullstaq