Seagate GoFlex Home Firewall Disable for Port Forwarding

İnternette bu konuyu çok aradım ve hiç bir sonuç bulamadım bu sebeple ingilizce olarak yazıyorum.

I tried to forward some ports to open access a few services (DLNA, SMB, ... etc)
However I've figured out that Seagate GoFlex Home has an internal firewall that made by script which denys the nat request from internet. For example if you want to forward port 8200 445 139 etc, it is blocked by the firewall. You can access these ports from your local lan however no chance from internet. Today my genius friend solved my issue then I wanted to share it.

Here are the steps.... Enjoy!!!

- Login your seagate goFlex Home via ssh (you can find login procedure over internet)
- type sudo -s -E
- the command for disabling firewall is:
/sbin/iptables -F
Prior to go forward, I recommend you to test it via port check tools where you can find them on google.

If you want to make the changes perminant, you can find the steps below:
Note: This is you own risk your goFlex home might not boot after change, mine is rebooted as expected.

- add /etc/rc.local file the command.
/sbin/iptables -F

my file looks like following

bash-3.2# cd /etc
bash-3.2# cat rc.local
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.

touch /var/lock/subsys/local
/sbin/ldconfig
/usr/bin/ubifs_repair.sh
/sbin/iptables -F

it is not enough to disable the firewall you might skip the above step, it is up to you.

- Modify the /etc/init.d/iptables script.You can find my original script and the modified one below.

ORIGINAL:

#!/bin/bash
#
# Startup script to implement /etc/sysconfig/iptables pre-defined rules.
#
# chkconfig: 2345 08 92
#
# description: Automates a packet filtering firewall with iptables.
#
# by bero@redhat.com, based on the ipchains script:
# Script Author: Joshua Jensen <joshua@redhat.com>
# -- hacked up by gafton with help from notting
# modified by Anton Altaparmakov <aia21@cam.ac.uk>:
# modified by Nils Philippsen <nils@redhat.de>
# Heavily modified by OEone.. No longer uses iptables-restore.
#
# config: /etc/iptables

# Source 'em up
. /etc/init.d/functions

IPTABLES_CONFIG=/etc/iptables/config

if [ -f $IPTABLES_CONFIG ] ; then
. $IPTABLES_CONFIG
fi

OEADMIN_CONFIG=/etc/oe-admin.conf
export WANIF=`grep '^WANInterface' $OEADMIN_CONFIG | awk '{print $2;}'`
export LANIF=`grep '^LANInterface' $OEADMIN_CONFIG | awk '{print $2;}'`
export WLANIF=`grep '^wirelessInterface' $OEADMIN_CONFIG | awk '{print $2;}'`
export PPPIF=`grep '^PPPInterface' $OEADMIN_CONFIG | awk '{print $2;}'`
export PROFILES_DIR=`grep '^profilesDir' $OEADMIN_CONFIG | awk '{print $2;}'`
export DEF_PROFILE=`grep '^defaultProfile' $OEADMIN_CONFIG | awk '{print $2;}'`

if [ ! -x /sbin/iptables ]; then
exit 0
fi

getipaddr() {
# Include LAN network config
. "$PROFILES_DIR/$DEF_PROFILE/ifcfg-$LANIF"
IPADDR=`ifconfig $LANIF | awk '/inet addr/' | sed 's/.*inet addr:$[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*$.*/\1/'`
NETMASK=`ifconfig $LANIF | awk '/inet addr/' | sed 's/.*Mask:$[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*$.*/\1/'`
}

getipaddr

if /sbin/lsmod 2>/dev/null |grep -q ipchains ; then
# Don't do both
exit 0
fi

iftable() {
if fgrep -qsx $1 /proc/net/ip_tables_names; then
iptables -t "$@"
fi
}

die() {
failure $"Applying iptables firewall rules"
echo
exit
}

load_modules() {
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_pptp
# Bug 16877: we do not use or compile the nf_* modules, so comment
# out to avoid ugly errors in boot sequence
# /sbin/modprobe nf_nat_proto_gre
# /sbin/modprobe nf_conntrack_proto_gre
# /sbin/modprobe nf_conntrack_pptp
# /sbin/modprobe nf_conntrack_ftp
/sbin/modprobe iptable_filter
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe xt_state
/sbin/modprobe xt_tcpudp
/sbin/modprobe xt_mac

}

flush() {
action $"Flushing all current rules and user defined chains:" iptables -F
action $"Clearing all current rules and user defined chains:" iptables -X
tables=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $tables; do iptables -t $i -F; done && \
success $"Flushing all current rules and user defined chains:" || \
failure $"Flushing all current rules and user defined chains:"
for i in $tables; do iptables -t $i -X; done && \
success $"Clearing all current rules and user defined chains:" || \
failure $"Clearing all current rules and user defined chains:"
for i in $tables; do iptables -t $i -Z; done
}

startsmall() {
load_modules
# If we don't clear these first, we might be adding to
# pre-existing rules.
flush
echo $"Applying reduced iptables firewall rules: "

# Default policies -- start out restrictive
iptables -P INPUT DROP || die
iptables -P FORWARD DROP || die
iptables -P OUTPUT ACCEPT || die

# and allow DHCP
iptables -A INPUT -p UDP --dport bootpc -j ACCEPT || die

# allow local connections as best we can
iptables -A INPUT -i lo -j ACCEPT || echo 'no lo interface'
iptables -A INPUT -s 127.0.0.1 -j ACCEPT || echo 'no 127.0.0.1 address'

success $"Applying reduced iptables firewall rules"
echo
}

start() {
load_modules
# If we don't clear these first, we might be adding to
# pre-existing rules.
flush

echo $"Applying iptables firewall rules: "
# nat: POSTROUTING
iptables -t nat -N POSTROUTING-OUT || die
if [ -n "$WANIF" -a "$LANIF" != "$WANIF" ] ; then
iptables -t nat -A POSTROUTING -s $IPADDR/$NETMASK -o $WANIF -j POSTROUTING-OUT || die
fi
if [ -n "$PPPIF" -a "$LANIF" != "$PPPIF" ] ; then
iptables -t nat -A POSTROUTING -s $IPADDR/$NETMASK -o $PPPIF -j POSTROUTING-OUT || die
fi
iptables -t nat -A POSTROUTING-OUT -j MASQUERADE

# nat: PREROUTING
if [ -f /etc/iptables/alternate-ports ] ; then
. /etc/iptables/alternate-ports
# -n does not work for these
if [ ! -z $HTTP_PORT ] ; then
iptables -t nat -A PREROUTING -p tcp --dport $HTTP_PORT -j DNAT --to $IPADDR:80
fi
if [ ! -z $HTTPS_PORT ] ; then
iptables -t nat -A PREROUTING -p tcp --dport $HTTPS_PORT -j DNAT --to $IPADDR:443
fi
fi

iptables -t nat -N PREROUTING-WEB || die
iptables -t nat -A PREROUTING -i $LANIF -d $IPADDR -j ACCEPT || die
iptables -t nat -A PREROUTING -i $LANIF -p tcp --dport 80 -j PREROUTING-WEB || die

if [ -f /etc/iptables/content-filtering-macs ]; then
for mac in `cat /etc/iptables/content-filtering-macs` ; do
iptables -t nat -A PREROUTING-WEB -m mac --mac-source $mac -p tcp -j REDIRECT --to-port 3128
done || die
fi
if [ -f /etc/iptables/content-filtering-ips ]; then
for ip in `cat /etc/iptables/content-filtering-ips` ; do
iptables -t nat -A PREROUTING-WEB -s $ip -p tcp -j REDIRECT --to-port 3128
done || die
fi

if [ "${CONTENT_FILTERING}" = "yes" ]; then
iptables -t nat -A PREROUTING-WEB -p tcp -j REDIRECT --to-port 3128
else
iptables -t nat -A PREROUTING-WEB -j ACCEPT || die
fi

if [ -f /etc/iptables/port-forwarding ]; then
iptables -t nat -N PREROUTING-IN || die
if [ -n "$WANIF" -a "$LANIF" != "$WANIF" ] ; then
iptables -t nat -A PREROUTING -i $WANIF -j PREROUTING-IN || die
fi
if [ -n "$PPPIF" -a "$LANIF" != "$PPPIF" ] ; then
iptables -t nat -A PREROUTING -i $PPPIF -j PREROUTING-IN || die
fi

awk '{system("iptables -t nat -A PREROUTING-IN -p " $2 " --dport " $1 " -j DNAT --to " $3 ($4 ~ /^[0-9]+:[0-9]+$/ ? (sub( /:/, "-", $4) ? ":" $4 : "" ) : "") );}' /etc/iptables/port-forwarding || die

# forwarding GRE packets: (they go to a host that is receiving 1723 TCP packets if comment field is PPtP

awk '{ /1723:1723 tcp [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ PPtP/ && system ("iptables -t nat -A PREROUTING-IN -p 47 -j DNAT --to " $3);}' /etc/iptables/port-forwarding || die
fi

# filter: FORWARD
if [ -f /etc/iptables/no-wan-macs ]; then
for mac in `cat /etc/iptables/no-wan-macs` ; do
iptables -A FORWARD -m mac --mac-source $mac -j REJECT --reject-with icmp-admin-prohibited
done || die
fi
if [ -f /etc/iptables/no-wan-ips ]; then
for ip in `cat /etc/iptables/no-wan-ips` ; do
iptables -A FORWARD -s $ip -j REJECT --reject-with icmp-admin-prohibited
done || die
fi

if [ -f /etc/iptables/no-wan-ports ]; then
awk '{system("iptables -A FORWARD -p " $1 " --dport " $2 " -j REJECT --reject-with icmp-admin-prohibited");}' /etc/iptables/no-wan-ports || die
fi

# filter: INPUT
iptables -N INPUT-INTERNAL || die

iptables -A INPUT -i lo -j ACCEPT || die
iptables -A INPUT -p tcp --dport 515 -j REJECT || die # lpd
iptables -A INPUT -s $IPADDR/$NETMASK -j INPUT-INTERNAL || die
iptables -I INPUT -s 169.254.0.0/16 -j INPUT-INTERNAL || die
# Let the related packets in the server itself.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || die

# External blocks.
# Please note that we have changed the default policy of accept to drop.
if [ -z "${BLOCK_ICMP_ECHO_EXT}" ]; then
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT || die
fi
if [ -z "${BLOCK_HTTP_EXT}" ]; then
iptables -A INPUT -p tcp --dport 80 -j ACCEPT || die
fi
if [ -z "${BLOCK_HTTPS_EXT}" ]; then
iptables -A INPUT -p tcp --dport 443 -j ACCEPT || die
fi
if [ -z "${BLOCK_SSH_EXT}" ]; then
iptables -A INPUT -p tcp --dport 22 -j ACCEPT || die
fi
if [ -z "${BLOCK_FTP_EXT}" -o "${BLOCK_FTP_EXT}" = "no" ]; then
iptables -A INPUT -p tcp --dport 20 -j ACCEPT || die
iptables -A INPUT -p tcp --dport 21 -j ACCEPT || die
# Accept port range 50000 to 50001 for FTPS
iptables -A INPUT -p tcp --destination-port 50000:50001 -j ACCEPT || die
fi

# Accept the 3rd party ports that are set to be opened:
if [ ! -z "${TCP_OPEN_PORTS_EXT}" ]; then
for port in $TCP_OPEN_PORTS_EXT; do
iptables -A INPUT -p tcp --dport $port -j ACCEPT || die
done
fi
if [ ! -z "${UDP_OPEN_PORTS_EXT}" ]; then
for port in $UDP_OPEN_PORTS_EXT; do
iptables -A INPUT -p udp --dport $port -j ACCEPT || die
done
fi

# Make sure remote IDENT requests are rejected, so that they get
# on with whatever is happening
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with icmp-admin-prohibited || die

# Drop everything else.

iptables -A INPUT -j DROP || die

# WLAN blocks.
if [ -f /etc/iptables/wlan-allow-macs ]; then
for mac in `cat /etc/iptables/wlan-allow-macs` ; do
iptables -A INPUT -m mac --mac-source $mac -j ACCEPT || die
done || die
fi

if [ -f /etc/iptables/wlan-deny-macs ]; then
for mac in `cat /etc/iptables/wlan-deny-macs` ; do
iptables -A INPUT -m mac --mac-source $mac -j DROP || die
done || die
fi

if [ "${BLOCK_WLAN}" = "yes" ]; then
if [ -f /etc/iptables/wireless-filter ]; then
. /etc/iptables/wireless-filter
fi
fi

# Internal blocks

if [ "${BLOCK_SSH_INT}" = "yes" ]; then
iptables -A INPUT-INTERNAL -p tcp --dport 22 -j REJECT --reject-with icmp-admin-prohibited || die
fi
if [ "${BLOCK_FTP_INT}" = "yes" ]; then
iptables -A INPUT-INTERNAL -p tcp --dport 20 -j REJECT --reject-with icmp-admin-prohibited || die
iptables -A INPUT-INTERNAL -p tcp --dport 21 -j REJECT --reject-with icmp-admin-prohibited || die
fi
# Block the 3rd party ports that are set to be closed internally:
if [ ! -z "${TCP_CLOSED_PORTS_INT}" ]; then
for port in $TCP_CLOSED_PORTS_INT; do
iptables -A INPUT -p tcp --dport $port -j REJECT --reject-with icmp-admin-prohibited || die
done
fi
if [ ! -z "${UDP_CLOSED_PORTS_INT}" ]; then
for port in $UDP_CLOSED_PORTS_INT; do
iptables -A INPUT -p udp --dport $port -j REJECT --reject-with icmp-admin-prohibited || die
done
fi

iptables -A INPUT-INTERNAL -j ACCEPT || die

success $"Applying iptables firewall rules"
echo
touch /var/lock/subsys/iptables
}

case "$1" in
start|ifdown)
startsmall
;;

ifup)
I=0
while [ -z "$IPADDR" -a $I -lt 12 ] ; do
/bin/sleep 5s
getipaddr
I=$(($I+1))
done
if [ -n "$IPADDR" ] ; then
start
fi
;;

stop)
echo -n "NOT stopping iptables"
success
;;

restart)
# "restart" is really just "start" as this isn't a daemon,
# and "start" clears any pre-defined rules anyway.
# This is really only here to make those who expect it happy
#start
if [ -n "$IPADDR" ]; then
start
else
startsmall
(/bin/sleep 5s ; /etc/init.d/iptables ifup) &
fi
;;

condrestart)
[ -e /var/lock/subsys/iptables ] && start
;;

status)
tables=`cat /proc/net/ip_tables_names 2>/dev/null`
for table in $tables; do
echo $"Table: $table"
iptables -t $table --list
done
;;

panic)
echo -n $"Changing target policies to DROP: "
iftable filter -P INPUT DROP && \
iftable filter -P FORWARD DROP && \
iftable filter -P OUTPUT DROP && \
iftable nat -P PREROUTING DROP && \
iftable nat -P POSTROUTING DROP && \
iftable nat -P OUTPUT DROP && \
iftable mangle -P PREROUTING DROP && \
iftable mangle -P OUTPUT DROP && \
success $"Changing target policies to DROP" || \
failure $"Changing target policies to DROP"
echo
iftable filter -F INPUT && \
iftable filter -F FORWARD && \
iftable filter -F OUTPUT && \
iftable nat -F PREROUTING && \
iftable nat -F POSTROUTING && \
iftable nat -F OUTPUT && \
iftable mangle -F PREROUTING && \
iftable mangle -F OUTPUT && \
success $"Flushing all chains:" || \
failure $"Flushing all chains:"
iftable filter -X INPUT && \
iftable filter -X FORWARD && \
iftable filter -X OUTPUT && \
iftable nat -X PREROUTING && \
iftable nat -X POSTROUTING && \
iftable nat -X OUTPUT && \
iftable mangle -X PREROUTING && \
iftable mangle -X OUTPUT && \
success $"Removing user defined chains:" || \
failure $"Removing user defined chains:"
;;

*)
echo $"Usage: $0 {start|stop|ifup|ifdown|restart|condrestart|status|panic}"
exit 1
esac

exit 0

MODIFIED:

#!/bin/bash
#
# Startup script to implement /etc/sysconfig/iptables pre-defined rules.
#
# chkconfig: 2345 08 92
#
# description: Automates a packet filtering firewall with iptables.
#
# by bero@redhat.com, based on the ipchains script:
# Script Author: Joshua Jensen <joshua@redhat.com>
# -- hacked up by gafton with help from notting
# modified by Anton Altaparmakov <aia21@cam.ac.uk>:
# modified by Nils Philippsen <nils@redhat.de>
# Heavily modified by OEone.. No longer uses iptables-restore.
#
# config: /etc/iptables

# Source 'em up
. /etc/init.d/functions

IPTABLES_CONFIG=/etc/iptables/config

if [ -f $IPTABLES_CONFIG ] ; then
. $IPTABLES_CONFIG
fi

OEADMIN_CONFIG=/etc/oe-admin.conf
export WANIF=`grep '^WANInterface' $OEADMIN_CONFIG | awk '{print $2;}'`
export LANIF=`grep '^LANInterface' $OEADMIN_CONFIG | awk '{print $2;}'`
export WLANIF=`grep '^wirelessInterface' $OEADMIN_CONFIG | awk '{print $2;}'`
export PPPIF=`grep '^PPPInterface' $OEADMIN_CONFIG | awk '{print $2;}'`
export PROFILES_DIR=`grep '^profilesDir' $OEADMIN_CONFIG | awk '{print $2;}'`
export DEF_PROFILE=`grep '^defaultProfile' $OEADMIN_CONFIG | awk '{print $2;}'`

if [ ! -x /sbin/iptables ]; then
exit 0
fi

getipaddr() {
# Include LAN network config
. "$PROFILES_DIR/$DEF_PROFILE/ifcfg-$LANIF"
IPADDR=`ifconfig $LANIF | awk '/inet addr/' | sed 's/.*inet addr:$[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*$.*/\1/'`
NETMASK=`ifconfig $LANIF | awk '/inet addr/' | sed 's/.*Mask:$[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*$.*/\1/'`
}

getipaddr

if /sbin/lsmod 2>/dev/null |grep -q ipchains ; then
# Don't do both
exit 0
fi

iftable() {
if fgrep -qsx $1 /proc/net/ip_tables_names; then
iptables -t "$@"
fi
}

die() {
failure $"Applying iptables firewall rules"
echo
exit
}

load_modules() {
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_pptp
# Bug 16877: we do not use or compile the nf_* modules, so comment
# out to avoid ugly errors in boot sequence
# /sbin/modprobe nf_nat_proto_gre
# /sbin/modprobe nf_conntrack_proto_gre
# /sbin/modprobe nf_conntrack_pptp
# /sbin/modprobe nf_conntrack_ftp
/sbin/modprobe iptable_filter
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_REDIRECT
/sbin/modprobe xt_state
/sbin/modprobe xt_tcpudp
/sbin/modprobe xt_mac

}

flush() {
action $"Flushing all current rules and user defined chains:" iptables -F
action $"Clearing all current rules and user defined chains:" iptables -X
tables=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $tables; do iptables -t $i -F; done && \
success $"Flushing all current rules and user defined chains:" || \
failure $"Flushing all current rules and user defined chains:"
for i in $tables; do iptables -t $i -X; done && \
success $"Clearing all current rules and user defined chains:" || \
failure $"Clearing all current rules and user defined chains:"
for i in $tables; do iptables -t $i -Z; done
}

startsmall() {
load_modules
# If we don't clear these first, we might be adding to
# pre-existing rules.
flush
echo $"Applying reduced iptables firewall rules: "

# Default policies -- start out restrictive
iptables -P INPUT DROP || die
iptables -P FORWARD DROP || die
iptables -P OUTPUT ACCEPT || die

# and allow DHCP
iptables -A INPUT -p UDP --dport bootpc -j ACCEPT || die

# allow local connections as best we can
iptables -A INPUT -i lo -j ACCEPT || echo 'no lo interface'
iptables -A INPUT -s 127.0.0.1 -j ACCEPT || echo 'no 127.0.0.1 address'

success $"Applying reduced iptables firewall rules"
/sbin/iptables -F
echo
}

start() {
load_modules
# If we don't clear these first, we might be adding to
# pre-existing rules.
flush

echo $"Applying iptables firewall rules: "
# nat: POSTROUTING
iptables -t nat -N POSTROUTING-OUT || die
if [ -n "$WANIF" -a "$LANIF" != "$WANIF" ] ; then
iptables -t nat -A POSTROUTING -s $IPADDR/$NETMASK -o $WANIF -j POSTROUTING-OUT || die
fi
if [ -n "$PPPIF" -a "$LANIF" != "$PPPIF" ] ; then
iptables -t nat -A POSTROUTING -s $IPADDR/$NETMASK -o $PPPIF -j POSTROUTING-OUT || die
fi
iptables -t nat -A POSTROUTING-OUT -j MASQUERADE

# nat: PREROUTING
if [ -f /etc/iptables/alternate-ports ] ; then
. /etc/iptables/alternate-ports
# -n does not work for these
if [ ! -z $HTTP_PORT ] ; then
iptables -t nat -A PREROUTING -p tcp --dport $HTTP_PORT -j DNAT --to $IPADDR:80
fi
if [ ! -z $HTTPS_PORT ] ; then
iptables -t nat -A PREROUTING -p tcp --dport $HTTPS_PORT -j DNAT --to $IPADDR:443
fi
fi

iptables -t nat -N PREROUTING-WEB || die
iptables -t nat -A PREROUTING -i $LANIF -d $IPADDR -j ACCEPT || die
iptables -t nat -A PREROUTING -i $LANIF -p tcp --dport 80 -j PREROUTING-WEB || die

if [ -f /etc/iptables/content-filtering-macs ]; then
for mac in `cat /etc/iptables/content-filtering-macs` ; do
iptables -t nat -A PREROUTING-WEB -m mac --mac-source $mac -p tcp -j REDIRECT --to-port 3128
done || die
fi
if [ -f /etc/iptables/content-filtering-ips ]; then
for ip in `cat /etc/iptables/content-filtering-ips` ; do
iptables -t nat -A PREROUTING-WEB -s $ip -p tcp -j REDIRECT --to-port 3128
done || die
fi

if [ "${CONTENT_FILTERING}" = "yes" ]; then
iptables -t nat -A PREROUTING-WEB -p tcp -j REDIRECT --to-port 3128
else
iptables -t nat -A PREROUTING-WEB -j ACCEPT || die
fi

if [ -f /etc/iptables/port-forwarding ]; then
iptables -t nat -N PREROUTING-IN || die
if [ -n "$WANIF" -a "$LANIF" != "$WANIF" ] ; then
iptables -t nat -A PREROUTING -i $WANIF -j PREROUTING-IN || die
fi
if [ -n "$PPPIF" -a "$LANIF" != "$PPPIF" ] ; then
iptables -t nat -A PREROUTING -i $PPPIF -j PREROUTING-IN || die
fi

awk '{system("iptables -t nat -A PREROUTING-IN -p " $2 " --dport " $1 " -j DNAT --to " $3 ($4 ~ /^[0-9]+:[0-9]+$/ ? (sub( /:/, "-", $4) ? ":" $4 : "" ) : "") );}' /etc/iptables/port-forwarding || die

# forwarding GRE packets: (they go to a host that is receiving 1723 TCP packets if comment field is PPtP

awk '{ /1723:1723 tcp [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ PPtP/ && system ("iptables -t nat -A PREROUTING-IN -p 47 -j DNAT --to " $3);}' /etc/iptables/port-forwarding || die
fi

# filter: FORWARD
if [ -f /etc/iptables/no-wan-macs ]; then
for mac in `cat /etc/iptables/no-wan-macs` ; do
iptables -A FORWARD -m mac --mac-source $mac -j REJECT --reject-with icmp-admin-prohibited
done || die
fi
if [ -f /etc/iptables/no-wan-ips ]; then
for ip in `cat /etc/iptables/no-wan-ips` ; do
iptables -A FORWARD -s $ip -j REJECT --reject-with icmp-admin-prohibited
done || die
fi

if [ -f /etc/iptables/no-wan-ports ]; then
awk '{system("iptables -A FORWARD -p " $1 " --dport " $2 " -j REJECT --reject-with icmp-admin-prohibited");}' /etc/iptables/no-wan-ports || die
fi

# filter: INPUT
iptables -N INPUT-INTERNAL || die

iptables -A INPUT -i lo -j ACCEPT || die
iptables -A INPUT -p tcp --dport 515 -j REJECT || die # lpd
iptables -A INPUT -s $IPADDR/$NETMASK -j INPUT-INTERNAL || die
iptables -I INPUT -s 169.254.0.0/16 -j INPUT-INTERNAL || die
# Let the related packets in the server itself.
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || die

# External blocks.
# Please note that we have changed the default policy of accept to drop.
if [ -z "${BLOCK_ICMP_ECHO_EXT}" ]; then
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT || die
fi
if [ -z "${BLOCK_HTTP_EXT}" ]; then
iptables -A INPUT -p tcp --dport 80 -j ACCEPT || die
fi
if [ -z "${BLOCK_HTTPS_EXT}" ]; then
iptables -A INPUT -p tcp --dport 443 -j ACCEPT || die
fi
if [ -z "${BLOCK_SSH_EXT}" ]; then
iptables -A INPUT -p tcp --dport 22 -j ACCEPT || die
fi
if [ -z "${BLOCK_FTP_EXT}" -o "${BLOCK_FTP_EXT}" = "no" ]; then
iptables -A INPUT -p tcp --dport 20 -j ACCEPT || die
iptables -A INPUT -p tcp --dport 21 -j ACCEPT || die
# Accept port range 50000 to 50001 for FTPS
iptables -A INPUT -p tcp --destination-port 50000:50001 -j ACCEPT || die
fi

# Accept the 3rd party ports that are set to be opened:
if [ ! -z "${TCP_OPEN_PORTS_EXT}" ]; then
for port in $TCP_OPEN_PORTS_EXT; do
iptables -A INPUT -p tcp --dport $port -j ACCEPT || die
done
fi
if [ ! -z "${UDP_OPEN_PORTS_EXT}" ]; then
for port in $UDP_OPEN_PORTS_EXT; do
iptables -A INPUT -p udp --dport $port -j ACCEPT || die
done
fi

# Make sure remote IDENT requests are rejected, so that they get
# on with whatever is happening
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with icmp-admin-prohibited || die

# Drop everything else.

iptables -A INPUT -j DROP || die

# WLAN blocks.
if [ -f /etc/iptables/wlan-allow-macs ]; then
for mac in `cat /etc/iptables/wlan-allow-macs` ; do
iptables -A INPUT -m mac --mac-source $mac -j ACCEPT || die
done || die
fi

if [ -f /etc/iptables/wlan-deny-macs ]; then
for mac in `cat /etc/iptables/wlan-deny-macs` ; do
iptables -A INPUT -m mac --mac-source $mac -j DROP || die
done || die
fi

if [ "${BLOCK_WLAN}" = "yes" ]; then
if [ -f /etc/iptables/wireless-filter ]; then
. /etc/iptables/wireless-filter
fi
fi

# Internal blocks

if [ "${BLOCK_SSH_INT}" = "yes" ]; then
iptables -A INPUT-INTERNAL -p tcp --dport 22 -j REJECT --reject-with icmp-admin-prohibited || die
fi
if [ "${BLOCK_FTP_INT}" = "yes" ]; then
iptables -A INPUT-INTERNAL -p tcp --dport 20 -j REJECT --reject-with icmp-admin-prohibited || die
iptables -A INPUT-INTERNAL -p tcp --dport 21 -j REJECT --reject-with icmp-admin-prohibited || die
fi
# Block the 3rd party ports that are set to be closed internally:
if [ ! -z "${TCP_CLOSED_PORTS_INT}" ]; then
for port in $TCP_CLOSED_PORTS_INT; do
iptables -A INPUT -p tcp --dport $port -j REJECT --reject-with icmp-admin-prohibited || die
done
fi
if [ ! -z "${UDP_CLOSED_PORTS_INT}" ]; then
for port in $UDP_CLOSED_PORTS_INT; do
iptables -A INPUT -p udp --dport $port -j REJECT --reject-with icmp-admin-prohibited || die
done
fi

iptables -A INPUT-INTERNAL -j ACCEPT || die

success $"Applying iptables firewall rules"
echo
touch /var/lock/subsys/iptables
/sbin/iptables -F
}

case "$1" in
start|ifdown)
startsmall
;;

ifup)
I=0
while [ -z "$IPADDR" -a $I -lt 12 ] ; do
/bin/sleep 5s
getipaddr
I=$(($I+1))
done
if [ -n "$IPADDR" ] ; then
start
fi
;;

stop)
echo -n "NOT stopping iptables"
success
;;

restart)
# "restart" is really just "start" as this isn't a daemon,
# and "start" clears any pre-defined rules anyway.
# This is really only here to make those who expect it happy
#start
if [ -n "$IPADDR" ]; then
start
else
startsmall
(/bin/sleep 5s ; /etc/init.d/iptables ifup) &
fi
;;

condrestart)
[ -e /var/lock/subsys/iptables ] && start
;;

status)
tables=`cat /proc/net/ip_tables_names 2>/dev/null`
for table in $tables; do
echo $"Table: $table"
iptables -t $table --list
done
;;

panic)
echo -n $"Changing target policies to DROP: "
iftable filter -P INPUT DROP && \
iftable filter -P FORWARD DROP && \
iftable filter -P OUTPUT DROP && \
iftable nat -P PREROUTING DROP && \
iftable nat -P POSTROUTING DROP && \
iftable nat -P OUTPUT DROP && \
iftable mangle -P PREROUTING DROP && \
iftable mangle -P OUTPUT DROP && \
success $"Changing target policies to DROP" || \
failure $"Changing target policies to DROP"
echo
iftable filter -F INPUT && \
iftable filter -F FORWARD && \
iftable filter -F OUTPUT && \
iftable nat -F PREROUTING && \
iftable nat -F POSTROUTING && \
iftable nat -F OUTPUT && \
iftable mangle -F PREROUTING && \
iftable mangle -F OUTPUT && \
success $"Flushing all chains:" || \
failure $"Flushing all chains:"
iftable filter -X INPUT && \
iftable filter -X FORWARD && \
iftable filter -X OUTPUT && \
iftable nat -X PREROUTING && \
iftable nat -X POSTROUTING && \
iftable nat -X OUTPUT && \
iftable mangle -X PREROUTING && \
iftable mangle -X OUTPUT && \
success $"Removing user defined chains:" || \
failure $"Removing user defined chains:"
;;

*)
echo $"Usage: $0 {start|stop|ifup|ifdown|restart|condrestart|status|panic}"
exit 1
esac

exit 0

- Reboot your goFlex home. Thats all.

Seagate GoFlex Home Firewall Disable for Port Forwarding

Benzer içerikler