Seagate GoFlex Home Firewall Disable for Port Forwarding

    I searched the internet a lot for this topic and could not find any results, so I am writing in English.

    I tried to forward some ports to open access to a few services (DLNA, SMB, etc.).
    However, I figured out that the Seagate GoFlex Home has an internal firewall, built by a script, which denies NAT requests from the internet. For example, if you want to forward ports 8200, 445, 139, etc., they are blocked by the firewall. You can access these ports from your local LAN, but there is no chance from the internet. Today my genius friend solved my issue, so I wanted to share it.

    Here are the steps... Enjoy!

    - Log in to your Seagate GoFlex Home via SSH (you can find the login procedure on the internet)
    - type sudo -s -E
    - the command for disabling the firewall is:
    /sbin/iptables -F
    Before going further, I recommend you test it with a port check tool; you can find them on Google.



    If you want to make the changes permanent, you can find the steps below:
    Note: This is at your own risk; your GoFlex Home might not boot after the change. Mine rebooted as expected.

    - add the command to the /etc/rc.local file:
    /sbin/iptables -F

    my file looks like the following:

    bash-3.2# cd /etc
    bash-3.2# cat rc.local
    #!/bin/sh
    #
    # This script will be executed *after* all the other init scripts.
    # You can put your own initialization stuff in here if you don't
    # want to do the full Sys V style init stuff.

    touch /var/lock/subsys/local
    /sbin/ldconfig
    /usr/bin/ubifs_repair.sh
    /sbin/iptables -F

    It is not enough to disable the firewall; you might skip the above step, it is up to you.

    - Modify the /etc/init.d/iptables script. You can find my original script and the modified one below.

    ORIGINAL:

    #!/bin/bash
    #
    # Startup script to implement /etc/sysconfig/iptables pre-defined rules.
    #
    # chkconfig: 2345 08 92
    #
    # description: Automates a packet filtering firewall with iptables.
    #
    # by bero@redhat.com, based on the ipchains script:
    # Script Author: Joshua Jensen <joshua@redhat.com>
    # -- hacked up by gafton with help from notting
    # modified by Anton Altaparmakov <aia21@cam.ac.uk>:
    # modified by Nils Philippsen <nils@redhat.de>
    # Heavily modified by OEone.. No longer uses iptables-restore.
    #
    # config: /etc/iptables

    # Source 'em up
    . /etc/init.d/functions

    IPTABLES_CONFIG=/etc/iptables/config

    if [ -f $IPTABLES_CONFIG ] ; then
    . $IPTABLES_CONFIG
    fi

    OEADMIN_CONFIG=/etc/oe-admin.conf
    export WANIF=`grep '^WANInterface' $OEADMIN_CONFIG | awk '{print $2;}'`
    export LANIF=`grep '^LANInterface' $OEADMIN_CONFIG | awk '{print $2;}'`
    export WLANIF=`grep '^wirelessInterface' $OEADMIN_CONFIG | awk '{print $2;}'`
    export PPPIF=`grep '^PPPInterface' $OEADMIN_CONFIG | awk '{print $2;}'`
    export PROFILES_DIR=`grep '^profilesDir' $OEADMIN_CONFIG | awk '{print $2;}'`
    export DEF_PROFILE=`grep '^defaultProfile' $OEADMIN_CONFIG | awk '{print $2;}'`


    if [ ! -x /sbin/iptables ]; then
    exit 0
    fi

    getipaddr() {
    # Include LAN network config
    . "$PROFILES_DIR/$DEF_PROFILE/ifcfg-$LANIF"
    IPADDR=`ifconfig $LANIF | awk '/inet addr/' | sed 's/.*inet addr:\([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*\).*/\1/'`
    NETMASK=`ifconfig $LANIF | awk '/inet addr/' | sed 's/.*Mask:\([0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*.[0-9][0-9]*\).*/\1/'`
    }

    getipaddr

    if /sbin/lsmod 2>/dev/null |grep -q ipchains ; then
    # Don't do both
    exit 0
    fi

    iftable() {
    if fgrep -qsx $1 /proc/net/ip_tables_names; then
    iptables -t "$@"
    fi
    }

    die() {
    failure $"Applying iptables firewall rules"
    echo
    exit
    }

    load_modules() {
    /sbin/modprobe ip_conntrack
    /sbin/modprobe iptable_nat
    /sbin/modprobe ip_nat_ftp
    /sbin/modprobe ip_conntrack_ftp
    /sbin/modprobe ip_nat_irc
    /sbin/modprobe ip_conntrack_irc
    /sbin/modprobe ip_nat_pptp
    # Bug 16877: we do not use or compile the nf_* modules, so comment
    # out to avoid ugly errors in boot sequence
    # /sbin/modprobe nf_nat_proto_gre
    # /sbin/modprobe nf_conntrack_proto_gre
    # /sbin/modprobe nf_conntrack_pptp
    # /sbin/modprobe nf_conntrack_ftp
    /sbin/modprobe iptable_filter
    /sbin/modprobe ipt_MASQUERADE
    /sbin/modprobe ipt_REJECT
    /sbin/modprobe ipt_REDIRECT
    /sbin/modprobe xt_state
    /sbin/modprobe xt_tcpudp
    /sbin/modprobe xt_mac

    }

    flush() {
    action $"Flushing all current rules and user defined chains:" iptables -F
    action $"Clearing all current rules and user defined chains:" iptables -X
    tables=`cat /proc/net/ip_tables_names 2>/dev/null`
    for i in $tables; do iptables -t $i -F; done && \
    success $"Flushing all current rules and user defined chains:" || \
    failure $"Flushing all current rules and user defined chains:"
    for i in $tables; do iptables -t $i -X; done && \
    success $"Clearing all current rules and user defined chains:" || \
    failure $"Clearing all current rules and user defined chains:"
    for i in $tables; do iptables -t $i -Z; done
    }

    startsmall() {
    load_modules
    # If we don't clear these first, we might be adding to
    # pre-existing rules.
    flush
    echo $"Applying reduced iptables firewall rules: "

    # Default policies -- start out restrictive
    iptables -P INPUT DROP || die
    iptables -P FORWARD DROP || die
    iptables -P OUTPUT ACCEPT || die

    # and allow DHCP
    iptables -A INPUT -p UDP --dport bootpc -j ACCEPT || die

    # allow local connections as best we can
    iptables -A INPUT -i lo -j ACCEPT || echo 'no lo interface'
    iptables -A INPUT -s 127.0.0.1 -j ACCEPT || echo 'no 127.0.0.1 address'

    success $"Applying reduced iptables firewall rules"
    echo
    }

    start() {
    load_modules
    # If we don't clear these first, we might be adding to
    # pre-existing rules.
    flush

    echo $"Applying iptables firewall rules: "
    # nat: POSTROUTING
    iptables -t nat -N POSTROUTING-OUT || die
    if [ -n "$WANIF" -a "$LANIF" != "$WANIF" ] ; then
    iptables -t nat -A POSTROUTING -s $IPADDR/$NETMASK -o $WANIF -j POSTROUTING-OUT || die
    fi
    if [ -n "$PPPIF" -a "$LANIF" != "$PPPIF" ] ; then
    iptables -t nat -A POSTROUTING -s $IPADDR/$NETMASK -o $PPPIF -j POSTROUTING-OUT || die
    fi
    iptables -t nat -A POSTROUTING-OUT -j MASQUERADE

    # nat: PREROUTING
    if [ -f /etc/iptables/alternate-ports ] ; then
    . /etc/iptables/alternate-ports
    # -n does not work for these
    if [ ! -z $HTTP_PORT ] ; then
    iptables -t nat -A PREROUTING -p tcp --dport $HTTP_PORT -j DNAT --to $IPADDR:80
    fi
    if [ ! -z $HTTPS_PORT ] ; then
    iptables -t nat -A PREROUTING -p tcp --dport $HTTPS_PORT -j DNAT --to $IPADDR:443
    fi
    fi

    iptables -t nat -N PREROUTING-WEB || die
    iptables -t nat -A PREROUTING -i $LANIF -d $IPADDR -j ACCEPT || die
    iptables -t nat -A PREROUTING -i $LANIF -p tcp --dport 80 -j PREROUTING-WEB || die

    if [ -f /etc/iptables/content-filtering-macs ]; then
    for mac in `cat /etc/iptables/content-filtering-macs` ; do
    iptables -t nat -A PREROUTING-WEB -m mac --mac-source $mac -p tcp -j REDIRECT --to-port 3128
    done || die
    fi
    if [ -f /etc/iptables/content-filtering-ips ]; then
    for ip in `cat /etc/iptables/content-filtering-ips` ; do
    iptables -t nat -A PREROUTING-WEB -s $ip -p tcp -j REDIRECT --to-port 3128
    done || die
    fi

    if [ "${CONTENT_FILTERING}" = "yes" ]; then
    iptables -t nat -A PREROUTING-WEB -p tcp -j REDIRECT --to-port 3128
    else
    iptables -t nat -A PREROUTING-WEB -j ACCEPT || die
    fi

    if [ -f /etc/iptables/port-forwarding ]; then
    iptables -t nat -N PREROUTING-IN || die
    if [ -n "$WANIF" -a "$LANIF" != "$WANIF" ] ; then
    iptables -t nat -A PREROUTING -i $WANIF -j PREROUTING-IN || die
    fi
    if [ -n "$PPPIF" -a "$LANIF" != "$PPPIF" ] ; then
    iptables -t nat -A PREROUTING -i $PPPIF -j PREROUTING-IN || die
    fi

    awk '{system("iptables -t nat -A PREROUTING-IN -p " $2 " --dport " $1 " -j DNAT --to " $3 ($4 ~ /^[0-9]+:[0-9]+$/ ? (sub( /:/, "-", $4) ? ":" $4 : "" ) : "") );}' /etc/iptables/port-forwarding || die

    # forwarding GRE packets: (they go to a host that is receiving 1723 TCP packets if comment field is PPtP

    awk '{ /1723:1723 tcp [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ PPtP/ && system ("iptables -t nat -A PREROUTING-IN -p 47 -j DNAT --to " $3);}' /etc/iptables/port-forwarding || die
    fi

    # filter: FORWARD
    if [ -f /etc/iptables/no-wan-macs ]; then
    for mac in `cat /etc/iptables/no-wan-macs` ; do
    iptables -A FORWARD -m mac --mac-source $mac -j REJECT --reject-with icmp-admin-prohibited
    done || die
    fi
    if [ -f /etc/iptables/no-wan-ips ]; then
    for ip in `cat /etc/iptables/no-wan-ips` ; do
    iptables -A FORWARD -s $ip -j REJECT --reject-with icmp-admin-prohibited
    done || die
    fi

    if [ -f /etc/iptables/no-wan-ports ]; then
    awk '{system("iptables -A FORWARD -p " $1 " --dport " $2 " -j REJECT --reject-with icmp-admin-prohibited");}' /etc/iptables/no-wan-ports || die
    fi

    # filter: INPUT
    iptables -N INPUT-INTERNAL || die

    iptables -A INPUT -i lo -j ACCEPT || die
    iptables -A INPUT -p tcp --dport 515 -j REJECT || die # lpd
    iptables -A INPUT -s $IPADDR/$NETMASK -j INPUT-INTERNAL || die
    iptables -I INPUT -s 169.254.0.0/16 -j INPUT-INTERNAL || die
    # Let the related packets in the server itself.
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || die

    # External blocks.
    # Please note that we have changed the default policy of accept to drop.
    if [ -z "${BLOCK_ICMP_ECHO_EXT}" ]; then
    iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT || die
    fi
    if [ -z "${BLOCK_HTTP_EXT}" ]; then
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT || die
    fi
    if [ -z "${BLOCK_HTTPS_EXT}" ]; then
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT || die
    fi
    if [ -z "${BLOCK_SSH_EXT}" ]; then
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT || die
    fi
    if [ -z "${BLOCK_FTP_EXT}" -o "${BLOCK_FTP_EXT}" = "no" ]; then
    iptables -A INPUT -p tcp --dport 20 -j ACCEPT || die
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT || die
    # Accept port range 50000 to 50001 for FTPS
    iptables -A INPUT -p tcp --destination-port 50000:50001 -j ACCEPT || die
    fi

    # Accept the 3rd party ports that are set to be opened:
    if [ ! -z "${TCP_OPEN_PORTS_EXT}" ]; then
    for port in $TCP_OPEN_PORTS_EXT; do
    iptables -A INPUT -p tcp --dport $port -j ACCEPT || die
    done
    fi
    if [ ! -z "${UDP_OPEN_PORTS_EXT}" ]; then
    for port in $UDP_OPEN_PORTS_EXT; do
    iptables -A INPUT -p udp --dport $port -j ACCEPT || die
    done
    fi

    # Make sure remote IDENT requests are rejected, so that they get
    # on with whatever is happening
    iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with icmp-admin-prohibited || die

    # Drop everything else.

    iptables -A INPUT -j DROP || die

    # WLAN blocks.
    if [ -f /etc/iptables/wlan-allow-macs ]; then
    for mac in `cat /etc/iptables/wlan-allow-macs` ; do
    iptables -A INPUT -m mac --mac-source $mac -j ACCEPT || die
    done || die
    fi

    if [ -f /etc/iptables/wlan-deny-macs ]; then
    for mac in `cat /etc/iptables/wlan-deny-macs` ; do
    iptables -A INPUT -m mac --mac-source $mac -j DROP || die
    done || die
    fi

    if [ "${BLOCK_WLAN}" = "yes" ]; then
    if [ -f /etc/iptables/wireless-filter ]; then
    . /etc/iptables/wireless-filter
    fi
    fi


    # Internal blocks

    if [ "${BLOCK_SSH_INT}" = "yes" ]; then
    iptables -A INPUT-INTERNAL -p tcp --dport 22 -j REJECT --reject-with icmp-admin-prohibited || die
    fi
    if [ "${BLOCK_FTP_INT}" = "yes" ]; then
    iptables -A INPUT-INTERNAL -p tcp --dport 20 -j REJECT --reject-with icmp-admin-prohibited || die
    iptables -A INPUT-INTERNAL -p tcp --dport 21 -j REJECT --reject-with icmp-admin-prohibited || die
    fi
    # Block the 3rd party ports that are set to be closed internally:
    if [ ! -z "${TCP_CLOSED_PORTS_INT}" ]; then
    for port in $TCP_CLOSED_PORTS_INT; do
    iptables -A INPUT -p tcp --dport $port -j REJECT --reject-with icmp-admin-prohibited || die
    done
    fi
    if [ ! -z "${UDP_CLOSED_PORTS_INT}" ]; then
    for port in $UDP_CLOSED_PORTS_INT; do
    iptables -A INPUT -p udp --dport $port -j REJECT --reject-with icmp-admin-prohibited || die
    done
    fi

    iptables -A INPUT-INTERNAL -j ACCEPT || die

    success $"Applying iptables firewall rules"
    echo
    touch /var/lock/subsys/iptables
    }

    case "$1" in
    start|ifdown)
    startsmall
    ;;

    ifup)
    I=0
    while [ -z "$IPADDR" -a $I -lt 12 ] ; do
    /bin/sleep 5s
    getipaddr
    I=$(($I+1))
    done
    if [ -n "$IPADDR" ] ; then
    start
    fi
    ;;

    stop)
    echo -n "NOT stopping iptables"
    success
    ;;

    restart)
    # "restart" is really just "start" as this isn't a daemon,
    # and "start" clears any pre-defined rules anyway.
    # This is really only here to make those who expect it happy
    #start
    if [ -n "$IPADDR" ]; then
    start
    else
    startsmall
    (/bin/sleep 5s ; /etc/init.d/iptables ifup) &
    fi
    ;;

    condrestart)
    [ -e /var/lock/subsys/iptables ] && start
    ;;

    status)
    tables=`cat /proc/net/ip_tables_names 2>/dev/null`
    for table in $tables; do
    echo $"Table: $table"
    iptables -t $table --list
    done
    ;;

    panic)
    echo -n $"Changing target policies to DROP: "
    iftable filter -P INPUT DROP && \
    iftable filter -P FORWARD DROP && \
    iftable filter -P OUTPUT DROP && \
    iftable nat -P PREROUTING DROP && \
    iftable nat -P POSTROUTING DROP && \
    iftable nat -P OUTPUT DROP && \
    iftable mangle -P PREROUTING DROP && \
    iftable mangle -P OUTPUT DROP && \
    success $"Changing target policies to DROP" || \
    failure $"Changing target policies to DROP"
    echo
    iftable filter -F INPUT && \
    iftable filter -F FORWARD && \
    iftable filter -F OUTPUT && \
    iftable nat -F PREROUTING && \
    iftable nat -F POSTROUTING && \
    iftable nat -F OUTPUT && \
    iftable mangle -F PREROUTING && \
    iftable mangle -F OUTPUT && \
    success $"Flushing all chains:" || \
    failure $"Flushing all chains:"
    iftable filter -X INPUT && \
    iftable filter -X FORWARD && \
    iftable filter -X OUTPUT && \
    iftable nat -X PREROUTING && \
    iftable nat -X POSTROUTING && \
    iftable nat -X OUTPUT && \
    iftable mangle -X PREROUTING && \
    iftable mangle -X OUTPUT && \
    success $"Removing user defined chains:" || \
    failure $"Removing user defined chains:"
    ;;


    *)
    echo $"Usage: $0 {start|stop|ifup|ifdown|restart|condrestart|status|panic}"
    exit 1
    esac

    exit 0


    MODIFIED:

    The modified script is identical to the original above except for two added lines, both a /sbin/iptables -F placed at the end of a function. Only the two changed regions are shown here; everything else is unchanged.

    In startsmall(), after the success message:

    success $"Applying reduced iptables firewall rules"
    /sbin/iptables -F
    echo
    }

    In start(), after the lock file is touched:

    success $"Applying iptables firewall rules"
    echo
    touch /var/lock/subsys/iptables
    /sbin/iptables -F
    }


    - Reboot your GoFlex Home. That's all.
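As an added example (not from the post, and not Seagate's or OEone's code), here is a dry run of the narrower alternative the posted init script already offers. The script sources /etc/iptables/config and, for every port listed in TCP_OPEN_PORTS_EXT and UDP_OPEN_PORTS_EXT, appends an ACCEPT to the INPUT chain ahead of its final "iptables -A INPUT -j DROP". Listing the needed ports there opens only those ports and leaves the rest of the rule set in place, whereas /sbin/iptables -F removes every rule in the chain. The function below reads a config file the same way the script does, validates each port (the script itself does not, and a malformed value makes its loop hit "|| die" part-way through setup), and prints the rules the loops would produce. The config path, port numbers and function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the post or of the GoFlex Home's own init script.
# The posted /etc/init.d/iptables sources /etc/iptables/config and, for every
# port in TCP_OPEN_PORTS_EXT / UDP_OPEN_PORTS_EXT, appends an ACCEPT to INPUT
# before its final "iptables -A INPUT -j DROP". This dry run renders those
# rules from a config file without touching the live firewall. File paths,
# port numbers and function names here are constructed for the example.

# valid_port PORT: succeed only for an integer in 1..65535.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$1" -lt 1 ] || [ "$1" -gt 65535 ]; then
        return 1
    fi
    return 0
}

# render_open_port_rules CONFIG_FILE: source the file the way the init script
# does (". $IPTABLES_CONFIG"), then print the INPUT rules its two loops would
# append, followed by the DROP that closes the chain. Prints nothing and
# returns 1 if any listed port is malformed, so a typo is caught here instead
# of making the real script's loop hit "|| die" part-way through setup.
render_open_port_rules() {
    cfg="$1"
    TCP_OPEN_PORTS_EXT=""
    UDP_OPEN_PORTS_EXT=""
    . "$cfg"
    rules=""
    for port in $TCP_OPEN_PORTS_EXT; do
        valid_port "$port" || return 1
        rules="${rules}iptables -A INPUT -p tcp --dport $port -j ACCEPT
"
    done
    for port in $UDP_OPEN_PORTS_EXT; do
        valid_port "$port" || return 1
        rules="${rules}iptables -A INPUT -p udp --dport $port -j ACCEPT
"
    done
    printf '%s' "$rules"
    echo "iptables -A INPUT -j DROP"
    return 0
}

# Constructed stand-in for /etc/iptables/config: DLNA (8200/tcp, 1900/udp)
# and SMB (445/tcp, 139/tcp), the services the post wants to reach.
demo_cfg="${TMPDIR:-/tmp}/goflex-demo-config.$$"
cat > "$demo_cfg" <<'EOF'
TCP_OPEN_PORTS_EXT="8200 445 139"
UDP_OPEN_PORTS_EXT="1900"
EOF
render_open_port_rules "$demo_cfg"
rm -f "$demo_cfg"
```

Two checks are worth running on the device after either change. First, iptables -L INPUT -n --line-numbers (or iptables-save) shows the rules actually loaded, which is a more direct confirmation than an external port check. Second, the same listing shows the chain policy: iptables -F flushes rules but leaves the policy set by iptables -P untouched, and the posted script's startsmall() sets INPUT and FORWARD to DROP, so the policy line is part of what to read, not only the rule list.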






