İnternette bu konuyu çok aradım ve hiçbir sonuç bulamadım, bu sebeple İngilizce olarak yazıyorum.
I tried to forward some ports to open access to a few services (DLNA, SMB, etc.). However, I've figured out that the Seagate GoFlex Home has an internal firewall, built by a script, which denies NAT requests from the internet. For example, if you want to forward port 8200, 445, 139, etc., it is blocked by the firewall. You can access these ports from your local LAN, but there is no chance from the internet. Today my genius friend solved my issue, so I wanted to share it.
Here are the steps.... Enjoy!!!
- Log in to your Seagate GoFlex Home via SSH (you can find the login procedure on the internet). - Type sudo -s -E. - The command for disabling the firewall is: /sbin/iptables -F. Keep in mind that -F removes every rule in the filter table, not only the ones blocking your forwarded ports, so whatever the device listens on is no longer filtered from the WAN side (unless a DROP default policy remains, since -F does not change policies). Before going further, I recommend testing it with one of the port-check tools you can find on Google.
If you want to make the changes permanent, you can find the steps below. Note: This is at your own risk; your GoFlex Home might not boot after the change. Mine rebooted as expected.
- Add the command /sbin/iptables -F to the /etc/rc.local file.
My file looks like the following:
bash-3.2# cd /etc bash-3.2# cat rc.local #!/bin/sh # # This script will be executed *after* all the other init scripts. # You can put your own initialization stuff in here if you don't # want to do the full Sys V style init stuff.
This alone is not enough to disable the firewall, so you might skip the above step; it is up to you.
- Modify the /etc/init.d/iptables script. You can find my original script and the modified one below.
ORIGINAL:
#!/bin/bash # # Startup script to implement /etc/sysconfig/iptables pre-defined rules. # # chkconfig: 2345 08 92 # # description: Automates a packet filtering firewall with iptables. # # by bero@redhat.com, based on the ipchains script: # Script Author: Joshua Jensen <joshua@redhat.com> # -- hacked up by gafton with help from notting # modified by Anton Altaparmakov <aia21@cam.ac.uk>: # modified by Nils Philippsen <nils@redhat.de> # Heavily modified by OEone.. No longer uses iptables-restore. # # config: /etc/iptables
# Pull in the distro init helpers (action/success/failure) that the
# functions below rely on for boot-log status lines.
. /etc/init.d/functions

# Optional per-device settings file; presumably where WANIF/LANIF, the
# BLOCK_* flags and the open-port lists used by start() come from.
# Silently skipped when the file is absent.
IPTABLES_CONFIG=/etc/iptables/config
if [ -f "$IPTABLES_CONFIG" ]; then
  . "$IPTABLES_CONFIG"
fi
#######################################
# Load the netfilter kernel modules the rule set depends on.
# Globals:   none
# Arguments: none
# Returns:   status of the last modprobe (xt_mac)
#######################################
load_modules() {
  local mod
  # Connection tracking, NAT and the FTP/IRC/PPTP helper modules.
  # NOTE(review): the helpers are loaded unconditionally; confirm they are
  # still needed, since helper modules let conntrack open related flows
  # on their own.
  for mod in ip_conntrack iptable_nat ip_nat_ftp ip_conntrack_ftp \
      ip_nat_irc ip_conntrack_irc ip_nat_pptp; do
    /sbin/modprobe "$mod"
  done
  # Bug 16877: we do not use or compile the nf_* modules, so comment
  # out to avoid ugly errors in boot sequence
  # /sbin/modprobe nf_nat_proto_gre
  # /sbin/modprobe nf_conntrack_proto_gre
  # /sbin/modprobe nf_conntrack_pptp
  # /sbin/modprobe nf_conntrack_ftp
  # Filter table plus the targets and match extensions used by
  # start()/startsmall().
  for mod in iptable_filter ipt_MASQUERADE ipt_REJECT ipt_REDIRECT \
      xt_state xt_tcpudp xt_mac; do
    /sbin/modprobe "$mod"
  done
}
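#######################################
# Remove every rule, user-defined chain and counter from all loaded
# iptables tables so start()/startsmall() begin from a clean state.
# Chain policies (-P) are NOT touched here.
# Globals:   tables (written, as before)
# Arguments: none
# Outputs:   action/success/failure status lines from /etc/init.d/functions
# Returns:   status of the final counter-zeroing pass
#######################################
flush() {
  local table rv

  # filter table first, through action so the boot log shows [OK]/[FAILED]
  action $"Flushing all current rules and user defined chains:" iptables -F
  action $"Clearing all current rules and user defined chains:" iptables -X

  # Every table currently registered in the kernel (nat, mangle, ...).
  # The file is absent when no iptables module is loaded; stay quiet then.
  tables=$(cat /proc/net/ip_tables_names 2>/dev/null)

  # Flush each table, remembering any failure. The old `for ... && success
  # || failure` chain only saw the status of the last table, so a failure
  # on an earlier table was reported as success.
  rv=0
  for table in $tables; do
    iptables -t "$table" -F || rv=1
  done
  if [ "$rv" -eq 0 ]; then
    success $"Flushing all current rules and user defined chains:"
  else
    failure $"Flushing all current rules and user defined chains:"
  fi

  rv=0
  for table in $tables; do
    iptables -t "$table" -X || rv=1
  done
  if [ "$rv" -eq 0 ]; then
    success $"Clearing all current rules and user defined chains:"
  else
    failure $"Clearing all current rules and user defined chains:"
  fi

  # Zero the packet/byte counters; unchecked, as in the original.
  for table in $tables; do
    iptables -t "$table" -Z
  done
}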
startsmall() { load_modules # If we don't clear these first, we might be adding to # pre-existing rules. flush echo $"Applying reduced iptables firewall rules: "
# Default policies -- start out restrictive iptables -P INPUT DROP || die iptables -P FORWARD DROP || die iptables -P OUTPUT ACCEPT || die
# and allow DHCP iptables -A INPUT -p UDP --dport bootpc -j ACCEPT || die
# allow local connections as best we can iptables -A INPUT -i lo -j ACCEPT || echo 'no lo interface' iptables -A INPUT -s 127.0.0.1 -j ACCEPT || echo 'no 127.0.0.1 address'
start() { load_modules # If we don't clear these first, we might be adding to # pre-existing rules. flush
echo $"Applying iptables firewall rules: " # nat: POSTROUTING iptables -t nat -N POSTROUTING-OUT || die if [ -n "$WANIF" -a "$LANIF" != "$WANIF" ] ; then iptables -t nat -A POSTROUTING -s $IPADDR/$NETMASK -o $WANIF -j POSTROUTING-OUT || die fi if [ -n "$PPPIF" -a "$LANIF" != "$PPPIF" ] ; then iptables -t nat -A POSTROUTING -s $IPADDR/$NETMASK -o $PPPIF -j POSTROUTING-OUT || die fi iptables -t nat -A POSTROUTING-OUT -j MASQUERADE
# nat: PREROUTING if [ -f /etc/iptables/alternate-ports ] ; then . /etc/iptables/alternate-ports # -n does not work for these if [ ! -z $HTTP_PORT ] ; then iptables -t nat -A PREROUTING -p tcp --dport $HTTP_PORT -j DNAT --to $IPADDR:80 fi if [ ! -z $HTTPS_PORT ] ; then iptables -t nat -A PREROUTING -p tcp --dport $HTTPS_PORT -j DNAT --to $IPADDR:443 fi fi
iptables -t nat -N PREROUTING-WEB || die iptables -t nat -A PREROUTING -i $LANIF -d $IPADDR -j ACCEPT || die iptables -t nat -A PREROUTING -i $LANIF -p tcp --dport 80 -j PREROUTING-WEB || die
if [ -f /etc/iptables/content-filtering-macs ]; then for mac in `cat /etc/iptables/content-filtering-macs` ; do iptables -t nat -A PREROUTING-WEB -m mac --mac-source $mac -p tcp -j REDIRECT --to-port 3128 done || die fi if [ -f /etc/iptables/content-filtering-ips ]; then for ip in `cat /etc/iptables/content-filtering-ips` ; do iptables -t nat -A PREROUTING-WEB -s $ip -p tcp -j REDIRECT --to-port 3128 done || die fi
if [ "${CONTENT_FILTERING}" = "yes" ]; then iptables -t nat -A PREROUTING-WEB -p tcp -j REDIRECT --to-port 3128 else iptables -t nat -A PREROUTING-WEB -j ACCEPT || die fi
if [ -f /etc/iptables/port-forwarding ]; then iptables -t nat -N PREROUTING-IN || die if [ -n "$WANIF" -a "$LANIF" != "$WANIF" ] ; then iptables -t nat -A PREROUTING -i $WANIF -j PREROUTING-IN || die fi if [ -n "$PPPIF" -a "$LANIF" != "$PPPIF" ] ; then iptables -t nat -A PREROUTING -i $PPPIF -j PREROUTING-IN || die fi
# forwarding GRE packets: (they go to a host that is receiving 1723 TCP packets if comment field is PPtP
awk '{ /1723:1723 tcp [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ PPtP/ && system ("iptables -t nat -A PREROUTING-IN -p 47 -j DNAT --to " $3);}' /etc/iptables/port-forwarding || die fi
# filter: FORWARD if [ -f /etc/iptables/no-wan-macs ]; then for mac in `cat /etc/iptables/no-wan-macs` ; do iptables -A FORWARD -m mac --mac-source $mac -j REJECT --reject-with icmp-admin-prohibited done || die fi if [ -f /etc/iptables/no-wan-ips ]; then for ip in `cat /etc/iptables/no-wan-ips` ; do iptables -A FORWARD -s $ip -j REJECT --reject-with icmp-admin-prohibited done || die fi
if [ -f /etc/iptables/no-wan-ports ]; then awk '{system("iptables -A FORWARD -p " $1 " --dport " $2 " -j REJECT --reject-with icmp-admin-prohibited");}' /etc/iptables/no-wan-ports || die fi
# filter: INPUT iptables -N INPUT-INTERNAL || die
iptables -A INPUT -i lo -j ACCEPT || die iptables -A INPUT -p tcp --dport 515 -j REJECT || die # lpd iptables -A INPUT -s $IPADDR/$NETMASK -j INPUT-INTERNAL || die iptables -I INPUT -s 169.254.0.0/16 -j INPUT-INTERNAL || die # Let the related packets in the server itself. iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || die
# External blocks. # Please note that we have changed the default policy of accept to drop. if [ -z "${BLOCK_ICMP_ECHO_EXT}" ]; then iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT || die fi if [ -z "${BLOCK_HTTP_EXT}" ]; then iptables -A INPUT -p tcp --dport 80 -j ACCEPT || die fi if [ -z "${BLOCK_HTTPS_EXT}" ]; then iptables -A INPUT -p tcp --dport 443 -j ACCEPT || die fi if [ -z "${BLOCK_SSH_EXT}" ]; then iptables -A INPUT -p tcp --dport 22 -j ACCEPT || die fi if [ -z "${BLOCK_FTP_EXT}" -o "${BLOCK_FTP_EXT}" = "no" ]; then iptables -A INPUT -p tcp --dport 20 -j ACCEPT || die iptables -A INPUT -p tcp --dport 21 -j ACCEPT || die # Accept port range 50000 to 50001 for FTPS iptables -A INPUT -p tcp --destination-port 50000:50001 -j ACCEPT || die fi
# Accept the 3rd party ports that are set to be opened: if [ ! -z "${TCP_OPEN_PORTS_EXT}" ]; then for port in $TCP_OPEN_PORTS_EXT; do iptables -A INPUT -p tcp --dport $port -j ACCEPT || die done fi if [ ! -z "${UDP_OPEN_PORTS_EXT}" ]; then for port in $UDP_OPEN_PORTS_EXT; do iptables -A INPUT -p udp --dport $port -j ACCEPT || die done fi
# Make sure remote IDENT requests are rejected, so that they get # on with whatever is happening iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with icmp-admin-prohibited || die
# Drop everything else.
iptables -A INPUT -j DROP || die
# WLAN blocks. if [ -f /etc/iptables/wlan-allow-macs ]; then for mac in `cat /etc/iptables/wlan-allow-macs` ; do iptables -A INPUT -m mac --mac-source $mac -j ACCEPT || die done || die fi
if [ -f /etc/iptables/wlan-deny-macs ]; then for mac in `cat /etc/iptables/wlan-deny-macs` ; do iptables -A INPUT -m mac --mac-source $mac -j DROP || die done || die fi
if [ "${BLOCK_WLAN}" = "yes" ]; then if [ -f /etc/iptables/wireless-filter ]; then . /etc/iptables/wireless-filter fi fi
# Internal blocks
if [ "${BLOCK_SSH_INT}" = "yes" ]; then iptables -A INPUT-INTERNAL -p tcp --dport 22 -j REJECT --reject-with icmp-admin-prohibited || die fi if [ "${BLOCK_FTP_INT}" = "yes" ]; then iptables -A INPUT-INTERNAL -p tcp --dport 20 -j REJECT --reject-with icmp-admin-prohibited || die iptables -A INPUT-INTERNAL -p tcp --dport 21 -j REJECT --reject-with icmp-admin-prohibited || die fi # Block the 3rd party ports that are set to be closed internally: if [ ! -z "${TCP_CLOSED_PORTS_INT}" ]; then for port in $TCP_CLOSED_PORTS_INT; do iptables -A INPUT -p tcp --dport $port -j REJECT --reject-with icmp-admin-prohibited || die done fi if [ ! -z "${UDP_CLOSED_PORTS_INT}" ]; then for port in $UDP_CLOSED_PORTS_INT; do iptables -A INPUT -p udp --dport $port -j REJECT --reject-with icmp-admin-prohibited || die done fi
ifup) I=0 while [ -z "$IPADDR" -a $I -lt 12 ] ; do /bin/sleep 5s getipaddr I=$(($I+1)) done if [ -n "$IPADDR" ] ; then start fi ;;
stop) echo -n "NOT stopping iptables" success ;;
restart) # "restart" is really just "start" as this isn't a daemon, # and "start" clears any pre-defined rules anyway. # This is really only here to make those who expect it happy #start if [ -n "$IPADDR" ]; then start else startsmall (/bin/sleep 5s ; /etc/init.d/iptables ifup) & fi ;;
#!/bin/bash # # Startup script to implement /etc/sysconfig/iptables pre-defined rules. # # chkconfig: 2345 08 92 # # description: Automates a packet filtering firewall with iptables. # # by bero@redhat.com, based on the ipchains script: # Script Author: Joshua Jensen <joshua@redhat.com> # -- hacked up by gafton with help from notting # modified by Anton Altaparmakov <aia21@cam.ac.uk>: # modified by Nils Philippsen <nils@redhat.de> # Heavily modified by OEone.. No longer uses iptables-restore. # # config: /etc/iptables
# Pull in the distro init helpers (action/success/failure) that the
# functions below rely on for boot-log status lines.
. /etc/init.d/functions

# Optional per-device settings file; presumably where WANIF/LANIF, the
# BLOCK_* flags and the open-port lists used by start() come from.
# Silently skipped when the file is absent.
IPTABLES_CONFIG=/etc/iptables/config
if [ -f "$IPTABLES_CONFIG" ]; then
  . "$IPTABLES_CONFIG"
fi
#######################################
# Load the netfilter kernel modules the rule set depends on.
# Globals:   none
# Arguments: none
# Returns:   status of the last modprobe (xt_mac)
#######################################
load_modules() {
  local mod
  # Connection tracking, NAT and the FTP/IRC/PPTP helper modules.
  # NOTE(review): the helpers are loaded unconditionally; confirm they are
  # still needed, since helper modules let conntrack open related flows
  # on their own.
  for mod in ip_conntrack iptable_nat ip_nat_ftp ip_conntrack_ftp \
      ip_nat_irc ip_conntrack_irc ip_nat_pptp; do
    /sbin/modprobe "$mod"
  done
  # Bug 16877: we do not use or compile the nf_* modules, so comment
  # out to avoid ugly errors in boot sequence
  # /sbin/modprobe nf_nat_proto_gre
  # /sbin/modprobe nf_conntrack_proto_gre
  # /sbin/modprobe nf_conntrack_pptp
  # /sbin/modprobe nf_conntrack_ftp
  # Filter table plus the targets and match extensions used by
  # start()/startsmall().
  for mod in iptable_filter ipt_MASQUERADE ipt_REJECT ipt_REDIRECT \
      xt_state xt_tcpudp xt_mac; do
    /sbin/modprobe "$mod"
  done
}
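#######################################
# Remove every rule, user-defined chain and counter from all loaded
# iptables tables so start()/startsmall() begin from a clean state.
# Chain policies (-P) are NOT touched here.
# Globals:   tables (written, as before)
# Arguments: none
# Outputs:   action/success/failure status lines from /etc/init.d/functions
# Returns:   status of the final counter-zeroing pass
#######################################
flush() {
  local table rv

  # filter table first, through action so the boot log shows [OK]/[FAILED]
  action $"Flushing all current rules and user defined chains:" iptables -F
  action $"Clearing all current rules and user defined chains:" iptables -X

  # Every table currently registered in the kernel (nat, mangle, ...).
  # The file is absent when no iptables module is loaded; stay quiet then.
  tables=$(cat /proc/net/ip_tables_names 2>/dev/null)

  # Flush each table, remembering any failure. The old `for ... && success
  # || failure` chain only saw the status of the last table, so a failure
  # on an earlier table was reported as success.
  rv=0
  for table in $tables; do
    iptables -t "$table" -F || rv=1
  done
  if [ "$rv" -eq 0 ]; then
    success $"Flushing all current rules and user defined chains:"
  else
    failure $"Flushing all current rules and user defined chains:"
  fi

  rv=0
  for table in $tables; do
    iptables -t "$table" -X || rv=1
  done
  if [ "$rv" -eq 0 ]; then
    success $"Clearing all current rules and user defined chains:"
  else
    failure $"Clearing all current rules and user defined chains:"
  fi

  # Zero the packet/byte counters; unchecked, as in the original.
  for table in $tables; do
    iptables -t "$table" -Z
  done
}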
startsmall() { load_modules # If we don't clear these first, we might be adding to # pre-existing rules. flush echo $"Applying reduced iptables firewall rules: "
# Default policies -- start out restrictive iptables -P INPUT DROP || die iptables -P FORWARD DROP || die iptables -P OUTPUT ACCEPT || die
# and allow DHCP iptables -A INPUT -p UDP --dport bootpc -j ACCEPT || die
# allow local connections as best we can iptables -A INPUT -i lo -j ACCEPT || echo 'no lo interface' iptables -A INPUT -s 127.0.0.1 -j ACCEPT || echo 'no 127.0.0.1 address'
start() { load_modules # If we don't clear these first, we might be adding to # pre-existing rules. flush
echo $"Applying iptables firewall rules: " # nat: POSTROUTING iptables -t nat -N POSTROUTING-OUT || die if [ -n "$WANIF" -a "$LANIF" != "$WANIF" ] ; then iptables -t nat -A POSTROUTING -s $IPADDR/$NETMASK -o $WANIF -j POSTROUTING-OUT || die fi if [ -n "$PPPIF" -a "$LANIF" != "$PPPIF" ] ; then iptables -t nat -A POSTROUTING -s $IPADDR/$NETMASK -o $PPPIF -j POSTROUTING-OUT || die fi iptables -t nat -A POSTROUTING-OUT -j MASQUERADE
# nat: PREROUTING if [ -f /etc/iptables/alternate-ports ] ; then . /etc/iptables/alternate-ports # -n does not work for these if [ ! -z $HTTP_PORT ] ; then iptables -t nat -A PREROUTING -p tcp --dport $HTTP_PORT -j DNAT --to $IPADDR:80 fi if [ ! -z $HTTPS_PORT ] ; then iptables -t nat -A PREROUTING -p tcp --dport $HTTPS_PORT -j DNAT --to $IPADDR:443 fi fi
iptables -t nat -N PREROUTING-WEB || die iptables -t nat -A PREROUTING -i $LANIF -d $IPADDR -j ACCEPT || die iptables -t nat -A PREROUTING -i $LANIF -p tcp --dport 80 -j PREROUTING-WEB || die
if [ -f /etc/iptables/content-filtering-macs ]; then for mac in `cat /etc/iptables/content-filtering-macs` ; do iptables -t nat -A PREROUTING-WEB -m mac --mac-source $mac -p tcp -j REDIRECT --to-port 3128 done || die fi if [ -f /etc/iptables/content-filtering-ips ]; then for ip in `cat /etc/iptables/content-filtering-ips` ; do iptables -t nat -A PREROUTING-WEB -s $ip -p tcp -j REDIRECT --to-port 3128 done || die fi
if [ "${CONTENT_FILTERING}" = "yes" ]; then iptables -t nat -A PREROUTING-WEB -p tcp -j REDIRECT --to-port 3128 else iptables -t nat -A PREROUTING-WEB -j ACCEPT || die fi
if [ -f /etc/iptables/port-forwarding ]; then iptables -t nat -N PREROUTING-IN || die if [ -n "$WANIF" -a "$LANIF" != "$WANIF" ] ; then iptables -t nat -A PREROUTING -i $WANIF -j PREROUTING-IN || die fi if [ -n "$PPPIF" -a "$LANIF" != "$PPPIF" ] ; then iptables -t nat -A PREROUTING -i $PPPIF -j PREROUTING-IN || die fi
# forwarding GRE packets: (they go to a host that is receiving 1723 TCP packets if comment field is PPtP
awk '{ /1723:1723 tcp [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+ PPtP/ && system ("iptables -t nat -A PREROUTING-IN -p 47 -j DNAT --to " $3);}' /etc/iptables/port-forwarding || die fi
# filter: FORWARD if [ -f /etc/iptables/no-wan-macs ]; then for mac in `cat /etc/iptables/no-wan-macs` ; do iptables -A FORWARD -m mac --mac-source $mac -j REJECT --reject-with icmp-admin-prohibited done || die fi if [ -f /etc/iptables/no-wan-ips ]; then for ip in `cat /etc/iptables/no-wan-ips` ; do iptables -A FORWARD -s $ip -j REJECT --reject-with icmp-admin-prohibited done || die fi
if [ -f /etc/iptables/no-wan-ports ]; then awk '{system("iptables -A FORWARD -p " $1 " --dport " $2 " -j REJECT --reject-with icmp-admin-prohibited");}' /etc/iptables/no-wan-ports || die fi
# filter: INPUT iptables -N INPUT-INTERNAL || die
iptables -A INPUT -i lo -j ACCEPT || die iptables -A INPUT -p tcp --dport 515 -j REJECT || die # lpd iptables -A INPUT -s $IPADDR/$NETMASK -j INPUT-INTERNAL || die iptables -I INPUT -s 169.254.0.0/16 -j INPUT-INTERNAL || die # Let the related packets in the server itself. iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || die
# External blocks. # Please note that we have changed the default policy of accept to drop. if [ -z "${BLOCK_ICMP_ECHO_EXT}" ]; then iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT || die fi if [ -z "${BLOCK_HTTP_EXT}" ]; then iptables -A INPUT -p tcp --dport 80 -j ACCEPT || die fi if [ -z "${BLOCK_HTTPS_EXT}" ]; then iptables -A INPUT -p tcp --dport 443 -j ACCEPT || die fi if [ -z "${BLOCK_SSH_EXT}" ]; then iptables -A INPUT -p tcp --dport 22 -j ACCEPT || die fi if [ -z "${BLOCK_FTP_EXT}" -o "${BLOCK_FTP_EXT}" = "no" ]; then iptables -A INPUT -p tcp --dport 20 -j ACCEPT || die iptables -A INPUT -p tcp --dport 21 -j ACCEPT || die # Accept port range 50000 to 50001 for FTPS iptables -A INPUT -p tcp --destination-port 50000:50001 -j ACCEPT || die fi
# Accept the 3rd party ports that are set to be opened: if [ ! -z "${TCP_OPEN_PORTS_EXT}" ]; then for port in $TCP_OPEN_PORTS_EXT; do iptables -A INPUT -p tcp --dport $port -j ACCEPT || die done fi if [ ! -z "${UDP_OPEN_PORTS_EXT}" ]; then for port in $UDP_OPEN_PORTS_EXT; do iptables -A INPUT -p udp --dport $port -j ACCEPT || die done fi
# Make sure remote IDENT requests are rejected, so that they get # on with whatever is happening iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with icmp-admin-prohibited || die
# Drop everything else.
iptables -A INPUT -j DROP || die
# WLAN blocks. if [ -f /etc/iptables/wlan-allow-macs ]; then for mac in `cat /etc/iptables/wlan-allow-macs` ; do iptables -A INPUT -m mac --mac-source $mac -j ACCEPT || die done || die fi
if [ -f /etc/iptables/wlan-deny-macs ]; then for mac in `cat /etc/iptables/wlan-deny-macs` ; do iptables -A INPUT -m mac --mac-source $mac -j DROP || die done || die fi
if [ "${BLOCK_WLAN}" = "yes" ]; then if [ -f /etc/iptables/wireless-filter ]; then . /etc/iptables/wireless-filter fi fi
# Internal blocks
if [ "${BLOCK_SSH_INT}" = "yes" ]; then iptables -A INPUT-INTERNAL -p tcp --dport 22 -j REJECT --reject-with icmp-admin-prohibited || die fi if [ "${BLOCK_FTP_INT}" = "yes" ]; then iptables -A INPUT-INTERNAL -p tcp --dport 20 -j REJECT --reject-with icmp-admin-prohibited || die iptables -A INPUT-INTERNAL -p tcp --dport 21 -j REJECT --reject-with icmp-admin-prohibited || die fi # Block the 3rd party ports that are set to be closed internally: if [ ! -z "${TCP_CLOSED_PORTS_INT}" ]; then for port in $TCP_CLOSED_PORTS_INT; do iptables -A INPUT -p tcp --dport $port -j REJECT --reject-with icmp-admin-prohibited || die done fi if [ ! -z "${UDP_CLOSED_PORTS_INT}" ]; then for port in $UDP_CLOSED_PORTS_INT; do iptables -A INPUT -p udp --dport $port -j REJECT --reject-with icmp-admin-prohibited || die done fi
ifup) I=0 while [ -z "$IPADDR" -a $I -lt 12 ] ; do /bin/sleep 5s getipaddr I=$(($I+1)) done if [ -n "$IPADDR" ] ; then start fi ;;
stop) echo -n "NOT stopping iptables" success ;;
restart) # "restart" is really just "start" as this isn't a daemon, # and "start" clears any pre-defined rules anyway. # This is really only here to make those who expect it happy #start if [ -n "$IPADDR" ]; then start else startsmall (/bin/sleep 5s ; /etc/init.d/iptables ifup) & fi ;;