How to enable ping? A little complex

I have two networks

  • 192.168.0.0/24 which is my home network
  • 10.2.0.0/24 which is the second network dedicated to vm's

Without firewall I can ping all networks without problems

Client System is : Slackware 14.2 with ip 192.168.0.2
Server is OmniOS with ip 10.2.0.1(vnic) and 192.168.0.30 (bge0)

    /etc/rc.d/rc.firewall stop
    ping 10.2.0.1
    PING 10.2.0.1 (10.2.0.1) 56(84) bytes of data.
    64 bytes from 192.168.0.30: icmp_seq=1 ttl=255 time=4.34 ms
    64 bytes from 192.168.0.30: icmp_seq=2 ttl=255 time=4.81 ms

It answers from 192.168.0.30, because the network 10.2.0.0/24 is NATed to let the VMs reach the internet.

With the firewall active

/etc/rc.d/rc.firewall start
        ping 10.2.0.1

No answer and syslog said...

Apr  8 12:03:58 slack64 kernel: [22092.913008] IN=bridge0 OUT= MAC=************* SRC=192.168.0.30 DST=192.168.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=255 ID=31255 DF PROTO=ICMP TYPE=0 CODE=0 ID=12441 SEQ=5 
    Apr  8 12:03:59 slack64 kernel: [22093.935986] IN=bridge0 OUT= MAC=************* SRC=192.168.0.30 DST=192.168.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=255 ID=31256 DF PROTO=ICMP TYPE=0 CODE=0 ID=12441 SEQ=6 

My firewall use this script on client linux

#!/bin/sh
    # A simple script firewall
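    set -e
    
    # We need this for redirection
    # Enable IPv4 forwarding only when the firewall is being brought up.
    # Writing it unconditionally meant that "stop" (which leaves FORWARD
    # with an ACCEPT policy and no rules) also turned the host into an
    # unfiltered router between its interfaces.
    # NOTE(review): a nat REDIRECT to a local port does not itself depend
    # on ip_forward — confirm forwarding is really needed before keeping it.
    case "$1" in
      start|restart)
        echo 1 > /proc/sys/net/ipv4/ip_forward
        ;;
    esac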
    
    #######################################
    # Build the ruleset: flush all four tables, set the default policies,
    # then append the INPUT/FORWARD rules in order. iptables walks a chain
    # top-down and the first matching rule decides, so rule order matters.
    # Globals:   none
    # Arguments: none
    # Returns:   status of the last iptables call; under "set -e" the
    #            script aborts at the first failing command
    #######################################
    firewall_start() {
    
    # Clean first: flush rules (-F), delete user chains (-X) and zero the
    # counters (-Z) in every table.
    iptables -F
    iptables -X
    iptables -Z
    iptables -t nat -F
    iptables -t nat -X
    iptables -t nat -Z
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -t mangle -Z
    iptables -t raw -F
    iptables -t raw -X
    iptables -t raw -Z
    
    # Default policy: INPUT/FORWARD fall closed if no rule matches, which
    # also covers the case where the script aborts before the final REJECT
    # rules below are appended.
    iptables -P OUTPUT ACCEPT
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    
    # firewall rules INPUT
    # NOTE(review): this rule includes NEW, so every inbound packet that
    # conntrack can classify (i.e. any new TCP/UDP connection, to any port,
    # from any source) is accepted right here and never reaches the
    # per-port rules below; only packets conntrack marks INVALID fall
    # through. The counter listing later in this thread shows all the
    # traffic on this rule and 0 on every port rule.
    iptables -A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    # Loopback is unrestricted (placed after the catch-all above).
    iptables -A INPUT -i lo -j ACCEPT
    
    # Bacula, LAN only
    iptables -A INPUT -s 192.168.0.0/24 -p tcp -m tcp --dport 9102:9104 -j ACCEPT
    
    # Ssh: accepted from any source (no -s restriction)
    iptables -A INPUT  -p tcp -m tcp --dport 22 -j ACCEPT
    
    # Icmp: echo-reply (0) and echo-request (8), but only when conntrack
    # says NEW/RELATED/ESTABLISHED.
    # NOTE(review): in this thread the reply to a ping sent to 10.2.0.1
    # comes back from 192.168.0.30 (see the ping and tcpdump output above);
    # presumably conntrack cannot tie that reply to the outgoing request
    # and classifies it INVALID, so it matches neither this rule nor the
    # first one and ends at the REJECT below — the "admin prohibited"
    # message seen in tcpdump. Dropping the state match on the type-0 rule
    # (as done later in the thread) is what lets the reply through.
    iptables -A INPUT -p icmp -m icmp --icmp-type 0 -s 0/0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p icmp -m icmp --icmp-type 8 -s 0/0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    
    # Log on syslog: every packet that reaches this point, unrated.
    # NOTE(review): consider "-m limit" so a flood cannot fill the log.
    iptables -A INPUT -j LOG
    iptables -A FORWARD -j LOG
    
    # Final input rules: explicit REJECT (the sender gets an ICMP
    # host-prohibited error) instead of silently relying on the DROP policy.
    iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
    iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    }
    
    #######################################
    # Open the host: set every filter policy back to ACCEPT, then flush
    # rules, delete user chains and zero counters in the filter, nat,
    # mangle and raw tables (in that order).
    # Globals:   none
    # Arguments: none
    # Returns:   status of the last iptables call
    #######################################
    firewall_stop() {
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -P OUTPUT ACCEPT
    # "-t filter" is what a bare "iptables -F" operates on.
    for table in filter nat mangle raw; do
      iptables -t "$table" -F
      iptables -t "$table" -X
      iptables -t "$table" -Z
    done
    }
    
    
    #######################################
    # Rebuild the ruleset: tear down, then start. Between firewall_stop
    # (policies ACCEPT, tables flushed) and the point where firewall_start
    # sets the DROP policies there is a short window in which the host
    # accepts everything; under "set -e" a failure inside firewall_stop
    # aborts the script in that open state.
    #######################################
    firewall_restart() {
    firewall_stop
    firewall_start
    }
    
    # Dispatch on the first argument: start, stop or restart map directly
    # onto the firewall_<action> functions; anything else prints usage.
    case "$1" in
    start|stop|restart)
      "firewall_$1"
      ;;
    *)
      echo "usage $0 start|stop|restart"
      ;;
    esac

And this is the ipf.conf of server

# block and quick everything by default but pass on lo0
    # NOTE(review): the default block applies to bge0 only; no rule below
    # blocks inbound traffic on the 10.2.0.1 vnic side. ipf passes packets
    # that match no rule unless the build says otherwise — confirm that the
    # vnic interface is meant to be unfiltered. "log" records each blocked
    # packet, which is where to look first when a service is unreachable.
    block in log on bge0 all
    pass in quick on lo0 all
    
    # These rules will allow connections initiated from
    # this host along with the return connection
    # ("keep state" creates the state entry that the return packets are
    # matched against before the rule list is consulted)
    pass out quick proto icmp all keep state
    pass out quick proto tcp all keep state
    pass out quick proto udp all keep state
    
    # Allow SecureShell incoming connections on 2122 port
    # (from any source address, on any interface)
    pass in quick proto tcp from any to any port = 2122 flags S keep state keep frags
    
    # Allow SecureShell incoming connections on 22 port
    # (from any source address, on any interface)
    pass in quick proto tcp from any to any port = 22 flags S keep state keep frags
    
    # Allow Secure stunnel telnet  incoming connections on 5860 port
    # (from any source address)
    pass in quick proto tcp from any to any port = 5860 flags S keep state keep frags
    
    # Allow nfs 3 4 — restricted to the home LAN; "keep frags" lets
    # fragments of an established flow through
    pass in quick proto tcp from 192.168.0.0/24 to any port = 2049  flags S keep state keep frags
    pass in quick   proto udp from 192.168.0.0/24 to any port = 2049 keep state
    pass in quick proto tcp from 192.168.0.0/24 to any port = 4001  flags S keep state keep frags
    pass in quick   proto udp from 192.168.0.0/24 to any port = 4001 keep state
    pass in quick proto tcp from 192.168.0.0/24 to any port = 111   flags S keep state keep frags
    pass in quick   proto udp from 192.168.0.0/24 to any port = 111 keep state
    pass in quick proto tcp from 192.168.0.0/24 to any port = 48472 flags S keep state keep frags
    pass in quick   proto udp from 192.168.0.0/24 to any port = 48472 keep state
    pass in quick proto tcp from 192.168.0.0/24 to any port = 8932 flags S keep state keep frags
    pass in quick   proto udp from 192.168.0.0/24 to any port = 8932 keep state
    
    #Allow PING
    # Every ICMP type from any source, not just echo-request. This is the
    # rule that lets the client's ping reach this host; the tcpdump output
    # later in the thread shows the reply leaving from 192.168.0.30.
    pass in quick proto icmp from any to any keep state
    
    # Samba, home LAN only
    pass in quick proto udp from 192.168.0.0/24 to any port = 137 keep state
    pass in quick proto udp from 192.168.0.0/24 to any port = 138 keep state
    pass in quick proto udp from 192.168.0.0/24 to any port = 139 keep state
    pass in quick proto udp from 192.168.0.0/24 to any port = 445 keep state
    pass in quick proto tcp from 192.168.0.0/24 to any port = 137 flags S keep state keep frags
    pass in quick proto tcp from 192.168.0.0/24 to any port = 138 flags S keep state keep frags
    pass in quick proto tcp from 192.168.0.0/24 to any port = 139 flags S keep state keep frags
    pass in quick proto tcp from 192.168.0.0/24 to any port = 445 flags S keep state keep frags
    
    # Dns, home LAN only
    pass in quick proto udp from 192.168.0.0/24 to any port = 53 keep state
    pass in quick proto tcp from 192.168.0.0/24 to any port = 53 flags S keep state keep frags

What can I do to enable ping? The other services work fine, DNS and SSH.

I think that this is most likely a routing problem. What is your routing table like?

Can you show us the output from ifconfig -a & netstat -rn on both sides? Remember that the target of the ping will have to be able to respond.

Robin

# Icmp     

iptables -A INPUT -p icmp -m icmp --icmp-type 0 -s 0/0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT     
iptables -A INPUT -p icmp -m icmp --icmp-type 8 -s 0/0 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

a) ICMP is stateless. So defining the state is senseless

b) ICMP Subtype 8 is echo Request, which you correctly defined on the INPUT Chain. ICMP Subtype 0 is "echo Reply" which is regulated at the OUTPUT chain since it is sent from the local host to the pinging party

c) Defining source -s 0/0 is of no use. Omit that and you have no restriction of source addresses.

d) I would assume the module icmp is automatically loaded when you specify -p icmp, so you can omit this too.

You can trace your packet filter more closely with additional log rules before and after important rules in your filter definition.

Oh. Wait. I misunderstood. iptables is the pinging party....


Now I use this rule..same thing.

iptables -A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

---------- Post updated at 12:34 PM ---------- Previous update was at 12:32 PM ----------

The route is ok..at least I think.

10.2.0.0        192.168.0.30    255.255.255.0   UG        0 0          0 bridge0

Maybe is bridge causing problems?
I will retry tomorrow with eth and no bridge.

Since everything works when you shut down the firewall, the most logical conclusion for me is that the firewall rules are the problem.

---

Ok. Since I twisted server and client in my understanding, the following is what would be needed:

  • client(slackware) must allow icmp-echo-reply(icmp subtype 0) inbound(INPUT-Chain)
  • client must allow icmp-echo-request outbound(OUTPUT-Chain), which is the case since you do not have any rules output and an accept-Policy

If you check the network packets at the client with tcpdump using this command (change eth0 to the correct device name!)...

tcpdump -i eth0 -n icmp

...you should see the echo request and echo reply packets even if the firewall is started and the ping fails. On the network level you should see them, even if they are blocked by the firewall rules, before they can get to the ping application.

This also would mean that the server is configured correctly to let icmp pass through.

As a next step I would add - as I recommended - some debugging rules like this to iptables:

iptables -I INPUT #1 -p icmp -j LOG
iptables -I INPUT #2 -p icmp --icmp-type 0 -j LOG
iptables -I INPUT #3 -p icmp --icmp-type 0 -j ACCEPT

The #1/#2/#3 is only notation meaning that these rules should be laid out in the chain in exactly this order; do not type the `#n` part itself, because the shell treats everything after `#` as a comment, and `iptables -I INPUT` with nothing after it inserts an empty match-all rule with no target.

You can now restart your firewall at the client, start a ping in another terminal window and verify the rules that are matching with the packets by watching this command:

watch -n1 iptables -L INPUT -v -n

You can reset the counters(so diagnosis is easier) with iptables -Z .

And so that we can get some insight into your situation and be better able to help you, please provide the output of iptables -L -v -n here in the forum. It may be better to post the actual resulting ruleset, not just the script creating it, because the result may not be what was intended.

I have tried all your tips.
Tcpdump said..

17:14:52.804665 IP 192.168.0.2 > 10.2.0.1: ICMP echo request, id 15645, seq 1, length 64
17:14:52.806881 IP 192.168.0.30 > 192.168.0.2: ICMP echo reply, id 15645, seq 1, length 64
17:14:52.807016 IP 192.168.0.2 > 192.168.0.30: ICMP host 192.168.0.2 unreachable - admin prohibited, length 92
17:14:53.841911 IP 192.168.0.2 > 10.2.0.1: ICMP echo request, id 15645, seq 2, length 64
17:14:53.843774 IP 192.168.0.30 > 192.168.0.2: ICMP echo reply, id 15645, seq 2, length 64
17:14:53.843908 IP 192.168.0.2 > 192.168.0.30: ICMP host 192.168.0.2 unreachable - admin prohibited, length 92
17:14:54.865879 IP 192.168.0.2 > 10.2.0.1: ICMP echo request, id 15645, seq 3, length 64

syslog said

.0.30 DST=192.168.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=255 ID=31997 DF PROTO=ICMP TYPE=0 CODE=0 ID=15645 SEQ=59 
Apr 10 17:15:53 slack64 kernel: [26858.347131] IN=bridge0 OUT= MAC=***** SRC=192.168.0.30 DST=192.168.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=255 ID=32044 DF PROTO=ICMP TYPE=0 CODE=0 ID=15645 SEQ=60 
Apr 10 17:15:54 slack64 kernel: [26859.370322] IN=bridge0 OUT= MAC=***** SRC=192.168.0.30 DST=192.168.0.2 LEN=84 TOS=0x00 PREC=0x00 TTL=255 ID=32094 DF PROTO=ICMP TYPE=0 CODE=0 ID=15645 SEQ=61 

The MAC address is really long, I think because of packet translation.

And pings are still blocked, but only for the 10.2.0.0/24 network; with the firewall disabled
(on the Slackware client) the ping works for all networks.

17:14:52.804665 IP 192.168.0.2 > 10.2.0.1: ICMP echo request, id 15645, seq 1, length 64 
17:14:52.806881 IP 192.168.0.30 > 192.168.0.2: ICMP echo reply, id 15645, seq 1, length 64 
17:14:52.807016 IP 192.168.0.2 > 192.168.0.30: ICMP host 192.168.0.2 unreachable - admin prohibited, length 92

Well that shows pretty obvious, what's going on:

  • The icmp echo request goes out to the target
  • The icmp echo reply comes back from the target
  • The local host rejects the echo reply and sends itself another icmp message for the failed echo reply

So this points to your client machine, the one sending the ping: its packet filter is configured wrongly.

Please show the current rules as requested in my previous post (iptables -L -v -n).

When you execute your ping and watch the counters with the watch command given above, which rules seem to match for the ICMP packets?

Sorry, forgot to put the output.
Here's output

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
 318K   76M            all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 318K   76M            all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 318K   76M            all  --  *      *       0.0.0.0/0            0.0.0.0/0           
 318K   76M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state NEW,RELATED,ESTABLISHED
    9   536 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:6000
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:3000
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:2000
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:137
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:137
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:138
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:138
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:139
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:139
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:445
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:445
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:65529
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:65530
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:65533
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:65529
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:65533
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:65530
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpts:4711:4712
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpts:4711:4712
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:25
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:631
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:631
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:515
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:515
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:111
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:111
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:662
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:662
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:2049
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:2049
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:4001
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:4001
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:32768
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpt:32768
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:2122
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:20 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:21 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp spt:2121 state ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpts:60000:65535
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpts:60000:65535
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpt:5859
    0     0 ACCEPT     tcp  --  *      *       192.168.0.0/24       0.0.0.0/0            tcp dpts:54233:54234
    0     0 ACCEPT     udp  --  *      *       192.168.0.0/24       0.0.0.0/0            udp dpts:54233:54234
   14   817 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-host-prohibited

Chain OUTPUT (policy ACCEPT 415K packets, 499M bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:20 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:21 state NEW,ESTABLISHED
    0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:2121 state NEW,ESTABLISHED

Ok. That'll help you a lot.

If you look at your table...

... what rules would you assume relevant for the failed ping?
... what rule, do you assume, matches for your icmp-packages(inbound and outbound)?

And last but not least, what do you think the following of your rules does accomplish?

iptables -A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

You will be surprised what you have created. Very rare. :wink:

Hint: Look at the counters!


Sorry, I'm a little (or more...) inexperienced with firewalls.

This rule

 iptables -A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

accepts connections if new, related or already established before the firewall start, or am I wrong?

 ... what rules would you assume relevant for the failed ping?

The latest,with big count.

 ... what rule, do you assume, matches for your icmp-packages(inbound and outbound)?

Mmm..the latest?
Now try to fix..

---------- Post updated at 01:20 PM ---------- Previous update was at 01:12 PM ----------

Thanks stomp for help.
I have fixed the script removing the last line

There is no single rule allowing ICMP packets, which means they go to the default-drop rule (last line of the INPUT chain, with packet count 14).

 iptables -A INPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT

This rule means that EVERY stateful Connection is allowed. Every possible TCP-Connection.

The only thing being not allowed is ping. (more or less :wink: )

Delete the NEW-State of the rule, so only established and related connections are matched by this rule.

And remove all -m something Elements of your iptables rules.

replace the icmp block with this:

 # Icmp
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT

Made it, thanks for help me

This way too, you disabled your firewall-functionality completely.

---

The first 3 rules of the INPUT chain seem defective. They have no effect, and there must be some error in the rules for them to show up like this (probably an `iptables -I INPUT` that lost everything after it, e.g. a `#` read as a shell comment).

Whoops!
I fix now.

---------- Post updated at 01:42 PM ---------- Previous update was at 01:40 PM ----------

This is the script now.
I'm testing it

#!/bin/sh
#a simple script firewall

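# Abort at the first failing iptables command instead of carrying on with
# a half-built ruleset.
set -e

# We need this for redirection
# Enable IPv4 forwarding only when the firewall is being brought up.
# Writing it unconditionally meant that "stop" (FORWARD chain flushed,
# policy left at ACCEPT) also left the host forwarding between its
# interfaces unfiltered.
# NOTE(review): a nat REDIRECT to a local port does not itself depend on
# ip_forward — confirm forwarding is really required before keeping it.
case "$1" in
  start|restart)
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ;;
esac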

#######################################
# Build the ruleset: flush the filter, nat and mangle tables, then append
# the INPUT/OUTPUT/nat rules in order. iptables walks a chain top-down and
# the first matching rule decides, so the order below is significant.
# Globals:   none
# Arguments: none
# Returns:   status of the last iptables call
#######################################
firewall_start() {
# Clean: flush rules (-F), delete user chains (-X), zero counters (-Z).
# The raw table is not touched (nothing below uses it).
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z

# Default policy
# NOTE(review): every policy is left at its current value (ACCEPT on a
# fresh boot), so the only deny in INPUT/FORWARD is the REJECT rule at
# the end of this function. PREROUTING/POSTROUTING are not chains of the
# filter table, so the commented -P lines for them would fail if
# re-enabled.
#iptables -P PREROUTING  ACCEPT
#iptables -P OUTPUT  ACCEPT
#iptables -P POSTROUTING  ACCEPT
#iptables -P INPUT ACCEPT
#iptables -P FORWARD ACCEPT


# firewall rules INPUT
# Replies to connections this host initiated, plus related ICMP errors.
# Packets conntrack marks INVALID do not match here and fall through to
# the specific rules below.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT


# X11: exposes the X server's TCP listener (6000) to the whole LAN
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 6000 -j ACCEPT

# Vdr, LAN only
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 3000 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 2000 -j ACCEPT

# Samba, LAN only
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 137 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 138 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 139 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 445 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 445 -j ACCEPT

# Amule, LAN only
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 65529 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 65530 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 65533 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 65529 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 65533 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 65530 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 4711:4712 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 4711:4712 -j ACCEPT

# Mail, LAN only
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 25 -j ACCEPT

# Print, LAN only
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 631 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 631 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 515 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 515 -j ACCEPT

# Nfs, LAN only
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 111 -j ACCEPT 
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 111 -j ACCEPT 
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 662 -j ACCEPT 
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 662 -j ACCEPT 
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 2049 -j ACCEPT 
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 2049 -j ACCEPT 
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 4001 -j ACCEPT 
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 4001 -j ACCEPT 
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 32768 -j ACCEPT 
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 32768 -j ACCEPT 

# Ssh on the redirected port 2122, LAN only
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 2122 -j ACCEPT

# Ftp
# NOTE(review): the three INPUT rules here only match ESTABLISHED, which
# the first INPUT rule already accepts for every protocol, so they never
# see a packet. The OUTPUT rules only add counters as long as the OUTPUT
# policy stays ACCEPT and no other OUTPUT rule exists.
iptables -A INPUT  -p tcp --sport 20 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 20 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A INPUT  -p tcp --sport 2121 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp --dport 2121 -m state --state NEW,ESTABLISHED -j ACCEPT
# A wide range of high ports, presumably for passive FTP data, is opened
# to the whole LAN for both TCP and UDP — TODO confirm the range is needed.
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 60000:65535 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 60000:65535 -j ACCEPT

# Secure telnet, LAN only
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 5859 -j ACCEPT

# Ktorrent, LAN only
iptables -A INPUT -s 192.168.0.0/24 -p tcp  --dport 54233:54234 -j ACCEPT
iptables -A INPUT -s 192.168.0.0/24 -p udp  --dport 54233:54234 -j ACCEPT

# Firewall rules NAT/OUTPUT
# LAN connections to 21/22 are rewritten to 2121/2122 in nat PREROUTING,
# before the filter table sees them, so INPUT has to accept the *target*
# ports: 2122 is accepted above, but nothing accepts dport 2121.
# NOTE(review): a LAN client connecting to port 21 would therefore end at
# the final REJECT — confirm this is intended.
iptables -t nat -A PREROUTING -s 192.168.0.0/24  -p tcp --dport 21 -j REDIRECT --to-port 2121
iptables -t nat -A OUTPUT -s 192.168.0.0/24  -p tcp -o lo --dport 21 -j REDIRECT --to-port 2121
iptables -t nat -A PREROUTING -s 192.168.0.0/24 -p tcp --dport 22 -j REDIRECT --to-ports 2122
iptables -t nat -A OUTPUT -s 192.168.0.0/24 -p tcp -o lo --dport 22 -j REDIRECT --to-ports 2122

# Icmp
# Echo-reply (type 0) from any source, deliberately without a state match:
# in this thread the reply to a ping sent to 10.2.0.1 comes back from
# 192.168.0.30, which conntrack presumably cannot tie to the request, so
# the RELATED,ESTABLISHED rule at the top does not catch it. Echo-request
# (type 8) is not accepted, so other hosts cannot ping this machine.
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT

# Log (disabled). When re-enabled, pair LOG with "-m limit" so a flood
# cannot fill syslog.
#iptables -A INPUT -j LOG
#iptables -A FORWARD -j LOG

#Final rules: the only deny in INPUT/FORWARD, since no DROP policy is set;
# the sender receives an ICMP host-prohibited error.
iptables -A INPUT -j REJECT --reject-with icmp-host-prohibited
iptables -A FORWARD -j REJECT --reject-with icmp-host-prohibited
}

#######################################
# Tear the firewall down: flush rules, delete user chains and zero the
# counters in the filter, nat and mangle tables (in that order). The raw
# table is left alone and no policy is reset, because firewall_start
# never sets one.
# Globals:   none
# Arguments: none
# Returns:   status of the last iptables call
#######################################
firewall_stop() {
  # "-t filter" is what a bare "iptables -F" operates on.
  for table in filter nat mangle; do
    iptables -t "$table" -F
    iptables -t "$table" -X
    iptables -t "$table" -Z
  done
}


#######################################
# Rebuild the ruleset: tear down, then start. firewall_start flushes the
# same three tables itself, so the explicit stop step is effectively
# redundant here; since no policy is ever set, the chains accept
# everything between the flush and the final REJECT rules.
#######################################
firewall_restart() {
firewall_stop
firewall_start
}

# Dispatch on the first argument: start, stop or restart map directly
# onto the firewall_<action> functions; anything else prints usage.
case "$1" in
start|stop|restart)
  "firewall_$1"
  ;;
*)
  echo "usage $0 start|stop|restart"
  ;;
esac