Iptables problem
I'm running iptables on my Debian router to get things working. But for some reason it logs everything to the active tty.
This is what rc.fwrules looks like:
#!/bin/sh
LAN_IP="192.168.0.1/32"
LAN_BCAST_ADRESS="192.168.0.255/32"
LAN1_IP="192.168.1.1/32"
LAN1_BCAST_ADRESS="192.168.1.255/32"
LOCALHOST_IP="127.0.0.1/32"
#Uncomment next line if you have a static IP to the Internet.
#STATIC_IP="yourinternetip/32"
#Uncomment next line if you have a dynamic IP to the Internet. Pay attention to select the correct ethernet card.
STATIC_IP=`/sbin/ifconfig eth0 |sed -n '/inet/s/^[ ]*inet addr:\([0-9.]*\).*/\1/p'`
INET_IFACE="eth0"
LAN_IFACE="eth2"
LAN1_IFACE="eth1"
IPTABLES="/sbin/iptables"
#This line will start the NAT.
echo "1" > /proc/sys/net/ipv4/ip_forward
#This line will protect from some DOS (Denial of service) attacks.
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
#Log and drop packets that do not follow the rules below.
$IPTABLES -N logdrop
$IPTABLES -A logdrop -j LOG
$IPTABLES -A logdrop -j DROP
#Log and drop connections that were not started from your network.
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW NOT SYN "
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "NEW NOT SYN "
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
#Log and drop connections that tried to reach your internal network.
$IPTABLES -A FORWARD --in-interface $INET_IFACE --destination $LAN_BCAST_ADRESS -j logdrop
$IPTABLES -A FORWARD --in-interface $LAN_IFACE --destination $STATIC_IP -j logdrop
#Allowing forwarding.
$IPTABLES -A FORWARD --in-interface $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD --in-interface $INET_IFACE -m state --state
#ESTABLISHED,RELATED -j ACCEPT
# Want a portforward? Note that you cannot access this port from the inside if you connect to the external IP.
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 21 -j DNAT --to-destination 192.168.0.100:21
#Want to disable access to a site on the net? This line will do this for you.
#$IPTABLES -A PREROUTING -t nat -d www.lunarstorm.se -j DROP
#Want to disable all connections from a certain ip on your network?
#$IPTABLES -A PREROUTING -t nat -s 192.168.0.3 -j DROP
#Accepting some icmptypes...
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
#Allow the server to talk to itself.
$IPTABLES -A INPUT --in-interface lo --source 127.0.0/8 -j ACCEPT
#Allow connections that start from your network to get answers.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#Allow all connections with source from your local network. Only comment this line out if you are sure of what you are doing.
$IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT
# Accepting connections from the Internet to your server's tcpport
$IPTABLES -A INPUT -p tcp -m state --state NEW --destination-port 22 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to $STATIC_IP
$IPTABLES -A INPUT -j logdrop
When I execute it I get the following error message:
iptables v1.2.6a: Unknown arg `--state'
What's missing? Unfortunately I can't show the log text that keeps appearing, because I can't do anything at that computer due to this problem. But it looks roughly like this:
Sep 21 06:48:50 stralbaver kernel: IN=eth0 OUT= MAC=00:00:e8:5c:3c:ce:00:10:67:00:9a:51:08:00 SRC=213.64.149.9 DST=213.64.137.64.137.160 LEN=48 TOS=0x00 PREC=0x00 TTL=123 ID=45798 DF PROTO=TCP SPT=2609 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Thanks in advance.
EDIT: Note, the "echo" lines cannot be removed; if they are, nothing works.
EDIT2: The log text is now included, since I found the log file.
Specs: Sweet computer
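An added example, not the original poster's rc.fwrules, covering the two things a reader would check in the script above: the argument to `--state` has to be on the same line as the option (in the post it sits on the next, commented-out line, which is what iptables reports as "Unknown arg `--state'"), and the level given to the LOG target decides whether the kernel also prints every match on the console, which on a router without X is the active virtual terminal. The interface names and the logdrop chain are taken from the post; the `LOG_LEVEL` default of debug, the `dmesg -n 4` console setting, the assumption of a default Debian syslog.conf that files kern.* to kern.log, and the `IPTABLES=echo` dry-run convention are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the poster's script): the FORWARD rules and the logdrop chain
# written so they load cleanly, with the log level chosen so the LOG target stops
# writing to the router's console. Set IPTABLES=echo for a dry run.
IPTABLES="${IPTABLES:-/sbin/iptables}"
INET_IFACE="${INET_IFACE:-eth0}"     # interface names as in the post
LAN_IFACE="${LAN_IFACE:-eth2}"
# Syslog priority for the LOG target. The default is warning (4), which the kernel
# prints on the console at the usual console loglevel of 7; debug (7) is not printed
# there, while syslogd still files it under kern.* (assumed default Debian syslog.conf).
LOG_LEVEL="${LOG_LEVEL:-debug}"

# Chain that logs a packet once and then drops it.
fw_logdrop_chain() {
    $IPTABLES -N logdrop
    $IPTABLES -A logdrop -j LOG --log-level "$LOG_LEVEL" --log-prefix "logdrop "
    $IPTABLES -A logdrop -j DROP
}

# Forwarding: anything from the LAN out, only replies back in from the Internet.
# The state list must be on the same line as --state; in the post it sat on the
# next, commented-out line, which is what produced "Unknown arg `--state'".
fw_forward_rules() {
    $IPTABLES -A FORWARD -i "$LAN_IFACE" -j ACCEPT
    $IPTABLES -A FORWARD -i "$INET_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Sanity check for a rule script read on stdin: prints how many lines end with a
# bare "--state", i.e. how many state arguments were lost to a line break.
count_dangling_state() {
    grep -c -E -- '--state[[:space:]]*$' || true
}

# Keep messages already logged at level warning off the console without touching
# the rules: only levels 0-3 (emerg..err) are still printed there after this.
quiet_console() {
    dmesg -n 4
}

# Only touch the live firewall when asked to; "check FILE" audits a rule script.
case "${1:-}" in
    apply) fw_logdrop_chain && fw_forward_rules ;;
    check) count_dangling_state < "$2" ;;
    quiet) quiet_console ;;
esac
```

Running the script with `IPTABLES=echo ./fw.sh apply` prints the rules instead of loading them, which is the easiest way to see a split option before iptables complains about it; `./fw.sh check rc.fwrules` reports how many `--state` options in the original script lost their argument.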