On Wednesday, 30 August 2006 10:57, Ulf Volmer wrote:
> On Wed, Aug 30, 2006 at 10:48:01AM +0200, Daniel Musketa wrote:
> > So, now I have put the whole ruleset into _one_ script and prepended a
> >
> > iptables -F -t filter
> > iptables -F -t nat
> > iptables -F -t mangle
> >
> > to it. [...]
> > But iptables still sends the masqueraded packets from yesterday's IP.
>
> Could you put the script somewhere or post it here?
Sure.

-------- 8< --------
#!/bin/sh

# delete the old rules
iptables -v -F -t nat
iptables -v -F -t mangle
iptables -v -F -t filter

# check that the tables are really empty
iptables -vL -t nat
echo "----------------------------"

# THE MOST IMPORTANT LINE:
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE

# forward the RTP ports for SIP to the Asterisk box
iptables -t nat -A PREROUTING -i ppp0 -p udp -m udp --dport 10000:10500 \
    -j DNAT --to-destination 192.168.1.128

# various other rules
iptables -t mangle -A INPUT -p tcp -m tcp --dport 22 -j MARK --set-mark 0x14
# ...

# and further rules
iptables -t filter -A INPUT -i tun1 -m state --state \
    INVALID,NEW,RELATED,UNTRACKED -j REJECT \
    --reject-with icmp-port-unreachable
# ...

# check that the rules have been reloaded:
iptables -vL -t nat
-------- >8 --------

The output looks like this:

-------- 8< --------
Flushing chain `PREROUTING'
Flushing chain `POSTROUTING'
Flushing chain `OUTPUT'
Flushing chain `PREROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Flushing chain `POSTROUTING'
Flushing chain `INPUT'
Flushing chain `FORWARD'
Flushing chain `OUTPUT'
Chain PREROUTING (policy ACCEPT 2407 packets, 154K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 256 packets, 18919 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 1151 packets, 73598 bytes)
 pkts bytes target     prot opt in     out     source               destination
----------------------------
Chain PREROUTING (policy ACCEPT 2407 packets, 154K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DNAT       udp  --  ppp0   any     anywhere             anywhere            udp dpts:10000:10500 to:192.168.1.128

Chain POSTROUTING (policy ACCEPT 256 packets, 18919 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 MASQUERADE  all  --  any    ppp0    anywhere             anywhere

Chain OUTPUT (policy ACCEPT 1151 packets, 73598 bytes)
 pkts bytes target     prot opt in     out     source               destination
-------- >8 --------

Daniel
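The script above flushes the three rule tables, but "iptables -F" does not touch the connection-tracking table: NAT bindings that were created while the old address was current stay in conntrack, and packets belonging to those tracked flows keep leaving with the source address recorded in the binding, whatever the current MASQUERADE rule says. The following script is an added example, not Daniel's script or anything else from the thread. It reloads the two NAT rules from the posted script and adds the step the posted script lacks, a conntrack flush, plus a check that the MASQUERADE rule is in place and that no tracked entry still carries the old address. It assumes conntrack-tools ("conntrack") is installed; the interface name, inner host and RTP port range are taken from the posted script, and the old address is whatever the caller passes in.

```shell
#!/bin/sh
# Added example (not from the thread): reload a MASQUERADE ruleset after the
# ppp0 address has changed and drop the stale connection-tracking entries.
# Assumptions: conntrack-tools is installed; WAN_IF/LAN_HOST/RTP_PORTS follow
# the posted script and can be overridden from the environment.
set -eu

WAN_IF=${WAN_IF:-ppp0}
LAN_HOST=${LAN_HOST:-192.168.1.128}
RTP_PORTS=${RTP_PORTS:-10000:10500}

# 1. Flush rules and user-defined chains in all three tables (the part the
#    posted script already does).
flush_rules() {
    for t in nat mangle filter; do
        iptables -t "$t" -F
        iptables -t "$t" -X
    done
}

# 2. Drop the tracked connections. When the old address is known, delete
#    only the entries whose reply destination is that address (that is the
#    masqueraded source); otherwise flush the whole table.
flush_conntrack() {
    if [ -n "${1:-}" ]; then
        conntrack -D --reply-dst "$1" || true   # non-zero exit when nothing matched
    else
        conntrack -F
    fi
}

# 3. Reload the NAT rules from the posted script.
load_rules() {
    iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    iptables -t nat -A PREROUTING -i "$WAN_IF" -p udp -m udp --dport "$RTP_PORTS" \
        -j DNAT --to-destination "$LAN_HOST"
}

# 4a. Check: is there a MASQUERADE rule whose out-interface is $WAN_IF?
masquerade_rule_present() {
    iptables -t nat -vnL POSTROUTING | grep -q "MASQUERADE.*[[:space:]]$WAN_IF[[:space:]]"
}

# 4b. Check: how many tracked connections still have $1 as a destination in
#     their reply tuple ("dst=<addr>" after the first src/dst pair)?
stale_entries() {
    conntrack -L 2>/dev/null | grep -c "dst=$1[ ]" || true
}

# Full sequence: flush rules, flush conntrack, reload, verify.
# Returns 0 when the MASQUERADE rule is present and nothing is left over.
reload_ruleset() {
    old=${1:-}
    flush_rules
    flush_conntrack "$old"
    load_rules
    masquerade_rule_present || { echo "no MASQUERADE rule on $WAN_IF" >&2; return 1; }
    if [ -n "$old" ] && [ "$(stale_entries "$old")" != 0 ]; then
        echo "conntrack still holds entries bound to $old" >&2
        return 1
    fi
    return 0
}

# Run from a pppd ip-up hook or by hand:
#   sh masq-reload.sh --apply [OLD_ADDRESS]
if [ "${1:-}" = "--apply" ]; then
    reload_ruleset "${2:-}"
fi
```

The targeted "conntrack -D --reply-dst OLD" keeps flows that never touched the old address (for example the tun1 traffic filtered in the posted script) alive; "conntrack -F" is the blunt alternative when the old address is not known. The stale-entry count is worth keeping as a check even on a system where the interface goes fully down between addresses, because it shows directly whether a lingering binding, rather than the rule set, is the reason packets still leave with the old source.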