hanasaki wrote:
Could someone help me out with a set of rules to NAT or MASQ port 500
on TCP and on UDP from the internal to the external network? Only
connections originated on the internal network should be allowed.
I have : iptables v1.2.4
Thanks,
Here is what I used when I needed masquerading; you will need to change it a bit to suit your needs — at least the `-s 192.168.1.2` source address and the `ppp0` interface in the MASQUERADE rule, which are specific to my setup. Note that the MASQUERADE rule is not port-specific, so TCP/UDP 500 from that host is covered along with everything else it sends; if this is for IPsec, be aware that ESP (IP protocol 50) carries no port numbers and will not masquerade by itself without NAT traversal support on both endpoints.
feel free.
David
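#!/bin/sh
#
# Setup iptables: packet filter plus masquerading for a LAN host behind ppp0.
#
# Usage: /etc/init.d/iptables {start|stop}
#
# Filter-table layout once "start" has run:
#   INPUT, FORWARD -> block -> synflood rate limit
#                           -> stateful / per-service ACCEPTs
#                           -> dlog (log telnet probes, DROP the rest)
#   OUTPUT is not filtered.  Chain policies are never changed from ACCEPT:
#   the DROP at the end of "block" is what closes the box.
#
# Written for iptables 1.2.x on a 2.4 kernel.  "-i ! ppp0" is the old
# negation syntax (newer releases spell it "! -i ppp0").
#
# Every rule that used to be wrapped over two lines by the mail client has
# been rejoined; as posted, "-j" at a line end left the option without an
# argument and the next line ran as a (non-existent) command, so the synflood
# jump, the RETURN in synflood and the MASQUERADE rule never got installed.

test -f /sbin/iptables || exit 0

IPT=/sbin/iptables
EXT_IF=ppp0                         # untrusted (dial-up) interface
LAN_HOST=192.168.1.2                # the one internal host that is masqueraded
IMAP_CLIENT=155.245.123.31          # site-specific: remote host allowed to tcp/143
UDP_PEER_NET=205.188.153.0/255.255.255.0   # site-specific: see the udp rule below

#######################################
# Flush and delete everything "start" creates.  Order matters: user chains
# must be empty and unreferenced before "-X" can delete them.
# Globals: IPT
#######################################
teardown_rules() {
    $IPT -F block
    $IPT -F dlog
    $IPT -F synflood
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -F FORWARD
    $IPT -X block
    $IPT -X dlog
    $IPT -X synflood
    # The nat table must go too, otherwise the MASQUERADE rule survives "stop"
    # and a later "start" appends a second copy.
    $IPT -t nat -F POSTROUTING
}

#######################################
# Install the filter and nat rules, then enable forwarding.
# Globals: IPT, EXT_IF, LAN_HOST, IMAP_CLIENT, UDP_PEER_NET
#######################################
setup_rules() {
    # Forwarding stays OFF until the rule set is in place, so there is no
    # window in which the box routes unfiltered traffic between interfaces.
    echo "0" > /proc/sys/net/ipv4/ip_forward

    # Start from a clean slate so a repeated "start" does not append a
    # duplicate rule set (and "-N" does not fail on an existing chain).
    # Errors are expected on a first run, hence the redirect.
    teardown_rules 2>/dev/null

    ## Insert connection-tracking modules (not needed if built into kernel).
    #/sbin/modprobe ip_tables
    #/sbin/modprobe ip_conntrack
    #/sbin/modprobe ip_conntrack_ftp
    #/sbin/modprobe iptable_nat

    ## Create chain which blocks new connections, except if coming from inside.
    $IPT -N block
    $IPT -N dlog
    $IPT -N synflood

    # Packets with only SYN set (new connection attempts) go through the rate
    # limiter first.  NOTE: the limit is global, not per source, so a remote
    # SYN flood also starves the LAN's own new connections; see synflood below.
    $IPT -A block -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j synflood
    # Replies to connections that we or the LAN opened.
    $IPT -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections are fine from any interface except the external one
    # (that covers lo and the LAN side).
    $IPT -A block -m state --state NEW -i ! $EXT_IF -j ACCEPT
    # "-p", not "-i": -i names an input *interface*, so "-i icmp" matched
    # nothing and inbound ICMP (unreachables, fragmentation-needed, pings)
    # was silently dropped.  This accepts every ICMP type from outside, which
    # is what the rule intended; restrict with --icmp-type if you want less.
    $IPT -A block -p icmp -j ACCEPT
    # DNS over TCP from the box itself and from the LAN host.  These match on
    # source address only (no interface), so they would also admit packets on
    # $EXT_IF that spoof these sources; the kernel's rp_filter is what keeps
    # that harmless.  Genuine local/LAN traffic is already accepted by the
    # NEW rule above, so these are belt-and-braces.
    $IPT -A block -p tcp --source 127.0.0.1 --destination-port domain -j ACCEPT
    $IPT -A block -p tcp --source $LAN_HOST --destination-port domain -j ACCEPT
    # IMAP (tcp/143) from one specific remote host.
    $IPT -A block -p tcp --source $IMAP_CLIENT --destination-port 143 -j ACCEPT
    # Redundant: RELATED,ESTABLISHED is already accepted for every source by
    # the rule above, so this one can never match.  Kept as in the original;
    # safe to delete.
    $IPT -A block -p udp -m udp --source $UDP_PEER_NET -m state --state RELATED,ESTABLISHED -j ACCEPT
    # ident (tcp/113) from anywhere, so remote mail/IRC servers get an answer
    # (or a RST) at once instead of waiting for a dropped probe to time out.
    $IPT -A block -p tcp --destination-port auth -j ACCEPT
    # Everything else falls through to log-and-drop.
    $IPT -A block -j dlog

    ## Set up the dlog chain: log telnet probes, drop everything.
    $IPT -A dlog -p tcp --destination-port telnet -j LOG --log-level notice
    $IPT -A dlog -j DROP

    ## Set up the synflood chain: at most 1 new SYN/sec with a burst of 4 is
    ## let back into "block"; the rest are dropped.  Tune this for your link --
    ## a LAN doing ordinary web browsing easily exceeds 1 SYN/sec.
    $IPT -A synflood -m limit --limit 1/sec --limit-burst 4 -j RETURN
    $IPT -A synflood -j DROP

    ## Jump to that chain from INPUT and FORWARD chains.
    $IPT -A INPUT -j block
    $IPT -A FORWARD -j block

    # Masquerade the LAN host out of the external interface.  This is not
    # port-specific: everything the LAN host sends out is NATed.  Nothing is
    # DNATed back in, so connections initiated from the Internet hit INPUT
    # and are dropped by "block".
    $IPT -t nat -A POSTROUTING -o $EXT_IF -s $LAN_HOST -j MASQUERADE
    echo "SNAT (MASQ) Enabled on $EXT_IF Interface"

    # Rules are in place; now it is safe to route.
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo " IP Forwarding Enabled"
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    echo "Dynamic Address Hacking Enabled"
}

case "$1" in
start)
    echo "Setting up iptables"
    setup_rules
    ;;
stop)
    echo "Stopping IP Filtering..."
    # Stop routing before the filter goes away, so the box is never an
    # unfiltered router.  The chain policies were never changed from ACCEPT,
    # so after "stop" the host itself is wide open -- expected for this script.
    echo "0" > /proc/sys/net/ipv4/ip_forward
    teardown_rules
    echo "Done."
    ;;
*)
    echo "Usage: /etc/init.d/iptables {start|stop}"
    exit 1
    ;;
esac
exit 0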
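#!/bin/sh
#
# Setup iptables: packet filter plus masquerading for a LAN host behind ppp0.
#
# Usage: /etc/init.d/iptables {start|stop}
#
# Filter-table layout once "start" has run:
#   INPUT, FORWARD -> block -> synflood rate limit
#                           -> stateful / per-service ACCEPTs
#                           -> dlog (log telnet probes, DROP the rest)
#   OUTPUT is not filtered.  Chain policies are never changed from ACCEPT:
#   the DROP at the end of "block" is what closes the box.
#
# Written for iptables 1.2.x on a 2.4 kernel.  "-i ! ppp0" is the old
# negation syntax (newer releases spell it "! -i ppp0").
#
# Every rule that used to be wrapped over two lines by the mail client has
# been rejoined; as posted, "-j" at a line end left the option without an
# argument and the next line ran as a (non-existent) command, so the synflood
# jump, the RETURN in synflood and the MASQUERADE rule never got installed.

test -f /sbin/iptables || exit 0

IPT=/sbin/iptables
EXT_IF=ppp0                         # untrusted (dial-up) interface
LAN_HOST=192.168.1.2                # the one internal host that is masqueraded
IMAP_CLIENT=155.245.123.31          # site-specific: remote host allowed to tcp/143
UDP_PEER_NET=205.188.153.0/255.255.255.0   # site-specific: see the udp rule below

#######################################
# Flush and delete everything "start" creates.  Order matters: user chains
# must be empty and unreferenced before "-X" can delete them.
# Globals: IPT
#######################################
teardown_rules() {
    $IPT -F block
    $IPT -F dlog
    $IPT -F synflood
    $IPT -F INPUT
    $IPT -F OUTPUT
    $IPT -F FORWARD
    $IPT -X block
    $IPT -X dlog
    $IPT -X synflood
    # The nat table must go too, otherwise the MASQUERADE rule survives "stop"
    # and a later "start" appends a second copy.
    $IPT -t nat -F POSTROUTING
}

#######################################
# Install the filter and nat rules, then enable forwarding.
# Globals: IPT, EXT_IF, LAN_HOST, IMAP_CLIENT, UDP_PEER_NET
#######################################
setup_rules() {
    # Forwarding stays OFF until the rule set is in place, so there is no
    # window in which the box routes unfiltered traffic between interfaces.
    echo "0" > /proc/sys/net/ipv4/ip_forward

    # Start from a clean slate so a repeated "start" does not append a
    # duplicate rule set (and "-N" does not fail on an existing chain).
    # Errors are expected on a first run, hence the redirect.
    teardown_rules 2>/dev/null

    ## Insert connection-tracking modules (not needed if built into kernel).
    #/sbin/modprobe ip_tables
    #/sbin/modprobe ip_conntrack
    #/sbin/modprobe ip_conntrack_ftp
    #/sbin/modprobe iptable_nat

    ## Create chain which blocks new connections, except if coming from inside.
    $IPT -N block
    $IPT -N dlog
    $IPT -N synflood

    # Packets with only SYN set (new connection attempts) go through the rate
    # limiter first.  NOTE: the limit is global, not per source, so a remote
    # SYN flood also starves the LAN's own new connections; see synflood below.
    $IPT -A block -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j synflood
    # Replies to connections that we or the LAN opened.
    $IPT -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New connections are fine from any interface except the external one
    # (that covers lo and the LAN side).
    $IPT -A block -m state --state NEW -i ! $EXT_IF -j ACCEPT
    # "-p", not "-i": -i names an input *interface*, so "-i icmp" matched
    # nothing and inbound ICMP (unreachables, fragmentation-needed, pings)
    # was silently dropped.  This accepts every ICMP type from outside, which
    # is what the rule intended; restrict with --icmp-type if you want less.
    $IPT -A block -p icmp -j ACCEPT
    # DNS over TCP from the box itself and from the LAN host.  These match on
    # source address only (no interface), so they would also admit packets on
    # $EXT_IF that spoof these sources; the kernel's rp_filter is what keeps
    # that harmless.  Genuine local/LAN traffic is already accepted by the
    # NEW rule above, so these are belt-and-braces.
    $IPT -A block -p tcp --source 127.0.0.1 --destination-port domain -j ACCEPT
    $IPT -A block -p tcp --source $LAN_HOST --destination-port domain -j ACCEPT
    # IMAP (tcp/143) from one specific remote host.
    $IPT -A block -p tcp --source $IMAP_CLIENT --destination-port 143 -j ACCEPT
    # Redundant: RELATED,ESTABLISHED is already accepted for every source by
    # the rule above, so this one can never match.  Kept as in the original;
    # safe to delete.
    $IPT -A block -p udp -m udp --source $UDP_PEER_NET -m state --state RELATED,ESTABLISHED -j ACCEPT
    # ident (tcp/113) from anywhere, so remote mail/IRC servers get an answer
    # (or a RST) at once instead of waiting for a dropped probe to time out.
    $IPT -A block -p tcp --destination-port auth -j ACCEPT
    # Everything else falls through to log-and-drop.
    $IPT -A block -j dlog

    ## Set up the dlog chain: log telnet probes, drop everything.
    $IPT -A dlog -p tcp --destination-port telnet -j LOG --log-level notice
    $IPT -A dlog -j DROP

    ## Set up the synflood chain: at most 1 new SYN/sec with a burst of 4 is
    ## let back into "block"; the rest are dropped.  Tune this for your link --
    ## a LAN doing ordinary web browsing easily exceeds 1 SYN/sec.
    $IPT -A synflood -m limit --limit 1/sec --limit-burst 4 -j RETURN
    $IPT -A synflood -j DROP

    ## Jump to that chain from INPUT and FORWARD chains.
    $IPT -A INPUT -j block
    $IPT -A FORWARD -j block

    # Masquerade the LAN host out of the external interface.  This is not
    # port-specific: everything the LAN host sends out is NATed.  Nothing is
    # DNATed back in, so connections initiated from the Internet hit INPUT
    # and are dropped by "block".
    $IPT -t nat -A POSTROUTING -o $EXT_IF -s $LAN_HOST -j MASQUERADE
    echo "SNAT (MASQ) Enabled on $EXT_IF Interface"

    # Rules are in place; now it is safe to route.
    echo "1" > /proc/sys/net/ipv4/ip_forward
    echo " IP Forwarding Enabled"
    echo "1" > /proc/sys/net/ipv4/ip_dynaddr
    echo "Dynamic Address Hacking Enabled"
}

case "$1" in
start)
    echo "Setting up iptables"
    setup_rules
    ;;
stop)
    echo "Stopping IP Filtering..."
    # Stop routing before the filter goes away, so the box is never an
    # unfiltered router.  The chain policies were never changed from ACCEPT,
    # so after "stop" the host itself is wide open -- expected for this script.
    echo "0" > /proc/sys/net/ipv4/ip_forward
    teardown_rules
    echo "Done."
    ;;
*)
    echo "Usage: /etc/init.d/iptables {start|stop}"
    exit 1
    ;;
esac
exit 0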