Hello, I had posted earlier and got good hints. But for keeping it simple I want to do the setup only with iptables.
I have the following interfaces:

eth0: ADSL modem connected, dial-up connection with the pppoe package
eth2: LAN connected, 192.168.1.0/24
tun0: VPN tunnel with 131.173.0.0/16 and 172.16.0.0/12 at the far end; the interface gets a public IP from the gateway

I have tried to set up the rules with some safety restrictions and to avoid setting up a circle-route. Can anyone give me a hint if this is OK at all? I need to make all changes in theory first, the router can only be disabled for a short time.

Thanks in advance,
Michael Przysucha

The rules (with remarks):

# used interfaces
#
# eth0 - Internet interface via PPPoE
# eth1 - not in use
# eth2 - Intranet
# tun0 - VPN Tunnel to HoNOs (campus network)
#
#============================================================
# port remarks
#
# 666 - alternative SSH port (hiding the system)
#
#============================================================
# preparing rules
-P INPUT ACCEPT
-P OUTPUT ACCEPT
-P FORWARD DROP
-F INPUT
-F OUTPUT
-F FORWARD
-F TRUSTED
-X TRUSTED
-N TRUSTED

# Interfaces for I-Net
-A PREROUTING -i eth0 -j REDIRECT
-A PREROUTING -i tun0 -j REDIRECT

# masquerading of packets
-A POSTROUTING -o eth0 -j MASQUERADE
-A POSTROUTING -o tun0 -j MASQUERADE

# avoiding circle-route
-A REDIRECT -i tun0 ! -d 192.168.1.0/255.255.255.0 -j DROP
-A REDIRECT -i eth0 ! -d 192.168.1.0/255.255.255.0 -j DROP

# important ports to be forwarded/opened
-A REDIRECT -i eth0 -p tcp -m multiport --dports 80,666 -j DNAT --to-destination 192.168.1.254
-A REDIRECT -i tun0 -p tcp -m multiport --dports 80,666 -j DNAT --to-destination 192.168.1.254

# important safety-rules during iptables-rebuild
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 21 -j DROP
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j DROP
-A INPUT -i eth0 -p tcp -m state --state NEW -m tcp --dport 23 -j DROP
-A INPUT -i tun0 -p tcp -m state --state NEW -m tcp --dport 21 -j DROP
-A INPUT -i tun0 -p tcp -m state --state NEW -m tcp --dport 22 -j DROP
-A INPUT -i tun0 -p tcp -m state --state NEW -m tcp --dport 23 -j DROP

# every client within the local zone is allowed to access every port on the router
-A INPUT -i eth2 -p tcp -m state --state NEW -m tcp --dport 0:65535 -j ACCEPT

# outgoing rules for clients
# is MARK recommended?
-A PREROUTING -s 192.168.1.0/255.255.255.0 -i eth2 -j REDIRECT
-A FORWARD -s 192.168.1.0/255.255.255.0 ! -d 131.173.0.0/255.255.0.0 -o eth0 -j MARK --set-mark 0x4
-A FORWARD -s 192.168.1.0/255.255.255.0 -d 131.173.0.0/255.255.0.0 -o tun0 -j MARK --set-mark 0x4

# incoming rules for clients
# is MARK recommended?
-A POSTROUTING ! -s 131.173.0.0/255.255.0.0 -d 192.168.1.0/255.255.255.0 -i eth0 -j MARK --set-mark 0x3
-A POSTROUTING -s 131.173.0.0/255.255.0.0 -d 192.168.1.0/255.255.255.0 -i tun0 -j MARK --set-mark 0x3

# ping abuse on tun0
-A INPUT -m state --state NEW -j TRUSTED
-A TRUSTED -i tun0 -p icmp -m icmp --icmp-type 8 -j DROP
-A TRUSTED -i tun0 -p icmp -j DROP
-A TRUSTED -j REJECT --reject-with icmp-port-unreachable

# closing all open ports to the outside
-P INPUT DROP
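As an added example (not the poster's ruleset and not a reply from the list), the same intent written as an iptables-restore file, so that NAT and filtering live in their own tables and each table is loaded atomically, which matters when the router may only be down briefly. It assumes the interfaces, networks and the DNAT target 192.168.1.254 from the post, adds the loopback, ESTABLISHED/RELATED and FORWARD accept rules the post leaves implicit, and leaves out the `--set-mark` rules because nothing in the post consumes the marks.

```iptables
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Port forwarding from both uplinks to the internal host named in the post.
-A PREROUTING -i eth0 -p tcp -m multiport --dports 80,666 -j DNAT --to-destination 192.168.1.254
-A PREROUTING -i tun0 -p tcp -m multiport --dports 80,666 -j DNAT --to-destination 192.168.1.254
# Masquerade LAN traffic leaving on either uplink.
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/24 -o tun0 -j MASQUERADE
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:TRUSTED - [0:0]
# Router itself: loopback, replies to its own connections, and everything from the LAN.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth2 -s 192.168.1.0/24 -j ACCEPT
# New connections from the uplinks go through TRUSTED; the DROP policy already
# closes 21/22/23 and every other port, so no per-port DROP rules are needed.
-A INPUT -m state --state NEW -j TRUSTED
-A TRUSTED -i tun0 -p icmp -j DROP
-A TRUSTED -j REJECT --reject-with icmp-port-unreachable
# Forwarding: replies first, then LAN -> campus over tun0, LAN -> the rest over eth0.
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth2 -s 192.168.1.0/24 -o tun0 -d 131.173.0.0/16 -j ACCEPT
-A FORWARD -i eth2 -s 192.168.1.0/24 -o tun0 -d 172.16.0.0/12 -j ACCEPT
# The negation keeps campus traffic from leaking out unencrypted via eth0 if tun0 is down.
-A FORWARD -i eth2 -s 192.168.1.0/24 -o eth0 ! -d 131.173.0.0/16 -j ACCEPT
# Only the DNATed ports may enter the LAN from the uplinks.
-A FORWARD -i eth0 -o eth2 -d 192.168.1.254 -p tcp -m multiport --dports 80,666 -m state --state NEW -j ACCEPT
-A FORWARD -i tun0 -o eth2 -d 192.168.1.254 -p tcp -m multiport --dports 80,666 -m state --state NEW -j ACCEPT
# No hairpin between the two uplinks (the circle route the post worries about);
# anything not matched above falls to the FORWARD DROP policy.
-A FORWARD -i eth0 -o tun0 -j DROP
-A FORWARD -i tun0 -o eth0 -j DROP
COMMIT
```

Load it with `iptables-restore < file`; a syntax error aborts before the table is committed, so a typo leaves the running ruleset untouched instead of half-applied.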