
See attached the cut-down version of the script I use.
It has port forwarding examples and a bunch of things I added.


Guy

On Mon, 2004-04-26 at 17:17, David Suna wrote:
> Yes, the problem seems to be with the IPTABLES.  I used the RedHat tool 
> for setting up the IPTABLES but that didn't seem to work.
> 
> I found the instructions below to clear out and set up a simple table for 
> masquerading.
> iptables -F
> iptables -t nat -F
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
> 
> Now I need to figure out how to add to this to include disabling any 
> outside connections (while still allowing the machines on the LAN to use 
> the services of the Linux box, i.e. telnet, http etc.).
> 
> Also, I need to figure out how to save this so that the 
> 
> Thanks,
> David Suna.
> 
> On 26 Apr 2004 at 15:28, Shaul Karl <[EMAIL PROTECTED]> wrote:
> 
> On Mon, Apr 26, 2004 at 09:01:40AM +0000, david wrote:
> > I have all of that set up.  Before I had ip_forward turned on the
> > packets didn't even go out on the Internet.  Now they go out but with
> > the wrong IP address (i.e. they say they are coming from 192.168.0.4
> > instead of the IP address of my Internet connection).
> 
>   
>   iptables (the firewall rules)?
> David Suna
> David's Consultants R.G.A Ltd
> [EMAIL PROTECTED]
> 972-2-993-8613
> 
> 
> =================================================================
> To unsubscribe, send mail to [EMAIL PROTECTED] with
> the word "unsubscribe" in the message body, e.g., run the command
> echo unsubscribe | mail [EMAIL PROTECTED]
-- 
Smith & Wesson - the original point and click interface

Attachment: iptables.txt

#!/bin/bash

# Servers
WWWSERVER="192.168.0.3"
MAILSERVER="192.168.0.101"

# Network information you will need to adjust
EXTIF="eth0"
INTIF="eth1"
INTERNALNET="192.168.0.0/16"    # covers all of 192.168.x.x; narrow it to your
                                # LAN (e.g. /24, matching INTERNALBCAST below)
INTERNALBCAST="192.168.0.255"
MYADDR="X.Y.Z.W"                # Public address of $EXTIF, needed for DNAT

# Pathnames
IPTABLES="$(command -v iptables || echo /sbin/iptables)"

###########################################################
# Flush everything, start from scratch                    #
###########################################################

$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F


###########################################################
# Global settings - see /etc/sysctl.conf                  #
###########################################################

# ip_forward (and rp_filter) are set in /etc/sysctl.conf, not here.
# Without net.ipv4.ip_forward=1 the FORWARD chain is never consulted.


###########################################################
# Set policies                                            #
###########################################################

# INPUT stays ACCEPT; the catch-all rules at the end handle $EXTIF.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP


###########################################################
# Declare additional chains                               #
###########################################################

# A chain for dealing with ICMP traffic.  Create it on the first run and
# flush it on later runs (-F on a chain that does not exist yet fails).
$IPTABLES -N icmp_packets 2>/dev/null || $IPTABLES -F icmp_packets


###########################################################
# DoS - see /etc/sysctl.conf                              #
###########################################################

###########################################################
# Set basic rules                                         #
###########################################################

# Kill ANY stupid packets, including
# - Packets that are too short to have a full ICMP/UDP/TCP header
# - TCP and UDP packets with zero (illegal) source and destination ports
# - Illegal combinations of TCP flags
# - Zero-length (illegal) or over-length TCP and IP options,
#   or options after the END-OF-OPTIONS option
# - Fragments of illegal length or offset (e.g., Ping of Death).
# Above list ripped from http://www.linux-mag.com/2000-01/bestdefense_02.html

# Drop bad packets.  The experimental "unclean" match was only ever
# available in 2.4-era kernels; where it is missing these two lines print
# an error and the state INVALID rules below cover similar ground.
$IPTABLES -A INPUT -m unclean -j DROP
$IPTABLES -A FORWARD -m unclean -j DROP

# Kill invalid packets (illegal combinations of flags)
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

# Allow all connections on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT

# Kill connections to the loopback address arriving on any other interface.
$IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT

# Allow unlimited traffic from internal network using legit addresses
$IPTABLES -A INPUT -i $INTIF -s $INTERNALNET -j ACCEPT

# Kill anything from outside claiming to be from internal network
$IPTABLES -A INPUT -i $EXTIF -s $INTERNALNET -j REJECT

# Allow ALL forwarding going out
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# Allow replies coming in
$IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow established connections
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT



###########################################################
# ICMP                                                    #
###########################################################

# Send all ICMP packets from outside to the icmp_packets chain
$IPTABLES -A FORWARD -i $EXTIF -p icmp -j icmp_packets
$IPTABLES -A INPUT -i $EXTIF -p icmp -j icmp_packets

# Allow all packets from the inside net to travel to outside.
# Note: only $EXTIF traffic is sent to this chain by the two jumps above,
# so this rule and the $INTIF rule further down only come into play if
# you also jump here for ICMP arriving on $INTIF.
$IPTABLES -A icmp_packets -s $INTERNALNET -i $INTIF -o $EXTIF -p icmp -j ACCEPT

# Allow return packets of certain types back in.
$IPTABLES -A icmp_packets ! -s $INTERNALNET -i $EXTIF -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A icmp_packets ! -s $INTERNALNET -i $EXTIF -p icmp --icmp-type source-quench -j ACCEPT
$IPTABLES -A icmp_packets ! -s $INTERNALNET -i $EXTIF -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A icmp_packets ! -s $INTERNALNET -i $EXTIF -p icmp --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A icmp_packets ! -s $INTERNALNET -i $EXTIF -p icmp --icmp-type echo-reply -j ACCEPT

# Allow all ICMP from inside net to the inner interface
$IPTABLES -A icmp_packets -s $INTERNALNET -p icmp -i $INTIF -j ACCEPT

# Deny ICMP to the broadcast address.  This must come before the
# rate-limited echo-request rule, or broadcast pings would be accepted.
$IPTABLES -A icmp_packets -p icmp -d $INTERNALBCAST -j DROP

# Ping flood protection: accept at most one echo-request per second
$IPTABLES -A icmp_packets -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# Drop all the remaining ICMP packets
$IPTABLES -A icmp_packets -p icmp -j DROP

###########################################################
# Local Servers                                           #
###########################################################
# ssh (reachable from the outside as well)
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT

###########################################################
# DNAT                                                    #
###########################################################

# HTTP port forwarding to the internal web server
$IPTABLES -t nat -A PREROUTING -p tcp -d $MYADDR --dport 80 -j DNAT --to $WWWSERVER:80
$IPTABLES -A FORWARD -p tcp -d $WWWSERVER --dport 80 -j ACCEPT

# Mailserver port forwarding
$IPTABLES -t nat -A PREROUTING -p tcp -d $MYADDR --dport 25 -j DNAT --to $MAILSERVER:25
$IPTABLES -A FORWARD -p tcp -d $MAILSERVER --dport 25 -j ACCEPT


###########################################################
# Catch all rules.                                        #
# iptables reverts to these if it hasn't matched any of   #
# the previous rules.                                     #
# Log.  There's no point logging noise.                   #
# There's too much of it. Just log connection requests    #
###########################################################

$IPTABLES -A INPUT -i $EXTIF -p tcp --syn -m limit --limit 5/minute -j LOG \
        --log-prefix "Firewalled packet:"
$IPTABLES -A FORWARD -i $EXTIF -p tcp --syn -m limit --limit 5/minute -j LOG \
        --log-prefix "Firewalled packet:"
# Reject
$IPTABLES -A INPUT -i $EXTIF -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -i $EXTIF -p all -j DROP

$IPTABLES -A FORWARD -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p all -j DROP

# Accept it anyway if it's only output
$IPTABLES -A OUTPUT -j ACCEPT

# Masquerade internal connections going out.
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
