Port forwarding from Internal LAN

Bodenzord bodenzord@surfcity.net
Sat Aug 21 23:03:49 CEST 2004


This is a multi-part message in MIME format.

------=_NextPart_000_0017_01C48790.10C0AEC0
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hello,

I'm trying to set up port forwarding in IPTABLES and so far it's working =
great from the internet, but when I attempt from my internal LAN using =
the External IP address, it fails.

EXTIF=3D"eth0"
INTIF=3D"eth1"
EXTIP=3D"xxx.xxx.xxx.xxx"
INTNET=3D"192.168.1.0/24"
INTIP=3D"192.168.1.1"
PORTFWIP=3D"192.168.1.13"



>From the internet, if I type in http://xxx.xxx.xxx.xxx:81 it works.

When use a computer on my LAN and type in http://192.168.1.13:81 it =
works.

However, when i type in from a computer on my LAN: =
http://xxx.xxx.xxx.xxx:81 it does not.

Any ideas? Thanks in advance.

Mike



#########################################################################=
######



#
# rc.firewall-2.4-stronger
#

FWVER=3D0.74s-4

echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n"


IPTABLES=3D/sbin/iptables


LSMOD=3D/sbin/lsmod
DEPMOD=3D/sbin/depmod
INSMOD=3D/sbin/insmod
GREP=3D/bin/grep
AWK=3D/bin/awk
SED=3D/bin/sed
IFCONFIG=3D/sbin/ifconfig


EXTIF=3D"eth0"
INTIF=3D"eth1"
echo "  External Interface:  $EXTIF"
echo "  Internal Interface:  $INTIF"
echo "  ---"


# For users who wish to use STATIC IP addresses:

EXTIP=3D"xxx.xxx.xxx.xxx"
echo "  External IP: $EXTIP"
echo "  ---"


# Assign the internal TCP/IP network and IP address
INTNET=3D"192.168.1.0/24"
INTIP=3D"192.168.1.1"
echo "  Internal Network: $INTNET"
echo "  Internal IP:      $INTIP"
echo "  ---"





UNIVERSE=3D"0/0"


echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a

echo -en "    Loading kernel modules: "


#Load the main body of the IPTABLES module - "ip_tables"
#  - Loaded automatically when the "iptables" command is invoked
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
   $INSMOD ip_tables
fi


#Load the IPTABLES filtering module - "iptable_filter"=20
#
#  - Loaded automatically when filter policies are activated


#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack  module in itself does nothing without other specific=20
# conntrack modules being loaded afterwards such as the =
"ip_conntrack_ftp"
# module
#
#  - This module is loaded automatically when MASQ functionality is=20
#    enabled=20
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
   $INSMOD ip_conntrack
fi


#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -e "ip_conntrack_ftp, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; =
then
   $INSMOD ip_conntrack_ftp
fi


#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en "                             ip_conntrack_irc, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; =
then
   $INSMOD ip_conntrack_irc
fi


#Load the general IPTABLES NAT code - "iptable_nat"
#  - Loaded automatically when MASQ functionality is turned on
#=20
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
   $INSMOD iptable_nat
fi


#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -e "ip_nat_ftp"
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
   $INSMOD ip_nat_ftp
fi

echo "  ---"








#Clearing any previous configuration

echo "  Clearing any existing rules and setting default policy to =
DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT=20
$IPTABLES -P OUTPUT DROP =20
$IPTABLES -F OUTPUT=20
$IPTABLES -P FORWARD DROP =20
$IPTABLES -F FORWARD=20
$IPTABLES -F -t nat

#Not needed and it will only load the unneeded kernel module
#$IPTABLES -F -t mangle



#CRITICAL:  Enable IP forwarding since it is disabled by default since
#
#           Redhat Users:  you may try changing the options in
#                          /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=3Dfalse
#                             to
#                       FORWARD_IPV4=3Dtrue
#
echo "  Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward



# Flush the user chain.. if it exists
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
   $IPTABLES -F drop-and-log-it
fi


# Delete all User-specified chains
$IPTABLES -X


# Reset all IPTABLES counters
$IPTABLES -Z


#Configuring specific CHAINS for later use in the ruleset
#
#  NOTE:  Some users prefer to have their firewall silently
#         "DROP" packets while others prefer to use "REJECT"
#         to send ICMP error messages back to the remote=20
#         machine.  The default is "REJECT" but feel free to
#         change this below.
#
# NOTE: Without the --log-level set to "info", every single
#       firewall hit will goto ALL vtys.  This is a very big
#       pain.
#
echo "  Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info=20
$IPTABLES -A drop-and-log-it -j DROP

echo -e "\n   - Loading INPUT rulesets"



#######################################################################
# INPUT: Incoming traffic from various interfaces.  All rulesets are=20
#        already flushed and set to a default policy of DROP.=20
#

# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT


# local interface, local machines, going anywhere is valid
#
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT


# remote interface, claiming to be local machines, IP spoofing, get lost
#
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it


# external interface, from any source, for ICMP traffic is valid
#
#  If you would like your machine to "ping" from the Internet,=20
#  enable this next line
#
#$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT


# remote interface, any source, going to permanent PPP address is valid
#
#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT


# Allow any related traffic coming back to the MASQ server in
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
 ESTABLISHED,RELATED -j ACCEPT


# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#
$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT


## FTP=20
# Allow ftp inbound:

$IPTABLES -A INPUT  -i $EXTIF -p tcp --dport 21 -m state --state =
NEW,ESTABLISHED -j ACCEPT=20

#
# Now for the connection tracking part of ftp. This is discussed more =
completely in my section=20
# on connection tracking to be found here.=20


# HTTPd - Enable the following lines if you run an EXTERNAL WWW server
#
echo -e "      - Allowing EXTERNAL access to the WWW server"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
 -p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT




# Catch all rule, all other incoming is denied and logged.=20
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it



echo -e "   - Loading OUTPUT rulesets"

#######################################################################
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are=20
#         already flushed and set to a default policy of DROP.=20
#

# loopback interface is valid.
#
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT


# local interfaces, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT


# local interface, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT


# outgoing to local net on remote interface, stuffed routing, deny
#
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it


# anything else outgoing on remote interface is valid
#
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT



# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#         - Remove BOTH #s all the #s if you need this functionality.
#
$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \
 -d 255.255.255.255 --dport 68 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \
 -d 255.255.255.255 --dport 68 -j ACCEPT



# Catch all rule, all other outgoing is denied and logged.=20
#
$IPTABLES -A OUTPUT -s ! $EXTIP -d $UNIVERSE -j drop-and-log-it




echo -e "   - Loading FORWARD rulesets"

#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#

echo "Enabling PORTFW Redirection on the external LAN.."

# This will forward ALL port 81 traffic from the external IP address
# to port 81 on the 192.168.1.13 machine
#
# Be SURE that when you add these new rules to your rc.firewall, you
# add them before a direct or implemented drop or reject

PORTFWIP=3D"192.168.1.13"

# Allow forwarding of new and existing port 81 connections
#

$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 81 -m state =
--state NEW,ESTABLISHED,RELATED -j ACCEPT

# Enable PORTFW of this port 81 traffic
#

$IPTABLES -t nat -A PREROUTING -p tcp -d $EXTIP --dport 81 -j DNAT --to =
$PORTFWIP:81

echo "     - FWD: Allow all connections OUT and only existing/related =
IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state =
ESTABLISHED,RELATED \
 -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# Catch all rule, all other forwarding is denied and logged.=20
#
$IPTABLES -A FORWARD -j drop-and-log-it


echo "     - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
#
#More liberal form
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#
#Stricter form
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP


#######################################################################
echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n"








------=_NextPart_000_0017_01C48790.10C0AEC0
Content-Type: text/html;
	charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Hello,</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>I'm trying to set up port forwarding in =
IPTABLES=20
and so far it's working great from the internet, but when I attempt from =
my=20
internal LAN using the External IP address, it fails.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial =
size=3D2>EXTIF=3D"eth0"<BR>INTIF=3D"eth1"</FONT></DIV>
<DIV>EXTIP=3D"xxx.xxx.xxx.xxx"<BR>INTNET=3D"192.168.1.0/24"<BR>INTIP=3D"1=
92.168.1.1"</DIV>
<DIV>
<DIV>PORTFWIP=3D"192.168.1.13"</DIV><BR></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>From the internet, if I type in <A=20
href=3D"http://xxx.xxx.xxx.xxx:81">http://xxx.xxx.xxx.xxx:81</A> it=20
works.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV>
<DIV><FONT face=3DArial size=3D2>When use a computer on my LAN and type =
in <A=20
href=3D"http://192.168.1.13:81">http://192.168.1.13:81</A> it =
works.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>However, when i type in from a computer =
on my LAN:=20
</FONT><FONT face=3DArial size=3D2><A=20
href=3D"http://xxx.xxx.xxx.xxx:81">http://xxx.xxx.xxx.xxx:81</A>&nbsp;it =
does=20
not.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Any ideas? Thanks in =
advance.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>Mike</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial=20
size=3D2>################################################################=
###############</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>#<BR># =
rc.firewall-2.4-stronger<BR>#</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>FWVER=3D0.74s-4</FONT></DIV>
<DIV>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2>echo -e "\nLoading STRONGER rc.firewall =
- version=20
$FWVER..\n"</FONT></DIV>
<DIV>&nbsp;</DIV><FONT face=3DArial size=3D2>
<DIV><BR>IPTABLES=3D/sbin/iptables</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR>LSMOD=3D/sbin/lsmod<BR>DEPMOD=3D/sbin/depmod<BR>INSMOD=3D/sbin/i=
nsmod<BR>GREP=3D/bin/grep<BR>AWK=3D/bin/awk<BR>SED=3D/bin/sed<BR>IFCONFIG=
=3D/sbin/ifconfig</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR>EXTIF=3D"eth0"<BR>INTIF=3D"eth1"<BR>echo "&nbsp; External =
Interface:&nbsp;=20
$EXTIF"<BR>echo "&nbsp; Internal Interface:&nbsp; $INTIF"<BR>echo =
"&nbsp;=20
---"</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR># For users who wish to use STATIC IP addresses:</DIV>
<DIV>&nbsp;</DIV>
<DIV>EXTIP=3D"xxx.xxx.xxx.xxx"<BR>echo "&nbsp; External IP: =
$EXTIP"<BR>echo=20
"&nbsp; ---"</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR># Assign the internal TCP/IP network and IP=20
address<BR>INTNET=3D"192.168.1.0/24"<BR>INTIP=3D"192.168.1.1"<BR>echo =
"&nbsp;=20
Internal Network: $INTNET"<BR>echo "&nbsp; Internal=20
IP:&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; $INTIP"<BR>echo "&nbsp; ---"</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV>UNIVERSE=3D"0/0"</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR>echo "&nbsp; - Verifying that all kernel modules are =
ok"<BR>$DEPMOD=20
-a</DIV>
<DIV>&nbsp;</DIV>
<DIV>echo -en "&nbsp;&nbsp;&nbsp; Loading kernel modules: "</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR>#Load the main body of the IPTABLES module - =
"ip_tables"<BR>#&nbsp; -=20
Loaded automatically when the "iptables" command is =
invoked<BR>#<BR>#&nbsp; -=20
Loaded manually to clean up kernel auto-loading timing =
issues<BR>#<BR>echo -en=20
"ip_tables, "<BR>#<BR>#Verify the module isn't loaded.&nbsp; If it is, =
skip=20
it<BR>#<BR>if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; =

then<BR>&nbsp;&nbsp; $INSMOD ip_tables<BR>fi</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR>#Load the IPTABLES filtering module - "iptable_filter" =
<BR>#<BR>#&nbsp;=20
- Loaded automatically when filter policies are activated</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR>#Load the stateful connection tracking framework -=20
"ip_conntrack"<BR>#<BR># The conntrack&nbsp; module in itself does =
nothing=20
without other specific <BR># conntrack modules being loaded afterwards =
such as=20
the "ip_conntrack_ftp"<BR># module<BR>#<BR>#&nbsp; - This module is =
loaded=20
automatically when MASQ functionality is <BR>#&nbsp;&nbsp;&nbsp; enabled =

<BR>#<BR>#&nbsp; - Loaded manually to clean up kernel auto-loading =
timing=20
issues<BR>#<BR>echo -en "ip_conntrack, "<BR>#<BR>#Verify the module =
isn't=20
loaded.&nbsp; If it is, skip it<BR>#<BR>if [ -z "` $LSMOD | $GREP =
ip_conntrack |=20
$AWK {'print $1'} `" ]; then<BR>&nbsp;&nbsp; $INSMOD =
ip_conntrack<BR>fi</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR>#Load the FTP tracking mechanism for full FTP =
tracking<BR>#<BR>#=20
Enabled by default -- insert a "#" on the next line to =
deactivate<BR>#<BR>echo=20
-e "ip_conntrack_ftp, "<BR>#<BR>#Verify the module isn't loaded.&nbsp; =
If it is,=20
skip it<BR>#<BR>if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK =
{'print $1'}=20
`" ]; then<BR>&nbsp;&nbsp; $INSMOD ip_conntrack_ftp<BR>fi</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR>#Load the IRC tracking mechanism for full IRC =
tracking<BR>#<BR>#=20
Enabled by default -- insert a "#" on the next line to =
deactivate<BR>#<BR>echo=20
-en=20
"&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;=20
ip_conntrack_irc, "<BR>#<BR>#Verify the module isn't loaded.&nbsp; If it =
is,=20
skip it<BR>#<BR>if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK =
{'print $1'}=20
`" ]; then<BR>&nbsp;&nbsp; $INSMOD ip_conntrack_irc<BR>fi</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR>#Load the general IPTABLES NAT code - "iptable_nat"<BR>#&nbsp; =
- Loaded=20
automatically when MASQ functionality is turned on<BR># <BR>#&nbsp; - =
Loaded=20
manually to clean up kernel auto-loading timing issues<BR>#<BR>echo -en=20
"iptable_nat, "<BR>#<BR>#Verify the module isn't loaded.&nbsp; If it is, =
skip=20
it<BR>#<BR>if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" =
];=20
then<BR>&nbsp;&nbsp; $INSMOD iptable_nat<BR>fi</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR>#Loads the FTP NAT functionality into the core IPTABLES =
code<BR>#=20
Required to support non-PASV FTP.<BR>#<BR># Enabled by default -- insert =
a "#"=20
on the next line to deactivate<BR>#<BR>echo -e =
"ip_nat_ftp"<BR>#<BR>#Verify the=20
module isn't loaded.&nbsp; If it is, skip it<BR>#<BR>if [ -z "` $LSMOD | =
$GREP=20
ip_nat_ftp | $AWK {'print $1'} `" ]; then<BR>&nbsp;&nbsp; $INSMOD=20
ip_nat_ftp<BR>fi</DIV>
<DIV>&nbsp;</DIV>
<DIV>echo "&nbsp; ---"</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR>#Clearing any previous configuration</DIV>
<DIV>&nbsp;</DIV>
<DIV>echo "&nbsp; Clearing any existing rules and setting default policy =
to=20
DROP.."<BR>$IPTABLES -P INPUT DROP<BR>$IPTABLES -F INPUT <BR>$IPTABLES =
-P OUTPUT=20
DROP&nbsp; <BR>$IPTABLES -F OUTPUT <BR>$IPTABLES -P FORWARD DROP&nbsp;=20
<BR>$IPTABLES -F FORWARD <BR>$IPTABLES -F -t nat</DIV>
<DIV>&nbsp;</DIV>
<DIV>#Not needed and it will only load the unneeded kernel =
module<BR>#$IPTABLES=20
-F -t mangle</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV>#CRITICAL:&nbsp; Enable IP forwarding since it is disabled by =
default=20
since<BR>#<BR>#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;=20
Redhat Users:&nbsp; you may try changing the options=20
in<BR>#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;=20
/etc/sysconfig/network=20
from:<BR>#<BR>#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbs=
p;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp=
;=20
FORWARD_IPV4=3Dfalse<BR>#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&=
nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
to<BR>#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
FORWARD_IPV4=3Dtrue<BR>#<BR>echo "&nbsp; Enabling forwarding.."<BR>echo =
"1" &gt;=20
/proc/sys/net/ipv4/ip_forward</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV># Flush the user chain.. if it exists<BR>if [ -n "`$IPTABLES -L | =
$GREP=20
drop-and-log-it`" ]; then<BR>&nbsp;&nbsp; $IPTABLES -F=20
drop-and-log-it<BR>fi</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR># Delete all User-specified chains<BR>$IPTABLES -X</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR># Reset all IPTABLES counters<BR>$IPTABLES -Z</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR>#Configuring specific CHAINS for later use in the=20
ruleset<BR>#<BR>#&nbsp; NOTE:&nbsp; Some users prefer to have their =
firewall=20
silently<BR>#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; "DROP" =
packets=20
while others prefer to use=20
"REJECT"<BR>#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; to send =
ICMP error=20
messages back to the remote=20
<BR>#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; machine.&nbsp; The =
default=20
is "REJECT" but feel free=20
to<BR>#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; change this=20
below.<BR>#<BR># NOTE: Without the --log-level set to "info", every=20
single<BR>#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; firewall hit will goto =
ALL=20
vtys.&nbsp; This is a very big<BR>#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;=20
pain.<BR>#<BR>echo "&nbsp; Creating a DROP chain.."<BR>$IPTABLES -N=20
drop-and-log-it<BR>$IPTABLES -A drop-and-log-it -j LOG --log-level info=20
<BR>$IPTABLES -A drop-and-log-it -j DROP</DIV>
<DIV>&nbsp;</DIV>
<DIV>echo -e "\n&nbsp;&nbsp; - Loading INPUT rulesets"</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV>####################################################################=
###<BR>#=20
INPUT: Incoming traffic from various interfaces.&nbsp; All rulesets are=20
<BR>#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; already flushed and set =
to a=20
default policy of DROP. <BR>#</DIV>
<DIV>&nbsp;</DIV>
<DIV># loopback interfaces are valid.<BR>#<BR>$IPTABLES -A INPUT -i lo =
-s=20
$UNIVERSE -d $UNIVERSE -j ACCEPT</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR># local interface, local machines, going anywhere is=20
valid<BR>#<BR>$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j=20
ACCEPT</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR># remote interface, claiming to be local machines, IP spoofing, =
get=20
lost<BR>#<BR>$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j=20
drop-and-log-it</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR># external interface, from any source, for ICMP traffic is=20
valid<BR>#<BR>#&nbsp; If you would like your machine to "ping" from the=20
Internet, <BR>#&nbsp; enable this next line<BR>#<BR>#$IPTABLES -A INPUT =
-i=20
$EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR># remote interface, any source, going to permanent PPP address =
is=20
valid<BR>#<BR>#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j=20
ACCEPT</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR># Allow any related traffic coming back to the MASQ server=20
in<BR>#<BR>$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state =
--state=20
\<BR>&nbsp;ESTABLISHED,RELATED -j ACCEPT</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR># DHCPd - Enable the following lines if you run an INTERNAL =
DHCPd=20
server<BR>#<BR>$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 =
-j=20
ACCEPT<BR>$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j=20
ACCEPT</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR>## FTP <BR># Allow ftp inbound:</DIV>
<DIV>&nbsp;</DIV>
<DIV>$IPTABLES -A INPUT&nbsp; -i $EXTIF -p tcp --dport 21 -m state =
--state=20
NEW,ESTABLISHED -j ACCEPT </DIV>
<DIV>&nbsp;</DIV>
<DIV>#<BR># Now for the connection tracking part of ftp. This is =
discussed more=20
completely in my section <BR># on connection tracking to be found here. =
</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR># HTTPd - Enable the following lines if you run an EXTERNAL WWW =

server<BR>#<BR>echo -e "&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; - Allowing =
EXTERNAL=20
access to the WWW server"<BR>$IPTABLES -A INPUT -i $EXTIF -m state =
--state=20
NEW,ESTABLISHED,RELATED \<BR>&nbsp;-p tcp -s $UNIVERSE -d $EXTIP --dport =
80 -j=20
ACCEPT</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR># Catch all rule, all other incoming is denied and logged.=20
<BR>#<BR>$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j =
drop-and-log-it</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV>echo -e "&nbsp;&nbsp; - Loading OUTPUT rulesets"</DIV>
<DIV>&nbsp;</DIV>
<DIV>####################################################################=
###<BR>#=20
OUTPUT: Outgoing traffic from various interfaces.&nbsp; All rulesets are =

<BR>#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; already flushed =
and set to=20
a default policy of DROP. <BR>#</DIV>
<DIV>&nbsp;</DIV>
<DIV># loopback interface is valid.<BR>#<BR>$IPTABLES -A OUTPUT -o lo -s =

$UNIVERSE -d $UNIVERSE -j ACCEPT</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR># local interfaces, any source going to local net is=20
valid<BR>#<BR>$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j =
ACCEPT</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR># local interface, any source going to local net is=20
valid<BR>#<BR>$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j =
ACCEPT</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR># outgoing to local net on remote interface, stuffed routing,=20
deny<BR>#<BR>$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j=20
drop-and-log-it</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR># anything else outgoing on remote interface is =
valid<BR>#<BR>$IPTABLES=20
-A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV># DHCPd - Enable the following lines if you run an INTERNAL DHCPd=20
server<BR>#&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; - Remove =
BOTH #s all=20
the #s if you need this functionality.<BR>#<BR>$IPTABLES -A OUTPUT -o =
$INTIF -p=20
tcp -s $INTIP --sport 67 \<BR>&nbsp;-d 255.255.255.255 --dport 68 -j=20
ACCEPT<BR>$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67=20
\<BR>&nbsp;-d 255.255.255.255 --dport 68 -j ACCEPT</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV># Catch all rule, all other outgoing is denied and logged.=20
<BR>#<BR>$IPTABLES -A OUTPUT -s ! $EXTIP -d $UNIVERSE -j =
drop-and-log-it</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR>echo -e "&nbsp;&nbsp; - Loading FORWARD rulesets"</DIV>
<DIV>&nbsp;</DIV>
<DIV>####################################################################=
###<BR>#=20
FORWARD: Enable Forwarding and thus IPMASQ<BR>#</DIV>
<DIV>&nbsp;</DIV>
<DIV>echo "Enabling PORTFW Redirection on the external LAN.."</DIV>
<DIV>&nbsp;</DIV>
<DIV># This will forward ALL port 81 traffic from the external IP =
address<BR>#=20
to port 81 on the 192.168.1.13 machine<BR>#<BR># Be SURE that when you =
add these=20
new rules to your rc.firewall, you<BR># add them before a direct or =
implemented=20
drop or reject</DIV>
<DIV>&nbsp;</DIV>
<DIV>PORTFWIP=3D"192.168.1.13"</DIV>
<DIV>&nbsp;</DIV>
<DIV># Allow forwarding of new and existing port 81 =
connections<BR>#</DIV>
<DIV>&nbsp;</DIV>
<DIV>$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 81 -m state =
--state=20
NEW,ESTABLISHED,RELATED -j ACCEPT</DIV>
<DIV>&nbsp;</DIV>
<DIV># Enable PORTFW of this port 81 traffic<BR>#</DIV>
<DIV>&nbsp;</DIV>
<DIV>$IPTABLES -t nat -A PREROUTING -p tcp -d $EXTIP --dport 81 -j DNAT =
--to=20
$PORTFWIP:81</DIV>
<DIV>&nbsp;</DIV>
<DIV>echo "&nbsp;&nbsp;&nbsp;&nbsp; - FWD: Allow all connections OUT and =
only=20
existing/related IN"<BR>$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m =
state=20
--state ESTABLISHED,RELATED \<BR>&nbsp;-j ACCEPT<BR>$IPTABLES -A FORWARD =
-i=20
$INTIF -o $EXTIF -j ACCEPT</DIV>
<DIV>&nbsp;</DIV>
<DIV># Catch all rule, all other forwarding is denied and logged.=20
<BR>#<BR>$IPTABLES -A FORWARD -j drop-and-log-it</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR>echo "&nbsp;&nbsp;&nbsp;&nbsp; - NAT: Enabling SNAT =
(MASQUERADE)=20
functionality on $EXTIF"<BR>#<BR>#More liberal form<BR>#$IPTABLES -t nat =
-A=20
POSTROUTING -o $EXTIF -j MASQUERADE<BR>#<BR>#Stricter form<BR>$IPTABLES =
-t nat=20
-A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP</DIV>
<DIV>&nbsp;</DIV>
<DIV><BR>################################################################=
#######<BR>echo=20
-e "\nStronger rc.firewall-2.4 $FWVER done.\n"<BR><A=20
href=3D"http://www.bodenzord.com/rc.firewall-2.txt"></A></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV>
<DIV><FONT face=3DArial size=3D2></FONT>&nbsp;</DIV></BODY></HTML>

------=_NextPart_000_0017_01C48790.10C0AEC0--





More information about the netfilter-announce mailing list