Port forwarding from Internal LAN
Bodenzord
bodenzord@surfcity.net
Sat Aug 21 23:03:49 CEST 2004
This is a multi-part message in MIME format.
------=_NextPart_000_0017_01C48790.10C0AEC0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Hello,
I'm trying to set up port forwarding in IPTABLES and so far it's working =
great from the internet, but when I attempt from my internal LAN using =
the External IP address, it fails.
EXTIF=3D"eth0"
INTIF=3D"eth1"
EXTIP=3D"xxx.xxx.xxx.xxx"
INTNET=3D"192.168.1.0/24"
INTIP=3D"192.168.1.1"
PORTFWIP=3D"192.168.1.13"
>From the internet, if I type in http://xxx.xxx.xxx.xxx:81 it works.
When use a computer on my LAN and type in http://192.168.1.13:81 it =
works.
However, when i type in from a computer on my LAN: =
http://xxx.xxx.xxx.xxx:81 it does not.
Any ideas? Thanks in advance.
Mike
#########################################################################=
######
#
# rc.firewall-2.4-stronger
#
FWVER=3D0.74s-4
echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n"
IPTABLES=3D/sbin/iptables
LSMOD=3D/sbin/lsmod
DEPMOD=3D/sbin/depmod
INSMOD=3D/sbin/insmod
GREP=3D/bin/grep
AWK=3D/bin/awk
SED=3D/bin/sed
IFCONFIG=3D/sbin/ifconfig
EXTIF=3D"eth0"
INTIF=3D"eth1"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
echo " ---"
# For users who wish to use STATIC IP addresses:
EXTIP=3D"xxx.xxx.xxx.xxx"
echo " External IP: $EXTIP"
echo " ---"
# Assign the internal TCP/IP network and IP address
INTNET=3D"192.168.1.0/24"
INTIP=3D"192.168.1.1"
echo " Internal Network: $INTNET"
echo " Internal IP: $INTIP"
echo " ---"
UNIVERSE=3D"0/0"
echo " - Verifying that all kernel modules are ok"
$DEPMOD -a
echo -en " Loading kernel modules: "
#Load the main body of the IPTABLES module - "ip_tables"
# - Loaded automatically when the "iptables" command is invoked
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
$INSMOD ip_tables
fi
#Load the IPTABLES filtering module - "iptable_filter"=20
#
# - Loaded automatically when filter policies are activated
#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack module in itself does nothing without other specific=20
# conntrack modules being loaded afterwards such as the =
"ip_conntrack_ftp"
# module
#
# - This module is loaded automatically when MASQ functionality is=20
# enabled=20
#
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
$INSMOD ip_conntrack
fi
#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -e "ip_conntrack_ftp, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; =
then
$INSMOD ip_conntrack_ftp
fi
#Load the IRC tracking mechanism for full IRC tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -en " ip_conntrack_irc, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; =
then
$INSMOD ip_conntrack_irc
fi
#Load the general IPTABLES NAT code - "iptable_nat"
# - Loaded automatically when MASQ functionality is turned on
#=20
# - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
$INSMOD iptable_nat
fi
#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -e "ip_nat_ftp"
#
#Verify the module isn't loaded. If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
$INSMOD ip_nat_ftp
fi
echo " ---"
#Clearing any previous configuration
echo " Clearing any existing rules and setting default policy to =
DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT=20
$IPTABLES -P OUTPUT DROP =20
$IPTABLES -F OUTPUT=20
$IPTABLES -P FORWARD DROP =20
$IPTABLES -F FORWARD=20
$IPTABLES -F -t nat
#Not needed and it will only load the unneeded kernel module
#$IPTABLES -F -t mangle
#CRITICAL: Enable IP forwarding since it is disabled by default since
#
# Redhat Users: you may try changing the options in
# /etc/sysconfig/network from:
#
# FORWARD_IPV4=3Dfalse
# to
# FORWARD_IPV4=3Dtrue
#
echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
# Flush the user chain.. if it exists
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
$IPTABLES -F drop-and-log-it
fi
# Delete all User-specified chains
$IPTABLES -X
# Reset all IPTABLES counters
$IPTABLES -Z
#Configuring specific CHAINS for later use in the ruleset
#
# NOTE: Some users prefer to have their firewall silently
# "DROP" packets while others prefer to use "REJECT"
# to send ICMP error messages back to the remote=20
# machine. The default is "REJECT" but feel free to
# change this below.
#
# NOTE: Without the --log-level set to "info", every single
# firewall hit will goto ALL vtys. This is a very big
# pain.
#
echo " Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info=20
$IPTABLES -A drop-and-log-it -j DROP
echo -e "\n - Loading INPUT rulesets"
#######################################################################
# INPUT: Incoming traffic from various interfaces. All rulesets are=20
# already flushed and set to a default policy of DROP.=20
#
# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interface, local machines, going anywhere is valid
#
$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
# remote interface, claiming to be local machines, IP spoofing, get lost
#
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
# external interface, from any source, for ICMP traffic is valid
#
# If you would like your machine to "ping" from the Internet,=20
# enable this next line
#
#$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
# remote interface, any source, going to permanent PPP address is valid
#
#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
# Allow any related traffic coming back to the MASQ server in
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state \
ESTABLISHED,RELATED -j ACCEPT
# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#
$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT
## FTP=20
# Allow ftp inbound:
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 21 -m state --state =
NEW,ESTABLISHED -j ACCEPT=20
#
# Now for the connection tracking part of ftp. This is discussed more =
completely in my section=20
# on connection tracking to be found here.=20
# HTTPd - Enable the following lines if you run an EXTERNAL WWW server
#
echo -e " - Allowing EXTERNAL access to the WWW server"
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
-p tcp -s $UNIVERSE -d $EXTIP --dport 80 -j ACCEPT
# Catch all rule, all other incoming is denied and logged.=20
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading OUTPUT rulesets"
#######################################################################
# OUTPUT: Outgoing traffic from various interfaces. All rulesets are=20
# already flushed and set to a default policy of DROP.=20
#
# loopback interface is valid.
#
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
# local interfaces, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
# local interface, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
# outgoing to local net on remote interface, stuffed routing, deny
#
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
# anything else outgoing on remote interface is valid
#
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
# - Remove BOTH #s all the #s if you need this functionality.
#
$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \
-d 255.255.255.255 --dport 68 -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \
-d 255.255.255.255 --dport 68 -j ACCEPT
# Catch all rule, all other outgoing is denied and logged.=20
#
$IPTABLES -A OUTPUT -s ! $EXTIP -d $UNIVERSE -j drop-and-log-it
echo -e " - Loading FORWARD rulesets"
#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#
echo "Enabling PORTFW Redirection on the external LAN.."
# This will forward ALL port 81 traffic from the external IP address
# to port 81 on the 192.168.1.13 machine
#
# Be SURE that when you add these new rules to your rc.firewall, you
# add them before a direct or implemented drop or reject
PORTFWIP=3D"192.168.1.13"
# Allow forwarding of new and existing port 81 connections
#
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 81 -m state =
--state NEW,ESTABLISHED,RELATED -j ACCEPT
# Enable PORTFW of this port 81 traffic
#
$IPTABLES -t nat -A PREROUTING -p tcp -d $EXTIP --dport 81 -j DNAT --to =
$PORTFWIP:81
echo " - FWD: Allow all connections OUT and only existing/related =
IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state =
ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Catch all rule, all other forwarding is denied and logged.=20
#
$IPTABLES -A FORWARD -j drop-and-log-it
echo " - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
#
#More liberal form
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#
#Stricter form
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
#######################################################################
echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n"
------=_NextPart_000_0017_01C48790.10C0AEC0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; =
charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2800.1106" name=3DGENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=3D#ffffff>
<DIV><FONT face=3DArial size=3D2>Hello,</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>I'm trying to set up port forwarding in =
IPTABLES=20
and so far it's working great from the internet, but when I attempt from =
my=20
internal LAN using the External IP address, it fails.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial =
size=3D2>EXTIF=3D"eth0"<BR>INTIF=3D"eth1"</FONT></DIV>
<DIV>EXTIP=3D"xxx.xxx.xxx.xxx"<BR>INTNET=3D"192.168.1.0/24"<BR>INTIP=3D"1=
92.168.1.1"</DIV>
<DIV>
<DIV>PORTFWIP=3D"192.168.1.13"</DIV><BR></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>From the internet, if I type in <A=20
href=3D"http://xxx.xxx.xxx.xxx:81">http://xxx.xxx.xxx.xxx:81</A> it=20
works.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV>
<DIV><FONT face=3DArial size=3D2>When use a computer on my LAN and type =
in <A=20
href=3D"http://192.168.1.13:81">http://192.168.1.13:81</A> it =
works.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>However, when i type in from a computer =
on my LAN:=20
</FONT><FONT face=3DArial size=3D2><A=20
href=3D"http://xxx.xxx.xxx.xxx:81">http://xxx.xxx.xxx.xxx:81</A> it =
does=20
not.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Any ideas? Thanks in =
advance.</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>Mike</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial=20
size=3D2>################################################################=
###############</FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2>#<BR># =
rc.firewall-2.4-stronger<BR>#</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>FWVER=3D0.74s-4</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=3DArial size=3D2>echo -e "\nLoading STRONGER rc.firewall =
- version=20
$FWVER..\n"</FONT></DIV>
<DIV> </DIV><FONT face=3DArial size=3D2>
<DIV><BR>IPTABLES=3D/sbin/iptables</DIV>
<DIV> </DIV>
<DIV><BR>LSMOD=3D/sbin/lsmod<BR>DEPMOD=3D/sbin/depmod<BR>INSMOD=3D/sbin/i=
nsmod<BR>GREP=3D/bin/grep<BR>AWK=3D/bin/awk<BR>SED=3D/bin/sed<BR>IFCONFIG=
=3D/sbin/ifconfig</DIV>
<DIV> </DIV>
<DIV><BR>EXTIF=3D"eth0"<BR>INTIF=3D"eth1"<BR>echo " External =
Interface: =20
$EXTIF"<BR>echo " Internal Interface: $INTIF"<BR>echo =
" =20
---"</DIV>
<DIV> </DIV>
<DIV><BR># For users who wish to use STATIC IP addresses:</DIV>
<DIV> </DIV>
<DIV>EXTIP=3D"xxx.xxx.xxx.xxx"<BR>echo " External IP: =
$EXTIP"<BR>echo=20
" ---"</DIV>
<DIV> </DIV>
<DIV><BR># Assign the internal TCP/IP network and IP=20
address<BR>INTNET=3D"192.168.1.0/24"<BR>INTIP=3D"192.168.1.1"<BR>echo =
" =20
Internal Network: $INTNET"<BR>echo " Internal=20
IP: $INTIP"<BR>echo " ---"</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>UNIVERSE=3D"0/0"</DIV>
<DIV> </DIV>
<DIV><BR>echo " - Verifying that all kernel modules are =
ok"<BR>$DEPMOD=20
-a</DIV>
<DIV> </DIV>
<DIV>echo -en " Loading kernel modules: "</DIV>
<DIV> </DIV>
<DIV><BR>#Load the main body of the IPTABLES module - =
"ip_tables"<BR># -=20
Loaded automatically when the "iptables" command is =
invoked<BR>#<BR># -=20
Loaded manually to clean up kernel auto-loading timing =
issues<BR>#<BR>echo -en=20
"ip_tables, "<BR>#<BR>#Verify the module isn't loaded. If it is, =
skip=20
it<BR>#<BR>if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; =
then<BR> $INSMOD ip_tables<BR>fi</DIV>
<DIV> </DIV>
<DIV><BR>#Load the IPTABLES filtering module - "iptable_filter" =
<BR>#<BR># =20
- Loaded automatically when filter policies are activated</DIV>
<DIV> </DIV>
<DIV><BR>#Load the stateful connection tracking framework -=20
"ip_conntrack"<BR>#<BR># The conntrack module in itself does =
nothing=20
without other specific <BR># conntrack modules being loaded afterwards =
such as=20
the "ip_conntrack_ftp"<BR># module<BR>#<BR># - This module is =
loaded=20
automatically when MASQ functionality is <BR># enabled =
<BR>#<BR># - Loaded manually to clean up kernel auto-loading =
timing=20
issues<BR>#<BR>echo -en "ip_conntrack, "<BR>#<BR>#Verify the module =
isn't=20
loaded. If it is, skip it<BR>#<BR>if [ -z "` $LSMOD | $GREP =
ip_conntrack |=20
$AWK {'print $1'} `" ]; then<BR> $INSMOD =
ip_conntrack<BR>fi</DIV>
<DIV> </DIV>
<DIV><BR>#Load the FTP tracking mechanism for full FTP =
tracking<BR>#<BR>#=20
Enabled by default -- insert a "#" on the next line to =
deactivate<BR>#<BR>echo=20
-e "ip_conntrack_ftp, "<BR>#<BR>#Verify the module isn't loaded. =
If it is,=20
skip it<BR>#<BR>if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK =
{'print $1'}=20
`" ]; then<BR> $INSMOD ip_conntrack_ftp<BR>fi</DIV>
<DIV> </DIV>
<DIV><BR>#Load the IRC tracking mechanism for full IRC =
tracking<BR>#<BR>#=20
Enabled by default -- insert a "#" on the next line to =
deactivate<BR>#<BR>echo=20
-en=20
" =
&=
nbsp; =20
ip_conntrack_irc, "<BR>#<BR>#Verify the module isn't loaded. If it =
is,=20
skip it<BR>#<BR>if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK =
{'print $1'}=20
`" ]; then<BR> $INSMOD ip_conntrack_irc<BR>fi</DIV>
<DIV> </DIV>
<DIV><BR>#Load the general IPTABLES NAT code - "iptable_nat"<BR># =
- Loaded=20
automatically when MASQ functionality is turned on<BR># <BR># - =
Loaded=20
manually to clean up kernel auto-loading timing issues<BR>#<BR>echo -en=20
"iptable_nat, "<BR>#<BR>#Verify the module isn't loaded. If it is, =
skip=20
it<BR>#<BR>if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" =
];=20
then<BR> $INSMOD iptable_nat<BR>fi</DIV>
<DIV> </DIV>
<DIV><BR>#Loads the FTP NAT functionality into the core IPTABLES =
code<BR>#=20
Required to support non-PASV FTP.<BR>#<BR># Enabled by default -- insert =
a "#"=20
on the next line to deactivate<BR>#<BR>echo -e =
"ip_nat_ftp"<BR>#<BR>#Verify the=20
module isn't loaded. If it is, skip it<BR>#<BR>if [ -z "` $LSMOD | =
$GREP=20
ip_nat_ftp | $AWK {'print $1'} `" ]; then<BR> $INSMOD=20
ip_nat_ftp<BR>fi</DIV>
<DIV> </DIV>
<DIV>echo " ---"</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV><BR>#Clearing any previous configuration</DIV>
<DIV> </DIV>
<DIV>echo " Clearing any existing rules and setting default policy =
to=20
DROP.."<BR>$IPTABLES -P INPUT DROP<BR>$IPTABLES -F INPUT <BR>$IPTABLES =
-P OUTPUT=20
DROP <BR>$IPTABLES -F OUTPUT <BR>$IPTABLES -P FORWARD DROP =20
<BR>$IPTABLES -F FORWARD <BR>$IPTABLES -F -t nat</DIV>
<DIV> </DIV>
<DIV>#Not needed and it will only load the unneeded kernel =
module<BR>#$IPTABLES=20
-F -t mangle</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>#CRITICAL: Enable IP forwarding since it is disabled by =
default=20
since<BR>#<BR># &nbs=
p;=20
Redhat Users: you may try changing the options=20
in<BR># =
&=
nbsp; =20
/etc/sysconfig/network=20
from:<BR>#<BR># &nbs=
p;  =
;=20
FORWARD_IPV4=3Dfalse<BR># =
&=
nbsp; =20
to<BR># =
=20
FORWARD_IPV4=3Dtrue<BR>#<BR>echo " Enabling forwarding.."<BR>echo =
"1" >=20
/proc/sys/net/ipv4/ip_forward</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV># Flush the user chain.. if it exists<BR>if [ -n "`$IPTABLES -L | =
$GREP=20
drop-and-log-it`" ]; then<BR> $IPTABLES -F=20
drop-and-log-it<BR>fi</DIV>
<DIV> </DIV>
<DIV><BR># Delete all User-specified chains<BR>$IPTABLES -X</DIV>
<DIV> </DIV>
<DIV><BR># Reset all IPTABLES counters<BR>$IPTABLES -Z</DIV>
<DIV> </DIV>
<DIV><BR>#Configuring specific CHAINS for later use in the=20
ruleset<BR>#<BR># NOTE: Some users prefer to have their =
firewall=20
silently<BR># "DROP" =
packets=20
while others prefer to use=20
"REJECT"<BR># to send =
ICMP error=20
messages back to the remote=20
<BR># machine. The =
default=20
is "REJECT" but feel free=20
to<BR># change this=20
below.<BR>#<BR># NOTE: Without the --log-level set to "info", every=20
single<BR># firewall hit will goto =
ALL=20
vtys. This is a very big<BR># =20
pain.<BR>#<BR>echo " Creating a DROP chain.."<BR>$IPTABLES -N=20
drop-and-log-it<BR>$IPTABLES -A drop-and-log-it -j LOG --log-level info=20
<BR>$IPTABLES -A drop-and-log-it -j DROP</DIV>
<DIV> </DIV>
<DIV>echo -e "\n - Loading INPUT rulesets"</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>####################################################################=
###<BR>#=20
INPUT: Incoming traffic from various interfaces. All rulesets are=20
<BR># already flushed and set =
to a=20
default policy of DROP. <BR>#</DIV>
<DIV> </DIV>
<DIV># loopback interfaces are valid.<BR>#<BR>$IPTABLES -A INPUT -i lo =
-s=20
$UNIVERSE -d $UNIVERSE -j ACCEPT</DIV>
<DIV> </DIV>
<DIV><BR># local interface, local machines, going anywhere is=20
valid<BR>#<BR>$IPTABLES -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j=20
ACCEPT</DIV>
<DIV> </DIV>
<DIV><BR># remote interface, claiming to be local machines, IP spoofing, =
get=20
lost<BR>#<BR>$IPTABLES -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j=20
drop-and-log-it</DIV>
<DIV> </DIV>
<DIV><BR># external interface, from any source, for ICMP traffic is=20
valid<BR>#<BR># If you would like your machine to "ping" from the=20
Internet, <BR># enable this next line<BR>#<BR>#$IPTABLES -A INPUT =
-i=20
$EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT</DIV>
<DIV> </DIV>
<DIV><BR># remote interface, any source, going to permanent PPP address =
is=20
valid<BR>#<BR>#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j=20
ACCEPT</DIV>
<DIV> </DIV>
<DIV><BR># Allow any related traffic coming back to the MASQ server=20
in<BR>#<BR>$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state =
--state=20
\<BR> ESTABLISHED,RELATED -j ACCEPT</DIV>
<DIV> </DIV>
<DIV><BR># DHCPd - Enable the following lines if you run an INTERNAL =
DHCPd=20
server<BR>#<BR>$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 =
-j=20
ACCEPT<BR>$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j=20
ACCEPT</DIV>
<DIV> </DIV>
<DIV><BR>## FTP <BR># Allow ftp inbound:</DIV>
<DIV> </DIV>
<DIV>$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 21 -m state =
--state=20
NEW,ESTABLISHED -j ACCEPT </DIV>
<DIV> </DIV>
<DIV>#<BR># Now for the connection tracking part of ftp. This is =
discussed more=20
completely in my section <BR># on connection tracking to be found here. =
</DIV>
<DIV> </DIV>
<DIV><BR># HTTPd - Enable the following lines if you run an EXTERNAL WWW =
server<BR>#<BR>echo -e " - Allowing =
EXTERNAL=20
access to the WWW server"<BR>$IPTABLES -A INPUT -i $EXTIF -m state =
--state=20
NEW,ESTABLISHED,RELATED \<BR> -p tcp -s $UNIVERSE -d $EXTIP --dport =
80 -j=20
ACCEPT</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV><BR># Catch all rule, all other incoming is denied and logged.=20
<BR>#<BR>$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j =
drop-and-log-it</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>echo -e " - Loading OUTPUT rulesets"</DIV>
<DIV> </DIV>
<DIV>####################################################################=
###<BR>#=20
OUTPUT: Outgoing traffic from various interfaces. All rulesets are =
<BR># already flushed =
and set to=20
a default policy of DROP. <BR>#</DIV>
<DIV> </DIV>
<DIV># loopback interface is valid.<BR>#<BR>$IPTABLES -A OUTPUT -o lo -s =
$UNIVERSE -d $UNIVERSE -j ACCEPT</DIV>
<DIV> </DIV>
<DIV><BR># local interfaces, any source going to local net is=20
valid<BR>#<BR>$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j =
ACCEPT</DIV>
<DIV> </DIV>
<DIV><BR># local interface, any source going to local net is=20
valid<BR>#<BR>$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j =
ACCEPT</DIV>
<DIV> </DIV>
<DIV><BR># outgoing to local net on remote interface, stuffed routing,=20
deny<BR>#<BR>$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j=20
drop-and-log-it</DIV>
<DIV> </DIV>
<DIV><BR># anything else outgoing on remote interface is =
valid<BR>#<BR>$IPTABLES=20
-A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV># DHCPd - Enable the following lines if you run an INTERNAL DHCPd=20
server<BR># - Remove =
BOTH #s all=20
the #s if you need this functionality.<BR>#<BR>$IPTABLES -A OUTPUT -o =
$INTIF -p=20
tcp -s $INTIP --sport 67 \<BR> -d 255.255.255.255 --dport 68 -j=20
ACCEPT<BR>$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67=20
\<BR> -d 255.255.255.255 --dport 68 -j ACCEPT</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV># Catch all rule, all other outgoing is denied and logged.=20
<BR>#<BR>$IPTABLES -A OUTPUT -s ! $EXTIP -d $UNIVERSE -j =
drop-and-log-it</DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV><BR>echo -e " - Loading FORWARD rulesets"</DIV>
<DIV> </DIV>
<DIV>####################################################################=
###<BR>#=20
FORWARD: Enable Forwarding and thus IPMASQ<BR>#</DIV>
<DIV> </DIV>
<DIV>echo "Enabling PORTFW Redirection on the external LAN.."</DIV>
<DIV> </DIV>
<DIV># This will forward ALL port 81 traffic from the external IP =
address<BR>#=20
to port 81 on the 192.168.1.13 machine<BR>#<BR># Be SURE that when you =
add these=20
new rules to your rc.firewall, you<BR># add them before a direct or =
implemented=20
drop or reject</DIV>
<DIV> </DIV>
<DIV>PORTFWIP=3D"192.168.1.13"</DIV>
<DIV> </DIV>
<DIV># Allow forwarding of new and existing port 81 =
connections<BR>#</DIV>
<DIV> </DIV>
<DIV>$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 81 -m state =
--state=20
NEW,ESTABLISHED,RELATED -j ACCEPT</DIV>
<DIV> </DIV>
<DIV># Enable PORTFW of this port 81 traffic<BR>#</DIV>
<DIV> </DIV>
<DIV>$IPTABLES -t nat -A PREROUTING -p tcp -d $EXTIP --dport 81 -j DNAT =
--to=20
$PORTFWIP:81</DIV>
<DIV> </DIV>
<DIV>echo " - FWD: Allow all connections OUT and =
only=20
existing/related IN"<BR>$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m =
state=20
--state ESTABLISHED,RELATED \<BR> -j ACCEPT<BR>$IPTABLES -A FORWARD =
-i=20
$INTIF -o $EXTIF -j ACCEPT</DIV>
<DIV> </DIV>
<DIV># Catch all rule, all other forwarding is denied and logged.=20
<BR>#<BR>$IPTABLES -A FORWARD -j drop-and-log-it</DIV>
<DIV> </DIV>
<DIV><BR>echo " - NAT: Enabling SNAT =
(MASQUERADE)=20
functionality on $EXTIF"<BR>#<BR>#More liberal form<BR>#$IPTABLES -t nat =
-A=20
POSTROUTING -o $EXTIF -j MASQUERADE<BR>#<BR>#Stricter form<BR>$IPTABLES =
-t nat=20
-A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP</DIV>
<DIV> </DIV>
<DIV><BR>################################################################=
#######<BR>echo=20
-e "\nStronger rc.firewall-2.4 $FWVER done.\n"<BR><A=20
href=3D"http://www.bodenzord.com/rc.firewall-2.txt"></A></FONT></DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV>
<DIV><FONT face=3DArial size=3D2></FONT> </DIV></BODY></HTML>
------=_NextPart_000_0017_01C48790.10C0AEC0--
More information about the netfilter-announce
mailing list