|
NAT I guess
Hello,
I am stuck with dialup. haha laugh all you want. I have a computer on our home network that I've set up with apache, mysql, phpBB, etc just to try it all out. I would like to pass all the trafic from port 80 on THIS computer to the one on the network. I assume I would do it with iptables but I don't know how. Also I would have to be able to start and stop it. Thank you. |
Re: NAT I guess
Quote:
Code:
modprobe iptable_natCode:
echo 0 > /proc/sys/net/ipv4/ip_forwardI have this in an init script, but it's Gentoo syntax. Good News are, that you can do automatic NAT and much more installing firestarter, this iptables front end is very versatile, powerful and easy to user and set up. The only thing you need to enable NAT is having a separate device for your internal network and one for the outbound connection (i.e. a LAN and your dial-up or DSL connection). With the script, however, you can do NAT even in this case. Firestarter is a nice option, because it's fast to deploy and you can manage your firewall in real time; opening or closing ports, enabling particular IPs to connect to determined ports or even completely close your network from outbound connections. You don't have to bother for what ports are exported, as NAT translate the IP in a way that for an outside connection the visible port 80 is the one on your NATted machine (just remember not to enable a web server on the box which does the NATting). BTW, I can remember that Mandriva has an own way of dealing with NAT. Not sure because it's a long time since I last saw a Mandrake running, but I'm completely sure it's there. |
I've run the script and everything looks good:
lsmod shows that the module is loaded, iptables shows something: "Chain FORWARD (policy DROP) target prot opt source destination" and ip_forward is 1. It doesn't work. What else do I have to do? |
Quote:
Code:
route add default gw IP-OF-NAT-SERVERMore potential troublemakers: Check /etc/hosts.deny and /etc/hosts/allow If your outbound connection is dial-up, ISDN or a DSL-modem (not a router), check that the default gateway of this machine is set to the outbound device (ppp0,ippp0 or pppoe0). To set this the command is the same as above, just change the IP with the device: Code:
route add default gw ppp0Try this and ask again if it still doesn't work, I can't stat right now, but there are more things which can hinder communication. Test also the connectivity pinging form one machine to the other, as ICMP packages are not bound to ports you will know if the physical connection is OK or whether there is a failure in wiring, connection or the LAN-cards. |
Nope, still doesn't work.
route shows this on the NAT 'server': default DIALUPCOMPUTER 0.0.0.0 UG 0 0 0 eth0 default ROUTER 0.0.0.0 UG 0 0 0 eth0 (changed to protect my privacy) Could the problem be that there are 2 defaults? |
Quote:
It's the other boxes which has to set the NAT box as default route. Check also your firewall, test settings disabling it. |
Re: NAT I guess
Quote:
|
Re: Re: NAT I guess
Quote:
Even better, you could post it in the Wiki in the Security section |
part 1
Do know if it will be good enough for the security section so I'll post it here. Because of it's size I will need to post it in 2 parts, there is a limit to the amount of characters with each post. All you need to do is create a file called rc.firewall and copy the contents into script and save it in the /etc/rc.d directory. Then make executable for everyone by:
chmod 755 /etc/rc.d/rc.firewall You may need to edit a few things at the top of the script to suit your version of linux. I made this script to suit slackware 9 but is easy to use on other version like fedora core. Dialup uses ppp0 as the interface so I have made that the default for your external interface. Some of the comments in the script I have been making during it's testing so if they don't make any sense or match up to the rules, I haven't had time to go through and edit them properly but It should be easy to follow. Ive tested it on a router on my network and have had no trouble with it, also have a modified version for my workstations as well that seem to work fine, if you have any questions don't hesitate to ask. #!/bin/sh ## ## This is the location of the iptables command echo "Starting iptables script" IPTABLES="/usr/sbin/iptables" ############################################################################ ############################################################################ ## Declare some variables, this should be the only area you need to configure anything unless you need to forward to services ## on your internal network. ## ## Edit your interface types (eg... eth0 eth1 ppp0) ## ## Default external interface DEFAULT_EXTIF="ppp0" ## Default internal interface DEFAULT_INTIF="eth0" ## Loopback interface LOOPBACK="lo" ## Do you get your external ip-address from DHCP server. (yes or no) DHCP="no" ## ex. MAIL_SERVER="192.168.1.100" # MAIL_SERVER="" # WEB_SERVER="192.168.100.50" # FTP_SERVER="" DNS1="192.168.1.1" # DNS2="" # DNS3="" TCPBLOCK="137,138,139" UDPBLOCK="137,138,139,445" echo "Setting Reserved Networks/Class Variables" LOOPBACK_IP="127.0.0.0/8" # reserved loopback address range CLASS_A="10.0.0.0/8" # class A private networks CLASS_B="172.16.0.0/12" # class B private networks CLASS_C="192.168.0.0/16" # class C private networks CLASS_D="224.0.0.0/4" # class D multicast addresses CLASS_E="240.0.0.0/5" # class E reserved addresses BROADCAST_SRC="0.0.0.0" # broadcast source address BROADCAST_DEST="255.255.255.255" # broadcast destination address echo "Finished setting Reserved Networks/Class Variables" ############################################################################ ############################################################################ ## Block ip addresses of problem hosts ## ## I use portsentry to automatically add ip addresses to a file when a scan is detected, when the firewall ## is loaded, it will load rules to block all ip addreses in this file. You may also add addresses maually, ## you can specify them either as indivisual host 165.222.222.234 or a whole network 165.222.222.0/16. ## ## Note, there can only be one entry per line. You may find this extremely useful if you run a server ## on this machine of one internally on your network, you can add the ip addresses of known problem hosts ## and block them from connecting at all your servers. BLOCKED_IP="/etc/ipblock" #BLOCKEDPERM_IP="/etc/ipblock.perm" ## Allowed ip addresses that are permitted to connect directly to the machine itself, mostly used for administrative ## purposes from remote networks or to servers running on the internal network. ## ## e.g. ALLOWED_IP="224.25.168.0/24" or ALLOWED_IP="224.25.168.85" ## ALLOWED_IP="" #################################################################################################### ########## #################################################################################################### ############ ## ## You do not need to edit anything here in this section, this will determine network paramenters from static or DHCP assigned ## network interfaces. ## ## Note: This will not set the parameters of the network interfaces, (eg. ip-address, gateway or network id) ## this is done during setup of the operating system this will only retrieve the information and load ## it to the variables for the script. If you wish to set the interfaces manually, for slackware 9.0 edit the ## /etc/rc.d/rc.inet1 file other versions on unix/linux maybe in the same place. ## ## External Interface: ## If no interface is specified then set $DEFAULT_EXTIF as EXTIF if [ "x$2" != "x" ]; then EXTIF=$2 else EXTIF=$DEFAULT_EXTIF fi echo External Interface: $EXTIF ## Determine external IP EXTIP="`ifconfig $EXTIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`" if [ "$EXTIP" = '' ]; then echo "Aborting: Unable to determine the IP-address of $EXTIF !" exit 1 fi echo External IP: $EXTIP ## Determine external gateway EXTGW=`route -n | grep -A 4 UG | awk '{ print $2}'` echo Default GW: $EXTGW ## Internal Interface: ## If no interface is specified then set $DEFAULT_INTIF as INTIF if [ "x$3" != "x" ]; then INTIF=$3 else INTIF=$DEFAULT_INTIF fi echo Internal Interface: $INTIF ## Determine internal IP INTIP="`ifconfig $INTIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`" if [ "$INTIP" = '' ]; then echo "Aborting: Unable to determine the IP-address of $INTIF !" exit 1 fi echo Internal IP: $INTIP ## Determine internal netmask INTMASK="`ifconfig $INTIF | grep Mask | cut -d : -f 4`" echo Internal Netmask: $INTMASK ## Determine network address of the internal network INTLAN=$INTIP'/'$INTMASK echo Internal LAN: $INTLAN #################################################################################################### ########## #################################################################################################### ########## ## Flood Variables ## ## ## Overall Limit for TCP-SYN-Flood detection TCPSYNLIMIT="5/s" ## Burst Limit for TCP-SYN-Flood detection TCPSYNLIMITBURST="10" ## Overall Limit for Loggging in Logging-Chains LOGLIMIT="2/s" ## Burst Limit for Logging in Logging-Chains LOGLIMITBURST="10" ## Overall Limit for Ping-Flood-Detection PINGLIMIT="5/s" ## Burst Limit for Ping-Flood-Detection PINGLIMITBURST="10" #################################################################################################### ########## #################################################################################################### ########## ## Load modules required by iptables ## ## ## echo "Loading IPTABLES modules" dmesg -n 1 ## Kill copyright display on module load dmesg -n 6 /sbin/modprobe ip_tables /sbin/modprobe iptable_filter /sbin/modprobe iptable_mangle /sbin/modprobe iptable_nat /sbin/modprobe ipt_TOS /sbin/modprobe ip_conntrack /sbin/modprobe ip_nat_irc /sbin/modprobe ip_nat_ftp /sbin/modprobe ip_conntrack_ftp /sbin/modprobe ip_conntrack_irc /sbin/modprobe ipt_limit /sbin/modprobe ipt_state /sbin/modprobe ipt_LOG /sbin/modprobe ipt_MASQUERADE /sbin/modprobe ipt_mac # /sbin/modprobe ipt_recent # This module has to be loaded manually, not included with the kernel echo "Iptables modules loaded" ## Setting module options echo "Setting module options" echo "1" > /proc/sys/net/ipv4/ip_forward echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter echo "1" > /proc/sys/net/ipv4/conf/all/log_martians echo 0 > /proc/sys/net/ipv4/tcp_timestamps echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects echo "0" > /proc/sys/net/ipv4/tcp_ecn echo "1" > /proc/sys/net/ipv4/tcp_syncookies echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects echo "0" > /proc/sys/net/ipv4/conf/all/secure_redirects #128 MB of RAM -> 8192 possible entries, 256 MB of RAM --> 16376 possible entries, etc... echo 8192 > /proc/sys/net/ipv4/ip_conntrack_max echo 10 > /proc/sys/net/ipv4/tcp_fin_timeout echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time echo 0 > /proc/sys/net/ipv4/tcp_window_scaling echo 0 > /proc/sys/net/ipv4/tcp_sack echo 15 > /proc/sys/net/ipv4/ipfrag_time echo 2048 > /proc/sys/net/ipv4/tcp_max_syn_backlog echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range echo "2" > /proc/sys/net/ipv4/tcp_synack_retries if [ $DHCP == "yes" ]; then echo "IP-Address obtained from DHCP Server.....setting module 'ip_dynaddr' to '1' " echo "1" > /proc/sys/net/ipv4/ip_dynaddr fi ## Reduce DoS'ing ability by reducing timeouts echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time echo 0 > /proc/sys/net/ipv4/tcp_window_scaling echo 0 > /proc/sys/net/ipv4/tcp_sack echo "Module options set" #################################################################################################### ########## #################################################################################################### ########## ## Clear all IPTABLES-chains ## ## ## Flush everything, start from scratch $IPTABLES -F $IPTABLES -F -t mangle $IPTABLES -F -t nat $IPTABLES -X $IPTABLES -X -t mangle $IPTABLES -X -t nat $IPTABLES -t nat -P POSTROUTING ACCEPT $IPTABLES -t nat -P PREROUTING ACCEPT $IPTABLES -t nat -P OUTPUT ACCEPT ## Set default policies to DROP $IPTABLES -P INPUT DROP $IPTABLES -P FORWARD DROP $IPTABLES -P OUTPUT ACCEPT #################################################################################################### ########## #################################################################################################### ########## ## These are the logging-chains. They all have a certain limit of log-entries/sec to prevent log-flooding ## ## ## echo "Start log and drop Rules" ## Invalid packets (not ESTABLISHED,RELATED or NEW) $IPTABLES -N LOGINVALID $IPTABLES -A LOGINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=INVALID:1 a=DROP " $IPTABLES -A LOGINVALID -j DROP ## TCP-Packets with one ore more bad flags $IPTABLES -N LOGBADFLAG $IPTABLES -A LOGBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=BADFLAG:1 a=DROP " $IPTABLES -A LOGBADFLAG -j DROP ## Logging of possible TCP-SYN-Floods $IPTABLES -N LOGSYNFLOOD $IPTABLES -A LOGSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP " $IPTABLES -A LOGSYNFLOOD -j DROP ## Logging of possible Ping-Floods $IPTABLES -N LOGPINGFLOOD $IPTABLES -A LOGPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP " $IPTABLES -A LOGPINGFLOOD -j DROP ## All other dropped packets $IPTABLES -N LOGDROP $IPTABLES -A LOGDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP " $IPTABLES -A LOGDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP " $IPTABLES -A LOGDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP " $IPTABLES -A LOGDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP " $IPTABLES -A LOGDROP -j DROP ## TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in $IPTABLES -N TCPACCEPT $IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT $IPTABLES -A TCPACCEPT -p tcp --syn -j LOGSYNFLOOD $IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT ## UDPACCEPT - Check for UDP-Floods before letting UDP-Packets in (Experimental logging rules) $IPTABLES -N UDPACCEPT $IPTABLES -A UDPACCEPT -p udp -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT $IPTABLES -A UDPACCEPT -p udp -j LOGDROP ## CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan) $IPTABLES -N CHECKBADFLAG $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LOGBADFLAG $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LOGBADFLAG $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LOGBADFLAG $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOGBADFLAG $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LOGBADFLAG $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOGBADFLAG $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags FIN,RST FIN,RST -j LOGBADFLAG $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ACK,FIN FIN -j LOGBADFLAG $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ACK,PSH PSH -j LOGBADFLAG $IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ACK,URG URG -j LOGBADFLAG $IPTABLES -A CHECKBADFLAG -p tcp -j TCPACCEPT ## RESNET - Log and drop Reservered Network addresses coming in from internet $IPTABLES -N RESNET $IPTABLES -A RESNET -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "Reserved Net violation: " $IPTABLES -A RESNET -j DROP ## BLOCKED - Log and drop perm/temp banned ip addresss $IPTABLES -N BLOCKED $IPTABLES -A BLOCKED -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "Ban IP Violation: " $IPTABLES -A BLOCKED -j DROP # Inbound ICMP/Traceroute $IPTABLES -N ICMPINBOUND $IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LOGPINGFLOOD $IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LOGDROP $IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LOGDROP $IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LOGDROP $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LOGDROP $IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LOGDROP $IPTABLES -A ICMPINBOUND -p icmp --icmp-type host-precedence-violation -j LOGDROP $IPTABLES -A ICMPINBOUND -p icmp --icmp-type precedence-cutoff -j LOGDROP $IPTABLES -A ICMPINBOUND -p icmp --icmp-type source-quench -j LOGDROP $IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LOGDROP $IPTABLES -A ICMPINBOUND -p icmp --icmp-type network-redirect -j LOGDROP $IPTABLES -A ICMPINBOUND -p icmp --icmp-type host-redirect -j LOGDROP $IPTABLES -A ICMPINBOUND -p icmp --icmp-type TOS-network-redirect -j LOGDROP $IPTABLES -A ICMPINBOUND -p icmp --icmp-type TOS-host-redirect -j LOGDROP $IPTABLES -A ICMPINBOUND -p icmp --icmp-type fragmentation-needed -j LOGDROP $IPTABLES -A ICMPINBOUND -p icmp --icmp-type router-advertisement -j LOGDROP $IPTABLES -A ICMPINBOUND -p icmp --icmp-type router-solicitation -j LOGDROP $IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT #Outbound ICMP/Traceroute $IPTABLES -N ICMPOUTBOUND $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LOGDROP $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LOGDROP $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LOGDROP $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LOGDROP $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LOGDROP $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LOGDROP $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LOGDROP $IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LOGDROP $IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT |
Part 2
#################################################################################################### ##########
#################################################################################################### ########## # icmp types # # 0 Echo Reply [RFC792] # 1 Unassigned [JBP] # 2 Unassigned [JBP] # 3 Destination Unreachable [RFC792] # 4 Source Quench [RFC792] # 5 Redirect [RFC792] # 6 Alternate Host Address [JBP] # 7 Unassigned [JBP] # 8 Echo [RFC792] # 9 Router Advertisement [RFC1256] # 10 Router Solicitation [RFC1256] # 11 Time Exceeded [RFC792] # 12 Parameter Problem [RFC792] # 13 Timestamp [RFC792] # 14 Timestamp Reply [RFC792] # 15 Information Request [RFC792] # 16 Information Reply [RFC792] # 17 Address Mask Request [RFC950] # 18 Address Mask Reply [RFC950] # 19 Reserved (for Security) [Solo] # 20-29 Reserved (for Robustness Experiment) [ZSu] # 30 Traceroute [RFC1393] # 31 Datagram Conversion Error [RFC1475] # 32 Mobile Host Redirect [David Johnson] # 33 IPv6 Where-Are-You [Bill Simpson] # 34 IPv6 I-Am-Here [Bill Simpson] # 35 Mobile Registration Request [Bill Simpson] # 36 Mobile Registration Reply [Bill Simpson] # 37 Domain Name Request [Simpson] # 38 Domain Name Reply [Simpson] # 39 SKIP [Markson] # 40 Photuris [Simpson] # 41-255 Reserved [JBP] echo "Finished creating log and drop Rules" #################################################################################################### ########## #################################################################################################### ########## ## ## Drop and log Reserved Internal Networks coming in on the external interface echo "Setting incoming drop rules for reservered networks and classes" # Incoming from internet $IPTABLES -A INPUT -i $EXTIF -s $CLASS_A -j RESNET $IPTABLES -A INPUT -i $EXTIF -s $CLASS_B -j RESNET $IPTABLES -A INPUT -i $EXTIF -s $CLASS_C -j RESNET $IPTABLES -A INPUT -i $EXTIF -s $CLASS_D -j RESNET $IPTABLES -A INPUT -i $EXTIF -s $CLASS_E -j RESNET $IPTABLES -A INPUT -i $EXTIF -s $LOOPBACK_IP -j RESNET $IPTABLES -A INPUT -i $EXTIF -s $BROADCAST_SRC -j RESNET $IPTABLES -A INPUT -i $EXTIF -s $BROADCAST_DEST -j RESNET # drop and log attemps to use our IP address assgined to our external interface $IPTABLES -A INPUT -i $EXTIF -s $EXTIP -j DROP #################################################################################################### ########## #################################################################################################### ########## ## Log and drop connection attempts from explicitly blocked hosts. ## ## NOTICE: THIS IS WORK IN PROGRESS NOT TESTED FULLY AT THIS STAGE ## echo "Loading Temp IP Blocklist Files" if [ -f $BLOCKED_IP ]; then while read BLOCKED; do $IPTABLES -A INPUT -i $EXTIF -s $BLOCKED -j BLOCKED done < $BLOCKED_IP else echo "firewall: Banned address/network file not found." echo "0.0.0.0" > /etc/ipblock fi echo "Finished Temp Loading IP Blocklist Files..............." # echo "Loading Permanent IP Blocklist Files" # if [ -f $BLOCKEDPERM_IP ]; then # while read BLOCKEDPERM; do # $IPTABLES -A FORWARD -i $EXTIF -s $BLOCKEDPERM -j BLOCKED # done < $BLOCKEDPERM_IP # fi # echo "Finished Permanent Loading IP Blocklist Files........." #################################################################################################### ########## #################################################################################################### ########## ## Allow for services running on this machine, or forward them to a specific server on your local network. ## Hosts in the /etc/ipblock list will not connect or be forwarded to any host on the local network. To allow ## a remote connection to the firewall itself, make sure place the ip-address of the allowed host in the ## /etc/hosts.allow file, please note that the /etc/hosts.deny file will not block a host from being accepted or ## forwarded throught the network by the net filter rules,only from connecting directly to the firewall machine ## itself. If running portsentry also place the ip address in the /usr/local/psionic/portsentry/portsentry.ignore file, ## otherwise you may be taken for a port scan and trigger an action that will place your ip address in the ## /etc/hosts.deny file and also add your ip address to /etc/ipblock and to iptables block rules, then you will be blocked by the firewall as well. ## ## ## Allow SSH access to firewall # $IPTABLES -A INPUT -p tcp -i $EXTIF -s $ALLOWED_IP --dport 22 -m state --state NEW,ESTABLISHED,RELATED -j CHECKBADFLAG ## Allow www to host behind firewall (change 192.168.1.1 to the ip-address of your server) $IPTABLES -A INPUT -p tcp -i $EXTIF --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j CHECKBADFLAG $IPTABLES -A PREROUTING -t nat -p tcp -i $EXTIF --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to 192.168.1.1:80 $IPTABLES -A FORWARD -p tcp -o $INTIF -d 192.168.1.1 --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT #################################################################################################### ########## #################################################################################################### ########## ## General Rules ## ## Now we need to add some rules to start filtering the packets entering the router from both interfaces ## echo "Loading general rules......................" ## ## Lets kill and log any invalid packets to any interface, these are packets which are not NEW, ESTABLISHED or RELATED echo "Dropping INVALID packets" $IPTABLES -A INPUT -m state --state INVALID -j LOGINVALID $IPTABLES -A FORWARD -m state --state INVALID -j LOGINVALID $IPTABLES -A OUTPUT -m state --state INVALID -j LOGINVALID #################################################################################################### ########## ## Lets drop some ports, these are ports which are not supposed to go beyond the network or to come in from the internet ## These usually are smb and netbios protocols. $IPTABLES -A INPUT -p tcp -m multiport --dport $TCPBLOCK -j DROP $IPTABLES -A INPUT -p udp -m multiport --dport $UDPBLOCK -j DROP #################################################################################################### ########## ## Allow everything on the loopback interface echo "Allowing loopback interface" $IPTABLES -A INPUT -i $LOOPBACK -j ACCEPT #################################################################################################### ########## ## ICMP PACKETS ## ICMP Packets coming from the Internet echo "ICMP Packets from Internet" $IPTABLES -A INPUT -p icmp -i $EXTIF -d $EXTIP -j LOGDROP #---> drop local connections from internet $IPTABLES -A FORWARD -p icmp -o $INTIF -d $INTLAN -m state --state ESTABLISHED,RELATED -j ICMPINBOUND ## ICMP Packets coming from our network going to the internet to increase security always have the source as your ## local network range, this will help to stop any bad activity leaving and going to the internet. echo "ICMP Packets from Internal Network" $IPTABLES -A INPUT -p icmp -i $INTIF -d $INTIP -j ICMPOUTBOUND # Allow pings from the internal network for testing connections $IPTABLES -A FORWARD -p icmp -o $EXTIF -s $INTLAN -m state --state NEW,ESTABLISHED,RELATED -j ICMPOUTBOUND #################################################################################################### ########## ## TCP PACKETS ## TCP Packets coming from the internet, first it will be sent to check for bad flags, if it passes that it must be ## ESTABLISHED or RELATED connections to then be passed to the TCPACCEPT chain, again it will be checked for SYN flooding ## before it can pass through to the FORWARD chain. ## TCP Packets from the internet echo "TCP Packets from Internet" $IPTABLES -A INPUT -p tcp -i $EXTIF -d $EXTIP -j LOGDROP #---> drop local connections $IPTABLES -A FORWARD -p tcp -o $INTIF -d $INTLAN -m state --state ESTABLISHED,RELATED -j CHECKBADFLAG ## TCP Packets Now we do the same for our internal network allowing all to go out to the internet but still filtering it to make sure there ## is no flooding or any malicious activity going out. ## TCP Packets from our internal network echo "TCP Packets from Internal Network" $IPTABLES -A INPUT -p tcp -i $INTIF -s $INTLAN -j CHECKBADFLAG # Allow connection for the internal network to the firewall $IPTABLES -A FORWARD -p tcp -o $EXTIF -s $INTLAN -m state --state NEW,ESTABLISHED,RELATED -j CHECKBADFLAG # Allow all internal traffic out to the internet #################################################################################################### ########## ## UDP PACKETS ## UDP Packets from the internet echo "UDP Packets from Internet" $IPTABLES -A INPUT -p udp -i $EXTIF -d $EXTIP -j LOGDROP # Drop local connections from internet $IPTABLES -A FORWARD -p udp -o $INTIF -d $INTLAN -m state --state ESTABLISHED,RELATED -j ACCEPT ## UDP from internal network echo "UDP Packets from Internal Network" $IPTABLES -A FORWARD -p udp -o $EXTIF -s $INTLAN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT echo "Finished loading general rules......................" ################################################################################## ## ## Masquerading/SNAT ## ## if [ $DHCP == "yes" ]; then echo "DHCP Client enabled on External Interface.....set POSTROUTING to MASQUERADE" $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE else echo "Static IP-Address assigned to External Interface.....set POSTROUTING to SNAT" $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to-source $EXTIP fi ################################################################################## echo "Finished loading rc.firewall script............Good Luck" exit 0 |
THX!!
I printed the thread as a PDF file so I can extract the script and try it ou ;) I wouldn't be very difficult to build a KDE GUI for it using Kommander, so that the user dependant parameters can be selected by the user himself. |
Wow, that's alot to go through.
Now I need to find a Bash tutorial and a Iptables tutorial. I know only a little about bash and iptables. I only have a very simple firewall running on my dailup pc: iptables -F iptables -X iptables -P OUTPUT ACCEPT iptables -P FORWARD DROP iptables -P INPUT DROP iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A INPUT -i eth0 -j ACCEPT iptables -A OUTPUT -o eth0 -j ACCEPT Is there a simple way to forward port 80? If not I will just walkthrough your iptables script. Thank you. |
I believe using the fotoguy's script is an excellent idea.
However, you can configure bare minimum firewall by modifying your firewall script. This is your original script======================= iptables -F iptables -X iptables -P OUTPUT ACCEPT iptables -P FORWARD DROP iptables -P INPUT DROP iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A INPUT -i lo -j ACCEPT iptables -A OUTPUT -o lo -j ACCEPT iptables -A INPUT -i eth0 -j ACCEPT iptables -A OUTPUT -o eth0 -j ACCEPT =========================================== In your script, you don't have any ACCEPT target for FORWARD. Thus, everything forwarded by PREROUTING is directly sent to DROP target. Thus, add the followings to your original script. iptables -t nat -A PREROUTING -p tcp -m tcp -d $INET_IP --dport 80 -j DNAT --to $LAN_IP:80 iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT iptables -A FORWARD -p tcp -m state --state NEW -d $LAN_IP --dport 80 -j ACCEPT iptables -A FORWARD -p tcp -m state --state NEW -d $LAN_IP --dport 443 -j ACCEPT In addition to this, you need to turn off rp_filter of the desination computer. (HOWEVER, you should keep rp_filter on for the forwarding computer, which holds the above firewall script and works as the firewall for your internal network). You can turn rp_filter off by echo "0" > /proc/sys/net/ipv4/conf/all/rp_filter. |
Quote:
$IPTABLES -A INPUT -p udp -i $EXTIF -d $EXTIP -j LOGDROP # Drop local connections from internet $IPTABLES -A INPUT -p tcp -i $EXTIF -d $EXTIP -j LOGDROP #---> drop local connections $IPTABLES -A INPUT -p icmp -i $EXTIF -d $EXTIP -j LOGDROP #---> drop local connections from internet to: $IPTABLES -A INPUT -p udp -i $EXTIF -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A INPUT -p tcp -i $EXTIF -d $EXTIP -m state --state ESTABLISHED,RELATED -j CHECKBADFLAG $IPTABLES -A INPUT -p icmp -i $EXTIF -d $EXTIP --m state --state ESTABLISHED,RELATED -j ICMPINBOUND Hope this helps |
iptables v1.3.3: Unknown arg `-j'
Try `iptables -h' or 'iptables --help' for more information. ./nat-up: line 15: DNAT: command not found ./nat-up: line 16: --to: command not found iptables v1.3.3: Unknown arg `--dport' Try `iptables -h' or 'iptables --help' for more information. ./nat-up: line 20: 80: command not found ./nat-up: line 21: ACCEPT: command not found iptables v1.3.3: Unknown arg `--dport' Try `iptables -h' or 'iptables --help' for more information. ./nat-up: line 23: 443: command not found ./nat-up: line 24: ACCEPT: command not found Not sure why it gives me those errors. I can find --dport in the man page. Any more help would be nice, thank you. |
| All times are GMT -5. The time now is 05:44 PM. |