|
Problem with my iptables script please help
I am writing a script to translate my packets(DNAT works fine)the SNAT doesnt seem to be. Much help appreciated.
#!/bin/bash
# This bash script configures the Asterisk iptables for Routing.
# and saves the results. ( turned off )
# Stop iptables (need clean restart)
# I like this however it releases port 22 connections - ka
# service iptables stop
# Devices
netDev=eth0
lanDev=eth1
# Hosts
# Kernel flags
echo 1 > /proc/sys/net/ipv4/ip_forward
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# # For Dynamic PPP: echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# Flush all tables
iptables -t filter -F
iptables -t filter -X
iptables -t filter -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z
# Set default policies
iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
# iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
# Chain for bad tcp packets
iptables -N badTCP
# Stop sequence prediction attacks
iptables -A badTCP -p tcp --tcp-flags SYN,ACK SYN,ACK -m state \
--state NEW -j REJECT --reject-with tcp-reset
# Drop new packets that are not connection requests
iptables -A badTCP -p tcp ! --syn -m state --state NEW -j DROP
# Blocklist to deal with "special people"
# iptables -N blockList
# for ip in `<blocklist.txt`; do
# iptables -A blockList -i $netDev -s $ip -j DROP
# done
# Accept a tcp connection
iptables -N tcpConnect
# iptables -A tcpConnect -p tcp -j blockList
iptables -A tcpConnect -p tcp --syn -j ACCEPT
# Allowed TCP connections
iptables -N tcpAllow
iptables -A tcpAllow -p tcp -m tcp --dport 22 -j tcpConnect
iptables -A tcpAllow -p tcp -m tcp --sport 22 -j tcpConnect
iptables -A tcpAllow -p tcp -m tcp --dport 631 -j tcpConnect
iptables -A tcpAllow -p tcp -m tcp --sport 631 -j tcpConnect
iptables -A tcpAllow -p tcp --dport ssh -j tcpConnect
iptables -A tcpAllow -p tcp --dport http -j tcpConnect
iptables -A tcpAllow -p tcp --dport https -j tcpConnect
iptables -A tcpAllow -p tcp --dport smtp -j tcpConnect
iptables -A tcpAllow -p tcp --dport ftp -j tcpConnect
iptables -A tcpAllow -p tcp -j REJECT --reject-with tcp-reset
# iptables -A tcpAllow -p tcp --dport imap -j tcpConnect
# iptables -A tcpAllow -p tcp --dport imaps -j tcpConnect
# iptables -A tcpAllow -p tcp --dport pop3 -j tcpConnect
# iptables -A tcpAllow -p tcp --dport pop3s -j tcpConnect
# iptables -A tcpAllow -p tcp --dport telnet -j tcpConnect
# Allowed UDP packets
iptables -N udpAllow
# iptables -A udpAllow -p udp --dport domain -j ACCEPT
# Nothing right now.
# Allowed icmp packets
iptables -N icmpAllow
iptables -A icmpAllow -p icmp --icmp-type echo-request -j ACCEPT
iptables -A icmpAllow -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A icmpAllow -p icmp --icmp-type echo-reply -j ACCEPT
# Main firewall configuration
iptables -A INPUT -p tcp -j badTCP
iptables -A INPUT -i $lanDev -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $netDev -p tcp -j tcpAllow
# iptables -A INPUT -i $netDev -p udp -j udpAllow
iptables -A INPUT -i $netDev -p icmp -j icmpAllow
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# Network address translation
# SNAT is preferred over MASQUERADE if $netDev is constant
# iptables -t nat -A POSTROUTING -o $netDev \
# -j SNAT --to-source $thisServer
# Forwarding
# Packets that arrive on the server with destinations
# on other hosts do not pass through the INPUT chain.
# They go directly to FORWARD:
iptables -A FORWARD -p tcp -j badTCP
# iptables -A FORWARD -i $netDev -j ACCEPT
# iptables -A FORWARD -o $lanDev -j ACCEPT
# iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# The packets accepted by FORWARD are determined by the
# remoteLAN() function. See below.
remoteLAN()
{ target=$1
remlan=$2
iptables -t nat -A POSTROUTING -o $lanDev -s $remlan -j SNAT --to-source $target
# does not work! iptables -t nat -A PREROUTING -i $netDev -s $remlan -j SNAT --to-source $target
# iptables -A FORWARD -o $netDev -s $target -j ACCEPT
# iptables -t nat -A PREROUTING -i $netDev -s $remlan -j SNAT --to-source $target
# ok iptables -A FORWARD -i $netDev -d $target -j ACCEPT
iptables -t nat -A PREROUTING -i $netDev -d $target -j DNAT --to-destination $remlan
# iptables -A FORWARD -i $netDev -d $remlan -j ACCEPT
# ok iptables -A FORWARD -i $netDev -s $remlan -j ACCEPT
}
# Remote LAN convertions for the VoIP Network (See abovefor NAT changes)
remoteLAN 172.x.x.211 10.x.x.211
# remoteLAN 172.x.x.212 10.x.x.212
# remoteLAN 172.x.x.213 10.x.x.213
# remoteLAN 172.x.x.214 10.x.x.214
# remoteLAN 172.x.x.215 10.x.x215
# Example of logging:
# Use the rule: -j LOG --log-prefix "A prefix:"
# iptables -A OUTPUT -j LOG --log-prefix "Output :"
# iptables -A INPUT -j LOG --log-prefix "Input :"
iptables -A FORWARD -i $netDev -j LOG --log-prefix "F I eth0:"
iptables -A FORWARD -o $netDev -j LOG --log-prefix "F O eth0:"
iptables -A FORWARD -i $lanDev -j LOG --log-prefix "F I eth1:"
iptables -A FORWARD -o $lanDev -j LOG --log-prefix "F O eth1:"
# Save the firewall settings
# service iptables save
# Clean up & follow through info for testing
service iptables status
# iptables -nvL
# iptables -nvL -t nat
iptables -nvL -t filter
# EOF
|
