LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices



Reply
 
Search this Thread
Old 01-05-2006, 12:08 PM   #1
jccurtis
LQ Newbie
 
Registered: Dec 2005
Posts: 5

Rep: Reputation: 0
Problem with my iptables script please help


I am writing a script to translate my packets(DNAT works fine)the SNAT doesnt seem to be. Much help appreciated.


#!/bin/bash
# This bash script configures the Asterisk iptables for Routing.
# and saves the results. ( turned off )

# Stop iptables (need clean restart)
# I like this however it releases port 22 connections - ka
# service iptables stop

# Devices

netDev=eth0
lanDev=eth1

# Hosts


# Kernel flags

echo 1 > /proc/sys/net/ipv4/ip_forward
# echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# # For Dynamic PPP: echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# Flush all tables

iptables -t filter -F
iptables -t filter -X
iptables -t filter -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z

# Set default policies

iptables -t filter -P INPUT DROP
iptables -t filter -P FORWARD DROP
# iptables -t filter -P FORWARD ACCEPT
iptables -t filter -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P OUTPUT ACCEPT

# Chain for bad tcp packets

iptables -N badTCP

# Stop sequence prediction attacks
iptables -A badTCP -p tcp --tcp-flags SYN,ACK SYN,ACK -m state \
--state NEW -j REJECT --reject-with tcp-reset

# Drop new packets that are not connection requests
iptables -A badTCP -p tcp ! --syn -m state --state NEW -j DROP

# Blocklist to deal with "special people"

# iptables -N blockList

# for ip in `<blocklist.txt`; do
# iptables -A blockList -i $netDev -s $ip -j DROP
# done

# Accept a tcp connection

iptables -N tcpConnect
# iptables -A tcpConnect -p tcp -j blockList
iptables -A tcpConnect -p tcp --syn -j ACCEPT

# Allowed TCP connections

iptables -N tcpAllow
iptables -A tcpAllow -p tcp -m tcp --dport 22 -j tcpConnect
iptables -A tcpAllow -p tcp -m tcp --sport 22 -j tcpConnect
iptables -A tcpAllow -p tcp -m tcp --dport 631 -j tcpConnect
iptables -A tcpAllow -p tcp -m tcp --sport 631 -j tcpConnect

iptables -A tcpAllow -p tcp --dport ssh -j tcpConnect
iptables -A tcpAllow -p tcp --dport http -j tcpConnect
iptables -A tcpAllow -p tcp --dport https -j tcpConnect
iptables -A tcpAllow -p tcp --dport smtp -j tcpConnect
iptables -A tcpAllow -p tcp --dport ftp -j tcpConnect
iptables -A tcpAllow -p tcp -j REJECT --reject-with tcp-reset

# iptables -A tcpAllow -p tcp --dport imap -j tcpConnect
# iptables -A tcpAllow -p tcp --dport imaps -j tcpConnect
# iptables -A tcpAllow -p tcp --dport pop3 -j tcpConnect
# iptables -A tcpAllow -p tcp --dport pop3s -j tcpConnect
# iptables -A tcpAllow -p tcp --dport telnet -j tcpConnect

# Allowed UDP packets

iptables -N udpAllow
# iptables -A udpAllow -p udp --dport domain -j ACCEPT
# Nothing right now.

# Allowed icmp packets

iptables -N icmpAllow
iptables -A icmpAllow -p icmp --icmp-type echo-request -j ACCEPT
iptables -A icmpAllow -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A icmpAllow -p icmp --icmp-type echo-reply -j ACCEPT

# Main firewall configuration

iptables -A INPUT -p tcp -j badTCP
iptables -A INPUT -i $lanDev -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A INPUT -i $netDev -p tcp -j tcpAllow
# iptables -A INPUT -i $netDev -p udp -j udpAllow
iptables -A INPUT -i $netDev -p icmp -j icmpAllow

iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT

# Network address translation

# SNAT is preferred over MASQUERADE if $netDev is constant

# iptables -t nat -A POSTROUTING -o $netDev \
# -j SNAT --to-source $thisServer

# Forwarding

# Packets that arrive on the server with destinations
# on other hosts do not pass through the INPUT chain.
# They go directly to FORWARD:

iptables -A FORWARD -p tcp -j badTCP
# iptables -A FORWARD -i $netDev -j ACCEPT
# iptables -A FORWARD -o $lanDev -j ACCEPT
# iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# The packets accepted by FORWARD are determined by the
# remoteLAN() function. See below.

remoteLAN()
{ target=$1
remlan=$2



iptables -t nat -A POSTROUTING -o $lanDev -s $remlan -j SNAT --to-source $target
# does not work! iptables -t nat -A PREROUTING -i $netDev -s $remlan -j SNAT --to-source $target

# iptables -A FORWARD -o $netDev -s $target -j ACCEPT
# iptables -t nat -A PREROUTING -i $netDev -s $remlan -j SNAT --to-source $target
# ok iptables -A FORWARD -i $netDev -d $target -j ACCEPT

iptables -t nat -A PREROUTING -i $netDev -d $target -j DNAT --to-destination $remlan
# iptables -A FORWARD -i $netDev -d $remlan -j ACCEPT
# ok iptables -A FORWARD -i $netDev -s $remlan -j ACCEPT

}

# Remote LAN convertions for the VoIP Network (See abovefor NAT changes)
remoteLAN 172.x.x.211 10.x.x.211
# remoteLAN 172.x.x.212 10.x.x.212
# remoteLAN 172.x.x.213 10.x.x.213
# remoteLAN 172.x.x.214 10.x.x.214
# remoteLAN 172.x.x.215 10.x.x215

# Example of logging:

# Use the rule: -j LOG --log-prefix "A prefix:"
# iptables -A OUTPUT -j LOG --log-prefix "Output :"
# iptables -A INPUT -j LOG --log-prefix "Input :"
iptables -A FORWARD -i $netDev -j LOG --log-prefix "F I eth0:"
iptables -A FORWARD -o $netDev -j LOG --log-prefix "F O eth0:"
iptables -A FORWARD -i $lanDev -j LOG --log-prefix "F I eth1:"
iptables -A FORWARD -o $lanDev -j LOG --log-prefix "F O eth1:"

# Save the firewall settings

# service iptables save

# Clean up & follow through info for testing

service iptables status
# iptables -nvL
# iptables -nvL -t nat
iptables -nvL -t filter


# EOF
 
Old 01-07-2006, 07:51 AM   #2
Notwerk
Member
 
Registered: Apr 2005
Location: Jordan
Distribution: Debian (Sarge), Ubuntu (6.06)
Posts: 271

Rep: Reputation: 30
Only thing i see is a missing ";" in the for/done loop. But that's commented out

Last edited by Notwerk; 01-07-2006 at 08:05 AM.
 
Old 01-14-2006, 06:50 PM   #3
zmanea
Member
 
Registered: Sep 2003
Location: Colorado
Posts: 85

Rep: Reputation: 15
It is hard to understand what you are trying to accomplish from your script with regards to NAT. Are you trying to do a 1:1 mapping? Post some more information on what you are trying to accomplish.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
problem loading iptables script on startup manicajk Linux - General 8 04-12-2009 12:37 PM
iptables problem script thuns Linux - Security 4 02-13-2005 08:35 AM
Iptables script problem carlosruiz Linux - Security 3 01-30-2005 10:09 PM
iptables problem in a very simple script max_sipos Linux - Security 2 08-10-2004 07:58 AM
iptables script problem valo Linux - Security 5 08-19-2003 11:16 AM


All times are GMT -5. The time now is 11:11 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration