LinuxQuestions.org > Linux - Networking > Verifying IPTable rules... (http://www.linuxquestions.org/questions/linux-networking-3/verifying-iptable-rules-285424/)

Ateo 02-02-2005 01:40 PM

Verifying IPTable rules...
 
This is my first endeavor with IPTables in many years. I've successfully installed the Sveasoft Alchemy firmware onto my WRT54G Linksys router. What I'm looking for here is a 2nd pair of eyes that is more familiar with IPTables to look over my ruleset before I actually implement them. I'm hoping that someone/anyone can point out inconsistencies/errors/security holes that I may be introducing into my router and LAN. I've documented what every ruleset should be (as far as I know). In a nutshell, I'm just looking for feedback on these rules. Any input would be greatly appreciated.

One thing that I need clarified is the difference between DROP and DROPl (lower case L in the 2nd DROP....)

Thanks in advance......

For easier reading, I've placed it on my server:

http://www.skepticshour.com/extra/firewall.txt

Code:

##
## Some basic information on my network:
##
## My ISP has assigned me 2 public IP addresses
##
## One IP address is designated for all LAN traffic (assigned to WAN/vlan1/eth0)
## not including any one-to NAT mappings.
##
## One IP address is designated for a one-to-one NAT map (virtual, assigned to vlan1:1/eth0:1)
## for my public server. PUBLIC_IP_#2 --> 192.168.4.x
##
## Private LAN subnet is: 192.168.4.0/24
##
## ** WAN == vlan1 == eth0
## ** LAN == br0
## The above port names are all the same device, respectively. NOTE: To configure the interfaces,
## it is vlan1 and br0.
##

##
## Configure vlan1 with both IPs (or more)
## Add IP address to WAN interface (virtual IP)
## The first one will always be the interface IP,
## while the rest are simply virtual IPs for that interface....
## The following 2 commands are specific to the router (or maybe not)
##
/usr/sbin/ifconfig vlan1 PUBLIC_IP_#1/24 netmask 255.255.255.0
/usr/sbin/ip addr add PUBLIC_IP_#2/24 brd + dev vlan1

##
## Flush rules and delete chains
##
/usr/sbin/iptables -F
/usr/sbin/iptables -X

##
## Block out Internet access on vlan1
##
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P OUTPUT DROP
/usr/sbin/iptables -P FORWARD DROP
/usr/sbin/iptables -A INPUT -i vlan1 -m state --state NEW,INVALID -j DROP
/usr/sbin/iptables -A FORWARD -i vlan1 -m state --state NEW,INVALID -j DROP

##
## Now we are going to accept all traffic from our loopback device
## if the IP matches any of our interfaces.
##
/usr/sbin/iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
/usr/sbin/iptables -A INPUT -i lo -s vlan1 -j ACCEPT
/usr/sbin/iptables -A INPUT -i lo -s br0 -j ACCEPT

##
## Block Broadcasts
##
/usr/sbin/iptables -A INPUT -i vlan1 -d 255.255.255.255 -j DROPl
/usr/sbin/iptables -A INPUT -i br0 -d 192.168.4.255 -j DROPl
/usr/sbin/iptables -A OUTPUT -o vlan1 -d 255.255.255.255 -j DROPl
/usr/sbin/iptables -A OUTPUT -o br0 -d 192.168.4.255  -j DROPl
/usr/sbin/iptables -A FORWARD -o vlan1 -d 255.255.255.255 -j DROPl
/usr/sbin/iptables -A FORWARD -o br0 -d 192.168.4.255 -j DROPl

##
## Block WAN access to internal network
## *****
## I'm unsure about this one. Should I replace
## the PUBLIC_IPs to my internal subnet?????
## *****
##
/usr/sbin/iptables -A INPUT -i vlan1 -d ! PUBLIC_IP_#2 -j DROPl
/usr/sbin/iptables -A INPUT -i vlan1 -d ! PUBLIC_IP_#1 -j DROPl

OR

/usr/sbin/iptables -A INPUT -i vlan1 -d ! 192.168.4.0/255.255.255.0 -j DROPl
/usr/sbin/iptables -A INPUT -i vlan1 -d ! 192.168.4.0/255.255.255.0 -j DROPl

##
## Block all addresses except local networks
##
/usr/sbin/iptables -A INPUT -i br0 -s ! 192.168.4.0/255.255.255.0 -j DROPl
/usr/sbin/iptables -A OUTPUT -o br0 -d ! 192.168.4.0/255.255.255.0 -j DROPl
/usr/sbin/iptables -A FORWARD -i br0 -s ! 192.168.4.0/255.255.255.0 -j DROPl
/usr/sbin/iptables -A FORWARD -o br0 -d ! 192.168.4.0/255.255.255.0 -j DROPl

##
## Block popular attacks to TCP ports
## All rules here were found elsewhere
##
/usr/sbin/iptables -A INPUT -p tcp --dport 0:1 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 0:1 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 0:1 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 13 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 13 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 13 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 98 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 98 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 98 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 111 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 111 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 111 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 137:139 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 137:139 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 137:139 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 161:162 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 161:162 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 161:162 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 445 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 445 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 445 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 1214 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 1214 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 1214 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 1999 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 1999 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 1999 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 2049 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 2049 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 2049 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 3049 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 3049 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 3049 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 3821 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 3821 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 3821 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 4329 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 4329 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 4329 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 6346 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 6346 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 6346 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 8000 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 8000 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 8000 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 8008 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 8008 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 8008 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 8080 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 8080 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 8080 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 12345 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 12345 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 12345 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 65535 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 65535 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 65535 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 98 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 98 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 98 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 512:515 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 512:515 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 512:515 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 1080 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 1080 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 1080 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 6000:6009 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 6000:6009 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 6000:6009 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 6112 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 6112 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 6112 -j DROPl

##
## Block popular attacks to UDP ports
## All rules here were found elsewhere
##
/usr/sbin/iptables -A INPUT -p udp --dport 0:1 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 0:1 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 0:1 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 13 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 13 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 13 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 98 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 98 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 98 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 111 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 111 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 111 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 137:139 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 137:139 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 137:139 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 161:162 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 161:162 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 161:162 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 445 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 445 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 445 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 1214 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 1214 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 1214 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 1999 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 1999 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 1999 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 2049 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 2049 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 2049 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 3049 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 3049 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 3049 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 3128 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 3128 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 3128 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 4329 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 4329 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 4329 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 6346 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 6346 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 6346 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 8000 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 8000 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 8000 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 8008 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 8008 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 8008 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 8080 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 8080 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 8080 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 12345 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 12345 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 12345 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 65535 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 65535 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 65535 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 161:162 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 161:162 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 161:162 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 520 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 520 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 520 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 123 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 123 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 123 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 517:518 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 517:518 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 517:518 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 1427 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 1427 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 1427 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 9000 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 9000 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 9000 -j DROPl

##
## Allow LAN to use TCP services
##
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport domain --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport ssh --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport http --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport https --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport ftp --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport ftp-data --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport mail --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport pop3 --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport time --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport rsync --syn -m state --state NEW -j ACCEPT

/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport domain --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport ssh --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport http --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport https --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport ftp --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport ftp-data --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport mail --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport pop3 --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport time --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport rsync --syn -m state --state NEW -j ACCEPT

##
## Allow LAN to use UDP services
##
/usr/sbin/iptables -A OUTPUT -o vlan1 -p udp -s PUBLIC_IP_#1 --dport domain -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p udp -s PUBLIC_IP_#1 --dport time -m state --state NEW -j ACCEPT

/usr/sbin/iptables -A FORWARD -i br0 -p udp -s 192.168.4.0/255.255.255.0 --dport domain -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p udp -s 192.168.4.0/255.255.255.0 --dport time -m state --state NEW -j ACCEPT

##
## Allow router and internal network to ping the outside world
##
/usr/sbin/iptables -A OUTPUT -o vlan1 -p icmp -s PUBLIC_IP_#1 --icmp-type 8 -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p icmp -s 192.168.4.0/255.255.255.0 --icmp-type 8 -m state --state NEW -j ACCEPT

##
## Allow firewall to ping internal systems
##
/usr/sbin/iptables -A OUTPUT -o br0 -p icmp -s 192.168.4.0/255.255.255.0 --icmp-type 8 -m state --state NEW -j ACCEPT

##
## Block outbound ICMP  (except for PING)
##
/usr/sbin/iptables -A OUTPUT -o vlan1 -p icmp --icmp-type ! 8 -j DROPl
/usr/sbin/iptables -A FORWARD -o vlan1 -p icmp --icmp-type ! 8 -j DROPl

##
## Block all inbound ICMP from internet
##
/usr/sbin/iptables -A INPUT -d ! 192.168.4.0/255.255.255.0 -p icmp -j DROPl

##
## Enable masquerading to allow LAN internet access
##
/usr/sbin/iptables -t nat -A PREROUTING -j ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -o vlan1 -s 192.168.4.0/255.255.255.0 -j MASQUERADE
/usr/sbin/iptables -t nat -A POSTROUTING -j ACCEPT
/usr/sbin/iptables -t nat -A OUTPUT -j ACCEPT

##
## Forward LAN traffic from br0 to Internet interface vlan1
##
/usr/sbin/iptables -A FORWARD -i br0 -o vlan1 -m state --state NEW,ESTABLISHED -j ACCEPT

##
## Allowing access to sshd from local network only
##
/usr/sbin/iptables -A INPUT -s 192.168.4.0/255.255.255.0 --protocol tcp --dport 22 -j ACCEPT
                                                                             
##
## Allowing access httpd from local network only
##
/usr/sbin/iptables -A INPUT -s 192.168.4.0/255.255.255.0 --protocol tcp --dport 80 -j ACCEPT

##
## Forward specific ports to internal nodes
## Forwarding these requests are based on requests
## made to PUBLIC_IP_#1
##
/usr/sbin/iptables -I PREROUTING -t nat -d PUBLIC_IP_#1 --dports 4661:4672 -j DNAT --to-destination 192.168.4.20
/usr/sbin/iptables -I PREROUTING -t nat -d PUBLIC_IP_#1 --dports 5631:5632 -j DNAT --to-destination 192.168.4.241
/usr/sbin/iptables -I PREROUTING -t nat -d PUBLIC_IP_#1 --dports 6900:6981 -j DNAT --to-destination 192.168.4.20
/usr/sbin/iptables -I PREROUTING -t nat -d PUBLIC_IP_#1 --dports 8002:8004 -j DNAT --to-destination 192.168.4.241

##
## One-to-one NAT mapping
##
/usr/sbin/iptables -I PREROUTING -t nat -d PUBLIC_IP_#2 -j DNAT --to-destination 192.168.4.240

##
## Allow outside requests to services be forwarded
##
/usr/sbin/iptables -I FORWARD -d 192.168.4.240 --protocol tcp --dport 21 -j ACCEPT
/usr/sbin/iptables -I FORWARD -d 192.168.4.240 --protocol tcp --dport 25 -j ACCEPT
/usr/sbin/iptables -I FORWARD -d 192.168.4.240 --protocol udp --dport 53 -j ACCEPT
/usr/sbin/iptables -I FORWARD -d 192.168.4.240 --protocol tcp --dport 80 -j ACCEPT
/usr/sbin/iptables -I FORWARD -d 192.168.4.240 --protocol tcp --dport 110 -j ACCEPT
/usr/sbin/iptables -I FORWARD -d 192.168.4.240 --protocol tcp --dport 420 -j ACCEPT

##
## Outbound NAT
##
/usr/sbin/iptables -I POSTROUTING -t nat -s 192.168.4.240 -j SNAT --to PUBLIC_IP_#2

##
## Drop all packets to destination/sources not specified in
## previous rules
##
/usr/sbin/iptables -A INPUT -j DROPl
/usr/sbin/iptables -A OUTPUT -j DROPl
/usr/sbin/iptables -A FORWARD -j DROPl

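On the DROP vs DROPl question: iptables has no built-in target named DROPl. In firewall scripts it is, by convention, a user-defined chain that logs the packet and then drops it, and it has to be created with `-N` before any rule can jump to it; the script above runs `-X` (delete all user chains) and never creates it, so every `-j DROPl` line would fail with "No chain/target/match by that name". The following is an added example (not from the original post or the Alchemy firmware) showing what such a chain looks like and a small static lint that lists every jump target a script uses without defining; the log prefix and rate limit are assumptions.

```bash
#!/bin/sh
# Added example, not part of the original post.
# 1) The DROPl chain as it is conventionally defined (assumed convention:
#    log at a limited rate, then drop). It must exist before -j DROPl is used.
define_dropl_chain() {
    cat <<'EOF'
/usr/sbin/iptables -N DROPl
/usr/sbin/iptables -A DROPl -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
/usr/sbin/iptables -A DROPl -j DROP
EOF
}

# 2) Static check: read an iptables script on stdin and print every -j target
#    that is neither a built-in target nor a chain the script creates with -N.
undefined_targets() {
    awk '
        /iptables/ {
            for (i = 1; i < NF; i++) {
                if ($i == "-N") defined[$(i+1)] = 1   # chain created here
                if ($i == "-j") used[$(i+1)] = 1      # chain/target jumped to
            }
        }
        END {
            n = split("ACCEPT DROP REJECT LOG RETURN MASQUERADE SNAT DNAT REDIRECT QUEUE", b, " ")
            for (k = 1; k <= n; k++) builtin[b[k]] = 1
            for (t in used)
                if (!(t in builtin) && !(t in defined)) print t
        }' | sort
}

# Constructed sample mirroring the shape of the posted ruleset: flush, delete
# user chains, then jump to DROPl without ever creating it.
SAMPLE_RULES='/usr/sbin/iptables -F
/usr/sbin/iptables -X
/usr/sbin/iptables -A INPUT -i vlan1 -d 255.255.255.255 -j DROPl
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -o vlan1 -j MASQUERADE'

# Prints "DROPl": the only target used but never defined.
printf '%s\n' "$SAMPLE_RULES" | undefined_targets

# With the chain definition inserted after -X, the check prints nothing.
{ printf '%s\n%s\n' "/usr/sbin/iptables -X" "$(define_dropl_chain)"; printf '%s\n' "$SAMPLE_RULES"; } | undefined_targets
```

Run it against the real script with `undefined_targets < firewall.txt` before loading the rules; a `-P INPUT DROP` policy combined with rules that fail to load is how a router ends up with no accept rules at all.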

comprookie2000 02-02-2005 03:33 PM

You can use nmap or netstat; try:
nmap -help

