LinuxQuestions.org > Forums > Linux Forums > Linux - Distributions > Slackware
Old 09-11-2004, 09:09 PM   #31
win32sux
Quote:
Originally posted by fritz001
i want to create access groups

on my lan there are 28 persons who have access to the net and another 70 no-access members

so let's say
group1_full_net_acces (from the 28 persons only 20 have full access to the net, no restrictions applied)

ip: 192.168.0.5 and mac 11:22:33:44:55:66
ip: 192.168.0.7 and mac 11:22:33:44:55:61
ip: 192.168.0.4 and mac 11:22:33:44:55:64
ip: 192.168.0.12 and mac 11:22:33:44:55:69
...
ip: 192.168.0.37 and mac 11:22:33:44:55:21

full access: ftp, http, irc, messenger, ssh, pop3, imap... and so on


group2_limited_net_acces (for the remaining 8 persons)

ip: 192.168.0.33 and mac 11:22:33:44:55:26
ip: 192.168.0.71 and mac 11:22:33:44:55:51
ip: 192.168.0.45 and mac 11:22:33:44:55:14
ip: 192.168.0.112 and mac 11:22:33:44:55:59

they will only have access to http, yahoo messenger and IRC


now how do i set up the firewall to create this kind of rules?


i tried to modify the last script but didn't figure out how to create the new rules...

here's a group scheme with 20 full access hosts and 8 limited access hosts...

i left the host a/b/c chains in there so they can have separate rules (more flexibility)...

i also added tcp/443 to LAN2INET (cuz that allows people to surf secure websites) and i fixed some typos i had made...

i don't know what ports yahoo messenger uses, so you'll have to edit the yahoo rule when you find out...

Code:
#!/bin/sh

IPT="/usr/sbin/iptables"
LO_IFACE="lo"
LO_IP="127.0.0.1"
INET_IFACE="eth1"
INET_IP="xxx.xxx.xxx.xxx"
LAN_IFACE="eth0"
LAN_IP="192.168.0.2"
LAN="192.168.0.0/24"

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ipt_mac

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT


###############################################################################
### Let's make some chains...
###############################################################################

$IPT -N INPUT_LAN2GATE
$IPT -N INPUT_LAN2GATE_GROUP1
$IPT -N INPUT_LAN2GATE_GROUP2
$IPT -N INPUT_LAN2GATE_SERVER1
$IPT -N INPUT_LAN2GATE_HOST_A
$IPT -N INPUT_LAN2GATE_HOST_B
$IPT -N INPUT_LAN2GATE_HOST_C
$IPT -N INPUT_INET2GATE
$IPT -N FORWARD_LAN2INET
$IPT -N FORWARD_LAN2INET_GROUP1
$IPT -N FORWARD_LAN2INET_GROUP2
$IPT -N FORWARD_LAN2INET_SERVER1
$IPT -N FORWARD_LAN2INET_HOST_A
$IPT -N FORWARD_LAN2INET_HOST_B
$IPT -N FORWARD_LAN2INET_HOST_C
$IPT -N FORWARD_INET2LAN
$IPT -N BAD_PACKETS


###############################################################################
### INPUT
###############################################################################

$IPT -A INPUT -p ALL -m state --state INVALID -j DROP
#$IPT -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
$IPT -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPT -A INPUT -p ALL -j BAD_PACKETS
$IPT -A INPUT -p ALL -i $INET_IFACE -j INPUT_INET2GATE
$IPT -A INPUT -p ALL -i $LAN_IFACE -j INPUT_LAN2GATE
$IPT -A INPUT -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "INPUT DROP: "


###############################################################################
### OUTPUT
###############################################################################

$IPT -A OUTPUT -p ALL -m state --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -o $LO_IFACE -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LAN_IFACE -s $LAN_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_IFACE -s $INET_IP -j ACCEPT
$IPT -A OUTPUT -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "OUTPUT DROP: "


###############################################################################
### FORWARD
###############################################################################

$IPT -A FORWARD -p ALL -m state --state INVALID -j DROP
$IPT -A FORWARD -p ALL -j BAD_PACKETS
$IPT -A FORWARD -p ALL -i $INET_IFACE -o $LAN_IFACE -j FORWARD_INET2LAN
$IPT -A FORWARD -p ALL -i $LAN_IFACE -o $INET_IFACE -j FORWARD_LAN2INET
$IPT -A FORWARD -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "FORWARD DROP: "


###############################################################################
### PREROUTING
###############################################################################

$IPT -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $INET_IP --dport 21 \
-j DNAT --to-destination 192.168.0.4:1415
$IPT -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $INET_IP --dport 555 \
-j DNAT --to-destination 192.168.0.4:555
$IPT -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $INET_IP --dport 555 \
-j DNAT --to-destination 192.168.0.4:555


###############################################################################
### POSTROUTING
###############################################################################

$IPT -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP


###############################################################################
### INPUT_LAN2GATE
###############################################################################

$IPT -A INPUT_LAN2GATE -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP2
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP2
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP2
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP2
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP2
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP2
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP2
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP2
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.4 -m mac --mac-source \
zz:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_SERVER1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.5 -m mac --mac-source \
aa:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_HOST_A
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.9 -m mac --mac-source \
bb:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_HOST_B
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.19 -m mac --mac-source \
cc:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_HOST_C
$IPT -A INPUT_LAN2GATE -p ALL -j RETURN


###############################################################################
### INPUT_LAN2GATE_GROUP1
###############################################################################

$IPT -A INPUT_LAN2GATE_GROUP1 -p UDP --dport 53 -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP1 -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP1 -p ALL -j RETURN


###############################################################################
### INPUT_LAN2GATE_GROUP2
###############################################################################

$IPT -A INPUT_LAN2GATE_GROUP2 -p UDP --dport 53 -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP2 -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP2 -p ALL -j RETURN


###############################################################################
### INPUT_LAN2GATE_SERVER1
###############################################################################

#$IPT -A INPUT_LAN2GATE_SERVER1 -p UDP --dport 53 -j ACCEPT
#$IPT -A INPUT_LAN2GATE_SERVER1 -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT_LAN2GATE_SERVER1 -p ALL -j RETURN


###############################################################################
### INPUT_LAN2GATE_HOST_A
###############################################################################

$IPT -A INPUT_LAN2GATE_HOST_A -p UDP --dport 53 -j ACCEPT
$IPT -A INPUT_LAN2GATE_HOST_A -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT_LAN2GATE_HOST_A -p ALL -j RETURN


###############################################################################
### INPUT_LAN2GATE_HOST_B
###############################################################################

$IPT -A INPUT_LAN2GATE_HOST_B -p UDP --dport 53 -j ACCEPT
$IPT -A INPUT_LAN2GATE_HOST_B -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT_LAN2GATE_HOST_B -p ALL -j RETURN


###############################################################################
### INPUT_LAN2GATE_HOST_C
###############################################################################

$IPT -A INPUT_LAN2GATE_HOST_C -p UDP --dport 53 -j ACCEPT
$IPT -A INPUT_LAN2GATE_HOST_C -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT_LAN2GATE_HOST_C -p ALL -j RETURN


###############################################################################
### INPUT_INET2GATE
###############################################################################

$IPT -A INPUT_INET2GATE -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPT -A INPUT_INET2GATE -p TCP --dport 22 -j ACCEPT
#$IPT -A INPUT_INET2GATE -p ICMP --icmp-type 8 -j ACCEPT
$IPT -A INPUT_INET2GATE -p ALL -j RETURN


###############################################################################
### FORWARD_LAN2INET
###############################################################################

$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP2
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP2
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP2
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP2
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP2
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP2
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP2
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.4 -m mac --mac-source \
zz:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_SERVER1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.5 -m mac --mac-source \
aa:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_HOST_A
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.9 -m mac --mac-source \
bb:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_HOST_B
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.19 -m mac --mac-source \
cc:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_HOST_C
$IPT -A FORWARD_LAN2INET -p ALL -j RETURN


###############################################################################
### FORWARD_LAN2INET_GROUP1
###############################################################################

$IPT -A FORWARD_LAN2INET_GROUP1 -p ALL -j ACCEPT
$IPT -A FORWARD_LAN2INET_GROUP1 -p ALL -j RETURN


###############################################################################
### FORWARD_LAN2INET_GROUP2
###############################################################################

$IPT -A FORWARD_LAN2INET_GROUP2 -p TCP --dport 6660:6669 -j ACCEPT
#$IPT -A FORWARD_LAN2INET_GROUP2 -p TCP --dport yahoo??? -j ACCEPT
$IPT -A FORWARD_LAN2INET_GROUP2 -p TCP --dport 443 -j ACCEPT
$IPT -A FORWARD_LAN2INET_GROUP2 -p TCP --dport 80 -j ACCEPT
$IPT -A FORWARD_LAN2INET_GROUP2 -p ALL -j RETURN


###############################################################################
### FORWARD_LAN2INET_SERVER1
###############################################################################

$IPT -A FORWARD_LAN2INET_SERVER1 -p ALL -m state --state \
ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD_LAN2INET_SERVER1 -p ALL -j RETURN


###############################################################################
### FORWARD_LAN2INET_HOST_A
###############################################################################

$IPT -A FORWARD_LAN2INET_HOST_A -p TCP --dport 443 -j ACCEPT
$IPT -A FORWARD_LAN2INET_HOST_A -p TCP --dport 80 -j ACCEPT
$IPT -A FORWARD_LAN2INET_HOST_A -p ALL -j RETURN


###############################################################################
### FORWARD_LAN2INET_HOST_B
###############################################################################

$IPT -A FORWARD_LAN2INET_HOST_B -p TCP --dport 443 -j ACCEPT
$IPT -A FORWARD_LAN2INET_HOST_B -p TCP --dport 80 -j ACCEPT
$IPT -A FORWARD_LAN2INET_HOST_B -p ALL -j RETURN


###############################################################################
### FORWARD_LAN2INET_HOST_C
###############################################################################

$IPT -A FORWARD_LAN2INET_HOST_C -p TCP --dport 6660:6669 -j ACCEPT
$IPT -A FORWARD_LAN2INET_HOST_C -p TCP --dport 443 -j ACCEPT
$IPT -A FORWARD_LAN2INET_HOST_C -p TCP --dport 80 -j ACCEPT
$IPT -A FORWARD_LAN2INET_HOST_C -p ALL -j RETURN


###############################################################################
### FORWARD_INET2LAN
###############################################################################

$IPT -A FORWARD_INET2LAN -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD_INET2LAN -p TCP -d 192.168.0.4 --dport 1415 -j ACCEPT
$IPT -A FORWARD_INET2LAN -p TCP -d 192.168.0.4 --dport 555 -j ACCEPT
$IPT -A FORWARD_INET2LAN -p UDP -d 192.168.0.4 --dport 555 -j ACCEPT
$IPT -A FORWARD_INET2LAN -p ALL -j RETURN


###############################################################################
### BAD_PACKETS
###############################################################################

$IPT -A BAD_PACKETS -p TCP ! --syn -m state --state NEW -j DROP
$IPT -A BAD_PACKETS -p ICMP --fragment -j DROP
$IPT -A BAD_PACKETS -p ALL -i $LAN_IFACE -s ! $LAN -j DROP
$IPT -A BAD_PACKETS -p ALL -i $LAN_IFACE -s $LAN_IP -j DROP
$IPT -A BAD_PACKETS -p ALL -i $INET_IFACE -s $LAN -j DROP
$IPT -A BAD_PACKETS -p ALL -i $INET_IFACE -s $LO_IP -j DROP
$IPT -A BAD_PACKETS -p ALL -d 255.255.255.255 -j DROP
$IPT -A BAD_PACKETS -p ALL -j RETURN


echo "So let it be written, so let it be done..."

Last edited by win32sux; 09-11-2004 at 11:26 PM.
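The 28 per-host dispatch lines in INPUT_LAN2GATE and FORWARD_LAN2INET are where a placeholder MAC (xx:xx:xx:xx:xx:xx) is most easily left behind, which makes that host match nothing. As an added example (not code from the thread), a POSIX sh generator that emits those two rules per host from an inventory list and refuses to emit anything if any entry is a placeholder, outside the LAN, or in an unknown group; the host list is constructed for the example and the IPT/LAN_PREFIX variables follow the script above.

```sh
#!/bin/sh
# Added example, not from the thread: build the per-host dispatch rules for
# INPUT_LAN2GATE and FORWARD_LAN2INET from a host inventory instead of
# hand-copying dozens of near-identical lines. Rules are printed, not applied;
# review them, then run them on the gateway (e.g. ./gen.sh | sh).

IPT="${IPT:-/usr/sbin/iptables}"
LAN_PREFIX="192.168.0."

# Constructed sample inventory: "ip mac group" per line, '#' starts a comment.
# group 1 = full access chain, group 2 = limited access chain (as in the script).
HOSTS='
# ip            mac                group
192.168.0.5     11:22:33:44:55:66  1
192.168.0.7     11:22:33:44:55:61  1
192.168.0.33    11:22:33:44:55:26  2
'

# True if $1 is six colon-separated hex octets. Placeholders such as
# xx:xx:xx:xx:xx:xx fail this test, so they can never reach the ruleset.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# True if $1 is a host address inside the LAN prefix (last octet 1-254).
valid_lan_ip() {
    case "$1" in
        "$LAN_PREFIX"*) ;;
        *) return 1 ;;
    esac
    last=${1#"$LAN_PREFIX"}
    printf '%s\n' "$last" | grep -Eq '^[0-9]{1,3}$' || return 1
    [ "$last" -ge 1 ] && [ "$last" -le 254 ]
}

# gen_acl_rules INVENTORY_TEXT
# Prints one INPUT_LAN2GATE and one FORWARD_LAN2INET rule per host.
# Returns 1 (after reporting every bad entry on stderr) if any line is invalid,
# so a half-filled inventory never produces a half-filled ruleset.
gen_acl_rules() {
    inventory=$1
    bad=0
    while read -r ip mac grp; do
        case "$ip" in ''|'#'*) continue ;; esac
        if ! valid_lan_ip "$ip"; then
            printf 'ERROR: %s is not a host in %s0/24\n' "$ip" "$LAN_PREFIX" >&2
            bad=1; continue
        fi
        if ! valid_mac "$mac"; then
            printf 'ERROR: bad or placeholder MAC %s for %s\n' "$mac" "$ip" >&2
            bad=1; continue
        fi
        case "$grp" in
            1|2) ;;
            *) printf 'ERROR: unknown group %s for %s\n' "$grp" "$ip" >&2
               bad=1; continue ;;
        esac
        printf '%s -A INPUT_LAN2GATE -p ALL -s %s -m mac --mac-source %s -j INPUT_LAN2GATE_GROUP%s\n' \
            "$IPT" "$ip" "$mac" "$grp"
        printf '%s -A FORWARD_LAN2INET -p ALL -s %s -m mac --mac-source %s -j FORWARD_LAN2INET_GROUP%s\n' \
            "$IPT" "$ip" "$mac" "$grp"
    done <<EOF
$inventory
EOF
    return $bad
}

# Print the rules for the sample inventory when run directly.
gen_acl_rules "$HOSTS"
```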
 
Old 09-13-2004, 11:41 AM   #32
fritz001
it's 100% working ...............

thanks again and i hope this thread helps others


well, now i'm trying to find some tool for dynamic bandwidth allocation !!!

i heard about HTB (some ppl say it is a good program for bandwidth allocation)


P.S. Yahoo messenger - protocol TCP port 5050

last minute:

when i try to connect from outside the LAN to the 192.168.0.4 ftp server

i manage to connect but no directory list appears, as if there are no files or directories on the ftp server:
"$IPT -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $INET_IP --dport 21 \
-j DNAT --to-destination 192.168.0.4:1415"

i read some ftp documentation and it says something about port 20 - "data transfer"

what is it ?

Last edited by fritz001; 09-13-2004 at 11:45 AM.
 
Old 09-13-2004, 03:40 PM   #33
Cedrik
Did you try to set passive ftp on the client side ?
 
Old 09-13-2004, 05:15 PM   #34
fritz001
on the client machine SERV-U FTP is installed and it is set up to use passive mode
 
Old 09-13-2004, 06:01 PM   #35
win32sux
Quote:
Originally posted by fritz001
when i try to connect from outside the LAN to the 192.168.0.4 ftp server

i manage to connect but no directory list appears, as if there are no files or directories on the ftp server:
"$IPT -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $INET_IP --dport 21 \
-j DNAT --to-destination 192.168.0.4:1415"

i read some ftp documentation and it says something about port 20 - "data transfer"

what is it ?
the rules related to the ftp forwarding are these:

Quote:
$IPT -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $INET_IP --dport 21 \
-j DNAT --to-destination 192.168.0.4:1415

$IPT -A FORWARD_INET2LAN -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD_INET2LAN -p TCP -d 192.168.0.4 --dport 1415 -j ACCEPT

$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.4 -m mac --mac-source \
zz:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_SERVER1


$IPT -A FORWARD_LAN2INET_SERVER1 -p ALL -m state --state \
ESTABLISHED,RELATED -j ACCEPT
the port 20 thing should be picked up by the "established,related" rule, i think...

make sure that you have set the right mac address for the rule that appears in bold...

Last edited by win32sux; 09-13-2004 at 06:37 PM.
 
Old 09-23-2004, 04:54 PM   #36
fritz001
well, after several weeks, everything works fine but it seems the firewall rules interfere with samba

i mean i can't connect to the samba server from any local machine in any way.

i don't know exactly what ports samba uses !!!!!
 
Old 09-24-2004, 12:10 PM   #37
win32sux
where's the samba server you want to access?? does it have a static ip??

who do you want to give access to it??


Last edited by win32sux; 09-24-2004 at 12:22 PM.
 
Old 09-24-2004, 02:34 PM   #38
fritz001
...problem solved....

samba server is installed on the same machine as the firewall (ip: 192.168.0.2)


here is the solution:

Code:
### INPUT_LAN2GATE_GROUP1
###############################################################################

$IPT -A INPUT_LAN2GATE_GROUP1 -p UDP --dport 53 -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP1 -p ICMP --icmp-type 8 -j ACCEPT
# samba ports (placed before the RETURN, otherwise they are never reached)
$IPT -A INPUT_LAN2GATE_GROUP1 -p UDP --dport 445 -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP1 -p TCP --dport 139 -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP1 -p UDP --dport 137 -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP1 -p ALL -j RETURN


###############################################################################
### INPUT_LAN2GATE_GROUP2
###############################################################################

$IPT -A INPUT_LAN2GATE_GROUP2 -p UDP --dport 53 -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP2 -p ICMP --icmp-type 8 -j ACCEPT
# same samba ports for group 2 (the chain name must be GROUP2 here)
$IPT -A INPUT_LAN2GATE_GROUP2 -p UDP --dport 445 -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP2 -p TCP --dport 139 -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP2 -p UDP --dport 137 -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP2 -p ALL -j RETURN


hm... it sounds a little bit stupid but i don't know how to mount a new hdd (1st part NTFS, 2nd part NTFS, 3rd part fat32)

i want to access them as /NTFS1, /NTFS2, /FAT32-part

last edit:
mount dev/hdd6 -t vfat mnt/FAT32-part does not work


the secondary harddisk is a SECONDARY SLAVE



Last edited by fritz001; 09-24-2004 at 02:42 PM.
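Two mistakes that creep into a hand-edited script of this size are appending a rule after the chain's unconditional "-p ALL -j RETURN" (it is never reached) and pasting a rule for one host chain under another chain's "### CHAIN" header. As an added example (not code from the thread), a POSIX sh/awk lint that reads a script written in the thread's layout and reports both; the SAMPLE and CLEAN inputs are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the thread: a lint pass over an iptables script in the
# style used here (one "### CHAIN" header per user chain, "-p ALL -j RETURN" as
# the last rule). It reports rules appended after a chain's unconditional
# RETURN (never reached) and rules whose -A chain does not match the section
# header they sit under (a paste from another host chain).

# lint_rules SCRIPT_TEXT
# Prints one finding per line; exit status 1 if anything was found.
lint_rules() {
    printf '%s\n' "$1" | awk '
        BEGIN { bad = 0 }
        # "### CHAIN" headers open a section; the ##### ruler lines are comments
        /^### [A-Za-z0-9_]+$/ { section = $2; next }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            line = $0
            # join continuation lines ending in a backslash
            while (sub(/\\[[:space:]]*$/, "", line) && (getline nxt) > 0)
                line = line " " nxt
            n = split(line, f, /[[:space:]]+/)
            chain = ""
            for (i = 1; i < n; i++)
                if (f[i] == "-A") chain = f[i + 1]
            if (chain == "") next
            if (unreachable[chain]) {
                print "unreachable: rule appended to " chain " after its RETURN: " line
                bad = 1
            }
            if (section != "" && chain != section) {
                print "wrong chain: -A " chain " inside section " section ": " line
                bad = 1
            }
            # an unconditional RETURN ends the chain; anything after it is dead
            if (line ~ /-A [A-Za-z0-9_]+( -p ALL)? -j RETURN$/) unreachable[chain] = 1
        }
        END { exit bad }'
}

# Constructed sample with both mistakes: a HOST_A rule pasted into the HOST_B
# section, and a samba rule added after GROUP1 has already RETURNed.
SAMPLE='### FORWARD_LAN2INET_HOST_B
###############################################################################
$IPT -A FORWARD_LAN2INET_HOST_A -p TCP --dport 443 -j ACCEPT
$IPT -A FORWARD_LAN2INET_HOST_B -p TCP --dport 80 -j ACCEPT
$IPT -A FORWARD_LAN2INET_HOST_B -p ALL -j RETURN

### INPUT_LAN2GATE_GROUP1
###############################################################################
$IPT -A INPUT_LAN2GATE_GROUP1 -p UDP --dport 53 -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP1 -p ALL -j RETURN
$IPT -A INPUT_LAN2GATE_GROUP1 -p TCP --dport 139 -j ACCEPT'

# The same two chains written correctly.
CLEAN='### FORWARD_LAN2INET_HOST_B
###############################################################################
$IPT -A FORWARD_LAN2INET_HOST_B -p TCP --dport 443 -j ACCEPT
$IPT -A FORWARD_LAN2INET_HOST_B -p TCP --dport 80 -j ACCEPT
$IPT -A FORWARD_LAN2INET_HOST_B -p ALL -j RETURN

### INPUT_LAN2GATE_GROUP1
###############################################################################
$IPT -A INPUT_LAN2GATE_GROUP1 -p UDP --dport 53 -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP1 -p TCP --dport 139 -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP1 -p ALL -j RETURN'

# Usage on a real file: lint_rules "$(cat /etc/rc.d/rc.firewall)"
lint_rules "$SAMPLE" || true
```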
 
Old 09-24-2004, 04:59 PM   #39
win32sux
i think these samba rules will work smoother:

Code:
$IPT -A INPUT_LAN2GATE_GROUP1 -p TCP --dport 445 -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP1 -p UDP --dport 445 -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP1 -p TCP --dport 137:139 -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP1 -p UDP --dport 137:139 -j ACCEPT

$IPT -A INPUT_LAN2GATE_GROUP2 -p TCP --dport 445 -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP2 -p UDP --dport 445 -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP2 -p TCP --dport 137:139 -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP2 -p UDP --dport 137:139 -j ACCEPT

i've improved the script in general once again (take a close look)... i fixed several errors i had made...


Code:
#!/bin/sh

IPT="/usr/sbin/iptables"
LO_IFACE="lo"
LO_IP="127.0.0.1"
INET_IFACE="eth1"
INET_IP="xxx.xxx.xxx.xxx"
LAN_IFACE="eth0"
LAN_IP="192.168.0.2"
LAN_BCAST="192.168.0.255"
LAN="192.168.0.0/24"

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ipt_mac

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT


###############################################################################
### Let's make some chains...
###############################################################################

$IPT -N INPUT_LAN2GATE
$IPT -N INPUT_LAN2GATE_GROUP1
$IPT -N INPUT_LAN2GATE_GROUP2
$IPT -N INPUT_LAN2GATE_SERVER1
$IPT -N INPUT_LAN2GATE_HOST_A
$IPT -N INPUT_LAN2GATE_HOST_B
$IPT -N INPUT_LAN2GATE_HOST_C
$IPT -N INPUT_INET2GATE
$IPT -N FORWARD_LAN2INET
$IPT -N FORWARD_LAN2INET_GROUP1
$IPT -N FORWARD_LAN2INET_GROUP2
$IPT -N FORWARD_LAN2INET_SERVER1
$IPT -N FORWARD_LAN2INET_HOST_A
$IPT -N FORWARD_LAN2INET_HOST_B
$IPT -N FORWARD_LAN2INET_HOST_C
$IPT -N FORWARD_INET2LAN
$IPT -N BAD_PACKETS


###############################################################################
### INPUT
###############################################################################

$IPT -A INPUT -p ALL -m state --state INVALID -j DROP
#$IPT -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
$IPT -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPT -A INPUT -p ALL -j BAD_PACKETS
$IPT -A INPUT -p ALL -i $INET_IFACE -j INPUT_INET2GATE
$IPT -A INPUT -p ALL -i $LAN_IFACE -j INPUT_LAN2GATE
$IPT -A INPUT -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "INPUT DROP: "


###############################################################################
### OUTPUT
###############################################################################

$IPT -A OUTPUT -p ALL -m state --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -o $LO_IFACE -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LAN_IFACE -s $LAN_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_IFACE -s $INET_IP -j ACCEPT
$IPT -A OUTPUT -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "OUTPUT DROP: "


###############################################################################
### FORWARD
###############################################################################

$IPT -A FORWARD -p ALL -m state --state INVALID -j DROP
$IPT -A FORWARD -p ALL -j BAD_PACKETS
$IPT -A FORWARD -p ALL -i $INET_IFACE -o $LAN_IFACE -j FORWARD_INET2LAN
$IPT -A FORWARD -p ALL -i $LAN_IFACE -o $INET_IFACE -j FORWARD_LAN2INET
$IPT -A FORWARD -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "FORWARD DROP: "


###############################################################################
### PREROUTING
###############################################################################

$IPT -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $INET_IP --dport 21 \
-j DNAT --to-destination 192.168.0.4:1415
$IPT -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $INET_IP --dport 555 \
-j DNAT --to-destination 192.168.0.4:555
$IPT -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $INET_IP --dport 555 \
-j DNAT --to-destination 192.168.0.4:555


###############################################################################
### POSTROUTING
###############################################################################

$IPT -t nat -A POSTROUTING -p ALL -o $INET_IFACE -j SNAT --to-source $INET_IP


###############################################################################
### INPUT_LAN2GATE
###############################################################################

$IPT -A INPUT_LAN2GATE -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP2
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP2
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP2
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP2
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP2
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP2
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP2
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_GROUP2
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.4 -m mac --mac-source \
zz:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_SERVER1
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.5 -m mac --mac-source \
aa:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_HOST_A
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.9 -m mac --mac-source \
bb:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_HOST_B
$IPT -A INPUT_LAN2GATE -p ALL -s 192.168.0.19 -m mac --mac-source \
cc:xx:xx:xx:xx:xx -j INPUT_LAN2GATE_HOST_C
$IPT -A INPUT_LAN2GATE -p ALL -j RETURN


###############################################################################
### INPUT_LAN2GATE_GROUP1
###############################################################################

#$IPT -A INPUT_LAN2GATE_GROUP1 -p ALL -d $LAN_BCAST -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP1 -p UDP --dport 53 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP1 -p ICMP --icmp-type 8 -m state \
--state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP1 -p TCP --dport 445 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP1 -p UDP --dport 445 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP1 -p TCP --dport 137:139 -m state \
--state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP1 -p UDP --dport 137:139 -m state \
--state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP1 -p ALL -j RETURN


###############################################################################
### INPUT_LAN2GATE_GROUP2
###############################################################################

#$IPT -A INPUT_LAN2GATE_GROUP2 -p ALL -d $LAN_BCAST -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP2 -p UDP --dport 53 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP2 -p ICMP --icmp-type 8 -m state \
--state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP2 -p TCP --dport 445 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP2 -p UDP --dport 445 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP2 -p TCP --dport 137:139 -m state \
--state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP2 -p UDP --dport 137:139 -m state \
--state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE_GROUP2 -p ALL -j RETURN


###############################################################################
### INPUT_LAN2GATE_SERVER1
###############################################################################

$IPT -A INPUT_LAN2GATE_SERVER1 -p UDP --dport 53 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE_SERVER1 -p ICMP --icmp-type 8 -m state \
--state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE_SERVER1 -p ALL -j RETURN


###############################################################################
### INPUT_LAN2GATE_HOST_A
###############################################################################

$IPT -A INPUT_LAN2GATE_HOST_A -p UDP --dport 53 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE_HOST_A -p ICMP --icmp-type 8 -m state \
--state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE_HOST_A -p ALL -j RETURN


###############################################################################
### INPUT_LAN2GATE_HOST_B
###############################################################################

$IPT -A INPUT_LAN2GATE_HOST_B -p UDP --dport 53 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE_HOST_B -p ICMP --icmp-type 8 -m state \
--state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE_HOST_B -p ALL -j RETURN


###############################################################################
### INPUT_LAN2GATE_HOST_C
###############################################################################

$IPT -A INPUT_LAN2GATE_HOST_C -p UDP --dport 53 -m state --state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE_HOST_C -p ICMP --icmp-type 8 -m state \
--state NEW -j ACCEPT
$IPT -A INPUT_LAN2GATE_HOST_C -p ALL -j RETURN


###############################################################################
### INPUT_INET2GATE
###############################################################################

$IPT -A INPUT_INET2GATE -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPT -A INPUT_INET2GATE -p TCP --dport 22 -m state --state NEW -j ACCEPT
#$IPT -A INPUT_INET2GATE -p ICMP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT_INET2GATE -p ALL -j RETURN


###############################################################################
### FORWARD_LAN2INET
###############################################################################

$IPT -A FORWARD_LAN2INET -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP2
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP2
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP2
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP2
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP2
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP2
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.x -m mac --mac-source \
xx:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_GROUP2
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.4 -m mac --mac-source \
zz:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_SERVER1
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.5 -m mac --mac-source \
aa:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_HOST_A
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.9 -m mac --mac-source \
bb:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_HOST_B
$IPT -A FORWARD_LAN2INET -p ALL -s 192.168.0.19 -m mac --mac-source \
cc:xx:xx:xx:xx:xx -j FORWARD_LAN2INET_HOST_C
$IPT -A FORWARD_LAN2INET -p ALL -j RETURN


###############################################################################
### FORWARD_LAN2INET_GROUP1
###############################################################################

$IPT -A FORWARD_LAN2INET_GROUP1 -p ALL -m state --state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET_GROUP1 -p ALL -j RETURN


###############################################################################
### FORWARD_LAN2INET_GROUP2
###############################################################################

$IPT -A FORWARD_LAN2INET_GROUP2 -p TCP --dport 6660:6669 -m state \
--state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET_GROUP2 -p TCP --dport 5050 -m state \
--state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET_GROUP2 -p TCP --dport 443 -m state \
--state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET_GROUP2 -p TCP --dport 80 -m state \
--state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET_GROUP2 -p ALL -j RETURN


###############################################################################
### FORWARD_LAN2INET_SERVER1
###############################################################################

#$IPT -A FORWARD_LAN2INET_SERVER1 -p ICMP --icmp-type 8 -m state \
#--state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET_SERVER1 -p ALL -j RETURN


###############################################################################
### FORWARD_LAN2INET_HOST_A
###############################################################################

$IPT -A FORWARD_LAN2INET_HOST_A -p TCP --dport 443 -m state \
--state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET_HOST_A -p TCP --dport 80 -m state \
--state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET_HOST_A -p ALL -j RETURN


###############################################################################
### FORWARD_LAN2INET_HOST_B
###############################################################################

$IPT -A FORWARD_LAN2INET_HOST_B -p TCP --dport 443 -m state \
--state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET_HOST_B -p TCP --dport 80 -m state \
--state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET_HOST_B -p ALL -j RETURN


###############################################################################
### FORWARD_LAN2INET_HOST_C
###############################################################################

$IPT -A FORWARD_LAN2INET_HOST_C -p TCP --dport 6660:6669 -m state \
--state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET_HOST_C -p TCP --dport 5050 -m state \
--state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET_HOST_C -p TCP --dport 443 -m state \
--state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET_HOST_C -p TCP --dport 80 -m state \
--state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET_HOST_C -p TCP --dport 21 -m state \
--state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET_HOST_C -p ICMP --icmp-type 8 -m state \
--state NEW -j ACCEPT
$IPT -A FORWARD_LAN2INET_HOST_C -p ALL -j RETURN


###############################################################################
### FORWARD_INET2LAN
###############################################################################

$IPT -A FORWARD_INET2LAN -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD_INET2LAN -p TCP -d 192.168.0.4 --dport 1415 -m state \
--state NEW -j ACCEPT
$IPT -A FORWARD_INET2LAN -p TCP -d 192.168.0.4 --dport 555 -m state \
--state NEW -j ACCEPT
$IPT -A FORWARD_INET2LAN -p UDP -d 192.168.0.4 --dport 555 -m state \
--state NEW -j ACCEPT
$IPT -A FORWARD_INET2LAN -p ALL -j RETURN


###############################################################################
### BAD_PACKETS
###############################################################################

$IPT -A BAD_PACKETS -p TCP ! --syn -m state --state NEW -j DROP
$IPT -A BAD_PACKETS -p ICMP --fragment -j DROP
$IPT -A BAD_PACKETS -p ALL -d 255.255.255.255 -j DROP
$IPT -A BAD_PACKETS -p ALL -i $LAN_IFACE -s ! $LAN -j DROP
$IPT -A BAD_PACKETS -p ALL -i $LAN_IFACE -s $LAN_IP -j DROP
$IPT -A BAD_PACKETS -p ALL -i $LAN_IFACE -s $LO_IP -j DROP
$IPT -A BAD_PACKETS -p ALL -i $INET_IFACE -s $LAN -j DROP
$IPT -A BAD_PACKETS -p ALL -i $INET_IFACE -s $LO_IP -j DROP
$IPT -A BAD_PACKETS -p ALL -j RETURN


echo "So let it be written, so let it be done..."

PS: let me know if you're not using the *_HOST_A/B/C chains anymore, so I can remove them from the script, for simplicity's sake...


Last edited by win32sux; 09-24-2004 at 05:09 PM.
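The script above repeats the same IP+MAC dispatch line once per host, for both INPUT_LAN2GATE and FORWARD_LAN2INET, so 28 hosts means 56 hand-copied lines and two places where a typo can quietly produce a rule that matches nothing. The generator below is an added example, not code from the original post or from win32sux's script: it keeps one host table ("ip mac group"), validates each address before emitting a rule, and prints the iptables commands in the exact form the script uses (pipe the output into `sh` as root to apply it). The host table, the 192.168.0.0/24 LAN and the `/usr/sbin/iptables` path are assumptions; the two malformed rows are constructed to show the validation skipping them. Note the caveat the script itself relies on: `-m mac --mac-source` only sees the MAC of the last hop, so this check is only meaningful on the directly attached LAN segment, and a host on that segment can set both its IP and its MAC, so IP+MAC matching is an accounting aid rather than an authentication of the user.

```shell
#!/bin/sh
# Added example: generate the per-host dispatch rules of the posted
# script from one table instead of copying 28 near-identical lines.
# Nothing here runs iptables; it prints the commands. Apply with:
#   sh gen.sh | sh        (as root, after reviewing the output)

IPT="${IPT:-/usr/sbin/iptables}"   # assumed path, as in the original script
LAN_NET="192.168.0"                # assumed LAN, 192.168.0.0/24

# Constructed sample table: one host per line, "ip mac group".
# The last two rows are deliberately malformed (wrong subnet, short MAC).
HOSTS='
192.168.0.5   11:22:33:44:55:66  GROUP1
192.168.0.7   11:22:33:44:55:61  GROUP1
192.168.0.33  11:22:33:44:55:26  GROUP2
192.168.0.4   11:22:33:44:55:64  SERVER1
192.168.1.9   11:22:33:44:55:99  GROUP1
192.168.0.12  11:22:33:44:5      GROUP2
'

# valid_mac MAC: succeeds when MAC is six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# valid_lan_ip IP: succeeds when IP is a host address inside LAN_NET/24
# (last octet 1..254), so a typo in the subnet cannot slip through.
valid_lan_ip() {
    case "$1" in
        "$LAN_NET".*) ;;
        *) return 1 ;;
    esac
    last="${1##*.}"
    printf '%s\n' "$last" | grep -Eq '^[0-9]+$' || return 1
    [ "$last" -ge 1 ] && [ "$last" -le 254 ]
}

# emit_dispatch PARENT: for every valid row print
#   $IPT -A PARENT -p ALL -s IP -m mac --mac-source MAC -j PARENT_GROUP
# followed by the trailing RETURN, matching the posted chain layout.
# Invalid rows are reported on stderr and skipped.
emit_dispatch() {
    parent="$1"
    printf '%s\n' "$HOSTS" | while read -r ip mac group; do
        [ -n "$ip" ] || continue
        if ! valid_lan_ip "$ip"; then
            echo "skip: '$ip' is not a host in $LAN_NET.0/24" >&2
            continue
        fi
        if ! valid_mac "$mac"; then
            echo "skip: bad MAC '$mac' for $ip" >&2
            continue
        fi
        printf '%s -A %s -p ALL -s %s -m mac --mac-source %s -j %s_%s\n' \
            "$IPT" "$parent" "$ip" "$mac" "$parent" "$group"
    done
    printf '%s -A %s -p ALL -j RETURN\n' "$IPT" "$parent"
}

# count_rules PARENT: number of host dispatch rules that would be emitted.
count_rules() {
    emit_dispatch "$1" 2>/dev/null | grep -c -- '--mac-source'
}

emit_dispatch INPUT_LAN2GATE
emit_dispatch FORWARD_LAN2INET
```

Both chains are generated from the same table, so a host cannot end up in GROUP1 for INPUT and GROUP2 for FORWARD by a copy-paste slip; the skipped rows show up on stderr so the operator sees exactly which entries were not installed.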
 
Old 09-24-2004, 05:06 PM   #40
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally posted by fritz001
mount dev/hdd6 -t vfat mnt/FAT32-part does not work
This is quite off-topic for this thread... but try this instead:

Code:
mount -t vfat /dev/hdd6 /mnt/FAT32
 
Old 10-19-2004, 03:58 PM   #41
kengoaidao
LQ Newbie
 
Registered: Oct 2004
Posts: 2

Rep: Reputation: 0
Big problem?

Here is my problem:
- I have 2 NICs: eth0 connects to the ADSL (using DHCP), eth1 connects to the LAN (static IP 192.168.65.1) through a switch from the Linux server.
- I have one computer set up with Windoze 2k; I assigned it the IP 192.168.65.2 and the gateway 192.168.11.1 from the ADSL.
- From the Linux server, I can ping 192.168.65.1, 192.168.11.1, 192.168.65.2 and www.yahoo.com, correct!
- From the client (Windoze 2k), I can ping 192.168.65.1, 192.168.65.2 and, of course, 192.168.11.1, but I can't ping www.yahoo.com or browse the Yahoo website!

Please show me the solution! Thanks, I'm a lamer!
 
Old 10-20-2004, 05:10 AM   #42
fritz001
Member
 
Registered: Aug 2004
Posts: 176

Original Poster
Rep: Reputation: 18
It seems you have a problem with DNS on the Linux machine, I mean a DNS problem (you can ping 216.119.70.18 but not www.yahoo.com).

So if you're using Slackware (it has a built-in DNS daemon named dnsmasq), on the 2nd or 3rd page of this thread there is a solution for how to use dnsmasq to resolve DNS problems,
...and if you're using Red Hat or Mandrake, try to use dnsmasq as well (search Google to find the download page).
Here is my configuration file for dnsmasq:

dnsmasq.conf
# Never forward plain names (with a dot or domain part)
##########domain-needed
# Reply to reverse queries for addresses in the non-routed address
# space with the dotted.quad address
bogus-priv
# Filter useless windows-originated DNS requests
##############filterwin2k <----- here modified, I had to comment this line


# Change this line if you want dns to get its upstream servers from
# somewhere other that /etc/resolv.conf
#resolv-file=

# By default, dnsmasq will send queries to any of the upstream
# servers it knows about and tries to favour servers to are known
# to be up. Uncommenting this forces dnsmasq to try each query
# with each server strictly in the order they appear in
# /etc/resolv.conf
strict-order <-------------------here modified, I had to uncomment this line

.................................................................................................... .....................

# If you want to disable negative caching, uncomment this.
#no-negcache

# Normally responses which come form /etc/hosts and the DHCP lease
# file have Time-To-Live set as zero, which conventionally means
# do not cache further. If you are happy to trade lower load on the
# server for potentially stale date, you can set a time-to-live (in
# seconds) here.
#local-ttl=

# If you want dnsmasq to detect attempts by Verisign to send queries
# to unregistered .com and .net hosts to its sitefinder service and
# have dnsmasq instead return the correct NXDOMAIN response, uncomment
# this line. You can add similar lines to do the same for other
# registries which have implemented wildcard A records.
#bogus-nxdomain=64.94.110.11

# If you want to fix up DNS results from upstream servers, use the
# alias option. This only works for IPv4.
# This alias makes a result of 1.2.3.4 appear as 5.6.7.8
#alias=1.2.3.4,5.6.7.8


alias=81.196.25.xx,192.168.0.2 <----------------here modified


# and this maps 1.2.3.x to 5.6.7.x
#alias=1.2.3.0,5.6.7.0,255.255.255.0

# For debugging purposes, log each DNS query as it passes through
# dnsmasq.
log-queries

# Include a another lot of configuration options.
#conf-file=/etc/dnsmasq.more.conf


So any DNS request to 192.168.0.2 will be translated as a direct request to 81.196.25.xx (my ISP's primary DNS).

Last edited by fritz001; 10-20-2004 at 05:17 AM.
 
Old 11-05-2004, 05:34 AM   #43
fritz001
Member
 
Registered: Aug 2004
Posts: 176

Original Poster
Rep: Reputation: 18
Well, it's me again.
So I've upgraded my primary connection speed to 512kb.
I also bought another 512kb.

So I have eth0 - first 512kb connection (81.192.21.22)
eth1 - second 512kb connection (81.192.21.32)
eth2 - LAN connection

...and 20 LAN users.

Well, now the problem:

The first 10 users are to be forwarded to the Internet via eth0 and the rest via eth1.

To be more specific:

192.168.0.4
--->81.192.21.22 (on eth0)
192.168.0.5


192.168.0.9
-->81.192.21.22 (on eth0)
192.168.0.23

......................

192.168.0.34

-->81.192.21.32 (on eth1)
192.168.0.221


Well, I just don't know where to begin...

Thanks!!!
 
  

