Hi people,
I am a newbie but I learn very fast.
The server is a Slack 9.0 ... sharing internet to 20 computers.
Now I rented 16 IPs from my ISP ... but I don't know how to use iptables ... here is my configuration.
In rc.local:
/sbin/ifconfig eth0:1 213.xxx.xxx.xxx netmask 255.255.255.0 broadcast 213.xxx.xxx.xxx (identical with the IP)
/sbin/ifconfig eth0:2 213.xxx.xxx.xxx netmask ...........
etc. etc. for all 16 IPs
In rc.firewall:
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.2 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.3 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.4 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.5 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.6 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.7 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.8 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.9 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.10 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.11 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.12 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.13 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.14 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.15 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.16 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.17 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.20 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
/usr/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.23 -o eth0 -j SNAT --to 213.xxx.xxx.xxx
echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -m tcp --dport 27015 -j DNAT --to-destination 192.168.0.3:27015
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -m tcp --dport 27015 -j DNAT --to-destination 192.168.0.3:27015
$IPTABLES -A INPUT -p tcp -m tcp --dport 27015 -j ACCEPT
$IPTABLES -A INPUT -p udp -m udp --dport 27015 -j ACCEPT
And it works.
Now my questions:
In the future I will install Apache and the firewall must accept connections.
How can I block the scanning and stuff like that??
An nmap scan says this about open ports:
79/tcp open finger
111/tcp open sunrpc
113/tcp open auth
Is it recommended to block these ports??? And how do I do that?
I forgot to tell you ... I use IRC and I need ident requests to work, otherwise I can't connect.
And the last request ...
I changed the port for SSH ... how can I make SSH respond only to my address (I am outside this network)?
P.S.: I found this in syslog:
Aug 7 22:37:03 golden kernel: hda: status error: status=0x58 { DriveReady SeekComplete DataRequest }
Aug 7 22:37:03 golden kernel: hda: drive not ready for command
Aug 7 22:37:28 golden kernel: hda: irq timeout: status=0xd0 { Busy }
Aug 7 22:37:28 golden kernel: ide0: reset: success
Aug 8 10:25:45 golden in.identd[5709]: request_thread: read(10, ..., 1023) failed: Connection reset by peer
Aug 8 22:04:32 golden fingerd[7221]: Client hung up - probable port-scan
What is the first error with hda ... please don't say: the HDD will fail soon.
Thanks all
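Added example (not the poster's rc.firewall, nor a reply from the thread): a small generator that prints the rule set as text so it can be reviewed before being piped into a shell. It collapses the per-host SNAT lines into a mapping table and shows an INPUT chain that answers only established traffic, SSH from one outside address, and ident (113) for IRC, while finger (79) and sunrpc (111) are not accepted from the outside. INTIF, SSH_PORT, ADMIN_IP and the 203.0.113.x / 192.168.0.x pairs are assumed placeholders; the post does not give them.

```shell
#!/bin/sh
# Assumptions (none of these values come from the post):
IPTABLES=/usr/sbin/iptables
EXTIF=eth0              # public side, as in the post
INTIF=eth1              # assumed LAN side
SSH_PORT=2222           # placeholder for the moved sshd port
ADMIN_IP=198.51.100.7   # placeholder for the one outside address allowed to reach sshd

# Constructed 1:1 map "LAN host  public alias" (203.0.113.x stands in for the rented block).
SNAT_MAP="
192.168.0.2 203.0.113.2
192.168.0.3 203.0.113.3
"

# One POSTROUTING SNAT rule per pair; only -s and --to-source change between lines.
snat_rules() {
    echo "$SNAT_MAP" | while read -r lan pub; do
        [ -n "$lan" ] || continue
        echo "$IPTABLES -t nat -A POSTROUTING -s $lan -o $EXTIF -j SNAT --to-source $pub"
    done
}

# INPUT chain for the gateway itself. Default policy DROP, then explicit exceptions:
# loopback, replies to existing connections, anything from the LAN, sshd from ADMIN_IP only,
# ident for IRC servers, and port 80 for the future Apache. Ports 79 and 111 get no rule,
# so they are logged and dropped; the services themselves should also be disabled in inetd.
input_rules() {
    cat <<EOF
$IPTABLES -P INPUT DROP
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport $SSH_PORT -s $ADMIN_IP -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -j LOG --log-prefix "INPUT drop: "
EOF
}

# Print the whole generated rule set; apply with: sh thisfile.sh | sh  (as root, after review)
snat_rules
input_rules
```

Hosts not listed in SNAT_MAP still fall through to the MASQUERADE rule from the original script, and the ESTABLISHED,RELATED rule must stay above the per-port rules or replies to the gateway's own connections are dropped.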