Old 02-02-2005, 01:40 PM   #1
Ateo
Member
 
Registered: Sep 2004
Location: Long Beach, CA
Distribution: FreeBSD,Ubuntu,Gentoo,MacOS
Posts: 139

Rep: Reputation: 15
Verifying IPTable rules...


This is my first endeavor with IPTables in many years. I've successfully installed the Sveasoft Alchemy firmware onto my WRT54G Linksys router. What I'm looking for here is a 2nd pair of eyes that is more familiar with IPTables to look over my ruleset before I actually implement them. I'm hoping that someone/anyone can point out inconsistencies/errors/security holes that I may be introducing into my router and LAN. I've documented what every ruleset should be (as far as I know). In a nutshell, I'm just looking for feedback on these rules. Any input would be greatly appreciated..

One thing that I need clarified is the difference between DROP and DROPl (lower case L in the 2nd DROP....)

Thanks in advance......

For easier reading, I've placed it on my server:

http://www.skepticshour.com/extra/firewall.txt

Code:
##
## Some basic information on my network:
##
## My ISP has assigned me 2 public IP addresses
##
## One IP address is designated for all LAN traffic (assigned to WAN/vlan1/eth0)
## not including any one-to NAT mappings.
##
## One IP address is designated for a one-to-one NAT map (virtual, assigned to vlan1:1/eth0:1)
## for my public server. PUBLIC_IP_#2 --> 192.168.4.x
##
## Private LAN subnet is: 192.168.4.0/24
##
## ** WAN == vlan1 == eth0
## ** LAN == br0
## The above port names are all the same device, respectively. NOTE: To configure the interfaces,
## it is vlan1 and br0.
##

##
## Configure vlan1 with both IPs (or more)
## Add IP address to WAN interface (virtual IP)
## The first one will always be the interface IP,
## while the rest are simply virtual IPs for that interface....
## The following 2 commands are specific to the router (or maybe not)
##
/usr/sbin/ifconfig vlan1 PUBLIC_IP_#1 netmask 255.255.255.0
/usr/sbin/ip addr add PUBLIC_IP_#2/24 brd + dev vlan1

##
## Flush rules and delete chains
##
/usr/sbin/iptables -F
/usr/sbin/iptables -X

##
## Block out Internet access on vlan1
##
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P OUTPUT DROP
/usr/sbin/iptables -P FORWARD DROP
/usr/sbin/iptables -A INPUT -i vlan1 -m state --state NEW,INVALID -j DROP
/usr/sbin/iptables -A FORWARD -i vlan1 -m state --state NEW,INVALID -j DROP

##
## Now we are going to accept all traffic from our loopback device.
## Anything arriving on lo was generated locally, so no source-address test
## is needed (iptables -s takes an address or network, not an interface name
## such as vlan1 or br0).
##
/usr/sbin/iptables -A INPUT -i lo -j ACCEPT

##
## Block Broadcasts
##
/usr/sbin/iptables -A INPUT -i vlan1 -d 255.255.255.255 -j DROPl
/usr/sbin/iptables -A INPUT -i br0 -d 192.168.4.255 -j DROPl
/usr/sbin/iptables -A OUTPUT -o vlan1 -d 255.255.255.255 -j DROPl
/usr/sbin/iptables -A OUTPUT -o br0 -d 192.168.4.255  -j DROPl
/usr/sbin/iptables -A FORWARD -o vlan1 -d 255.255.255.255 -j DROPl
/usr/sbin/iptables -A FORWARD -o br0 -d 192.168.4.255 -j DROPl

##
## Block WAN access to internal network
## *****
## I'm unsure about this one. Should I replace 
## the PUBLIC_IPs to my internal subnet?????
## *****
##
/usr/sbin/iptables -A INPUT -i vlan1 -d ! PUBLIC_IP_#2 -j DROPl
/usr/sbin/iptables -A INPUT -i vlan1 -d ! PUBLIC_IP_#1 -j DROPl

OR

/usr/sbin/iptables -A INPUT -i vlan1 -d ! 192.168.4.0/255.255.255.0 -j DROPl
/usr/sbin/iptables -A INPUT -i vlan1 -d ! 192.168.4.0/255.255.255.0 -j DROPl

##
## Block all addresses except local networks
##
/usr/sbin/iptables -A INPUT -i br0 -s ! 192.168.4.0/255.255.255.0 -j DROPl
/usr/sbin/iptables -A OUTPUT -o br0 -d ! 192.168.4.0/255.255.255.0 -j DROPl
/usr/sbin/iptables -A FORWARD -i br0 -s ! 192.168.4.0/255.255.255.0 -j DROPl
/usr/sbin/iptables -A FORWARD -o br0 -d ! 192.168.4.0/255.255.255.0 -j DROPl

##
## Block popular attacks to TCP ports
## All rules here were found elsewhere
##
/usr/sbin/iptables -A INPUT -p tcp --dport 0:1 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 0:1 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 0:1 -j DROPl 

/usr/sbin/iptables -A INPUT -p tcp --dport 13 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 13 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 13 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 98 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 98 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 98 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 111 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 111 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 111 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 137:139 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 137:139 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 137:139 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 161:162 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 161:162 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 161:162 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 445 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 445 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 445 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 1214 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 1214 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 1214 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 1999 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 1999 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 1999 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 2049 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 2049 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 2049 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 3049 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 3049 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 3049 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 3821 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 3821 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 3821 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 4329 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 4329 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 4329 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 6346 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 6346 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 6346 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 8000 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 8000 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 8000 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 8008 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 8008 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 8008 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 8080 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 8080 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 8080 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 12345 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 12345 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 12345 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 65535 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 65535 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 65535 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 98 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 98 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 98 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 512:515 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 512:515 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 512:515 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 1080 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 1080 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 1080 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 6000:6009 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 6000:6009 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 6000:6009 -j DROPl

/usr/sbin/iptables -A INPUT -p tcp --dport 6112 -j DROPl
/usr/sbin/iptables -A OUTPUT -p tcp --dport 6112 -j DROPl
/usr/sbin/iptables -A FORWARD -p tcp --dport 6112 -j DROPl

##
## Block popular attacks to UDP ports
## All rules here were found elsewhere
##
/usr/sbin/iptables -A INPUT -p udp --dport 0:1 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 0:1 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 0:1 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 13 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 13 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 13 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 98 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 98 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 98 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 111 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 111 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 111 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 137:139 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 137:139 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 137:139 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 161:162 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 161:162 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 161:162 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 445 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 445 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 445 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 1214 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 1214 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 1214 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 1999 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 1999 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 1999 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 2049 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 2049 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 2049 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 3049 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 3049 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 3049 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 3128 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 3128 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 3128 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 4329 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 4329 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 4329 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 6346 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 6346 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 6346 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 8000 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 8000 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 8000 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 8008 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 8008 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 8008 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 8080 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 8080 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 8080 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 12345 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 12345 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 12345 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 65535 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 65535 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 65535 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 161:162 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 161:162 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 161:162 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 520 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 520 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 520 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 123 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 123 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 123 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 517:518 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 517:518 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 517:518 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 1427 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 1427 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 1427 -j DROPl

/usr/sbin/iptables -A INPUT -p udp --dport 9000 -j DROPl
/usr/sbin/iptables -A OUTPUT -p udp --dport 9000 -j DROPl
/usr/sbin/iptables -A FORWARD -p udp --dport 9000 -j DROPl

##
## Allow LAN to use TCP services
##
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport domain --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport ssh --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport http --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport https --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport ftp --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport ftp-data --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport mail --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport pop3 --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport time --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p tcp -s PUBLIC_IP_#1 --dport rsync --syn -m state --state NEW -j ACCEPT

/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport domain --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport ssh --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport http --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport https --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport ftp --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport ftp-data --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport mail --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport pop3 --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport time --syn -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p tcp -s 192.168.4.0/255.255.255.0 --dport rsync --syn -m state --state NEW -j ACCEPT

##
## Allow LAN to use UDP services
##
/usr/sbin/iptables -A OUTPUT -o vlan1 -p udp -s PUBLIC_IP_#1 --dport domain -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A OUTPUT -o vlan1 -p udp -s PUBLIC_IP_#1 --dport time -m state --state NEW -j ACCEPT

/usr/sbin/iptables -A FORWARD -i br0 -p udp -s 192.168.4.0/255.255.255.0 --dport domain -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p udp -s 192.168.4.0/255.255.255.0 --dport time -m state --state NEW -j ACCEPT

##
## Allow router and internal network to ping the outside world
##
/usr/sbin/iptables -A OUTPUT -o vlan1 -p icmp -s PUBLIC_IP_#1 --icmp-type 8 -m state --state NEW -j ACCEPT
/usr/sbin/iptables -A FORWARD -i br0 -p icmp -s 192.168.4.0/255.255.255.0 --icmp-type 8 -m state --state NEW -j ACCEPT

##
## Allow firewall to ping internal systems
##
/usr/sbin/iptables -A OUTPUT -o br0 -p icmp -s 192.168.4.0/255.255.255.0 --icmp-type 8 -m state --state NEW -j ACCEPT

##
## Block outbound ICMP  (except for PING)
##
/usr/sbin/iptables -A OUTPUT -o vlan1 -p icmp --icmp-type ! 8 -j DROPl
/usr/sbin/iptables -A FORWARD -o vlan1 -p icmp --icmp-type ! 8 -j DROPl 

##
## Block all inbound ICMP from internet
##
/usr/sbin/iptables -A INPUT -d ! 192.168.4.0/255.255.255.0 -p icmp -j DROPl

##
## Enable masquerading to allow LAN internet access
##
/usr/sbin/iptables -t nat -A PREROUTING -j ACCEPT
/usr/sbin/iptables -t nat -A POSTROUTING -o vlan1 -s 192.168.4.0/255.255.255.0 -j MASQUERADE
/usr/sbin/iptables -t nat -A POSTROUTING -j ACCEPT
/usr/sbin/iptables -t nat -A OUTPUT -j ACCEPT

##
## Forward LAN traffic from br0 to Internet interface vlan1
##
/usr/sbin/iptables -A FORWARD -i br0 -o vlan1 -m state --state NEW,ESTABLISHED -j ACCEPT

##
## Allowing access to sshd from local network only
##
/usr/sbin/iptables -A INPUT -s 192.168.4.0/255.255.255.0 --protocol tcp --dport 22 -j ACCEPT
                                                                               
##
## Allowing access httpd from local network only
##
/usr/sbin/iptables -A INPUT -s 192.168.4.0/255.255.255.0 --protocol tcp --dport 80 -j ACCEPT

##
## Forward specific ports to internal nodes
## Forwarding is based on requests made to PUBLIC_IP_#1.
## --dport needs a protocol (tcp is assumed here; add udp copies if a service
## also uses UDP), and --dports exists only together with -m multiport.
##
/usr/sbin/iptables -I PREROUTING -t nat -d PUBLIC_IP_#1 -p tcp --dport 4661:4672 -j DNAT --to-destination 192.168.4.20
/usr/sbin/iptables -I PREROUTING -t nat -d PUBLIC_IP_#1 -p tcp --dport 5631:5632 -j DNAT --to-destination 192.168.4.241
/usr/sbin/iptables -I PREROUTING -t nat -d PUBLIC_IP_#1 -p tcp --dport 6900:6981 -j DNAT --to-destination 192.168.4.20
/usr/sbin/iptables -I PREROUTING -t nat -d PUBLIC_IP_#1 -p tcp --dport 8002:8004 -j DNAT --to-destination 192.168.4.241

##
## One-to-one NAT mapping
##
/usr/sbin/iptables -I PREROUTING -t nat -d PUBLIC_IP_#2 -j DNAT --to-destination 192.168.4.240

##
## Allow outside requests to services be forwarded
##
/usr/sbin/iptables -I FORWARD -d 192.168.4.240 --protocol tcp --dport 21 -j ACCEPT
/usr/sbin/iptables -I FORWARD -d 192.168.4.240 --protocol tcp --dport 25 -j ACCEPT
/usr/sbin/iptables -I FORWARD -d 192.168.4.240 --protocol udp --dport 53 -j ACCEPT
/usr/sbin/iptables -I FORWARD -d 192.168.4.240 --protocol tcp --dport 80 -j ACCEPT
/usr/sbin/iptables -I FORWARD -d 192.168.4.240 --protocol tcp --dport 110 -j ACCEPT
/usr/sbin/iptables -I FORWARD -d 192.168.4.240 --protocol tcp --dport 420 -j ACCEPT

##
## Outbound NAT
##
/usr/sbin/iptables -I POSTROUTING -t nat -s 192.168.4.240 -j SNAT --to PUBLIC_IP_#2

##
## Drop all packets to destination/sources not specified in
## previous rules
##
/usr/sbin/iptables -A INPUT -j DROPl
/usr/sbin/iptables -A OUTPUT -j DROPl
/usr/sbin/iptables -A FORWARD -j DROPl

Last edited by Ateo; 02-02-2005 at 01:44 PM.
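A static walk through the rules above, added here as an editor's example (it is not code from the post, from Sveasoft, or from any iptables tool). It parses a constructed excerpt of the ruleset, with PUBLIC_IP_#1 replaced by the documentation address 198.51.100.10 and numeric ports only; it models the filter table's interface, protocol, address (including the old `-d ! addr` negation), `--dport` and `--state` matches, ignores every other option, and walks constructed sample packets through INPUT and FORWARD in first-match order, with `-I` placing a rule at the top of its chain as iptables does. It also lists jump targets that are neither built in nor created with `-N` anywhere in the script, which is how DROPl surfaces: the script never defines it, and whether the firmware predefines it is not something the ruleset itself shows. The packet walk makes the ordering question concrete: as posted, neither INPUT nor FORWARD accepts ESTABLISHED traffic arriving on vlan1, so the reply to the router's own DNS query and the reply to a LAN client's web request both fall through to the final catch-all DROPl, while the LAN-to-router ssh and LAN-to-Internet http packets are accepted.

```python
import shlex
from ipaddress import ip_address, ip_network

# Constructed excerpt of the ruleset under review (numeric ports only); PUBLIC_IP_#1 is
# replaced by the RFC 5737 documentation address 198.51.100.10 so that addresses parse.
RULESET = """
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P FORWARD DROP
/usr/sbin/iptables -A INPUT -i vlan1 -m state --state NEW,INVALID -j DROP
/usr/sbin/iptables -A FORWARD -i vlan1 -m state --state NEW,INVALID -j DROP
/usr/sbin/iptables -A INPUT -i vlan1 -d ! 198.51.100.10 -j DROPl
/usr/sbin/iptables -A INPUT -i br0 -s ! 192.168.4.0/255.255.255.0 -j DROPl
/usr/sbin/iptables -t nat -A POSTROUTING -o vlan1 -s 192.168.4.0/255.255.255.0 -j MASQUERADE
/usr/sbin/iptables -A FORWARD -i br0 -o vlan1 -m state --state NEW,ESTABLISHED -j ACCEPT
/usr/sbin/iptables -A INPUT -s 192.168.4.0/255.255.255.0 --protocol tcp --dport 22 -j ACCEPT
/usr/sbin/iptables -I FORWARD -d 192.168.4.240 --protocol tcp --dport 80 -j ACCEPT
/usr/sbin/iptables -A INPUT -j DROPl
/usr/sbin/iptables -A FORWARD -j DROPl
"""
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "LOG", "RETURN", "MASQUERADE", "SNAT", "DNAT"}
SIMPLE_OPTS = {"-i": "in_if", "-o": "out_if", "-p": "proto", "--protocol": "proto", "-j": "target"}

def parse_ruleset(text):
    """Return (chains, policies, defined_chains); -I rules go to the top of their chain."""
    chains, policies, defined = {}, {}, set()
    for line in text.splitlines():
        toks = shlex.split(line)[1:]                          # drop the iptables binary
        if not toks or ("-t" in toks and toks[toks.index("-t") + 1] != "filter"):
            continue                                          # blank line, or not the filter table
        rule, insert = {"raw": line.strip()}, False
        while toks:
            tok = toks.pop(0)
            if tok == "-P":
                policies[toks[0]] = toks[1]
                break
            if tok == "-N":
                defined.add(toks[0])
                break
            if tok in ("-A", "-I"):
                rule["chain"], insert = toks.pop(0), tok == "-I"
            elif tok in SIMPLE_OPTS:
                rule[SIMPLE_OPTS[tok]] = toks.pop(0)
            elif tok in ("-s", "-d"):
                neg = toks[0] == "!" and toks.pop(0) == "!"   # consume old-style "-d ! addr"
                rule["src" if tok == "-s" else "dst"] = (ip_network(toks.pop(0), strict=False), neg)
            elif tok == "--dport":
                lo, _, hi = toks.pop(0).partition(":")
                rule["dport"] = (int(lo), int(hi or lo))
            elif tok == "--state":
                rule["states"] = frozenset(toks.pop(0).split(","))
            elif tok in ("-m", "--icmp-type", "--to-destination", "--to"):
                toks.pop(0)                                   # argument not modelled; --syn, -F, -X ignored
        if "chain" in rule and "target" in rule:
            lst = chains.setdefault(rule["chain"], [])
            lst.insert(0 if insert else len(lst), rule)
    return chains, policies, defined

def matches(rule, pkt):
    """True when pkt satisfies every match the rule carries; absent matches are wildcards."""
    for key in ("in_if", "out_if", "proto"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    for key in ("src", "dst"):
        if key in rule and (ip_address(pkt[key]) in rule[key][0]) == rule[key][1]:
            return False                                      # outside the net, or negation hit
    if "dport" in rule and not rule["dport"][0] <= pkt.get("dport", -1) <= rule["dport"][1]:
        return False
    return "states" not in rule or pkt["state"] in rule["states"]

def walk(chain, pkt, chains, policies):
    """Verdict and rule text of the first matching rule, else the chain policy."""
    for rule in chains.get(chain, []):
        if matches(rule, pkt):
            return rule["target"], rule["raw"]
    return policies.get(chain, "ACCEPT"), f"policy {chain}"

def undefined_targets(chains, defined):
    """Jump targets that are neither built in nor created with -N anywhere in the script."""
    return sorted({r["target"] for rules in chains.values() for r in rules} - BUILTIN_TARGETS - defined)

def pkt(in_if, proto, src, dst, dport, state, out_if=None):
    return dict(in_if=in_if, out_if=out_if, proto=proto, src=src, dst=dst, dport=dport, state=state)

# Constructed sample packets; 203.0.113.0/24 stands in for arbitrary Internet hosts.
PACKETS = {
    "lan_ssh_to_router": ("INPUT", pkt("br0", "tcp", "192.168.4.50", "192.168.4.1", 22, "NEW")),
    "dns_reply_to_router": ("INPUT", pkt("vlan1", "udp", "203.0.113.53", "198.51.100.10", 40000, "ESTABLISHED")),
    "lan_http_out": ("FORWARD", pkt("br0", "tcp", "192.168.4.50", "203.0.113.80", 80, "NEW", "vlan1")),
    "http_reply_to_lan": ("FORWARD", pkt("vlan1", "tcp", "203.0.113.80", "192.168.4.50", 51000, "ESTABLISHED", "br0")),
}

def report(ruleset=RULESET):
    """Verdict for every sample packet plus the list of jump targets the script never defines."""
    chains, policies, defined = parse_ruleset(ruleset)
    out = {name: walk(chain, p, chains, policies)[0] for name, (chain, p) in PACKETS.items()}
    out["undefined_targets"] = undefined_targets(chains, defined)
    return out

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:20} -> {verdict}")
```

Run as a script it prints one verdict per sample packet; to check another ruleset, pass its text to report(). It is a static model, so it tells you which rule would claim a packet before anything is loaded on the router, and it complements rather than replaces testing on the device itself.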
 
Old 02-02-2005, 03:33 PM   #2
comprookie2000
Gentoo Developer
 
Registered: Feb 2004
Location: Fort Lauderdale FL.
Distribution: Gentoo
Posts: 3,291
Blog Entries: 5

Rep: Reputation: 58
You can use nmap or netstat; try:
nmap -help
 
  

