LinuxQuestions.org

Linux - Security: Redirect port80 request from internal network? (https://www.linuxquestions.org/questions/linux-security-4/redirect-port80-request-from-internal-network-722286/)

fruitwerks 04-28-2009 12:23 PM

Redirect port80 request from internal network?
 
OK, so I thought I had it all worked out! I am trying to do a transparent proxy (it is working...), but the rule that made that work blocked public access to my webserver. You can see the line that made this happen commented out at the bottom. I need requests for port 80 on the public side to go to port 80, but internal requests for port 80 rerouted to squid.

Code:

#!/bin/bash

SYSCTL="/sbin/sysctl -w"
IPT="/sbin/iptables"
INET_IFACE="eth1"
LOCAL_IFACE="eth0"
LOCAL_IP="172.24.0.8"
LOCAL_NET="172.24.0.0/24"
LOCAL_BCAST="172.24.0.255"
LO_IFACE="lo"
LO_IP="127.0.0.1"

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe xt_state

echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

$IPT -N bad_packets
$IPT -N bad_tcp_packets
$IPT -N icmp_packets
$IPT -N udp_inbound
$IPT -N udp_outbound
$IPT -N tcp_inbound
$IPT -N tcp_outbound

$IPT -N SSH_MONITOR
$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_MONITOR
$IPT -A SSH_MONITOR -m recent --set --name SSH
$IPT -A SSH_MONITOR -m recent --update --seconds 60 --hitcount 3 --name SSH -j DROP

$IPT -A bad_packets -p ALL -i $INET_IFACE -s $LOCAL_NET -j DROP
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP
$IPT -A bad_packets -p tcp -j bad_tcp_packets
$IPT -A bad_packets -p ALL -j RETURN

$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE -j RETURN
# The RETURN above matches every TCP packet from $LOCAL_IFACE, so this rule is never reached.
$IPT -A bad_tcp_packets -p tcp -i $LOCAL_IFACE ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "fp=bad_tcp_packets:1 a=DROP "
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "fp=bad_tcp_packets:2 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "fp=bad_tcp_packets:3 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "fp=bad_tcp_packets:4 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "fp=bad_tcp_packets:5 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "fp=bad_tcp_packets:6 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "fp=bad_tcp_packets:7 a=DROP "
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A bad_tcp_packets -p tcp -j RETURN

$IPT -A icmp_packets --fragment -p ICMP -j LOG --log-prefix "fp=icmp_packets:1 a=DROP "
$IPT -A icmp_packets --fragment -p ICMP -j DROP

$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG --log-prefix "fp=icmp_packets:2 a=ACCEPT "
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
$IPT -A icmp_packets -p ICMP -j RETURN

$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j REJECT
# Shadowed by the REJECT above; this ACCEPT never matches.
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 113 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 123 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 161 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 4779 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 4780 -j ACCEPT

$IPT -A udp_inbound -p UDP -s 0/0 --source-port 67 --destination-port 68 -j ACCEPT
$IPT -A udp_inbound -p UDP -j RETURN
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 113 -j REJECT
#$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT
#$IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 110 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 143 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 900:901 -j ACCEPT
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 4776 -j ACCEPT
$IPT -A tcp_inbound -p TCP -j RETURN
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT

$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
$IPT -A INPUT -p ALL -j bad_packets
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
$IPT -I INPUT -s 81.157.0.0/16 -j DROP
$IPT -I INPUT -s 220.191.0.0/16 -j DROP
$IPT -I INPUT -s 60.12.0.0/16 -j DROP
$IPT -I INPUT -s 219.142.0.0/16 -j DROP
$IPT -I INPUT -s 202.205.0.0/16 -j DROP
$IPT -I INPUT -s 211.140.0.0/16 -j DROP
$IPT -I INPUT -s 84.38.0.0/16 -j DROP
$IPT -I INPUT -s 10.0.0.0/8 -j DROP
# iptables masks off host bits, so 192.0.0.0/8, 85.255.0.0/8 and 79.172.205.0/8 each block
# a whole first octet (192.0.0.0/8, 85.0.0.0/8, 79.0.0.0/8) and 212.2.125.64/16 blocks 212.2.0.0/16.
$IPT -I INPUT -s 192.0.0.0/8 -j DROP
$IPT -I INPUT -s 85.255.0.0/8 -j DROP
$IPT -I INPUT -s 212.2.125.64/16 -j DROP
$IPT -I INPUT -s 212.6.198.0/24 -j DROP
$IPT -I INPUT -s 79.172.205.0/8 -j DROP
$IPT -I INPUT -m iprange --src-range 221.12.36.232-221.12.59.239 -j DROP
$IPT -I INPUT -s 190.158.230.0/24 -j DROP
$IPT -I INPUT -s 77.79.70.0/24 -j DROP
$IPT -I INPUT -s 82.207.66.0/24 -j DROP

#cat /root/cidr_block.log | while read address; do
#  $IPT -I INPUT -s "$address" -j REJECT
#done

$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
$IPT -A INPUT -p UDP -i $LOCAL_IFACE --source-port 68 --destination-port 67 -j ACCEPT
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP

$IPT -A FORWARD -p ALL -j bad_packets

$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPT -A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "

$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
$IPT -A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "

# Commented out: without "-i $LOCAL_IFACE" this also redirects public port-80 traffic
# arriving on $INET_IFACE to 3128, which tcp_inbound never accepts (see the follow-up below).
#$IPT -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 3128
$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
$IPT -t mangle -A OUTPUT -o $INET_IFACE -j TTL --ttl-set 128


fruitwerks 04-28-2009 06:39 PM

-i eth0

The interface was not specified, so web requests from the outside went to a black hole.
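The follow-up's fix written out as an added example (not the thread's script): the REDIRECT bound to the LAN interface, a pre-flight check that refuses to load an unscoped REDIRECT, and the matching INPUT rules. Interface names, addresses and the squid port are assumed from the original script.

```shell
#!/bin/bash
# Added example (not the thread's script): the transparent-proxy REDIRECT scoped to
# the LAN interface, as the follow-up post suggests.  Without "-i", the nat
# PREROUTING rule also rewrites packets arriving on the Internet side, so public
# requests for port 80 land on port 3128, which the INPUT chain never accepts.
# Interface names, addresses and the squid port are assumed from the original script.
IPT="${IPT:-/sbin/iptables}"
LOCAL_IFACE="eth0"
INET_IFACE="eth1"
LOCAL_IP="172.24.0.8"
LOCAL_NET="172.24.0.0/24"
SQUID_PORT="3128"

# Emit one iptables argument list per line; nothing is applied by this function.
tproxy_rules() {
  # Divert only LAN-originated web traffic to squid.  "! -d $LOCAL_IP" keeps LAN
  # clients able to reach the box's own web server without going through the proxy.
  printf '%s\n' "-t nat -A PREROUTING -i $LOCAL_IFACE -s $LOCAL_NET ! -d $LOCAL_IP -p tcp --dport 80 -j REDIRECT --to-ports $SQUID_PORT"
  # The INPUT policy is DROP, so the redirected port must be opened to the LAN only.
  printf '%s\n' "-A INPUT -i $LOCAL_IFACE -s $LOCAL_NET -p tcp --dport $SQUID_PORT -m state --state NEW -j ACCEPT"
  # The public web server stays reachable on plain port 80 from the Internet side.
  printf '%s\n' "-A INPUT -i $INET_IFACE -p tcp --dport 80 -m state --state NEW -j ACCEPT"
}

# Pre-flight check: every REDIRECT rule must be bound to the LAN interface.
# Returns 0 when that holds, 1 when an unscoped REDIRECT (the thread's bug) is present.
check_redirect_scoped() {
  ! tproxy_rules | grep -- '-j REDIRECT' | grep -qv -- "-i $LOCAL_IFACE"
}

# Load the rules through $IPT; refuses to run if the check above fails.
apply_rules() {
  check_redirect_scoped || { echo "refusing to load: REDIRECT rule not limited to $LOCAL_IFACE" >&2; return 1; }
  tproxy_rules | while read -r rule; do
    # Word splitting of $rule into separate iptables arguments is intended here.
    $IPT $rule
  done
}

# Dry run by default (prints the rules); pass --apply to load them (needs root).
if [ "${1:-}" = "--apply" ]; then apply_rules; else tproxy_rules; fi
```

Run it without arguments to review the generated rules; `--apply` hands them to iptables only after the scoping check passes.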

