paddyhaig
asked on
Please can someone help me with my "Fire-Masq" I just need to be able to see internal servers as well as external Web.
I am looking for a little help with an IPtables init.d script issue.
Below is my predicament.
I decided to turn am old computer that I have into a NAT router/firewall for my internal network.
I installed two ethernet cards (eth0 & eth1 ) and installed RedHat Linux 7.3.
I also downloaded a NAT script from the Internet that uses IPTABLES.
I set the router/firewall up so that "eth0" is my WAN ( Public IP ) and "eth1" is my LAN ( Internal IP )
On my LAN ( Internal network ) I have 3 servers and 1 workstation, and also a wireless AP, that is used for
my wireless laptop and for my Neighbors wireless Internet connection. Oh and also the Linux router that
I am trying to configure here.
Here is how my network is presently configured.
1, The Linux router/firewall uses "eth0" conected to the Internet ( Public IP: 23.456.789.1 )
The router/firewall also doubles up as a DNS server for my domain.
and "eth1" my Private IP: 192.168.0.1 is connected to a 24 port switch.
Also connected to the above switch are the following systems:
Wireless Access Point ( IP: 192.168.0.2 ) This uses 192.168.1.0/24 for an 802.11b wireless network.
DataBase server ( IP: 192.168.0.5 )
Mail Server ( IP: 192.168.0.6 )
Web server ( IP: 192.168.0.7 )
Static Workstation ( IP: 192.168.0.14 )
The netmask for the above Ethernet wired network is: /28
My Problem:
Although it is quite possible to access the Web sites hosted on my Web server from outside of my network via the Internet, it
does not seem to be possible to access the Web sites from inside my network. The same aplies to my mail server. e.g. From my
work station or my wireless laptop I cannot pull up any Web sites hosted on my web server. I also cannot access my e-mail
using my domain name as a server name. ( I have to use an IP address )
One note: I would not believe that this could work at all, if it were not for the fact that it working just fine when I used
a Linksys Hardware router. I could pull up any web pages that were hosted on my web server without a problem.
Also just to let you know, the DNS seems to be working fine. I can ping my domain names from my internal network and they
seem to resolve correctly with the correct external IP of 23.456.789.1.
They just will not come up in my browser. I think it has to do with the port mapping possibly, but my experiance with
IPTABLES is somewhat limited.
Here is the present IPTABLES script that I am using.
--------------------------
#!/bin/sh
# description: nat
# chkconfig: 2345 99 00
case "$1" in
'start')
#!/bin/bash
# Do iptables based masquerading and firewalling.
# Set default PATH
export PATH=/sbin:/usr/sbin:/bin:
# Load NAT modules
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
# Load connection-tracking modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
# Disable response to broadcasts.
echo 1 > /proc/sys/net/ipv4/icmp_ec
# Don't accept source routed packets.
echo 0 > /proc/sys/net/ipv4/conf/al
# Disable ICMP redirect acceptance.
echo 0 > /proc/sys/net/ipv4/conf/al
# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ig
# Log spoofed packets, source routed packets, redirect packets
echo 1 > /proc/sys/net/ipv4/conf/al
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forw
# Clean old iptables
iptables -F
iptables -X
iptables -Z
# Allow forwarding through the internal interface
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Default forward policy to DROP
iptables -P FORWARD DROP
# Do masquerading through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Port Forwarding
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.1:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 222 -j DNAT --to-destination 192.168.0.6:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.7:21
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.6:25
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.6:110
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.7:80
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.6:8080
# Firewall Rules
# Loopback - Allow unlimited traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# SYN-Flooding Protection
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
# Make sure that new TCP connections are SYN packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
# Fragments : Don't trust the little buggers. Send 'em to hell.
iptables -A INPUT -i eth0 -f -j LOG --log-level debug --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i eth0 -f -j DROP
# Refuse spoofed packets claiming to be the loopback
iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP
# Allow BootP/DHCP UDP requests
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 67:68 -j ACCEPT
# DNS
# Allow UDP and TCP packets in for DNS client from nameservers
iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 53 -j ACCEPT
# SSH
# allow all sshd incoming connections (including the port fw)
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT
# HTTP
# allow all http/https incoming/return connections
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 443 -j ACCEPT
# FTP
# allow all ftpd incoming connections
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 21 -j ACCEPT
# Enable active ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable passive ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j
ACCEPT
# Enable ident probes (IRC)
iptables -t filter -A INPUT -i eth0 -p tcp -d 0/0 --dport 113 -j ACCEPT
# Allow ICMP in if it is related to other connections
iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow bot traffic through
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 8676 -j ACCEPT
# enable dcc
iptables -A INPUT -i eth0 -p tcp -m state --state RELATED -j ACCEPT
# LOGGING:
# UDP, log & drop
iptables -A INPUT -i eth0 -p udp -j LOG --log-level debug --log-prefix "IPTABLES UDP-IN: "
iptables -A INPUT -i eth0 -p udp -j DROP
# ICMP, log & drop
iptables -A INPUT -i eth0 -p icmp -j LOG --log-level debug --log-prefix "IPTABLES ICMP-IN: "
iptables -A INPUT -i eth0 -p icmp -j DROP
# Windows NetBIOS noise, log & drop
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "IPTABLES NETBIOS-IN: "
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j DROP
# IGMP noise, log & drop
iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: "
iptables -A INPUT -i eth0 -p 2 -j DROP
# TCP, log & drop
iptables -A INPUT -i eth0 -p tcp -j LOG --log-level debug --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT -i eth0 -p tcp -j DROP
# Anything else not allowed, log & drop
# iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "IPTABLES UNKNOWN-IN: "
# iptables -A INPUT -i eth0 -j DROP
touch /var/lock/subsys/nat
;;
'stop')
rm -f /var/lock/subsys/nat
;;
*)
echo "Usage: $0 { start | stop }"
;;
esac
exit 0
I solemly promise to share this script with all those on the Internet that want it, if I can get it going correctly.
Below is my predicament.
I decided to turn am old computer that I have into a NAT router/firewall for my internal network.
I installed two ethernet cards (eth0 & eth1 ) and installed RedHat Linux 7.3.
I also downloaded a NAT script from the Internet that uses IPTABLES.
I set the router/firewall up so that "eth0" is my WAN ( Public IP ) and "eth1" is my LAN ( Internal IP )
On my LAN ( Internal network ) I have 3 servers and 1 workstation, and also a wireless AP, that is used for
my wireless laptop and for my Neighbors wireless Internet connection. Oh and also the Linux router that
I am trying to configure here.
Here is how my network is presently configured.
1, The Linux router/firewall uses "eth0" conected to the Internet ( Public IP: 23.456.789.1 )
The router/firewall also doubles up as a DNS server for my domain.
and "eth1" my Private IP: 192.168.0.1 is connected to a 24 port switch.
Also connected to the above switch are the following systems:
Wireless Access Point ( IP: 192.168.0.2 ) This uses 192.168.1.0/24 for an 802.11b wireless network.
DataBase server ( IP: 192.168.0.5 )
Mail Server ( IP: 192.168.0.6 )
Web server ( IP: 192.168.0.7 )
Static Workstation ( IP: 192.168.0.14 )
The netmask for the above Ethernet wired network is: /28
My Problem:
Although it is quite possible to access the Web sites hosted on my Web server from outside of my network via the Internet, it
does not seem to be possible to access the Web sites from inside my network. The same aplies to my mail server. e.g. From my
work station or my wireless laptop I cannot pull up any Web sites hosted on my web server. I also cannot access my e-mail
using my domain name as a server name. ( I have to use an IP address )
One note: I would not believe that this could work at all, if it were not for the fact that it working just fine when I used
a Linksys Hardware router. I could pull up any web pages that were hosted on my web server without a problem.
Also just to let you know, the DNS seems to be working fine. I can ping my domain names from my internal network and they
seem to resolve correctly with the correct external IP of 23.456.789.1.
They just will not come up in my browser. I think it has to do with the port mapping possibly, but my experiance with
IPTABLES is somewhat limited.
Here is the present IPTABLES script that I am using.
--------------------------
#!/bin/sh
# description: nat
# chkconfig: 2345 99 00
case "$1" in
'start')
#!/bin/bash
# Do iptables based masquerading and firewalling.
# Set default PATH
export PATH=/sbin:/usr/sbin:/bin:
# Load NAT modules
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
# Load connection-tracking modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
# Disable response to broadcasts.
echo 1 > /proc/sys/net/ipv4/icmp_ec
# Don't accept source routed packets.
echo 0 > /proc/sys/net/ipv4/conf/al
# Disable ICMP redirect acceptance.
echo 0 > /proc/sys/net/ipv4/conf/al
# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ig
# Log spoofed packets, source routed packets, redirect packets
echo 1 > /proc/sys/net/ipv4/conf/al
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forw
# Clean old iptables
iptables -F
iptables -X
iptables -Z
# Allow forwarding through the internal interface
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Default forward policy to DROP
iptables -P FORWARD DROP
# Do masquerading through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Port Forwarding
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.1:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 222 -j DNAT --to-destination 192.168.0.6:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.7:21
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.6:25
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.6:110
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.7:80
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.6:8080
# Firewall Rules
# Loopback - Allow unlimited traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# SYN-Flooding Protection
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
# Make sure that new TCP connections are SYN packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
# Fragments : Don't trust the little buggers. Send 'em to hell.
iptables -A INPUT -i eth0 -f -j LOG --log-level debug --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i eth0 -f -j DROP
# Refuse spoofed packets claiming to be the loopback
iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP
# Allow BootP/DHCP UDP requests
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 67:68 -j ACCEPT
# DNS
# Allow UDP and TCP packets in for DNS client from nameservers
iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 53 -j ACCEPT
# SSH
# allow all sshd incoming connections (including the port fw)
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT
# HTTP
# allow all http/https incoming/return connections
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 443 -j ACCEPT
# FTP
# allow all ftpd incoming connections
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 21 -j ACCEPT
# Enable active ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable passive ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j
ACCEPT
# Enable ident probes (IRC)
iptables -t filter -A INPUT -i eth0 -p tcp -d 0/0 --dport 113 -j ACCEPT
# Allow ICMP in if it is related to other connections
iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow bot traffic through
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 8676 -j ACCEPT
# enable dcc
iptables -A INPUT -i eth0 -p tcp -m state --state RELATED -j ACCEPT
# LOGGING:
# UDP, log & drop
iptables -A INPUT -i eth0 -p udp -j LOG --log-level debug --log-prefix "IPTABLES UDP-IN: "
iptables -A INPUT -i eth0 -p udp -j DROP
# ICMP, log & drop
iptables -A INPUT -i eth0 -p icmp -j LOG --log-level debug --log-prefix "IPTABLES ICMP-IN: "
iptables -A INPUT -i eth0 -p icmp -j DROP
# Windows NetBIOS noise, log & drop
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "IPTABLES NETBIOS-IN: "
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j DROP
# IGMP noise, log & drop
iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: "
iptables -A INPUT -i eth0 -p 2 -j DROP
# TCP, log & drop
iptables -A INPUT -i eth0 -p tcp -j LOG --log-level debug --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT -i eth0 -p tcp -j DROP
# Anything else not allowed, log & drop
# iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "IPTABLES UNKNOWN-IN: "
# iptables -A INPUT -i eth0 -j DROP
touch /var/lock/subsys/nat
;;
'stop')
rm -f /var/lock/subsys/nat
;;
*)
echo "Usage: $0 { start | stop }"
;;
esac
exit 0
I solemly promise to share this script with all those on the Internet that want it, if I can get it going correctly.
ASKER
But if I make them resolve to the Internal IP, then people outside of my network will not be able to see the Websites?
They will get a non routable IP back when they query my name server.
They will get a non routable IP back when they query my name server.
Then you will either have to run a second instance of named (one listening in the external interface and the other one listening on the internal one), and have one resolve to the external IP and the other one to the internal IP (two different zone files).
Another thing you can do is adding to the hosts file on your LAN workstations the domain names and make them resolve to the internal IP.
I think the first one is a better way to do it since if you need several sub domains to resolve, then you don't have to keep adding them to the hosts file on every machine.
Take a look at named.conf man and create two named.conf (one for the internal and the other one for the external interface). You should use listen-on.
Hope it helps.
Lior
Another thing you can do is adding to the hosts file on your LAN workstations the domain names and make them resolve to the internal IP.
I think the first one is a better way to do it since if you need several sub domains to resolve, then you don't have to keep adding them to the hosts file on every machine.
Take a look at named.conf man and create two named.conf (one for the internal and the other one for the external interface). You should use listen-on.
Hope it helps.
Lior
ASKER
I appreciate your time on this liormmm, but I was really hoping that the might be just a couple of lines that I could add to the above script that might resolve my issue. The DNS route has been suggested to me already. I guess I will have to take that route "Chorkle" if it's the only resort. I did speak to a consultant, who said that he could fix it for a rather large sum of money. Although he did say that I would have to take the DMZ route using a third NIC.
I have the same setup, and here are some configuration templates that should resolve your problems:
IPTables script:
##
# First we disable IP forwarding and IP defrag, to
# protect against attacking while the machine is
# reloading its rules
##
echo '0' > /proc/sys/net/ipv4/ip_forw
echo '0' > /proc/sys/net/ipv4/ip_alwa
##
# Here are default policies. I set these to accept,
# because I implement my filtering in chains called
# from the table. If the packets match certain
# rules exactly, then the chain returns, otherwise
# the packets hit the LOG and DENY at the end.
##
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
# Flush rules and remove extra chains
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
##
# Add a NOHOST variable for rejection. This
# allows my server to send 'no such host'
# ICMP responses to certain types of requests,
# as opposed to timeouts, which are undesirable
# in certain circumstances.
##
NOHOST="REJECT --reject-with icmp-host-unreachable"
#####################
# Chain definitions #
#####################
##
# Create a chain for ICMP filtering.
##
$IPTABLES -N ICMP
IPT_ICMP_ADD="$IPTABLES -A ICMP"
# Allow only certain ICMP types ->eth0
$IPT_ICMP_ADD -p icmp -o eth0 -j RETURN --icmp-type host-unreachable
$IPT_ICMP_ADD -p icmp -o eth0 -j RETURN --icmp-type echo-request
$IPT_ICMP_ADD -p icmp -o eth0 -j LOG --icmp-type source-quench --log-prefix "c_00_icmp-1: "
$IPT_ICMP_ADD -p icmp -o eth0 -j RETURN --icmp-type source-quench
$IPT_ICMP_ADD -p icmp -o eth0 -j RETURN --icmp-type ttl-zero-during-reassembly
$IPT_ICMP_ADD -p icmp -o eth0 -j RETURN --icmp-type parameter-problem
#: Deny everything else
$IPT_ICMP_ADD -p icmp -o eth0 -j LOG --log-prefix "c_00_icmp-2: "
$IPT_ICMP_ADD -p icmp -o eth0 -j DROP
# Allow only certain ICMP types <-eth0
$IPT_ICMP_ADD -p icmp -i eth0 -j RETURN --icmp-type echo-reply -m state --state ESTABLISHED
$IPT_ICMP_ADD -p icmp -i eth0 -j RETURN --icmp-type destination-unreachable
$IPT_ICMP_ADD -p icmp -i eth0 -j LOG --icmp-type source-quench --log-prefix "c_00_icmp-3: "
$IPT_ICMP_ADD -p icmp -i eth0 -j RETURN --icmp-type source-quench
$IPT_ICMP_ADD -p icmp -i eth0 -j RETURN --icmp-type time-exceeded
$IPT_ICMP_ADD -p icmp -i eth0 -j RETURN --icmp-type parameter-problem
$IPT_ICMP_ADD -p icmp -i eth0 -j LOG --icmp-type 30 # Exp traceroute --log-prefix "c_00_icmp-4: "
$IPT_ICMP_ADD -p icmp -i eth0 -j RETURN --icmp-type 30 # Exp traceroute
# Deny everything else
$IPT_ICMP_ADD -p icmp -i eth0 -j LOG --log-prefix "c_00_icmp-5: "
$IPT_ICMP_ADD -p icmp -i eth0 -j $NOHOST
$IPT_ICMP_ADD -p icmp -i eth0 -j DROP
##
# Simple chains for port forwarding. This is
# special because I add an additional 'mark'
# chain that identifies packets that have been
# redirected from one port on the local host
# to another
##
$IPTABLES -t nat -N PortForwarding
$IPTABLES -t mangle -N PortFwdMark
IPT_PORT_FWD_ADD="$IPTABLE
IPT_PFWD_MRK_ADD="$IPTABLE
# Forward some kind of port to another host
$IPT_PORT_FWD_ADD -p tcp -i eth0 --dport PUBLIC_PORT -j DNAT --to-destination PRIVATE_HOST:PRIVATE_PORT
$IPT_PORT_FWD_ADD -p udp -i eth0 --dport PUBLIC_PORT -j DNAT --to-destination PRIVATE_HOST:PRIVATE_PORT
# Redirect a special port for ssh to public IP (Mark as redirected)
$IPT_PFWD_MRK_ADD -p tcp -i eth0 --dport PUBLIC_PORT -j MARK --set-mark 1
$IPT_PORT_FWD_ADD -p tcp -i eth0 --dport PUBLIC_PORT -j DNAT --to-destination IP_OF_eth0:PRIVATE_PORT
$IPT_PFWD_MRK_ADD -p udp -i eth0 --dport PUBLIC_PORT -j MARK --set-mark 1
$IPT_PORT_FWD_ADD -p udp -i eth0 --dport PUBLIC_PORT -j DNAT --to-destination IP_OF_eth0:PRIVATE_PORT
##
# Create a chain to specially filter localhost packets
##
$IPTABLES -N localhost_in
$IPTABLES -N localhost_out
IPT_ADD_LO_IN="$IPTABLES -A localhost_in"
IPT_ADD_LO_OUT="$IPTABLES -A localhost_out"
# Allow packets that come in over the localhost interface
$IPT_ADD_LO_IN -i lo -j ACCEPT
# Allow all packets to localhost
$IPT_ADD_LO_OUT -o lo -j ACCEPT
##
# Create a chain to process packets that travel over the internal interface
##
$IPTABLES -N internal_in
$IPTABLES -N internal_out
IPT_ADD_INT_IN="$IPTABLES -A internal_in"
IPT_ADD_INT_OUT="$IPTABLES
# Singlecast (###FIXME### Add any other local subnets here)
$IPT_ADD_INT_IN -i eth1 -s IP_OF_eth1/NM_OF_eth1 -j RETURN
# Broadcast
$IPT_ADD_INT_IN -i eth1 -s 255.255.255.255/32 -j RETURN
# Multicast
$IPT_ADD_INT_IN -i eth1 -s 224.0.0.0/4 -p ! tcp -j RETURN
# Whoops!!! These packets aren't addressed to us!!!
$IPT_ADD_INT_IN -i eth1 -j LOG --log-prefix "c_40_internal-1: "
$IPT_ADD_INT_IN -i eth1 -j $NOHOST
# Singlecast (###FIXME### Add any other local subnets here)
$IPT_ADD_INT_OUT -o eth1 -d IP_OF_eth1/IP_OF_eth1 -j RETURN
# Broadcast
$IPT_ADD_INT_OUT -o eth1 -d 255.255.255.255/32 -j RETURN
# Multicast
$IPT_ADD_INT_OUT -o eth1 -d 224.0.0.0/4 -p ! tcp -j RETURN
# We can't send packets out of that interface to those addresses!
$IPT_ADD_INT_OUT -o eth1 -j LOG --log-prefix "c_40_internal-2: "
$IPT_ADD_INT_OUT -o eth1 -j DROP
##
# Here are chains for external packets. Note, these
# ONLY check that the given packet is destined for
# our machine, to try to avoid some spoofing weirdness
# that I probably don't want to get near my machine.
##
$IPTABLES -N external_in
$IPTABLES -N external_out
IPT_ADD_EXT_IN="$IPTABLES -A external_in"
IPT_ADD_EXT_OUT="$IPTABLES
# Singlecast
$IPT_ADD_EXT_IN -i eth0 -d IP_OF_eth0/32 -j RETURN
# Broadcast
$IPT_ADD_EXT_IN -i eth0 -d BC_OF_eth0/32 -j RETURN
$IPT_ADD_EXT_IN -i eth0 -d 255.255.255.255/32 -j RETURN
# Deny everything else
$IPT_ADD_EXT_IN -i eth0 -j LOG --log-prefix "c_80_external-1: "
$IPT_ADD_EXT_IN -i eth0 -j $NOHOST
# Singlecast
$IPT_ADD_EXT_OUT -o eth0 -s IP_OF_eth0/32 -j RETURN
# Broadcast
$IPT_ADD_EXT_OUT -o eth0 -d BC_OF_eth0/32 -j RETURN
$IPT_ADD_EXT_OUT -o eth0 -d 255.255.255.255/32 -j RETURN
# Allow everything else
$IPT_ADD_EXT_OUT -o eth0 -j RETURN
##
# Grunt work chains. (These allow certain services)
# The ESTABLISHED and RELATED rules allow us to ask
# for and receive dhcp leases, and communicate normally
# with the internet. A few services are allowed to
# reach the localhost (Redirected SSH, Incoming Mail,
# and DNS) Add anything else you want to. Services
# that are redirected to other machines never reach
# this stage, and so we can ignore them. Stuff that
# we don't explicitly authorize should be replied to
# with a no-such-host message, that way, unless they
# connect to the correct ports, we don't exist. The
# no-such-host messages could be replaced by a simple
# drop by changing the NOHOST variable set at the top
# of this file.
##
$IPTABLES -N external_services_in
$IPTABLES -N external_services_out
IPT_EXT_SRV_IN="$IPTABLES -A external_services_in -i eth0"
IPT_EXT_SRV_OUT="$IPTABLES
# Allow established and related
$IPT_EXT_SRV_IN -m state --state ESTABLISHED -j RETURN
$IPT_EXT_SRV_IN -m state --state RELATED -j RETURN
# Allow SSH (Only packets marked as being redirected are allowed)
$IPT_EXT_SRV_IN -p tcp --dport 22 -m mark --mark 1/1 -j RETURN
$IPT_EXT_SRV_IN -p udp --dport 22 -m mark --mark 1/1 -j RETURN
# Allow Incoming Mail
$IPT_EXT_SRV_IN -p tcp --dport 25 -j RETURN
$IPT_EXT_SRV_IN -p udp --dport 25 -j RETURN
# Block everything else
$IPT_EXT_SRV_IN -p tcp -j LOG --log-prefix "c_85_ext_srv-1: "
$IPT_EXT_SRV_IN -p tcp -j $NOHOST
$IPT_EXT_SRV_IN -p tcp -j DROP
$IPT_EXT_SRV_IN -p udp -j LOG --log-prefix "c_85_ext_srv-2: "
$IPT_EXT_SRV_IN -p udp -j $NOHOST
$IPT_EXT_SRV_IN -p udp -j DROP
# Allow all outgoing
$IPT_EXT_SRV_OUT -j RETURN
###################
# Chain placement #
###################
##
# Here we add all the chains into the default ones
##
# Forwarding
$IPTABLES -A FORWARD -j ICMP
$IPTABLES -A FORWARD -i eth1 -o eth0 -s IP_OF_eth1/NM_OF_eth1 -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -i eth0 -d IP_OF_eth1/NM_OF_eth1 -j ACCEPT
# Input
$IPTABLES -A INPUT -j ICMP
$IPTABLES -A INPUT -i lo -j localhost_in
$IPTABLES -A INPUT -i eth1 -j internal_in
$IPTABLES -A INPUT -i eth0 -j external_in
$IPTABLES -A INPUT -i eth0 -j external_services_in
$IPTABLES -t mangle -A PREROUTING -j PortFwdMark
# NAT IP-masquerading
$IPTABLES -t nat -A POSTROUTING -s $IF_eth1_IP/$IF_eth1_NM -j MASQUERADE
$IPTABLES -t nat -A PREROUTING -j PortForwarding
# Output
$IPTABLES -A OUTPUT -j ICMP
$IPTABLES -A OUTPUT -o lo -j localhost_out
$IPTABLES -A OUTPUT -o eth0 -j internal_out
$IPTABLES -A OUTPUT -o eth0 -j external_out
$IPTABLES -A OUTPUT -o eth0 -j external_services_out
##
# Renable IP forwarding and automatic IP defragmentation
##
echo '1' > /proc/sys/net/ipv4/ip_forw
echo '1' > /proc/sys/net/ipv4/ip_alwa
OK!!! Done with that part!!! For the most part your script looks just fine, but I'd like to post mine so you can see a few extra security related things that I did.
Now on to the BIND config. This part is fairly simple, but you will need to configure most of it on your own. I can provide you with some help, though. You need to set up a subdomain, say, internal.domain.com, and put all the machines in there. Have your DNS server listen on both the internal and external interfaces, except use acl's to limit access to non-recursive queries from the outside. Then only respond to queries for *.local.domain.com from hosts inside, again using ACLs.
Hope that Helps,
Kyle Moffett
IPTables script:
##
# First we disable IP forwarding and IP defrag, to
# protect against attacking while the machine is
# reloading its rules
##
echo '0' > /proc/sys/net/ipv4/ip_forw
echo '0' > /proc/sys/net/ipv4/ip_alwa
##
# Here are default policies. I set these to accept,
# because I implement my filtering in chains called
# from the table. If the packets match certain
# rules exactly, then the chain returns, otherwise
# the packets hit the LOG and DENY at the end.
##
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
# Flush rules and remove extra chains
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
##
# Add a NOHOST variable for rejection. This
# allows my server to send 'no such host'
# ICMP responses to certain types of requests,
# as opposed to timeouts, which are undesirable
# in certain circumstances.
##
NOHOST="REJECT --reject-with icmp-host-unreachable"
#####################
# Chain definitions #
#####################
##
# Create a chain for ICMP filtering.
##
$IPTABLES -N ICMP
IPT_ICMP_ADD="$IPTABLES -A ICMP"
# Allow only certain ICMP types ->eth0
$IPT_ICMP_ADD -p icmp -o eth0 -j RETURN --icmp-type host-unreachable
$IPT_ICMP_ADD -p icmp -o eth0 -j RETURN --icmp-type echo-request
$IPT_ICMP_ADD -p icmp -o eth0 -j LOG --icmp-type source-quench --log-prefix "c_00_icmp-1: "
$IPT_ICMP_ADD -p icmp -o eth0 -j RETURN --icmp-type source-quench
$IPT_ICMP_ADD -p icmp -o eth0 -j RETURN --icmp-type ttl-zero-during-reassembly
$IPT_ICMP_ADD -p icmp -o eth0 -j RETURN --icmp-type parameter-problem
#: Deny everything else
$IPT_ICMP_ADD -p icmp -o eth0 -j LOG --log-prefix "c_00_icmp-2: "
$IPT_ICMP_ADD -p icmp -o eth0 -j DROP
# Allow only certain ICMP types <-eth0
$IPT_ICMP_ADD -p icmp -i eth0 -j RETURN --icmp-type echo-reply -m state --state ESTABLISHED
$IPT_ICMP_ADD -p icmp -i eth0 -j RETURN --icmp-type destination-unreachable
$IPT_ICMP_ADD -p icmp -i eth0 -j LOG --icmp-type source-quench --log-prefix "c_00_icmp-3: "
$IPT_ICMP_ADD -p icmp -i eth0 -j RETURN --icmp-type source-quench
$IPT_ICMP_ADD -p icmp -i eth0 -j RETURN --icmp-type time-exceeded
$IPT_ICMP_ADD -p icmp -i eth0 -j RETURN --icmp-type parameter-problem
$IPT_ICMP_ADD -p icmp -i eth0 -j LOG --icmp-type 30 # Exp traceroute --log-prefix "c_00_icmp-4: "
$IPT_ICMP_ADD -p icmp -i eth0 -j RETURN --icmp-type 30 # Exp traceroute
# Deny everything else
$IPT_ICMP_ADD -p icmp -i eth0 -j LOG --log-prefix "c_00_icmp-5: "
$IPT_ICMP_ADD -p icmp -i eth0 -j $NOHOST
$IPT_ICMP_ADD -p icmp -i eth0 -j DROP
##
# Simple chains for port forwarding. This is
# special because I add an additional 'mark'
# chain that identifies packets that have been
# redirected from one port on the local host
# to another
##
$IPTABLES -t nat -N PortForwarding
$IPTABLES -t mangle -N PortFwdMark
IPT_PORT_FWD_ADD="$IPTABLE
IPT_PFWD_MRK_ADD="$IPTABLE
# Forward some kind of port to another host
$IPT_PORT_FWD_ADD -p tcp -i eth0 --dport PUBLIC_PORT -j DNAT --to-destination PRIVATE_HOST:PRIVATE_PORT
$IPT_PORT_FWD_ADD -p udp -i eth0 --dport PUBLIC_PORT -j DNAT --to-destination PRIVATE_HOST:PRIVATE_PORT
# Redirect a special port for ssh to public IP (Mark as redirected)
$IPT_PFWD_MRK_ADD -p tcp -i eth0 --dport PUBLIC_PORT -j MARK --set-mark 1
$IPT_PORT_FWD_ADD -p tcp -i eth0 --dport PUBLIC_PORT -j DNAT --to-destination IP_OF_eth0:PRIVATE_PORT
$IPT_PFWD_MRK_ADD -p udp -i eth0 --dport PUBLIC_PORT -j MARK --set-mark 1
$IPT_PORT_FWD_ADD -p udp -i eth0 --dport PUBLIC_PORT -j DNAT --to-destination IP_OF_eth0:PRIVATE_PORT
##
# Create a chain to specially filter localhost packets
##
$IPTABLES -N localhost_in
$IPTABLES -N localhost_out
IPT_ADD_LO_IN="$IPTABLES -A localhost_in"
IPT_ADD_LO_OUT="$IPTABLES -A localhost_out"
# Allow packets that come in over the localhost interface
$IPT_ADD_LO_IN -i lo -j ACCEPT
# Allow all packets to localhost
$IPT_ADD_LO_OUT -o lo -j ACCEPT
##
# Create a chain to process packets that travel over the internal interface
##
$IPTABLES -N internal_in
$IPTABLES -N internal_out
IPT_ADD_INT_IN="$IPTABLES -A internal_in"
IPT_ADD_INT_OUT="$IPTABLES
# Singlecast (###FIXME### Add any other local subnets here)
$IPT_ADD_INT_IN -i eth1 -s IP_OF_eth1/NM_OF_eth1 -j RETURN
# Broadcast
$IPT_ADD_INT_IN -i eth1 -s 255.255.255.255/32 -j RETURN
# Multicast
$IPT_ADD_INT_IN -i eth1 -s 224.0.0.0/4 -p ! tcp -j RETURN
# Whoops!!! These packets aren't addressed to us!!!
$IPT_ADD_INT_IN -i eth1 -j LOG --log-prefix "c_40_internal-1: "
$IPT_ADD_INT_IN -i eth1 -j $NOHOST
# Singlecast (###FIXME### Add any other local subnets here)
$IPT_ADD_INT_OUT -o eth1 -d IP_OF_eth1/IP_OF_eth1 -j RETURN
# Broadcast
$IPT_ADD_INT_OUT -o eth1 -d 255.255.255.255/32 -j RETURN
# Multicast
$IPT_ADD_INT_OUT -o eth1 -d 224.0.0.0/4 -p ! tcp -j RETURN
# We can't send packets out of that interface to those addresses!
$IPT_ADD_INT_OUT -o eth1 -j LOG --log-prefix "c_40_internal-2: "
$IPT_ADD_INT_OUT -o eth1 -j DROP
##
# Here are chains for external packets. Note, these
# ONLY check that the given packet is destined for
# our machine, to try to avoid some spoofing weirdness
# that I probably don't want to get near my machine.
##
$IPTABLES -N external_in
$IPTABLES -N external_out
IPT_ADD_EXT_IN="$IPTABLES -A external_in"
IPT_ADD_EXT_OUT="$IPTABLES
# Singlecast
$IPT_ADD_EXT_IN -i eth0 -d IP_OF_eth0/32 -j RETURN
# Broadcast
$IPT_ADD_EXT_IN -i eth0 -d BC_OF_eth0/32 -j RETURN
$IPT_ADD_EXT_IN -i eth0 -d 255.255.255.255/32 -j RETURN
# Deny everything else
$IPT_ADD_EXT_IN -i eth0 -j LOG --log-prefix "c_80_external-1: "
$IPT_ADD_EXT_IN -i eth0 -j $NOHOST
# Singlecast
$IPT_ADD_EXT_OUT -o eth0 -s IP_OF_eth0/32 -j RETURN
# Broadcast
$IPT_ADD_EXT_OUT -o eth0 -d BC_OF_eth0/32 -j RETURN
$IPT_ADD_EXT_OUT -o eth0 -d 255.255.255.255/32 -j RETURN
# Allow everything else
$IPT_ADD_EXT_OUT -o eth0 -j RETURN
##
# Grunt work chains. (These allow certain services)
# The ESTABLISHED and RELATED rules allow us to ask
# for and receive dhcp leases, and communicate normally
# with the internet. A few services are allowed to
# reach the localhost (Redirected SSH, Incoming Mail,
# and DNS) Add anything else you want to. Services
# that are redirected to other machines never reach
# this stage, and so we can ignore them. Stuff that
# we don't explicitly authorize should be replied to
# with a no-such-host message, that way, unless they
# connect to the correct ports, we don't exist. The
# no-such-host messages could be replaced by a simple
# drop by changing the NOHOST variable set at the top
# of this file.
##
$IPTABLES -N external_services_in
$IPTABLES -N external_services_out
IPT_EXT_SRV_IN="$IPTABLES -A external_services_in -i eth0"
IPT_EXT_SRV_OUT="$IPTABLES
# Allow established and related
$IPT_EXT_SRV_IN -m state --state ESTABLISHED -j RETURN
$IPT_EXT_SRV_IN -m state --state RELATED -j RETURN
# Allow SSH (Only packets marked as being redirected are allowed)
$IPT_EXT_SRV_IN -p tcp --dport 22 -m mark --mark 1/1 -j RETURN
$IPT_EXT_SRV_IN -p udp --dport 22 -m mark --mark 1/1 -j RETURN
# Allow Incoming Mail
$IPT_EXT_SRV_IN -p tcp --dport 25 -j RETURN
$IPT_EXT_SRV_IN -p udp --dport 25 -j RETURN
# Block everything else
$IPT_EXT_SRV_IN -p tcp -j LOG --log-prefix "c_85_ext_srv-1: "
$IPT_EXT_SRV_IN -p tcp -j $NOHOST
$IPT_EXT_SRV_IN -p tcp -j DROP
$IPT_EXT_SRV_IN -p udp -j LOG --log-prefix "c_85_ext_srv-2: "
$IPT_EXT_SRV_IN -p udp -j $NOHOST
$IPT_EXT_SRV_IN -p udp -j DROP
# Allow all outgoing
$IPT_EXT_SRV_OUT -j RETURN
###################
# Chain placement #
###################
##
# Here we add all the chains into the default ones
##
# Forwarding
$IPTABLES -A FORWARD -j ICMP
$IPTABLES -A FORWARD -i eth1 -o eth0 -s IP_OF_eth1/NM_OF_eth1 -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -i eth0 -d IP_OF_eth1/NM_OF_eth1 -j ACCEPT
# Input
$IPTABLES -A INPUT -j ICMP
$IPTABLES -A INPUT -i lo -j localhost_in
$IPTABLES -A INPUT -i eth1 -j internal_in
$IPTABLES -A INPUT -i eth0 -j external_in
$IPTABLES -A INPUT -i eth0 -j external_services_in
$IPTABLES -t mangle -A PREROUTING -j PortFwdMark
# NAT IP-masquerading
$IPTABLES -t nat -A POSTROUTING -s $IF_eth1_IP/$IF_eth1_NM -j MASQUERADE
$IPTABLES -t nat -A PREROUTING -j PortForwarding
# Output
$IPTABLES -A OUTPUT -j ICMP
$IPTABLES -A OUTPUT -o lo -j localhost_out
$IPTABLES -A OUTPUT -o eth0 -j internal_out
$IPTABLES -A OUTPUT -o eth0 -j external_out
$IPTABLES -A OUTPUT -o eth0 -j external_services_out
##
# Renable IP forwarding and automatic IP defragmentation
##
echo '1' > /proc/sys/net/ipv4/ip_forw
echo '1' > /proc/sys/net/ipv4/ip_alwa
OK!!! Done with that part!!! For the most part your script looks just fine, but I'd like to post mine so you can see a few extra security related things that I did.
Now on to the BIND config. This part is fairly simple, but you will need to configure most of it on your own. I can provide you with some help, though. You need to set up a subdomain, say, internal.domain.com, and put all the machines in there. Have your DNS server listen on both the internal and external interfaces, except use acl's to limit access to non-recursive queries from the outside. Then only respond to queries for *.local.domain.com from hosts inside, again using ACLs.
Hope that Helps,
Kyle Moffett
ASKER
As I said before, does anyone know a way of doing this without doing any special DNS configuration. Or is the DNS route the only way! I am almost ready to pay the consultant as it seems like he is the only person that believes that he can make it work from a single IPTables based script. Again it does seem interesting that it can be done on a Linksys hardware router but not on a Linux 2 interface router.
now assuming that yourdomain.com resolves to your public IP (from your internal machines) this will work. If it doesnt there are a few other things you can do:
#note eth1 your internal device here
iptables -t nat -A PREROUTING -i eth1 -d 23.456.789.1 -p tcp --dport 80 -j DNAT --to 192.168.2.2:80
iptables -A FORWARD -p tcp --dport 80 -i eth1 -j ACCEPT
basically just rerouting the traffic destined for yourdomain.com to your webserver before it ever leaves your network
either replace 23.456.789.1 with the yourdomain.com
please note from the iptables man page:
(please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea)
the reason for this is every packet will force a DNS lookup (waste of bandwidth/resources)
or
determine what 23.456.789.1 DOES resolve to and add that to your iptables rules.
host domainname.com
will find that for you, if you want to automate all of this:
#get the IP that we think domainname.com resolves to
#NOTE: this is avoiding the DNS issue by using whatever
#IP we THINK(even if we are wrong) domainname.com should
#go to
GETIP=`host yourdomain.com | cut -d ' ' -f4`
#again eth1 and route it back to the webserver
iptables -t nat -A PREROUTING -i eth1 -d $GETIP -p tcp --dport 80 -j DNAT --to 192.168.2.2:80
iptables -A FORWARD -p tcp --dport 80 -i eth1 -j ACCEPT
now i see you have other servers running here, you can copy paste this and modify the port number/IP so that each port gets sent where you want it
now having said that the correct way would really be to setup a second named to do this, but as you wanted an iptables script, you got one.
#note eth1 your internal device here
iptables -t nat -A PREROUTING -i eth1 -d 23.456.789.1 -p tcp --dport 80 -j DNAT --to 192.168.2.2:80
iptables -A FORWARD -p tcp --dport 80 -i eth1 -j ACCEPT
basically just rerouting the traffic destined for yourdomain.com to your webserver before it ever leaves your network
either replace 23.456.789.1 with the yourdomain.com
please note from the iptables man page:
(please note that specifying any name to be resolved with a remote query such as DNS is a really bad idea)
the reason for this is every packet will force a DNS lookup (waste of bandwidth/resources)
or
determine what 23.456.789.1 DOES resolve to and add that to your iptables rules.
host domainname.com
will find that for you, if you want to automate all of this:
#get the IP that we think domainname.com resolves to
#NOTE: this is avoiding the DNS issue by using whatever
#IP we THINK(even if we are wrong) domainname.com should
#go to
GETIP=`host yourdomain.com | cut -d ' ' -f4`
#again eth1 and route it back to the webserver
iptables -t nat -A PREROUTING -i eth1 -d $GETIP -p tcp --dport 80 -j DNAT --to 192.168.2.2:80
iptables -A FORWARD -p tcp --dport 80 -i eth1 -j ACCEPT
now i see you have other servers running here, you can copy paste this and modify the port number/IP so that each port gets sent where you want it
now having said that the correct way would really be to setup a second named to do this, but as you wanted an iptables script, you got one.
(you may wish to modify this line to also include the -d, that's my fault)
iptables -A FORWARD -d $GETIP -p tcp --dport 80 -i eth1 -j ACCEPT
iptables -A FORWARD -d $GETIP -p tcp --dport 80 -i eth1 -j ACCEPT
ASKER
I feel like we are getting somewhere here! Although I am a little lost at your suggestion above. I would be so very greatfull and be quite willing to send beer tokens if you could copy my original IPTables script as supplied below re-edited with your additions and a short comment and explanation as to what the additions do exactly. Please use the Domain: "IPtablesScript.net" and IP: 123.123.123.123 for where I should put MY Information.
When this script is eventually working as I hope it might, I will post it on my Web site making sure that all credit is given to those that made it so. I will leave the link here.
#!/bin/sh
# description: nat
# chkconfig: 2345 99 00
case "$1" in
'start')
#!/bin/bash
# Do iptables based masquerading and firewalling.
# Set default PATH
export PATH=/sbin:/usr/sbin:/bin:
# Load NAT modules
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
# Load connection-tracking modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
# Disable response to broadcasts.
echo 1 > /proc/sys/net/ipv4/icmp_ec
# dOn't accept source routed packets.
echo 0 > /proc/sys/net/ipv4/conf/al
# Disable ICMP redirect acceptance.
echo 0 > /proc/sys/net/ipv4/conf/al
# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ig
# Log spoofed packets, source routed packets, redirect packets
echo 1 > /proc/sys/net/ipv4/conf/al
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forw
# Clean old iptables
iptables -F
iptables -X
iptables -Z
# Allow forwarding through the internal interface
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Default forward policy to DROP
iptables -P FORWARD DROP
# Do masquerading through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Port Forwarding
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.1:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 222 -j DNAT --to-destination 192.168.0.6:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.7:21
# iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.6:25
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.6:110
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.7:80
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.6:8080
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 37 -j DNAT --to-destination 192.168.0.1:37 # Time port
# Firewall Rules
# Loopback - Allow unlimited traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# SYN-Flooding Protection
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
# Make sure that new TCP connections are SYN packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
# Fragments : Don't trust the little buggers. Send 'em to hell.
iptables -A INPUT -i eth0 -f -j LOG --log-level debug --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i eth0 -f -j DROP
# Refuse spoofed packets claiming to be the loopback
iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP
# Allow BootP/DHCP UDP requests
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 67:68 -j ACCEPT
# DNS
# Allow UDP and TCP packets in for DNS client from nameservers
iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 53 -j ACCEPT
# SSH
# allow all sshd incoming connections (including the port fw)
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT
# HTTP
# allow all http/https incoming/return connections
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 443 -j ACCEPT
# FTP
# allow all ftpd incoming connections
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 21 -j ACCEPT
# Enable active ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable passive ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable ident probes (IRC)
iptables -t filter -A INPUT -i eth0 -p tcp -d 0/0 --dport 113 -j ACCEPT
# Allow ICMP in if it is related to other connections
iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow bot traffic through
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 8676 -j ACCEPT
# enable dcc
iptables -A INPUT -i eth0 -p tcp -m state --state RELATED -j ACCEPT
# LOGGING:
# UDP, log & drop
iptables -A INPUT -i eth0 -p udp -j LOG --log-level debug --log-prefix "IPTABLES UDP-IN: "
iptables -A INPUT -i eth0 -p udp -j DROP
# ICMP, log & drop
iptables -A INPUT -i eth0 -p icmp -j LOG --log-level debug --log-prefix "IPTABLES ICMP-IN: "
iptables -A INPUT -i eth0 -p icmp -j DROP
# Windows NetBIOS noise, log & drop
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "IPTABLES NETBIOS-IN: "
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j DROP
# IGMP noise, log & drop
iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: "
iptables -A INPUT -i eth0 -p 2 -j DROP
# TCP, log & drop
iptables -A INPUT -i eth0 -p tcp -j LOG --log-level debug --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT -i eth0 -p tcp -j DROP
# Anything else not allowed, log & drop
iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "IPTABLES UNKNOWN-IN: "
iptables -A INPUT -i eth0 -j DROP
touch /var/lock/subsys/nat
;;
'stop')
rm -f /var/lock/subsys/nat
;;
*)
echo "Usage: $0 { start | stop }"
;;
esac
exit 0
When this script is eventually working as I hope it might, I will post it on my Web site making sure that all credit is given to those that made it so. I will leave the link here.
#!/bin/sh
# description: nat
# chkconfig: 2345 99 00
case "$1" in
'start')
#!/bin/bash
# Do iptables based masquerading and firewalling.
# Set default PATH
export PATH=/sbin:/usr/sbin:/bin:
# Load NAT modules
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
# Load connection-tracking modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
# Disable response to broadcasts.
echo 1 > /proc/sys/net/ipv4/icmp_ec
# dOn't accept source routed packets.
echo 0 > /proc/sys/net/ipv4/conf/al
# Disable ICMP redirect acceptance.
echo 0 > /proc/sys/net/ipv4/conf/al
# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ig
# Log spoofed packets, source routed packets, redirect packets
echo 1 > /proc/sys/net/ipv4/conf/al
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forw
# Clean old iptables
iptables -F
iptables -X
iptables -Z
# Allow forwarding through the internal interface
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Default forward policy to DROP
iptables -P FORWARD DROP
# Do masquerading through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Port Forwarding
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.1:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 222 -j DNAT --to-destination 192.168.0.6:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.7:21
# iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.6:25
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.6:110
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.7:80
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.6:8080
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 37 -j DNAT --to-destination 192.168.0.1:37 # Time port
# Firewall Rules
# Loopback - Allow unlimited traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# SYN-Flooding Protection
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
# Make sure that new TCP connections are SYN packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
# Fragments : Don't trust the little buggers. Send 'em to hell.
iptables -A INPUT -i eth0 -f -j LOG --log-level debug --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i eth0 -f -j DROP
# Refuse spoofed packets claiming to be the loopback
iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP
# Allow BootP/DHCP UDP requests
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 67:68 -j ACCEPT
# DNS
# Allow UDP and TCP packets in for DNS client from nameservers
iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 53 -j ACCEPT
# SSH
# allow all sshd incoming connections (including the port fw)
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT
# HTTP
# allow all http/https incoming/return connections
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 443 -j ACCEPT
# FTP
# allow all ftpd incoming connections
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 21 -j ACCEPT
# Enable active ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable passive ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable ident probes (IRC)
iptables -t filter -A INPUT -i eth0 -p tcp -d 0/0 --dport 113 -j ACCEPT
# Allow ICMP in if it is related to other connections
iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow bot traffic through
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 8676 -j ACCEPT
# enable dcc
iptables -A INPUT -i eth0 -p tcp -m state --state RELATED -j ACCEPT
# LOGGING:
# UDP, log & drop
iptables -A INPUT -i eth0 -p udp -j LOG --log-level debug --log-prefix "IPTABLES UDP-IN: "
iptables -A INPUT -i eth0 -p udp -j DROP
# ICMP, log & drop
iptables -A INPUT -i eth0 -p icmp -j LOG --log-level debug --log-prefix "IPTABLES ICMP-IN: "
iptables -A INPUT -i eth0 -p icmp -j DROP
# Windows NetBIOS noise, log & drop
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "IPTABLES NETBIOS-IN: "
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j DROP
# IGMP noise, log & drop
iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: "
iptables -A INPUT -i eth0 -p 2 -j DROP
# TCP, log & drop
iptables -A INPUT -i eth0 -p tcp -j LOG --log-level debug --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT -i eth0 -p tcp -j DROP
# Anything else not allowed, log & drop
iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "IPTABLES UNKNOWN-IN: "
iptables -A INPUT -i eth0 -j DROP
touch /var/lock/subsys/nat
;;
'stop')
rm -f /var/lock/subsys/nat
;;
*)
echo "Usage: $0 { start | stop }"
;;
esac
exit 0
#!/bin/sh
# description: nat
# chkconfig: 2345 99 00
case "$1" in
'start')
#!/bin/bash
# Do iptables based masquerading and firewalling.
# Set default PATH
export PATH=/sbin:/usr/sbin:/bin:
# Load NAT modules
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
# Load connection-tracking modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
# Disable response to broadcasts.
echo 1 > /proc/sys/net/ipv4/icmp_ec
# dOn't accept source routed packets.
echo 0 > /proc/sys/net/ipv4/conf/al
# Disable ICMP redirect acceptance.
echo 0 > /proc/sys/net/ipv4/conf/al
# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ig
# Log spoofed packets, source routed packets, redirect packets
echo 1 > /proc/sys/net/ipv4/conf/al
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forw
# Clean old iptables
iptables -F
iptables -X
iptables -Z
# Allow forwarding through the internal interface
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Default forward policy to DROP
iptables -P FORWARD DROP
# Do masquerading through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Port Forwarding
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.1:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 222 -j DNAT --to-destination 192.168.0.6:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.7:21
# iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.6:25
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.6:110
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.7:80
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.6:8080
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 37 -j DNAT --to-destination 192.168.0.1:37 # Time port
##########################
##########################
###new section here
#get the IP that we think domainname.com resolves to
#NOTE: this is avoiding the DNS issue by using whatever
#IP we THINK(even if we are wrong) domainname.com should
#go to
GETIP=`host yourdomain.com | cut -d ' ' -f4`
#again eth1 and route it back to the webserver
iptables -t nat -A PREROUTING -i eth1 -d $GETIP -p tcp --dport 80 -j DNAT --to 192.168.2.2:80
iptables -A FORWARD -p tcp --dport 80 -i eth1 -j ACCEPT
####end new section
##########################
##########################
# Firewall Rules
# Loopback - Allow unlimited traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# SYN-Flooding Protection
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
# Make sure that new TCP connections are SYN packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
# Fragments : Don't trust the little buggers. Send 'em to hell.
iptables -A INPUT -i eth0 -f -j LOG --log-level debug --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i eth0 -f -j DROP
# Refuse spoofed packets claiming to be the loopback
iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP
# Allow BootP/DHCP UDP requests
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 67:68 -j ACCEPT
# DNS
# Allow UDP and TCP packets in for DNS client from nameservers
iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 53 -j ACCEPT
# SSH
# allow all sshd incoming connections (including the port fw)
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT
# HTTP
# allow all http/https incoming/return connections
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 443 -j ACCEPT
# FTP
# allow all ftpd incoming connections
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 21 -j ACCEPT
# Enable active ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable passive ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable ident probes (IRC)
iptables -t filter -A INPUT -i eth0 -p tcp -d 0/0 --dport 113 -j ACCEPT
# Allow ICMP in if it is related to other connections
iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow bot traffic through
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 8676 -j ACCEPT
# enable dcc
iptables -A INPUT -i eth0 -p tcp -m state --state RELATED -j ACCEPT
# LOGGING:
# UDP, log & drop
iptables -A INPUT -i eth0 -p udp -j LOG --log-level debug --log-prefix "IPTABLES UDP-IN: "
iptables -A INPUT -i eth0 -p udp -j DROP
# ICMP, log & drop
iptables -A INPUT -i eth0 -p icmp -j LOG --log-level debug --log-prefix "IPTABLES ICMP-IN: "
iptables -A INPUT -i eth0 -p icmp -j DROP
# Windows NetBIOS noise, log & drop
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "IPTABLES NETBIOS-IN: "
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j DROP
# IGMP noise, log & drop
iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: "
iptables -A INPUT -i eth0 -p 2 -j DROP
# TCP, log & drop
iptables -A INPUT -i eth0 -p tcp -j LOG --log-level debug --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT -i eth0 -p tcp -j DROP
# Anything else not allowed, log & drop
iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "IPTABLES UNKNOWN-IN: "
iptables -A INPUT -i eth0 -j DROP
touch /var/lock/subsys/nat
;;
'stop')
rm -f /var/lock/subsys/nat
;;
*)
echo "Usage: $0 { start | stop }"
;;
esac
exit 0
if this works as you want for webtraffic we can add a few more lines to get ftp and whatever else to work correctly.
# description: nat
# chkconfig: 2345 99 00
case "$1" in
'start')
#!/bin/bash
# Do iptables based masquerading and firewalling.
# Set default PATH
export PATH=/sbin:/usr/sbin:/bin:
# Load NAT modules
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
# Load connection-tracking modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
# Disable response to broadcasts.
echo 1 > /proc/sys/net/ipv4/icmp_ec
# dOn't accept source routed packets.
echo 0 > /proc/sys/net/ipv4/conf/al
# Disable ICMP redirect acceptance.
echo 0 > /proc/sys/net/ipv4/conf/al
# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ig
# Log spoofed packets, source routed packets, redirect packets
echo 1 > /proc/sys/net/ipv4/conf/al
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forw
# Clean old iptables
iptables -F
iptables -X
iptables -Z
# Allow forwarding through the internal interface
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Default forward policy to DROP
iptables -P FORWARD DROP
# Do masquerading through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Port Forwarding
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.1:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 222 -j DNAT --to-destination 192.168.0.6:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.7:21
# iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.6:25
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.6:110
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.7:80
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.6:8080
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 37 -j DNAT --to-destination 192.168.0.1:37 # Time port
##########################
##########################
###new section here
#get the IP that we think domainname.com resolves to
#NOTE: this is avoiding the DNS issue by using whatever
#IP we THINK(even if we are wrong) domainname.com should
#go to
GETIP=`host yourdomain.com | cut -d ' ' -f4`
#again eth1 and route it back to the webserver
iptables -t nat -A PREROUTING -i eth1 -d $GETIP -p tcp --dport 80 -j DNAT --to 192.168.2.2:80
iptables -A FORWARD -p tcp --dport 80 -i eth1 -j ACCEPT
####end new section
##########################
##########################
# Firewall Rules
# Loopback - Allow unlimited traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# SYN-Flooding Protection
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
# Make sure that new TCP connections are SYN packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
# Fragments : Don't trust the little buggers. Send 'em to hell.
iptables -A INPUT -i eth0 -f -j LOG --log-level debug --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i eth0 -f -j DROP
# Refuse spoofed packets claiming to be the loopback
iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP
# Allow BootP/DHCP UDP requests
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 67:68 -j ACCEPT
# DNS
# Allow UDP and TCP packets in for DNS client from nameservers
iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 53 -j ACCEPT
# SSH
# allow all sshd incoming connections (including the port fw)
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT
# HTTP
# allow all http/https incoming/return connections
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 443 -j ACCEPT
# FTP
# allow all ftpd incoming connections
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 21 -j ACCEPT
# Enable active ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable passive ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable ident probes (IRC)
iptables -t filter -A INPUT -i eth0 -p tcp -d 0/0 --dport 113 -j ACCEPT
# Allow ICMP in if it is related to other connections
iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow bot traffic through
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 8676 -j ACCEPT
# enable dcc
iptables -A INPUT -i eth0 -p tcp -m state --state RELATED -j ACCEPT
# LOGGING:
# UDP, log & drop
iptables -A INPUT -i eth0 -p udp -j LOG --log-level debug --log-prefix "IPTABLES UDP-IN: "
iptables -A INPUT -i eth0 -p udp -j DROP
# ICMP, log & drop
iptables -A INPUT -i eth0 -p icmp -j LOG --log-level debug --log-prefix "IPTABLES ICMP-IN: "
iptables -A INPUT -i eth0 -p icmp -j DROP
# Windows NetBIOS noise, log & drop
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "IPTABLES NETBIOS-IN: "
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j DROP
# IGMP noise, log & drop
iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: "
iptables -A INPUT -i eth0 -p 2 -j DROP
# TCP, log & drop
iptables -A INPUT -i eth0 -p tcp -j LOG --log-level debug --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT -i eth0 -p tcp -j DROP
# Anything else not allowed, log & drop
iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "IPTABLES UNKNOWN-IN: "
iptables -A INPUT -i eth0 -j DROP
touch /var/lock/subsys/nat
;;
'stop')
rm -f /var/lock/subsys/nat
;;
*)
echo "Usage: $0 { start | stop }"
;;
esac
exit 0
if this works as you want for webtraffic we can add a few more lines to get ftp and whatever else to work correctly.
grr once again, i copied the same wrong line: here, i will past the whole thing again so you can just copy/paste
#!/bin/sh
# description: nat
# chkconfig: 2345 99 00
case "$1" in
'start')
#!/bin/bash
# Do iptables based masquerading and firewalling.
# Set default PATH
export PATH=/sbin:/usr/sbin:/bin:
# Load NAT modules
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
# Load connection-tracking modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
# Disable response to broadcasts.
echo 1 > /proc/sys/net/ipv4/icmp_ec
# dOn't accept source routed packets.
echo 0 > /proc/sys/net/ipv4/conf/al
# Disable ICMP redirect acceptance.
echo 0 > /proc/sys/net/ipv4/conf/al
# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ig
# Log spoofed packets, source routed packets, redirect packets
echo 1 > /proc/sys/net/ipv4/conf/al
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forw
# Clean old iptables
iptables -F
iptables -X
iptables -Z
# Allow forwarding through the internal interface
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Default forward policy to DROP
iptables -P FORWARD DROP
# Do masquerading through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Port Forwarding
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.1:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 222 -j DNAT --to-destination 192.168.0.6:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.7:21
# iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.6:25
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.6:110
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.7:80
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.6:8080
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 37 -j DNAT --to-destination 192.168.0.1:37 # Time port
##########################
##########################
###new section here
#get the IP that we think domainname.com resolves to
#NOTE: this is avoiding the DNS issue by using whatever
#IP we THINK(even if we are wrong) domainname.com should
#go to
GETIP=`host yourdomain.com | cut -d ' ' -f4`
#again eth1 and route it back to the webserver
iptables -t nat -A PREROUTING -i eth1 -d $GETIP -p tcp --dport 80 -j DNAT --to 192.168.2.2:80
iptables -A FORWARD -d $GETIP -p tcp --dport 80 -i eth1 -j ACCEPT
####end new section
##########################
##########################
# Firewall Rules
# Loopback - Allow unlimited traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# SYN-Flooding Protection
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
# Make sure that new TCP connections are SYN packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
# Fragments : Don't trust the little buggers. Send 'em to hell.
iptables -A INPUT -i eth0 -f -j LOG --log-level debug --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i eth0 -f -j DROP
# Refuse spoofed packets claiming to be the loopback
iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP
# Allow BootP/DHCP UDP requests
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 67:68 -j ACCEPT
# DNS
# Allow UDP and TCP packets in for DNS client from nameservers
iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 53 -j ACCEPT
# SSH
# allow all sshd incoming connections (including the port fw)
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT
# HTTP
# allow all http/https incoming/return connections
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 443 -j ACCEPT
# FTP
# allow all ftpd incoming connections
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 21 -j ACCEPT
# Enable active ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable passive ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable ident probes (IRC)
iptables -t filter -A INPUT -i eth0 -p tcp -d 0/0 --dport 113 -j ACCEPT
# Allow ICMP in if it is related to other connections
iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow bot traffic through
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 8676 -j ACCEPT
# enable dcc
iptables -A INPUT -i eth0 -p tcp -m state --state RELATED -j ACCEPT
# LOGGING:
# UDP, log & drop
iptables -A INPUT -i eth0 -p udp -j LOG --log-level debug --log-prefix "IPTABLES UDP-IN: "
iptables -A INPUT -i eth0 -p udp -j DROP
# ICMP, log & drop
iptables -A INPUT -i eth0 -p icmp -j LOG --log-level debug --log-prefix "IPTABLES ICMP-IN: "
iptables -A INPUT -i eth0 -p icmp -j DROP
# Windows NetBIOS noise, log & drop
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "IPTABLES NETBIOS-IN: "
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j DROP
# IGMP noise, log & drop
iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: "
iptables -A INPUT -i eth0 -p 2 -j DROP
# TCP, log & drop
iptables -A INPUT -i eth0 -p tcp -j LOG --log-level debug --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT -i eth0 -p tcp -j DROP
# Anything else not allowed, log & drop
iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "IPTABLES UNKNOWN-IN: "
iptables -A INPUT -i eth0 -j DROP
touch /var/lock/subsys/nat
;;
'stop')
rm -f /var/lock/subsys/nat
;;
*)
echo "Usage: $0 { start | stop }"
;;
esac
exit 0
sorry about that... again ;-)
#!/bin/sh
# description: nat
# chkconfig: 2345 99 00
case "$1" in
'start')
#!/bin/bash
# Do iptables based masquerading and firewalling.
# Set default PATH
export PATH=/sbin:/usr/sbin:/bin:
# Load NAT modules
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc
# Load connection-tracking modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
# Disable response to broadcasts.
echo 1 > /proc/sys/net/ipv4/icmp_ec
# dOn't accept source routed packets.
echo 0 > /proc/sys/net/ipv4/conf/al
# Disable ICMP redirect acceptance.
echo 0 > /proc/sys/net/ipv4/conf/al
# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ig
# Log spoofed packets, source routed packets, redirect packets
echo 1 > /proc/sys/net/ipv4/conf/al
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forw
# Clean old iptables
iptables -F
iptables -X
iptables -Z
# Allow forwarding through the internal interface
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Default forward policy to DROP
iptables -P FORWARD DROP
# Do masquerading through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Port Forwarding
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.1:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 222 -j DNAT --to-destination 192.168.0.6:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.7:21
# iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.6:25
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.6:110
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.7:80
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.6:8080
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 37 -j DNAT --to-destination 192.168.0.1:37 # Time port
##########################
##########################
###new section here
#get the IP that we think domainname.com resolves to
#NOTE: this is avoiding the DNS issue by using whatever
#IP we THINK(even if we are wrong) domainname.com should
#go to
GETIP=`host yourdomain.com | cut -d ' ' -f4`
#again eth1 and route it back to the webserver
iptables -t nat -A PREROUTING -i eth1 -d $GETIP -p tcp --dport 80 -j DNAT --to 192.168.2.2:80
iptables -A FORWARD -d $GETIP -p tcp --dport 80 -i eth1 -j ACCEPT
####end new section
##########################
##########################
# Firewall Rules
# Loopback - Allow unlimited traffic
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# SYN-Flooding Protection
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
# Make sure that new TCP connections are SYN packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
# Fragments : Don't trust the little buggers. Send 'em to hell.
iptables -A INPUT -i eth0 -f -j LOG --log-level debug --log-prefix "IPTABLES FRAGMENTS: "
iptables -A INPUT -i eth0 -f -j DROP
# Refuse spoofed packets claiming to be the loopback
iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP
# Allow BootP/DHCP UDP requests
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 67:68 -j ACCEPT
# DNS
# Allow UDP and TCP packets in for DNS client from nameservers
iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 53 -j ACCEPT
# SSH
# allow all sshd incoming connections (including the port fw)
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT
# HTTP
# allow all http/https incoming/return connections
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 443 -j ACCEPT
# FTP
# allow all ftpd incoming connections
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 21 -j ACCEPT
# Enable active ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable passive ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable ident probes (IRC)
iptables -t filter -A INPUT -i eth0 -p tcp -d 0/0 --dport 113 -j ACCEPT
# Allow ICMP in if it is related to other connections
iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow bot traffic through
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 8676 -j ACCEPT
# enable dcc
iptables -A INPUT -i eth0 -p tcp -m state --state RELATED -j ACCEPT
# LOGGING:
# UDP, log & drop
iptables -A INPUT -i eth0 -p udp -j LOG --log-level debug --log-prefix "IPTABLES UDP-IN: "
iptables -A INPUT -i eth0 -p udp -j DROP
# ICMP, log & drop
iptables -A INPUT -i eth0 -p icmp -j LOG --log-level debug --log-prefix "IPTABLES ICMP-IN: "
iptables -A INPUT -i eth0 -p icmp -j DROP
# Windows NetBIOS noise, log & drop
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "IPTABLES NETBIOS-IN: "
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j DROP
# IGMP noise, log & drop
iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: "
iptables -A INPUT -i eth0 -p 2 -j DROP
# TCP, log & drop
iptables -A INPUT -i eth0 -p tcp -j LOG --log-level debug --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT -i eth0 -p tcp -j DROP
# Anything else not allowed, log & drop
iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "IPTABLES UNKNOWN-IN: "
iptables -A INPUT -i eth0 -j DROP
touch /var/lock/subsys/nat
;;
'stop')
rm -f /var/lock/subsys/nat
;;
*)
echo "Usage: $0 { start | stop }"
;;
esac
exit 0
sorry about that... again ;-)
ASKER
I just killed my Cisco 3500 Catalyst switch. Whilst trying to upgrade the management software. As soon as I get it fixed I will test this script. Thanks for all your help.
I think you have the 500 points coming.
I think you have the 500 points coming.
heh - I'll be rich ;-)
you can copy/paste these lines to add the same functionality for your ftp server (i saw you were running one from your iptables script)
iptables -t nat -A PREROUTING -i eth1 -d $GETIP -p tcp --dport 21 -j DNAT --to 192.168.2.7:21
iptables -A FORWARD -d $GETIP -p tcp --dport 21 -i eth1 -j ACCEPT
just in case you didnt notice this, i user 192.168.2.2 on accident on the script i sent you, your webserver was 2.7 but you seem to know enough to have seen that ;-)
Sorry about that (again, again, and now again)
you can copy/paste these lines to add the same functionality for your ftp server (i saw you were running one from your iptables script)
iptables -t nat -A PREROUTING -i eth1 -d $GETIP -p tcp --dport 21 -j DNAT --to 192.168.2.7:21
iptables -A FORWARD -d $GETIP -p tcp --dport 21 -i eth1 -j ACCEPT
just in case you didnt notice this, i user 192.168.2.2 on accident on the script i sent you, your webserver was 2.7 but you seem to know enough to have seen that ;-)
Sorry about that (again, again, and now again)
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Please correct me if I got the whole scenario wrong.
Lior