?
Solved

Please can someone help me with my "Fire-Masq" I just need to be able to see internal servers as well as external Web.

Posted on 2003-03-07
14
Medium Priority
?
355 Views
Last Modified: 2010-03-18
I am looking for a little help with an IPtables init.d script issue.  

Below is my predicament.

I decided to turn am old computer that I have into a NAT router/firewall for my internal network.
I installed two ethernet cards (eth0 & eth1 ) and installed RedHat Linux 7.3.
I also downloaded a NAT script from the Internet that uses IPTABLES.

I set the router/firewall up so that "eth0" is my WAN ( Public IP ) and "eth1" is my LAN ( Internal IP )

On my LAN ( Internal network ) I have 3 servers and 1 workstation, and also a  wireless AP, that is used for
my wireless laptop and for my Neighbors wireless Internet connection. Oh and also the Linux router that
I am trying to configure here.

Here is how my network is presently configured.

1, The Linux router/firewall uses "eth0" conected to the Internet ( Public IP: 23.456.789.1 )

The router/firewall also doubles up as a DNS server for my domain.

and "eth1" my Private IP: 192.168.0.1 is connected to a 24 port switch.


Also connected to the above switch are the following systems:

Wireless Access Point ( IP: 192.168.0.2 ) This uses 192.168.1.0/24 for an 802.11b wireless network.
DataBase server       ( IP: 192.168.0.5 )
Mail Server           ( IP: 192.168.0.6 )
Web server            ( IP: 192.168.0.7 )
Static Workstation    ( IP: 192.168.0.14 )

The netmask for the above Ethernet wired network is: /28

My Problem:

Although it is quite possible to access the Web sites hosted on my Web server from outside of my network via the Internet, it

does not seem to be possible to access the Web sites from inside my network. The same aplies to my mail server. e.g. From my

work station or my wireless laptop I cannot pull up any Web sites hosted on my web server. I also cannot access my e-mail

using my domain name as a server name. ( I have to use an IP address )

One note:  I would not believe that this could work at all, if it were not for the fact that it working just fine when I used

a Linksys Hardware router. I could pull up any web pages that were hosted on my web server without a problem.

Also just to let you know, the DNS seems to be working fine. I can ping my domain names from my internal network and they

seem to resolve correctly with the correct external IP  of 23.456.789.1.

They just will not come up in my browser. I think it has to do with the port mapping possibly, but my experiance with

IPTABLES is somewhat limited.


Here is the present IPTABLES script that I am using.

-------------------------------------------------------------------------------------------------------------------

#!/bin/sh
# description: nat
# chkconfig: 2345 99 00

case "$1" in
'start')
        #!/bin/bash
        # Do iptables based masquerading and firewalling.

        # Set default PATH
        export PATH=/sbin:/usr/sbin:/bin:/usr/bin

        # Load NAT modules
        modprobe iptable_nat
        modprobe ip_nat_ftp
        modprobe ip_nat_irc

        # Load connection-tracking modules
        modprobe ip_conntrack
        modprobe ip_conntrack_ftp
        modprobe ip_conntrack_irc

        # Disable response to broadcasts.
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

        # Don't accept source routed packets.
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

        # Disable ICMP redirect acceptance.
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

        # Enable bad error message protection
        echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

        # Log spoofed packets, source routed packets, redirect packets
        echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

        # Turn on IP forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward


# Clean old iptables
        iptables -F
        iptables -X
        iptables -Z

        # Allow forwarding through the internal interface
        iptables -A FORWARD -i eth1 -j ACCEPT
        iptables -A FORWARD -o eth1 -j ACCEPT
        iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

        # Default forward policy to DROP
        iptables -P FORWARD DROP

        # Do masquerading through eth0
        iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


        # Port Forwarding
        iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.1:22
        iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 222 -j DNAT --to-destination 192.168.0.6:22
        iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.7:21
        iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.6:25
        iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.6:110
        iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.7:80
        iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.6:8080

        # Firewall Rules

        # Loopback - Allow unlimited traffic
        iptables -A INPUT -i lo -j ACCEPT
        iptables -A OUTPUT -o lo -j ACCEPT

        # SYN-Flooding Protection
        iptables -N syn-flood
        iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
        iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
        iptables -A syn-flood -j DROP

        # Make sure that new TCP connections are SYN packets
        iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

        # Fragments : Don't trust the little buggers. Send 'em to hell.
        iptables -A INPUT -i eth0 -f -j LOG --log-level debug --log-prefix "IPTABLES FRAGMENTS: "
        iptables -A INPUT -i eth0 -f -j DROP

        # Refuse spoofed packets claiming to be the loopback
        iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP

        # Allow BootP/DHCP UDP requests
        iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 67:68 -j ACCEPT

        # DNS
        # Allow UDP and TCP packets in for DNS client from nameservers
        iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
        iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 53 -j ACCEPT
        iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 53 -j ACCEPT

        # SSH
        # allow all sshd incoming connections (including the port fw)
        iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 22 -j ACCEPT
        iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT

        # HTTP
        # allow all http/https incoming/return connections
        iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT
        iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 443 -j ACCEPT

        # FTP
        # allow all ftpd incoming connections
        iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 21 -j ACCEPT

        # Enable active ftp transfers
        iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT

        # Enable passive ftp transfers
        iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j

ACCEPT

        # Enable ident probes (IRC)
        iptables -t filter -A INPUT -i eth0 -p tcp -d 0/0 --dport 113 -j ACCEPT

        # Allow ICMP in if it is related to other connections
        iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

        # Allow bot traffic through
        iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 8676 -j ACCEPT

        # enable dcc
        iptables -A INPUT -i eth0 -p tcp -m state --state RELATED -j ACCEPT

        # LOGGING:

        # UDP, log & drop
        iptables -A INPUT -i eth0 -p udp -j LOG --log-level debug --log-prefix "IPTABLES UDP-IN: "
        iptables -A INPUT -i eth0 -p udp -j DROP

        # ICMP, log & drop
        iptables -A INPUT -i eth0 -p icmp -j LOG --log-level debug --log-prefix "IPTABLES ICMP-IN: "
        iptables -A INPUT -i eth0 -p icmp -j DROP

        # Windows NetBIOS noise, log & drop
        iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "IPTABLES NETBIOS-IN: "
        iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j DROP

        # IGMP noise, log & drop
        iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: "
        iptables -A INPUT -i eth0 -p 2 -j DROP

        # TCP, log & drop
        iptables -A INPUT -i eth0 -p tcp -j LOG --log-level debug --log-prefix "IPTABLES TCP-IN: "
        iptables -A INPUT -i eth0 -p tcp -j DROP

        # Anything else not allowed, log & drop
#       iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "IPTABLES UNKNOWN-IN: "
#       iptables -A INPUT -i eth0 -j DROP


        touch /var/lock/subsys/nat
        ;;
'stop')
        rm -f /var/lock/subsys/nat
        ;;
*)
        echo "Usage: $0 { start | stop }"
        ;;
esac
exit 0


I solemly promise to share this script with all those on the Internet that want it, if I can get it going correctly.
0
Comment
Question by:paddyhaig
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
  • 2
  • +2
14 Comments
 
LVL 1

Expert Comment

by:liormmm
ID: 8090179
If all your domain names resolve to the external IP, and only the linux box has it, then you should change your dns to make them resolve to the Internal IP of your Linux router, since you are doing the port forwarding on eth0 with iptables, and all your LAN is connected "seeing" your Linux box through it's internal IP.

Please correct me if I got the whole scenario wrong.

Lior
0
 

Author Comment

by:paddyhaig
ID: 8090398
But if I make them resolve to the Internal IP, then people outside of my network will not be able to see the Websites?
They will get a non routable IP back when they query my name server.
0
 
LVL 1

Expert Comment

by:liormmm
ID: 8090440
Then you will either have to run a second instance of named (one listening in the external interface and the other one listening on the internal one), and have one resolve to the external IP and the other one to the internal IP (two different zone files).

Another thing you can do is adding to the hosts file on your LAN workstations the domain names and make them resolve to the internal IP.

I think the first one is a better way to do it since if you need several sub domains to resolve, then you don't have to keep adding them to the hosts file on every machine.

Take a look at named.conf man and create two named.conf (one for the internal and the other one for the external interface). You should use listen-on.

Hope it helps.

Lior
0
WordPress Tutorial 2: Terminology

An important part of learning any new piece of software is understanding the terminology it uses. Thankfully WordPress uses fairly simple names for everything that make it easy to start using the software.

 

Author Comment

by:paddyhaig
ID: 8091212
I appreciate your time on this liormmm, but I was really hoping that the might be just a couple of lines that I could add to the above script that might resolve my issue. The DNS route has been suggested to me already. I guess I will have to take that route "Chorkle"  if it's the only resort. I did speak to a consultant, who said that he could fix it for a rather large sum of money. Although he did say that I would have to take the DMZ route using a third NIC.
0
 

Expert Comment

by:mrmacman_g4
ID: 8092590
I have the same setup, and here are some configuration templates that should resolve your problems:

IPTables script:

##
# First we disable IP forwarding and IP defrag, to
# protect against attacking while the machine is
# reloading its rules
##
echo '0' > /proc/sys/net/ipv4/ip_forward
echo '0' > /proc/sys/net/ipv4/ip_always_defrag

##
# Here are default policies.  I set these to accept,
# because I implement my filtering in chains called
# from the table.  If the packets match certain
# rules exactly, then the chain returns, otherwise
# the packets hit the LOG and DENY at the end.
##
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

# Flush rules and remove extra chains
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X

##
# Add a NOHOST variable for rejection.  This
# allows my server to send 'no such host'
# ICMP responses to certain types of requests,
# as opposed to timeouts, which are undesirable
# in certain circumstances.
##
NOHOST="REJECT --reject-with icmp-host-unreachable"


#####################
# Chain definitions #
#####################

##
# Create a chain for ICMP filtering.
##
$IPTABLES -N ICMP
IPT_ICMP_ADD="$IPTABLES -A ICMP"

# Allow only certain ICMP types ->eth0
$IPT_ICMP_ADD -p icmp -o eth0 -j RETURN --icmp-type host-unreachable
$IPT_ICMP_ADD -p icmp -o eth0 -j RETURN --icmp-type echo-request
$IPT_ICMP_ADD -p icmp -o eth0 -j LOG    --icmp-type source-quench --log-prefix "c_00_icmp-1: "
$IPT_ICMP_ADD -p icmp -o eth0 -j RETURN --icmp-type source-quench
$IPT_ICMP_ADD -p icmp -o eth0 -j RETURN --icmp-type ttl-zero-during-reassembly
$IPT_ICMP_ADD -p icmp -o eth0 -j RETURN --icmp-type parameter-problem
#: Deny everything else
$IPT_ICMP_ADD -p icmp -o eth0 -j LOG --log-prefix "c_00_icmp-2: "
$IPT_ICMP_ADD -p icmp -o eth0 -j DROP

# Allow only certain ICMP types <-eth0
$IPT_ICMP_ADD -p icmp -i eth0 -j RETURN --icmp-type echo-reply -m state --state ESTABLISHED
$IPT_ICMP_ADD -p icmp -i eth0 -j RETURN --icmp-type destination-unreachable
$IPT_ICMP_ADD -p icmp -i eth0 -j LOG    --icmp-type source-quench --log-prefix "c_00_icmp-3: "
$IPT_ICMP_ADD -p icmp -i eth0 -j RETURN --icmp-type source-quench
$IPT_ICMP_ADD -p icmp -i eth0 -j RETURN --icmp-type time-exceeded
$IPT_ICMP_ADD -p icmp -i eth0 -j RETURN --icmp-type parameter-problem
$IPT_ICMP_ADD -p icmp -i eth0 -j LOG    --icmp-type 30 # Exp traceroute  --log-prefix "c_00_icmp-4: "
$IPT_ICMP_ADD -p icmp -i eth0 -j RETURN --icmp-type 30 # Exp traceroute

# Deny everything else
$IPT_ICMP_ADD -p icmp -i eth0 -j LOG --log-prefix "c_00_icmp-5: "
$IPT_ICMP_ADD -p icmp -i eth0 -j $NOHOST
$IPT_ICMP_ADD -p icmp -i eth0 -j DROP

##
# Simple chains for port forwarding.  This is
# special because I add an additional 'mark'
# chain that identifies packets that have been
# redirected from one port on the local host
# to another
##
$IPTABLES -t nat -N PortForwarding
$IPTABLES -t mangle -N PortFwdMark

IPT_PORT_FWD_ADD="$IPTABLES -t nat -A PortForwarding"
IPT_PFWD_MRK_ADD="$IPTABLES -t mangle -A PortFwdMark"

# Forward some kind of port to another host
$IPT_PORT_FWD_ADD -p tcp -i eth0 --dport PUBLIC_PORT -j DNAT --to-destination PRIVATE_HOST:PRIVATE_PORT
$IPT_PORT_FWD_ADD -p udp -i eth0 --dport PUBLIC_PORT -j DNAT --to-destination PRIVATE_HOST:PRIVATE_PORT

# Redirect a special port for ssh to public IP (Mark as redirected)
$IPT_PFWD_MRK_ADD -p tcp -i eth0 --dport PUBLIC_PORT -j MARK --set-mark 1
$IPT_PORT_FWD_ADD -p tcp -i eth0 --dport PUBLIC_PORT -j DNAT --to-destination IP_OF_eth0:PRIVATE_PORT
$IPT_PFWD_MRK_ADD -p udp -i eth0 --dport PUBLIC_PORT -j MARK --set-mark 1
$IPT_PORT_FWD_ADD -p udp -i eth0 --dport PUBLIC_PORT -j DNAT --to-destination IP_OF_eth0:PRIVATE_PORT

##
# Create a chain to specially filter localhost packets
##
$IPTABLES -N localhost_in
$IPTABLES -N localhost_out

IPT_ADD_LO_IN="$IPTABLES -A localhost_in"
IPT_ADD_LO_OUT="$IPTABLES -A localhost_out"

# Allow packets that come in over the localhost interface
$IPT_ADD_LO_IN -i lo -j ACCEPT

# Allow all packets to localhost
$IPT_ADD_LO_OUT -o lo -j ACCEPT

##
# Create a chain to process packets that travel over the internal interface
##
$IPTABLES -N internal_in
$IPTABLES -N internal_out

IPT_ADD_INT_IN="$IPTABLES -A internal_in"
IPT_ADD_INT_OUT="$IPTABLES -A internal_out"

# Singlecast (###FIXME### Add any other local subnets here)
$IPT_ADD_INT_IN -i eth1 -s IP_OF_eth1/NM_OF_eth1 -j RETURN
# Broadcast
$IPT_ADD_INT_IN -i eth1 -s 255.255.255.255/32 -j RETURN
# Multicast
$IPT_ADD_INT_IN -i eth1 -s 224.0.0.0/4 -p ! tcp -j RETURN
# Whoops!!! These packets aren't addressed to us!!!
$IPT_ADD_INT_IN -i eth1 -j LOG --log-prefix "c_40_internal-1: "
$IPT_ADD_INT_IN -i eth1 -j $NOHOST

# Singlecast (###FIXME### Add any other local subnets here)
$IPT_ADD_INT_OUT -o eth1 -d IP_OF_eth1/IP_OF_eth1 -j RETURN
# Broadcast
$IPT_ADD_INT_OUT -o eth1 -d 255.255.255.255/32 -j RETURN
# Multicast
$IPT_ADD_INT_OUT -o eth1 -d 224.0.0.0/4 -p ! tcp -j RETURN
# We can't send packets out of that interface to those addresses!
$IPT_ADD_INT_OUT -o eth1 -j LOG --log-prefix "c_40_internal-2: "
$IPT_ADD_INT_OUT -o eth1 -j DROP

##
# Here are chains for external packets.  Note, these
# ONLY check that the given packet is destined for
# our machine, to try to avoid some spoofing weirdness
# that I probably don't want to get near my machine.
##
$IPTABLES -N external_in
$IPTABLES -N external_out

IPT_ADD_EXT_IN="$IPTABLES -A external_in"
IPT_ADD_EXT_OUT="$IPTABLES -A external_out"

# Singlecast
$IPT_ADD_EXT_IN -i eth0 -d IP_OF_eth0/32 -j RETURN
# Broadcast
$IPT_ADD_EXT_IN -i eth0 -d BC_OF_eth0/32 -j RETURN
$IPT_ADD_EXT_IN -i eth0 -d 255.255.255.255/32 -j RETURN
# Deny everything else
$IPT_ADD_EXT_IN -i eth0 -j LOG --log-prefix "c_80_external-1: "
$IPT_ADD_EXT_IN -i eth0 -j $NOHOST

# Singlecast
$IPT_ADD_EXT_OUT -o eth0 -s IP_OF_eth0/32 -j RETURN
# Broadcast
$IPT_ADD_EXT_OUT -o eth0 -d BC_OF_eth0/32 -j RETURN
$IPT_ADD_EXT_OUT -o eth0 -d 255.255.255.255/32 -j RETURN
# Allow everything else
$IPT_ADD_EXT_OUT -o eth0 -j RETURN

##
# Grunt work chains.  (These allow certain services)
# The ESTABLISHED and RELATED rules allow us to ask
# for and receive dhcp leases, and communicate normally
# with the internet.  A few services are allowed to
# reach the localhost (Redirected SSH, Incoming Mail,
# and DNS) Add anything else you want to.  Services
# that are redirected to other machines never reach
# this stage, and so we can ignore them.  Stuff that
# we don't explicitly authorize should be replied to
# with a no-such-host message, that way, unless they
# connect to the correct ports, we don't exist.  The
# no-such-host messages could be replaced by a simple
# drop by changing the NOHOST variable set at the top
# of this file.
##
$IPTABLES -N external_services_in
$IPTABLES -N external_services_out

IPT_EXT_SRV_IN="$IPTABLES -A external_services_in -i eth0"
IPT_EXT_SRV_OUT="$IPTABLES -A external_services_out -o eth0"

# Allow established and related
$IPT_EXT_SRV_IN -m state --state ESTABLISHED -j RETURN
$IPT_EXT_SRV_IN -m state --state RELATED -j RETURN

# Allow SSH (Only packets marked as being redirected are allowed)
$IPT_EXT_SRV_IN -p tcp --dport 22 -m mark --mark 1/1 -j RETURN
$IPT_EXT_SRV_IN -p udp --dport 22 -m mark --mark 1/1 -j RETURN

# Allow Incoming Mail
$IPT_EXT_SRV_IN -p tcp --dport 25 -j RETURN
$IPT_EXT_SRV_IN -p udp --dport 25 -j RETURN

# Block everything else
$IPT_EXT_SRV_IN -p tcp -j LOG --log-prefix "c_85_ext_srv-1: "
$IPT_EXT_SRV_IN -p tcp -j $NOHOST
$IPT_EXT_SRV_IN -p tcp -j DROP
$IPT_EXT_SRV_IN -p udp -j LOG --log-prefix "c_85_ext_srv-2: "
$IPT_EXT_SRV_IN -p udp -j $NOHOST
$IPT_EXT_SRV_IN -p udp -j DROP

# Allow all outgoing
$IPT_EXT_SRV_OUT -j RETURN

###################
# Chain placement #
###################

##
# Here we add all the chains into the default ones
##
# Forwarding
$IPTABLES -A FORWARD -j ICMP
$IPTABLES -A FORWARD -i eth1 -o eth0 -s IP_OF_eth1/NM_OF_eth1 -j ACCEPT
$IPTABLES -A FORWARD -o eth1 -i eth0 -d IP_OF_eth1/NM_OF_eth1 -j ACCEPT

# Input
$IPTABLES -A INPUT -j ICMP
$IPTABLES -A INPUT -i lo -j localhost_in
$IPTABLES -A INPUT -i eth1 -j internal_in
$IPTABLES -A INPUT -i eth0 -j external_in
$IPTABLES -A INPUT -i eth0 -j external_services_in
$IPTABLES -t mangle -A PREROUTING -j PortFwdMark

# NAT IP-masquerading
$IPTABLES -t nat -A POSTROUTING -s $IF_eth1_IP/$IF_eth1_NM -j MASQUERADE
$IPTABLES -t nat -A PREROUTING -j PortForwarding

# Output
$IPTABLES -A OUTPUT -j ICMP
$IPTABLES -A OUTPUT -o lo -j localhost_out
$IPTABLES -A OUTPUT -o eth0 -j internal_out
$IPTABLES -A OUTPUT -o eth0 -j external_out
$IPTABLES -A OUTPUT -o eth0 -j external_services_out

##
# Renable IP forwarding and automatic IP defragmentation
##
echo '1' > /proc/sys/net/ipv4/ip_forward
echo '1' > /proc/sys/net/ipv4/ip_always_defrag



OK!!! Done with that part!!! For the most part your script looks just fine, but I'd like to post mine so you can see a few extra security related things that I did.

Now on to the BIND config.  This part is fairly simple, but you will need to configure most of it on your own.  I can provide you with some help, though.  You need to set up a subdomain, say, internal.domain.com, and put all the machines in there.  Have your DNS server listen on both the internal and external interfaces, except use acl's to limit access to non-recursive queries from the outside.  Then only respond to queries for *.local.domain.com from hosts inside, again using ACLs.

Hope that Helps,
Kyle Moffett
0
 

Author Comment

by:paddyhaig
ID: 8093549
As I said before, does anyone know a way of doing this without doing any special DNS configuration. Or is the DNS route the only way! I am almost ready to pay the consultant as it seems like he is the only person that believes that he can make it work from a single IPTables based script. Again it does seem interesting that it can be done on a Linksys hardware router but not on a Linux 2 interface router.
0
 
LVL 9

Expert Comment

by:majorwoo
ID: 8094321
now assuming that yourdomain.com resolves to your public IP (from your internal machines) this will work. If it doesnt there are a few other things you can do:

#note eth1 your internal device here
iptables -t nat -A PREROUTING -i eth1 -d 23.456.789.1 -p tcp --dport 80 -j DNAT --to 192.168.2.2:80
iptables -A FORWARD -p tcp --dport 80 -i eth1 -j ACCEPT

basically just rerouting the traffic destined for yourdomain.com to your webserver before it ever leaves your network

either replace 23.456.789.1 with the yourdomain.com
please note from the iptables man page:
(please  note  that specifying any name to be resolved with a remote query such as DNS is a really bad idea)
the reason for this is every packet will force a DNS lookup (waste of bandwidth/resources)


or

determine what 23.456.789.1 DOES resolve to and add that to your iptables rules.

host domainname.com

will find that for you, if you want to automate all of this:

#get the IP that we think domainname.com resolves to
#NOTE: this is avoiding the DNS issue by using whatever
#IP we THINK(even if we are wrong) domainname.com should
#go to
GETIP=`host yourdomain.com | cut -d ' ' -f4`
#again eth1 and route it back to the webserver
iptables -t nat -A PREROUTING -i eth1 -d $GETIP -p tcp --dport 80 -j DNAT --to 192.168.2.2:80
iptables -A FORWARD -p tcp --dport 80 -i eth1 -j ACCEPT

now i see you have other servers running here, you can copy paste this and modify the port number/IP so that each port gets sent where you want it

now having said that the correct way would really be to setup a second named to do this, but as you wanted an iptables script, you got one.
0
 
LVL 9

Expert Comment

by:majorwoo
ID: 8094328
(you may wish to modify this line to also include the -d, that's my fault)

iptables -A FORWARD -d $GETIP -p tcp --dport 80 -i eth1 -j ACCEPT
0
 

Author Comment

by:paddyhaig
ID: 8094836
I feel like we are getting somewhere here! Although I am a little lost at your suggestion above. I would be so very greatfull and be quite willing to send beer tokens if you could copy my original IPTables script as supplied below re-edited with your additions and a short comment and explanation as to what the additions do exactly. Please use the Domain: "IPtablesScript.net" and IP: 123.123.123.123 for where I should put MY Information.
When this script is eventually working as I hope it might, I will post it on my Web site making sure that all credit is given to those that made it so. I will leave the link here.


#!/bin/sh
# description: nat
# chkconfig: 2345 99 00

case "$1" in
'start')
        #!/bin/bash
        # Do iptables based masquerading and firewalling.

        # Set default PATH
        export PATH=/sbin:/usr/sbin:/bin:/usr/bin

        # Load NAT modules
        modprobe iptable_nat
        modprobe ip_nat_ftp
        modprobe ip_nat_irc

        # Load connection-tracking modules
        modprobe ip_conntrack
        modprobe ip_conntrack_ftp
        modprobe ip_conntrack_irc

        # Disable response to broadcasts.
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

        # dOn't accept source routed packets.
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

        # Disable ICMP redirect acceptance.
        echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

        # Enable bad error message protection
        echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

        # Log spoofed packets, source routed packets, redirect packets
        echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

        # Turn on IP forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward


# Clean old iptables
        iptables -F
        iptables -X
        iptables -Z

        # Allow forwarding through the internal interface
        iptables -A FORWARD -i eth1 -j ACCEPT
        iptables -A FORWARD -o eth1 -j ACCEPT
        iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

        # Default forward policy to DROP
        iptables -P FORWARD DROP

        # Do masquerading through eth0
        iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


        # Port Forwarding
        iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.1:22
        iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 222 -j DNAT --to-destination 192.168.0.6:22
        iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.7:21
        # iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.6:25
        iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.6:110
        iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.7:80
        iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.6:8080
        iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 37 -j DNAT --to-destination 192.168.0.1:37 # Time port


        # Firewall Rules

        # Loopback - Allow unlimited traffic
        iptables -A INPUT -i lo -j ACCEPT
        iptables -A OUTPUT -o lo -j ACCEPT

        # SYN-Flooding Protection
        iptables -N syn-flood
        iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
        iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
        iptables -A syn-flood -j DROP

        # Make sure that new TCP connections are SYN packets
        iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

        # Fragments : Don't trust the little buggers. Send 'em to hell.
        iptables -A INPUT -i eth0 -f -j LOG --log-level debug --log-prefix "IPTABLES FRAGMENTS: "
        iptables -A INPUT -i eth0 -f -j DROP

        # Refuse spoofed packets claiming to be the loopback
        iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP

        # Allow BootP/DHCP UDP requests
        iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 67:68 -j ACCEPT

        # DNS
        # Allow UDP and TCP packets in for DNS client from nameservers
        iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
        iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 53 -j ACCEPT
        iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 53 -j ACCEPT


        # SSH
        # allow all sshd incoming connections (including the port fw)
        iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 22 -j ACCEPT
        iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT

        # HTTP
        # allow all http/https incoming/return connections
        iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT
        iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 443 -j ACCEPT

        # FTP
        # allow all ftpd incoming connections
        iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 21 -j ACCEPT

        # Enable active ftp transfers
        iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT

        # Enable passive ftp transfers
        iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

        # Enable ident probes (IRC)
        iptables -t filter -A INPUT -i eth0 -p tcp -d 0/0 --dport 113 -j ACCEPT

        # Allow ICMP in if it is related to other connections
        iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

        # Allow bot traffic through
        iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 8676 -j ACCEPT

        # enable dcc
        iptables -A INPUT -i eth0 -p tcp -m state --state RELATED -j ACCEPT

        # LOGGING:

        # UDP, log & drop
        iptables -A INPUT -i eth0 -p udp -j LOG --log-level debug --log-prefix "IPTABLES UDP-IN: "
        iptables -A INPUT -i eth0 -p udp -j DROP

        # ICMP, log & drop
        iptables -A INPUT -i eth0 -p icmp -j LOG --log-level debug --log-prefix "IPTABLES ICMP-IN: "
        iptables -A INPUT -i eth0 -p icmp -j DROP

        # Windows NetBIOS noise, log & drop
        iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "IPTABLES NETBIOS-IN: "
        iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j DROP

        # IGMP noise, log & drop
        iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: "
        iptables -A INPUT -i eth0 -p 2 -j DROP

        # TCP, log & drop
        iptables -A INPUT -i eth0 -p tcp -j LOG --log-level debug --log-prefix "IPTABLES TCP-IN: "
        iptables -A INPUT -i eth0 -p tcp -j DROP

        # Anything else not allowed, log & drop
        iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "IPTABLES UNKNOWN-IN: "
        iptables -A INPUT -i eth0 -j DROP


      touch /var/lock/subsys/nat
        ;;
'stop')
        rm -f /var/lock/subsys/nat
        ;;
*)
        echo "Usage: $0 { start | stop }"
        ;;
esac
exit 0

0
 
LVL 9

Expert Comment

by:majorwoo
ID: 8094929
#!/bin/sh
# description: nat
# chkconfig: 2345 99 00

case "$1" in
'start')
       #!/bin/bash
       # Do iptables based masquerading and firewalling.

       # Set default PATH
       export PATH=/sbin:/usr/sbin:/bin:/usr/bin

       # Load NAT modules
       modprobe iptable_nat
       modprobe ip_nat_ftp
       modprobe ip_nat_irc

       # Load connection-tracking modules
       modprobe ip_conntrack
       modprobe ip_conntrack_ftp
       modprobe ip_conntrack_irc

       # Disable response to broadcasts.
       echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

       # dOn't accept source routed packets.
       echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

       # Disable ICMP redirect acceptance.
       echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

       # Enable bad error message protection
       echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

       # Log spoofed packets, source routed packets, redirect packets
       echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

       # Turn on IP forwarding
       echo 1 > /proc/sys/net/ipv4/ip_forward


# Clean old iptables
       iptables -F
       iptables -X
       iptables -Z

       # Allow forwarding through the internal interface
       iptables -A FORWARD -i eth1 -j ACCEPT
       iptables -A FORWARD -o eth1 -j ACCEPT
       iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

       # Default forward policy to DROP
       iptables -P FORWARD DROP

       # Do masquerading through eth0
       iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


       # Port Forwarding
       iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.1:22
       iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 222 -j DNAT --to-destination 192.168.0.6:22
       iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.7:21
       # iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.6:25
       iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.6:110
       iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.7:80
       iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.6:8080
       iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 37 -j DNAT --to-destination 192.168.0.1:37 # Time port

#########################################
#########################################
###new section here
#get the IP that we think domainname.com resolves to
#NOTE: this is avoiding the DNS issue by using whatever
#IP we THINK(even if we are wrong) domainname.com should
#go to
GETIP=`host yourdomain.com | cut -d ' ' -f4`
#again eth1 and route it back to the webserver
iptables -t nat -A PREROUTING -i eth1 -d $GETIP -p tcp --dport 80 -j DNAT --to 192.168.2.2:80
iptables -A FORWARD -p tcp --dport 80 -i eth1 -j ACCEPT
####end new section
##########################################
##########################################
       # Firewall Rules

       # Loopback - Allow unlimited traffic
       iptables -A INPUT -i lo -j ACCEPT
       iptables -A OUTPUT -o lo -j ACCEPT

       # SYN-Flooding Protection
       iptables -N syn-flood
       iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
       iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
       iptables -A syn-flood -j DROP

       # Make sure that new TCP connections are SYN packets
       iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

       # Fragments : Don't trust the little buggers. Send 'em to hell.
       iptables -A INPUT -i eth0 -f -j LOG --log-level debug --log-prefix "IPTABLES FRAGMENTS: "
       iptables -A INPUT -i eth0 -f -j DROP

       # Refuse spoofed packets claiming to be the loopback
       iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP

       # Allow BootP/DHCP UDP requests
       iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 67:68 -j ACCEPT

       # DNS
       # Allow UDP and TCP packets in for DNS client from nameservers
       iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
       iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 53 -j ACCEPT
       iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
       iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 53 -j ACCEPT


       # SSH
       # allow all sshd incoming connections (including the port fw)
       iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 22 -j ACCEPT
       iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT

       # HTTP
       # allow all http/https incoming/return connections
       iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
       iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
       iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT
       iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 443 -j ACCEPT

       # FTP
       # allow all ftpd incoming connections
       iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 21 -j ACCEPT

       # Enable active ftp transfers
       iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT

       # Enable passive ftp transfers
       iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

       # Enable ident probes (IRC)
       iptables -t filter -A INPUT -i eth0 -p tcp -d 0/0 --dport 113 -j ACCEPT

       # Allow ICMP in if it is related to other connections
       iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

       # Allow bot traffic through
       iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 8676 -j ACCEPT

       # enable dcc
       iptables -A INPUT -i eth0 -p tcp -m state --state RELATED -j ACCEPT

       # LOGGING:

       # UDP, log & drop
       iptables -A INPUT -i eth0 -p udp -j LOG --log-level debug --log-prefix "IPTABLES UDP-IN: "
       iptables -A INPUT -i eth0 -p udp -j DROP

       # ICMP, log & drop
       iptables -A INPUT -i eth0 -p icmp -j LOG --log-level debug --log-prefix "IPTABLES ICMP-IN: "
       iptables -A INPUT -i eth0 -p icmp -j DROP

       # Windows NetBIOS noise, log & drop
       iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "IPTABLES NETBIOS-IN: "
       iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j DROP

       # IGMP noise, log & drop
       iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: "
       iptables -A INPUT -i eth0 -p 2 -j DROP

       # TCP, log & drop
       iptables -A INPUT -i eth0 -p tcp -j LOG --log-level debug --log-prefix "IPTABLES TCP-IN: "
       iptables -A INPUT -i eth0 -p tcp -j DROP

       # Anything else not allowed, log & drop
       iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "IPTABLES UNKNOWN-IN: "
       iptables -A INPUT -i eth0 -j DROP


     touch /var/lock/subsys/nat
       ;;
'stop')
       rm -f /var/lock/subsys/nat
       ;;
*)
       echo "Usage: $0 { start | stop }"
       ;;
esac
exit 0




if this works as you want for webtraffic we can add a few more lines to get ftp and whatever else to work correctly.
0
 
LVL 9

Expert Comment

by:majorwoo
ID: 8094985
grr once again, i copied the same wrong line: here, i will past the whole thing again so you can just copy/paste


#!/bin/sh
# description: nat
# chkconfig: 2345 99 00

case "$1" in
'start')
      #!/bin/bash
      # Do iptables based masquerading and firewalling.

      # Set default PATH
      export PATH=/sbin:/usr/sbin:/bin:/usr/bin

      # Load NAT modules
      modprobe iptable_nat
      modprobe ip_nat_ftp
      modprobe ip_nat_irc

      # Load connection-tracking modules
      modprobe ip_conntrack
      modprobe ip_conntrack_ftp
      modprobe ip_conntrack_irc

      # Disable response to broadcasts.
      echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

      # dOn't accept source routed packets.
      echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

      # Disable ICMP redirect acceptance.
      echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

      # Enable bad error message protection
      echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

      # Log spoofed packets, source routed packets, redirect packets
      echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

      # Turn on IP forwarding
      echo 1 > /proc/sys/net/ipv4/ip_forward


# Clean old iptables
      iptables -F
      iptables -X
      iptables -Z

      # Allow forwarding through the internal interface
      iptables -A FORWARD -i eth1 -j ACCEPT
      iptables -A FORWARD -o eth1 -j ACCEPT
      iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

      # Default forward policy to DROP
      iptables -P FORWARD DROP

      # Do masquerading through eth0
      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


      # Port Forwarding
      iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 192.168.0.1:22
      iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 222 -j DNAT --to-destination 192.168.0.6:22
      iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.0.7:21
      # iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.0.6:25
      iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 110 -j DNAT --to-destination 192.168.0.6:110
      iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.0.7:80
      iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.0.6:8080
      iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 37 -j DNAT --to-destination 192.168.0.1:37 # Time port

#########################################
#########################################
###new section here
#get the IP that we think domainname.com resolves to
#NOTE: this is avoiding the DNS issue by using whatever
#IP we THINK(even if we are wrong) domainname.com should
#go to
GETIP=`host yourdomain.com | cut -d ' ' -f4`
#again eth1 and route it back to the webserver
iptables -t nat -A PREROUTING -i eth1 -d $GETIP -p tcp --dport 80 -j DNAT --to 192.168.2.2:80
iptables -A FORWARD -d $GETIP -p tcp --dport 80 -i eth1 -j ACCEPT
####end new section
##########################################
##########################################
      # Firewall Rules

      # Loopback - Allow unlimited traffic
      iptables -A INPUT -i lo -j ACCEPT
      iptables -A OUTPUT -o lo -j ACCEPT

      # SYN-Flooding Protection
      iptables -N syn-flood
      iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
      iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
      iptables -A syn-flood -j DROP

      # Make sure that new TCP connections are SYN packets
      iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

      # Fragments : Don't trust the little buggers. Send 'em to hell.
      iptables -A INPUT -i eth0 -f -j LOG --log-level debug --log-prefix "IPTABLES FRAGMENTS: "
      iptables -A INPUT -i eth0 -f -j DROP

      # Refuse spoofed packets claiming to be the loopback
      iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP

      # Allow BootP/DHCP UDP requests
      iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 67:68 -j ACCEPT

      # DNS
      # Allow UDP and TCP packets in for DNS client from nameservers
      iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
      iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 53 -j ACCEPT
      iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
      iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 53 -j ACCEPT


      # SSH
      # allow all sshd incoming connections (including the port fw)
      iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 22 -j ACCEPT
      iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT

      # HTTP
      # allow all http/https incoming/return connections
      iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
      iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
      iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT
      iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 443 -j ACCEPT

      # FTP
      # allow all ftpd incoming connections
      iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 21 -j ACCEPT

      # Enable active ftp transfers
      iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT

      # Enable passive ftp transfers
      iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

      # Enable ident probes (IRC)
      iptables -t filter -A INPUT -i eth0 -p tcp -d 0/0 --dport 113 -j ACCEPT

      # Allow ICMP in if it is related to other connections
      iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

      # Allow bot traffic through
      iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 8676 -j ACCEPT

      # enable dcc
      iptables -A INPUT -i eth0 -p tcp -m state --state RELATED -j ACCEPT

      # LOGGING:

      # UDP, log & drop
      iptables -A INPUT -i eth0 -p udp -j LOG --log-level debug --log-prefix "IPTABLES UDP-IN: "
      iptables -A INPUT -i eth0 -p udp -j DROP

      # ICMP, log & drop
      iptables -A INPUT -i eth0 -p icmp -j LOG --log-level debug --log-prefix "IPTABLES ICMP-IN: "
      iptables -A INPUT -i eth0 -p icmp -j DROP

      # Windows NetBIOS noise, log & drop
      iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "IPTABLES NETBIOS-IN: "
      iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j DROP

      # IGMP noise, log & drop
      iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix "IPTABLES IGMP-IN: "
      iptables -A INPUT -i eth0 -p 2 -j DROP

      # TCP, log & drop
      iptables -A INPUT -i eth0 -p tcp -j LOG --log-level debug --log-prefix "IPTABLES TCP-IN: "
      iptables -A INPUT -i eth0 -p tcp -j DROP

      # Anything else not allowed, log & drop
      iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "IPTABLES UNKNOWN-IN: "
      iptables -A INPUT -i eth0 -j DROP


    touch /var/lock/subsys/nat
      ;;
'stop')
      rm -f /var/lock/subsys/nat
      ;;
*)
      echo "Usage: $0 { start | stop }"
      ;;
esac
exit 0


sorry about that... again ;-)
0
 

Author Comment

by:paddyhaig
ID: 8095376
I just killed my Cisco 3500 Catalyst switch. Whilst trying to upgrade the management software. As soon as I get it fixed I will test this script. Thanks for all your help.
I think you have the 500 points coming.
0
 
LVL 9

Expert Comment

by:majorwoo
ID: 8095391
heh - I'll be rich ;-)

you can copy/paste these lines to add the same functionality for your ftp server (i saw you were running one from your iptables script)

iptables -t nat -A PREROUTING -i eth1 -d $GETIP -p tcp --dport 21 -j DNAT --to 192.168.2.7:21
iptables -A FORWARD -d $GETIP -p tcp --dport 21 -i eth1 -j ACCEPT


just in case you didnt notice this, i user 192.168.2.2 on accident on the script i sent you, your webserver was 2.7 but  you seem to know enough to have seen that ;-)

Sorry about that (again, again, and now again)
0
 
LVL 1

Accepted Solution

by:
-CrashOverride- earned 2000 total points
ID: 8100396
go over the settings again and enable local axsess
0

Featured Post

Simple, centralized multimedia control

Watch and learn to see how ATEN provided an easy and effective way for three jointly-owned pubs to control the 60 televisions located across their three venues utilizing the ATEN Control System, Modular Matrix Switch and HDBaseT extenders.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have seen several blogs and forum entries elsewhere state that because NTFS volumes do not support linux ownership or permissions, they cannot be used for anonymous ftp upload through the vsftpd program.   IT can be done and here's how to get i…
Note: for this to work properly you need to use a Cross-Over network cable. 1. Connect both servers S1 and S2 on the second network slots respectively. Note that you can use the 1st slots but usually these would be occupied by the Service Provide…
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Suggested Courses
Course of the Month10 days, 4 hours left to enroll

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question