
Re: Re: Iptables with NAT question [2]



Okay, since I don't know the specific part of the rules that you're
looking for, I'll just attach what I've got. Sorry if you don't like
attachments. Thanks in advance for your help!
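#!/bin/sh
#
# Flush and rebuild an iptables firewall with NAT for a small internal
# network: default-DROP policies on INPUT/OUTPUT/FORWARD, a user chain
# "drop-and-log-it" for rejected traffic, MASQUERADE for outbound
# traffic, and a DNAT port forward of TCP/80 on the external address to
# an internal web server ($WEBIP).
#
# Must run as root. Takes no arguments; all settings are the variables
# below. Writes progress messages to stdout, errors to stderr.

IPTABLES=/sbin/iptables
EXTIF="eth0"
INTIF="eth0"
# NOTE(review): EXTIF and INTIF name the same interface here. Several
# rules below rely on -i/-o to tell "outside" from "inside" (the
# anti-spoofing rule in INPUT, the direction-based FORWARD rules); with
# a single interface those rules cannot make that distinction. Confirm
# this is the intended topology.

# External address, parsed from ifconfig output. Assumes the classic
# "inet addr:a.b.c.d" output format; checked for emptiness below.
EXTIP=$(/sbin/ifconfig "$EXTIF" | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://')
INTNET="192.168.1.0/255.255.255.0"
# Was written 'INTIP ="..."' (space before '='), which the shell runs as
# a command named INTIP rather than an assignment. Not used by any rule.
INTIP="192.168.1.1/255.255.255.0"
UNIVERSE="0.0.0.0/0"
LSMOD=/sbin/lsmod
GREP=/bin/grep
AWK=/bin/awk
WEBIP="192.168.1.2"

# Every rule that uses -s/-d "$EXTIP" is malformed when the lookup above
# returns nothing (interface down, different ifconfig format). Refuse to
# load a half-built ruleset rather than apply it with holes.
if [ -z "$EXTIP" ]; then
  echo "Could not determine the IP address of $EXTIF; aborting." >&2
  exit 1
fi

echo "   External Interface: $EXTIF"
echo "	 External IP: $EXTIP"
echo "   Internal Interface: $INTIF"
printf '%s' "   Enabling IP forwarding... "
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "done."

echo "   Clearing any existing rules and setting defaults to DROP..."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

# Flush the user chain if it exists. -X below only removes chains that
# are empty, so the flush has to come first. -n avoids DNS lookups while
# listing; the exit status of "-L <chain>" tells us whether it exists.
if $IPTABLES -n -L drop-and-log-it >/dev/null 2>&1; then
  $IPTABLES -F drop-and-log-it
fi

# Delete all user-specified chains
$IPTABLES -X

# Reset all IPTABLES counters
$IPTABLES -Z

# Chain for later use: log, then drop. The LOG rule is unlimited; on a
# noisy link consider adding "-m limit" to keep the kernel log readable.
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j DROP

echo "   Loading INPUT rulesets"

# loopback
$IPTABLES -A INPUT -i lo -s "$UNIVERSE" -d "$UNIVERSE" -j ACCEPT

# local stuff going anywhere is valid
$IPTABLES -A INPUT -i "$INTIF" -s "$INTNET" -d "$UNIVERSE" -j ACCEPT

# drop-and-log-it for all remote spoofers (only effective when EXTIF
# differs from INTIF; see the note at the top)
$IPTABLES -A INPUT -i "$EXTIF" -s "$INTNET" -d "$UNIVERSE" -j drop-and-log-it

# allow any related traffic coming back to the masq server
$IPTABLES -A INPUT -i "$EXTIF" -s "$UNIVERSE" -d "$EXTIP" -m state --state ESTABLISHED,RELATED -j ACCEPT

# For a www server on this host. While the PREROUTING DNAT rule below is
# active, inbound packets to $EXTIP:80 have their destination rewritten
# to $WEBIP before they reach INPUT, so this rule will not match them;
# it only matters if the port forward is removed.
$IPTABLES -A INPUT -i "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED -p tcp -s "$UNIVERSE" -d "$EXTIP" --dport 80 -j ACCEPT

# all other incoming is denied and logged
$IPTABLES -A INPUT -s "$UNIVERSE" -d "$UNIVERSE" -j drop-and-log-it

echo "   Loading OUTPUT rulesets"

# loopback valid
$IPTABLES -A OUTPUT -o lo -s "$UNIVERSE" -d "$UNIVERSE" -j ACCEPT

# local interfaces - going to local net is valid
$IPTABLES -A OUTPUT -o "$INTIF" -s "$EXTIP" -d "$INTNET" -j ACCEPT

# outgoing to local net on remote interface, stuffed routing, deny
$IPTABLES -A OUTPUT -o "$EXTIF" -s "$UNIVERSE" -d "$INTNET" -j drop-and-log-it

# anything else outgoing on remote iface is valid
$IPTABLES -A OUTPUT -o "$EXTIF" -s "$EXTIP" -d "$UNIVERSE" -j ACCEPT

# catch all rule, all other outgoing is denied and logged
$IPTABLES -A OUTPUT -s "$UNIVERSE" -d "$UNIVERSE" -j drop-and-log-it

echo "   Loading FORWARD rulesets"

echo "      Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT

# Port forwarding, FORWARD half. Inbound TCP/80 has already been
# rewritten to $WEBIP by the PREROUTING DNAT rule further down, so match
# on that destination only. This rule MUST precede the catch-all
# drop-and-log-it below: the original script appended it after the
# catch-all, where it could never match, because iptables stops at the
# first terminating target in a chain.
$IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$WEBIP" --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# catch all, all other forwarding is denied and logged
$IPTABLES -A FORWARD -j drop-and-log-it

# Enabling SNAT (MASQ) functionality on $EXTIF
$IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
# stricter form:
#$IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j SNAT --to "$EXTIP"

# Port forwarding, NAT half: rewrite TCP/80 arriving for $EXTIP to the
# internal web server. Note there is no -i restriction, so the rewrite
# also applies to internal clients addressing $EXTIP:80.
$IPTABLES -A PREROUTING -t nat -p tcp -d "$EXTIP" --dport 80 -j DNAT --to "$WEBIP:80"

printf '%s' "   Saving configuration to active state... "
/etc/init.d/iptables save_active
echo "done."

echo "Configuring iptables finished."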
