
NEWBIE 'S FIREWALL



Hallo debian-firewall@lists.debian.org 's world!
I'm Valerio from Rome, Italy.

I've set up some firewall scripts on a few Debian servers at university, at
work and at home.
Could you please have a look at my scripts and let me know your suggestions?

And a second question: is there any utility for managing firewall rules, like
shorewall, in Debian (2.4.18 kernel)? (Please don't hurt me: I don't know yet
how to rebuild a kernel. I'll study it. Sigh!)

I'm sorry for my bad bad english!

Thanks,
Valerio


------------------------------------------------------------
------------------------------------------------------------
SCRIPT CONCEPT:
---
ocb_networking.sh is linked in /etc/init.d/ with a
 #> ln -s /etc/ocb_networking/ocb_networking.sh /etc/init.d/ocb_networking
and made bootable with
 #> update-rc.d ocb_networking defaults

it will call firewall.sh and masquerade.sh .
------------------------------------------------------------
------------------------------------------------------------


------------------------------------------------------------
------------------------------------------------------------
FILE OCB_NETWORKING.SH
---
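#!/bin/sh
#
# byOCB-mag04: firewall and masquerade definitions with iptables
#
# Init-script wrapper around /etc/ocb_networking/firewall.sh and
# /etc/ocb_networking/masquerade.sh.
# Usage: ocb_networking {start|stop|restart|status|mlist}
#
# Check that networking is up.
# NOTE(review): NETWORKING is not set or sourced anywhere in this script, so
# this test only matches when the caller's environment provides the variable.

[ "XXXX${NETWORKING}" = "XXXXno" ] && exit 0

[ -x /sbin/ifconfig ] || exit 0

# The location of various iptables and other shell programs
#
IPTABLES=/sbin/iptables


# See how we were called.
case "$1" in
  start)
    # Filter rules are installed first, NAT and forwarding second.
    /etc/ocb_networking/firewall.sh
    /etc/ocb_networking/masquerade.sh
    ;;

  stop)
    # printf instead of "echo -e": -e is not portable under #!/bin/sh.
    printf '\nFlushing firewall and setting default policies to CLEAR\n\n'
    # NOTE(review): "stop" fails open. Going by the message above, the
    # distribution script resets the policies, and nothing here writes 0
    # back to /proc/sys/net/ipv4/ip_forward (masquerade.sh sets it to 1),
    # so after "stop" the host presumably keeps routing with no filtering.
    # "restart" passes through the same state between stop and start.
    # The commented block below is the fail-closed alternative.
    /etc/init.d/iptables clear

    #echo -e "\nFlushing firewall and setting default policies to DROP\n"
    #$IPTABLES -P INPUT DROP
    #$IPTABLES -F INPUT
    #$IPTABLES -P OUTPUT DROP
    #$IPTABLES -F OUTPUT
    #$IPTABLES -P FORWARD DROP
    #$IPTABLES -F FORWARD
    #$IPTABLES -F -t nat
    # Delete all User-specified chains
    #$IPTABLES -X
    #
    # Reset all IPTABLES counters
    #$IPTABLES -Z
    ;;

  restart)
    # Quoted so an install path containing spaces still re-invokes us.
    "$0" stop
    "$0" start
    ;;

  status)
    # Lists the filter table only; the nat table is not shown.
    "$IPTABLES" -L
    ;;

  mlist)
    # Dump the connection-tracking table (includes masqueraded flows).
    cat /proc/net/ip_conntrack
    ;;

  *)
    echo "Usage: ocb_networking {start|stop|restart|status|mlist}"
    exit 1
    ;;
esac

exit 0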
------------------------------------------------------------
------------------------------------------------------------

------------------------------------------------------------
------------------------------------------------------------
FILE FIREWALL.SH
---
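#!/bin/sh
#
# firewall.sh: rebuilds the filter-table INPUT rules.
# Run by "ocb_networking start", before masquerade.sh.

# printf instead of "echo -n": -n is not portable under #!/bin/sh.
printf '%s' "ocb_networking: starting FireWall"

#####################################################################
#####################################################################
EXT_IF="eth0"
INT_IF="eth1"
#####################################################################
#####################################################################

# ip for the external interface (assuming EXT_IF is the external)
# "inet addr:" rather than "addr:" so an "inet6 addr:" line is never picked up.
EXT_IP=$(ifconfig "$EXT_IF" | grep "inet addr:" | cut -d: -f 2 | cut -d\  -f1)
# external netmask
EXT_MASK=$(ifconfig "$EXT_IF" | grep "Mask:" | cut -d: -f4)

# ip for the internal interface (assuming INT_IF is the internal)
INT_IP=$(ifconfig "$INT_IF" | grep "inet addr:" | cut -d: -f 2 | cut -d\  -f1)
# internal netmask
INT_MASK=$(ifconfig "$INT_IF" | grep "Mask:" | cut -d: -f4)

# the gateway ip
GATEWAY=$(route -n | grep "^0.0.0.0" | sed -e "s/ \+/ /g" | cut -d\  -f2)

# the path to the iptables command if needed
FW=/sbin/iptables

# An interface that is down or missing leaves these empty, which turns
# INT_NET/EXT_NET into "/" and makes every rule that uses them fail.
# Say so instead of leaving only iptables errors behind.
if [ -z "$EXT_IP" ] || [ -z "$INT_IP" ]; then
  echo "firewall.sh: no address found for $EXT_IF or $INT_IF" >&2
fi

printf '.' #progress marker

# set the network address
INT_NET="$INT_IP/$INT_MASK"
EXT_NET="$EXT_IP/$EXT_MASK"
printf '.' #progress marker

# flush the filter table: -F removes all rules, -X deletes the user-defined
# chains. Neither touches the chain policies, so whatever policy was in
# force before this script ran stays in force.
$FW -t filter -F
$FW -t filter -X
printf '.' #progress marker

#####################################################################
#setup the logging chain
# Every packet sent to LOGDROP is logged once by protocol (and once more if
# it is a fragment), then dropped.
# NOTE(review): the LOG rules carry no "-m limit", so a port sweep or flood
# is written to syslog packet by packet; consider rate-limiting them.
$FW -N LOGDROP 2>/dev/null
$FW -A LOGDROP -p TCP -j LOG --log-level 7 --log-prefix "TCP Drop "
$FW -A LOGDROP -p UDP -j LOG --log-level 7 --log-prefix "UDP Drop "
$FW -A LOGDROP -p ICMP -j LOG --log-level 7 --log-prefix "ICMP Drop "
$FW -A LOGDROP -f -j LOG --log-level 7 --log-prefix "FRAG Drop "
$FW -A LOGDROP -j DROP
printf '.' #progress marker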


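#####################################################################
# things to always allow
# this will enable all localhost connections
$FW -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT

#####################################################################
#some people that we will never allow
#scanning host for @home
#$FW -A INPUT -p ALL -s 24.0.0.203 -j LOGDROP

#####################################################################
#####################################################################
# things that we want to accept from anywhere
#
# Comment tails that the mailer had wrapped onto their own lines are joined
# back onto their rule below; left wrapped, the shell runs them as commands
# and the first one (the FTP rule's "... (tcp)") is a syntax error.
#
# NOTE(review): this script only drops destination ports 1-1024 and sets no
# chain policy, so with an ACCEPT policy the high-port rules in this section
# (4662, 4080, 5901, ...) change nothing: those ports are reachable anyway.

#ECHO
#[tcp:7; udp:7]
#$FW -A INPUT -p tcp -s 0/0 --dport 7 -j ACCEPT
#$FW -A INPUT -p udp -s 0/0 --dport 7 -j ACCEPT
#

#DISCARD
#[tcp:9; udp:9]
#$FW -A INPUT -p tcp -s 0/0 --dport 9 -j ACCEPT
#$FW -A INPUT -p udp -s 0/0 --dport 9 -j ACCEPT
#

#DAYTIME
#[tcp:13; udp:13]
#$FW -A INPUT -p tcp -s 0/0 --dport 13 -j ACCEPT
#$FW -A INPUT -p udp -s 0/0 --dport 13 -j ACCEPT
#

#FTP File Transfer
#[tcp:20=DefaultData;tcp:21=Control]
#$FW -A INPUT -p tcp -s 0/0 --dport 21 -j ACCEPT # ftp control/passiveTransfer traffic (tcp)
#$FW -A INPUT -p tcp -s 0/0 --dport 20 -j ACCEPT # ftp traffic (tcp)
#

#SSH remote Secure SHell
#[tcp:22]
$FW -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
#

#TELNET
#[tcp:23]
#$FW -A INPUT -p tcp -s 0/0 --dport 23 -j ACCEPT
#

#SMTP Simple Mail Transfer
#[tcp:25]
#$FW -A INPUT -p tcp -s 0/0 --dport 25 -j ACCEPT
#

#TIME
#[tcp:37; udp:37]
#$FW -A INPUT -p tcp -s 0/0 --dport 37 -j ACCEPT
#$FW -A INPUT -p udp -s 0/0 --dport 37 -j ACCEPT
#

#NAMESERVER Host Name Server
#[tcp:42]
#$FW -A INPUT -p tcp -s 0/0 --dport 42 -j ACCEPT
#

#DOMAIN Domain Name Server (DNS)
#[tcp:53; udp:53]
#$FW -A INPUT -p tcp -s 0/0 --dport 53 -j ACCEPT
#$FW -A INPUT -p udp -s 0/0 --dport 53 -j ACCEPT
#

#BOOTPS Bootstrap Protocol Server
#[udp:67]
#$FW -A INPUT -p udp -s 0/0 --dport 67 -j ACCEPT
#

#BOOTPC Bootstrap Protocol Client
#[udp:68]
#$FW -A INPUT -p udp -s 0/0 --dport 68 -j ACCEPT
#

# DHCP server
#[udp:67]
# NOTE(review): accepted from any source and on any interface, so the DHCP
# server port is also open on the external side; adding "-i $INT_IF" would
# confine it to the internal network.
$FW -A INPUT -p udp -s 0/0 --dport 67 -j ACCEPT
# DHCP runs over UDP only, so the tcp/68 rule matched no DHCP traffic and
# merely opened tcp/68 to everyone. Disabled; the BOOTPC rule above is the
# udp/68 form if a DHCP client on this host needs it.
#$FW -A INPUT -p tcp -s 0/0 --dport 68 -j ACCEPT
#

#TFTP Trivial File Transfer Protocol
#[udp:69]
#$FW -A INPUT -p udp -s 0/0 --dport 69 -j ACCEPT
#

#HTTP
#[tcp:80=http;tcp:446=https]
# NOTE(review): the standard HTTPS port is 443; confirm 446 before enabling.
#$FW -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT # httpd
#$FW -A INPUT -p tcp -s 0/0 --dport 446 -j ACCEPT # httpd ssl
#

# POP Mail Server
#[tcp:109=oldPop;tcp:110=POP3]
#$FW -A INPUT -p tcp -s 0/0 --dport 109 -j ACCEPT # old pop
#$FW -A INPUT -p tcp -s 0/0 --dport 110 -j ACCEPT # pop3
#

#AUTH Authentication Service
#[tcp:113]
#$FW -A INPUT -p tcp -s 0/0 --dport 113 -j ACCEPT # ident request
#

#NTP Network Time Protocol
#[udp:123]
#$FW -A INPUT -p udp -s 0/0 --dport 123 -j ACCEPT
#

#NETBIOS File-Sharing with Samba or similar
#[udp:137=NS,NameService;udp:138=DGM,DatagramService;tcp:139=SSN,SessionService]
#$FW -A INPUT -p udp -s 0/0 --dport 137 -j ACCEPT # netbios-ns
#$FW -A INPUT -p udp -s 0/0 --dport 138 -j ACCEPT # netbios-dgm
#$FW -A INPUT -p tcp -s 0/0 --dport 139 -j ACCEPT # netbios-ssn
#

#SNMP Simple Network Mgmt. Protocol
#[udp:126=SNMP;udp:161=SNMP_Q/R;udp:162=SNMP-Trap,EventTraps]
#$FW -A INPUT -p udp -s 0/0 --dport 126 -j ACCEPT # SNMP
#$FW -A INPUT -p udp -s 0/0 --dport 161 -j ACCEPT # Q/R
#$FW -A INPUT -p udp -s 0/0 --dport 162 -j ACCEPT # Event Traps
#

#SYSLOG
#[udp:514]
#$FW -A INPUT -p udp -s 0/0 --dport 514 -j ACCEPT
#

#TALK Two User Interaction
#[udp:517]
#$FW -A INPUT -p udp -s 0/0 --dport 517 -j ACCEPT
#

#RIP Routing Information Protocol
#[udp:520]
#$FW -A INPUT -p udp -s 0/0 --dport 520 -j ACCEPT
#

#TIMED Time Server
#[udp:525]
#$FW -A INPUT -p udp -s 0/0 --dport 525 -j ACCEPT
#

#SWAT Samba configuration via web
#[tcp:901]
#$FW -A INPUT -p tcp -s 0/0 --dport 901 -j ACCEPT # swat
#

# MLDonkey File-Sharing
#[tcp:4662=traffic/control;udp:4662=traffic/control]
#[tcp:4002=chat]
#[tcp:4080=WebInterface;tcp:4000=TelnetInterface;tcp:4001=GuiInterface]
#[tcp:1214=FT;tcp:4444=DirectConnect;tcp:6882=BitTorrent;tcp:9999=OpenNap;tcp:14402=Overnet]
# NOTE(review): 4080 is the MLDonkey web (control) interface and is accepted
# from anywhere here; the internal-net section has its own 4080 rule, so
# this one is probably not needed.
 $FW -A INPUT -p tcp -s 0/0 --dport  4662 -j ACCEPT # traffic/control (tcp)
 $FW -A INPUT -p udp -s 0/0 --dport  4662 -j ACCEPT # traffic/control (udp)
 $FW -A INPUT -p tcp -s 0/0 --dport  4002 -j ACCEPT # chat
#$FW -A INPUT -p tcp -s 0/0 --dport  4000 -j ACCEPT # telnet interface
#$FW -A INPUT -p tcp -s 0/0 --dport  4001 -j ACCEPT # GUI interface
 $FW -A INPUT -p tcp -s 0/0 --dport  4080 -j ACCEPT # web interface
 $FW -A INPUT -p tcp -s 0/0 --dport  1214 -j ACCEPT # FT traffic (default:disabled)
#$FW -A INPUT -p tcp -s 0/0 --dport  4444 -j ACCEPT # DirectConnect traffic (default:disabled)
 $FW -A INPUT -p tcp -s 0/0 --dport  6882 -j ACCEPT # BitTorrent traffic (default:Enabled)
#$FW -A INPUT -p tcp -s 0/0 --dport  9999 -j ACCEPT # Opennap traffic (default:disabled)
 $FW -A INPUT -p tcp -s 0/0 --dport 14402 -j ACCEPT # overnet traffic (default:disabled)
#

#VNC VNC Virtual Network Computer
#[tcp:5900=display0-viewer;tcp:5800=display0-http]
#[tcp:5901=display1-viewer;tcp:5801=display1-http]
#[tcp:5902=display2-viewer;tcp:5802=display2-http]
# NOTE(review): display :1 is accepted from any source address. VNC is
# better reached through the SSH port already opened above than exposed
# directly; otherwise restrict the rule with "-s <trusted address>".
#$FW -A INPUT -p tcp -s 0/0 --dport 5900 -j ACCEPT # :0 viewer
#$FW -A INPUT -p tcp -s 0/0 --dport 5800 -j ACCEPT # :0 http
 $FW -A INPUT -p tcp -s 0/0 --dport 5901 -j ACCEPT # :1 viewer
#$FW -A INPUT -p tcp -s 0/0 --dport 5801 -j ACCEPT # :1 http
#$FW -A INPUT -p tcp -s 0/0 --dport 5902 -j ACCEPT # :2 viewer
#$FW -A INPUT -p tcp -s 0/0 --dport 5802 -j ACCEPT # :2 http
#

#MYSQL
#[tcp:3306]
#$FW -A INPUT -p tcp -s 0/0 --dport 3306 -j ACCEPT
#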

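#####################################################################
#####################################################################
# things that we want to accept from internal net
#
# Comment tails that the mailer had wrapped onto their own lines are joined
# back onto their rule below; left wrapped, the shell runs them as commands.
#
# NOTE(review): these rules trust the source address alone. Without
# "-i $INT_IF" a packet that arrives on the external interface with a forged
# internal source address matches them too. Adding "-i $INT_IF" to each rule
# (or dropping INT_NET sources seen on EXT_IF first) closes that.
#
# NOTE(review): this script only drops destination ports 1-1024, so the
# high-port rules here (3306, 4080) restrict nothing unless the chain
# policy is DROP: those ports are reachable from any source anyway.

#ECHO
#[tcp:7; udp:7]
#$FW -A INPUT -p tcp -s $INT_NET --dport 7 -j ACCEPT
#$FW -A INPUT -p udp -s $INT_NET --dport 7 -j ACCEPT
#

#DISCARD
#[tcp:9; udp:9]
#$FW -A INPUT -p tcp -s $INT_NET --dport 9 -j ACCEPT
#$FW -A INPUT -p udp -s $INT_NET --dport 9 -j ACCEPT
#

#DAYTIME
#[tcp:13; udp:13]
#$FW -A INPUT -p tcp -s $INT_NET --dport 13 -j ACCEPT
#$FW -A INPUT -p udp -s $INT_NET --dport 13 -j ACCEPT
#

#FTP File Transfer
#[tcp:20=DefaultData;tcp:21=Control]
#$FW -A INPUT -p tcp -s $INT_NET --dport 21 -j ACCEPT # ftp control/passiveTransfer traffic (tcp)
#$FW -A INPUT -p tcp -s $INT_NET --dport 20 -j ACCEPT # ftp traffic (tcp)
#

#SSH remote Secure SHell
#[tcp:22]
$FW -A INPUT -p tcp -s $INT_NET --dport 22 -j ACCEPT
#

#TELNET
#[tcp:23]
#$FW -A INPUT -p tcp -s $INT_NET --dport 23 -j ACCEPT
#

#SMTP Simple Mail Transfer
#[tcp:25]
#$FW -A INPUT -p tcp -s $INT_NET --dport 25 -j ACCEPT
#

#TIME
#[tcp:37; udp:37]
#$FW -A INPUT -p tcp -s $INT_NET --dport 37 -j ACCEPT
#$FW -A INPUT -p udp -s $INT_NET --dport 37 -j ACCEPT
#

#NAMESERVER Host Name Server
#[tcp:42]
#$FW -A INPUT -p tcp -s $INT_NET --dport 42 -j ACCEPT
#

#DOMAIN Domain Name Server (DNS)
#[tcp:53; udp:53]
#$FW -A INPUT -p tcp -s $INT_NET --dport 53 -j ACCEPT
 $FW -A INPUT -p udp -s $INT_NET --dport 53 -j ACCEPT
#

#BOOTPS Bootstrap Protocol Server
#[udp:67]
#$FW -A INPUT -p udp -s $INT_NET --dport 67 -j ACCEPT
#

#BOOTPC Bootstrap Protocol Client
#[udp:68]
#$FW -A INPUT -p udp -s $INT_NET --dport 68 -j ACCEPT
#

# DHCP server
#[udp:67]
 $FW -A INPUT -p udp -s $INT_NET --dport 67 -j ACCEPT
# DHCP runs over UDP only, so the tcp/68 rule matched no DHCP traffic.
# Disabled; the BOOTPC rule above is the udp/68 form if it is ever needed.
#$FW -A INPUT -p tcp -s $INT_NET --dport 68 -j ACCEPT
#

#TFTP Trivial File Transfer Protocol
#[udp:69]
#$FW -A INPUT -p udp -s $INT_NET --dport 69 -j ACCEPT
#

#HTTP
#[tcp:80=http;tcp:446=https]
# NOTE(review): the standard HTTPS port is 443; confirm 446 before enabling.
#$FW -A INPUT -p tcp -s $INT_NET --dport 80 -j ACCEPT # httpd
#$FW -A INPUT -p tcp -s $INT_NET --dport 446 -j ACCEPT # httpd ssl
#

# POP Mail Server
#[tcp:109=oldPop;tcp:110=POP3]
#$FW -A INPUT -p tcp -s $INT_NET --dport 109 -j ACCEPT # old pop
#$FW -A INPUT -p tcp -s $INT_NET --dport 110 -j ACCEPT # pop3
#

#AUTH Authentication Service
#[tcp:113]
#$FW -A INPUT -p tcp -s $INT_NET --dport 113 -j ACCEPT # ident request
#

#NTP Network Time Protocol
#[udp:123]
#$FW -A INPUT -p udp -s $INT_NET --dport 123 -j ACCEPT
#

#NETBIOS File-Sharing with Samba or similar
#[udp:137=NS,NameService;udp:138=DGM,DatagramService;tcp:139=SSN,SessionService]
 $FW -A INPUT -p udp -s $INT_NET --dport 137 -j ACCEPT # netbios-ns
 $FW -A INPUT -p udp -s $INT_NET --dport 138 -j ACCEPT # netbios-dgm
 $FW -A INPUT -p tcp -s $INT_NET --dport 139 -j ACCEPT # netbios-ssn
#


#SNMP Simple Network Mgmt. Protocol
#[udp:126=SNMP;udp:161=SNMP_Q/R;udp:162=SNMP-Trap,EventTraps]
# NOTE(review): SNMP queries normally use udp/161 and traps udp/162;
# confirm that something on this host really needs udp/126.
 $FW -A INPUT -p udp -s $INT_NET --dport 126 -j ACCEPT # SNMP
 $FW -A INPUT -p udp -s $INT_NET --dport 161 -j ACCEPT # Q/R
 $FW -A INPUT -p udp -s $INT_NET --dport 162 -j ACCEPT # Event Traps
#

#SYSLOG
#[udp:514]
 $FW -A INPUT -p udp -s $INT_NET --dport 514 -j ACCEPT
#

#TALK Two User Interaction
#[udp:517]
 $FW -A INPUT -p udp -s $INT_NET --dport 517 -j ACCEPT
#

#RIP Routing Information Protocol
#[udp:520]
#$FW -A INPUT -p udp -s $INT_NET --dport 520 -j ACCEPT
#

#TIMED Time Server
#[udp:525]
 $FW -A INPUT -p udp -s $INT_NET --dport 525 -j ACCEPT
#

#SWAT Samba configuration via web
#[tcp:901]
 $FW -A INPUT -p tcp -s $INT_NET --dport 901 -j ACCEPT # swat
#

# MLDonkey File-Sharing
#[tcp:4080=WebInterface;tcp:4000=TelnetInterface;tcp:4001=GuiInterface]
#$FW -A INPUT -p tcp -s $INT_NET --dport  4000 -j ACCEPT # telnet interface
#$FW -A INPUT -p tcp -s $INT_NET --dport  4001 -j ACCEPT # GUI interface
 $FW -A INPUT -p tcp -s $INT_NET --dport  4080 -j ACCEPT # web interface
#

#VNC VNC Virtual Network Computer
#[tcp:5900=display0-viewer;tcp:5800=display0-http]
#[tcp:5901=display1-viewer;tcp:5801=display1-http]
#[tcp:5902=display2-viewer;tcp:5802=display2-http]
#$FW -A INPUT -p tcp -s $INT_NET --dport 5900 -j ACCEPT # :0 viewer
#$FW -A INPUT -p tcp -s $INT_NET --dport 5800 -j ACCEPT # :0 http
#$FW -A INPUT -p tcp -s $INT_NET --dport 5901 -j ACCEPT # :1 viewer
#$FW -A INPUT -p tcp -s $INT_NET --dport 5801 -j ACCEPT # :1 http
#$FW -A INPUT -p tcp -s $INT_NET --dport 5902 -j ACCEPT # :2 viewer
#$FW -A INPUT -p tcp -s $INT_NET --dport 5802 -j ACCEPT # :2 http
#

#MYSQL
#[tcp:3306]
 $FW -A INPUT -p tcp -s $INT_NET --dport 3306 -j ACCEPT
#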


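#####################################################################
# block everything else in the low port range.
# NOTE(review): only destination ports 1-1024 are dropped, and no chain
# policy (-P) is set anywhere in this script. With an ACCEPT policy every
# port above 1024 stays reachable from any source, listed above or not
# (3306, 5900, ...). Moving to "-P INPUT DROP" first needs a rule that
# accepts ESTABLISHED,RELATED traffic, or the replies to this host's own
# outgoing connections are dropped as well.
$FW -A INPUT -p tcp -s 0/0 --dport 1:1024 -j LOGDROP
$FW -A INPUT -p udp -s 0/0 --dport 1:1024 -j LOGDROP


#####################################################################
# extras to block to the outside
#$FW -A INPUT -p tcp -s 0/0 --dport 3306 -j LOGDROP
#$FW -A INPUT -p udp -s 0/0 --dport 3306 -j LOGDROP

#####################################################################
# a spot of flood defense
# The limit match accepts ICMP up to the given rate and simply stops
# matching above it. Packets over the rate then fall through to the chain
# policy, so the explicit DROP is what actually enforces the limit.
# Plain DROP rather than LOGDROP: logging every flood packet would move the
# flood into syslog.
$FW -A INPUT -m limit --limit 1/second -p icmp -j ACCEPT
$FW -A INPUT -p icmp -j DROP
printf '.' #progress marker

printf '%s\n' "done" #progress marker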
------------------------------------------------------------
------------------------------------------------------------


------------------------------------------------------------
------------------------------------------------------------
FILE MASQUERADE.SH
---
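#!/bin/sh
#
# masquerade.sh: rebuilds the nat table (SNAT for the internal network plus
# the port forwards below) and turns on IP forwarding.
# Run by "ocb_networking start", after firewall.sh.
#
# NOTE(review): firewall.sh only adds INPUT rules, and nothing in either
# script touches the FORWARD chain, so routed traffic (including the DNAT
# forwards below) is filtered only by whatever the FORWARD policy is.

# printf instead of "echo -n": -n is not portable under #!/bin/sh.
printf '%s' "ocb_networking: starting Masquerading"

#####################################################################
#####################################################################
EXT_IF="eth0"
INT_IF="eth1"
#####################################################################
#####################################################################

#####################################################################
# variables and stuff

# ip for the external interface
# "inet addr:" rather than "addr:" so an "inet6 addr:" line is never picked up.
EXT_IP=$(ifconfig "$EXT_IF" | grep "inet addr:" | cut -d: -f 2 | cut -d\  -f1)
# external netmask
EXT_MASK=$(ifconfig "$EXT_IF" | grep "Mask:" | cut -d: -f4)

# ip for the internal interface
INT_IP=$(ifconfig "$INT_IF" | grep "inet addr:" | cut -d: -f 2 | cut -d\  -f1)
# internal netmask
INT_MASK=$(ifconfig "$INT_IF" | grep "Mask:" | cut -d: -f4)

# the gateway ip
GATEWAY=$(route -n | grep "^0.0.0.0" | sed -e "s/ \+/ /g" | cut -d\  -f2)

# the path to the iptables command if needed
# Absolute path, as in firewall.sh, so the script does not depend on PATH.
FW=/sbin/iptables

# set the network address
INT_NET="$INT_IP/$INT_MASK"
EXT_NET="$EXT_IP/$EXT_MASK"
printf '.' #progress marker

#####################################################################
# load modules
modprobe ip_conntrack_irc ports=6666,6667,6668,6669,6670,7000 # DCC sends
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
printf '.' #progress marker

#####################################################################
# flush the NAT tables
$FW -t nat -F
printf '.' #progress marker

#####################################################################
#general forwarding for internal network
# "-o $EXT_IF" keeps the rewrite to traffic that actually leaves through
# the external interface.
$FW -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j SNAT --to-source=$EXT_IP
printf '.' #progress marker

#####################################################################
#####################################################################
#forward special requests to the internal network
#
# Each forward is a single command. The mailer had wrapped the
# "--to-destination" half onto its own line, which leaves the DNAT rule
# without a target address and runs the second half as a separate command.

#ICQ example
#$FW -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 4001:4010 -j DNAT --to-destination 192.168.x.x:4001-4010
#

#EMULE example
#$FW -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 4662 -j DNAT --to-destination 192.168.x.x:4662
#$FW -t nat -A PREROUTING -d $EXT_IP -p udp --dport 4672 -j DNAT --to-destination 192.168.x.x:4672

#SAMBA example
# (139 is the tcp session service, as in firewall.sh's NETBIOS table)
#$FW -t nat -A PREROUTING -d $EXT_IP -p udp --dport 137 -j DNAT --to-destination 192.168.x.x:137
#$FW -t nat -A PREROUTING -d $EXT_IP -p udp --dport 138 -j DNAT --to-destination 192.168.x.x:138
#$FW -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 139 -j DNAT --to-destination 192.168.x.x:139

#MLDonkey Web Interface example
#$FW -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 4080 -j DNAT --to-destination 192.168.x.x:4080

#SSH example
#$FW -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 6922 -j DNAT --to-destination 192.168.x.x:22 # ext_ip:6922 to int_ip:22

#VNC
# NOTE(review): this publishes the VNC display of an internal workstation on
# the external address with no source restriction. Prefer reaching it over
# SSH (see the SSH example above), or add "-s <trusted address>" here.
$FW -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 5900 -j DNAT --to-destination 192.168.1.101:5900 # :0 viewer
#$FW -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 5800 -j DNAT --to-destination 192.168.x.x:5800 # :0 http
#$FW -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 5901 -j DNAT --to-destination 192.168.1.101:5901 # :1 viewer
#$FW -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 5801 -j DNAT --to-destination 192.168.x.x:5801 # :1 http
#$FW -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 5902 -j DNAT --to-destination 192.168.x.x:5902 # :2 viewer
#$FW -t nat -A PREROUTING -d $EXT_IP -p tcp --dport 5802 -j DNAT --to-destination 192.168.x.x:5802 # :2 http

#####################################################################
# turn on ip_forwarding..
# Done last, so the host does not start routing before the nat rules above
# are in place.
echo "1" > /proc/sys/net/ipv4/ip_forward
printf '.' #progress marker

printf '%s\n' "done"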

------------------------------------------------------------
------------------------------------------------------------



THANKS!!!
Valerio

 
 

Attachment: firewall.sh
Description: Binary data

Attachment: masquerade.sh
Description: Binary data

Attachment: ocb_networking.sh
Description: Binary data

