Les Ritchin wrote:
Hello all,
[snip]
Here is the script:

#!/bin/bash
# Flush any existing rules and zero the traffic counters
iptables -F
iptables -Z
iptables -t nat -F
iptables -t nat -Z
# Allow forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
# Disable smurf attack response
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Don't accept source routed packets
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Enable bad error message protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Accept all input on local loopback
iptables -A INPUT -i lo -j ACCEPT
# Filter ADSL traffic - returning traffic is okay, new connections are checked for valid ports, all others are rejected
# If it's an established returning connection, let it through
iptables -A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
Also add for OUTPUT (unless default policy is to accept):

iptables -A OUTPUT -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j DNAT --to 192.168.0.10:80
#iptables -A FORWARD -p tcp -i eth1 -d 192.168.0.10 --dport 80 -j ACCEPT
Uncomment the above.
# Allow ICMP
iptables -A INPUT -i eth1 -p icmp -j ACCEPT
# Allow SSH
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
# Allow HTTP
iptables -A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
# Allow HTTPS
iptables -A INPUT -i eth1 -p tcp --dport 443 -j ACCEPT
# Allow SMTP
iptables -A INPUT -i eth1 -p tcp --dport 25 -j ACCEPT
# Allow POP3
iptables -A INPUT -i eth1 -p tcp --dport 110 -j ACCEPT
# Allow POP3-SSL
iptables -A INPUT -i eth1 -p tcp --dport 995 -j ACCEPT
# Allow Alternate HTTP for APC
iptables -A INPUT -i eth1 -p tcp --dport 8080 -j ACCEPT
# Doesn't match any of the above, reject the packet
iptables -A INPUT -i eth1 -j REJECT
# Allow all staff traffic (defined by all INPUT on ETH0) through if it's a local address
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j ACCEPT
# If it doesn't match the above subnet on the internal network, someone may be doing something nasty, so reject the packet
iptables -A INPUT -i eth0 -j REJECT
# This sets up Network Address Translation
# When the packet is ready to be resent, the IP headers are rewritten
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source 192.168.0.91
iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to-source xxx.xxx.xxx.xxx
Also make sure that the masterswitch isn't configured to only allow traffic from the local network. You can test this by doing an SSH tunnel.

Just in case you don't know how:

ssh -L 8080:192.168.0.10:80 <host>

then go to http://localhost:8080
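An added example for the DNAT rule and the commented-out FORWARD line discussed above (not code from the thread): it emits the complete DNAT/FORWARD pair in dry-run form, with a default-deny FORWARD policy because ip_forward=1 with an empty FORWARD chain (policy ACCEPT unless changed) forwards everything, and includes a small check that flags any DNAT rule with no matching FORWARD ACCEPT rule. Interfaces and addresses are the thread's; the function names and the DRY_RUN switch are assumptions.

```shell
#!/bin/bash
# Added example, not code from the thread: dry-run generator for the DNAT + FORWARD
# pair, plus a checker that flags a DNAT rule without a matching FORWARD ACCEPT rule
# (the state of the quoted script, where the FORWARD line is commented out).
# Interfaces and addresses are the thread's; function names and DRY_RUN are assumptions.

# Print the rule instead of applying it unless DRY_RUN=0.
ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# forward_rules <wan_if> <lan_if> <wan_port> <lan_host> <lan_port>
forward_rules() {
    local wan_if=$1 lan_if=$2 wan_port=$3 lan_host=$4 lan_port=$5
    # Default-deny: with ip_forward=1 and an empty FORWARD chain (policy ACCEPT)
    # the box forwards everything between eth0 and eth1.
    ipt -P FORWARD DROP
    # Replies for flows that were already accepted.
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Rewrite the destination on the way in (the nat rule from the thread).
    ipt -t nat -A PREROUTING -i "$wan_if" -p tcp --dport "$wan_port" \
        -j DNAT --to-destination "$lan_host:$lan_port"
    # FORWARD sees the post-DNAT address and port, so match on those.
    ipt -A FORWARD -i "$wan_if" -o "$lan_if" -p tcp -d "$lan_host" --dport "$lan_port" \
        -m state --state NEW -j ACCEPT
    # LAN hosts may open connections outward through the box.
    ipt -A FORWARD -i "$lan_if" -o "$wan_if" -m state --state NEW -j ACCEPT
}

# check_dnat_forward: rules on stdin; every DNAT target needs an uncommented FORWARD
# ACCEPT rule for the same host and port. Returns 0 if all are covered, 1 otherwise.
check_dnat_forward() {
    local rules target host port status=0
    rules=$(cat)
    for target in $(printf '%s\n' "$rules" | grep -v '^#' \
                    | sed -n 's/.*-j DNAT --to[-a-z]* \([^ ]*\).*/\1/p'); do
        host=${target%:*}; port=${target##*:}
        if ! printf '%s\n' "$rules" | grep -v '^#' | grep -F -- '-A FORWARD' \
                | grep -F -- "-d $host " | grep -F -- "--dport $port " | grep -qF -- '-j ACCEPT'; then
            echo "no FORWARD ACCEPT rule for DNAT target $target" >&2
            status=1
        fi
    done
    return $status
}

# Show the rule set that would be applied for the thread's port-forward.
forward_rules eth1 eth0 8080 192.168.0.10 80
```

Running the generated rules through the checker passes, while the thread's two lines as quoted (FORWARD still commented out) fail it.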