Re: IPTABLES SOS
Hi,
I managed it this way : (Based on the levy.pl script, which generated a
good framework)
This will allow all lan->internet traffic, and only accepts Mail from the
internet, forwarding it to an internal mailserver. This is just an
example, without any guarantee.
I hope it clears out a bit.
Look at the iptables and NAT howto for the 2.4 kernels for info. (By
russel ??). Don't know the links but googling them should be easy.
Good luck
Johan
#!/bin/sh
# firewall.rules
# Global variable section
# Change these when IP#, interfaces etc. are changed
# My IP addresses of this host
INT_IP="CHANGE TO YOUR PUBLIC IP"
LAN_IP="CHANGE TO YOUR PRIVATE IP"
# The networks I'm connected to
INT_NW="0/0"
LAN_NW="PRIVATE LAN NUMBER"   # e.g. 192.168.0.0/24, used by the lan->internet FORWARD rule
# All my network interfaces stuck in me
IF_INT="eth1"
IF_LAN="eth0"
# I will forward to following hosts/services
MAILSERVER="YOUR LAN_IP OF YOUR MAILSERVER"
# The kernel must route between the two interfaces, otherwise the DNAT'd
# mail packets never reach the FORWARD chain at all
echo 1 > /proc/sys/net/ipv4/ip_forward
# chain policies
# set default policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
# flush tables
/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
/sbin/iptables -F -t mangle
/sbin/iptables -X
/sbin/iptables -F -t nat
# create DUMP table: log (except the noisy netbios ports), then reject tcp
# with a reset and silently drop everything else
# (negation is written "! --dport", the old "--dport !" form is deprecated)
/sbin/iptables -N DUMP 2> /dev/null
/sbin/iptables -F DUMP
/sbin/iptables -A DUMP -p tcp ! --dport 137:139 -j LOG --log-prefix "[DUMP-REJECT] "
/sbin/iptables -A DUMP -p udp ! --dport 137:139 -j LOG --log-prefix "[DUMP-DROP] "
/sbin/iptables -A DUMP -p tcp -j REJECT --reject-with tcp-reset
/sbin/iptables -A DUMP -p udp -j DROP
/sbin/iptables -A DUMP -j DROP
# Stateful table: replies to known connections are accepted, NEW connections
# only if they do not arrive on the internet interface, the rest is logged
# and handed to DUMP
/sbin/iptables -N STATEFUL 2> /dev/null
/sbin/iptables -F STATEFUL
/sbin/iptables -I STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A STATEFUL -m state --state NEW ! -i $IF_INT -j ACCEPT
/sbin/iptables -A STATEFUL -j LOG --log-prefix "[STATEFUL-DUMP] "
/sbin/iptables -A STATEFUL -j DUMP
# lan -> internet traffic (uses $LAN_NW instead of a hardcoded 192.168.0.0/24)
/sbin/iptables -A FORWARD -s $LAN_NW -i $IF_LAN -o $IF_INT -j ACCEPT
# loopback rules
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A OUTPUT -o lo -j ACCEPT
# Forwarded ports: the mail connections DNAT'd below still have to pass FORWARD
/sbin/iptables -A FORWARD -p tcp -d $MAILSERVER --dport 25 -i $IF_INT -o $IF_LAN -j ACCEPT
# drop reserved addresses incoming
/sbin/iptables -A INPUT -i $IF_INT -s 127.0.0.0/8 -j DUMP
/sbin/iptables -A INPUT -i $IF_INT -s 192.168.0.0/16 -j DUMP
/sbin/iptables -A INPUT -i $IF_INT -s 172.16.0.0/12 -j DUMP
/sbin/iptables -A INPUT -i $IF_INT -s 10.0.0.0/8 -j DUMP
# allow certain inbound ICMP types
/sbin/iptables -A INPUT -i $IF_INT -p icmp --icmp-type destination-unreachable -j ACCEPT
/sbin/iptables -A INPUT -i $IF_INT -p icmp --icmp-type time-exceeded -j ACCEPT
/sbin/iptables -A INPUT -i $IF_INT -p icmp --icmp-type echo-reply -j ACCEPT
# opened ports
/sbin/iptables -A INPUT -p tcp -i $IF_INT --dport 25 -j ACCEPT
# ensure no netbios leaks
/sbin/iptables -A OUTPUT -p tcp -o $IF_INT --dport 137:139 -j DUMP
/sbin/iptables -A OUTPUT -p udp -o $IF_INT --dport 137:139 -j DUMP
/sbin/iptables -A FORWARD -p tcp -o $IF_INT --dport 137:139 -j DUMP
/sbin/iptables -A FORWARD -p udp -o $IF_INT --dport 137:139 -j DUMP
# Set up NAT for internal network
/sbin/iptables -t nat -A POSTROUTING -o $IF_INT -j MASQUERADE
# Do the forwarding of incoming mail (25)
/sbin/iptables -t nat -A PREROUTING -p tcp -i $IF_INT --dport 25 -j DNAT \
    --to-destination $MAILSERVER:25
# push everything else to state table
/sbin/iptables -A INPUT -j STATEFUL
/sbin/iptables -A OUTPUT -j STATEFUL
/sbin/iptables -A FORWARD -j STATEFUL
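Added here as a separate example, not part of Johan's script or the original mail: a small POSIX shell checker for exactly the setup above (port 25 DNAT'd to an internal mail server). It reads an iptables-save dump and verifies the three rules a port forward needs (the nat PREROUTING DNAT, a FORWARD ACCEPT for the forwarded connection, and an ESTABLISHED,RELATED ACCEPT reachable from FORWARD, directly or via a user chain such as STATEFUL), and separately whether net.ipv4.ip_forward is on. The sample dump, the interface names eth0/eth1 and the address 192.168.1.10 are constructed for the example; the live rules would come from `iptables-save`.

```shell
#!/bin/sh
# check_portforward.sh (added example, not Johan's firewall.rules)
# Offline sanity check of an iptables-save dump for a tcp port forward.

# Print the rule lines (-A ...) of one table from an iptables-save dump.
table_rules() {  # table_rules DUMPFILE TABLE
    awk -v t="*$2" '$0 == t {on=1; next} /^COMMIT/ {on=0} on && /^-A /' "$1"
}

# Does chain CHAIN in TABLE hold a rule containing every given fragment?
# Fragments are matched literally, in any order, so option order in the
# dump does not matter.
has_rule() {  # has_rule DUMPFILE TABLE CHAIN FRAGMENT...
    dump="$1"; table="$2"; chain="$3"; shift 3
    out=$(table_rules "$dump" "$table" | grep -- "^-A $chain ")
    [ -n "$out" ] || return 1
    for frag in "$@"; do
        out=$(printf '%s\n' "$out" | grep -F -- "$frag")
        [ -n "$out" ] || return 1
    done
    return 0
}

# Is an ESTABLISHED,RELATED ACCEPT reachable from FORWARD, either directly
# or in a user chain FORWARD jumps to (one level deep, like STATEFUL)?
# Accepts both "-m state --state" and the newer "-m conntrack --ctstate".
forward_has_stateful() {  # forward_has_stateful DUMPFILE
    chains="FORWARD $(table_rules "$1" filter \
        | awk '$2 == "FORWARD" {for (i = 1; i <= NF; i++) if ($i == "-j") print $(i+1)}')"
    for c in $chains; do
        if table_rules "$1" filter | grep -- "^-A $c " \
            | grep -E -- '--(ct)?state (ESTABLISHED,RELATED|RELATED,ESTABLISHED)' \
            | grep -q -- '-j ACCEPT'; then
            return 0
        fi
    done
    return 1
}

# check_portforward DUMPFILE EXT_IF INT_IF DEST_IP PORT
# Returns 0 when every check passes, 1 otherwise, naming each missing piece.
check_portforward() {
    dump="$1"; ext="$2"; int="$3"; dest="$4"; port="$5"; rc=0
    if ! has_rule "$dump" nat PREROUTING "-i $ext" "-p tcp" "--dport $port" \
            "-j DNAT" "--to-destination $dest"; then
        echo "missing: nat PREROUTING DNAT of $ext tcp/$port to $dest"; rc=1
    fi
    # iptables-save prints a host address as x.x.x.x/32
    if ! has_rule "$dump" filter FORWARD "-i $ext" "-o $int" "-d $dest/32" \
            "--dport $port" "-j ACCEPT"; then
        echo "missing: filter FORWARD ACCEPT for $ext -> $int to $dest tcp/$port"; rc=1
    fi
    if ! forward_has_stateful "$dump"; then
        echo "missing: ESTABLISHED,RELATED ACCEPT reachable from FORWARD (replies would be dropped)"; rc=1
    fi
    return $rc
}

# ip_forward_enabled [FILE]: true if the sysctl (or FILE, for testing) reads 1.
ip_forward_enabled() {
    f="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Constructed iptables-save dump modelled on the ruleset in the mail.
write_sample_dump() {  # write_sample_dump FILE
    cat > "$1" <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 192.168.1.10:25
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:STATEFUL - [0:0]
-A FORWARD -s 192.168.1.0/24 -i eth0 -o eth1 -j ACCEPT
-A FORWARD -d 192.168.1.10/32 -i eth1 -o eth0 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -j STATEFUL
-A STATEFUL -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

main() {
    tmp="${TMPDIR:-/tmp}/pf-check.$$"
    write_sample_dump "$tmp"
    if check_portforward "$tmp" eth1 eth0 192.168.1.10 25; then
        echo "port forward rules look complete"
    fi
    ip_forward_enabled || echo "warning: net.ipv4.ip_forward is 0, DNAT'd packets will not be routed"
    rm -f "$tmp"
}
main "$@"
```

To check a live box, replace the sample with `iptables-save > /tmp/rules` and run `check_portforward /tmp/rules eth1 eth0 <mailserver> 25`; each of the three missing pieces it reports is one of the usual reasons a DNAT "does nothing".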
>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
On 7/2/01, 9:01:44 AM, Craig <craigsc@zdata.co.za> wrote regarding IPTABLES
SOS:
> Goodday ladies and fella's
> I have just installed the new 2.4 kernel on one of my potato boxes and am
> fighting with iptables to forward mail from external ip to internal mail
> server
> ie 1.2.3.4:25 --> 192.168.x.y:25
> Has anyone managed to pull this off, and if so can someone please HELP
> me :)
> Kind regards
> Craig :)