[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: redireccionar ssh a la lan



On Wed, Feb 02, 2005 at 10:02:59AM -0300, velkrox@yahoo.com.ar wrote:
> Date: Wed, 2 Feb 2005 10:02:59 -0300
> From: velkrox@yahoo.com.ar
> Subject: Re: redireccionar ssh a la lan
> To: debian-user-spanish@lists.debian.org
> X-Mailer: Microsoft Outlook Express 6.00.2800.1478
> 
> walter:
> depende de varias cosas, por ej: que el chain forward tenga la default
> policy drop, y no lo estes aceptando. seria bueno que postees las reglas
> (completo, que no falte nada) como para poder ayudarte.
> 
> igualmente, te comento que en mi casa forwardeo con iptables a una de las
> pcs de adentro de la lan, y no tengo ningun problema.
es un choclo ... no me maten


#!/bin/sh

# This is the location of the iptables command
IPTABLES="/sbin/iptables"


case "$1" in
   stop)
      echo "Shutting down firewall..."
      $IPTABLES -F
      $IPTABLES -F -t mangle
      $IPTABLES -F -t nat
      $IPTABLES -X
      $IPTABLES -X -t mangle
      $IPTABLES -X -t nat
      
      $IPTABLES -P INPUT ACCEPT
      $IPTABLES -P OUTPUT ACCEPT
      $IPTABLES -P FORWARD ACCEPT
      echo "...done"
      ;;
   status)
      echo $"Table: filter"
      iptables --list
      echo $"Table: nat"
      iptables -t nat --list
      echo $"Table: mangle"
      iptables -t mangle --list
      ;;
   restart|reload)
      $0 stop
      $0 start
      ;;
   start)
    echo "Starting Firewall..."
    echo ""


##--------------------------Begin Firewall---------------------------------##


#----Default-Interfaces-----#

## Default external interface (used, if EXTIF isn't specified on command line)
DEFAULT_EXTIF="eth0"

## Default internal interface (used, if INTIF isn't specified on command line)
DEFAULT_INTIF="eth1"


#----Special Variables-----#

# IP Mask for all IP addresses
UNIVERSE="0.0.0.0/0"

# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"

# Specification of X Window System (TCP) ports.
XWINPORTS="6000:6063"

#----Flood Variables-----#

# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMIT="5/s"
# Burst Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"

# Overall Limit for Loggging in Logging-Chains
LOGLIMIT="2/s"
# Burst Limit for Logging in Logging-Chains
LOGLIMITBURST="10"

# Overall Limit for Ping-Flood-Detection
PINGLIMIT="5/s"
# Burst Limit for Ping-Flood-Detection
PINGLIMITBURST="10"



#----Automatically determine infos about involved interfaces-----#

### External Interface:

## Get external interface from command-line
## If no interface is specified then set $DEFAULT_EXTIF as EXTIF
if [ "x$2" != "x" ]; then
   EXTIF=$2
else
   EXTIF=$DEFAULT_EXTIF
fi
echo External Interface: $EXTIF
## Interfaz que conecta a internet, en este caso la eth0 conecta
## al modem ADSL - Determine external IP 200.40.171.158
EXTIP="`ifconfig $EXTIF | grep inet | cut -d : -f 2 | cut -d \  -f 1`"
  if [ "$EXTIP" = '' ]; then
     echo "Aborting: Unable to determine the IP-address of $EXTIF !"
     exit 1
  fi
echo External IP: $EXTIP

## Determine external gateway 200.40.171.157
EXTGW=`route -n | grep -A 4 UG | awk '{ print $2}'`
echo Default GW: $EXTGW

echo " --- "

### Internal Interface:

## Get internal interface from command-line
## If no interface is specified then set $DEFAULT_INTIF as INTIF
if [ "x$3" != "x" ]; then
   INTIF=$3
else
   INTIF=$DEFAULT_INTIF
fi
echo Internal Interface: $INTIF

## Interfaz que conecta con la LAN - Determine internal IP 192.168.1.9
INTIP="`ifconfig $INTIF | grep inet | cut -d : -f 2 | cut -d \  -f 1`"
  if [ "$INTIP" = '' ]; then
     echo "Aborting: Unable to determine the IP-address of $INTIF !"
     exit 1
  fi  
echo Internal IP: $INTIP

## Determine internal netmask
INTMASK="`ifconfig $INTIF | grep Mask | cut -d : -f 4`"
echo Internal Netmask: $INTMASK

## Determine network address of the internal network
INTLAN=$INTIP'/'$INTMASK
echo Internal LAN: $INTLAN

echo ""

#----Load IPTABLES-modules-----#


#Insert modules- should be done automatically if needed

#If the IRC-modules are available, uncomment them below

echo "Loading IPTABLES modules"

dmesg -n 1
#Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
#/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
#sbin/modprobe ip_nat_irc ports=$IRCPORTS
dmesg -n 6

echo " --- "

#----Clear/Reset all chains-----#

#Clear all IPTABLES-chains

#Flush everything, start from scratch
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

#Set default policies to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP


#----Set network sysctl options-----#


echo "Setting sysctl options"

#Enable forwarding in kernel - Aviso al kernel que acepte ip_forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

#Disabling IP Spoofing attacks.
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

#Set out local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack


echo " --- "

echo "Creating user-chains"



#----Create logging chains-----#


#Invalid packets (not ESTABLISHED,RELATED or NEW)
#Paquetes no validos (no establecidos, relacionados o nuevos)
	$IPTABLES -N LINVALID
	$IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level DEBUG --log-prefix "fp=INVALID:1 a=DROP "
	$IPTABLES -A LINVALID -j DROP

#TCP-Packets with one ore more bad flags
#Paquetes TCP con una o mas bandera mala
	$IPTABLES -N LBADFLAG
	$IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level DEBUG --log-prefix "fp=BADFLAG:1 a=DROP "
	$IPTABLES -A LBADFLAG -j DROP

#Logging of connection attempts on special ports (Trojan portscans, special services, etc.)
	$IPTABLES -N LSPECIALPORT
	$IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level DEBUG --log-prefix "fp=SPECIALPORT:1 a=DROP "
	$IPTABLES -A LSPECIALPORT -j DROP
	
#Logging of possible TCP-SYN-Floods
	$IPTABLES -N LSYNFLOOD
	$IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level DEBUG --log-prefix "fp=SYNFLOOD:1 a=DROP "
	$IPTABLES -A LSYNFLOOD -j DROP
	
#Logging of possible Ping-Floods
	$IPTABLES -N LPINGFLOOD
	$IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level DEBUG --log-prefix "fp=PINGFLOOD:1 a=DROP "
	$IPTABLES -A LPINGFLOOD -j DROP


#All other dropped packets
	$IPTABLES -N LDROP
	$IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level DEBUG --log-prefix "fp=TCP:1 a=DROP "
	$IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level DEBUG --log-prefix "fp=UDP:2 a=DROP "
	$IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level DEBUG --log-prefix "fp=ICMP:3 a=DROP "
	$IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level DEBUG --log-prefix "fp=FRAGMENT:4 a=DROP "
	$IPTABLES -A LDROP -j DROP

#All other rejected packets
	$IPTABLES -N LREJECT
	$IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level DEBUG --log-prefix "fp=TCP:1 a=REJECT "
	$IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level DEBUG --log-prefix "fp=UDP:2 a=REJECT "
	$IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level DEBUG --log-prefix "fp=ICMP:3 a=REJECT "
	$IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-level DEBUG --log-prefix "fp=FRAGMENT:4 a=REJECT "	
	$IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
	$IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
	$IPTABLES -A LREJECT -j REJECT



#----Create Accept-Chains-----#


#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in
	
	$IPTABLES -N TCPACCEPT
	$IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
	$IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
	$IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT


#----Create special User-Chains-----#


#CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)

	$IPTABLES -N CHECKBADFLAG
	$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
	$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
	$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
	$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
	$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
	$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG



#FILTERING FOR SPECIAL PORTS


	#Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs)

		#SMB-Traffic
		$IPTABLES -N SMB
		
		$IPTABLES -A SMB -p tcp --dport 137 -j DROP
		$IPTABLES -A SMB -p tcp --dport 138 -j DROP
		$IPTABLES -A SMB -p tcp --dport 139 -j DROP
		$IPTABLES -A SMB -p tcp --dport 445 -j DROP
		$IPTABLES -A SMB -p udp --dport 137 -j DROP
		$IPTABLES -A SMB -p udp --dport 138 -j DROP
		$IPTABLES -A SMB -p udp --dport 139 -j DROP
		$IPTABLES -A SMB -p udp --dport 445 -j DROP
  
		$IPTABLES -A SMB -p tcp --sport 137 -j DROP
		$IPTABLES -A SMB -p tcp --sport 138 -j DROP
		$IPTABLES -A SMB -p tcp --sport 139 -j DROP
		$IPTABLES -A SMB -p tcp --sport 445 -j DROP
		$IPTABLES -A SMB -p udp --sport 137 -j DROP
		$IPTABLES -A SMB -p udp --sport 138 -j DROP
		$IPTABLES -A SMB -p udp --sport 139 -j DROP
		$IPTABLES -A SMB -p udp --sport 445 -j DROP


	#Inbound Special Ports
	# SPECIALPORTS 
	
		$IPTABLES -N SPECIALPORTS
		
		#Deepthroat Scan
  		$IPTABLES -A SPECIALPORTS -p tcp --dport 6670 -j LSPECIALPORT
  
  		#Subseven Scan
  		$IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j LSPECIALPORT
                $IPTABLES -A SPECIALPORTS -p udp --dport 1243 -j LSPECIALPORT
                $IPTABLES -A SPECIALPORTS -p tcp --dport 27374 -j LSPECIALPORT
                $IPTABLES -A SPECIALPORTS -p udp --dport 27374 -j LSPECIALPORT
  		$IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 -j LSPECIALPORT  
  
  		#Netbus Scan
  		$IPTABLES -A SPECIALPORTS -p tcp --dport 12345:12346 -j LSPECIALPORT
  		$IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j LSPECIALPORT
  
  		#Back Orifice scan
  		$IPTABLES -A SPECIALPORTS -p udp --dport 31337:31338 -j LSPECIALPORT
  
  		#X-Win
  		$IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS  -j LSPECIALPORT
		
		#Hack'a'Tack 2000
		$IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT
		

#ICMP/TRACEROUTE FILTERING


	#Inbound ICMP/Traceroute
	
		$IPTABLES -N ICMPINBOUND
		
		#Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped
  		$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT
  		#
  		$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD

  		#Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled)
  		$IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LDROP
  
  		#Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled)
  		$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LDROP
  		$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LDROP

  		#Block ICMP-address-mask (can help to prevent OS-fingerprinting)
  		$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LDROP
  		$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LDROP


  		#Allow all other ICMP in
  		$IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT
	
	
	#Outbound ICMP/Traceroute
	
		$IPTABLES -N ICMPOUTBOUND
	
		#Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled)
  		$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LDROP
  
  		#Block ICMP-TTL-Expired
		#MS Traceroute (MS uses ICMP instead of UDp for tracert)
		$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LDROP
  		$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LDROP
  
  		#Block ICMP-Parameter-Problem
  		$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LDROP
  
  		#Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled)
  		$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LDROP
  		$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LDROP

  		#Block ICMP-address-mask (can help to prevent OS-fingerprinting)
  		$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LDROP
  		$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LDROP


  		##Accept all other ICMP going out
  		$IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT
	
#----End User-Chains-----#	

echo " --- "

#----Start Ruleset-----#

echo "Implementing firewall rules..."


#################
## INPUT-Chain ## (everything that is addressed to the firewall itself)
#################


##GENERAL Filtering

  # Kill INVALID packets (not ESTABLISHED, RELATED or NEW)
  # Mato paquetes invalidos (no establecidos,relacionados o nuevos)
  $IPTABLES -A INPUT -m state --state INVALID -j LINVALID
  
  # Check TCP-Packets for Bad Flags 
  $IPTABLES -A INPUT -p tcp -j CHECKBADFLAG

##Packets FROM FIREWALL-BOX ITSELF

  #Local IF Acepto todas la conexiones desde la LAN
  $IPTABLES -A INPUT -i lo -j ACCEPT
  #
  #Kill connections to the local interface from the outside
  #world (--> Should be already catched by kernel/rp_filter)
  # Desde el exterior no se permite acceder al loopback por si acaso
  $IPTABLES -A INPUT -d 127.0.0.0/8 -j LREJECT

##Packets FROM INTERNAL NET

  $IPTABLES -A INPUT -i $INTIF -s $INTLAN -j ACCEPT
  
#Kill anything from outside claiming to be from internal
#network (Address-Spoofing --> Should be already catched by rp_filter)
  $IPTABLES -A INPUT -s $INTLAN -j LREJECT

##Packets FROM EXTERNAL NET

 ##ICMP & Traceroute filtering
  
  #Filter ICMP
  $IPTABLES -A INPUT -i $EXTIF -p icmp -j ICMPINBOUND

  #Block UDP-Traceroute
  $IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP

  # Block Kazza, cerrar conexiones entrantes desde eth1 hacia port
  $IPTABLES -A INPUT -p tcp -i $INTIF --dport 41000:41030 -j LDROP

 ##Silent Drops/Rejects (Things we don't want in our logs)

  #Drop all SMB-Traffic
  $IPTABLES -A INPUT -i $EXTIF -j SMB
  
  #Silently reject Ident (Don't DROP ident, because of possible delays when establishing an outbound connection)
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT --reject-with tcp-reset
  
  # ftp-data
  $IPTABLES -A INPUT -i $EXTIF -p tcp  --dport 20 -j TCPACCEPT
  
  # ftp
  $IPTABLES -A INPUT -i $EXTIF -p tcp  --dport 21 -j TCPACCEPT

  # ssh
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j TCPACCEPT

  # vpn (virtual private network)
  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 1723 -j TCPACCEPT

  #telnet o proxy
  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 8080 -j TCPACCEPT

  # smtp
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -m state --state NEW -j TCPACCEPT

  # DNS
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 53 -j TCPACCEPT
  $IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT

  # http
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j TCPACCEPT

  # https
  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 443 -j TCPACCEPT

  # POP-3

  #$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 110 -m state --state NEW -j TCPACCEPT


 ##Separate logging of special portscans/connection attempts
  
  $IPTABLES -A INPUT -i $EXTIF -j SPECIALPORTS


 ##Allow ESTABLISHED/RELATED connections in
  
  $IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
  $IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
  $IPTABLES -A INPUT -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT


 ##Catch all rule
  $IPTABLES -A INPUT -j LDROP


##################
## Output-Chain ## (everything that comes directly from the Firewall-Box)
##################

##Packets TO FIREWALL-BOX ITSELF

  #Local IF
  $IPTABLES -A OUTPUT -o lo -j ACCEPT
  
##Packets TO INTERNAL NET

  #Allow unlimited traffic to internal network using legit addresses
  $IPTABLES -A OUTPUT -o $INTIF -d $INTLAN -j ACCEPT

##Packets TO EXTERNAL NET

 ##ICMP & Traceroute

  $IPTABLES -A OUTPUT -o $EXTIF -p icmp -j ICMPOUTBOUND
  
 ##Silent Drops/Rejects (Things we don't want in our logs)

  #SMB
  $IPTABLES -A OUTPUT -o $EXTIF -j SMB

  #Ident
  $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 113 -j REJECT --reject-with tcp-reset

 ##Public services running ON FIREWALL-BOX (comment out to activate):

  # ftp-data
  $IPTABLES -A OUTPUT -o $EXTIF -p tcp  --sport 20 -j ACCEPT
  
  # ftp
  $IPTABLES -A OUTPUT -o $EXTIF -p tcp  --sport 21 -j ACCEPT

  # ssh
  $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

  # vpn (virtual private network)
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 1723 -m state --state ESTABLISHED -j ACCEPT

  #telnet o proxy
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 8080 -m state --state ESTABLISHED -j ACCEPT

  # smtp
  $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

  # DNS
  $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 53 -j ACCEPT
  $IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 53 -j ACCEPT

  # http
  $IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

  # https
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

  # POP-3
  #$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT

 ##Accept all tcp/udp traffic on unprivileged ports going out

  $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p tcp --sport $UNPRIVPORTS -j ACCEPT
  $IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p udp --sport $UNPRIVPORTS -j ACCEPT

##Catch all rule

$IPTABLES -A OUTPUT -j LDROP

####################
## FORWARD-Chain  ## (everything that passes the firewall)
####################


##GENERAL Filtering

  #Kill invalid packets (not ESTABLISHED, RELATED or NEW)
  $IPTABLES -A FORWARD -m state --state INVALID -j LINVALID
 
  # Check TCP-Packets for Bad Flags 
  $IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG


##Filtering FROM INTERNAL NET
  
  ##Silent Drops/Rejects (Things we don't want in our logs)

   #SMB
   $IPTABLES -A FORWARD -o $EXTIF -j SMB
  
  ##Special Drops/Rejects
   # - To be done -
  
  
  ##Filter for some Trojans communicating to outside
   # - To be done -
  
  ##Port-Forwarding from Ports < 1024 [outbound] (--> Also see chain PREROUTING)

   #$IPTABLES -A FORWARD -o $EXTIF -s $HTTPIP -p tcp --sport 80 -j ACCEPT

  ##Allow all other forwarding (from Ports > 1024) from Internal Net to External Net
  $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p tcp --sport $UNPRIVPORTS -j ACCEPT
  $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p udp --sport $UNPRIVPORTS -j ACCEPT
  $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p icmp -j ACCEPT


##Filtering FROM EXTERNAL NET
 
  ##Silent Drops/Rejects (Things we don't want in our logs)
  
   #SMB
   $IPTABLES -A FORWARD -i $EXTIF -j SMB
  
  ##Allow replies coming in
  $IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
  $IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
  $IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT
  $IPTABLES -A FORWARD -i $EXTIF -p icmp -m state --state RELATED -j ACCEPT

##Port-Forwarding [inbound] (--> Also see chain PREROUTING)


##Catch all rule/Deny every other forwarding

$IPTABLES -A FORWARD -j LDROP

################
## PREROUTING ##
################

##Port-Forwarding (--> Also see chain FORWARD)

  ##EXTIF = eth0 EXTIP = 200.40.171.158
  ##INTIF = eth1 INTIP = 192.168.1.9
# Para el puerto 8080
# -----------------
#$IPTABLES -A FORWARD -j ACCEPT -p tcp --dport 8080
#$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp -d 200.40.171.158 --dport 8080 -j DNAT --to $HTTPIP:80

# -----------------
$IPTABLES -A FORWARD -j ACCEPT -p tcp --dport 22
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 22 -j DNAT --to 192.168.1.8:22

# Redirecciono al puerto 3128 todos los paquetes que entran por eth1 y con
# destino puerto 80 (proxy transparente)
$IPTABLES -A FORWARD -p tcp -s 192.168.1.0/24 -d ! 192.168.1.9 --dport 3128 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INTIF -p tcp --dport 80 -j REDIRECT --to-port 3128
###################
##  POSTROUTING  ##
###################

#$IPTABLES -t nat -A POSTROUTING -o $EXTIP -p tcp -j SNAT --to 192.168.1.9


# Masquerade from Internal Net to External Net (real)
 $IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
echo "...done NO MASQ"


> 
> saludos, velkro.
> 
> ----- Original Message ----- 
> From: "Walter G Osoria" <wosoria@adinet.com.uy>
> To: <debian-user-spanish@lists.debian.org>
> Sent: Wednesday, February 02, 2005 09:38
> Subject: redireccionar ssh a la lan
> 
> saludos a todos, quiero redireccionar desde el exterior a un pc
> de la lan, tengo la siguientes reglas de iptables
> 
> $IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 22 -m state
> --state NEW -j DNAT --to $PCLAN:22
> 
> $IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j
> ACCEPT -p tcp --dport 22
> 
> pero no me funciona, puede ser que al conectarme de la misma lan me
> esté dejando en el servidor y no me redireccione al pc que quiero ?
> 
> $IPTABLES -t nat -A POSTROUTING -s $LAN/24 -o $EXTIF -j MASQUERADE
> 
> o sino que este enmascarando la red mal ? un abrazo y gracias
> 
> 
> 
> 
> -- 
> To UNSUBSCRIBE, email to debian-user-spanish-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

-- 
______________________________________________
  Walter Osoria - Debian GNU/Linux 3.0
    wosoria@adinet.com.uy - LIcq 2277064
       Linux registered user #124360
--------------------------------------------
GnuPG Public Key: http://www.keyserver.net
FingerPrint = 2D31 FE71 D7A7 20E7 D1EB  5593 CFE2 2D72 FFAC 33FA
----------------------------------------------------------------



Reply to: