iptables script
Hi all,
I'm trying to forward port ssh (22) to another computer
on my intranet
The network topology is simple: 192.168.0.12, is connected
on eth0 to dhcp, and eth1 acts as a NAT to the intranet
consisting of 9 computers.
Here's the firewall script (iptables) I use:
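#!/bin/sh
#########################################
# Script created using EasyTables v0.8.4-3
# by Roi Dayan
#########################################
# Packet-filter and NAT setup for a two-interface gateway: $IF (eth0)
# faces the upstream network, eth1 faces the internal LAN. iptables walks
# each chain top to bottom and the first matching rule decides the fate of
# a packet, so the rule order below is significant and is kept as written.
#printf "."
IPC=/usr/local/sbin/iptables
IF=eth0
# Without the iptables binary the script would still switch ip_forward on
# further down with no filtering in place; stop early instead.
[ -x "$IPC" ] || { echo "$IPC: not found or not executable" >&2; exit 1; }
#IP=$(/sbin/ifconfig "$IF" | grep inet | cut -d : -f 2 | cut -d ' ' -f 1)
#MASK=$(/sbin/ifconfig "$IF" | grep Mas | cut -d : -f 4)
#NET=$IP/$MASK
#printf "."
#Delete user made chains. Flush and zero the chains.
#The mangle table is flushed as well: TOS rules are appended to it further
#down, and without a flush every run of this script adds another copy.
$IPC -F
$IPC -X
$IPC -Z
$IPC -t nat -F
$IPC -t nat -X
$IPC -t nat -Z
$IPC -t mangle -F
$IPC -t mangle -X
$IPC -t mangle -Z
#Creating custom chains. The L* chains log (per protocol, fragments at a
#higher log level) before taking the terminating action; TREJECT answers
#with a TCP reset or ICMP port-unreachable instead of dropping silently.
#Note: "-p ! tcp" is the old intrapositioned negation; newer iptables
#releases warn about it and prefer "! -p tcp".
$IPC -N LDROP
$IPC -A LDROP -p tcp -j LOG --log-level debug --log-prefix "DROP "
$IPC -A LDROP -p udp -j LOG --log-level debug --log-prefix "DROP "
$IPC -A LDROP -p icmp -j LOG --log-level debug --log-prefix "DROP "
$IPC -A LDROP -f -j LOG --log-level warning --log-prefix "DROP "
$IPC -A LDROP -j DROP
$IPC -N LREJECT
$IPC -A LREJECT -p tcp -j LOG --log-level debug --log-prefix "REJECT "
$IPC -A LREJECT -p udp -j LOG --log-level debug --log-prefix "REJECT "
$IPC -A LREJECT -p icmp -j LOG --log-level debug --log-prefix "REJECT "
$IPC -A LREJECT -f -j LOG --log-level warning --log-prefix "REJECT "
$IPC -A LREJECT -j REJECT
$IPC -N LACCEPT
$IPC -A LACCEPT -p tcp -j LOG --log-level debug --log-prefix "ACCEPT "
$IPC -A LACCEPT -p udp -j LOG --log-level debug --log-prefix "ACCEPT "
$IPC -A LACCEPT -p icmp -j LOG --log-level debug --log-prefix "ACCEPT "
$IPC -A LACCEPT -f -j LOG --log-level warning --log-prefix "ACCEPT "
$IPC -A LACCEPT -j ACCEPT
$IPC -N TREJECT
$IPC -A TREJECT -p tcp -j REJECT --reject-with tcp-reset
$IPC -A TREJECT -p ! tcp -j REJECT --reject-with icmp-port-unreachable
$IPC -A TREJECT -j REJECT
#LTREJECT = log, then TREJECT. The original chain rejected first (REJECT
#is terminating), so its LOG rules were never reached; logging now comes
#before the rejects.
$IPC -N LTREJECT
$IPC -A LTREJECT -p tcp -j LOG --log-level debug --log-prefix "REJECT "
$IPC -A LTREJECT -p udp -j LOG --log-level debug --log-prefix "REJECT "
$IPC -A LTREJECT -p icmp -j LOG --log-level debug --log-prefix "REJECT "
$IPC -A LTREJECT -f -j LOG --log-level warning --log-prefix "REJECT "
$IPC -A LTREJECT -p tcp -j REJECT --reject-with tcp-reset
$IPC -A LTREJECT -p ! tcp -j REJECT --reject-with icmp-port-unreachable
$IPC -A LTREJECT -j REJECT
#printf "."
#Modules to help certain services
#/sbin/depmod -a >/dev/null 2>&1
#/sbin/modprobe ip_masq_ftp >/dev/null 2>&1
#/sbin/modprobe ip_masq_raudio >/dev/null 2>&1
#/sbin/modprobe ip_masq_irc >/dev/null 2>&1
#/sbin/modprobe ip_masq_icq >/dev/null 2>&1
#/sbin/modprobe ip_masq_quake >/dev/null 2>&1
#/sbin/modprobe ip_masq_user >/dev/null 2>&1
#/sbin/modprobe ip_masq_vdolive >/dev/null 2>&1
#printf "."
#Allow all traffic on the loopback interface (lo); drop loopback source
#addresses that arrive on any other interface.
$IPC -I INPUT -i lo -j ACCEPT
$IPC -I OUTPUT -o lo -j ACCEPT
$IPC -I INPUT -i ! lo -s 127.0.0.0/255.0.0.0 -j DROP
#printf "."
#Allow connections with the ack bit set.
#(They are from an established connections)
#NOTE: this accepts every non-SYN TCP segment arriving on $IF without
#consulting connection tracking, ahead of the ESTABLISHED/RELATED rules
#further down that already admit legitimate replies. Unsolicited ACK/FIN
#segments therefore reach local sockets; consider removing this rule.
$IPC -A INPUT -p tcp ! --syn -i "$IF" -j ACCEPT
#printf "."
#Turn on source address verification in kernel
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > "$f"
  done
fi
#printf "."
#Turn on syn cookies protection in kernel
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
fi
#printf "."
#Set up kernel to handle dynamic IP masquerading
if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
  echo 1 > /proc/sys/net/ipv4/ip_dynaddr
fi
#printf "."
#to enable ip MASQUERADE and automatic defragmention (for masquerading)
echo 1 > /proc/sys/net/ipv4/ip_forward
#echo 1 > /proc/sys/net/ipv4/ip_always_defrag
#printf "."
#timeouts
#$IPC -M -S 14400 60 600
#printf "."
#Block nonroutable IPs
#NOTE: $IF itself carries a 192.168.0.x address in this setup, so the
#192.168.0.0/16 rule also drops new inbound connections from that upstream
#LAN to this host. Keep it only if that is intended.
$IPC -A INPUT -j DROP -s 10.0.0.0/8 -i "$IF"
$IPC -A INPUT -j DROP -s 127.0.0.0/8 -i "$IF"
$IPC -A INPUT -j DROP -s 172.16.0.0/12 -i "$IF"
$IPC -A INPUT -j DROP -s 192.168.0.0/16 -i "$IF"
#printf "."
#Block Back Orifice
$IPC -A INPUT -p tcp -i "$IF" --dport 31337 -j LDROP
$IPC -A INPUT -p udp -i "$IF" --dport 31337 -j LDROP
#Block NetBus
$IPC -A INPUT -p tcp -i "$IF" --dport 12345:12346 -j LDROP
$IPC -A INPUT -p udp -i "$IF" --dport 12345:12346 -j LDROP
#Block Trin00
$IPC -A INPUT -p tcp -i "$IF" --dport 1524 -j LDROP
$IPC -A INPUT -p tcp -i "$IF" --dport 27665 -j LDROP
$IPC -A INPUT -p udp -i "$IF" --dport 27444 -j LDROP
$IPC -A INPUT -p udp -i "$IF" --dport 31335 -j LDROP
#printf "."
#Block Multicast
$IPC -A INPUT -s 224.0.0.0/8 -d 0/0 -j DROP
$IPC -A INPUT -s 0/0 -d 224.0.0.0/8 -j DROP
#printf "."
#PortsRules
#FTP(21)
$IPC -A INPUT -p tcp -i "$IF" --dport 21 -j LACCEPT
#SSH
$IPC -A INPUT -p tcp -i "$IF" --dport 22 -j LACCEPT
#Telnet (cleartext credentials; remove this rule if ssh is sufficient)
$IPC -A INPUT -p tcp -i "$IF" --dport 23 -j LACCEPT
#SMTP
$IPC -A INPUT -p tcp -i "$IF" --dport 25 -j LACCEPT
#WWW (the original listed this rule twice, once with a redundant "-s 0/0";
#the second copy could never match)
$IPC -A INPUT -p tcp -i "$IF" --dport 80 -j LACCEPT
#Rejecting (not denying) ident requests.
$IPC -A INPUT -p tcp -i "$IF" --dport 113 -j TREJECT
$IPC -A INPUT -p udp -i "$IF" --dport 113 -j TREJECT
#Blocking access to the X Server ports.
$IPC -A INPUT -p tcp -i "$IF" --dport 5999:6003 -j LDROP
$IPC -A INPUT -p udp -i "$IF" --dport 5999:6003 -j LDROP
$IPC -A INPUT -p tcp -i "$IF" --dport 7100 -j LDROP
#printf "."
#Settings for internal interfaces (LAN) - Internet Connection Share.
#Both FORWARD directions are accepted with no state or address check. A
#stateful inbound rule (-m state --state ESTABLISHED,RELATED) would be
#tighter; it is left to the administrator because the port-forward at the
#end relies on this blanket rule.
$IPC -A FORWARD -i "$IF" -j ACCEPT
$IPC -A FORWARD -o "$IF" -j ACCEPT
$IPC -t nat -A POSTROUTING -o "$IF" -j MASQUERADE
#printf "."
#printf "."
#Settings for internal interfaces (LAN).
#Address and mask are parsed from the "inet addr:...  Mask:..." layout of
#old net-tools ifconfig; newer versions print a different layout and these
#variables come back empty, hence the guard before the anti-spoof rule.
InternalIP=$(/sbin/ifconfig eth1 | grep inet | cut -d : -f 2 | cut -d ' ' -f 1)
InternalMASK=$(/sbin/ifconfig eth1 | grep Mas | cut -d : -f 4)
InternalNET="$InternalIP/$InternalMASK"
$IPC -A INPUT -i eth1 -j ACCEPT
$IPC -A OUTPUT -o eth1 -j ACCEPT
#Anti-spoofing: drop packets with an internal source address that did not
#arrive on the internal interface.
if [ -n "$InternalIP" ] && [ -n "$InternalMASK" ]; then
  $IPC -A INPUT -i ! eth1 -s "$InternalNET" -j DROP
else
  echo "warning: could not read eth1 address/mask; internal anti-spoof rule not installed" >&2
fi
#printf "."
#printf "."
### Custom rules should be added here ###
#########################################
#printf "."
#Set telnet, www, smtp, pop3 and FTP for minimum delay
#(old ipchains-style lines kept for reference only)
#$IPC -A OUTPUT -p tcp -d 0/0 80 -t 0x01 0x10
#$IPC -A OUTPUT -p tcp -d 0/0 22 -t 0x01 0x10
#$IPC -A OUTPUT -p tcp -d 0/0 23 -t 0x01 0x10
#$IPC -A OUTPUT -p tcp -d 0/0 21 -t 0x01 0x10
#$IPC -A OUTPUT -p tcp -d 0/0 110 -t 0x01 0x10
#$IPC -A OUTPUT -p tcp -d 0/0 25 -t 0x01 0x10
$IPC -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos Minimize-Delay
$IPC -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
$IPC -t mangle -A OUTPUT -p tcp --dport 23 -j TOS --set-tos Minimize-Delay
$IPC -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos Minimize-Delay
$IPC -t mangle -A OUTPUT -p tcp --dport 110 -j TOS --set-tos Minimize-Delay
$IPC -t mangle -A OUTPUT -p tcp --dport 25 -j TOS --set-tos Minimize-Delay
#printf "."
#Set ftp-data for maximum throughput
#$IPC -A OUTPUT -p tcp -d 0/0 20 -t 0x01 0x08
$IPC -t mangle -A OUTPUT -p tcp --dport 20 -j TOS --set-tos Maximize-Throughput
#printf "."
#Allow ICMP
$IPC -A INPUT -p icmp -i "$IF" -j ACCEPT
$IPC -A OUTPUT -p icmp -o "$IF" -j ACCEPT
#printf "."
#Open ports for established connections
$IPC -A INPUT -m state --state ESTABLISHED -j ACCEPT
$IPC -A INPUT -m state --state RELATED -j ACCEPT
#NOTE: the next two rules admit new connections from anyone on $IF to
#every TCP and UDP port from 1023 up; the two state rules above already
#cover replies, so this exposes any service listening on a high port.
#Review whether they are still needed.
$IPC -A INPUT -p tcp -i "$IF" --dport 1023:65535 -j ACCEPT
$IPC -A INPUT -p udp -i "$IF" --dport 1023:65535 -j ACCEPT
#printf "."
#Set the default policy of the FORWARD chain to DROP
$IPC -P FORWARD DROP
#printf "."
#DROP everything else arriving on $IF. The INPUT policy itself is never
#set here (kernel default ACCEPT); lo and eth1 were accepted explicitly
#above, so only $IF is covered by this catch-all.
$IPC -P OUTPUT ACCEPT
$IPC -A INPUT -i "$IF" -j LDROP
#printf "."
###################### Port-Forwarding ################################
#Forwarding TCP/22 from eth0 to an internal host is a DNAT in the nat
#table's PREROUTING chain. PREROUTING runs before the routing decision and
#so has no output interface: the "-o eth1" in the original rule is refused
#by iptables, which is why the forward never took effect. The FORWARD rule
#is redundant while the blanket "FORWARD -i $IF -j ACCEPT" above remains.
#Once enabled, port 22 on eth0 belongs to the internal host: the INPUT
#rule for 22 above no longer reaches this machine's own sshd, so use a
#different external port (e.g. --dport 2222) if both are needed. Also
#confirm 192.168.0.8 is reached via eth1 and not via eth0's own
#192.168.0.x network, otherwise the DNATed packet is routed back out eth0.
# $IPC -t nat -A PREROUTING -p tcp -i eth0 --dport 22 -j DNAT --to-destination 192.168.0.8:22
# $IPC -A FORWARD -i eth0 -o eth1 -p tcp -d 192.168.0.8 --dport 22 -j ACCEPT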
The last two lines of this script are commented out; the port-forward didn't work.
I'm running Debian 2.2r4 (potato) on both machines, but I have apt-get'ed
all the necessary packages so I could use iptables and kernel 2.4.
Any help, would be greatly appreciated
...there is no place like ~
---------------------------
Américo Rocha
astartoth@linuxkafe.net