
Re: Simple iptables rule to punch a hole in the firewall.



hanasaki wrote:

Could someone help me out with a set of rules to NAT or MASQ port 500 on TCP and on UDP from the internal to the external network? Only connections originated on the internal network should be allowed.

I have iptables v1.2.4.

Thanks,

Here is what I used when I needed masquerading; you will need to change it a bit to suit your needs (external interface name, LAN host address, the inbound holes). Note that it has no rule specific to port 500: IKE (UDP/TCP 500) originated by the inside host is covered by the generic "accept NEW from the LAN" rule plus the MASQUERADE rule, but IPsec ESP (IP protocol 50, neither TCP nor UDP) will not pass through this NAT without NAT-Traversal.
Feel free.

David

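#!/bin/sh
#
# Setup iptables: a stateful packet filter on the dial-up (PPP) link plus
# masquerading for one LAN host.
#
# Usage: /etc/init.d/iptables {start|stop}
#
# Everything runs through one user chain, "block", which INPUT and FORWARD
# both jump to:
#   1. forged loopback/LAN source addresses arriving on $EXT_IF are dropped;
#   2. new TCP connections (pure SYN) from $EXT_IF are rate-limited via the
#      "synflood" chain;
#   3. packets of known connections (ESTABLISHED,RELATED) are accepted;
#   4. new connections are accepted if they do NOT arrive on $EXT_IF, i.e.
#      they come from the LAN or loopback (this also covers the local
#      resolver's DNS queries, so no per-host exceptions are needed);
#   5. a short, explicit list of inbound holes on $EXT_IF is accepted;
#   6. everything else goes to "dlog": telnet probes are logged, then DROP.
# No chain policy (-P) is changed; the filter relies on the final DROP in
# dlog.  Written for iptables 1.2.4 / 2.4 kernels, hence the old
# "-i ! ppp0" negation syntax.

IPT=/sbin/iptables

# Interface facing the Internet.
EXT_IF=ppp0
# The single LAN host that is masqueraded behind $EXT_IF.
LAN_HOST=192.168.1.2
# Network $LAN_HOST lives on; used only for anti-spoofing on $EXT_IF.
# Adjust if the LAN is not a /24 around $LAN_HOST.
LAN_NET=192.168.1.0/24
# Remote host allowed to open IMAP (tcp/143, cleartext) to this machine.
IMAP_PEER=155.245.123.31
# Token-bucket limit for inbound SYNs on $EXT_IF: average rate and burst.
SYN_RATE=1/sec
SYN_BURST=4

test -f "$IPT" || exit 0

# Write $2 into /proc/sys/net/ipv4/$1.  Returns 1 (after a warning on
# stderr) when this kernel does not expose that knob.
set_ipv4_sysctl() {
        if [ -w "/proc/sys/net/ipv4/$1" ]; then
                echo "$2" > "/proc/sys/net/ipv4/$1"
        else
                echo "warning: /proc/sys/net/ipv4/$1 not available, skipped" >&2
                return 1
        fi
}

# Remove every rule and user chain this script installs, in the filter and
# nat tables.  Errors for user chains that do not exist yet (first start)
# are hidden on purpose.
flush_rules() {
        for chain in INPUT OUTPUT FORWARD; do
                "$IPT" -F "$chain"
        done
        "$IPT" -t nat -F POSTROUTING
        for chain in block dlog synflood; do
                "$IPT" -F "$chain" 2>/dev/null
                "$IPT" -X "$chain" 2>/dev/null
        done
}

# Build the filter and NAT rules described in the header comment.
start_filter() {
        echo "Setting up iptables"
        # Start from a clean slate so a repeated "start" neither fails on
        # "-N" (chain already exists) nor stacks duplicate rules.
        flush_rules

        set_ipv4_sysctl ip_forward 1 && echo " IP Forwarding Enabled"
        set_ipv4_sysctl ip_dynaddr 1 && echo "Dynamic Address Hacking Enabled"
        # SYN cookies defend listening sockets against SYN floods without
        # discarding legitimate SYNs; the synflood chain's rate limit, by
        # contrast, can be tripped by an attacker to shut everyone out.
        set_ipv4_sysctl tcp_syncookies 1 && echo "SYN Cookies Enabled"

## Insert connection-tracking modules (not needed if built into kernel).
        #/sbin/modprobe ip_tables
        #/sbin/modprobe ip_conntrack
        #/sbin/modprobe ip_conntrack_ftp
        #/sbin/modprobe iptable_nat

        "$IPT" -N block
        "$IPT" -N dlog
        "$IPT" -N synflood

## block: anti-spoofing first.  The ACCEPT rules further down trust
## loopback and LAN addresses, so such sources must never be honoured
## when they arrive over the external link.
        "$IPT" -A block -i "$EXT_IF" -s 127.0.0.0/8 -j DROP
        "$IPT" -A block -i "$EXT_IF" -s "$LAN_NET" -j DROP
## Rate-limit connection attempts (pure SYN) from outside only.  A limit
## on all SYNs would throttle every outbound LAN connection as well,
## because FORWARD traffic passes through this chain too.
        "$IPT" -A block -i "$EXT_IF" -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j synflood
## Packets of connections we already know, in either direction, and
## anything related to them (ICMP errors, ftp data with ip_conntrack_ftp).
        "$IPT" -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
## Anything new from the inside (LAN, loopback) is trusted wholesale.
        "$IPT" -A block -m state --state NEW -i ! "$EXT_IF" -j ACCEPT
## Inbound holes on the external link.  ICMP errors for existing flows
## are already RELATED above; ping is the only new ICMP answered.
        "$IPT" -A block -p icmp --icmp-type echo-request -j ACCEPT
## Cleartext IMAP from one named peer only.
        "$IPT" -A block -p tcp -s "$IMAP_PEER" --destination-port 143 -j ACCEPT
## ident (tcp/113) from anywhere, so remote IRC/SMTP servers get a prompt
## answer instead of a timeout.  Remove this if no identd runs here.
        "$IPT" -A block -p tcp --destination-port auth -j ACCEPT
        "$IPT" -A block -j dlog

## dlog: log telnet probes (rate-limited so a scan cannot flood syslog),
## then drop whatever reached this chain.
        "$IPT" -A dlog -p tcp --destination-port telnet -m limit --limit 1/sec --limit-burst 5 -j LOG --log-level notice --log-prefix "fw telnet: "
        "$IPT" -A dlog -j DROP

## synflood: let SYNs through at $SYN_RATE with a burst of $SYN_BURST,
## drop the excess.
        "$IPT" -A synflood -m limit --limit "$SYN_RATE" --limit-burst "$SYN_BURST" -j RETURN
        "$IPT" -A synflood -j DROP

## Hook the policy chain into INPUT and FORWARD.
        "$IPT" -A INPUT -j block
        "$IPT" -A FORWARD -j block

## Masquerade the LAN host behind whatever address $EXT_IF currently has.
        "$IPT" -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_HOST" -j MASQUERADE
        echo "SNAT (MASQ) Enabled on $EXT_IF Interface"
}

# Tear the rules down and stop routing, so that "stop" does not leave the
# box forwarding between the LAN and the link with no filtering at all.
stop_filter() {
        echo "Stopping IP Filtering..."
        flush_rules
        set_ipv4_sysctl ip_forward 0 && echo " IP Forwarding Disabled"
        echo "Done."
}

case "$1" in
  start)
        start_filter
        ;;
  stop)
        stop_filter
        ;;
  *)
        echo "Usage: /etc/init.d/iptables {start|stop}"
        exit 1
esac

exit 0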
