* problems with NAT script
@ 2003-05-16 16:44 Michael
From: Michael @ 2003-05-16 16:44 UTC
To: netfilter
I'm trying to write a script to handle NAT and firewalling.
I have a small LAN (192.168.0.x); on the gateway I'm running Debian 3.0 with 2.4.20.
eth0 = cable modem
eth1 = internal NIC to switch
My cable connection uses DHCP, no static IP.
I've made my ad hoc script using pieces of code I've found around the place.
When I execute my script I still have complete net access on the GW, but all my clients do not have external access; I can ping to/from the clients/gateway.
It just doesn't seem to be doing the NAT. I read the manual regarding NAT; as I'm using a dynamic IP I thought that all I'd need to use is the MASQUERADE command.
I wasn't sure how attachments are handled in the list, so I just pasted the script below.
Can anyone offer any suggestions?
thanks
Michael
#!/bin/sh
###################################################################################
# IPTABLES Firewall script
# written by ts
# Modified By Sethan0n 13/05/03
###################################################################################
IPTABLES="/sbin/iptables"
# Flush old rules in the filter table (and in the nat table, so re-running the
# script does not stack a second MASQUERADE rule) and delete user-defined chains
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -X
# Set default policies. Note: INPUT and OUTPUT are set to ACCEPT here, not DROP;
# no policy is set for FORWARD, which therefore keeps whatever the kernel had
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
LOOP_IF="lo"
LOOP_IF="lo"
###########################################################################
#----Set network sysctl options-----#
echo "--Setting sysctl options--"
echo "Disabling IP Spoofing attacks"
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
echo "Disabling respond to broadcast pings"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "Blocking source routing"
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "Kill timestamps"
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo "Enable SYN Cookies"
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "Kill redirects"
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "Enabling bad error message protection"
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "Logging martians (packets with impossible addresses)"
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo "Reducing DoS'ing ability by reducing timeouts"
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo "Done..."
#########################################################################
echo "--Setting up standard rules--"
echo "Enabling SYN-FLOODING PROTECTION"
$IPTABLES -N syn-flood
$IPTABLES -A INPUT -p tcp --syn -j syn-flood
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood -j DROP
echo "Making sure NEW tcp connections are SYN packets"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
echo "Logging fragments caught"
$IPTABLES -N fragments
$IPTABLES -A INPUT -f -j fragments
$IPTABLES -A fragments -j LOG --log-prefix "IPTABLES FRAGMENTS:"
$IPTABLES -A fragments -j DROP
echo "Refusing spoofed packets pretending to be from your IP address"
# NET_IPADDR is never set in this script, so this rule stays commented out
#$IPTABLES -A INPUT -s $NET_IPADDR -j DROP
echo "Done..."
##########################################################################
echo "--Setting up user defined chains--"
# NAT: masquerade traffic leaving eth0 (nat table, POSTROUTING chain)
$IPTABLES -A POSTROUTING -t nat -o eth0 -j MASQUERADE
# INPUT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# blanket allow from home network
$IPTABLES -A INPUT -i eth1 -j ACCEPT
# allow SSH and FTP
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT
# allow VNC
$IPTABLES -A INPUT -p tcp --dport 5800 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 5801 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 5802 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 5803 -j ACCEPT
# allow specific icmp types
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
echo "Allow unlimited traffic on the loopback interface"
$IPTABLES -A INPUT -i lo -j ACCEPT
echo "Allow ftp"
$IPTABLES -A INPUT -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
echo "Active ftp"
$IPTABLES -A INPUT -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "Passive ftp"
$IPTABLES -A INPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
echo "Allow DNS(53/tcp&udp)"
$IPTABLES -A INPUT -p tcp --sport 53 -j ACCEPT
$IPTABLES -A INPUT -p udp --sport 53 -j ACCEPT
echo "Allow SFTP(115/tcp)to the internet"
$IPTABLES -A INPUT -p tcp --sport 115 -j ACCEPT
echo "Allow IMAP2"
$IPTABLES -A INPUT -p tcp --sport 143 -j ACCEPT
echo "Allow HTTP(80)(tcp&udp)to the internet"
$IPTABLES -A INPUT -p tcp --sport 80 -j ACCEPT
echo "Allow https"
$IPTABLES -A INPUT -p tcp --sport 443 -j ACCEPT
echo "Rejecting all connections to 137:139"
$IPTABLES -N NETBIOS
$IPTABLES -A INPUT -p udp --sport 137:139 -j NETBIOS
$IPTABLES -A NETBIOS -j LOG --log-prefix "IPTABLES NETBIOS: "
$IPTABLES -A NETBIOS -j DROP
echo "Allowing SMTP"
$IPTABLES -A INPUT -p tcp --sport 25 -j ACCEPT
echo "Allowing POP3"
$IPTABLES -A INPUT -p tcp --sport 110 -j ACCEPT
echo "Allowing Ident"
$IPTABLES -A INPUT -p tcp --sport 113 -j ACCEPT
# log and drop final packets
#$IPTABLES -A INPUT -j LOG
#$IPTABLES -A INPUT -j DROP
#OUTPUT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "Allow unlimited traffic on the loopback interface"
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# allow outbound SSH
$IPTABLES -A OUTPUT -p tcp --dport 22 -j ACCEPT
echo "Allow ftp"
$IPTABLES -A OUTPUT -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
echo "Active ftp"
$IPTABLES -A OUTPUT -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
echo "Passive ftp"
$IPTABLES -A OUTPUT -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "Allow VNC"
$IPTABLES -A OUTPUT -p tcp --sport 5800 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 5801 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 5802 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --sport 5803 -j ACCEPT
echo "Allow icmp"
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type parameter-problem -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type time-exceeded -j ACCEPT
echo "Allow DNS(53/tcp&udp)"
$IPTABLES -A OUTPUT -p tcp --dport 53 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -j ACCEPT
echo "Allow SFTP(115/tcp)to the internet"
$IPTABLES -A OUTPUT -p tcp --dport 115 -j ACCEPT
echo "Allow IMAP2"
$IPTABLES -A OUTPUT -p tcp --dport 143 -j ACCEPT
echo "Allow HTTP(80)(tcp&udp)to the internet"
$IPTABLES -A OUTPUT -p tcp --dport 80 -j ACCEPT
echo "Allow https"
$IPTABLES -A OUTPUT -p tcp --dport 443 -j ACCEPT
echo "Allowing SMTP"
$IPTABLES -A OUTPUT -p tcp --dport 25 -j ACCEPT
echo "Allowing POP3"
$IPTABLES -A OUTPUT -p tcp --dport 110 -j ACCEPT
echo "Allowing Ident"
$IPTABLES -A OUTPUT -p tcp --dport 113 -j ACCEPT
# log and drop final packets
$IPTABLES -A OUTPUT -j LOG
$IPTABLES -A OUTPUT -j DROP
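The posted script adds the MASQUERADE rule but never enables IP forwarding and never sets a FORWARD policy or rule, and a Linux gateway needs all three before LAN clients can reach the outside. The following diagnostic is an added example (mine, not code from the post or the netfilter project) that checks those prerequisites against a sysctl file and an iptables-save dump; the function names, and the eth1/eth0 interface assignment used by `--live`, are assumptions taken from the post.

```sh
#!/bin/sh
# Added diagnostic for the gateway described in the post above; this is my
# example, not code from the post. The posted script never enables IP
# forwarding and never sets a FORWARD policy or rule, so these checks cover the
# three things a MASQUERADE gateway needs. Rulesets are passed as iptables-save
# text so the checks can run offline against a saved dump; "--live" reads the
# running box (assumes LAN on eth1 and WAN on eth0, as in the post).

# Return 0 when sysctl file $1 (normally /proc/sys/net/ipv4/ip_forward) holds 1.
nat_ip_forward_on() {
    [ "$(cat "$1" 2>/dev/null)" = "1" ]
}

# Return 0 when iptables-save text $1 masquerades traffic leaving WAN interface
# $2, i.e. contains a line like "-A POSTROUTING -o eth0 -j MASQUERADE".
nat_has_masquerade() {
    printf '%s\n' "$1" | grep -Eq "^-A POSTROUTING .*-o $2 .*-j MASQUERADE\$"
}

# Return 0 when iptables-save text $1 lets LAN interface $2 forward to WAN $3:
# either the FORWARD policy is ACCEPT or an explicit "-A FORWARD -i $2 -o $3
# ... -j ACCEPT" rule exists. (Replies from $3 back to $2 need their own
# ESTABLISHED,RELATED rule; that is not checked here.)
nat_forward_allowed() {
    printf '%s\n' "$1" | grep -Eq "^:FORWARD ACCEPT " && return 0
    printf '%s\n' "$1" | grep -Eq "^-A FORWARD .*-i $2 .*-o $3 .*-j ACCEPT\$"
}

# Run all checks. Args: sysctl_file ruleset_text lan_if wan_if. Prints one line
# per check and returns the number of failed checks (0 means the box can NAT).
nat_gateway_check() {
    fails=0
    if nat_ip_forward_on "$1"; then echo "ok   ip_forward=1"
    else echo "FAIL ip_forward is not 1: LAN packets are never routed out $4"; fails=$((fails + 1)); fi
    if nat_has_masquerade "$2" "$4"; then echo "ok   MASQUERADE on $4"
    else echo "FAIL no MASQUERADE rule in nat POSTROUTING for $4"; fails=$((fails + 1)); fi
    if nat_forward_allowed "$2" "$3" "$4"; then echo "ok   FORWARD $3 -> $4 allowed"
    else echo "FAIL FORWARD chain does not allow $3 -> $4"; fails=$((fails + 1)); fi
    return "$fails"
}

if [ "${1-}" = "--live" ]; then
    nat_gateway_check /proc/sys/net/ipv4/ip_forward "$(iptables-save 2>/dev/null)" eth1 eth0
    exit $?
fi
```

Run it as root on the gateway with `--live`; a non-zero exit status tells you how many prerequisites are missing, and the FAIL lines name them.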