* iptables script and ports to access intranet from internet..
@ 2004-12-15 8:15 Guillermo Javier Nardoni
From: Guillermo Javier Nardoni @ 2004-12-15 8:15 UTC (permalink / raw)
To: Netfilter users list
Hello, I have a script which allows me to route and do NAT over my intranet, but when I try to access it from the internet (outside the business room) I can't get in.
Port 80 is the problem.
When I try to access port 21 (ftp) it works fine.
Could you help me please?
I'm sending it to the user list to see what the problem is.
Thanks a lot.
Guillermo from Argentina.
RC.NAT
#! /bin/bash
# Interfaces: ppp0 faces the internet, eth1 is the wired LAN.
IF_INET="ppp0"
IF_LAN="eth1"
IF_LAN_NET="192.168.0.0/24"   # the post had "192.168.0.0/255", which iptables rejects as a mask; /24 assumed
IF_WLAN="ppp0"

# (SMB) (NFS) (X11)
#BAD_TCP="135:139 1433 2049 5999:6063"
BAD_TCP=""
#BAD_UDP="135:139 1433 2049 5999:6063"
BAD_UDP=""

case "$1" in
    start)
        echo "Cleaning up..."
        echo 0 > /proc/sys/net/ipv4/ip_forward
        iptables -F
        iptables -t nat -F
        iptables -t mangle -F

        echo -n "Determining IP address of Internet interface... "
        IF_INET_IP="`ifconfig $IF_INET | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
        echo $IF_INET_IP

        echo "Creating IPTABLES rules:"
        echo " Masquerading..."
        iptables -t nat -A POSTROUTING -o $IF_INET -j MASQUERADE

        echo " Protecting well-known ports..."
        # for i in $BAD_TCP; do
        #     iptables -A INPUT -p tcp --dport $i -j DROP
        #     iptables -A INPUT -p tcp --sport $i -j DROP
        #     iptables -A OUTPUT -p tcp --dport $i -j DROP
        #     iptables -A OUTPUT -p tcp --sport $i -j DROP
        #     iptables -A FORWARD -p tcp --dport $i -j DROP
        #     iptables -A FORWARD -p tcp --sport $i -j DROP
        # done
        # for i in $BAD_UDP; do
        #     iptables -A INPUT -p udp --dport $i -j DROP
        #     iptables -A INPUT -p udp --sport $i -j DROP
        #     iptables -A OUTPUT -p udp --dport $i -j DROP
        #     iptables -A OUTPUT -p udp --sport $i -j DROP
        #     iptables -A FORWARD -p udp --dport $i -j DROP
        #     iptables -A FORWARD -p udp --sport $i -j DROP
        # done

        # transparent proxy on port 3128 (note: not limited to any interface)
        iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
        iptables -t nat -A POSTROUTING -p TCP -s 0/0 --dport 21 -j MASQUERADE
        iptables -t nat -A POSTROUTING -p TCP -d 0/0 --dport 20 -j MASQUERADE
        iptables -t nat -A POSTROUTING -p TCP --dport 25 -j MASQUERADE
        iptables -t nat -A POSTROUTING -p TCP --dport 110 -j MASQUERADE
        iptables -t nat -A POSTROUTING -p TCP --dport 22 -j MASQUERADE
        iptables -t nat -A POSTROUTING -p TCP --dport 23 -j MASQUERADE

        echo " Rules for ICMP..."
        # 0: echo reply
        # 3: destination unreachable
        # 4: source quench
        # 5: redirect
        # 8: echo request
        # 9: router advertisement
        # 10: router solicitation
        # 11: time exceeded
        # 12: parameter-problem
        # 13: timestamp request
        # 14: timestamp reply
        # 15: information request
        # 16: information reply
        # 17: address mask request
        # 18: address mask reply
        iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
        iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
        iptables -A INPUT -p icmp --icmp-type 4 -j ACCEPT
        iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
        iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
        iptables -A INPUT -p icmp --icmp-type 14 -j ACCEPT
        iptables -A INPUT -p icmp --icmp-type 16 -j ACCEPT
        iptables -A INPUT -p icmp --icmp-type 18 -j ACCEPT
        iptables -A INPUT -p icmp -j LOG -m limit --log-prefix "FILTER ICMP-BAD-TYPE-IN:"
        iptables -A INPUT -p icmp -j DROP
        iptables -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT
        iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
        iptables -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT
        iptables -A OUTPUT -p icmp --icmp-type 13 -j ACCEPT
        iptables -A OUTPUT -p icmp --icmp-type 15 -j ACCEPT
        iptables -A OUTPUT -p icmp --icmp-type 17 -j ACCEPT
        iptables -A OUTPUT -p icmp -j LOG -m limit --log-prefix "FILTER ICMP-BAD-TYPE-OUT:"
        iptables -A OUTPUT -p icmp -j DROP
        iptables -A FORWARD -p icmp -j ACCEPT

        echo " Stateful inspection..."
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -i $IF_INET -j ACCEPT
        iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $IF_INET -j ACCEPT

        echo " Rules for Loopback Interface..."
        iptables -A INPUT -i lo -j ACCEPT
        iptables -A OUTPUT -o lo -j ACCEPT

        echo " Rules for local LAN..."
        iptables -A INPUT -i $IF_LAN -j ACCEPT
        iptables -A FORWARD -i $IF_LAN -j ACCEPT

        echo " Rules for local WLAN..."
        iptables -A INPUT -p tcp --dport 53 -i $IF_WLAN -j ACCEPT
        iptables -A INPUT -p udp --dport 53 -i $IF_WLAN -j ACCEPT
        iptables -A INPUT -p tcp --dport 67 -i $IF_WLAN -j ACCEPT
        iptables -A INPUT -p udp --dport 67 -i $IF_WLAN -j ACCEPT
        #iptables -A INPUT -p tcp --dport 80 -i $IF_WLAN -j AACEPT
        iptables -A INPUT -p tcp --destination-port 8080 -i ppp0 -j ACCEPT
        iptables -A INPUT -i ppp0 -j ACCEPT
        iptables -A FORWARD -p tcp --dport 22 -i $IF_WLAN -j ACCEPT
        iptables -A FORWARD -p tcp --dport 80 -i $IF_WLAN -j ACCEPT
        # "! -d" is the current negation syntax; the post used the older "-d !" form
        iptables -A FORWARD ! -d $IF_LAN_NET -i $IF_WLAN -j ACCEPT

        echo " Local public services (all interfaces):"
        echo " SSH..."
        iptables -A INPUT -p tcp --dport 22 -j ACCEPT
        iptables -A INPUT -p tcp --dport 21 -j ACCEPT
        iptables -A INPUT -p tcp --dport 23 -j ACCEPT
        iptables -A INPUT -p tcp --dport 80 -j ACCEPT

        #echo " Forwarding:"
        #echo " SSH..."
        #iptables -A FORWARD -p tcp -d 192.168.0.100 --dport 22 -j ACCEPT
        #iptables -t nat -A PREROUTING -i $IF_INET -p tcp -d $IF_INET_IP --dport 2222 -j DNAT --to 192.168.0.100:22

        echo " Logging & Dropping..."
        iptables -A INPUT -p tcp -j LOG -m limit --log-prefix "FILTER TCP-BAD-IN:"
        iptables -A INPUT -p tcp -j DROP
        iptables -A INPUT -p udp -j LOG -m limit --log-prefix "FILTER UDP-BAD-IN:"
        iptables -A INPUT -p udp -j DROP
        iptables -A INPUT -j LOG -m limit --log-prefix "FILTER UNKNOWN-BAD-IN:"
        iptables -A INPUT -j DROP
        iptables -A FORWARD -p tcp -j LOG -m limit --log-prefix "FILTER TCP-BAD-FWD:"
        iptables -A FORWARD -p tcp -j DROP
        iptables -A FORWARD -p udp -j LOG -m limit --log-prefix "FILTER UDP-BAD-FWD:"
        iptables -A FORWARD -p udp -j DROP
        iptables -A FORWARD -j LOG -m limit --log-prefix "FILTER UNKNOWN-BAD-FWD:"
        iptables -A FORWARD -j DROP
        iptables -P INPUT ACCEPT

        echo "Setting up spoofing protection..."
        for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
            echo 1 > $i
        done

        # disable source routed packets
        echo "Disabling source routed packets..."
        for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
            echo 0 > $i
        done

        echo "Setting default policy..."
        #iptables -P INPUT DROP
        #iptables -P INPUT ACCEPT
        #iptables -P FORWARD ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -P FORWARD DROP

        echo "Starting up routing..."
        echo 1 > /proc/sys/net/ipv4/ip_forward
        ;;
    stop)
        echo "Shutting down routing..."
        echo 0 > /proc/sys/net/ipv4/ip_forward
        iptables -P INPUT ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -F
        iptables -t nat -F
        iptables -t mangle -F
        ;;
    *)
        echo "Usage: ./filter {start|stop}"
        exit 1
        ;;
esac
exit 0
* Re: iptables script and ports to access intranet from internet..
@ 2004-12-16 13:14 ` Jason Opperisano
From: Jason Opperisano @ 2004-12-16 13:14 UTC (permalink / raw)
To: netfilter
On Wed, Dec 15, 2004 at 05:15:02AM -0300, Guillermo Javier Nardoni wrote:
> iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port
> 3128
this is your problem. if your intent is to redirect internal users to a
transparent proxy--specify the internal interface:
iptables -t nat -A PREROUTING -i $IF_LAN -p TCP --dport 80 \
-j REDIRECT --to-port 3128
without specifying the internal interface--your external port 80
requests will be redirected to the proxy as well (this may or may not be
what you want--sounds like it's not).
> #iptables -A INPUT -p tcp --dport 80 -i $IF_WLAN -j AACEPT
fix the typo and uncomment that to allow access to port 80 on the
firewall from the outside:
iptables -A INPUT -p tcp --dport 80 -i $IF_WLAN -j ACCEPT
> iptables -A INPUT -i ppp0 -j ACCEPT
you really think that's a good idea?
> iptables -A INPUT -p tcp --dport 22 -j ACCEPT
>
> iptables -A INPUT -p tcp --dport 21 -j ACCEPT
>
> iptables -A INPUT -p tcp --dport 23 -j ACCEPT
>
> iptables -A INPUT -p tcp --dport 80 -j ACCEPT
a lot of this seems repetitive...
> echo " Logging & Dropping..."
>
> iptables -A INPUT -p tcp -j LOG -m limit --log-prefix "FILTER
> TCP-BAD-IN:"
>
> iptables -A INPUT -p tcp -j DROP
>
> iptables -A INPUT -p udp -j LOG -m limit --log-prefix "FILTER
> UDP-BAD-IN:"
>
> iptables -A INPUT -p udp -j DROP
>
> iptables -A INPUT -j LOG -m limit --log-prefix "FILTER
> UNKNOWN-BAD-IN:"
>
> iptables -A INPUT -j DROP
since you've already accepted everything--you won't be doing much
dropping here...
-j
--
"Call this an unfair generalization if you must, but old people are
no good at everything."
--The Simpsons
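Taking Jason's two points together (limit the REDIRECT to the LAN interface, and do not put a blanket accept for ppp0 in front of the log-and-drop rules, since first match wins in a chain), the fragment below is an added example written for this page; it is not the poster's script and not code from Jason. It keeps the thread's interface names (ppp0, eth1) and proxy port 3128; the IPT wrapper, the exact rule set and the check_no_blanket_accept helper are this example's own assumptions. Run it with "dry-run" to print the rules and the check result, or with "apply" to load them.

```shell
#!/bin/sh
# Added example for this thread: a corrected nat/INPUT fragment plus a check.
# Interface names and the proxy port follow the thread; the IPT wrapper, the
# rule set and check_no_blanket_accept are assumptions of this example.
IPT="${IPT:-iptables}"   # set IPT="echo iptables" for a dry run
IF_INET="ppp0"           # internet-facing interface, as in the thread
IF_LAN="eth1"            # wired LAN, as in the thread
PROXY_PORT=3128

# Redirect to the transparent proxy only for traffic arriving from the LAN.
# Without "-i $IF_LAN" the rule also catches connections from the internet
# to port 80 on the firewall and hands them to the proxy.
nat_rules() {
    $IPT -t nat -A PREROUTING -i "$IF_LAN" -p tcp --dport 80 \
        -j REDIRECT --to-port "$PROXY_PORT"
    $IPT -t nat -A POSTROUTING -o "$IF_INET" -j MASQUERADE
}

# INPUT chain in first-match order: loopback, established/related, LAN,
# the few services exposed on the internet side, then log and drop.
# There is no "-i ppp0 -j ACCEPT" here; such a rule would match before the
# DROP and make it dead. The chain policy is DROP so unlisted traffic is refused.
input_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$IF_LAN" -j ACCEPT
    # services reachable from the internet side: ssh and the web port only
    for port in 22 80; do
        $IPT -A INPUT -i "$IF_INET" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    $IPT -A INPUT -i "$IF_INET" -m limit --limit 5/min \
        -j LOG --log-prefix "FILTER BAD-IN:"
    $IPT -A INPUT -i "$IF_INET" -j DROP
    $IPT -P INPUT DROP
}

# Reads a rule listing on stdin (the dry-run output, or a saved script) and
# succeeds only when no rule accepts everything that arrives on the internet
# interface; such a rule shadows every DROP that follows it.
check_no_blanket_accept() {
    ! grep -q -- "-A INPUT -i $IF_INET -j ACCEPT"
}

case "${1:-}" in
    dry-run)
        IPT="echo iptables"
        nat_rules
        rules=$(input_rules)
        echo "$rules"
        echo "$rules" | check_no_blanket_accept \
            && echo "check: no blanket accept on $IF_INET"
        ;;
    apply)
        nat_rules
        input_rules
        ;;
esac
```

The check is deliberately narrow: it only looks for the exact shape of rule Jason flagged. Running it over the poster's own start section would fail on the "iptables -A INPUT -i ppp0 -j ACCEPT" line, which is the rule that makes the later "Logging & Dropping" block unreachable for traffic from ppp0.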