From: "Power" <power@megasardines.com>
To: NetFilter <netfilter@lists.netfilter.org>
Subject: Firewall with 2 Dial in Modems + Port forwarding
Date: Tue, 2 Sep 2003 08:51:35 +0800
Message-ID: <008e01c370ec$5cfb6d40$0100a8c0@cKServer>


this is my sample script

#!/bin/bash
# rc.firewall for a 2.4 kernel: one external interface, one LAN interface and
# two dial-in PPP interfaces, all masqueraded out through the external one.
# (bash rather than sh because the script relies on "echo -e" / "echo -en".)
FWVER=0.63

echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"

IPTABLES=/sbin/iptables

EXTIF="eth1"      # external (Internet-facing) interface
INTIF1="eth0"     # LAN
INTIF2="ppp0"     # dial-in modem 1
INTIF3="ppp1"     # dial-in modem 2

echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF1"
echo "   Internal Interface:  $INTIF2"
echo "   Internal Interface:  $INTIF3"
echo -en "   loading modules: "

echo "  - Verifying that all kernel modules are ok"
/sbin/depmod -a
# modprobe resolves module paths and dependencies; the bare-name
# "insmod ip_tables" form only worked with the old modutils insmod.
echo -en "ip_tables, "
/sbin/modprobe ip_tables
echo -en "ip_conntrack, "
/sbin/modprobe ip_conntrack
echo -en "ip_conntrack_ftp, "
/sbin/modprobe ip_conntrack_ftp
echo -en "ip_conntrack_irc, "
/sbin/modprobe ip_conntrack_irc
echo -en "iptable_nat, "
/sbin/modprobe iptable_nat
echo -en "ip_nat_ftp, "
/sbin/modprobe ip_nat_ftp
echo ".  Done loading modules."

echo "   enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
# ip_dynaddr lets connections opened before a dial-up address change be
# re-masqueraded with the new address instead of breaking.
echo "   enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "   clearing any existing rules and setting default policy.."
# The firewall host itself accepts everything (INPUT and OUTPUT are open);
# only traffic forwarded between interfaces is filtered.
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"

# For each internal interface: anything may go out to $EXTIF, and only
# replies (ESTABLISHED) or helper-tracked data connections (RELATED) come
# back in.  Nothing here accepts a NEW connection arriving on $EXTIF, so
# traffic DNAT'd to an internal host still needs its own ACCEPT rule.
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF3 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF3 -o $EXTIF -j ACCEPT

# Everything that reaches the end of the chain is logged before the DROP
# policy discards it.  LOG is not rate-limited here; a flood fills the log.
$IPTABLES -A FORWARD -j LOG

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
[root@delllinux rc.d]# !ip
iptables -L FORWARD
Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  anywhere             anywhere           state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere
LOG        all  --  anywhere             anywhere           LOG level warning

[root@delllinux rc.d]# iptables -t nat -A PREROUTING --dst 192.168.2.90 -p tcp --dport 4899 -j DNAT --to-destination 192.168.1.2


My problem is that for the iptables command above to work I have to issue the command "iptables -P FORWARD ACCEPT". Can anyone tell me how to allow just certain forwarding so I can set the default to DENY? And is this firewall script secure enough?
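One way to open just the DNAT'd port while the FORWARD policy stays at DROP, as an added example that is not part of the original post or its script. It reuses the interface names and addresses from the post above (eth1, eth0, 192.168.2.90, 192.168.1.2, TCP port 4899); the function names, the port check and the print-instead-of-apply behaviour when not running as root are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the poster's script): publish one TCP port to an
# internal host while the FORWARD policy stays DROP.
# Interface names and addresses are those from the post; the function
# names and the non-root dry-run are this example's own.
set -e

IPTABLES=${IPTABLES:-/sbin/iptables}
EXTIF=${EXTIF:-eth1}      # external interface from the post
INTIF1=${INTIF1:-eth0}    # LAN interface holding the published host

# Without root the rules cannot be loaded, so print them instead
# (assumption: a dry run is the useful behaviour for a non-root reader).
if [ "$(id -u)" -ne 0 ]; then
    IPTABLES="echo $IPTABLES"
fi

# valid_port N: true if N is an integer in 1..65535.
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# allow_dnat_port EXT_ADDR EXT_PORT INT_ADDR [INT_PORT]
# Emits the two rules a published service needs:
#  1. nat/PREROUTING DNAT, restricted to packets arriving on $EXTIF so the
#     rewrite cannot be triggered from the LAN side.
#  2. A filter/FORWARD ACCEPT for NEW connections only.  nat/PREROUTING runs
#     before the routing decision, so FORWARD sees the rewritten
#     destination: match on INT_ADDR:INT_PORT, not on the external address.
# Replies are already covered by the ESTABLISHED,RELATED rule in the script.
allow_dnat_port() {
    ext_addr=$1; ext_port=$2; int_addr=$3; int_port=${4:-$2}
    if ! valid_port "$ext_port" || ! valid_port "$int_port"; then
        echo "allow_dnat_port: bad port '$ext_port' / '$int_port'" >&2
        return 1
    fi
    $IPTABLES -t nat -A PREROUTING -i "$EXTIF" -d "$ext_addr" -p tcp \
        --dport "$ext_port" -j DNAT --to-destination "$int_addr:$int_port"
    $IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF1" -p tcp -d "$int_addr" \
        --dport "$int_port" -m state --state NEW -j ACCEPT
}

# Usage: sh allow-port.sh EXT_ADDR EXT_PORT INT_ADDR [INT_PORT]
# e.g.   sh allow-port.sh 192.168.2.90 4899 192.168.1.2
if [ $# -ge 3 ]; then
    allow_dnat_port "$@"
fi
```

Run after the rc.firewall script with `sh allow-port.sh 192.168.2.90 4899 192.168.1.2` and confirm with `iptables -L FORWARD -n -v` and `iptables -t nat -L PREROUTING -n`. Appended this way, the FORWARD ACCEPT lands after the script's unconditional `-j LOG` rule; LOG does not terminate rule processing, so the connection is still accepted, but every new connection to the published port gets logged. To avoid that, put the ACCEPT line in the script ahead of the LOG rule (or insert it with `-I FORWARD`). Nothing here grants NEW connections from eth1 to anything other than 192.168.1.2:4899, so the DROP policy keeps doing its job for every other inbound packet.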
