From: Guido Trentalancia <guido@trentalancia.com>
To: Bojan Sukalo <shukalo83@gmail.com>
Cc: netfilter@vger.kernel.org
Subject: Re: Natting html traffic
Date: Sat, 13 Feb 2010 15:47:14 +0100 [thread overview]
Message-ID: <1266072434.2916.46.camel@tesla.lan> (raw)
In-Reply-To: <368e93c51002130422la851213ud93649e9ccc5519c@mail.gmail.com>
Hello again !
On Sat, 2010-02-13 at 13:22 +0100, Bojan Sukalo wrote:
> OK, just not to go off topic here (telnet can be used to comunicate
> with lots of stuff)
>
> Here are my iptables rules with comments.
>
> iptables -P INPUT DROP
> iptables -P FORWARD DROP
> iptables -P OUTPUT ACCEPT
>
> iptables -F INPUT
> iptables -F FORWARD
> iptables -F OUTPUT
> iptables -F -t nat
>
> ##from internal to outside world
> iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
>
> ##from vpn clients to inisde
> iptables -A FORWARD -i tap0 -o eth1 -j ACCEPT
>
>
> ##established sessions from outside to inside
> iptables -A FORWARD -i eth0 -o eth1 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
> ## established session from inside to vpn clients
> iptables -A FORWARD -i eth1 -o tap0 -m state --state
> ESTABLISHED,RELATED -j ACCEPT
>
> ##Allow inputs from the internal network and local interfaces
> iptables -A INPUT -i eth1 -s 192.168.60.0/24 -d 0/0 -j ACCEPT
> iptables -A INPUT -i tap0 -s 192.168.168.0/24 -d 0/0 -j ACCEPT
> iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
The last three entries are not very secure. In particular, the first two
leave all ports open, while in a real situation you'd better have an
entry for each allowed service/port (by adding "-m state --state NEW -m
tcp -p tcp --dport ALLOWED_SERVICE_PORT", substituting
ALLOWED_SERVICE_PORT with the service you need and perhaps removing -d
0/0).
You could also add for the loopback interface this entry (although it
should be equivalent to setting rp_filter=1):
-A INPUT ! -i lo -d 127.0.0.0/8 -j REJECT
> ## NAT to public source ip (also tried -j MASQUARADE here but that
> also didn't help)
> iptables -A POSTROUTING -t nat -s 192.168.60.0/24 -o eth0 -j SNAT
> --to-source my_public_ip
iptables -A POSTROUTING -t nat -s 192.168.60.0/24 -o eth0 -j MASQUERADE
because amongst other things, if you use SNAT then you would also need
DNAT !
And remember to do "echo 1 > /proc/sys/net/ipv4/ip_forward" to enable
forwarding.
> ##prevent some spoofing from outside
> iptables -A INPUT -i eth0 -s 192.168.60.0/24 -j DROP
> iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
I think you could just use:
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
or just a similar command for specific interfaces.
> ##add some access rules for ssh and openvpn
> iptables -A INPUT -i eth0 -p tcp -s ssh_allowed_public_ip
> --destination-port 22 -j ACCEPT
> iptables -A INPUT -i eth0 -p udp -s 0/0 --destination-port 1194 -j ACCEPT
>
> ##giving trust to my public dns, just in case
> iptables -A INPUT -p udp -s my_public_dns --source-port 53 -d 0/0 -j ACCEPT
>
> ##trying hard nat to work by clamping mss to mtu
> iptables -t mangle -A FORWARD -i eth1 -o eth0 -p tcp --tcp-flags
> SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
What do you want to achieve with the last rule ?
Regards,
Guido
next prev parent reply other threads:[~2010-02-13 14:47 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-02-12 23:03 Natting html traffic Bojan Sukalo
2010-02-12 23:18 ` Guido Trentalancia
2010-02-13 2:13 ` Покотиленко Костик
2010-02-13 4:26 ` Guido Trentalancia
2010-02-13 4:51 ` Peter Chacko
2010-02-13 10:08 ` Oskar Berggren
2010-02-13 12:22 ` Bojan Sukalo
2010-02-13 14:47 ` Guido Trentalancia [this message]
2010-02-13 15:29 ` Bojan Sukalo
2010-02-13 16:19 ` Guido Trentalancia
2010-02-13 18:36 ` Mart Frauenlob
2010-02-13 16:06 ` Guido Trentalancia
2010-02-13 18:44 ` Mart Frauenlob
2010-02-13 18:19 ` Mart Frauenlob
-- strict thread matches above, loose matches on Subject: below --
2010-02-13 16:46 Bojan Sukalo
2010-02-13 16:55 ` Guido Trentalancia
2010-02-14 10:52 ` Bojan Sukalo
2010-02-14 16:08 ` Guido Trentalancia
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1266072434.2916.46.camel@tesla.lan \
--to=guido@trentalancia.com \
--cc=netfilter@vger.kernel.org \
--cc=shukalo83@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.