* fw-builder
From: Simpson, Doug @ 2003-01-02 21:18 UTC (permalink / raw)
To: 'netfilter@lists.netfilter.org'
Here is my rc.firewall that I generated using FW Builder.
I want to add these lines -
iptables -t nat -A POSTROUTING -p tcp --dport 110 -o eth0 -s $INTERNAL_IP -j SNAT --to $EXTERNAL_IP
iptables -t nat -A POSTROUTING -p tcp --dport 23 -o eth0 -s $INTERNAL_IP -j SNAT --to $EXTERNAL_IP
Where can I put these in the script and do I need to follow the same pattern
as the script?
Thank you
Doug
##############################################
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v1.0.7-
#
# Generated Fri Nov 22 17:45:36 2002 CST by root
#
#
#
#
check() {
    if test ! -x "$1"; then
        echo "$1 not found or is not executable"
        exit 1
    fi
}
log() {
    if test -x "$LOGGER"; then
        logger -p info "$1"
    fi
}
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP="/sbin/ip"
LOGGER="/usr/bin/logger"
check $MODPROBE
check $IPTABLES
check $IP
cd /etc || exit 1
log "Activating firewall script generated Fri Nov 22 17:45:36 2002 CST by root"
INTERFACES="eth0 eth1 lo "
for i in $INTERFACES ; do
    $IP link show "$i" > /dev/null 2>&1 || {
        echo Interface $i does not exist
        exit 1
    }
done
MODULE_DIR="/lib/modules/`uname -r`/kernel/net/ipv4/netfilter/"
MODULES=`(cd $MODULE_DIR; ls *_conntrack_* *_nat_* | sed 's/\.o.*$//')`
for module in $(echo $MODULES); do
    if [ -e "${MODULE_DIR}/${module}.o" -o -e "${MODULE_DIR}/${module}.o.gz" ]; then
        $MODPROBE -k ${module} || exit 1
    fi
done
FWD=`cat /proc/sys/net/ipv4/ip_forward`
echo "0" > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl
$IP -4 neigh flush dev eth0
$IP -4 addr flush dev eth0 label "eth0:FWB*"
$IP -4 neigh flush dev eth1
$IP -4 addr flush dev eth1 label "eth1:FWB*"
$IPTABLES -P OUTPUT DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
cat /proc/net/ip_tables_names | while read table; do
    $IPTABLES -t $table -L -n | while read c chain rest; do
        if test "X$c" = "XChain" ; then
            $IPTABLES -t $table -F $chain
        fi
    done
    $IPTABLES -t $table -X
done
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Rule 0(eth0)
#
#
#
$IPTABLES -N eth0_In_RULE_0
$IPTABLES -A INPUT -i eth0 -p udp --source-port 500 -m state --state NEW -j eth0_In_RULE_0
$IPTABLES -A FORWARD -i eth0 -p udp --source-port 500 -m state --state NEW -j eth0_In_RULE_0
$IPTABLES -A eth0_In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A eth0_In_RULE_0 -j ACCEPT
$IPTABLES -N eth0_Out_RULE_0
$IPTABLES -A OUTPUT -o eth0 -p udp --source-port 500 -m state --state NEW -j eth0_Out_RULE_0
$IPTABLES -A FORWARD -o eth0 -p udp --source-port 500 -m state --state NEW -j eth0_Out_RULE_0
$IPTABLES -A eth0_Out_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A eth0_Out_RULE_0 -j ACCEPT
#
# Rule 1(eth0)
#
#
#
$IPTABLES -N eth0_In_RULE_1
$IPTABLES -A INPUT -i eth0 -p udp --destination-port 500 -m state --state NEW -j eth0_In_RULE_1
$IPTABLES -A FORWARD -i eth0 -p udp --destination-port 500 -m state --state NEW -j eth0_In_RULE_1
$IPTABLES -A eth0_In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT "
$IPTABLES -A eth0_In_RULE_1 -j ACCEPT
$IPTABLES -N eth0_Out_RULE_1
$IPTABLES -A OUTPUT -o eth0 -p udp --destination-port 500 -m state --state NEW -j eth0_Out_RULE_1
$IPTABLES -A FORWARD -o eth0 -p udp --destination-port 500 -m state --state NEW -j eth0_Out_RULE_1
$IPTABLES -A eth0_Out_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT "
$IPTABLES -A eth0_Out_RULE_1 -j ACCEPT
#
# Rule 2(eth0)
#
#
#
$IPTABLES -N eth0_In_RULE_2
$IPTABLES -A INPUT -i eth0 -p 50 -m state --state NEW -j eth0_In_RULE_2
$IPTABLES -A FORWARD -i eth0 -p 50 -m state --state NEW -j eth0_In_RULE_2
$IPTABLES -A eth0_In_RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- ACCEPT "
$IPTABLES -A eth0_In_RULE_2 -j ACCEPT
$IPTABLES -N eth0_Out_RULE_2
$IPTABLES -A OUTPUT -o eth0 -p 50 -m state --state NEW -j eth0_Out_RULE_2
$IPTABLES -A FORWARD -o eth0 -p 50 -m state --state NEW -j eth0_Out_RULE_2
$IPTABLES -A eth0_Out_RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- ACCEPT "
$IPTABLES -A eth0_Out_RULE_2 -j ACCEPT
#
# Rule 3(eth0)
#
#
#
$IPTABLES -N eth0_In_RULE_3
$IPTABLES -A INPUT -i eth0 -p 51 -m state --state NEW -j eth0_In_RULE_3
$IPTABLES -A FORWARD -i eth0 -p 51 -m state --state NEW -j eth0_In_RULE_3
$IPTABLES -A eth0_In_RULE_3 -j LOG --log-level info --log-prefix "RULE 3 -- ACCEPT "
$IPTABLES -A eth0_In_RULE_3 -j ACCEPT
$IPTABLES -N eth0_Out_RULE_3
$IPTABLES -A OUTPUT -o eth0 -p 51 -m state --state NEW -j eth0_Out_RULE_3
$IPTABLES -A FORWARD -o eth0 -p 51 -m state --state NEW -j eth0_Out_RULE_3
$IPTABLES -A eth0_Out_RULE_3 -j LOG --log-level info --log-prefix "RULE 3 -- ACCEPT "
$IPTABLES -A eth0_Out_RULE_3 -j ACCEPT
#
# Rule 4(eth0)
#
#
#
$IPTABLES -N eth0_In_RULE_4
$IPTABLES -A INPUT -i eth0 -p tcp --source-port 110 -m state --state NEW -j eth0_In_RULE_4
$IPTABLES -A FORWARD -i eth0 -p tcp --source-port 110 -m state --state NEW -j eth0_In_RULE_4
$IPTABLES -A eth0_In_RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- ACCEPT "
$IPTABLES -A eth0_In_RULE_4 -j ACCEPT
$IPTABLES -N eth0_Out_RULE_4
$IPTABLES -A OUTPUT -o eth0 -p tcp --source-port 110 -m state --state NEW -j eth0_Out_RULE_4
$IPTABLES -A FORWARD -o eth0 -p tcp --source-port 110 -m state --state NEW -j eth0_Out_RULE_4
$IPTABLES -A eth0_Out_RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- ACCEPT "
$IPTABLES -A eth0_Out_RULE_4 -j ACCEPT
#
# Rule 5(eth0)
#
#
#
$IPTABLES -N eth0_In_RULE_5
$IPTABLES -A INPUT -i eth0 -p tcp --destination-port 110 -m state --state NEW -j eth0_In_RULE_5
$IPTABLES -A FORWARD -i eth0 -p tcp --destination-port 110 -m state --state NEW -j eth0_In_RULE_5
$IPTABLES -A eth0_In_RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT "
$IPTABLES -A eth0_In_RULE_5 -j ACCEPT
$IPTABLES -N eth0_Out_RULE_5
$IPTABLES -A OUTPUT -o eth0 -p tcp --destination-port 110 -m state --state NEW -j eth0_Out_RULE_5
$IPTABLES -A FORWARD -o eth0 -p tcp --destination-port 110 -m state --state NEW -j eth0_Out_RULE_5
$IPTABLES -A eth0_Out_RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT "
$IPTABLES -A eth0_Out_RULE_5 -j ACCEPT
#
# Rule 6(eth0)
#
#
#
$IPTABLES -N eth0_In_RULE_6
$IPTABLES -A INPUT -i eth0 -p tcp --destination-port 80 -m state --state NEW -j eth0_In_RULE_6
$IPTABLES -A FORWARD -i eth0 -p tcp --destination-port 80 -m state --state NEW -j eth0_In_RULE_6
$IPTABLES -A eth0_In_RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- ACCEPT "
$IPTABLES -A eth0_In_RULE_6 -j ACCEPT
$IPTABLES -N eth0_Out_RULE_6
$IPTABLES -A OUTPUT -o eth0 -p tcp --destination-port 80 -m state --state NEW -j eth0_Out_RULE_6
$IPTABLES -A FORWARD -o eth0 -p tcp --destination-port 80 -m state --state NEW -j eth0_Out_RULE_6
$IPTABLES -A eth0_Out_RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- ACCEPT "
$IPTABLES -A eth0_Out_RULE_6 -j ACCEPT
#
# Rule 7(eth0)
#
#
#
$IPTABLES -N eth0_In_RULE_7
$IPTABLES -A INPUT -i eth0 -p tcp --source-port 25 --destination-port 25 -m state --state NEW -j eth0_In_RULE_7
$IPTABLES -A FORWARD -i eth0 -p tcp --source-port 25 --destination-port 25 -m state --state NEW -j eth0_In_RULE_7
$IPTABLES -A eth0_In_RULE_7 -j LOG --log-level info --log-prefix "RULE 7 -- ACCEPT "
$IPTABLES -A eth0_In_RULE_7 -j ACCEPT
$IPTABLES -N eth0_Out_RULE_7
$IPTABLES -A OUTPUT -o eth0 -p tcp --source-port 25 --destination-port 25 -m state --state NEW -j eth0_Out_RULE_7
$IPTABLES -A FORWARD -o eth0 -p tcp --source-port 25 --destination-port 25 -m state --state NEW -j eth0_Out_RULE_7
$IPTABLES -A eth0_Out_RULE_7 -j LOG --log-level info --log-prefix "RULE 7 -- ACCEPT "
$IPTABLES -A eth0_Out_RULE_7 -j ACCEPT
#
# Rule 8(eth0)
#
#
#
$IPTABLES -N eth0_Out_RULE_8
$IPTABLES -A OUTPUT -o eth0 -s 192.168.1.1 -m state --state NEW -j eth0_Out_RULE_8
$IPTABLES -A eth0_Out_RULE_8 -j LOG --log-level info --log-prefix "RULE 8 -- ACCEPT "
$IPTABLES -A eth0_Out_RULE_8 -j ACCEPT
#
# Rule 9(eth0)
#
#
#
$IPTABLES -N eth0_Out_RULE_9
$IPTABLES -A FORWARD -o eth0 -s 192.168.1.0/24 -m state --state NEW -j eth0_Out_RULE_9
$IPTABLES -A eth0_Out_RULE_9 -j LOG --log-level info --log-prefix "RULE 9 -- ACCEPT "
$IPTABLES -A eth0_Out_RULE_9 -j ACCEPT
#
# Rule 10(eth0)
#
#
#
$IPTABLES -N eth0_In_RULE_10
$IPTABLES -A INPUT -i eth0 -j eth0_In_RULE_10
$IPTABLES -A FORWARD -i eth0 -j eth0_In_RULE_10
$IPTABLES -A eth0_In_RULE_10 -j LOG --log-level info --log-prefix "RULE 10 -- DROP "
$IPTABLES -A eth0_In_RULE_10 -j DROP
#
# Rule 0(eth1)
#
#
#
$IPTABLES -N eth1_In_RULE_0
$IPTABLES -A INPUT -i eth1 -m state --state NEW -j eth1_In_RULE_0
$IPTABLES -A FORWARD -i eth1 -m state --state NEW -j eth1_In_RULE_0
$IPTABLES -A eth1_In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A eth1_In_RULE_0 -j ACCEPT
$IPTABLES -N eth1_Out_RULE_0
$IPTABLES -A OUTPUT -o eth1 -m state --state NEW -j eth1_Out_RULE_0
$IPTABLES -A FORWARD -o eth1 -m state --state NEW -j eth1_Out_RULE_0
$IPTABLES -A eth1_Out_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A eth1_Out_RULE_0 -j ACCEPT
#
# Rule 1(eth1)
#
#
#
$IPTABLES -N eth1_In_RULE_1
$IPTABLES -A INPUT -i eth1 -p tcp --destination-port 23 -j eth1_In_RULE_1
$IPTABLES -A FORWARD -i eth1 -p tcp --destination-port 23 -j eth1_In_RULE_1
$IPTABLES -A eth1_In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DROP "
$IPTABLES -A eth1_In_RULE_1 -j DROP
#
# Rule 0(lo)
#
# allow everything on loopback
#
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A FORWARD -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A FORWARD -o lo -j ACCEPT
#
# Rule 0(global)
#
# 'catch all' rule
#
$IPTABLES -N RULE_0
$IPTABLES -A OUTPUT -j RULE_0
$IPTABLES -A INPUT -j RULE_0
$IPTABLES -A FORWARD -j RULE_0
$IPTABLES -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
$IPTABLES -A RULE_0 -j ACCEPT
#
#
echo 1 > /proc/sys/net/ipv4/ip_forward
* Re: fw-builder
From: Joel Newkirk @ 2003-01-03 2:01 UTC (permalink / raw)
To: Simpson, Doug, 'netfilter@lists.netfilter.org'
On Thursday 02 January 2003 04:18 pm, Simpson, Doug wrote:
> Here is my rc.firewall that I generated using FW Builder.
> I want to add these lines -
> iptables -t nat -A POSTROUTING -p tcp --dport 110 -o eth0 -s
> $INTERNAL_IP -j SNAT --to $external_ip
> iptables -t nat -A POSTROUTING -p tcp --dport 23 -o eth0 -s
> $INTERNAL_IP -j SNAT --to $EXTERNAL_IP
> Where can I put these in the script and do I need to follow the same
> pattern as the script?
> Thank you
> Doug
> ##############################################
> #!/bin/sh
> #
> # This is automatically generated file. DO NOT MODIFY !
> #
> # Firewall Builder fwb_ipt v1.0.7-
> $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
Right here would probably make sense. Actually you can put them
anywhere, since there are no other POSTROUTING rules in the script.
Just DON'T put them inside a loop or a conditional statement. There's
no explicit need to follow the pattern in the script, but be aware that
if you rebuild the ruleset with fw-builder you will need to manually
re-insert these afterwards, AFAIK.
j
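Putting Joel's advice into practice, as an added example that is not part of the thread or of Firewall Builder's output: the two SNAT rules from the question, wrapped so they fail loudly on an unset address and can be dropped in right after the three ESTABLISHED,RELATED rules, outside any loop or "if". The addresses and the DRY_RUN default are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from Firewall Builder. All addresses
# and defaults below are constructed assumptions.
IPTABLES="${IPTABLES:-/sbin/iptables}"
INTERNAL_IP="${INTERNAL_IP:-192.168.1.0/24}"   # constructed: the LAN on eth1
EXTERNAL_IP="${EXTERNAL_IP:-203.0.113.10}"     # constructed: eth0 address
DRY_RUN="${DRY_RUN:-1}"                        # 1 = print rules, 0 = apply them

# Fail before touching the nat table if an address is empty: "-j SNAT --to"
# with nothing after it makes iptables abort, and shell variable names are
# case-sensitive, so a mistyped name silently expands to exactly that.
require_var() {
    eval "val=\$$1"
    if [ -z "$val" ]; then
        echo "$1 is not set" >&2
        return 1
    fi
}

# Build one POSTROUTING SNAT rule for a TCP destination port (110 or 23 here).
snat_rule() {
    printf '%s -t nat -A POSTROUTING -o eth0 -p tcp --dport %s -s %s -j SNAT --to %s\n' \
        "$IPTABLES" "$1" "$INTERNAL_IP" "$EXTERNAL_IP"
}

# Print the rule in dry-run mode, otherwise apply it and report failure.
apply_snat() {
    rule=$(snat_rule "$1")
    if [ "$DRY_RUN" = 1 ]; then
        echo "$rule"
    else
        eval "$rule" || return 1
    fi
}

# Entry point: call it once, after the ESTABLISHED,RELATED rules. fwbuilder
# rewrites rc.firewall on every compile, so keep this in a file the script
# sources and re-add that one line after a rebuild.
add_snat_rules() {
    require_var INTERNAL_IP && require_var EXTERNAL_IP || return 1
    for port in 110 23; do
        apply_snat "$port" || return 1
    done
}

add_snat_rules
```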