From: mariusz stanisz <knightofcarnage@netscape.net>
To: netfilter@lists.netfilter.org
Subject: Firewall - Nat
Date: Mon, 17 Mar 2003 19:52:11 -0600
Message-ID: <3E767BCB.9010207@netscape.net>
Hi, I need some help making an iptables script that does the following...
1) eth0 has 4 external IPs
eth0 -> 192.168.0.50 (nic 0)
eth0:eth2 -> 192.168.0.200
eth0:eth3 -> 192.168.0.201
eth0:eth4 -> 192.168.0.202
eth1 -> 192.168.0.1 (internal network) (nic 1)
2) On eth1 there is a 5-port switch which has 4 different webservers
connected to it.
webserver 1 -> 172.168.0.2
webserver 2 -> 172.168.0.3
webserver 3 -> 172.168.0.4
webserver 4 -> 172.168.0.5
3) On eth0 the only incoming traffic allowed is on ports 21, 23 and 80 from
the 192.168.0.0/255.255.255.0 network.
All outgoing traffic is allowed.
4) On eth1 all traffic is allowed both ways.
5) This is the most important rule I need.
192.168.0.50:80 -> 172.168.0.2:80
192.168.0.200:80 -> 172.168.0.3:80
192.168.0.201:80 -> 172.168.0.4:80
192.168.0.202:80 -> 172.168.0.5:80
This is what I have so far, but it does not work at all. I'm not sure what is
wrong with it.
+++++++++++++++++++++++++++++
Hardware is TS-5500
CPU: Elan (486 DX/4-WD), 66 MHz
++++++++++++++++++++++++++++
=========================================================================================
#!/bin/sh
NETACCEPT=192.168.0.0/255.255.255.0
NAT=yes
# action comes from the command line ("start" or "stop"); default to start
TEST="${1:-start}"
case "$TEST" in
'start')
    if [ -x /usr/bin/logger ]; then
        logger -p info "Firewall Starting"
    fi
    # remember the forwarding state and switch it off while rules are replaced
    FWD=`cat /proc/sys/net/ipv4/ip_forward`
    echo "0" > /proc/sys/net/ipv4/ip_forward
    echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
    echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_intvl
    iptables -P OUTPUT ACCEPT
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    # flush every chain in every loaded table, then delete the user chains
    cat /proc/net/ip_tables_names | while read table; do
        iptables -t $table -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                iptables -t $table -F $chain
            fi
        done
        iptables -t $table -X
    done
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    #
    # Interface Rule #0 for ETH0
    #
    iptables -N ETH0
    iptables -A OUTPUT -o eth0 -m state --state NEW -j ETH0
    iptables -A FORWARD -o eth0 -m state --state NEW -j ETH0
    iptables -A ETH0 -j ACCEPT
    #
    # Interface Rule #1 for ETH0
    #
    iptables -N TELNET
    iptables -A INPUT -i eth0 -p tcp -m state --state NEW -s $NETACCEPT \
        --destination-port 23 -j TELNET
    iptables -A FORWARD -i eth0 -p tcp -m state --state NEW -s $NETACCEPT \
        --destination-port 23 -j TELNET
    iptables -A INPUT -i eth0 -p udp -m state --state NEW -s $NETACCEPT \
        --destination-port 23 -j TELNET
    iptables -A FORWARD -i eth0 -p udp -m state --state NEW -s $NETACCEPT \
        --destination-port 23 -j TELNET
    iptables -A TELNET -j LOG --log-level info --log-prefix "TELNET_IN : "
    iptables -A TELNET -j ACCEPT
    #
    # Interface Rule #2 for ETH0
    #
    iptables -N FTP
    iptables -A INPUT -i eth0 -p tcp -m state --state NEW -s $NETACCEPT \
        --destination-port 21 -j FTP
    iptables -A FORWARD -i eth0 -p tcp -m state --state NEW -s $NETACCEPT \
        --destination-port 21 -j FTP
    iptables -A INPUT -i eth0 -p udp -m state --state NEW -s $NETACCEPT \
        --destination-port 21 -j FTP
    iptables -A FORWARD -i eth0 -p udp -m state --state NEW -s $NETACCEPT \
        --destination-port 21 -j FTP
    iptables -A FTP -j LOG --log-level info --log-prefix "FTP_IN : "
    iptables -A FTP -j ACCEPT
    #
    # Interface Rule #3 for ETH0
    #
    iptables -N WWW
    iptables -A INPUT -i eth0 -p tcp -m state --state NEW -s $NETACCEPT \
        --destination-port 80 -j WWW
    iptables -A FORWARD -i eth0 -p tcp -m state --state NEW -s $NETACCEPT \
        --destination-port 80 -j WWW
    iptables -A INPUT -i eth0 -p udp -m state --state NEW -s $NETACCEPT \
        --destination-port 80 -j WWW
    iptables -A FORWARD -i eth0 -p udp -m state --state NEW -s $NETACCEPT \
        --destination-port 80 -j WWW
    iptables -A WWW -j LOG --log-level info --log-prefix "WWW_IN : "
    iptables -A WWW -j ACCEPT
    #
    # Interface Rule #0 for LO
    #
    iptables -N LO
    iptables -A INPUT -i lo -m state --state NEW -j LO
    iptables -A FORWARD -i lo -m state --state NEW -j LO
    iptables -A OUTPUT -o lo -m state --state NEW -j LO
    iptables -A FORWARD -o lo -m state --state NEW -j LO
    iptables -A LO -j ACCEPT
    #
    # Interface Rule #0 for ETH1
    #
    iptables -N ETH1
    iptables -A INPUT -i eth1 -m state --state NEW -j ETH1
    iptables -A FORWARD -i eth1 -m state --state NEW -j ETH1
    iptables -A OUTPUT -o eth1 -m state --state NEW -j ETH1
    iptables -A FORWARD -o eth1 -m state --state NEW -j ETH1
    iptables -A ETH1 -j ACCEPT
    #
    # Final rules filter
    #
    iptables -A INPUT -j DROP
    iptables -A OUTPUT -j ACCEPT
    iptables -A FORWARD -j DROP
    echo "$FWD" > /proc/sys/net/ipv4/ip_forward
    if [ -x /usr/bin/logger ]; then
        logger -p info "Filter Done"
    fi
    #
    # rules nat
    #
    if [ "$NAT" = "yes" ]; then
        #
        ifconfig eth0:eth2 192.168.0.200 netmask 255.255.255.0 up
        ifconfig eth0:eth3 192.168.0.201 netmask 255.255.255.0 up
        ifconfig eth0:eth4 192.168.0.202 netmask 255.255.255.0 up
        #
        iptables -t nat -A POSTROUTING -o eth0 -s 172.168.0.0/255.255.255.0 \
            -d 0/0 -j MASQUERADE
        iptables -t nat -A PREROUTING -p udp -i eth0 -d 192.168.0.50 --dport 80 \
            -j DNAT --to 172.168.0.2:80
        iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.50 --dport 80 \
            -j DNAT --to 172.168.0.2:80
        iptables -t nat -A PREROUTING -p udp -i eth0 -d 192.168.0.200 --dport 80 \
            -j DNAT --to 172.168.0.3:80
        iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.200 --dport 80 \
            -j DNAT --to 172.168.0.3:80
        iptables -t nat -A PREROUTING -p udp -i eth0 -d 192.168.0.201 --dport 80 \
            -j DNAT --to 172.168.0.4:80
        iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.201 --dport 80 \
            -j DNAT --to 172.168.0.4:80
        iptables -t nat -A PREROUTING -p udp -i eth0 -d 192.168.0.202 --dport 80 \
            -j DNAT --to 172.168.0.5:80
        iptables -t nat -A PREROUTING -p tcp -i eth0 -d 192.168.0.202 --dport 80 \
            -j DNAT --to 172.168.0.5:80
        # DNAT needs forwarding: restoring $FWD above leaves it off if it was
        # off before the script ran, so enable it explicitly once NAT is set up
        echo "1" > /proc/sys/net/ipv4/ip_forward
        if [ -x /usr/bin/logger ]; then
            logger -p info "Nat Done"
        fi
    fi
    ;;
'stop')
    logger -p info "Firewall Is Down"
    iptables -P OUTPUT ACCEPT
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    cat /proc/net/ip_tables_names | while read table; do
        iptables -t $table -L -n | while read c chain rest; do
            if test "X$c" = "XChain" ; then
                iptables -t $table -F $chain
            fi
        done
        iptables -t $table -X
    done
    ;;
*)
    echo "usage $0 start|stop"
    ;;
esac
=============================================================================================
Help, please.
I'm not sure if I have to repeat all rules for eth2, eth3, eth4.
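Added example, not the poster's script: a generator for the rule set items 1-5 describe, which also answers the eth2/eth3/eth4 question, since rules match on the public address and never mention the alias name. Interface names and addresses are constructed from the post; rules are printed rather than run so they can be reviewed first.

```shell
#!/bin/sh
# Added example (not the poster's script); addresses constructed from items 1-5.
EXT_IF=eth0                 # public side: 192.168.0.50 plus the three aliases
INT_IF=eth1                 # LAN with the four web servers
INT_NET=172.168.0.0/24
ALLOWED_SRC=192.168.0.0/24  # only this network may open connections on eth0

# "public-ip internal-ip" pairs, one per web server (item 5 of the post)
MAPPINGS='192.168.0.50 172.168.0.2
192.168.0.200 172.168.0.3
192.168.0.201 172.168.0.4
192.168.0.202 172.168.0.5'

emit() { echo "$*"; }   # rules are printed, not run: review them, then gen_all | sh

gen_base_rules() {
    emit "sysctl -w net.ipv4.ip_forward=1"   # DNAT does nothing with forwarding off
    for t in filter nat; do emit "iptables -t $t -F"; done
    emit "iptables -P INPUT DROP"
    emit "iptables -P FORWARD DROP"
    emit "iptables -P OUTPUT ACCEPT"
    for c in INPUT FORWARD; do
        emit "iptables -A $c -m state --state ESTABLISHED,RELATED -j ACCEPT"
    done
    emit "iptables -A INPUT -i lo -j ACCEPT"
    emit "iptables -A INPUT -i $INT_IF -j ACCEPT"              # item 4: LAN trusted
    emit "iptables -A FORWARD -i $INT_IF -o $EXT_IF -j ACCEPT" # item 3: all outgoing
    emit "iptables -t nat -A POSTROUTING -o $EXT_IF -s $INT_NET -j MASQUERADE"
}
# Services on the firewall itself (item 3). Port 80 on the four mapped public
# addresses is rewritten by DNAT before INPUT ever sees it, so the port-80 rule
# here only matters for an address without a mapping.
gen_local_rules() {
    for p in 21 23 80; do
        emit "iptables -A INPUT -i $EXT_IF -p tcp -s $ALLOWED_SRC --dport $p -m state --state NEW -j ACCEPT"
    done
}
# One DNAT rule per public address, plus a FORWARD rule matching the rewritten
# destination: FORWARD runs after nat PREROUTING, so it must accept the internal
# 172.168.0.x address, not the public one. The alias (eth0:ethN) never appears.
gen_web_rules() {
    echo "$MAPPINGS" | while read ext int; do
        emit "iptables -t nat -A PREROUTING -i $EXT_IF -p tcp -d $ext --dport 80 -j DNAT --to-destination $int:80"
        emit "iptables -A FORWARD -i $EXT_IF -o $INT_IF -p tcp -s $ALLOWED_SRC -d $int --dport 80 -m state --state NEW -j ACCEPT"
    done
}

gen_all() { gen_base_rules; gen_local_rules; gen_web_rules; }
```

Adding a fifth web server is one more line in MAPPINGS; nothing else changes.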