From: Tarak Ranjan <tarak.ranjan@liqwidkrystal.com>
To: netfilter@vger.kernel.org
Subject: Gateway with Iptables
Date: Mon, 29 Oct 2007 10:29:14 +0530
Message-ID: <472568A2.3040002@liqwidkrystal.com>
Hi List,
I have a proxy server. When I enable the proxy, my mail clients are not
able to send/receive mail. Here is my iptables script; please help me with the
necessary changes.
#############################################################################
# Assumed for completeness (not in the excerpt as posted): the iptables
# binary and the user-defined chains that the rules below jump to.
IPT="/sbin/iptables"
$IPT -N bad_packets
$IPT -N tcp_outbound
$IPT -N udp_outbound
# Internet Interface
INET_IFACE="eth1"
INET_ADDRESS="x.x.x.x"
# Local Interface Information
LOCAL_IFACE="eth0"
LOCAL_IP="192.168.1.3"
LOCAL_NET="192.168.1.0/24"
LOCAL_BCAST="192.168.1.255"
# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
# SQUID
SQUID_SERVER="192.168.1.3"
SQUID_PORT="8080"
echo "SSH Blocking.........."
$IPT -A INPUT -p tcp -s 192.168.1.210 -d 0/0 --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp -s 192.168.1.123 -d 0/0 --dport 22 -j ACCEPT
$IPT -A INPUT -p tcp -s 192.168.1.37 -d 0/0 --dport 22 -j ACCEPT
$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.123 -d 0/0 --dport 22 -j ACCEPT
$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.37 -d 0/0 --dport 22 -j ACCEPT
#$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.37 -d 0/0 --dport 22 -j ACCEPT
$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.210 -d 0/0 --dport 22 -j ACCEPT
$IPT -A FORWARD -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.0/24 -d 0/0 --dport 22 -j DROP
#$IPT -A OUTPUT -i $LOCAL_IFACE -o $INET_IFACE -p tcp -s 192.168.1.38 -d 0/0 --dport 22 -j ACCEPT
$IPT -A FORWARD -p tcp -s 0/0 -d x.x.x.y/32 --destination-port 25 --syn -j ACCEPT
#$IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 25 -j DNAT --to 192.168.1.100:25
#$IPT -A FORWARD -p tcp -d 192.168.1.100 --dport 25 -j ACCEPT
$IPT -A INPUT -p tcp -s 0/0 --dport 22 -j DROP
$IPT -A INPUT -p tcp -s 0/0 --dport 3306 -j DROP
#$IPT -A FORWARD -p tcp -d 0/0 -s 0/0 --dport 80 -j DROP
$IPT -A INPUT -p tcp -s 0/0 --dport 111 -j DROP
$IPT -A INPUT -p tcp -s 0/0 --dport 199 -j DROP
$IPT -A INPUT -p tcp -s 0/0 --dport 443 -j ACCEPT
#
# This chain is used with a private network to prevent forwarding for
# requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT
# Block IRC
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 194 -j REJECT
# Block Outbound Telnet
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 23 -j REJECT
# Block SSH
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 22 -j REJECT
# Block Usenet Access
$IPT -A tcp_outbound -p TCP -s 0/0 --destination-port 119 -j REJECT
# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT
# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets
$IPT -A INPUT -p ALL -d 224.0.0.1 -j DROP
# Rules for the private network (accessing the gateway system itself)
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -s $LOCAL_NET -j ACCEPT
$IPT -A INPUT -p ALL -i $LOCAL_IFACE -d $LOCAL_BCAST -j ACCEPT
# Inbound Internet Packet Rules
# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drop broadcast packets
$IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP
# Log packets that still don't match
$IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "
# Used if forwarding for a private network
# Drop bad packets
$IPT -A FORWARD -p ALL -j bad_packets
# Accept TCP packets we want to forward from internal sources
$IPT -A FORWARD -p tcp -i $LOCAL_IFACE -j tcp_outbound
# Accept UDP packets we want to forward from internal sources
$IPT -A FORWARD -p udp -i $LOCAL_IFACE -j udp_outbound
# If not blocked, accept any other packets from the internal interface
$IPT -A FORWARD -p ALL -i $LOCAL_IFACE -j ACCEPT
# Deal with responses from the internet
$IPT -A FORWARD -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# Log packets that still don't match
$IPT -A FORWARD -j LOG --log-prefix "fp=FORWARD:99 a=DROP "
############################################################################
# Redirect all port 80 requests to the 8080 SQUID proxy (added by Tarak)
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT), aka transparent proxy
#$IPT -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-ports $SQUID_PORT
#$IPT -t nat -A POSTROUTING -o eth1 -s $LOCAL_NET -j MASQUERADE
#$IPT -A FORWARD -s $LOCAL_NET -d $SQUID_SERVER -i eth1 -o eth0 -p tcp --dport $SQUID_PORT -j ACCEPT
$IPT -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
###############################################################################
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP
$IPT -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LOCAL_IFACE -j ACCEPT
# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
# Log packets that still don't match
$IPT -A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "
--
Thanks & Regards,
Tarak Ranjan
___________________________
IS-Team
Liqwid Krystal
T: +91 80 2509 1790 Ext. 107
E@: tarak.ranjan@liqwidkrystal.com
IM: reachtarak@hotmail.com
Online Learning|Certification|Learning Solutions: http://www.liqwidkrystal.com
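As an added example, not code from the original post, here is a small Python model of the posted FORWARD, tcp_outbound and nat PREROUTING rules that traces where a fresh TCP connection from a LAN host lands, which is the first thing to check when a proxy change breaks mail. It models only the -i/-p/--dport/-s matches the posted rules use, leaves out the state, bad_packets and udp_outbound checks, and the client addresses in the usage are constructed samples.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
INET_IFACE, LOCAL_IFACE, LOCAL_NET = "eth1", "eth0", "192.168.1.0/24"  # as in the posted script

@dataclass
class Rule:
    # Only the match fields the posted rules use; None means "any" (an omitted -i/-p/--dport/-s).
    target: str
    in_iface: str = None
    proto: str = None
    dport: int = None
    src: str = None  # CIDR or single address
    def matches(self, pkt):
        return (self.in_iface in (None, pkt["in"]) and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt["dport"])
                and (self.src is None or ip_address(pkt["src"]) in ip_network(self.src)))

# The posted FORWARD chain and its tcp_outbound sub-chain, in the posted order.  Left out as
# irrelevant to a fresh LAN connection: bad_packets, state matching, udp_outbound, x.x.x.y:25.
FILTER = {
    "FORWARD": [
        Rule("ACCEPT", LOCAL_IFACE, "tcp", 22, "192.168.1.123"),
        Rule("ACCEPT", LOCAL_IFACE, "tcp", 22, "192.168.1.37"),
        Rule("ACCEPT", LOCAL_IFACE, "tcp", 22, "192.168.1.210"),
        Rule("DROP", LOCAL_IFACE, "tcp", 22, LOCAL_NET),
        Rule("tcp_outbound", LOCAL_IFACE, "tcp"),
        Rule("ACCEPT", LOCAL_IFACE),
        Rule("LOG"),  # non-terminating; the chain policy decides after it
    ],
    "tcp_outbound": [Rule("REJECT", proto="tcp", dport=p) for p in (194, 23, 22, 119)]
                    + [Rule("ACCEPT", proto="tcp")],
}
# The active (uncommented) nat PREROUTING rule of the post: REDIRECT keyed on -i eth1.
NAT = {"PREROUTING": [Rule("REDIRECT:8080", INET_IFACE, "tcp", 80)]}

def walk(table, chain, pkt):
    # First terminating verdict reached from `chain`; None = end of chain (RETURN / policy).
    for rule in table[chain]:
        if not rule.matches(pkt):
            continue
        if rule.target in table:  # jump into a user chain; fall through if it returns
            verdict = walk(table, rule.target, pkt)
            if verdict is not None:
                return verdict
        elif rule.target != "LOG":
            return rule.target
    return None

def trace(pkt):
    # (nat PREROUTING verdict, filter FORWARD verdict) for one fresh TCP SYN arriving on pkt["in"].
    return walk(NAT, "PREROUTING", pkt), walk(FILTER, "FORWARD", pkt)
```

For example, `trace({"in": "eth0", "src": "192.168.1.50", "proto": "tcp", "dport": 25})` walks FORWARD into tcp_outbound and returns `(None, "ACCEPT")`, while a port 80 SYN from the same LAN host is not touched by the nat rule because that rule matches `-i eth1` only.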