From mboxrd@z Thu Jan 1 00:00:00 1970 From: "cKBoy" Subject: Firewall with 2 Dial in Modems + Port forwarding Date: Thu, 28 Aug 2003 19:44:24 +0800 Sender: netfilter-admin@lists.netfilter.org Message-ID: <005001c36d59$bbbdc940$0100a8c0@cKServer> Mime-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_004D_01C36D9C.C8AAD330" Return-path: Errors-To: netfilter-admin@lists.netfilter.org List-Help: List-Post: List-Subscribe: , List-Id: List-Unsubscribe: , List-Archive: To: NetFilter This is a multi-part message in MIME format. ------=_NextPart_000_004D_01C36D9C.C8AAD330 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable this is my sample script FWVER=3D0.63 echo -e "\n\nLoading simple rc.firewall version $FWVER..\n" IPTABLES=3D/sbin/iptables EXTIF=3D"eth1" INTIF1=3D"eth0" INTIF2=3D"ppp0" INTIF3=3D"ppp1" echo " External Interface: $EXTIF" echo " Internal Interface: $INTIF1" echo " Internal Interface: $INTIF2" echo " Internal Interface: $INTIF3" echo -en " loading modules: " echo " - Verifying that all kernel modules are ok" /sbin/depmod -a echo -en "ip_tables, " /sbin/insmod ip_tables echo -en "ip_conntrack, " /sbin/insmod ip_conntrack echo -en "ip_conntrack_ftp, " /sbin/insmod ip_conntrack_ftp echo -en "ip_conntrack_irc, " /sbin/insmod ip_conntrack_irc echo -en "iptable_nat, " /sbin/insmod iptable_nat echo -en "ip_nat_ftp, " /sbin/insmod ip_nat_ftp echo ". Done loading modules." echo " enabling forwarding.." echo "1" > /proc/sys/net/ipv4/ip_forward echo " enabling DynamicAddr.." echo "1" > /proc/sys/net/ipv4/ip_dynaddr echo " clearing any existing rules and setting default policy.." $IPTABLES -P INPUT ACCEPT $IPTABLES -F INPUT $IPTABLES -P OUTPUT ACCEPT $IPTABLES -F OUTPUT $IPTABLES -P FORWARD DROP $IPTABLES -F FORWARD $IPTABLES -t nat -F echo " FWD: Allow all connections OUT and only existing and related = ones IN" $IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -m state --state = ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -j ACCEPT $IPTABLES -A FORWARD -i $EXTIF -o $INTIF2 -m state --state = ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT $IPTABLES -A FORWARD -i $EXTIF -o $INTIF3 -m state --state = ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A FORWARD -i $INTIF3 -o $EXTIF -j ACCEPT $IPTABLES -A FORWARD -j LOG $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE echo -e "\nrc.firewall-2.4 v$FWVER done.\n" [root@delllinux rc.d]# !ip iptables -L FORWARD Chain FORWARD (policy DROP) target prot opt source destination ACCEPT all -- anywhere anywhere state = RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state = RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere ACCEPT all -- anywhere anywhere state = RELATED,ESTABLISHED ACCEPT all -- anywhere anywhere LOG all -- anywhere anywhere LOG level = warning [root@delllinux rc.d]# iptables -t nat -A PREROUTING --dst 192.168.2.90 = -p tcp --dport 4899 -j DNAT --to-destination 192.168.1.2 My problem is for the iptables command above to work I have to issue the = command "iptables -P FORWARD ACCEPT" Can anyone tell me how to allow = just certain forwarding so I can set the default to DENY? And is this = firewall script secure enough? ------=_NextPart_000_004D_01C36D9C.C8AAD330 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
this is my sample script
 
FWVER=3D0.63
 
echo -e "\n\nLoading simple rc.firewall = version=20 $FWVER..\n"
 

IPTABLES=3D/sbin/iptables
 

EXTIF=3D"eth1"
INTIF1=3D"eth0"
INTIF2=3D"ppp0"
INTIF3=3D= "ppp1"
 
echo "   External Interface:  $EXTIF"
echo = "  =20 Internal Interface:  $INTIF1"
echo "   Internal=20 Interface:  $INTIF2"
echo "   Internal = Interface: =20 $INTIF3"
echo -en "   loading modules: "
 
echo "  - Verifying that all kernel modules are = ok"
/sbin/depmod=20 -a
echo -en "ip_tables, "
/sbin/insmod ip_tables
echo -en = "ip_conntrack,=20 "
/sbin/insmod ip_conntrack
echo -en "ip_conntrack_ftp, = "
/sbin/insmod=20 ip_conntrack_ftp
echo -en "ip_conntrack_irc, "
/sbin/insmod=20 ip_conntrack_irc
echo -en "iptable_nat, "
/sbin/insmod = iptable_nat
echo=20 -en "ip_nat_ftp, "
/sbin/insmod ip_nat_ftp
echo ".  Done loading modules."
 
echo "   enabling forwarding.."
echo "1" >=20 /proc/sys/net/ipv4/ip_forward
echo "   enabling=20 DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "   clearing any existing rules and setting = default=20 policy.."
$IPTABLES -P INPUT ACCEPT
$IPTABLES -F = INPUT
$IPTABLES -P=20 OUTPUT ACCEPT
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD = DROP
$IPTABLES=20 -F FORWARD
$IPTABLES -t nat -F
 
echo "   FWD: Allow all connections OUT and only existing = and=20 related ones IN"
 
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF1 -m state --state=20 ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF1 -o = $EXTIF -j=20 ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF2 -m state --state=20 ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF2 -o = $EXTIF -j=20 ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF3 -m state --state=20 ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF3 -o = $EXTIF -j=20 ACCEPT
 
$IPTABLES -A FORWARD -j LOG
 

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
 
echo -e "\nrc.firewall-2.4 v$FWVER done.\n"
[root@delllinux = rc.d]#=20 !ip
iptables -L FORWARD
Chain FORWARD (policy=20 DROP)
target     prot opt=20 source           &= nbsp;  =20 destination
ACCEPT     all  -- =20 anywhere           = ; =20 anywhere           = state=20 RELATED,ESTABLISHED
ACCEPT     all  --  = anywhere           = ; =20 anywhere
ACCEPT     all  -- =20 anywhere           = ; =20 anywhere           = state=20 RELATED,ESTABLISHED
ACCEPT     all  --  = anywhere           = ; =20 anywhere
ACCEPT     all  -- =20 anywhere           = ; =20 anywhere           = state=20 RELATED,ESTABLISHED
ACCEPT     all  --  = anywhere           = ; =20 anywhere
LOG        all  = -- =20 anywhere           = ; =20 anywhere           LOG = level=20 warning

[root@delllinux rc.d]# iptables -t nat -A PREROUTING --dst = 192.168.2.90=20 -p tcp --dport 4899 -j DNAT --to-destination 192.168.1.2
 
 
My problem is for the iptables command above to work I have to = issue the=20 command "iptables -P FORWARD ACCEPT"  Can anyone tell me how to = allow just=20 certain forwarding so I can set the default to DENY? And is this = firewall script=20 secure enough?
 ------=_NextPart_000_004D_01C36D9C.C8AAD330--