From: "Guillermo Javier Nardoni" <gjnardoni@yahoo.com.ar>
To: Netfilter users list <netfilter@lists.netfilter.org>
Subject: iptables script and ports to access intranet from internet..
Date: Wed, 15 Dec 2004 05:15:02 -0300 [thread overview]
Message-ID: <006601c4e27e$2d75fb80$0400a8c0@beta03> (raw)
Hello, I have a script which allows me to route and make NAT over my intranet, but I'm trying to access from the Internet (outside the business room) and I can't access.
Port 80 is the problem.
When I try to access port 21 (FTP) it accesses correctly.
Could you help me please?
I'm sending it to the user list to see what the problem is.
Thanks a lot.
Guillermo from Argentina.
RC.NAT
#! /bin/bash
# Interface and network definitions
IF_INET="ppp0"
IF_LAN="eth1"
# The posted value was 192.168.0.0/255, which iptables rejects (a prefix
# length must be 0-32); /24 is the class C mask evidently intended.
IF_LAN_NET="192.168.0.0/24"
# Note: this is the same interface as IF_INET, so the "WLAN" rules below
# actually act on the Internet link.
IF_WLAN="ppp0"
# (SMB) (NFS) (X11)
#BAD_TCP="135:139 1433 2049 5999:6063"
BAD_TCP=""
#BAD_UDP="135:139 1433 2049 5999:6063"
BAD_UDP=""

case "$1" in
    start)
        echo "Cleaning up..."
        echo 0 > /proc/sys/net/ipv4/ip_forward
        iptables -F
        iptables -t nat -F
        iptables -t mangle -F

        echo -n "Determining IP address of Internet interface... "
        IF_INET_IP="`ifconfig $IF_INET | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
        echo $IF_INET_IP

        echo "Creating IPTABLES rules:"
        echo " Masquerading..."
        iptables -t nat -A POSTROUTING -o $IF_INET -j MASQUERADE

        echo " Protecting well-known ports..."
        # for i in $BAD_TCP; do
        #     iptables -A INPUT -p tcp --dport $i -j DROP
        #     iptables -A INPUT -p tcp --sport $i -j DROP
        #     iptables -A OUTPUT -p tcp --dport $i -j DROP
        #     iptables -A OUTPUT -p tcp --sport $i -j DROP
        #     iptables -A FORWARD -p tcp --dport $i -j DROP
        #     iptables -A FORWARD -p tcp --sport $i -j DROP
        # done
        # for i in $BAD_UDP; do
        #     iptables -A INPUT -p udp --dport $i -j DROP
        #     iptables -A INPUT -p udp --sport $i -j DROP
        #     iptables -A OUTPUT -p udp --dport $i -j DROP
        #     iptables -A OUTPUT -p udp --sport $i -j DROP
        #     iptables -A FORWARD -p udp --dport $i -j DROP
        #     iptables -A FORWARD -p udp --sport $i -j DROP
        # done

        # Transparent proxy on port 3128. No -i is given, so this also
        # catches port-80 connections arriving on $IF_INET from the
        # Internet: they are redirected to 3128 instead of reaching the
        # local web server on port 80, which matches the symptom above.
        iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
        # Per-port MASQUERADE rules; they carry no -o, so they apply on
        # every outgoing interface (the rule above already covers $IF_INET).
        iptables -t nat -A POSTROUTING -p TCP -s 0/0 --dport 21 -j MASQUERADE
        iptables -t nat -A POSTROUTING -p TCP -d 0/0 --dport 20 -j MASQUERADE
        iptables -t nat -A POSTROUTING -p TCP --dport 25 -j MASQUERADE
        iptables -t nat -A POSTROUTING -p TCP --dport 110 -j MASQUERADE
        iptables -t nat -A POSTROUTING -p TCP --dport 22 -j MASQUERADE
        iptables -t nat -A POSTROUTING -p TCP --dport 23 -j MASQUERADE

        echo " Rules for ICMP..."
        # 0: echo reply
        # 3: destination unreachable
        # 4: source quench
        # 5: redirect
        # 8: echo request
        # 9: router advertisement
        # 10: router solicitation
        # 11: time exceeded
        # 12: parameter-problem
        # 13: timestamp request
        # 14: timestamp reply
        # 15: information request
        # 16: information reply
        # 17: address mask request
        # 18: address mask reply
        iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
        iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
        iptables -A INPUT -p icmp --icmp-type 4 -j ACCEPT
        iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
        iptables -A INPUT -p icmp --icmp-type 12 -j ACCEPT
        iptables -A INPUT -p icmp --icmp-type 14 -j ACCEPT
        iptables -A INPUT -p icmp --icmp-type 16 -j ACCEPT
        iptables -A INPUT -p icmp --icmp-type 18 -j ACCEPT
        iptables -A INPUT -p icmp -j LOG -m limit --log-prefix "FILTER ICMP-BAD-TYPE-IN:"
        iptables -A INPUT -p icmp -j DROP
        iptables -A OUTPUT -p icmp --icmp-type 4 -j ACCEPT
        iptables -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
        iptables -A OUTPUT -p icmp --icmp-type 12 -j ACCEPT
        iptables -A OUTPUT -p icmp --icmp-type 13 -j ACCEPT
        iptables -A OUTPUT -p icmp --icmp-type 15 -j ACCEPT
        iptables -A OUTPUT -p icmp --icmp-type 17 -j ACCEPT
        iptables -A OUTPUT -p icmp -j LOG -m limit --log-prefix "FILTER ICMP-BAD-TYPE-OUT:"
        iptables -A OUTPUT -p icmp -j DROP
        iptables -A FORWARD -p icmp -j ACCEPT

        echo " Stateful inspection..."
        # Only replies arriving on the Internet link are matched here.
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -i $IF_INET -j ACCEPT
        iptables -A FORWARD -m state --state ESTABLISHED,RELATED -i $IF_INET -j ACCEPT

        echo " Rules for Loopback Interface..."
        iptables -A INPUT -i lo -j ACCEPT
        iptables -A OUTPUT -o lo -j ACCEPT

        echo " Rules for local LAN..."
        iptables -A INPUT -i $IF_LAN -j ACCEPT
        iptables -A FORWARD -i $IF_LAN -j ACCEPT

        echo " Rules for local WLAN..."
        iptables -A INPUT -p tcp --dport 53 -i $IF_WLAN -j ACCEPT
        iptables -A INPUT -p udp --dport 53 -i $IF_WLAN -j ACCEPT
        iptables -A INPUT -p tcp --dport 67 -i $IF_WLAN -j ACCEPT
        iptables -A INPUT -p udp --dport 67 -i $IF_WLAN -j ACCEPT
        #iptables -A INPUT -p tcp --dport 80 -i $IF_WLAN -j ACCEPT
        iptables -A INPUT -p tcp --destination-port 8080 -i ppp0 -j ACCEPT
        # Accepts everything arriving on ppp0 (the Internet link), so the
        # port-specific rules and the logging/drop rules further down never
        # see Internet traffic in INPUT.
        iptables -A INPUT -i ppp0 -j ACCEPT
        iptables -A FORWARD -p tcp --dport 22 -i $IF_WLAN -j ACCEPT
        iptables -A FORWARD -p tcp --dport 80 -i $IF_WLAN -j ACCEPT
        iptables -A FORWARD -d ! $IF_LAN_NET -i $IF_WLAN -j ACCEPT

        echo " Local public services (all interfaces):"
        echo " SSH..."
        iptables -A INPUT -p tcp --dport 22 -j ACCEPT
        iptables -A INPUT -p tcp --dport 21 -j ACCEPT
        iptables -A INPUT -p tcp --dport 23 -j ACCEPT
        iptables -A INPUT -p tcp --dport 80 -j ACCEPT

        #echo " Forwarding:"
        #echo " SSH..."
        #iptables -A FORWARD -p tcp -d 192.168.0.100 --dport 22 -j ACCEPT
        #iptables -t nat -A PREROUTING -i $IF_INET -p tcp -d $IF_INET_IP --dport 2222 -j DNAT --to 192.168.0.100:22

        echo " Logging & Dropping..."
        iptables -A INPUT -p tcp -j LOG -m limit --log-prefix "FILTER TCP-BAD-IN:"
        iptables -A INPUT -p tcp -j DROP
        iptables -A INPUT -p udp -j LOG -m limit --log-prefix "FILTER UDP-BAD-IN:"
        iptables -A INPUT -p udp -j DROP
        iptables -A INPUT -j LOG -m limit --log-prefix "FILTER UNKNOWN-BAD-IN:"
        iptables -A INPUT -j DROP
        iptables -A FORWARD -p tcp -j LOG -m limit --log-prefix "FILTER TCP-BAD-FWD:"
        iptables -A FORWARD -p tcp -j DROP
        iptables -A FORWARD -p udp -j LOG -m limit --log-prefix "FILTER UDP-BAD-FWD:"
        iptables -A FORWARD -p udp -j DROP
        iptables -A FORWARD -j LOG -m limit --log-prefix "FILTER UNKNOWN-BAD-FWD:"
        iptables -A FORWARD -j DROP
        # INPUT policy stays ACCEPT; the explicit DROP rules above serve as the default.
        iptables -P INPUT ACCEPT

        echo "Setting up spoofing protection..."
        for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
            echo 1 > $i
        done

        # disable source routed packets
        echo "Disabling source routed packets..."
        for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
            echo 0 > $i
        done

        echo "Setting default policy..."
        #iptables -P INPUT DROP
        #iptables -P INPUT ACCEPT
        #iptables -P FORWARD ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -P FORWARD DROP

        echo "Starting up routing..."
        echo 1 > /proc/sys/net/ipv4/ip_forward
        ;;
    stop)
        echo "Shutting down routing..."
        echo 0 > /proc/sys/net/ipv4/ip_forward
        iptables -P INPUT ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -F
        iptables -t nat -F
        iptables -t mangle -F
        ;;
    *)
        echo "Usage: ./filter {start|stop}"
        exit 1
        ;;
esac
exit 0
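As an added example (not from the original post or its reply), one way to keep the transparent-proxy REDIRECT from capturing Internet-originated port-80 connections: match it on the LAN interface only, and accept inbound web traffic on the Internet link with an explicit rule rather than a catch-all. Interface names and the proxy port are assumed from the script above; the dry-run switch prints the rules so the ruleset can be reviewed without root.

```shell
#!/bin/sh
# Added example (not from the original post): scope the transparent-proxy
# REDIRECT to the LAN interface. The posted rule
#   iptables -t nat -A PREROUTING -p TCP --dport 80 -j REDIRECT --to-port 3128
# has no -i match, so port-80 connections arriving on ppp0 from the Internet
# are also sent to the proxy on 3128 instead of the web server on port 80.
# Interface names and proxy port are assumed from the posted script.
# DRY_RUN=1 (the default) prints each rule instead of applying it.
IF_INET="ppp0"
IF_LAN="eth1"
PROXY_PORT="3128"
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Transparent proxy: only connections entering from the LAN are redirected.
proxy_rules() {
    run iptables -t nat -A PREROUTING -i "$IF_LAN" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"
}

# Inbound web service: accept new port-80 connections on the Internet link
# explicitly, instead of the catch-all "iptables -A INPUT -i ppp0 -j ACCEPT".
web_rules() {
    run iptables -A INPUT -i "$IF_INET" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
}

# Review check: does a port-80 REDIRECT rule restrict itself to the LAN
# interface? Returns 0 if the rule text carries "-i $IF_LAN", 1 otherwise.
rule_is_lan_scoped() {
    case "$1" in
        *"-i $IF_LAN"*"--dport 80"*"REDIRECT"*) return 0 ;;
        *) return 1 ;;
    esac
}

if [ "$DRY_RUN" = "1" ]; then
    proxy_rules
    web_rules
fi
```

Run with DRY_RUN=0 as root to apply the two rules; the check function can be pointed at the output of `iptables-save` to confirm no unscoped port-80 REDIRECT remains.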
Thread overview: 2+ messages
2004-12-15 8:15 Guillermo Javier Nardoni [this message]
2004-12-16 13:14 ` iptables script and ports to access intranet from internet Jason Opperisano