From: Jack Bowling <jbinpg@shaw.ca>
To: netfilter@lists.samba.org
Subject: Re: simple, but not for me.
Date: Sun, 30 Jun 2002 01:04:17 -0700
Message-ID: <0GYI00ERLEF9TJ@l-daemon>
In-Reply-To: <00b401c21ffa$96cb0dd0$0200a8c0@SILVERBEAST>
** Reply to message from outspoken <outspoken@gru.net> on Sun, 30 Jun 2002 01:54:24 -0400
> understood. i apologize for the sloppy script, i have been too busy to clean
> it up and this was thrown together in the last couple days.
> disregard the ACCEPT INPUT rule as its only a temporary solution and i know
> its a bad security plan, but i have too much going on right now, over the
> next few weeks i will resolve it. =)
>
>
> #!/bin/bash
> echo "[-----firewall module init-----]"
> cd /lib/modules/2.4.10-4GB/kernel/net/ipv4/netfilter
> insmod ip_tables
> insmod ip_conntrack
> insmod ipt_state
> insmod ipt_limit
> insmod iptable_filter.o
> insmod iptable_mangle.o
> insmod ipt_LOG.o
> insmod ipt_MASQUERADE.o
> insmod ipt_REDIRECT.o
> insmod ipt_REJECT.o
> insmod iptable_nat.o
First off, lose the .o suffix from the above modules, otherwise they won't load.
Second, it's a good habit to use modprobe instead of insmod since modprobe takes care of dependencies.
> echo "[-----clearing firewall rulesets-----]"
> iptables -F INPUT
> iptables -F FORWARD
> iptables -F OUTPUT
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> iptables -P OUTPUT ACCEPT
Hehehehe. I'll take you at your word that you know the above policies are A VERY BAD THING. Default policies on at least INPUT and FORWARD should be DROP, IMHO.
>
> echo "[-----network address translation---]"
>
> extif=eth0
> intif=eth1
>
> extip=xxx.xxx.xxx.xxx
> intip=192.168.0.1
> webip=192.168.0.8
>
> iptables -t nat -F
> #iptables -t nat -A prerouting -o $extif -j DNAT --to-destination $extip
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> echo "[-----enabling spoof protection-----]"
> #if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
> #then
> #for f in /proc/sys/net/ipv4/conf/*/rp_filter
> #do
> #echo 1 > $f
> #done
> #fi
>
> for blah in /proc/sys/net/ipv4/conf/*/rp_filter; do
> echo "1" > $blah
> done
>
> echo "[-----setting external rulesets-----]"
> iptables -A INPUT -i eth0 -f -j DROP
> iptables -A INPUT -i eth0 -p TCP --syn -m limit --limit 1/s -j ACCEPT
> iptables -A INPUT -i eth0 -p TCP --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
> iptables -A INPUT -i eth0 -p TCP --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth0 -p ICMP --icmp-type echo-reply -j ACCEPT
> iptables -A INPUT -i eth0 -p TCP --dport 137 -j DROP
> iptables -A INPUT -i eth0 -p UDP --dport 137 -j DROP
> iptables -A INPUT -i eth0 -p TCP --dport 138 -j DROP
> iptables -A INPUT -i eth0 -p UDP --dport 138 -j DROP
> iptables -A INPUT -i eth0 -p TCP --dport 139 -j DROP
> iptables -A INPUT -i eth0 -p UDP --dport 139 -j DROP
>
> iptables -A INPUT -i eth0 -p TCP --dport 32768:61000 -m state --state ESTABLISHED -j ACCEPT
> iptables -A INPUT -i eth0 -p TCP --sport 32768:61000 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
>
> echo "[-----setting internal rulesets-----]"
> iptables -A FORWARD -i eth1 -d 10.0.0.0/8 -j DROP
> iptables -A FORWARD -i eth1 -d 127.0.0.0/8 -j DROP
> iptables -A FORWARD -i eth1 -p igmp -j DROP
> iptables -A FORWARD -i eth1 -p TCP --syn -m limit --limit 10/s -j ACCEPT
> iptables -A FORWARD -i eth1 -p TCP --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 10/s -j ACCEPT
This is what you need to port forward (assuming standard ports):
# Forward web services to internal host
iptables -t nat -A PREROUTING -p tcp -d $extip --dport 80 -j DNAT --to-destination 192.168.0.8:80
# Forward ssh to internal host
iptables -t nat -A PREROUTING -p tcp -d $extip --dport 22 -j DNAT --to-destination 192.168.0.8:22
# Forward mysql to internal host
iptables -t nat -A PREROUTING -p tcp -d $extip --dport 3306 -j DNAT --to-destination 192.168.0.8:3306
Remember to shut off the above services on your firewall box. And when you change your default FORWARD policy to DROP, you will have to add an explicit -j ACCEPT before each above port forward rule in the FORWARD chain.
> iptables -A INPUT -i eth1 -p TCP -s 0/0 -d 0/0 --dport 113 -m state --state ESTABLISHED,NEW -j ACCEPT
> iptables -A INPUT -i eth1 -p TCP -s 0/0 -d 0/0 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
>
> echo "[-----setting internal rulesets-----]"
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A FORWARD -i eth1 -p ICMP -s 192.168.0.0/24 -j ACCEPT
>
> echo "[-----setting forward rulesets-----]"
> iptables -A INPUT -i eth1 -s 192.168.0.0/24 -d 192.168.0.0/24 -p TCP -j ACCEPT
> iptables -A INPUT -i eth1 -s 192.168.0.0/24 -d 192.168.0.0/24 -p UDP -j ACCEPT
jb
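The setup Jack recommends above (modprobe instead of insmod, DROP default policies, and each DNAT port forward paired with the FORWARD ACCEPT it needs), as an added example that is not part of this thread. The interface names, the 203.0.113.10 placeholder address and the dry-run mechanism are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: DROP default policies with each DNAT
# port forward paired with the FORWARD ACCEPT it needs. Dry-run by default
# (IPT="echo iptables" just prints the rules); run as root with IPT=iptables
# MODPROBE=modprobe to apply. Interfaces and addresses are assumptions.
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
EXTIF=eth0
INTIF=eth1
EXTIP=203.0.113.10      # placeholder for the real public address
LAN=192.168.0.0/24
WEBIP=192.168.0.8       # internal web/ssh/mysql host from the thread
load_modules() {
    # modprobe pulls in ip_tables and ip_conntrack itself; insmod does not
    for m in iptable_filter iptable_nat ipt_state ipt_limit ipt_LOG \
             ipt_REJECT ipt_MASQUERADE; do
        $MODPROBE "$m"
    done
}
# One port forward = nat PREROUTING DNAT plus a filter FORWARD ACCEPT;
# with a DROP FORWARD policy the DNATed flow is dropped unless both exist.
port_forward() {  # proto ext_port dest_ip [dest_port]
    proto=$1; eport=$2; dip=$3; dport=${4:-$2}
    $IPT -t nat -A PREROUTING -i "$EXTIF" -p "$proto" -d "$EXTIP" \
        --dport "$eport" -j DNAT --to-destination "$dip:$dport"
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -p "$proto" -d "$dip" \
        --dport "$dport" -m state --state NEW -j ACCEPT
}
base_policy() {
    $IPT -F; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # replies to connections the box or the LAN opened
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN hosts may open outbound connections, masqueraded behind EXTIP
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}
main() {
    load_modules
    base_policy
    port_forward tcp 80 "$WEBIP"
    port_forward tcp 22 "$WEBIP"
    port_forward tcp 3306 "$WEBIP"
}
main
```

Review the printed rules first; only then rerun with IPT=iptables, and keep a console open in case the DROP policies lock you out.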