From: "Gáspár Lajos" <swifty@freemail.hu>
To: Netfilter IPtableMailinglist <netfilter@lists.netfilter.org>
Subject: Re: Problem with router connected to two ISPs (connection marking?)
Date: Wed, 09 Aug 2006 13:47:39 +0200
Message-ID: <44D9CB5B.9020508@freemail.hu>
In-Reply-To: <200608082140.03815.marek.zachara@telperion.pl>
>
> Hi there
>
...
> here is the iptables script: ------------------------
>
> EXTINT=eth0
> DMZ=eth1
> INTERN=eth2
>
> MAIL=1.0.0.1
> WWW=1.0.0.2
> MAIL2=2.0.0.1
> WWW2=2.0.0.2
>
> INT_WWW=192.168.1.16
>
> $IPT -P INPUT DROP
> $IPT -F INPUT
> $IPT -P OUTPUT ACCEPT
> $IPT -F OUTPUT
> $IPT -P FORWARD ACCEPT
> $IPT -F FORWARD
>
> $IPT -t filter -N keep_state
> $IPT -t filter -A keep_state -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -t filter -A keep_state -j RETURN
>
-j RETURN <== Not needed if this is the last command of a chain...
> $IPT -t filter -A INPUT -j keep_state
> $IPT -t filter -A OUTPUT -j keep_state
> $IPT -t filter -A FORWARD -j keep_state
>
It would be a bit simpler:
$IPT -t filter -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
$IPT -t filter -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
$IPT -t filter -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED
> $IPT -A INPUT -i lo -j ACCEPT
> $IPT -A INPUT -p icmp -j ACCEPT
> #silently discard all windows related worm attacks
> $IPT -A INPUT -p tcp --destination-port 135:140 -j DROP
> $IPT -A INPUT -p udp --destination-port 135:140 -j DROP
> $IPT -A INPUT -p tcp --destination-port 445 -j DROP
> #drop any traffic incomming on unprivileged ports
> $IPT -A INPUT -p tcp --destination-port ! 1:1024 -j DROP
> $IPT -A INPUT -p udp --destination-port ! 1:1024 -j DROP
> #log any potential scans of privileged ports (ignore port 80)
> $IPT -A INPUT -p tcp --destination-port 80 -j DROP
> $IPT -A INPUT -i $EXTINT -j LOG --log-level info
>
> $IPT -t nat -F
>
>
> # WWW server
> $IPT -t nat -A PREROUTING -d $WWW -p tcp --destination-port 80 -j DNAT --to-destination $INT_WWW
> $IPT -t nat -A PREROUTING -d $WWW2 -p tcp --destination-port 80 -j DNAT --to-destination $INT_WWW
>
Maybe these lines will help you... :) But if not.... :D
$IPT -t nat -A POSTROUTING -j SNAT -p tcp --dport www -d $WWW --to-source $MY_IP
$IPT -t nat -A POSTROUTING -j SNAT -p tcp --dport www -d $WWW2 --to-source $MY_IP
> #masquerade all other outgoing transfers
> $IPT -t nat -A POSTROUTING -o $EXTINT -j MASQUERADE
>
> $IPT -t mangle -F
> $IPT -t mangle -A PREROUTING -i $EXTINT -j CONNMARK --restore-mark
> $IPT -t mangle -A PREROUTING -m connmark --mark 1 -j ACCEPT
> $IPT -t mangle -A PREROUTING -m connmark --mark 2 -j ACCEPT
> $IPT -t mangle -A PREROUTING -i $EXTINT -d 1.0.0.0/29 -j CONNMARK --set-mark 1
> $IPT -t mangle -A PREROUTING -i $EXTINT -d 2.0.0.0/29 -j CONNMARK --set-mark 2
> $IPT -t mangle -A PREROUTING -i $EXTINT -j CONNMARK --save-mark
>
>
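As an added example (not code from either poster), here is a complete connection-marking setup of the kind the quoted mangle rules are reaching for: the mark is restored on every interface, not only $EXTINT, so replies coming back from the internal server get it too, new connections are classified by the ISP block they arrived on, and fwmark rules in the routing policy send each reply back out the matching ISP. GW1, GW2, the table numbers 101/102 and the dry-run mechanism (set IPT and IP to "echo ..." to print the commands instead of running them) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the thread: CONNMARK policy routing for a router
# whose external interface carries two ISP address blocks.
# Variable names follow the quoted script; GW1/GW2 and tables 101/102 are assumed.
set -eu
IPT="${IPT:-iptables}"
IP="${IP:-ip}"
EXTINT="${EXTINT:-eth0}"
GW1="${GW1:-1.0.0.6}"   # assumed gateway inside 1.0.0.0/29
GW2="${GW2:-2.0.0.6}"   # assumed gateway inside 2.0.0.0/29

apply_rules() {
    $IPT -t mangle -F PREROUTING
    $IPT -t mangle -F OUTPUT
    # 1. Every packet on every interface first inherits the mark its connection
    #    already carries. Restoring only on $EXTINT would leave the replies
    #    from the internal server (arriving on eth1/eth2) unmarked.
    $IPT -t mangle -A PREROUTING -j CONNMARK --restore-mark
    $IPT -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT
    # 2. Classify only NEW connections from the Internet by the ISP block they
    #    were addressed to, then store the mark in the conntrack entry.
    $IPT -t mangle -A PREROUTING -i "$EXTINT" -m state --state NEW \
        -d 1.0.0.0/29 -j MARK --set-mark 1
    $IPT -t mangle -A PREROUTING -i "$EXTINT" -m state --state NEW \
        -d 2.0.0.0/29 -j MARK --set-mark 2
    $IPT -t mangle -A PREROUTING -i "$EXTINT" -m state --state NEW \
        -m mark ! --mark 0 -j CONNMARK --save-mark
    # 3. Replies generated by the router itself (its own services accepted in
    #    INPUT) never pass PREROUTING, so restore the mark in OUTPUT as well.
    $IPT -t mangle -A OUTPUT -j CONNMARK --restore-mark
    # 4. Policy routing: marked packets use the table whose default route is
    #    the matching ISP's gateway; unmarked traffic keeps the main table.
    $IP route replace default via "$GW1" dev "$EXTINT" table 101
    $IP route replace default via "$GW2" dev "$EXTINT" table 102
    $IP rule add fwmark 1 lookup 101 2>/dev/null || true
    $IP rule add fwmark 2 lookup 102 2>/dev/null || true
}

# "sh script.sh apply" loads the rules (as root);
# IPT='echo iptables' IP='echo ip' sh script.sh apply   only prints them.
if [ "${1:-}" = "apply" ]; then
    apply_rules
fi
```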