Hi. I know this is not the best list to post this kind of problem, but this is where I think I belong most...

So here it is: I have a Linux box router "detritus" (screenless), with two ethernet connections: one on 192.168.1.1 for connection with my freebox (a DSL modem in France), and the other for the internal network, on 192.168.10.1. On the internal network are three (sometimes four) computers:
- my wife's, "tasdboue", on Window$ (192.168.10.5)
- my daughter's, "agecanonix", on dual boot (192.168.10.6)
- mine, "arthur", also on dual boot (192.168.10.2).

So I have to configure the router so that it:
- can be accessed from the intranet by ssh, maybe limited to my computer
- can NAT on all computers on the intranet for web, ftp...
- can, and this is my main problem, accept connections from outside and NAT them to ONLY my computer when they are related to P2P (this is the reason why most iptables lists don't answer me :-(), mainly emule on Window$ and amule or mldonkey on Linux.

This is for the moment the iptables script I use; it doesn't allow connections on P2P ports:

root [ ~ ]# cat /etc/rc.d/rc.iptables
------------------------------------------------------------------------
#!/bin/sh
# Begin $rc_base/rc.iptables

echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."
echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.linuxfromscratch.org/blfs"
echo

# Insert iptables modules (not needed if built into the kernel).
# modprobe ip_tables
# modprobe iptable_filter
# modprobe ip_conntrack
# modprobe ip_conntrack_ftp
# modprobe ipt_state
# modprobe iptable_nat
# modprobe ip_nat_ftp
# modprobe ipt_MASQUERADE
# modprobe ipt_LOG
# modprobe ipt_REJECT

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F

# Allow local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow Samba transfers on the intranet
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

# To avoid ftp delays, reject the identd requests with a 'tcp-reset'
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

# Your caching name server (e.g., named) does its lookups via UDP:
# iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

# Anything coming from the outside should not have a private address,
# this is a common attack called IP-spoofing:
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP

# Allow forwarding if initiated on the intranet
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ! eth0 -m state --state NEW -j ACCEPT

# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j DNAT \
    --to-destination 192.168.0.2:119
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4661 -j DNAT \
    --to-destination 192.168.0.2:4661
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4662 -j DNAT \
    --to-destination 192.168.0.2:4662
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4665 -j DNAT \
    --to-destination 192.168.0.2:4665
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 49350 -j DNAT \
    --to-destination 192.168.0.2:49350
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 27171 -j DNAT \
    --to-destination 192.168.0.2:27171
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Disable ping requests
iptables -A INPUT -p icmp -j DROP

# Configuration for eMule, mlDonkey...
# /etc/rc.d/rc.iptables.mldonkey
EXTIF="eth0"
INTIF="eth1"
IPEMULE="192.168.10.2"
iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 4661 -d $IPEMULE \
    -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 4662 -d $IPEMULE \
    -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -p udp --dport 4665 -d $IPEMULE \
    -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 49350 -d $IPEMULE \
    -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -p udp --dport 27171 -d $IPEMULE \
    -m state --state NEW -j ACCEPT

# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT" --log-level 5
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD" --log-level 5
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT" --log-level 5

# Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
-------------------------------------------------------------------------

So you see this script has become a real mess over the years!! I decided to clean it up a little, but I need help! Some things that don't work:
- logging keeps logging on the console, which is quite annoying (I use syslog-ng).
- active ftp doesn't work, I think...
- about P2P: I keep getting lowids from emule.

I don't understand the rules: do I have to nat first, open the ports on the router, on the destination machine... all this is quite confusing! All the foolish lines added to the BLFS basic script are taken from different sources from Internet... but it didn't help me much :-( Please, could someone give me a push? Thank you very much for reading that long.

\bye

--
Nicolas FRANCOIS                 |  /\
http://nicolas.francois.free.fr  | |__|   X--/\\
We are the Micro$oft.             _\_V
Resistance is futile. You will be assimilated.   darthvader penguin

--
http://linuxfromscratch.org/mailman/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
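The following is an added example, not code from the original post or from the BLFS book, showing one consistent way to build the rule set the post asks for: ssh to the router from one LAN host only, masquerading for the LAN, inbound P2P forwarded to a single host, FTP helpers for active FTP, and logging that does not spill onto the console. It reuses the interface names, addresses and port numbers from the posted script; the host names P2P_HOST/ADMIN_HOST, the function names, and the assumption that the modem link is 192.168.1.0/24 are mine. It is dry-run by default (every command is echoed rather than executed), so it can be read and checked on any machine before being applied on the router with IPT=iptables MODPROBE=modprobe SYSCTL=sysctl.

```shell
#!/bin/sh
# Added example (not from the original post or the BLFS book).
# Dry-run by default: each rule is printed instead of applied. To apply
# it for real on the router:  IPT=iptables MODPROBE=modprobe SYSCTL=sysctl sh ./rc.iptables.example
IPT="${IPT:-echo iptables}"
MODPROBE="${MODPROBE:-echo modprobe}"
SYSCTL="${SYSCTL:-echo sysctl}"

EXTIF="eth0"                # 192.168.1.1, towards the freebox
INTIF="eth1"                # 192.168.10.1, the LAN
LAN="192.168.10.0/24"
P2P_HOST="192.168.10.2"     # "arthur": the only host that receives inbound P2P
ADMIN_HOST="192.168.10.2"   # the only host allowed to ssh into the router
# proto:port pairs, the ports used in the posted script
P2P_PORTS="tcp:4661 tcp:4662 udp:4665 tcp:49350 udp:27171"

# Active FTP from the LAN only works through NAT when the FTP helpers track
# the PORT command so the data connection is classified RELATED.
# (Newer kernels name these nf_conntrack_ftp and nf_nat_ftp.)
load_helpers() {
    for mod in ip_conntrack_ftp ip_nat_ftp; do
        $MODPROBE "$mod"
    done
}

base_rules() {
    $IPT -F; $IPT -X; $IPT -t nat -F
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ssh to the router itself: LAN side only, and only from ADMIN_HOST
    $IPT -A INPUT -i "$INTIF" -s "$ADMIN_HOST" -p tcp --dport 22 \
        -m state --state NEW -j ACCEPT
    # Private source addresses should not arrive on the modem side.
    # 192.168.0.0/16 is left out on purpose: the modem link itself is
    # 192.168.1.0/24 (assumption, based on the router's 192.168.1.1 address).
    for net in 10.0.0.0/8 172.16.0.0/12; do
        $IPT -A INPUT -i "$EXTIF" -s "$net" -j DROP
    done
    # LAN -> Internet: new connections from the LAN, replies both ways
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$LAN" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -s "$LAN" -j MASQUERADE
}

# Inbound P2P: two rules per port, and both must name the same host.
#  1. nat/PREROUTING DNAT rewrites the destination to P2P_HOST;
#  2. filter/FORWARD then sees the *rewritten* packet, so it matches on
#     -d P2P_HOST. A DNAT to one address and a FORWARD rule for another
#     (192.168.0.2 vs 192.168.10.2 in the posted script) never matches.
p2p_rules() {
    for entry in $P2P_PORTS; do
        proto=${entry%%:*}
        port=${entry##*:}
        $IPT -t nat -A PREROUTING -i "$EXTIF" -p "$proto" --dport "$port" \
            -j DNAT --to-destination "$P2P_HOST:$port"
        $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -p "$proto" --dport "$port" \
            -d "$P2P_HOST" -m state --state NEW -j ACCEPT
    done
}

# Logging that stays off the console: rate-limited, and at priority 7
# (debug). syslog-ng still receives it from the kernel log, but the
# default console loglevel only prints priorities below 7.
log_rules() {
    for chain in INPUT FORWARD; do
        $IPT -A "$chain" -m limit --limit 5/min --limit-burst 10 \
            -j LOG --log-prefix "FIREWALL:$chain " --log-level 7
    done
}

apply_all() {
    load_helpers
    base_rules
    p2p_rules
    log_rules
    $SYSCTL -w net.ipv4.ip_forward=1
}

apply_all
```

Two things outside this script still decide whether eMule gets a high ID: if the freebox does NAT itself rather than bridging, it has to forward the same ports to 192.168.1.1 first, otherwise nothing ever reaches PREROUTING on eth0; and the host's own firewall (Window$ or Linux on "arthur") must accept those ports too. OUTPUT is left at ACCEPT because the posted script effectively does the same with its unconditional "-A OUTPUT -j ACCEPT".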