Hello list
I have a RH 7.2 boks, with 2.4.18 kernel and latest iptables installed
and working well.
I have generated a rc.firewall from
http://www.linux-firewall-tools.com/linux/ and modified it a little
for my needs, and its working well
I then have a friend without access to mail & news, and I want to
create a mapping for him
As a start I have tried to figure out how to do the new part of it but
it wont work
I have this in my box
ppp0 = my network interface
$IPADDR = my ip gained from a scriptline
193.213.112.21:119 = my newsserver and its port
$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp -d $IPADDR --dport 33333
-j DNAT --to-destination 193.213.112.21:119
$IPTABLES -A FORWARD -i ppp0 -o ppp0 -p tcp -d $IPADDR --dport 33333
-j ACCEPT
With these two lines I want to let my friend communicate with the
newsserver true my computer, and I also want to let him gain access to
a mailserver the same way, but I dont get it to work.
Are anyone able to help me with a working ruleset for this?
Here is the most important part of my rc.firewall with this two lines
in for my friend so you can see what I have done.
#!/bin/sh
# /etc/rc.d/rc.firewall
# Invoked from /etc/ppp/ip-up, or
# from /sbin/ifup-local, or
# from /etc/sysconfig/network-scripts/ifup-post.
echo -e "\n\nLoading simple rc.firewall version $FWVER..\n"
#
----------------------------------------------------------------------------
# Some definitions for easy maintenance.
# EDIT THESE TO SUIT YOUR SYSTEM AND ISP.
EXTERNAL_INTERFACE="ppp0" # Internet connected interface
LOOPBACK_INTERFACE="lo" # or your local naming
convention
LOCAL_INTERFACE_1="eth1" # internal LAN interface
echo " External Interface: $EXTERNAL_INTERFACE"
echo " Internal Interface: $LOCAL_INTERFACE_1"
IPADDR=$(/sbin/ifconfig | /bin/grep P-t-P | /usr/bin/cut -c 21-38 |
/bin/awk '{print $1}' )
LOCALNET_1="192.168.1.0/24" # whatever private range you
use
ANYWHERE="0/0" # match any IP address
DHCP_SERVER="0/0"
NAMESERVER_1="148.122.208.99" # everyone must have
at least one
NAMESERVER_2="148.122.161.3"
SMTP_SERVER="0/0" # Your ISP mail gateway. Your
relay.
POP_SERVER="pop.online.no" # Your ISP pop mail server.
NEWS_SERVER="0/0" # Your ISP news server
LOOPBACK="127.0.0.0/8" # reserved loopback address
range
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination
address
PRIVPORTS="0:1023" # well known, privileged port
range
UNPRIVPORTS="1024:65535" # unprivileged port range
#
----------------------------------------------------------------------------
NFS_PORT="2049" # (TCP/UDP) NFS
SOCKS_PORT="1080" # (TCP) Socks
OPENWINDOWS_PORT="2000" # (TCP) openwindows
# X Windows port allocation begins at 6000 and increments to 6063
# for each additional server running.
XWINDOW_PORTS="6000:6063" # (TCP) X windows
# The SSH client starts at 1023 and works down to 513 for each
# additional simultaneous connection originating from a privileged
port.
# Clients can optionally be configured to use only unprivileged ports.
SSH_LOCAL_PORTS="1022:65535" # port range for local clients
SSH_REMOTE_PORTS="513:65535" # port range for remote
clients
# traceroute usually uses -S 32769:65535 -D 33434:33523
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
#
---------------------------------------------------------------------------
IPTABLES=/sbin/iptables
echo -en " loading modules: "
echo " - Verifying that all kernel modules are ok"
/sbin/depmod -a
echo -en "ip_tables, "
/sbin/modprobe ip_tables
echo -en "ip_conntrack, "
/sbin/modprobe ip_conntrack
echo -en "ip_conntrack_ftp, "
/sbin/modprobe ip_conntrack_ftp
echo -en "ip_conntrack_irc, "
/sbin/modprobe ip_conntrack_irc
echo -en "iptable_nat, "
/sbin/modprobe iptable_nat
echo -en "ip_nat_ftp, "
/sbin/modprobe ip_nat_ftp
echo -en "ip_nat_irc, "
/sbin/modprobe ip_nat_irc
echo -en "ipt_multiport, "
/sbin/modprobe ipt_multiport
echo ". Done loading modules."
echo ". Vi har bekreftet at det virker s� langt."
#
----------------------------------------------------------------------------
# Enable IP Forwarding, if it isn't already
echo " enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Enable TCP SYN Cookie Protection
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Enable broadcast echo Protection
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable bad error message Protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Enable IP spoofing protection
# turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
#
----------------------------------------------------------------------------
# Default policy is DROP
# Explicitly accept desired INCOMING & OUTGOING connections
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -t nat -F
$IPTABLES -F
echo " Kontrollpunkt A1"
#
----------------------------------------------------------------------------
# LOOPBACK
# Unlimited traffic on the loopback interface.
$IPTABLES -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
$IPTABLES -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
#
----------------------------------------------------------------------------
# Unlimited traffic within the local network.
# All internal machines have access to the fireall machine.
$IPTABLES -A INPUT -i $LOCAL_INTERFACE_1 -s $LOCALNET_1 -j ACCEPT
$IPTABLES -A OUTPUT -o $LOCAL_INTERFACE_1 -d $LOCALNET_1 -j ACCEPT
#
----------------------------------------------------------------------------
# Masquerade internal traffic.
# All internal traffic is masqueraded externally.
# WARNING:
# The iptables functionality is under development.
# No filters are applied. Just masquerading.
$IPTABLES -A FORWARD -i $EXTERNAL_INTERFACE -o $LOCAL_INTERFACE_1 -m
state \
--state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LOCAL_INTERFACE_1 -o $EXTERNAL_INTERFACE -j
ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -j MASQUERADE
echo " Kontrollpunkt A2"
#
----------------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
# Refuse incoming packets pretending to be from the external
address.
$IPTABLES -A INPUT -s $IPADDR -j DROP
#
----------------------------------------------------------------------------
# NOTE:
# The symbolic names used in /etc/services for the port numbers
vary by
# supplier. Using them is less error prone and more meaningful,
though.
#
----------------------------------------------------------------------------
# TCP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.
# NFS: establishing a TCP connection
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $NFS_PORT -j DROP
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $NFS_PORT -j REJECT
# openwindows: establishing a connection
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $OPENWINDOWS_PORT -j DROP
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $OPENWINDOWS_PORT -j REJECT
# Xwindows: establishing a connection
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $XWINDOW_PORTS -j DROP
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $XWINDOW_PORTS -j REJECT
# SOCKS: establishing a connection
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $SOCKS_PORT -j DROP
$IPTABLES -A OUTPUT -o $EXTERNAL_INTERFACE -p tcp --syn \
--destination-port $SOCKS_PORT -j REJECT
#
----------------------------------------------------------------------------
# UDP UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--destination-port $NFS_PORT -j DROP
# UDP INCOMING TRACEROUTE
# traceroute usually uses -S 32769:65535 -D 33434:33523
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p udp \
--source-port $TRACEROUTE_SRC_PORTS \
--destination-port $TRACEROUTE_DEST_PORTS -j DROP
#
----------------------------------------------------------------------------
$IPTABLES -A INPUT -i $EXTERNAL_INTERFACE -p tcp ! --syn \
-d $IPADDR -j ACCEPT
# ------------------------------------------------------------------
# THIS PART IS FOR MY FRIEND
$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp -d $IPADDR --dport 33333
-j DNAT --to-destination 193.213.112.21:119
$IPTABLES -A FORWARD -i ppp0 -o ppp0 -p tcp -d $IPADDR --dport 33333
-j ACCEPT
Mvh
Roger Mauseth
