Ladies and Gents,
I've changed my iptables a bit. Please take a look:
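#!/usr/bin/env bash
# Firewall / NAT rules for a three-interface gateway:
#   INTERNALIF (eth0)   - 10.0.0.0/24 LAN
#   EXTERNALIF (eth1)   - Internet side, static address MYADDR
#   IPSECIF    (ipsec0) - IPsec tunnel device
# Rules are appended in order and the first match wins, so the anti-spoof
# REJECTs are placed ahead of the broad ACCEPTs.  Must run as root.
set -eu
shopt -s nullglob   # an unmatched /proc glob loops zero times instead of once

readonly INTERNALIF="eth0"
readonly INTERNALNET="10.0.0.0/24"
readonly INTERNALBCAST="10.0.0.255"
readonly EXTERNALIF="eth1"
readonly IPSECIF="ipsec0"
readonly MYADDR="209.12.32.66"
# shellcheck disable=SC2034 — defined in the original post, not used by any rule
readonly BIRCH="10.0.0.3"
readonly PINE="10.0.0.2"
readonly FIR="10.0.0.1"
readonly IPTABLES="/sbin/iptables"

# --- Kernel settings ---------------------------------------------------------
# NOTE(review): this clears the reverse-path filter on every interface, i.e.
# switches off the kernel's own anti-spoof check, so the -i/-s REJECT rules
# below are the only spoof protection left.  Confirm the tunnel needs this.
for spoof in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 0 > "$spoof"
done
# Turn port forwarding on
echo 1 > /proc/sys/net/ipv4/ip_forward
# Allow dynamic ip
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

for mod in iptable_nat ip_tables iptable_filter ip_conntrack ip_conntrack_ftp ip_nat_ftp; do
  # Not fatal: keep going so the rules below are still installed.
  /sbin/modprobe "$mod" || true
done

# --- Policy ------------------------------------------------------------------
# Flush and set default policies so the script is idempotent and the ACCEPT
# rules below actually decide what gets in.
# NOTE(review): the original never flushed or set policies, so re-running it
# appended duplicate rules and the ACCEPTs only mattered if the policy had
# been set to DROP elsewhere (an init script, for instance).  Confirm nothing
# else relies on the old behaviour.
"$IPTABLES" -F
"$IPTABLES" -t nat -F
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -P OUTPUT ACCEPT

# --- INPUT: local, LAN, anti-spoof, IPSEC -----------------------------------
# Allow all connections on the local interface
"$IPTABLES" -A INPUT -i lo -j ACCEPT
# Kill connections to the local interface from the outside world.
"$IPTABLES" -A INPUT -d 127.0.0.0/8 -j REJECT
# Allow unlimited traffic from internal network using legit addresses
"$IPTABLES" -A INPUT -i "$INTERNALIF" -s "$INTERNALNET" -j ACCEPT
# Kill anything from outside claiming to be from internal network.
# Placed BEFORE the ESP/IKE accepts: the original had the ESP accept ahead of
# this check, so a forged internal source could have reached it.
"$IPTABLES" -A INPUT -i "$EXTERNALIF" -s "$INTERNALNET" -j REJECT
# Allow IPSEC tunnel traffic: ESP (IP protocol 50) and IKE (udp 500)
"$IPTABLES" -A INPUT -p 50 -j ACCEPT
"$IPTABLES" -A INPUT -p udp --dport 500 -j ACCEPT
# Allow all traffic between the ipsec device and the internal network
"$IPTABLES" -A FORWARD -i "$IPSECIF" -o "$INTERNALIF" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$INTERNALIF" -o "$IPSECIF" -j ACCEPT

# --- ICMP --------------------------------------------------------------------
# ping: don't forward pings going inside
"$IPTABLES" -A FORWARD -p icmp --icmp-type echo-request -o "$INTERNALIF" -j REJECT
# ping flood protection: one echo-request per second, the rest dropped
"$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
"$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -j DROP
# Deny icmp to broadcast address
"$IPTABLES" -A INPUT -p icmp -d "$INTERNALBCAST" -j DROP
# Allow all other icmp
"$IPTABLES" -A INPUT -p icmp -j ACCEPT

# --- Established connections -------------------------------------------------
# Unlike ipchains, we don't have to go through the business of allowing
# a local port range - just allow all connections already established.
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# --- FORWARD -----------------------------------------------------------------
# Note that unlike ipchains, the following must be enabled even with masquerading.
# Don't forward SMB related traffic, and don't accept NetBIOS name service
# from outside.
for proto in tcp udp; do
  for port in 137 138 139; do
    "$IPTABLES" -A FORWARD -o "$EXTERNALIF" -p "$proto" --dport "$port" -j REJECT
  done
done
"$IPTABLES" -A INPUT -i "$EXTERNALIF" -p udp --dport 137 -j REJECT
# Allow ALL other forwarding going out (the original listed this rule twice)
"$IPTABLES" -A FORWARD -i "$INTERNALIF" -o "$EXTERNALIF" -j ACCEPT
# Allow replies coming in
"$IPTABLES" -A FORWARD -i "$EXTERNALIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

# --- Services offered by the gateway itself ---------------------------------
# NOTE(review): ftp (20/21) and pop3 (110) carry credentials in clear text and
# are accepted on every interface here; scope them with -i if they are only
# meant for the LAN or the tunnel.  The original listed tcp 20/21 twice.
"$IPTABLES" -A INPUT -p tcp --dport 20 -j ACCEPT
"$IPTABLES" -A INPUT -p tcp --dport 21 -j ACCEPT
"$IPTABLES" -A INPUT -p udp --dport 20 -j ACCEPT
#"$IPTABLES" -A INPUT -p udp --dport 21 -j ACCEPT
"$IPTABLES" -A INPUT -p tcp --dport 22 -j ACCEPT
"$IPTABLES" -A INPUT -p tcp --dport 110 -j ACCEPT
# The original also had 'iptables -A INPUT -p 22 -j ACCEPT'.  '-p 22' is IP
# protocol 22 (XNS IDP), not TCP port 22, so it is dropped as a typo; the
# tcp --dport 22 rule above covers ssh.

# --- DNAT to internal hosts --------------------------------------------------
#######################################
# Forward one TCP port that arrives on an interface for MYADDR to an
# internal host, and let the rewritten packets through FORWARD.
# Globals:   IPTABLES, MYADDR (read)
# Arguments: $1 - inbound interface, $2 - TCP port, $3 - internal host
#######################################
dnat_tcp() {
  local iface=$1 port=$2 host=$3
  "$IPTABLES" -t nat -A PREROUTING -i "$iface" -p tcp -d "$MYADDR" \
    --dport "$port" -j DNAT --to-destination "${host}:${port}"
  "$IPTABLES" -A FORWARD -i "$iface" -p tcp -d "$host" --dport "$port" -j ACCEPT
}

# Same port map from the Internet side and from the IPSEC tunnel
for iface in "$EXTERNALIF" "$IPSECIF"; do
  # FIR @coinfotech (exchange) email
  dnat_tcp "$iface" 25 "$FIR"
  # PINE DNAT 1494,1450,3389
  for port in 1494 1450 3389; do
    dnat_tcp "$iface" "$port" "$PINE"
  done
done

# --- Source NAT --------------------------------------------------------------
# Masquerade everything out eth1 and the tunnel.  (The original kept a
# commented SNAT alternative '--to 209.12.32.2', which is not MYADDR; pick
# one deliberately if switching to SNAT.)
"$IPTABLES" -t nat -A POSTROUTING -o "$EXTERNALIF" -j MASQUERADE
"$IPTABLES" -t nat -A POSTROUTING -o "$IPSECIF" -j MASQUERADE

# --- Forward rules -----------------------------------------------------------
# NOTE(review): the original accepted '-s 10.0.0.0/24' and '-d 10.0.0.0/24'
# on any interface.  With rp_filter off, the first let an outside packet with
# a forged 10.0.0.x source be forwarded, and the second let anything routed
# towards the LAN through, making the per-port FORWARD accepts above
# redundant.  The source rule is now tied to the LAN interface; the
# destination rule is kept commented out - re-enable it only for a specific
# -i/-o pair.
"$IPTABLES" -A FORWARD -i "$INTERNALIF" -s "$INTERNALNET" -j ACCEPT
#"$IPTABLES" -A FORWARD -d "$INTERNALNET" -j ACCEPT

# --- Logging -----------------------------------------------------------------
# Log whatever reaches the end of INPUT (the DROP policy then discards it),
# rate limited so a scan cannot fill the log.  The prefix gets a trailing ': '
# so it does not run straight into the packet fields in the log line.
"$IPTABLES" -A INPUT -m limit --limit 5/minute -j LOG --log-level 7 \
  --log-prefix "IPTABLES: "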
Regards,
Vasiliy Boulytchev, Colorado Information Technologies Inc.
