Re: [Vserver] HOWTO deal with NAT'ing firewalls and source-based routing with vservers

Mon, 13 Feb 2006 05:40:23 -0800


hello, this its my shell script to up the firewall,  this machine are cobert by another firewall...

any one see incorrect rules for my config??

the ftp server have the same config and works...

in the master server i can do #telnet 192.168.1.10 5222 but outside cant do ti.

####
#!/bin/bash

export SERVER_IP="x.x.x.x"


echo "Aplicando IP_FORWARD"

modprobe ip_tables
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_nat_ftp
modprobe ip_nat_irc
modprobe ipt_MASQUERADE
modprobe ipt_LOG
modprobe ipt_REJECT
modprobe ipt_state


iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

echo 1 > /proc/sys/net/ipv4/ip_forward
echo ""

echo "Inicio vaciando las reglas"
iptables -F
iptables -X
iptables -Z
echo ""

echo "Limpiar las reglas de nat."
iptables -t nat -F
echo ""

echo "Politicas por defecto."
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT

iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
echo ""

# FTP
iptables -t nat -I POSTROUTING -s 192.168.1.3 -j SNAT --to $SERVER_IP
#Jabberd 2
iptables -t nat -I POSTROUTING -s 192.168.1.10 -j SNAT --to $SERVER_IP
echo ""

echo "Reglas de NATeado"
echo ""

echo "FTP aplicado"
iptables -t nat -A PREROUTING -d $SERVER_IP -i eth0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 192.168.1.3:21
iptables -t nat -A PREROUTING -d $SERVER_IP -i eth0 -p tcp -m tcp --dport 20 -j DNAT --to-destination 192.168.1.3:20
iptables -t nat -A PREROUTING -d $SERVER_IP -i eth0 -p tcp -m tcp --dport 5000:6000 -j DNAT --to-destination 192.168.1.3:5000-6000
echo ""


echo "Jabberd2 aplicado"
#iptables -t nat -A PREROUTING -d $SERVER_IP -i eth0 -p tcp -m tcp --dport 5222 -j DNAT --to-destination 192.168.1.10:5222

iptables -t nat -A PREROUTING -p tcp --dport 5222 -i eth0 -j DNAT --to 192.168.1.10:5222

#iptables -t nat -A PREROUTING -d $SERVER_IP -i eth0 -p tcp -m tcp --dport 5223 -j DNAT --to-destination 192.168.1.10:5223
#iptables -t nat -A PREROUTING -d $SERVER_IP -i eth0 -p tcp -m tcp --dport 5269 -j DNAT --to-destination 192.168.1.10:5269
#iptables -t nat -A PREROUTING -d $SERVER_IP -i eth0 -p tcp -m tcp --dport 5280 -j DNAT --to-destination 192.168.1.10:5280
echo ""

Thanks :)

--
Jairo Enrique Serrano Castañeda
Ingeniero de Sistemas UTB
T - http://www.jsnat.com - http://savio.unitecnologica.edu.co
C - http://www.drupal.org.es - http://www.champetux.org 
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver

Reply via email to