[glux] firewall e forward

Francesco Moretto cybercecco@libero.it
Fri, 07 Mar 2003 12:07:17 +0100


grazie @arminillo ma non funziona, se tento un collegamento da remoto 
con la macchina interna  (as400 su porta 23 (!!)) resta latente fino al 
timeout, provo a postare lo script che uso sul firewall per 
l'impostazione dele regole, magari sbaglio qualche cosa a monte....
Grazie ancora

Francesco



#!/bin/sh

PATH=$PATH:/sbin
export PATH

modprobe ip_conntrack

# funziona SOLO con iptables

# RETE INTERNA
IP_LAN=192.168.0.250
ETH_LAN="eth0"
LOCAL_LAN="192.168.0.0/24"

# RETE ESTERNA
IP_NET=192.168.100.251
ETH_NET="eth1"
ANY=0.0.0.0/0

INTERNET_SERVER="192.168.0.250"

INTERFACES="lo eth0 eth1"
TCP_SERVICES="http ssh https smtp 9898 9899 23 449 8471 8476 8474 8470"
#TCP_SERVICES="http ssh https ftp smtp"

UDP_SERVICES="9898 9899 23 449 8471 8476 8474 8470"
WORK="9899 9898"
AS400="23 449 8471 8476 8474 8470"




# Starting firewall

if [ "$1" = "start" ]; then

    echo "Starting stateful firewall..."

    depmod -a
   

    # RESET
    iptables -F INPUT
    iptables -F FORWARD
   
    # Setup firewalling:

    # (a) Default policy: DROP
    iptables -P INPUT DROP

    # (b) Allow outcoming connections and related
    iptables -A INPUT -i ! $ETH_NET -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT







        # (e) Enable forwarding
        echo 1 > /proc/sys/net/ipv4/ip_forward

#        iptables -A FORWARD -s $ANY -d $IP_NET -i $ETH_NET -o $ETH_LAN 
-p tcp -j ACCEPT


    for x in $TCP_SERVICES
    do
        iptables -A INPUT -p tcp --dport $x -m state --state NEW -j ACCEPT
    done
    for x in $UDP_SERVICES
    do
        iptables -A INPUT -p udp --dport $x -m state --state NEW -j ACCEPT
    done

        for x in $WORK
        do
                iptables -t nat -A PREROUTING -p tcp -i $ETH_NET --dport 
$x -j DNAT --to-destination 192.168.0.33:$x
                iptables -t nat -A PREROUTING -p udp -i $ETH_NET --dport 
$x -j DNAT --to-destination 192.168.0.33:$x
        done
 
        for x in $AS400
        do
                iptables -t nat -A PREROUTING -p tcp -i $ETH_NET --dport 
$x -j DNAT --to-destination 192.168.0.5:$x
                iptables -t nat -A PREROUTING -p udp -i $ETH_NET --dport 
$x -j DNAT --to-destination 192.168.0.5:$x
        done


    # (d) Disable spoofing

    for x in $INTERFACES
    do
        echo 1 > /proc/sys/net/ipv4/conf/$x/rp_filter
    done

#       (e1) transparent proxy (squid su INTERNET_SERVER)



    iptables -t nat -A PREROUTING -i $ETH_LAN -p tcp --source ! 
$INTERNET_SERVER --dport 80  -j DNAT --to $INTERNET_SERVER:8080

    iptables -t nat -A PREROUTING -i $ETH_LAN -p tcp --source ! 
$INTERNET_SERVER --dport 80
    iptables -t nat -A POSTROUTING -o $ETH_LAN -p tcp -d 
$INTERNET_SERVER -s $LOCAL_LAN -j SNAT --to $IP_LAN
    iptables -A FORWARD -s $LOCAL_LAN -d $INTERNET_SERVER -i $ETH_LAN -o 
$ETH_LAN -p tcp -j ACCEPT






    # (e2) SMTP
#    iptables -t nat -A PREROUTING -i $ETH_NET -p tcp --dport 25  -j 
DNAT --to $INTERNET_SERVER
   
    # (e3) HTTP(S)
#     iptables -t nat -A PREROUTING -i $ETH_NET -p tcp --dport 80  -j 
DNAT --to $INTERNET_SERVER
#    iptables -t nat -A PREROUTING -i $ETH_NET -p tcp --dport 443  -j 
DNAT --to $INTERNET_SERVER
 





 

    # (f) NAT

    iptables -t nat -A POSTROUTING -o $ETH_NET -j SNAT --to-source $IP_NET

    echo "Firewall running."   
fi

if [ "$1" = "stop" ]; then
   
    # RESET
    iptables -F INPUT
    iptables -F FORWARD
    iptables -F -t nat
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    echo 0 > /proc/sys/net/ipv4/ip_forward
    echo "Firewall stopped"
fi