[glux] firewall e forward

@arminillo carminillo@tiscali.it
07 Mar 2003 12:27:40 +0100


Aggiungo due precisazioni... se hai l'ADSL su eth... comunque la tua
interfaccia esterna da settare per il NAT è ppp0 e poi se provi la
connessione da una macchina all'interno della tua lan non riuscirai mai
a passare... devi collegarti con modem e provare.

bye bye
@arminillo

Il ven, 2003-03-07 alle 12:07, Francesco Moretto ha scritto:
> grazie @arminillo ma non funziona, se tento un collegamento da remoto 
> con la macchina interna  (as400 su porta 23 (!!)) resta latente fino al 
> timeout, provo a postare lo script che uso sul firewall per 
> l'impostazione dele regole, magari sbaglio qualche cosa a monte....
> Grazie ancora
> 
> Francesco
> 
> 
> 
> #!/bin/sh
> 
> PATH=$PATH:/sbin
> export PATH
> 
> modprobe ip_conntrack
> 
> # funziona SOLO con iptables
> 
> # RETE INTERNA
> IP_LAN=192.168.0.250
> ETH_LAN="eth0"
> LOCAL_LAN="192.168.0.0/24"
> 
> # RETE ESTERNA
> IP_NET=192.168.100.251
> ETH_NET="eth1"
> ANY=0.0.0.0/0
> 
> INTERNET_SERVER="192.168.0.250"
> 
> INTERFACES="lo eth0 eth1"
> TCP_SERVICES="http ssh https smtp 9898 9899 23 449 8471 8476 8474 8470"
> #TCP_SERVICES="http ssh https ftp smtp"
> 
> UDP_SERVICES="9898 9899 23 449 8471 8476 8474 8470"
> WORK="9899 9898"
> AS400="23 449 8471 8476 8474 8470"
> 
> 
> 
> 
> # Starting firewall
> 
> if [ "$1" = "start" ]; then
> 
>     echo "Starting stateful firewall..."
> 
>     depmod -a
>    
> 
>     # RESET
>     iptables -F INPUT
>     iptables -F FORWARD
>    
>     # Setup firewalling:
> 
>     # (a) Default policy: DROP
>     iptables -P INPUT DROP
> 
>     # (b) Allow outcoming connections and related
>     iptables -A INPUT -i ! $ETH_NET -j ACCEPT
>     iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> 
> 
> 
> 
> 
> 
>         # (e) Enable forwarding
>         echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> #        iptables -A FORWARD -s $ANY -d $IP_NET -i $ETH_NET -o $ETH_LAN 
> -p tcp -j ACCEPT
> 
> 
>     for x in $TCP_SERVICES
>     do
>         iptables -A INPUT -p tcp --dport $x -m state --state NEW -j ACCEPT
>     done
>     for x in $UDP_SERVICES
>     do
>         iptables -A INPUT -p udp --dport $x -m state --state NEW -j ACCEPT
>     done
> 
>         for x in $WORK
>         do
>                 iptables -t nat -A PREROUTING -p tcp -i $ETH_NET --dport 
> $x -j DNAT --to-destination 192.168.0.33:$x
>                 iptables -t nat -A PREROUTING -p udp -i $ETH_NET --dport 
> $x -j DNAT --to-destination 192.168.0.33:$x
>         done
>  
>         for x in $AS400
>         do
>                 iptables -t nat -A PREROUTING -p tcp -i $ETH_NET --dport 
> $x -j DNAT --to-destination 192.168.0.5:$x
>                 iptables -t nat -A PREROUTING -p udp -i $ETH_NET --dport 
> $x -j DNAT --to-destination 192.168.0.5:$x
>         done
> 
> 
>     # (d) Disable spoofing
> 
>     for x in $INTERFACES
>     do
>         echo 1 > /proc/sys/net/ipv4/conf/$x/rp_filter
>     done
> 
> #       (e1) transparent proxy (squid su INTERNET_SERVER)
> 
> 
> 
>     iptables -t nat -A PREROUTING -i $ETH_LAN -p tcp --source ! 
> $INTERNET_SERVER --dport 80  -j DNAT --to $INTERNET_SERVER:8080
> 
>     iptables -t nat -A PREROUTING -i $ETH_LAN -p tcp --source ! 
> $INTERNET_SERVER --dport 80
>     iptables -t nat -A POSTROUTING -o $ETH_LAN -p tcp -d 
> $INTERNET_SERVER -s $LOCAL_LAN -j SNAT --to $IP_LAN
>     iptables -A FORWARD -s $LOCAL_LAN -d $INTERNET_SERVER -i $ETH_LAN -o 
> $ETH_LAN -p tcp -j ACCEPT
> 
> 
> 
> 
> 
> 
>     # (e2) SMTP
> #    iptables -t nat -A PREROUTING -i $ETH_NET -p tcp --dport 25  -j 
> DNAT --to $INTERNET_SERVER
>    
>     # (e3) HTTP(S)
> #     iptables -t nat -A PREROUTING -i $ETH_NET -p tcp --dport 80  -j 
> DNAT --to $INTERNET_SERVER
> #    iptables -t nat -A PREROUTING -i $ETH_NET -p tcp --dport 443  -j 
> DNAT --to $INTERNET_SERVER
>  
> 
> 
> 
> 
> 
> 
> 
>     # (f) NAT
> 
>     iptables -t nat -A POSTROUTING -o $ETH_NET -j SNAT --to-source $IP_NET
> 
>     echo "Firewall running."   
> fi
> 
> if [ "$1" = "stop" ]; then
>    
>     # RESET
>     iptables -F INPUT
>     iptables -F FORWARD
>     iptables -F -t nat
>     iptables -P INPUT ACCEPT
>     iptables -P FORWARD ACCEPT
>     echo 0 > /proc/sys/net/ipv4/ip_forward
>     echo "Firewall stopped"
> fi
> 
> 
> 
> 
> 
> 
> _______________________________________________
> glux mailing list
> glux@lists.linux.it
> http://lists.linux.it/listinfo/glux
> http://www.lecco.linux.it