[glux] firewall and forwarding
@arminillo
carminillo@tiscali.it
07 Mar 2003 12:27:40 +0100
Two more points... if you have ADSL on eth... your external interface to configure
for NAT is ppp0 anyway, and if you test the connection from a machine inside
your LAN you will never get through... you need to dial in with a modem and test
from there.
bye bye
@arminillo
On Fri, 2003-03-07 at 12:07, Francesco Moretto wrote:
> thanks @arminillo but it doesn't work, if I try a remote connection to
> the internal machine (as400 on port 23 (!!)) it sits waiting until the
> timeout, I'm posting the script I use on the firewall to set up the
> rules, maybe I'm getting something wrong upstream....
> Thanks again
>
> Francesco
>
> #!/bin/sh
>
> PATH=$PATH:/sbin
> export PATH
>
> modprobe ip_conntrack
>
> # works ONLY with iptables
>
> # INTERNAL NETWORK
> IP_LAN=192.168.0.250
> ETH_LAN="eth0"
> LOCAL_LAN="192.168.0.0/24"
>
> # EXTERNAL NETWORK
> IP_NET=192.168.100.251
> ETH_NET="eth1"
> ANY=0.0.0.0/0
>
> INTERNET_SERVER="192.168.0.250"
>
> INTERFACES="lo eth0 eth1"
> TCP_SERVICES="http ssh https smtp 9898 9899 23 449 8471 8476 8474 8470"
> #TCP_SERVICES="http ssh https ftp smtp"
>
> UDP_SERVICES="9898 9899 23 449 8471 8476 8474 8470"
> WORK="9899 9898"
> AS400="23 449 8471 8476 8474 8470"
>
> # Starting firewall
>
> if [ "$1" = "start" ]; then
>
> echo "Starting stateful firewall..."
>
> depmod -a
>
> # RESET (the nat table is flushed too, otherwise the DNAT/SNAT rules
> # below get appended again on every restart)
> iptables -F INPUT
> iptables -F FORWARD
> iptables -F -t nat
>
> # Setup firewalling:
>
> # (a) Default policy: DROP
> iptables -P INPUT DROP
>
> # (b) Allow outgoing connections and related
> iptables -A INPUT -i ! $ETH_NET -j ACCEPT
> iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # (e) Enable forwarding
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # iptables -A FORWARD -s $ANY -d $IP_NET -i $ETH_NET -o $ETH_LAN -p tcp -j ACCEPT
>
> # services the firewall host itself accepts new connections to
> for x in $TCP_SERVICES
> do
> iptables -A INPUT -p tcp --dport $x -m state --state NEW -j ACCEPT
> done
> for x in $UDP_SERVICES
> do
> iptables -A INPUT -p udp --dport $x -m state --state NEW -j ACCEPT
> done
>
> # port forwarding from the external interface to the internal hosts
> for x in $WORK
> do
> iptables -t nat -A PREROUTING -p tcp -i $ETH_NET --dport $x -j DNAT --to-destination 192.168.0.33:$x
> iptables -t nat -A PREROUTING -p udp -i $ETH_NET --dport $x -j DNAT --to-destination 192.168.0.33:$x
> done
>
> for x in $AS400
> do
> iptables -t nat -A PREROUTING -p tcp -i $ETH_NET --dport $x -j DNAT --to-destination 192.168.0.5:$x
> iptables -t nat -A PREROUTING -p udp -i $ETH_NET --dport $x -j DNAT --to-destination 192.168.0.5:$x
> done
>
> # (d) Disable spoofing
>
> for x in $INTERFACES
> do
> echo 1 > /proc/sys/net/ipv4/conf/$x/rp_filter
> done
>
> # (e1) transparent proxy (squid on INTERNET_SERVER)
>
> iptables -t nat -A PREROUTING -i $ETH_LAN -p tcp --source ! $INTERNET_SERVER --dport 80 -j DNAT --to $INTERNET_SERVER:8080
>
> # leftover copy of the rule above with no target: it would only count
> # packets, so it is kept commented out
> # iptables -t nat -A PREROUTING -i $ETH_LAN -p tcp --source ! $INTERNET_SERVER --dport 80
> iptables -t nat -A POSTROUTING -o $ETH_LAN -p tcp -d $INTERNET_SERVER -s $LOCAL_LAN -j SNAT --to $IP_LAN
> iptables -A FORWARD -s $LOCAL_LAN -d $INTERNET_SERVER -i $ETH_LAN -o $ETH_LAN -p tcp -j ACCEPT
>
> # (e2) SMTP
> # iptables -t nat -A PREROUTING -i $ETH_NET -p tcp --dport 25 -j DNAT --to $INTERNET_SERVER
>
> # (e3) HTTP(S)
> # iptables -t nat -A PREROUTING -i $ETH_NET -p tcp --dport 80 -j DNAT --to $INTERNET_SERVER
> # iptables -t nat -A PREROUTING -i $ETH_NET -p tcp --dport 443 -j DNAT --to $INTERNET_SERVER
>
> # (f) NAT
>
> iptables -t nat -A POSTROUTING -o $ETH_NET -j SNAT --to-source $IP_NET
>
> echo "Firewall running."
> fi
>
> if [ "$1" = "stop" ]; then
>
> # RESET
> iptables -F INPUT
> iptables -F FORWARD
> iptables -F -t nat
> iptables -P INPUT ACCEPT
> iptables -P FORWARD ACCEPT
> echo 0 > /proc/sys/net/ipv4/ip_forward
> echo "Firewall stopped"
> fi
>
> _______________________________________________
> glux mailing list
> glux@lists.linux.it
> http://lists.linux.it/listinfo/glux
> http://www.lecco.linux.it
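The AS/400 port forwarding from the quoted script, reworked around @arminillo's point that with ADSL over PPPoE the interface to NAT on is ppp0, as an added example that is not part of either message. It assumes ppp0 as the external interface and eth0 as the LAN, reuses the AS/400 address and ports from the script, and unlike the script gives FORWARD a DROP policy with explicit accepts; setting IPT to the dry-run helper prints the rules for review instead of applying them.

```shell
#!/bin/sh
# Added example (not the poster's script). Assumptions: ADSL over PPPoE, so the
# external interface is ppp0; LAN on eth0; AS/400 at 192.168.0.5 with the
# port list taken from the quoted script. With IPT=show_rule the rules are
# printed instead of applied, so the generated policy can be checked without root.
IPT="${IPT:-iptables}"
ETH_NET="${ETH_NET:-ppp0}"   # NAT and DNAT must name ppp0, not the eth carrying it
ETH_LAN="${ETH_LAN:-eth0}"
LOCAL_LAN="192.168.0.0/24"
AS400_HOST="192.168.0.5"
AS400_PORTS="23 449 8471 8476 8474 8470"

# One forwarded port: DNAT on the external interface plus an explicit FORWARD
# accept limited to that host and port, so FORWARD can default to DROP instead
# of silently accepting everything as the quoted script does.
forward_port() {
    proto="$1"; port="$2"; host="$3"
    $IPT -t nat -A PREROUTING -i "$ETH_NET" -p "$proto" --dport "$port" \
        -j DNAT --to-destination "$host:$port"
    $IPT -A FORWARD -i "$ETH_NET" -o "$ETH_LAN" -p "$proto" -d "$host" \
        --dport "$port" -m state --state NEW -j ACCEPT
}

fw_start() {
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LAN may open anything outbound; replies return via ESTABLISHED above.
    $IPT -A FORWARD -i "$ETH_LAN" -o "$ETH_NET" -s "$LOCAL_LAN" -j ACCEPT
    for p in $AS400_PORTS; do
        forward_port tcp "$p" "$AS400_HOST"
    done
    # MASQUERADE instead of SNAT --to-source: the ppp0 address changes per dial-up.
    $IPT -t nat -A POSTROUTING -o "$ETH_NET" -s "$LOCAL_LAN" -j MASQUERADE
}

# Dry-run helpers: print each rule command and count how many would be issued.
show_rule() { printf '%s\n' "$*"; }
fw_dry_run() { (IPT=show_rule; fw_start); }
fw_rule_count() { fw_dry_run | wc -l | tr -d ' '; }

# Apply only when invoked as "script start"; otherwise only define functions.
if [ "$1" = "start" ]; then fw_start; fi
```

Test from outside the ADSL link, as the reply says: a LAN client hitting the public address never traverses PREROUTING on ppp0, so these rules do not apply to it.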