To the group.
I have a customer with some interesting firewall rules. The problem that they
are noticing is that when the external IP address changes, the firewall needs
to be reset to forward the right ports to the DMZ. Any ideas?
### gui.firewall.conf - start ###
###
### Generic Firewall Rules
GUI_FIREWALL_RULES="
1~NAT_EXT_DMZ~TCP~0/0~110~~10.1.1.1~110~~POP3~0/0
1~NAT_EXT_DMZ~TCP~0/0~12093~~10.1.1.1~12093~~SSH~0/0
1~NAT_EXT_DMZ~TCP~0/0~143~~10.1.1.1~143~~IMAP~0/0
1~NAT_EXT_DMZ~TCP~0/0~25~~10.1.1.1~25~~SMTP~0/0
1~NAT_EXT_DMZ~TCP~0/0~443~~10.1.1.1~443~~HTTPS~0/0
1~NAT_EXT_DMZ~TCP~0/0~465~~10.1.1.1~465~~Mail~0/0
1~NAT_EXT_DMZ~TCP~0/0~587~~10.1.1.1~587~~Mail~0/0
1~NAT_EXT_DMZ~TCP~0/0~80~~10.1.1.1~80~~HTTP~0/0
1~NAT_EXT_DMZ~TCP~0/0~993~~10.1.1.1~993~~IMAPS~0/0
1~NAT_EXT_DMZ~TCP~0/0~995~~10.1.1.1~995~~POP3S~0/0
1~NAT_EXT_LAN~TCP/UDP~0/0~53000~~172.16.1.2~53000~~Stefans P2P~0/0
1~NAT_EXT_LAN~TCP/UDP~0/0~53001~~172.16.1.33~53001~~Erins P2P~0/0
1~NAT_EXT_LAN~TCP/UDP~0/0~53002~~172.16.1.35~53002~~Brendans P2P~0/0
1~PASS_EXT_LOCAL~TCP/UDP~0/0~1194~~~~~Open VPN Negotiation~
1~PASS_EXT_LOCAL~TCP/UDP~0/0~5060~5061~~~~SIP~
1~PASS_EXT_LOCAL~TCP~172.16.253.0/24~22~~~~~Open VPN Tunnel Access SSH~
1~PASS_EXT_LOCAL~TCP~172.16.253.0/24~443~~~~~Open VPN Tunnel Access HTTPS~
1~PASS_EXT_LOCAL~UDP~0/0~16384~16415~~~~RTP ports~
"
NAT_FORWARD_TCP="0/0~110>10.1.1.1~110 0/0~12093>10.1.1.1~12093 0/0~143>10.1.1.1~143 0/0~25>10.1.1.1~25 0/0~443>10.1.1.1~443 0/0~465>10.1.1.1~465 0/0~587>10.1.1.1~587 0/0~80>10.1.1.1~80 0/0~993>10.1.1.1~993 0/0~995>10.1.1.1~995 0/0~53000>172.16.1.2~53000 0/0~53001>172.16.1.33~53001 0/0~53002>172.16.1.35~53002"
NAT_FORWARD_UDP="0/0~53000>172.16.1.2~53000 0/0~53001>172.16.1.33~53001 0/0~53002>172.16.1.35~53002"
HOST_OPEN_TCP="0/0~1194 0/0~5060:5061 172.16.253.0/24~22 172.16.253.0/24~443"
HOST_OPEN_UDP="0/0~1194 0/0~5060:5061 0/0~16384:16415"
### Reset Unused
OPEN_TCP=""
OPEN_UDP=""
### Options
LAN_INET_DEFAULT_POLICY_DROP="0"
DMZ_INET_DEFAULT_POLICY_DROP="0"
ALLOWLANS="INTIF INT2IF"
OVPNC_ALLOWLAN=""
OVPN_ALLOWLAN="INTIF"
OPEN_ICMP=1
OPEN_ICMPV6=1
### Logging
ICMP_REQUEST_LOG=1
PRIV_TCP_LOG=1
UNPRIV_TCP_LOG=1
PRIV_UDP_LOG=1
UNPRIV_UDP_LOG=1
OTHER_IP_LOG=1
IGMP_LOG=1
FORWARD_DROP_LOG=1
### Traffic Shaping
SHAPETYPE="htb"
EXTDOWN="3000"
EXTUP="330"
VOIPPORTS="16384:16415"
### Block All Traffic
BLOCK_HOSTS=""
BLOCKED_HOST_LOG=0
### gui.firewall.conf - end ###
And here's custom-rules
# Put any custom (iptables) rules here down below:
##################################################
# Added Oct 2012 - stefan
# Lock down port 5060 to scanning
iptables -N SCAN_CHECK
iptables -N LOG_SCANDROP
iptables -F SCAN_CHECK
iptables -F LOG_SCANDROP
# Define the scan rules - works with any protocol
# Note - astlinux supports max hitcount of 20. Other distributions may support more.
iptables -A SCAN_CHECK -m recent --set --name SCAN
iptables -A SCAN_CHECK -m recent --rcheck --name SCAN --seconds 600 --hitcount 20 -j LOG_SCANDROP
iptables -A SCAN_CHECK -m recent --rcheck --name SCAN --seconds 180 --hitcount 12 -j LOG_SCANDROP
iptables -A SCAN_CHECK -m recent --rcheck --name SCAN --seconds 60 --hitcount 4 -j LOG_SCANDROP
# Log and drop packets that satisfy the scan filters
iptables -A LOG_SCANDROP -j LOG --log-prefix "AIF:ScanDrop "
iptables -A LOG_SCANDROP -j DROP
# Jump to the scan filter as the very first rules in the INPUT chain (Can define more than one rule for different protocols)
# Note - need separate rules for TCP and UDP. Generally SIP uses UDP only, but not always
iptables -I INPUT 1 -p udp --dport 5060:5061 -i eth0 -m state --state NEW -j SCAN_CHECK
iptables -I INPUT 1 -p tcp --dport 5060:5061 -i eth0 -m state --state NEW -j SCAN_CHECK
#------------------------
Regards
Michael Knill
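The GUI_FIREWALL_RULES block in the post is a tilde-delimited format: enabled flag, rule type, protocol, source, destination port (and optional range end), forward-to host and port, then a description. The following is an added example, not AstLinux or AIF code, that parses those lines and renders them as plain iptables commands. The security-relevant design choice it shows is that DNAT and INPUT rules keyed to the external interface (assumed here to be eth0, as in the custom-rules above) rather than to the external address do not go stale when the public IP changes; whether the generated rules match what AstLinux itself emits is not something the post tells us, and the meaning of the two fields this parser ignores is an assumption.

```python
"""Added example: parse the tilde-delimited GUI_FIREWALL_RULES lines shown in
gui.firewall.conf and render equivalent iptables commands.  Not AstLinux/AIF
code; field positions are inferred from the sample and EXT_IF is an assumption."""
from dataclasses import dataclass
from typing import List

EXT_IF = "eth0"  # assumption: the external interface, as used by the custom-rules

# Rules copied from the gui.firewall.conf dump in the post (one of each kind).
SAMPLE_RULES = """
1~NAT_EXT_DMZ~TCP~0/0~110~~10.1.1.1~110~~POP3~0/0
1~NAT_EXT_LAN~TCP/UDP~0/0~53000~~172.16.1.2~53000~~Stefans P2P~0/0
1~PASS_EXT_LOCAL~TCP/UDP~0/0~5060~5061~~~~SIP~
1~PASS_EXT_LOCAL~TCP~172.16.253.0/24~22~~~~~Open VPN Tunnel Access SSH~
"""


@dataclass
class Rule:
    enabled: bool
    kind: str              # NAT_EXT_DMZ, NAT_EXT_LAN or PASS_EXT_LOCAL
    protos: List[str]      # "TCP/UDP" expands to both
    src: str               # source CIDR, 0/0 = any
    dport_lo: str
    dport_hi: str          # empty for a single port
    to_host: str           # DNAT target (NAT rules only)
    to_port: str
    desc: str


def parse_rule(line: str) -> Rule:
    """Split one rule line on '~'. Fields 9 and 11 (1-based) are not interpreted
    here; that they can be ignored for rendering is an assumption."""
    f = line.strip().split("~")
    if len(f) != 11:
        raise ValueError(f"expected 11 '~'-separated fields, got {len(f)}: {line!r}")
    return Rule(
        enabled=f[0] == "1",
        kind=f[1],
        protos=[p.lower() for p in f[2].split("/")],
        src=f[3],
        dport_lo=f[4],
        dport_hi=f[5],
        to_host=f[6],
        to_port=f[7],
        desc=f[9],
    )


def render(rule: Rule) -> List[str]:
    """Render a rule as iptables commands that match on the external interface,
    never on the external address, so a changed public IP does not strand them."""
    if not rule.enabled:
        return []
    src = "" if rule.src == "0/0" else f" -s {rule.src}"
    dport = f"{rule.dport_lo}:{rule.dport_hi}" if rule.dport_hi else rule.dport_lo
    cmds = []
    for proto in rule.protos:
        if rule.kind in ("NAT_EXT_DMZ", "NAT_EXT_LAN"):
            # A port range is forwarded unchanged; a single port may be remapped.
            target = rule.to_host if rule.dport_hi else f"{rule.to_host}:{rule.to_port}"
            cmds.append(
                f"iptables -t nat -A PREROUTING -i {EXT_IF}{src} -p {proto} "
                f"--dport {dport} -j DNAT --to-destination {target}"
            )
            # FORWARD sees the post-DNAT destination, so match on the inside host.
            fwd_port = dport if rule.dport_hi else rule.to_port
            cmds.append(
                f"iptables -A FORWARD -i {EXT_IF}{src} -p {proto} -d {rule.to_host} "
                f"--dport {fwd_port} -m state --state NEW -j ACCEPT"
            )
        elif rule.kind == "PASS_EXT_LOCAL":
            cmds.append(
                f"iptables -A INPUT -i {EXT_IF}{src} -p {proto} --dport {dport} "
                f"-m state --state NEW -j ACCEPT"
            )
        else:
            raise ValueError(f"unknown rule type {rule.kind!r}")
    return cmds


def render_all(text: str) -> List[str]:
    """Render every non-blank rule line in a GUI_FIREWALL_RULES block."""
    return [c for line in text.splitlines() if line.strip()
            for c in render(parse_rule(line))]


if __name__ == "__main__":
    for cmd in render_all(SAMPLE_RULES):
        print(cmd)
```

Running it prints nine commands for the four sample rules (TCP/UDP rules expand to two each). The point to check on the live box is whether its PREROUTING DNAT rules carry a `-d <old external IP>` match; if they do, they must be regenerated on every address change, which is exactly the symptom in the post.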
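The SCAN_CHECK chain in custom-rules relies on the netfilter `recent` match: `--set` records the source of every NEW packet to 5060/5061, and the three `--rcheck --seconds ... --hitcount ...` rules drop it once the address has been seen 20 times in 600 s, 12 times in 180 s or 4 times in 60 s. Below is an added example, not AstLinux or AIF code, that models that list behaviour in Python (timestamps kept newest-first, capped at the kernel default of 20 per address, which is the cap the post's comment refers to) and replays constructed connection attempts through it. It makes visible what the thresholds actually catch: a burst is dropped on the 4th attempt, while a source that spaces its attempts a minute apart is never dropped, so the `AIF:ScanDrop` log prefix is worth watching alongside, not instead of, the SIP registration logs. The kernel semantics reproduced here (the current packet counts because `--set` runs first; a stamp is inside the window when `stamp + seconds > now`) follow the xt_recent documentation.

```python
"""Added example: a model of the netfilter 'recent' match (--set / --rcheck
--seconds --hitcount) as used by the SCAN_CHECK chain in custom-rules, replayed
over constructed NEW-connection events.  Not AstLinux/AIF code."""
from collections import defaultdict
from typing import Dict, List, Tuple

IP_PKT_LIST_TOT = 20   # kernel default stamps kept per address (hence the 20 cap)

# (seconds, hitcount) pairs in the order the SCAN_CHECK chain tests them
SCAN_THRESHOLDS = [(600, 20), (180, 12), (60, 4)]


class RecentList:
    """One named list (the post's 'SCAN'): most recent timestamps per source."""

    def __init__(self, max_stamps: int = IP_PKT_LIST_TOT):
        self.max_stamps = max_stamps
        self.stamps: Dict[str, List[float]] = defaultdict(list)

    def set(self, src: str, now: float) -> None:
        """--set: record this packet, newest first, keeping only max_stamps."""
        lst = self.stamps[src]
        lst.insert(0, now)
        del lst[self.max_stamps:]

    def rcheck(self, src: str, now: float, seconds: int, hitcount: int) -> bool:
        """--rcheck --seconds S --hitcount H: true when the address is listed
        and at least H recorded packets fall inside the last S seconds."""
        if src not in self.stamps:
            return False
        hits = sum(1 for s in self.stamps[src] if s + seconds > now)
        return hits >= hitcount

    def scan_check(self, src: str, now: float) -> str:
        """Walk the SCAN_CHECK chain: --set first, then the three rcheck rules."""
        self.set(src, now)   # the current packet counts toward the hitcount
        for seconds, hitcount in SCAN_THRESHOLDS:
            if self.rcheck(src, now, seconds, hitcount):
                return "DROP"   # LOG_SCANDROP: logged as AIF:ScanDrop, then dropped
        return "ACCEPT"


def replay(events: List[Tuple[str, float]]) -> List[Tuple[str, float, str]]:
    """Feed (src, time) NEW-connection events through a fresh SCAN list."""
    rl = RecentList()
    return [(src, t, rl.scan_check(src, t)) for src, t in events]


# Constructed events (documentation addresses, not real hosts): a burst of
# four attempts in 30 s from one source, one attempt per minute from another.
BURST = [("198.51.100.7", t) for t in (0, 10, 20, 30)]
SLOW = [("198.51.100.8", t) for t in range(0, 1200, 60)]

if __name__ == "__main__":
    for src, t, verdict in replay(sorted(BURST + SLOW, key=lambda e: e[1])):
        print(f"{t:6.0f}s  {src:14s}  {verdict}")
```

Attempts every 30 s are a useful middle case: they slip under the 60 s and 180 s rules but the 600 s/20 rule fires on the 20th attempt, which is the most the list can remember per address, so lowering the time windows without raising the stamp limit cannot catch anything slower.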
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users