hi!
 
I'm trying hard to get port 12345 forwarded to 192.168.0.2.
With the same settings, port 7662 works, but there is no chance of getting 12345 forwarded ... ):
 
It would also be nice if anybody could tell me how I can close all ports on eth0 and then how I can selectively allow them again ...
 
Thanks anyway! (I hope all is okay, this is my first time using a mailing list ...)
 
>>>Alois
 
Here are my nmasq and portfw files:
 
nmasq:
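#!/bin/sh
#
# nmasq -- minimal masquerading firewall: enable IP forwarding, reset the
# filter and nat tables, and masquerade the internal LAN ($INTIF) behind
# the external interface ($EXTIF).
#
# Run this BEFORE portfw: it flushes the chains, so any rules added by
# portfw would be lost if the order were reversed.
#
# Globals: FWVER (read only; it is not set in this file and is expected to
#          come from the caller's environment)

# "echo -e" is a bashism; /bin/sh on several systems prints the "-e"
# literally, so printf is used for the escape sequences instead.
printf '\n\nLoading simple rc.firewall version %s..\n\n' "$FWVER"

IPTABLES=/sbin/iptables
EXTIF="eth0"
INTIF="eth1"

echo "   External Interface:  $EXTIF"
echo "   Internal Interface:  $INTIF"

echo "   enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "   clearing any existing rules and setting default policy.."
"$IPTABLES" -P INPUT ACCEPT
"$IPTABLES" -F INPUT
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -F OUTPUT
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -F FORWARD
"$IPTABLES" -t nat -F

echo "   FWD: Allow all connections OUT and only existing and related ones IN"
# LAN -> Internet: everything.
"$IPTABLES" -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
# Internet -> LAN: only replies to connections the LAN opened, plus their
# RELATED helper connections.  The previous version accepted ALL traffic on
# this path, which contradicted the message printed above, made the FORWARD
# DROP policy meaningless, and left every per-port ACCEPT and sanity rule
# appended later (e.g. by portfw) unused because this rule matched first.
# NEW inbound connections are opened per port by the DNAT + FORWARD ACCEPT
# pairs in portfw.
"$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "   Enabling SNAT (MASQUERADE) functionality on $EXTIF"
"$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

# Size of the connection-tracking table; every masqueraded flow needs an
# entry in it.
echo "65536" > /proc/sys/net/ipv4/ip_conntrack_max

printf '\nDone.\n\n'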
 
portfw:
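#!/bin/sh
#
# portfw -- forward selected TCP/UDP ports from the external interface
# ($EXTIF) to one LAN workstation, restrict some local services to the
# LAN, and add basic packet-sanity rules and kernel settings.
#
# Run this AFTER nmasq: nmasq flushes the filter and nat tables and sets
# the chain policies.  All FORWARD/INPUT rules below are appended (-A),
# so they only see packets that no earlier rule has already accepted; an
# unconditional "accept everything arriving on $EXTIF" rule installed
# before this script runs would make both the per-port forwards and the
# sanity drops below irrelevant.
#
# Globals (set here): IPTABLES, INTIF, EXTIF, EXTIP, WORKSTATION, LAN

echo "Enabling PORTFW Redirection on the external LAN.."

IPTABLES="/sbin/iptables"
INTIF="eth1"
EXTIF="eth0"
WORKSTATION="192.168.0.2"
# The LAN network.  The original rules wrote 192.168.0.1/24, which iptables
# masks to exactly this network; it is spelled out as the network address
# so the intent is obvious.
LAN="192.168.0.0/24"

# Current IPv4 address of the external interface.  Read from $EXTIF rather
# than a second hard-coded "eth0" so the two cannot drift apart; a single
# awk replaces the former grep | cut | awk pipeline with the same result.
EXTIP=$(/sbin/ifconfig "$EXTIF" | awk '/inet addr:/ { sub(/.*addr:/, ""); print $1 }')
if [ -z "$EXTIP" ]; then
  # Keep going so the INPUT restrictions and sanity rules are still
  # installed; the DNAT rules will be rejected by iptables and say so.
  echo "portfw: WARNING: no IPv4 address found on $EXTIF; DNAT rules will fail" >&2
fi

#######################################
# Forward one port (or a PORT:PORT range) from $EXTIF to $WORKSTATION:
# accept NEW connections on the FORWARD path and DNAT them in PREROUTING.
# Arguments: $1 - protocol (tcp|udp)
#            $2 - destination port or range
# Outputs:   none (iptables errors go to stderr)
#######################################
forward_port() {
  _proto=$1
  _port=$2
  "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" -p "$_proto" --dport "$_port" \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  # "--to" without a port keeps the original destination port, which is
  # exactly what the per-port "--to $WORKSTATION:PORT" form did, and it
  # also works for ranges.
  "$IPTABLES" -A PREROUTING -t nat -p "$_proto" -d "$EXTIP" --dport "$_port" \
    -j DNAT --to "$WORKSTATION"
}

#######################################
# Allow a local service only from the LAN; drop it from everywhere else.
# Arguments: $1 - protocol (tcp|udp)
#            $2 - destination port
#######################################
lan_only() {
  "$IPTABLES" -A INPUT -p "$1" -s "$LAN" --dport "$2" -j ACCEPT
  "$IPTABLES" -A INPUT -p "$1" --dport "$2" -j DROP
}

#------------------------
# Port forwarding: applications
#------------------------

# eMule
forward_port tcp 7662
forward_port udp 7662
# eMule web server
forward_port tcp 57662

# FSWeMule
forward_port tcp 9662
forward_port udp 9662
# FSWeMule web server
forward_port tcp 59662

# FTP on WORKSTATION (control connection on a non-standard port).
# NOTE(review): the conntrack FTP helper only inspects port 21 unless the
# module is loaded with a "ports=" list that includes 12345; without that
# the PASV/PORT replies are not rewritten and the data connection is
# attempted against the private address, which would make this forward
# behave differently from 7662 even though the rules look alike.  Confirm
# on the router which helper modules are loaded and with what options.
forward_port tcp 12345
# Passive port range for FTP on WORKSTATION
forward_port tcp 49152:51199

# VNC on WORKSTATION
forward_port tcp 5800
forward_port tcp 5900

#--------------------
# Port forwarding: games (currently disabled)
#--------------------

# Rise of Nations
#forward_port tcp 34987
#forward_port udp 34987
#forward_port tcp 28293
#forward_port udp 28293

# Unreal Tournament
#forward_port tcp 28902
#forward_port tcp 7777:7787
# (the next two only had the DNAT half, without a FORWARD ACCEPT, originally)
#forward_port udp 27900
#forward_port udp 7777:7787

# Diablo II
#forward_port tcp 4000
#forward_port tcp 6112
#forward_port tcp 6119
#forward_port udp 4000
#forward_port udp 6112
#forward_port udp 6119

# Serious Sam 2
#forward_port tcp 25600
#forward_port udp 25600

#------------------------
# Security blocks / misc
#------------------------

# Block individual source addresses.  Inserted (-I) at the top of FORWARD
# so they win over every ACCEPT rule, whatever order the scripts ran in.
for _ip in \
  194.158.136.95 \
  194.158.136.96 \
  212.88.169.23 \
  194.112.167.226 \
  195.58.165.220 \
  195.58.165.219 \
  194.129.73.179
do
  "$IPTABLES" -I FORWARD -s "$_ip" -j DROP
done
#"$IPTABLES" -I FORWARD -s 194.48.124.50 -j DROP

# Close ports.  The INPUT policy is ACCEPT (set by nmasq), so each service
# has to be restricted individually; to close everything on $EXTIF one
# would instead set the INPUT policy to DROP and add explicit ACCEPTs for
# the wanted services.
lan_only tcp 9
lan_only tcp 13
lan_only tcp 37
lan_only tcp 113
lan_only tcp 515
lan_only tcp 32768
lan_only tcp 6543
lan_only tcp 4446

# Restrict Samba to the LAN
lan_only tcp 139

# Restrict Webmin to the LAN
lan_only tcp 10000

# Make portmap unreachable from outside
lan_only tcp 111
lan_only udp 111

# Restrict X11 to the LAN
lan_only tcp 6001

# MY_DROP chain: rate-limited log entry, then drop.
"$IPTABLES" -N MY_DROP
"$IPTABLES" -A MY_DROP -m limit --limit 7200/h -j LOG --log-prefix "PORTSCAN DROP "
"$IPTABLES" -A MY_DROP -j DROP

# Log packets in state INVALID (rate-limited)
"$IPTABLES" -A INPUT   -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "INPUT INVALID "
"$IPTABLES" -A OUTPUT  -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "OUTPUT INVALID "
"$IPTABLES" -A FORWARD -m state --state INVALID -m limit --limit 7200/h -j LOG --log-prefix "FORWARD INVALID "

# Drop INVALID packets
for _chain in INPUT OUTPUT FORWARD; do
  "$IPTABLES" -A "$_chain" -m state --state INVALID -j DROP
done

# Drop impossible TCP flag combinations (stealth scans etc.) in INPUT and
# FORWARD.  Looping per chain yields the same rule order within each chain
# as the original interleaved list.
for _chain in INPUT FORWARD; do
  # no flags set
  "$IPTABLES" -A "$_chain" -p tcp --tcp-flags ALL NONE -j MY_DROP
  # SYN and FIN set
  "$IPTABLES" -A "$_chain" -p tcp --tcp-flags SYN,FIN SYN,FIN -j MY_DROP
  # SYN and RST set at the same time
  "$IPTABLES" -A "$_chain" -p tcp --tcp-flags SYN,RST SYN,RST -j MY_DROP
  # FIN and RST set at the same time
  "$IPTABLES" -A "$_chain" -p tcp --tcp-flags FIN,RST FIN,RST -j MY_DROP
  # FIN without ACK
  "$IPTABLES" -A "$_chain" -p tcp --tcp-flags ACK,FIN FIN -j MY_DROP
  # PSH without ACK
  "$IPTABLES" -A "$_chain" -p tcp --tcp-flags ACK,PSH PSH -j MY_DROP
  # URG without ACK
  "$IPTABLES" -A "$_chain" -p tcp --tcp-flags ACK,URG URG -j MY_DROP
done

# Clamp the TCP maximum segment size of forwarded connections to the path
# MTU.  NOTE(review): newer kernels accept the TCPMSS target only in the
# mangle table; if this rule is rejected, add "-t mangle" to it.
"$IPTABLES" -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# Connection tracking: everything the router itself opens, everything the
# LAN side opens, and replies to existing connections.
"$IPTABLES" -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# "-i ! eth0" is the obsolete intrapositioned negation; "! -i" is the
# current form, and $EXTIF replaces the hard-coded interface name.
"$IPTABLES" -A FORWARD ! -i "$EXTIF" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Kernel settings.  Errors are silenced where the original did so, because
# not every kernel exposes every one of these files.

# Disable BOOTP relaying and proxy ARP on every interface
for _conf in /proc/sys/net/ipv4/conf/*; do
  echo 0 > "$_conf/bootp_relay" 2> /dev/null
  echo 0 > "$_conf/proxy_arp" 2> /dev/null
done

# Ignore bogus ICMP error responses
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 2> /dev/null

# Ignore ICMP echo requests sent to broadcast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 2> /dev/null

# ICMP rate limit (original comment: max. 500/second, i.e. 5 per jiffy)
echo 5 > /proc/sys/net/ipv4/icmp_ratelimit

# Memory thresholds and timeout for IP fragment reassembly
echo 262144 > /proc/sys/net/ipv4/ipfrag_high_thresh
echo 196608 > /proc/sys/net/ipv4/ipfrag_low_thresh
echo 30 > /proc/sys/net/ipv4/ipfrag_time

# Shorter TCP FIN timeout (original comment: protection against DoS)
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout

# Original comment: "at most 3 replies to a TCP SYN".  NOTE(review):
# tcp_retries1 governs how many retransmissions happen before the routing
# layer is re-consulted; SYN retries are a different sysctl -- confirm
# which one was intended.
echo 3 > /proc/sys/net/ipv4/tcp_retries1

# Retransmit TCP packets at most 15 times
echo 15 > /proc/sys/net/ipv4/tcp_retries2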
