Hi,
I'm gonna comment your script below...
On Tue, 21 Jun 2005 22:13:48 +0600
"askar ..." <[EMAIL PROTECTED]> wrote:
> The iptables scripts as follows:
> ---------------------------------------------
> #!/bin/bash
> IPTABLES='/sbin/iptables'
>
> # Set interface values
> EXTIF='ppp0'
> INTIF1='eth0'
>
> # enable ip forwarding in the kernel
> /bin/echo 1 > /proc/sys/net/ipv4/ip_forward
Note that this would be better done in the ppp-connect script rather
than here. The iptables should be set up at boot time, I'd suggest. So
you're not imposing a (rather short) open firewall situation. In fact,
iptables doesn't care if interfaces are already available when setting
up routes.
> # flush rules and delete chains
> $IPTABLES -F
> $IPTABLES -X
>
> # enable masquerading to allow LAN internet access
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
this is OK as it only alters outgoing traffic to ppp0.
> # forward LAN traffic from $INTIF1 to Internet interface $EXTIF
> $IPTABLES -A FORWARD -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED -j ACCEPT
Hm, you may want to add "RELATED" to that state list...
> #echo -e " - Allowing access to the SSH server"
> $IPTABLES -A INPUT --protocol tcp --dport 22 -j ACCEPT
>
> #echo -e " - Allowing access to the HTTP server"
> $IPTABLES -A INPUT --protocol tcp --dport 80 -j ACCEPT
Not needed, as all respective packets will get rewritten to 192.168.0.2
and will never hit the INPUT table. That doesn't include packets from
internal LAN, see respective rule below.
> # block out all other Internet access on $EXTIF
> $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,INVALID -j DROP
Hm, you may switch that to a simple
$IPTABLES -P INPUT DROP
At least, the state matching is completely unnecessary here. SSH would
already be accepted at this point.
[from here use proposed parts below, I'll continue commenting]
> $IPTABLES -A FORWARD -i $EXTIF -m state --state NEW,INVALID -j DROP
?!? This would drop all requests from ppp0, especially the ones to the
www port...
> $IPTABLES -A FORWARD -i eth0 -o ppp0 -j LOG --log-prefix "Dropped outgoing: "
> $IPTABLES -A FORWARD -i ppp0 -o eth0 -j LOG --log-prefix "Dropped incoming: "
will (almost) never hit, because packets _are_ dropped already.
> $IPTABLES -A FORWARD -i ppp0 -d 192.168.0.2 -p tcp --dport 80 -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
and thus this cannot match, either.
so from above [...] marked point, the approach would be
$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport 80 -d 192.168.0.2 \
-m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -t nat -A PREROUTING -i $EXTIF -p tcp --dport 80 \
-j DNAT --to 192.168.0.2
This will alter the destination IP and let FORWARD rules apply.
Note that any Logging entries must be inserted before the respective
ACCEPTs or DROPs.
HWH
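Putting the reply's points together (default-deny policies set at boot before anything else, RELATED in the state lists, the port 80 DNAT in nat/PREROUTING with a matching FORWARD accept, LOG rules placed after the ACCEPTs so they actually match what the policy drops), here is a complete script as an added example. It is not the original poster's script nor the reviewer's, and it makes a few assumptions beyond the thread: the interface names and the 192.168.0.2 web server come from the thread, the port 22 rule keeps the original SSH access, LAN hosts are trusted on INPUT, and the `run` helper with `DRY_RUN=1` is a hypothetical convenience so the rule set can be printed and checked without root or a real ppp0.

```sh
#!/bin/sh
# Added example, not the script from the thread. Interface names and the
# web server address are taken from the thread; DRY_RUN=1 prints the
# iptables commands instead of executing them (assumed helper, for checking
# the rule order without root).
IPTABLES="${IPTABLES:-/sbin/iptables}"
EXTIF='ppp0'
INTIF1='eth0'
WEBSRV='192.168.0.2'   # internal HTTP server, as in the thread

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

apply_firewall() {
    # Default-deny policies first, so there is no window with empty, open
    # chains; flushing rules does not reset a chain policy.
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -P OUTPUT ACCEPT
    run "$IPTABLES" -F
    run "$IPTABLES" -X
    run "$IPTABLES" -t nat -F

    # INPUT: loopback, replies to the box's own connections, the LAN
    # (assumed trusted), and SSH from the outside.
    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    run "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A INPUT -i "$INTIF1" -j ACCEPT
    run "$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # FORWARD: LAN to Internet, plus port 80 to the DNATed web server.
    # RELATED covers e.g. ICMP errors and FTP data connections.
    run "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$INTIF1" -o "$EXTIF" -m state --state NEW -j ACCEPT
    run "$IPTABLES" -A FORWARD -i "$EXTIF" -d "$WEBSRV" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT

    # LOG rules go after the ACCEPTs: whatever reaches them is exactly what
    # the DROP policy will discard next.
    run "$IPTABLES" -A INPUT -i "$EXTIF" -j LOG --log-prefix "Dropped input: "
    run "$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF1" -j LOG --log-prefix "Dropped incoming: "
    run "$IPTABLES" -A FORWARD -i "$INTIF1" -o "$EXTIF" -j LOG --log-prefix "Dropped outgoing: "

    # nat: rewrite port 80 arriving on ppp0 to the web server (the FORWARD
    # rules above then decide), and masquerade everything leaving ppp0.
    run "$IPTABLES" -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 80 -j DNAT --to "$WEBSRV"
    run "$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# ip_forward is deliberately not touched here: as the reply says, that
# belongs in the ppp connect script, while these rules belong at boot.
case "${1:-}" in
    apply) apply_firewall ;;
esac
```

Usage: `DRY_RUN=1 sh fw.sh apply` prints the 18 commands in order so the placement of the LOG rules and the DNAT can be eyeballed; `sh fw.sh apply` as root installs them.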