Maybe you can see what I just did and add this to your
"/etc/rc.d/init.d/firewall" and use ./firewall start | restart | stop
--
Moonshi Mohsenruddin [EMAIL PROTECTED]
Singapore icq:2595480 http://www.linux.com.sg
#root@firewall:/etc/rc.d/init.d > cat firewall | more
#!/bin/sh
#
# Firewall rules (ipfwadm)
# ------------------------
# eth0 is the Internet-facing interface; INT_NET is the masqueraded LAN.
#
# Source function library.
#. /etc/rc.d/init.d/functions
[ -f /sbin/ipfwadm ] || exit 0
IPFW="/sbin/ipfwadm"
MQMOD="/sbin/modprobe"
INT_NET="192.168.1.0/24"
ANY_NET="0.0.0.0/0"
RINETD="/sbin/rinetd"
# See how the rules are called.
case "$1" in
start)
echo -n "Starting Firewall: "
# Default forwarding policy deny, then flush the forward, input and output chains
$IPFW -F -p deny
$IPFW -F -f
$IPFW -I -f
$IPFW -O -f
# Load masquerading helper modules (FTP, RealAudio, IRC, CU-SeeMe, VDOLive, Quake)
echo -n "Load masquerading modules: "
$MQMOD ip_masq_ftp
$MQMOD ip_masq_raudio
$MQMOD ip_masq_irc
$MQMOD ip_masq_cuseeme
$MQMOD ip_masq_vdolive
$MQMOD ip_masq_quake
# Anti-spoofing: drop packets arriving on the Internet side that claim an internal source
$IPFW -I -a deny -S $INT_NET -W eth0
# Masquerade INT_NET to Internet
echo -n "Masquerade INT_NET > Internet: "
$IPFW -F -a accept -m -S $INT_NET -W eth0
$IPFW -O -a accept -P all -S $INT_NET -D $ANY_NET -W eth0
$IPFW -F -a accept -D $INT_NET -W eth0
$IPFW -I -a accept -S $INT_NET -W eth0
# Replies to masqueraded clients: DNS answers from port 53 and TCP to ephemeral ports
$IPFW -I -a accept -P udp -S $ANY_NET 53 -D $INT_NET 1024:65535 -W eth0
$IPFW -I -a accept -P tcp -S $ANY_NET -D $INT_NET 1024:65535 -W eth0
# Accept Internet daemon connections to servers
# NOTE: a /24 mask on a host address (192.168.1.11/24) matches the whole
# 192.168.1.0/24, not one server; a single host needs /32. A source port
# pinned to the service port (-S $ANY_NET 80) only matches packets sent
# FROM port 80; real clients connect from ephemeral source ports.
echo -n "Accept Internet daemons to INT_NET: "
$IPFW -I -a accept -P tcp -S $ANY_NET 80 -D 192.168.1.11/24 80    # web traffic
$IPFW -I -a accept -P tcp -S $ANY_NET 443 -D 192.168.1.11/24 443  # ssl traffic
$IPFW -I -a accept -P tcp -S $ANY_NET 25 -D 192.168.1.11/24 25    # smtp traffic
$IPFW -I -a accept -P tcp -S $ANY_NET 110 -D 192.168.1.11/24 110  # pop3 traffic
$IPFW -I -a accept -P tcp -S $ANY_NET 22 -D 192.168.1.1/24 22     # ssh traffic
$IPFW -I -a accept -P tcp -S $ANY_NET 20 -D 192.168.1.0/24 1024:65535  # active-mode ftp data
echo
;;
stop)
echo -n "Shutting down Firewall: "
# Flush all chains and open the default policies
$IPFW -F -f
$IPFW -I -f
$IPFW -O -f
$IPFW -F -p allow
$IPFW -O -p allow
echo
;;
restart)
$0 stop
$0 start
;;
*)
echo "Usage: $0 {start|stop|restart}"
exit 1
;;
esac
exit 0
Then add these to your "/etc/rinetd.conf":
# Start RINETD (TCP Redirector)
# /etc/rinetd.conf
<external ip address of service> <port> <private ip address of service> <port>
# Example:
203.116.3.14 80 192.168.100.11 80
# End
and add "/usr/sbin/rinetd" in your "/etc/rc.d/rc.local".
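The ipfwadm rules above carry two mistakes a reviewer would flag: a /24 mask on a single server's address, and inbound service rules whose source port is pinned to the service port. The following POSIX sh lint is an added example, not part of the original post; the function names and the sample rule lines are my own, written in the style of the script:

```shell
#!/bin/sh
# Added lint for ipfwadm accept rules (not from the original post). It flags
# (1) a host address under a network-size mask, e.g. 192.168.1.11/24, which
# matches all of 192.168.1.0/24 rather than one server, and (2) a TCP rule with
# source and destination both pinned to one service port (-S any 80 -D host 80),
# which never matches real clients because they connect from ephemeral ports.
# Reply rules like "-S any 53 -D net 1024:65535" pass. Rules come from stdin;
# one diagnostic per finding is printed and the exit status is the finding count.
# host_bits ADDR/PREFIX: prints the address bits that fall outside the mask (0 = clean)
host_bits() {
    echo "$1" | awk -F'[./]' 'NF==5 { ip=(($1*256+$2)*256+$3)*256+$4; print ip%(2^(32-$5)); exit } { print 0 }'
}
# is_single_port ARG: true for a lone port number, false for '' or a low:high range
is_single_port() { case "$1" in ''|*:*|*[!0-9]*) return 1;; esac; }
lint_ipfwadm_rules() {
    findings=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n+1)); sport=''; dport=''
        case "$line" in *'-a accept'*) ;; *) continue;; esac   # only accept rules widen exposure
        set -- $line
        while [ $# -gt 0 ]; do
            case "$1" in
            -S|-D)
                [ $# -ge 2 ] || break; flag=$1; addr=$2; port=''; shift 2
                case "$1" in [0-9]*) port=$1; shift;; esac     # optional port or low:high after the address
                if [ "$flag" = -S ]; then sport=$port; else dport=$port; fi
                case "$addr" in */*)
                    if [ "$(host_bits "$addr")" -ne 0 ]; then
                        echo "line $n: $flag $addr has host bits outside its /${addr#*/} mask, so it matches a whole network"
                        findings=$((findings+1))
                    fi;;
                esac;;
            *) shift;;
            esac
        done
        if is_single_port "$sport" && is_single_port "$dport" && [ "$dport" -le 1023 ]; then
            echo "line $n: source port pinned to $sport; clients use ephemeral source ports, so this never matches them"
            findings=$((findings+1))
        fi
    done
    return $findings
}
# Constructed sample lines in the style of the script above (not the script itself)
sample_rules() {
    cat <<'EOF'
$IPFW -I -a accept -P udp -S $ANY_NET 53 -D $INT_NET 1024:65535 -W eth0
$IPFW -I -a accept -P tcp -S $ANY_NET 80 -D 192.168.1.11/24 80
$IPFW -I -a accept -P tcp -S $ANY_NET 1024:65535 -D 192.168.1.11/32 80
$IPFW -I -a deny -S $INT_NET -W eth0
EOF
}
if sample_rules | lint_ipfwadm_rules; then echo "no findings"; else echo "findings: $?"; fi
```

Only the second sample line is reported, once for each mistake; the DNS reply rule and the /32 rule with an ephemeral source range pass.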
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Catalin BOIE
Sent: Thursday, August 26, 1999 2:05 PM
To: Martin Krzywinski
Cc: Vanc Linux Group; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Re: IP Chains and port forwarding
On Wed, 25 Aug 1999, Martin Krzywinski wrote:
>
> I'm starting to fiddle with ipchains. I'm masquerading
>
> router --- [x.x.199.193]FIREWALL[10.1.1.1] --- private network
>
> A few things aren't working. For example, I can't ftp out of the private
> clients. The connection is made but the server complains about port
> numbers. I guess there's something screwy in the masquerading setup.
> Telnet and browsing work fine. Http downloads work fine.
>
Insert ip_masq_ftp & Co. modules.
> I've got
>
> ipchains -A forward -j MASQ
>
> added, but just that for now.
>
> In addition, I'd like to have internal web/ftp/ssh servers. How can I
> forward requests to x.x.199.194 on a given port, say 23, to go to
> 10.1.1.Y:23?
>
> Thanks for any info,
>
> Martin
>
> --------------------------------------------
> And I keep hearing from the cellar bin
> The rumbling sound
> Of load on load of apples coming in.
> For I have had too much
> Of apple-picking: I am overtired
> Of the great harvest I myself desired.
> Robert Frost (After Apple-Picking)
> --------------------------------- 575/1424 -
--
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to [EMAIL PROTECTED]