/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting!
/* ALSO: Don't quote this header. It makes you look lame :-) */
Sorry this is so long - but I hope that it will read clearly and be obvious.
OK - I've been spoiled by the absolutely brilliant design of ip masq scripts by David Ranch (how's that for sucking up?)
Seriously though, I thoroughly understood David's flow, logic and command structure and unfortunately, I am left to struggle myself while David struggles with it too - see section 6.4 of his 'beta' version of Trinity OS.
OK - I'm not bright enough or have no experience with BSD to comprehend all of the potential of iptables but I can tell that it's awesome.
I will try to keep my questions as short as possible...
I have used the script from Boing World - simple / works - including the DNAT implementation to forward specific ports to an internal LAN host. I have no problems using this script but it's obvious - especially after looking at other scripts - that this lacks a bunch.
I have used gShield, a bit clumsy, good concept, too much hidden, and it blocked ports on the internal LAN that shouldn't have been blocked, and I was certain that my continuing to use it would not further my understanding of iptables. Felt similarly about Ferm.
So I am playing with the ruleset of www.sentry.net/~obsid samples and I like it, but I haven't gotten the DNAT to work (not a major problem at this point); other issues abound and I will confine my questions to the flow of this ruleset.
1. Seems that the flow is...
- insmod all the modules for iptables
- flush all rules
- establish addresses for interfaces
- define user-defined chains
- execute input rules
- execute output rules
- execute forward rules
- define NAT addresses (could probably be moved up top with others)
- define DNAT rules
- define SNAT rules
- define explicitly, kernel configuration / deny source routing etc.
Does this make sense?
2. The rules for DENY / ALLOW are for both the internal & external interface and this isn't desirable. I want to run DHCP & BIND on the internal interface for the internal LAN but have them blocked on the external interface.
Specifically, the rule for deny looks like...
$IPTABLES -N DENY_PORTS
$IPTABLES -F DENY_PORTS
DENIED_PORTS_TCP="23 137:139 2049 6000:6063 \
    20034 12345:12346 27374 27665 \
    27444 31335 10498 12754"
for PORT in $DENIED_PORTS_TCP; do
    # log (rate limited) and then drop, matching the port as either
    # destination or source
    $IPTABLES -A DENY_PORTS -p tcp --dport $PORT \
        -m limit --limit 5/minute \
        -j LOG --log-level $LOG_LEVEL --log-prefix "DENIED PORT:"
    $IPTABLES -A DENY_PORTS -p tcp --sport $PORT \
        -m limit --limit 5/minute \
        -j LOG --log-level $LOG_LEVEL --log-prefix "DENIED PORT:"
    $IPTABLES -A DENY_PORTS -p tcp --dport $PORT -j DROP
    $IPTABLES -A DENY_PORTS -p tcp --sport $PORT -j DROP
done
and then later on in the script
## Filter incoming packets based on port number.
$IPTABLES -A EXTERNAL_INPUT -i $EXTERNAL -p ! icmp -j DENY_PORTS
This is cool, but if I add port 21 to this list (I don't want to allow FTP in), then I can't FTP out from the internal LAN.
QUESTION: Do I duplicate the entire set of rules as
$IPTABLES -N DENY_PORTS_INTIF (and everything that followed that section)
and
$IPTABLES -N DENY_PORTS_EXTIF (and everything that followed that section)
and then later on...
$IPTABLES -A EXTERNAL_INPUT -i $EXTERNAL -p ! icmp -j DENY_PORTS_EXTIF
$IPTABLES -A INTERNAL_INPUT -i $INTERNAL -p ! icmp -j DENY_PORTS_INTIF
?
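One way to get the per-interface split asked about in question 2, as an added example written for this reply rather than code from the sentry.net ruleset or from the post (the eth0/eth1 names, the LOG_LEVEL default, the -m state --state NEW match and the pre-existing EXTERNAL_INPUT / INTERNAL_INPUT chains are assumptions): each interface gets its own deny chain, and the chain matches only the destination port of new connections, so a remote server's replies from port 21 to an FTP session the LAN opened are not caught the way the original --sport rule catches them.

```shell
#!/bin/sh
# Added example (not from the sentry.net ruleset): one deny chain per
# interface. Interface names and the state match are assumptions.
IPTABLES="${IPTABLES:-/sbin/iptables}"
EXTERNAL="${EXTERNAL:-eth0}"      # assumed Internet-facing interface
INTERNAL="${INTERNAL:-eth1}"      # assumed LAN interface
LOG_LEVEL="${LOG_LEVEL:-info}"

# Ports refused from the Internet; 21 is added as in the question.
DENIED_PORTS_EXTIF="21 23 137:139 2049 6000:6063"
# Ports refused from the LAN; DHCP (67) and DNS (53) are deliberately
# absent here so internal hosts can still reach them.
DENIED_PORTS_INTIF="6000:6063"

# build_deny_chain CHAIN "PORT PORT ..." - creates and fills a chain that
# logs (rate limited) and drops new connections to the listed TCP ports.
build_deny_chain() {
    chain=$1
    ports=$2
    $IPTABLES -N "$chain"
    $IPTABLES -F "$chain"
    for PORT in $ports; do
        # Only the destination port of a NEW connection is matched; the
        # original chain's --sport rule would also drop replies from a
        # remote server on port 21 to an FTP session the LAN opened.
        $IPTABLES -A "$chain" -p tcp --dport "$PORT" -m state --state NEW \
            -m limit --limit 5/minute \
            -j LOG --log-level "$LOG_LEVEL" --log-prefix "DENIED PORT:"
        $IPTABLES -A "$chain" -p tcp --dport "$PORT" -m state --state NEW \
            -j DROP
    done
}

build_ruleset() {
    build_deny_chain DENY_PORTS_EXTIF "$DENIED_PORTS_EXTIF"
    build_deny_chain DENY_PORTS_INTIF "$DENIED_PORTS_INTIF"
    # Each chain is consulted only for packets arriving on its own
    # interface, so port 21 is closed from outside but open from the LAN.
    $IPTABLES -A EXTERNAL_INPUT -i "$EXTERNAL" -p ! icmp -j DENY_PORTS_EXTIF
    $IPTABLES -A INTERNAL_INPUT -i "$INTERNAL" -p ! icmp -j DENY_PORTS_INTIF
}

# Dry run by default: print the commands instead of loading them.
# Run as "./deny_chains.sh apply" to load the rules for real.
case "${1:-dry-run}" in
    apply) build_ruleset ;;
    *) ( IPTABLES=echo; build_ruleset ) ;;
esac
```

The state match needs its kernel module loaded, so it belongs with the insmod step at the top of the ruleset.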
3. Lastly, the following won't work...
# $IPTABLES -t nat -A PREROUTING -i $EXTERNAL \
# -p tcp -d $EXT_IP --dport 22 \
# -j DNAT --to-destination 192.168.69.69:22
but if I remove "-d $EXT_IP" and change "--to-destination" to "--to" it works - does this make sense? I liked having the External IP address included.
Thanks,
Craig
_______________________________________________
Masq maillist - [EMAIL PROTECTED]