/* HINT: Search archives @ http://www.indyramp.com/masq/ before posting!
/* ALSO: Don't quote this header. It makes you look lame :-) */
Hi,
I am trying to figure out how to setup IPTABLES. I need to allow Everyone on the LAN
to have Natted access to the internet. And I need to allow Port 10000 on the router to
be accessed from anywhere. I also need to allow Port 80,25,443,8080 to be forwarded to
a internal address. Can someone please look at the script below, and tell me what I am
doing wrong. Everyone inside can get out to the internet fine. But external
connections to port 10000 or any of the "forwarding" ports fail... If I set the
default connects to allow this problem goes away..
Thanks for your help..
Ryan
#!/bin/sh
#
# Firewall Script
# By: Ryan C. Bonham
#
# Program Locations
#
GREP=/bin/grep
IPTABLES=/sbin/iptables
IFCONFIG=/sbin/ifconfig
ROUTE=/sbin/route
#
# Make Sure Modules are all loaded
#
echo -en " loading modules: "
echo " - Verifying that all kernel modules are ok"
/sbin/depmod -a
# Declare all Variables for LAN
#
INTIF="eth1"
INTIP="10.0.2.8"
INTSUBNET="255.0.0.0"
INTNETWORKCIDER="10.0.0.0"
INTSUBNETCIDER="8"
#
# Declare all Variables for WAN
#
EXTIF="eth0"
EXTIP="65.167.47.254"
EXTSUBNET="255.255.255.252"
GATEWAY="65.15.167.47.252"
#
# Declare all Variables for Internal Servers
#
WEBSERVER="10.0.2.5"
POPSERVER="10.0.2.5"
SMTPSERVER="10.0.2.5"
FTPSERVER="10.0.2.5"
FRONTPAGE="Y"
WEBMIN="Y"
#
#Declare MISC. Variables
#
UNIVERSE="0.0.0.0/0"
#
#Bring LAN UP
#
$IFCONFIG $INTIF $INTIP netmask $INTSUBNET
#
# Bring WAN UP
#
$IFCONFIG $EXTIF $EXTIP netmask $EXTSUBNET
#
# Set Default Gateway
#
$ROUTE add default gw $GATEWAY
#
# Set iptables loaction
#
IPTABLES=/sbin/iptables
#
# Display Interfaces
#
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
#
#Start IP Forwarding
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Clear Existing Rules and set Defualt Policy
#
echo " clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
# Flush the user chain.. if it exists
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
$IPTABLES -F drop-and-log-it
fi
#Delete all User-specified chains
#
$IPTABLES -X
#
# Reset all IPTABLES counter
#
$IPTABLES -Z
#
# Create DROP chain
#
echo " Creating DROP Chain..."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j DROP
#
# If we defined a webserver address activate port forwarding for port 80 and 443
#
if [ $WEBSERVER != "0" ]; then
# Open Port 80
echo " Setting up webserver.."
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 80 -j DNAT --to
$WEBSERVER:80
$IPTABLES -t nat -A POSTROUTING -d $WEBSERVER -s
$INTNETWORKCIDER/$INTSUBNETCIDER -p tcp --dport 80 -j SNAT --to $INTIP
$IPTABLES -A OUTPUT -t nat -p tcp -d $EXTIP --dport 80 -j DNAT --to
$WEBSERVER:80
$IPTABLES -A FORWARD -d $WEBSERVER -p tcp -d --dport 80 -j ACCEPT
# Open Port 4430
echo " Setting up secure webserver.."
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 443 -j DNAT --to
$WEBSERVER:443
$IPTABLES -t nat -A POSTROUTING -d $WEBSERVER -s
$INTNETWORKCIDER/$INTSUBNETCIDER -p tcp --dport 443 -j SNAT --to $INTIP
$IPTABLES -A OUTPUT -t nat -p tcp -d $EXTIP --dport 443 -j DNAT --to
$WEBSERVER:443
$IPTABLES -A FORWARD -d $WEBSERVER -p tcp -d --dport 443 -j ACCEPT
fi
if [ $FRONTPAGE = "Y" ]; then
# Open Port 8080
echo " Setting up Frontpage Administration.."
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 8080 -j DNAT --to
$WEBSERVER:8080
$IPTABLES -t nat -A POSTROUTING -d $WEBSERVER -s
$INTNETWORKCIDER/$INTSUBNETCIDER -p tcp --dport 8080 -j SNAT --to $INTIP
$IPTABLES -A OUTPUT -t nat -p tcp -d $EXTIP --dport 8080 -j DNAT --to
$WEBSERVER:8080
$IPTABLES -A FORWARD -d $WEBSERVER -p tcp -d --dport 8080 -j ACCEPT
fi
#
# If a POP server is defined then start prot forwarding for port 110
#
if [ $POPSERVER != "0" ]; then
# Open Port 110
echo " Setting up POP Server.."
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 110 -j DNAT --to
$WEBSERVER:110
$IPTABLES -t nat -A POSTROUTING -d $WEBSERVER -s
$INTNETWORKCIDER/$INTSUBNETCIDER -p tcp --dport 110 -j SNAT --to $INTIP
$IPTABLES -A OUTPUT -t nat -p tcp -d $EXTIP --dport 110 -j DNAT --to
$WEBSERVER:110
$IPTABLES -A FORWARD -d $WEBSERVER -p tcp -d --dport 110 -j ACCEPT
fi
#
# If a SMTP server is defined then start prot forwarding for port 25
#
if [ $SMTPSERVER != "0" ]; then
# Open Port 25
echo " Setting up SMTP Server.."
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 25 -j DNAT --to
$WEBSERVER:25
$IPTABLES -t nat -A POSTROUTING -d $WEBSERVER -s
$INTNETWORKCIDER/$INTSUBNETCIDER -p tcp --dport 25 -j SNAT --to $INTIP
$IPTABLES -A OUTPUT -t nat -p tcp -d $EXTIP --dport 25 -j DNAT --to
$WEBSERVER:25
$IPTABLES -A FORWARD -d $WEBSERVER -p tcp -d --dport 25 -j ACCEPT
fi
#
# IF a FTP Server is defined tehn start port forwarding for port 21
#
if [ $FTPSERVER != "0" ]; then
# Open Port 21
echo " Setting up FTP Server.."
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 21 -j DNAT --to
$WEBSERVER:21
$IPTABLES -t nat -A POSTROUTING -d $WEBSERVER -s
$INTNETWORKCIDER/$INTSUBNETCIDER -p tcp --dport 21 -j SNAT --to $INTIP
$IPTABLES -A OUTPUT -t nat -p tcp -d $EXTIP --dport 21 -j DNAT --to
$WEBSERVER:21
$IPTABLES -A FORWARD -d $WEBSERVER -p tcp -d --dport 21 -j ACCEPT
fi
#
# Setup Rules to allow webmin access
#
if [ $WEBMIN = "Y" ]; then
echo " Allow Webmin.."
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -p TCP -d $EXITIP --dport 10000 -j
ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 10000 -j ACCEPT
fi
##############################################################################################
# INPUT: Incomming traffic. All rulesets are flushed and set to drop traffic by defualt
#
echo " --- Loading INPUT Ruleset.."
#
# Allow Loopback Device..
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
#
# Local Interface going anywhere is valid
#
$IPTABLES -A INPUT -i $INTIF -s $INTNETWORKCIDER/$INTSUBNETCIDER -d $UNIVERSE -j ACCEPT
#
# Remote Interface, claiming to be local machines, IP spoofing, get lost.
#
$IPTABLES -A INPUT -i $EXTIF -s $INTNETWORKCIDER/$INTSUBNETCIDER -d $UNIVERSE -j
drop-and-log-it
#
# ALLOW ICMP Traffic from External Interface PING
#
$IPTABLES -A INPUT -i $EXTIF -p ICMP -s $UNIVERSE -d $EXTIP -j ACCEPT
#
# Allow any related traffic comming to firewall back in
#
$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXITIP -m state --state
ESTABLISHED,RELATED -j ACCEPT
#
# Catch all rule, deny and log all other trafic
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
##############################################################################################
# OUTPUT: Outgoing traffic. All rulesets are flushed and set to drop traffic by defualt
#
echo " --- Loading OUTPUT Ruleset.."
#
#
# Allow Loopback Device..
#
$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
#
# Local Interface, anything going back to Local Net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP -d $INTNETWORKCIDER/$INTSUBNETCIDER -j ACCEPT
#
# Local Interface, anything going back to Local Net is valid
#
$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNETWORKCIDER/$INTSUBNETCIDER -j ACCEPT
#
# Make sure no packets bound to INTNET go out
#
$IPTABLES -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNETWORKCIDER/$INTSUBNETCIDER -j
drop-and-log-it
#
# Anything else going out is valid
#
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
#
# Catch all rule, deny and log all other trafic
#
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
##############################################################################################
# Forward: Forwarding traffic. All rulesets are flushed and set to drop traffic by
defualt
#
echo " --- Forward OUTPUT Ruleset.."
# FWD: Allow all connections out and only related/existing IN
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j drop-and-log-it
#
# Start IP Masquerading for clients
#
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
#
# ALL DONE
#
echo "FIREWALL RUNNING..."
_______________________________________________
Masq maillist - [EMAIL PROTECTED]
Admin requests can be handled at http://www.indyramp.com/masq-list/ --
THIS INCLUDES UNSUBSCRIBING!
or email to [EMAIL PROTECTED]
PLEASE read the HOWTO and search the archives before posting.
You can start your search at http://www.indyramp.com/masq/
Please keep general linux/unix/pc/internet questions off the list.
