Hello to you all,

I have this slight problem with a new firewall script which I made two days ago. After
looking at it for a few hours and actually seeing the port mappings not working (also without
success in making them work....), I decided to send it to you.

May I ask a little of your valuable time to have a look at the script below? Why are my
port mappings not working? According to my readings/understanding of Netfilter they
should work....

Many thanks in advance,
with friendly greetings,

Jaap Crezee
JCZ-Automatisering
The Netherlands

NB1. I also want to rate-limit ICMP packets => if someone can tell me in a few
seconds, please tell me what to change.
NB2. Also, if it's not too much of your time, how can I efficiently log dropped packets? (Not
there in the howto yet :))
NB3. Script:
#!/bin/sh
INTIF=eth1
EXTIF=eth0
IPTABLESCMD=/usr/local/sbin/iptables
TCP_SERVICES="21,22,23,25,110,443,1494,8080,3000,3001,3389"
$IPTABLESCMD -F
$IPTABLESCMD -F INPUT
$IPTABLESCMD -F OUTPUT
$IPTABLESCMD -F FORWARD
$IPTABLESCMD -F -t mangle
$IPTABLESCMD -F -t nat
$IPTABLESCMD -X
############## network agression protection ###############
# ignore 'snort' or 'ICMP (ping) broadcast' attacks
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# ignore bogus 'ICMP dead error replies'
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# anti IP spoofing
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# disable ICMP redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
############### reject strange packets #####################
# reject fragmented packets
$IPTABLESCMD -A INPUT -i $EXTIF -f -j DROP
# reject private network ranges from external interface
$IPTABLESCMD -A INPUT -i $EXTIF -s 127.0.0.1 -j DROP
$IPTABLESCMD -A INPUT -i $EXTIF -s 10.0.0.0/8 -j DROP
$IPTABLESCMD -A INPUT -i $EXTIF -s 172.16.0.0/12 -j DROP
$IPTABLESCMD -A INPUT -i $EXTIF -s 192.168.0.0/16 -j DROP
############### Port forwarding ############################
# WorldClient
$IPTABLESCMD -t nat -A PREROUTING -p tcp --dport 3000 -i $EXTIF -j DNAT --to 10.0.0.2:3000
# ConfigClient
$IPTABLESCMD -t nat -A PREROUTING -p tcp --dport 3001 -i $EXTIF -j DNAT --to 10.0.0.2:3001
# Windhoos Terminal Server
$IPTABLESCMD -t nat -A PREROUTING -p tcp --dport 3389 -i $EXTIF -j DNAT --to 10.0.0.2:3389
# Citrix Metaframe
$IPTABLESCMD -t nat -A PREROUTING -p tcp --dport 1494 -i $EXTIF -j DNAT --to 10.0.0.2:1494
# Mail
$IPTABLESCMD -t nat -A PREROUTING -p tcp --dport 25 -i $EXTIF -j DNAT --to 10.0.0.2:25
$IPTABLESCMD -t nat -A PREROUTING -p tcp --dport 110 -i $EXTIF -j DNAT --to 10.0.0.2:110
# ssh jc (jc = internal workstation)
$IPTABLESCMD -t nat -A PREROUTING -p tcp --dport 2222 -i $EXTIF -j DNAT --to 10.0.1.2:22
############### Actual routing #############################
# turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLESCMD -P INPUT DROP
$IPTABLESCMD -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLESCMD -A INPUT -i $EXTIF -m state --state NEW -p tcp -m multiport --dport $TCP_SERVICES -j ACCEPT
$IPTABLESCMD -A INPUT -i $INTIF -m state --state NEW -j ACCEPT
$IPTABLESCMD -A INPUT -i lo -m state --state NEW -j ACCEPT
$IPTABLESCMD -A INPUT -i $EXTIF -p icmp -j ACCEPT
$IPTABLESCMD -P FORWARD DROP
$IPTABLESCMD -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLESCMD -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLESCMD -P OUTPUT ACCEPT
$IPTABLESCMD -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
--
With kind regards,
Jaap Crezee
Icq: 85373921
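An added example, not part of the poster's message or script, covering the three questions above. The port mappings fail because DNAT in nat/PREROUTING only rewrites the destination address; the packet then traverses the filter FORWARD chain with its new destination (10.0.0.2), and the script's FORWARD chain has policy DROP and accepts from eth0 only ESTABLISHED,RELATED traffic, so the first packet of every inbound connection is dropped. Each mapping needs a matching FORWARD ACCEPT for NEW connections. The helpers below also show ICMP rate limiting with the limit match and logging of dropped packets with the LOG target. The function names and the "echo iptables" dry-run convention are my own assumptions; IPT, EXTIF and INTIF default to values matching the script. (The INPUT-chain drops of 10.0.0.0/8 are not the cause: INPUT is not consulted for forwarded packets.)

```shell
#!/bin/sh
# Added example, not the poster's script. Three helpers for the three
# questions in the post: DNAT that actually forwards, ICMP rate limiting,
# and logging of dropped packets. IPT defaults to "echo iptables" so the
# generated rules can be read without root; run with
# IPT=/usr/local/sbin/iptables to apply them. Function names are assumed.
IPT="${IPT:-echo iptables}"   # expanded unquoted below so "echo iptables" splits into two words
EXTIF="${EXTIF:-eth0}"
INTIF="${INTIF:-eth1}"

# DNAT in nat/PREROUTING only rewrites the destination address; the packet
# then traverses the filter FORWARD chain with its *new* destination. With
# "-P FORWARD DROP" and only ESTABLISHED,RELATED accepted from $EXTIF, the
# first packet of every inbound connection is dropped there. Each mapping
# therefore needs a matching FORWARD ACCEPT for NEW connections.
dnat_with_forward() {
    port="$1"; dest_ip="$2"; dest_port="${3:-$1}"
    $IPT -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport "$port" \
        -j DNAT --to-destination "$dest_ip:$dest_port"
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -p tcp -d "$dest_ip" --dport "$dest_port" \
        -m state --state NEW -j ACCEPT
}

# Rate-limit inbound echo requests with the limit match: up to $burst
# packets at once, then $rate on average; anything over that is dropped.
# These two rules must come before (or replace) a blanket "-p icmp -j ACCEPT".
icmp_rate_limit() {
    rate="${1:-1/second}"; burst="${2:-5}"
    $IPT -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-request \
        -m limit --limit "$rate" --limit-burst "$burst" -j ACCEPT
    $IPT -A INPUT -i "$EXTIF" -p icmp --icmp-type echo-request -j DROP
}

# Log what is about to hit a chain's DROP policy. LOG is non-terminating, so
# the packet continues to the policy after being logged. Append this as the
# LAST rule of the chain; the limit keeps a flood from filling the syslog.
log_dropped() {
    chain="$1"
    $IPT -A "$chain" -m limit --limit 10/minute --limit-burst 20 \
        -j LOG --log-prefix "IPT-${chain}-DROP: " --log-level 4
}

# The poster's mappings expressed with the helpers. With the default IPT
# this prints the commands instead of applying them.
dnat_with_forward 3000 10.0.0.2       # WorldClient
dnat_with_forward 3001 10.0.0.2       # ConfigClient
dnat_with_forward 3389 10.0.0.2       # Terminal Server
dnat_with_forward 1494 10.0.0.2       # Citrix Metaframe
dnat_with_forward 25   10.0.0.2       # SMTP
dnat_with_forward 110  10.0.0.2       # POP3
dnat_with_forward 2222 10.0.1.2 22    # ssh to the internal workstation
icmp_rate_limit 1/second 5
log_dropped INPUT
log_dropped FORWARD
```

Two points when checking the result: the DNAT rules match `-i eth0`, so a test from inside the LAN against the external address will not hit them; test from a host on the outside. And the LOG rules must be the last rules appended to INPUT and FORWARD, after every ACCEPT, or they will log accepted traffic as well; the logged lines carry the prefix in the kernel log (dmesg / syslog).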