I've never set up a NAT box with one network card before, other than using a serial
modem for the external connection ...
So have you tried two Ethernet cards?
If not, I can give you a script that works very well for me ... :)
Give this a go; just change all the interface / IP settings to suit your setup .. :)
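#!/bin/sh
#
# rc.firewall Mid-Strong Based Firewall ..BNI..
#
# NAT firewall for a two-interface box: $EXTIF faces the Internet (a PPP
# link here), $INTIF faces the private LAN $INTNET.  Connections the LAN
# opens are masqueraded out through $EXTIF; only their replies come back.
#
# Must run as root, after the external link is up: the external address is
# read from the live interface and every "-d $EXTIP" rule depends on it.
#
# Compared with the rc.firewall this was derived from, the following were
# fixed (each is also commented where it applies):
#   - the INPUT chain accepted *everything* sent to the external address,
#     which defeated the DROP policy and made the SMB and log rules dead;
#   - the FORWARD "DoS defence" limit rules ACCEPTed unsolicited inbound
#     SYN / RST / echo-request packets at 1/s in either direction, bypassing
#     the established/related-only policy, and never dropped anything;
#   - forwarding was switched on before the DROP policies were in place;
#   - an empty external address produced broken iptables commands;
#   - the LOG rule had no rate limit, so a flood could drown syslog.

set -u    # an unset variable here is a bug, not a "match anything"

printf '\nLoading STRONGER rc.firewall -..\n\n'

EXTIF="ppp0"
INTIF="eth0"
INTNET="172.16.0.0/12"
INTIP="172.16.0.254/32"
IRCPORTS="6665,6666,6667,6668,6669,7000"

IPTABLES=/sbin/iptables
LSMOD=/sbin/lsmod
GREP=/bin/grep
AWK=/bin/awk

printf ' External Interface: %s\n' "$EXTIF"
printf ' Internal Interface: %s\n' "$INTIF"
printf ' ---\n'

# The external address is taken from the running interface (old-style
# "inet addr:A.B.C.D" ifconfig output, as in the original).  Without it
# every "-d $EXTIP" below would be an iptables syntax error and the
# ruleset would be left half-loaded, so stop here instead.
EXTIP=$(/sbin/ifconfig "$EXTIF" | $GREP 'inet addr' | $AWK '{print $2}' | sed -e 's/.*://')
if [ -z "$EXTIP" ]; then
    printf 'rc.firewall: %s has no IPv4 address - bring the link up first\n' "$EXTIF" >&2
    exit 1
fi
printf ' External IP: %s\n' "$EXTIP"
printf ' ---\n'
printf ' Internal Network: %s\n' "$INTNET"
printf ' Internal IP: %s\n' "$INTIP"
printf ' ---\n'

#######################################
# load_module NAME [MODULE-ARG]
# Loads a kernel module unless lsmod already lists it by exact name.
# Uses modprobe (depmod -a has just run) so dependencies resolve rather
# than relying on the caller to insmod them in the right order.
# A failure is reported but not fatal, as before: the filter rules
# still load, and the conntrack/NAT helpers are optional extras.
#######################################
load_module() {
    lm_name=$1
    lm_arg=${2:-}
    printf '%s, ' "$lm_name"
    if $LSMOD | $GREP -q "^$lm_name[[:space:]]"; then
        return 0
    fi
    if [ -n "$lm_arg" ]; then
        /sbin/modprobe "$lm_name" "$lm_arg"
    else
        /sbin/modprobe "$lm_name"
    fi || printf '\n (could not load %s)\n' "$lm_name" >&2
}

printf ' - Verifying that all kernel modules are ok\n'
/sbin/depmod -a
printf ' Loading kernel modules: '
load_module ip_tables
load_module ip_conntrack
load_module ip_conntrack_ftp
load_module ip_conntrack_irc "ports=$IRCPORTS"
load_module ip_nat_irc "ports=$IRCPORTS"
load_module iptable_nat
load_module ip_nat_ftp
load_module iptable_filter
printf '\n ---\n'

printf ' Clearing any existing rules and setting default policy to DROP..\n'
# Policies go to DROP *before* anything is flushed and before forwarding is
# enabled below, so there is no window in which the box forwards unfiltered.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -F            # no chain given: flushes every chain in the filter
$IPTABLES -X            # table, so the user chains (SMB, drop-and-log-it)
$IPTABLES -Z            # can be deleted without checking whether they exist
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t nat -Z

# Have you changed your /etc/sysconfig/network to this:
#   FORWARD_IPV4=false  ->  FORWARD_IPV4=true
printf ' Enabling forwarding..\n'
echo 1 > /proc/sys/net/ipv4/ip_forward
printf ' Enabling Sysctl options.\n'
##### Reverse-path (anti-spoof) filtering.  1 = strict: a packet is dropped
##### when the route back to its source does not leave by the interface it
##### arrived on.  The original wrote 2, which on kernels that distinguish
##### the values means "loose" and does not give the protection the comment
##### promised.  Set on "default" too so later interfaces inherit it.
for rp_scope in all default; do
    echo 1 > "/proc/sys/net/ipv4/conf/$rp_scope/rp_filter"
done
##### Stop Smurf Amplifiers
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
##### Block Source Routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
##### Kill Timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
##### Enable Syn Cookies (this, not a forward-chain limit, is the SYN-flood defence)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
##### Kill Redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
##### Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
##### Log Martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
##### Reduce DoS'ing ability/effect by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
##### Kept from the original, but note: disabling window scaling and SACK
##### is a throughput cost on the firewall's own TCP connections, not a
##### security control.  Consider leaving them at the kernel default.
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
printf ' Enabling DynamicAddr..\n'
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
printf ' ---\n'

printf ' Creating a DROP chain..\n'
# Everything not explicitly allowed ends here: logged, then dropped.  The
# LOG rule is rate-limited so a packet flood cannot fill the disk or drown
# syslog (the original logged every packet); the DROP is unconditional.
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -m limit --limit 10/min --limit-burst 30 \
    -j LOG --log-level info --log-prefix "rc.firewall DROP: "
$IPTABLES -A drop-and-log-it -j DROP

########### Bad ASS Windows/Samba Ports ####################
# NetBIOS/SMB noise from the Internet is dropped *silently* (no log entry)
# so that constant background scanning does not swamp the log.
$IPTABLES -N SMB
for smb_proto in tcp udp; do
    for smb_ports in 135:139 445; do
        $IPTABLES -A SMB -p "$smb_proto" --dport "$smb_ports" -j DROP
        $IPTABLES -A SMB -p "$smb_proto" --sport "$smb_ports" -j DROP
    done
done

printf '\n - Loading INPUT rulesets\n'
## loopback interface is valid.
$IPTABLES -A INPUT -i lo -j ACCEPT
## local interface, local machines, going anywhere is valid
$IPTABLES -A INPUT -i "$INTIF" -s "$INTNET" -j ACCEPT
## remote interface, claiming to be local machines, IP spoofing, get lost
$IPTABLES -A INPUT -i "$EXTIF" -s "$INTNET" -j drop-and-log-it
## Replies to connections the firewall itself opened.  This is the only
## blanket way in from the outside: the original also had
##   -A INPUT -i $EXTIF -s 0/0 -d $EXTIP -j ACCEPT
## which admitted every inbound packet to this box (default DROP in name
## only) and made the SMB chain and the logging catch-all unreachable.
$IPTABLES -A INPUT -i "$EXTIF" -d "$EXTIP" -m state --state ESTABLISHED,RELATED -j ACCEPT
## ICMP to the external address (ping, path-MTU, unreachables) is allowed.
$IPTABLES -A INPUT -i "$EXTIF" -p icmp -d "$EXTIP" -j ACCEPT
## To expose a service running on this box, add its port here, e.g.
##   $IPTABLES -A INPUT -i "$EXTIF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
## Everything else from outside: SMB probes are dropped quietly ...
$IPTABLES -A INPUT -i "$EXTIF" -j SMB
## ... and the rest is denied and logged.
$IPTABLES -A INPUT -j drop-and-log-it

printf ' - Loading OUTPUT rulesets\n'
## loopback interface is valid.
$IPTABLES -A OUTPUT -o lo -j ACCEPT
## local interface: either of this box's own addresses going to the local net is valid
$IPTABLES -A OUTPUT -o "$INTIF" -s "$EXTIP" -d "$INTNET" -j ACCEPT
$IPTABLES -A OUTPUT -o "$INTIF" -s "$INTIP" -d "$INTNET" -j ACCEPT
## outgoing to local net on remote interface, stuffed routing, deny
$IPTABLES -A OUTPUT -o "$EXTIF" -d "$INTNET" -j drop-and-log-it
## anything else outgoing on remote interface, from our own address, is valid
$IPTABLES -A OUTPUT -o "$EXTIF" -s "$EXTIP" -j ACCEPT
## Catch all rule, all other outgoing is denied and logged.
$IPTABLES -A OUTPUT -j drop-and-log-it

printf ' - Loading FORWARD rulesets\n'
## The original's "flood / port-scanner / ping-of-death" rules,
##   -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT   (and two more)
## are deliberately gone.  They matched in *both* directions, ahead of the
## state check, so one SYN, RST or echo-request per second arriving from
## the Internet was forwarded to LAN hosts with no connection state, while
## outbound excess simply fell through to the ACCEPT rule - nothing was
## ever limited.  SYN cookies (above) are this box's real flood defence.
## Spoofed "internal" sources arriving on the outside interface
$IPTABLES -A FORWARD -i "$EXTIF" -s "$INTNET" -j drop-and-log-it
## FWD: Allow all connections OUT and only existing/related IN
$IPTABLES -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
## LAN to Internet: restricted to $INTNET sources, as the INPUT chain already was
$IPTABLES -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTNET" -j ACCEPT
### Port forwards go here, before the catch-all (pair with the DNAT examples below)
#$IPTABLES -A FORWARD -i "$EXTIF" -p tcp -d 172.16.0.123 --dport 2100 -j ACCEPT
#$IPTABLES -A FORWARD -i "$EXTIF" -p udp -d 172.16.0.123 --dport 2100 -j ACCEPT
#$IPTABLES -A FORWARD -i "$EXTIF" -p tcp -d 172.16.0.123 --dport 80 -j ACCEPT
## Catch all rule, all other forwarding is denied and logged.
$IPTABLES -A FORWARD -j drop-and-log-it

printf ' - NAT: Enabling SNAT (MASQUERADE) functionality on %s\n' "$EXTIF"
### Only LAN sources are masqueraded; the box's own traffic already leaves
### with $EXTIP (the OUTPUT chain enforces that).
$IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET" -j MASQUERADE
## Stricter form used mainly on Static IP Connections
#$IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET" -j SNAT --to "$EXTIP"
### Internal Squid Cache Proxy Redirect for all Traffic that is on port 80
#$IPTABLES -t nat -A PREROUTING -i "$INTIF" -p tcp --dport 80 -j REDIRECT --to-port 3129
### Internal FTP Serv (DNAT).  Each DNAT needs a matching ACCEPT in the
### FORWARD chain above.  ip_conntrack_ftp tracks port 21 by default; a
### server on 2100 presumably needs "ports=2100" passed to it - confirm.
#$IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 2100 -j DNAT --to 172.16.0.123:2100
#$IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p udp --dport 2100 -j DNAT --to 172.16.0.123:2100
### Internal Web Server DNAT
#$IPTABLES -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 8888 -j DNAT --to 172.16.0.123:80
#######################################################################
printf '\nDone.\n\n'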