Gday,

So why are you going through all this trouble ?

Do you need to use the Webserver as a Workstation ?

Well, if you only need the Webserver to receive http requests from the
internet and send the replies back, this can be done quite easily .. :)


+-----+ ethx  eth0 +-----+ eth1       +-----+
 | web | ========| Fire  |=======| Adsl |------PH Line--------
 | serv |                   | Wall |               +-----+
+-----+                 +-----+

So wouldn't it be easier to just deny/drop every packet coming from your
crossover-cable LAN

except DNS (:53), SYN/TCP (:80), and maybe a few other ports ??

so then we could easily just USE Masquerade (if you wish) and set the
default gateway on Webserv to your Iptables box, DNS etc ...

and use a script like this (works well for me .. :) ...

------------Starts Here----------------------------------------------------
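#!/bin/sh
#
# rc.firewall Mid-Strong Based Firewall ..BNI..
#
# Default-DROP packet filter for a gateway with one upstream link (EXTIF,
# normally a PPP/ADSL interface) and one private LAN (INTIF).  Inbound TCP/80
# arriving on EXTIF is DNATed to a single LAN web server (WEBSERV); the LAN
# is SNATed (or masqueraded) out of EXTIF.
#
# Usage:    run as root at boot; re-running flushes and rebuilds every rule.
#           Edit the "Change This" block first -- the script refuses to load
#           while EXTIP still holds the xxx.xxx.xxx.xxx placeholder.
# Requires: iptables with the nat table and the state/limit matches.
#
# The script stops at the first failing command (set -e).  Because every
# policy is switched to DROP before any rule is added, an abort leaves the
# box closed rather than half-open.

set -eu

# Print a diagnostic on stderr and abort.
die() {
  printf 'rc.firewall: %s\n' "$*" >&2
  exit 1
}

printf '\nLoading STRONGER rc.firewall -..\n\n'
EXTIF="ppp0"
INTIF="eth0"
printf '  External Interface:  %s\n' "$EXTIF"
printf '  Internal Interface:  %s\n' "$INTIF"
printf '  ---\n'

############ Change This Line Below to Suit :)##############
EXTIP="xxx.xxx.xxx.xxx"
printf '  External IP: %s\n' "$EXTIP"
printf '  ---\n'
INTNET="172.16.0.0/12"
INTIP="172.16.0.254/32"
# LAN host that receives inbound TCP/80 from the internet.
WEBSERV="172.16.0.222"
# "yes" -> MASQUERADE (dynamic EXTIP, typical for PPP/ADSL links);
# "no"  -> SNAT to the fixed EXTIP (stricter; static addresses only).
USE_MASQ="no"
printf '  Internal Network: %s\n' "$INTNET"
printf '  Internal IP:      %s\n' "$INTIP"
printf '  Web Server:       %s\n' "$WEBSERV"
printf '  ---\n'

IPTABLES=/sbin/iptables
#
UNIVERSE="0.0.0.0/0"

# Sanity checks: without them iptables fails part-way with the box half
# configured, which is hard to tell apart from a working default-DROP.
[ "$(id -u)" -eq 0 ] || die "must be run as root"
[ -x "$IPTABLES" ] || die "$IPTABLES not found or not executable"
case "$EXTIP" in
  *x*) die "EXTIP is still the placeholder; edit the Change This block" ;;
esac

################### Make Sure you load all the modules that are going to get
# used ..  :)  (modprobe any netfilter modules your kernel does not autoload
# here, before the first iptables call.)

printf '  Enabling forwarding..\n'
echo "1" > /proc/sys/net/ipv4/ip_forward
printf '  Enabling Sysctl options.\n'
# Reverse-path filtering backs up the anti-spoofing rules below in the kernel.
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
printf '  ---\n'
printf '  Clearing any existing rules and setting default policy to DROP..\n'

# Policies go to DROP *before* the flush so a reload never has a window with
# empty chains and an ACCEPT policy.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -F INPUT
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -F OUTPUT
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -F FORWARD
"$IPTABLES" -F -t nat

# A user chain must be empty before -X can delete it.
if "$IPTABLES" -L drop-and-log-it -n >/dev/null 2>&1; then
  "$IPTABLES" -F drop-and-log-it
fi
"$IPTABLES" -X
"$IPTABLES" -Z

printf '  Creating a DROP chain..\n'
# Logging is rate-limited so a flood cannot fill the syslog partition; the
# prefix makes the entries easy to pick out later.
"$IPTABLES" -N drop-and-log-it
"$IPTABLES" -A drop-and-log-it -m limit --limit 5/min --limit-burst 10 \
  -j LOG --log-level info --log-prefix "FW-DROP: "
"$IPTABLES" -A drop-and-log-it -j DROP

### Internal Squid Cache Proxy Redirect for all Traffic that is on port 80
#"$IPTABLES" -t nat -A PREROUTING -i "$INTIF" -p tcp --dport 80 \
#  -j REDIRECT --to-port 3129

################ This one is for you .. :)###############

### Internal Web Server DNAT (TCP only -- HTTP has no UDP side)
"$IPTABLES" -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 80 \
  -j DNAT --to-destination "$WEBSERV:80"

####### Port Forwarding ################
# The DNATed packets still have to be allowed through FORWARD.
"$IPTABLES" -A FORWARD -p tcp -i "$EXTIF" -d "$WEBSERV" --dport 80 -j ACCEPT


printf '\n   - Loading INPUT rulesets\n'
## loopback interfaces are valid.
"$IPTABLES" -A INPUT -i lo -s "$UNIVERSE" -d "$UNIVERSE" -j ACCEPT
## local interface, local machines, going anywhere is valid
"$IPTABLES" -A INPUT -i "$INTIF" -s "$INTNET" -d "$UNIVERSE" -j ACCEPT
## remote interface, claiming to be local machines, IP spoofing, get lost
"$IPTABLES" -A INPUT -i "$EXTIF" -s "$INTNET" -d "$UNIVERSE" -j drop-and-log-it
## ICMP to the firewall itself (ping, unreachables, path MTU) is accepted.
"$IPTABLES" -A INPUT -i "$EXTIF" -p ICMP -s "$UNIVERSE" -d "$EXTIP" -j ACCEPT
## Allow any related traffic coming back to the MASQ server in.
## There is deliberately no blanket "accept anything to $EXTIP" rule here:
## such a rule would make the catch-all below unreachable for internet
## traffic.  Any service the firewall itself must expose (e.g. remote admin)
## needs its own explicit ACCEPT rule above the catch-all.
"$IPTABLES" -A INPUT -i "$EXTIF" -s "$UNIVERSE" -d "$EXTIP" -m state \
  --state ESTABLISHED,RELATED -j ACCEPT

# Catch all rule, all other incoming is denied and logged.
"$IPTABLES" -A INPUT -s "$UNIVERSE" -d "$UNIVERSE" -j drop-and-log-it
printf '   - Loading OUTPUT rulesets\n'
## loopback interface is valid.
"$IPTABLES" -A OUTPUT -o lo -s "$UNIVERSE" -d "$UNIVERSE" -j ACCEPT
## local interfaces, any source going to local net is valid
"$IPTABLES" -A OUTPUT -o "$INTIF" -s "$EXTIP" -d "$INTNET" -j ACCEPT
## local interface, any source going to local net is valid
"$IPTABLES" -A OUTPUT -o "$INTIF" -s "$INTIP" -d "$INTNET" -j ACCEPT
## outgoing to local net on remote interface, stuffed routing, deny
"$IPTABLES" -A OUTPUT -o "$EXTIF" -s "$UNIVERSE" -d "$INTNET" -j drop-and-log-it
## anything else outgoing on remote interface is valid
"$IPTABLES" -A OUTPUT -o "$EXTIF" -s "$EXTIP" -d "$UNIVERSE" -j ACCEPT
## Catch all rule, all other outgoing is denied and logged.
"$IPTABLES" -A OUTPUT -s "$UNIVERSE" -d "$UNIVERSE" -j drop-and-log-it
printf '   - Loading FORWARD rulesets\n'
printf '     - FWD: Allow all connections OUT and only existing/related IN\n'
"$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" -m state \
  --state ESTABLISHED,RELATED -j ACCEPT
## Everything from the LAN may go out.  Tighten this to the ports the LAN
## hosts really need (DNS, HTTP, ...) if the web server must not be able to
## open arbitrary outbound connections.
"$IPTABLES" -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
## Catch all: drop-and-log-it ends in DROP, so nothing is needed after it.
"$IPTABLES" -A FORWARD -j drop-and-log-it

########### You are better of Using SNAT on a static IP #############
# MASQUERADE re-reads the interface address on every packet, which is what
# a dynamic PPP address needs; SNAT to a fixed address is the stricter form.
if [ "$USE_MASQ" = "yes" ]; then
  printf '     - NAT: Enabling MASQUERADE functionality on %s\n' "$EXTIF"
  "$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
else
  printf '     - NAT: Enabling SNAT to %s on %s\n' "$EXTIP" "$EXTIF"
  "$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j SNAT --to-source "$EXTIP"
fi

#######################################################################
printf '\nDone.\n\n'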




