Yes, it is true .... but you can still use the new IP address with iptables

just not the Ethernet aliases like eth0:1 etc. ....


This should help you out; I just finished rewriting a good SNAT / DNAT
script of mine ..


In this script the Multi IP lines are commented out with '#', so you can go through
the script and uncomment
all the Multi IP lines (they have comments to help you find them).

It is also possible to do more than two external addresses; it just means a lot
of scripting .... lol

hope it helps ya out ... :D


File: rc.firewall

---------------------------------Start Copy Below This
Line ---------------------------------------

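#!/bin/sh
#
# rc.firewall Mid-Strong Based Firewall ..BNI..
#
# Purpose:  Flush and rebuild the iptables ruleset of a two-interface NAT
#           gateway.  INTIF faces the private network (INTNET), EXTIF faces
#           the upstream network.  INPUT, OUTPUT and FORWARD all get a
#           default policy of DROP; anything not explicitly accepted ends
#           in the drop-and-log-it chain.
# Usage:    run as root at boot, no arguments.  Adjust the "Site settings"
#           section before use; the "Multi IP" rules for a second external
#           address (EXTIP2) are commented out and marked as such.
# Requires: iptables, lsmod, insmod, depmod, grep, awk (paths below).
#
# Differences from the copy that went out on the mailing list:
#   - commands the mail client had wrapped onto two lines are rejoined; the
#     second half of each of those lines (e.g. "0:65535 -j DNAT --to ...",
#     "ESTABLISHED,RELATED -j ACCEPT") was being run as a command of its own.
#   - "-jACCEPT" in the FORWARD state rule is written "-j ACCEPT".
#   - the "Flood Protection" / "Ports Scanners" / "Ping o Death" rules used
#     "-m limit ... -j ACCEPT", which ACCEPTs rate-limited NEW inbound
#     traffic from EXTIF to any internal host before the state rules run,
#     contradicting the "only existing/related IN" policy printed below.
#     They are now separate limit chains that drop only the excess and
#     RETURN, so the ordinary rules decide what is accepted.
#   - the Squid redirect uses $INTIF instead of a hard-coded "eth0".
#   - "echo -e"/"echo -en" is replaced by printf: under #!/bin/sh the -e
#     flag is not portable.
#   - the repeated "load module unless loaded" blocks are one function.
#
########  Revision 5.1 ########## With Comments ##############
#############################################################

############# Site settings #############
EXTIF="eth1"
INTIF="eth0"
echo "  External Interface:  $EXTIF"
echo "  Internal Interface:  $INTIF"
echo "  ---"

# Determine the external IP automatically:
# ----------------------------------------
#EXTIP="$(/sbin/ifconfig "$EXTIF" | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://')"

############### For STATIC IP addresses: #############
EXTIP="192.168.0.253"

########## New Multiple External IP Access #########
EXTIP2="192.168.0.212"
# Internal host that the second external address is mapped to (Multi IP
# DNAT/SNAT rules below, commented out by default).
EXTIP2_HOST="172.16.0.55"
echo "  External IP: $EXTIP"
echo "  External IP 2: $EXTIP2 (Multi IP rules are commented out)"
echo "  ---"

# Assign the internal TCP/IP network and IP address
INTNET="172.16.0.0/16"
INTIP="172.16.0.253/32"
# Internal web server reached through the DNAT rules on EXTIF ports 8888/8860.
WEBSRV="172.16.0.111"
echo "  Internal Network: $INTNET"
echo "  Internal IP:      $INTIP"
echo "  ---"

# The location of various iptables and other shell programs
#
IPTABLES=/sbin/iptables
#IPTABLES=/usr/local/sbin/iptables
LSMOD=/sbin/lsmod
INSMOD=/sbin/insmod
DEPMOD=/sbin/depmod
GREP=/bin/grep
AWK=/bin/awk

# Setting a few special variables
#
UNIVERSE="0.0.0.0/0"
IRCPORTS="6665,6666,6667,6668,6669,7000"
# Rate used by the flood / scan limit chains in FORWARD (iptables -m limit syntax).
LIMIT_RATE="1/s"

#######################################
# Load a kernel module unless lsmod already lists it.
# Globals:   LSMOD, AWK, GREP, INSMOD (read)
# Arguments: $1 - module name; any further arguments are passed to insmod
# Outputs:   the module name on stdout (progress line)
# Returns:   insmod status, 0 when the module was already loaded
#######################################
load_module() {
  mod=$1
  shift
  printf '%s ' "$mod"
  # lsmod prints the module name in column 1.  Match the whole name so that
  # "ip_conntrack" is not reported as loaded just because "ip_conntrack_ftp" is.
  if "$LSMOD" | "$AWK" '{print $1}' | "$GREP" -qx "$mod"; then
    return 0
  fi
  "$INSMOD" "$mod" "$@"
}

#######################################
# Create a rate-limit chain.  Packets within the limit RETURN to the
# calling chain so the ordinary rules decide their fate; the excess is
# dropped without logging, so a flood cannot turn into a log flood.
# Globals:   IPTABLES (read)
# Arguments: $1 - chain name, $2 - rate in -m limit syntax (e.g. 1/s)
#######################################
make_limit_chain() {
  "$IPTABLES" -N "$1"
  "$IPTABLES" -A "$1" -m limit --limit "$2" -j RETURN
  "$IPTABLES" -A "$1" -j DROP
}

############# Kernel Modules Section #############

echo "  - Verifying that all kernel modules are ok"
"$DEPMOD" -a

printf '    Loading kernel modules: '

# ip_tables, ip_conntrack and iptable_nat are loaded automatically when
# iptables / MASQ functionality is used; loading them here up front avoids
# kernel auto-loading timing issues.
load_module ip_tables
load_module ip_conntrack
# FTP and IRC connection tracking / NAT helpers.  Enabled by default --
# comment a line out to deactivate it.  ip_nat_ftp is required for
# non-PASV FTP through the NAT.
load_module ip_conntrack_ftp
load_module ip_conntrack_irc "ports=$IRCPORTS"
load_module ip_nat_irc
load_module iptable_nat
load_module ip_nat_ftp
######### Ip Tables Filter ################
load_module iptable_filter
######### IpT MultiPort  ################
load_module ipt_multiport
printf '\n'

echo "---"

#CRITICAL:  Enable IP forwarding since it is disabled by default since
#
#           Redhat Users:  you may try changing the options in
#                          /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "  Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

echo "  Enabling Sysctl options."

##### Disable IP Spoof Attack (reverse path filtering)
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
##### Stop Smurf Amplifiers
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
##### Block Source Routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
##### Kill Timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
##### Enable Syn Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
##### Kill Redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
##### Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
##### Log Martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
##### Reduce DoS'ing ability/effect by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
# Dynamic IP users:
# Uncomment Second Line Below
echo "  Enabling DynamicAddr.."
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo " ---"

echo " Clearing any existing rules and setting default policy to DROP.."

# Policies go to DROP before the flush so the box is never open while the
# rules are being rebuilt (fail closed).
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD DROP

# -F with no chain flushes every chain in the filter table, including the
# user chains (SMB, drop-and-log-it, the limit chains), which is what -X
# needs in order to delete them.  Then flush the nat table too.
"$IPTABLES" -F
"$IPTABLES" -t nat -F

# Delete all User-specified chains
"$IPTABLES" -X

# Reset all IPTABLES counters
"$IPTABLES" -Z


#Configuring specific CHAINS for later use in the ruleset
#
#  NOTE:  Some users prefer to have their firewall silently
#         "DROP" packets while others prefer to use "REJECT"
#         to send ICMP error messages back to the remote
#         machine.  The default is "REJECT" but feel free to
#         change this below.
#
# NOTE: Without the --log-level set to "info", every single
#       firewall hit will goto ALL vtys.  This is a very big
#       pain.
#
# NOTE(review): the LOG rule has no "-m limit"; a sustained flood that
#       reaches this chain is logged packet by packet.  Add e.g.
#       "-m limit --limit 5/s" to the LOG rule if that fills your logs.
#

echo "  Creating a DROP chain.."
"$IPTABLES" -N drop-and-log-it
"$IPTABLES" -A drop-and-log-it -j LOG --log-level info
"$IPTABLES" -A drop-and-log-it -j DROP
#
########### Bad ASS Windows/Samba Ports ####################
# Jumped to from FORWARD for both interfaces, both directions: NetBIOS/SMB
# never crosses the gateway.
"$IPTABLES" -N SMB
"$IPTABLES" -A SMB -p tcp --dport 135:139 -j REJECT
"$IPTABLES" -A SMB -p tcp --dport 445 -j REJECT
"$IPTABLES" -A SMB -p udp --dport 135:139 -j REJECT
"$IPTABLES" -A SMB -p udp --dport 445 -j REJECT
"$IPTABLES" -A SMB -p tcp --sport 135:139 -j REJECT
"$IPTABLES" -A SMB -p tcp --sport 445 -j REJECT
"$IPTABLES" -A SMB -p udp --sport 135:139 -j REJECT
"$IPTABLES" -A SMB -p udp --sport 445 -j REJECT

# Silent alternative to the REJECT rules above.
#"$IPTABLES" -A SMB -p tcp --dport 135:139 -j DROP
#"$IPTABLES" -A SMB -p tcp --dport 445 -j DROP
#"$IPTABLES" -A SMB -p udp --dport 135:139 -j DROP
#"$IPTABLES" -A SMB -p udp --dport 445 -j DROP
#"$IPTABLES" -A SMB -p tcp --sport 135:139 -j DROP
#"$IPTABLES" -A SMB -p tcp --sport 445 -j DROP
#"$IPTABLES" -A SMB -p udp --sport 135:139 -j DROP
#"$IPTABLES" -A SMB -p udp --sport 445 -j DROP

### Internal Squid Server Redirect ####
# Transparent proxy: port 80 traffic from the internal side goes to the
# local Squid on 3128.
"$IPTABLES" -t nat -A PREROUTING -i "$INTIF" -p tcp --dport 80 -j REDIRECT --to-port 3128

### Internal Web Server DNAT ##########
"$IPTABLES" -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 8888 -j DNAT --to "$WEBSRV:80"
"$IPTABLES" -t nat -A PREROUTING -i "$EXTIF" -p tcp --dport 8860 -j DNAT --to "$WEBSRV:443"
"$IPTABLES" -t nat -A PREROUTING -i "$EXTIF" -p udp --dport 8860 -j DNAT --to "$WEBSRV:443"

### NEW Multiple External IP DNAT Done Here, Uncomment and use accordingly
##########
# 1:1 mapping of EXTIP2 to EXTIP2_HOST, all tcp and udp ports (the original
# "--dport 0:65535" said the same thing).
#"$IPTABLES" -t nat -A PREROUTING -i "$EXTIF" -d "$EXTIP2" -p tcp -j DNAT --to "$EXTIP2_HOST"
#"$IPTABLES" -t nat -A PREROUTING -i "$EXTIF" -d "$EXTIP2" -p udp -j DNAT --to "$EXTIP2_HOST"

printf '\n   - Loading INPUT rulesets\n'
#######################################################################
## INPUT: Incoming traffic from various interfaces.  All rulesets are
#        already flushed and set to a default policy of DROP.

## loopback interfaces are valid.
#
"$IPTABLES" -A INPUT -i lo -s "$UNIVERSE" -d "$UNIVERSE" -j ACCEPT

## local interface, local machines, going anywhere is valid
#
"$IPTABLES" -A INPUT -i "$INTIF" -s "$INTNET" -d "$UNIVERSE" -j ACCEPT

## remote interface, claiming to be local machines, IP spoofing, get lost
#
"$IPTABLES" -A INPUT -i "$EXTIF" -s "$INTNET" -d "$UNIVERSE" -j drop-and-log-it

## external interface, from any source, for ICMP traffic is valid
#
#  If you would like your machine to "ping" from the Internet,
#  enable this next line
#
"$IPTABLES" -A INPUT -i "$EXTIF" -p ICMP -s "$UNIVERSE" -d "$EXTIP" -j ACCEPT

## remote interface, any source, going to permanent PPP address is valid
#
# NOTE(review): this accepts EVERY inbound packet addressed to EXTIP, so any
# service listening on the firewall host itself is reachable from EXTIF.
# This is what makes the ruleset "Mid-Strong"; restrict it to the ports you
# actually serve (e.g. add "-p tcp --dport 22") if that is not intended.
# The ESTABLISHED,RELATED rule further down only matters once this one is
# narrowed.
"$IPTABLES" -A INPUT -i "$EXTIF" -s "$UNIVERSE" -d "$EXTIP" -j ACCEPT

## NEW Multi EXTIP, Add two lines for each new EXTIP* address below
##########
#"$IPTABLES" -A INPUT -i "$EXTIF" -s "$UNIVERSE" -d "$EXTIP2" -j ACCEPT
#"$IPTABLES" -A INPUT -i "$EXTIF" -s "$UNIVERSE" -d "$EXTIP2" -m state --state ESTABLISHED,RELATED -j ACCEPT

## Allow any related traffic coming back to the MASQ server in
#
"$IPTABLES" -A INPUT -i "$EXTIF" -s "$UNIVERSE" -d "$EXTIP" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Catch all rule, all other incoming is denied and logged.
#
"$IPTABLES" -A INPUT -s "$UNIVERSE" -d "$UNIVERSE" -j drop-and-log-it

printf '   - Loading OUTPUT rulesets\n'

#######################################################################
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are
#         already flushed and set to a default policy of DROP.
#

## loopback interface is valid.
#
"$IPTABLES" -A OUTPUT -o lo -s "$UNIVERSE" -d "$UNIVERSE" -j ACCEPT

## local interface, any source going to local net is valid
#
"$IPTABLES" -A OUTPUT -o "$INTIF" -s "$INTIP" -d "$INTNET" -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$INTIF" -s "$EXTIP" -d "$INTNET" -j ACCEPT

## outgoing to local net on remote interface, stuffed routing, deny
#
"$IPTABLES" -A OUTPUT -o "$EXTIF" -s "$UNIVERSE" -d "$INTNET" -j drop-and-log-it

## NEW Multi EXTIP, Add two lines for each new EXTIP* address below
##########
"$IPTABLES" -A OUTPUT -o "$INTIF" -s "$EXTIP2" -d "$INTNET" -j ACCEPT
"$IPTABLES" -A OUTPUT -o "$EXTIF" -s "$EXTIP2" -d "$UNIVERSE" -j ACCEPT

## anything else outgoing on remote interface is valid
#
"$IPTABLES" -A OUTPUT -o "$EXTIF" -s "$EXTIP" -d "$UNIVERSE" -j ACCEPT

## Catch all rule, all other outgoing is denied and logged.
#
"$IPTABLES" -A OUTPUT -s "$UNIVERSE" -d "$UNIVERSE" -j drop-and-log-it

printf '   - Loading FORWARD rulesets\n'
#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#
### Allow Port Forwarding on the Ports Specified
# These match the DNAT targets above (destination is already rewritten when
# the packet reaches FORWARD).
"$IPTABLES" -A FORWARD -p tcp -i "$EXTIF" -d "$WEBSRV" --dport 80 -j ACCEPT
"$IPTABLES" -A FORWARD -p tcp -i "$EXTIF" -d "$WEBSRV" --dport 443 -j ACCEPT
"$IPTABLES" -A FORWARD -p udp -i "$EXTIF" -d "$WEBSRV" --dport 443 -j ACCEPT

## NEW Multi EXTIP, Add two lines for each new EXTIP* address below
##########
# After the EXTIP2 DNAT the packet's destination is EXTIP2_HOST and its
# source is the remote client, so no "-s $EXTIP2" match is needed here (the
# mailing-list version had one, which would not match DNAT'ed traffic).
#"$IPTABLES" -A FORWARD -p tcp -i "$EXTIF" -d "$EXTIP2_HOST" -j ACCEPT
#"$IPTABLES" -A FORWARD -p udp -i "$EXTIF" -d "$EXTIP2_HOST" -j ACCEPT

"$IPTABLES" -A FORWARD -i "$INTIF" -j SMB
"$IPTABLES" -A FORWARD -o "$INTIF" -j SMB
"$IPTABLES" -A FORWARD -i "$EXTIF" -j SMB
"$IPTABLES" -A FORWARD -o "$EXTIF" -j SMB

###
# Specific Defence rules can go here too.
###
# Each class of packet gets its own limit chain so the counters are
# independent.  Within LIMIT_RATE the chain RETURNs and the rules below
# decide (new inbound connections are still accepted only where explicitly
# allowed); beyond it the packet is dropped.
make_limit_chain syn-flood "$LIMIT_RATE"
make_limit_chain rst-scan "$LIMIT_RATE"
make_limit_chain ping-flood "$LIMIT_RATE"
#          Flood Protection
"$IPTABLES" -A FORWARD -i "$EXTIF" -p tcp --syn -j syn-flood
#          Ports Scanners
"$IPTABLES" -A FORWARD -i "$EXTIF" -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j rst-scan
#          Ping o Death
"$IPTABLES" -A FORWARD -i "$EXTIF" -p icmp --icmp-type echo-request -j ping-flood
echo " -=-=-= DoS Defence is Up -=-=-="
echo "     - FWD: Allow all connections OUT and only existing/related IN"

## NEW Multi EXTIP, Add a line for each new EXTIP* address below ##########
# Return traffic for EXTIP2_HOST is already covered by the general state
# rule below; kept for reference.
#"$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$EXTIP2_HOST" -m state --state ESTABLISHED,RELATED -j ACCEPT

########## Existing Rule (Do Not Delete) #########
"$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

"$IPTABLES" -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTNET" -j ACCEPT
# drop-and-log-it ends in DROP, so no trailing "-j DROP" rule is needed.
"$IPTABLES" -A FORWARD -j drop-and-log-it

echo "     - NAT: Enabling SNAT (MASQUERADE) functionality on $EXTIF"
#
## Use this for Dynamic IP connections because it does not keep any of the
## old Tracked Connections
###
#"$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

#
## Stricter form used mainly on Static IP Connections
########## Uncomment line below to enable SNAT on NEW $EXTIP*
################
# The per-host SNAT must stay above the general one: the first matching
# POSTROUTING rule wins.
#"$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -s "$EXTIP2_HOST" -j SNAT --to "$EXTIP2"
########## Existing SNAT Rule, Do Not Delete unless you really know what ya doing #######
"$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j SNAT --to "$EXTIP"

#######################################################################
printf '\nDone.\n\n'

printf '\neXecuting Packet Shaping Dont Forget To /etc/rc.wshaper.\n\n'
# The shaper script is optional on this host; skip it (with a notice on
# stderr) rather than erroring out when it is missing.
if [ -x /etc/rc.wshaper ]; then
  /etc/rc.wshaper
else
  echo "  /etc/rc.wshaper not found or not executable, skipping packet shaping" >&2
fi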

--------------------------End copy Before this
line -----------------------------------------------------------

