NAT iptables firewall script

NAT iptables firewall script is an iptables firewall script.

NAT iptables firewall script Summary

  • License: GPL
  • Price: FREE
  • Publisher Name: djweis
  • Publisher web site: http://www.sjdjweis.com/linux/proxyarp/rc.firewall.txt


NAT iptables firewall script Description

NAT iptables firewall script is an iptables firewall script for a host with three interfaces: an external interface, a DMZ reached through proxy ARP, and an internal network that is SNATed out through the external interface. This script is meant to be run once per boot: the rules will be added twice if you run it twice. If you need to add another rule at runtime, change the -A to a -I so that the rule goes to the top of the chain; with -A it goes at the end, after the chain's final reject rule, where it is never reached.

Sample:

#!/bin/sh
# rc.firewall: three-interface NAT/DMZ firewall. Run once per boot.

# interface definitions
BAD_IFACE=eth0
DMZ_IFACE=eth1
DMZ_ADDR=x.x.x.96/28
GOOD_IFACE=eth2
GOOD_ADDR=192.168.1.0/24
MASQ_SERVER=x.x.x.98
FTP_SERVER=x.x.x.100
MAIL_SERVER=x.x.x.99
MAIL_SERVER_INTERNAL=192.168.1.3

# testing
#set -x

# route the DMZ block out of the DMZ interface; x.x.x.97 is the upstream gateway
ip route del x.x.x.96/28 dev $BAD_IFACE
ip route del x.x.x.96/28 dev $DMZ_IFACE
ip route add x.x.x.97 dev $BAD_IFACE
ip route add x.x.x.96/28 dev $DMZ_IFACE

# we need proxy arp for the dmz network
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp

# turn on ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# turn on antispoofing protection
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

# flush all rules in the filter table
#iptables -F

# flush built in rules
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

# deny everything for now (these placeholder rules are deleted at the end,
# once the real rule set is in place)
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP

# make the chains to define packet directions
# bad is the internet, dmz is our dmz, good is our masqed network
iptables -N good-dmz
iptables -N bad-dmz
iptables -N good-bad
iptables -N dmz-good
iptables -N dmz-bad
iptables -N bad-good
iptables -N icmp-acc

# accept related packets
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# internal client masqing
iptables -t nat -A POSTROUTING -s $GOOD_ADDR -o $BAD_IFACE -j SNAT --to $MASQ_SERVER

# mail server masqing
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport smtp -j DNAT --to $MAIL_SERVER_INTERNAL:25
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport http -j DNAT --to $MAIL_SERVER_INTERNAL:80
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport https -j DNAT --to $MAIL_SERVER_INTERNAL:443
# to allow the above to work you need something like
# iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT

# set which addresses jump to which chains
iptables -A FORWARD -s $GOOD_ADDR -o $DMZ_IFACE -j good-dmz
iptables -A FORWARD -s $GOOD_ADDR -o $BAD_IFACE -j good-bad
iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $BAD_IFACE -j dmz-bad
iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $GOOD_IFACE -j dmz-good
iptables -A FORWARD -o $DMZ_IFACE -j bad-dmz
iptables -A FORWARD -o $GOOD_IFACE -j bad-good

# drop anything that doesn't fit these
iptables -A FORWARD -j LOG --log-prefix "chain-jump "
iptables -A FORWARD -j DROP

# icmp acceptance
iptables -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-request -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT
# iptables -A icmp-acc -j LOG --log-prefix "icmp-acc "
iptables -A icmp-acc -j DROP

# from internal to dmz
iptables -A good-dmz -p tcp --dport smtp -j ACCEPT
iptables -A good-dmz -p tcp --dport pop3 -j ACCEPT
iptables -A good-dmz -p udp --dport domain -j ACCEPT
iptables -A good-dmz -p tcp --dport domain -j ACCEPT
iptables -A good-dmz -p tcp --dport www -j ACCEPT
iptables -A good-dmz -p tcp --dport https -j ACCEPT
iptables -A good-dmz -p tcp --dport ssh -j ACCEPT
iptables -A good-dmz -p tcp --dport telnet -j ACCEPT
iptables -A good-dmz -p tcp --dport auth -j ACCEPT
iptables -A good-dmz -p tcp --dport ftp -j ACCEPT
iptables -A good-dmz -p tcp --dport 1521 -j ACCEPT
iptables -A good-dmz -p icmp -j icmp-acc
iptables -A good-dmz -j LOG --log-prefix "good-dmz "
iptables -A good-dmz -j DROP

# from external to dmz
iptables -A bad-dmz -p tcp --dport smtp -j ACCEPT
iptables -A bad-dmz -p udp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport www -j ACCEPT
iptables -A bad-dmz -p tcp --dport https -j ACCEPT
iptables -A bad-dmz -p tcp --dport ssh -j ACCEPT
iptables -A bad-dmz -p tcp -d $FTP_SERVER --dport ftp -j ACCEPT
iptables -A bad-dmz -p icmp -j icmp-acc
iptables -A bad-dmz -j LOG --log-prefix "bad-dmz "
iptables -A bad-dmz -j DROP

# from internal to external
iptables -A good-bad -j ACCEPT
# iptables -t nat -A POSTROUTING -o $BAD_IFACE -j SNAT --to $MASQ_SERVER
#iptables -A good-bad -p tcp -j MASQ
#iptables -A good-bad -p udp -j MASQ
#iptables -A good-bad -p icmp -j MASQ
#ipchains -A good-bad -p tcp --dport www -j MASQ
#ipchains -A good-bad -p tcp --dport ssh -j MASQ
#ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
#ipchains -A good-bad -p tcp --dport ftp -j MASQ
#ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
#ipchains -A good-bad -j REJECT -l

# from dmz to internal
# iptables -A dmz-good -p tcp ! --syn --sport smtp -j ACCEPT
iptables -A dmz-good -p tcp --dport smtp -j ACCEPT
iptables -A dmz-good -p tcp --sport smtp -j ACCEPT
iptables -A dmz-good -p udp --sport domain -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport domain -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport www -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport ssh -j ACCEPT
iptables -A dmz-good -p tcp -d 192.168.1.34 --dport smtp -j ACCEPT
iptables -A dmz-good -p icmp -j icmp-acc
iptables -A dmz-good -j LOG --log-prefix "dmz-good "
iptables -A dmz-good -j DROP

# from dmz to external
iptables -A dmz-bad -p tcp --dport smtp -j ACCEPT
iptables -A dmz-bad -p tcp --sport smtp -j ACCEPT
iptables -A dmz-bad -p udp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport www -j ACCEPT
iptables -A dmz-bad -p tcp --dport https -j ACCEPT
iptables -A dmz-bad -p tcp --dport ssh -j ACCEPT
iptables -A dmz-bad -p tcp --dport ftp -j ACCEPT
iptables -A dmz-bad -p tcp --dport whois -j ACCEPT
iptables -A dmz-bad -p tcp --dport telnet -j ACCEPT
iptables -A dmz-bad -p udp --dport ntp -j ACCEPT
# ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
iptables -A dmz-bad -p icmp -j icmp-acc
iptables -A dmz-bad -j LOG --log-prefix "dmz-bad "
iptables -A dmz-bad -j DROP

# from external to internal (only the DNATed mail server ports)
iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -p tcp --dport http -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -p tcp --dport https -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -j LOG --log-prefix "bad-good "
iptables -A bad-good -j REJECT

# rules for this machine itself
iptables -N bad-if
iptables -N dmz-if
iptables -N good-if

# set up the jumps to each chain
iptables -A INPUT -i $BAD_IFACE -j bad-if
iptables -A INPUT -i $DMZ_IFACE -j dmz-if
iptables -A INPUT -i $GOOD_IFACE -j good-if

# external iface
# note: after the icmp filter, everything else arriving on the external
# interface for this host is accepted
iptables -A bad-if -p icmp -j icmp-acc
iptables -A bad-if -j ACCEPT
#ipchains -A bad-if -i ! ppp0 -j DENY -l
#ipchains -A bad-if -p TCP --dport 61000:65095 -j ACCEPT
#ipchains -A bad-if -p UDP --dport 61000:65095 -j ACCEPT
#ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT
#ipchains -A bad-if -j icmp-acc
#ipchains -A bad-if -j DENY

# dmz iface
# (the original appended this icmp rule to bad-if, where it sat behind the
# unconditional ACCEPT above and never matched; dmz-if is the chain meant here)
iptables -A dmz-if -p icmp -j icmp-acc
iptables -A dmz-if -j ACCEPT

# internal iface
iptables -A good-if -p tcp --dport ssh -j ACCEPT
iptables -A good-if -p ICMP --icmp-type ping -j ACCEPT
iptables -A good-if -p ICMP --icmp-type pong -j ACCEPT
iptables -A good-if -j icmp-acc
iptables -A good-if -j DROP

# remove the complete blocks: delete the placeholder DROP rules from position 1
# so the rule set built above takes effect
iptables -D INPUT 1
iptables -D FORWARD 1
iptables -D OUTPUT 1
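The two operational points in the description, that a rule appended with -A lands behind the chain's trailing DROP/REJECT and that a second run appends every rule again, both follow from iptables' first-match evaluation. The following is an added example, not part of the author's script: a small Python model of a filter table with the page's FORWARD skeleton and two of its direction chains (good-dmz and bad-good). Chain names, interfaces and addresses follow the page; the test packets, the unmatched port 3306 and the placeholder DMZ address x.x.x.100 are constructed for the demonstration.

```python
# Added example (not the author's script): models iptables first-match
# semantics to show why a runtime rule must be inserted with -I rather than
# appended with -A, and why re-running the script duplicates rules.
from dataclasses import dataclass
from typing import Optional

TERMINAL = {"ACCEPT", "DROP", "REJECT"}


@dataclass
class Packet:
    proto: str
    dport: int
    src: str
    dst: str
    out_if: str


@dataclass
class Rule:
    target: str                     # ACCEPT/DROP/REJECT or a user chain to jump to
    proto: Optional[str] = None     # -p
    dport: Optional[int] = None     # --dport
    src: Optional[str] = None       # -s, modelled as an address prefix
    dst: Optional[str] = None       # -d, exact host
    out_if: Optional[str] = None    # -o

    def matches(self, pkt: Packet) -> bool:
        return (
            (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
            and (self.src is None or pkt.src.startswith(self.src))
            and (self.dst is None or self.dst == pkt.dst)
            and (self.out_if is None or self.out_if == pkt.out_if)
        )


class FilterTable:
    """Built-in FORWARD chain (policy ACCEPT, the iptables default) plus user chains."""

    def __init__(self) -> None:
        self.chains: dict[str, list[Rule]] = {"FORWARD": []}

    def new_chain(self, name: str) -> None:            # iptables -N
        if name in self.chains:
            raise ValueError(f"chain {name} already exists")
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:   # iptables -A: goes last
        self.chains[chain].append(rule)

    def insert(self, chain: str, rule: Rule) -> None:   # iptables -I: goes first
        self.chains[chain].insert(0, rule)

    def verdict(self, pkt: Packet, chain: str = "FORWARD") -> Optional[str]:
        """First matching terminal rule wins; a user chain that reaches its end
        returns to the caller, which continues with its next rule."""
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in TERMINAL:
                return rule.target
            sub = self.verdict(pkt, rule.target)        # jump into user chain
            if sub is not None:
                return sub
        return "ACCEPT" if chain == "FORWARD" else None  # policy vs. end of user chain


def load_rules(fw: FilterTable) -> None:
    """Append the page's FORWARD skeleton and the good-dmz / bad-good chains."""
    fw.append("FORWARD", Rule("good-dmz", src="192.168.1.", out_if="eth1"))
    fw.append("FORWARD", Rule("bad-good", out_if="eth2"))
    fw.append("FORWARD", Rule("DROP"))                  # drop anything that doesn't fit
    fw.append("good-dmz", Rule("ACCEPT", proto="tcp", dport=25))
    fw.append("good-dmz", Rule("ACCEPT", proto="tcp", dport=80))
    fw.append("good-dmz", Rule("DROP"))                 # trailing deny, as on the page
    fw.append("bad-good", Rule("ACCEPT", proto="tcp", dport=25, dst="192.168.1.3"))
    fw.append("bad-good", Rule("REJECT"))


def build_firewall() -> FilterTable:
    fw = FilterTable()
    fw.new_chain("good-dmz")
    fw.new_chain("bad-good")
    load_rules(fw)
    return fw


def runtime_rule_demo() -> tuple:
    """Verdict for a constructed internal->DMZ packet to tcp/3306: before any
    runtime change, after a runtime -A, and after a runtime -I."""
    fw = build_firewall()
    pkt = Packet("tcp", 3306, "192.168.1.20", "x.x.x.100", "eth1")  # constructed
    before = fw.verdict(pkt)
    fw.append("good-dmz", Rule("ACCEPT", proto="tcp", dport=3306))  # behind the DROP
    after_append = fw.verdict(pkt)
    fw.insert("good-dmz", Rule("ACCEPT", proto="tcp", dport=3306))  # ahead of it
    after_insert = fw.verdict(pkt)
    return before, after_append, after_insert


def rules_after_rerun() -> tuple:
    """good-dmz rule count after one run, and after running load_rules again
    on the same table without a flush (the double-add the description warns of)."""
    fw = build_firewall()
    once = len(fw.chains["good-dmz"])
    load_rules(fw)
    twice = len(fw.chains["good-dmz"])
    return once, twice


if __name__ == "__main__":
    print("runtime rule (before, -A, -I):", runtime_rule_demo())
    print("good-dmz rules after 1 and 2 runs:", rules_after_rerun())
```

The model only evaluates the FORWARD path; the state-tracking ACCEPT for RELATED,ESTABLISHED and the nat table are left out because they do not change the point being shown, which is that `iptables -A` after a chain's final DROP is dead and `iptables -I` is live.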

