[ILUG] Ip forwarding and iptables
[ILUG] Ip forwarding and iptables
cout at eircom.net
cout at eircom.net
Thu Jun 27 07:23:36 IST 2002
iptables -F
##nuke that syn flood iptables -N syn-flood iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
#nuke any tcp connection that is not a syn
iptables -A INPUT -s ! 10.0.0.0/24 -p tcp ! --syn -m state --state NEW -j DROP
#
iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 139 -m state --state NEW -j DROP
iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 139 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 139 -m state --state NEW,ESTABLISHED -j ACCEPT
#http
iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 80 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#ftp
iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
#irc
iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 194 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 194 -m state --state NEW,ESTABLISHED -j ACCEPT
#allow dns
iptables -A INPUT -s ! 10.0.0.0/24 -p udp --dport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p udp --dport 53 -m state --state NEW,ESTABLISHED -j ACCEPT
#outgoing ssh
iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 22 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
#telnet out
iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 23 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 23 -m state --state NEW,ESTABLISHED -j ACCEPT
#smtp
iptables -t nat -A PREROUTING -s ! 192.168.0.0/24 -d 192.168.0.0/24 -p tcp --dport 22 -j DNAT --to 10.0.0.2
iptables -A FORWARD -i eth0 iptables -A FORWARD -i eth1
iptables -A FORWARD -o eth0 iptables -A FORWARD -o eth1
iptables -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 25 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 25 -m state --state NEW,ESTABLISHED -j ACCEPT
#nameserver out
iptables -t filter -A INPUT -s ! 10.0.0.0/24 -p tcp --dport 42 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -s 10.0.0.0/24 -d ! 10.0.0.0/24 -p tcp --dport 42 -m state --state NEW,ESTABLISHED -j ACCEPT
#masquerading
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d ! 10.0.0.0/24 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.0.0.0/24 -d 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -s ! 10.0.0.0/24 -d 10.0.0.0/24 -p icmp -j LOG
#icmp
iptables -A INPUT -s ! 10.0.0.0/24 -d 10.0.0.0/24 -p icmp -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -s 10.0.0.0/24 -d ! 10.0.0.0/24 -m state --state NEW,ESTABLISHED -j ACCEPT
#drop
iptables -A INPUT -p tcp -s ! 10.0.0.0/24 -m state --state NEW -j LOG
iptables -A INPUT -p tcp -s ! 10.0.0.0/24 -m state --state NEW -j DROP
iptables -A INPUT -p udp -s ! 10.0.0.0/24 -m state --state NEW -j LOG
iptables -A INPUT -p udp -s ! 10.0.0.0/24 -m state --state NEW -j DROP
Righteo I need to figure out how to forward port 25 to 10.0.0.2 from eth1 call eth1's ip 192.168.0.1 for argument's sake and eth0's 10.0.0.33.
Can someone please tell me how the the hell I do this?
Brian
More information about the ILUG
mailing list Read this without the formatting . 
