iptables+iproute problem

Linux Advanced Routing and Traffic Control

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi there.

I have followed some documents found here and there, but do not have
already success implementing a script using iptables and iproute.

What I need is to send all traffic trough an ADSL line, but mail trough an
expensive and slow DS0. The mail server lies on the PC acting also as
firewall. I include the script. When using that I get some error messages
(I found that the flush command really flushes all, not only routes, but
interfaces too) or, changing it a little, all the traffic goes trough the
ADSL but mail does not go though the DS0 link.

I think there is some subtle error, but this is my first experience with
iproute and I am lost.

If someone could help I would really appreciate it.

By the way, I am using Debian Sarge, with kernel 2.6.8-2-386, iptables
1.2.11-10, iproute 20041019-3

Thanks in advice.

Follows the script:
_________________________________________________________________

#!/bin/sh
#
# rc.firewall-2.4-stronger
#
FWVER=0.81s

#          An example of a stronger IPTABLES firewall with IP Masquerade
#          support for 2.6.x kernels.
#
# Log:
#
#   0.81s - Added some mangled and ip2route rules
#   0.80s - Added a DISABLED ip_nat_irc kernel module section, changed the
#           default of the ip_conntrack_irc to NOT load by default, and
#           added additional kernel module comments
#   0.79s - ruleset now uses modprobe instead of insmod
#   0.78s - REJECT is not a legal policy yet; back to DROP
#   0.77s - Changed the default block behavior to REJECT not DROP
#   0.76s - Added a comment about the OPTIONAL WWW ruleset and a comment
#           where to put optional PORTFW commands
#   0.75s - Added clarification that PPPoE users need to use
#           "ppp0" instead of "eth0" for their external interface
#   0.74s - Changed the EXTIP command to work on NON-English distros
#   0.73s - Added comments in the output section that DHCPd is optional
#           and changed the default settings to disabled
#   0.72s - Changed the filter from the INTNET to the INTIP to be
#           stateful; moved the command VARs to the top and made the
#           rest of the script to use them
#   0.70s - Added a disabled examples for allowing internal DHCP
#           and external WWW access to the server
#   0.63s - Added support for the IRC module
#   0.62s - Initial version based upon the basic 2.4.x rc.firewall


echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n"


# The location of various iptables and other shell programs
#
#   If your Linux distribution came with a copy of iptables, most
#   likely it is located in /sbin.  If you manually compiled
#   iptables, the default location is in /usr/local/sbin
#
# ** Please use the "whereis iptables" command to figure out
# ** where your copy is and change the path below to reflect
# ** your setup
#
IPTABLES=/sbin/iptables
LSMOD=/sbin/lsmod
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
GREP=/bin/grep
AWK=/usr/bin/awk
SED=/bin/sed
IFCONFIG=/sbin/ifconfig


#Setting the EXTERNAL and INTERNAL interfaces for the network
#
#  Each IP Masquerade network needs to have at least one
#  external and one internal network.  The external network
#  is where the natting will occur and the internal network
#  should preferably be addressed with a RFC1918 private address
#  scheme.
#
#  For this example, "eth0" is external and "eth1" is internal"
#
#  NOTE:  If this doesnt EXACTLY fit your configuration, you must
#         change the EXTIF or INTIF variables above. For example:
#
#            If you are a PPPoE or analog modem user:
#
#               EXTIF="ppp0"
#
IFDS0="eth1"
IFADSL="eth2"
IFLAN="eth0"
echo "  External Interfaces:  $IFDS0,$IFADSL"
echo "  Internal Interface:  $IFLAN"
echo "  ---"

# Specify your Static IP address here or let the script take care of it
# for you.
#
#   If you prefer to use STATIC addresses in your firewalls, un-# out the
#   static example below and # out the dynamic line.  If you don't care,
#   just leave this section alone.
#
#   If you have a DYNAMIC IP address, the ruleset already takes care of
#   this for you.  Please note that the different single and double quote
#   characters and the script MATTER.
#
#
#   DHCP users:
#   -----------
#   If you get your TCP/IP address via DHCP, **you will need ** to enable the
#   #ed out command below underneath the PPP section AND replace the word
#   "eth0" with the name of your EXTERNAL Internet connection (ppp0, ippp0,
#   etc) on the lines for "ppp-ip" and "extip".  You should also note that
the
#   DHCP server can and will change IP addresses on you.  To deal with this,
#   users should configure their DHCP client to re-run the rc.firewall
ruleset
#   everytime the DHCP lease is renewed.
#
#     NOTE #1:  Some DHCP clients like the original "pump" (the newer
#               versions have been fixed) did NOT have the ability to run
#               scripts after a lease-renew.  Because of this, you need to
#               replace it with something like "dhcpcd" or "dhclient".
#
#     NOTE #2:  The syntax for "dhcpcd" has changed in recent versions.
#
#               Older versions used syntax like:
#                         dhcpcd -c /etc/rc.d/rc.firewall eth0
#
#               Newer versions execute a file called
/etc/dhcpc/dhcpcd-eth0.exe
#
#     NOTE #3:  For Pump users, put the following line in /etc/pump.conf:
#
#                   script /etc/rc.d/rc.firewall
#
#   PPP users:
#   ----------
#   If you aren't already aware, the /etc/ppp/ip-up script is always run when
#   a PPP connection comes up.  Because of this, we can make the ruleset
go and
#   get the new PPP IP address and update the strong firewall ruleset.
#
#   If the /etc/ppp/ip-up file already exists, you should edit it and add
a line
#   containing "/etc/rc.d/rc.firewall" near the end of the file.
#
#   If you don't already have a /etc/ppp/ip-up sccript, you need to create
the
#   following link to run the /etc/rc.d/rc.firewall script.
#
#       ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up
#
#   * You then want to enable the #ed out shell command below *
#
#
# Determine the external IP automatically:
# ----------------------------------------
#
#  The following line will determine your external IP address.  This
#  line is somewhat complex and confusing but it will also work for
#  all NON-English Linux distributions:
#
#EXTIP1="`$IFCONFIG $EXTIF1 | $AWK \
# /$EXTIF1/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"


# For users who wish to use STATIC IP addresses:
#
#  # out the EXTIP line above and un-# out the EXTIP line below
#
IPDS0="200.36.148.163"
NETDS0="200.36.148.160/27"
GWDS0="200.36.148.161"
IPADSL="172.16.0.49"
NETADSL="172.16.0.0/16"
GWADSL="172.16.0.1"
echo "  External IP1: $IPDS0"
echo "  External IP2: $IPADSL"
echo "  ---"

# Assign the internal TCP/IP network and IP address
NETLAN="10.0.0.0/8"
IPLAN="10.1.200.49/8"
echo "  Internal Network: $NETLAN"
echo "  Internal IP:      $IPLAN"
echo "  ---"

# Setting a few other local variables
#
UNIVERSE="0.0.0.0/0"
localnet="128.0.0.0/8"


# Building routes
# Flush all
#ip route flush default
#ip route flush all
#ip link set $IFLAN up
#ip link set $IFDS0 up
#ip link set $IFADSL up
#ip link set lo up
/etc/init.d/ruteo


# Build general routes
ip route add $localnet dev lo
ip route add $NETLAN dev $IFLAN
ip route add $IPDS0 dev $IFDS0 src $IPDS0
ip route add $IPADSL dev $IFADSL src $IPADSL
echo 211 TDS0 >> /etc/iproute2/rt_tables
ip route add $NETDS0 dev $IFDS0 src $IPDS0 table TDS0
ip route add default via $GWDS0 table TDS0
echo 212 TADSL >> /etc/iproute2/rt_tables
ip route add $NETADSL dev $IFADSL src $IPADSL table TADSL
#ip route add default via $GWADSL table TADSL
#echo "# Routing mail packets"
#$IPTABLES -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 1
#ip rule add fwmark 1 table TDS0
#ip route add default via $GWADSL
ip route add from $IPDS0 table TDS0
ip route add from $IPADSL table TADSL

ip route add $NETLAN dev $IFLAN table TDS0
ip route add $NETADSL dev $IFADSL table TDS0
ip route add $localnet dev lo table TDS0

ip route add $NETLAN dev $IFLAN table TADSL
ip route add $NETDS0 dev $IFDS0 table TADSL
ip route add $localnet dev lo table TADSL

#======================================================================
#== No editing beyond this line is required for initial MASQ testing ==

# Need to verify that all modules have all required dependencies
#
echo "  - Verifying that all kernel modules are ok"
$DEPMOD -a

echo -en "    Loading kernel modules: "

# With the new IPTABLES code, the core MASQ functionality is now either
# modular or compiled into the kernel.  This HOWTO shows ALL IPTABLES
# options as MODULES.  If your kernel is compiled correctly, there is
# NO need to load the kernel modules manually.
#
#  NOTE: The following items are listed ONLY for informational reasons.
#        There is no reason to manual load these modules unless your
#        kernel is either mis-configured or you intentionally disabled
#        the kernel module autoloader.
#

# Upon the commands of starting up IP Masq on the server, the
# following kernel modules will be automatically loaded:
#
# NOTE:  Only load the IP MASQ modules you need.  All current IP MASQ
#        modules are shown below but are commented out from loading.
# ===============================================================

#Load the main body of the IPTABLES module - "ip_tables"
#  - Loaded automatically when the "iptables" command is invoked
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_tables, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_tables | $AWK {'print $1'} `" ]; then
   $MODPROBE ip_tables
fi


#Load the IPTABLES filtering module - "iptable_filter"
#
#  - Loaded automatically when filter policies are activated


#Load the stateful connection tracking framework - "ip_conntrack"
#
# The conntrack  module in itself does nothing without other specific
# conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
# module
#
#  - This module is loaded automatically when MASQ functionality is
#    enabled
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "ip_conntrack, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {'print $1'} `" ]; then
   $MODPROBE ip_conntrack
fi


#Load the FTP tracking mechanism for full FTP tracking
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -e "ip_conntrack_ftp, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {'print $1'} `" ]; then
   $MODPROBE ip_conntrack_ftp
fi


#Load the IRC tracking mechanism for full IRC tracking
#
# Disabled by default -- insert a "#" on the next few lines to activate
#
# echo -en "                             ip_conntrack_irc, "
#
#Verify the module isn't loaded.  If it is, skip it
#
# if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {'print $1'} `" ]; then
#    $MODPROBE ip_conntrack_irc
# fi


#Load the general IPTABLES NAT code - "iptable_nat"
#  - Loaded automatically when MASQ functionality is turned on
#
#  - Loaded manually to clean up kernel auto-loading timing issues
#
echo -en "iptable_nat, "
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {'print $1'} `" ]; then
   $MODPROBE iptable_nat
fi


#Loads the FTP NAT functionality into the core IPTABLES code
# Required to support non-PASV FTP.
#
# Enabled by default -- insert a "#" on the next line to deactivate
#
echo -e "ip_nat_ftp"
#
#Verify the module isn't loaded.  If it is, skip it
#
if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {'print $1'} `" ]; then
   $MODPROBE ip_nat_ftp
fi


#Loads the IRC NAT functionality (for DCC) into the core IPTABLES code
#
# DISABLED by default -- delete the "#" on the next few lines to activate
#
# echo -e "ip_nat_irc"
#
#Verify the module isn't loaded.  If it is, skip it
#
# if [ -z "` $LSMOD | $GREP ip_nat_irc | $AWK {'print $1'} `" ]; then
#    $MODPROBE ip_nat_irc
# fi


echo "  ---"

# Just to be complete, here is a partial list of some of the other
# IPTABLES kernel modules and their function.  Please note that most
# of these modules (the ipt ones) are automatically loaded by the
# master kernel module for proper operation and don't need to be
# manually loaded.
# --------------------------------------------------------------------
#
#    ip_nat_snmp_basic - this module allows for proper NATing of some
#                        SNMP traffic
#
#    iptable_mangle    - this target allows for packets to be
#                        manipulated for things like the TCPMSS
#                        option, etc.
#
# --
#
#    ipt_mark       - this target marks a given packet for future action.
#                     This automatically loads the ipt_MARK module
#
#    ipt_tcpmss     - this target allows to manipulate the TCP MSS
#                     option for braindead remote firewalls.
#                     This automatically loads the ipt_TCPMSS module
#
#    ipt_limit      - this target allows for packets to be limited to
#                     to many hits per sec/min/hr
#
#    ipt_multiport  - this match allows for targets within a range
#                     of port numbers vs. listing each port individually
#
#    ipt_state      - this match allows to catch packets with various
#                     IP and TCP flags set/unset
#
#    ipt_unclean    - this match allows to catch packets that have invalid
#                     IP/TCP flags set
#
#    iptable_filter - this module allows for packets to be DROPped,
#                     REJECTed, or LOGged.  This module automatically
#                     loads the following modules:
#
#                     ipt_LOG - this target allows for packets to be
#                               logged
#
#                     ipt_REJECT - this target DROPs the packet and returns
#                                  a configurable ICMP packet back to the
#                                  sender.


#CRITICAL:  Enable IP forwarding since it is disabled by default since
#
#           Redhat Users:  you may try changing the options in
#                          /etc/sysconfig/network from:
#
#                       FORWARD_IPV4=false
#                             to
#                       FORWARD_IPV4=true
#
echo "  Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward


# Dynamic IP users:
#
#   If you get your IP address dynamically from SLIP, PPP, or DHCP,
#   enable the following option.  This enables dynamic-address hacking
#   which makes the life with Diald and similar programs much easier.
#
#echo "  Enabling DynamicAddr.."
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

#echo "  ---"

#############################################################################
#
# Enable Stronger IP forwarding and Masquerading
#
#  NOTE:  In IPTABLES speak, IP Masquerading is a form of SourceNAT or SNAT.
#
#  NOTE #2:  The following is an example for an internal LAN address in the
#            192.168.1.x network with a 255.255.255.0 or a "24" bit subnet
#            mask connecting to the Internet on external interface "eth0".
#            This example will MASQ internal traffic out to the Internet
#            but not allow non-initiated traffic into your internal network.
#
#
#         ** Please change the above network numbers, subnet mask, and your
#         *** Internet connection interface name to match your setup
#

#Clearing any previous configuration
#
#  Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to DROP
#
#    You CANNOT change this to REJECT as it isn't a vaild policy setting.
#    If you want REJECT, you must explictly REJECT at the end of a giving
#    INPUT, OUTPUT, or FORWARD chain
#
echo "  Clearing any existing rules and setting default policy to DROP.."
$IPTABLES -P INPUT DROP
$IPTABLES -F INPUT
$IPTABLES -P OUTPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P FORWARD DROP
$IPTABLES -F FORWARD
$IPTABLES -F -t nat

#Not needed and it will only load the unneeded kernel module
#$IPTABLES -F -t mangle

# Flush the user chain.. if it exists
if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
   $IPTABLES -F drop-and-log-it
fi
#
# Delete all User-specified chains
$IPTABLES -X
#
# Reset all IPTABLES counters
$IPTABLES -Z


#Configuring specific CHAINS for later use in the ruleset
#
#  NOTE:  Some users prefer to have their firewall silently
#         "DROP" packets while others prefer to use "REJECT"
#         to send ICMP error messages back to the remote
#         machine.  The default is "REJECT" but feel free to
#         change this below.
#
# NOTE: Without the --log-level set to "info", every single
#       firewall hit will goto ALL vtys.  This is a very big
#       pain.
#
echo "  Creating a DROP chain.."
$IPTABLES -N drop-and-log-it
$IPTABLES -A drop-and-log-it -j LOG --log-level info
$IPTABLES -A drop-and-log-it -j REJECT

echo "# Routing mail packets"
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 1
$IPTABLES -t mangle -A PREROUTING -p udp --dport 53 -j MARK --set-mark 1
$IPTABLES -t mangle -A PREROUTING -p tcp --dport 53 -j MARK --set-mark 1

ip rule add fwmark 1 table TDS0
ip route add default via $GWDS0 table TDS0

$IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 2

ip rule add fwmark 2 table TADSL
ip route add default via $GWADSL table TADSL

#ip route add default via $GWADSL
#ip route add default via $GWDS0

echo -e "\n   - Loading INPUT rulesets"

#######################################################################
# INPUT: Incoming traffic from various interfaces.  All rulesets are
#        already flushed and set to a default policy of DROP.
#

# loopback interfaces are valid.
#
$IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT


# local interface, local machines, going anywhere is valid
#
$IPTABLES -A INPUT -i $IFLAN -s $NETLAN -d $UNIVERSE -j ACCEPT


# remote interface, claiming to be local machines, IP spoofing, get lost
#
$IPTABLES -A INPUT -i $IFDS0 -s $NETLAN -d $UNIVERSE -j drop-and-log-it
$IPTABLES -A INPUT -i $IFADSL -s $NETLAN -d $UNIVERSE -j drop-and-log-it


# external interface, from any source, for ICMP traffic is valid
#
#  If you would like your machine to "ping" from the Internet,
#  enable this next line
#
$IPTABLES -A INPUT -i $IFDS0 -p ICMP -s $UNIVERSE -d $IPDS0 -j ACCEPT
$IPTABLES -A INPUT -i $IFADSL -p ICMP -s $UNIVERSE -d $IPADSL -j DROP


# remote interface, any source, going to permanent PPP address is valid
#
#$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT


# Allow any related traffic coming back to the MASQ server in
#
$IPTABLES -A INPUT -i $IFDS0 -s $UNIVERSE -d $IPDS0 -m state --state \
 ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $IFADSL -s $UNIVERSE -d $IPADSL -m state --state \
 ESTABLISHED,RELATED -j ACCEPT

# ----- Begin OPTIONAL INPUT Section -----
#

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#
#$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
#$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT

# HTTPd - Enable the following lines if you run an EXTERNAL WWW server
#
#    NOTE:  This is NOT needed for simply enabling PORTFW.  This is ONLY
#           for users that plan on running Apache on the MASQ server itself
#
echo -e "      - Allowing EXTERNAL access to the WWW server"
$IPTABLES -A INPUT -i $IFDS0 -m state --state NEW,ESTABLISHED,RELATED \
 -p tcp -s $UNIVERSE -d $IPDS0 --dport 80 -j ACCEPT

echo -e "      - Allowing EXTERNAL access to the WWW server"
$IPTABLES -A INPUT -i $IFDS0 -m state --state NEW,ESTABLISHED,RELATED \
 -p tcp -s $UNIVERSE -d $IPDS0 --dport 443 -j ACCEPT

echo -e "      - Allowing EXTERNAL access to the SMTP server"
$IPTABLES -A INPUT -i $IFDS0 -m state --state NEW,ESTABLISHED,RELATED \
 -p tcp -s $UNIVERSE -d $IPDS0 --dport 25 -j ACCEPT

echo -e "      - Allowing EXTERNAL access to the DNS server"
$IPTABLES -A INPUT -i $IFDS0 -m state --state NEW,ESTABLISHED,RELATED \
 -p tcp -s $UNIVERSE -d $IPDS0 --dport 53 -j ACCEPT
$IPTABLES -A INPUT -i $IFDS0 -m state --state NEW,ESTABLISHED,RELATED \
 -p udp -s $UNIVERSE -d $IPDS0 --dport 53 -j ACCEPT

echo -e "      - Allowing EXTERNAL access to the SSH server"
$IPTABLES -A INPUT -i $IFDS0 -m state --state NEW,ESTABLISHED,RELATED \
 -p tcp -s $UNIVERSE -d $IPDS0 --dport 22 -j ACCEPT

#echo -e "      - Forcing proxy use"
$IPTABLES -t nat -A PREROUTING -i $IFLAN -p tcp --dport 80 -j REDIRECT
--to-port 3128
#echo -e "proxy 2/2"
#$IPTABLES -A OUTPUT -s 127.0.0.1 -p tcp --dport 80 -j REDIRECT --to-port
3128

echo -e "      - Allowing EXTERNAL access to the pop port"
$IPTABLES -A INPUT -i $IFDS0 -m state --state NEW,ESTABLISHED,RELATED \
 -p tcp -s $UNIVERSE -d $IPDS0 --dport 110 -j ACCEPT
$IPTABLES -A INPUT -i $IFDS0 -m state --state NEW,ESTABLISHED,RELATED \
 -p tcp -s $UNIVERSE -d $IPDS0 --dport 995 -j ACCEPT

echo -e "      - Allowing EXTERNAL access to the imap port"
$IPTABLES -A INPUT -i $IFDS0 -m state --state NEW,ESTABLISHED,RELATED \
 -p tcp -s $UNIVERSE -d $IPDS0 --dport 143 -j ACCEPT
$IPTABLES -A INPUT -i $IFDS0 -m state --state NEW,ESTABLISHED,RELATED \
 -p tcp -s $UNIVERSE -d $IPDS0 --dport 993 -j ACCEPT


#
# ----- End OPTIONAL INPUT Section -----



# Catch all rule, all other incoming is denied and logged.
#
$IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it


echo -e "   - Loading OUTPUT rulesets"

#######################################################################
# OUTPUT: Outgoing traffic from various interfaces.  All rulesets are
#         already flushed and set to a default policy of DROP.
#

# loopback interface is valid.
#

$IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT

# local interfaces, any source going to local net is valid
#
$IPTABLES -A OUTPUT -o $IFLAN -s $IPLAN -d $NETLAN -j ACCEPT
$IPTABLES -A OUTPUT -o $IFLAN -s $IPDS0 -d $NETLAN -j ACCEPT
$IPTABLES -A OUTPUT -o $IFLAN -s $IPADSL -d $NETLAN -j ACCEPT


# local interface, any source going to local net is valid
#
#$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
#$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP1 -d $INTNET -j ACCEPT
#$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP2 -d $INTNET -j ACCEPT


# outgoing to local net on remote interface, stuffed routing, deny
#
$IPTABLES -A OUTPUT -o $IFDS0 -s $UNIVERSE -d $NETLAN -j drop-and-log-it
$IPTABLES -A OUTPUT -o $IFADSL -s $UNIVERSE -d $NETLAN -j drop-and-log-it


# anything else outgoing on remote interface is valid
#
$IPTABLES -A OUTPUT -o $IFDS0 -s $IPDS0 -d $UNIVERSE -j ACCEPT
$IPTABLES -A OUTPUT -o $IFADSL -s $IPADSL -d $UNIVERSE -j ACCEPT

# Disable reverse path filtering
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter

# ----- Begin OPTIONAL OUTPUT Section -----
#

# DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
#         - Remove BOTH #s all the #s if you need this functionality.
#
#$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \
# -d 255.255.255.255 --dport 68 -j ACCEPT
#$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \
# -d 255.255.255.255 --dport 68 -j ACCEPT

#
# ----- End OPTIONAL OUTPUT Section -----


# Catch all rule, all other outgoing is denied and logged.
#
$IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it


echo -e "   - Loading FORWARD rulesets"

#######################################################################
# FORWARD: Enable Forwarding and thus IPMASQ
#

# ----- Begin OPTIONAL FORWARD Section -----
#
# ----- End OPTIONAL FORWARD Section -----


echo "     - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $IFDS0 -o $IFLAN -m state --state
ESTABLISHED,RELATED \
 -j ACCEPT

echo "     - FWD: Allow all connections OUT and only existing/related IN"
$IPTABLES -A FORWARD -i $IFADSL -o $IFLAN -m state --state
ESTABLISHED,RELATED \
 -j ACCEPT

echo "     - FWD: Allow all connections OUT and only existing/related IN"


# File sharing
# Red de Audio Galaxy
$IPTABLES -A FORWARD -d 64.245.58.0/23 -j REJECT

# GNUtella, Bearshare y ToadNode
$IPTABLES -A FORWARD -p tcp --dport 6346 -j REJECT

# eDonkey
$IPTABLES -A FORWARD -p tcp --dport 4661:4662 -j REJECT
$IPTABLES -A FORWARD -p udp --dport 4665 -j REJECT

# Puertos y redes de Kazaa y Morpheus
$IPTABLES -A FORWARD -p tcp --dport 1214 -j REJECT
$IPTABLES -A FORWARD -d 213.248.112.0/24 -j REJECT
$IPTABLES -A FORWARD -d 206.142.53.0/24 -j REJECT

# Red de Napigator
$IPTABLES -A FORWARD -d 209.25.178.0/24 -j REJECT

# Red de Napster
$IPTABLES -A FORWARD -d 64.124.41.0/24 -j REJECT

# Redes de WinMX
$IPTABLES -A FORWARD -d 209.61.186.0/24 -j REJECT
$IPTABLES -A FORWARD -d 64.49.201.0/24 -j REJECT

# Red de IMesh
$IPTABLES -A FORWARD -d 216.35.208.0/24 -j REJECT

# Messaging
# AIM e ICQ
$IPTABLES -A FORWARD -p tcp --dport 9898 -j REJECT
$IPTABLES -A FORWARD -p tcp --dport 5190:5193 -j REJECT
$IPTABLES -A FORWARD -d login.oscar.aol.com -j REJECT
$IPTABLES -A FORWARD -d login.icq.com -j REJECT

# Jabber
$IPTABLES -A FORWARD -p tcp --dport 5222:5223 -j REJECT

# MSN Messenger
#$IPTABLES -A FORWARD -p tcp --dport 1863 -j REJECT
#$IPTABLES -A FORWARD -d 64.4.13.0/24 -j REJECT

# Yahoo! Messenger
#$IPTABLES -A FORWARD -p tcp --dport 5000:5010 -j REJECT
#$IPTABLES -A FORWARD -d cs.yahoo.com -j REJECT
#$IPTABLES -A FORWARD -d scsa.yahoo.com -j REJECT

#Blocking Batanga
$IPTABLES -A FORWARD -d 66.45.7.228 -j REJECT


#Blocking Randex-D worm
$IPTABLES -A INPUT -s 68.192.170.235 -j REJECT
$IPTABLES -A FORWARD -d 68.192.170.235 -j REJECT


$IPTABLES -A FORWARD -i $IFLAN -o $IFADSL -j ACCEPT
#$IPTABLES -A FORWARD -i $IFLAN -o $IFDS0 -j ACCEPT

# Catch all rule, all other forwarding is denied and logged.
#
$IPTABLES -A FORWARD -j drop-and-log-it


echo "     - NAT: Enabling SNAT (MASQUERADE) functionality on $IFDS0,
$IFADSL"
#
#More liberal form
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#
#Stricter form
$IPTABLES -t nat -A POSTROUTING -o $IFADSL -j SNAT --to $IPADSL
#$IPTABLES -t nat -A POSTROUTING -o $IFDS0 -j SNAT --to $IPDS0


#######################################################################
echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n"


_______________________________________________
LARTC mailing list
LARTC@xxxxxxxxxxxxxxx
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

[Index of Archives]     [LARTC Home Page]     [Netfilter]     [Netfilter Development]     [Network Development]     [Bugtraq]     [GCC Help]     [Yosemite News]     [Linux Kernel]     [Fedora Users]
  Powered by Linux