(no subject)


 



Here is my rc.firewall that I generated using FW Builder.
I want to add these lines - 
iptables -t nat -A POSTROUTING -p tcp --dport 110 -o eth0 -s $INTERNAL_IP -j
SNAT --to $external_ip
iptables -t nat -A POSTROUTING -p tcp --dport 23 -o eth0 -s $INTERNAL_IP -j
SNAT --to $EXTERNAL_IP
Where in the script should I put these lines, and do I need to follow the same
pattern as the rest of the script?
Thank you
Doug
##############################################
#!/bin/sh 
#
#  This is an automatically generated file. DO NOT MODIFY !
#
#  Firewall Builder  fwb_ipt v1.0.7- 
#
#  Generated Fri Nov 22 17:45:36 2002 CST by root
#
#
#
#
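# Abort the script unless $1 is an executable file.  The diagnostic goes to
# stderr so it stays separate from normal output.
# Arguments: $1 - path of a required tool
# Returns:   0 when $1 is executable; otherwise exits the script with status 1
check() {
  if [ ! -x "$1" ]; then
    printf '%s\n' "$1 not found or is not executable" >&2
    exit 1
  fi
}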

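# Send a message to syslog at priority "info" through $LOGGER; silently do
# nothing when $LOGGER is not an executable.  The same path is tested and
# invoked, so the check cannot pass while a different "logger" is run.
# Arguments: $1 - message text
log() {
  if [ -x "$LOGGER" ]; then
    "$LOGGER" -p info "$1"
  fi
}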

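# Absolute paths of the tools this script depends on (no PATH lookup), then
# refuse to continue if any of the three firewall tools is missing or not
# executable.  $LOGGER is deliberately not checked: log() tests it itself and
# simply skips syslog when it is absent.
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP="/sbin/ip"
LOGGER="/usr/bin/logger"

check "$MODPROBE"
check "$IPTABLES"
check "$IP"

# Work from a fixed directory (the generated script gives no reason; nothing
# visible below uses a relative path).  Exit status 1 matches check().
cd /etc || exit 1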

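# Record the activation in syslog, tagged with this script's generation time.
log "Activating firewall script generated Fri Nov 22 17:45:36 2002 CST by root"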


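# Abort before touching any rule if an interface named in the policy does not
# exist.  Word-splitting of $INTERFACES is intentional: this is POSIX sh, so a
# space-separated list stands in for an array.
INTERFACES="eth0 eth1 lo "
for i in $INTERFACES ; do
  if ! "$IP" link show "$i" > /dev/null 2>&1; then
    printf 'Interface %s does not exist\n' "$i" >&2
    exit 1
  fi
done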


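# Load every connection-tracking and NAT helper module shipped for the running
# kernel.  Module names are taken from the file names in $MODULE_DIR with the
# ".o" / ".o.gz" suffix stripped, and $MODULES keeps the resulting list.
# A glob replaces the earlier `ls | sed` pipeline; an unmatched glob is left
# as the literal pattern, which the -e test skips.
MODULE_DIR="/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/"
MODULES=
for path in "$MODULE_DIR"/*_conntrack_* "$MODULE_DIR"/*_nat_*; do
  [ -e "$path" ] || continue
  module=${path##*/}
  module=${module%%.o*}
  MODULES="$MODULES $module"
  # Only files named <module>.o or <module>.o.gz are modprobe'd; -k is kept
  # as generated (an old modutils option).  Any modprobe failure aborts.
  if [ -e "${MODULE_DIR}/${module}.o" ] || [ -e "${MODULE_DIR}/${module}.o.gz" ]; then
    "$MODPROBE" -k "$module" || exit 1
  fi
done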


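# Snapshot the current forwarding state, then turn forwarding off while the
# rule set is rebuilt; it is switched back on at the end of the script.
# NOTE(review): $FWD is never read again, so the previous state is not
# restored -- forwarding is enabled unconditionally at the end.
read -r FWD < /proc/sys/net/ipv4/ip_forward
echo "0" > /proc/sys/net/ipv4/ip_forward

# Kernel tunables as set by the generator: keep answering ICMP echo
# (0 = do not ignore), 30 s FIN timeout, 1800 s between TCP keepalive probes.
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl

# Drop cached neighbour entries and any addresses labelled "<if>:FWB*"
# (presumably ones added by an earlier Firewall Builder run) on both
# physical interfaces.
"$IP" -4 neigh flush dev eth0
"$IP" -4 addr flush dev eth0 label "eth0:FWB*"
"$IP" -4 neigh flush dev eth1
"$IP" -4 addr flush dev eth1 label "eth1:FWB*"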


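# Default policies first: with every built-in filter chain set to DROP,
# nothing passes while the old rules are flushed and the new ones appended.
"$IPTABLES" -P OUTPUT  DROP
"$IPTABLES" -P INPUT   DROP
"$IPTABLES" -P FORWARD DROP

# Flush every chain of every loaded table (including nat/mangle if present),
# then delete the user-defined chains (-X) so the chain names created below
# start from a clean slate.  Chain names come from the "Chain <name> (...)"
# header lines of `iptables -L -n`; $rest absorbs the trailing fields.
while read -r table; do
  "$IPTABLES" -t "$table" -L -n | while read -r c chain rest; do
    if [ "X$c" = "XChain" ]; then
      "$IPTABLES" -t "$table" -F "$chain"
    fi
  done
  "$IPTABLES" -t "$table" -X
done < /proc/net/ip_tables_names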


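# Stateful fast path: packets belonging to (or related to) a connection the
# tracker already knows are accepted before any per-rule chain is consulted.
# Every later rule therefore only ever sees NEW or INVALID packets.
"$IPTABLES" -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT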

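#
# Rule 0(eth0)
#
# New connections with UDP *source* port 500 entering (INPUT, FORWARD) or
# leaving (OUTPUT, FORWARD) through eth0 are logged and accepted.
# NOTE(review): a source-port-only match is satisfied by any peer that
# chooses to send from port 500, so it admits more than IKE traffic.
#
"$IPTABLES" -N eth0_In_RULE_0
"$IPTABLES" -A INPUT -i eth0 -p udp --source-port 500 -m state --state NEW -j eth0_In_RULE_0
"$IPTABLES" -A FORWARD -i eth0 -p udp --source-port 500 -m state --state NEW -j eth0_In_RULE_0
"$IPTABLES" -A eth0_In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
"$IPTABLES" -A eth0_In_RULE_0 -j ACCEPT
"$IPTABLES" -N eth0_Out_RULE_0
"$IPTABLES" -A OUTPUT -o eth0 -p udp --source-port 500 -m state --state NEW -j eth0_Out_RULE_0
"$IPTABLES" -A FORWARD -o eth0 -p udp --source-port 500 -m state --state NEW -j eth0_Out_RULE_0
"$IPTABLES" -A eth0_Out_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
"$IPTABLES" -A eth0_Out_RULE_0 -j ACCEPT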
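#
# Rule 1(eth0)
#
# New connections to UDP destination port 500 (IKE) in either direction
# through eth0 are logged and accepted.
#
"$IPTABLES" -N eth0_In_RULE_1
"$IPTABLES" -A INPUT -i eth0 -p udp --destination-port 500 -m state --state NEW -j eth0_In_RULE_1
"$IPTABLES" -A FORWARD -i eth0 -p udp --destination-port 500 -m state --state NEW -j eth0_In_RULE_1
"$IPTABLES" -A eth0_In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT "
"$IPTABLES" -A eth0_In_RULE_1 -j ACCEPT
"$IPTABLES" -N eth0_Out_RULE_1
"$IPTABLES" -A OUTPUT -o eth0 -p udp --destination-port 500 -m state --state NEW -j eth0_Out_RULE_1
"$IPTABLES" -A FORWARD -o eth0 -p udp --destination-port 500 -m state --state NEW -j eth0_Out_RULE_1
"$IPTABLES" -A eth0_Out_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- ACCEPT "
"$IPTABLES" -A eth0_Out_RULE_1 -j ACCEPT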
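#
# Rule 2(eth0)
#
# IP protocol 50 (ESP): new flows in either direction through eth0 are
# logged and accepted.
#
"$IPTABLES" -N eth0_In_RULE_2
"$IPTABLES" -A INPUT -i eth0 -p 50 -m state --state NEW -j eth0_In_RULE_2
"$IPTABLES" -A FORWARD -i eth0 -p 50 -m state --state NEW -j eth0_In_RULE_2
"$IPTABLES" -A eth0_In_RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- ACCEPT "
"$IPTABLES" -A eth0_In_RULE_2 -j ACCEPT
"$IPTABLES" -N eth0_Out_RULE_2
"$IPTABLES" -A OUTPUT -o eth0 -p 50 -m state --state NEW -j eth0_Out_RULE_2
"$IPTABLES" -A FORWARD -o eth0 -p 50 -m state --state NEW -j eth0_Out_RULE_2
"$IPTABLES" -A eth0_Out_RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- ACCEPT "
"$IPTABLES" -A eth0_Out_RULE_2 -j ACCEPT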
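#
# Rule 3(eth0)
#
# IP protocol 51 (AH): new flows in either direction through eth0 are
# logged and accepted.
#
"$IPTABLES" -N eth0_In_RULE_3
"$IPTABLES" -A INPUT -i eth0 -p 51 -m state --state NEW -j eth0_In_RULE_3
"$IPTABLES" -A FORWARD -i eth0 -p 51 -m state --state NEW -j eth0_In_RULE_3
"$IPTABLES" -A eth0_In_RULE_3 -j LOG --log-level info --log-prefix "RULE 3 -- ACCEPT "
"$IPTABLES" -A eth0_In_RULE_3 -j ACCEPT
"$IPTABLES" -N eth0_Out_RULE_3
"$IPTABLES" -A OUTPUT -o eth0 -p 51 -m state --state NEW -j eth0_Out_RULE_3
"$IPTABLES" -A FORWARD -o eth0 -p 51 -m state --state NEW -j eth0_Out_RULE_3
"$IPTABLES" -A eth0_Out_RULE_3 -j LOG --log-level info --log-prefix "RULE 3 -- ACCEPT "
"$IPTABLES" -A eth0_Out_RULE_3 -j ACCEPT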
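#
# Rule 4(eth0)
#
# New TCP connections whose *source* port is 110 are logged and accepted in
# both directions through eth0.
# NOTE(review): replies from a POP3 server are already ESTABLISHED and pass
# the state rule at the top of each chain; what this rule additionally admits
# into INPUT/FORWARD is any NEW connection a remote host opens from port 110.
#
"$IPTABLES" -N eth0_In_RULE_4
"$IPTABLES" -A INPUT -i eth0 -p tcp --source-port 110 -m state --state NEW -j eth0_In_RULE_4
"$IPTABLES" -A FORWARD -i eth0 -p tcp --source-port 110 -m state --state NEW -j eth0_In_RULE_4
"$IPTABLES" -A eth0_In_RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- ACCEPT "
"$IPTABLES" -A eth0_In_RULE_4 -j ACCEPT
"$IPTABLES" -N eth0_Out_RULE_4
"$IPTABLES" -A OUTPUT -o eth0 -p tcp --source-port 110 -m state --state NEW -j eth0_Out_RULE_4
"$IPTABLES" -A FORWARD -o eth0 -p tcp --source-port 110 -m state --state NEW -j eth0_Out_RULE_4
"$IPTABLES" -A eth0_Out_RULE_4 -j LOG --log-level info --log-prefix "RULE 4 -- ACCEPT "
"$IPTABLES" -A eth0_Out_RULE_4 -j ACCEPT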
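#
# Rule 5(eth0)
#
# New TCP connections to destination port 110 (POP3) are logged and accepted
# in both directions through eth0.
#
"$IPTABLES" -N eth0_In_RULE_5
"$IPTABLES" -A INPUT -i eth0 -p tcp --destination-port 110 -m state --state NEW -j eth0_In_RULE_5
"$IPTABLES" -A FORWARD -i eth0 -p tcp --destination-port 110 -m state --state NEW -j eth0_In_RULE_5
"$IPTABLES" -A eth0_In_RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT "
"$IPTABLES" -A eth0_In_RULE_5 -j ACCEPT
"$IPTABLES" -N eth0_Out_RULE_5
"$IPTABLES" -A OUTPUT -o eth0 -p tcp --destination-port 110 -m state --state NEW -j eth0_Out_RULE_5
"$IPTABLES" -A FORWARD -o eth0 -p tcp --destination-port 110 -m state --state NEW -j eth0_Out_RULE_5
"$IPTABLES" -A eth0_Out_RULE_5 -j LOG --log-level info --log-prefix "RULE 5 -- ACCEPT "
"$IPTABLES" -A eth0_Out_RULE_5 -j ACCEPT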
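#
# Rule 6(eth0)
#
# New TCP connections to destination port 80 (HTTP) are logged and accepted
# in both directions through eth0.
#
"$IPTABLES" -N eth0_In_RULE_6
"$IPTABLES" -A INPUT -i eth0 -p tcp --destination-port 80 -m state --state NEW -j eth0_In_RULE_6
"$IPTABLES" -A FORWARD -i eth0 -p tcp --destination-port 80 -m state --state NEW -j eth0_In_RULE_6
"$IPTABLES" -A eth0_In_RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- ACCEPT "
"$IPTABLES" -A eth0_In_RULE_6 -j ACCEPT
"$IPTABLES" -N eth0_Out_RULE_6
"$IPTABLES" -A OUTPUT -o eth0 -p tcp --destination-port 80 -m state --state NEW -j eth0_Out_RULE_6
"$IPTABLES" -A FORWARD -o eth0 -p tcp --destination-port 80 -m state --state NEW -j eth0_Out_RULE_6
"$IPTABLES" -A eth0_Out_RULE_6 -j LOG --log-level info --log-prefix "RULE 6 -- ACCEPT "
"$IPTABLES" -A eth0_Out_RULE_6 -j ACCEPT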
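#
# Rule 7(eth0)
#
# New TCP connections with source port 25 *and* destination port 25 are
# logged and accepted in both directions through eth0.  Both ports must
# match, so an SMTP client using an ephemeral source port is not covered.
#
"$IPTABLES" -N eth0_In_RULE_7
"$IPTABLES" -A INPUT -i eth0 -p tcp --source-port 25 --destination-port 25 -m state --state NEW -j eth0_In_RULE_7
"$IPTABLES" -A FORWARD -i eth0 -p tcp --source-port 25 --destination-port 25 -m state --state NEW -j eth0_In_RULE_7
"$IPTABLES" -A eth0_In_RULE_7 -j LOG --log-level info --log-prefix "RULE 7 -- ACCEPT "
"$IPTABLES" -A eth0_In_RULE_7 -j ACCEPT
"$IPTABLES" -N eth0_Out_RULE_7
"$IPTABLES" -A OUTPUT -o eth0 -p tcp --source-port 25 --destination-port 25 -m state --state NEW -j eth0_Out_RULE_7
"$IPTABLES" -A FORWARD -o eth0 -p tcp --source-port 25 --destination-port 25 -m state --state NEW -j eth0_Out_RULE_7
"$IPTABLES" -A eth0_Out_RULE_7 -j LOG --log-level info --log-prefix "RULE 7 -- ACCEPT "
"$IPTABLES" -A eth0_Out_RULE_7 -j ACCEPT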
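#
# Rule 8(eth0)
#
# New connections originating from 192.168.1.1 and leaving through eth0
# (locally generated traffic only: OUTPUT, no FORWARD) are logged and accepted.
#
"$IPTABLES" -N eth0_Out_RULE_8
"$IPTABLES" -A OUTPUT -o eth0 -s 192.168.1.1 -m state --state NEW -j eth0_Out_RULE_8
"$IPTABLES" -A eth0_Out_RULE_8 -j LOG --log-level info --log-prefix "RULE 8 -- ACCEPT "
"$IPTABLES" -A eth0_Out_RULE_8 -j ACCEPT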
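#
# Rule 9(eth0)
#
# New connections from the 192.168.1.0/24 network forwarded out through eth0
# are logged and accepted.  This script writes no nat-table rules, so these
# flows leave with their private source address unless a SNAT/MASQUERADE
# rule is appended after the flush above (which clears every loaded table).
#
"$IPTABLES" -N eth0_Out_RULE_9
"$IPTABLES" -A FORWARD -o eth0 -s 192.168.1.0/24 -m state --state NEW -j eth0_Out_RULE_9
"$IPTABLES" -A eth0_Out_RULE_9 -j LOG --log-level info --log-prefix "RULE 9 -- ACCEPT "
"$IPTABLES" -A eth0_Out_RULE_9 -j ACCEPT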
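#
# Rule 10(eth0)
#
# Everything else entering through eth0 (INPUT and FORWARD, no state match,
# so INVALID packets are included) is logged and dropped.  This is the
# effective default for inbound eth0 traffic not matched by Rules 0-7.
#
"$IPTABLES" -N eth0_In_RULE_10
"$IPTABLES" -A INPUT -i eth0 -j eth0_In_RULE_10
"$IPTABLES" -A FORWARD -i eth0 -j eth0_In_RULE_10
"$IPTABLES" -A eth0_In_RULE_10 -j LOG --log-level info --log-prefix "RULE 10 -- DROP "
"$IPTABLES" -A eth0_In_RULE_10 -j DROP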
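#
# Rule 0(eth1)
#
# Every NEW connection entering or leaving through eth1 is logged and
# accepted, regardless of protocol, port or address.
#
"$IPTABLES" -N eth1_In_RULE_0
"$IPTABLES" -A INPUT -i eth1 -m state --state NEW -j eth1_In_RULE_0
"$IPTABLES" -A FORWARD -i eth1 -m state --state NEW -j eth1_In_RULE_0
"$IPTABLES" -A eth1_In_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
"$IPTABLES" -A eth1_In_RULE_0 -j ACCEPT
"$IPTABLES" -N eth1_Out_RULE_0
"$IPTABLES" -A OUTPUT -o eth1 -m state --state NEW -j eth1_Out_RULE_0
"$IPTABLES" -A FORWARD -o eth1 -m state --state NEW -j eth1_Out_RULE_0
"$IPTABLES" -A eth1_Out_RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
"$IPTABLES" -A eth1_Out_RULE_0 -j ACCEPT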
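#
# Rule 1(eth1)
#
# TCP to destination port 23 (telnet) entering through eth1 is logged and
# dropped.
# NOTE(review): this rule is appended after Rule 0(eth1), which already
# accepts every NEW packet entering eth1, and the ESTABLISHED,RELATED rule at
# the top of the chain accepts the rest, so only packets in other states
# (e.g. INVALID) ever reach it.  To actually block telnet from eth1 this rule
# would have to be ordered before Rule 0(eth1) in the Firewall Builder policy.
#
"$IPTABLES" -N eth1_In_RULE_1
"$IPTABLES" -A INPUT -i eth1 -p tcp --destination-port 23 -j eth1_In_RULE_1
"$IPTABLES" -A FORWARD -i eth1 -p tcp --destination-port 23 -j eth1_In_RULE_1
"$IPTABLES" -A eth1_In_RULE_1 -j LOG --log-level info --log-prefix "RULE 1 -- DROP "
"$IPTABLES" -A eth1_In_RULE_1 -j DROP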
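#
# Rule 0(lo)
#
# allow everything on loopback (no logging, no state match)
#
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -A FORWARD -i lo -j ACCEPT
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT
"$IPTABLES" -A FORWARD -o lo -j ACCEPT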
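#
# Rule 0(global)
#
# 'catch all' rule: anything that reached the end of INPUT, OUTPUT or FORWARD
# without matching an earlier rule is logged and ACCEPTED.
# NOTE(review): because this is appended last and accepts unconditionally,
# the DROP policies set at the top of the script are never reached.  Inbound
# eth0 traffic is still dropped by Rule 10(eth0), but everything leaving via
# eth0 and everything on eth1 not matched above ends up accepted here.
#
"$IPTABLES" -N RULE_0
"$IPTABLES" -A OUTPUT -j RULE_0
"$IPTABLES" -A INPUT -j RULE_0
"$IPTABLES" -A FORWARD -j RULE_0
"$IPTABLES" -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
"$IPTABLES" -A RULE_0 -j ACCEPT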
#
# Re-enable IP forwarding now that the complete rule set is loaded (it was
# turned off near the top of the script while the rules were being rebuilt).
# NOTE(review): this is unconditional; the value saved in $FWD earlier is not
# restored, so forwarding ends up enabled even if it was off before.
echo 1 > /proc/sys/net/ipv4/ip_forward





