Re: Check my firewall please?

It's cool (I think).
What's wrong with it, from your point of view?


On 4/21/06, Asfand Yar Qazi <ayqazi@xxxxxxxxx> wrote:
> Sorry if you get so many of these posts, but I'd be grateful if you
> could check my firewall/NAT rules on my box which now acts as an ADSL
> router:
>
> #!/bin/bash
>
> MYADDR=89.145.208.16
>
> function pppnat()
> {
>        # Source NAT on ppp0 - change source address of packets sent
>        # out to the address on interface ppp0
>
>        # The following iptables command should only be used to change
>        # the source IP for dynamically allocated IP addresses, as it
>        # forgets existing connections if the link goes down.
>        # iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE || klear
>
>        iptables -t nat -A POSTROUTING -o ppp0 -j SNAT --to ${MYADDR}
>
>        # Port-forward 22 onto big (so ssh works).
>        iptables -t nat -A PREROUTING -p tcp --dport 22 -i ppp0 \
>                                      -j DNAT --to 10.0.0.1
>
>        # Port-forward 12003 onto suhaib (so azureus works properly).
>        iptables -t nat -A PREROUTING -p tcp --dport 12003 -i ppp0 \
>                                      -j DNAT --to 10.0.0.3
> }
>
> function pppfilter()
> {
>
>        iptables -N pppfilter || klear
>
>        # Accept connections that do not originate from ppp0
>        iptables -A pppfilter -m state --state NEW ! -i ppp0 -j ACCEPT || klear
>
>        # Accept packets from ppp0 for connections that already exist
>        iptables -A pppfilter -m state --state ESTABLISHED,RELATED \
>                              -j ACCEPT || klear
>
>        # Log NEW ssh connect attempts from ppp0
>        iptables -A pppfilter -p tcp --dport 22 \
>                              -m state --state NEW \
>                              -i ppp0 \
>                              -j LOG --log-prefix="[ssh] " || klear
>
>        # Accept ssh packets from ppp0
>        # TODO: only accept ssh packets from work IP
>        iptables -A pppfilter -p tcp --dport 22 -j ACCEPT || klear
>
>        # Log all new connection attempts
>        # Not needed really, is it?...
>        # iptables -A pppfilter -m state --state NEW \
>        #                       -m limit --limit 10/minute -i ppp0 \
>        #                       -j LOG --log-prefix="[block addr] " || klear
>
>        # Reject everything not already accepted
>        iptables -A pppfilter -j REJECT || klear
>
>
>        # Jump to that chain from INPUT and FORWARD chains.
>        iptables -A INPUT -j pppfilter || klear
>        iptables -A FORWARD -j pppfilter || klear
> }
>
> pppnat
> pppfilter
>
>


--
Syed Kashif Ali Bukhari
+92-300-4295604
Network Engineer
Beaconhouse IT Services, Lahore Pakistan
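The quoted ruleset has one real hole that the reply above does not pick up. The pppfilter chain is reached from both INPUT and FORWARD and accepts NEW connections only when they do not arrive on ppp0, or when they are ssh. The azureus packets that PREROUTING DNATs to 10.0.0.3 still arrive on ppp0 and are still in state NEW when FORWARD runs, so they fall through to the final REJECT: the port-forward for 12003 never passes traffic. Smaller points: the ssh LOG rule has no rate limit, so a scanner can fill the log; the TODO to restrict ssh to the work address is open; and klear is called on every failure but never defined in the script. The script below is an added, corrected version written for this page; it is not the poster's script. It keeps the addresses and interfaces from the post, assumes klear means "tear the chain down and abort", uses WORK_IP as a placeholder (a TEST-NET-3 address) for the work IP the TODO refers to, and runs in dry-run mode (IPTABLES=echo) unless IPTABLES=iptables is set.

```shell
#!/bin/bash
# Added example, not the original poster's script.  Dry-run by default:
# IPTABLES=iptables ./this.sh applies the rules for real.
set -u

IPTABLES=${IPTABLES:-echo}
MYADDR=${MYADDR:-89.145.208.16}    # static address on ppp0, from the post
WAN=ppp0
SSH_HOST=10.0.0.1                  # "big"
BT_HOST=10.0.0.3                   # "suhaib"
BT_PORT=12003
WORK_IP=${WORK_IP:-203.0.113.10}   # assumption: the only source allowed to ssh in

# The post calls klear on failure but never defines it.  Assumed meaning:
# remove the half-built chain so the box is not left half-filtered, then stop.
klear() {
    echo "rule failed, removing pppfilter" >&2
    $IPTABLES -D INPUT -j pppfilter 2>/dev/null
    $IPTABLES -D FORWARD -j pppfilter 2>/dev/null
    $IPTABLES -F pppfilter 2>/dev/null
    $IPTABLES -X pppfilter 2>/dev/null
    exit 1
}

pppnat() {
    # Static address, so SNAT rather than MASQUERADE (as the post notes).
    $IPTABLES -t nat -A POSTROUTING -o "$WAN" -j SNAT --to-source "$MYADDR" || klear
    $IPTABLES -t nat -A PREROUTING -i "$WAN" -p tcp --dport 22 \
        -j DNAT --to-destination "$SSH_HOST" || klear
    $IPTABLES -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$BT_PORT" \
        -j DNAT --to-destination "$BT_HOST" || klear
}

pppfilter() {
    $IPTABLES -N pppfilter || klear
    # Anything not arriving on the WAN link (LAN, loopback) may open connections.
    $IPTABLES -A pppfilter ! -i "$WAN" -m conntrack --ctstate NEW -j ACCEPT || klear
    $IPTABLES -A pppfilter -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT || klear
    # ssh from the WAN: log with a rate limit, accept only from WORK_IP.  Because
    # pppfilter hangs off INPUT and FORWARD, this covers both the router itself
    # and the DNAT'd path to SSH_HOST; every other source falls to REJECT below.
    $IPTABLES -A pppfilter -i "$WAN" -s "$WORK_IP" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -m limit --limit 6/minute \
        -j LOG --log-prefix "[ssh] " || klear
    $IPTABLES -A pppfilter -i "$WAN" -s "$WORK_IP" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT || klear
    # The rule the posted chain lacks: after DNAT the azureus packets traverse
    # FORWARD as NEW from ppp0, so without this they hit the final REJECT.
    $IPTABLES -A pppfilter -i "$WAN" -d "$BT_HOST" -p tcp --dport "$BT_PORT" \
        -m conntrack --ctstate NEW -j ACCEPT || klear
    $IPTABLES -A pppfilter -j REJECT || klear

    $IPTABLES -A INPUT -j pppfilter || klear
    $IPTABLES -A FORWARD -j pppfilter || klear
}

pppnat && pppfilter
```

Run it once with the default IPTABLES=echo and read the generated rules: the 12003 ACCEPT must appear before the REJECT, and no ssh ACCEPT should exist without the -s match. Only then run it with IPTABLES=iptables. Rerunning it on a box that already has a pppfilter chain fails at -N, which is what triggers klear; flush the old chain first rather than appending a second copy.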


