Re: Problem with router connected to two ISPs (connection marking?)

[Gáspár Lajos <swifty@xxxxxxxxxxx>]

> Hi there
>   
...
> here is the iptables script: ------------------------
>
> EXTINT=eth0
> DMZ=eth1
> INTERN=eth2
>
> MAIL=1.0.0.1
> WWW=1.0.0.2
> MAIL2=2.0.0.1
> WWW2=2.0.0.2
>
> INT_WWW=192.168.1.16
>
> $IPT -P INPUT DROP
> $IPT -F INPUT
> $IPT -P OUTPUT ACCEPT
> $IPT -F OUTPUT
> $IPT -P FORWARD ACCEPT
> $IPT -F FORWARD
>
> $IPT -t filter -N keep_state
> $IPT -t filter -A keep_state -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -t filter -A keep_state -j RETURN
>   
-j RETURN <== Not needed if this is the last command of a chain...
> $IPT -t filter -A INPUT -j keep_state
> $IPT -t filter -A OUTPUT -j keep_state
> $IPT -t filter -A FORWARD -j keep_state
>   
It would be a bit simplier:

$IPT -t filter -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
$IPT -t filter -A OUTPUT -j ACCEPT -m state --state ESTABLISHED,RELATED
$IPT -t filter -A FORWARD -j ACCEPT -m state --state ESTABLISHED,RELATED

> $IPT -A INPUT -i lo -j ACCEPT
> $IPT -A INPUT -p icmp -j ACCEPT
> #silently discard all windows related worm attacks
> $IPT -A INPUT -p tcp --destination-port 135:140 -j DROP
> $IPT -A INPUT -p udp --destination-port 135:140 -j DROP
> $IPT -A INPUT -p tcp --destination-port 445 -j DROP
> #drop any traffic incomming on unprivileged ports
> $IPT -A INPUT -p tcp --destination-port ! 1:1024 -j DROP
> $IPT -A INPUT -p udp --destination-port ! 1:1024 -j DROP
> #log any potential scans of privileged ports (ignore port 80)
> $IPT -A INPUT -p tcp --destination-port 80 -j DROP
> $IPT -A INPUT -i $EXTINT -j LOG --log-level info
>
> $IPT -t nat -F
>
>
> # WWW server
> $IPT -t nat -A PREROUTING -d $WWW -p tcp --destination-port 80 -j DNAT --to-destination $INT_WWW
> $IPT -t nat -A PREROUTING -d $WWW2 -p tcp --destination-port 80 -j DNAT --to-destination $INT_WWW
>   
Maybe these lines will help you... :) But if not.... :D

$IPT -t nat -A POSTROUTING -j SNAT -p tcp --dport www -d $WWW 
--to-source $MY_IP
$IPT -t nat -A POSTROUTING -j SNAT -p tcp --dport www -d $WWW 
--to-source $MY_IP
> #masquerade all other outgoing transfers
> $IPT -t nat -A POSTROUTING -o $EXTINT -j MASQUERADE
>
> $IPT -t mangle -F
> $IPT -t mangle -A PREROUTING -i $EXTINT -j CONNMARK --restore-mark
> $IPT -t mangle -A PREROUTING -m connmark --mark 1 -j ACCEPT
> $IPT -t mangle -A PREROUTING -m connmark --mark 2 -j ACCEPT
> $IPT -t mangle -A PREROUTING -i $EXTINT -d 1.0.0.0/29 -j CONNMARK --set-mark 1
> $IPT -t mangle -A PREROUTING -i $EXTINT -d 2.0.0.0/29 -j CONNMARK --set-mark 2
> $IPT -t mangle -A PREROUTING -i $EXTINT -j CONNMARK --save-mark
>
>