Sorry. Had a production problem to attend to. Here is the code sample I promised. This code has been necessisarily sanitized, but you should be able to adapt it as I did. ================= BEGIN SCRIPT ================= #!/bin/sh # # Taken originally from: # rc.DMZ.firewall - DMZ IP Firewall script for Linux 2.4.x # # Author: Oskar Andreasson <blueflux@koffein.net> # (c) of BoingWorld.com, use at your own risk, do whatever you please with # it as long as you don't distribute this without due credits to # BoingWorld.com # #Modification history # # 2001/10/18 - bsh - begin mods to BoingWorld sample # 2001/10/21 - bsh - prep'd eth0 for virtual IPs for DNAT # 2001/10/22 - bsh - fixed inbound VPN # # ##### echo "rc.firewall - v1.6 - bsh" #eth0 interface (public) echo " Init variables" INET_IP="AAA.BBB.CCC.DDD" INET_NET="AAA.BBB.CCC.DDD/24" INET_IFACE="eth0" # DNAT Vars VPN_IP="AAA.BBB.CCC.001" LAN_VPN_IP="192.168.0.100" SERVERW_IP="AAA.BBB.CCC.002" LAN_SERVERW_IP="192.168.0.105" SERVERZ_IP="AAA.BBB.CCC.003" LAN_SERVERZ_IP="192.168.0.110" SERVERY_IP="AAA.BBB.CCC.004" LAN_SERVERY_IP="192.168.0.120" COLOFW_IP="AAA.BBB.CCC.DDD" SERVERX_IP="AAA.BBB.CCC.005" LAN_SERVERX_IP="192.168.0.20" #eth1 interface (private) LAN_IP="192.168.0.1" LAN_NET="192.168.0.0/24" LAN_IFACE="eth1" LO_IP="127.0.0.1" LO_IFACE="lo" IPTABLES=`which iptables` ########################################### # # Load all required IPTables modules # # # Needed to initially load modules echo " Load modules" /sbin/depmod -a # # Adds some iptables targets like LOG, REJECT and MASQUARADE. # /sbin/modprobe ipt_LOG /sbin/modprobe ipt_MASQUERADE /sbin/modprobe ip_tables /sbin/modprobe iptable_nat /sbin/modprobe ip_conntrack /sbin/modprobe ip_conntrack_ftp /sbin/modprobe ip_nat_ftp #/sbin/modprobe ip_gre #/sbin/modprobe ip_conntrack_irc #CRITICAL: Enable IP forwarding since it is disabled by default. 
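#
# Sanity check the iptables binary resolved above. `which` prints nothing
# when the tool is missing, and an empty $IPTABLES would turn every rule
# line below into a command called "-A"/"-P"; abort early instead.
#
die() {
  printf '%s\n' "$*" >&2
  exit 1
}
IPTABLES=${IPTABLES:-$(command -v iptables)}
[ -n "$IPTABLES" ] || die "rc.firewall: iptables binary not found"

###########################################
#
# Chain policies get set up before any bad packets get through.
#
# Ordering: the chains are flushed and set to DROP *before* IP forwarding
# is switched on, so there is no window in which the kernel forwards with
# an inherited (possibly ACCEPT) FORWARD policy.
#
echo " Begin Default Policies"
"$IPTABLES" -F
"$IPTABLES" -t nat -F
"$IPTABLES" -X
# A failed policy change would leave the box open; do not continue past it.
"$IPTABLES" -P INPUT DROP   || die "rc.firewall: cannot set INPUT policy"
"$IPTABLES" -P OUTPUT DROP  || die "rc.firewall: cannot set OUTPUT policy"
"$IPTABLES" -P FORWARD DROP || die "rc.firewall: cannot set FORWARD policy"

#
# CRITICAL: Enable IP forwarding since it is disabled by default.
# Done only now that every chain policy is DROP.
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Dynamic IP users:
#
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Enable logging for all transactions
# WARNING - This is VERY resource intensive
# LOG to /var/log/messages
#
#$IPTABLES -A INPUT -j LOG --log-prefix "***IN> "
#$IPTABLES -A OUTPUT -j LOG --log-prefix "***OUT> "
#$IPTABLES -A FORWARD -j LOG --log-prefix "***FWD> "

#
# The "allowed" chain for TCP connections, utilized in the FORWARD chain.
# It passes new SYNs and established/related TCP and drops everything
# else -- including non-TCP protocols such as GRE, so never send those here.
#
echo " define table: allowed"
"$IPTABLES" -N allowed
"$IPTABLES" -F allowed
"$IPTABLES" -A allowed -p TCP --syn -j ACCEPT
"$IPTABLES" -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A allowed -p ALL -j DROP

#
# ICMP rules, utilized in the FORWARD and INPUT chains.
#
# NOTE(review): the final catch-all ACCEPT below makes the per-type lines
# (including the echo-request one marked as a DoS risk) redundant; if the
# intent is to restrict ICMP, that catch-all is the line to revisit.
#
echo " define table: icmp_packets"
"$IPTABLES" -N icmp_packets
"$IPTABLES" -F icmp_packets
#$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
#$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
#$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
#DANGER DoS!
"$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
#$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
"$IPTABLES" -A icmp_packets -p ICMP -j ACCEPT

###########################################
# POSTROUTING chain in the nat table
#
# Enable IP SNAT for all internal networks trying to get out on the Internet.
#
echo " SNAT Setup for Local ($INET_IFACE) --> Inet ($INET_IP)"
"$IPTABLES" -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_IP"
#$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

###########################################
# PREROUTING chain in the nat table
#
# Do some checks for obviously spoofed IPs. The nat table only sees the
# first packet of a connection, which is enough to refuse a new spoofed flow.
#
echo " Prerouting Spoof Rules"
"$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -s 10.0.0.0/8     -j DROP
"$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -s 172.16.0.0/12  -j DROP
"$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -s 192.168.0.0/16 -j DROP

#
# Get rid of undesirables. Dropped here, before DNAT and the routing
# decision, so these ports never reach the INPUT or FORWARD rules at all.
#
echo " Prerouting Drop undesireables"
"$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -p tcp --dport 22      -j DROP
"$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -p tcp --dport 111     -j DROP
"$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -p udp --dport 111     -j DROP
"$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -p tcp --dport 137:139 -j DROP
"$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -p udp --dport 137:139 -j DROP
"$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -p tcp --dport 515     -j DROP
"$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -p udp --dport 768     -j DROP
"$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -p tcp --dport 1024    -j DROP
"$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -p udp --dport 1024    -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p tcp --dport 2301 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -p udp --dport 2301 -j DROP
"$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -d 255.255.255.255 -j DROP

#
# Enable IP Destination NAT for the LAN zone. Only the listed public
# address/port pairs are rewritten; everything else addressed to the
# virtual IPs is left for the INPUT chain.
#
echo " DNAT for $SERVERZ_IP:=$LAN_SERVERZ_IP HTTP public services"
"$IPTABLES" -t nat -A PREROUTING -p TCP -i "$INET_IFACE" -d "$SERVERZ_IP" --dport 80 \
  -j DNAT --to-destination "$LAN_SERVERZ_IP"
echo " DNAT for $SERVERW_IP:=$LAN_SERVERW_IP SMTP public services"
"$IPTABLES" -t nat -A PREROUTING -p TCP -i "$INET_IFACE" -d "$SERVERW_IP" --dport 25 \
  -j DNAT --to-destination "$LAN_SERVERW_IP"
echo " DNAT for $SERVERY_IP:=$LAN_SERVERY_IP SMTP public services"
"$IPTABLES" -t nat -A PREROUTING -p TCP -i "$INET_IFACE" -d "$SERVERY_IP" --dport 25 \
  -j DNAT --to-destination "$LAN_SERVERY_IP"
#echo " DNAT for $VPN_IP:=$LAN_VPN_IP PPTP public services"
# PPTP needs both the TCP control channel (1723) and GRE (protocol 47).
"$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -p tcp -d "$VPN_IP" --dport 1723 \
  -j DNAT --to-destination "$LAN_VPN_IP"
"$IPTABLES" -t nat -A PREROUTING -i "$INET_IFACE" -p 47 -d "$VPN_IP" \
  -j DNAT --to-destination "$LAN_VPN_IP"

###########################################
#
# FORWARD chain
#
# Get rid of bad TCP packets: a NEW connection must start with a SYN.
#
echo " chain FORWARD: drop bad packets"
"$IPTABLES" -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
"$IPTABLES" -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

#
# LAN section
#
# General rules: anything from the LAN may go out.
#
echo " chain FORWARD: generally accepted rules"
"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -j ACCEPT
#$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# The earlier "allow PPTP inbound" workaround
#   $IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -j ACCEPT
# accepted *all* Internet-to-LAN traffic ahead of the per-service rules
# below, so those rules were dead code. The underlying cause was that GRE
# was sent to the "allowed" chain, which drops anything that is not TCP.
# GRE is now accepted directly in the pptp section and the blanket rule
# is gone.
#

#
# Exposed Services
#
echo " chain FORWARD: All traffic to $LAN_SERVERX_IP"
# No DNAT rule in this script maps $SERVERX_IP to $LAN_SERVERX_IP, so this
# rule only takes effect once such a mapping is added.
"$IPTABLES" -A FORWARD -p TCP -i "$INET_IFACE" -o "$LAN_IFACE" -d "$LAN_SERVERX_IP" -j allowed
echo " chain FORWARD: http ($LAN_SERVERZ_IP)"
"$IPTABLES" -A FORWARD -p TCP -i "$INET_IFACE" -o "$LAN_IFACE" -d "$LAN_SERVERZ_IP" --dport 80 -j allowed
echo " chain FORWARD: smtp ($LAN_SERVERW_IP)"
"$IPTABLES" -A FORWARD -p TCP -i "$INET_IFACE" -o "$LAN_IFACE" -d "$LAN_SERVERW_IP" --dport 25 -j allowed
echo " chain FORWARD: smtp ($LAN_SERVERY_IP)"
"$IPTABLES" -A FORWARD -p TCP -i "$INET_IFACE" -o "$LAN_IFACE" -d "$LAN_SERVERY_IP" --dport 25 -j allowed
echo " chain FORWARD: pptp ($LAN_VPN_IP)"
"$IPTABLES" -A FORWARD -p TCP -i "$INET_IFACE" -o "$LAN_IFACE" -d "$LAN_VPN_IP" --dport 1723 -j allowed
# GRE has no ports and is not TCP, so the "allowed" chain would drop it;
# accept it for the VPN host only.
"$IPTABLES" -A FORWARD -p 47 -i "$INET_IFACE" -o "$LAN_IFACE" -d "$LAN_VPN_IP" -j ACCEPT
echo " chain FORWARD: icmp ($LAN_SERVERZ_IP)"
"$IPTABLES" -A FORWARD -p ICMP -i "$INET_IFACE" -o "$LAN_IFACE" -d "$LAN_SERVERZ_IP" -j icmp_packets

#
# LAN section
#
echo " chain FORWARD: traffic destined for the LAN"
"$IPTABLES" -A FORWARD -i "$LAN_IFACE" -j ACCEPT
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# LOG all packets reaching here (rate limited so a flood cannot fill syslog).
#
echo " chain FORWARD: enable LOG"
"$IPTABLES" -A FORWARD -m limit --limit 3/minute --limit-burst 3 \
  -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

###########################################################
#
# Firewall rules
# Rules applying to the firewall box
#
#
# INPUT chain
#
# Packets from the Internet to this box
#
echo " chain INPUT: ICMP"
"$IPTABLES" -A INPUT -p ICMP -i "$INET_IFACE" -j icmp_packets

#
# Packets from LAN or LOCALHOST
#
echo " chain INPUT: Handle packets from LAN and Localhost"
# From LAN Interface to LAN firewall IP
"$IPTABLES" -A INPUT -p ALL -i "$LAN_IFACE" -j ACCEPT
# From Localhost interface to Localhost IP
"$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -d "$LO_IP" -j ACCEPT
#
# NOTE(review): the rule that follows in the INPUT section,
#   $IPTABLES -A INPUT -p ALL -d $VPN_IP -j ACCEPT
# carries no -i, -p or --dport restriction, so any packet to the VPN
# virtual IP that the DNAT rules above did not rewrite (i.e. anything but
# tcp/1723 and GRE) is accepted by the firewall itself. Consider narrowing
# it to the protocols PPTP actually needs.
#
# All established and related packets incoming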
from the internet to the firewall $IPTABLES -A INPUT -p ALL -d $VPN_IP -j ACCEPT $IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A INPUT -p ALL -i $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT # Logging rule $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: " ########################################################### # # OUTPUT chain # # # Allow ourself to send packets not spoofed everywhere # echo " chain OUTPUT: Allow outbound traffic (basically unrestricted)" $IPTABLES -A OUTPUT -p ALL -o $LO_IFACE -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $LAN_IFACE -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -s $INET_IP -j ACCEPT # # Logging rule # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " ================= END SCRIPT ================= -=Berns ------ Bernard Hoffman Director of Software Engineering _ _ _ _ _ _ _ e | Market Capital, Inc. 610-592-0522 http://www.emarketcapital.com -----Original Message----- From: Prem Chandra Kumar.N [mailto:pckumar_n@yahoo.com] Sent: Tuesday, November 27, 2001 10:02 PM To: BHoffman@eMarketCapital.com Cc: security-discuss@linuxsecurity.com Subject: Re: Configuring RedHat Linux 7.1 as a gateway server without IPChains. Dear Berns, I need to configure my Redhat Linux 7.1 as a gateway server through NAT. This server has two NIC' One connected to external Network and Other one connected to Internal Network. I want to allow my Internal Network User's to access internet through this machine. I want to make linux server as Software Router ( similar to NAT configuration in NT). I do not want IPCHAINS. I tried using netcfg, but it Didn't work. Please give me the solution as soon as possible. 
Regards Prem, ----- Original Message ----- From: "Bernard Hoffman" <BHoffman@eMarketCapital.com> To: <security-discuss@linuxsecurity.com> Sent: 27 November 2001 21:06 Subject: RE: Configuring RedHat Linux 7.1 as a gateway server without IPChains. > I just recently completed a basic NAT/Firewall solution with iptables on > RedHat 7.1. If you would like my sample, contact me directly. > > -=Berns > > ------ > Bernard Hoffman > Director of Software Engineering > _ _ _ _ _ _ _ > e | Market Capital, Inc. > 610-592-0522 > http://www.emarketcapital.com > > > -----Original Message----- > From: Prem Chandra Kumar.N [mailto:pckumar_n@yahoo.com] > Sent: Tuesday, November 27, 2001 1:02 AM > To: security-discuss@linuxsecurity.com > Subject: Configuring RedHat Linux 7.1 as a gateway server without > IPChains. > > > > Hi, > I need to configure RedHat Linux 7.1 as a gateway server for allowing my > users to access the internet from my local private network. I want to > configure without IPCHAINS. > I tried using the netcfg utility, but it did not work. > Could anyone please help me configure the same, with an example. > > Regards > Prem Kumar.N > > > ------------------------------------------------------------------------ > To unsubscribe email security-discuss-request@linuxsecurity.com > with "unsubscribe" in the subject of the message. > ------------------------------------------------------------------------ > To unsubscribe email security-discuss-request@linuxsecurity.com > with "unsubscribe" in the subject of the message. > ------------------------------------------------------------------------ To unsubscribe email security-discuss-request@linuxsecurity.com with "unsubscribe" in the subject of the message.