[oclug] Linux 2.4.0 Routing
Bart Trojanowski
bart at nexus.carleton.ca
Thu Jan 11 08:02:45 EST 2001
For iptables see attached.
On Wed, 10 Jan 2001, Dan Cardamore wrote:
> Does anyone know how to do firewalling / masqing with 2.4.0 native ip
> routing (ie, not ipchains)? If you have a script, can you post it
> along?
>
> Dan
> ________________________________________________________________
> Dan Cardamore wombat at hld.ca http://www.hld.ca
> GnuPGP Key: mailto:wombat at hld.ca?subject=sendpgpkey
> Email Stats: http://www.hld.ca/~wombat/emailStats
> Opensource projects: http://opensource.hld.ca
> My Groupware project: http://www.collaboffice.com
> ________________________________________________________________
> _______________________________________________
> oclug mailing list
> oclug at lists.oclug.on.ca
> http://www.oclug.on.ca/mailman/listinfo/oclug
>
--
WebSig: http://www.jukie.net/~bart/sig/
-------------- next part --------------
#!/bin/sh
# * assumption made that your external IP is 24.24.24.24 change it!
# * look for 24.24.24.25 and change it or remove it if you don't use IPSec
# * all addresses that start with 172.16. are internal ones that you can
#   change also
# * you must have iptables compiled and loaded (ip_tables with the filter
#   and nat tables, plus ip_conntrack for the -m state rules).
#
# bart at jukie.net if you have questions.
##############################################################################
# start clean so the script can be re-run: flush and delete every chain
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# the FORWARD chain and the nat rules only see packets if forwarding is on
echo 1 > /proc/sys/net/ipv4/ip_forward
##############################################################################
# setup initial policies
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
##############################################################################
# control funky denial of service attacks: rate limit SYN floods, RST floods
# and ping floods.  Each class RETURNs while under the limit and is DROPped
# once over it; packets of any other type fall out of the chain untouched.
iptables -N simple-dos
iptables -A simple-dos -p tcp --syn -m limit --limit 100/s -j RETURN
iptables -A simple-dos -p tcp --syn -j DROP
iptables -A simple-dos -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 100/s -j RETURN
iptables -A simple-dos -p tcp --tcp-flags SYN,ACK,FIN,RST RST -j DROP
iptables -A simple-dos -p icmp --icmp-type echo-request -m limit --limit 100/s -j RETURN
iptables -A simple-dos -p icmp --icmp-type echo-request -j DROP
# accounting only (no target): counts whatever reached the end of the chain.
# An unconditional "-j DROP" here would also drop every ordinary ACK packet.
iptables -A simple-dos
##############################################################################
# kill all Rogers' sweeps - they bug me
# (iptables masks 24.0.94.130/24 to the /24 network anyway; written so here)
iptables -N no-rogers-scans
iptables -A no-rogers-scans -s 24.0.94.0/24 -j DROP
iptables -A no-rogers-scans -s 24.112.31.0/24 -j DROP
##############################################################################
# allow the friend-ipsec protocols from a trusted host: ESP (protocol 50),
# AH (protocol 51) and IKE (udp 500), and only when addressed to us
iptables -N friend-ipsec
iptables -A friend-ipsec ! -d 24.24.24.24 -j RETURN
iptables -A friend-ipsec -s 24.24.24.25 -p 50 -j ACCEPT
iptables -A friend-ipsec -s 24.24.24.25 -p 51 -j ACCEPT
iptables -A friend-ipsec -s 24.24.24.25 -p udp --sport 500 --dport 500 -j ACCEPT
##############################################################################
# allow local interfaces and machines to transmit freely (not on eth0);
# the caller only sends packets that arrived on interfaces other than eth0
iptables -N in-home-ok
# the router's own address (its packets to itself loop back over lo)
iptables -A in-home-ok -s 24.24.24.24 -j ACCEPT
iptables -A in-home-ok -s 127.0.0.0/8 -j ACCEPT
iptables -A in-home-ok -s 172.16.10.0/24 -j ACCEPT
iptables -A in-home-ok -s 172.16.11.0/24 -j ACCEPT
iptables -A in-home-ok -s 172.16.12.0/24 -j ACCEPT
iptables -A in-home-ok -s 172.16.0.0/24 -j ACCEPT
iptables -A in-home-ok -s 172.16.5.0/24 -j ACCEPT
iptables -A in-home-ok -s 172.16.6.0/24 -j ACCEPT
##############################################################################
# enable some normal ports on the router
iptables -N in-services
iptables -A in-services ! -d 24.24.24.24 -j RETURN
iptables -A in-services -p icmp -j ACCEPT
iptables -A in-services -m state --state ESTABLISHED,RELATED -j ACCEPT
# Never accept on the remote SOURCE port: "-p tcp --sport 7 -j ACCEPT" lets
# anyone reach every TCP port on the router just by binding port 7 locally
# before connecting.  Open services by destination port instead, e.g. sshd
# on the router itself:
#iptables -A in-services -p tcp --dport 22 -m state --state NEW -j ACCEPT
##############################################################################
# forward: the LAN may go out (only from an inside interface, so a spoofed
# 172.16.x source arriving on eth0 is not forwarded); anything addressed to
# the LAN may come in, which from eth0 is only traffic DNATed below.  That
# second rule trusts the upstream never to route 172.16/16 at us; tighten it
# to the DNATed hosts and ports if you only publish a few services.
iptables -N fw-internal
iptables -A fw-internal ! -i eth0 -s 172.16.0.0/16 -j ACCEPT
iptables -A fw-internal -d 172.16.0.0/16 -j ACCEPT
##############################################################################
# leftover ipchains-style TOS rules ("-t andmask xormask"); not valid
# iptables syntax.  The iptables equivalent lives in the mangle table, e.g.
# iptables -t mangle -A OUTPUT -p tcp --dport 22 -j TOS --set-tos Minimize-Delay
#iptables -A OUTPUT -d 0/0 22:22 -p tcp -t 01 10
#iptables -A OUTPUT -d 0/0 22:22 -p udp -t 01 10
#iptables -A OUTPUT -d 0/0 21:21 -p tcp -t 01 10
#iptables -A OUTPUT -s 0/0 20:20 -p tcp -t 01 08
##############################################################################
# accounting chains: a rule with no -j target only bumps its counters, so a
# packet walks these and falls off the end back to the builtin chain, where
# the policy (DROP for INPUT and FORWARD, ACCEPT for OUTPUT) decides its fate
iptables -N in-end
iptables -A in-end -p udp
iptables -A in-end -p tcp
iptables -N fwd-end
iptables -A fwd-end -p udp
iptables -A fwd-end -p tcp
iptables -N out-end
iptables -A out-end -p udp
iptables -A out-end -p tcp
##############################################################################
# flows #
##############################################################################
##############################################################################
# flow for input
iptables -A INPUT -j simple-dos
iptables -A INPUT -j no-rogers-scans
iptables -A INPUT -j friend-ipsec
iptables -A INPUT ! -i eth0 -j in-home-ok
iptables -A INPUT -i eth0 -j in-services
iptables -A INPUT -j in-end
##############################################################################
# flow for forward
iptables -A FORWARD -j simple-dos
iptables -A FORWARD -j no-rogers-scans
iptables -A FORWARD -j fw-internal
iptables -A FORWARD -j fwd-end
##############################################################################
# flow for output
iptables -A OUTPUT -j out-end
##############################################################################
# NAT/Masquerading: rewrite the source of everything leaving eth0 from the
# LAN to our external address (use -j MASQUERADE instead of SNAT if the
# external address is assigned dynamically)
iptables -t nat -A POSTROUTING -s 172.16.0.0/16 -o eth0 -j SNAT --to-source 24.24.24.24
# accounting only (no target): counts every packet passing POSTROUTING
iptables -t nat -A POSTROUTING
##############################################################################
# enable some normal ports on the internal box
# RETURN in nat/PREROUTING ends the chain for that packet (policy ACCEPT, so
# it is left untouched); only packets from eth0 for our own address go on
iptables -t nat -A PREROUTING ! -i eth0 -j RETURN
iptables -t nat -A PREROUTING ! -d 24.24.24.24 -j RETURN
#iptables -t nat -A PREROUTING -p icmp -j ACCEPT
# forward Diablo II port
iptables -t nat -A PREROUTING -p tcp --dport 4000 -j DNAT --to-destination 172.16.10.2:4000
iptables -t nat -A PREROUTING -p udp --dport 4000 -j DNAT --to-destination 172.16.10.2:4000
# forward standard services to an internal IP address.  The FORWARD chain
# must also admit the DNATed packets; here fw-internal's "-d 172.16.0.0/16"
# rule does that.
iptables -t nat -A PREROUTING -p tcp --dport 7 -j DNAT --to-destination 172.16.10.254:7
iptables -t nat -A PREROUTING -p tcp --dport 20 -j DNAT --to-destination 172.16.10.254:20
iptables -t nat -A PREROUTING -p tcp --dport 21 -j DNAT --to-destination 172.16.10.254:21
iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination 172.16.10.254:22
iptables -t nat -A PREROUTING -p tcp --dport 23 -j DNAT --to-destination 172.16.10.254:23
iptables -t nat -A PREROUTING -p tcp --dport 24 -j DNAT --to-destination 172.16.10.254:24
iptables -t nat -A PREROUTING -p tcp --dport 25 -j DNAT --to-destination 172.16.10.254:25
iptables -t nat -A PREROUTING -p tcp --dport 53 -j DNAT --to-destination 172.16.10.254:53
iptables -t nat -A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 172.16.10.254:80
iptables -t nat -A PREROUTING -p tcp --dport 110 -j DNAT --to-destination 172.16.10.254:110
iptables -t nat -A PREROUTING -p udp --sport 1024:65535 --dport 53 -j DNAT --to-destination 172.16.10.254:53
iptables -t nat -A PREROUTING -p udp --sport 53 --dport 53 -j DNAT --to-destination 172.16.10.254:53
iptables -t nat -A PREROUTING
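The attached script publishes each internal service with one DNAT line and then relies on a blanket "accept anything addressed to 172.16.0.0/16" rule in FORWARD. As an added example (not part of Bart's script), the sketch below drives both halves from a single table, so the DNAT rule and the matching FORWARD accept for each service are always emitted together and FORWARD admits only published ports plus reply traffic. EXT_IF, EXT_IP, LAN and the SERVICES table are assumed values; by default it prints the iptables commands instead of loading them.

```shell
#!/bin/sh
# Added example, not part of the script posted to the list.  One table drives
# both the nat PREROUTING DNAT rule and the FORWARD accept for every
# published service.  EXT_IF, EXT_IP, LAN and SERVICES are assumed values.
EXT_IF=${EXT_IF:-eth0}
EXT_IP=${EXT_IP:-24.24.24.24}
LAN=${LAN:-172.16.0.0/16}
# Dry run by default: print the iptables commands instead of loading them.
# Run with IPT=iptables (as root) to load them for real.
IPT=${IPT:-"echo iptables"}

# proto  public-port  internal-host  internal-port   (constructed sample table)
SERVICES='
tcp 22   172.16.10.254 22
tcp 80   172.16.10.254 80
udp 53   172.16.10.254 53
tcp 4000 172.16.10.2   4000
udp 4000 172.16.10.2   4000
'

# Emit the DNAT rule and the matching FORWARD accept for one service.
publish() {
    proto=$1 pub=$2 host=$3 port=$4
    $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p "$proto" --dport "$pub" \
        -j DNAT --to-destination "$host:$port"
    # DNAT has already rewritten the destination by the time FORWARD sees the
    # packet, so match the internal host and port here, not $EXT_IP/$pub.
    $IPT -A FORWARD -i "$EXT_IF" -d "$host" -p "$proto" --dport "$port" \
        -m state --state NEW -j ACCEPT
}

# Whole forwarding policy: the LAN may go out (only from an inside interface,
# so a spoofed 172.16.x source arriving on eth0 is not forwarded), replies may
# come back, and only published services may open new inbound connections.
load_forward() {
    $IPT -A FORWARD ! -i "$EXT_IF" -s "$LAN" -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    printf '%s\n' "$SERVICES" | while read -r proto pub host port; do
        [ -n "$proto" ] || continue     # skip blank lines in the table
        publish "$proto" "$pub" "$host" "$port"
    done
}

load_forward
```

Because FORWARD now only accepts new connections to the hosts and ports that were actually DNATed, adding or removing a service is a one-line change to the table and cannot leave a forwarding hole open on its own.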