From: alivardar@ttnet.net.tr
Date: Fri 28 Feb 2003 - 11:44:42 EET
asagida tum islemler var
eth0 ninternet
eth1 local2(gercek ip numaralari verilmis makinler)
eth2 local network
an saagilarda tanimli olan nat isleminde bir ip ic nete sokulamk isteniyor ancak ic nette pingleme ve portlar buna cevaop verirken internette buna ulasilamaiyor butun ipler geliyor routerda hersey acik
zira gateway makinesine bu ip yi tanımlayıp denegim de ulasılabildi.
#IPTables Configuration.
IPTABLES="/sbin/iptables"
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
#Modul yukleme islemleri
/sbin/depmod -a
#Gerekli moduller
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#ip forwarding acildi
echo "1" > /proc/sys/net/ipv4/ip_forward
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -N bad_tcp_packets
# Create separate chains for ICMP, TCP and UDP to traverse
$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# bad_tcp_packets chain
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# allowed chain kontrol et
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
# ICMP rules
# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# Bad TCP packets we don't want
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
# Packets from the Internet to this box
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
# From DMZ Interface to DMZ firewall IP
$IPTABLES -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT
# From LAN Interface to LAN firewall IP
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
# From Localhost interface to Localhost IP's
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
# All established and related packets incoming from the internet to the
# firewall
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
# Log weird packets that don't match the above.
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "
# Bad TCP packets we don't want
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
# DMZ section
# General rules
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -o $INET_IFACE -j ACCEPT
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
# HTTP server
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
--dport 27022 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP \
-j icmp_packets
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP_ATHENA \
--dport 80 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_HTTP_IP_ATHENA \
-j icmp_packets
#Transparent proxy forward
#$IPTABLES -A FORWARD -p TCP -i $LAN_IFACE -o $DMZ_IFACE -d $DMZ_SQUID_IP \
#--dport 80 -j allowed
#$IPTABLES -A FORWARD -p TCP -i $LAN_IFACE -o $DMZ_IFACE -d $DMZ_SQUID_IP \
#--dport 443 -j allowed
#$IPTABLES -A FORWARD -p ICMP -i $LAN_IFACE -o $DMZ_IFACE -d $DMZ_SQUID_IP \
#-j icmp_packets
# SMTP Server
# odin
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_SMTP_IP1 \
--dport 25 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_SMTP_IP1 \
-j icmp_packets
# athena
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_SMTP_IP2 \
--dport 25 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_SMTP_IP2 \
-j icmp_packets
# IMAP Servers
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_IMAP_IP1 \
--dport 143 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_IMAP_IP1 \
-j icmp_packets
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_IMAP_IP2 \
--dport 143 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_IMAP_IP2 \
-j icmp_packets
# POP
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_POP_IP1 \
--dport 110 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_POP_IP1 \
-j icmp_packets
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_POP_IP2 \
--dport 110 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_POP_IP2 \
-j icmp_packets
# DNS server
$IPTABLES -A FORWARD -p TCP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j allowed
$IPTABLES -A FORWARD -p UDP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
--dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $DMZ_IFACE -d $DMZ_DNS_IP \
-j icmp_packets
#Netmeeting port ayarlari 1503, 1720, 1731
#1503
#$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -p TCP --dport 1503 -m state \
#--state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -p UDP --dport 1503 -m state \
#3--state NEW,ESTABLISHED,RELATED -j ACCEPT
#1720
#$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -p TCP --dport 1720 -m state \
#--state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -p UDP --dport 1720 -m state \
#--state NEW,ESTABLISHED,RELATED -j ACCEPT
#1731
#$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -p TCP --dport 1731 -m state \
#--state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -p UDP --dport 1731 -m state \
#--state NEW,ESTABLISHED,RELATED -j ACCEPT
#static nat Genel forward acik hale getiriliyor
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -p TCP -d $MEETING_IP \
--dport 1:10000 -j allowed
$IPTABLES -A FORWARD -i $INET_IFACE -o $LAN_IFACE -p UDP -d $MEETING_IP \
--dport 1:10000 -j allowed
$IPTABLES -A FORWARD -p ICMP -i $INET_IFACE -o $LAN_IFACE -d $MEETING_LOCAL_IP \
-j icmp_packets
# Log weird packets that don't match the above.
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "
# Bad TCP packets we don't want.
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
# Special OUTPUT rules to decide which IP's to allow.
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $DMZ_IP -j ACCEPT
# Log weird packets that don't match the above.
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "Kaybolan paketler: "
#nat table
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $HTTP_IP --dport 80 \
-j DNAT --to-destination $DMZ_HTTP_IP
$IPTABLES -t nat -A PREROUTING -p TCP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP
$IPTABLES -t nat -A PREROUTING -p UDP -i $INET_IFACE -d $DNS_IP --dport 53 \
-j DNAT --to-destination $DMZ_DNS_IP
#netmeting port yonlendirme
#$IPTABLES -A PREROUTING -t nat -p TCP -d $INET_IP --dport 1503 \
#-j DNAT --to $MEETING_LOCAL_IP:1503
#$IPTABLES -A PREROUTING -t nat -p UDP -d $INET_IP --dport 1503 \
#-j DNAT --to $MEETING_LOCAL_IP:1503
#$IPTABLES -A PREROUTING -t nat -p TCP -d $INET_IP --dport 1720 \
#-j DNAT --to $MEETING_LOCAL_IP:1720
#$IPTABLES -A PREROUTING -t nat -p UDP -d $INET_IP --dport 1720 \
#-j DNAT --to $MEETING_LOCAL_IP:1720
#$IPTABLES -A PREROUTING -t nat -p TCP -d $INET_IP --dport 1731 \
#-j DNAT --to $MEETING_LOCAL_IP:1731
#$IPTABLES -A PREROUTING -t nat -p UDP -d $INET_IP --dport 1731 \
#-j DNAT --to $MEETING_LOCAL_IP:1731
#genel yonlendirme ip
$IPTABLES -A PREROUTING -t nat -p TCP -d $MEETING_IP --dport 1:10000 \
-j DNAT --to $MEETING_LOCAL_IP:1-10000
$IPTABLES -A PREROUTING -t nat -p UDP -d $MEETING_IP --dport 1:10000 \
-j DNAT --to $MEETING_LOCAL_IP:1-10000
$IPTABLES -A PREROUTING -t nat -p ICMP -d $MEETING_IP \
-j DNAT --to $MEETING_LOCAL_IP
#Transparent proxy squid nat ismlemi
#ancak bu durumda calismasi zor zira http yonlendirme mevcut
#$IPTABLES -A PREROUTING -t nat -p TCP -d $LAN_IP --dport 80 \
#-j DNAT --to $DMZ_SQUID_IP:80
#$IPTABLES -A PREROUTING -t nat -p TCP -d $LAN_IP --dport 443 \
#-j DNAT --to $DMZ_SQUID_IP:443
# Enable simple IP Forwarding and Network Address Translation
#$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
$IPTABLES -t nat -A POSTROUTING -j SNAT --to-source $INET_IP
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERAD