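#!/bin/bash
# 20070330 iptables-router hse@ukr.net
# Distributed under the terms of the GNU General Public License v2 or later
#
# Router between a DMZ and the Internet, with two interfaces.
#
# !!!!!!!!!!!!!!!
# needs iptables-lo
# !!!!!!!!!!!!!!!
# The user-defined chains this script jumps to (TCPRules, BadTcp, BadGuy,
# GoodGuy) are not created here; presumably iptables-lo creates them -- verify.
# If they are missing, every rule that references them fails to load while the
# DROP policies below are already in place.
#
# Example iptables script for a router.
# usage: /etc/ppp/iptables-router <dev1> <dev2> <action>
#   <action> is "start" or "stop"
#   <dev*>   is the interface name: "ppp0" for ppp, "eth0" for eth0, ...
#
# NOTE(review): only IPv4 (/sbin/iptables) is configured. If IPv6 is enabled on
# either interface, nothing in this script filters it (no ip6tables rules).

# 0 ******************* VARIABLE setup *****************************
# Before running this script, set up the configuration of your network here:
ifconfig='/sbin/ifconfig'
iptables='/sbin/iptables'
modprobe='/sbin/modprobe'
# Where the addresses seen at "start" are persisted, so that "stop" can delete
# exactly the rules that were added even after a ppp link has gone away.
confdir='/etc/iptables'

# Check parameters
if [[ "$3" != 'start' && "$3" != 'stop' ]]
then
  echo 'Usage: iptables-router <device1> <device2> <action>
Example:
  iptables-router eth0 eth1 start
  iptables-router eth0 eth1 stop' >&2
  exit 1
fi

# The interface names become path components under ${confdir} and iptables
# arguments, so accept only plain Linux interface names (at most 15 characters,
# no '/', no whitespace, not "." or "..").
for dev in "$1" "$2"
do
  if [[ ! "${dev}" =~ ^[A-Za-z0-9_.:-]{1,15}$ || "${dev}" == '.' || "${dev}" == '..' ]]
  then
    echo "Bad interface name: '${dev}'" >&2
    exit 1
  fi
  # Network interfaces are listed in /sys/class/net, not /dev (the original
  # looked under /dev and had its exit disabled). On "stop" only warn: a ppp
  # link may already be down and the persisted configuration is used instead.
  if [[ ! -e "/sys/class/net/${dev}" ]]
  then
    echo "Device ${dev} does not exist!!!" >&2
    if [[ "$3" == 'start' ]]
    then
      exit 1
    fi
  fi
done

# "start" appends rules (-A), "stop" deletes them (-D).
# actionchain would create/delete user chains; kept for compatibility, the
# chains themselves come from iptables-lo.
if [[ "$3" == 'start' ]]
then
  action='-A'
  actionchain='-N'
else
  action='-D'
  actionchain='-X'
fi

# Before running this script, set up the configuration of your network here:
# begin

# Interface setup
InetInterface="$1"
InetDevice='eth0'
LocalInterface="$2"
LocalDevice='eth1'

# Loopback
LoopInterface='lo'
LoopIP='127.0.0.0/8'

# Print one ':'-separated field of the net-tools ifconfig line of interface $1
# that matches pattern $2: field 2 of 'inet addr' is the address, field 3 of
# ' Bcast:' the broadcast, field 4 of 'inet addr' the netmask. Assumes the old
# net-tools layout ("inet addr:A  Bcast:B  Mask:C"); any other layout yields an
# empty string, which is rejected below.
iface_field() {
  LANG="POSIX" LC_ALL="" "${ifconfig}" "$1" \
    | grep -- "$2" \
    | awk -F: -v f="$3" '{ print $f }' \
    | awk '{ print $1 }'
}

# Persist the addresses of interface $1 ($2 host, $3 broadcast, $4 netmask).
save_iface_conf() {
  mkdir -p "${confdir}/$1" || exit 1
  echo "$2" > "${confdir}/$1/HostIP"
  echo "$3" > "${confdir}/$1/BroadcastIP"
  echo "$4" > "${confdir}/$1/NetMask"
}

# Read one persisted value ($2 = HostIP, BroadcastIP or NetMask) of interface $1.
load_iface_conf() {
  cat "${confdir}/$1/$2"
}

# Figure out the current IP configuration. On "start" read it from the live
# interfaces and persist it; on "stop" use the persisted copy so that the rules
# deleted are exactly the ones that were added (the ppp link may be gone).
if [[ "$3" == 'start' ]]
then
  InetHostIP=$(iface_field "${InetInterface}" 'inet addr' 2)
  InetBroadcastIP=$(iface_field "${InetInterface}" ' Bcast:' 3)
  InetNetMask=$(iface_field "${InetInterface}" 'inet addr' 4)
  save_iface_conf "${InetInterface}" "${InetHostIP}" "${InetBroadcastIP}" "${InetNetMask}"

  LocalHostIP=$(iface_field "${LocalInterface}" 'inet addr' 2)
  LocalBroadcastIP=$(iface_field "${LocalInterface}" ' Bcast:' 3)
  LocalNetMask=$(iface_field "${LocalInterface}" 'inet addr' 4)
  save_iface_conf "${LocalInterface}" "${LocalHostIP}" "${LocalBroadcastIP}" "${LocalNetMask}"
else
  InetHostIP=$(load_iface_conf "${InetInterface}" HostIP)
  InetBroadcastIP=$(load_iface_conf "${InetInterface}" BroadcastIP)
  InetNetMask=$(load_iface_conf "${InetInterface}" NetMask)
  LocalHostIP=$(load_iface_conf "${LocalInterface}" HostIP)
  LocalBroadcastIP=$(load_iface_conf "${LocalInterface}" BroadcastIP)
  LocalNetMask=$(load_iface_conf "${LocalInterface}" NetMask)
fi

# Refuse to go on with empty addresses: the DROP policies are set below and
# every rule built from an empty ${InetHostIP} / ${LocalNet} fails to load,
# leaving the host locked out with a half-built rule set.
for v in InetHostIP InetNetMask LocalHostIP LocalNetMask
do
  if [[ -z "${!v}" ]]
  then
    echo "Cannot determine ${v} (check ${ifconfig} output or ${confdir})" >&2
    exit 1
  fi
done

InetNet="${InetHostIP}/${InetNetMask}"
LocalNet="${LocalHostIP}/${LocalNetMask}"
#SpoofingHostIP="10.0.0.10"

# ISP Servers setup
# DHCP can be: "server", "client" or "static"
DHCP='static'
# If DHCP='client' you must set DHCP_SERVER:
DHCP_SERVER='10.0.0.10'
#ns_1='10.0.0.10'
#TimeServer='10.0.0.10'
#POP_Server='10.0.0.10'
#IMAP_Server='10.0.0.10'
#SMTP_Server='10.0.0.10'
monitoring_Server='10.0.0.10'

# Local Servers setup (DNAT targets of the published services)
DNS_Servers="10.0.0.1"
WWW_Servers="10.0.0.5"
FTP_Servers="10.0.0.5"

# Check for some kernel modules
#
# Needed to initially load modules
#
#/sbin/depmod -a
#
# Required modules
#${modprobe} ip_tables
#${modprobe} ip_conntrack
#${modprobe} iptable_filter
#${modprobe} iptable_mangle
#${modprobe} iptable_nat
#${modprobe} ipt_LOG
#${modprobe} ipt_limit
#${modprobe} ipt_state
#${modprobe} ipt_owner
#${modprobe} ipt_REJECT
#${modprobe} ipt_MASQUERADE
#${modprobe} ip_conntrack_ftp
#${modprobe} ip_conntrack_irc
#${modprobe} ip_nat_ftp
#${modprobe} ip_nat_irc

# Required proc configuration
# NOTE: none of this is applied by the script. Forwarding must be enabled
# elsewhere (sysctl) or the FORWARD/NAT rules below are inert, and with
# rp_filter off the anti-spoofing rules below are the only source check.
# Enable forwarding
#echo 1 > /proc/sys/net/ipv4/ip_forward
# No IP spoofing
#if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]
# then
#  for i in /proc/sys/net/ipv4/conf/*/rp_filter
#  do
#   echo 1 > $i
#  done
#fi
# Disable source-routed packets
#for i in /proc/sys/net/ipv4/conf/*/accept_source_route
# do
#  echo 0 > $i
# done
#echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo 0 > /proc/sys/net/ipv4/ip_dynaddr

echo "
Machine type: ${MACHTYPE}
hostname: ${HOSTNAME}.${DOMAINNAME}
InetInterface=${InetInterface}
InetHostIP=${InetHostIP}
InetBroadcastIP=${InetBroadcastIP}
InetNetMask=${InetNetMask}
LocalInterface=${LocalInterface}
LocalHostIP=${LocalHostIP}
LocalBroadcastIP=${LocalBroadcastIP}
LocalNetMask=${LocalNetMask}"
# end

# Feel free to change the following firewall rules to suit your needs.

# I ******************* FILTERING TABLE rules ****************************

# (0) Policies (default)
# NOTE: these are applied on "stop" as well, so after "stop" (rules deleted,
# policies still DROP) the host passes no traffic at all, loopback included.
${iptables} -t filter -P INPUT DROP
${iptables} -t filter -P OUTPUT DROP
${iptables} -t filter -P FORWARD DROP

# (1) User-defined chains for ACCEPTed TCP packets
# from Internet
#${iptables} ${action} TCPRules -p TCP --syn -j ACCEPT
#${iptables} ${action} TCPRules -p TCP -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Logging incorrect packets:
#${iptables} ${action} TCPRules -p TCP -m limit --limit 5/m -j LOG --log-prefix "iptables TCP INPUT " --log-tcp-options --log-ip-options
# Ban every IP that tries to access anything else
#${iptables} ${action} TCPRules -p TCP ! -s ${LocalNet} -m recent --name TmpBan --set -j DROP

# (2) INPUT chain rules

# Attempt to detect TCP and UDP port scans from the Internet.
# Bad Guy list, we will remember them :-)
# The lists can be managed by hand through the recent-match proc interface
# (/proc/net/ipt_recent/<name> on old kernels, /proc/net/xt_recent/<name> on
# newer ones):
#   echo xx.xx.xx.xx  > /proc/net/xt_recent/BadGuy    # add
#   echo -xx.xx.xx.xx > /proc/net/xt_recent/BadGuy    # remove
#   echo clear        > /proc/net/xt_recent/BadGuy    # flush
# Forever: a source already on the BadGuy list is dropped on sight.
${iptables} ${action} INPUT -i ${InetInterface} -m recent --name BadGuy --rcheck -j DROP
# Cache bad guy: a TCP probe from outside to one of these ports puts the source
# on the BadGuy list.
${iptables} ${action} INPUT -p TCP -i ${InetInterface} ! -s ${LocalNet} -d ${InetHostIP} -m multiport --dport 23,79,135,139,311,389,445,464,513,548,554,587,1025,1026 -m recent --name BadGuy --set -j DROP
# Temporary ban list (TmpBan): a source lands on it when one of its packets
# reached the end of the INPUT, FORWARD or nat PREROUTING chain unmatched.
# Seen within the last 30 seconds: drop and refresh the entry.
${iptables} ${action} INPUT -i ${InetInterface} -m recent --name TmpBan --update --seconds 30 -j DROP
# Seen 7 times within 600 seconds: that is enough, hand over to chain BadGuy.
# NOTE(review): BadGuy and GoodGuy are jump targets here (chains), distinct
# from the recent lists of the same name; this script does not create them
# (see the iptables-lo note in the header) -- verify they exist.
${iptables} ${action} INPUT -i ${InetInterface} ! -s ${LocalNet} -m recent --name TmpBan --rcheck --seconds 600 --hitcount 7 -j BadGuy
# Seen only once within 3600 seconds: probably harmless, chain GoodGuy.
${iptables} ${action} INPUT -i ${InetInterface} -m recent --name TmpBan --rcheck --seconds 3600 --hitcount 1 -j GoodGuy
# Same TTL as the packet that created the entry: the same host hammering us. DoS!
${iptables} ${action} INPUT -i ${InetInterface} -m recent --name TmpBan --update --rttl -j DROP

# Bad TCP packets we don't want (chain BadTcp comes from iptables-lo).
${iptables} ${action} INPUT -p TCP -j BadTcp

# Rules for incoming packets from the local computer: they all arrive on lo.
${iptables} ${action} INPUT -m conntrack -p ALL -i ${LoopInterface} -d ${LocalHostIP} --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} INPUT -m conntrack -p ALL -i ${LoopInterface} -d ${InetHostIP} --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Loopback-to-loopback (127.0.0.1 <-> 127.0.0.1) too: the two rules above only
# cover the interface addresses, so without this every service bound to
# 127.0.0.1 is unreachable under the INPUT DROP policy.
${iptables} ${action} INPUT -p ALL -i ${LoopInterface} -s ${LoopIP} -d ${LoopIP} -j ACCEPT

# Anti-spoofing: a packet arriving on a physical interface with one of our own
# addresses, or a loopback address, as source is forged -- locally generated
# traffic to the host never re-enters through eth/ppp, it uses lo. (The
# original ACCEPTed exactly these as "packets from local computer", which let
# anyone forge our own address to bypass every rule below.)
for src in ${LocalHostIP} ${InetHostIP} ${LoopIP}
do
  for dev in ${LocalInterface} ${InetInterface}
  do
    ${iptables} ${action} INPUT -i ${dev} -s ${src} -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "iptables spoof INPUT "
    ${iptables} ${action} INPUT -i ${dev} -s ${src} -j DROP
  done
done

# Rules for broadcast. ppp links have no broadcast address, hence the tests
# (the original conditions were garbled; a non-empty check is the evident intent).
if [[ -n "${LocalBroadcastIP}" ]]
then
  # In Microsoft networks you will be swamped by broadcasts. These lines keep
  # them out of the logs.
  ${iptables} ${action} INPUT -p UDP -i ${LocalInterface} -d ${LocalBroadcastIP} --dport 135:139 -j DROP
  ${iptables} ${action} INPUT -p ALL -i ${LocalInterface} -d ${LocalBroadcastIP} -j ACCEPT
fi
if [[ -n "${InetBroadcastIP}" ]]
then
  # Same on the Internet side. NOTE(review): this accepts every other
  # broadcast arriving from outside; DROP it if you do not need any.
  ${iptables} ${action} INPUT -p UDP -i ${InetInterface} -d ${InetBroadcastIP} --dport 135:139 -j DROP
  ${iptables} ${action} INPUT -p ALL -i ${InetInterface} -d ${InetBroadcastIP} -j ACCEPT
fi

# Rules for multicast
# If you have a Microsoft network on the outside of your firewall, you may also
# get flooded by multicasts. Drop them so they do not flood the logs.
${iptables} ${action} INPUT -i ${LocalInterface} -d 224.0.0.0/8 -j DROP
${iptables} ${action} INPUT -i ${InetInterface} -d 224.0.0.0/8 -j DROP

# Cache bad guy (UDP probes)
${iptables} ${action} INPUT -p UDP -i ${InetInterface} ! -s ${LocalNet} -d ${InetHostIP} -m multiport --dport 23,79,135,139,445,1025,1026 -m recent --name BadGuy --set -j DROP

# Packets of established connections
# Rules for incoming packets from the LAN
${iptables} ${action} INPUT -m conntrack -p ALL -i ${LocalInterface} -s ${LocalNet} --ctstate ESTABLISHED,RELATED -j ACCEPT
# Rules for incoming packets from the Internet
${iptables} ${action} INPUT -m conntrack -p ALL -i ${InetInterface} -d ${InetHostIP} --ctstate ESTABLISHED,RELATED -j ACCEPT

# TCP rules
# Internet: services are redirected to the DMZ (see the nat table)
### FTP 21 # SSH 22 # MTA 25 # DNS 53 # HTTP 80 HTTPS 443
#${iptables} ${action} INPUT -p TCP -i ${InetInterface} -d ${InetHostIP} -m multiport --dport 20,21,22,25,53,80,443 -j TCPRules
# Local:
### TFTP 69,1758 # NFS 111,2049 # CUPS 631 # SWAT 901 # rndc 953 # squid 3128 # mysql 3306 # distccd 3632 # privoxy 8118 # tor 9050
${iptables} ${action} INPUT -p TCP -i ${LocalInterface} -s ${LocalNet} -d ${LocalHostIP} -m multiport --dport 22,3128,8118,9050 -j TCPRules
# for monitoring
${iptables} ${action} INPUT -p TCP -i ${LocalInterface} -s ${monitoring_Server} -d ${LocalHostIP} -m multiport --dport 9045,9046,9047,9048,9049 -j TCPRules
# Logging access to other TCP ports
${iptables} ${action} INPUT -p TCP -i ${LocalInterface} -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "iptables tcp? INPUT" --log-tcp-options --log-ip-options
${iptables} ${action} INPUT -p TCP -i ${InetInterface} -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "iptables tcp? INPUT" --log-tcp-options --log-ip-options

# UDP rules
# Internet: services are redirected to the DMZ (see the nat table)
### DNS 53
#${iptables} ${action} INPUT -p UDP -i ${LocalInterface} -d ${LocalHostIP} -m multiport --dport domain -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
### incoming from: # DNS 53 # NTP 123 # multimedia appl 2074,4000
#${iptables} ${action} INPUT -p UDP -i ${LocalInterface} -d ${LocalHostIP} -m multiport --sport 53,123,2074,4000 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
### DHCP
case "${DHCP}" in
  'server')
    # For a DHCP server on this host
    ${iptables} ${action} INPUT -p UDP -i ${LocalInterface} --dport 67 --sport 68 -j ACCEPT
    ;;
  'client')
    # DHCP answers from ${DHCP_SERVER}.
    # NOTE(review): the original comment speaks of DHCP over the Internet but
    # the rule matches ${LocalInterface}; confirm which side the server is on.
    ${iptables} ${action} INPUT -p UDP -i ${LocalInterface} -s ${DHCP_SERVER} --sport 67 --dport 68 -j ACCEPT
    ;;
  'static')
    # DHCP requests from other hosts would swamp the logs; drop them unlogged.
    ${iptables} ${action} INPUT -p UDP -i ${LocalInterface} -d 255.255.255.255 --dport 67:68 -j DROP
    ;;
esac
# Local:
### TFTP 69,1758 # NFS 111,2049 # NTP 123 # multimedia appl 2074,4000
${iptables} ${action} INPUT -p UDP -i ${LocalInterface} -s ${LocalNet} -d ${LocalHostIP} -m multiport --dport 123 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Logging access to other UDP ports
${iptables} ${action} INPUT -p UDP -i ${LocalInterface} -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "iptables udp? INPUT " --log-ip-options
${iptables} ${action} INPUT -p UDP -i ${InetInterface} -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "iptables udp? INPUT " --log-ip-options

# ICMP rules
# echo request (ping)
${iptables} ${action} INPUT -p ICMP -i ${LocalInterface} -s ${LocalNet} -d ${LocalHostIP} --icmp-type 8 -j ACCEPT
${iptables} ${action} INPUT -p ICMP -i ${InetInterface} -d ${InetHostIP} --icmp-type 8 -j ACCEPT
# time exceeded (traceroute)
${iptables} ${action} INPUT -p ICMP -i ${LocalInterface} -s ${LocalNet} -d ${LocalHostIP} --icmp-type 11 -j ACCEPT
${iptables} ${action} INPUT -p ICMP -i ${InetInterface} -d ${InetHostIP} --icmp-type 11 -j ACCEPT
# Other ICMP errors for our own connections arrive as RELATED and are accepted
# by the established-connection rules above.
# Logging other ICMP
${iptables} ${action} INPUT -p ICMP -i ${LocalInterface} -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "iptables icmp? INPUT "
${iptables} ${action} INPUT -p ICMP -i ${InetInterface} -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "iptables icmp? INPUT "

# Ban every IP that tries to access anything else
${iptables} ${action} INPUT -i ${InetInterface} ! -s ${LocalNet} -m recent --name TmpBan --set -j DROP

# (3) FORWARD chain rules

# Bad TCP packets we don't want.
${iptables} ${action} FORWARD -p TCP -j BadTcp
# LAN/DMZ side: may open new connections outward (SNATed in POSTROUTING); the
# chain works in both directions.
${iptables} ${action} FORWARD -m conntrack -p ALL -i ${LocalInterface} --ctstate NEW,ESTABLISHED,RELATED,SNAT,DNAT -j ACCEPT
# Internet side: replies to existing connections, plus only those new
# connections that nat PREROUTING DNATed to a published DMZ service. (The
# original also accepted NEW here, which let any routed packet from the
# Internet into the LAN as long as the nat table let it pass.)
${iptables} ${action} FORWARD -m conntrack -p ALL -i ${InetInterface} --ctstate ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} FORWARD -m conntrack -p ALL -i ${InetInterface} --ctstate DNAT -j ACCEPT
# Logging incorrect FORWARD
${iptables} ${action} FORWARD -i ${LocalInterface} -m limit --limit 5/m --limit-burst 3 -j LOG --log-prefix "iptables FORWARD" --log-tcp-options --log-ip-options
${iptables} ${action} FORWARD -i ${InetInterface} -m limit --limit 5/m --limit-burst 3 -j LOG --log-prefix "iptables FORWARD" --log-tcp-options --log-ip-options
# Ban every IP that tries to access anything else
${iptables} ${action} FORWARD -i ${InetInterface} -m recent --name TmpBan --set -j DROP

# (4) OUTPUT chain rules

# Bad TCP packets we don't want.
${iptables} ${action} OUTPUT -p TCP -j BadTcp
# Only output packets from local addresses, no spoofing
${iptables} ${action} OUTPUT -p ALL -o ${LoopInterface} -s ${LocalHostIP} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} OUTPUT -p ALL -o ${LoopInterface} -s ${InetHostIP} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Loopback-to-loopback (127.0.0.1 <-> 127.0.0.1), see the matching INPUT rule.
${iptables} ${action} OUTPUT -p ALL -o ${LoopInterface} -s ${LoopIP} -d ${LoopIP} -j ACCEPT
# Only output packets from known owners!!! Better done in SELinux...
# (kernel-generated packets have no owner and need their own rules, see below)
${iptables} ${action} OUTPUT -p ALL -o ${LocalInterface} -s ${LocalHostIP} -m owner --uid-owner tor -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} OUTPUT -p ALL -o ${LocalInterface} -s ${LocalHostIP} -m owner --uid-owner privoxy -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} OUTPUT -p ALL -o ${LocalInterface} -s ${LocalHostIP} -m owner --uid-owner squid -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
#${iptables} ${action} OUTPUT -p ALL -o ${LocalInterface} -s ${LocalHostIP} -m owner --cmd-owner /usr/bin/wget -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} OUTPUT -p TCP -o ${LocalInterface} -s ${LocalHostIP} -d ${LocalNet} --sport 22 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): the monitoring ports 9045-9049 accepted in INPUT have no
# matching OUTPUT rule unless the daemons run as one of the uids above.
${iptables} ${action} OUTPUT -p UDP -o ${LocalInterface} -s ${LocalHostIP} --dport 53 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} OUTPUT -p ALL -o ${InetInterface} -s ${InetHostIP} -m owner --uid-owner tor -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} OUTPUT -p ALL -o ${InetInterface} -s ${InetHostIP} -m owner --uid-owner privoxy -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} OUTPUT -p ALL -o ${InetInterface} -s ${InetHostIP} -m owner --uid-owner squid -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
#${iptables} ${action} OUTPUT -p ALL -o ${InetInterface} -s ${LocalHostIP} -d 0/0 -m owner --cmd-owner /usr/bin/wget -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} OUTPUT -p UDP -o ${InetInterface} -s ${InetHostIP} --dport 53 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# ICMP replies and errors are generated by the kernel and carry no owner, so
# the uid rules never match them; without these the echo requests accepted in
# INPUT got no reply under the OUTPUT DROP policy.
${iptables} ${action} OUTPUT -p ICMP -o ${LocalInterface} -s ${LocalHostIP} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${iptables} ${action} OUTPUT -p ICMP -o ${InetInterface} -s ${InetHostIP} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Output packets from all local applications
#${iptables} ${action} OUTPUT -p ALL -o ${LocalInterface} -s ${LocalHostIP} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# for spoofing edit the next line
#${iptables} ${action} OUTPUT -p ALL -o ${LocalInterface} -s ${SpoofingHostIP} -j ACCEPT
# Logging incorrect OUTPUT
${iptables} ${action} OUTPUT -o ${LocalInterface} -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "iptables OUTPUT " --log-tcp-options --log-ip-options
${iptables} ${action} OUTPUT -o ${InetInterface} -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "iptables OUTPUT " --log-tcp-options --log-ip-options
# Ban every IP that tries to access anything else
# NOTE(review): recent --set records the packet's *source* by default
# (--rsource), i.e. our own address for outgoing packets; --rdest would be
# needed to record the peer -- confirm the intent.
${iptables} ${action} OUTPUT -o ${InetInterface} -m recent --name TmpBan --set -j DROP

# (1 Delete) User-defined chains

# II ***************** MANGLE TABLE rules *****************************

# (0) Policies (default)
${iptables} -t mangle -P PREROUTING ACCEPT
${iptables} -t mangle -P INPUT ACCEPT
${iptables} -t mangle -P FORWARD ACCEPT
${iptables} -t mangle -P OUTPUT ACCEPT
${iptables} -t mangle -P POSTROUTING ACCEPT

# (1) Mangle USER-defined chain rules
# (2) Mangle PREROUTING chain rules
# Rules for incoming packets from the local computer
# Rules for incoming packets from the Internet
# (3) Mangle INPUT chain rules
# (4) Mangle FORWARD chain rules
# (5) Mangle OUTPUT chain rules
# (6) Mangle POSTROUTING chain rules
# If you have problems with your PPPoE connection, such as large mails not
# getting through while small mails get through properly etc., you may enable
# this, which may fix the problem by clamping (resizing) all routed packets to
# the PMTU (Path Maximum Transmit Unit).
# Note that it is better to set this up in the PPPoE package itself, since the
# PPPoE configuration option will give less overhead.
# TCPMSS is a mangle/filter target, not a nat one, and the variable is ${iptables}:
#${iptables} -t mangle ${action} POSTROUTING -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# III ***************** NAT TABLE rules *******************************

# (0) Policies (default)
# NOTE: the nat table only sees the first packet of each connection, and
# support for a non-ACCEPT policy on a nat chain varies between iptables
# builds -- verify on yours. Real filtering happens in the filter table above;
# the DROP here is a second line of defence only.
${iptables} -t nat -P OUTPUT ACCEPT
${iptables} -t nat -P PREROUTING DROP
${iptables} -t nat -P POSTROUTING ACCEPT

# (1) NAT USER-defined chain rules

# (2) PREROUTING chain rules: REDIRECTION and PORTMAPPING

# Packets claiming one of our own addresses, or a loopback address, as source
# on a physical interface are forged (the host's own traffic never re-enters
# through eth/ppp; it uses lo). The original ACCEPTed them here as "packets
# from local computer"; drop them before the DNAT rules so they are neither
# port-mapped nor passed on to the filter table.
for src in ${LoopIP} ${LocalHostIP} ${InetHostIP}
do
  ${iptables} -t nat ${action} PREROUTING -i ${LocalInterface} -s ${src} -j DROP
  ${iptables} -t nat ${action} PREROUTING -i ${InetInterface} -s ${src} -j DROP
done

# Packets from the INTERNET
# DNAT - map the published services to internal LAN/DMZ addresses
${iptables} -t nat ${action} PREROUTING -p TCP -i ${InetInterface} -d ${InetHostIP} -m multiport --dport 20,21 -j DNAT --to-destination ${FTP_Servers}
# NOTE(review): only UDP/53 is mapped; DNS over TCP (large answers, zone
# transfers) is not forwarded to ${DNS_Servers} -- add a TCP rule if needed.
${iptables} -t nat ${action} PREROUTING -p UDP -i ${InetInterface} -d ${InetHostIP} --dport 53 -j DNAT --to-destination ${DNS_Servers}
${iptables} -t nat ${action} PREROUTING -p TCP -i ${InetInterface} -d ${InetHostIP} -m multiport --dport 80,443 -j DNAT --to-destination ${WWW_Servers}
# Mapping to an external address using socks5
# Redirection to a different port on this server (you must edit /etc/services or other config)
#${iptables} -t nat ${action} PREROUTING -p TCP -s ${LocalNet} -d ${LocalHostIP} --destination-port 22 -j REDIRECT --to-ports 2222

# Rules for incoming packets from the local computer (lo only)
${iptables} -t nat ${action} PREROUTING -p ALL -i ${LoopInterface} -s ${LocalHostIP} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
${iptables} -t nat ${action} PREROUTING -p ALL -i ${LoopInterface} -s ${InetHostIP} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Loopback-to-loopback, see the matching INPUT/OUTPUT rules.
${iptables} -t nat ${action} PREROUTING -p ALL -i ${LoopInterface} -s ${LoopIP} -d ${LoopIP} -j ACCEPT
# Rules for broadcast:
${iptables} -t nat ${action} PREROUTING -p ALL -i ${LocalInterface} -d ${LocalBroadcastIP} -j ACCEPT
#${iptables} -t nat ${action} PREROUTING -p ALL -i ${InetInterface} -d ${InetBroadcastIP} -j ACCEPT
# Rules for incoming packets from the LAN
${iptables} -t nat ${action} PREROUTING -p ALL -i ${LocalInterface} -s ${LocalNet} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Rules for incoming packets from the Internet
${iptables} -t nat ${action} PREROUTING -p ALL -i ${InetInterface} -d ${InetHostIP} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# Packets on the LAN side addressed into the LAN
${iptables} -t nat ${action} PREROUTING -p ALL -i ${LocalInterface} -d ${LocalNet} -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
# for spoofing edit the next line
#${iptables} -t nat ${action} PREROUTING -p ALL -s ${SpoofingHostIP} -j ACCEPT
# Logging incorrect access
${iptables} -t nat ${action} PREROUTING -p ALL -i ${LocalInterface} -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "iptables nat PREROUTING" --log-tcp-options --log-ip-options
${iptables} -t nat ${action} PREROUTING -p ALL -i ${InetInterface} -m limit --limit 5/m --limit-burst 5 -j LOG --log-prefix "iptables nat PREROUTING" --log-tcp-options --log-ip-options
# Ban every IP that tries to access anything else
${iptables} -t nat ${action} PREROUTING -i ${InetInterface} ! -s ${LocalNet} -m recent --name TmpBan --set -j DROP

# (3) OUTPUT chain rules
# Only output packets from local addresses, no spoofing
# for spoofing edit the next line

# (4) POSTROUTING chain rules: NAT or MASQUERADE
# Network address translation (NAT or MASQUERADE)
#${iptables} -t nat ${action} POSTROUTING -o ${InetInterface} -j MASQUERADE
# NOTE(review): no -s restriction, so everything forwarded out of
# ${InetInterface} is SNATed, not only ${LocalNet}; add "-s ${LocalNet}" if
# no other networks are routed through this host.
${iptables} -t nat ${action} POSTROUTING -o ${InetInterface} -j SNAT --to-source ${InetHostIP}

# IV ***************** RAW TABLE rules *******************************

# (0) Policies (default)
#${iptables} -t raw -P PREROUTING ACCEPT
#${iptables} -t raw -P OUTPUT ACCEPT
# (1) Raw USER-defined chain rules
# (2) Raw PREROUTING chain rules
# Rules for incoming packets from the local computer
# Rules for incoming packets from the Internet
# (3) Raw OUTPUT chain rules

exit 0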