[olug] Port Forwarding

Vincent vraffensberger at home.com
Mon Jul 2 12:40:32 UTC 2001


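#!/bin/bash
#
# firestarter:       Starts iptables firewalling/ NAT
#
# chkconfig: 345 80 85
# description: Starts firewalling and NAT via iptables
#
# processname: /sbin/iptables
#
# Runs as an init script (start|stop|restart); must be root.  The
# "chkconfig:" line is parsed by chkconfig (runlevels 3,4,5; start
# priority 80, stop priority 85) and must stay as-is.

# Exit status reported by the dispatcher at the bottom of the file.
RETVAL=0

# Site parameters.  The defaults are the values this script was posted
# with; override them in the environment (INET_IF=eth2 ./firestarter
# start) or edit them here instead of repeating literals inside rules.
INET_IF=${INET_IF:-eth0}                 # Internet-facing interface
LAN_IF=${LAN_IF:-eth1}                   # trusted LAN interface
LAN_NET=${LAN_NET:-192.168.1.0/24}       # network behind NAT
PUBLIC_IP=${PUBLIC_IP:-24.3.227.221}     # address LAN traffic is SNATed to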

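# Print the names of the loaded ipchains / ip_tables related modules, one
# per line.  Only netfilter names are matched; the original
# `lsmod | grep ip` also hit any module whose name merely contains "ip"
# (ipv6, the tulip NIC driver, ...), which would then have been rmmod'ed.
_netfilter_modules() {
        lsmod | awk '$1 ~ /^(ipchains|ip_tables|iptable_|ipt_|ip_conntrack|ip_nat|ip_queue)/ { print $1 }'
}

# Unload every module listed by _netfilter_modules, in up to three passes:
# rmmod refuses a module that another loaded module still uses, so the
# dependants (ip_conntrack_ftp -> ip_conntrack -> ip_tables) have to go first.
_unload_netfilter() {
        local pass mod
        for pass in 1 2 3; do
                # word-splitting on the module list is intended
                for mod in $(_netfilter_modules); do
                        echo "Attempt #$pass - Removing kernel module:" "$mod"
                        rmmod "$mod"
                done
        done
}

# Write VALUE to /proc/sys/KEY if the running kernel provides that sysctl;
# otherwise skip it silently, exactly as the original's `[ -e ] && echo` did.
#   $1 - sysctl path relative to /proc/sys (e.g. net/ipv4/ip_forward)
#   $2 - value to write
_set_sysctl() {
        local key=$1 value=$2
        if [ -e "/proc/sys/$key" ]; then
                echo "$value" > "/proc/sys/$key"
        fi
}

# Bring the firewall up: unload ipchains / stale netfilter modules, load
# ip_tables plus the FTP helpers, set the IPv4 hardening sysctls, then
# install a default-deny INPUT/FORWARD ruleset with SNAT for the LAN.
# Exits 1 if the kernel has no rp_filter.  Must run as root.
# NOTE: the copy of this script on the list was line-wrapped by the mailer
# ("-j" and "ACCEPT" on separate lines, "NetFilter" / ": " split in the log
# prefix); the commands below are rejoined into single lines.
start() {
        # Site parameters; same defaults as the original's literals
        # (eth0 = Internet, eth1 = LAN, 192.168.1.0/24, 24.3.227.221).
        local inet_if=${INET_IF:-eth0}
        local lan_if=${LAN_IF:-eth1}
        local lan_net=${LAN_NET:-192.168.1.0/24}
        local public_ip=${PUBLIC_IP:-24.3.227.221}
        local f

        # ipchains and ip_tables cannot both be loaded on a 2.4 kernel, so
        # start from a clean slate: empty both tables (a table holding rules
        # keeps its module busy) and unload everything netfilter.
        echo
        echo "Flushing current tables and removing kernel modules! "
        echo
        iptables -F
        iptables -t nat -F 2>/dev/null
        _unload_netfilter

        echo
        echo "Inserting kernel modules and setting kernel parameters! "
        echo
        modprobe ip_tables
        # FTP helpers: with these loaded the data connection of an FTP
        # session (active or passive) is tracked as RELATED, so the state
        # rules below admit it and NAT rewrites it.  The matches and targets
        # used below (state, limit, LOG, SNAT) are demand-loaded by iptables
        # itself, which is what the original relied on as well.
        modprobe ip_nat_ftp
        modprobe ip_conntrack_ftp

        # --- kernel network hardening ------------------------------------
        # no source-routed packets on any interface
        for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
                [ -e "$f" ] && echo 0 > "$f"
        done
        # ignore broadcast pings (smurf amplification) and, as the original
        # did, all pings to this host
        _set_sysctl net/ipv4/icmp_echo_ignore_broadcasts 1
        _set_sysctl net/ipv4/icmp_echo_ignore_all 1
        # reverse-path filtering everywhere: the kernel drops packets whose
        # source address would not be routed back out the arrival interface.
        # Refuse to run without it.
        if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
                for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
                        echo 1 > "$f"
                done
        else
                echo "ieee: no kernel spoof protection enabled". >&2
                exit 1
        fi
        # log packets with impossible (martian) source addresses
        _set_sysctl net/ipv4/conf/all/log_martians 1
        # no ICMP redirects, on the Internet side or anywhere else.  (The
        # original wrote to conf/$interIF/accept_redirects, but $interIF was
        # never set, so that per-interface write was silently skipped.)
        _set_sysctl "net/ipv4/conf/$inet_if/accept_redirects" 0
        _set_sysctl net/ipv4/conf/all/accept_redirects 0
        # route between LAN and Internet
        _set_sysctl net/ipv4/ip_forward 1
        # SYN cookies against SYN floods
        _set_sysctl net/ipv4/tcp_syncookies 1

        # --- packet filter -----------------------------------------------
        echo "Flushing all IP Tables! "
        iptables -F
        iptables -t nat -F

        # Deny by default on input and forwarding; local processes may
        # talk out freely.
        echo "Default Policies are set to DROP! "
        echo
        iptables -t filter -P INPUT DROP
        iptables -t filter -P OUTPUT ACCEPT
        iptables -t filter -P FORWARD DROP

        # Trust is granted by *interface*, never by source address alone.
        # The original also accepted -s 127.0.0.0/24 and -s 192.168.1.0/24
        # on any interface, so a packet arriving from the Internet with a
        # forged loopback or LAN source was accepted by the filter (rp_filter
        # above catches most of these, but the rules should not depend on
        # it).  Such packets are dropped explicitly instead.
        echo "Trusting local interfaces and LAN! "
        iptables -A INPUT -i lo -j ACCEPT
        iptables -A INPUT -i "$lan_if" -j ACCEPT
        iptables -A INPUT -i "$inet_if" -s 127.0.0.0/8 -j DROP
        iptables -A INPUT -i "$inet_if" -s "$lan_net" -j DROP

        # replies, and helper-tracked related connections such as FTP data,
        # for connections this host made itself
        iptables -A INPUT -i "$inet_if" -m state --state ESTABLISHED,RELATED -j ACCEPT

        # inbound SSH: connection attempts only (--syn); their follow-up
        # packets are ESTABLISHED and already accepted above
        echo "Accepting inbound SSH connections! "
        iptables -A INPUT -p tcp --dport 22 --syn -j ACCEPT

        # The original additionally accepted every non-SYN TCP packet from
        # source port 20 to ports 1024-65535 on every interface ("FTP data").
        # With ip_conntrack_ftp loaded that traffic is already RELATED, and
        # the blanket rule let anyone who picked source port 20 reach every
        # unprivileged port past the filter, so it is not carried over.

        # hide the LAN behind the public address
        echo "Establishing NAT! "
        iptables -t nat -A POSTROUTING -o "$inet_if" -s "$lan_net" -j SNAT --to-source "$public_ip"

        # forwarding: replies from the Internet back into the LAN, and
        # traffic from the LAN interface that really carries a LAN source.
        # (The original forwarded any source from eth1; a source outside
        # the LAN range does not match the SNAT rule above and would have
        # left for the Internet with its private or forged address intact.)
        iptables -A FORWARD -i "$inet_if" -o "$lan_if" -d "$lan_net" -m state --state ESTABLISHED,RELATED -j ACCEPT
        iptables -A FORWARD -i "$lan_if" -s "$lan_net" -j ACCEPT

        # log what the FORWARD policy is about to drop, rate limited so a
        # flood cannot fill the log
        echo "Logging malicious traffic! "
        iptables -A FORWARD -m limit --limit 5/minute --limit-burst 5 -j LOG --log-level warning --log-prefix "NetFilter: "

        # Unsolicited traffic on the Internet side is logged and then falls
        # through to the DROP policy.  The original bounced it back with the
        # MIRROR target ("have some fun with the portscanners").  MIRROR
        # swaps source and destination and retransmits, so a spoofed source
        # turns this box into a reflector against whoever the attacker
        # names; being a terminating target it also consumed the packet
        # before the LOG rule that followed it.  It is left out deliberately.
        echo "Logging unsolicited traffic on $inet_if! "
        iptables -A INPUT -i "$inet_if" -m limit --limit 1000/hour --limit-burst 1000 -j LOG --log-prefix "NetFilter INPUT: "
        echo

        echo "Current IP kernel modules and IP tables: "
        _netfilter_modules
        iptables -L -n      # -n: no reverse DNS lookups while listing
}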

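# Tear the firewall down completely.  The end state is the same as having
# no netfilter at all -- the host and the LAN are wide open -- so use
# "restart" to reload rules rather than "stop" and "start" by hand.
# Must run as root.
stop() {
        local pass mod

        # Policies are reset to ACCEPT *before* flushing.  The original only
        # flushed: if ip_tables could not be unloaded (still "busy"), an
        # empty filter table with INPUT/FORWARD DROP was left behind and every
        # inbound packet -- including the SSH session running this script --
        # was dropped.  Both tables are emptied, since a table that still
        # holds rules keeps its module busy.
        echo
        echo "Removing IP kernel modules and flushing IP tables! "
        echo
        iptables -P INPUT ACCEPT
        iptables -P FORWARD ACCEPT
        iptables -P OUTPUT ACCEPT
        iptables -F
        iptables -t nat -F 2>/dev/null

        # Unload in up to three passes, dependants first (rmmod refuses a
        # module that another loaded module still uses).  Only netfilter
        # module names are matched; the original `lsmod | grep ip` also
        # matched anything with "ip" in its name (ipv6, the tulip NIC
        # driver, ...).
        for pass in 1 2 3; do
                # word-splitting on the module list is intended
                for mod in $(lsmod | awk '$1 ~ /^(ipchains|ip_tables|iptable_|ipt_|ip_conntrack|ip_nat|ip_queue)/ { print $1 }'); do
                        echo "Attempt #$pass - Removing kernel module:" "$mod"
                        rmmod "$mod"
                done
        done

        echo
        echo "Remaining IP kernel modules and IP tables: "
        echo
        lsmod | awk '$1 ~ /^(ipchains|ip_tables|iptable_|ipt_|ip_conntrack|ip_nat|ip_queue)/ { print $1 }'
        echo
        iptables -L -n      # -n: no reverse DNS lookups while listing
}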

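# Dispatch on the init-style argument.  Failures inside start/stop are not
# propagated (RETVAL stays 0, as in the original); callers only see a
# non-zero exit for a bad argument, or for start()'s own exit 1 when the
# kernel lacks rp_filter.
case "$1" in
  start)
        start
        ;;
  stop)
        stop
        ;;
  restart)
        stop
        start
        ;;
  *)
        # the original usage text omitted restart although it is handled above
        echo $"Usage: $0 {start|stop|restart}" >&2
        exit 1
        ;;
esac

exit "$RETVAL"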

----- Original Message -----
From: "LP" <linuxposse at home.com>
To: <olug at bstc.net>
Sent: Sunday, July 01, 2001 10:20 PM
Subject: Re: [olug] Port Forwarding


> If you attached a script, sorry, I don't see it.
>
> Gregg
>
> At 10:15 PM 7/1/2001 -0500, you wrote:
> >I think that manually unloading the ipchains module(s) and then loading the
> >ip_tables modules you need will take care of this -- on a 2.4 kernel the
> >ipchains and ip_tables modules cannot both be loaded, which is usually what
> >the "init_module: Device or resource busy" error means.  I've attached a
> >script which I use.  Edit the addresses for your setup and try it.
> >
> >
> >
> >
> >----- Original Message -----
> >From: "LP" <linuxposse at home.com>
> >To: <olug at bstc.net>
> >Sent: Sunday, July 01, 2001 9:40 PM
> >Subject: Re: [olug] Port Forwarding
> >
> >
> > > I'm still wrestling with this.
> > > I'm seeing this error:
> > >
> > > /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o:
init_module:
> > > Device or resource busy
> > > Hint: insmod errors can be caused by incorrect module parameters,
> >including
> > > invalid IO or IRQ parameters
> > > /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: insmod
> > > /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o failed
> > > /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: insmod
> > > ip_tables failed
> > > iptables v1.2.1a: can't initialize iptables table `filter': iptables
who?
> > > (do you need to insmod?)
> > > Perhaps iptables or your kernel needs to be upgraded.
> > > /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o:
init_module:
> > > Device or resource busy
> > > Hint: insmod errors can be caused by incorrect module parameters,
> >including
> > > invalid IO or IRQ parameters
> > > /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: insmod
> > > /lib/modules/
> > > 2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o failed
> > > /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: insmod
> > > ip_tables failed
> > > iptables v1.2.1a: can't initialize iptables table `nat': iptables who?
(do
> > > you need to insmod?)
> > > Perhaps iptables or your kernel needs to be upgraded.
> > >
> > > Here is the entry in my rc.local that is causing the error:
> > >
> > > echo 1 > /proc/sys/net/ipv4/ip_forward
> > > /sbin/iptables -A INPUT -p tcp -d 24.xxx.xx.x --dport 80 -j ACCEPT
> > > /sbin/iptables -t nat -A PREROUTING -p tcp \
> > >          -d 24.xxx.xx.x --dport 80 \
> > >          -j DNAT --to-destination 192.168.1.2I
> > >
> > > I've been playing with this for several hours and could use more input
> >please.
> > >
> > >
> > >
> > > At 05:41 PM 6/30/2001 -0500, Jon wrote:
> > >
> > > >quick and dirty nat forwarding with 2.4 and iptables
> > > >/usr/sbin/iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
> > > >/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d $STATIC_IP \
> > > >     --dport 1080 -j DNAT --to 192.168.1.2:80
> > > >
> > > >On Sat, Jun 30, 2001 at 03:09:51PM -0500, LP wrote:
> > > > > I'm using the RH 2.4.2-2 kernel and I'm searching the web for
> > > > > information on port forwarding.
> > > > >
> > > > > Any good site you would suggest?
> > > > >
> > > > > Gregg
>

