[olug] Port Forwarding
Vincent
vraffensberger at home.com
Mon Jul 2 12:40:32 UTC 2001
#!/bin/bash
#
# firestarter: Starts iptables firewalling/ NAT
#
# chkconfig: 345 80 85
# description: Starts firewalling and NAT via iptables
#
# processname: /sbin/iptables
RETVAL=0
start() {
# Remove all ipchains and ip_tables kernel modules
echo
echo "Flushing current tables and removing kernel modules! "
echo
iptables -F
for mod in `lsmod | grep ip | cut -d" " -f1`; do
echo "Attempt #1 - Removing kernel module:" $mod
rmmod $mod
done
for mod in `lsmod | grep ip | cut -d" " -f1`; do
echo "Attempt #2 - Removing kernel module:" $mod
rmmod $mod
done
for mod in `lsmod | grep ip | cut -d" " -f1`; do
echo "Attempt #3 - Removing kernel module:" $mod
rmmod $mod
done
#echo "Remaining kernel modules: "
#lsmod
# Add ip_tables Kernel Modules: "
echo
echo "Inserting kernel modules and setting kernel parameters! "
echo
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
#modprobe iptable_filter
#modprobe iptable_mangle
#modprobe iptable_nat
#modprobe ipt_MIRROR
#modprobe ipt_limit
#modprobe ipt_LOG
#modprobe ipt_mac
#modprobe ipt_mark
#modprobe ipt_MARK
#modprobe ipt_MASQUERADE
#modprobe ipt_multiport
#modprobe ipt_owner
#modprobe ipt_REDIRECT
#modprobe ipt_REJECT
#modprobe ipt_state
#modprobe ipt_tcpmss
#modprobe ipt_TCPMSS
#modprobe ipt_tos
#modprobe ipt_TOS
#modprobe ipt_unclean
#modprobe ip_conntrack_irc
#modprobe ip_conntrack#modprobe
#modprobe ip_nat_irc#modprobe
#modprobe ip_queue
#
#echo "The following modules are now loaded: "
#lsmod
#
# no source routing
[ -e /proc/sys/net/ipv4/conf/all/accept_source_route ] && \
for i in /proc/sys/net/ipv4/conf/*/accept_source_route
do
echo 0 > $i;
done
# ignore broadcast icmp echo requests
[ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ] && \
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# ignore icmp echo requests on all interfaces
[ -e /proc/sys/net/ipv4/icmp_echo_ignore_all ] && \
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
# enable spoof protection
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
for f in /proc/sys/net/ipv4/conf/*/rp_filter
do
echo 1 > $f;
done
else
echo "ieee: no kernel spoof protection enabled".
exit 1
fi
# local port range for TCP/UDP connections
# [ -e /proc/sys/net/ipv4/ip_local_port_range ] && \
# echo -e "32768\t61000" >
/proc/sys/net/ipv4/ip_local_port_range
# log packets with impossible addresses to kernel log.
[ -e /proc/sys/net/ipv4/conf/all/log_martians ] && \
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# don't accept ICMP redirects on Internet
[ -e /proc/sys/net/ipv4/conf/$interIF/accept_redirects ] && \
echo 0 > /proc/sys/net/ipv4/conf/$interIF/accept_redirects
# no acceptance of {ICMP} redirects at all
[ -e /proc/sys/net/ipv4/conf/all/accept_redirects ] && \
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# enable IP forward
[ -e /proc/sys/net/ipv4/ip_forward ] && \
echo 1 > /proc/sys/net/ipv4/ip_forward
# enable TCP Syncookies
[ -e /proc/sys/net/ipv4/tcp_syncookies ] && \
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#
# Flush everything
echo "Flushing all IP Tables! "
iptables -F
#echo "Ramaining IP Tables: "
#iptables -L
# Default Policies are DROP
echo "Default Policies are set to DROP! "
echo
iptables -t filter -P INPUT DROP
iptables -t filter -P OUTPUT ACCEPT
iptables -t filter -P FORWARD DROP
# accept trusted interfaces and lan
echo "Trusting local interfaces and LAN! "
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -s 127.0.0.0/24 -j ACCEPT
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT
# accept related packets to connections made locally
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j
ACCEPT
# accept connections for ssh
echo "Accepting inbound SSH connections! "
iptables -A INPUT -p tcp -m multiport --destination-port 22 -j
ACCEPT
# setup the NAT rules first
echo "Establishing NAT! "
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.1.0/24 -j
SNAT --to-source 24.3.227.221
# accept related packets to connections made locally for NAT
iptables -A FORWARD -i eth0 -o eth1 -s 0.0.0.0/0 -d
192.168.1.0/24 -m state --state ESTABLISHED,RELATED -j ACCEP
T
#Allow ftp to send data back and forth.
iptables -A INPUT -p tcp ! --syn --source-port 20 --destination-port
1024:65535 -j ACCEPT
# accept trusted interface
iptables -A FORWARD -i eth1 -d 0.0.0.0/0 -j ACCEPT
# log unwanted traffic, don't flood the logfile
echo "Logging malicious traffic! "
iptables -A FORWARD -m limit --limit 5/minute --limit-burst 5 -j
LOG --log-level warning --log-prefix "NetFilter
: "
# Have some fun with the portscanners
echo "Now mirroring malicious traffic! ..hehe. "
#iptables -A INPUT -i eth0 -p tcp -j LOG -m limit --limit
1000/hour --limit-burst 1000 --log-prefix "MIRROR:"
#iptables -A INPUT -i eth0 -p tcp -j MIRROR -m limit --limit
1000/hour --limit-burst 1000
#iptables -A INPUT -i eth0 -p udp -j MIRROR -m limit --limit
1000/hour --limit-burst 1000
#iptables -A INPUT -i eth0 -p icmp -j MIRROR -m limit --limit
1000/hour --limit-burst 1000
#iptables -A INPUT -i eth0 -p tcp --tcp-option \! 2 -j MIRROR -m
limit --limit 1000/hour --limit-burst 1000
iptables -A INPUT -i eth0 -p all -j MIRROR -m limit --limit
1000/hour --limit-burst 1000
iptables -A INPUT -i eth0 -p all -j LOG -m limit --limit
1000/hour --limit-burst 1000 --log-prefix "MIRROR:"
echo
echo "Current IP kernel modules and IP tables: "
lsmod | grep ip | cut -d" " -f1
iptables -L
}
stop() {
# Remove all ipchains and ip_tables kernel modules
iptables -F
echo
echo "Removing IP kernel modules and flushing IP tables! "
echo
for mod in `lsmod | grep ip | cut -d" " -f1`; do
echo "Attempt #1 - Removing kernel module:" $mod
rmmod $mod
done
for mod in `lsmod | grep ip | cut -d" " -f1`; do
echo "Attempt #2 - Removing kernel module:" $mod
rmmod $mod
done
for mod in `lsmod | grep ip | cut -d" " -f1`; do
echo "Attempt #3 - Removing kernel module:" $mod
rmmod $mod
done
echo
echo "Remaining IP kernel modules and IP tables: "
echo
lsmod | grep ip | cut -d" " -f1
echo
iptables -L
}
# See how we were called.
case "$1" in
start)
start
;;
stop)
stop
;;
restart)
stop
start
;;
*)
echo $"Usage: $0 {start|stop}"
exit 1
esac
exit $RETVAL
----- Original Message -----
From: "LP" <linuxposse at home.com>
To: <olug at bstc.net>
Sent: Sunday, July 01, 2001 10:20 PM
Subject: Re: [olug] Port Forwarding
> If you attached a script, sorry, I don't see it.
>
> Gregg
>
> At 10:15 PM 7/1/2001 -0500, you wrote:
> >I think that manually removing/adding the modules you need will take care
of
> >this. I've attached a script which I use. Edit the addresses for your
> >setup and try it.
> >
> >
> >
> >
> >----- Original Message -----
> >From: "LP" <linuxposse at home.com>
> >To: <olug at bstc.net>
> >Sent: Sunday, July 01, 2001 9:40 PM
> >Subject: Re: [olug] Port Forwarding
> >
> >
> > > I'm still wrestling with this.
> > > I'm seeing this error:
> > >
> > > /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o:
init_module:
> > > Device or resource busy
> > > Hint: insmod errors can be caused by incorrect module parameters,
> >including
> > > invalid IO or IRQ parameters
> > > /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: insmod
> > > /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o failed
> > > /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: insmod
> > > ip_tables failed
> > > iptables v1.2.1a: can't initialize iptables table `filter': iptables
who?
> > > (do you need to insmod?)
> > > Perhaps iptables or your kernel needs to be upgraded.
> > > /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o:
init_module:
> > > Device or resource busy
> > > Hint: insmod errors can be caused by incorrect module parameters,
> >including
> > > invalid IO or IRQ parameters
> > > /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: insmod
> > > /lib/modules/
> > > 2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o failed
> > > /lib/modules/2.4.2-2/kernel/net/ipv4/netfilter/ip_tables.o: insmod
> > > ip_tables failed
> > > iptables v1.2.1a: can't initialize iptables table `nat': iptables who?
(do
> > > you need to insmod?)
> > > Perhaps iptables or your kernel needs to be upgraded.
> > >
> > > Here is the entry in my rc.local that is causing the error:
> > >
> > > echo 1 > /proc/sys/net/ipv4/ip_forward
> > > /sbin/iptables -A INPUT -p tcp -d 24.xxx.xx.x --dport 80 -j ACCEPT
> > > /sbin/iptables -t nat -A PREROUTING -p tcp \
> > > -d 24.xxx.xx.x --dport 80 \
> > > -j DNAT --to-destination 192.168.1.2I
> > >
> > > I've been playing with this for several hours and could use more input
> >please.
> > >
> > >
> > >
> > > At 05:41 PM 6/30/2001 -0500, Jon wrote:
> > >
> > > >quick and dirty nat forwarding with 2.4 and iptables
> > > >/usr/sbin/iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
> > > >/usr/sbin/iptables -t nat -A PREROUTING -p tcp -d $STATIC_IP \
> > > > --dport 1080 -j DNAT --to 192.168.1.2:80
> > > >
> > > >On Sat, Jun 30, 2001 at 03:09:51PM -0500, LP wrote:
> > > > > Im using the RH 2.4.2-2 kernal and I'm searching the web for
> >information
> > > > > on port forwarding.
> > > > >
> > > > > Any good site you would suggest?
> > > > >
> > > > > Gregg
>
---------------------------------------------------------------------
To unsubscribe, e-mail: olug-unsubscribe at bstc.net
For additional commands, e-mail: olug-help at bstc.net
More information about the OLUG
mailing list