[ale] iptables
Dean
dean777 at bellsouth.net
Thu Jan 10 13:39:00 EST 2002
<span style='font-size:10.0pt;
font-family:Arial'>Hello,
<span style='font-size:10.0pt;
font-family:Arial'>Â
<span style='font-size:10.0pt;
font-family:Arial'>Iâm trying to set up NAT for a network I have.<span
style='mso-spacerun:yes'>Â I have 7 servers configured with fictitious
IP addresses and Iâm using NAT on the firewall in order to access these
servers using public addresses via the internet. For instance I would like to
SSH to the servers from the internet using the public addresses. I have
attached the script that I have built ⦠it has worked on another network
environment but for some reason it is not currently working on this
environment. Can someone take a look at the script when you get a chance?
<span style='font-size:10.0pt;
font-family:Arial'>Â
<span style='font-size:10.0pt;
font-family:Arial'>Thanks⦠Dean
<span style='font-size:10.0pt;
font-family:Arial'>Â
<span style='font-size:10.0pt;
font-family:Arial'>Â
#
# this script is stored in a file called "build-firewall"
# execute this script from /etc/rc.d/rc.local, i.e.,
# place the command "/root/build-firewall" near the end of rc.local # note: the user must enable iptables #
# build the private to public nat table #
/sbin/iptables -t nat -A POSTROUTING -s 10.100.15.1 -o eth0 -j SNAT --to 66.35. 144.111
/sbin/iptables -t nat -A POSTROUTING -s 10.100.15.2 -o eth0 -j SNAT --to 66.35. 144.112
/sbin/iptables -t nat -A POSTROUTING -s 10.106.15.3 -o eth0 -j SNAT --to 66.35. 144.113
/sbin/iptables -t nat -A POSTROUTING -s 10.100.15.4 -o eth0 -j SNAT --to 66.35. 144.114
/sbin/iptables -t nat -A POSTROUTING -s 10.100.15.5 -o eth0 -j SNAT --to 66.35. 144.115
/sbin/iptables -t nat -A POSTROUTING -s 10.100.15.6 -o eth0 -j SNAT --to 66.35. 144.116
/sbin/iptables -t nat -A POSTROUTING -s 10.100.15.13 -o eth0 -j SNAT --to 66.35. 144.117
/sbin/iptables -t nat -A POSTROUTING -s 10.100.15.14 -o eth0 -j SNAT --to 66.35. 144.118
# # build the public to private nat table #
/sbin/iptables -t nat -A PREROUTING -d 66.35.144.111 -i eth0 -j DNAT --to 10.100 .15.1
/sbin/iptables -t nat -A PREROUTING -d 66.35.144.112 -i eth0 -j DNAT --to 10.100 .15.2
/sbin/iptables -t nat -A PREROUTING -d 66.35.144.113 -i eth0 -j DNAT --to 10.100 .15.3
/sbin/iptables -t nat -A PREROUTING -d 66.35.144.114 -i eth0 -j DNAT --to 10.100 .15.4
/sbin/iptables -t nat -A PREROUTING -d 66.35.144.115 -i eth0 -j DNAT --to 10.100 .15.5
/sbin/iptables -t nat -A PREROUTING -d 66.35.144.116 -i eth0 -j DNAT --to 10.100 .15.6
/sbin/iptables -t nat -A PREROUTING -d 66.35.144.117 -i eth0 -j DNAT --to 10.100 .15.13
/sbin/iptables -t nat -A PREROUTING -d 66.35.144.118 -i eth0 -j DNAT --to 10.100 .15.14
# # build the pinholes for allowing certain protocols through the firewall
# # forward ssh through the firewall
/sbin/iptables -A FORWARD -s 0/0 -p tcp --dport 22:22 -j ACCEPT
/sbin/iptables -A FORWARD -s 0/0 -p tcp --sport 22:22 -j ACCEPT
#
# forward ftp through the firewall
/sbin/iptables -A FORWARD -s 0/0 -p tcp --dsport 21:21 -j ACCEPT
/sbin/iptables -A FORWARD -s 0/0 -p tcp --sport 21:21 -j ACCEPT
#
#
/sbin/iptables -A FORWARD -s 0/0 -p tcp --dport 23:23 -j ACCEPT
/sbin/iptables -A FORWARD -s 0/0 -p tcp --sport 23:23 -j ACCEPT
#
# forward http through the firewall
/sbin/iptables -A FORWARD -s 0/0 -p tcp --dport 80:80 -j ACCEPT
/sbin/iptables -A FORWARD -s 0/0 -p tcp --sport 80:80 -j ACCEPT
#
# forward ntp through the firewall
/sbin/iptables -A FORWARD -s 0/0 -p tcp --dport 123:123 -j ACCEPT
/sbin/iptables -A FORWARD -s 0/0 -p tcp --sport 123:123 -j ACCEPT
#
# forward backup ssh through the firewall
/sbin/iptables -A FORWARD -s 0/0 -p tcp --dport 222:222 -j ACCEPT
/sbin/iptables -A FORWARD -s 0/0 -p tcp --sport 222:222 -j ACCEPT
#
# forward network genomics through the firewall
/sbin/iptables -A FORWARD -s 0/0 -p tcp --dport 3200:3201 -j ACCEPT
/sbin/iptables -A FORWARD -s 0/0 -p tcp --sport 3200:3201 -j ACCEPT
# # forward vnc through the firewall
/sbin/iptables -A FORWARD -s 0/0 -p tcp --dport 5900:5900 -j ACCEPT
/sbin/iptables -A FORWARD -s 0/0 -p tcp --sport 5900:5900 -j ACCEPT
# # establish pinholes on the firewall for remote management
# # accept ssh on the firewall
/sbin/iptables -A INPUT -s 0/0 -p tcp --dport 22:22 -j ACCEPT
/sbin/iptables -A INPUT -s 0/0 -p tcp --sport 22:22 -j ACCEPT
#
/sbin/iptables -A INPUT -s 0/0 -p tcp --dport 23:23 -j ACCEPT
/sbin/iptables -A INPUT -s 0/0 -p tcp --sport 23:23 -j ACCEPT
#
# accept backup ssh on the firewall
/sbin/iptables -A INPUT -s 0/0 -p tcp --dport 222:222 -j ACCEPT
/sbin/iptables -A INPUT -s 0/0 -p tcp --sport 222:222 -j ACCEPT
#
# accept ftp on the firewall
/sbin/iptables -A INPUT -s 0/0 -p tcp --dport 21:21 -j ACCEPT
/sbin/iptables -A INPUT -s 0/0 -p tcp --sport 21:21 -j ACCEPT
#
# stop all the other tcp traffic
#
/sbin/iptables -A FORWARD -s 0/0 -p tcp -j DROP
/sbin/iptables -A INPUT -s 0/0 -p tcp -j DROP
#
#use ip aliasing to make the public interface of the firewall
#respond to arps for the public ip addresses of the private computers
#
#
/sbin/ip address add 66.35.144.111 dev eth0
/sbin/ip address add 66.35.144.112 dev eth0
/sbin/ip address add 66.35.144.113 dev eth0
/sbin/ip address add 66.35.144.114 dev eth0
/sbin/ip address add 66.35.144.115 dev eth0
/sbin/ip address add 66.35.144.116 dev eth0
/sbin/ip address add 66.35.144.117 dev eth0
/sbin/ip address add 66.35.144.118 dev eth0
#
#
# enable ip packet forwarding
#
echo 1 > /proc/sys/net/ip4/ip_forward
#
#
---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be
sent to listmaster at ale dot org.
More information about the Ale
mailing list