snat und dnat auf einem Host
Sven Broeckling
sven at broeckling.de
Tue Apr 15 14:51:02 CEST 2003
Hello Pierre, hello Volker,
> Well, iptables is a tool that so far I only know under Linux.
> And since he uses iptables to NAT, it's a Linux problem as well.
That was my view too....
@Volker:
That was indeed the problem: the return path simply didn't work in that case.
Now the whole thing works. Many thanks.
@Pierre:
I'll post the relevant rules as well, maybe you can still do something with them.
Regards
Sven
-------------- next part --------------
#!/bin/bash
# ---------------------------------------------------------------------
# kernel modules used
# ---------------------------------------------------------------------
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe iptable_nat
modprobe ipt_LOG
#modprobe ipt_MASQUERADE
# iptables binary and stuff
IPTABLES="/sbin/iptables" # iptables control program
# ---------------------------------------------------------------------
# interfaces, hosts and networks
# ---------------------------------------------------------------------
# interfaces
INT_IF="eth1" # internal interface
EXT_IF="eth0" # external interface
# networks
ANY="0.0.0.0/0" # any network (e.g. "internet")
INTRA_NET="192.168.0.0/14" # internal network (note: /14 reaches beyond the private 192.168.0.0/16 block)
OFF_NET="195.133.193.0/26" # official network
# hosts
IME=192.168.0.5 # my internal ip
OME=195.133.193.2 # my official ip
CISCO=195.133.193.1 # the cisco router
IWWW=192.168.0.20 # internal address for paladin
OWWW=195.133.193.3 # official address for paladin
IWEBH=192.168.0.41 # internal address for paladin
OWEBH=195.133.193.5 # official address for paladin
IPROX=192.168.0.34 # internal address for prox
OPROX=195.133.193.6 # official address for prox
$IPTABLES -F # flush tables
$IPTABLES -F -t nat
$IPTABLES -X # remove user tables
$IPTABLES -Z # clear packet/byte counters
# ---------------------------------------------------------------------
# ---------------------------------------------------------------------
# the kernel config stuff
# ---------------------------------------------------------------------
# ---------------------------------------------------------------------
# Enable response to ping.
/bin/echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Enable response to broadcasts.
/bin/echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Don't accept source routed packets.
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable ICMP redirect acceptance.
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
/bin/echo "0" > ${interface}
done
# Enable bad error message protection.
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Turn on reverse path filtering. This helps make sure that packets use
# legitimate source addresses, by automatically rejecting incoming packets
# if the routing table entry for their source address doesn't match the network
# interface they're arriving on. This has security advantages because it prevents
# so-called IP spoofing, however it can pose problems if you use asymmetric routing
# (packets from you to a host take a different path than packets from that host to you)
# or if you operate a non-routing host which has several IP addresses on different
# interfaces. (Note - If you turn on IP forwarding, you will also get this).
### pasted from sns.ias.edu
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
/bin/echo "1" > ${interface}
done
# Log spoofed packets, source routed packets, redirect packets.
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
# finally, make sure that we forward
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
# ---------------------------------------------------------------------
# ---------------------------------------------------------------------
# the rules...
# ---------------------------------------------------------------------
# ---------------------------------------------------------------------
# ---------------------------------------------------------------------
# block and log every new connection from outside
# ---------------------------------------------------------------------
$IPTABLES -N block
$IPTABLES -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A block -m state --state NEW -i ! $EXT_IF -j ACCEPT
$IPTABLES -A block -p icmp -j ACCEPT
$IPTABLES -A block -j LOG --log-level 1 --log-prefix "blocked (final rule): "
$IPTABLES -A block -j DROP
# ---------------------------------------------------------------------
# Check nmap xmas tree scan
# ---------------------------------------------------------------------
$IPTABLES -N checknmap
$IPTABLES -A checknmap -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 6 --log-prefix "blocked (NMAP): "
$IPTABLES -A checknmap -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# ---------------------------------------------------------------------
# intercept runaway smb/nmb connections
# ---------------------------------------------------------------------
$IPTABLES -N smbblock
#$IPTABLES -A smbblock -p tcp --dport 137:139 -i $INT_IF -j LOG --log-level 1 --log-prefix "got ya bill (smb tcp): "
#$IPTABLES -A smbblock -p udp --dport 137:139 -i $INT_IF -j LOG --log-level 1 --log-prefix "got ya bill (smb udp): "
$IPTABLES -A smbblock -p tcp --dport 137:139 -i $INT_IF -j DROP
$IPTABLES -A smbblock -p udp --dport 137:139 -i $INT_IF -j DROP
# ---------------------------------------------------------------------
# accept forwarding connections
# ---------------------------------------------------------------------
$IPTABLES -N acceptfw
$IPTABLES -A acceptfw -i $EXT_IF -d $IWWW -j ACCEPT
$IPTABLES -A acceptfw -i $EXT_IF -d $IWEBH -j ACCEPT
$IPTABLES -A acceptfw -i $EXT_IF -d $IPROX -j ACCEPT
# ---------------------------------------------------------------------
# connections to me
# ---------------------------------------------------------------------
$IPTABLES -P INPUT DROP
$IPTABLES -A INPUT -i lo -j ACCEPT # accept everything at iface lo
$IPTABLES -A INPUT -j checknmap # check for nmap xmas tree scan
$IPTABLES -A INPUT -j smbblock # don't let smb packets flee
$IPTABLES -A INPUT -j block # jump to final block chain
# ---------------------------------------------------------------------
# forwarding connections
# ---------------------------------------------------------------------
$IPTABLES -P FORWARD DROP
$IPTABLES -A FORWARD -j smbblock # don't let smb packets flee
$IPTABLES -A FORWARD -j acceptfw # accept forwarding connections
$IPTABLES -A FORWARD -j block # jump to final blocking chain
# ---------------------------------------------------------------------
# postrouting masquerading (snat)
# ---------------------------------------------------------------------
#$IPTABLES -A POSTROUTING -t nat -s $INTRA_NET -d $ANY -j MASQUERADE
# note: the nat table applies the first matching rule, so this catch-all also
# covers the hosts that get their own per-host SNAT rule further below
$IPTABLES -A POSTROUTING -t nat -o $EXT_IF -s $INTRA_NET -j SNAT --to $OME
#$IPTABLES -A POSTROUTING -t nat -o $INT_IF -s ! $INTRA_NET -j SNAT --to $IME
$IPTABLES -A PREROUTING -t nat -i $EXT_IF -p tcp --dport 80 -d $OWWW -s ! $INTRA_NET -j DNAT --to $IWWW
$IPTABLES -A PREROUTING -t nat -i $EXT_IF -p tcp --dport 25 -d $OWWW -s ! $INTRA_NET -j DNAT --to $IWWW
$IPTABLES -A PREROUTING -t nat -i $EXT_IF -p tcp --dport 110 -d $OWWW -s ! $INTRA_NET -j DNAT --to $IWWW
$IPTABLES -A PREROUTING -t nat -i $EXT_IF -p tcp --dport 21 -d $OWWW -s ! $INTRA_NET -j DNAT --to $IWWW
$IPTABLES -A PREROUTING -t nat -i $EXT_IF -p tcp --dport 2401 -d $OWWW -s ! $INTRA_NET -j DNAT --to $IWWW
$IPTABLES -A PREROUTING -t nat -i $EXT_IF -p tcp --dport 80 -d $OWEBH -s ! $INTRA_NET -j DNAT --to $IWEBH
$IPTABLES -A PREROUTING -t nat -i $EXT_IF -p tcp --dport 80 -d $OPROX -s ! $INTRA_NET -j DNAT --to $IPROX
$IPTABLES -A PREROUTING -t nat -i $EXT_IF -p tcp --dport 22 -d $OPROX -s ! $INTRA_NET -j DNAT --to $IPROX
$IPTABLES -A PREROUTING -t nat -i $EXT_IF -p tcp --dport 2716 -d $OPROX -s ! $INTRA_NET -j DNAT --to $IPROX
$IPTABLES -A POSTROUTING -t nat -o $EXT_IF -s $IWWW -j SNAT --to $OWWW
$IPTABLES -A POSTROUTING -t nat -o $EXT_IF -s $IWEBH -j SNAT --to $OWEBH
$IPTABLES -A POSTROUTING -t nat -o $EXT_IF -s $IPROX -j SNAT --to $OPROX
# ---------------------------------------------------------------------
# outgoing connections
# ---------------------------------------------------------------------
$IPTABLES -P OUTPUT ACCEPT
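As an added example (not part of Sven's script), a small Python check over a ruleset of the shape posted above: for every DNAT target it verifies that the FORWARD path accepts the host, that an SNAT rule gives the host's own outbound connections the official address its DNAT listens on, and that no broader SNAT rule earlier in POSTROUTING shadows that per-host rule (the nat table applies the first matching rule). It assumes the `$VARIABLES` have already been expanded to addresses and interface names; the sample rules are constructed from the page's addresses.

```python
import ipaddress
import re

# Constructed sample in the posted script's form (variables expanded), with two deliberate
# faults: 192.168.0.41 has no acceptfw rule, and the per-host SNAT for 192.168.0.34 sits
# behind the catch-all SNAT, which matches first.
SAMPLE_RULES = """
iptables -A acceptfw -i eth0 -d 192.168.0.20 -j ACCEPT
iptables -A acceptfw -i eth0 -d 192.168.0.34 -j ACCEPT
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -d 195.133.193.3 -s ! 192.168.0.0/14 -j DNAT --to 192.168.0.20
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 80 -d 195.133.193.5 -s ! 192.168.0.0/14 -j DNAT --to 192.168.0.41
iptables -A PREROUTING -t nat -i eth0 -p tcp --dport 22 -d 195.133.193.6 -s ! 192.168.0.0/14 -j DNAT --to 192.168.0.34
iptables -A POSTROUTING -t nat -o eth0 -s 192.168.0.20 -j SNAT --to 195.133.193.3
iptables -A POSTROUTING -t nat -o eth0 -s 192.168.0.0/14 -j SNAT --to 195.133.193.2
iptables -A POSTROUTING -t nat -o eth0 -s 192.168.0.34 -j SNAT --to 195.133.193.6
"""
DNAT_RE = re.compile(r"-A PREROUTING .*?-d (\S+) .*?-j DNAT --to (\S+)")
SNAT_RE = re.compile(r"-A POSTROUTING .*?-s (\S+) .*?-j SNAT --to (\S+)")
FWD_RE = re.compile(r"-A acceptfw .*?-d (\S+) .*?-j ACCEPT")

def parse_rules(text):
    """dnat: internal -> official addrs; snat: (network, official) in rule order; fwd: accepted hosts."""
    dnat, snat, fwd = {}, [], set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if m := DNAT_RE.search(line):
            dnat.setdefault(m.group(2), set()).add(m.group(1))
        elif m := SNAT_RE.search(line):
            snat.append((ipaddress.ip_network(m.group(1), strict=False), m.group(2)))
        elif m := FWD_RE.search(line):
            fwd.add(m.group(1))
    return dnat, snat, fwd

def audit_nat(text):
    """Return (internal host, issue code, detail) for every DNAT target that is not fully wired up."""
    dnat, snat, fwd = parse_rules(text)
    findings = []
    for internal, officials in sorted(dnat.items()):
        if internal not in fwd:
            findings.append((internal, "no-forward-accept", "FORWARD policy DROP will eat the DNATed packets"))
        ip = ipaddress.ip_address(internal)
        hits = [(net, to) for net, to in snat if ip in net]  # nat table: first matching rule wins
        if not hits:
            findings.append((internal, "no-snat", "its own outbound connections keep the private source"))
        elif hits[0][1] not in officials and any(to in officials for _, to in hits[1:]):
            findings.append((internal, "snat-shadowed", f"{hits[0][0]} rule precedes the host's own SNAT"))
        elif hits[0][1] not in officials:
            findings.append((internal, "snat-mismatch", f"leaves as {hits[0][1]}, DNAT uses {sorted(officials)}"))
    return findings
```

Replies to a DNATed connection are un-NATed by conntrack regardless of these SNAT rules; the SNAT pairing only decides which official address the internal host shows when it opens connections itself.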