nat
Sponsored Links
Sponsored Links
Secleted [ 0 ] software to compare
Results 1 - 15 of about 120
NAT Check 1
Check Your Network Address Translator for Compatibility with Peer-to-Peer Protocols. more>>
Check Your Network Address Translator for Compatibility with Peer-to-Peer Protocols.
If you are accessing the Internet from behind a Network Address Translator (NAT) of some kind, I would appreciate your help in surveying the behavior of different NATs, in terms of how and whether they support a certain technique for enabling peer-to-peer communication between NATted hosts (particularly when both endpoints are behind NATs). Down, you can understand what NAT is.
Suppose there are three communicating hosts: A, B, and C. Host A is a "well-known" Internet server with a permanent IP address, which acts as an "introducer" for the other two nodes. (For example, Host A might be a well-known ultrapeer or a game catalog server of some kind.) Host B, using Host As "introduction" services, would like to establish a direct peer-to-peer connection with host C. Both B and C, however, are behind (probably different) network address/port translators, and neither of them has exclusive use of any public IP address.
To initiate a peer-to-peer connection with host C, host B first sends A a message requesting an "introduction" to host C. A sends B a reply message containing Cs IP address and UDP port number as reported by host C, in addition to Cs IP address and UDP port number as observed by A. (If C is behind a NAT, then these two address/port combinations will be different.) At the same time, host A sends host C a message containing Bs IP address and UDP port numbers - again, both the ones reported by B and the ones observed by A, which will be different if B is behind a NAT.
Now B and C each know that they want to initiate a connection with each other, and they know each others public (NATted) as well as original IP addresses and UDP port numbers. Both B and C now start attempting to send UDP messages directly to each other, at each of the available addresses. If B and C happen to be behind the same NAT, then they will be able to communicate with each other directly using their "originally reported" IP addresses and UDP port numbers.
In the more common case where B and C are behind different NATs, the "originally reported" addresses will be useless because they will both be private IP addresses in different addressing domains. Instead, the IP address/UDP port combinations observed by A can be used in this case to establish direct communication. Although Bs NAT will initially filter out any UDP packets arriving from Cs public (NATted) UDP port directed at Bs public port, the first UDP message B sends to C will cause Bs NAT to open up a new UDP session keyed on Cs public port, allowing future incoming traffic from C to pass through the NAT to B. Similarly, the first few messages from B to C may be filtered out by Cs NAT, but will be able to start passing through the firewall as soon as Cs first message to B causes Cs NAT to open up a new session. In this way, each NAT is tricked into thinking that its respective internal host is the "initiator" of this new session, when in fact the session is fully symmetrical and was initiated (with As help) simultaneously in each direction.
Required NAT Behavior
There is one important requirement that the NATs must satisfy in order for this technique to work: the NATs must be designed so that they assign only one (public IP address, public UDP port) pair to each (internal IP address, internal UDP port) combination, rather than allocating and assigning a new public UDP port for each new UDP session. Recall that a "session" in Internet terminology is defined by the IP addresses and port numbers of both communicating endpoints, so host Bs communication with host A is considered to be one session while host Bs communication with host C is a different session. If Bs NAT, for example, assigns one public UDP port for Bs communication with A, and then assigns B a different public UDP port for the new session B tries to open up with C, then the above technique for peer-to-peer communication will not work because Cs messages to B will be directed to the wrong UDP port.
RFC 3022 explicitly allows and suggests that NATs behave in the former, "desirable" fashion, by maintaining a single (public IP, public port) mapping for a given (internal IP, internal port) combination independent of the number of active sessions involving this mapping. This behavior is not only good for compatibility with UDP applications, but it also helps to conserve the NATs scarce pool of public port numbers. Maintaining a consistent public port mapping does not adversely affect security in any way, either, because incoming traffic can still be filtered on a per-session basis regardless of how addresses are translated. There in fact appears to be no good reason not to implement the desirable behavior in a NAT, except perhaps for the implementation simplicity of naively allocating a new public port for every new session. Unfortunately, RFC 3022 does not require NATs to implement the desirable behavior, which has led me to wonder just how many real NATs actually do, and hence this page.
What NAT Check Does
The program natcheck.c is basically just a program that "pings" a well-known UDP port at two different servers that are publically accessible on the Internet. Both of these servers run the program natserver.c, with the command-line arguments "1" and "2" respectively. In addition, there a third "conspiring" server runs natserver with the command-line argument "3". Whenever each of the first two servers receives a UDP request, it not only sends a reply directly to the sender of that request, but also sends a message to the third server, which in turn "bounces" the reply back to the original client. The effect is that the client will receive not only solicited "ping" replies from the server the request was directed to, but also "unsolicited" replies from the third server.
To determine if the network address translator in use is implementing the desirable behavior of maintaining a single (public IP address, public port) mapping for a given (client IP address, client port), the client program natcheck.c basically just initiates a sequence of simultaneous pings to the first two servers (in case some of the requests or replies are lost in transit) and checks that the clients address and UDP port as reported by both servers is the same. If the NAT naively allocates a new public port for each new session, then the source port as reported by the two servers will be different, and its time to upgrade your NAT.
The replies echoed from the third server are used only to check whether the NAT properly filters out unsolicited incoming traffic on a per-session basis. Since the client never sends any messages to the third server, if the NAT is properly implementing firewall functionality, the client should never see the third servers echoed replies even after opening up active communication sessions with the first two servers.
Enhancements:
- The NAT Check client no longer attempts to guess whether you have Basic NAT or Network Address/Port Translation (NAPT). It turns to be quite difficult to test for this property reliably, because many NAPTs attempt to bind a private UDP port to a public port with the same port number if that port number is available, causing NAT Check to falsely report Basic NAT. The only way to test for this property reliably would be to run NAT Check on at least two client machines simultaneously, and since this property isnt terribly important to P2P apps its just not worth the trouble.
- The NAT Check client now tests for one additional NAT feature, which I call loopback translation. If a NAT supports loopback translation, it means that a host on the private network behind the NAT can communicate with other hosts on the same private network using public (translated) port bindings assigned by the NAT. Most NATs probably do not support this feature yet, but it may become increasingly important in the future where P2P clients may be located behind a common ISP-deployed NAT as well as individual home NATs. More details on loopback translation will appear in the next version of my Internet-Draft, to be released soon.
- The NAT Check client program now has a command-line option, "-v", which turns on verbose messages during the test.
<<lessIf you are accessing the Internet from behind a Network Address Translator (NAT) of some kind, I would appreciate your help in surveying the behavior of different NATs, in terms of how and whether they support a certain technique for enabling peer-to-peer communication between NATted hosts (particularly when both endpoints are behind NATs). Down, you can understand what NAT is.
Suppose there are three communicating hosts: A, B, and C. Host A is a "well-known" Internet server with a permanent IP address, which acts as an "introducer" for the other two nodes. (For example, Host A might be a well-known ultrapeer or a game catalog server of some kind.) Host B, using Host As "introduction" services, would like to establish a direct peer-to-peer connection with host C. Both B and C, however, are behind (probably different) network address/port translators, and neither of them has exclusive use of any public IP address.
To initiate a peer-to-peer connection with host C, host B first sends A a message requesting an "introduction" to host C. A sends B a reply message containing Cs IP address and UDP port number as reported by host C, in addition to Cs IP address and UDP port number as observed by A. (If C is behind a NAT, then these two address/port combinations will be different.) At the same time, host A sends host C a message containing Bs IP address and UDP port numbers - again, both the ones reported by B and the ones observed by A, which will be different if B is behind a NAT.
Now B and C each know that they want to initiate a connection with each other, and they know each others public (NATted) as well as original IP addresses and UDP port numbers. Both B and C now start attempting to send UDP messages directly to each other, at each of the available addresses. If B and C happen to be behind the same NAT, then they will be able to communicate with each other directly using their "originally reported" IP addresses and UDP port numbers.
In the more common case where B and C are behind different NATs, the "originally reported" addresses will be useless because they will both be private IP addresses in different addressing domains. Instead, the IP address/UDP port combinations observed by A can be used in this case to establish direct communication. Although Bs NAT will initially filter out any UDP packets arriving from Cs public (NATted) UDP port directed at Bs public port, the first UDP message B sends to C will cause Bs NAT to open up a new UDP session keyed on Cs public port, allowing future incoming traffic from C to pass through the NAT to B. Similarly, the first few messages from B to C may be filtered out by Cs NAT, but will be able to start passing through the firewall as soon as Cs first message to B causes Cs NAT to open up a new session. In this way, each NAT is tricked into thinking that its respective internal host is the "initiator" of this new session, when in fact the session is fully symmetrical and was initiated (with As help) simultaneously in each direction.
Required NAT Behavior
There is one important requirement that the NATs must satisfy in order for this technique to work: the NATs must be designed so that they assign only one (public IP address, public UDP port) pair to each (internal IP address, internal UDP port) combination, rather than allocating and assigning a new public UDP port for each new UDP session. Recall that a "session" in Internet terminology is defined by the IP addresses and port numbers of both communicating endpoints, so host Bs communication with host A is considered to be one session while host Bs communication with host C is a different session. If Bs NAT, for example, assigns one public UDP port for Bs communication with A, and then assigns B a different public UDP port for the new session B tries to open up with C, then the above technique for peer-to-peer communication will not work because Cs messages to B will be directed to the wrong UDP port.
RFC 3022 explicitly allows and suggests that NATs behave in the former, "desirable" fashion, by maintaining a single (public IP, public port) mapping for a given (internal IP, internal port) combination independent of the number of active sessions involving this mapping. This behavior is not only good for compatibility with UDP applications, but it also helps to conserve the NATs scarce pool of public port numbers. Maintaining a consistent public port mapping does not adversely affect security in any way, either, because incoming traffic can still be filtered on a per-session basis regardless of how addresses are translated. There in fact appears to be no good reason not to implement the desirable behavior in a NAT, except perhaps for the implementation simplicity of naively allocating a new public port for every new session. Unfortunately, RFC 3022 does not require NATs to implement the desirable behavior, which has led me to wonder just how many real NATs actually do, and hence this page.
What NAT Check Does
The program natcheck.c is basically just a program that "pings" a well-known UDP port at two different servers that are publically accessible on the Internet. Both of these servers run the program natserver.c, with the command-line arguments "1" and "2" respectively. In addition, there a third "conspiring" server runs natserver with the command-line argument "3". Whenever each of the first two servers receives a UDP request, it not only sends a reply directly to the sender of that request, but also sends a message to the third server, which in turn "bounces" the reply back to the original client. The effect is that the client will receive not only solicited "ping" replies from the server the request was directed to, but also "unsolicited" replies from the third server.
To determine if the network address translator in use is implementing the desirable behavior of maintaining a single (public IP address, public port) mapping for a given (client IP address, client port), the client program natcheck.c basically just initiates a sequence of simultaneous pings to the first two servers (in case some of the requests or replies are lost in transit) and checks that the clients address and UDP port as reported by both servers is the same. If the NAT naively allocates a new public port for each new session, then the source port as reported by the two servers will be different, and its time to upgrade your NAT.
The replies echoed from the third server are used only to check whether the NAT properly filters out unsolicited incoming traffic on a per-session basis. Since the client never sends any messages to the third server, if the NAT is properly implementing firewall functionality, the client should never see the third servers echoed replies even after opening up active communication sessions with the first two servers.
Enhancements:
- The NAT Check client no longer attempts to guess whether you have Basic NAT or Network Address/Port Translation (NAPT). It turns to be quite difficult to test for this property reliably, because many NAPTs attempt to bind a private UDP port to a public port with the same port number if that port number is available, causing NAT Check to falsely report Basic NAT. The only way to test for this property reliably would be to run NAT Check on at least two client machines simultaneously, and since this property isnt terribly important to P2P apps its just not worth the trouble.
- The NAT Check client now tests for one additional NAT feature, which I call loopback translation. If a NAT supports loopback translation, it means that a host on the private network behind the NAT can communicate with other hosts on the same private network using public (translated) port bindings assigned by the NAT. Most NATs probably do not support this feature yet, but it may become increasingly important in the future where P2P clients may be located behind a common ISP-deployed NAT as well as individual home NATs. More details on loopback translation will appear in the next version of my Internet-Draft, to be released soon.
- The NAT Check client program now has a command-line option, "-v", which turns on verbose messages during the test.
Added: 2006-06-21 License: GPL (GNU General Public License) Price:
737 downloads
Fair NAT 0.80
Fair NAT is a script for configuring NAT on dedicated Linux routers. more>>
Fair NAT is a script for configuring NAT on dedicated Linux routers. This is the home of my linux router shaper script which allows something like fair bandwidth sharing among clients in the local network. The script is not great or anything - please dont expect the holy grail here - I just thought Id publish it because many people helped me write it and maybe someone has some use for it. I bet there are still lots of things that can be improved. Sorry about the crappy design of this page, I dont have time to put more effort in better looks.
You have a certain number of Clients (User A - User N) in your LAN which are connected by a Switch (or a Hub or BNC) to the Linux Router which is supposed to act as a gateway to the internet. The trouble now is, User B has a lot of downloads running and User C uploads stuff day and night, which leaves User A who only wants to use an interactive SSH shell in the rain, since B and C already use up all bandwidth the internet connection offers.
What we need to do is to share available bandwidth fairly among clients. In order to achieve this, I first tried several searches at Google and Freshmeat. This turned up quite a lot of results, like the Linux Advanced Routing & Traffic Control HOWTO which is a must-read and also contains great scripts, like the Wondershaper for single users. Another great general purpose script I found was HTB.init, which doesnt do anything by default, but gives you an easy way to setup HTB queues. In case you prefer CBQ, theres a CBQ.init too. If you dont know what Im talking about, read the HOWTO above or continue reading here.
Since I never found a script that did exactly what I wanted, I decided to write my own. Its designed to be an all-I-need script, therefore it does not just setup Traffic Shaping, but Masquerading and Port Forwarding too. In short, it does everything that has to do with IPTables and Traffic Control. I use HTB (Hierarchical Token Bucket) to share bandwidth among clients (one class per client). On top of that I added a PRIO queue to prioritize interactive traffic on a per-user basis. On top of PRIO I set SFQ to treat connections fairly. In version 0.72, experimental support for IPP2P to recognize peer-to-peer traffic was added.
This is the simplified scheme for routing:
HTB class (for bandwidth sharing)
|
-- PRIO (for prioritizing interactive traffic)
|
--- Interactive: SFQ (to treat concurrent connections fairly)
--- Normal: SFQ
--- High-Traffic: SFQ
[ --- P2P: SFQ (if IPP2P support is enabled only) ]
I bet this can still be improved and Im always interested in ways to do so. In case you want another class structure, this can be done by replacing the parent_class and user_class functions in the script. See CLASS_MODE in Configuration section and the function documentation in the script for details. Feel free to send me your own functions with a short explanation, if you want me to make them available for everybody.
Heres a "real" graphic, which shows the complete qdisc/class structure on $DEV_LAN if you use the unmodified example configuration file. This graphic was created using a hacked version of Stef Coenes show.pl script and GraphViz. Click here to see it, but I warn you: its quite big. Heres a similar picture, which includes IPP2P support. Note that there are more filter rules (the blue arrows) now which put the filesharing traffic into the users prio band 4.
Main features:
- This is a variable with a space-separated list of features that should be enabled. Default is all enabled if you dont set this variable.
- PROC:
- Allow Fair NAT to change some system variables in /proc, like setting /proc/sys/net/ipv4/ip_forward to 1.
- MODULES:
- Try to load kernel modules for QoS first.
- RESET:
- Fair NAT will replace all existing iptables rules with a very basic (empty) configuration. Not healthy for firewalls. You can disable this feature to keep the original rules in place. See Firewall Support below.
- NAT:
- Allow Fair NAT to configure NAT. You could disable this if you prefer to set this up yourself / let your firewall do it.
- FORWARD:
- Allow Fair NAT to configure Port Forwarding. Same as NAT, you can disable this if you dont need it.
- QOS_DOWN:
- Shape download traffic. If you know a little bit about traffic shaping and believe that download shaping is completely useless, feel free to disable this.
- QOS_UP:
- Shaping upload traffic can be disabled also. If you disable this and QOS_DOWN also, you could use Fair NAT for setting up NAT and Port Forwarding only, although thats not really the purpose of the script ;-)
- TOS:
- Allow Fair NAT to modify the TOS (type-of-service) field of packets. Right now, Fair NAT relies on this TOS field for shaping, so using this feature is highly recommended.
<<lessYou have a certain number of Clients (User A - User N) in your LAN which are connected by a Switch (or a Hub or BNC) to the Linux Router which is supposed to act as a gateway to the internet. The trouble now is, User B has a lot of downloads running and User C uploads stuff day and night, which leaves User A who only wants to use an interactive SSH shell in the rain, since B and C already use up all bandwidth the internet connection offers.
What we need to do is to share available bandwidth fairly among clients. In order to achieve this, I first tried several searches at Google and Freshmeat. This turned up quite a lot of results, like the Linux Advanced Routing & Traffic Control HOWTO which is a must-read and also contains great scripts, like the Wondershaper for single users. Another great general purpose script I found was HTB.init, which doesnt do anything by default, but gives you an easy way to setup HTB queues. In case you prefer CBQ, theres a CBQ.init too. If you dont know what Im talking about, read the HOWTO above or continue reading here.
Since I never found a script that did exactly what I wanted, I decided to write my own. Its designed to be an all-I-need script, therefore it does not just setup Traffic Shaping, but Masquerading and Port Forwarding too. In short, it does everything that has to do with IPTables and Traffic Control. I use HTB (Hierarchical Token Bucket) to share bandwidth among clients (one class per client). On top of that I added a PRIO queue to prioritize interactive traffic on a per-user basis. On top of PRIO I set SFQ to treat connections fairly. In version 0.72, experimental support for IPP2P to recognize peer-to-peer traffic was added.
This is the simplified scheme for routing:
HTB class (for bandwidth sharing)
|
-- PRIO (for prioritizing interactive traffic)
|
--- Interactive: SFQ (to treat concurrent connections fairly)
--- Normal: SFQ
--- High-Traffic: SFQ
[ --- P2P: SFQ (if IPP2P support is enabled only) ]
I bet this can still be improved and Im always interested in ways to do so. In case you want another class structure, this can be done by replacing the parent_class and user_class functions in the script. See CLASS_MODE in Configuration section and the function documentation in the script for details. Feel free to send me your own functions with a short explanation, if you want me to make them available for everybody.
Heres a "real" graphic, which shows the complete qdisc/class structure on $DEV_LAN if you use the unmodified example configuration file. This graphic was created using a hacked version of Stef Coenes show.pl script and GraphViz. Click here to see it, but I warn you: its quite big. Heres a similar picture, which includes IPP2P support. Note that there are more filter rules (the blue arrows) now which put the filesharing traffic into the users prio band 4.
Main features:
- This is a variable with a space-separated list of features that should be enabled. Default is all enabled if you dont set this variable.
- PROC:
- Allow Fair NAT to change some system variables in /proc, like setting /proc/sys/net/ipv4/ip_forward to 1.
- MODULES:
- Try to load kernel modules for QoS first.
- RESET:
- Fair NAT will replace all existing iptables rules with a very basic (empty) configuration. Not healthy for firewalls. You can disable this feature to keep the original rules in place. See Firewall Support below.
- NAT:
- Allow Fair NAT to configure NAT. You could disable this if you prefer to set this up yourself / let your firewall do it.
- FORWARD:
- Allow Fair NAT to configure Port Forwarding. Same as NAT, you can disable this if you dont need it.
- QOS_DOWN:
- Shape download traffic. If you know a little bit about traffic shaping and believe that download shaping is completely useless, feel free to disable this.
- QOS_UP:
- Shaping upload traffic can be disabled also. If you disable this and QOS_DOWN also, you could use Fair NAT for setting up NAT and Port Forwarding only, although thats not really the purpose of the script ;-)
- TOS:
- Allow Fair NAT to modify the TOS (type-of-service) field of packets. Right now, Fair NAT relies on this TOS field for shaping, so using this feature is highly recommended.
Download (0.031MB)
Added: 2006-06-29 License: GPL (GNU General Public License) Price:
1214 downloads
NAT Monitor 2.4
NAT Monitor is a tool to monitor hosts bandwidth usage in a Linux-NAT network. more>>
NAT Monitor is a tool to monitor hosts bandwidth usage in a Linux-NAT network.
A daemon collects data and clients display them (currently a GTK app with graph and a text version). It detects new hosts, saves up to 12 hours of data, and has a nice summary statistic.
<<lessA daemon collects data and clients display them (currently a GTK app with graph and a text version). It detects new hosts, saves up to 12 hours of data, and has a nice summary statistic.
Download (0.030MB)
Added: 2005-11-18 License: GPL (GNU General Public License) Price:
1439 downloads
nat-traverse 0.4
nat-traverse establishes connections between hosts which are behind NAT gateways. more>>
nat-traverse establishes connections between nodes which are behind NAT gateways, i.e. hosts which do not have public IP addresses.
Additionally, you can setup a small VPN by using pppd on top of nat-traverse. nat-traverse does not need an external server on the Internet, and it isnt necessary to reconfigure the involved NAT gateways, either. nat-traverse works out-of-the-box.
Version restrictions:
- Only IPv4 is supported, nat-traverse wont work with IPv6 addresses. Even though it would be relatively trivial to add IPv6 support, I refrained from doing that, as theres no need to use NAT with IPv6 (the address space IPv6 provides is sufficient).
Enhancements:
- New option --quit-after-connect quits nat-traverse after the tunnel has been established successfully.
<<lessAdditionally, you can setup a small VPN by using pppd on top of nat-traverse. nat-traverse does not need an external server on the Internet, and it isnt necessary to reconfigure the involved NAT gateways, either. nat-traverse works out-of-the-box.
Version restrictions:
- Only IPv4 is supported, nat-traverse wont work with IPv6 addresses. Even though it would be relatively trivial to add IPv6 support, I refrained from doing that, as theres no need to use NAT with IPv6 (the address space IPv6 provides is sufficient).
Enhancements:
- New option --quit-after-connect quits nat-traverse after the tunnel has been established successfully.
Download (0.015MB)
Added: 2005-08-23 License: GPL (GNU General Public License) Price:
1524 downloads
netstat-nat 1.4.7
Netstat-nat is a small program written in C. more>>
Netstat-nat is a small program written in C. It displays NAT connections, managed by netfilter/iptables which comes with the > 2.4.x linux kernels. The program reads its information from /proc/net/ip_conntrack, which is the temporary conntrack-storage of netfilter. (http://netfilter.samba.org/). Netstat-nat takes several arguments but they not needed.
-h displays help
-n dont resolve IPs/ports to host/portnames.
-p protocol display NAT connections with protocol selection.
-s source host display connections by source IP/hostname.
-d destination host display connections by destination IP/hostname.
-S display SNAT connections
-D display DNAT connections
-L display only connections to NAT box self (disables display of SNAT & DNAT)
-x extended view of hostnames
-r src | dst | src-port | dst-port | state sort connections
-o strip output-header
Enhancements:
- This release contains a fix for read-in (ip_conntrack).
- Previous versions could sometimes hang or segfault on some systems.
- There is a fix for displaying DNAT over SNAT connections.
<<less-h displays help
-n dont resolve IPs/ports to host/portnames.
-p protocol display NAT connections with protocol selection.
-s source host display connections by source IP/hostname.
-d destination host display connections by destination IP/hostname.
-S display SNAT connections
-D display DNAT connections
-L display only connections to NAT box self (disables display of SNAT & DNAT)
-x extended view of hostnames
-r src | dst | src-port | dst-port | state sort connections
-o strip output-header
Enhancements:
- This release contains a fix for read-in (ip_conntrack).
- Previous versions could sometimes hang or segfault on some systems.
- There is a fix for displaying DNAT over SNAT connections.
Download (0.071MB)
Added: 2006-08-19 License: GPL (GNU General Public License) Price:
1168 downloads
NatACL 3.0 Beta 15
NatACL is an authentication daemon for NAT and transparent proxying that man in the middles outbound HTTP requests. more>>
NatACL is an authentication daemon for NAT and transparent proxying that man in the middles outbound HTTP requests and forces the user to a login/password page requesting credentials to allow the outbound connection. After proper credentials are received, NAT rules are automatically generated.
To install NatACL type these commands:
#for linux
make
make install
If you are updating NatACL from a previous version, you may have to manualy
update your /usr/local/etc/NatACL.conf.
<<lessTo install NatACL type these commands:
#for linux
make
make install
If you are updating NatACL from a previous version, you may have to manualy
update your /usr/local/etc/NatACL.conf.
Download (0.079MB)
Added: 2006-08-14 License: GPL (GNU General Public License) Price:
1166 downloads
Example NAT usage 1/17/01
Example NAT usage is a little script to show a NAT usage example. more>>
Example NAT usage is a little script to show a NAT usage example.
Sample:
#----------------------#
# Variable Definitions #
#----------------------#
EXT=eth0
INT=eth1
# "Masquerading" Example
PRIV_NETS="128.111.1.1 128.111.185.0/255.255.255.0"
MASQ_NET=192.168.1.0/255.255.255.0
# "General SNAT" Example
MAP_FROM=192.168.1.0/255.255.255.0
MAP_TO=128.111.185.30-128.111.185.42
# "Redirection" Example
INTERNAL_IP=10.10.1.1
# "Port Forwarding" Example
EXTERNAL_IP=128.111.1.200
NEWS_SERVER=10.10.1.38
MAIL_SERVER=10.10.1.69
# "Load Balancing" Example
VIRTUAL_SERVER=news.sblug.com
SERVER_RANGE=10.10.1.9-10.10.1.15
#-------------#
# NAT Section #
#-------------#
#
# Flush previous rules
#
iptables -t nat -F
#
# Masquerading
#
# Masquerading for outgoing connections, except privileged nets are exempt
for NET in $PRIV_NETS ; do
iptables -t nat -A POSTROUTING -d $NET -o $EXT -j ACCEPT
done
iptables -t nat -A POSTROUTING -s $MASQ_NET -o $EXT -j MASQUERADE
#
# General SNAT
#
# Internal computers w/ private ips "borrow" public ips of other internal computers to ssh out
iptables -t nat -A POSTROUTING -s $MAP_FROM -o $EXT -p tcp --dport ssh -j SNAT --to-source $MAP_TO
iptables -t nat -A POSTROUTING -s $MAP_FROM -o $EXT -p udp --dport ssh -j SNAT --to-source $MAP_TO
#
# Redirection
#
# Redirect internal net http traffic through squid proxy, but allow direct access to local web server
iptables -t nat -A PREROUTING -i $INT -d ! $INTERNAL_IP -p tcp --dport www -j REDIRECT --to-port 8080
#
# Port Forwarding
#
# Forward gateway port 7000 to news server and gateway port 8000 to pop mail server
iptables -t nat -A PREROUTING -d $EXTERNAL_IP -p tcp --dport 7000 -j DNAT --to-dest $NEWS_SERVER:nntp
iptables -t nat -A PREROUTING -d $EXTERNAL_IP -p tcp --dport 8000 -j DNAT --to-dest $MAIL_SERVER:pop3
#
# Load Balancing
#
# Basic load balancing by redirecting nntp requests to any of several local news servers
iptables -t nat -A PREROUTING -d $VIRTUAL_SERVER -p tcp --dport nntp -j DNAT --to-dest $SERVER_RANGE
<<lessSample:
#----------------------#
# Variable Definitions #
#----------------------#
EXT=eth0
INT=eth1
# "Masquerading" Example
PRIV_NETS="128.111.1.1 128.111.185.0/255.255.255.0"
MASQ_NET=192.168.1.0/255.255.255.0
# "General SNAT" Example
MAP_FROM=192.168.1.0/255.255.255.0
MAP_TO=128.111.185.30-128.111.185.42
# "Redirection" Example
INTERNAL_IP=10.10.1.1
# "Port Forwarding" Example
EXTERNAL_IP=128.111.1.200
NEWS_SERVER=10.10.1.38
MAIL_SERVER=10.10.1.69
# "Load Balancing" Example
VIRTUAL_SERVER=news.sblug.com
SERVER_RANGE=10.10.1.9-10.10.1.15
#-------------#
# NAT Section #
#-------------#
#
# Flush previous rules
#
iptables -t nat -F
#
# Masquerading
#
# Masquerading for outgoing connections, except privileged nets are exempt
for NET in $PRIV_NETS ; do
iptables -t nat -A POSTROUTING -d $NET -o $EXT -j ACCEPT
done
iptables -t nat -A POSTROUTING -s $MASQ_NET -o $EXT -j MASQUERADE
#
# General SNAT
#
# Internal computers w/ private ips "borrow" public ips of other internal computers to ssh out
iptables -t nat -A POSTROUTING -s $MAP_FROM -o $EXT -p tcp --dport ssh -j SNAT --to-source $MAP_TO
iptables -t nat -A POSTROUTING -s $MAP_FROM -o $EXT -p udp --dport ssh -j SNAT --to-source $MAP_TO
#
# Redirection
#
# Redirect internal net http traffic through squid proxy, but allow direct access to local web server
iptables -t nat -A PREROUTING -i $INT -d ! $INTERNAL_IP -p tcp --dport www -j REDIRECT --to-port 8080
#
# Port Forwarding
#
# Forward gateway port 7000 to news server and gateway port 8000 to pop mail server
iptables -t nat -A PREROUTING -d $EXTERNAL_IP -p tcp --dport 7000 -j DNAT --to-dest $NEWS_SERVER:nntp
iptables -t nat -A PREROUTING -d $EXTERNAL_IP -p tcp --dport 8000 -j DNAT --to-dest $MAIL_SERVER:pop3
#
# Load Balancing
#
# Basic load balancing by redirecting nntp requests to any of several local news servers
iptables -t nat -A PREROUTING -d $VIRTUAL_SERVER -p tcp --dport nntp -j DNAT --to-dest $SERVER_RANGE
Download (MB)
Added: 2007-02-14 License: GPL (GNU General Public License) Price:
984 downloads
NATting SOHO firewall
NATting SOHO firewall is a firewall script for iptables. more>>
NATting SOHO firewall is a firewall script for iptables.
# Model NATting SOHO firewall for SP article
# by Jay Beale (jay@bastille-linux.org)
#
# Warning: youre going to have to hack this for your own purposes.
#
# Assumptions:
# your internal network is 192.168.1.0/24 on eth1
# your internet IP is 10.0.0.1 on eth0
# your internal network IP on eth1 is 192.168.1.1
#
# Additonally:
# you have another internal network, a DMZ: 192.168.2.0/24 on eth2
$INTERNAL_IP = 192.168.1.1
$INTERNAL_NET = 192.168.1.0/24
$INTERNET = 10.0.0.1
$DMZ = 192.168.2.0/24
# Insert the required kernel modules
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# Set default policies for packets going through this firewall box
iptables -t nat -P PREROUTING DROP
iptables -t nat -P POSTROUTING DROP
iptables -P FORWARD DROP
# Set default policies for packet entering this box
iptables -P OUTPUT ALLOW
iptables -P INPUT ALLOW
# Kill spoofed packets
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Anything coming from our internal network should have only our addresses!
iptables -A FORWARD -i eth1 -s ! $INTERNAL_NET -j DROP
# Anything coming from the Internet should have a real Internet address
iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
# Note:There are more "reserved" networks, but these are the classical ones.
# Block outgoing network filesharing protocols that arent designed
# to leave the LAN
# SMB / Windows filesharing
iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP
# NFS Mount Service (TCP/UDP 635)
iptables -A FORWARD -p tcp --sport 635 -j DROP
iptables -A FORWARD -p udp --sport 635 -j DROP
# NFS (TCP/UDP 2049)
iptables -A FORWARD -p tcp --sport 2049 -j DROP
iptables -A FORWARD -p udp --sport 2049 -j DROP
# Portmapper (TCP/UDP 111)
iptables -A FORWARD -p tcp --sport 111 -j DROP
iptables -A FORWARD -p udp --sport 111 -j DROP
# Block incoming syslog, lpr, rsh, rexec...
iptables -A FORWARD -i eth0 -p udp --dport syslog -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 515 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 514 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 512 -j DROP
###
# Transparently proxy all web-surfing through Squid box
$SQUID = 192.168.1.2:8080
$SQUIDSSL = 192.168.1.2:443
iptables -t nat -A PREROUTING -i eth1 -tcp --dport 80 -j DNAT --to $SQUID
iptables -t nat -A PREROUTING -i eth1 -tcp --dport 443 -j DNAT --to $SQUIDSSL
# Transparently forward all outgoing mail to a relay host
$SMTP = 192.168.1.3
iptables -t nat -A PREROUTING -i eth1 -tcp --dport 25 -j DNAT --to $SMTP
# Transparently redirect web connections from outside to the DMZ web
# server
$DMZ_WEB = 192.168.2.2
iptables -t nat -A PREROUTING -i eth0 -d 192.168.1.1 -dport 80 -j DNAT --to $DMZ_WEB
# Source NAT to get Internet traffic through
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to $INTERNET
# Activate the forwarding!
echo 1 >/proc/sys/net/ipv4/ip_forward
<<less# Model NATting SOHO firewall for SP article
# by Jay Beale (jay@bastille-linux.org)
#
# Warning: youre going to have to hack this for your own purposes.
#
# Assumptions:
# your internal network is 192.168.1.0/24 on eth1
# your internet IP is 10.0.0.1 on eth0
# your internal network IP on eth1 is 192.168.1.1
#
# Additonally:
# you have another internal network, a DMZ: 192.168.2.0/24 on eth2
$INTERNAL_IP = 192.168.1.1
$INTERNAL_NET = 192.168.1.0/24
$INTERNET = 10.0.0.1
$DMZ = 192.168.2.0/24
# Insert the required kernel modules
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# Set default policies for packets going through this firewall box
iptables -t nat -P PREROUTING DROP
iptables -t nat -P POSTROUTING DROP
iptables -P FORWARD DROP
# Set default policies for packet entering this box
iptables -P OUTPUT ALLOW
iptables -P INPUT ALLOW
# Kill spoofed packets
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Anything coming from our internal network should have only our addresses!
iptables -A FORWARD -i eth1 -s ! $INTERNAL_NET -j DROP
# Anything coming from the Internet should have a real Internet address
iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
# Note:There are more "reserved" networks, but these are the classical ones.
# Block outgoing network filesharing protocols that arent designed
# to leave the LAN
# SMB / Windows filesharing
iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP
# NFS Mount Service (TCP/UDP 635)
iptables -A FORWARD -p tcp --sport 635 -j DROP
iptables -A FORWARD -p udp --sport 635 -j DROP
# NFS (TCP/UDP 2049)
iptables -A FORWARD -p tcp --sport 2049 -j DROP
iptables -A FORWARD -p udp --sport 2049 -j DROP
# Portmapper (TCP/UDP 111)
iptables -A FORWARD -p tcp --sport 111 -j DROP
iptables -A FORWARD -p udp --sport 111 -j DROP
# Block incoming syslog, lpr, rsh, rexec...
iptables -A FORWARD -i eth0 -p udp --dport syslog -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 515 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 514 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 512 -j DROP
###
# Transparently proxy all web-surfing through Squid box
$SQUID = 192.168.1.2:8080
$SQUIDSSL = 192.168.1.2:443
iptables -t nat -A PREROUTING -i eth1 -tcp --dport 80 -j DNAT --to $SQUID
iptables -t nat -A PREROUTING -i eth1 -tcp --dport 443 -j DNAT --to $SQUIDSSL
# Transparently forward all outgoing mail to a relay host
$SMTP = 192.168.1.3
iptables -t nat -A PREROUTING -i eth1 -tcp --dport 25 -j DNAT --to $SMTP
# Transparently redirect web connections from outside to the DMZ web
# server
$DMZ_WEB = 192.168.2.2
iptables -t nat -A PREROUTING -i eth0 -d 192.168.1.1 -dport 80 -j DNAT --to $DMZ_WEB
# Source NAT to get Internet traffic through
iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to $INTERNET
# Activate the forwarding!
echo 1 >/proc/sys/net/ipv4/ip_forward
Download (MB)
Added: 2007-02-13 License: GPL (GNU General Public License) Price:
987 downloads
NAT iptables firewall script
NAT iptables firewall script is an iptables firewall script. more>>
NAT iptables firewall script is an iptables firewall script.
This script is meant to be run once per boot the rules will be double added if you try to run it twice if you need to add another rule during runtime, change the -A to a -I to add it to the top of the list of rules if you use -A it will go at the end after the reject rule.
Sample:
# interface definitions
BAD_IFACE=eth0
DMZ_IFACE=eth1
DMZ_ADDR=x.x.x.96/28
GOOD_IFACE=eth2
GOOD_ADDR=192.168.1.0/24
MASQ_SERVER=x.x.x.98
FTP_SERVER=x.x.x.100
MAIL_SERVER=x.x.x.99
MAIL_SERVER_INTERNAL=192.168.1.3
# testing
#set -x
ip route del x.x.x.96/28 dev $BAD_IFACE
ip route del x.x.x.96/28 dev $DMZ_IFACE
ip route add x.x.x.97 dev $BAD_IFACE
ip route add x.x.x.96/28 dev $DMZ_IFACE
# we need proxy arp for the dmz network
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
# turn on ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# turn on antispoofing protection
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
# flush all rules in the filter table
#iptables -F
# flush built in rules
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
# deny everything for now
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP
# make the chains to define packet directions
# bad is the internet, dmz is our dmz, good is our masqed network
iptables -N good-dmz
iptables -N bad-dmz
iptables -N good-bad
iptables -N dmz-good
iptables -N dmz-bad
iptables -N bad-good
iptables -N icmp-acc
# accept related packets
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# internal client masqing
iptables -t nat -A POSTROUTING -s $GOOD_ADDR -o $BAD_IFACE -j SNAT --to $MASQ_SERVER
# mail server masqing
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport smtp -j DNAT --to $MAIL_SERVER_INTERNAL:25
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport http -j DNAT --to $MAIL_SERVER_INTERNAL:80
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport https -j DNAT --to $MAIL_SERVER_INTERNAL:443
# to allow the above to work you need something like
# iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT
# set which addresses jump to which chains
iptables -A FORWARD -s $GOOD_ADDR -o $DMZ_IFACE -j good-dmz
iptables -A FORWARD -s $GOOD_ADDR -o $BAD_IFACE -j good-bad
iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $BAD_IFACE -j dmz-bad
iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $GOOD_IFACE -j dmz-good
iptables -A FORWARD -o $DMZ_IFACE -j bad-dmz
iptables -A FORWARD -o $GOOD_IFACE -j bad-good
# drop anything that doesnt fit these
iptables -A FORWARD -j LOG --log-prefix "chain-jump "
iptables -A FORWARD -j DROP
# icmp acceptance
iptables -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-request -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT
# iptables -A icmp-acc -j LOG --log-prefix "icmp-acc "
iptables -A icmp-acc -j DROP
# from internal to dmz
iptables -A good-dmz -p tcp --dport smtp -j ACCEPT
iptables -A good-dmz -p tcp --dport pop3 -j ACCEPT
iptables -A good-dmz -p udp --dport domain -j ACCEPT
iptables -A good-dmz -p tcp --dport domain -j ACCEPT
iptables -A good-dmz -p tcp --dport www -j ACCEPT
iptables -A good-dmz -p tcp --dport https -j ACCEPT
iptables -A good-dmz -p tcp --dport ssh -j ACCEPT
iptables -A good-dmz -p tcp --dport telnet -j ACCEPT
iptables -A good-dmz -p tcp --dport auth -j ACCEPT
iptables -A good-dmz -p tcp --dport ftp -j ACCEPT
iptables -A good-dmz -p tcp --dport 1521 -j ACCEPT
iptables -A good-dmz -p icmp -j icmp-acc
iptables -A good-dmz -j LOG --log-prefix "good-dmz "
iptables -A good-dmz -j DROP
# from external to dmz
iptables -A bad-dmz -p tcp --dport smtp -j ACCEPT
iptables -A bad-dmz -p udp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport www -j ACCEPT
iptables -A bad-dmz -p tcp --dport https -j ACCEPT
iptables -A bad-dmz -p tcp --dport ssh -j ACCEPT
iptables -A bad-dmz -p tcp -d $FTP_SERVER --dport ftp -j ACCEPT
iptables -A bad-dmz -p icmp -j icmp-acc
iptables -A bad-dmz -j LOG --log-prefix "bad-dmz "
iptables -A bad-dmz -j DROP
# from internal to external
iptables -A good-bad -j ACCEPT
# iptables -t nat -A POSTROUTING -o $BAD_IFACE -j SNAT --to $MASQ_SERVER
#iptables -A good-bad -p tcp -j MASQ
#iptables -A good-bad -p udp -j MASQ
#iptables -A good-bad -p icmp -j MASQ
#ipchains -A good-bad -p tcp --dport www -j MASQ
#ipchains -A good-bad -p tcp --dport ssh -j MASQ
#ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
#ipchains -A good-bad -p tcp --dport ftp -j MASQ
#ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
#ipchains -A good-bad -j REJECT -l
# from dmz to internal
# iptables -A dmz-good -p tcp ! --syn --sport smtp -j ACCEPT
iptables -A dmz-good -p tcp --dport smtp -j ACCEPT
iptables -A dmz-good -p tcp --sport smtp -j ACCEPT
iptables -A dmz-good -p udp --sport domain -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport domain -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport www -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport ssh -j ACCEPT
iptables -A dmz-good -p tcp -d 192.168.1.34 --dport smtp -j ACCEPT
iptables -A dmz-good -p icmp -j icmp-acc
iptables -A dmz-good -j LOG --log-prefix "dmz-good "
iptables -A dmz-good -j DROP
# from dmz to external
iptables -A dmz-bad -p tcp --dport smtp -j ACCEPT
iptables -A dmz-bad -p tcp --sport smtp -j ACCEPT
iptables -A dmz-bad -p udp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport www -j ACCEPT
iptables -A dmz-bad -p tcp --dport https -j ACCEPT
iptables -A dmz-bad -p tcp --dport ssh -j ACCEPT
iptables -A dmz-bad -p tcp --dport ftp -j ACCEPT
iptables -A dmz-bad -p tcp --dport whois -j ACCEPT
iptables -A dmz-bad -p tcp --dport telnet -j ACCEPT
iptables -A dmz-bad -p udp --dport ntp -j ACCEPT
# ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
iptables -A dmz-bad -p icmp -j icmp-acc
iptables -A dmz-bad -j LOG --log-prefix "dmz-bad "
iptables -A dmz-bad -j DROP
# from external to internal
iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -p tcp --dport http -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -p tcp --dport https -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -j LOG --log-prefix "bad-good "
iptables -A bad-good -j REJECT
# rules for this machine itself
iptables -N bad-if
iptables -N dmz-if
iptables -N good-if
# set up the jumps to each chain
iptables -A INPUT -i $BAD_IFACE -j bad-if
iptables -A INPUT -i $DMZ_IFACE -j dmz-if
iptables -A INPUT -i $GOOD_IFACE -j good-if
# external iface
iptables -A bad-if -p icmp -j icmp-acc
iptables -A bad-if -j ACCEPT
#ipchains -A bad-if -i ! ppp0 -j DENY -l
#ipchains -A bad-if -p TCP --dport 61000:65095 -j ACCEPT
#ipchains -A bad-if -p UDP --dport 61000:65095 -j ACCEPT
#ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT
#ipchains -A bad-if -j icmp-acc
#ipchains -A bad-if -j DENY
# dmz iface
iptables -A bad-if -p icmp -j icmp-acc
iptables -A dmz-if -j ACCEPT
# internal iface
iptables -A good-if -p tcp --dport ssh -j ACCEPT
iptables -A good-if -p ICMP --icmp-type ping -j ACCEPT
iptables -A good-if -p ICMP --icmp-type pong -j ACCEPT
iptables -A good-if -j icmp-acc
iptables -A good-if -j DROP
# remove the complete blocks
iptables -D INPUT 1
iptables -D FORWARD 1
iptables -D OUTPUT 1
<<lessThis script is meant to be run once per boot the rules will be double added if you try to run it twice if you need to add another rule during runtime, change the -A to a -I to add it to the top of the list of rules if you use -A it will go at the end after the reject rule.
Sample:
# interface definitions
BAD_IFACE=eth0
DMZ_IFACE=eth1
DMZ_ADDR=x.x.x.96/28
GOOD_IFACE=eth2
GOOD_ADDR=192.168.1.0/24
MASQ_SERVER=x.x.x.98
FTP_SERVER=x.x.x.100
MAIL_SERVER=x.x.x.99
MAIL_SERVER_INTERNAL=192.168.1.3
# testing
#set -x
ip route del x.x.x.96/28 dev $BAD_IFACE
ip route del x.x.x.96/28 dev $DMZ_IFACE
ip route add x.x.x.97 dev $BAD_IFACE
ip route add x.x.x.96/28 dev $DMZ_IFACE
# we need proxy arp for the dmz network
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
# turn on ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# turn on antispoofing protection
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
# flush all rules in the filter table
#iptables -F
# flush built in rules
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
# deny everything for now
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP
# make the chains to define packet directions
# bad is the internet, dmz is our dmz, good is our masqed network
iptables -N good-dmz
iptables -N bad-dmz
iptables -N good-bad
iptables -N dmz-good
iptables -N dmz-bad
iptables -N bad-good
iptables -N icmp-acc
# accept related packets
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# internal client masqing
iptables -t nat -A POSTROUTING -s $GOOD_ADDR -o $BAD_IFACE -j SNAT --to $MASQ_SERVER
# mail server masqing
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport smtp -j DNAT --to $MAIL_SERVER_INTERNAL:25
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport http -j DNAT --to $MAIL_SERVER_INTERNAL:80
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport https -j DNAT --to $MAIL_SERVER_INTERNAL:443
# to allow the above to work you need something like
# iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT
# set which addresses jump to which chains
iptables -A FORWARD -s $GOOD_ADDR -o $DMZ_IFACE -j good-dmz
iptables -A FORWARD -s $GOOD_ADDR -o $BAD_IFACE -j good-bad
iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $BAD_IFACE -j dmz-bad
iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $GOOD_IFACE -j dmz-good
iptables -A FORWARD -o $DMZ_IFACE -j bad-dmz
iptables -A FORWARD -o $GOOD_IFACE -j bad-good
# drop anything that doesnt fit these
iptables -A FORWARD -j LOG --log-prefix "chain-jump "
iptables -A FORWARD -j DROP
# icmp acceptance
iptables -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-request -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT
# iptables -A icmp-acc -j LOG --log-prefix "icmp-acc "
iptables -A icmp-acc -j DROP
# from internal to dmz
iptables -A good-dmz -p tcp --dport smtp -j ACCEPT
iptables -A good-dmz -p tcp --dport pop3 -j ACCEPT
iptables -A good-dmz -p udp --dport domain -j ACCEPT
iptables -A good-dmz -p tcp --dport domain -j ACCEPT
iptables -A good-dmz -p tcp --dport www -j ACCEPT
iptables -A good-dmz -p tcp --dport https -j ACCEPT
iptables -A good-dmz -p tcp --dport ssh -j ACCEPT
iptables -A good-dmz -p tcp --dport telnet -j ACCEPT
iptables -A good-dmz -p tcp --dport auth -j ACCEPT
iptables -A good-dmz -p tcp --dport ftp -j ACCEPT
iptables -A good-dmz -p tcp --dport 1521 -j ACCEPT
iptables -A good-dmz -p icmp -j icmp-acc
iptables -A good-dmz -j LOG --log-prefix "good-dmz "
iptables -A good-dmz -j DROP
# from external to dmz
iptables -A bad-dmz -p tcp --dport smtp -j ACCEPT
iptables -A bad-dmz -p udp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport www -j ACCEPT
iptables -A bad-dmz -p tcp --dport https -j ACCEPT
iptables -A bad-dmz -p tcp --dport ssh -j ACCEPT
iptables -A bad-dmz -p tcp -d $FTP_SERVER --dport ftp -j ACCEPT
iptables -A bad-dmz -p icmp -j icmp-acc
iptables -A bad-dmz -j LOG --log-prefix "bad-dmz "
iptables -A bad-dmz -j DROP
# from internal to external
iptables -A good-bad -j ACCEPT
# iptables -t nat -A POSTROUTING -o $BAD_IFACE -j SNAT --to $MASQ_SERVER
#iptables -A good-bad -p tcp -j MASQ
#iptables -A good-bad -p udp -j MASQ
#iptables -A good-bad -p icmp -j MASQ
#ipchains -A good-bad -p tcp --dport www -j MASQ
#ipchains -A good-bad -p tcp --dport ssh -j MASQ
#ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
#ipchains -A good-bad -p tcp --dport ftp -j MASQ
#ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
#ipchains -A good-bad -j REJECT -l
# from dmz to internal
# iptables -A dmz-good -p tcp ! --syn --sport smtp -j ACCEPT
iptables -A dmz-good -p tcp --dport smtp -j ACCEPT
iptables -A dmz-good -p tcp --sport smtp -j ACCEPT
iptables -A dmz-good -p udp --sport domain -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport domain -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport www -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport ssh -j ACCEPT
iptables -A dmz-good -p tcp -d 192.168.1.34 --dport smtp -j ACCEPT
iptables -A dmz-good -p icmp -j icmp-acc
iptables -A dmz-good -j LOG --log-prefix "dmz-good "
iptables -A dmz-good -j DROP
# from dmz to external
iptables -A dmz-bad -p tcp --dport smtp -j ACCEPT
iptables -A dmz-bad -p tcp --sport smtp -j ACCEPT
iptables -A dmz-bad -p udp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport www -j ACCEPT
iptables -A dmz-bad -p tcp --dport https -j ACCEPT
iptables -A dmz-bad -p tcp --dport ssh -j ACCEPT
iptables -A dmz-bad -p tcp --dport ftp -j ACCEPT
iptables -A dmz-bad -p tcp --dport whois -j ACCEPT
iptables -A dmz-bad -p tcp --dport telnet -j ACCEPT
iptables -A dmz-bad -p udp --dport ntp -j ACCEPT
# ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
iptables -A dmz-bad -p icmp -j icmp-acc
iptables -A dmz-bad -j LOG --log-prefix "dmz-bad "
iptables -A dmz-bad -j DROP
# from external to internal
iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -p tcp --dport http -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -p tcp --dport https -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -j LOG --log-prefix "bad-good "
iptables -A bad-good -j REJECT
# rules for this machine itself
iptables -N bad-if
iptables -N dmz-if
iptables -N good-if
# set up the jumps to each chain
iptables -A INPUT -i $BAD_IFACE -j bad-if
iptables -A INPUT -i $DMZ_IFACE -j dmz-if
iptables -A INPUT -i $GOOD_IFACE -j good-if
# external iface
iptables -A bad-if -p icmp -j icmp-acc
iptables -A bad-if -j ACCEPT
#ipchains -A bad-if -i ! ppp0 -j DENY -l
#ipchains -A bad-if -p TCP --dport 61000:65095 -j ACCEPT
#ipchains -A bad-if -p UDP --dport 61000:65095 -j ACCEPT
#ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT
#ipchains -A bad-if -j icmp-acc
#ipchains -A bad-if -j DENY
# dmz iface
iptables -A bad-if -p icmp -j icmp-acc
iptables -A dmz-if -j ACCEPT
# internal iface
iptables -A good-if -p tcp --dport ssh -j ACCEPT
iptables -A good-if -p ICMP --icmp-type ping -j ACCEPT
iptables -A good-if -p ICMP --icmp-type pong -j ACCEPT
iptables -A good-if -j icmp-acc
iptables -A good-if -j DROP
# remove the complete blocks
iptables -D INPUT 1
iptables -D FORWARD 1
iptables -D OUTPUT 1
Download (MB)
Added: 2007-02-14 License: GPL (GNU General Public License) Price:
603 downloads
Set up iptables NAT rules 1.2b2
Set up iptables NAT rules is an example IPTables 1.2.1 script for a multi-homed firewall. more>>
Set up iptables NAT rules is an example IPTables 1.2.1 script for a multi-homed firewall.
Please feel free to send me any comments or suggestions.
Current versions and documentation are available at http://www.sentry.net/~obsid/IPTables/rc.scripts.dir/current/
Sample:
## Variables ##
IPTABLES="/usr/local/sbin/iptables" ## Default IPTables >= v. 1.2.0
#IPTABLES="/usr/local/bin/iptables" ## Default IPTables<<less
Please feel free to send me any comments or suggestions.
Current versions and documentation are available at http://www.sentry.net/~obsid/IPTables/rc.scripts.dir/current/
Sample:
## Variables ##
IPTABLES="/usr/local/sbin/iptables" ## Default IPTables >= v. 1.2.0
#IPTABLES="/usr/local/bin/iptables" ## Default IPTables<<less
Download (MB)
Added: 2007-02-14 License: GPL (GNU General Public License) Price:
989 downloads
Script for NAT and more 02/02/01
Script for NAT and more is an iptables firewall script. more>>
Script for NAT and more is an iptables firewall script.
Sample:
# Location of IPTables
FW="`whereis -b iptables | cut -d " " -f 2`"
# Interface Configuration
IF0="eth0"
IP0="`ifconfig $IF0 | grep inet | cut -d : -f 2 | cut -d -f 1`"
MASK0="`ifconfig $IF0 | grep Mask | cut -d : -f 4`"
LOCALNET="$IP0"
echo "IP: $LOCALNET/$MASK0"
# Inside Interface (Can be either eth1 or none)
IF1="eth1"
IP1="`ifconfig $IF1 | grep inet | cut -d : -f 2 | cut -d -f 1`"
MASK1="`ifconfig $IF1 | grep Mask | cut -d : -f 4`"
GWIP="$IP1"
echo "LAN Gateway: $GWIP/$MASK1"
if [ $IF1 != none ]; then
LAN="10.0.1.0/24"
HOST0="10.0.1.2"
HOST1="10.0.1.3"
fi
# Everyone
WORLD="0/0"
# Options
TOS=no
ICMP=yes
# Flush
$FW -F INPUT
$FW -F OUTPUT
$FW -F FORWARD
$FW -F -t nat
$FW -F -t mangle
$FW -F LOGDROP
# Policy
$FW -P INPUT DROP
$FW -P OUTPUT ACCEPT
$FW -P FORWARD ACCEPT
# Create Event Logging
if [ -z "`iptables -L | grep LOGDROP`" ]; then
$FW -N LOGDROP 2>/dev/null
fi
$FW -A LOGDROP -p TCP -j LOG --log-level info --log-prefix "TCP Drop "
$FW -A LOGDROP -p UDP -j LOG --log-level info --log-prefix "UDP Drop "
$FW -A LOGDROP -p ICMP -j LOG --log-level info --log-prefix "ICMP Drop "
$FW -A LOGDROP -f -j LOG --log-level emerg --log-prefix "FRAG Drop "
$FW -A LOGDROP -j DROP
echo "Event logging added"
# $FW -A INPUT -i eth0 -j LOG
# Avoid these from being logged (gets annoying)
# $FW -A INPUT -s $WORLD -p TCP --sport 6666:7000 -d $LOCALNET -j ACCEPT
# $FW -A INPUT -s 24.0.0.0/8 -p ALL -d $LOCALNET -j DROP
# LAN Configuration
# Dynamic IP
$FW -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Static IP
# $FW -t nat -A POSTROUTING -o $IF0 -s $LAN -j SNAT --to $LOCALNET
$FW -A FORWARD -o eth0 -j ACCEPT
$FW -A FORWARD -i eth0 -m state --state ESTABLISHED -j ACCEPT
$FW -A FORWARD -p TCP -s $WORLD --dport 137:139 -j DROP
$FW -A FORWARD -p UDP -s $WORLD --sport 137:139 -j DROP
# $FW -A FORWARD -p TCP --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1
$FW -A INPUT -m state --state ESTABLISHED -j ACCEPT
# $FW -A OUTPUT -p TCP -s $LAN --syn -j ACCEPT
$FW -A INPUT -p TCP --tcp-flags ALL SYN,ACK -j ACCEPT
$FW -P FORWARD DROP
# Port Forwarding
##### Traffic via LAN
# $FW -t nat -A POSTROUTING -p TCP -o eth0 -s $LAN --sport 6667:7000 -j SNAT
# --to $LOCALNET:6666-7000
# FTP
$FW -t nat -A PREROUTING -d $LOCALNET -p TCP --dport 20 -j DNAT
--to $HOST0:20
$FW -t nat -A PREROUTING -d $LOCALNET -p TCP --dport 21 -j DNAT
--to $HOST0:21
# SSH
$FW -t nat -A PREROUTING -d $LOCALNET -p TCP --dport 22 -j DNAT
--to $HOST0:22
# Telnet (seperate system)
$FW -t nat -A PREROUTING -d $LOCALNET -p TCP --dport 23 -j DNAT
--to $HOST1:23
# WWW
$FW -t nat -A PREROUTING -d $LOCALNET -p TCP --dport 80 -j DNAT
--to $HOST0:80
# Type Of Services (iptables -m tos -h for information)
if [ $TOS = yes ]; then
$FW -t mangle -A OUTPUT -p TCP --dport 20 -j TOS --set-tos 8
$FW -t mangle -A OUTPUT -p TCP --dport 21 -j TOS --set-tos 16
$FW -t mangle -A OUTPUT -p TCP --dport 22 -j TOS --set-tos 16
$FW -t mangle -A OUTPUT -p TCP --dport 23 -j TOS --set-tos 16
$FW -t mangle -A OUTPUT -p TCP --dport 25 -j TOS --set-tos 16
$FW -t mangle -A OUTPUT -p TCP --dport 53 -j TOS --set-tos 16
$FW -t mangle -A OUTPUT -p TCP --dport 53 -j TOS --set-tos 16
$FW -t mangle -A OUTPUT -p TCP --dport 80 -j TOS --set-tos 8
##
$FW -t mangle -A PREROUTING -p TCP --dport 20 -j TOS --set-tos 8
$FW -t mangle -A PREROUTING -p TCP --dport 21 -j TOS --set-tos 16
$FW -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 16
$FW -t mangle -A PREROUTING -p TCP --dport 23 -j TOS --set-tos 16
$FW -t mangle -A PREROUTING -p UDP --dport 25 -j TOS --set-tos 16
$FW -t mangle -A PREROUTING -p UDP --dport 53 -j TOS --set-tos 16
$FW -t mangle -A PREROUTING -p UDP --dport 53 -j TOS --set-tos 16
$FW -t mangle -A PREROUTING -p TCP --dport 80 -j TOS --set-tos 8
fi
# Permit full access from LAN
$FW -A INPUT -s $LAN -p TCP -d $LOCALNET --dport 20: -j ACCEPT
$FW -A INPUT -s $LAN -p UDP -d $LOCALNET --sport 20: -j ACCEPT
$FW -A INPUT -s $LAN -p TCP -d $GWIP --dport 20: -j ACCEPT
$FW -A INPUT -s $LAN -p UDP -d $GWIP --sport 20: -j ACCEPT
##### Traffic via local system
# Permit Identd (Local machine)
$FW -A INPUT -s $WORLD -d $LOCALNET -p TCP --dport 113 -j ACCEPT
# Permit ICMP response
if [ $ICMP = yes ]; then
$FW -A OUTPUT -s $LOCALNET -d $WORLD -o $IF0 -p ICMP -j ACCEPT
$FW -A INPUT -s $WORLD -d $LOCALNET -i $IF0 -p ICMP -j ACCEPT
fi
<<lessSample:
# Location of IPTables
FW="`whereis -b iptables | cut -d " " -f 2`"
# Interface Configuration
IF0="eth0"
IP0="`ifconfig $IF0 | grep inet | cut -d : -f 2 | cut -d -f 1`"
MASK0="`ifconfig $IF0 | grep Mask | cut -d : -f 4`"
LOCALNET="$IP0"
echo "IP: $LOCALNET/$MASK0"
# Inside Interface (Can be either eth1 or none)
IF1="eth1"
IP1="`ifconfig $IF1 | grep inet | cut -d : -f 2 | cut -d -f 1`"
MASK1="`ifconfig $IF1 | grep Mask | cut -d : -f 4`"
GWIP="$IP1"
echo "LAN Gateway: $GWIP/$MASK1"
if [ $IF1 != none ]; then
LAN="10.0.1.0/24"
HOST0="10.0.1.2"
HOST1="10.0.1.3"
fi
# Everyone
WORLD="0/0"
# Options
TOS=no
ICMP=yes
# Flush
$FW -F INPUT
$FW -F OUTPUT
$FW -F FORWARD
$FW -F -t nat
$FW -F -t mangle
$FW -F LOGDROP
# Policy
$FW -P INPUT DROP
$FW -P OUTPUT ACCEPT
$FW -P FORWARD ACCEPT
# Create Event Logging
if [ -z "`iptables -L | grep LOGDROP`" ]; then
$FW -N LOGDROP 2>/dev/null
fi
$FW -A LOGDROP -p TCP -j LOG --log-level info --log-prefix "TCP Drop "
$FW -A LOGDROP -p UDP -j LOG --log-level info --log-prefix "UDP Drop "
$FW -A LOGDROP -p ICMP -j LOG --log-level info --log-prefix "ICMP Drop "
$FW -A LOGDROP -f -j LOG --log-level emerg --log-prefix "FRAG Drop "
$FW -A LOGDROP -j DROP
echo "Event logging added"
# $FW -A INPUT -i eth0 -j LOG
# Avoid these from being logged (gets annoying)
# $FW -A INPUT -s $WORLD -p TCP --sport 6666:7000 -d $LOCALNET -j ACCEPT
# $FW -A INPUT -s 24.0.0.0/8 -p ALL -d $LOCALNET -j DROP
# LAN Configuration
# Dynamic IP
$FW -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Static IP
# $FW -t nat -A POSTROUTING -o $IF0 -s $LAN -j SNAT --to $LOCALNET
$FW -A FORWARD -o eth0 -j ACCEPT
$FW -A FORWARD -i eth0 -m state --state ESTABLISHED -j ACCEPT
$FW -A FORWARD -p TCP -s $WORLD --dport 137:139 -j DROP
$FW -A FORWARD -p UDP -s $WORLD --sport 137:139 -j DROP
# $FW -A FORWARD -p TCP --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1
$FW -A INPUT -m state --state ESTABLISHED -j ACCEPT
# $FW -A OUTPUT -p TCP -s $LAN --syn -j ACCEPT
$FW -A INPUT -p TCP --tcp-flags ALL SYN,ACK -j ACCEPT
$FW -P FORWARD DROP
# Port Forwarding
##### Traffic via LAN
# $FW -t nat -A POSTROUTING -p TCP -o eth0 -s $LAN --sport 6667:7000 -j SNAT
# --to $LOCALNET:6666-7000
# FTP
$FW -t nat -A PREROUTING -d $LOCALNET -p TCP --dport 20 -j DNAT
--to $HOST0:20
$FW -t nat -A PREROUTING -d $LOCALNET -p TCP --dport 21 -j DNAT
--to $HOST0:21
# SSH
$FW -t nat -A PREROUTING -d $LOCALNET -p TCP --dport 22 -j DNAT
--to $HOST0:22
# Telnet (seperate system)
$FW -t nat -A PREROUTING -d $LOCALNET -p TCP --dport 23 -j DNAT
--to $HOST1:23
# WWW
$FW -t nat -A PREROUTING -d $LOCALNET -p TCP --dport 80 -j DNAT
--to $HOST0:80
# Type Of Services (iptables -m tos -h for information)
if [ $TOS = yes ]; then
$FW -t mangle -A OUTPUT -p TCP --dport 20 -j TOS --set-tos 8
$FW -t mangle -A OUTPUT -p TCP --dport 21 -j TOS --set-tos 16
$FW -t mangle -A OUTPUT -p TCP --dport 22 -j TOS --set-tos 16
$FW -t mangle -A OUTPUT -p TCP --dport 23 -j TOS --set-tos 16
$FW -t mangle -A OUTPUT -p TCP --dport 25 -j TOS --set-tos 16
$FW -t mangle -A OUTPUT -p TCP --dport 53 -j TOS --set-tos 16
$FW -t mangle -A OUTPUT -p TCP --dport 53 -j TOS --set-tos 16
$FW -t mangle -A OUTPUT -p TCP --dport 80 -j TOS --set-tos 8
##
$FW -t mangle -A PREROUTING -p TCP --dport 20 -j TOS --set-tos 8
$FW -t mangle -A PREROUTING -p TCP --dport 21 -j TOS --set-tos 16
$FW -t mangle -A PREROUTING -p TCP --dport 22 -j TOS --set-tos 16
$FW -t mangle -A PREROUTING -p TCP --dport 23 -j TOS --set-tos 16
$FW -t mangle -A PREROUTING -p UDP --dport 25 -j TOS --set-tos 16
$FW -t mangle -A PREROUTING -p UDP --dport 53 -j TOS --set-tos 16
$FW -t mangle -A PREROUTING -p UDP --dport 53 -j TOS --set-tos 16
$FW -t mangle -A PREROUTING -p TCP --dport 80 -j TOS --set-tos 8
fi
# Permit full access from LAN
$FW -A INPUT -s $LAN -p TCP -d $LOCALNET --dport 20: -j ACCEPT
$FW -A INPUT -s $LAN -p UDP -d $LOCALNET --sport 20: -j ACCEPT
$FW -A INPUT -s $LAN -p TCP -d $GWIP --dport 20: -j ACCEPT
$FW -A INPUT -s $LAN -p UDP -d $GWIP --sport 20: -j ACCEPT
##### Traffic via local system
# Permit Identd (Local machine)
$FW -A INPUT -s $WORLD -d $LOCALNET -p TCP --dport 113 -j ACCEPT
# Permit ICMP response
if [ $ICMP = yes ]; then
$FW -A OUTPUT -s $LOCALNET -d $WORLD -o $IF0 -p ICMP -j ACCEPT
$FW -A INPUT -s $WORLD -d $LOCALNET -i $IF0 -p ICMP -j ACCEPT
fi
Download (MB)
Added: 2007-02-14 License: GPL (GNU General Public License) Price:
982 downloads
NAT and blocking all but Port 22 1.0
NAT and blocking all but Port 22 is a simple iptables firewall script. more>>
NAT and blocking all but Port 22 is a simple iptables firewall script.
Sample:
# Internal and External Devices
dev_world=ppp0
dev_int=eth0
# Firewall IP
addr_int=192.168.1.1
# Internal Net
net_int=192.168.1.0/24
###################################################
# Load Modules
insmod ip_tables
insmod ip_conntrack
insmod ip_conntrack_ftp
insmod ipt_state
insmod iptable_nat
insmod ipt_MASQUERADE
###################################################
# Delete all Rules in Filtertable
iptables -F
###################################################
# Define new chains
iptables -N BLOCK
iptables -N EXT-INT
iptables -N INT-EXT
iptables -N ICMP-DENY
iptables -N INT-IF
iptables -N EXT-IF
###################################################
iptables -A BLOCK -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A BLOCK -m state --state NEW -i ! $dev_world -j ACCEPT
iptables -A BLOCK -j DROP
iptables -A INPUT -j BLOCK
iptables -A FORWARD -j BLOCK
###################################################
# Point to chains
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $dev_int -s $net_int -j INT-IF
iptables -A INPUT -d ! $addr_int -i $dev_world -s ! $net_int -j EXT-IF
iptables -A INPUT -j DROP
iptables -A FORWARD -d ! $net_int -i $dev_world -s $net_int -j INT-EXT
iptables -A FORWARD -d $net_int -i $dev_int -s ! $net_int -j EXT-INT
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j ACCEPT
###################################################
# Chain Rules
iptables -A EXT-INT -j DROP
iptables -A EXT-IF -i ! $dev_world -j DROP
iptables -A EXT-IF -p tcp --dport 22 -j ACCEPT
iptables -A EXT-IF -p tcp --dport 5901 -j ACCEPT
iptables -A EXT-IF -p tcp --dport 1024: -j ACCEPT
iptables -A EXT-IF -p udp --dport 1024: -j ACCEPT
iptables -A EXT-IF -j DROP
iptables -A INT-IF -j ACCEPT
###################################################
# NAT Rules
# Standard Routing
iptables -A POSTROUTING -t nat -o $dev_world -j MASQUERADE -s $net_int
# Port Forwarding
#iptables -A PREROUTING -t nat -p tcp -d 192.168.1.1 --dport 5901 --to 192.168.1.2:5901 -j DNAT
##################################################
# Enable IP-Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward)
<<lessSample:
# Internal and External Devices
dev_world=ppp0
dev_int=eth0
# Firewall IP
addr_int=192.168.1.1
# Internal Net
net_int=192.168.1.0/24
###################################################
# Load Modules
insmod ip_tables
insmod ip_conntrack
insmod ip_conntrack_ftp
insmod ipt_state
insmod iptable_nat
insmod ipt_MASQUERADE
###################################################
# Delete all Rules in Filtertable
iptables -F
###################################################
# Define new chains
iptables -N BLOCK
iptables -N EXT-INT
iptables -N INT-EXT
iptables -N ICMP-DENY
iptables -N INT-IF
iptables -N EXT-IF
###################################################
iptables -A BLOCK -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A BLOCK -m state --state NEW -i ! $dev_world -j ACCEPT
iptables -A BLOCK -j DROP
iptables -A INPUT -j BLOCK
iptables -A FORWARD -j BLOCK
###################################################
# Point to chains
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i $dev_int -s $net_int -j INT-IF
iptables -A INPUT -d ! $addr_int -i $dev_world -s ! $net_int -j EXT-IF
iptables -A INPUT -j DROP
iptables -A FORWARD -d ! $net_int -i $dev_world -s $net_int -j INT-EXT
iptables -A FORWARD -d $net_int -i $dev_int -s ! $net_int -j EXT-INT
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j ACCEPT
###################################################
# Chain Rules
iptables -A EXT-INT -j DROP
iptables -A EXT-IF -i ! $dev_world -j DROP
iptables -A EXT-IF -p tcp --dport 22 -j ACCEPT
iptables -A EXT-IF -p tcp --dport 5901 -j ACCEPT
iptables -A EXT-IF -p tcp --dport 1024: -j ACCEPT
iptables -A EXT-IF -p udp --dport 1024: -j ACCEPT
iptables -A EXT-IF -j DROP
iptables -A INT-IF -j ACCEPT
###################################################
# NAT Rules
# Standard Routing
iptables -A POSTROUTING -t nat -o $dev_world -j MASQUERADE -s $net_int
# Port Forwarding
#iptables -A PREROUTING -t nat -p tcp -d 192.168.1.1 --dport 5901 --to 192.168.1.2:5901 -j DNAT
##################################################
# Enable IP-Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward)
Download (MB)
Added: 2007-02-14 License: GPL (GNU General Public License) Price:
985 downloads
narc 0.7
NARC is a free firewalling package for Netfilter/Iptables. more>>
NARC is a free firewalling package for Netfilter/Iptables. It attempts to simplify the setup of a firewall (stateful packet filter) via the iptables tools. NARC is a bash shellscript that generates sensible and secure rules for Netfilter based on a simple configuration file.
Netfilter is the framework in Linux 2.4 kernels that allow for firewalling, NAT, and packet mangling. Iptables is the userspace tools that works with the Netfilter framework (technically a lie; Iptables is also a part of the Netfilter framework in the kernel). Think of Netfilter as the kernel space, and Iptables as the userspace.
Main features:
- Quick setup via a simple configuration file
- Connection tracking (and fragmentation reassembly)
- Customized logging
- Probe detection (TCP & UDP)
- Illegal TCP packet filtering
- FIN, NULL, ACK scan detection
- ICMP message filtering and rate limiting
- SYN packet length checking
- General rate limiting (to prevent DoS type attacks)
- IP/network based TCP connection rate limiting
- SYN flood protection
- Smurf attack protection
- Spoofed IP address filtering
- DMZ support
- Port forwarding support
<<lessNetfilter is the framework in Linux 2.4 kernels that allow for firewalling, NAT, and packet mangling. Iptables is the userspace tools that works with the Netfilter framework (technically a lie; Iptables is also a part of the Netfilter framework in the kernel). Think of Netfilter as the kernel space, and Iptables as the userspace.
Main features:
- Quick setup via a simple configuration file
- Connection tracking (and fragmentation reassembly)
- Customized logging
- Probe detection (TCP & UDP)
- Illegal TCP packet filtering
- FIN, NULL, ACK scan detection
- ICMP message filtering and rate limiting
- SYN packet length checking
- General rate limiting (to prevent DoS type attacks)
- IP/network based TCP connection rate limiting
- SYN flood protection
- Smurf attack protection
- Spoofed IP address filtering
- DMZ support
- Port forwarding support
Download (0.018MB)
Added: 2006-07-07 License: BSD License Price:
698 downloads
Nuface 1.2.4
Nuface is a Web-based administration tool that generates Edenwall, NuFW, or simple Netfilter firewall rules. more>>
Nuface is a Web-based administration tool that generates Edenwall, NuFW, or simple Netfilter firewall rules.
Nuface project features a high level abstraction on the security policy set by the administrator, and works internally on an XML data scheme.
Its philosophy is to let you agglomerate subjects, resources, or protocols into meta-objects, and use those meta objects to generate ACLs, which are then interpreted as netfilter rules by Nupyf, the internal XML parser.
This tool may easily be extended to support firewall implementations other than Netfilter.
Enhancements:
- This release fixes a bug that would scramble destination NAT rules when deleting any other NAT rule.
- It adds an HTML href to linked objects so they can be directly edited.
<<lessNuface project features a high level abstraction on the security policy set by the administrator, and works internally on an XML data scheme.
Its philosophy is to let you agglomerate subjects, resources, or protocols into meta-objects, and use those meta objects to generate ACLs, which are then interpreted as netfilter rules by Nupyf, the internal XML parser.
This tool may easily be extended to support firewall implementations other than Netfilter.
Enhancements:
- This release fixes a bug that would scramble destination NAT rules when deleting any other NAT rule.
- It adds an HTML href to linked objects so they can be directly edited.
Download (0.44MB)
Added: 2007-07-05 License: GPL (GNU General Public License) Price:
845 downloads
oidentd 2.0.7
oidentd is an ident daemon with IP masq/NAT support and the ability to specify responses. more>>
oidentd is an RFC 1413 compliant ident daemon which runs on Linux, FreeBSD, NetBSD, Darwin, OpenBSD, and Solaris.
It can handle IP masqueraded/NAT connections on Linux, FreeBSD, NetBSD, and OpenBSD, and it has a flexible mechanism for specifying ident responses.
Users can be granted permission to specify their own ident responses. Responses can be specified according to host and port pairs.
Enhancements:
- Really fix the bug with random ident replies.
- Build fixes (specifically, for Solaris)
<<lessIt can handle IP masqueraded/NAT connections on Linux, FreeBSD, NetBSD, and OpenBSD, and it has a flexible mechanism for specifying ident responses.
Users can be granted permission to specify their own ident responses. Responses can be specified according to host and port pairs.
Enhancements:
- Really fix the bug with random ident replies.
- Build fixes (specifically, for Solaris)
Download (0.19MB)
Added: 2005-04-06 License: GPL (GNU General Public License) Price:
1668 downloads
Secleted [ 0 ] software to compare
Copyright Notice:
Software piracy is theft, Using crack, password, serial numbers, registration codes, key generators is illegal and prevent future software development. The above nat search only lists software in full, demo and trial versions for free download. Download links are directly from our mirror sites or publisher sites, torrent files or links from rapidshare.com, yousendit.com or megaupload.com are not allowed
