[ale] iptables

Dean dean777 at bellsouth.net
Thu Jan 10 13:39:00 EST 2002 







<span style='font-size:10.0pt;
font-family:Arial'>Hello,

<span style='font-size:10.0pt;
font-family:Arial'> 

<span style='font-size:10.0pt;
font-family:Arial'>I’m trying to set up NAT for a network I have.<span
style='mso-spacerun:yes'>  I have 7 servers configured with fictitious
IP addresses and I’m using NAT on the firewall in order to access these
servers using public addresses via the internet. For instance I would like to
SSH to the servers from the internet using the public addresses. I have
attached the script that I have built … it has worked on another network
environment but for some reason it is not currently working on this
environment. Can someone take a look at the script when you get a chance?

<span style='font-size:10.0pt;
font-family:Arial'> 

<span style='font-size:10.0pt;
font-family:Arial'>Thanks… Dean

<span style='font-size:10.0pt;
font-family:Arial'> 

<span style='font-size:10.0pt;
font-family:Arial'> 







#
# this script is stored in a file called "build-firewall"
# execute this script from /etc/rc.d/rc.local, i.e.,
# place the command "/root/build-firewall" near the end of rc.local # note: the user must enable iptables # 
# build the private to public nat table # 
/sbin/iptables -t nat -A POSTROUTING -s 10.100.15.1  -o eth0 -j SNAT --to 66.35. 144.111 
/sbin/iptables -t nat -A POSTROUTING -s 10.100.15.2  -o eth0 -j SNAT --to 66.35. 144.112 
/sbin/iptables -t nat -A POSTROUTING -s 10.106.15.3  -o eth0 -j SNAT --to 66.35. 144.113 
/sbin/iptables -t nat -A POSTROUTING -s 10.100.15.4  -o eth0 -j SNAT --to 66.35. 144.114 
/sbin/iptables -t nat -A POSTROUTING -s 10.100.15.5  -o eth0 -j SNAT --to 66.35. 144.115 
/sbin/iptables -t nat -A POSTROUTING -s 10.100.15.6  -o eth0 -j SNAT --to 66.35. 144.116 
/sbin/iptables -t nat -A POSTROUTING -s 10.100.15.13 -o eth0 -j SNAT --to 66.35. 144.117 
/sbin/iptables -t nat -A POSTROUTING -s 10.100.15.14 -o eth0 -j SNAT --to 66.35. 144.118 

# # build the public to private nat table # 
/sbin/iptables -t nat -A PREROUTING -d 66.35.144.111 -i eth0 -j DNAT --to 10.100 .15.1 
/sbin/iptables -t nat -A PREROUTING -d 66.35.144.112 -i eth0 -j DNAT --to 10.100 .15.2 
/sbin/iptables -t nat -A PREROUTING -d 66.35.144.113 -i eth0 -j DNAT --to 10.100 .15.3 
/sbin/iptables -t nat -A PREROUTING -d 66.35.144.114 -i eth0 -j DNAT --to 10.100 .15.4 
/sbin/iptables -t nat -A PREROUTING -d 66.35.144.115 -i eth0 -j DNAT --to 10.100 .15.5 
/sbin/iptables -t nat -A PREROUTING -d 66.35.144.116 -i eth0 -j DNAT --to 10.100 .15.6 
/sbin/iptables -t nat -A PREROUTING -d 66.35.144.117 -i eth0 -j DNAT --to 10.100 .15.13 
/sbin/iptables -t nat -A PREROUTING -d 66.35.144.118 -i eth0 -j DNAT --to 10.100 .15.14 

# # build the pinholes for allowing certain protocols through the firewall 
# # forward ssh through the firewall
/sbin/iptables -A FORWARD -s 0/0 -p tcp --dport 22:22     -j ACCEPT
/sbin/iptables -A FORWARD -s 0/0 -p tcp --sport 22:22     -j ACCEPT
#
# forward ftp through the firewall
/sbin/iptables -A FORWARD -s 0/0 -p tcp --dsport 21:21    -j ACCEPT
/sbin/iptables -A FORWARD -s 0/0 -p tcp --sport 21:21     -j ACCEPT
#
#
/sbin/iptables -A FORWARD -s 0/0 -p tcp --dport 23:23     -j ACCEPT
/sbin/iptables -A FORWARD -s 0/0 -p tcp --sport 23:23     -j ACCEPT
#
# forward http through the firewall
/sbin/iptables -A FORWARD -s 0/0 -p tcp --dport 80:80     -j ACCEPT
/sbin/iptables -A FORWARD -s 0/0 -p tcp --sport 80:80     -j ACCEPT
#
# forward ntp through the firewall
/sbin/iptables -A FORWARD -s 0/0 -p tcp --dport 123:123   -j ACCEPT
/sbin/iptables -A FORWARD -s 0/0 -p tcp --sport 123:123   -j ACCEPT
#
# forward backup ssh through the firewall
/sbin/iptables -A FORWARD -s 0/0 -p tcp --dport 222:222   -j ACCEPT
/sbin/iptables -A FORWARD -s 0/0 -p tcp --sport 222:222   -j ACCEPT
#
# forward network genomics through the firewall
/sbin/iptables -A FORWARD -s 0/0 -p tcp --dport 3200:3201 -j ACCEPT 
/sbin/iptables -A FORWARD -s 0/0 -p tcp --sport 3200:3201 -j ACCEPT 

# # forward vnc through the firewall 
/sbin/iptables -A FORWARD -s 0/0 -p tcp --dport 5900:5900 -j ACCEPT 
/sbin/iptables -A FORWARD -s 0/0 -p tcp --sport 5900:5900 -j ACCEPT 
# # establish pinholes on the firewall for remote management 

# # accept ssh on the firewall
/sbin/iptables -A INPUT   -s 0/0 -p tcp --dport 22:22     -j ACCEPT
/sbin/iptables -A INPUT   -s 0/0 -p tcp --sport 22:22     -j ACCEPT
#
/sbin/iptables -A INPUT   -s 0/0 -p tcp --dport 23:23     -j ACCEPT
/sbin/iptables -A INPUT   -s 0/0 -p tcp --sport 23:23     -j ACCEPT
#
# accept backup ssh on the firewall
/sbin/iptables -A INPUT   -s 0/0 -p tcp --dport 222:222   -j ACCEPT
/sbin/iptables -A INPUT   -s 0/0 -p tcp --sport 222:222   -j ACCEPT
#
# accept ftp on the firewall
/sbin/iptables -A INPUT   -s 0/0 -p tcp --dport 21:21     -j ACCEPT
/sbin/iptables -A INPUT   -s 0/0 -p tcp --sport 21:21     -j ACCEPT
#
# stop all the other tcp traffic
#
/sbin/iptables -A FORWARD -s 0/0 -p tcp -j DROP
/sbin/iptables -A INPUT -s 0/0 -p tcp -j DROP
#
#use ip aliasing to make the public interface of the firewall 
#respond to arps for the public ip addresses of the private computers
#
#
/sbin/ip address add 66.35.144.111 dev eth0
/sbin/ip address add 66.35.144.112 dev eth0
/sbin/ip address add 66.35.144.113 dev eth0
/sbin/ip address add 66.35.144.114 dev eth0
/sbin/ip address add 66.35.144.115 dev eth0
/sbin/ip address add 66.35.144.116 dev eth0
/sbin/ip address add 66.35.144.117 dev eth0
/sbin/ip address add 66.35.144.118 dev eth0
#
#
# enable ip packet forwarding
#
echo 1 > /proc/sys/net/ip4/ip_forward
#
#





---
This message has been sent through the ALE general discussion list.
See http://www.ale.org/mailing-lists.shtml for more info. Problems should be 
sent to listmaster at ale dot org.

More information about the Ale mailing list