Hi all,
Sorry, I know this is covered on the net in various places, but I cannot seem to get what seems like straightforward stuff working, despite trying various different solutions. Below is an unfinished firewall script that is currently used in a test setup. I cannot, however, get port 9023 to port forward from the firewall to an internal box's IP address. When I used nmap it returns filtered? Any suggestions on what I'm missing here? In the test setup this box is providing NATted internet access.
I have marked the latest lines I have been attempting to use with !!! in the comment line. Please help, this is driving me insane :(
Thanks in advance
(Trying to forward port 9023 from interface eth6 to an IP attached to interface eth5). Ethernet name conventions below: MAIN and WAN.
#!/bin/sh

echo Flushing everything in the current setup
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
# The nat table has its own rule set; flush it too so re-running the script does not stack duplicate DNAT/MASQUERADE rules
iptables -t nat -F

echo Setup default policies to handle unmatched traffic to drop all traffic
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

echo Setup ethernet name conventions
export MAIN=eth5
export NET1=eth4
export NET2=eth0
export WAN=eth6
export LOOPBACK=lo
#export VPN=tap0
#export VPNBR=br0

export IPVPNMAIN=192.168.1.6
export IPVPNBRIDGE=192.168.1.7
export EXTERNALIP=xxx.yyy.zzz.ttt

echo Allowing incoming links from all network adapters to SSHD - Separate rules
iptables -A INPUT --protocol tcp --dport 10589 -i ${MAIN} -j ACCEPT
iptables -A INPUT --protocol tcp --dport 10589 -i ${NET1} -j ACCEPT
iptables -A INPUT --protocol tcp --dport 10589 -i ${NET2} -j ACCEPT
iptables -A INPUT --protocol tcp --dport 10589 -i ${WAN} -j ACCEPT

echo Open external port to be forwarded next, for OpenVPN SSH Remote Access
# Note: this INPUT rule only covers packets addressed to the firewall itself; DNATed packets traverse FORWARD, not INPUT
iptables -A INPUT --protocol tcp --dport 9023 -i ${WAN} -j ACCEPT

echo Allowing incoming links forwarded to VPN Machine for SSH Links
#iptables -t nat -A PREROUTING --protocol tcp --dport 9023 -j DNAT --to ${IPVPNMAIN}:9023

echo Setup Logging and destruction of Spoofed Internal packets, not created from external networks
iptables -A INPUT -j LOG -i ${MAIN} ! -s 192.168.1.0/24
iptables -A INPUT -j LOG -i ${NET1} ! -s 192.168.11.0/24
iptables -A INPUT -j LOG -i ${NET2} ! -s 192.168.12.0/24
iptables -A INPUT -j DROP -i ${MAIN} ! -s 192.168.1.0/24
iptables -A INPUT -j DROP -i ${NET1} ! -s 192.168.11.0/24
iptables -A INPUT -j DROP -i ${NET2} ! -s 192.168.12.0/24

echo Block packets from network addresses outside of the source address range - IP Spoofing
iptables -A INPUT -j LOG ! -i ${MAIN} -s 192.168.1.0/24
iptables -A INPUT -j LOG ! -i ${NET1} -s 192.168.11.0/24
iptables -A INPUT -j LOG ! -i ${NET2} -s 192.168.12.0/24
iptables -A INPUT -j DROP ! -i ${MAIN} -s 192.168.1.0/24
iptables -A INPUT -j DROP ! -i ${NET1} -s 192.168.11.0/24
iptables -A INPUT -j DROP ! -i ${NET2} -s 192.168.12.0/24

echo Protect loopback systems from IP Spoofing
# The negation goes before the option ("! -i"), not between the option and its value
iptables -A INPUT -j DROP ! -i ${LOOPBACK} -s 127.0.0.0/255.0.0.0

echo Allowing previously initiated and accepted exchanges bypass remaining rule checking
iptables -A INPUT -m state --state ESTABLISHED,RELATED -i ${WAN} ! -p icmp -j ACCEPT

echo Allow all connections from the localhost
iptables -A INPUT -j ACCEPT -i ${LOOPBACK}

echo Allowing connections to Squid Proxy Server from dialer networks
iptables -A INPUT --protocol tcp --dport 3128 -i ${NET1} -j ACCEPT
iptables -A INPUT --protocol tcp --dport 3128 -i ${NET2} -j ACCEPT

echo Allowing DNS Forwarder and Caching hosted by this server to be accessed by everyone but not WAN
iptables -A INPUT -p UDP --dport 53 -i ${MAIN} -j ACCEPT
iptables -A INPUT -p UDP --dport 53 -i ${NET1} -j ACCEPT
iptables -A INPUT -p UDP --dport 53 -i ${NET2} -j ACCEPT

echo Allow all connections from the Network Servers
iptables -A INPUT -s 192.168.1.5 -j ACCEPT
iptables -A INPUT -s 192.168.11.5 -j ACCEPT
iptables -A INPUT -s 192.168.12.5 -j ACCEPT

### NOTE NOT REQUIRED ALL OUTGOING ALLOWED ### -> To be corrected later
# echo Allow DNS Resolution
# iptables -A OUTPUT -o ${WAN} -p udp --destination-port 53 -m state --state NEW,ESTABLISHED -j ACCEPT
# iptables -A OUTPUT -o ${WAN} -p tcp --destination-port 53 -m state --state NEW,ESTABLISHED -j ACCEPT

echo Lock down system services to the main network only
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i ${MAIN} -j ACCEPT
iptables -A INPUT -p UDP --dport bootps ! -i ${MAIN} -j REJECT
iptables -A INPUT -p UDP --dport domain ! -i ${MAIN} -j REJECT

echo Dropping any other outside generated connections
iptables -A INPUT -m state --state NEW -i ${WAN} -j DROP

#echo Enabling IP Masq to enable NAT style internet IP Redirection Access
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE

# !!! THESE ARE ATTEMPTED PORT FORWARDING RULES CURRENTLY NOT WORKING : (
iptables -A FORWARD -i ${WAN} -o ${MAIN} -p tcp --dport 9023 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# This rule only fires if EXTERNALIP is exactly the address configured on ${WAN}; matching on "-i ${WAN}" instead avoids that dependency
iptables -A PREROUTING -t nat -p tcp -d ${EXTERNALIP} --dport 9023 -m state --state NEW,ESTABLISHED,RELATED -j DNAT --to ${IPVPNMAIN}:9023
# Hairpin SNAT for LAN clients that reach the forward via the external address: the source should be rewritten
# to the firewall's own address on ${MAIN}, not to the target host's address (the target's address is kept here as posted)
iptables -t nat -A POSTROUTING -d ${IPVPNMAIN} -s 192.168.1.0/24 -p tcp --dport 9023 -m state --state NEW,ESTABLISHED,RELATED -j SNAT --to ${IPVPNMAIN}
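An added diagnostic, not part of the original post or any project's code: a small Python checker that reads `iptables-save` output and reports why a DNAT port forward would fail. It checks the three things such a forward needs: a matching DNAT rule in nat/PREROUTING, a path through filter/FORWARD (DNATed packets never visit INPUT, so an INPUT ACCEPT for the port does nothing for them), and IP forwarding enabled in the kernel. The two rule sets embedded below are constructed for the example; the interface names and the 192.168.1.6 target follow the post, while 203.0.113.10 and 198.51.100.7 are documentation addresses standing in for the xxx.yyy.zzz.ttt placeholder. The `ip_forward` argument is assumed to come from reading `/proc/sys/net/ipv4/ip_forward`.

```python
import shlex

# Constructed iptables-save dump that should forward tcp/9023 on eth6 to 192.168.1.6.
WORKING_RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i eth6 -p tcp -m tcp --dport 9023 -j DNAT --to-destination 192.168.1.6:9023
-A POSTROUTING -o eth6 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth6 -o eth5 -p tcp -m tcp --dport 9023 -j ACCEPT
COMMIT
"""

# Constructed dump with the usual mistakes: DNAT keyed on a stale WAN address,
# FORWARD closed, and only an INPUT ACCEPT for the port (which forwarded traffic never sees).
BROKEN_RULESET = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -d 198.51.100.7/32 -p tcp -m tcp --dport 9023 -j DNAT --to-destination 192.168.1.6:9023
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i eth6 -p tcp -m tcp --dport 9023 -j ACCEPT
COMMIT
"""


def _rule_to_dict(tokens):
    """Map each option to its value; a preceding '!' is recorded as a ('!', value) tuple."""
    rule, negate, i = {}, False, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":
            negate, i = True, i + 1
            continue
        if tok.startswith("-"):
            has_value = i + 1 < len(tokens) and not tokens[i + 1].startswith("-")
            value = tokens[i + 1] if has_value else True
            rule[tok] = ("!", value) if negate else value
            negate = False
            i += 2 if has_value else 1
        else:
            i += 1
    return rule


def parse_iptables_save(text):
    """Parse iptables-save output into {table: {chain: {"policy": str, "rules": [dict]}}}."""
    tables, table = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {}
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            tables[table][name] = {"policy": policy, "rules": []}
        elif line.startswith("-A "):
            tokens = shlex.split(line)
            chain = tables[table].setdefault(tokens[1], {"policy": "-", "rules": []})
            chain["rules"].append(_rule_to_dict(tokens[2:]))
    return tables


def check_port_forward(save_text, wan_if, lan_if, ext_ip, port, target_ip, ip_forward=True):
    """Return the reasons tcp/port arriving on wan_if would not reach target_ip (empty list = looks fine)."""
    problems = []
    tables = parse_iptables_save(save_text)
    nat, filt = tables.get("nat", {}), tables.get("filter", {})

    dnat = [r for r in nat.get("PREROUTING", {}).get("rules", [])
            if r.get("-j") == "DNAT" and str(r.get("--dport")) == str(port)
            and str(r.get("--to-destination", "")).split(":")[0] == target_ip]
    if not dnat:
        problems.append(f"nat/PREROUTING: no DNAT rule sending tcp/{port} to {target_ip}")
    for r in dnat:
        dst = r.get("-d")
        if isinstance(dst, str) and dst.split("/")[0] != ext_ip:
            problems.append(f"nat/PREROUTING: DNAT matches -d {dst} but the WAN address is {ext_ip}, so it never fires")
        if r.get("-i") not in (None, wan_if):
            problems.append(f"nat/PREROUTING: DNAT is bound to {r['-i']}, not {wan_if}")

    fwd = filt.get("FORWARD", {"policy": "DROP", "rules": []})
    open_rule = any(
        r.get("-j") == "ACCEPT"
        and r.get("-i") in (None, wan_if) and r.get("-o") in (None, lan_if)
        and str(r.get("--dport", port)) == str(port)
        and ("--state" not in r or "NEW" in r["--state"])   # an ESTABLISHED-only rule does not admit the first packet
        for r in fwd["rules"])
    if fwd["policy"] != "ACCEPT" and not open_rule:
        problems.append(f"filter/FORWARD: policy {fwd['policy']} and no ACCEPT for tcp/{port} {wan_if}->{lan_if} "
                        "(INPUT rules do not apply to DNATed traffic)")
    if not ip_forward:
        problems.append("net.ipv4.ip_forward is 0: the kernel will not route the DNATed packets")
    return problems


if __name__ == "__main__":
    for name, ruleset in (("working", WORKING_RULESET), ("broken", BROKEN_RULESET)):
        print(name, check_port_forward(ruleset, "eth6", "eth5", "203.0.113.10", 9023, "192.168.1.6"))
```

On a real box, feed it `iptables-save` output and the value of `/proc/sys/net/ipv4/ip_forward`; an empty result narrows the search to things outside netfilter, such as the target host's own firewall or its default route not pointing back at this machine, which also produce "filtered" in nmap.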