Firewall - CVP: Difference between revisions
No edit summary |
No edit summary |
||
(3 intermediate revisions by one other user not shown) | |||
Line 1: | Line 1: | ||
[[Category:Linux]] |
|||
<pre> |
<pre> |
||
#!/bin/sh |
#!/bin/sh |
||
Line 47: | Line 45: | ||
# Mail |
# Mail |
||
$IPT -t nat -A PREROUTING -p tcp -d $IP2 --dport 25 -j DNAT --to-destination xxx:25 |
$IPT -t nat -A PREROUTING -p tcp -d $IP2 --dport 25 -j DNAT --to-destination xxx:25 |
||
# Accepter forbindelser der er etableret og relateret |
|||
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT |
|||
# NAT disse net |
|||
$IPT -t nat -A POSTROUTING -s xxx/24 -j MASQUERADE |
|||
# Tillad forbindelser der er bliver etableret, er etableret og relateret |
|||
$IPT -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT |
|||
# Reenable forward |
|||
echo 1 > /proc/sys/net/ipv4/ip_forward |
|||
</pre> |
|||
<pre> |
|||
## Add default routes |
|||
route add default gw 192.168.1.254 eth0 |
|||
</pre> |
</pre> |
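Review bot: The added `$IPT -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT` accepts new forwarded connections arriving on every interface, so the FORWARD DROP policy set earlier in the script (outside this hunk) only ever drops INVALID packets and the SMTP DNAT added above it is not what limits inbound access to the inside. Since the script header names eth3 as the inside, the intent is presumably `$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT` followed by `$IPT -A FORWARD -m state --state NEW -i eth3 -j ACCEPT`, plus one explicit FORWARD accept for the DNAT target on port 25. The MASQUERADE rule `-s xxx/24` carries no `-o` outside interface, so it also rewrites packets leaving on the inside interface; `-o eth0` is probably what is meant. The added INPUT ESTABLISHED,RELATED rule sits after all the NEW rules, so the flush at the top of the script breaks an existing admin ssh session until this point is reached; placing it directly after the policies changes no verdict (every earlier INPUT rule is an ACCEPT) and keeps the session alive.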
Latest revision as of 19:46, 12 March 2011
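#!/bin/sh
# Firewall / NAT ruleset for the CVP gateway (iptables, POSIX sh).
#
# Interfaces (from the original author's note): eth0 is the outside
# (default GW), eth1 is the extra outside from "3" (.91), eth2 is the old
# TDC outside, eth3 is the inside.
#
# Globals written: /proc/sys/net/ipv4/tcp_timestamps, /proc/sys/net/ipv4/ip_forward,
# the filter/nat/mangle tables of iptables, and the kernel routing table.
#
# Fail closed: forwarding is disabled first and only re-enabled at the very
# end, so if any command below fails the script aborts with forwarding still
# off instead of routing through a half-applied ruleset.
set -e

# Disable TCP timestamps (author's note: hampers OS fingerprinting) and stop
# forwarding while the tables are rebuilt.
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
echo 0 > /proc/sys/net/ipv4/ip_forward

IPT=/sbin/iptables
IP0=80.251.198.92   # not referenced by any rule below
IP1=80.251.198.91   # not referenced by any rule below
IP2=xxx             # placeholder: public address the SMTP DNAT matches on
IP3=xxx             # placeholder, not referenced by any rule below

# Flush every chain and delete user-defined chains in each table.
for tbl in filter nat mangle; do
  "$IPT" -t "$tbl" -F
  "$IPT" -t "$tbl" -X
done

# Default policies.
"$IPT" -P INPUT DROP     ## ACCEPT while testing
"$IPT" -P FORWARD DROP   ## ACCEPT while testing
"$IPT" -P OUTPUT ACCEPT

# Accept packets of already established / related connections first, so an
# existing admin session (e.g. the ssh session running this script) survives
# the flush above.  Every other INPUT rule below is also an ACCEPT, so moving
# this rule ahead of them changes no verdict.
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# New connections - accepted per interface.
# NOTE(review): the original comment reads "block new connections - except
# from the inside interface", but the rules admit NEW connections on the
# outside interfaces eth0/eth1; confirm this is only the "testing" state.
"$IPT" -A INPUT -m state --state NEW -i eth1 -j ACCEPT
"$IPT" -A INPUT -m state --state NEW -i eth0 -j ACCEPT
"$IPT" -A INPUT -m state --state NEW -i lo -j ACCEPT

# Allow ping through the firewall (FORWARD chain).
"$IPT" -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
# Allow ping of the firewall itself (INPUT chain).
"$IPT" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Webmin + ssh, only from the admin host.
"$IPT" -A INPUT -m state --state NEW -s 212.37.141.188 -p tcp --dport 22 -j ACCEPT
"$IPT" -A INPUT -m state --state NEW -s 212.37.141.188 -p tcp --dport 10000 -j ACCEPT

## NAT rules

# Mail: redirect inbound SMTP on $IP2 to the internal mail host (placeholder xxx).
"$IPT" -t nat -A PREROUTING -p tcp -d "$IP2" --dport 25 -j DNAT --to-destination xxx:25

# Masquerade these networks (placeholder xxx/24).
# NOTE(review): no "-o <outside interface>" is given, so this applies to
# packets leaving on every interface, including the inside one - confirm.
"$IPT" -t nat -A POSTROUTING -s xxx/24 -j MASQUERADE

# Allow connections being established, established and related to be forwarded.
# NOTE(review): NEW is accepted from every interface, so the FORWARD DROP
# policy only rejects INVALID packets; restrict NEW to "-i eth3" (the inside)
# once testing is over.
"$IPT" -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Re-enable forwarding now that the complete ruleset is in place.
echo 1 > /proc/sys/net/ipv4/ip_forward

## Add default routes
route add default gw 192.168.1.254 eth0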