This follows up on my previous mail.
My routing script:
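# Policy routing for a gateway with one LAN (eth0) and two uplinks:
# Hathway on eth2 and an ADSL/PPPoE link on eth1.  Three routing tables
# are created in addition to the default one; packets are steered into
# them by their source address (for the LAN, by destination).
#
# Every address is defined once so that the rule of a table
# ("from <our address>") and its route ("via <the ISP's router>") cannot
# drift apart, which is what had happened in the original: table 20 sent
# traffic "via" our own Hathway address, the ADSL rule re-used pref 20,
# and no "ip rule" line had the "add" verb.
LAN_NET=192.168.12.0/28
LAN_DEV=eth0

HATHWAY_IP=202.88.172.84     # our address on the Hathway link
HATHWAY_GW=202.88.172.1      # Hathway's router (from the original comment)
HATHWAY_NET=202.88.172.0/24
HATHWAY_DEV=eth2

# NOTE(review): the original comment described the ADSL side as
# "IP 192.168.13.1, gateway 192.168.13.2" while its commands used
# "from 192.168.13.2 ... via 192.168.13.1".  The commands are kept, since
# they are at least consistent with each other -- confirm which is right.
ADSL_IP=192.168.13.2         # our address towards the ADSL modem
ADSL_GW=192.168.13.1         # the modem
ADSL_NET=192.168.13.0/24
ADSL_DEV=eth1

#######################################
# Install the policy rules and the per-table routes, then flush the
# route cache so they take effect.
# Globals:   LAN_*, HATHWAY_*, ADSL_* (read)
# Arguments: none
# Returns:   status of the last ip(8) command
#######################################
setup_routing() {
  # Table 10: the private LAN behind the gateway.  Matched on the
  # destination and given the lowest preference so it is out of the way.
  ip rule add pref 10 to "$LAN_NET" table 10
  ip route add "$LAN_NET" table 10 dev "$LAN_DEV"

  # Table 20: packets that carry our Hathway address leave through
  # Hathway's router.  (The original pointed this default route at our
  # own address, which the kernel either rejects or which leads nowhere.)
  ip rule add pref 20 from "$HATHWAY_IP" table 20
  ip route add default table 20 via "$HATHWAY_GW"

  # Table 30: packets that carry our ADSL address leave through the modem.
  ip rule add pref 30 from "$ADSL_IP" table 30
  ip route add default table 30 via "$ADSL_GW"

  # The default table is used when none of the above matches.  Both
  # uplink networks are reachable directly ...
  # (The original note here -- about ISPs whose servers authenticate by
  # originating IP address -- broke off mid-sentence; presumably these
  # routes keep such traffic on its own link.  TODO: confirm.)
  ip route add "$ADSL_NET" dev "$ADSL_DEV"
  ip route add "$HATHWAY_NET" dev "$HATHWAY_DEV"

  # ... and new outbound flows are spread over both routers (ECMP).
  ip route add default nexthop via "$HATHWAY_GW" nexthop via "$ADSL_GW"

  # IMPORTANT: none of the commands above flushes the route cache.
  ip route flush cache
}

setup_routing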
My iptables script:
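#!/bin/sh
# iptables script generator: V0.1-2002
#
# Run without arguments to build the whole firewall (load modules, flush,
# install rules); run with -F to flush the tables only -- see the case
# statement at the bottom of the script.
#
# Forwarding is switched off while the rules are rebuilt; IpRuleSet turns
# it back on once the rule set is complete.  With -F it stays off.
echo 0 > /proc/sys/net/ipv4/ip_forward

# Site settings.  (The mail archive had doubled every single quote, as in
# ''eth0''; the plain quotes are restored here, the values are unchanged.)
# NOTE(review): LAN_IP_NET is a host address with a /24 mask -- presumably
# the network 192.168.1.0/24 is meant; confirm.
LAN_IP_NET='192.168.1.1/255.255.255.0'
LAN_NIC='eth0'
WAN_IP='203.1.1.xx'   # placeholder from the posting; not referenced below
WAN_NIC='eth1'        # not referenced below either: the rules name eth1/eth2 literally

# load some modules (if needed)
#LAN_NIC
#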
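LoadModuls()
{
  # Load the netfilter modules the rule set uses.  The original called
  # insmod on each bare module name, which only works with old modutils
  # and pulls in no dependencies (its insmod lines for ip_tables and
  # ip_conntrack were commented out); modprobe resolves the dependencies
  # and does nothing for a module that is already loaded.
  # iptable_nat was listed twice in the original and is loaded once.
  # NOTE(review): no rule in IpRuleSet uses "-m unclean" or "-j REJECT",
  # so ipt_unclean and ipt_REJECT are loaded but never exercised.
  for mod in iptable_filter iptable_nat ipt_MASQUERADE ipt_REJECT \
             ipt_limit ipt_state ipt_unclean; do
    modprobe "$mod"
  done
}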
##
#
FlushTable()
{
  # Empty the three NAT chains this script populates, then the whole
  # filter table, and (re)install the default policies: nothing reaches
  # the gateway or is forwarded unless a rule says so, while traffic the
  # gateway generates itself is allowed out.
  for nat_chain in POSTROUTING PREROUTING OUTPUT; do
    iptables -t nat -F "$nat_chain"
  done
  unset nat_chain   # plain sh: no 'local', so do not leave the loop variable behind
  iptables -F
  iptables -P INPUT   DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT  ACCEPT
}
##
#
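IpRuleSet()
{
  # Install the complete rule set.  Globals read: LAN_NIC, LAN_IP_NET
  # (WAN_IP and WAN_NIC, set at the top of the script, are not used: the
  # uplinks appear below as the literal interfaces eth1 and eth2).
  #
  # Changes against the original:
  #  * The "-i eth+" state rule on INPUT accepted NEW as well as
  #    ESTABLISHED,RELATED.  Every rule appended after it -- the NFS/portmap/
  #    lpd/X11 drops, the anti-spoofing list, the TCP-flag checks, the ICMP
  #    rate limit and the final DROP -- could therefore only see packets
  #    that conntrack classes as INVALID, and the gateway was in effect
  #    reachable on every port from both uplinks.  Only ESTABLISHED,RELATED
  #    is accepted there now; the services opened in _input_rules are the
  #    only way in.
  #  * The block of INPUT DROP rules for ports 2049/111/515/6000-6009/7100
  #    was present twice; it is emitted once.
  #  * $LAN_NIC / $LAN_IP_NET are quoted, and the LAN accept uses $LAN_NIC
  #    instead of the literal eth0 it is set to.
  #  * Forwarding is re-enabled after the last rule instead of part-way
  #    through (the FORWARD and nat rules were already complete at that
  #    point, so forwarded traffic sees the same rules either way).
  _nat_rules
  _forward_rules
  _input_rules
  _output_rules
  _enable_forwarding
}

# Masquerade everything that leaves through either uplink.
_nat_rules()
{
  iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
  iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
  # Alternative kept from the original: masquerade by source instead.
  #iptables -t nat -A POSTROUTING -s "$LAN_IP_NET" -j MASQUERADE
}

# What the gateway forwards between its interfaces.
_forward_rules()
{
  # Anything arriving on the LAN interface with a LAN source address.
  iptables -A FORWARD -i "$LAN_NIC" -s "$LAN_IP_NET" -j ACCEPT
  # Replies and related traffic of flows already accepted.  (The original
  # also had this rule restricted to "-o eth+" one line earlier; that is a
  # subset of this one and was dropped.)
  iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # NOTE(review): the next two rules accept NEW flows towards either uplink
  # regardless of where they came in, which makes the -i/-s check above
  # redundant and also lets traffic transit between eth1 and eth2.  Kept
  # as in the original -- confirm that this is intended.
  iptables -A FORWARD -o eth1 -j ACCEPT
  iptables -A FORWARD -o eth2 -j ACCEPT
}

# Traffic addressed to the gateway itself.  The policy is DROP and the
# chain ends in an explicit DROP, so only what is accepted here gets in.
_input_rules()
{
  # Services offered by the gateway.
  for p in 25 22 2525 24; do
    iptables -A INPUT -p tcp --dport "$p" -j ACCEPT
  done
  iptables -A INPUT -p udp --dport 53 -j ACCEPT
  # NOTE(review): accepting any UDP packet whose *source* port is 53 lets
  # a remote host reach every UDP port on the gateway simply by sending
  # from port 53; genuine DNS replies are already covered by the
  # ESTABLISHED,RELATED rule below.  Kept from the original -- consider
  # removing it.
  iptables -A INPUT -p udp --sport 53 -j ACCEPT

  # Services that must stay local: NFS (2049), X11 (6000-6009), X font
  # server (7100), lpd (515), portmap (111).  The original's "-s 0/0 -d 0/0"
  # matched everything and is omitted.
  for p in 2049 6000:6009 7100 515 111; do
    iptables -A INPUT -p tcp --dport "$p" -j DROP
  done
  for p in 2049 515 111; do
    iptables -A INPUT -p udp --dport "$p" -j DROP
  done

  # Replies to connections the gateway opened itself.  Deliberately
  # without NEW (see the IpRuleSet header).
  iptables -A INPUT -i eth+ -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p udp --sport 137 --dport 137 -j DROP

  iptables -A INPUT -i lo -j ACCEPT
  iptables -A INPUT -i "$LAN_NIC" -j ACCEPT

  # ICMP: let echo replies, unreachables and time-exceeded through,
  # rate-limit echo requests, drop the rest.
  iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
  iptables -A INPUT -p icmp -j DROP

  # Sources that must never show up on eth1.  Position kept from the
  # original, i.e. after the state accept above.
  # NOTE(review): only 192.168.0.0/24 of the 192.168/16 block is listed;
  # the ADSL modem on eth1 is itself on 192.168.13.x according to the
  # accompanying routing script, so the whole block cannot be dropped here.
  for src in 66.14.136.144/32 66.14.136.145/32 66.14.136.146/32 \
             66.14.136.147/32 66.14.136.148/32 192.168.0.0/24 127.0.0.0/8; do
    iptables -A INPUT -i eth1 -s "$src" -j DROP
  done

  # Impossible TCP flag combinations.
  iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
  iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
  iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

  iptables -A INPUT -j DROP
}

# Traffic generated by the gateway.  The policy is ACCEPT; these rules
# only block a list of destination ports on eth1.
_output_rules()
{
  iptables -A OUTPUT -p tcp --dport 53 -j ACCEPT
  iptables -A OUTPUT -p udp --dport 53 -j ACCEPT
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  # New connections may leave freely on anything but eth1; on eth1 they
  # fall through to the port blocks below and then to the ACCEPT policy.
  iptables -A OUTPUT -o ! eth1 -m state --state NEW -j ACCEPT
  iptables -A OUTPUT -m state --state INVALID -j DROP
  # Ports blocked outbound on eth1, as listed in the original.
  for p in 31337 31335 20034 137:139 1433 5432 5999 6063 5900:5910 \
           5010 5000:5001 5100; do
    iptables -A OUTPUT -o eth1 -p tcp --dport "$p" -j DROP
  done
  iptables -A OUTPUT -o eth1 -p udp --dport 5000:5010 -j DROP
}

# Forwarding is switched off at the top of the script while the rules
# are rebuilt; turn it back on now that the rule set is complete.
_enable_forwarding()
{
  echo 1 > /proc/sys/net/ipv4/ip_forward
}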
case "$1" in
"")
LoadModuls
FlushTable
IpRuleSet
;;
-F)
FlushTable
;;
esac