your script is too long , so do not expect me to read it
however, if you would like to forward mail via 2nd link, you should:
1. add default route via link1
2. add rule : ip rule add prio 30 fwmark 0x990 lookup link2
3. create table link2: ip route add table link2 ...
4. mark mail pkts with 990 : iptables -t mangle -A PREROUTING -p udp
--dport 25 -j MARK --set-mark 0x990
or somthing similiar
hth,
erez.
On 3/14/06, asbaeza@catsanet.com.mx <asbaeza@catsanet.com.mx>
wrote:> Hi there.
>
> I have followed some documents found here and there, but do not have
> already success implementing a script using iptables and iproute.
>
> What I need is to send all traffic trough an ADSL line, but mail trough an
> expensive and slow DS0. The mail server lies on the PC acting also as
> firewall. I include the script. When using that I get some error messages
> (I found that the flush command really flushes all, not only routes, but
> interfaces too) or, changing it a little, all the traffic goes trough the
> ADSL but mail does not go though the DS0 link.
>
> I think there is some subtle error, but this is my first experience with
> iproute and I am lost.
>
> If someone could help I would really appreciate it.
>
> By the way, I am using Debian Sarge, with kernel 2.6.8-2-386, iptables
> 1.2.11-10, iproute 20041019-3
>
> Thanks in advice.
>
> Follows the script:
> _________________________________________________________________
>
> #!/bin/sh
> #
> # rc.firewall-2.4-stronger
> #
> FWVER=0.81s
>
> # An example of a stronger IPTABLES firewall with IP Masquerade
> # support for 2.6.x kernels.
> #
> # Log:
> #
> # 0.81s - Added some mangled and ip2route rules
> # 0.80s - Added a DISABLED ip_nat_irc kernel module section, changed the
> # default of the ip_conntrack_irc to NOT load by default, and
> # added additional kernel module comments
> # 0.79s - ruleset now uses modprobe instead of insmod
> # 0.78s - REJECT is not a legal policy yet; back to DROP
> # 0.77s - Changed the default block behavior to REJECT not DROP
> # 0.76s - Added a comment about the OPTIONAL WWW ruleset and a comment
> # where to put optional PORTFW commands
> # 0.75s - Added clarification that PPPoE users need to use
> # "ppp0" instead of "eth0" for their external
interface
> # 0.74s - Changed the EXTIP command to work on NON-English distros
> # 0.73s - Added comments in the output section that DHCPd is optional
> # and changed the default settings to disabled
> # 0.72s - Changed the filter from the INTNET to the INTIP to be
> # stateful; moved the command VARs to the top and made the
> # rest of the script to use them
> # 0.70s - Added a disabled examples for allowing internal DHCP
> # and external WWW access to the server
> # 0.63s - Added support for the IRC module
> # 0.62s - Initial version based upon the basic 2.4.x rc.firewall
>
>
> echo -e "\nLoading STRONGER rc.firewall - version $FWVER..\n"
>
>
> # The location of various iptables and other shell programs
> #
> # If your Linux distribution came with a copy of iptables, most
> # likely it is located in /sbin. If you manually compiled
> # iptables, the default location is in /usr/local/sbin
> #
> # ** Please use the "whereis iptables" command to figure out
> # ** where your copy is and change the path below to reflect
> # ** your setup
> #
> IPTABLES=/sbin/iptables
> LSMOD=/sbin/lsmod
> DEPMOD=/sbin/depmod
> MODPROBE=/sbin/modprobe
> GREP=/bin/grep
> AWK=/usr/bin/awk
> SED=/bin/sed
> IFCONFIG=/sbin/ifconfig
>
>
> #Setting the EXTERNAL and INTERNAL interfaces for the network
> #
> # Each IP Masquerade network needs to have at least one
> # external and one internal network. The external network
> # is where the natting will occur and the internal network
> # should preferably be addressed with a RFC1918 private address
> # scheme.
> #
> # For this example, "eth0" is external and "eth1" is
internal"
> #
> # NOTE: If this doesnt EXACTLY fit your configuration, you must
> # change the EXTIF or INTIF variables above. For example:
> #
> # If you are a PPPoE or analog modem user:
> #
> # EXTIF="ppp0"
> #
> IFDS0="eth1"
> IFADSL="eth2"
> IFLAN="eth0"
> echo " External Interfaces: $IFDS0,$IFADSL"
> echo " Internal Interface: $IFLAN"
> echo " ---"
>
> # Specify your Static IP address here or let the script take care of it
> # for you.
> #
> # If you prefer to use STATIC addresses in your firewalls, un-# out the
> # static example below and # out the dynamic line. If you don''t
care,
> # just leave this section alone.
> #
> # If you have a DYNAMIC IP address, the ruleset already takes care of
> # this for you. Please note that the different single and double quote
> # characters and the script MATTER.
> #
> #
> # DHCP users:
> # -----------
> # If you get your TCP/IP address via DHCP, **you will need ** to enable
the
> # #ed out command below underneath the PPP section AND replace the word
> # "eth0" with the name of your EXTERNAL Internet connection
(ppp0, ippp0,
> # etc) on the lines for "ppp-ip" and "extip". You
should also note that
> the
> # DHCP server can and will change IP addresses on you. To deal with
this,
> # users should configure their DHCP client to re-run the rc.firewall
> ruleset
> # everytime the DHCP lease is renewed.
> #
> # NOTE #1: Some DHCP clients like the original "pump" (the
newer
> # versions have been fixed) did NOT have the ability to run
> # scripts after a lease-renew. Because of this, you need to
> # replace it with something like "dhcpcd" or
"dhclient".
> #
> # NOTE #2: The syntax for "dhcpcd" has changed in recent
versions.
> #
> # Older versions used syntax like:
> # dhcpcd -c /etc/rc.d/rc.firewall eth0
> #
> # Newer versions execute a file called
> /etc/dhcpc/dhcpcd-eth0.exe
> #
> # NOTE #3: For Pump users, put the following line in /etc/pump.conf:
> #
> # script /etc/rc.d/rc.firewall
> #
> # PPP users:
> # ----------
> # If you aren''t already aware, the /etc/ppp/ip-up script is
always run when
> # a PPP connection comes up. Because of this, we can make the ruleset
> go and
> # get the new PPP IP address and update the strong firewall ruleset.
> #
> # If the /etc/ppp/ip-up file already exists, you should edit it and add
> a line
> # containing "/etc/rc.d/rc.firewall" near the end of the file.
> #
> # If you don''t already have a /etc/ppp/ip-up sccript, you need
to create
> the
> # following link to run the /etc/rc.d/rc.firewall script.
> #
> # ln -s /etc/rc.d/rc.firewall /etc/ppp/ip-up
> #
> # * You then want to enable the #ed out shell command below *
> #
> #
> # Determine the external IP automatically:
> # ----------------------------------------
> #
> # The following line will determine your external IP address. This
> # line is somewhat complex and confusing but it will also work for
> # all NON-English Linux distributions:
> #
> #EXTIP1="`$IFCONFIG $EXTIF1 | $AWK \
> # /$EXTIF1/''{next}//{split($0,a,":");split(a[2],a,"
");print a[1];exit}''`"
>
>
> # For users who wish to use STATIC IP addresses:
> #
> # # out the EXTIP line above and un-# out the EXTIP line below
> #
> IPDS0="200.36.148.163"
> NETDS0="200.36.148.160/27"
> GWDS0="200.36.148.161"
> IPADSL="172.16.0.49"
> NETADSL="172.16.0.0/16"
> GWADSL="172.16.0.1"
> echo " External IP1: $IPDS0"
> echo " External IP2: $IPADSL"
> echo " ---"
>
> # Assign the internal TCP/IP network and IP address
> NETLAN="10.0.0.0/8"
> IPLAN="10.1.200.49/8"
> echo " Internal Network: $NETLAN"
> echo " Internal IP: $IPLAN"
> echo " ---"
>
> # Setting a few other local variables
> #
> UNIVERSE="0.0.0.0/0"
> localnet="128.0.0.0/8"
>
>
> # Building routes
> # Flush all
> #ip route flush default
> #ip route flush all
> #ip link set $IFLAN up
> #ip link set $IFDS0 up
> #ip link set $IFADSL up
> #ip link set lo up
> /etc/init.d/ruteo
>
>
> # Build general routes
> ip route add $localnet dev lo
> ip route add $NETLAN dev $IFLAN
> ip route add $IPDS0 dev $IFDS0 src $IPDS0
> ip route add $IPADSL dev $IFADSL src $IPADSL
> echo 211 TDS0 >> /etc/iproute2/rt_tables
> ip route add $NETDS0 dev $IFDS0 src $IPDS0 table TDS0
> ip route add default via $GWDS0 table TDS0
> echo 212 TADSL >> /etc/iproute2/rt_tables
> ip route add $NETADSL dev $IFADSL src $IPADSL table TADSL
> #ip route add default via $GWADSL table TADSL
> #echo "# Routing mail packets"
> #$IPTABLES -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 1
> #ip rule add fwmark 1 table TDS0
> #ip route add default via $GWADSL
> ip route add from $IPDS0 table TDS0
> ip route add from $IPADSL table TADSL
>
> ip route add $NETLAN dev $IFLAN table TDS0
> ip route add $NETADSL dev $IFADSL table TDS0
> ip route add $localnet dev lo table TDS0
>
> ip route add $NETLAN dev $IFLAN table TADSL
> ip route add $NETDS0 dev $IFDS0 table TADSL
> ip route add $localnet dev lo table TADSL
>
> #=====================================================================>
#== No editing beyond this line is required for initial MASQ testing =>
> # Need to verify that all modules have all required dependencies
> #
> echo " - Verifying that all kernel modules are ok"
> $DEPMOD -a
>
> echo -en " Loading kernel modules: "
>
> # With the new IPTABLES code, the core MASQ functionality is now either
> # modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
> # options as MODULES. If your kernel is compiled correctly, there is
> # NO need to load the kernel modules manually.
> #
> # NOTE: The following items are listed ONLY for informational reasons.
> # There is no reason to manual load these modules unless your
> # kernel is either mis-configured or you intentionally disabled
> # the kernel module autoloader.
> #
>
> # Upon the commands of starting up IP Masq on the server, the
> # following kernel modules will be automatically loaded:
> #
> # NOTE: Only load the IP MASQ modules you need. All current IP MASQ
> # modules are shown below but are commented out from loading.
> # ==============================================================>
> #Load the main body of the IPTABLES module - "ip_tables"
> # - Loaded automatically when the "iptables" command is invoked
> #
> # - Loaded manually to clean up kernel auto-loading timing issues
> #
> echo -en "ip_tables, "
> #
> #Verify the module isn''t loaded. If it is, skip it
> #
> if [ -z "` $LSMOD | $GREP ip_tables | $AWK {''print
$1''} `" ]; then
> $MODPROBE ip_tables
> fi
>
>
> #Load the IPTABLES filtering module - "iptable_filter"
> #
> # - Loaded automatically when filter policies are activated
>
>
> #Load the stateful connection tracking framework - "ip_conntrack"
> #
> # The conntrack module in itself does nothing without other specific
> # conntrack modules being loaded afterwards such as the
"ip_conntrack_ftp"
> # module
> #
> # - This module is loaded automatically when MASQ functionality is
> # enabled
> #
> # - Loaded manually to clean up kernel auto-loading timing issues
> #
> echo -en "ip_conntrack, "
> #
> #Verify the module isn''t loaded. If it is, skip it
> #
> if [ -z "` $LSMOD | $GREP ip_conntrack | $AWK {''print
$1''} `" ]; then
> $MODPROBE ip_conntrack
> fi
>
>
> #Load the FTP tracking mechanism for full FTP tracking
> #
> # Enabled by default -- insert a "#" on the next line to
deactivate
> #
> echo -e "ip_conntrack_ftp, "
> #
> #Verify the module isn''t loaded. If it is, skip it
> #
> if [ -z "` $LSMOD | $GREP ip_conntrack_ftp | $AWK {''print
$1''} `" ]; then
> $MODPROBE ip_conntrack_ftp
> fi
>
>
> #Load the IRC tracking mechanism for full IRC tracking
> #
> # Disabled by default -- insert a "#" on the next few lines to
activate
> #
> # echo -en " ip_conntrack_irc, "
> #
> #Verify the module isn''t loaded. If it is, skip it
> #
> # if [ -z "` $LSMOD | $GREP ip_conntrack_irc | $AWK {''print
$1''} `" ]; then
> # $MODPROBE ip_conntrack_irc
> # fi
>
>
> #Load the general IPTABLES NAT code - "iptable_nat"
> # - Loaded automatically when MASQ functionality is turned on
> #
> # - Loaded manually to clean up kernel auto-loading timing issues
> #
> echo -en "iptable_nat, "
> #
> #Verify the module isn''t loaded. If it is, skip it
> #
> if [ -z "` $LSMOD | $GREP iptable_nat | $AWK {''print
$1''} `" ]; then
> $MODPROBE iptable_nat
> fi
>
>
> #Loads the FTP NAT functionality into the core IPTABLES code
> # Required to support non-PASV FTP.
> #
> # Enabled by default -- insert a "#" on the next line to
deactivate
> #
> echo -e "ip_nat_ftp"
> #
> #Verify the module isn''t loaded. If it is, skip it
> #
> if [ -z "` $LSMOD | $GREP ip_nat_ftp | $AWK {''print
$1''} `" ]; then
> $MODPROBE ip_nat_ftp
> fi
>
>
> #Loads the IRC NAT functionality (for DCC) into the core IPTABLES code
> #
> # DISABLED by default -- delete the "#" on the next few lines to
activate
> #
> # echo -e "ip_nat_irc"
> #
> #Verify the module isn''t loaded. If it is, skip it
> #
> # if [ -z "` $LSMOD | $GREP ip_nat_irc | $AWK {''print
$1''} `" ]; then
> # $MODPROBE ip_nat_irc
> # fi
>
>
> echo " ---"
>
> # Just to be complete, here is a partial list of some of the other
> # IPTABLES kernel modules and their function. Please note that most
> # of these modules (the ipt ones) are automatically loaded by the
> # master kernel module for proper operation and don''t need to be
> # manually loaded.
> # --------------------------------------------------------------------
> #
> # ip_nat_snmp_basic - this module allows for proper NATing of some
> # SNMP traffic
> #
> # iptable_mangle - this target allows for packets to be
> # manipulated for things like the TCPMSS
> # option, etc.
> #
> # --
> #
> # ipt_mark - this target marks a given packet for future action.
> # This automatically loads the ipt_MARK module
> #
> # ipt_tcpmss - this target allows to manipulate the TCP MSS
> # option for braindead remote firewalls.
> # This automatically loads the ipt_TCPMSS module
> #
> # ipt_limit - this target allows for packets to be limited to
> # to many hits per sec/min/hr
> #
> # ipt_multiport - this match allows for targets within a range
> # of port numbers vs. listing each port individually
> #
> # ipt_state - this match allows to catch packets with various
> # IP and TCP flags set/unset
> #
> # ipt_unclean - this match allows to catch packets that have invalid
> # IP/TCP flags set
> #
> # iptable_filter - this module allows for packets to be DROPped,
> # REJECTed, or LOGged. This module automatically
> # loads the following modules:
> #
> # ipt_LOG - this target allows for packets to be
> # logged
> #
> # ipt_REJECT - this target DROPs the packet and returns
> # a configurable ICMP packet back to the
> # sender.
>
>
> #CRITICAL: Enable IP forwarding since it is disabled by default since
> #
> # Redhat Users: you may try changing the options in
> # /etc/sysconfig/network from:
> #
> # FORWARD_IPV4=false
> # to
> # FORWARD_IPV4=true
> #
> echo " Enabling forwarding.."
> echo "1" > /proc/sys/net/ipv4/ip_forward
>
>
> # Dynamic IP users:
> #
> # If you get your IP address dynamically from SLIP, PPP, or DHCP,
> # enable the following option. This enables dynamic-address hacking
> # which makes the life with Diald and similar programs much easier.
> #
> #echo " Enabling DynamicAddr.."
> #echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>
> #echo " ---"
>
>
#############################################################################
> #
> # Enable Stronger IP forwarding and Masquerading
> #
> # NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or
SNAT.
> #
> # NOTE #2: The following is an example for an internal LAN address in the
> # 192.168.1.x network with a 255.255.255.0 or a "24"
bit subnet
> # mask connecting to the Internet on external interface
"eth0".
> # This example will MASQ internal traffic out to the Internet
> # but not allow non-initiated traffic into your internal
network.
> #
> #
> # ** Please change the above network numbers, subnet mask, and your
> # *** Internet connection interface name to match your setup
> #
>
> #Clearing any previous configuration
> #
> # Unless specified, the defaults for INPUT, OUTPUT, and FORWARD to DROP
> #
> # You CANNOT change this to REJECT as it isn''t a vaild policy
setting.
> # If you want REJECT, you must explictly REJECT at the end of a giving
> # INPUT, OUTPUT, or FORWARD chain
> #
> echo " Clearing any existing rules and setting default policy to
DROP.."
> $IPTABLES -P INPUT DROP
> $IPTABLES -F INPUT
> $IPTABLES -P OUTPUT DROP
> $IPTABLES -F OUTPUT
> $IPTABLES -P FORWARD DROP
> $IPTABLES -F FORWARD
> $IPTABLES -F -t nat
>
> #Not needed and it will only load the unneeded kernel module
> #$IPTABLES -F -t mangle
>
> # Flush the user chain.. if it exists
> if [ -n "`$IPTABLES -L | $GREP drop-and-log-it`" ]; then
> $IPTABLES -F drop-and-log-it
> fi
> #
> # Delete all User-specified chains
> $IPTABLES -X
> #
> # Reset all IPTABLES counters
> $IPTABLES -Z
>
>
> #Configuring specific CHAINS for later use in the ruleset
> #
> # NOTE: Some users prefer to have their firewall silently
> # "DROP" packets while others prefer to use
"REJECT"
> # to send ICMP error messages back to the remote
> # machine. The default is "REJECT" but feel free to
> # change this below.
> #
> # NOTE: Without the --log-level set to "info", every single
> # firewall hit will goto ALL vtys. This is a very big
> # pain.
> #
> echo " Creating a DROP chain.."
> $IPTABLES -N drop-and-log-it
> $IPTABLES -A drop-and-log-it -j LOG --log-level info
> $IPTABLES -A drop-and-log-it -j REJECT
>
> echo "# Routing mail packets"
> $IPTABLES -t mangle -A PREROUTING -p tcp --dport 25 -j MARK --set-mark 1
> $IPTABLES -t mangle -A PREROUTING -p udp --dport 53 -j MARK --set-mark 1
> $IPTABLES -t mangle -A PREROUTING -p tcp --dport 53 -j MARK --set-mark 1
>
> ip rule add fwmark 1 table TDS0
> ip route add default via $GWDS0 table TDS0
>
> $IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 2
>
> ip rule add fwmark 2 table TADSL
> ip route add default via $GWADSL table TADSL
>
> #ip route add default via $GWADSL
> #ip route add default via $GWDS0
>
> echo -e "\n - Loading INPUT rulesets"
>
> #######################################################################
> # INPUT: Incoming traffic from various interfaces. All rulesets are
> # already flushed and set to a default policy of DROP.
> #
>
> # loopback interfaces are valid.
> #
> $IPTABLES -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
>
>
> # local interface, local machines, going anywhere is valid
> #
> $IPTABLES -A INPUT -i $IFLAN -s $NETLAN -d $UNIVERSE -j ACCEPT
>
>
> # remote interface, claiming to be local machines, IP spoofing, get lost
> #
> $IPTABLES -A INPUT -i $IFDS0 -s $NETLAN -d $UNIVERSE -j drop-and-log-it
> $IPTABLES -A INPUT -i $IFADSL -s $NETLAN -d $UNIVERSE -j drop-and-log-it
>
>
> # external interface, from any source, for ICMP traffic is valid
> #
> # If you would like your machine to "ping" from the Internet,
> # enable this next line
> #
> $IPTABLES -A INPUT -i $IFDS0 -p ICMP -s $UNIVERSE -d $IPDS0 -j ACCEPT
> $IPTABLES -A INPUT -i $IFADSL -p ICMP -s $UNIVERSE -d $IPADSL -j DROP
>
>
> # remote interface, any source, going to permanent PPP address is valid
> #
> #$IPTABLES -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
>
>
> # Allow any related traffic coming back to the MASQ server in
> #
> $IPTABLES -A INPUT -i $IFDS0 -s $UNIVERSE -d $IPDS0 -m state --state \
> ESTABLISHED,RELATED -j ACCEPT
> $IPTABLES -A INPUT -i $IFADSL -s $UNIVERSE -d $IPADSL -m state --state \
> ESTABLISHED,RELATED -j ACCEPT
>
> # ----- Begin OPTIONAL INPUT Section -----
> #
>
> # DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
> #
> #$IPTABLES -A INPUT -i $INTIF -p tcp --sport 68 --dport 67 -j ACCEPT
> #$IPTABLES -A INPUT -i $INTIF -p udp --sport 68 --dport 67 -j ACCEPT
>
> # HTTPd - Enable the following lines if you run an EXTERNAL WWW server
> #
> # NOTE: This is NOT needed for simply enabling PORTFW. This is ONLY
> # for users that plan on running Apache on the MASQ server itself
> #
> echo -e " - Allowing EXTERNAL access to the WWW server"
> $IPTABLES -A INPUT -i $IFDS0 -m state --state NEW,ESTABLISHED,RELATED \
> -p tcp -s $UNIVERSE -d $IPDS0 --dport 80 -j ACCEPT
>
> echo -e " - Allowing EXTERNAL access to the WWW server"
> $IPTABLES -A INPUT -i $IFDS0 -m state --state NEW,ESTABLISHED,RELATED \
> -p tcp -s $UNIVERSE -d $IPDS0 --dport 443 -j ACCEPT
>
> echo -e " - Allowing EXTERNAL access to the SMTP server"
> $IPTABLES -A INPUT -i $IFDS0 -m state --state NEW,ESTABLISHED,RELATED \
> -p tcp -s $UNIVERSE -d $IPDS0 --dport 25 -j ACCEPT
>
> echo -e " - Allowing EXTERNAL access to the DNS server"
> $IPTABLES -A INPUT -i $IFDS0 -m state --state NEW,ESTABLISHED,RELATED \
> -p tcp -s $UNIVERSE -d $IPDS0 --dport 53 -j ACCEPT
> $IPTABLES -A INPUT -i $IFDS0 -m state --state NEW,ESTABLISHED,RELATED \
> -p udp -s $UNIVERSE -d $IPDS0 --dport 53 -j ACCEPT
>
> echo -e " - Allowing EXTERNAL access to the SSH server"
> $IPTABLES -A INPUT -i $IFDS0 -m state --state NEW,ESTABLISHED,RELATED \
> -p tcp -s $UNIVERSE -d $IPDS0 --dport 22 -j ACCEPT
>
> #echo -e " - Forcing proxy use"
> $IPTABLES -t nat -A PREROUTING -i $IFLAN -p tcp --dport 80 -j REDIRECT
> --to-port 3128
> #echo -e "proxy 2/2"
> #$IPTABLES -A OUTPUT -s 127.0.0.1 -p tcp --dport 80 -j REDIRECT --to-port
> 3128
>
> echo -e " - Allowing EXTERNAL access to the pop port"
> $IPTABLES -A INPUT -i $IFDS0 -m state --state NEW,ESTABLISHED,RELATED \
> -p tcp -s $UNIVERSE -d $IPDS0 --dport 110 -j ACCEPT
> $IPTABLES -A INPUT -i $IFDS0 -m state --state NEW,ESTABLISHED,RELATED \
> -p tcp -s $UNIVERSE -d $IPDS0 --dport 995 -j ACCEPT
>
> echo -e " - Allowing EXTERNAL access to the imap port"
> $IPTABLES -A INPUT -i $IFDS0 -m state --state NEW,ESTABLISHED,RELATED \
> -p tcp -s $UNIVERSE -d $IPDS0 --dport 143 -j ACCEPT
> $IPTABLES -A INPUT -i $IFDS0 -m state --state NEW,ESTABLISHED,RELATED \
> -p tcp -s $UNIVERSE -d $IPDS0 --dport 993 -j ACCEPT
>
>
> #
> # ----- End OPTIONAL INPUT Section -----
>
>
>
> # Catch all rule, all other incoming is denied and logged.
> #
> $IPTABLES -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
>
>
> echo -e " - Loading OUTPUT rulesets"
>
> #######################################################################
> # OUTPUT: Outgoing traffic from various interfaces. All rulesets are
> # already flushed and set to a default policy of DROP.
> #
>
> # loopback interface is valid.
> #
>
> $IPTABLES -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
>
> # local interfaces, any source going to local net is valid
> #
> $IPTABLES -A OUTPUT -o $IFLAN -s $IPLAN -d $NETLAN -j ACCEPT
> $IPTABLES -A OUTPUT -o $IFLAN -s $IPDS0 -d $NETLAN -j ACCEPT
> $IPTABLES -A OUTPUT -o $IFLAN -s $IPADSL -d $NETLAN -j ACCEPT
>
>
> # local interface, any source going to local net is valid
> #
> #$IPTABLES -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
> #$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP1 -d $INTNET -j ACCEPT
> #$IPTABLES -A OUTPUT -o $INTIF -s $EXTIP2 -d $INTNET -j ACCEPT
>
>
> # outgoing to local net on remote interface, stuffed routing, deny
> #
> $IPTABLES -A OUTPUT -o $IFDS0 -s $UNIVERSE -d $NETLAN -j drop-and-log-it
> $IPTABLES -A OUTPUT -o $IFADSL -s $UNIVERSE -d $NETLAN -j drop-and-log-it
>
>
> # anything else outgoing on remote interface is valid
> #
> $IPTABLES -A OUTPUT -o $IFDS0 -s $IPDS0 -d $UNIVERSE -j ACCEPT
> $IPTABLES -A OUTPUT -o $IFADSL -s $IPADSL -d $UNIVERSE -j ACCEPT
>
> # Disable reverse path filtering
> echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
> echo 0 > /proc/sys/net/ipv4/conf/eth2/rp_filter
>
> # ----- Begin OPTIONAL OUTPUT Section -----
> #
>
> # DHCPd - Enable the following lines if you run an INTERNAL DHCPd server
> # - Remove BOTH #s all the #s if you need this functionality.
> #
> #$IPTABLES -A OUTPUT -o $INTIF -p tcp -s $INTIP --sport 67 \
> # -d 255.255.255.255 --dport 68 -j ACCEPT
> #$IPTABLES -A OUTPUT -o $INTIF -p udp -s $INTIP --sport 67 \
> # -d 255.255.255.255 --dport 68 -j ACCEPT
>
> #
> # ----- End OPTIONAL OUTPUT Section -----
>
>
> # Catch all rule, all other outgoing is denied and logged.
> #
> $IPTABLES -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it
>
>
> echo -e " - Loading FORWARD rulesets"
>
> #######################################################################
> # FORWARD: Enable Forwarding and thus IPMASQ
> #
>
> # ----- Begin OPTIONAL FORWARD Section -----
> #
> # ----- End OPTIONAL FORWARD Section -----
>
>
> echo " - FWD: Allow all connections OUT and only existing/related
IN"
> $IPTABLES -A FORWARD -i $IFDS0 -o $IFLAN -m state --state
> ESTABLISHED,RELATED \
> -j ACCEPT
>
> echo " - FWD: Allow all connections OUT and only existing/related
IN"
> $IPTABLES -A FORWARD -i $IFADSL -o $IFLAN -m state --state
> ESTABLISHED,RELATED \
> -j ACCEPT
>
> echo " - FWD: Allow all connections OUT and only existing/related
IN"
>
>
> # File sharing
> # Red de Audio Galaxy
> $IPTABLES -A FORWARD -d 64.245.58.0/23 -j REJECT
>
> # GNUtella, Bearshare y ToadNode
> $IPTABLES -A FORWARD -p tcp --dport 6346 -j REJECT
>
> # eDonkey
> $IPTABLES -A FORWARD -p tcp --dport 4661:4662 -j REJECT
> $IPTABLES -A FORWARD -p udp --dport 4665 -j REJECT
>
> # Puertos y redes de Kazaa y Morpheus
> $IPTABLES -A FORWARD -p tcp --dport 1214 -j REJECT
> $IPTABLES -A FORWARD -d 213.248.112.0/24 -j REJECT
> $IPTABLES -A FORWARD -d 206.142.53.0/24 -j REJECT
>
> # Red de Napigator
> $IPTABLES -A FORWARD -d 209.25.178.0/24 -j REJECT
>
> # Red de Napster
> $IPTABLES -A FORWARD -d 64.124.41.0/24 -j REJECT
>
> # Redes de WinMX
> $IPTABLES -A FORWARD -d 209.61.186.0/24 -j REJECT
> $IPTABLES -A FORWARD -d 64.49.201.0/24 -j REJECT
>
> # Red de IMesh
> $IPTABLES -A FORWARD -d 216.35.208.0/24 -j REJECT
>
> # Messaging
> # AIM e ICQ
> $IPTABLES -A FORWARD -p tcp --dport 9898 -j REJECT
> $IPTABLES -A FORWARD -p tcp --dport 5190:5193 -j REJECT
> $IPTABLES -A FORWARD -d login.oscar.aol.com -j REJECT
> $IPTABLES -A FORWARD -d login.icq.com -j REJECT
>
> # Jabber
> $IPTABLES -A FORWARD -p tcp --dport 5222:5223 -j REJECT
>
> # MSN Messenger
> #$IPTABLES -A FORWARD -p tcp --dport 1863 -j REJECT
> #$IPTABLES -A FORWARD -d 64.4.13.0/24 -j REJECT
>
> # Yahoo! Messenger
> #$IPTABLES -A FORWARD -p tcp --dport 5000:5010 -j REJECT
> #$IPTABLES -A FORWARD -d cs.yahoo.com -j REJECT
> #$IPTABLES -A FORWARD -d scsa.yahoo.com -j REJECT
>
> #Blocking Batanga
> $IPTABLES -A FORWARD -d 66.45.7.228 -j REJECT
>
>
> #Blocking Randex-D worm
> $IPTABLES -A INPUT -s 68.192.170.235 -j REJECT
> $IPTABLES -A FORWARD -d 68.192.170.235 -j REJECT
>
>
> $IPTABLES -A FORWARD -i $IFLAN -o $IFADSL -j ACCEPT
> #$IPTABLES -A FORWARD -i $IFLAN -o $IFDS0 -j ACCEPT
>
> # Catch all rule, all other forwarding is denied and logged.
> #
> $IPTABLES -A FORWARD -j drop-and-log-it
>
>
> echo " - NAT: Enabling SNAT (MASQUERADE) functionality on $IFDS0,
> $IFADSL"
> #
> #More liberal form
> #$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
> #
> #Stricter form
> $IPTABLES -t nat -A POSTROUTING -o $IFADSL -j SNAT --to $IPADSL
> #$IPTABLES -t nat -A POSTROUTING -o $IFDS0 -j SNAT --to $IPDS0
>
>
> #######################################################################
> echo -e "\nStronger rc.firewall-2.4 $FWVER done.\n"
>
>
> _______________________________________________
> LARTC mailing list
> LARTC@mailman.ds9a.nl
> http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc
>