
NAT iptables firewall script

  Date Added: November 07, 2010  |  Visits: 1.735


NAT iptables firewall script is an iptables firewall script for a gateway with three interfaces: an external ("bad") interface facing the internet, a DMZ on its own public /28 reached through proxy ARP, and an internal ("good") network that is masqueraded (SNAT) behind one public address. Each traffic direction gets its own chain (good-dmz, bad-dmz, dmz-good, and so on), every chain ends in a LOG rule followed by DROP or REJECT, and the public mail server address is DNATed to an internal host.

The script is meant to be run once per boot: it appends rules with -A, flushes only the built-in INPUT, OUTPUT and FORWARD chains, and never flushes its own chains or the nat table, so running it twice adds every rule a second time. If you need to add a rule at runtime, use -I instead of -A so the rule is inserted at the top of the chain; a rule appended with -A goes to the end, after the chain's terminating DROP or REJECT, and is never reached.

Sample:

```bash
#!/bin/sh
# interface definitions
BAD_IFACE=eth0
DMZ_IFACE=eth1
DMZ_ADDR=x.x.x.96/28
GOOD_IFACE=eth2
GOOD_ADDR=192.168.1.0/24
MASQ_SERVER=x.x.x.98
FTP_SERVER=x.x.x.100
MAIL_SERVER=x.x.x.99
MAIL_SERVER_INTERNAL=192.168.1.3

# testing
#set -x

# the DMZ /28 is routed out the DMZ interface, the gateway's own address stays on the external one
ip route del x.x.x.96/28 dev $BAD_IFACE
ip route del x.x.x.96/28 dev $DMZ_IFACE
ip route add x.x.x.97 dev $BAD_IFACE
ip route add x.x.x.96/28 dev $DMZ_IFACE

# we need proxy arp for the dmz network
echo 1 > /proc/sys/net/ipv4/conf/$BAD_IFACE/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/$DMZ_IFACE/proxy_arp

# turn on ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# turn on antispoofing protection
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done

# flush all rules in the filter table
#iptables -F

# flush built in rules (the custom chains below and the nat table are NOT flushed,
# which is why this script must only run once per boot)
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

# deny everything for now (these three rules are deleted again at the very end)
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP

# make the chains to define packet directions
# bad is the internet, dmz is our dmz, good is our masqed network
iptables -N good-dmz
iptables -N bad-dmz
iptables -N good-bad
iptables -N dmz-good
iptables -N dmz-bad
iptables -N bad-good
iptables -N icmp-acc

# accept related packets
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# internal client masqing
iptables -t nat -A POSTROUTING -s $GOOD_ADDR -o $BAD_IFACE -j SNAT --to $MASQ_SERVER

# mail server masqing
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport smtp -j DNAT --to $MAIL_SERVER_INTERNAL:25
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport http -j DNAT --to $MAIL_SERVER_INTERNAL:80
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport https -j DNAT --to $MAIL_SERVER_INTERNAL:443
# to allow the above to work you need something like
# iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT
# (the bad-good chain below has exactly these rules)

# set which addresses jump to which chains
iptables -A FORWARD -s $GOOD_ADDR -o $DMZ_IFACE -j good-dmz
iptables -A FORWARD -s $GOOD_ADDR -o $BAD_IFACE -j good-bad
iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $BAD_IFACE -j dmz-bad
iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $GOOD_IFACE -j dmz-good
iptables -A FORWARD -o $DMZ_IFACE -j bad-dmz
iptables -A FORWARD -o $GOOD_IFACE -j bad-good
# drop anything that doesn't fit these
iptables -A FORWARD -j LOG --log-prefix "chain-jump "
iptables -A FORWARD -j DROP

# icmp acceptance
iptables -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-request -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT
# iptables -A icmp-acc -j LOG --log-prefix "icmp-acc "
iptables -A icmp-acc -j DROP

# from internal to dmz
iptables -A good-dmz -p tcp --dport smtp -j ACCEPT
iptables -A good-dmz -p tcp --dport pop3 -j ACCEPT
iptables -A good-dmz -p udp --dport domain -j ACCEPT
iptables -A good-dmz -p tcp --dport domain -j ACCEPT
iptables -A good-dmz -p tcp --dport www -j ACCEPT
iptables -A good-dmz -p tcp --dport https -j ACCEPT
iptables -A good-dmz -p tcp --dport ssh -j ACCEPT
iptables -A good-dmz -p tcp --dport telnet -j ACCEPT
iptables -A good-dmz -p tcp --dport auth -j ACCEPT
iptables -A good-dmz -p tcp --dport ftp -j ACCEPT
iptables -A good-dmz -p tcp --dport 1521 -j ACCEPT
iptables -A good-dmz -p icmp -j icmp-acc
iptables -A good-dmz -j LOG --log-prefix "good-dmz "
iptables -A good-dmz -j DROP

# from external to dmz
iptables -A bad-dmz -p tcp --dport smtp -j ACCEPT
iptables -A bad-dmz -p udp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport www -j ACCEPT
iptables -A bad-dmz -p tcp --dport https -j ACCEPT
iptables -A bad-dmz -p tcp --dport ssh -j ACCEPT
iptables -A bad-dmz -p tcp -d $FTP_SERVER --dport ftp -j ACCEPT
iptables -A bad-dmz -p icmp -j icmp-acc
iptables -A bad-dmz -j LOG --log-prefix "bad-dmz "
iptables -A bad-dmz -j DROP

# from internal to external
iptables -A good-bad -j ACCEPT
# iptables -t nat -A POSTROUTING -o $BAD_IFACE -j SNAT --to $MASQ_SERVER
#iptables -A good-bad -p tcp -j MASQ
#iptables -A good-bad -p udp -j MASQ
#iptables -A good-bad -p icmp -j MASQ
#ipchains -A good-bad -p tcp --dport www -j MASQ
#ipchains -A good-bad -p tcp --dport ssh -j MASQ
#ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
#ipchains -A good-bad -p tcp --dport ftp -j MASQ
#ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
#ipchains -A good-bad -j REJECT -l

# from dmz to internal
# (the "! --syn --sport" rules are ipchains-style stateless return-traffic rules;
# the RELATED,ESTABLISHED rule in FORWARD already accepts that traffic)
# iptables -A dmz-good -p tcp ! --syn --sport smtp -j ACCEPT
iptables -A dmz-good -p tcp --dport smtp -j ACCEPT
iptables -A dmz-good -p tcp --sport smtp -j ACCEPT
iptables -A dmz-good -p udp --sport domain -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport domain -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport www -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport ssh -j ACCEPT
iptables -A dmz-good -p tcp -d 192.168.1.34 --dport smtp -j ACCEPT
iptables -A dmz-good -p icmp -j icmp-acc
iptables -A dmz-good -j LOG --log-prefix "dmz-good "
iptables -A dmz-good -j DROP

# from dmz to external
iptables -A dmz-bad -p tcp --dport smtp -j ACCEPT
iptables -A dmz-bad -p tcp --sport smtp -j ACCEPT
iptables -A dmz-bad -p udp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport www -j ACCEPT
iptables -A dmz-bad -p tcp --dport https -j ACCEPT
iptables -A dmz-bad -p tcp --dport ssh -j ACCEPT
iptables -A dmz-bad -p tcp --dport ftp -j ACCEPT
iptables -A dmz-bad -p tcp --dport whois -j ACCEPT
iptables -A dmz-bad -p tcp --dport telnet -j ACCEPT
iptables -A dmz-bad -p udp --dport ntp -j ACCEPT
# ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
iptables -A dmz-bad -p icmp -j icmp-acc
iptables -A dmz-bad -j LOG --log-prefix "dmz-bad "
iptables -A dmz-bad -j DROP

# from external to internal (only the DNATed mail server ports)
iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -p tcp --dport http -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -p tcp --dport https -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -j LOG --log-prefix "bad-good "
iptables -A bad-good -j REJECT

# rules for this machine itself
iptables -N bad-if
iptables -N dmz-if
iptables -N good-if

# set up the jumps to each chain
iptables -A INPUT -i $BAD_IFACE -j bad-if
iptables -A INPUT -i $DMZ_IFACE -j dmz-if
iptables -A INPUT -i $GOOD_IFACE -j good-if

# external iface
# NOTE: as written this accepts everything addressed to the firewall itself from
# the internet; only ICMP is filtered. The commented ipchains rules below show the
# stricter policy this was converted from.
iptables -A bad-if -p icmp -j icmp-acc
iptables -A bad-if -j ACCEPT
#ipchains -A bad-if -i ! ppp0 -j DENY -l
#ipchains -A bad-if -p TCP --dport 61000:65095 -j ACCEPT
#ipchains -A bad-if -p UDP --dport 61000:65095 -j ACCEPT
#ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT
#ipchains -A bad-if -j icmp-acc
#ipchains -A bad-if -j DENY

# dmz iface
# (the original repeated "bad-if" here, a copy-paste slip; dmz-if is the chain this block fills)
iptables -A dmz-if -p icmp -j icmp-acc
iptables -A dmz-if -j ACCEPT

# internal iface
iptables -A good-if -p tcp --dport ssh -j ACCEPT
iptables -A good-if -p icmp --icmp-type echo-request -j ACCEPT
iptables -A good-if -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A good-if -p icmp -j icmp-acc
iptables -A good-if -j DROP

# remove the complete blocks
# After this, INPUT packets arriving on an interface other than the three above
# (for example lo) fall through to the chain's default policy, and OUTPUT is left
# empty; this script never sets those policies with -P, so they stay as they were.
iptables -D INPUT 1
iptables -D FORWARD 1
iptables -D OUTPUT 1
```
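The two things the description warns about, a rule appended with -A landing behind the chain's terminating DROP/REJECT and the whole ruleset being added a second time, can both be caught from iptables-save output without touching the firewall. The following POSIX shell functions are an added example written for this page, not part of the NAT iptables firewall script; they read iptables-save format and report unreachable and duplicated rules. The ruleset they run on is a constructed sample (chain and interface names follow the script above, the rule text is made up for the example).

```bash
#!/bin/sh
# Added example (not part of the NAT iptables firewall script): static checks
# over `iptables-save` output for the two problems the description warns about.
#
# Constructed sample: what the filter table might look like after one rule was
# added twice (duplicate) and another was added at runtime with -A instead of
# -I, so it sits behind the chain's terminating DROP.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:good-dmz - [0:0]
:bad-good - [0:0]
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.1.0/24 -o eth1 -j good-dmz
-A FORWARD -o eth2 -j bad-good
-A FORWARD -j LOG --log-prefix "chain-jump "
-A FORWARD -j DROP
-A good-dmz -p tcp -m tcp --dport 25 -j ACCEPT
-A good-dmz -p tcp -m tcp --dport 22 -j ACCEPT
-A good-dmz -p tcp -m tcp --dport 22 -j ACCEPT
-A good-dmz -j LOG --log-prefix "good-dmz "
-A good-dmz -j DROP
-A good-dmz -p tcp -m tcp --dport 1521 -j ACCEPT
-A bad-good -p tcp -d 192.168.1.3/32 -m tcp --dport 25 -j ACCEPT
-A bad-good -j LOG --log-prefix "bad-good "
-A bad-good -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Print every rule that follows an unconditional DROP/REJECT in its own chain.
# "Unconditional" means the rule carries no match options: the chain name is
# followed directly by "-j DROP" or "-j REJECT" (target options may follow).
# Reads iptables-save text on stdin.
unreachable_rules() {
    awk '
        /^-A / {
            chain = $2
            if (chain in closed) { print "unreachable in " chain ": " $0; next }
            if ($3 == "-j" && ($4 == "DROP" || $4 == "REJECT")) closed[chain] = 1
        }'
}

# Print every rule line that occurs more than once, which is what a second run
# of a script that only uses -A leaves behind. Reads iptables-save text on stdin.
duplicate_rules() {
    awk '/^-A / { if (++seen[$0] == 2) print "duplicate: " $0 }'
}

# Run both checks over a ruleset given as a string; exit status 1 on any finding
# so it can gate a reload.
check_ruleset() {
    findings=$(printf '%s\n' "$1" | unreachable_rules; printf '%s\n' "$1" | duplicate_rules)
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

if check_ruleset "$SAMPLE_RULES"; then
    echo "ruleset clean"
else
    echo "ruleset has problems"
fi
```

On a live gateway the same checks run as `iptables-save | unreachable_rules` and `iptables-save | duplicate_rules`. The unreachable finding is the one the description describes; inserting the runtime rule with `iptables -I good-dmz 1 ...` instead of `-A` puts it ahead of the LOG and DROP pair.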

Requirements: No special requirements
Platforms: Linux

License: Freeware