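#!/bin/sh
# Stop the firewall: reset the default policies to ACCEPT, then remove every
# rule and every user-defined chain from the filter, nat and mangle tables.
# Maintenance use only -- once it has run, the host accepts all traffic.
#
# iptables needs root; fail once up front instead of printing one
# "permission denied" per command below.
[ "$(id -u)" -eq 0 ] || { echo "must be run as root" >&2; exit 1; }
echo "Stopping firewall and allowing everyone..."
# Policies first: flushing while a DROP policy is still in place drops every
# packet (including the session this script is run from) until the policies
# are reset, so the reset now happens before the flush.
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Same flush/delete pairs as before, in the same table order; "-t filter"
# is what a bare "iptables -F" operates on.
for table in filter nat mangle; do
  iptables -t "$table" -F
  iptables -t "$table" -X
done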
# POP3 (tcp/110) on the mail host: accept new and established inbound client
# connections arriving from unprivileged source ports, and the established
# replies going back out. A client using a source port below 1024 does not
# match the first rule.
pop3_host=10.242.144.3
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d "$pop3_host" --dport 110 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -s "$pop3_host" --sport 110 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
To block incoming and outgoing traffic on port 110, use the REJECT target instead of ACCEPT:
# Same two POP3 rules with the REJECT target: the client gets an explicit
# refusal (unlike DROP, which answers nothing). The example address here
# (202.54.1.20) differs from the one in the ACCEPT example above
# (10.242.144.3); both are meant to be the same mail host address.
pop3_host=202.54.1.20
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -d "$pop3_host" --dport 110 -j REJECT
iptables -A OUTPUT -p tcp -s "$pop3_host" --sport 110 -d 0/0 --dport 1024:65535 -j REJECT
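# Mail server behind this gateway: SMTP to the gateway's outside address is
# DNAT'd to the internal mail host; outbound SMTP from that host and outbound
# POP3 from the whole LAN are SNAT'd to the outside address on eth1.
# 172.16.0.1 is presumably the gateway's address on eth1 (it is both the DNAT
# destination and the SNAT source there); note it is itself a private
# address, so "outside" here is likely another internal network -- confirm.
gw_ip=172.16.0.1
mail_ip=192.168.0.113
lan_net=192.168.0.0/21
out_if=eth1
# New SMTP connections to this host itself. Uses the same iptables binary as
# every other rule; the original line called /sbin/iptables by absolute path.
iptables -A INPUT -p tcp --dport 25 -m state --state NEW -j ACCEPT
#Port Forward SMTP to the mailserver
iptables -t nat -A PREROUTING -p tcp -d "$gw_ip" --dport 25 -j DNAT --to-destination "$mail_ip:25"
iptables -A FORWARD -p tcp -d "$mail_ip" --dport 25 -j ACCEPT
# Return traffic of the forwarded connections. Without this rule the mail
# host's replies are dropped whenever the FORWARD policy is DROP (the policy
# is not set in this snippet); with an ACCEPT policy it is harmless.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#SNAT for port 25 and 110
iptables -t nat -A POSTROUTING -p tcp -s "$mail_ip" --dport 25 -o "$out_if" -j SNAT --to-source "$gw_ip"
iptables -t nat -A POSTROUTING -p tcp -s "$lan_net" --dport 110 -o "$out_if" -j SNAT --to-source "$gw_ip"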
The script /etc/init.d/iptables contains:
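# (0) Addresses and interfaces used below. eth0 is the Internet side and eth1
# the LAN side, as in the original rules. The LAN host address is the one the
# OUTPUT anti-spoofing rules in (5) use; the original loopback rule had
# 10.12.1.0 (a network address, not a host) -- that inconsistency is fixed.
wan_if=eth0
lan_if=eth1
wan_ip=116.168.1.2
lan_ip=10.12.1.1
lan_bcast=10.12.1.255
# NOTE(review): 10.12.1.0/8 means 10.0.0.0/8 -- all of 10/8 -- not the
# 10.12.1.x network that the 10.12.1.255 broadcast rule implies. Kept as in
# the original; confirm the intended mask (probably /24) before tightening.
lan_net=10.12.1.0/8

# (1) Policies (default) -- set to DROP before the chains are emptied, so
# nothing is accepted by policy while the rules below are (re)loaded.
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# Start from empty chains: re-running this script used to append a second
# copy of every rule and fail on "iptables -N okay" (chain already exists).
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
# (2) User-defined chain for ACCEPTED TCP packets: new connections (SYN only)
# and packets of established/related connections pass, anything else is dropped.
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A okay -p TCP -j DROP
# (3) INPUT chain rules
## Rules for incoming packets from LAN
iptables -A INPUT -p ALL -i "$lan_if" -s "$lan_net" -j ACCEPT
## Loopback: only the host's own addresses are expected on lo.
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p ALL -i lo -s "$lan_ip" -j ACCEPT
iptables -A INPUT -p ALL -i lo -s "$wan_ip" -j ACCEPT
iptables -A INPUT -p ALL -i "$lan_if" -d "$lan_bcast" -j ACCEPT
## Rules for incoming packets from the Internet
# Packets for established connections (also covers ICMP related to them)
iptables -A INPUT -p ALL -d "$wan_ip" -m state --state \
ESTABLISHED,RELATED -j ACCEPT
# REJECT THESE JERKS from accessing anything (HACKERS):
# TCP only, as in the original; UDP/ICMP from these addresses is still
# handled by the service rules below and the DROP policy.
for bad in 66.232.147.175 67.169.132.93 202.9.128.100 202.9.183.254 \
    202.153.41.139 210.51.188.113; do
  iptables -A INPUT -p tcp -s "$bad" -j REJECT --reject-with tcp-reset
done
# TCP rules: services reachable from the Internet -- 21 ftp, 22 ssh, 25 smtp,
# 80 http, 110 pop3, 113 ident. ftp and pop3 carry credentials in cleartext;
# the list is kept as in the original.
for port in 21 22 25 80 110 113; do
  iptables -A INPUT -p TCP -i "$wan_if" -s 0/0 --destination-port "$port" -j okay
done
# UDP rules (53 dns, 2074 and 4000 as in the original). Accepting udp/53 from
# anywhere only matters if a resolver listens here; a recursive resolver
# would then be open to the Internet.
for port in 53 2074 4000; do
  iptables -A INPUT -p UDP -i "$wan_if" -s 0/0 --destination-port "$port" -j ACCEPT
done
# ICMP rules: echo-request (8) and time-exceeded (11)
for type in 8 11; do
  iptables -A INPUT -p ICMP -i "$wan_if" -s 0/0 --icmp-type "$type" -j ACCEPT
done
# Rate-limited record of what falls through to the DROP policy, so dropped
# traffic is visible in the kernel log without flooding it.
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables INPUT drop: "
# (4) FORWARD ip rules
# Accept packets I want to forward.
# NOTE(review): any source address arriving on the LAN interface is
# forwarded; adding -s "$lan_net" would stop spoofed sources from that side.
iptables -A FORWARD -i "$lan_if" -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "iptables FORWARD drop: "
# (5) OUTPUT ip rules
# ONLY output packets with local addresses (NO spoofing)
iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
iptables -A OUTPUT -p ALL -s "$lan_ip" -j ACCEPT
iptables -A OUTPUT -p ALL -s "$wan_ip" -j ACCEPT
# (6) POSTROUTING ip rules
iptables -t nat -A POSTROUTING -o "$wan_if" -j SNAT --to-source "$wan_ip"
# uncomment the bottom for DHCP if it works first
# iptables -t nat -A POSTROUTING -o "$wan_if" -j MASQUERADE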