Jeg er kommet i den lykkelige situatíon at jeg har fået 2 linier ind i huset
en 2 Mb adsl pro acces og en 512 Kb kabelmoden
Jeg har en linuxserver stående som kører firewall/apache web/qmail
mailserver/roger wilco base
Den sørgere også for at jeg kan komme på internettet fra mit lan
Men jeg kan ikke få det til at virke med begge linier
Det jeg gerne vil er at mit kabelmodem (eth2) skal stå for alt server
trafikken (web/mail/RW)
Men min adsl skal køre nat for mit interne lan (eth1)
Men der hvor det går galt er i forhold til den default gateway
Hvis jeg sætter den til min adsl virker mit lan men så virker alt det andet
ikke.
Det modsatte sker når jeg sætter den til mit kabelmodem
Der vil også på et tidspunkt komme en counterstrike server på det interne
lan som der skal dnat'es til via adsl
Men den tid den sorg
Jeg har bygget min firewall op efter et script som jeg fandt på internettet
Men det er ikke lavet til to linier
Det jeg har gjort er bare at kopiere nogen af tingene
Men det er åbenbart ikke nok
Håber der er nogen der kan give mig et hint
Mvh
Lars Sørensen
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall test script for 2.4.x
#
# Author: Oskar Andreasson <blueflux@koffein.net>
# (c) of BoingWorld.com, use at your own risk, do whatever you please with
# it as long as you don't distribute this without due credits to
# BoingWorld.com
#
###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#
# INET_IP is used by me to allow myself to do anything to myself, might
# be a security risc but sometimes I want this. If you don't have a static
# IP, I suggest not using this option at all for now but it's stil
# enabled per default and will add some really nifty security bugs for all
# those who skips reading the documentation=)
LAN_IP="10.0.0.1/24"
LAN_IP_RANGE="10.0.0.0/24"
LAN_BCAST_ADRESS="10.0.0.255"
LAN_IFACE="eth0"
LO_IFACE="lo"
LO_IP="127.0.0.1"
INET_IP="xxx.xxx.xxx.xxx"
INET_IFACE="eth2"
INET_IP1="yyy.yyy.yyy.yyy"
INET_IFACE1="eth1"
IPTABLES="/sbin/iptables"
#########
# Load all required IPTables modules
#
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUARADE.
#
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
#
# Support for owner matching
#
#/sbin/modprobe ipt_owner
#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#
# Enable ip_forward, this is critical since it is turned off as defaul in
# Linux.
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
# Enable simple IP Forwarding and Network Address Translation
#
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
#
# Bad TCP packets we don't want
#
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
#
# Accept the packets we actually want to forward
#
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 5/minute --limit-burst 5 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets
#
# The allowed chain for TCP connections
#
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# ICMP rules
#
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# TCP rules
#
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 110 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 4000 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 3782 -j allowed # Roger Wilco
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 3783 -j allowed # Roger Wilco
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 27900 -j allowed # Roger
Wilco
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 28900 -j allowed # Roger
Wilco
$IPTABLES -A tcp_packets -m limit --limit 5/minute --limit-burst 5 -j LOG \
--log-level DEBUG --log-prefix "Ting og sager"
#
# UDP ports
#
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 3782 -j ACCEPT
# Roger Wilco
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 3783 -j ACCEPT
# Roger Wilco
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 27900 -j ACCEPT
# Roger Wilco
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 28900 -j ACCEPT
# Roger Wilco
#
# PREROUTING chain.
#
# Do some checks for obviously spoofed IP's
#
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE1 -s 192.168.0.0/16 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE1 -s 10.0.0.0/8 -j DROP
#$IPTABLES -t nat -A PREROUTING -i $INET_IFACE1 -s 172.16.0.0/12 -j DROP
#
# INPUT chain
#
# Take care of bad TCP packets that we don't want
#
#$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j LOG \
#--log-prefix "New not syn:"
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
#
# Rules for incoming packets from the internet
#
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE1 -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE1 -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE1 -j udpincoming_packets
#
# Rules for special networks not part of the Internet
#
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP1 -m state --state ESTABLISHED,RELATED
\
-j ACCEPT
$IPTABLES -A INPUT -m limit --limit 5/minute --limit-burst 5 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
# OUTPUT chain
#
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP1 -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 5/minute --limit-burst 5 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "