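#!/bin/bash
# do iptables based masquerading and firewalling.
# ~ Spot, 09/01/2002
#
# Layout assumed by every rule below: eth0 is the external (Internet-facing)
# interface, eth1 the internal LAN interface.  Must run as root (writes to
# /proc/sys and programs netfilter).
#
# NOTE(review): the INPUT chain never gets a DROP policy; every INPUT rule is
# qualified with "-i eth0", so the host closes itself only through the
# catch-all LOG/DROP rules at the very end.  Traffic arriving on eth1 (and
# anything that arrives while the script is still running) is accepted by the
# default policy.  Keep the final "anything else" rules intact.

# set default path
export PATH=/sbin:/usr/sbin:/bin:/usr/bin

# Load NAT modules
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ip_nat_irc

# Load connection-tracking modules
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc

# Disable response to broadcasts.
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Do not accept source routed packets.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
# Disable ICMP redirect acceptance.
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
# Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Log spoofed packets, source routed packets, redirect packets
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Clean old iptables
# "-F/-X/-Z" without "-t" only touch the filter table; the nat table is
# flushed explicitly so re-running the script does not stack duplicate
# MASQUERADE / DNAT rules.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X

# Allow forwarding through the internal interface
# NOTE(review): "-o eth1 -j ACCEPT" forwards any new inbound flow towards the
# LAN, not only the port-forwarded one below; a tighter variant would accept
# ESTABLISHED,RELATED plus an explicit rule for the DNAT target.
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -o eth1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Default forward policy to DROP
iptables -P FORWARD DROP

# Do masquerading through eth0
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Port Forwarding: external tcp/2222 -> internal host 192.168.100.2:22
iptables -t nat -A PREROUTING -i eth0 -p tcp -m tcp --dport 2222 -j DNAT --to-destination 192.168.100.2:22

# firewall rules
# loopback - allow unlimited traffic
# (the OUTPUT rule's arguments were lost on the source page; "-o lo" is the
# conventional counterpart of the INPUT rule)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# syn-flooding protection: new SYNs are rate limited in a user chain
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

# Make sure that NEW tcp connections are SYN packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

# FRAGMENTS: Don't trust the little buggers. Send 'em to hell.
# (log options reconstructed to match the other LOG rules in this script)
iptables -A INPUT -i eth0 -f -j LOG --log-level debug --log-prefix "iptables fragments: "
iptables -A INPUT -i eth0 -f -j DROP

# Refuse spoofed packets claiming to be the loopback
iptables -A INPUT -i eth0 -d 127.0.0.0/8 -j DROP

# Allow bootp/dhcp udp requests
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 67:68 -j ACCEPT

# DNS
# Allow UDP packets in for DNS client from nameservers
# (the source page shows a bare "-d 0" on some rules; "0/0" = any, as used by
# the neighbouring rules)
iptables -A INPUT -i eth0 -p udp -s 0/0 --sport 53 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -i eth0 -p udp -d 0/0 --dport 53 -j ACCEPT

# SSH
# Allow all sshd incoming connections (including the port forward)
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 2222 -j ACCEPT

# HTTP
# Allow all http/https incoming/return connections
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 80 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 443 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 443 -j ACCEPT

# FTP
# Allow all ftpd incoming connections
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 21 -j ACCEPT
# Enable active ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Enable passive ftp transfers
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Enable ident probes (IRC)
iptables -t filter -A INPUT -i eth0 -p tcp -d 0/0 --dport 113 -j ACCEPT

# Allow ICMP in as long as it is related to other connections
iptables -A INPUT -i eth0 -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow bot traffic
iptables -A INPUT -i eth0 -p tcp -d 0/0 --dport 8676 -j ACCEPT

# Enable DCC
iptables -A INPUT -i eth0 -p tcp -m state --state RELATED -j ACCEPT

# Logging: everything not matched above is logged at debug level, then dropped.
# UDP, log & drop
iptables -A INPUT -i eth0 -p udp -j LOG --log-level debug --log-prefix "iptables udp-in:"
iptables -A INPUT -i eth0 -p udp -j DROP
# ICMP, log & drop
iptables -A INPUT -i eth0 -p icmp -j LOG --log-level debug --log-prefix "iptables icmp-in:"
iptables -A INPUT -i eth0 -p icmp -j DROP
# Windows NetBIOS noise, log & drop (matched on source port only)
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j LOG --log-level debug --log-prefix "iptables NetBIOS-in:"
iptables -A INPUT -i eth0 -p tcp -s 0/0 --sport 137:139 -j DROP
# IGMP noise, log & drop
iptables -A INPUT -i eth0 -p 2 -j LOG --log-level debug --log-prefix "iptables IGMP-in:"
iptables -A INPUT -i eth0 -p 2 -j DROP
# TCP, log & drop
iptables -A INPUT -i eth0 -p tcp -j LOG --log-level debug --log-prefix "iptables TCP-in:"
iptables -A INPUT -i eth0 -p tcp -j DROP
# Anything else not allowed, log & drop
iptables -A INPUT -i eth0 -j LOG --log-level debug --log-prefix "iptables unknown-in:"
iptables -A INPUT -i eth0 -j DROP

This example uses MASQUERADE. If your situation calls for static NAT instead, proceed as follows. Bind the public network IP addresses of hosts A, B and C to the external network interface of the iptables firewall by running the following commands: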