2004-12-08, 08:24 AM
First let me tell u about the network.... i have a firewall whit 3 network interfacs on for the internet and one for the intranet (workstations) and one for the server. i want to access the server from internett and the intranet. eth0 is internet, eth1 is intranet and eth2 is to the server.
This is the iptables im using now... its from my old server that did work fine whit only 2 network interfaces...
# Generated by iptables-save v1.2.8 on Wed Dec 8 02:57:30 2004
*filter
:INPUT DROP [4:696]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [2117:378269]
:ACCEPTnLOG - [0:0]
:BLACKLIST - [0:0]
:BLOCK_OUT - [0:0]
:CLIENT - [0:0]
:CLOSED - [0:0]
:DHCP - [0:0]
:DMZ - [0:0]
:DNS - [0:0]
:DROPICMP - [0:0]
:DROPnLOG - [0:0]
:HIGHPORT - [0:0]
:MON_OUT - [0:0]
:MULTICAST - [0:0]
:OPENPORT - [0:0]
:PUBLIC - [0:0]
:RESERVED - [0:0]
:SCAN - [0:0]
:SERVICEDROP - [0:0]
:STATEFUL - [0:0]
:loopback - [0:0]
-A INPUT -i lo -j loopback
-A INPUT -s 192.168.160.0/255.255.255.0 -d 192.168.160.0/255.255.255.0 -i eth1 -j ACCEPT
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth0 -j RESERVED
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth0 -j RESERVED
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.1 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.2 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.4 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.5 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.6 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.9 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.13 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.15 -i eth0 -j RESERVED
-A INPUT -s 224.0.0.1 -i eth0 -j MULTICAST
-A INPUT -s 224.0.0.2 -i eth0 -j MULTICAST
-A INPUT -s 224.0.0.4 -i eth0 -j MULTICAST
-A INPUT -s 224.0.0.5 -i eth0 -j MULTICAST
-A INPUT -s 224.0.0.6 -i eth0 -j MULTICAST
-A INPUT -s 224.0.0.9 -i eth0 -j MULTICAST
A INPUT -p icmp -m limit --limit 1/sec -j ACCEPT
-A INPUT -p udp -m udp --sport 32769:65535 --dport 33434:33523 -j ACCEPT
-A INPUT -s 192.168.160.249 -p udp -m udp --sport 53 -j DNS
-A INPUT -s 193.216.147.2 -p udp -m udp --sport 53 -j DNS
-A INPUT -s 193.216.147.3 -p udp -m udp --sport 53 -j DNS
-A INPUT -d 217.22.16.44 -p tcp -m tcp --dport 53 -j PUBLIC
-A INPUT -d 217.22.16.44 -p udp -m udp --dport 53 -j PUBLIC
-A INPUT -d 217.22.16.44 -p tcp -m tcp --dport 22 -j PUBLIC
-A INPUT -d 217.22.16.44 -p udp -m udp --dport 22 -j PUBLIC
-A INPUT -d 217.22.16.44 -p tcp -m tcp --dport 113 -j PUBLIC
-A INPUT -d 217.22.16.44 -p udp -m udp --dport 113 -j PUBLIC
-A INPUT -p tcp -m tcp --dport 5010 -j OPENPORT
-A INPUT -p udp -m udp --dport 5010 -j OPENPORT
-A INPUT -p tcp -m tcp --dport 5656 -j OPENPORT
-A INPUT -p udp -m udp --dport 5656 -j OPENPORT
-A INPUT -j STATEFUL
-A FORWARD -d 10.0.0.2 -p udp -m udp --dport 40000:50000 -j ACCEPT
-A FORWARD -d 10.0.0.2 -p tcp -m tcp --dport 40000:50000 -j ACCEPT
-A FORWARD -d 10.0.0.2 -p udp -m udp --dport 80 -j ACCEPT
-A FORWARD -d 10.0.0.2 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 10.0.0.2 -p udp -m udp --dport 10000 -j ACCEPT
-A FORWARD -d 10.0.0.2 -p tcp -m tcp --dport 10000 -j ACCEPT
-A FORWARD -d 10.0.0.2 -p tcp -m tcp --dport 20 -j ACCEPT
-A FORWARD -d 10.0.0.2 -p tcp -m tcp --dport 21 -j ACCEPT
-A FORWARD -d 10.0.0.2 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -d 10.0.0.2 -p udp -m udp --dport 80 -j ACCEPT
-A FORWARD -d 10.0.0.2 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -d 10.0.0.2 -p udp -m udp --dport 443 -j ACCEPT
-A FORWARD -d 10.0.0.2 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -d 10.0.0.2 -p tcp -m tcp --dport 110 -j ACCEPT
-A FORWARD -d 10.0.0.2 -p udp -m udp --dport 110 -j ACCEPT
-A FORWARD -d 10.0.0.2 -p tcp -m tcp --dport 143 -j ACCEPT
-A FORWARD -d 10.0.0.2 -p udp -m udp --dport 143 -j ACCEPT
-A FORWARD -d 10.0.0.2 -p tcp -m tcp --dport 993 -j ACCEPT
-A FORWARD -d 10.0.0.2 -p udp -m udp --dport 993 -j ACCEPT
-A FORWARD -o eth0 -p tcp -m tcp --dport 137 -j BLOCK_OUT
-A FORWARD -o eth0 -p udp -m udp --dport 137 -j BLOCK_OUT
-A FORWARD -o eth0 -p tcp -m tcp --dport 138 -j BLOCK_OUT
-A FORWARD -o eth0 -p udp -m udp --dport 138 -j BLOCK_OUT
-A FORWARD -o eth0 -p tcp -m tcp --dport 139 -j BLOCK_OUT
-A FORWARD -o eth0 -p udp -m udp --dport 139 -j BLOCK_OUT
-A FORWARD -j STATEFUL
-A OUTPUT -o lo -j loopback
-A OUTPUT -p icmp -m state --state INVALID -j DROP
-A OUTPUT -o eth0 -p tcp -m tcp --dport 137 -j BLOCK_OUT
-A OUTPUT -o eth0 -p udp -m udp --dport 137 -j BLOCK_OUT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 138 -j BLOCK_OUT
-A OUTPUT -o eth0 -p udp -m udp --dport 138 -j BLOCK_OUT
-A OUTPUT -o eth0 -p tcp -m tcp --dport 139 -j BLOCK_OUT
-A OUTPUT -o eth0 -p udp -m udp --dport 139 -j BLOCK_OUT
-A ACCEPTnLOG -j LOG --log-prefix "gShield (accept) "
-A ACCEPTnLOG -j ACCEPT
-A BLACKLIST -j LOG --log-prefix "gShield (blacklisted drop) "
-A BLACKLIST -j DROP
-A BLOCK_OUT -j DROP
-A CLIENT -j ACCEPT
-A CLOSED -j LOG --log-prefix "gShield (closed port drop) "
-A CLOSED -p tcp -j REJECT --reject-with tcp-reset
-A CLOSED -p udp -j REJECT --reject-with icmp-port-unreachable
-A CLOSED -j DROP
-A DHCP -j LOG --log-prefix "gShield (DHCP accept) "
-A DHCP -j ACCEPT
-A DMZ -j LOG --log-prefix "gShield (DMZ drop) "
-A DMZ -j DROP
-A DNS -j ACCEPT
-A DROPICMP -j DROP
-A DROPnLOG -p udp -m udp --dport 137:139 -j DROP
-A DROPnLOG -p tcp -m tcp --sport 80 --dport 1024:65535 ! --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A DROPnLOG -d 255.255.255.255 -p udp -m udp --sport 67 --dport 68 -j DROP
-A DROPnLOG -m limit --limit 20/min -j LOG --log-prefix "gShield (default drop) "
-A DROPnLOG -p 47 -m limit --limit 20/min -j LOG --log-prefix "gShield (default drop / GRE) "
-A DROPnLOG -p tcp -j REJECT --reject-with tcp-reset
-A DROPnLOG -p udp -j REJECT --reject-with icmp-port-unreachable
-A DROPnLOG -j DROP
-A HIGHPORT -j ACCEPT
-A MON_OUT -j ACCEPT
-A MULTICAST -j DROP
-A OPENPORT -j ACCEPT
-A PUBLIC -j ACCEPT
-A RESERVED -p tcp -j REJECT --reject-with tcp-reset
-A RESERVED -p udp -j REJECT --reject-with icmp-port-unreachable
-A RESERVED -j DROP
-A SCAN -j LOG --log-prefix "gShield (possible port scan) "
-A SCAN -j DROP
-A SERVICEDROP -j LOG --log-prefix "gShield (service drop) "
-A SERVICEDROP -p tcp -j REJECT --reject-with tcp-reset
-A SERVICEDROP -p udp -j REJECT --reject-with icmp-port-unreachable
-A SERVICEDROP -j DROP
-A STATEFUL -m state --state RELATED,ESTABLISHED -j ACCEPT
-A STATEFUL -i ! eth0 -m state --state NEW -j ACCEPT
-A STATEFUL -j DROPnLOG
-A loopback -i lo -j ACCEPT
COMMIT
# Completed on Wed Dec 8 02:57:30 2004
# Generated by iptables-save v1.2.8 on Wed Dec 8 02:57:30 2004
*nat
:PREROUTING ACCEPT [11600:1633075]
:POSTROUTING ACCEPT [86:6234]
:OUTPUT ACCEPT [86:6234]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 10000 -j DNAT --to-destination 10.0.0.2:10000
-A PREROUTING -i eth0 -p udp -m udp --dport 10000 -j DNAT --to-destination 10.0.0.2:10000
-A PREROUTING -d 217.22.16.44 -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
-A PREROUTING -d 217.22.16.44 -i eth0 -p udp -m udp --dport 80 -j DNAT --to-destination 10.0.0.2:80
-A PREROUTING -d 217.22.16.44 -i eth0 -p tcp -m tcp --dport 40000:50000 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 217.22.16.44 -i eth0 -p udp -m udp --dport 40000:50000 -j DNAT --to-destination 10.0.0.2
-A PREROUTING -d 217.22.16.44 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.0.0.2:21
-A PREROUTING -d 217.22.16.44 -p tcp -m tcp --dport 20 -j DNAT --to-destination 10.0.0.2:20
-A PREROUTING -d 217.22.16.44 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.2:80
-A PREROUTING -d 217.22.16.44 -p udp -m udp --dport 80 -j DNAT --to-destination 10.0.0.2:80
-A PREROUTING -d 217.22.16.44 -p tcp -m tcp --dport 443 -j DNAT --to-destination 10.0.0.2:443
-A PREROUTING -d 217.22.16.44 -p udp -m udp --dport 443 -j DNAT --to-destination 10.0.0.2:443
-A PREROUTING -d 217.22.16.44 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.0.0.2:25
-A PREROUTING -d 217.22.16.44 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.0.0.2:110
-A PREROUTING -d 217.22.16.44 -p udp -m udp --dport 110 -j DNAT --to-destination 10.0.0.2:110
-A PREROUTING -d 217.22.16.44 -p tcp -m tcp --dport 143 -j DNAT --to-destination 10.0.0.2:143
-A PREROUTING -d 217.22.16.44 -p udp -m udp --dport 143 -j DNAT --to-destination 10.0.0.2:143
-A PREROUTING -d 217.22.16.44 -p tcp -m tcp --dport 993 -j DNAT --to-destination 10.0.0.2:993
-A PREROUTING -d 217.22.16.44 -p udp -m udp --dport 993 -j DNAT --to-destination 10.0.0.2:993
-A POSTROUTING -s 10.0.0.0/255.255.255.0 -o eth0 -j SNAT --to-source 217.22.16.44
COMMIT
# Completed on Wed Dec 8 02:57:30 2004
# Generated by iptables-save v1.2.8 on Wed Dec 8 02:57:30 2004
*mangle
:PREROUTING ACCEPT [21539:2950819]
:INPUT ACCEPT [13827:2062253]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [2381:419840]
:POSTROUTING ACCEPT [2381:419840]
-A PREROUTING -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08
-A PREROUTING -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --sport 23 -j TOS --set-tos 0x10
-A PREROUTING -p tcp -m tcp --sport 80 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 80 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 119 -j TOS --set-tos 0x08
-A OUTPUT -o eth0 -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 23 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 25 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 53 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p udp -m udp --dport 53 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 119 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 110 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 143 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 6660:6669 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 7000 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 7500 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 7501 -j TOS --set-tos 0x10
-A OUTPUT -o eth0 -p tcp -m tcp --dport 7777 -j TOS --set-tos 0x10
COMMIT
# Completed on Wed Dec 8 02:57:30 2004
[img]<___base_url___>/uploads/emoticons/default_rolleyes.gif[/img][img]<___base_url___>/uploads/emoticons/default_rolleyes.gif[/img][img]<___base_url___>/uploads/emoticons/default_rolleyes.gif[/img]