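#!/bin/bash

# sample script for secure NAT setups on aon intelligent gateway with two DSL connections
# Angulo Solido - http://www.angulosolido.pt

# ON THIS MACHINE THIS SCRIPT RUNS AT BOOT
#
# Fail-closed ordering is deliberate: the DROP policies are installed before
# any ACCEPT rule, so a partial run never leaves the box wide open.  For the
# same reason we do NOT use `set -e`: a single failing `ip route add` (e.g. an
# interface that is still down) must not abort the script before the firewall
# rules are in place.  Unset variables, however, are checked up front so that a
# broken igw-common.sh is detected before any routing or firewall state changes.

set -u

############################## SHARED DEFS  ##############################

# Provides EXTIF/EXTIP/EXTGW/EXTTABLE, SRVIF/SRVIP/SRVGW/SRVTABLE, INTIF,
# SERVERS and the forward_service helper.
. /usr/local/AS/etc/igw-common.sh

############################## SANITY CHECKS ##############################

# Every variable below is interpolated into ip/iptables command lines; an
# empty one would silently produce a malformed rule (e.g. `-i -o eth1`) after
# the DROP policies are already active, which is a lockout.  Abort early.
for required in EXTIF EXTIP EXTGW EXTTABLE SRVIF SRVIP SRVGW SRVTABLE INTIF; do
  if [[ -z "${!required:-}" ]]; then
    printf '%s: %s is not set (check igw-common.sh), aborting before any change\n' \
      "${0##*/}" "$required" >&2
    exit 1
  fi
done

############################## MAIN SCRIPT ##############################

# create two independent routing tables: one per uplink, selected by source IP

ip rule add from "$EXTIP" table "$EXTTABLE"
ip route add 192.168.1.0/24 dev "$INTIF" src "$EXTIP" table "$EXTTABLE"
ip route add "$EXTGW" dev "$EXTIF" src "$EXTIP" table "$EXTTABLE"
ip route add default via "$EXTGW" table "$EXTTABLE"

ip rule add from "$SRVIP" table "$SRVTABLE"
ip route add 192.168.1.0/24 dev "$INTIF" src "$SRVIP" table "$SRVTABLE"
# NOTE(review): the host route to SRVGW leaves via $EXTIF, while the NAT for
# the server uplink below masquerades on $SRVIF -- confirm this is intended
# (e.g. both gateways reachable on the same link) and not a copy/paste slip.
ip route add "$SRVGW" dev "$EXTIF" src "$SRVIP" table "$SRVTABLE"
ip route add default via "$SRVGW" table "$SRVTABLE"

# the servers use the SRV table: all packets go through SRVIF
# SERVERS is a whitespace-separated list of addresses, so word-splitting is
# wanted here; it may legitimately be empty.
# shellcheck disable=SC2086
for srv in ${SERVERS:-}; do
  ip rule add from "$srv" table "$SRVTABLE"
done

# default gw for locally originated traffic that matched no source rule
ip route add default scope global nexthop via "$EXTGW"

# default policies: DROP everything but OUTPUT
# (installed BEFORE the ACCEPT rules on purpose -- see header)

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# accept everything from the loopback device

iptables -t filter -A INPUT -i lo -j ACCEPT

# open specific services

# ICMP (all types; no interface restriction)

iptables -t filter -A INPUT -p icmp -m icmp -j ACCEPT

# enable ssh on all interfaces (including both uplinks -- intentional here)

iptables -t filter -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT

# enable DNS on $INTIF (LAN side only)

iptables -A INPUT -i "$INTIF" -p udp -m udp --dport 53 -j ACCEPT

# enable DHCP on $INTIF (LAN side only)

iptables -A INPUT -i "$INTIF" -p udp -m udp --dport 67:68 --sport 67:68 -j ACCEPT

## accept connections which are ESTABLISHED or RELATED to the outgoing connections
## usually we don't need this rule for INPUT in a server
## RELATED is related to ip_conntrack and associated modules

#iptables -t filter -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# accept traffic related to ESTABLISHED connections

iptables -t filter -A INPUT -m state --state ESTABLISHED -j ACCEPT

# allow specific traffic to be forwarded (example)

# HTTPS=443

# iptables -t filter -A FORWARD -i "$INTIF" -o "$EXTIF" -p tcp -m tcp --dport "$HTTPS" -j ACCEPT

# allow ftp connections to a specific IP (for clients that support passive ftp only!)

#IP=xx.xxx.xxx.xx

#iptables -t filter -A FORWARD -i "$INTIF" -o "$EXTIF" -d "$IP" -p tcp -m tcp --dport 1024:65535 -j ACCEPT
#iptables -t filter -A FORWARD -i "$INTIF" -o "$EXTIF" -d "$IP" -p tcp -m tcp --dport 21 -j ACCEPT

# transparent proxy to squid

#iptables -t nat -A PREROUTING -i "$INTIF" -p tcp --dport 80 -j REDIRECT --to-port 3128

# the nat stuff goes here
# LAN -> EXTIF: anything out, only reply/related traffic back in

iptables -t filter -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
iptables -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

# same applies to SRVIF which also needs NAT

iptables -t filter -A FORWARD -i "$SRVIF" -o "$INTIF" -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t filter -A FORWARD -i "$INTIF" -o "$SRVIF" -j ACCEPT
iptables -t nat -A POSTROUTING -o "$SRVIF" -j MASQUERADE

# forward specific ports to an internal machine
# target machines must be registered as SERVERS at igw-common.sh
# Argument order as used here appears to be: internal host, public port,
# internal port, protocol, ingress interface, action -- confirm against the
# forward_service definition in igw-common.sh.

forward_service 192.168.1.2 25 25 tcp "$SRVIF" add
forward_service 192.168.1.2 995 995 tcp "$SRVIF" add
forward_service 192.168.1.2 80 80 tcp "$SRVIF" add
forward_service 192.168.1.2 2222 22 tcp "$SRVIF" add

# temp VM Windows
#forward_service 192.168.1.104 3389 3389 tcp "$SRVIF" add

# this must be enabled on every boot, on /etc/sysctl.conf
# Done last: forwarding is only switched on once the FORWARD chain is populated.

if ! printf '1\n' > /proc/sys/net/ipv4/ip_forward; then
  printf '%s: could not enable ip_forward\n' "${0##*/}" >&2
  exit 1
fi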


