Listing the current rules: `iptables -L -n -v` shows the standard (filter) table, which is the default; `iptables -t nat -L -n -v` shows the nat table. `-n` skips reverse-DNS lookups on every address (much faster, and no DNS traffic from a firewall host), and `-v` adds interfaces and packet/byte counters so you can see which rules actually match.
iptables Bash Script
This is a very basic example of iptables and how to use it: a default-deny host firewall that lets through loopback traffic, replies to connections this host started, and anything from a few trusted networks.
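#!/bin/bash
# Minimal host firewall: default-deny in every direction, then punch holes for
# loopback, replies to connections this host started, and a handful of trusted
# source networks.
#
# Rules are applied one at a time and the script does NOT stop on a failed
# rule, so verify the result with `iptables -L -n -v` afterwards. Run it from
# the console (or with a scheduled rollback): the DROP policies take effect
# before the ACCEPT rules below exist, and a rule that fails to load can lock
# out a remote session.
iptables="/sbin/iptables"
standard_ports="5060"      # SIP signalling; used by the commented-out OUTPUT example at the bottom
lan="192.168.205.0/255.255.255.0"
vpn30="192.168.30.0/255.255.255.0"
vpn20="192.168.20.0/255.255.255.0"
vpn10="192.168.10.0/255.255.255.0"
any="0.0.0.0/0"            # "every address" needs the /0 mask; a bare 0.0.0.0 is one host (currently unused)
# A hostname in a rule is resolved through DNS once, when the rule is loaded,
# so prefer the IP address form for anything security-relevant.
yourserver="your.server.com"
# Placeholder -- replace with the real address. Every octet must be 0-255 or
# iptables rejects the rule that uses it (the old value 200.0.168.500 did not parse).
yourserverip="203.0.113.10"

# Start from an empty filter table: flush rules, zero counters, delete user chains.
$iptables -F
$iptables -Z
$iptables -X

# Policies (-P) are the fallback used when no rule matches.
#   INPUT   -> packets addressed to this machine: drop
#   FORWARD -> packets routed through this machine to others: drop
#   OUTPUT  -> packets originating from this machine: drop (opened up below)
$iptables -P INPUT DROP
$iptables -P FORWARD DROP
$iptables -P OUTPUT DROP

# NOTE: the usual layout is to put rules in user-defined chains and jump to them
# from INPUT/OUTPUT/FORWARD. The rules here are simple enough to live directly
# on the built-in chains, so the 'states' chain is only reached from INPUT.
# If you wanted every built-in chain to go through it, use one rule per
# protocol -- iptables accepts a single -p value, so "-p tcp,udp" is not valid:
#$iptables -A INPUT   -p tcp -j states
#$iptables -A INPUT   -p udp -j states
#$iptables -A OUTPUT  -p tcp -j states
#$iptables -A FORWARD -p tcp -j states

# User-defined chain (-N creates it). A chain is a list of rules; a packet that
# matches nothing in it drops back into the chain that jumped here.
$iptables -N states
# Accept anything belonging to a connection conntrack already knows about: the
# reply half of outbound connections and ICMP errors tied to them. "-m state"
# is the older spelling of "-m conntrack --ctstate".
$iptables -A states -m state --state ESTABLISHED,RELATED -j ACCEPT
# Narrower examples. Beware that "-d localhost" resolves to 127.0.0.1 and would
# only match loopback traffic, not packets sent to this host's real addresses;
# leave -d out to match any local address.
#$iptables -A states -m state --state NEW -s "$lan" -j ACCEPT
#$iptables -A states -m state --state ESTABLISHED -s "$yourserver" -p udp -j ACCEPT

# Loopback is unrestricted in both directions.
$iptables -A INPUT  -i lo -p all -j ACCEPT
$iptables -A OUTPUT -o lo -p all -j ACCEPT

# Inbound: let conntrack accept replies first, then trust the listed networks.
$iptables -A INPUT -p all -j states
# NOTE(review): the four rules below trust the SOURCE ADDRESS only. A packet
# arriving on the Internet-facing interface with a forged 192.168.x.x source
# matches just the same unless reverse-path filtering is enabled or each rule
# is pinned to the interface that network really sits behind
# ("-i <lan or vpn interface>").
$iptables -A INPUT -p all -s "$vpn30" -j ACCEPT
$iptables -A INPUT -p all -s "$lan"   -j ACCEPT
$iptables -A INPUT -p all -s "$vpn20" -j ACCEPT
$iptables -A INPUT -p all -s "$vpn10" -j ACCEPT
# Trusted remote host. Use the variable instead of repeating the literal so the
# address lives in exactly one place.
$iptables -A INPUT -p all -s "$yourserverip" -j ACCEPT

# Outbound: everything this machine sends is allowed. The commented-out lines
# show the tighter alternative (replies only, SIP to $yourserverip, and HTTP).
# As above, "-s localhost" would mean 127.0.0.1 only -- omit -s to match every
# address this host owns.
#$iptables -A OUTPUT -p all -j states
$iptables -A OUTPUT -p all -j ACCEPT
#$iptables -A OUTPUT -p udp --dport "$standard_ports" -d "$yourserverip" -j ACCEPT
#$iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT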
iptables NAT (Network Address Translation)
iptables keeps NAT rules in a separate table (`-t nat`) with its own chains (PREROUTING, OUTPUT, POSTROUTING). It is useful for forwarding a privileged port, e.g. 80, to an application server listening on an unprivileged one such as 8090 (Tomcat or JBoss), so the service does not need to run as root to bind the low port. The script below uses 83 and 8003 as its example pair.
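#!/bin/bash
# Redirect TCP port $from_port to a service listening on $to_port (e.g. an app
# server that cannot bind a low port). Connections from outside and
# connections from the host itself pass through different nat chains, so two
# rules are needed -- see below.
iptables="/sbin/iptables"
lan="192.168.0.0/255.255.255.0"
wan_if="eth0"        # interface on which outside connections arrive
from_port="83"       # port clients connect to
to_port="8003"       # port the service actually listens on

# Empty both tables this script touches: filter (the default) and nat.
$iptables -F
$iptables -Z
$iptables -X
$iptables -t nat -F
$iptables -t nat -Z
$iptables -t nat -X

# Filter rules. NOTE(review): this script sets no -P policies, so whatever
# policy was in force before it ran still applies. With the stock ACCEPT
# policies these two rules change nothing, and $to_port stays reachable
# directly from anywhere rather than only through $from_port.
$iptables -A INPUT -p all -s "$lan" -j ACCEPT
$iptables -A OUTPUT -p all -j ACCEPT

# Connections arriving on $wan_if traverse PREROUTING: rewrite the port there.
$iptables -t nat -A PREROUTING -i "$wan_if" -p tcp --dport "$from_port" -j REDIRECT --to-port "$to_port"
# Locally generated connections never traverse PREROUTING, only the nat OUTPUT
# chain, so they need their own rule; without it, connections from this host
# to port $from_port are not redirected. The rule is limited to traffic the
# host delivers to itself (-o lo): without that restriction every outbound
# connection from this host to ANY remote host on port $from_port would be
# rewritten to $to_port as well.
$iptables -t nat -A OUTPUT -o lo -p tcp --dport "$from_port" -j DNAT --to ":$to_port"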