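Subj : HTTP SERVER ON FORWARDED MACHINE
To : comp.os.linux.networking,comp.os.linux,comp.os.linux.redhat,comp.os.linux.security,comp.os.linux.misc
From : joealey2003
Date : Mon Aug 23 2004 08:55 am

Hi all... I have a redhat linux 9 connected to the internet and 1 computer that receives internet forwarded from the linux. What i need is to run a valid on internet http server on this forwarded computer where i run apache on port 80. Anyone can help with iptables or anything? I know that a transparent proxy is very similar, but it doesn't work. Here goes my script anyway...

//////////////////////////////
#! /bin/sh
#
# Router/firewall ruleset for a Red Hat 9 box with one Internet interface
# (eth0) and two masqueraded LAN interfaces (eth1, eth2).
#
# Policy:
#   * INPUT / OUTPUT / FORWARD default to DROP.
#   * LAN hosts may reach the router and the Internet.
#   * The Internet may only send replies (ESTABLISHED,RELATED) plus one
#     published service: TCP port 80 is DNAT'd to the LAN host named in
#     WEB_SERVER_IP (the "http server on the forwarded machine" use case).
#   * Packets arriving from the Internet with a LAN source address are
#     dropped (anti-spoofing).
#
# Must run as root.  Re-running it flushes and rebuilds the whole ruleset.

# Turn on IP forwarding.  This only makes the box a router; what is
# actually passed is decided by the FORWARD chain below.
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# Reverse-path filtering: the kernel drops packets whose source address
# would not be routed back out the interface they came in on.
for rpf in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$rpf"
done

IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe

IFACE_INTERNET=eth0
IFACE_LOCALLAN=eth2
IFACE_LOCALLAN_2=eth1

# LAN host that runs Apache and must be reachable from the Internet on
# TCP/80.  Leave WEB_SERVER_IP empty to publish nothing.
# NOTE: LAN clients cannot reach the server through the *public* address
# with this ruleset (that needs an extra SNAT "hairpin" rule); they should
# use the LAN address directly.
WEB_SERVER_IP=
WEB_SERVER_PORT=80

############################ SETTING UP IP ADDRESS ###########################
########################## ETH 0 #################
# Read address, netmask and broadcast of the Internet interface from
# ifconfig.  After the pipeline the string has the shape "IP/MASK BROADCAST".
# BUG FIX: the original ran `ifconfig $ife` with $ife never assigned, so
# ifconfig listed *every* interface and the first 'inet' line (frequently
# lo or a LAN interface) was taken as the Internet address.
if=$(ifconfig "$IFACE_INTERNET" 2>/dev/null \
  | grep 'inet ' \
  | sed 's/[[:alpha:]:]//g' \
  | gawk '{ print $1"/"$3" "$2 }')
if [ -z "$if" ]; then
  printf 'Error: Interface %s is down - failed to initialize\n' "$IFACE_INTERNET" >&2
  exit 1
fi
IP_INTERNET=$(echo "$if" | cut -f1 -d'/')
BROADCAST_INTERNET=$(echo "$if" | cut -f2 -d' ')
NET_INTERNET=$(echo "$if" | cut -f1 -d' ')

########################## ETH 1 & ETH 2 #################
# The LAN side is configured statically below.  An earlier version probed
# the LAN interfaces with the same ifconfig pipeline in a loop
# (lan_if_ip[], lan_if_bc[], local_net[]); it is kept here for reference.
#ife2=`echo $ife | cut -f1 -d:` # cut off alias
#declare -i c=0
#for i in $ifi; do
#  if=`ifconfig $i 2>/dev/null | grep 'inet ' | sed s/[[:alpha:]:]//g | gawk '{ print $1"/"$3" "$2 }'`
#  if [ ! "$if" ]; then
#    echo -e "Error: Interface $i is down - failed to initialize"
#    exit 1
#  fi;
#  lan_if_ip[$c]=`echo $if | cut -f1 -d'/'`
#  lan_if_bc[$c]=`echo $if | cut -f2 -d' '`
#  local_net[$c]=`echo $if | cut -f1 -d' '`
#  ((c=c+1))
#done;
#IP_INTERNET=200.167.253.63
#BROADCAST_INTERNET=200.167.253.255

# NOTE(review): 193.168.0.0/24 and 194.168.0.0/24 are NOT RFC 1918 private
# space (that is 10/8, 172.16/12, 192.168/16).  Using public ranges on the
# LAN means those real Internet networks become unreachable from inside and
# the anti-spoofing drops below will also hit legitimate traffic from them.
# Consider renumbering to 192.168.x.0/24.
IP_LOCALLAN=194.168.0.1
IP_LOCALLAN_2=193.168.0.1
SUBNET_LOCALLAN=194.168.0.0/24
SUBNET_LOCALLAN_2=193.168.0.0/24
BROADCAST_LOCALLAN=194.168.0.255
BROADCAST_LOCALLAN_2=193.168.0.255
########################### END SETTING UP NET ADDRESSES #####################

#
# (a) Load the netfilter modules first, so the flush below acts on real
#     tables instead of relying on iptables auto-loading them.
#
$MODPROBE ip_tables
$MODPROBE ip_conntrack
$MODPROBE iptable_filter
$MODPROBE iptable_mangle
$MODPROBE iptable_nat
$MODPROBE ipt_LOG
$MODPROBE ipt_limit
$MODPROBE ipt_state
$MODPROBE ipt_MASQUERADE
# FTP helper: lets the data connection of an outbound FTP session be
# matched as RELATED instead of needing its own open port.
$MODPROBE ip_conntrack_ftp

#
# (1) Default policies -- set BEFORE flushing so there is no window in
#     which the chains are empty and ACCEPT-by-default.
#
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# (0) Flush existing stuff
#
$IPTABLES --flush
$IPTABLES --table nat --flush
$IPTABLES --delete-chain
$IPTABLES --table nat --delete-chain

#
# (2) User-defined chain for ACCEPTed TCP packets (currently unused)
#
#### $IPTABLES -N okay
#### $IPTABLES -A okay -p TCP --syn -j ACCEPT
#### $IPTABLES -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
#### $IPTABLES -A okay -p TCP -j DROP

#
# (log) -- chain exists but nothing jumps to it yet
#
$IPTABLES -N log

#
# (3) INPUT chain rules
#
# Anti-spoofing: a packet from the Internet must never carry a LAN address.
$IPTABLES -A INPUT -i "$IFACE_INTERNET" -s "$SUBNET_LOCALLAN" -j DROP
$IPTABLES -A INPUT -i "$IFACE_INTERNET" -s "$SUBNET_LOCALLAN_2" -j DROP
$IPTABLES -A INPUT -i "$IFACE_INTERNET" -s 127.0.0.0/8 -j DROP

# allow this stuff before we log:
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -p ALL -i "$IFACE_LOCALLAN" -s "$SUBNET_LOCALLAN" -j ACCEPT
$IPTABLES -A INPUT -p ALL -i "$IFACE_LOCALLAN_2" -s "$SUBNET_LOCALLAN_2" -j ACCEPT
$IPTABLES -A INPUT -p ALL -i "$IFACE_INTERNET" -m state --state ESTABLISHED,RELATED -j ACCEPT
######################################$IPTABLES -A INPUT -p UDP -m udp --sport 67 --dport 68 -j ACCEPT
# NOTE(review): the two rules below accept packets arriving on the
# *Internet* interface that are addressed to the LAN broadcast addresses.
# That looks like it was meant for the LAN interfaces (e.g. DHCP/broadcast
# traffic with a 0.0.0.0 source, which the -s $SUBNET rules above miss).
# Confirm the intent; as written they let directed broadcasts from outside
# reach the router.
$IPTABLES -A INPUT -p ALL -i "$IFACE_INTERNET" -d "$BROADCAST_LOCALLAN" -j ACCEPT
$IPTABLES -A INPUT -p ALL -i "$IFACE_INTERNET" -d "$BROADCAST_LOCALLAN_2" -j ACCEPT

# drop this stuff before we log:
#### $IPTABLES -A INPUT -p udp -i $IFACE_INTERNET -d $BROADCAST_INTERNET -j DROP
#### $IPTABLES -A INPUT -p udp -i $IFACE_INTERNET -m udp --dport 53 -j DROP

# send this off to be logged:
# COARSE:
#### $IPTABLES -A INPUT -p TCP -m tcp --dport 0:1023 -m state --state NEW -j LOG --log-prefix "LOW PORT TCP CONNECTION:"
#### $IPTABLES -A INPUT -p UDP -m udp --dport 0:1023 -m state --state NEW -j LOG --log-prefix "LOW PORT UDP CONNECTION:"
# FINE:
#### $IPTABLES -A INPUT -p TCP -m state --state NEW -m tcp --dport 1024:65535 -j LOG --log-prefix "HIGH PORT TCP CONNECTION:"
#### $IPTABLES -A INPUT -p UDP -m state --state NEW -m udp --dport 1024:65535 -j LOG --log-prefix "HIGH PORT UDP CONNECTION:"
#### $IPTABLES -A INPUT -p TCP -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "NEW NOT SYN:"

# Rules for incoming packets from the Internet
#### $IPTABLES -A INPUT -p TCP -i $IFACE_INTERNET -s 0/0 --dport 22 -j okay

#
# (4) FORWARD chain rules
#
# Anti-spoofing, same as INPUT.
$IPTABLES -A FORWARD -i "$IFACE_INTERNET" -s "$SUBNET_LOCALLAN" -j DROP
$IPTABLES -A FORWARD -i "$IFACE_INTERNET" -s "$SUBNET_LOCALLAN_2" -j DROP

#### $IPTABLES -A FORWARD -p TCP -m tcp -o $IFACE_INTERNET -m state --state NEW -j LOG --log-prefix "OUTGOING TCP CONNECTION:"
#### $IPTABLES -A FORWARD -p UDP -m udp -o $IFACE_INTERNET -m state --state NEW -j LOG --log-prefix "OUTGOING UDP CONNECTION:"

# Replies to connections the LAN opened, and follow-up packets of the
# published web-server connections.
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# LAN -> anywhere.
$IPTABLES -A FORWARD -i "$IFACE_LOCALLAN" -j ACCEPT
$IPTABLES -A FORWARD -i "$IFACE_LOCALLAN_2" -j ACCEPT
# Internet -> LAN: ONLY new connections to the published web server.
# SECURITY FIX: the original had `-A FORWARD -i $IFACE_INTERNET -j ACCEPT`,
# which forwarded every unsolicited packet from the Internet into both LANs
# and made the FORWARD DROP policy meaningless.
if [ -n "$WEB_SERVER_IP" ]; then
  $IPTABLES -A FORWARD -i "$IFACE_INTERNET" -o "$IFACE_LOCALLAN" \
    -p tcp -d "$WEB_SERVER_IP" --dport "$WEB_SERVER_PORT" \
    -m state --state NEW -j ACCEPT
  $IPTABLES -A FORWARD -i "$IFACE_INTERNET" -o "$IFACE_LOCALLAN_2" \
    -p tcp -d "$WEB_SERVER_IP" --dport "$WEB_SERVER_PORT" \
    -m state --state NEW -j ACCEPT
fi

#
# (5) OUTPUT chain rules
#
# Only output packets with local addresses (no spoofing)
$IPTABLES -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s "$IP_LOCALLAN" -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s "$IP_LOCALLAN_2" -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s "$IP_INTERNET" -j ACCEPT

#
# (6) NAT
#
# Masquerade everything leaving on the Internet interface.
$IPTABLES -t nat -A POSTROUTING -o "$IFACE_INTERNET" -j MASQUERADE
# Publish the LAN web server: rewrite TCP/80 arriving from the Internet to
# the LAN host.  Matching on -i rather than -d $IP_INTERNET keeps this
# working when the Internet address changes (ip_dynaddr is on).
if [ -n "$WEB_SERVER_IP" ]; then
  $IPTABLES -t nat -A PREROUTING -i "$IFACE_INTERNET" -p tcp --dport 80 \
    -j DNAT --to-destination "$WEB_SERVER_IP:$WEB_SERVER_PORT"
else
  printf 'Note: WEB_SERVER_IP is empty - no port forward for TCP/80 installed\n' >&2
fi

#########################
# PORT 21##
#########################
# NOTE(review): the INPUT rule has no -i, so it opens TCP 20-21 on the
# router on every interface, including the Internet one.  If the goal is
# only outbound FTP from the router or the LAN, ip_conntrack_ftp (loaded
# above) already makes the data connection RELATED and this rule can go;
# if an FTP server really runs here, add -i "$IFACE_LOCALLAN" etc.
# The OUTPUT rule is redundant with the by-source-address rules in (5).
$IPTABLES -A OUTPUT -p tcp -m tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p tcp --dport 20:21 -j ACCEPT
#########################

printf 'Done!\n'
.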