[Solved] iptables NAT - print version
uhuC (https://uhuc.de), forum "uhuc Classic" > "Hilfeforum" (https://uhuc.de/forum-5.html), thread /thread-415.html
iptables NAT - kromonos - 05.10.2013

I've got a problem with iptables here. As a gateway it works flawlessly, just unfortunately not the inbound NAT. I cobbled together/adapted the following script:

[shcode=bash]
#!/bin/sh
#
# Copyright 2007 Fabio Baltieri (fabio.baltieri[at]gmail.com)
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This script has been developed and used on a GNU/Linux Slackware
# based system, to use it, just set the correct variables (LAN and WAN
# interface names), set the correct subnet under the INPUT rules and
# place the script in /etc/rc.d/rc.firewall so that it will be
# automatically called by rc.inet2.
# Also, you probably want to customize the rules for your particular
# configuration and create some mapping for internal services on the
# network, a template is present under the "DNAT" section.

IPTABLES=iptables
MODPROBE=modprobe

LAN=eth0
WAN=ppp0

firewall_start() {
	echo "Loading firewall rules"

	# Netfilter core, NAT and the connection-tracking helpers
	$MODPROBE x_tables
	$MODPROBE ip_tables
	$MODPROBE iptable_filter
	$MODPROBE iptable_nat
	$MODPROBE nf_conntrack
	$MODPROBE nf_conntrack_ftp ports=21,2121
	$MODPROBE nf_conntrack_irc
	$MODPROBE nf_conntrack_pptp
	$MODPROBE nf_nat_ftp
	$MODPROBE nf_nat_irc
	$MODPROBE nf_nat_pptp

	# Enable IP forwarding, rp_filter and syncookies
	echo 1 > /proc/sys/net/ipv4/ip_forward
	echo 1 > /proc/sys/net/ipv4/tcp_syncookies
	echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
	echo 0 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
	echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
	echo 61 > /proc/sys/net/ipv4/ip_default_ttl
	echo 1 > /proc/sys/net/ipv4/tcp_abort_on_overflow
	echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
	echo 3 > /proc/sys/net/ipv4/tcp_syn_retries
	echo 3 > /proc/sys/net/ipv4/tcp_synack_retries

	# Firewall rules
	$IPTABLES -P INPUT ACCEPT
	$IPTABLES -A INPUT -i lo -j ACCEPT
	$IPTABLES -A INPUT -i $LAN -s 172.16.0.0/16 -j ACCEPT
	$IPTABLES -A INPUT -i $LAN -p udp --dport bootps -j ACCEPT
	# $IPTABLES -A INPUT -i $WAN -p tcp --dport auth -j REJECT --reject-with tcp-reset
	$IPTABLES -A INPUT -i $WAN -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT
	$IPTABLES -A FORWARD -i $WAN -m state --state ESTABLISHED,RELATED,NEW -j ACCEPT

	# Forwarding
	$IPTABLES -A FORWARD -p tcp -m multiport --dport 135,136,137,138,139,445 -j DROP
	$IPTABLES -A FORWARD -p udp -m multiport --dport 137,138,139,445 -j DROP
	# Clamp the TCP MSS to the path MTU of the PPP link
	$IPTABLES -t mangle -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

	# Masquerading
	$IPTABLES -t nat -A POSTROUTING -o $WAN -j MASQUERADE

	# DNAT: forward 443 and 25 arriving on the WAN side to the internal host 172.16.0.54
	$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp --dport 443 -j DNAT --to 172.16.0.54:443
	$IPTABLES -I INPUT -p tcp -m tcp --dport 443 -j ACCEPT
	$IPTABLES -I FORWARD -i $WAN -p tcp --dport 443 -d 172.16.0.54 -j ACCEPT
	$IPTABLES -t nat -A PREROUTING -i $WAN -p tcp --dport 25 -j DNAT --to 172.16.0.54:25
	$IPTABLES -I INPUT -p tcp -m tcp --dport 25 -j ACCEPT
	$IPTABLES -I FORWARD -i $WAN -p tcp --dport 25 -d 172.16.0.54 -j ACCEPT
}

firewall_stop() {
	# Disable IP forwarding
	echo 0 > /proc/sys/net/ipv4/ip_forward

	# Reset default policy to ACCEPT
	$IPTABLES -t filter -P INPUT ACCEPT
	$IPTABLES -t filter -P FORWARD ACCEPT
	$IPTABLES -t filter -P OUTPUT ACCEPT
	$IPTABLES -t nat -P PREROUTING ACCEPT
	$IPTABLES -t nat -P POSTROUTING ACCEPT
	$IPTABLES -t nat -P OUTPUT ACCEPT

	# Flush rules
	$IPTABLES -F -t filter
	$IPTABLES -F -t nat
	$IPTABLES -F -t mangle
	$IPTABLES -X
	$IPTABLES -t mangle -X
	$IPTABLES -t nat -X
}

firewall_status() {
	echo
	echo "Table: filter"
	echo
	$IPTABLES -v -t filter -L --line-numbers
	echo
	echo "Table: nat"
	echo
	$IPTABLES -v -t nat -L --line-numbers
	echo
}

case "$1" in
	'start'|'restart')
		firewall_stop
		firewall_start
		;;
	'stop')
		firewall_stop
		;;
	'status')
		firewall_status
		;;
	*)
		echo "usage $0 start|stop|restart|status"
esac
[/shcode]

As already mentioned, it works without problems as a gateway, but I cannot reach the forwarded ports from outside. Does anyone perhaps have a solution for this?

EDIT: OK, apparently the script works as intended. It is just that the UMTS connection does not allow direct inbound connections -_-
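The EDIT names the real cause, and it is worth checking before the DNAT rules get blamed: a PREROUTING rule on ppp0 only sees packets that actually arrive there, and an Internet host cannot open a connection to a WAN address from the RFC 1918 or RFC 6598 (carrier-grade NAT, 100.64.0.0/10) ranges that mobile uplinks commonly hand out. The following check is an added example, not part of kromonos's post or of the firewall script; the function names are my own, the interface name ppp0 is the script's WAN, and the classification of address ranges is the only logic it contains.

```sh
#!/bin/sh
# Added diagnostic, not part of the forum post or of the firewall script.
# Tells you whether the WAN interface holds an address that Internet hosts
# can reach at all; if not, inbound DNAT cannot work no matter the rules.
# Function names are my own; ppp0 is the WAN interface from the script.

# ip_class ADDR -> public | private | cgnat | link-local | loopback | invalid
ip_class() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.|*.*.*.*.*) echo invalid; return 0 ;;
        *.*.*.*) ;;                                # exactly four octets
        *) echo invalid; return 0 ;;
    esac
    a=${1%%.*}; rest=${1#*.}
    b=${rest%%.*}; rest=${rest#*.}
    c=${rest%%.*}; d=${rest#*.}
    for o in "$a" "$b" "$c" "$d"; do
        [ "$o" -le 255 ] || { echo invalid; return 0; }
    done
    if   [ "$a" -eq 10 ];                                         then echo private
    elif [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ];   then echo private
    elif [ "$a" -eq 192 ] && [ "$b" -eq 168 ];                     then echo private
    elif [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ];  then echo cgnat
    elif [ "$a" -eq 169 ] && [ "$b" -eq 254 ];                     then echo link-local
    elif [ "$a" -eq 127 ];                                         then echo loopback
    else echo public
    fi
}

# inbound_possible ADDR -> yes if Internet hosts can address ADDR directly
inbound_possible() {
    [ "$(ip_class "$1")" = public ] && echo yes || echo no
}

# wan_addr IFACE -> the interface's IPv4 address (empty if none); handles both
# "inet A.B.C.D/24" and the PPP form "inet A.B.C.D peer X.X.X.X/32"
wan_addr() {
    ip -4 -o addr show dev "$1" 2>/dev/null | awk '{print $4}' | cut -d/ -f1 | head -n 1
}

# Usage: sh natcheck.sh ppp0   (does nothing without an interface argument)
if [ $# -eq 1 ]; then
    addr=$(wan_addr "$1")
    if [ -z "$addr" ]; then
        echo "$1: no IPv4 address, is the link up?"
    else
        echo "$1 has $addr ($(ip_class "$addr")), inbound DNAT possible: $(inbound_possible "$addr")"
    fi
fi
```

If the WAN address is reported as private or cgnat, only the provider can change that (a public IP option or IPv6); a tunnel to a host with a public address is the usual workaround.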