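#!/bin/bash
# NAT gateway firewall for a small LAN (192.168.0.0/24) behind a PPP link.
# Masquerades the LAN on the external interface, opens a handful of local
# services on INPUT and DNATs a few ports to inside machines.
#
# Must run as root. Safe to rerun: every table is flushed first, so a second
# run does not leave duplicate MASQUERADE/DNAT rules behind.
#
# Fixes relative to the original version of this script:
#  - wrapped commands are back on one line (the continuation fragments such as
#    "ESTABLISHED,RELATED -j ACCEPT" were being run as separate commands);
#  - comment continuations that had lost their leading "#" are comments again;
#  - "echo 1 > .../ip_forward > /dev/null" redirected stdout twice, so the "1"
#    went to /dev/null and forwarding was never switched on;
#  - "insmod ip_conntrack_ftp" needs a module path on modern kernels; modprobe
#    takes the module name;
#  - only the filter table was flushed, nat and mangle accumulated rules.
#
# NOTE(review): the ACCEPT rules for 21, 22, 110, 113, 143, 67/udp, 138/udp and
# the DNAT rules for 2001 and 5901 carry no -s match, so they are reachable from
# any source address. Add -s "$LAN" to the ones that are only needed locally.

iptables=/sbin/iptables
# Network allowed to use the "local only" services.
LAN=192.168.0.0/255.255.255.0
# External (internet) interface. Be careful: if a modem is also attached it may
# take the ppp0 name instead of the intended link.
EXT=ppp0

# FLUSH ALL and prepare to send mail...
service iptables stop > /dev/null
sleep 1
# Flush every table and delete user-defined chains (not just filter).
for table in filter nat mangle; do
  $iptables -t "$table" -F
  $iptables -t "$table" -X
done
date > /root/date

# Load the netfilter modules. Failures are ignored on purpose: where these are
# built into the kernel, modprobe simply has nothing to do.
modprobe ip_tables > /dev/null
modprobe iptable_nat > /dev/null
modprobe ip_conntrack > /dev/null
# FTP helper so RELATED data connections pass the state rule below.
modprobe ip_conntrack_ftp > /dev/null 2>&1

# Enable routing between interfaces (single redirect, see header).
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "starting NAT for ALL!"
# --> unless you configure squid instead!!
$iptables -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE

# FW: default policies. INPUT is closed; FORWARD and OUTPUT are open.
# NOTE(review): FORWARD ACCEPT lets every forwarded packet through, including
# the DNAT'd ones below; tighten to DROP plus explicit rules if the LAN needs
# more protection than the NAT itself provides.
$iptables -P INPUT DROP
$iptables -P FORWARD ACCEPT
$iptables -P OUTPUT ACCEPT
# Replies to connections we opened (and FTP data via the conntrack helper).
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# accept all traffic from Home (disabled)
#$iptables -t filter -A INPUT -s $LAN -j ACCEPT
#@@@@@@@@@@@@@@@@@@@@@ #Jungle# @@@@@@@@@@@@@@@@@@@@@@@@@
# icmp - for my local net only
$iptables -t filter -A INPUT -s "$LAN" -p icmp -j ACCEPT
# usermin - for local net only (disabled)
#$iptables -t filter -A INPUT -s $LAN -p tcp --dport 20000 -j ACCEPT
# imap (any source)
$iptables -t filter -A INPUT -p tcp --dport 143 -j ACCEPT
# mysql (disabled)
#$iptables -t filter -A INPUT -p tcp --dport 3306 -j ACCEPT
# squirrelmail (identd, any source)
$iptables -t filter -A INPUT -p tcp --dport 113 -j ACCEPT
# ssh (any source)
$iptables -t filter -A INPUT -p tcp --dport 22 -j ACCEPT
# ftp: for all
$iptables -t filter -A INPUT -p tcp --dport 21 --syn -j ACCEPT
# squid: local only
$iptables -t filter -A INPUT -s "$LAN" -p tcp --dport 3128 --syn -j ACCEPT

# TS (terminal services) for Windows 2000 at 192.168.0.5
# (connecting from outside: fw default for one machine only - on that default
#  port you cannot connect from inside out!)
#$iptables -t nat -A PREROUTING -p tcp --dport 3389 -j DNAT --to-destination 192.168.0.3:3389
# (connecting from outside to a specific machine, one of a few:
#  configure: properties of local area connection | advanced tab |
#  select "protect my computer" | settings button |
#  add: name: ts, ip: of the xp machine, external port: 2000, internal port 3389)
# from the xp connection go: ros.co.il:2001
# (you cannot connect from 98 to ts xp!)
$iptables -t nat -A PREROUTING -p tcp --dport 2001 -j DNAT --to-destination 192.168.0.3:3389

# junkbuster: local only (disabled)
#$iptables -t filter -A INPUT -s $LAN -p tcp --dport 8000 --syn -j ACCEPT
# ***************** local pop3 (any source) **************************
$iptables -t filter -A INPUT -p tcp --dport 110 --syn -j ACCEPT
# local smtp
# local network only (disabled):
#$iptables -t filter -A INPUT -s $LAN -p tcp --dport 25 --syn -j ACCEPT
# smtp: one new connection per second, burst rate of ten
$iptables -A INPUT -p tcp --dport 25 --syn -m limit --limit 1/s --limit-burst 10 -j ACCEPT
# local http (https 443 is further down, disabled)
$iptables -t filter -A INPUT -p tcp --dport 80 --syn -j ACCEPT
# **************** v-- this or that --^ *****************
######### route ports 25+110+80 to exchange & IIS on 192.168.0.5 (disabled) #############
#$iptables -A PREROUTING -t nat -p tcp -d 192.114.42.72 --dport 110 -j DNAT --to 192.168.0.5:110
#$iptables -A PREROUTING -t nat -p tcp -d 192.114.42.72 --dport 25 -j DNAT --to 192.168.0.5:25
#$iptables -A PREROUTING -t nat -p tcp -d 192.114.42.72 --dport 80 -j DNAT --to 192.168.0.5:80
################## ################################
# dns
$iptables -t filter -A INPUT -p udp --dport 53 -j ACCEPT
# telnet (disabled)
#$iptables -t filter -A INPUT -p tcp --dport 23 --syn -j ACCEPT
# lpd local only (disabled)
#$iptables -t filter -A INPUT -s $LAN -p tcp --dport 515 --syn -j ACCEPT
# Tightvnc (l: 1:5801, 2:5902) (disabled)
#$iptables -t filter -A INPUT -p tcp --dport 5801 --syn -j ACCEPT
# route a connection by port to an individual pc; in the viewer use: ros.co.il::5901
# at the station you must configure the vnc server to accept that port
$iptables -t nat -A PREROUTING -p tcp --dport 5901 -j DNAT --to-destination 192.168.0.3:5901
#$iptables -t nat -A PREROUTING -p tcp --dport 5902 -j DNAT --to-destination 192.168.0.35:5902
# DHCP: local only
# NOTE(review): no -s match here, so 67/udp and 138/udp are accepted from any
# source despite the "local only" label.
$iptables -t filter -A INPUT -p udp --dport 67 -j ACCEPT
$iptables -t filter -A INPUT -p udp --dport 138 -j ACCEPT
# https (disabled)
#$iptables -t filter -A INPUT -p tcp --dport 443 --syn -j ACCEPT
# ssl (disabled)
#$iptables -t filter -A INPUT -p tcp --dport 995 --syn -j ACCEPT
#$iptables -t filter -A INPUT -p tcp --dport 2291 --syn -j ACCEPT
#$iptables -t filter -A INPUT -p udp --dport 995 -j ACCEPT
#$iptables -t filter -A INPUT -p udp --dport 1900 -j ACCEPT
# smb - local only
$iptables -t filter -A INPUT -s "$LAN" -p udp --dport 137 -j ACCEPT
$iptables -t filter -A INPUT -s "$LAN" -p tcp --dport 139 --syn -j ACCEPT
# HYLAFAX CLIENT ONLY (disabled):
#$iptables -t filter -A INPUT -s $LAN -p tcp --dport 4559 --syn -j ACCEPT
# wins - local only
$iptables -t filter -A INPUT -s "$LAN" -p tcp --dport 42 --syn -j ACCEPT
# Reference ports: IRC 194, ICQ 5190, AOL messenger: 5190 + 4099,
# MSN messenger 6891-6900 for file transfer, 6901 tcp/udp for voice,
# kazaa 1214 tcp
# make a log (disabled):
#$iptables --new WATCH #2>/dev/null
#$iptables -A WATCH -m limit -j LOG --log-level warn --log-prefix "DROP"
#$iptables -A WATCH -j DROP
#$iptables -A INPUT -m state --state NEW -i eth0 -j LOG
#$iptables -A INPUT -m state --state NEW -i eth1 -j LOG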