doc:appunti:linux:sa:iptables [2014/04/16 17:35] – [Using iptables to mitigate or block a DNS Amplification Attack] niccolo
doc:appunti:linux:sa:iptables [2020/11/23 15:25] – [Shorewall and DNAT onto a local host] niccolo
Line 47: Line 47:
 </code> </code>
  
-In ''**/etc/shorewall/masq**'':+For Shorewall 5 we nedd a line in **/etc/shorewall/snat**: 
 + 
 +<code> 
 +#ACTION               SOURCE           DEST               PROTO  PORT  
 +SNAT(192.168.1.254)   192.168.1.0/24   eth0:192.168.1.5   tcp    www 
 +</code> 
 + 
 +Shorewall 4 instead requires a line in **/etc/shorewall/masq**:
  
 <code> <code>
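Review bot: typo in the added sentence, "nedd" should be "need". The new snat line puts eth0:192.168.1.5 in the DEST column, while later in this same diff the interfaces entry maps the loc zone to eth1 and the DNAT target is written as loc:192.168.1.5; worth confirming that eth0 really is the interface facing 192.168.1.5, because the hairpin SNAT only does its job when it is applied on the interface where the server lives, otherwise the server answers the LAN client directly and the client drops the reply as coming from the wrong address.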
Line 60: Line 67:
 #                                                   PORT    DEST. #                                                   PORT    DEST.
 DNAT     loc     loc:192.168.1.5  tcp    www        -       130.151.100.69 DNAT     loc     loc:192.168.1.5  tcp    www        -       130.151.100.69
 +DNAT     net     loc:192.168.1.5  tcp    www        -       130.151.100.69
 </code> </code>
 +
 +===== Shorewall with router in local LAN =====
 +
 +Hosts in LAN#1 may access hosts in LAN#2 by just adding a static route to the **192.168.2.0/24 network** via the **192.168.1.10 gateway**, but it is very annoying to modify the routing table into several hosts.
 +
 +{{shorewall-router-in-lan.png?400|Shorewall with router in LAN}}
 +
 +You can instead make **two configurations** on the Shorewall firewall. First of all you add the static route into **/etc/network/interfaces**:
 +
 +<file>
 +auto eth1
 +iface eth1 inet static
 +    address 192.168.1.1
 +    netmask 255.255.255.0
 +    up   /sbin/route add -net 192.168.2.0/24 gw 192.168.1.10 || true
 +    down /sbin/route del -net 192.168.2.0/24 gw 192.168.1.10 || true
 +</file>
 +
 +then you have to add the **routeback** option for the **eth1** interfaces in the **/etc/shorewall/interfaces** file:
 +
 +<file>
 +loc    eth1    routeback
 +</file>
  
 ===== Iptables schema ===== ===== Iptables schema =====
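Review bot: the added interfaces entry `loc eth1 routeback` only parses as intended when /etc/shorewall/interfaces uses the FORMAT 2 layout (ZONE INTERFACE OPTIONS); in the legacy layout the third column is BROADCAST, so the line would have to read `loc eth1 - routeback`. Stating which format the file uses, or showing the `?FORMAT 2` line, removes the ambiguity. Two smaller points: the new `DNAT net loc:192.168.1.5 tcp www - 130.151.100.69` rule publishes the local web server to the net zone, which is a new exposure compared with the loc-only line above it and deserves an inline comment saying it is intentional; and "for the eth1 interfaces" should be "for the eth1 interface".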
Line 137: Line 168:
  
 <code> <code>
-iptables -I INPUT -p udp -m string --hex-string '|047A696E67047A6F6E6702636F027561|'+/sbin/iptables -I INPUT -p udp -m string --hex-string '|047A696E67047A6F6E6702636F027561|'
-    --algo bm --from 40 --to 56 -j DROP+    --algo bm --from 40 --to 56 -j DROP -m comment --comment "DROP DNS Q zing.zong.co.ua"
 </code> </code>
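Review bot: the two lines of the iptables command are not joined with a trailing backslash, so copying the block into a shell runs `--algo bm --from 40 --to 56 ...` as a separate command and the DROP rule is never installed; ending the first line with `\` fixes it. The new `-m comment` is a good addition, but a short note that the hex string is the wire-format QNAME (`\x04zing\x04zong\x02co\x02ua`) and that `--from 40 --to 56` pins the 16-byte match to the start of the question section (20-byte IP header + 8-byte UDP header + 12-byte DNS header) would make the rule easier to maintain than the comment alone.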
  
Line 157: Line 188:
     start)     start)
         iptables -I INPUT $options -j DROP         iptables -I INPUT $options -j DROP
-        iptables -I INPUT $options -j LOG --log-level debug+        #iptables -I INPUT $options -j LOG --log-level debug
         ;;         ;;
     stop)     stop)
         iptables -D INPUT $options -j DROP         iptables -D INPUT $options -j DROP
-        iptables -D INPUT $options -j LOG --log-level debug+        #iptables -D INPUT $options -j LOG --log-level debug
         ;;         ;;
     *)     *)
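Review bot: commenting out the LOG rule in both the start) and stop) branches keeps insert and delete symmetric, which is right, but it also removes the only visibility into how often the DROP fires. If the motivation was log volume, a rate-limited variant such as `iptables -I INPUT $options -m limit --limit 1/min -j LOG --log-level debug` keeps a signal without flooding syslog; since it is inserted with -I after the DROP, it still lands above the DROP and matches first, which is the intended order.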
doc/appunti/linux/sa/iptables.txt · Last modified: 2020/11/23 15:28 by niccolo