4 Mar 2010
Firewall and NAT on three ethernet interfaces
eth0 <-> ppp0: internet uplink
eth1 -> hotspot
eth2 -> local LAN, internet sharing through a transparent Squid proxy
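# Firewall / NAT for a three-interface gateway:
#   $EXTIF (ppp0) - internet uplink
#   $INTIF (eth1) - hotspot segment, clients handled by ChilliSpot
#   $LAN   (eth2) - local LAN, web traffic transparently proxied by Squid (3128)
#
# Every rule is appended with -A and nothing is flushed first, so running this
# script twice duplicates the whole ruleset; flush (or reboot) before
# re-applying it.
#
# NOTE(review): the published copy had been mangled by the web renderer
# (typographic quotes and en-dashes instead of ASCII quotes and "--"), and the
# tails of several long rules were wrapped onto their own lines, where the
# shell would have run them as commands (e.g. a bare "--to-port 3128").  Both
# are repaired here; the duplicated "-i $INTIF -j DROP" forward rule is removed.
IPTABLES="/sbin/iptables"
EXTIF="ppp0"
INTIF="eth1"
LAN="eth2"

# Default policies: unsolicited input is dropped, forwarding is allowed unless
# a rule below says otherwise.
# NOTE(review): with FORWARD defaulting to ACCEPT, any interface not named
# below (e.g. whatever interface ChilliSpot hands its clients) is forwarded
# without restriction -- confirm that is intended before tightening to DROP.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Replies to connections this host opened are accepted on every interface.
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Internet-facing interface: new connections only for ssh (and http, see
# below); everything else is rejected.
$IPTABLES -A INPUT -i "$EXTIF" -p tcp -m tcp --dport 22 --syn -j ACCEPT
# This line is active, so HTTP on this host is reachable from the internet;
# comment it out if the box should not serve HTTP to the outside.
$IPTABLES -A INPUT -i "$EXTIF" -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -i "$EXTIF" -j REJECT

# Disabled alternative: per-interface proxy and forwarding rules for eth2.
# Kept for reference only; the active equivalents are at the end of the file.
#$IPTABLES -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j REDIRECT --to-ports 3128
#$IPTABLES -A FORWARD -i eth2 -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i eth2 -o $EXTIF -j ACCEPT
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#$IPTABLES -t nat -A PREROUTING -i $LAN -p tcp --dport 80 -j REDIRECT --to-ports 3128
#$IPTABLES -A FORWARD -i $EXTIF -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A FORWARD -i $LAN -o $EXTIF -j ACCEPT

# Hotspot interface: only related/established traffic (matched above) reaches
# this host; everything else is dropped.
$IPTABLES -A INPUT -i "$INTIF" -j DROP
# The local LAN is trusted for input.
$IPTABLES -A INPUT -i "$LAN" -j ACCEPT

# Any other interface: http, https, ssh, the Squid port and 3990
# (ChilliSpot's UAM port by default -- confirm against the chilli config).
# http/https are only needed if the authentication server runs on this host.
$IPTABLES -A INPUT -p tcp -m tcp --dport 80 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 443 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 3128 --syn -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 3990 --syn -j ACCEPT

# Loopback is unrestricted.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Nothing is forwarded to or from the hotspot interface, so the access points
# there can only be managed through ChilliSpot.
$IPTABLES -A FORWARD -i "$INTIF" -j DROP
$IPTABLES -A FORWARD -o "$INTIF" -j DROP

# The local LAN is forwarded in both directions.
# NOTE(review): "-o $LAN -j ACCEPT" admits NEW connections toward LAN hosts
# from every interface other than $INTIF; if hotspot clients arrive on a
# separate tunnel interface, they can reach the LAN.  Restricting non-LAN
# sources to "-m state --state ESTABLISHED,RELATED" would close that.
$IPTABLES -A FORWARD -i "$LAN" -j ACCEPT
$IPTABLES -A FORWARD -o "$LAN" -j ACCEPT

# NAT everything that leaves through the uplink.
$IPTABLES -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE

# Transparent proxy: LAN web traffic is redirected to Squid on port 3128.
$IPTABLES -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 -j REDIRECT --to-ports 3128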