In iptables I use NAT for ICS (internet connection sharing) between the wlan0 and eth0 network interfaces, plus port forwarding (DNAT) to expose services from the 172.16.0.0 network to the 192.168.0.0 network.
Here is my iptables.rules (iptables-restore format):
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
## port forwarding 1/2: rewrite the destination of connections that arrive on wlan0 for the router's own address
-A PREROUTING -d 192.168.0.5/32 -i wlan0 -p tcp -m tcp --dport 20 -j DNAT --to-destination 172.16.0.2:20
-A PREROUTING -d 192.168.0.5/32 -i wlan0 -p tcp -m tcp --dport 21 -j DNAT --to-destination 172.16.0.2:21
#-A PREROUTING -d 192.168.0.5/32 -i wlan0 -p tcp -m tcp --dport 22 -j DNAT --to-destination 172.16.0.2:22
## xinetd service for irc notifications
-A PREROUTING -d 192.168.0.5/32 -i wlan0 -p tcp -m tcp --dport 2233 -j DNAT --to-destination 172.16.0.2:2233
## ICS sharing (also FORWARD chain needs to be ACCEPT)
-A POSTROUTING -o wlan0 -j MASQUERADE
## port forward to krisko Z560 2/2
#-A POSTROUTING -o eth0 -j MASQUERADE
## ircnotify: also source-NAT the forwarded 2233 connections, so 172.16.0.2 sends its replies back through this router
## (--dport is matched after DNAT here, i.e. against 172.16.0.2:2233)
-A POSTROUTING -o eth0 -p tcp --dport 2233 -j MASQUERADE
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:TCP - [0:0]
:UDP - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p igmp -j ACCEPT
#-A INPUT -p icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
## new connections go to the per-protocol chains; anything not accepted there is rejected below
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreach
-A INPUT -p tcp -j REJECT --reject-with tcp-rst
-A INPUT -j REJECT --reject-with icmp-proto-unreach
## Allow sshd and https
-A TCP -p tcp --dport 2222 -j ACCEPT
-A TCP -p tcp --dport 443 -j ACCEPT
## Allow connection to mysql
-A TCP -p tcp --dport 3306 -j ACCEPT
## Allow NFS
-A TCP -p tcp --dport 111 -j ACCEPT
-A UDP -p udp --dport 111 -j ACCEPT
-A TCP -p tcp --dport 829 -j ACCEPT
-A UDP -p udp --dport 829 -j ACCEPT
-A TCP -p tcp --dport 20048 -j ACCEPT
-A UDP -p udp --dport 20048 -j ACCEPT
-A TCP -p tcp --dport 2049 -j ACCEPT
-A UDP -p udp --dport 2049 -j ACCEPT
## Allow DNS
#-A TCP -p tcp --dport 53 -j ACCEPT
#-A UDP -p udp --dport 53 -j ACCEPT
## port forwarding (these rules are not valid: FORWARD sees the packet after DNAT, so its destination is
## already 172.16.0.2 and "-d 192.168.0.5" never matches; with the FORWARD policy at ACCEPT they are not needed)
#-A FORWARD -d 192.168.0.5/32 -i wlan0 -p tcp -m state --state NEW -m tcp --dport 20 -j ACCEPT
#-A FORWARD -d 192.168.0.5/32 -i wlan0 -p tcp -m state --state NEW -m tcp --dport 21 -j ACCEPT
#-A FORWARD -d 192.168.0.5/32 -i wlan0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
COMMIT

NOTE: for ICS you also need to set net.ipv4.ip_forward=1. Keep in mind that with that sysctl on and the FORWARD policy at ACCEPT, the box forwards every packet it routes between wlan0 and eth0 in both directions, not only the DNATed ports; to restrict forwarding, FORWARD rules must match the post-DNAT destination (172.16.0.2), not 192.168.0.5. For the sysctl I've created the file /etc/sysctl.d/30-ipforward.conf with the following content:
net.ipv4.ip_forward=1
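As an added example (this is not the post's own iptables.rules, but a hardened variant written for this page), the following POSIX shell script emits an iptables-restore file for the same topology (wlan0 uplink reachable as 192.168.0.5, eth0 facing 172.16.0.0) with the FORWARD policy set to DROP and explicit accept rules that match the post-DNAT address, which is why the commented-out FORWARD rules in the post never matched. The variable names, the "wanport:lanhost:lanport" list format and the helper names are assumptions of this example; the INPUT chain is reduced to the stateful base, so the post's TCP/UDP service rules must be merged in before loading it on a real router.

```shell
#!/bin/sh
# Added example, not the post's rules: generate an iptables-restore file with
# DNAT port forwards, MASQUERADE for ICS, and a FORWARD chain with a DROP policy
# whose accept rules are keyed on the post-DNAT destination (the LAN host).
# WAN_IF/LAN_IF/WAN_IP/FORWARDS and the triple format are assumptions.
WAN_IF=${WAN_IF:-wlan0}
LAN_IF=${LAN_IF:-eth0}
WAN_IP=${WAN_IP:-192.168.0.5}
# "wanport:lanhost:lanport" triples; the FTP and 2233 forwards from the post
FORWARDS=${FORWARDS:-"20:172.16.0.2:20 21:172.16.0.2:21 2233:172.16.0.2:2233"}

# split one triple into $wport, $host and $lport
split_fwd() {
  wport=${1%%:*}
  rest=${1#*:}
  host=${rest%%:*}
  lport=${rest#*:}
}

gen_rules() {
  echo '*nat'
  echo ':PREROUTING ACCEPT [0:0]'
  echo ':INPUT ACCEPT [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  echo ':POSTROUTING ACCEPT [0:0]'
  # DNAT: connections arriving on the uplink for the router's address
  for f in $FORWARDS; do
    split_fwd "$f"
    echo "-A PREROUTING -i $WAN_IF -d $WAN_IP/32 -p tcp --dport $wport -j DNAT --to-destination $host:$lport"
  done
  # ICS: source-NAT everything that leaves on the uplink
  echo "-A POSTROUTING -o $WAN_IF -j MASQUERADE"
  echo 'COMMIT'
  echo '*filter'
  echo ':INPUT DROP [0:0]'
  echo ':FORWARD DROP [0:0]'
  echo ':OUTPUT ACCEPT [0:0]'
  # stateful base for INPUT; merge the router's own service rules here
  echo '-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
  echo '-A INPUT -i lo -j ACCEPT'
  # FORWARD: replies for existing connections in either direction
  echo '-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
  echo '-A FORWARD -m conntrack --ctstate INVALID -j DROP'
  # LAN hosts may open anything towards the uplink (the ICS direction)
  echo "-A FORWARD -i $LAN_IF -o $WAN_IF -m conntrack --ctstate NEW -j ACCEPT"
  # the uplink may only open the DNATed ports, matched on the post-DNAT address
  for f in $FORWARDS; do
    split_fwd "$f"
    echo "-A FORWARD -i $WAN_IF -o $LAN_IF -d $host -p tcp --dport $lport -m conntrack --ctstate NEW -j ACCEPT"
  done
  echo 'COMMIT'
}

# number of uplink-to-LAN accept rules in the generated output (one per forward)
count_wan_forwards() {
  gen_rules | grep -c -- "^-A FORWARD -i $WAN_IF -o $LAN_IF "
}

# Usage: sh gen-rules.sh print | sudo iptables-restore
if [ "${1:-}" = "print" ]; then
  gen_rules
fi
```

With a DROP policy on FORWARD, passive-mode FTP data connections to 172.16.0.2 only pass as RELATED if the nf_conntrack_ftp and nf_nat_ftp helpers are loaded (and, on kernels from 4.7 on, assigned explicitly with a CT --helper rule in the raw table), so test the FTP forward after loading these rules rather than assuming port 21 alone is enough.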