NAT & bash questions

Jordi Ferrando Fabra jferrando at netplc.com
Fri Jan 27 09:37:06 GMT 2006


I use an own-written init script to enable iptables at start-up: 
/etc/init.d/iptables_tc:

/#!/bin/sh/
/#/
/# iptables_tc - ipables/tc init script/
/#/
/# wRitten by Jordi Ferrando/
/# Debian.etch/
/# jferrando at netplc.com/

TC="/sbin/tc"
IPTABLES="/sbin/iptables"

*start()* *{*
	*echo* "Starting outbound shaping..."

	/# Reset everything to a known state (cleared)/
	/#flush de reglas/
	$IPTABLES -F
	$IPTABLES -X
	$IPTABLES -Z
	$IPTABLES -t nat -F
	/#Borrar clase entera/
	$TC qdisc del dev eth0 root

	/#Router linux con firewall y traffic shaping/
	/#(c)NETPLC, J.Ferrando, Ene-2005/1-Dic-2005/
	/#Interfaz eth0 192.168.7.5/255.255.255.248 (192.168.7.1 .. 192.168.7.6, broadcast 192.168.7.7, 192.168.7.0/29)/
	/#         eth1 192.168.8.5/255.255.255.0 (192.168.8.0/24, LAN)/
	/#Default gateway 192.168.7.1/
	
	/#DNAT tables/
	/#HTTP tcp/80/
	iptables --table nat --append PREROUTING -i eth0 -d 192.168.7.5 -p tcp --dport 80 -j DNAT --to 192.168.8.5
	(...)
	/#ROUTER SNAT para la LAN/
	iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
	
	/#Firewall red 192.168.8.0/24/
	iptables -A FORWARD -s 192.168.8.5 -j ACCEPT
	iptables -A INPUT -s 192.168.8.5 -j ACCEPT
	/#servicios a la red local surera/
	/#DNS/
	iptables -A INPUT -s 192.168.8.0/24 -i eth1 -p tcp --sport 53 -j ACCEPT
	iptables -A INPUT -s 192.168.8.0/24 -i eth1 -p tcp --dport 53 -j ACCEPT
	iptables -A INPUT -s 192.168.8.0/24 -i eth1 -p udp --sport 53 -j ACCEPT
	iptables -A INPUT -s 192.168.8.0/24 -i eth1 -p udp --dport 53 -j ACCEPT
	(...)
	/#Acceso internet/
	/#portpascual/
	iptables -A FORWARD -s 192.168.8.70 -i eth1 -m mac --mac-source 00:08:0D:C8:CE:D9 -j ACCEPT
	(...)
	/#Acceso al servidor/
	/#particularidades ordenadores/
	/#portpascual/
	iptables -A INPUT -s 192.168.8.70 -i eth1 -m mac --mac-source 00:08:0D:C8:CE:D9 -j ACCEPT
	(...)
	/#Default policy INPUT/
	iptables -A INPUT -s 192.168.8.0/24 -i eth1 -j DROP
	/#Default polity FORWARD/
	iptables -A FORWARD -s 192.168.8.0/24 -i eth1 -j DROP
	
	/#Filtrado de red 192.168.7.0/248/
	iptables -A INPUT -s 192.168.7.1 -i eth0 -m mac --mac-source 00:13:49:19:BE:A4 -j ACCEPT
	iptables -A INPUT -s 192.168.7.0/29 -i eth0 -j DROP
	
	*echo* 1 *>* /proc/sys/net/ipv4/ip_forward
	
	/#tc "Traffic Control"/
	/#This command attaches queue discipline HTB to eth0 and gives it the "handle" 1:0/
	/#This is just a name or identifier with which to refer to it below. The default 20 means that /
	/#any traffic that is not otherwise classified will be assigned to class 1:20/
	tc qdisc add dev eth0 root handle 1:0 htb default 20
	
	/#tc class add dev eth0 parent 1:0 classid 1:1 htb rate 576kbit ceil 576kbit prio 1 burst 32k cburst 32k/
	tc class add dev eth0 parent 1:0 classid 1:1 htb rate 576kbit ceil 576kbit prio 1 burst 32k cburst 3200
	/#tc class add dev eth0 parent 1:1 classid 1:5 htb rate 384kbit ceil 576kbit prio 5 burst 16k cburst 16k/
	tc class add dev eth0 parent 1:1 classid 1:5 htb rate 384kbit ceil 576kbit prio 5 burst 16k cburst 1600
	/#tc class add dev eth0 parent 1:1 classid 1:10 htb rate 256kbit ceil 576kbit prio 10 burst 8k cburst 8k/
	tc class add dev eth0 parent 1:1 classid 1:10 htb rate 256kbit ceil 576kbit prio 10 burst 8k cburst 800
	/#tc class add dev eth0 parent 1:1 classid 1:15 htb rate 128kbit ceil 576kbit prio 15 burst 4k cburst 4k/
	tc class add dev eth0 parent 1:1 classid 1:15 htb rate 128kbit ceil 576kbit prio 15 burst 4k cburst 400
	/#tc class add dev eth0 parent 1:1 classid 1:20 htb rate 64kbit ceil 576kbit prio 20 burst 2k cburst 2k/
	tc class add dev eth0 parent 1:1 classid 1:20 htb rate 64kbit ceil 576kbit prio 20 burst 2k cburst 200
	/#tc class add dev eth0 parent 1:1 classid 1:25 htb rate 8kbit ceil 16kbit prio 25 burst 1k cburst 1k/
	tc class add dev eth0 parent 1:1 classid 1:25 htb rate 2kbit ceil 4kbit prio 25 burst 8 cburst 8
	
	/#/
	tc qdisc add dev eth0 parent 1:5 handle 5:0 sfq perturb 10
	tc qdisc add dev eth0 parent 1:10 handle 10:0 sfq perturb 10
	tc qdisc add dev eth0 parent 1:15 handle 15:0 sfq perturb 10
	tc qdisc add dev eth0 parent 1:20 handle 20:0 sfq perturb 10
	iptables -A FORWARD -t mangle -s 192.168.8.0/24 -i eth1 -p tcp --sport 80 -j MARK --set-mark 10
	iptables -A FORWARD -t mangle -s 192.168.8.0/24 -i eth1 -p tcp --dport 80 -j MARK --set-mark 10
	iptables -A FORWARD -t mangle -s 192.168.8.0/24 -i eth1 -p tcp --sport 443 -j MARK --set-mark 10
	iptables -A FORWARD -t mangle -s 192.168.8.0/24 -i eth1 -p tcp --dport 443 -j MARK --set-mark 10

	/#Privileged computers (Whitelist)/
	/#surera/
	iptables -A OUTPUT -t mangle -o eth0 --source 192.168.7.5 -j MARK --set-mark 5
	(...)	
	/#/
	tc filter add dev eth0 protocol ip parent 1:0 prio 5 handle 5 fw flowid 1:5
	tc filter add dev eth0 protocol ip parent 1:0 prio 10 handle 10 fw flowid 1:10
	tc filter add dev eth0 protocol ip parent 1:0 prio 15 handle 15 fw flowid 1:15
	tc filter add dev eth0 protocol ip parent 1:0 prio 20 handle 20 fw flowid 1:20
	tc filter add dev eth0 protocol ip parent 1:0 prio 25 handle 25 fw flowid 1:25
	
	/#Print tc statictics/
	/#tc -s -d class show dev eth0/
	/#tc -s -d qdisc show dev eth0/

	*echo* "Outbound shaping added to surera"  
*}*

*stop()* *{*
	*echo* "stop ..."
	/# Reset everything to a known state (cleared)/
	/#flush de reglas/
	$IPTABLES -F
	$IPTABLES -X
	$IPTABLES -Z
	$IPTABLES -t nat -F
	/#Borrar clase entera/
	$TC qdisc del dev eth0 root

	*echo* "Shaping removed on surera"
*}*

*status()* *{*
	*echo* "[iptables]"
	$IPTABLES -L -v -n
	$IPTABLES -L -v -n -t nat
	*echo* "---- qdisc parameters ----------"
	tc qdisc *ls* dev eth0
	*echo* "---- Class parameters ----------"
	tc class *ls* dev eth0
	*echo* "---- filter parameters ---------"
	tc filter *ls* dev eth0
	/#Print tc statictics/
	*echo* "---- tc class statistics -------"
	tc -s -d class show dev eth0
	*echo* "---- tc qdisc statistics -------"
	tc -s -d qdisc show dev eth0
*}*

*restart()* *{*
	*echo* "restart ..."
   start
*}*

*reload()* *{*
	*echo* "start ..."
	start
*}*

*force_reload()* *{*
	*echo* "force-reload ..."
	start
*}*

*case* $1* in* 
	start*)*
		start
		*;;*
	stop*)*
		stop
		*;;*
	status*)*
		status
		*;;*
	restart*)*
		restart
		*;;*
	reload*)*
		reload
		*;;*	
	force-reload*)*
		force_reload
		*;;*	
	**)*
	*echo* "Usage: iptables_tc {start|stop|restart|reload|force-reload|status}"
	/#echo "Usage: ${0##*/} {start|stop|restart|reload|status}"/
	*;;*
*esac*

*exit* 0


C Hamel wrote:

>(1)  I have set up NAT on kubuntu the same as I did on three other distros 
>--and was delighted that I didn't have to roll my own kernel, this time! :-)   
>The rub lies in the fact that I do not know where to save the iptables file.  
>The command, '/etc/init.d/iptables save' yields an error because the 
>directory is not there.  Obviously, the Debian architecture is different from 
>Gentoo/SuSE/Red Hat, et. al., and I am uncertain as to where to save the 
>rules.  Consequently (for now) I have unlocked root access to VTs & created 
>the 'boot.local' file in /etc/init.d with the necessary commands in it which 
>symlink resides in /etc/rcS.d (again, for now, hopefully) until I can find 
>out where it actually belongs.  I didn't find it in the docs.  Did I miss 
>something?
>
>(2)  I like the screen to clear when I log out from a VT.  SuSE had a neat 
>file in /etc/bash called 'bash_logout' in which one could enter the word 
>'clear' and that would happen automagically from then, on.  I emulated that 
>w/Gentoo but it doesn't seem to work in Debian.  Again, no /etc/bash 
>directory and when it was created it was ignored. 
>
>Anyone able to solve these issues will have my blessing. ;-)
>
>Thanks!
>  
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://lists.ubuntu.com/archives/kubuntu-users/attachments/20060127/3867c5f9/attachment.htm


More information about the kubuntu-users mailing list