firewall NAT tables with dynamic assign IP [solved]
Noah
admin2 at enabled.com
Sun Oct 22 21:52:18 UTC 2006
Allan,
actually that is not what I was looking for. This is the answer I was
looking for. The sed/awk command will find the IP that dhcpd definded
to the address. even if the lease expires and a new IP address is
assigned then EXTIP is figured again after running the script.
----s nip ---
EXTIF="eth1"
INTIF="eth0"
echo " External Interface: $EXTIF"
echo " Internal Interface: $INTIF"
EXTIP="`ifconfig $EXTIF | grep 'inet addr' | \
awk '{print $2}' | sed -e 's/.*://'`"
echo " External IP: $EXTIP"
---- snip ----
cheers,
Noah
Allan Spagnol Comar wrote:
> Hi noah, I do not understand your doubt, if you want the DHCP ip to be
> changed from the internal network to the external network you donĀ“t
> need the $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
> line, you just need
>
> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>
> holpe it helps, Allan
> On 10/20/06, Noah <admin2 at enabled.com> wrote:
>
>> Hi there,
>>
>> So I am wanting to learn how to modify my firewall-tables script to figure
>> out the current dynamically assigned IP address on fxp1 and also update the
>> firewall-tables if the dhcpd running on fxp1 reassigns a new IP.
>>
>>
>> Here is the script:
>>
>> #!/bin/sh
>> #
>> #firewall-iptables
>> FWVER= 0.76
>> #
>> # Initial SIMPLE IP Masquerade test for 2.6 / 2.4 kernels
>> # using IPTABLES.
>> #
>> # Once IP Masquerading has been tested, with this simple
>> # ruleset, it is highly recommended to use a stronger
>> # IPTABLES ruleset either given later in this HOWTO or
>> # from another reputable resource.
>> #
>> #
>> #
>> # Log:
>> # 0.76 - Added comments on why the default policy is ACCEPT
>> # 0.75 - Added more kernel modules to the comments section
>> # 0.74 - the ruleset now uses modprobe vs. insmod
>> # 0.73 - REJECT is not a legal policy yet; back to DROP
>> # 0.72 - Changed the default block behavior to REJECT not DROP
>> # 0.71 - Added clarification that PPPoE users need to use
>> # "ppp0" instead of "eth0" for their external interface
>> # 0.70 - Added commented option for IRC nat module
>> # - Added additional use of environment variables
>> # - Added additional formatting
>> # 0.63 - Added support for the IRC IPTABLES module
>> # 0.62 - Fixed a typo on the MASQ enable line that used eth0
>> # instead of $EXTIF
>> # 0.61 - Changed the firewall to use variables for the internal
>> # and external interfaces.
>> # 0.60 - 0.50 had a mistake where the ruleset had a rule to DROP
>> # all forwarded packets but it didn't have a rule to ACCEPT
>> # any packets to be forwarded either
>> # - Load the ip_nat_ftp and ip_conntrack_ftp modules by default
>> # 0.50 - Initial draft
>> #
>>
>> echo -e "\n\nLoading simple rc.firewall-iptables version $FWVER..\n"
>>
>>
>> # The location of the iptables and kernel module programs
>> #
>> # If your Linux distribution came with a copy of iptables,
>> # most likely all the programs will be located in /sbin. If
>> # you manually compiled iptables, the default location will
>> # be in /usr/local/sbin
>> #
>> # ** Please use the "whereis iptables" command to figure out
>> # ** where your copy is and change the path below to reflect
>> # ** your setup
>> #
>> IPTABLES=/sbin/iptables
>> #IPTABLES=/usr/local/sbin/iptables
>> DEPMOD=/sbin/depmod
>> MODPROBE=/sbin/modprobe
>>
>>
>> #Setting the EXTERNAL and INTERNAL interfaces for the network
>> #
>> # Each IP Masquerade network needs to have at least one
>> # external and one internal network. The external network
>> # is where the natting will occur and the internal network
>> # should preferably be addressed with a RFC1918 private address
>> # scheme.
>> #
>> # For this example, "eth0" is external and "eth1" is internal"
>> #
>> #
>> # NOTE: If this doesnt EXACTLY fit your configuration, you must
>> # change the EXTIF or INTIF variables above. For example:
>> #
>> # If you are a PPPoE or analog modem user:
>> #
>> # EXTIF="ppp0"
>> #
>> #
>> EXTIF="eth1"
>> INTIF="eth0"
>> #INTIF2="eth0"
>> echo " External Interface: $EXTIF"
>> echo " Internal Interface: $INTIF"
>> #echo " Internal Interface: $INTIF2"
>>
>> #EXTIP="your external IP address"
>> EXTIP="<dhcpd_assigned_ip>"
>> echo " External IP: $EXTIP"
>>
>> #======================================================================
>> #== No editing beyond this line is required for initial MASQ testing ==
>>
>>
>> echo -en " loading modules: "
>>
>> # Need to verify that all modules have all required dependencies
>> #
>> echo " - Verifying that all kernel modules are ok"
>> $DEPMOD -a
>>
>> # With the new IPTABLES code, the core MASQ functionality is now either
>> # modular or compiled into the kernel. This HOWTO shows ALL IPTABLES
>> # options as MODULES. If your kernel is compiled correctly, there is
>> # NO need to load the kernel modules manually.
>> #
>> # NOTE: The following items are listed ONLY for informational reasons.
>> # There is no reason to manual load these modules unless your
>> # kernel is either mis-configured or you intentionally disabled
>> # the kernel module autoloader.
>> #
>>
>> # Upon the commands of starting up IP Masq on the server, the
>> # following kernel modules will be automatically loaded:
>> #
>> # NOTE: Only load the IP MASQ modules you need. All current IP MASQ
>> # modules are shown below but are commented out from loading.
>> #
>> ===============================================================
>>
>> echo
>> "----------------------------------------------------------------------"
>>
>> #Load the main body of the IPTABLES module - "iptable"
>> # - Loaded automatically when the "iptables" command is invoked
>> #
>> # - Loaded manually to clean up kernel auto-loading timing issues
>> #
>> echo -en "ip_tables, "
>> $MODPROBE ip_tables
>>
>>
>> #Load the IPTABLES filtering module - "iptable_filter"
>> # - Loaded automatically when filter policies are activated
>>
>>
>> #Load the stateful connection tracking framework - "ip_conntrack"
>> #
>> # The conntrack module in itself does nothing without other specific
>> # conntrack modules being loaded afterwards such as the "ip_conntrack_ftp"
>> # module
>> #
>> # - This module is loaded automatically when MASQ functionality is
>> # enabled
>> #
>> # - Loaded manually to clean up kernel auto-loading timing issues
>> #
>> echo -en "ip_conntrack, "
>> $MODPROBE ip_conntrack
>>
>>
>> #Load the FTP tracking mechanism for full FTP tracking
>> #
>> # Enabled by default -- insert a "#" on the next line to deactivate
>> #
>> echo -en "ip_conntrack_ftp, "
>> $MODPROBE ip_conntrack_ftp
>>
>>
>> #Load the IRC tracking mechanism for full IRC tracking
>> #
>> # Enabled by default -- insert a "#" on the next line to deactivate
>> #
>> echo -en "ip_conntrack_irc, "
>> $MODPROBE ip_conntrack_irc
>>
>>
>> #Load the general IPTABLES NAT code - "iptable_nat"
>> # - Loaded automatically when MASQ functionality is turned on
>> #
>> # - Loaded manually to clean up kernel auto-loading timing issues
>> #
>> echo -en "iptable_nat, "
>> $MODPROBE iptable_nat
>>
>>
>> #Loads the FTP NAT functionality into the core IPTABLES code
>> # Required to support non-PASV FTP.
>> #
>> # Enabled by default -- insert a "#" on the next line to deactivate
>> #
>> echo -en "ip_nat_ftp, "
>> $MODPROBE ip_nat_ftp
>>
>>
>> #Loads the IRC NAT functionality into the core IPTABLES code
>> # Required to support NAT of IRC DCC requests
>> #
>> # Disabled by default -- remove the "#" on the next line to activate
>> #
>> #echo -e "ip_nat_irc"
>> #$MODPROBE ip_nat_irc
>>
>> echo
>> "----------------------------------------------------------------------"
>>
>> # Just to be complete, here is a partial list of some of the other
>> # IPTABLES kernel modules and their function. Please note that most
>> # of these modules (the ipt ones) are automatically loaded by the
>> # master kernel module for proper operation and don't need to be
>> # manually loaded.
>> #
>> --------------------------------------------------------------------
>> #
>> # ip_nat_snmp_basic - this module allows for proper NATing of some
>> # SNMP traffic
>> #
>> # iptable_mangle - this target allows for packets to be
>> # manipulated for things like the TCPMSS
>> # option, etc.
>> #
>> # --
>> #
>> # ipt_mark - this target marks a given packet for future action.
>> # This automatically loads the ipt_MARK module
>> #
>> # ipt_tcpmss - this target allows to manipulate the TCP MSS
>> # option for braindead remote firewalls.
>> # This automatically loads the ipt_TCPMSS module
>> #
>> # ipt_limit - this target allows for packets to be limited to
>> # to many hits per sec/min/hr
>> #
>> # ipt_multiport - this match allows for targets within a range
>> # of port numbers vs. listing each port individually
>> #
>> # ipt_state - this match allows to catch packets with various
>> # IP and TCP flags set/unset
>> #
>> # ipt_unclean - this match allows to catch packets that have invalid
>> # IP/TCP flags set
>> #
>> # iptable_filter - this module allows for packets to be DROPped,
>> # REJECTed, or LOGged. This module automatically
>> # loads the following modules:
>> #
>> # ipt_LOG - this target allows for packets to be
>> # logged
>> #
>> # ipt_REJECT - this target DROPs the packet and returns
>> # a configurable ICMP
>> packet back to the
>> # sender.
>> #
>>
>> echo -e " Done loading modules.\n"
>>
>>
>>
>> #CRITICAL: Enable IP forwarding since it is disabled by default since
>> #
>> # Redhat Users: you may try changing the options in
>> # /etc/sysconfig/network from:
>> #
>> # FORWARD_IPV4=false
>> # to
>> # FORWARD_IPV4=true
>> #
>> echo " Enabling forwarding.."
>> echo "1" > /proc/sys/net/ipv4/ip_forward
>>
>>
>> # Dynamic IP users:
>> #
>> # If you get your IP address dynamically from SLIP, PPP, or DHCP,
>> # enable this following option. This enables dynamic-address hacking
>> # which makes the life with Diald and similar programs much easier.
>> #
>> echo " Enabling DynamicAddr.."
>> echo "1" > /proc/sys/net/ipv4/ip_dynaddr
>>
>>
>> # Enable simple IP forwarding and Masquerading
>> #
>> # NOTE: In IPTABLES speak, IP Masquerading is a form of SourceNAT or
>> SNAT.
>> #
>> # NOTE #2: The following is an example for an internal LAN address in the
>> # 192.168.0.x network with a 255.255.255.0 or a "24" bit subnet
>> mask
>> # connecting to the Internet on external interface "eth0". This
>> # example will MASQ internal traffic out to the Internet but not
>> # allow non-initiated traffic into your internal network.
>> #
>> #
>> # ** Please change the above network numbers, subnet mask, and your
>> # *** Internet connection interface name to match your setup
>> #
>>
>>
>> #Clearing any previous configuration
>> #
>> # Unless specified, the defaults for INPUT and OUTPUT is ACCEPT
>> # The default for FORWARD is DROP (REJECT is not a valid policy)
>> #
>> # Isn't ACCEPT insecure? To some degree, YES, but this is our testing
>> # phase. Once we know that IPMASQ is working well, I recommend you run
>> # the rc.firewall-*-stronger rulesets which set the defaults to DROP but
>> # also include the critical additional rulesets to still let you connect
>> to
>> # the IPMASQ server, etc.
>> #
>> echo " Clearing any existing rules and setting default policy.."
>> $IPTABLES -P INPUT ACCEPT
>> $IPTABLES -F INPUT
>> $IPTABLES -P OUTPUT ACCEPT
>> $IPTABLES -F OUTPUT
>> $IPTABLES -P FORWARD DROP
>> $IPTABLES -F FORWARD
>> $IPTABLES -t nat -F
>>
>> echo " FWD: Allow all connections OUT and only existing and related ones
>> IN"
>> $IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state
>> ESTABLISHED,RELATED -j ACCEPT
>> $IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
>> $IPTABLES -A FORWARD -j LOG
>> #$IPTABLES -A FORWARD -i $EXTIF -o $INTIF2 -m state --state
>> ESTABLISHED,RELATED \-j ACCEPT
>> #$IPTABLES -A FORWARD -i $INTIF -o $INTIF2 -m state --state
>> ESTABLISHED,RELATED \-j ACCEPT
>> #$IPTABLES -A FORWARD -i $INTIF2 -o $INTIF -m state --state
>> ESTABLISHED,RELATED \-j ACCEPT
>> #$IPTABLES -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT
>> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
>>
>>
>> echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
>> $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
>>
>> echo -e "\nrc.firewall-iptables v$FWVER done.\n"
>>
>>
>>
>> cheers,
>>
>> Noah
>>
>>
>> --
>> ubuntu-users mailing list
>> ubuntu-users at lists.ubuntu.com
>> https://lists.ubuntu.com/mailman/listinfo/ubuntu-users
>>
>>
>>
>>
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.ubuntu.com/archives/ubuntu-users/attachments/20061022/5cd75c04/attachment.html>
More information about the ubuntu-users
mailing list