LeRoy Cressy on Wed, 1 May 2002 08:50:22 +0200



Re: [PLUG] port forwarding question


David Calkins wrote:
> 

> ok, I guess I'll give IPTABLES a try.  One concern I have is that I'm
> using the Roaring Penguin DSL client.  I'm not sure if that's aware of
> IPTABLES or not.  If not, I guess I just have to configure the
> masquerading manually.
> 

The first step in using iptables is to make a custom kernel paying
strict attention to the netfilter stuff.  To do this you need to grab
the linux source from 

ftp://ftp.kernel.org/pub/linux/kernel/v2.4/

2.4.18 is the latest stable kernel

The kernel source tar file when unpacked will create a directory ./linux
from whatever directory you unpack it from.  I personally like to do all
compilation as a normal user.

On my system I have set up /usr/local/src/linux/v2.4/ as the directory
to unpack 2.4.x series of kernels.  You can use any directory on your
system you choose.  

After you unpack the tar file, cd into the linux directory.

if you are using X do 

make xconfig

else

make menuconfig

either will work fine.

When creating a custom kernel it is important to know what hardware you
have on your system.  Also you will find that your custom kernel will be
a lot smaller than the installation kernel.  Now for the
netfilter/iptables stuff you will find the info under Networking
options.  Choose `y' for Network packet filtering (replaces ipchains)

There is a sub menu IP:Netfilter Configuration that has all of the good
stuff about netfilter.  Read the help for each item and choose yes for
most of the items.  

After you have configured your kernel you need to save it and do the
following:

make dep
make clean
make bzImage
make modules

for the rest you must be root
make modules_install
cp arch/i386/boot/bzImage /boot/bzImage-2.4.18
cp System.map /boot/System.map-2.4.18

next you need to set up symlinks from / -> /boot/filename

cd /

ln -s boot/dist-kernel vmlinuz.dist	# Never wipe out the distribution
					# kernel

ln -s boot/old-kernel vmlinuz.old	# If this is your first custom 
					# kernel the link will be the same
					# as the dist. kernel
ln -s boot/bzImage-2.4.18 vmlinuz	# Your new kernel

Next you need to edit the /etc/lilo.conf file to reflect your symlinks
in the root directory.  Finally you need to run lilo 

Now you need to create a bash script to reflect the firewall rules.

Attached is an experimental firewall script that I am using.  There are
some items in it that call items that are not in the default kernel
source and I have patched the kernel source with the source from the
netfilter people.  This is fairly complicated and I won't go into it
here.

#! /bin/bash
echo 0 > /proc/sys/net/ipv4/ip_forward

# Zero all byte counters
iptables -Z
iptables -Z -t nat

iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT

iptables -F block
iptables -X block

iptables -N block

# Block Port Scans

iptables -A block   -m psd -m limit --limit 1/hour  -j LOG --log-prefix "Port Scan "
iptables -A block   -m psd -j DROP

# Block known current viruses

iptables -A block -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED -m string --string "default.ida" -m limit --limit 1/hour  -j LOG --log-prefix "CodeRed virus "
iptables -A block -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED -m string --string "default.ida" -j DROP

iptables -A block -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED -m string --string "root.exe" -m limit --limit 1/hour -j LOG --log-prefix "Nimda virus "
iptables -A block -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED -m string --string "root.exe" -j DROP

iptables -A block -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED -m string --string "cmd.exe" -m limit --limit 1/hour  -j LOG --log-prefix "Nimda virus "
iptables -A block -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED -m string --string "cmd.exe" -j DROP

iptables -A block -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED -m string --string "x.ida" -m limit --limit 1/hour  -j LOG --log-prefix "Nimda virus "
iptables -A block -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED -m string --string "x.ida" -j DROP

# Block Unauthorized SSH login  Problem sites

iptables -A block -p tcp --dport 22 -s 202.103.134.119 -m limit --limit 2/hour -j LOG --log-prefix "Bad SSH -> 202.103.134.119 "
iptables -A block -p tcp --dport 22 -s 202.103.134.119 -j DROP

iptables -A block -p tcp --dport 22 -s 158.42.33.12 -m limit --limit 2/hour -j LOG --log-prefix "Bad SSH -> 158.42.33.12 "
iptables -A block -p tcp --dport 22 -s 158.42.33.12 -j DROP

iptables -A block -p tcp --dport 22 -s 63.236.0.200 -m limit --limit 2/hour -j LOG --log-prefix "Bad SSH -> 63.236.0.200 "
iptables -A block -p tcp --dport 22 -s 63.236.0.200 -j DROP

# Block SPAM sites who have become a personal problem

iptables -A block -p tcp --dport smtp -m string --string "From: lifequote1aa421100@altavista.se" -m limit --limit 1/hour -j LOG --log-prefix "SPAM lifequote1aa"
iptables -A block -p tcp --dport smtp -m string --string "From: lifequote1aa421100@altavista.se" -j DROP
# iptables -A block -p tcp --dport smtp -m string --string "From: 

iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT


             ###########################################
             #                                         #
             #                INTERNET                 #
             #                                         #
             ###########################################

# Drop all packets destined to private Internet addresses

iptables -A OUTPUT -p all -d 10.0.0.0/8     -o eth0 -m limit --limit 1/hour -j LOG  --log-level info --log-prefix "Dropped Private Network "
iptables -A OUTPUT -p all -d 10.0.0.0/8     -o eth0 -j DROP
iptables -A OUTPUT -p all -d 172.16.0.0/12  -o eth0 -m limit --limit 1/hour  -j LOG  --log-level info --log-prefix "Dropped Private Network "
iptables -A OUTPUT -p all -d 172.16.0.0/12  -o eth0 -j DROP
iptables -A OUTPUT -p all -d 192.168.0.0/16 -o eth0 -m limit --limit 1/hour  -j LOG  --log-level info --log-prefix "Dropped Private Network "
iptables -A OUTPUT -p all -d 192.168.0.0/16 -o eth0 -j DROP
iptables -A OUTPUT -j ACCEPT

# Drop all private network addresses from the Internet

iptables -A block -m state --state NEW -p tcp -s 10.0.0.0/8     -i eth0 -m limit --limit 1/hour  -j  LOG --log-level info --log-prefix "Dropped Private Network "
iptables -A block -m state --state NEW -p tcp -s 10.0.0.0/8     -i eth0 -j  DROP
iptables -A block -m state --state NEW -p udp -s 10.0.0.0/8     -i eth0 -m limit --limit 1/hour  -j  LOG --log-level info --log-prefix "Dropped Private Network "
iptables -A block -m state --state NEW -p udp -s 10.0.0.0/8     -i eth0 -j  DROP

iptables -A block -m state --state NEW -p tcp -s 172.16.0.0/12  -i eth0 -m limit --limit 1/hour  -j  LOG --log-level info --log-prefix "Dropped Private Network "
iptables -A block -m state --state NEW -p tcp -s 172.16.0.0/12  -i eth0 -j  DROP
iptables -A block -m state --state NEW -p udp -s 172.16.0.0/12  -i eth0 -m limit --limit 1/hour  -j  LOG --log-level info --log-prefix "Dropped Private Network "
iptables -A block -m state --state NEW -p udp -s 172.16.0.0/12  -i eth0 -j  DROP

iptables -A block -m state --state NEW -p tcp -s 192.168.0.0/16 -i eth0 -m limit --limit 1/hour  -j  LOG --log-level info --log-prefix "Dropped Private Network "
iptables -A block -m state --state NEW -p tcp -s 192.168.0.0/16 -i eth0 -j  DROP
iptables -A block -m state --state NEW -p udp -s 192.168.0.0/16 -i eth0 -m limit --limit 1/hour  -j  LOG --log-level info --log-prefix "Dropped Private Network "
iptables -A block -m state --state NEW -p udp -s 192.168.0.0/16 -i eth0 -j  DROP

# Drop port scans

# Block Port Scans

#iptables -A block   -m psd -m limit --limit 1/hour  -j LOG --log-prefix "Port Scan "
#iptables -A block   -m psd -j DROP

# Allow the following:

iptables -A block -m state --state NEW -p tcp -i eth0 --dport 80 -m limit --limit 1/hour  -j LOG --log-level info --log-prefix "Web Access Request "
iptables -A block -m state --state NEW -p tcp -i eth0 --dport 80 -j ACCEPT

iptables -A block -m state --state NEW -p tcp -i eth0 --dport 25 -m limit --limit 1/hour  -j LOG --log-level info --log-prefix "SMTP Access Request "
iptables -A block -m state --state NEW -p tcp -i eth0 --dport 25 -j ACCEPT

iptables -A block -m state --state NEW -p tcp -i eth0 --dport 22 -m limit --limit 1/hour  -j LOG --log-level info --log-prefix "SSH login Request "
iptables -A block -m state --state NEW -p tcp -i eth0 --dport 22 -j ACCEPT

iptables -A block -m state --state NEW -p tcp -i eth0 --dport 465 -m limit --limit 1/hour  -j LOG --log-level info --log-prefix "SSMTP Access Request "
iptables -A block -m state --state NEW -p tcp -i eth0 --dport 465 -j ACCEPT

iptables -A block -m state --state NEW -p tcp -i eth0 -m limit --limit 1/hour  -j  LOG --log-level info --log-prefix "Dropped Internet "
iptables -A block -m state --state NEW -p tcp -i eth0 -j  DROP


             ###########################################
             #                                         #
             #                  LAN                    #
             #                                         #
             ###########################################

# iptables -A block -m state --state NEW -i eth1 -m limit --limit 1/hour  -j LOG --log-level info --log-prefix "Accepted Packets from eth1 "
iptables -A block -m state --state NEW -i eth1 -j ACCEPT

             ###########################################
             #                                         #
             #                  DMZ                    #
             #                                         #
             ###########################################

iptables  -A block -m state --state NEW -p tcp  -i eth2 -o eth0 --dport 80 -j ACCEPT

iptables  -A block -m state --state NEW -p tcp  -i eth2 --dport 37 -m limit --limit 1/hour   -j LOG --log-level info --log-prefix "RDATE "
iptables  -A block -m state --state NEW -p tcp  -i eth2 --dport 37  -j ACCEPT

#iptables -A block -m state --state NEW -p tcp  -i eth2 --dport 53 -m limit --limit 1/hour    -j LOG --log-level info --log-prefix "DMZ DNS "
iptables -A block -m state --state NEW -p tcp  -i eth2 --dport 53   -j ACCEPT
#iptables -A block -m state --state NEW -p udp  -i eth2 --dport 53  -m limit --limit 1/hour   -j LOG --log-level info --log-prefix "DMZ DNS "
iptables -A block -m state --state NEW -p udp  -i eth2 --dport 53   -j ACCEPT

iptables -A block -m state --state NEW -p tcp  -i eth2 --dport 111  -d 192.168.1.1 -m limit --limit 1/hour   -j LOG --log-level info --log-prefix "DMZ Portmapper "
iptables -A block -m state --state NEW -p tcp  -i eth2 --dport 111  -d 192.168.1.1  -j ACCEPT
iptables -A block -m state --state NEW -p udp  -i eth2 --dport 111  -d 192.168.1.1 -m limit --limit 1/hour   -j LOG --log-level info --log-prefix "DMZ Portmapper "
iptables -A block -m state --state NEW -p udp  -i eth2 --dport 111  -d 192.168.1.1  -j ACCEPT

# mountd stuff

iptables -A block -m state --state NEW -p tcp -i eth2 --sport 896 -s 192.168.10.2 -d 192.168.1.1 -j ACCEPT

port=`rpcinfo -p dmz | grep "100005    1   udp" | awk '{ print $4 }'`
iptables -A block -m state --state NEW -p udp  -i eth2 --sport $port  -s 192.168.10.1 -d 192.168.1.0/24  -m limit --limit 1/hour  -j LOG --log-level info --log-prefix "DMZ NFS response "
iptables -A block -m state --state NEW -p udp  -i eth2 --sport $port  -s 192.168.10.1 -d 192.168.1.0/24  -j ACCEPT

port=`rpcinfo -p patches-place | grep "100005    1   udp" | awk '{ print $4 }'`
iptables -A block -m state --state NEW -p udp  -i eth2 --dport $port  -d 192.168.1.1 -m limit --limit 1/hour   -j LOG --log-level info --log-prefix "DMZ NFS mountd "
iptables -A block -m state --state NEW -p udp  -i eth2 --dport $port  -d 192.168.1.1  -j ACCEPT

iptables -A block -m state --state NEW -p tcp  -i eth2 --dport 2049 -d 192.168.1.1 -m limit --limit 1/hour   -j LOG --log-level info --log-prefix "DMZ NFS Activity "
iptables -A block -m state --state NEW -p tcp  -i eth2 --dport 2049 -d 192.168.1.1  -j ACCEPT
iptables -A block -m state --state NEW -p udp  -i eth2 --dport 2049 -d 192.168.1.1 -m limit --limit 1/hour   -j LOG --log-level info --log-prefix "DMZ NFS Activity "
iptables -A block -m state --state NEW -p udp  -i eth2 --dport 2049 -d 192.168.1.1  -j ACCEPT

iptables -A block -m state --state NEW -p tcp  -i eth2 --dport 25 -m limit --limit 1/hour   -j LOG --log-level info --log-prefix "DMZ SMTP Activity "
iptables -A block -m state --state NEW -p tcp  -i eth2 --dport 25 -j ACCEPT
iptables -A block -m state --state NEW -p udp  -i eth2 --dport 25 -m limit --limit 1/hour   -j LOG --log-level info --log-prefix "DMZ SMTP Activity "
iptables -A block -m state --state NEW -p udp  -i eth2 --dport 25  -j ACCEPT

iptables -A block -m state --state NEW -p tcp  -i eth2 --dport 465 -m limit --limit 1/hour   -j LOG --log-level info --log-prefix "DMZ SSMTP Activity "
iptables -A block -m state --state NEW -p tcp  -i eth2 --dport 465 -j ACCEPT
iptables -A block -m state --state NEW -p udp  -i eth2 --dport 465  -m limit --limit 1/hour  -j LOG --log-level info --log-prefix "DMZ SSMTP Activity "
iptables -A block -m state --state NEW -p udp  -i eth2 --dport 465  -j ACCEPT

iptables -A block -m state --state NEW -i eth2 -d 192.168.1.0/16 -p icmp -m limit --limit 1/hour -j LOG --log-level info --log-prefix "DMZ ping Activity "
iptables -A block -m state --state NEW -i eth2 -d 192.168.1.0/16 -p icmp -j ACCEPT

iptables -A block -m state --state NEW -p tcp -i eth2 --dport 113 -j DROP
iptables -A block -m state --state NEW -p udp -i eth2 --dport 113 -j DROP

iptables -A block -m state --state NEW -i eth1 -m limit --limit 1/hour -j LOG --log-level info --log-prefix "Dropped from eth1 "
iptables -A block -m state --state NEW -i eth1 -j DROP


iptables -A block -m state --state NEW -i eth2 -m limit --limit 1/hour -j LOG --log-level info --log-prefix "Dropped from eth2 "
iptables -A block -m state --state NEW -i eth2 -j DROP

iptables -A block -m state --state NEW -i eth0 -m limit --limit 1/hour -j LOG --log-level info --log-prefix "Dropped from eth0 "
iptables -A block -m state --state NEW -i eth0 -j DROP

iptables -A block -m limit --limit 1/hour -j LOG --log-level info --log-prefix "Dropped Packets in block "
iptables -A block -j DROP


iptables -A INPUT -j block

iptables -A FORWARD -j block


             ###########################################
             #                                         #
             #                  NAT                    #
             #                                         #
             ###########################################


iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING


# Set up the ip forwarding for the local network to get to the outside:

iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 20   -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 21   -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 22   -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/16 --dport 25   -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/16 --dport 465  -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/16 --dport 53   -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/16 --dport 80   -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 443  -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 110  -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 113  -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 119  -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 389  -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 873  -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 1024 -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p udp -s 192.168.1.0/24 --dport 53   -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p udp -s 192.168.1.0/24 --dport 1024 -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p icmp -s 192.168.1.0/16             -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 43   -j SNAT --to 64.194.227.197
iptables -t nat -A POSTROUTING -o eth0 -p tcp -s 192.168.1.0/24 --dport 37   -j SNAT --to 64.194.227.197

# Block these nasties from being forwarded


iptables -t nat -A PREROUTING -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED -m string --string "/default.ida" -m limit --limit 1/hour -j LOG --log-prefix "CodeRed virus "
iptables -t nat -A PREROUTING -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED -m string --string "/default.ida" -j DROP

iptables -t nat -A PREROUTING -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED -m string --string "root.exe" -m limit --limit 1/hour -j LOG --log-prefix "Nimda virus "
iptables -t nat -A PREROUTING -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED -m string --string "root.exe" -j DROP

iptables -t nat -A PREROUTING -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED -m string --string "cmd.exe" -m limit --limit 1/hour -j LOG --log-prefix "Nimda virus "
iptables -t nat -A PREROUTING -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED -m string --string "cmd.exe" -j DROP

iptables -t nat -A PREROUTING -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED -m string --string "x.ida" -m limit --limit 1/hour -j LOG --log-prefix "Nimda virus "
iptables -t nat -A PREROUTING -p tcp --dport http -m state --state NEW,ESTABLISHED,RELATED -m string --string "x.ida" -j DROP


# Block Port Scans

iptables -t nat -A PREROUTING            -m psd -m limit --limit 1/hour -j LOG --log-prefix "Port Scan "
iptables -t nat -A PREROUTING -i ! eth2  -m psd -j DROP



# Allow these ports from the outside to be forwarded to the appropriate
# machine:

iptables -t nat -A PREROUTING  -i eth0 -p tcp --dport 80 -m limit --limit 1/hour  -j LOG --log-level info --log-prefix "Forward WWW Request "
iptables -t nat -A PREROUTING  -i eth0 -p tcp --dport 80  -j DNAT --to 192.168.10.1
iptables -t nat -A PREROUTING  -i eth0 -p tcp --dport 25  -m limit --limit 1/hour -j LOG --log-level info --log-prefix "Forward Mail Request "
iptables -t nat -A PREROUTING  -i eth0 -p tcp --dport 25  -j DNAT --to 192.168.10.1
iptables -t nat -A PREROUTING  -i eth0 -p tcp --dport 22  -m limit --limit 1/hour -j LOG --log-level info --log-prefix "Forward SSH Login "
iptables -t nat -A PREROUTING  -i eth0 -p tcp --dport 22  -j DNAT --to 192.168.10.1
iptables -t nat -A PREROUTING  -i eth0 -p tcp --dport 1024 -m limit --limit 1/hour -j LOG --log-level info --log-prefix "Forward SSH activity "
iptables -t nat -A PREROUTING  -i eth0 -p tcp --dport 1024 -j DNAT --to 192.168.10.1

# Allow local subnet to access dmz for everything

# iptables -t nat -A POSTROUTING  -o eth2 -p all -s 192.168.1.0/24  -j SNAT --to 192.168.10.10

# Allow partial dmz to access local subnet

#icmp
#iptables -t nat -A POSTROUTING  -o eth1 -p icmp -s 192.168.10.0/24 -m limit --limit 1/hour -j LOG --log-level info --log-prefix "ping from dmz "
#iptables -t nat -A POSTROUTING  -o eth1 -p icmp -s 192.168.10.0/24 -j SNAT --to 192.168.1.10
# portmapper
#iptables -t nat -A POSTROUTING  -o eth1 -p tcp -s 192.168.10.0/24 --dport 111 -m limit --limit 1/hour  -j LOG  --log-level info --log-prefix "Forward 111 from dmz "
#iptables -t nat -A POSTROUTING  -o eth1 -p tcp -s 192.168.10.0/24 --dport 111  -j SNAT --to 192.168.1.10
#iptables -t nat -A POSTROUTING  -o eth1 -p udp -s 192.168.10.0/24 --dport 111 -m limit --limit 1/hour  -j LOG  --log-level info --log-prefix "Forward 111 from dmz "
#iptables -t nat -A POSTROUTING  -o eth1 -p udp -s 192.168.10.0/24 --dport 111  -j SNAT --to 192.168.1.10
# nfs
#iptables -t nat -A POSTROUTING  -o eth1 -p tcp -s 192.168.10.0/24 --dport 2049 -m limit --limit 1/hour -j LOG --log-level info --log-prefix "nfs "
#iptables -t nat -A POSTROUTING  -o eth1 -p tcp -s 192.168.10.0/24 --dport 2049 -j SNAT --to 192.168.1.10
#iptables -t nat -A POSTROUTING  -o eth1 -p udp -s 192.168.10.0/24 --dport 2049 -j LOG --log-level info --log-prefix "nfs "
#iptables -t nat -A POSTROUTING  -o eth1 -p udp -s 192.168.10.0/24 --dport 2049 -j SNAT --to 192.168.1.10
# mountd
#iptables -t nat -A POSTROUTING  -o eth1 -p tcp -s 192.168.10.0/24 --dport 984  -j LOG --log-level info --log-prefix "mountd "
#iptables -t nat -A POSTROUTING  -o eth1 -p tcp -s 192.168.10.0/24 --dport 984  -j SNAT --to 192.168.1.10
#iptables -t nat -A POSTROUTING  -o eth1 -p udp -s 192.168.10.0/24 --dport 987  -j LOG --log-level info --log-prefix "mountd "
#iptables -t nat -A POSTROUTING  -o eth1 -p udp -s 192.168.10.0/24 --dport 987  -j SNAT --to 192.168.1.10
# ssh
#iptables -t nat -A POSTROUTING  -o eth1 -p tcp -s 192.168.10.0/24 --dport 22   -j LOG --log-level info --log-prefix "ssh login "
#iptables -t nat -A POSTROUTING  -o eth1 -p tcp -s 192.168.10.0/24 --dport 22   -j SNAT --to 192.168.1.10
#iptables -t nat -A POSTROUTING  -o eth1 -p udp -s 192.168.10.0/24 --dport 22   -j LOG --log-level info --log-prefix "ssh login "
#iptables -t nat -A POSTROUTING  -o eth1 -p udp -s 192.168.10.0/24 --dport 22   -j SNAT --to 192.168.1.10
#iptables -t nat -A POSTROUTING  -o eth1 -p tcp -s 192.168.10.0/24 --dport 1024 -j LOG --log-level info --log-prefix "ssh connection "
#iptables -t nat -A POSTROUTING  -o eth1 -p tcp -s 192.168.10.0/24 --dport 1024 -j SNAT --to 192.168.1.10
#iptables -t nat -A POSTROUTING  -o eth1 -p udp -s 192.168.10.0/24 --dport 1024 -j LOG --log-level info --log-prefix "ssh connection "
#iptables -t nat -A POSTROUTING  -o eth1 -p udp -s 192.168.10.0/24 --dport 1024 -j SNAT --to 192.168.1.10

                   #######################################
                   #                                     #
                   # The following is only for debugging #
                   #         Turn off when fixed         #
                   #                                     #
                   #######################################

#iptables -t nat -A POSTROUTING  -o eth1 -p all -s 192.168.10.0/24  -j LOG --log-level debug --log-prefix "Everything Forward DMZ "
#iptables -t nat -A POSTROUTING  -o eth1 -p all -s 192.168.10.0/24  -j SNAT --to 192.168.1.10




echo 1 > /proc/sys/net/ipv4/ip_forward



> I checked out ssh, however, this only appears to forward TCP
>  connections.  I need to forward UDP traffic :-(
> 

-- 
Rev. LeRoy D. Cressy   mailto:leroy@lrcressy.com   /\_/\
                       http://lrcressy.com        ( o.o )
                       Phone:  215-535-4037        > ^ <

Jesus saith unto him, I am the way, the truth, and the life: 
no man cometh unto the Father, but by me. (John 14:6)


______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug
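Editor's added example, not LeRoy's script and not anything shipped with the Roaring Penguin client: the same "block" chain design from the script above, reduced to a parameterised POSIX shell script that can be dry-run. The interface names eth0/eth1/eth2, the 192.168.1.0/24 and 192.168.10.0/24 subnets, the DMZ host 192.168.10.1 and the forwarded port lists are placeholders taken from the layout of the original; with rp-pppoe the Internet-facing interface is the ppp0 link the client brings up, so WAN=ppp0 would be passed in. Two points the thread raises are shown directly: DNAT forwards UDP exactly the way it forwards TCP (the forward_port helper is protocol-agnostic, which answers the "ssh only forwards TCP" concern), and MASQUERADE is used in place of the original's SNAT to a fixed public address, so a PPPoE link whose address changes keeps working.

```shell
#!/bin/sh
# Added example (editor's code, not the original poster's script).
# Dry-run by default: IPT=echo prints the rules that would be issued.
# Apply for real as root with:  IPT=iptables WAN=ppp0 sh firewall.sh

: "${IPT:=echo}"                       # iptables binary, or echo for a dry run
WAN=${WAN:-eth0}                       # Internet side (ppp0 with rp-pppoe)
LAN=${LAN:-eth1}                       # trusted LAN, placeholder layout
DMZ=${DMZ:-eth2}                       # DMZ, placeholder layout
LAN_NET=${LAN_NET:-192.168.1.0/24}     # placeholder subnets from the original
DMZ_NET=${DMZ_NET:-192.168.10.0/24}
DMZ_HOST=${DMZ_HOST:-192.168.10.1}     # placeholder host that receives forwards
TCP_FWD=${TCP_FWD:-"80 25 22"}         # TCP ports forwarded from the Internet
UDP_FWD=${UDP_FWD:-"53"}               # UDP ports forwarded (placeholder value)

# log_and_drop CHAIN PREFIX [match ...]: rate-limited LOG then DROP with the
# same match, the pair the original script spells out by hand each time.
log_and_drop() {
    _chain=$1; _prefix=$2; shift 2
    $IPT -A "$_chain" "$@" -m limit --limit 1/hour -j LOG --log-prefix "$_prefix "
    $IPT -A "$_chain" "$@" -j DROP
}

# forward_port PROTO PORT: DNAT a port arriving on WAN to DMZ_HOST and accept
# that forwarded connection in the filter. DNAT happens in PREROUTING, so by
# the time FORWARD sees the packet its destination is already DMZ_HOST.
forward_port() {
    $IPT -t nat -A PREROUTING -i "$WAN" -p "$1" --dport "$2" -j DNAT --to-destination "$DMZ_HOST"
    $IPT -A block -m state --state NEW -p "$1" -i "$WAN" -d "$DMZ_HOST" --dport "$2" -j ACCEPT
}

build_rules() {
    $IPT -F INPUT; $IPT -F FORWARD; $IPT -F OUTPUT
    $IPT -t nat -F PREROUTING; $IPT -t nat -F POSTROUTING
    $IPT -F block 2>/dev/null; $IPT -X block 2>/dev/null
    $IPT -N block
    # Built-in policies drop too, so a mistake in the block chain fails closed.
    $IPT -P INPUT DROP; $IPT -P FORWARD DROP
    # Replies to connections already allowed, whichever interface they arrive on.
    $IPT -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: RFC 1918 source addresses never legitimately arrive on WAN.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        log_and_drop block "Spoofed private src" -i "$WAN" -s "$net"
    done
    # Published services: port forwarding for TCP and UDP alike.
    for p in $TCP_FWD; do forward_port tcp "$p"; done
    for p in $UDP_FWD; do forward_port udp "$p"; done
    # LAN may open anything; the DMZ may only reach the Internet on 80 and 443.
    $IPT -A block -m state --state NEW -i "$LAN" -j ACCEPT
    for p in 80 443; do
        $IPT -A block -m state --state NEW -p tcp -i "$DMZ" -o "$WAN" --dport "$p" -j ACCEPT
    done
    # Everything else is logged (rate-limited) and dropped, and both INPUT and
    # FORWARD funnel through the block chain, as in the original.
    log_and_drop block "Dropped in block"
    $IPT -A INPUT -j block
    $IPT -A FORWARD -j block
    # Outbound NAT: MASQUERADE uses whatever address WAN currently has.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$DMZ_NET" -j MASQUERADE
}

# Toggle routing between interfaces; only touches /proc when applying for real.
set_ip_forward() {
    if [ "$IPT" = echo ]; then echo "ip_forward=$1"
    else echo "$1" > /proc/sys/net/ipv4/ip_forward; fi
}

main() {
    set_ip_forward 0      # no routing while the rule set is half built
    build_rules
    set_ip_forward 1
}

main
```

Run it once with the default IPT=echo and read the output as a plain list of the rules in the order they will be loaded; the stateful ESTABLISHED,RELATED accept comes first and the catch-all DROP last, exactly as in the original chain. The OUTPUT chain is left at its ACCEPT policy, matching the original script.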