First of all, a little description of my situation. I am in a high school room, where we access the LAN via a proxy. Besides the school connection I also have an ADSL connection (ppp0). I am using a server (connected to the school LAN, to the ADSL and to my computer) to determine which connection I use. I've set up iptables rules which work fine for me. I am planning to move to monowall and I would like to know if it is capable of doing the same thing my iptables script is capable of. Here is my script --

#!/bin/sh
#-------------------------------------------------
# eth0 --> 00:0C:6E:2B:CF:94  Internal LAN (my PC to server), fixed IP
# eth1 --> 00:02:44:29:C7:45  School LAN, DHCP
# eth2 --> 00:26:54:0C:04:18  ADSL
#-------------------------------------------------

# Route configuration: school networks via the school gateway, everything else via ADSL
route del default gw 10.133.15.254
route add -host 10.133.15.254 dev eth1
route add -net 10.0.0.0/8 gw 10.133.15.254
route add -net 192.168.2.0/24 gw 10.133.15.254
route add default gw 84.97.32.1

# Forwarding between interfaces must be on for the NAT below to work
# (assumed not already enabled elsewhere on the server)
echo 1 > /proc/sys/net/ipv4/ip_forward

# Flush everything
iptables -F
iptables -t nat -F

# NAT rules
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 10.0.0.0/8 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d 192.168.2.0/24 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE

# Anti ping of death: accept at most one echo request per second and drop the excess
# (the limit match does nothing on its own; the DROP after it is what enforces the rate)
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -j DROP

#---------------------------
# ETH1 (school LAN)
#---------------------------
# Refuse new connections on eth1
iptables -A INPUT -i eth1 -m state --state NEW,INVALID -j REJECT
iptables -A FORWARD -i eth1 -m state --state NEW,INVALID -j REJECT
# Open ports (-I inserts at the top of the chain, so these win over the REJECT above)
iptables -I INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -i eth1 -p udp --dport 80 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 20:21 -j ACCEPT
iptables -I INPUT -i eth1 -p udp --dport 20:21 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 6666:6670 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 7000 -j ACCEPT

#---------------------------
# PPP0 (ADSL)
#---------------------------
# Refuse new connections on ppp0
iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
iptables -A FORWARD -i ppp0 -m state --state NEW,INVALID -j DROP
# Open ports
iptables -I INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -i ppp0 -p udp --dport 80 -j ACCEPT
iptables -I INPUT -i ppp0 -p tcp --dport 20:21 -j ACCEPT
iptables -I INPUT -i ppp0 -p udp --dport 20:21 -j ACCEPT
# Note: the rules below match eth1, not ppp0 (the tcp 6666:6670 and 7000 ones repeat the eth1 section)
iptables -I INPUT -i eth1 -p tcp --dport 6666:6670 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 7000 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 4000 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 6112:6119 -j ACCEPT
iptables -I INPUT -i eth1 -p udp --dport 4000 -j ACCEPT
iptables -I INPUT -i eth1 -p udp --dport 6112:6119 -j ACCEPT

#-------------------------
# Program routing
#-------------------------
# Direct Connect sharing (one DNAT per protocol covers the whole range;
# DNAT without a port keeps the original destination port)
iptables -I FORWARD -i eth1 -p tcp --dport 4120:4121 -j ACCEPT
iptables -I FORWARD -i eth1 -p udp --dport 4120:4121 -j ACCEPT
iptables -A PREROUTING -t nat -i eth1 -p tcp --dport 4120:4121 -j DNAT --to 192.168.1.111
iptables -A PREROUTING -t nat -i eth1 -p udp --dport 4120:4121 -j DNAT --to 192.168.1.111

# eMule routing
iptables -I FORWARD -i ppp0 -p tcp --dport 4662 -j ACCEPT
iptables -I FORWARD -i ppp0 -p udp --dport 4672 -j ACCEPT
iptables -I FORWARD -i ppp0 -p udp --dport 4665 -j ACCEPT
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 4662 -j DNAT --to 192.168.1.111:4662
iptables -A PREROUTING -t nat -i ppp0 -p udp --dport 4672 -j DNAT --to 192.168.1.111:4672
iptables -A PREROUTING -t nat -i ppp0 -p udp --dport 4665 -j DNAT --to 192.168.1.111:4665

# BitTorrent routing (a single range DNAT replaces nine one-port-per-rule DNATs)
iptables -I FORWARD -i ppp0 -p tcp --dport 6881:6889 -j ACCEPT
iptables -I FORWARD -i ppp0 -p udp --dport 6881:6889 -j ACCEPT
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 6881:6889 -j DNAT --to 192.168.1.111

#-----------------------------------
# Sharing for host nk, IP 10.133.8.1
#-----------------------------------
# General rules
iptables -I INPUT -i eth1 -s 10.133.8.1 -j ACCEPT
#iptables -t nat -A POSTROUTING -s 10.133.8.1/32 -d 192.168.2.0/24 -o eth1 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.133.8.1 -o ppp0 -j MASQUERADE
#iptables -I FORWARD -i eth1 -s 10.133.8.1 -j ACCEPT
# IRC
iptables -I FORWARD -i eth1 -s 10.133.8.1 -p tcp --dport 6666:6670 -j ACCEPT
iptables -I FORWARD -i eth1 -s 10.133.8.1 -p tcp --dport 7000 -j ACCEPT
iptables -I FORWARD -i eth1 -s 10.133.8.1 -p udp --dport 6666:6670 -j ACCEPT
iptables -I FORWARD -i eth1 -s 10.133.8.1 -p udp --dport 7000 -j ACCEPT
# Battle.net
iptables -I FORWARD -i eth1 -s 10.133.8.1 -p tcp --dport 4000 -j ACCEPT
iptables -I FORWARD -i eth1 -s 10.133.8.1 -p udp --dport 4000 -j ACCEPT
iptables -I FORWARD -i eth1 -s 10.133.8.1 -p tcp --dport 6112:6119 -j ACCEPT
iptables -I FORWARD -i eth1 -s 10.133.8.1 -p udp --dport 6112:6119 -j ACCEPT
# FTP and web
iptables -I FORWARD -i eth1 -s 10.133.8.1 -p tcp --dport 20:21 -j ACCEPT
iptables -I FORWARD -i eth1 -s 10.133.8.1 -p udp --dport 20:21 -j ACCEPT
iptables -I FORWARD -i eth1 -s 10.133.8.1 -p tcp --dport 80 -j ACCEPT
iptables -I FORWARD -i eth1 -s 10.133.8.1 -p udp --dport 80 -j ACCEPT

Thank you very much
-- Sebastien Rodriguez
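Before re-creating a rule set like this on another firewall, it helps to have an inventory of exactly what it opens: which inbound ports per interface, which DNAT port forwards, and which rules are dead weight. The script below is an added example, not part of the post and not anything m0n0wall ships; it parses a constructed excerpt of iptables commands in the same shape as the ones above (the `SAMPLE_SCRIPT` string is made up for the example, with the mailer's link residue removed), lists the forwards and inbound openings, and flags two slips that are easy to make in a long hand-written script: exact duplicate rules, and a DNAT with no matching FORWARD ACCEPT rule, which silently never passes traffic. It only understands the options used here and does not model chain ordering.

```python
import shlex
from collections import Counter

# Constructed excerpt of an iptables script in the same shape as the posted one.
SAMPLE_SCRIPT = """
iptables -F
iptables -t nat -F
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
iptables -A INPUT -i ppp0 -m state --state NEW,INVALID -j DROP
iptables -I INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
iptables -I INPUT -i ppp0 -p tcp --dport 20:21 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 7000 -j ACCEPT
iptables -I INPUT -i eth1 -p tcp --dport 7000 -j ACCEPT
iptables -I FORWARD -i ppp0 -p tcp --dport 6881:6889 -j ACCEPT
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 6881 -j DNAT --to 192.168.1.111:6881
iptables -A PREROUTING -t nat -i ppp0 -p tcp --dport 6882 -j DNAT --to 192.168.1.111:6882
iptables -A PREROUTING -t nat -i ppp0 -p udp --dport 4672 -j DNAT --to 192.168.1.111:4672
"""

# iptables options this example understands -> key in the parsed rule dict
OPTIONS = {"-t": "table", "-A": "chain", "-I": "chain", "-i": "in", "-o": "out",
           "-p": "proto", "-s": "src", "-d": "dst", "-j": "target",
           "--dport": "dport", "--to": "to", "--state": "state"}


def parse_rule(line):
    """Parse one 'iptables ...' command into a dict; None for flushes, comments, blanks."""
    toks = shlex.split(line.split("#", 1)[0])
    if not toks or toks[0] != "iptables":
        return None
    rule = {"table": "filter"}          # iptables' default table when -t is absent
    i = 1
    while i < len(toks):
        if toks[i] in OPTIONS and i + 1 < len(toks):
            rule[OPTIONS[toks[i]]] = toks[i + 1]
            i += 2
        else:
            i += 1                      # -F, -m state, ... carry nothing we need
    return rule if "chain" in rule else None


def port_in_range(port, spec):
    """True if a single port lies inside an iptables port spec such as '80' or '6881:6889'."""
    lo, _, hi = spec.partition(":")
    return int(lo) <= int(port) <= int(hi or lo)


def summarize(script):
    """Inventory port forwards and inbound openings, and flag duplicate rules
    and DNATs that no FORWARD ACCEPT rule lets through."""
    rules = [r for r in map(parse_rule, script.splitlines()) if r]
    forwards = [(r["in"], r["proto"], r["dport"], r["to"])
                for r in rules if r.get("target") == "DNAT"]
    inbound = {}
    for r in rules:
        if r["chain"] == "INPUT" and r.get("target") == "ACCEPT" and "dport" in r:
            inbound.setdefault(r.get("in", "any"), []).append((r["proto"], r["dport"]))
    counts = Counter(tuple(sorted(r.items())) for r in rules)
    duplicates = [dict(k) for k, n in counts.items() if n > 1]
    accepts = [r for r in rules if r["chain"] == "FORWARD" and r.get("target") == "ACCEPT"]
    unforwarded = [f for f in forwards
                   if not any(a.get("in") == f[0] and a.get("proto") == f[1]
                              and "dport" in a and port_in_range(f[2], a["dport"])
                              for a in accepts)]
    return {"forwards": forwards, "inbound": inbound,
            "duplicates": duplicates, "unforwarded": unforwarded}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_SCRIPT).items():
        print(f"{key}: {value}")
```

Run on the sample, the report lists three DNAT forwards, the per-interface inbound openings (the two identical tcp/7000 rules on eth1 show up both there and under `duplicates`), and one `unforwarded` entry: the udp/4672 DNAT has no FORWARD ACCEPT covering it, so with a REJECT or DROP on new forwarded connections it never passes anything. That is precisely the kind of thing to check before reproducing a rule set on m0n0wall, where each port forward and its matching firewall rule are separate entries.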