NAT Proxy Script for a 3G Modem
First make sure the 3G connection is up and working. One of the easiest ways to get there is the Vodafone Mobile Connect Card Driver For Linux.
Only then can we run this Internet Connection Sharing script. The full contents of the script are given below. To start the script:
# ./script.sh start
To stop it:
# ./script.sh stop
To have script.sh start automatically when the computer boots, save the script in a directory such as /root and add the following command to /etc/rc.local:
/root/script.sh start
The contents of script.sh are shown below. Three parameters need your attention:
- UPLINK
- NAT
- INTERFACES
Make sure all three are filled in correctly.
Internet Connection Sharing Script
#!/bin/bash
# From: AHK <akuhon@kompas.com>
# To: linux-admin@linux.or.id
# Save this file and activate through
#     file_name start
# and de-activate through
#     file_name stop
#
# This firewall-script can be used for workstation, laptop, router
# or server that are not running network service (such as web server, ftp
# server etc)

# change the parameter UPLINK with Interface device to the Internet.
# In our case WLAN router with NIC wlan0 connected to the Internet
# and LAN connection with eth0.
# if you use dial-up modem, you might use ppp0 as your UPLINK
UPLINK="ppp0"

# if you run the gateway as router and forward IP packet between eth devices
# please fill "yes", if not, please fill "no"
ROUTER="yes"

# Please change 192.168.1.100 to your static IP address of UPLINK device.
# For those who use dial-up or dynamic IP, please enter "dynamic".
# NAT="192.168.1.100"
NAT="dynamic"

# please list all network interfaces including eth devices
# as well as dial-up interface such as ppp0
INTERFACES="lo eth0 eth1 eth2 ppp0"

if [ "$1" = "start" ]
then
    echo "Activate Firewall ..... "
    /sbin/iptables -F
    /sbin/iptables -P INPUT DROP
    # accept everything arriving on any interface other than the uplink
    /sbin/iptables -A INPUT ! -i ${UPLINK} -j ACCEPT
    # inbound SMTP (port 25) from the Internet is accepted; remove this line
    # if no mail server runs on this host
    /sbin/iptables -A INPUT -i ${UPLINK} -p tcp -s 0/0 --dport 25 -j ACCEPT
    /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    /sbin/iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
    /sbin/iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable

    # turn off packet spoofing in all interfaces (reverse-path filter);
    # interfaces that do not exist yet (e.g. ppp0 before dial-in) are skipped
    for x in ${INTERFACES}
    do
        if [ -d /proc/sys/net/ipv4/conf/${x} ]
        then
            echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
        fi
    done

    if [ "$ROUTER" = "yes" ]
    then
        # Activate IP forwarding at router
        echo 1 > /proc/sys/net/ipv4/ip_forward
        # flush old NAT rules so a repeated "start" does not add duplicates
        /sbin/iptables -t nat -F POSTROUTING
        if [ "$NAT" = "dynamic" ]
        then
            # Dynamic IP address, activate Masquerading
            echo "Activate Masquerading (Dynamic IP) ...."
            /sbin/iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
        elif [ "$NAT" != "" ]
        then
            # Static IP address use source NAT
            echo "Activate SNAT (static IP) ...."
            /sbin/iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${NAT}
        fi
    fi
elif [ "$1" = "stop" ]
then
    echo "Deactivate Firewall ..."
    /sbin/iptables -F INPUT
    /sbin/iptables -P INPUT ACCEPT
    /sbin/iptables -F FORWARD
    /sbin/iptables -P FORWARD ACCEPT
    /sbin/iptables -F OUTPUT
    /sbin/iptables -P OUTPUT ACCEPT
    # Turn off NAT or MASQUERADING
    /sbin/iptables -t nat -F POSTROUTING
fi
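As an added example (not part of the wiki's script.sh), a POSIX sh helper that checks the three parameters before any iptables rule is applied: UPLINK must appear in INTERFACES, NAT must be "dynamic" or a dotted-quad IPv4 address, and every listed interface must actually exist, since the script's rp_filter loop writes to /proc/sys/net/ipv4/conf/<iface>/ for each name. The function names and the fake sysfs directory used in the demonstration are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the wiki's script.sh): sanity-check UPLINK, NAT and INTERFACES.
# valid_ipv4 ADDR -> 0 if ADDR is exactly four dot-separated octets in 0..255
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*|'') return 1 ;;
    esac
    set -- $(IFS=.; echo $1)        # split on dots into positional parameters
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# uplink_listed UPLINK "INTERFACES" -> 0 if UPLINK is one of the listed names
uplink_listed() {
    for i in $2; do
        [ "$i" = "$1" ] && return 0
    done
    return 1
}

# missing_interfaces "INTERFACES" [SYSROOT] -> prints names with no entry under
# SYSROOT (default /sys/class/net); the wiki script's rp_filter loop fails on those
missing_interfaces() {
    _root="${2:-/sys/class/net}"; _missing=""
    for i in $1; do
        [ -e "$_root/$i" ] || _missing="$_missing $i"
    done
    echo "${_missing# }"
}

# check_config UPLINK NAT "INTERFACES" [SYSROOT] -> 0 if all three look sane,
# otherwise 1 with one diagnostic per problem on stderr
check_config() {
    _ok=0
    uplink_listed "$1" "$3" || { echo "UPLINK '$1' is not in INTERFACES" >&2; _ok=1; }
    if [ "$2" != "dynamic" ] && ! valid_ipv4 "$2"; then
        echo "NAT must be 'dynamic' or a dotted-quad IPv4, got '$2'" >&2; _ok=1
    fi
    _m=$(missing_interfaces "$3" "$4")
    [ -z "$_m" ] || { echo "interfaces not present: $_m" >&2; _ok=1; }
    return $_ok
}
# Demonstration against a constructed fake sysfs tree, not the live system:
# the page's default INTERFACES lists eth1 and eth2, which are absent here.
FAKE=$(mktemp -d); mkdir "$FAKE/lo" "$FAKE/eth0" "$FAKE/ppp0"
check_config "ppp0" "dynamic" "lo eth0 eth1 eth2 ppp0" "$FAKE" || echo "fix the parameters before 'script.sh start'"
rm -r "$FAKE"
```

Drop the SYSROOT argument to check against the real /sys/class/net on the gateway itself.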