Difference between revisions of "Script NAT Proxy"
Jump to navigation
Jump to search
Onnowpurbo (talk | contribs) (New page: ==Contoh script NAT / Proxy== Untuk menjalankan # ./script.sh start Untuk mematikan # ./script.sh stop Isi script.sh adalah ---- #!/bin/bash # From: AHK <akuhon@kompas.com> # ...) |
Onnowpurbo (talk | contribs) |
||
| Line 16: | Line 16: | ||
---- | ---- | ||
| − | #!/bin/bash | + | #!/bin/bash |
| − | # From: AHK <akuhon@kompas.com> | + | # From: AHK <akuhon@kompas.com> |
| − | # To: linux-admin@linux.or.id | + | # To: linux-admin@linux.or.id |
| − | # Save this file and activate through # file_name start | + | # Save this file and activate through # file_name start |
| − | # and de-activate through # file_name stop | + | # and de-activate through # file_name stop |
| − | # This firewall-script can be used for workstation, laptop, router | + | # This firewall-script can be used for workstation, laptop, router |
| − | # or server that are not running network service (such as web server, ftp | + | # or server that are not running network service (such as web server, ftp |
| − | # server etc) | + | # server etc) |
| − | # change the parameter UPLINK with Interface device to the Internet. | + | # change the parameter UPLINK with Interface device to the Internet. |
| − | # In our case WLAN router with NIC wlan0 connected to the Internet | + | # In our case WLAN router with NIC wlan0 connected to the Internet |
| − | # and LAN connection with eth0. | + | # and LAN connection with eth0. |
| − | # if you use dial-up modem, you might use ppp0 as your UPLINK | + | # if you use dial-up modem, you might use ppp0 as your UPLINK |
| − | UPLINK="eth1" | + | UPLINK="eth1" |
| − | # if you run the gateway as router and forward IP packet between eth devices | + | # if you run the gateway as router and forward IP packet between eth devices |
| − | # please fill .yes., if not, please fill .no. | + | # please fill .yes., if not, please fill .no. |
| − | ROUTER="no" | + | ROUTER="no" |
| − | # Please change 202.150.10.45 to your static IP address of UPLINK device. | + | # Please change 202.150.10.45 to your static IP address of UPLINK device. |
| − | # For those who use dial-up or dynamic IP, please enter .dynamic. | + | # For those who use dial-up or dynamic IP, please enter .dynamic. |
| − | # NAT="192.168.1.100" | + | # NAT="192.168.1.100" |
| − | NAT="dynamic" | + | NAT="dynamic" |
| − | # please list all network interfaces including eth devices | + | # please list all network interfaces including eth devices |
| − | # as well as dial-up interface such as ppp0 | + | # as well as dial-up interface such as ppp0 |
| − | INTERFACES="lo eth0 eth1 eth2" | + | INTERFACES="lo eth0 eth1 eth2" |
| − | if [ "$1" = "start" ] | + | if [ "$1" = "start" ] |
| − | + | then | |
| − | + | echo "Activate Firewall ..... " | |
| − | + | /sbin/iptables -F | |
| − | + | /sbin/iptables -P INPUT DROP | |
| − | + | /sbin/iptables -A INPUT -p tcp -i eth0 --destination-port 25 -s ! 192.168.0.1 -j DROP | |
| − | + | /sbin/iptables -A INPUT -p tcp -i eth1 --destination-port 25 -s ! 192.168.0.1 -j DROP | |
| − | + | /sbin/iptables -A INPUT -i ! ${UPLINK} -j ACCEPT | |
| − | + | /sbin/iptables -A INPUT -i ${UPLINK} -p tcp -s 0/0 --dport 25 -j ACCEPT | |
| − | + | /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT | |
| − | + | /sbin/iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset | |
| − | + | /sbin/iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable | |
| − | /sbin/iptables -A FORWARD -p tcp --destination-port 25 -s ! 192.168.0.1 -j DROP | + | /sbin/iptables -A FORWARD -p tcp --destination-port 25 -s ! 192.168.0.1 -j DROP |
| − | # block bad sites | + | # block bad sites |
| − | /sbin/iptables -I INPUT -s 68.178.211.34 -j DROP | + | /sbin/iptables -I INPUT -s 68.178.211.34 -j DROP |
| − | /sbin/iptables -I INPUT -d 68.178.211.34 -j DROP | + | /sbin/iptables -I INPUT -d 68.178.211.34 -j DROP |
| − | /sbin/iptables -I INPUT -s 64.27.5.168 -j DROP | + | /sbin/iptables -I INPUT -s 64.27.5.168 -j DROP |
| − | /sbin/iptables -I INPUT -d 64.27.5.168 -j DROP | + | /sbin/iptables -I INPUT -d 64.27.5.168 -j DROP |
| + | # turn off packet spoofing in all interfaces | ||
| + | for x in ${INTERFACES} | ||
| + | do | ||
| + | echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter | ||
| + | done | ||
| + | if [ "$ROUTER" = "yes" ] | ||
| + | then | ||
| + | # Activate IP forwarding at router | ||
| + | echo 1 > /proc/sys/net/ipv4/ip_forward | ||
| + | if [ "$NAT" = "dynamic" ] | ||
| + | then | ||
| + | # Dynamic IP address, activate Masquerading | ||
| + | echo "Activate Masquerading (Dynamic IP) ...." | ||
| + | /sbin/iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE | ||
| + | elif [ "$NAT" != "" ] | ||
| + | then | ||
| + | # Static IP address use source NAT | ||
| + | echo "Activate SNAT (static IP) ...." | ||
| + | /sbin/iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${NAT} | ||
| + | fi | ||
| + | # echo "Activate Port Forwarding .." | ||
| + | # /sbin/iptables -t nat -A PREROUTING -i ${UPLINK} -m multiport -p tcp \ | ||
| + | # --dport 25 -d ${NAT} -j DNAT --to 192.168.0.1:25 | ||
| + | # /sbin/iptables -A FORWARD -i ${UPLINK} -m multiport -p tcp -d 192.168.0.1 \ | ||
| + | # --dport 25 -j ACCEPT | ||
| − | + | fi | |
| − | + | elif [ "$1" = "stop" ] | |
| − | + | then | |
| − | + | echo "Deactivate Firewall ..." | |
| − | + | /sbin/iptables -F INPUT | |
| − | + | /sbin/iptables -P INPUT ACCEPT | |
| − | + | /sbin/iptables -F FORWARD | |
| − | + | /sbin/iptables -P FORWARD ACCEPT | |
| − | + | /sbin/iptables -F OUTPUT | |
| − | + | /sbin/iptables -P OUTPUT ACCEPT | |
| − | + | # Turn off NAT or MASQUERADING | |
| − | + | /sbin/iptables -t nat -F POSTROUTING | |
| − | + | fi | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | fi | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | fi | ||
Revision as of 15:06, 11 February 2008
Contoh script NAT / Proxy
Untuk menjalankan
# ./script.sh start
Untuk mematikan
# ./script.sh stop
Isi script.sh adalah
#!/bin/bash
# From: AHK <akuhon@kompas.com> # To: linux-admin@linux.or.id
# Save this file and activate through # file_name start # and de-activate through # file_name stop
# This firewall-script can be used for workstation, laptop, router # or server that are not running network service (such as web server, ftp # server etc)
# change the parameter UPLINK with Interface device to the Internet. # In our case WLAN router with NIC wlan0 connected to the Internet # and LAN connection with eth0. # if you use dial-up modem, you might use ppp0 as your UPLINK
UPLINK="eth1"
# if you run the gateway as router and forward IP packet between eth devices # please fill .yes., if not, please fill .no.
ROUTER="no"
# Please change 202.150.10.45 to your static IP address of UPLINK device. # For those who use dial-up or dynamic IP, please enter .dynamic.
# NAT="192.168.1.100"
NAT="dynamic"
# please list all network interfaces including eth devices # as well as dial-up interface such as ppp0
INTERFACES="lo eth0 eth1 eth2"
if [ "$1" = "start" ] then echo "Activate Firewall ..... " /sbin/iptables -F /sbin/iptables -P INPUT DROP /sbin/iptables -A INPUT -p tcp -i eth0 --destination-port 25 -s ! 192.168.0.1 -j DROP /sbin/iptables -A INPUT -p tcp -i eth1 --destination-port 25 -s ! 192.168.0.1 -j DROP
/sbin/iptables -A INPUT -i ! ${UPLINK} -j ACCEPT
/sbin/iptables -A INPUT -i ${UPLINK} -p tcp -s 0/0 --dport 25 -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
/sbin/iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable
/sbin/iptables -A FORWARD -p tcp --destination-port 25 -s ! 192.168.0.1 -j DROP
# block bad sites
/sbin/iptables -I INPUT -s 68.178.211.34 -j DROP /sbin/iptables -I INPUT -d 68.178.211.34 -j DROP
/sbin/iptables -I INPUT -s 64.27.5.168 -j DROP /sbin/iptables -I INPUT -d 64.27.5.168 -j DROP
# turn off packet spoofing in all interfaces
for x in ${INTERFACES}
do
echo 1 > /proc/sys/net/ipv4/conf/${x}/rp_filter
done
if [ "$ROUTER" = "yes" ]
then
# Activate IP forwarding at router
echo 1 > /proc/sys/net/ipv4/ip_forward
if [ "$NAT" = "dynamic" ]
then
# Dynamic IP address, activate Masquerading
echo "Activate Masquerading (Dynamic IP) ...."
/sbin/iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
elif [ "$NAT" != "" ]
then
# Static IP address use source NAT
echo "Activate SNAT (static IP) ...."
/sbin/iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${NAT}
fi
# echo "Activate Port Forwarding .."
# /sbin/iptables -t nat -A PREROUTING -i ${UPLINK} -m multiport -p tcp \
# --dport 25 -d ${NAT} -j DNAT --to 192.168.0.1:25
# /sbin/iptables -A FORWARD -i ${UPLINK} -m multiport -p tcp -d 192.168.0.1 \
# --dport 25 -j ACCEPT
fi
elif [ "$1" = "stop" ]
then
echo "Deactivate Firewall ..."
/sbin/iptables -F INPUT
/sbin/iptables -P INPUT ACCEPT
/sbin/iptables -F FORWARD
/sbin/iptables -P FORWARD ACCEPT
/sbin/iptables -F OUTPUT
/sbin/iptables -P OUTPUT ACCEPT
# Turn off NAT or MASQUERADING
/sbin/iptables -t nat -F POSTROUTING
fi