IPTABLES Scenario 2.1 - Transparent Proxy

Example 2

In this example, we share the internet connection with the LAN side on a set of allowed ports only. A transparent proxy is used: traffic from the LAN to port 80 is redirected to the proxy listening on port 3128.

# NAT Table
*nat
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j SNAT --to 203.189.11.73
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed on Tue Oct 11 20:53:45 2005

# Generated by iptables-save v1.3.0 on Tue Oct 11 20:53:45 2005
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -d 0/0 -m state --state NEW -p tcp -m multiport --dport smtp,pop3,imap,6301,443,5100,13,554,1101,8080,5900,5901,5902 -o eth0 -i eth1 -j ACCEPT
-A FORWARD -s 192.168.0.0/24 -d 0/0 -m state --state NEW -p icmp -o eth0 -i eth1 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# SSH Access from outside
-A INPUT -s 203.189.xxx.5 -i eth0 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# Application Access from LAN
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 1101 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 631 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 554 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 445 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 139 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p udp -m state --state NEW -m udp --dport 137 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p udp -m state --state NEW -m udp --dport 138 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p udp -m state --state NEW -m udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p icmp -m state --state NEW -m icmp -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state INVALID -j DROP
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Logging
-A INPUT -j LOG
-A OUTPUT -j LOG
-A FORWARD -j LOG
COMMIT
# Completed on Tue Oct 11 20:53:45 2005
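As an added example (not part of the original page), the following Python script parses a dump in the iptables-save format shown above and checks the properties this scenario depends on: the tcp/80 REDIRECT exists and is limited to the LAN interface, INPUT and FORWARD default to DROP, and the proxy port is accepted only from the LAN. The last check matters because a REDIRECTed packet is still delivered through the INPUT chain with destination port 3128, so without the LAN rule for 3128 the redirected traffic is dropped, and with a looser rule the proxy is reachable from outside. The SAMPLE ruleset is a constructed, reduced copy of the rules above; the LAN interface and network are assumed to be eth1 and 192.168.0.0/24 as in the scenario.

```python
import shlex
# Constructed sample in iptables-save format, reduced to what the audit needs.
SAMPLE = """\
*nat
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A INPUT -s 192.168.0.0/255.255.255.0 -i eth1 -p tcp -m state --state NEW -m tcp --dport 3128 -j ACCEPT
COMMIT"""

def parse_save(text):
    tables, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("*"):                      # table header
            cur = tables.setdefault(line[1:], {"policy": {}, "rules": []})
        elif line.startswith(":"):                    # chain default policy
            chain, policy = line[1:].split()[:2]
            cur["policy"][chain] = policy
        elif line.startswith("-A "):                  # rule: option/value pairs into a dict
            toks = shlex.split(line)
            rule, i = {"chain": toks[1]}, 2
            while i < len(toks):
                has_val = i + 1 < len(toks) and not toks[i + 1].startswith("-")
                rule[toks[i]] = toks[i + 1] if has_val else True
                i += 2 if has_val else 1
            cur["rules"].append(rule)
    return tables

def audit(text, lan_if="eth1", lan_net="192.168.0.0/255.255.255.0"):
    t, findings = parse_save(text), []
    nat, flt = t.get("nat", {"rules": []})["rules"], t.get("filter", {"policy": {}, "rules": []})
    red = [r for r in nat if r["chain"] == "PREROUTING" and r.get("-j") == "REDIRECT"
           and r.get("-p") == "tcp" and r.get("--dport") == "80"]
    if not red:
        findings.append("no PREROUTING REDIRECT for tcp/80")
    elif red[0].get("-i") != lan_if:
        findings.append("tcp/80 REDIRECT is not limited to the LAN interface")
    proxy_port = red[0].get("--to-ports") if red else None
    findings += [f"{c} policy is not DROP" for c in ("INPUT", "FORWARD")
                 if flt["policy"].get(c) != "DROP"]
    # REDIRECTed packets still traverse INPUT with dport == proxy port: accept it from the LAN only.
    proxy_rules = [r for r in flt["rules"] if proxy_port and r["chain"] == "INPUT"
                   and r.get("-j") == "ACCEPT" and r.get("--dport") == proxy_port]
    if proxy_port and not any(r.get("-i") == lan_if and r.get("-s") == lan_net for r in proxy_rules):
        findings.append(f"proxy port {proxy_port} not accepted from the LAN")
    findings += [f"proxy port {proxy_port} accepted outside the LAN" for r in proxy_rules
                 if r.get("-i") != lan_if or r.get("-s") != lan_net]
    return findings
```

Run it against the output of `iptables-save` on the gateway; an empty list means the scenario's properties hold, and each string in the list names a deviation.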