PGF server

By Mohammad Mahmudul Hasan

NAT, Firewall, Proxy

1st Step: Set up the IP addresses on the interfaces

auto lo

iface lo inet loopback

auto eth0

iface eth0 inet static

address 221.120.99.72

netmask 255.255.255.224

network 221.120.99.64

gateway 221.120.99.65

auto eth1

iface eth1 inet static

address 192.168.100.1

netmask 255.255.255.0

auto eth1:0

iface eth1:0 inet static

address 192.168.0.1

netmask 255.255.255.0

auto eth1:1

iface eth1:1 inet static

OR, using a named alias:
auto eth1:aknet
iface eth1:aknet inet static

address 192.168.110.1

netmask 255.255.255.0

2nd Step: Squid Configuration

  1. apt-get   install squid
  2. vi   /etc/squid/squid.conf

3rd Step: Rules.sh Configuration

  1. vi   /etc/init.d/rules.sh   (or any file name of your choice)

#!/bin/sh

any=0.0.0.0/0.0.0.0

local_net=192.168.0.0/24

echo 1 > /proc/sys/net/ipv4/ip_forward

#echo 163760 > /proc/sys/net/ipv4/ip_conntrack_max

#echo 3072 > /proc/sys/net/ipv4/neigh/default/gc_thresh1

#echo 4608 > /proc/sys/net/ipv4/neigh/default/gc_thresh2

#echo 6144 > /proc/sys/net/ipv4/neigh/default/gc_thresh3

########################### Flush all rules ###############################

/sbin/iptables -F   # Flush all rules in the filter table (INPUT, OUTPUT, FORWARD chains)

/sbin/iptables -F INPUT

/sbin/iptables -F OUTPUT

/sbin/iptables -F FORWARD

/sbin/iptables -F -t nat

########################## Set default policy ############################

iptables -P INPUT ACCEPT   (or: iptables --policy INPUT ACCEPT)
# Accept all incoming packets from the internet to the gateway server itself. With an ACCEPT policy the
# gateway is protected only by the explicit DROP rules that follow, so their order matters.
iptables -P OUTPUT ACCEPT
# Accept all output from the gateway server to the internet.
iptables -P FORWARD DROP
# Drop all forwarded packets by default; only traffic matched by an ACCEPT rule below is forwarded.

################# Accept all internal communications with loop back ############

/sbin/iptables -A INPUT -j ACCEPT -i lo

/sbin/iptables -A OUTPUT -o lo -p all -j ACCEPT

######################## Rules for external interface ########################
# NOTE: iptables stops at the first matching rule. The three catch-all ACCEPT rules below match every
# packet arriving on eth0, eth1 and ppp+ (on typical systems -p ip resolves to protocol 0, i.e. all), so
# the DROP rules further down this script (unnecessary ports, trojan ports, IP/URL block) never take
# effect on INPUT unless they are moved above these lines; the same applies to FORWARD once the catch-all
# ACCEPT rules of the next section are in place.

/sbin/iptables -A INPUT -p ip -i eth0 -j ACCEPT

/sbin/iptables -A INPUT -p ip -i eth1 -j ACCEPT

/sbin/iptables -A INPUT -p ip -i ppp+ -j ACCEPT

##################### Accept Forwarding WAN interface ####################

iptables -A FORWARD -i eth0 -j ACCEPT
# Allow all packets from a local PC to the internet, connected through the gateway server.
# NOTE: -i eth0 matches packets that *arrive* on eth0, the public interface from step 1, i.e. traffic
# coming from the internet towards the LAN; packets from local PCs arrive on eth1, so the intent described
# above presumably needs -i eth1 -o eth0 instead.

iptables -A FORWARD -s 0/0 -d 0/0 -j ACCEPT
# Allow all packets from a local PC to the internet, connected through the gateway server.
# NOTE: with -s 0/0 -d 0/0 this accepts forwarding in every direction, which cancels the FORWARD DROP
# policy set above.

iptables -A FORWARD -s 192.168.100.0/24 -d 0/0 -j ACCEPT
# Allow all packets from the 192.168.100.0/24 local PC block to all destinations (internet).

iptables -A FORWARD -s 192.168.100.2/32 -d 4.2.2.2 -j ACCEPT   # Allow all packets from local PC 192.168.100.2 only to destination 4.2.2.2

########################   MAC base firewall   ############################

iptables -A FORWARD -s 192.168.100.2 -d 0/0 -m mac --mac-source 00:02:21:D4:C2:11 -j ACCEPT
# Allow packets from a single local PC (IP 192.168.100.2 and MAC 00:02:21:D4:C2:11) to all destinations
# (internet). The MAC match only sees the source MAC on the segment where the packet enters the gateway,
# so it is meaningful for hosts directly attached to eth1, not for traffic arriving through another router.

##########################   Rules for PPP interface   ######################

/sbin/iptables -A INPUT -p ip -i ppp+ -j ACCEPT

/sbin/iptables -A OUTPUT -p ip -o ppp+ -j ACCEPT

/sbin/iptables -A FORWARD -p ip -i ppp+ -j ACCEPT

####################### Rules for unnecessary ports ######################

NETBIOS_TCP="135,136,137,138,139,445,3127,3198,5100,5001"

NETBIOS_UDP="60,66,72,78,100,135,136,137,138,139,5100,5001"

/sbin/iptables -A INPUT -s 0/0 -p tcp -m multiport --dport $NETBIOS_TCP -j DROP

/sbin/iptables -A INPUT -s 0/0 -p udp -m multiport --dport $NETBIOS_UDP -j DROP

/sbin/iptables -A FORWARD -s 0/0 -p tcp -m multiport --dport $NETBIOS_TCP -j DROP

/sbin/iptables -A FORWARD -s 0/0 -p udp -m multiport --dport $NETBIOS_UDP -j DROP

########################### Trojan Block ###################

TROJAN_PORTS_TCP="12345,12346,1524,27665,31337,19006,3969,9996,5554"

TROJAN_PORTS_UDP="12345,12346,27444,31337,19006,3969,9996,5554"

/sbin/iptables -A INPUT -p tcp -s 0/0 -m multiport --dport $TROJAN_PORTS_TCP -j DROP

/sbin/iptables -A INPUT -p udp -s 0/0 -m multiport --dport $TROJAN_PORTS_UDP -j DROP

/sbin/iptables -A FORWARD -p tcp -s 0/0 -m multiport --dport $TROJAN_PORTS_TCP -j DROP

/sbin/iptables -A FORWARD -p udp -s 0/0 -m multiport --dport $TROJAN_PORTS_UDP -j DROP

######################## Block Sasser worm  ################

#/sbin/iptables -A INPUT -p tcp --dport 9996 -s 0/0 -d 0/0 -j DROP

#/sbin/iptables -A INPUT -p tcp --dport 5554 -s 0/0 -d 0/0 -j DROP

####################### Allow ping replies on BOTH interface ################

iptables -A INPUT -p ICMP -i eth0 -j ACCEPT

iptables -A INPUT -p ICMP -i eth1 -j ACCEPT

#################### Open ftp port OUTSIDE interface ######################
# NOTE: FTP (21) and SSH (22) are TCP services; the udp lines here and in the next section have no effect
# on those services.

iptables -A INPUT -p tcp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 21 -j ACCEPT
iptables -A INPUT -p udp -i eth1 --dport 21 -j ACCEPT

################## Open secure shell port BOTH Interfaces ##################

iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -i eth1 --dport 22 -j ACCEPT
iptables -A INPUT -p udp -i eth1 --dport 22 -j ACCEPT

######################### IP / URL block ###############
# NOTE: a hostname such as facebook.com is resolved to IP addresses once, when the rule is loaded; only
# those addresses are blocked, so a site served from many or changing addresses is not fully blocked.
# Name-based blocking is more reliably done in the proxy (squid).

iptables -A INPUT -s 192.168.0.5/32 -d 0/0 -j DROP

iptables -A FORWARD -s 192.168.0.5/32 -d 0/0 -j DROP

iptables -A INPUT -s 0/0  -d 192.168.2.11/32 -j DROP

iptables -A FORWARD -s 0/0 -d 192.168.2.11/32  -j DROP

iptables -A INPUT -s 192.168.0.0/24 -d facebook.com  -p tcp --dport 443 -j DROP

iptables -A FORWARD -s 192.168.0.0/24 -d facebook.com  -p tcp --dport 443 -j DROP

########################## Proxy rules #################
# Transparent proxy: web traffic (port 80) from the 192.168.0.0/24 LAN is redirected to the proxy on this
# gateway. The --to-port value must match the port squid listens on (http_port in /etc/squid/squid.conf,
# edited in step 2); this line uses 8080 while the DNAT example at the end of the script uses 3128.

/sbin/iptables -t nat -A PREROUTING -p tcp -i eth1 -s 192.168.0.0/24 --dport 80 -j REDIRECT --to-port 8080

######################## Rules for NAT / Masquerading ####

#iptables -t   nat   -A   POSTROUTING   -s   192.168.100.0/24 -o eth0 -j   MASQUERADE

#/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE -s ${any} -d ${any}

#/sbin/iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE -s ${local_net} -d ${any}

/sbin/iptables -t nat -A POSTROUTING -s 192.168.100.0/24 -d 0/0 -j SNAT --to-source 221.120.99.72   # without proxy

/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -d 0/0 -j SNAT --to-source 221.120.99.72   # using proxy server

# iptables -t nat -A PREROUTING -i eth1 -p tcp -d 0/0 --dport 80 -j DNAT --to 192.168.0.3:3128
# 192.168.0.1 is the gateway and 192.168.0.3 is the proxy server

  2. chmod 744 rules.sh OR chmod +x rules.sh — give execute permission to the file rules.sh.
  3. /etc/init.d/rules.sh — run the script once to load the rules.

  4. Execute the rules file (rules.sh, or e.g. sonic) at machine startup.

Debian

ln -s /etc/init.d/rules.sh /etc/rc2.d/S98rules.sh   # run this file during startup.

Red Hat

[#] cp rules.sh /usr/bin/rules.sh   # so the script can be started by its file name (e.g. sonic).

[#] vi /etc/rc.local
rules.sh        (add this line, then save and quit with :x!)
