nixCraft Linux Forum


will this work?



#1
03-28-2007, 01:02 PM
mudfish (Junior Member; Join Date: Mar 2007; Posts: 1)
will this work?

Hi nixCraft,

It is obvious that I am really new to Linux, so I will paste this script that I have modified for you to analyze (because I don't want to mess with my Linux gateway again and again). I know I am really pissing you off right now, but I guess I just want to LEARN.

Code:
#!/bin/sh
# ------------------------------------------------------------------------------------
# See URL: http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html
# (c) 2006, nixCraft under GNU/GPL v2.0+
# -------------------------------------------------------------------------------------
# squid server IP
SQUID_SERVER="192.168.1.1"
# Interface connected to Internet
INTERNET="eth1"
# Interface connected to LAN
LAN_IN="eth0"
# Squid port
SQUID_PORT="3128"

# DO NOT MODIFY BELOW
# Clean old firewall
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
# Load IPTABLES modules for NAT and IP conntrack support
modprobe ip_conntrack
modprobe ip_conntrack_ftp
# For win xp ftp client
modprobe ip_nat_ftp
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting default filter policy
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Unlimited access to loop back
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Allow UDP, DNS and Passive FTP
iptables -A INPUT -i $INTERNET -m state --state ESTABLISHED,RELATED -j ACCEPT
#############################################################################
# this part was copied on http://www.cyberciti.biz/faq/iptables-open-ftp-port-21/
# and REPLACE the -d option with INTERNET to make it work??
# NOTE: -s/-d take an address or network, not an interface name, so a literal
# "-d INTERNET" is rejected by iptables ("host/network `INTERNET' not found").
# The Internet-facing interface is matched with -i $INTERNET (INPUT) and
# -o $INTERNET (OUTPUT) instead. These rules only cover FTP connections to the
# gateway itself; connections DNATed to the LAN server below pass through the
# FORWARD chain, which this script leaves at its default policy (ACCEPT).
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -i $INTERNET --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -o $INTERNET --sport 21 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -i $INTERNET --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -o $INTERNET --sport 1024:65535 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -o $INTERNET --sport 20 -d 0/0 --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --sport 1024:65535 -i $INTERNET --dport 20 -m state --state ESTABLISHED -j ACCEPT
#############################################################################
# forward ftp port 21 to ftp server 192.168.1.250 (this is what nixcraft suggested)
# -i also needs the variable, not the literal word INTERNET
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 21 -j DNAT --to-destination 192.168.1.250
#############################################################################
# set this system as a router for Rest of LAN
iptables --table nat --append POSTROUTING --out-interface $INTERNET -j MASQUERADE
iptables --append FORWARD --in-interface $LAN_IN -j ACCEPT
# unlimited access to LAN
iptables -A INPUT -i $LAN_IN -j ACCEPT
iptables -A OUTPUT -o $LAN_IN -j ACCEPT
# DNAT port 80 requests coming from LAN systems to squid 3128 ($SQUID_PORT), aka transparent proxy
iptables -t nat -A PREROUTING -i $LAN_IN -p tcp --dport 80 -j DNAT --to $SQUID_SERVER:$SQUID_PORT
# if it is same system
iptables -t nat -A PREROUTING -i $INTERNET -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
# DROP everything and Log it
iptables -A INPUT -j LOG
iptables -A INPUT -j DROP

I have also added the following lines to my squid.conf file:

acl ftp proto FTP
http_access allow ftp

What do you think about the script I've modified? Is it okay? How about the iptables rules? Are they in order? Do you think I would be able to connect to my FTP server now when I'm outside my network? My FTP server (Cerberus) is running on a Windows 2003 machine (inside my network) with the firewall disabled.

I will not touch anything on my Linux gateway because I will be waiting for your reply first.

Thanks
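The FTP rules in the post stumble over one thing in particular: iptables `-s` and `-d` take an address or network, and `INTERNET` is an interface name. The script below is an added example, not code from the original post or from nixCraft. It emits a complete gateway ruleset for the setup described (masqueraded LAN, an internal FTP server published by DNAT, Squid on the gateway as transparent proxy) in dry-run mode, and then lints the generated rules for exactly that mistake. Interface names, the LAN range and the addresses are assumed values chosen to match the post; unlike the posted script, it sets the FORWARD policy to DROP explicitly and relies on the FTP conntrack helper for the data connections instead of opening a high-port range.

```shell
#!/bin/sh
# Added example, not code from the original post.  Emits the iptables rules
# for a gateway that masquerades a LAN, publishes an internal FTP server by
# DNAT and sends LAN web traffic to Squid running on the gateway itself, then
# lints the rules for interface names used where -s/-d expect an address.
# All interfaces, addresses and the LAN range below are assumed values.

WAN_IF="${WAN_IF:-eth1}"                      # interface facing the Internet
LAN_IF="${LAN_IF:-eth0}"                      # interface facing the LAN
LAN_NET="${LAN_NET:-192.168.1.0/24}"          # LAN range (assumed)
FTP_SERVER="${FTP_SERVER:-192.168.1.250}"     # internal FTP server (assumed)
SQUID_SERVER="${SQUID_SERVER:-192.168.1.1}"   # gateway's LAN address (assumed)
SQUID_PORT="${SQUID_PORT:-3128}"
# Dry run by default: rules are printed, not applied.
# Run as root with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

gateway_rules() {
    # Start from a clean slate so the ruleset is reproducible.
    $IPT -F; $IPT -X; $IPT -t nat -F; $IPT -t nat -X
    # Explicit policies.  FORWARD is DROP too, so only the flows listed
    # below cross the gateway; note that iptables -F does not reset a policy.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # LAN -> Internet, masqueraded.
    $IPT -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    $IPT -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -s "$LAN_NET" -j ACCEPT
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Publish FTP: DNAT only what arrives on the WAN interface, then allow
    # the forwarded control connection.  Data connections are classified
    # RELATED by the FTP conntrack helper (nf_conntrack_ftp + nf_nat_ftp;
    # ip_conntrack_ftp + ip_nat_ftp on 2.6-era kernels), so the rule above
    # admits them without opening a port range.
    $IPT -t nat -A PREROUTING -i "$WAN_IF" -p tcp --dport 21 \
        -j DNAT --to-destination "$FTP_SERVER:21"
    $IPT -A FORWARD -i "$WAN_IF" -o "$LAN_IF" -d "$FTP_SERVER" -p tcp --dport 21 \
        -m conntrack --ctstate NEW -j ACCEPT
    # Transparent proxy: LAN port 80 goes to Squid on the gateway (INPUT
    # already accepts LAN traffic).  Excluding Squid's own address is a no-op
    # while Squid is the gateway and prevents a redirect loop if Squid is
    # ever moved to another LAN host.
    $IPT -t nat -A PREROUTING -i "$LAN_IF" ! -s "$SQUID_SERVER" -p tcp --dport 80 \
        -j DNAT --to-destination "$SQUID_SERVER:$SQUID_PORT"
    # Log, then drop, whatever INPUT did not match.
    $IPT -A INPUT -j LOG --log-prefix "gw-drop: "
    $IPT -A INPUT -j DROP
}

# iptables -s/-d (and their long forms) take an address or network, never an
# interface name; "-d INTERNET" is rejected with "host/network not found".
# Reads rule lines on stdin; returns 0 when every -s/-d value is a dotted
# IPv4 address or network (0/0 included), 1 otherwise, naming the offenders.
lint_address_args() {
    rc=0
    while IFS= read -r rule; do
        set -- $rule
        while [ $# -gt 1 ]; do
            case "$1" in
            -s|-d|--source|--destination|--src|--dst)
                if ! printf '%s\n' "$2" | grep -Eq '^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$|^0/0$'; then
                    echo "not an address after $1: $rule" >&2
                    rc=1
                fi ;;
            esac
            shift
        done
    done
    return $rc
}

# Stand-alone: print the rules (dry run) and lint them.
rules=$(gateway_rules)
printf '%s\n' "$rules"
printf '%s\n' "$rules" | lint_address_args && echo "lint: every -s/-d value is an address"
```

Feeding the posted script through `lint_address_args` (for example `grep '^iptables' script.sh | sh -c 'sed s/^/echo\ / ' | ...`, or simply pasting the rule lines on stdin) flags each `-d INTERNET` and `-s INTERNET` before anything is applied to the gateway; the dry-run output of `gateway_rules` can be reviewed the same way and then re-run with `IPT=iptables` as root.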