This script forwards traffic from one interface to another. Its primary use is setting up the router/gateway for WiFiDog. I've added a rule to stop wireless clients reaching the gateway machine itself on port 22 (SSH). Note that the INPUT chain is left at its default ACCEPT policy, so that rule blocks only SSH; any other service listening on the gateway stays reachable from the wireless side.
```sh
#!/bin/sh
# IPTABLES PROXY script for the Linux 2.4 kernel.
# This script is a derivative of the script presented in
# the IP Masquerade HOWTO page at:
# www.tldp.org/HOWTO/IP-Masquerade-HOWTO/firewall-examples.html
# It was simplified to coincide with the configuration of
# the sample system presented in the Guides section of
# www.aboutdebian.com
# This script is presented as an example for testing ONLY
# and should not be used on a production proxy server.

# PLEASE SET THE USER VARIABLES
# IN SECTIONS A AND B OR C

# printf rather than "echo -e": /bin/sh is not always bash, and dash's echo prints "-e" literally.
printf '\n\nSETTING UP IPTABLES PROXY...\n'

# === SECTION A ===
# FOR EVERYONE
# SET THE INTERFACE DESIGNATION FOR THE NIC CONNECTED TO YOUR INTERNAL NETWORK
# The default value below is for "eth0". This value
# could also be "eth1" if you have TWO NICs in your system.
# You can use the ifconfig command to list the interfaces
# on your system. The internal interface will likely have
# an address that is in one of the private IP address
# ranges.
# Note that this is an interface DESIGNATION - not
# the IP address of the interface.
# Enter the internal interface's designation for the INTIF variable:

INTIF="eth1"

# SET THE INTERFACE DESIGNATION FOR YOUR "EXTERNAL" (INTERNET) CONNECTION
# The default value below is "ppp0" which is appropriate
# for a MODEM connection.
# If you have two NICs in your system change this value
# to "eth0" or "eth1" (whichever is opposite of the value
# set for INTIF above). This would be the NIC connected
# to your cable or DSL modem (WITHOUT a cable/DSL router).
# Note that this is an interface DESIGNATION - not
# the IP address of the interface.
# Enter the external interface's designation for the EXTIF variable:

EXTIF="eth0"

# ! ! ! ! ! Use ONLY Section B *OR* Section C depending on
# ! ! ! ! ! the type of Internet connection you have.

# === SECTION B ===
# ----------- FOR THOSE WITH STATIC PUBLIC IP ADDRESSES
# SET YOUR EXTERNAL IP ADDRESS
# If you specified a NIC (i.e. "eth0" or "eth1") for
# the external interface (EXTIF) variable above,
# AND if that external NIC is configured with a
# static, public IP address (assigned by your ISP),
# UNCOMMENT the following EXTIP line and enter the
# IP address for the EXTIP variable:

EXTIP="192.168.1.3"

# === SECTION C ===
# ---------- DIAL-UP MODEM, AND RESIDENTIAL CABLE-MODEM/DSL (Dynamic IP) USERS
# SET YOUR EXTERNAL INTERFACE FOR DYNAMIC IP ADDRESSING
# If you get your IP address dynamically from SLIP, PPP,
# BOOTP, or DHCP, UNCOMMENT the command below.
# (No values have to be entered.)
# Note that if you are uncommenting these lines then
# the EXTIP line in Section B must be commented out.

#EXTIP="`/sbin/ifconfig ppp0 | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"

# -------- No more variable setting beyond this point --------

echo "Loading required stateful/NAT kernel modules..."
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

echo "   Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

echo "   External interface: $EXTIF"
echo "   External interface IP address is: $EXTIP"

echo "   Loading proxy server rules..."

# Clearing any existing rules and setting default policy.
# INPUT stays at ACCEPT: only the explicit port 22 rule below restricts access to the gateway itself.
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F

# This is where you would probably want to put rules banning MAC addresses of naughty users

# FWD: Allow all connections OUT and only existing and related ones IN
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# Chris's rule to stop port 22 traffic from wireless clients reaching the gateway itself
iptables -A INPUT -p tcp -i $INTIF --dport 22 -j DROP

# Enabling SNAT (MASQUERADE) functionality on $EXTIF
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

printf '   Proxy server rule loading complete\n\n'
printf '   We are now starting the DHCP server on %s\n\n' "$INTIF"
dhcpd $INTIF
```