Un petit script de pare-feu qui sait faire du NAT

J’avais envie de pouvoir faire un routeur sous Linux avec Iptables, c’est chose faite !

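#!/bin/sh
#
# Small IPv4 firewall + NAT router built on iptables, usable as an init
# script:  /etc/init.d/firewall {start|stop|restart|status}
#
# Topology (from the original author's variables): $IFACE_INT faces the
# private LAN $PRIVATE_NET, $IFACE_EXT faces the Internet, and LAN traffic
# is masqueraded behind the external address.
#
# Review notes versus the original version of this script:
#   - The original never set a chain policy and left its catch-all
#     "-j DROP" rules commented out, so INPUT and FORWARD kept the kernel
#     default policy ACCEPT and the ACCEPT rules below filtered nothing.
#     "start" now sets INPUT/FORWARD to DROP; "stop" resets them to ACCEPT.
#   - IFACE_EXT was written as "ra0"#"ppp0": a '#' glued to the previous
#     word is part of that word, not a comment, so the interface name was
#     literally ra0#ppp0 and no rule on the external interface could match.
#   - The original never enabled IP forwarding; MASQUERADE is useless on a
#     box that does not forward, so "start" now turns it on.
#   - The DNAT port-forwards need matching FORWARD rules once the FORWARD
#     policy is DROP; they are added below.
#   - Only IPv4 is handled; ip6tables is not touched by this script.

set -u

IPT="/sbin/iptables"
# shellcheck disable=SC2034  # kept from the original script; no module is loaded here
MODPROBE="/sbin/modprobe"
IFACE_EXT="ra0"   # "ppp0" on a PPP uplink
IFACE_INT="eth0"
# shellcheck disable=SC2034  # not referenced by any rule below
PRIVATE_ADDR="192.168.1.254"
PRIVATE_NET="192.168.1.0/255.255.255.0"
# LAN host that receives the port-forwards (2222 -> :22, 8080 -> :80).
DNAT_HOST="192.168.1.251"

# Exit 0 when iptables is missing (init-script convention, as in the
# original), but say so on stderr: a firewall script that silently does
# nothing leaves the machine unfiltered.
if [ ! -x "$IPT" ]; then
  printf '%s: %s not found or not executable, no rules loaded\n' "$0" "$IPT" >&2
  exit 0
fi

#######################################
# Remove every rule and user chain from the filter, nat and mangle tables.
# Globals:  IPT (read)
#######################################
flush_tables() {
  for table in filter nat mangle; do
    "$IPT" -t "$table" -F
    "$IPT" -t "$table" -X
  done
}

#######################################
# Enable or disable kernel IPv4 forwarding.
# Arguments: $1 - "1" (forward) or "0" (do not forward)
# Outputs:   warning on stderr if the sysctl file is not writable
#######################################
set_forwarding() {
  if [ -w /proc/sys/net/ipv4/ip_forward ]; then
    printf '%s\n' "$1" > /proc/sys/net/ipv4/ip_forward
  else
    printf 'warning: cannot write /proc/sys/net/ipv4/ip_forward\n' >&2
  fi
}

#######################################
# Install the rule set: deny-by-default INPUT/FORWARD, masquerading for
# the LAN, the explicit ACCEPT rules and the two DNAT port-forwards.
# Globals:  IPT IFACE_EXT IFACE_INT PRIVATE_NET DNAT_HOST (read)
#######################################
fw_start() {
  # printf rather than "echo -n": under a POSIX /bin/sh (dash) "echo -n"
  # prints the literal "-n".
  printf "Loading firwall's rules: "
  flush_tables

  # Deny by default; everything accepted is listed explicitly below.
  # OUTPUT stays ACCEPT: the router's own outbound traffic is trusted.
  "$IPT" -P INPUT DROP
  "$IPT" -P FORWARD DROP
  "$IPT" -P OUTPUT ACCEPT

  ############################
  # MASQUERADING
  ############################
  # Only on the uplink: the original rule had no -o and would also have
  # rewritten LAN traffic leaving through any other interface.
  "$IPT" -t nat -A POSTROUTING -s "$PRIVATE_NET" -o "$IFACE_EXT" -j MASQUERADE

  ############################
  # FORWARDING RULES
  ############################
  "$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT # ESTABLISHED
  # LAN -> Internet, per service. Note that the blanket
  # "-i $IFACE_INT -s $PRIVATE_NET -j ACCEPT" further down already allows
  # everything from the LAN, so these only matter if that rule is removed.
  "$IPT" -A FORWARD -p udp -i "$IFACE_INT" --dport 53 -j ACCEPT # DOMAIN
  "$IPT" -A FORWARD -p tcp -i "$IFACE_INT" --dport 21 -j ACCEPT # FTP
  "$IPT" -A FORWARD -p tcp -i "$IFACE_INT" --dport 22 -j ACCEPT # SSH
  "$IPT" -A FORWARD -p tcp -i "$IFACE_INT" --dport 25 -j ACCEPT # SMTP
  "$IPT" -A FORWARD -p tcp -i "$IFACE_INT" --dport 80 -j ACCEPT # HTTP
  #"$IPT" -A FORWARD -p tcp -i "$IFACE_INT" --dport 110 -j ACCEPT # POP3
  #"$IPT" -A FORWARD -p tcp -i "$IFACE_INT" --dport 443 -j ACCEPT # HTTPS
  # Internet -> LAN. Nothing on the Internet can route to 192.168.1.0/24
  # directly, so these only take effect for packets that a PREROUTING DNAT
  # rule has already rewritten towards a private address. SMB (139/445) and
  # RDP (3389) reachable from the uplink is a large exposure -- confirm each
  # one is still wanted before keeping it.
  "$IPT" -A FORWARD -p tcp -i "$IFACE_EXT" --dport 3389 -j ACCEPT # REMOTE DESKTOP
  "$IPT" -A FORWARD -p tcp -i "$IFACE_EXT" --dport 445 -j ACCEPT # needed for samba
  "$IPT" -A FORWARD -p tcp -i "$IFACE_EXT" --dport 139 -j ACCEPT # needed for samba
  "$IPT" -A FORWARD -p tcp -i "$IFACE_EXT" --dport 113 -j ACCEPT # AUTH
  "$IPT" -A FORWARD -p tcp -i "$IFACE_EXT" --dport 3690 -j ACCEPT # SVN
  "$IPT" -A FORWARD -i "$IFACE_INT" -s "$PRIVATE_NET" -j ACCEPT
  # Port-forwards: DNAT in PREROUTING rewrites the destination before
  # FORWARD sees the packet, so the ports accepted here are the rewritten
  # ones (22 and 80), not 2222 and 8080.
  "$IPT" -A FORWARD -p tcp -i "$IFACE_EXT" -d "$DNAT_HOST" --dport 22 -j ACCEPT # SSH forward
  "$IPT" -A FORWARD -p tcp -i "$IFACE_EXT" -d "$DNAT_HOST" --dport 80 -j ACCEPT # HTTP forward
  # "$IPT" -A FORWARD -j LOG --log-prefix "Forwarding table : "
  # Catch-all DROP is now the chain policy (set above).

  ############################
  # INPUT LOOPBACK
  ############################
  "$IPT" -A INPUT -i lo -j ACCEPT

  ############################
  # INPUT INTRANET
  ############################
  "$IPT" -A INPUT -p udp -i "$IFACE_INT" --dport 53 -j ACCEPT # DNS
  "$IPT" -A INPUT -p udp -i "$IFACE_INT" --dport 123 -j ACCEPT # NTP
  "$IPT" -A INPUT -p udp -i "$IFACE_INT" --dport 137 -j ACCEPT # NETBIOS-NS
  "$IPT" -A INPUT -p udp -i "$IFACE_INT" --dport 138 -j ACCEPT # NETBIOS-DGM
  "$IPT" -A INPUT -p tcp -i "$IFACE_INT" --dport 139 -j ACCEPT # NETBIOS-SSN

  ############################
  # INPUT GENERAL (any interface, the uplink included)
  ############################
  "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT # ESTABLISHED
  "$IPT" -A INPUT -p icmp -j ACCEPT # ICMP
  # Every service the router itself runs must be listed here: with the INPUT
  # policy at DROP, anything not listed is no longer reachable.
  "$IPT" -A INPUT -p tcp --dport 21 -j ACCEPT # FTP
  "$IPT" -A INPUT -p tcp --dport 22 -j ACCEPT # SSH
  "$IPT" -A INPUT -p tcp --dport 80 -j ACCEPT # HTTP
  "$IPT" -A INPUT -p tcp --dport 113 -j ACCEPT # AUTH
  "$IPT" -A INPUT -p tcp --dport 443 -j ACCEPT # HTTPS
  "$IPT" -A INPUT -p tcp --dport 3000 -j ACCEPT # NTOP
  # Packets for :2222 arriving on the uplink are DNATed to $DNAT_HOST before
  # INPUT runs, so this rule only matches traffic the PREROUTING rule did not
  # rewrite (e.g. from the LAN) -- TODO confirm it is still needed.
  "$IPT" -A INPUT -p tcp --dport 2222 -j ACCEPT
  # "$IPT" -A INPUT -i "$IFACE_EXT" -j LOG --log-prefix "Input ppp0 : " # LOG..
  # "$IPT" -A INPUT -i "$IFACE_INT" -j LOG --log-prefix "Input eth0 : " # LOG..
  # Catch-all DROP is now the chain policy (set above).

  ###########################
  # TRANSLATION
  ###########################
  # Restricted to the uplink: the original rules had no -i and also
  # redirected LAN connections to the router's own 2222/8080.
  "$IPT" -t nat -A PREROUTING -i "$IFACE_EXT" -p tcp --dport 2222 -j DNAT --to-destination "$DNAT_HOST:22"
  "$IPT" -t nat -A PREROUTING -i "$IFACE_EXT" -p tcp --dport 8080 -j DNAT --to-destination "$DNAT_HOST:80"

  # Rules are in place; only now start routing between the interfaces.
  set_forwarding 1
  echo "Done."
}

#######################################
# Remove the rule set and return the chains to the kernel default (ACCEPT).
# Forwarding is switched off as well: flushed tables with an ACCEPT policy
# filter nothing, and an unfiltered router is worse than no router.
# Globals:  IPT (read)
#######################################
fw_stop() {
  printf "Flushing firwall's rules: "
  set_forwarding 0
  flush_tables
  "$IPT" -P INPUT ACCEPT
  "$IPT" -P FORWARD ACCEPT
  "$IPT" -P OUTPUT ACCEPT
  echo "Done."
}

#######################################
# Print the filter and nat tables with counters. -n skips the reverse DNS
# lookups iptables -L would otherwise perform for every address.
# Globals:  IPT (read)
#######################################
fw_status() {
  echo
  echo "---------- FILTER TABLE -----------"
  echo
  "$IPT" -t filter -L -v -n
  echo
  echo "---------- NAT TABLE -----------"
  echo
  "$IPT" -t nat -L -v -n
  echo
}

case "${1-}" in
  start)
    fw_start
    ;;
  stop)
    fw_stop
    ;;
  restart)
    # Re-invoke this script instead of a hard-coded /etc/init.d path, so
    # restart also works when the script lives elsewhere.
    "$0" stop
    "$0" start
    ;;
  status)
    fw_status
    ;;
  *)
    # The original usage line omitted "restart" although it was handled.
    echo "Usage: /etc/init.d/firewall {start|stop|restart|status}" >&2
    exit 1
    ;;
esac
exit 0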

Tirée de http://christian.caleca.free.fr/net... http://www.glatozen.org/iptables.php http://christian.caleca.free.fr/dhc...