* this feature clashes with setnapt.sh because both of them reset the nat table
* do not use them (setfilter and setnapt.sh) at the same time
* accept connections to local services from WAN
* ACCEPT and REDIRECT examples
git-svn-id: https://lab.mitty.jp/svn/lab/trunk@13
7d2118f6-f56c-43e7-95a2-
4bb3031d96e7
log_action_begin_msg "Setting network filter"
error=""
- tables="raw mangle"
+ tables="raw mangle nat"
for table in $tables
do
RULES="$RULES_PATH/$table.rules"
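Review bot: Adding `nat` to `tables` on the changed line makes the start path load and, on stop, flush the nat table, yet nothing in the script enforces the mutual exclusion with setnapt.sh that the commit message warns about; a user who runs both gets silently clobbered rules. The loop body continues outside the hunk, so I cannot tell whether a missing `$RULES_PATH/nat.rules` is reported or skipped. At minimum record the constraint next to the assignment, e.g. `# "nat" is also managed by setnapt.sh -- never enable both; loading nat.rules replaces whatever it set`, and consider warning (via `log_warning_msg`) when evidence of setnapt.sh being active is found, if such a marker exists.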
log_action_begin_msg "Stopping network filter"
error=""
- tables="raw mangle"
+ tables="raw mangle nat"
for table in $tables
do
iptables -F -t $table || error="yes"
:ufw-after-forward - [0:0]
# End required lines
+## allow connections to the local services from WAN
+# ssh 22/tcp
+-A ufw-after-input -p tcp --syn -m state --state NEW --dport 22 -j ACCEPT
+# https 443/tcp
+-A ufw-after-input -p tcp --syn -m state --state NEW --dport 443 -j ACCEPT
+
# don't log noisy services by default
-A ufw-after-input -p udp --dport 137 -j RETURN
-A ufw-after-input -p udp --dport 138 -j RETURN
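Review bot: The new ACCEPT for port 22 in `ufw-after-input` has no source or rate limit, so the host now accepts unlimited new SSH connections from the WAN, which is the usual brute-force surface. If the exposure is intended, throttle it with the recent module ahead of the ACCEPT: `-A ufw-after-input -p tcp --syn -m state --state NEW --dport 22 -m recent --name ssh --set` followed by `-A ufw-after-input -p tcp --syn -m state --state NEW --dport 22 -m recent --name ssh --update --seconds 60 --hitcount 6 -j DROP`. Note also that neither new rule carries `-i`, so "from WAN" in the comment understates it: they admit 22/tcp and 443/tcp on every interface. Since these live in the after chain, ufw user rules evaluated earlier presumably still take precedence, which is worth stating in the comment so nobody expects them to override a `ufw deny`.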
--- /dev/null
+#
+# This file is used by /etc/init.d/setfilter
+#
+# Rules that should be stored in nat table.
+# These are mainly used to IP MASQUERADE and REDIRECT.
+
+
+*nat
+
+## IP MASQUERADE to WAN(eth1)
+-A POSTROUTING -o eth1 -j MASQUERADE
+
+## port REDIRECT to local services
+# 8443/tcp -> 443/tcp
+-A PREROUTING -p tcp --dport 8443 -j REDIRECT --to-port 443
+# WAN 8000/tcp -> 443/tcp
+-A PREROUTING -p tcp -i eth1 --dport 8000 -j REDIRECT --to-port 443
+# LAN 8000/tcp -> 22/tcp
+-A PREROUTING -p tcp -i eth0 --dport 8000 -j REDIRECT --to-port 22
+
+COMMIT
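Review bot: The MASQUERADE rule on the `-o eth1` line has no `-s` restriction, so any packet the filter table lets through FORWARD to eth1, whatever its source address, is rewritten to the WAN address; pin it to the internal network, e.g. `-A POSTROUTING -s <LAN-subnet/prefix> -o eth1 -j MASQUERADE` (the subnet is not visible here). The 8443 to 443 REDIRECT also lacks the `-i` qualifier that the two 8000 rules carry, so it applies on the WAN as well as the LAN; if that is deliberate the comment should say so, otherwise add `-i eth0`. Because REDIRECT runs in PREROUTING, the redirected traffic is admitted by whichever INPUT rule accepts the target port, so the net effect is that 22/tcp is reachable on the LAN via 8000 and 443/tcp on the WAN via 8000 and 8443; a comment listing that effective exposure would help the next reader. This file also declares no `:PREROUTING`/`:POSTROUTING` policy lines, so the built-in chain policies stay whatever the previous loader left them, which is fine only if that is the intent.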