From 71b798cb5d5acf287fe80c4c343c6fe703e19c0c Mon Sep 17 00:00:00 2001
From: mitty <mitty@7d2118f6-f56c-43e7-95a2-4bb3031d96e7>
Date: Sun, 5 Jul 2009 03:58:46 +0000
Subject: [PATCH]  * NEW setfilter now sets nat table    * this feature
 clashes with setnapt.sh because both of them reset nat
 table    * do not use them (setfilter and setnapt.sh) at
 the same time  * accept connections to local services
 from WAN    * ACCEPT and REDIRECT examples

git-svn-id: https://lab.mitty.jp/svn/lab/trunk@13 7d2118f6-f56c-43e7-95a2-4bb3031d96e7
---
 iptables/setfilter       |    4 ++--
 iptables/ufw/after.rules |    6 ++++++
 iptables/ufw/nat.rules   |   21 +++++++++++++++++++++
 3 files changed, 29 insertions(+), 2 deletions(-)
 create mode 100644 iptables/ufw/nat.rules

diff --git a/iptables/setfilter b/iptables/setfilter
index 4b31e85..b953a5e 100755
--- a/iptables/setfilter
+++ b/iptables/setfilter
@@ -33,7 +33,7 @@ start)
         log_action_begin_msg "Setting network filter"
         error=""
         
-        tables="raw mangle"
+        tables="raw mangle nat"
         for table in $tables
         do
             RULES="$RULES_PATH/$table.rules"
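Review bot: The clash with setnapt.sh that the commit message describes (both scripts reset the nat table) is not recorded anywhere in the script, so a later reader of `tables="raw mangle nat"` has no way to know the two must not be combined; add a comment above that line, e.g. `# nat is also reset by setnapt.sh -- do not run both scripts`, and the same above the identical line in the stop) hunk at @@ -73,7 +73,7 @@. The start path now resolves `$RULES_PATH/nat.rules` on every host, so on a host without that file whatever follows the `RULES=` assignment (outside this hunk) decides whether the run fails or silently skips the table, which is worth confirming. The start) case body continues outside the hunk.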
@@ -73,7 +73,7 @@ stop)
     log_action_begin_msg "Stopping network filter"
     error=""
     
-    tables="raw mangle"
+    tables="raw mangle nat"
     for table in $tables
     do
         iptables -F -t $table || error="yes"
diff --git a/iptables/ufw/after.rules b/iptables/ufw/after.rules
index 37fc6e7..f98d8f1 100644
--- a/iptables/ufw/after.rules
+++ b/iptables/ufw/after.rules
@@ -15,6 +15,12 @@
 :ufw-after-forward - [0:0]
 # End required lines
 
+## allow connections to the local services from WAN
+# ssh 22/tcp
+-A ufw-after-input -p tcp --syn -m state --state NEW --dport 22 -j ACCEPT
+# https 443/tcp
+-A ufw-after-input -p tcp --syn -m state --state NEW --dport 443 -j ACCEPT
+
 # don't log noisy services by default
 -A ufw-after-input -p udp --dport 137 -j RETURN
 -A ufw-after-input -p udp --dport 138 -j RETURN
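Review bot: The two ACCEPT rules are not bound to an interface, so they admit new SSH and HTTPS connections arriving on every interface, not only the WAN that the `## allow connections to the local services from WAN` comment names; either add `-i eth1` (the WAN interface nat.rules uses) to both lines or reword the comment so its scope is accurate. For port 22 a limit on new connections in front of the ACCEPT (`-m limit` or ufw's own `limit` action) would be the usual defensive measure, since this rule otherwise admits unlimited SSH connection attempts. `--syn` and `-m state --state NEW` overlap here; keeping one of them would make the intent clearer. Whether these lines are reached at all depends on ufw's earlier chains (ufw-before-input and the user rules), which are outside this file.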
diff --git a/iptables/ufw/nat.rules b/iptables/ufw/nat.rules
new file mode 100644
index 0000000..ce375a1
--- /dev/null
+++ b/iptables/ufw/nat.rules
@@ -0,0 +1,21 @@
+#
+# This file is used by /etc/init.d/setfilter
+#
+# Rules that should be stored in nat table.
+# These are mainly used to IP MASQUERADE and REDIRECT.
+
+
+*nat
+
+## IP MASQUERADE to WAN(eth1)
+-A POSTROUTING -o eth1 -j MASQUERADE
+
+## port REDIRECT to local services
+# 8443/tcp -> 443/tcp
+-A PREROUTING -p tcp --dport 8443 -j REDIRECT --to-port 443
+# WAN 8000/tcp -> 443/tcp
+-A PREROUTING -p tcp -i eth1 --dport 8000 -j REDIRECT --to-port 443
+# LAN 8000/tcp -> 22/tcp
+-A PREROUTING -p tcp -i eth0 --dport 8000 -j REDIRECT --to-port 22
+
+COMMIT
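Review bot: `-A POSTROUTING -o eth1 -j MASQUERADE` is not restricted by source, so anything the FORWARD chain lets out through eth1 is masqueraded, including traffic that itself arrived on eth1; adding `-s <LAN-subnet-placeholder>` pins it to the intended hosts. The 8443→443 REDIRECT carries no `-i`, unlike the two rules below it, so it applies on both eth0 and eth1; if that is intended, say so in its comment, e.g. `# any interface: 8443/tcp -> 443/tcp`. Because REDIRECT rewrites the destination port before the filter table runs, the redirected connections reach ufw-after-input as dport 443 or 22 and are admitted by the ACCEPT rules added to after.rules in this same patch, so a comment recording that dependency would help whoever edits either file. Unlike iptables-save output, the file declares no `:PREROUTING ACCEPT [0:0]`-style chain lines; whether the loader in setfilter needs them cannot be seen from this patch.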
-- 
1.7.9.5