


Questo script serve ad abilitare il masquerading (Source NAT). La configurazione si effettua modificando le variabili INTERNAL, EXTERNAL e INTERNAL_NET:

  • INTERNAL definisce l'interfaccia interna
  • EXTERNAL definisce l'interfaccia esterna
  • INTERNAL_NET definisce l'indirizzo di rete/maschera della rete interna

Nella sezione DNAT è possibile configurare dei port forwarding (PAT).


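#!/bin/bash
#
# Enables masquerading (source NAT) for an internal network behind this host
# and applies a few IPv4 hardening sysctls.  Configure it by editing
# INTERNAL, EXTERNAL and INTERNAL_NET below; optional port forwardings
# (DNAT/PAT) go in the DNAT section.  Must be run as root.

set -e   # NB: -e is ignored inside if/&&/|| conditions; critical steps are checked explicitly

IPTABLES="/sbin/iptables"	# iptables binary
LOOPBACK="lo"			# loopback interface (not referenced by the rules below; kept for local edits)
EXTERNAL="eth0"			# external (WAN) interface
INTERNAL="eth1"			# internal (LAN) interface

INTERNAL_NET=192.168.2.0/24	# network/mask of the internal LAN

LOG_LEVEL="notice"		# syslog level for LOG targets (not referenced by the rules below)

#######################################
# Print the first IPv4 address configured on an interface.
# Tries iproute2 first and falls back to net-tools ifconfig, handling both
# the legacy "inet addr:A.B.C.D" and the newer "inet A.B.C.D" output format
# (the old cut -d: parsing only worked with the legacy format).
# Arguments: $1 - interface name
# Outputs:   the address on stdout, or nothing if the interface has none
# Returns:   0 always; a missing address is not an error here because with a
#            dynamic/PPP link the external address may not exist yet
#######################################
iface_ipv4() {
  local dev=$1 addr=""
  if command -v ip >/dev/null 2>&1; then
    # "N: dev inet A.B.C.D/len ..." -> field 4, prefix length stripped
    addr=$(ip -4 -o addr show dev "$dev" 2>/dev/null \
      | awk '{ sub(/\/.*/, "", $4); print $4; exit }')
  fi
  if [ -z "$addr" ] && command -v ifconfig >/dev/null 2>&1; then
    # "inet " (with the trailing space) keeps inet6 lines out
    addr=$(ifconfig "$dev" 2>/dev/null \
      | awk '/inet / { sub(/^addr:/, "", $2); print $2; exit }')
  fi
  printf '%s\n' "$addr"
}

#######################################
# Write a value to a /proc/sys entry, silently skipping entries this kernel
# does not expose.
# Arguments: $1 - /proc/sys path, $2 - value to write
# Returns:   0 if written or absent; non-zero (and, under set -e, script
#            abort) if the write itself failed
#######################################
set_sysctl() {
  local path=$1 value=$2
  if [ -e "$path" ]; then
    printf '%s\n' "$value" > "$path"
  fi
}

# Writing to /proc/sys and iptables both need root; fail early with a clear
# message instead of an obscure permission error half-way through.
if [ "$EUID" -ne 0 ]; then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

# Firewall's own addresses (EXT_IP is referenced by the DNAT/SNAT examples).
INT_IP=$(iface_ipv4 "$INTERNAL")
EXT_IP=$(iface_ipv4 "$EXTERNAL")

# Start from an empty nat table so the script can be re-run safely.
"$IPTABLES" -F -t nat

############################################################################
# DNAT
############################################################################
# A PREROUTING DNAT entry only rewrites the destination; the forwarded
# packet must also be allowed in FORWARD.  The FORWARD rule below accepts
# traffic towards INTERNAL_NET, so the target host must lie inside it.
#
# SSH example (ports 4000-4500 -> LAN host)
#"$IPTABLES" -t nat -A PREROUTING -i "$EXTERNAL" -p tcp -d "$EXT_IP" --dport \
#  4000:4500 -j DNAT --to-destination 192.168.2.10

############################################################################
# WWW example
############################################################################
#"$IPTABLES" -t nat -A PREROUTING -i "$EXTERNAL" -p tcp -d "$EXT_IP" --dport \
#  80 -j DNAT --to-destination 192.168.2.10:80
####
# Add every forwarding you need here (for DNS remember UDP as well).
####
#############################################################################
# SNAT
#############################################################################
# Masquerading (connection sharing): use the static variant when the
# external address is fixed, the dynamic one otherwise.

# Static external address: rewrite the source to EXT_IP.
#"$IPTABLES" -t nat -A POSTROUTING -o "$EXTERNAL" -s "$INTERNAL_NET" \
#  -j SNAT --to-source "$EXT_IP"

# Dynamic external address: MASQUERADE picks the current interface address.
"$IPTABLES" -t nat -A POSTROUTING -o "$EXTERNAL" -s "$INTERNAL_NET" \
  -j MASQUERADE

# The nat flush above does not touch the filter table, so drop any previous
# copy of this rule first; otherwise every run appends a duplicate.
while "$IPTABLES" -D FORWARD -d "$INTERNAL_NET" -j ACCEPT 2>/dev/null; do :; done
# NOTE(review): this accepts any forwarded packet towards the LAN regardless
# of ingress interface or connection state, and relies on FORWARD's default
# policy for everything else (LAN -> WAN included).  Tightening it, e.g. to
# ESTABLISHED,RELATED from EXTERNAL, is a policy choice left to the operator.
"$IPTABLES" -A FORWARD -d "$INTERNAL_NET" -j ACCEPT

#############################################################################
# Kernel settings
#############################################################################

# Maximum number of tracked connections; newer kernels expose the knob
# under net/netfilter instead of net/ipv4.
if [ -e /proc/sys/net/netfilter/nf_conntrack_max ]; then
  set_sysctl /proc/sys/net/netfilter/nf_conntrack_max 4096
else
  set_sysctl /proc/sys/net/ipv4/ip_conntrack_max 4096
fi

# Ephemeral (local) port range, tab separated as the kernel prints it
set_sysctl /proc/sys/net/ipv4/ip_local_port_range $'32768\t61000'

# Refuse source-routed packets on every interface
if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
  for entry in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    set_sysctl "$entry" 0
  done
fi

# Reverse-path filtering on every interface (drops packets whose source
# would not be routed back through the interface they arrived on)
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
  for entry in /proc/sys/net/ipv4/conf/*/rp_filter; do
    set_sysctl "$entry" 1
  done
fi

# Ignore ICMP echo-requests sent to broadcast addresses
set_sysctl /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1

# Log packets with impossible source addresses (martians)
set_sysctl /proc/sys/net/ipv4/conf/all/log_martians 1

# ICMP redirects
# on every interface:
#set_sysctl /proc/sys/net/ipv4/conf/all/accept_redirects 0

# only on the external interface:
set_sysctl "/proc/sys/net/ipv4/conf/$EXTERNAL/accept_redirects" 0

# IP forwarding: without it the kernel cannot route between the two
# interfaces at all, so the missing knob is reported on stderr.
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
  set_sysctl /proc/sys/net/ipv4/ip_forward 1
else
  echo "muy grave ;)))" >&2
  echo >&2
fi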
