server question
Rashkae
ubuntu at tigershaunt.com
Wed Oct 15 01:47:24 UTC 2008
Anna EdwARds wrote:
> I am planning to replace my low-on-features Microsoft Office small business web-site with a much more feature-ridden setup that I have come up with. It will have a setup like the following.
> It will have a computer with 2 e-cards, one connected to Comcast, one connected to the LAN. It needs to act as a router, forwarding the web server requests to annas-web-server and the emails to anything to annas-email-server. For the rest of the packets, I need them sent to where they are meant for. I want any inter-LAN data to be forwarded to where it was originally intended for. I also need a web server and email server and a mailing list server. I am not able to specify very much. Sorry.
Here is a sample iptables script. You'll have to adjust it to your
needs, and I strongly suggest you understand what it's doing before
putting it in use. Beware the line breaks from e-mail formatting.
# Assumes eth0 faces the LAN (10.0.0.0/24, this box being 10.0.0.1) and eth1
# faces Comcast. Run as root. It does not flush existing rules, so running
# it twice duplicates every rule; flush (iptables -F; iptables -t nat -F)
# before re-running.
/usr/sbin/iptables -N pass
# "pass": replies to existing connections, plus new connections from the LAN.
/usr/sbin/iptables -A pass -m state --state ESTABLISHED,RELATED -j ACCEPT
/usr/sbin/iptables -A pass -m state --state NEW -s 10.0.0.0/255.255.255.0 -j ACCEPT
# Traffic to the router itself: loopback, DHCP requests from the LAN, ping, ssh.
/usr/sbin/iptables -A INPUT -s localhost -j ACCEPT
/usr/sbin/iptables -A INPUT -i eth0 -p udp --dport 67 -j ACCEPT
/usr/sbin/iptables -A INPUT -p icmp -j ACCEPT
/usr/sbin/iptables -A INPUT -p tcp --dport ssh -j ACCEPT
# Reject ident (113) so remote mail servers get an answer instead of a timeout.
/usr/sbin/iptables -A INPUT -p tcp --dport ident -j REJECT
/usr/sbin/iptables -A INPUT -j pass
# Hide the LAN behind the Comcast address.
/usr/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
#Block Pesky MSN
/usr/sbin/iptables -A FORWARD -s 64.4.12.0/24 -j DROP
/usr/sbin/iptables -A FORWARD -d 64.4.12.0/24 -j DROP
/usr/sbin/iptables -A FORWARD -s 207.46.107.0/24 -j DROP
/usr/sbin/iptables -A FORWARD -d 207.46.107.0/24 -j DROP
/usr/sbin/iptables -A FORWARD -s 207.46.104.0/24 -j DROP
#Here I forward vnc and another app to a computer inside the network..
# this can be web and e-mail instead, if required (ports 80 and 25 in place
# of 5900 and 710). Note that with neither -i eth1 nor -d given, these also
# rewrite a LAN host's own connections to port 5900 or 710 on any destination.
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 5900 -j DNAT --to 10.0.0.2
/usr/sbin/iptables -t nat -A PREROUTING -p tcp --dport 710 -j DNAT --to 10.0.0.2
# DNATed packets still go through FORWARD, so each needs its own ACCEPT.
/usr/sbin/iptables -A FORWARD -d 10.0.0.2 -p tcp --dport 5900 -j ACCEPT
/usr/sbin/iptables -A FORWARD -d 10.0.0.2 -p tcp --dport 710 -j ACCEPT
/usr/sbin/iptables -A FORWARD -j pass
# Here is an optional source nat. If I use these, then the internal
# servers don't need to have an internet connection (ie, they have no
# configured router), and can therefore never communicate with a computer
# on the Internet unless the connection came through this script first.
/usr/sbin/iptables -t nat -A POSTROUTING -d 10.0.0.2 -j SNAT --to 10.0.0.1
# Default deny for everything not accepted above. Because the policies are
# set last, the box is open until this point; if the script aborts earlier,
# nothing is blocked.
/usr/sbin/iptables -P INPUT DROP
/usr/sbin/iptables -P FORWARD DROP
# rp_filter drops packets arriving on eth1 with a 10.0.0.x source, which is
# what stops the "NEW from 10.0.0.0/24" rule above from being spoofed from
# the Internet; syncookies keep SYN floods from exhausting the backlog.
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Nothing reaches FORWARD unless routing is switched on. This line is not in
# the script as posted; add it unless /etc/sysctl.conf already sets it.
echo "1" > /proc/sys/net/ipv4/ip_forward
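The same layout adapted to the web and mail forwarding Anna asked about, as an added example that is not part of Rashkae's post or the thread. It assumes eth1 faces Comcast, eth0 faces the LAN 10.0.0.0/24, and the web and mail servers sit at 10.0.0.2 and 10.0.0.3 (all three addresses are made up for the example). Instead of running iptables one command at a time it prints an iptables-restore ruleset, so the result can be read and checked without root before it is loaded, and a small lint function refuses any DNAT rule that is not bound to the WAN interface or any INPUT/FORWARD policy that is not DROP.

```shell
#!/bin/sh
# Added example, not from the original post: build an iptables-restore
# ruleset for a two-interface router that publishes an internal web server
# and an internal mail server. Assumed (not stated in the thread): eth1 is
# the Comcast side, eth0 the LAN side, 10.0.0.2 serves web, 10.0.0.3 mail.
# The script only prints the ruleset. Apply it, as root and after reading
# it, with:  iptables-restore < rules.v4
# iptables-restore loads each table atomically, so there is never a moment
# with a DROP policy and no rules, or an ACCEPT policy and half the rules.

# gen_rules WAN_IF LAN_IF LAN_NET WEB_IP MAIL_IP  -> ruleset on stdout
gen_rules() {
    wan_if=$1 lan_if=$2 lan_net=$3 web_ip=$4 mail_ip=$5
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Rewrite only connections that arrive on the WAN side; a DNAT without -i
# would also hijack LAN hosts' own connections to port 80 or 25 anywhere.
-A PREROUTING -i $wan_if -p tcp --dport 80 -j DNAT --to-destination $web_ip
-A PREROUTING -i $wan_if -p tcp --dport 25 -j DNAT --to-destination $mail_ip
# Hide the LAN behind the Comcast address.
-A POSTROUTING -o $wan_if -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:pass - [0:0]
# Replies to existing connections, and new connections from the LAN interface
# only (not merely from a LAN source address, so it does not rely on rp_filter).
-A pass -m state --state ESTABLISHED,RELATED -j ACCEPT
-A pass -i $lan_if -s $lan_net -m state --state NEW -j ACCEPT
# Services the router itself offers: loopback, DHCP and ssh from the LAN, ping.
-A INPUT -i lo -j ACCEPT
-A INPUT -i $lan_if -p udp --dport 67 -j ACCEPT
-A INPUT -i $lan_if -p tcp --dport 22 -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# Reject ident with a RST so remote mail servers don't wait for a timeout.
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -j pass
# DNATed packets still traverse FORWARD; admit exactly the two published services.
-A FORWARD -i $wan_if -o $lan_if -d $web_ip -p tcp --dport 80 -m state --state NEW -j ACCEPT
-A FORWARD -i $wan_if -o $lan_if -d $mail_ip -p tcp --dport 25 -m state --state NEW -j ACCEPT
-A FORWARD -j pass
COMMIT
EOF
}

# lint_rules WAN_IF  (ruleset on stdin): exit 1 if any DNAT rule is not bound
# to the WAN interface, or if the filter INPUT/FORWARD policy is not DROP.
lint_rules() {
    awk -v wan="$1" '
        /^#/ { next }
        /^\*/ { table = substr($1, 2) }
        /-j DNAT/ && $0 !~ ("-i " wan " ") { bad++ }
        table == "filter" && /^:(INPUT|FORWARD) / && $2 != "DROP" { bad++ }
        END { exit (bad ? 1 : 0) }
    '
}

# Command line use: sh fw.sh eth1 eth0 10.0.0.0/24 10.0.0.2 10.0.0.3 > rules.v4
if [ "$#" -eq 5 ]; then
    rules=$(gen_rules "$@")
    printf '%s\n' "$rules" | lint_rules "$1" || { echo "lint failed" >&2; exit 1; }
    printf '%s\n' "$rules"
fi
```

Compared with the posted script this binds the DNAT rules and the "new from LAN" rule to an interface, accepts loopback by interface rather than by source address, opens ssh from the LAN only (open it from the WAN deliberately if you need it), and drops the MSN block and the optional SNAT, which can be added back as further lines in the same tables. It still does not enable routing: net.ipv4.ip_forward=1 has to be set separately. Where the installed iptables-restore supports it, `iptables-restore --test < rules.v4` parses the file without committing it, which is a cheap check to run before the real load.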