n1hck (n00b)
Joined: 20 Jan 2003 Posts: 34
Posted: Tue Oct 26, 2004 2:32 pm Post subject: IPTables/iproute2 Bittorrent question
I have a box with 2 interface cards. eth1 has my domain name's IP address, and eth0 has another IP address on the same subnet.
Right now my route table looks like:
Code:
Kernel IP routing table
Destination   Gateway        Genmask         Flags Metric Ref Use Iface
131.xxx.82.0  *              255.255.255.0   U     0      0   0   eth0
131.xxx.82.0  *              255.255.255.0   U     0      0   0   eth1
loopback      localhost      255.0.0.0       UG    0      0   0   lo
default       131.xxx.82.1   0.0.0.0         UG    1      0   0   eth1
So eth1 (my domain name IP) is the default route.
I want all BitTorrent traffic to go out over eth0.
I posted before and found out a good way of doing this was to use MANGLE to mark them, then create a new default route, map the packets marked by netfilter to that table, and all should be well. So my firewall right now looks like this:
Code:
IPT="/sbin/iptables"
modprobe ip_conntrack_ftp
#Flush old rules in the filter and mangle tables, delete the firewall chain if it exists
$IPT -F
$IPT -t mangle -F
$IPT -X firewall 2>/dev/null
#Set up the firewall chain
$IPT -N firewall
$IPT -A firewall -j DROP
#Accept ourselves
$IPT -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
#Accept DNS replies and ident (113) in both directions on both interfaces
$IPT -A INPUT -i eth0 -p udp --source-port 53 -j ACCEPT
$IPT -A INPUT -i eth1 -p udp --source-port 53 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --source-port 113 -j ACCEPT
$IPT -A INPUT -i eth1 -p tcp --source-port 113 -j ACCEPT
$IPT -A INPUT -i eth0 -p tcp --destination-port 113 -j ACCEPT
$IPT -A INPUT -i eth1 -p tcp --destination-port 113 -j ACCEPT
#Port 80 http: eth1 only
$IPT -A INPUT -i eth0 -p tcp --destination-port 80 -j DROP
$IPT -A INPUT -i eth1 -p tcp --destination-port 80 -j ACCEPT
#Port 1983 gnump3d: eth1 only
$IPT -A INPUT -i eth0 -p tcp --destination-port 1983 -j DROP
$IPT -A INPUT -i eth1 -p tcp --destination-port 1983 -j ACCEPT
#BT: eth0 only
$IPT -A INPUT -i eth0 -p tcp --destination-port 6881:6999 -j ACCEPT
$IPT -A INPUT -i eth1 -p tcp --destination-port 6881:6999 -j DROP
$IPT -A INPUT -i eth0 -p tcp --source-port 6881:6999 -j ACCEPT
$IPT -A INPUT -i eth1 -p tcp --source-port 6881:6999 -j DROP
#FTP client on eth1 (ip_conntrack_ftp marks the data connection RELATED)
$IPT -A INPUT -i eth1 -p tcp -m tcp --sport ftp -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o eth1 -p tcp -m tcp --dport ftp -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i eth1 -p tcp -m tcp --sport ftp-data -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o eth1 -p tcp -m tcp --dport ftp-data -m state --state ESTABLISHED -j ACCEPT
$IPT -A INPUT -i eth1 -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o eth1 -p tcp --sport 1024: --dport 1024: -m state --state ESTABLISHED,RELATED -j ACCEPT
#Mark BT packets (fwmark 2) so a policy-routing rule can send them via eth0.
#PREROUTING only sees packets arriving from the network; packets this box
#generates itself go through the mangle OUTPUT chain, so mark them there too.
$IPT -t mangle -A PREROUTING -p tcp --dport 6881:6999 -j MARK --set-mark 2
$IPT -t mangle -A PREROUTING -p tcp --sport 6881:6999 -j MARK --set-mark 2
$IPT -t mangle -A OUTPUT -p tcp --dport 6881:6999 -j MARK --set-mark 2
$IPT -t mangle -A OUTPUT -p tcp --sport 6881:6999 -j MARK --set-mark 2
#SSH: eth1 only (nothing here restricts the source host)
$IPT -A INPUT -i eth0 -p tcp --destination-port 22 -j DROP
$IPT -A INPUT -i eth1 -p tcp --destination-port 22 -j ACCEPT
#ntpdate (udp 123) and udp 54: eth1 only
$IPT -A INPUT -i eth0 -p udp --destination-port 123 -j DROP
$IPT -A INPUT -i eth1 -p udp --destination-port 123 -j ACCEPT
$IPT -A INPUT -i eth0 -p udp --destination-port 54 -j DROP
$IPT -A INPUT -i eth1 -p udp --destination-port 54 -j ACCEPT
#Accept all icmp on eth1 (covers the echo-replies when pinging out)
$IPT -A INPUT -i eth1 -p icmp -j ACCEPT
#Send everything else to the firewall chain (DROP). Only icmp, udp and TCP SYNs
#go there; non-SYN TCP that matched nothing above falls through to the INPUT
#chain's default policy, which this script does not set.
$IPT -A INPUT -i eth0 -p icmp -j firewall
$IPT -A INPUT -i eth1 -p icmp -j firewall
$IPT -A INPUT -i eth0 -p tcp --syn -j firewall
$IPT -A INPUT -i eth1 -p tcp --syn -j firewall
$IPT -A INPUT -i eth0 -p udp -j firewall
$IPT -A INPUT -i eth1 -p udp -j firewall
Does this look right?
And how would I go about using iproute2 to create a new default routing table and such?
Thank you
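The iproute2 half the post asks about, as an added example that is not part of the original post or of any reply in the thread. It assumes the firewall script's fwmark 2, that routing table id 100 is unused, a placeholder BT_SRC for the address configured on eth0 (the page does not give it), and that the masked "xxx" octet of the gateway is filled in by hand; the `bt_route_*` function names are this example's own. The script prints the commands by default so they can be reviewed first, and `apply` runs them. The SNAT rule is there because the kernel chooses the source address of a new outbound connection from the main table (so eth1's address) before the mangle OUTPUT mark re-routes the packet through table 100; without it, BitTorrent connections this box opens would leave eth0 carrying eth1's address. Binding the client to eth0's address is the other way to avoid that.

```shell
#!/bin/sh
# Added example, not part of the original post: policy routing for the
# packets the firewall script marks with --set-mark 2, so they leave eth0.
# Assumptions (none of these come from the page): table id 100 is unused,
# BT_SRC is eth0's own address, and the "xxx" octet is filled in by hand.
BT_MARK=2                          # must match --set-mark in the mangle rules
BT_TABLE=100                       # assumed free routing table id
BT_DEV=eth0
BT_GW="${BT_GW:-131.xxx.82.1}"     # gateway as masked in the post; fix xxx
BT_SRC="${BT_SRC:-131.xxx.82.2}"   # assumed: the address configured on eth0

# Print the commands instead of running them, so they can be reviewed
# (and tested) on a box where you are not root or iproute2 is absent.
# Each add is preceded by a delete so re-running does not stack duplicates.
bt_route_cmds() {
    cat <<EOF
ip rule del fwmark $BT_MARK table $BT_TABLE 2>/dev/null || true
ip rule add fwmark $BT_MARK table $BT_TABLE
ip route replace default via $BT_GW dev $BT_DEV table $BT_TABLE
ip route flush cache
iptables -t nat -D POSTROUTING -o $BT_DEV -m mark --mark $BT_MARK -j SNAT --to-source $BT_SRC 2>/dev/null || true
iptables -t nat -A POSTROUTING -o $BT_DEV -m mark --mark $BT_MARK -j SNAT --to-source $BT_SRC
EOF
}

# Run the commands on the real system (needs root and iproute2).
bt_route_apply() {
    command -v ip >/dev/null 2>&1 || { echo "iproute2 (ip) not found" >&2; return 1; }
    bt_route_cmds | sh -e
}

# Verify: the fwmark rule exists, the table has a default route via eth0,
# and a lookup carrying the mark resolves to eth0 (198.51.100.1 is a
# documentation address used only as a lookup target).
bt_route_verify() {
    ip rule show | grep -q "lookup $BT_TABLE" || return 1
    ip route show table "$BT_TABLE" | grep -q "^default .*dev $BT_DEV" || return 1
    ip route get 198.51.100.1 mark "$BT_MARK" | grep -q "dev $BT_DEV"
}

case "${1:-}" in
    apply)  bt_route_apply ;;
    verify) bt_route_verify ;;
    *)      bt_route_cmds ;;
esac
```

Check the result with `ip rule show` and `ip route show table 100` (the `verify` mode does both). Two caveats that the firewall script does not address: if rp_filter is enabled on eth0, confirm that marked inbound packets still pass, and two NICs on one subnet mean the box will answer ARP for either address on either interface unless net.ipv4.conf.eth0.arp_filter and net.ipv4.conf.eth1.arp_filter are set to 1.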