On Sun, Aug 17, 2003 at 11:38:42PM -0400, Bret Comstock Waldow wrote:
> I want to get iptables running on my laptop. I'm behind a
> gateway/router now, but I'll be on the road in a few weeks.
>
> I see lots of docs about what rules to write for doing this, stopping
> that, etc.
>
> Where do I put them?
>
> How do I start an iptable firewall when my system starts? What file
> where holds all those keen rules all the docs are giving me recipes for?
I use a script from /etc/init.d with appropriate links to rc*.d (make
with update-rc.d)
If you want to set things up on ppp0, then put the script in
/etc/ppp/ip-up.d to bring firewall up and /etc/ppp/ip-down.d/ to
take it down again.
I basically made this up myself from a few docs, so I take no
responsibility if it's a dodgy script:
Hope that helps
cheers
dc
#! /bin/sh
# /etc/init.d/firewall
#
case "$1" in
    start)
        echo "Bringing up firewall..."
        # start traffic shaping
        /usr/local/bin/wshaper-dsl start
        # initialise iptables chains
        iptables -t filter -F
        iptables -t nat -F
        iptables -t mangle -F
        iptables -t filter -P INPUT DROP
        iptables -t filter -P FORWARD DROP
        iptables -t filter -P OUTPUT ACCEPT
        # make sure ftp module is inserted
        if ! (lsmod | grep -q ip_conntrack_ftp); then
            modprobe -q ip_conntrack_ftp;
        fi
        # setup nat (eth1 is the external interface)
        iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE
        echo 1 > /proc/sys/net/ipv4/ip_forward
        # create block table
        iptables -N block_in
        # incoming connection blocking
        # allow established connections
        iptables -A block_in -m state --state ESTABLISHED,RELATED -j ACCEPT
        # allow new connections from inside machine and localnet
        iptables -A block_in -m state --state NEW -i ! eth1 -j ACCEPT
        # allow ping
        iptables -A block_in -p icmp -j ACCEPT
        # allow ssh and a few other connections
        iptables -A block_in -m state --state NEW -p tcp --dport ssh -j ACCEPT
        iptables -A block_in -m state --state NEW -p udp --dport 68 --sport 67 -d 255.255.255.255 -j ACCEPT
        iptables -A block_in -m state --state NEW -p tcp --dport http -j ACCEPT
        iptables -A block_in -m state --state NEW -p udp --dport 53 -j ACCEPT
        iptables -A block_in -m state --state NEW -p tcp --dport 25 -j ACCEPT
        # open port 4000 for CircleMUD
        iptables -A block_in -m state --state NEW -p tcp --dport 4000 -j ACCEPT
        # some things we don't bother to log
        iptables -A block_in -m state --state NEW -p tcp --dport 113 -j REJECT
        iptables -A block_in -i eth1 -s 203.87.20.174 -d 203.87.20.255 -p udp --dport 513 --sport 513 -j REJECT
        iptables -A block_in -m state --state NEW -p tcp --dport 445 -j DROP
        iptables -A block_in -m state --state NEW -p tcp --dport 80 -j DROP
        # log everything else; the DROP policy on INPUT/FORWARD then drops it
        iptables -A block_in -j LOG
        iptables -A INPUT -j block_in
        iptables -A FORWARD -j block_in
        ;;
    stop)
        echo "Bringing down firewall..."
        /usr/local/bin/wshaper-dsl stop
        iptables -t filter -F
        iptables -t nat -F
        iptables -t mangle -F
        iptables -X block_in
        # iptables -X block_out
        iptables -t filter -P INPUT ACCEPT
        iptables -t filter -P FORWARD ACCEPT
        iptables -t filter -P OUTPUT ACCEPT
        ;;
    restart|reload|force-reload)
        /etc/init.d/firewall stop
        /etc/init.d/firewall start
        ;;
    *)
        echo "Usage: /etc/init.d/firewall {start|stop|restart|reload}"
        exit 1
        ;;
esac
--
David Purton
dcpurton@chariot.net.au
If you, O LORD, kept a record of sins, O Lord, who could stand?
Psalm 130:3
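An added example, not the poster's script: the same init.d / ip-up.d scheme described above, with the external interface passed in as a parameter so one script serves eth1 behind the router and ppp0 on the road. It assumes Debian's pppd runs /etc/ppp/ip-up.d/* with the link's interface name as $1, uses the current `! -i` negation form, and lets you set IPT=echo to preview the rules without root.

```shell
#!/bin/sh
# Constructed example, not the original poster's script.
# IPT=echo prints the rules instead of installing them (no root needed).
IPT="${IPT:-iptables}"

# emit_rules EXT: install (or print) the ruleset, trusting every
# interface except EXT. Returns 1 if EXT is empty, because an empty
# interface in "! -i" would accept NEW connections from everywhere.
emit_rules() {
    ext="$1"
    [ -n "$ext" ] || { echo "emit_rules: no external interface" >&2; return 1; }
    $IPT -t filter -F
    $IPT -t nat -F
    $IPT -t filter -P INPUT DROP
    $IPT -t filter -P FORWARD DROP
    $IPT -t filter -P OUTPUT ACCEPT
    $IPT -N block_in
    $IPT -A block_in -m state --state ESTABLISHED,RELATED -j ACCEPT
    # NEW connections only from interfaces other than the external one
    $IPT -A block_in -m state --state NEW ! -i "$ext" -j ACCEPT
    $IPT -A block_in -p icmp -j ACCEPT
    $IPT -A block_in -m state --state NEW -p tcp --dport 22 -j ACCEPT
    # log what is left; the DROP policy on INPUT/FORWARD then drops it
    $IPT -A block_in -j LOG --log-prefix "fw-drop: "
    $IPT -A INPUT -j block_in
    $IPT -A FORWARD -j block_in
}

# ip_up_hook IFACE ...: entry point for /etc/ppp/ip-up.d/firewall.
# pppd passes the link's interface name (e.g. ppp0) as the first
# argument; anything else is refused so the hook never trusts the wrong side.
ip_up_hook() {
    case "$1" in
        ppp[0-9]*) emit_rules "$1" ;;
        *) echo "ip_up_hook: refusing interface '$1'" >&2; return 1 ;;
    esac
}

# As /etc/init.d/firewall: name the uplink explicitly, e.g. "start eth1".
case "$1" in
    start) emit_rules "$2" ;;
    stop)
        $IPT -t filter -F; $IPT -t nat -F; $IPT -X block_in
        $IPT -P INPUT ACCEPT; $IPT -P FORWARD ACCEPT
        ;;
esac
```

Install it once under /etc/init.d (linked with update-rc.d) for the wired uplink, and symlink it into /etc/ppp/ip-up.d so the dial-up link gets the same rules the moment pppd brings ppp0 up.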