
lightweight ipchains config



ok, I have an old 100 MHz 486/DX4 as a simple gateway/dialout server. After upgrading my kernel to the 2.4.x series and iptables, my net speeds have suffered. I have a feeling my firewall is too complex. I customized it from one on the net. Can anyone help me to streamline it and get rid of the extras? I'm only on dialup and don't need anything that fancy. Also, what do I need to change in order to make active FTP work?


<begin>
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall test script for 2.4.x
#
# Author: Oskar Andreasson <blueflux@koffein.net>
# (c) of BoingWorld.com, use at your own risk, do whatever you please with
# it as long as you don't distribute this with due credits to
# BoingWorld.com
#

###########
# Configuration options, these will speed you up getting this script to
# work with your own setup.

#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#
# STATIC_IP is used by me to allow myself to do anything to myself, might
# be a security risk but sometimes I want this. If you don't have a static
# IP, I suggest not using this option at all for now but it's still
# enabled per default and will add some really nifty security bugs for all
# those who skip reading the documentation=)

LAN_IP_RANGE="192.168.0.0/24"
LAN_IP="192.168.0.1/32"
LAN_BCAST_ADRESS="192.168.0.255/32"
LOCALHOST_IP="127.0.0.1/32"
#STATIC_IP="194.236.50.155/32"
INET_IFACE="ppp0"
LAN_IFACE="eth0"
IPTABLES="/sbin/iptables"

#########
# Load all required IPTables modules
#

#
# Needed to initially load modules
#
/sbin/depmod -a

#
# Adds some iptables targets like LOG, REJECT and MASQUERADE.
#
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_REDIRECT
#
# Support for owner matching
#
#/sbin/modprobe ipt_owner

#
# Support for connection tracking of FTP and IRC, plus the matching NAT
# helpers. ip_conntrack_ftp only follows the control channel; ip_nat_ftp
# also rewrites the address in the client's PORT command, which
# masqueraded LAN clients need before active FTP can work through NAT.
#
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_irc

#
# Target used for the MSS clamp in the FORWARD chain below.
#
/sbin/modprobe ipt_TCPMSS

#
# Flush old rules and delete user chains, so re-running this script does
# not append duplicate rules and the -N calls below do not fail on chains
# that already exist.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X

#CRITICAL:  Enable IP forwarding since it is disabled by default.
#
echo "1" > /proc/sys/net/ipv4/ip_forward


# Dynamic IP users:
#
# If you get your IP address dynamically from SLIP, PPP, or DHCP, enable this
# option. This enables dynamic-ip address hacking in IP MASQ, making the
# connection with Diald and similar programs much easier.
#
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Enable simple IP FORWARDing and Masquerading
#
#  NOTE:  The following is an example for an internal LAN, where the lan
#         runs on eth0, and the Internet is on ppp0.
#
# Please change the network devices to match your own configuration.
#

#
# Clamp the MSS of forwarded SYNs to the path MTU. This is the usual fix
# for stalled or slow transfers behind a PPP link. TCPMSS is a
# non-terminating target, so it has to be appended BEFORE the ACCEPT rules
# below: in the original order the LAN's SYNs were accepted by the first
# FORWARD rule and the clamp was never applied to them.
#
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# set default policies for the INPUT, FORWARD and OUTPUT chains
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

#$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# the allowed chain for TCP connections
#
# This chain will be utilised if someone tries to connect to an allowed
# port from the internet. If they are opening the connection, or if it's
# already established we ACCEPT the packages, if not we fuck them. This is
# where the state matching is performed also, we allow ESTABLISHED and
# RELATED packets.
#
# NOTE: the unconditional "-p TCP -j ACCEPT" below matches every TCP
# packet, so the DROP after it is never reached. Together with the
# catch-all rule in tcp_packets this leaves every TCP port on $INET_IFACE
# reachable from the Internet; remove that ACCEPT line to get the DROP
# back and re-enable the per-port rules in tcp_packets.

$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#
#commented out just now...

#$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
#$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
#$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
#$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# TCP rules
#

#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
#$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 -j allowed


#
# UDP ports
#

#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
# NOTE: this catch-all accepts every inbound UDP packet on $INET_IFACE,
# not just replies to the gateway's own DNS/NTP queries.
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 -j ACCEPT

#
# PREROUTING chain.
#
# Do some checks for obviously spoofed IP's
#
# NOTE: the nat table is only consulted for the first packet of each new
# connection, so these rules never look at later packets of a flow. The
# same checks in the filter INPUT and FORWARD chains apply to every packet.
#

$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -t nat -A PREROUTING -i $INET_IFACE -s 172.16.0.0/12 -j DROP


#
# INPUT chain
#
# establish the basic INPUT chain and filter the packets onto the correct
# chains.
#


#$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets

$IPTABLES -A INPUT -p TCP -m state --state RELATED -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $LOCALHOST_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $LAN_IP -j ACCEPT
#$IPTABLES -A INPUT -p ALL -d $STATIC_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# OUTPUT chain
#
# establish the basic OUTPUT chain and filter them onto the correct chain
#
# NOTE: with STATIC_IP commented out and the OUTPUT policy set to DROP,
# packets the gateway itself sends from its dynamic $INET_IFACE address
# match none of the rules below and are dropped. Forwarded LAN traffic is
# not affected, since it traverses FORWARD rather than OUTPUT.
#

$IPTABLES -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
#$IPTABLES -A OUTPUT -p ALL -s $STATIC_IP -j ACCEPT
#$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

</end>



========================================================
Security Is A Series Of Well-Defined Steps...

chmod -R 0 / ; and smile :)
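A streamlined stateful ruleset along the lines the post asks for, as an added example (not the poster's script nor the BoingWorld original it was derived from). It assumes the same LAN range and interface names as the posted script, loads the ip_nat_ftp helper that active FTP through masquerading needs, and places the MSS clamp before any ACCEPT rule. gen_rules only prints the commands, so it can be inspected without root.

```shell
#!/bin/sh
# Minimal stateful ruleset for a 2.4.x dialup gateway: LAN on eth0, Internet
# on ppp0. Added example, not the poster's script. gen_rules only prints the
# commands; run "sh rc.firewall | sh" as root to apply them.
LAN_NET="192.168.0.0/24"   # assumed LAN range, as in the original script
INET_IFACE="ppp0"
LAN_IFACE="eth0"
IPT="/sbin/iptables"

gen_rules() {
  # The conntrack helper alone only tracks the FTP control channel; the nat
  # helper also rewrites the PORT command, which active FTP through
  # masquerading needs so the server can open the data connection back.
  echo "modprobe ip_conntrack_ftp"
  echo "modprobe ip_nat_ftp"
  echo "modprobe ipt_MASQUERADE"
  echo "modprobe ipt_TCPMSS"
  echo "echo 1 > /proc/sys/net/ipv4/ip_forward"
  echo "echo 1 > /proc/sys/net/ipv4/ip_dynaddr"
  # Start clean so re-running the script does not append duplicate rules.
  echo "$IPT -F"
  echo "$IPT -t nat -F"
  echo "$IPT -X"
  echo "$IPT -P INPUT DROP"
  echo "$IPT -P FORWARD DROP"
  echo "$IPT -P OUTPUT ACCEPT"
  # TCPMSS is non-terminating, so the clamp must come before any ACCEPT or a
  # SYN accepted by an earlier rule never reaches it.
  echo "$IPT -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu"
  # Private and loopback sources must never arrive from the dialup side. Done
  # in the filter table so every packet is checked, not just a flow's first.
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
    echo "$IPT -A INPUT -i $INET_IFACE -s $net -j DROP"
    echo "$IPT -A FORWARD -i $INET_IFACE -s $net -j DROP"
  done
  # Gateway itself: loopback, the LAN, and replies to its own connections.
  echo "$IPT -A INPUT -i lo -j ACCEPT"
  echo "$IPT -A INPUT -i $LAN_IFACE -s $LAN_NET -j ACCEPT"
  echo "$IPT -A INPUT -i $INET_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "$IPT -A INPUT -i $INET_IFACE -m limit --limit 3/minute -j LOG --log-prefix \"IPT INPUT drop: \""
  # LAN hosts may open anything outward; only replies and helper-tracked
  # RELATED flows (such as the FTP data connection) are forwarded back in.
  echo "$IPT -A FORWARD -i $LAN_IFACE -o $INET_IFACE -s $LAN_NET -j ACCEPT"
  echo "$IPT -A FORWARD -i $INET_IFACE -o $LAN_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT"
  echo "$IPT -A FORWARD -m limit --limit 3/minute -j LOG --log-prefix \"IPT FORWARD drop: \""
  echo "$IPT -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE"
}

gen_rules
```

Because the gateway's own outbound traffic is allowed by the OUTPUT policy and its replies by the ESTABLISHED,RELATED rule, no STATIC_IP variable is needed for a dynamic ppp0 address.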


