Hello, I have included the changes suggested by Jason and Sven. The end result is below. It might be interesting for other people who have a similar setup. It's basically the same script with these changes:

* I changed the internal_in rules to include imap and smtp
* added an internal_out rule to OUTPUT to allow imap, dhcp and smtp from the firewall to the lan
* removed 4 forward rules and added port 443

One thing that I'm not sure about is the internal_out rule. I've changed the ports on the rule like this:

$IPT -A internal_out -p udp --sport 68 --dport 67 -j ACCEPT

I'm not sure if this is correct. The in rule had --sport 67 --dport 68 so I figured it's the other way round for the outgoing connection. Is this correct?

Anyway, thanks to the people who have helped me on this. It's very much appreciated. Only a few more weeks and this script is going to see some action :)

Thanks!

========================= script v 0.3 ==============================
#!/bin/sh
# Set variables needed for a 2 interfaces system where interface eth0 gets
# an ip from the isp (cable modem) over dhcp and eth1 is 192.168.0.1 and serves the LAN with
# ip's in the range 192.168.0.2-192.168.0.10
IPT=`which iptables`
DEP=`which depmod`
INS=`which insmod`
EXTIF="eth0"
INTIF="eth1"
LO="lo"
LAN="192.168.0.0/24"

# i need to check this list so it's possible it's not up to date.
# I used the Dotted Decimal Non-aggregated list
# of http://www.cymru.com/Documents/bogon-dd.html
RESERVED_NET="0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 \
5.0.0.0/8 \
7.0.0.0/8 \
10.0.0.0/8 \
23.0.0.0/8 \
27.0.0.0/8 \
31.0.0.0/8 \
36.0.0.0/8 37.0.0.0/8 \
39.0.0.0/8 \
41.0.0.0/8 42.0.0.0/8 49.0.0.0/8 \
50.0.0.0/8 58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 \
70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 \
74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 \
83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 \
88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8 \
95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 100.0.0.0/8 101.0.0.0/8 \
102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 \
108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 \
114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 \
120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 \
126.0.0.0/8 127.0.0.0/8 \
169.254.0.0/16 172.16.0.0/255.240.0.0 \
192.0.2.0/24 192.168.0.0/16 \
197.0.0.0/8 198.18.0.0/255.254.0.0 \
201.0.0.0/8 222.0.0.0/8 223.0.0.0/8 224.0.0.0/224.0.0.0"

# Insert necessary modules
$INS ip_tables
$INS ip_conntrack
$INS ip_conntrack_ftp
$INS ip_conntrack_irc
$INS iptable_filter
$INS ipt_limit
$INS ipt_state
$INS ipt_unclean
$INS ipt_LOG
$INS iptable_nat
$INS ipt_MASQUERADE
$INS ip_nat_ftp

# Clearing any previous configuration
$IPT -F
$IPT -X
$IPT -Z
$IPT -P INPUT DROP
$IPT -F INPUT
$IPT -P OUTPUT DROP
$IPT -F OUTPUT
$IPT -P FORWARD DROP
$IPT -F FORWARD
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

# Create the user chains (every chain used with -A or -j below must exist first)
$IPT -N inet_in
$IPT -N internal_in
$IPT -N local_in
$IPT -N checkspoof
$IPT -N logspoof
$IPT -N inet_out
$IPT -N internal_out
$IPT -N local_out

# Dynamic IP
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Disable spoofing
echo "1" > /proc/sys/net/ipv4/conf/$EXTIF/rp_filter
# Block all echo requests
#echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
# Add synflood protection
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# Log martians
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
# Not accept ICMP redirect messages
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
# Track nr of connections
echo "16384" > /proc/sys/net/ipv4/ip_conntrack_max
# Disable ICMP send_redirect
echo "0" > /proc/sys/net/ipv4/conf/$EXTIF/send_redirects
# Don't accept source routed packets.
echo "0" > /proc/sys/net/ipv4/conf/$EXTIF/accept_source_route
# ICMP Broadcasting protection (smurf amplifier protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# ICMP Dead Error Messages protection
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# LooseUDP patch is required by some internet-based games
#echo "1" > /proc/sys/net/ipv4/ip_masq_udp_dloose
# IP forwarding (needed for NAT: without it the FORWARD rules and MASQUERADE below never see a packet)
echo "1" > /proc/sys/net/ipv4/ip_forward
# Reduce DoS'ing ability by reducing timeouts
# Defaults:
# echo 60 > /proc/sys/net/ipv4/tcp_fin_timeout
# echo 7200 > /proc/sys/net/ipv4/tcp_keepalive_time
# echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
# echo 1 > /proc/sys/net/ipv4/tcp_sack
echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
# Set our local port range
# Default:
# echo "1024 4999" > /proc/sys/net/ipv4/ip_local_port_range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
# Time To Live (TTL) is the term for a data field in the internet
# protocol. TTL is today interpreted to indicate the maximum number of
# routers a packet may transit.
echo "64" > /proc/sys/net/ipv4/ip_default_ttl
# Increase the default queuelength. (Kernel Default: 1024)
#echo "2048" > /proc/sys/net/ipv4/ip_queue_maxlen
# Enable ECN? (Explicit Congestion Notification)
echo "1" > /proc/sys/net/ipv4/tcp_ecn

###############################################################################
### logspoof ####
###############################################################################
$IPT -A logspoof -m limit --limit 3/min -j LOG \
    --log-prefix "ip spoofing detected " \
    --log-tcp-sequence --log-level info
$IPT -A logspoof -j DROP

###############################################################################
### checkspoof ####
###############################################################################
# this ip is used by my isp for something (don't know what) and is sent
# every 2 minutes so i do not even want to log this! Annoying isp.
# It goes to address 224.0.0.1 which is IGMP multicast
# network
$IPT -A checkspoof -s 10.95.11.80 -j DROP
## Class A Reserved
$IPT -A checkspoof -s 10.0.0.0/8 -j logspoof
## Class B Reserved
$IPT -A checkspoof -s 172.16.0.0/12 -j logspoof
## Class C Reserved
$IPT -A checkspoof -s 192.168.0.0/16 -j logspoof
## Class D Reserved
$IPT -A checkspoof -s 224.0.0.0/4 -j logspoof
## Class E Reserved
$IPT -A checkspoof -s 240.0.0.0/5 -j logspoof
for NET in $RESERVED_NET; do
    $IPT -A checkspoof -s $NET -j logspoof
done

###############################################################################
### inet_in ####
###############################################################################
# run the spoof check first so that a spoofed source cannot reach the
# ACCEPT rules below it
$IPT -A inet_in -j checkspoof
### allow inside on firewall machine: ssh, ddt
$IPT -A inet_in -p tcp --dport 22 -j ACCEPT      # allow ssh in
$IPT -A inet_in -p udp --dport 1052 -j ACCEPT    # allow ddt queries in
$IPT -A inet_in -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "inet_in: New not syn:"
$IPT -A inet_in -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A inet_in -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

###############################################################################
### internal_in ####
###############################################################################
# allow dhcp request to eth1 in, allow ssh to firewall machine from lan,
# allow imap and smtp
$IPT -A internal_in -p tcp --dport 22 -j ACCEPT
$IPT -A internal_in -p tcp --dport 25 -j ACCEPT
# DHCP clients send from port 68 to the server's port 67 (RFC 2131), so a
# request coming in from the lan has --sport 68 --dport 67
$IPT -A internal_in -p udp --sport 68 --dport 67 -j ACCEPT
$IPT -A internal_in -p tcp --dport 143 -j ACCEPT
# replies to connections the firewall opened towards the lan (smtp, imap)
$IPT -A internal_in -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

###############################################################################
### local_in ####
###############################################################################
$IPT -A local_in -j ACCEPT

###############################################################################
### inet_out ####
###############################################################################
### allow outside from firewall machine: ping, dns, proxy of isp (8080),
### dhcp, news, smtp, www, imap, pop3, ftp (+ftpdata), ssh, ddt
### all tcp ports ###
$IPT -A inet_out -p tcp --dport 21 -j ACCEPT     # ftp
$IPT -A inet_out -p tcp --dport 22 -j ACCEPT     # ssh
$IPT -A inet_out -p tcp --dport 25 -j ACCEPT     # smtp
$IPT -A inet_out -p tcp --dport 53 -j ACCEPT     # dns
$IPT -A inet_out -p tcp --dport 80 -j ACCEPT     # www
$IPT -A inet_out -p tcp --dport 110 -j ACCEPT    # pop3
$IPT -A inet_out -p tcp --dport 143 -j ACCEPT    # imap
$IPT -A inet_out -p tcp --dport 1052 -j ACCEPT   # ddt project ports
$IPT -A inet_out -p tcp --dport 8080 -j ACCEPT   # proxy isp
### all udp ports ###
$IPT -A inet_out -p udp --dport 53 -j ACCEPT     # dns
# DHCP to isp: the firewall is the client here, so it sends from port 68 to port 67
$IPT -A inet_out -p udp --sport 68 --dport 67 -j ACCEPT
$IPT -A inet_out -p udp --dport 1052 -j ACCEPT   # ddt project ports
### all icmp ###
$IPT -A inet_out -p icmp --icmp-type 0 -j ACCEPT
$IPT -A inet_out -p icmp --icmp-type 3 -j ACCEPT
$IPT -A inet_out -p icmp --icmp-type 8 -j ACCEPT
$IPT -A inet_out -p icmp --icmp-type 11 -j ACCEPT
# replies to connections accepted by inet_in (ssh, ddt)
$IPT -A inet_out -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

###############################################################################
### internal_out ####
###############################################################################
# from FW to lan: imap, dhcp, smtp
$IPT -A internal_out -p tcp --dport 25 -j ACCEPT
# DHCP replies leave the firewall's server port 67 for the client's port 68
$IPT -A internal_out -p udp --sport 67 --dport 68 -j ACCEPT
$IPT -A internal_out -p tcp --dport 143 -j ACCEPT
# replies to connections the lan opened towards the firewall (ssh, smtp, imap)
$IPT -A internal_out -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT

###############################################################################
### local_out ####
###############################################################################
$IPT -A local_out -j ACCEPT

###############################################################################
#### INPUT ####
###############################################################################
$IPT -A INPUT -i $EXTIF -j inet_in
$IPT -A INPUT -i $INTIF -j internal_in
$IPT -A INPUT -i $LO -j local_in
$IPT -A INPUT -i $EXTIF -p ALL -j LOG \
    --log-prefix "INPUT: dropped packets"
$IPT -A INPUT -i $EXTIF -p ALL -j DROP

###############################################################################
#### OUTPUT ####
###############################################################################
$IPT -A OUTPUT -o $EXTIF -j inet_out
$IPT -A OUTPUT -o $INTIF -j internal_out
$IPT -A OUTPUT -o $LO -j local_out
$IPT -A OUTPUT -o $EXTIF -p ALL -j LOG --log-level info \
    --log-prefix "OUTPUT: dropped packets"
$IPT -A OUTPUT -o $EXTIF -p ALL -j DROP

###############################################################################
#### FORWARD ####
###############################################################################
$IPT -A FORWARD -m state --state INVALID -j LOG \
    --log-prefix "FORWARD: invalid packets"
$IPT -A FORWARD -m state --state INVALID -j DROP
### allow forwarding to the net from the lan
# Took it out for more restrictive rules
# $IPT -A FORWARD -o $INTIF -i $EXTIF -d $LAN -s ! $LAN -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 21 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 22 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 25 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 53 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 80 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 110 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 443 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p tcp --dport 8080 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 0 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 3 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 8 -j ACCEPT
$IPT -A FORWARD -i $INTIF -o $EXTIF -p icmp --icmp-type 11 -j ACCEPT
### allow forwarding to the lan from the net for established or related connections
# (return traffic arrives on $EXTIF and leaves on $INTIF; the interface
# arguments must reflect that direction or every reply packet is dropped)
$IPT -A FORWARD -i $EXTIF -o $INTIF -s ! $LAN -d $LAN \
    -m state --state ESTABLISHED,RELATED -j ACCEPT
### log all the rest (i shouldn't get packets here?) ###
$IPT -A FORWARD -p ALL -j LOG --log-level info \
    --log-prefix "FORWARD: dropped packets"
$IPT -A FORWARD -p ALL -j DROP

###############################################################################
#### POSTROUTING ####
###############################################################################
$IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
========================= script v 0.3 ==============================

------
Benedict Verheyen
Linux 2.4.20 AMD Athlon(tm) Processor AuthenticAMD GNU/Linux
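As an added example, not part of Benedict's post: a small static check for an iptables shell script of this shape, listing every chain the script appends to (-A) or jumps to (-j) without first creating it with -N, which is the mistake iptables reports at load time as "No chain/target/match by that name". It assumes only awk and sort and runs over a constructed sample ruleset, never against the live firewall.

```shell
#!/bin/sh
# Added example, not from the original post: list every user chain that an
# iptables script appends to (-A) or jumps to (-j) but never creates with -N.
# The sample ruleset further down is constructed to mirror the script above.

# Builtin chains never need -N; the second list holds targets, not chains.
BUILTIN="INPUT OUTPUT FORWARD PREROUTING POSTROUTING"
TARGETS="ACCEPT DROP REJECT RETURN LOG MASQUERADE SNAT DNAT"

# Read a script on stdin and print the missing chains, one per line, sorted.
missing_chains() {
    awk -v builtin="$BUILTIN" -v targets="$TARGETS" '
    BEGIN {
        n = split(builtin, b, " "); for (i = 1; i <= n; i++) known[b[i]] = 1
        n = split(targets, t, " "); for (i = 1; i <= n; i++) known[t[i]] = 1
    }
    /^[ \t]*#/ { next }                       # skip comment lines
    {
        for (i = 1; i < NF; i++) {
            if ($i == "-N") created[$(i + 1)] = 1
            else if ($i == "-A" || $i == "-j") used[$(i + 1)] = 1
        }
    }
    END {
        for (c in used)
            if (!(c in created) && !(c in known)) print c
    }' | sort
}

# Constructed sample: internal_in and internal_out are used but never created.
SAMPLE_RULES=$(cat <<'EOF'
IPT=/sbin/iptables
$IPT -N inet_in
$IPT -N checkspoof
$IPT -N logspoof
$IPT -A logspoof -m limit --limit 3/min -j LOG --log-prefix "spoof "
$IPT -A logspoof -j DROP
$IPT -A inet_in -j checkspoof
$IPT -A internal_in -p tcp --dport 22 -j ACCEPT
$IPT -A INPUT -i eth0 -j inet_in
$IPT -A INPUT -i eth1 -j internal_in
$IPT -A OUTPUT -o eth1 -j internal_out
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
EOF
)

# Returns the sample's missing chains as one space-separated line.
check_sample() { printf '%s\n' "$SAMPLE_RULES" | missing_chains | tr '\n' ' '; }
check_sample    # prints: internal_in internal_out
```

To check a real script, feed it on stdin: `missing_chains < rc.firewall`; an empty result means every chain referenced is either builtin, a target, or created with -N.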