
Re: my iptables script

On Monday 01 September 2003 09:07, Jule Slootbeek wrote:
> Hello all,
> As some of you might remember, I came here for help with my gateway at
> the beginning of summer, and all of you helped me out very much, I'm
> very grateful. Now I finally came closer to finishing up the firewall
> script, and I was wondering if what I have done is a safe way to set up
> a firewall. I'll post my script below, and any feedback would be very
> much appreciated. This script runs out of /etc/init.d and I put a
> symlink in /etc/rcS.d named S42firewall. I'm not sure if this is the
> best way to start and stop the script, but it's the best that I know.
> Thanks in advance,
> Jule
> ps. I did block off my IP.

Well, there are a few problems I see with the script, I'll detail them below.

> //script
> #!/bin/sh
> case "$1" in
>   start)
>     echo "Setting firewall rules..."
>     #ipforwarding and masquerading
>     iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>     iptables -t nat -A POSTROUTING -s -j MASQUERADE

Why the duplication? This could (should) be put on one line, like so:

iptables -t nat -A POSTROUTING -o eth0 -s -j MASQUERADE

>     iptables -A INPUT -m state --stat ESTABLISHED,RELATED -j ACCEPT

('stat' a typo for 'state'?)

This is all well and good, but you have no corresponding "--state NEW" rule 
that would use this, except for the MASQUERADE rule, which will hit the 
FORWARD chain, not the INPUT chain. I'd add these rules:

iptables -A OUTPUT -m state --state NEW -j ACCEPT

- This says : allow this machine (the firewall) to initiate connections.

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -s -j ACCEPT

- This says : allow connections I know about through the firewall, keep track 
of connections from my internal network. You may need to add specific allows 
for your port-forwards below, something like this :

iptables -A FORWARD -m state --state NEW -p tcp -s 140.232.x.x --dport 2401 -j 
- etc ...

Now, lastly, and most importantly, you aren't actually blocking anything 
specifically. I'd add rules similar to this :

iptables -A INPUT -s ! -j DROP

- This says don't let anything except my internal network talk directly to 
me. Previously established connections are caught by the 'state' rule above. 
You could also use '-i ! ppp0' (or whatever your external interface is) 
rather than '-s !'.

iptables -A FORWARD -j DROP

- This says block everything I haven't already dealt with with the stateful 

>     iptables -A INPUT -i lo -j ACCEPT
>     #redirecting ports
>     iptables -t nat -A PREROUTING -d 140.232.x.x -p tcp --dport 2401 -j
> DNAT --to-destination
>     iptables -t nat -A PREROUTING -d 140.232.x.x -p tcp --dport 80 -j
> DNAT --to-destination
>     iptables -t nat -A PREROUTING -d 140.232.x.x -p tcp --dport 22 -j
> DNAT --to-destination

I expect the line above is a typo, should be ?

>   ;;
>   stop)
>     echo "Stopping firewall..."
>     #ipforwarding and masquerading

This is a much easier way to clear the firewall :

iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle

GPG: http://n12turbo.com/tarragon/public.key
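A complete start/stop script that follows the rule order recommended in this reply (masquerade only LAN traffic leaving the external interface, stateful INPUT/OUTPUT/FORWARD rules, explicit allows for the port-forwards, a final FORWARD drop, and the flush-and-delete sequence for stop). This is an added example, not Jule's script or the reply author's code; the interface, public address, LAN network and internal host are constructed placeholders, and DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Constructed placeholders standing in for the addresses blanked out in the thread;
# override them with environment variables before running for real.
EXT_IF="${EXT_IF:-eth0}"                 # assumed external interface
EXT_IP="${EXT_IP:-198.51.100.10}"        # assumed public address (documentation range)
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed internal network
LAN_HOST="${LAN_HOST:-192.168.1.10}"     # assumed internal server the ports forward to
FWD_PORTS="${FWD_PORTS:-2401 80 22}"     # ports forwarded in the original script
DRY_RUN="${DRY_RUN:-1}"                  # 1 = print the commands instead of running them

# Wrapper so the same rule list can be reviewed on paper (dry run) or applied as root
ipt() { if [ "$DRY_RUN" = 1 ]; then echo "iptables $*"; else iptables "$@"; fi; }

firewall_start() {
    # NAT: masquerade only LAN traffic that leaves through the external interface
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN_NET" -j MASQUERADE
    # Port forwards: destination is rewritten in PREROUTING, before FORWARD sees the packet
    for p in $FWD_PORTS; do
        ipt -t nat -A PREROUTING -d "$EXT_IP" -p tcp --dport "$p" -j DNAT --to-destination "$LAN_HOST"
    done
    # INPUT: loopback, replies to connections we already know, then nothing that is not from the LAN
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT ! -s "$LAN_NET" -j DROP
    # OUTPUT: the firewall itself may initiate connections
    ipt -A OUTPUT -m state --state NEW -j ACCEPT
    # FORWARD: known connections, new ones from the LAN, new ones to the forwarded ports
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state NEW -s "$LAN_NET" -j ACCEPT
    for p in $FWD_PORTS; do
        # match the post-DNAT destination, because nat PREROUTING runs before filter FORWARD
        ipt -A FORWARD -m state --state NEW -p tcp -d "$LAN_HOST" --dport "$p" -j ACCEPT
    done
    # Everything else crossing the box is dropped
    ipt -A FORWARD -j DROP
}

firewall_stop() {
    # Flush every chain and delete user-defined chains in all three tables
    for t in filter nat mangle; do
        ipt -t "$t" -F
        ipt -t "$t" -X
    done
}

case "$1" in
    start) firewall_start ;;
    stop)  firewall_stop ;;
    "")    : ;;
    *)     echo "usage: $0 {start|stop}" >&2 ;;
esac
```

Run with DRY_RUN=1 first and read the printed list top to bottom: order matters, since the INPUT drop and the FORWARD drop must come after the state and allow rules that precede them.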
