Re: my iptables script
On Monday 01 September 2003 09:07, Jule Slootbeek wrote:
> Hello all,
> As some of you might remember, I came here for help with my gateway at
> the beginning of summer, and all of you helped me out very much; I'm
> very grateful. Now I finally came closer to finishing up the firewall
> script, and I was wondering if what I have done is a safe way to set up
> a firewall. I'll post my script below, and any feedback would be very
> much appreciated. This script runs out of /etc/init.d and I put a
> symlink in /etc/rcS.d named S42firewall. I'm not sure if this is the
> best way to start and stop the script, but it's the best that I know.
>
> Thanks in Advance,
>
> Jule
>
> ps. i did block off my ip.
Well, there are a few problems I see with the script, I'll detail them below.
> //script
>
> #!/bin/sh
>
> case "$1" in
> start)
> echo "Setting firewall rules..."
> #ipforwarding and masquerading
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
Why the duplications? This could (should) be put on one line, like so:
iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
> iptables -A INPUT -m state --stat ESTABLISHED,RELATED -j ACCEPT
('stat' a typo for 'state'?)
This is all well and good, but you have no corresponding "--state NEW" rule
that would use this, except for the MASQUERADE rule, which will hit the
FORWARD chain, not the INPUT chain. I'd add these rules:
iptables -A OUTPUT -m state --state NEW -j ACCEPT
- This says : allow this machine (the firewall) to initiate connections.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -s 192.168.0.0/24 -j ACCEPT
- This says : allow connections I know about through the firewall, keep track
of connections from my internal network. You may need to add specific allows
for your port-forwards below, something like this :
iptables -A FORWARD -m state --state NEW -p tcp -s 140.232.x.x --dport 2401 -j ACCEPT
- etc ...
Now, lastly, and most importantly, you aren't actually blocking anything
specifically. I'd add rules similar to this :
iptables -A INPUT -s ! 192.168.0.0/24 -j DROP
- This says don't let anything except my internal network talk directly to
me.. previously established connections are caught by the 'state' rule above.
You could also use '-i ! ppp0' (or whatever your external interface is)
rather than '-s ! 192.168.0.0/24'.
iptables -A FORWARD -j DROP
- This says block everything I haven't already dealt with with the stateful
rules.
> iptables -A INPUT -i lo -j ACCEPT
> #redirecting ports
> iptables -t nat -A PREROUTING -d 140.232.x.x -p tcp --dport 2401 -j DNAT --to-destination 192.168.0.2:2401
> iptables -t nat -A PREROUTING -d 140.232.x.x -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
> iptables -t nat -A PREROUTING -d 140.232.x.x -p tcp --dport 22 -j DNAT --to-destination 192.168.0.2:80
I expect the line above is a typo, should be 192.168.0.2:22 ?
> ;;
> stop)
> echo "Stopping firewall..."
> #ipforwarding and masquerading
This is a much easier way to clear the firewall :
iptables -F
iptables -X
iptables -F -t nat
iptables -X -t nat
iptables -F -t mangle
iptables -X -t mangle
--
GPG: http://n12turbo.com/tarragon/public.key
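Putting the suggestions from the reply together, here is an added example of what the init script could look like once the stateful rules, the FORWARD allows for the port-forwards and the proper flush are in place. This is not Jule's script or the replier's; it is an example written for this page. It assumes eth0 is the external interface, 192.168.0.2 is the internal server, and a placeholder external address of 140.232.0.1 (the thread masks the real one as 140.232.x.x); set EXT_IF, EXT_IP, SRV and LAN to match. Two points the thread does not spell out: the loopback ACCEPT goes before any blanket INPUT rule so the "drop everything that isn't my LAN" rule cannot eat 127.0.0.1 traffic, and `-F`/`-X` do not reset chain policies, so the stop path sets them back to ACCEPT explicitly. The negation syntax used is the current `! -i eth0` form rather than the older `-i ! eth0` shown in the reply. With DRY_RUN=1 the script prints the iptables commands instead of running them, which is how to review the rule order without root.

```shell
#!/bin/sh
# Example firewall init script (added example, not the thread's own script).
# Usage: firewall start|stop   (DRY_RUN=1 prints the commands instead)

EXT_IF=${EXT_IF:-eth0}             # assumed external interface
LAN=${LAN:-192.168.0.0/24}         # internal network from the thread
EXT_IP=${EXT_IP:-140.232.0.1}      # placeholder for the masked 140.232.x.x
SRV=${SRV:-192.168.0.2}            # internal host receiving the port-forwards
FWD_PORTS=${FWD_PORTS:-"22 80 2401"}
DRY_RUN=${DRY_RUN:-}

# Run (or, in dry-run mode, print) one iptables command.
ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Toggle kernel IP forwarding; printed rather than written in dry-run mode.
set_forwarding() {
    if [ -n "$DRY_RUN" ]; then
        echo "sysctl -w net.ipv4.ip_forward=$1"
    else
        echo "$1" > /proc/sys/net/ipv4/ip_forward
    fi
}

# Flush and delete every chain in every table, then reset the policies,
# because -F/-X alone leave a DROP policy in place.
fw_flush() {
    for t in filter nat mangle; do
        ipt -t "$t" -F
        ipt -t "$t" -X
    done
    for c in INPUT FORWARD OUTPUT; do
        ipt -P "$c" ACCEPT
    done
}

fw_start() {
    fw_flush
    # Default deny for traffic to and through the box; the firewall itself
    # may initiate connections (the replier's "OUTPUT --state NEW" point).
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback first, before anything that could match 127.0.0.1.
    ipt -A INPUT -i lo -j ACCEPT

    # Replies to connections the conntrack table already knows about.
    ipt -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # New connections from the LAN, to the firewall and out through it.
    # "! -i $EXT_IF" refuses packets claiming a LAN source on the outside.
    ipt -A INPUT   -m state --state NEW ! -i "$EXT_IF" -s "$LAN" -j ACCEPT
    ipt -A FORWARD -m state --state NEW ! -i "$EXT_IF" -s "$LAN" -j ACCEPT

    # Port-forwards: DNAT in PREROUTING, plus a FORWARD allow for the
    # rewritten packet (FORWARD sees the destination after DNAT).
    for p in $FWD_PORTS; do
        ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport "$p" \
            -j DNAT --to-destination "$SRV:$p"
        ipt -A FORWARD -m state --state NEW -i "$EXT_IF" -p tcp \
            -d "$SRV" --dport "$p" -j ACCEPT
    done

    # Hide the LAN behind the external interface.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE

    set_forwarding 1
}

fw_stop() {
    set_forwarding 0
    fw_flush
}

case "${1:-}" in
    start) echo "Setting firewall rules..."; fw_start ;;
    stop)  echo "Stopping firewall...";      fw_stop ;;
    "")    ;;   # sourced or called without an action: define functions only
    *)     echo "Usage: $0 {start|stop}" >&2; exit 1 ;;
esac
```

Run `DRY_RUN=1 sh firewall start` first and read the rule order top to bottom; the ESTABLISHED,RELATED rules must precede the NEW rules and the loopback ACCEPT must precede any rule keyed on source address, otherwise local services and the port-forwards' return traffic break in ways that look like a routing problem.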