Re: my iptables script
I'd also set the default policy to DROP and log whatever is dropped in the end:
#!/bin/sh
iptables -F
iptables -X
for tabla in nat mangle ; do
iptables -F -t $tabla
iptables -X -t $tabla
done
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
# (all your rules go here)
iptables -A INPUT -j LOG -m limit --limit 10/minute
iptables -A OUTPUT -j LOG -m limit --limit 10/minute
iptables -A FORWARD -j LOG -m limit --limit 10/minute
Set the --limit to whatever is acceptable for your setup.
Also, if I had the chance and time, I'd be more picky about accepting every new
connection in the OUTPUT chain; call me paranoid, but I prefer to allow only
what's needed and nothing more, although it may be less flexible and require
more maintenance.
José
Quoting Tarragon Allen <tarragon@onthe.net.au>:
> On Monday 01 September 2003 09:07, Jule Slootbeek wrote:
> > Hello all,
> > As some of you might remember, I came here for help with my gateway at
> > the beginning of summer, and all of you helped me out very much; I'm
> > very grateful. Now I finally came closer to finishing up the firewall
> > script, and I was wondering if what I have done is a safe way to set up
> > a firewall. I'll post my script below, and any feedback would be very
> > much appreciated. This script runs out of /etc/init.d and I put a
> > symlink in /etc/rcS.d named S42firewall. I'm not sure if this is the
> > best way to start and stop the script, but it's the best that I know.
> >
> > Thanks in Advance,
> >
> > Jule
> >
> > PS: I did block off my IP.
>
> Well, there are a few problems I see with the script, I'll detail them
> below.
>
> > //script
> >
> > #!/bin/sh
> >
> > case "$1" in
> > start)
> > echo "Setting firewall rules..."
> > #ipforwarding and masquerading
> > iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> > iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
>
> Why the duplications? This could (should) be put on one line, like so:
>
> iptables -t nat -A POSTROUTING -o eth0 -s 192.168.0.0/24 -j MASQUERADE
>
> > iptables -A INPUT -m state --stat ESTABLISHED,RELATED -j ACCEPT
>
> ('stat' a typo for 'state'?)
>
> This is all well and good, but you have no corresponding "--state NEW" rule
>
> that would use this, except for the MASQUERADE rule, which will hit the
> FORWARD chain, not the INPUT chain. I'd add these rules:
>
> iptables -A OUTPUT -m state --state NEW -j ACCEPT
>
> - This says : allow this machine (the firewall) to initiate connections.
>
> iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A FORWARD -m state --state NEW -s 192.168.0.0/24 -j ACCEPT
>
> - This says : allow connections I know about through the firewall, keep track
>
> of connections from my internal network. You may need to add specific allows
>
> for your port-forwards below, something like this :
>
> iptables -A FORWARD -m state --state NEW -p tcp -s 140.232.x.x --dport 2401 -j ACCEPT
> - etc ...
>
> Now, lastly, and most importantly, you aren't actually blocking anything
> specifically. I'd add rules similar to this :
>
> iptables -A INPUT -s ! 192.168.0.0/24 -j DROP
>
> - This says don't let anything except my internal network talk directly to
> me.. previously established connections are caught by the 'state' rule above.
>
> You could also use '-i ! ppp0' (or whatever your external interface is)
> rather than '-s ! 192.168.0.0/24'.
>
> iptables -A FORWARD -j DROP
>
> - This says block everything I haven't already dealt with with the stateful
>
> rules.
>
> > iptables -A INPUT -i lo -j ACCEPT
> > #redirecting ports
> > iptables -t nat -A PREROUTING -d 140.232.x.x -p tcp --dport 2401 -j DNAT --to-destination 192.168.0.2:2401
> > iptables -t nat -A PREROUTING -d 140.232.x.x -p tcp --dport 80 -j DNAT --to-destination 192.168.0.2:80
> > iptables -t nat -A PREROUTING -d 140.232.x.x -p tcp --dport 22 -j DNAT --to-destination 192.168.0.2:80
>
> I expect the line above is a typo, should be 192.168.0.2:22 ?
>
> > ;;
> > stop)
> > echo "Stopping firewall..."
> > #ipforwarding and masquerading
>
> This is a much easier way to clear the firewall :
>
> iptables -F
> iptables -X
> iptables -F -t nat
> iptables -X -t nat
> iptables -F -t mangle
> iptables -X -t mangle
>
> t
> --
> GPG: http://n12turbo.com/tarragon/public.key
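Putting the two pieces of advice in this thread together, here is a complete init-style script: Tarragon's stateful INPUT/OUTPUT/FORWARD rules and matching FORWARD allows for each DNAT port-forward, inside José's default-DROP-and-log skeleton. This is an added example, not a script from either poster; the LAN range, the forwarded ports and the internal host 192.168.0.2 are the thread's, while the public address (203.0.113.5, a TEST-NET placeholder) and interface name are assumptions, and IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example (not from the thread): stateful rules in a default-DROP skeleton
# with rate-limited logging of whatever is dropped. Set IPT=echo for a dry run.
IPT="${IPT:-iptables}"
EXT_IF="${EXT_IF:-eth0}"              # external interface (assumption)
LAN="${LAN:-192.168.0.0/24}"          # internal network (from the thread)
EXT_IP="${EXT_IP:-203.0.113.5}"       # placeholder public address, set your own
DMZ_HOST="${DMZ_HOST:-192.168.0.2}"   # internal server receiving port-forwards
PORTS="${PORTS:-2401 80 22}"          # forwarded TCP ports (from the thread)
flush_all() {                         # the "easier way to clear the firewall"
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
}
firewall_start() {
    flush_all
    # default policy DROP: anything not explicitly allowed below is refused
    for chain in INPUT OUTPUT FORWARD; do $IPT -P "$chain" DROP; done
    # loopback and already-tracked connections in every chain
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A "$chain" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done
    # the firewall may initiate connections; only the LAN may talk to it directly
    $IPT -A OUTPUT -m state --state NEW -j ACCEPT
    $IPT -A INPUT -m state --state NEW -s "$LAN" ! -i "$EXT_IF" -j ACCEPT
    # LAN hosts go out through the box and are masqueraded (ip_forward must be on)
    $IPT -A FORWARD -m state --state NEW -s "$LAN" -o "$EXT_IF" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j MASQUERADE
    # each DNAT needs a matching FORWARD allow for the NEW packet
    for port in $PORTS; do
        $IPT -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport "$port" \
            -j DNAT --to-destination "$DMZ_HOST:$port"
        $IPT -A FORWARD -m state --state NEW -i "$EXT_IF" -p tcp -d "$DMZ_HOST" \
            --dport "$port" -j ACCEPT
    done
    # whatever falls through is logged (rate-limited) before the policy drops it
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A "$chain" -m limit --limit 10/minute -j LOG --log-prefix "fw-$chain: "
    done
}
firewall_stop() {                     # open up again: flush and accept everything
    flush_all
    for chain in INPUT OUTPUT FORWARD; do $IPT -P "$chain" ACCEPT; done
}
case "${1:-}" in start) firewall_start ;; stop) firewall_stop ;; esac
```

Run it as `IPT=echo sh firewall start` first to read the generated rule list before applying it for real.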