Default Policy = DROP. Help-me

To: Debian Firewall <debian-firewall@lists.debian.org>
Subject: Default Policy = DROP. Help-me
From: Yuri Rodrigues <yurirbraz@gmail.com>
Date: Wed, 24 Oct 2007 09:13:10 -0200
Message-id: <[🔎] 471F28C6.3050102@gmail.com>

Hello Debian Geeks,

I am mounting a firewall, but I am having great difficulty because ofthe policy of chains that I adopted.I usually browse the Internet, get ssh servers for my network and get myssh server when I am in a remote location. But can not access serversssh from my server firewall. Somebody help me with that firewall?


Very Thank's,

Yuri Rodrigues.

Ps: Excuse me for the mistakes, I am Brazilian and translate with thehelp of google.

Pss: The file of firewall is attached.


#!/bin/sh

# Sistema de Firewall
# Autor - Yuri Rodrigues
# Mail - yurirbraz@gmail.com
#
# Admite-se que:
# Eth0 = Intranet
# Eth1 = Internet

intranet="eth0"
iptables="/sbin/iptables"
internet="eth1"
rede="192.168.121.0/24"

echo "-----------------======= Firewall =======------------------"
echo "                    Por: Yuri Rodrigues      "
echo "Monitoramento: [ /var/log/syslog ]                 "
echo ""
echo "Iniciando o script                                         "
echo ""

# Para monitoramento ver logs em
# /var/log/syslog

#### Limpando regras ####
$iptables -F
$iptables -t nat -F
$iptables -t mangle -F
echo "Limpando Regras Antigas ............................ [ OK ]"

#### Ativar Modulos ####
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_queue
modprobe ip_tables
modprobe ipt_LOG
modprobe ipt_MARK
modprobe ipt_MASQUERADE
modprobe ipt_REDIRECT
modprobe ipt_REJECT
modprobe ipt_TCPMSS
modprobe ipt_TOS
modprobe ipt_limit
modprobe ipt_mac
modprobe ipt_mark
modprobe ipt_multiport
modprobe ipt_owner
modprobe ipt_state
modprobe ipt_tcpmss
modprobe ipt_tos
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Ativando Modulos ................................... [ OK ]"

#### Definicao de Policiamento ####
# Tabela filter
$iptables -t filter -P INPUT DROP
$iptables -t filter -P OUTPUT DROP
$iptables -t filter -P FORWARD DROP
# Tabela nat
$iptables -t nat -P PREROUTING DROP
$iptables -t nat -P OUTPUT DROP
$iptables -t nat -P POSTROUTING DROP
# Tabela mangle
$iptables -t mangle -P PREROUTING DROP
$iptables -t mangle -P OUTPUT DROP
$iptables -t mangle -P INPUT DROP
$iptables -t mangle -P POSTROUTING DROP
echo "Definindo Policiamento ............................. [ OK ]"

####  Permitindo conexoes ja estabelecidas  ####
$iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#### Trafego LoopBack Aceito ####
$iptables -A INPUT -i lo -j ACCEPT

echo ">>>>>>>>>>>>>>>>>> Regras para usuarios <<<<<<<<<<<<<<<<<<"

#### Servidor SSH Rede > Internet ####
$iptables -t nat -A POSTROUTING -p tcp --dport 22 -o $internet -j MASQUERADE
$iptables -A FORWARD -p tcp -i $internet --sport 22 -j ACCEPT
$iptables -A FORWARD -p tcp -i $intranet --dport 22 -j ACCEPT
$iptables -t nat -A PREROUTING -i $internet -p tcp --dport 22 -j ACCEPT
$iptables -t nat -A PREROUTING -i $intranet -p tcp --dport 22 -j ACCEPT
$iptables -t mangle -A PREROUTING -p tcp -i $internet --sport 22 -j ACCEPT
$iptables -t mangle -A PREROUTING -p tcp -i $intranet --dport 22 -j ACCEPT
$iptables -t mangle -A POSTROUTING -p tcp -o $internet --dport 22 -j ACCEPT
$iptables -t mangle -A POSTROUTING -p tcp -o $intranet --sport 22 -j ACCEPT
echo "Servidor ssh Internet .............................. [ OK ]"

#### Acesso ssh Internet > Servidor ####
$iptables -A INPUT -p tcp --dport 22 -i $internet -j ACCEPT
$iptables -A OUTPUT -p tcp --sport 22 -o $internet -j ACCEPT
$iptables -t mangle -A PREROUTING -p tcp -i $internet --dport 22 -j ACCEPT
$iptables -t mangle -A INPUT -p tcp --dport 22 -i $internet -j ACCEPT
$iptables -t mangle -A OUTPUT -p tcp --sport 22 -o $internet -j ACCEPT
$iptables -t mangle -A POSTROUTING -p tcp -o $internet --sport 22 -j ACCEPT

#### Acesso ssh Servidor > Internet ####
$iptables -A INPUT -p tcp --sport 22 -i $internet -j ACCEPT
$iptables -A OUTPUT -p tcp --dport 22 -o $internet -j ACCEPT
$iptables -t mangle -A PREROUTING -p tcp -i $internet --sport 22 -j ACCEPT
$iptables -t mangle -A INPUT -p tcp --sport 22 -i $internet -j ACCEPT
$iptables -t mangle -A OUTPUT -p tcp --dport 22 -o $internet -j ACCEPT
$iptables -t mangle -A POSTROUTING -p tcp -o $internet --dport 22 -j ACCEPT

#### Servidor SSH Intranet ####
$iptables -A INPUT -i $intranet -p tcp --dport 22 -j ACCEPT
$iptables -A INPUT -i $intranet -p tcp --syn --dport 22 -j ACCEPT

$iptables -A INPUT -i $intranet -p tcp --dport 22 -j LOG --log-prefix"SSH INTRA: "

$iptables -A OUTPUT -o $intranet -d $rede -p tcp --sport 22 -j ACCEPT

$iptables -t mangle -A INPUT -i $intranet -s $rede -p tcp --dport 22 -jACCEPT

$iptables -t mangle -A INPUT -i $intranet -p tcp --syn --dport 22 -j ACCEPT

$iptables -t mangle -A OUTPUT -o $intranet -d $rede -p tcp --sport 22 -jACCEPT

echo "Servidor ssh Intranet .............................. [ OK ]"

#### Compartilhamento de Internet ####

$iptables -t nat -A POSTROUTING -p tcp --dport 80 -o $internet -s192.168.121.0/24 -j MASQUERADE

$iptables -A FORWARD -p tcp -i $internet --sport 80 -j ACCEPT
$iptables -A FORWARD -p tcp -i $intranet --dport 80 -j ACCEPT
$iptables -t mangle -A PREROUTING -p tcp -i $internet --sport 80 -j ACCEPT
$iptables -t mangle -A PREROUTING -p tcp -i $intranet --dport 80 -j ACCEPT
$iptables -t mangle -A POSTROUTING -p tcp -o $internet --dport 80 -j ACCEPT
$iptables -t mangle -A POSTROUTING -p tcp -o $intranet --sport 80 -j ACCEPT
$iptables -t nat -A PREROUTING -p tcp -i $internet --dport 80 -j ACCEPT
$iptables -t nat -A PREROUTING -p tcp -i $intranet --dport 80 -j ACCEPT
$iptables -t nat -A POSTROUTING -p tcp -o $internet --dport 80 -j ACCEPT
$iptables -t nat -A POSTROUTING -p tcp -o $intranet --sport 80 -j ACCEPT
$iptables -t nat -A OUTPUT -p tcp -o $internet --dport 80 -j ACCEPT
$iptables -t nat -A OUTPUT -p tcp -o $intranet --sport 80 -j ACCEPT
echo "Compartilhamento de Internet ....................... [ OK ]"

echo "<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"

#### Protecao contra SynFloods ####
$iptables -A FORWARD -p tcp --syn -m limit --limit 3/s -j ACCEPT
echo "Protecao contra SynFloods .......................... [ OK ]"

#### Protecao contra ping da morte ####

$iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit1/s -j ACCEPT

echo "Protecao contra ping da morte ...................... [ OK ]"

#### Bloqueando pacotes fragmentados ####
$iptables -A INPUT -f -i $internet -j LOG --log-prefix "Fragmentos: "
$iptables -A INPUT -f -i $internet -j DROP
echo "Bloquando pacotes fragmentados ..................... [ OK ]"

#### Protecao contra ping flood ####
$iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
echo "Protecao contra ping flood ......................... [ Ok ]"

#### Conexoes Locais ####
$iptables -t nat -A POSTROUTING -o lo -j ACCEPT

echo ""
echo "-------------======= Firewall  Ativado =======--------------"

#!/bin/sh

# Sistema de Firewall
# Autor - Yuri Rodrigues
# Mail - yurirbraz@gmail.com
# 
# Admite-se que:
# Eth0 = Intranet
# Eth1 = Internet

intranet="eth0"
iptables="/sbin/iptables"
internet="eth1"
rede="192.168.121.0/24"

echo "-----------------======= Firewall =======------------------"
echo "					Por: Yuri Rodrigues      "
echo "Monitoramento: [ /var/log/syslog ]		         "
echo ""
echo "Iniciando o script                                         "
echo ""

# Para monitoramento ver logs em 
# /var/log/syslog

#### Limpando regras ####
$iptables -F
$iptables -t nat -F
$iptables -t mangle -F
echo "Limpando Regras Antigas ............................ [ OK ]"

#### Ativar Modulos ####
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp
modprobe ip_queue
modprobe ip_tables
modprobe ipt_LOG
modprobe ipt_MARK
modprobe ipt_MASQUERADE
modprobe ipt_REDIRECT
modprobe ipt_REJECT
modprobe ipt_TCPMSS
modprobe ipt_TOS
modprobe ipt_limit
modprobe ipt_mac
modprobe ipt_mark
modprobe ipt_multiport
modprobe ipt_owner
modprobe ipt_state
modprobe ipt_tcpmss
modprobe ipt_tos
modprobe iptable_filter
modprobe iptable_mangle
modprobe iptable_nat
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Ativando Modulos ................................... [ OK ]"

#### Definicao de Policiamento ####
# Tabela filter
$iptables -t filter -P INPUT DROP
$iptables -t filter -P OUTPUT DROP
$iptables -t filter -P FORWARD DROP
# Tabela nat
$iptables -t nat -P PREROUTING DROP
$iptables -t nat -P OUTPUT DROP
$iptables -t nat -P POSTROUTING DROP
# Tabela mangle
$iptables -t mangle -P PREROUTING DROP
$iptables -t mangle -P OUTPUT DROP
$iptables -t mangle -P INPUT DROP
$iptables -t mangle -P POSTROUTING DROP
echo "Definindo Policiamento ............................. [ OK ]"

####  Permitindo conexoes ja estabelecidas  ####
$iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#### Trafego LoopBack Aceito ####
$iptables -A INPUT -i lo -j ACCEPT

echo ">>>>>>>>>>>>>>>>>> Regras para usuarios <<<<<<<<<<<<<<<<<<"

#### Servidor SSH Rede > Internet ####
$iptables -t nat -A POSTROUTING -p tcp --dport 22 -o $internet -j MASQUERADE
$iptables -A FORWARD -p tcp -i $internet --sport 22 -j ACCEPT
$iptables -A FORWARD -p tcp -i $intranet --dport 22 -j ACCEPT
$iptables -t nat -A PREROUTING -i $internet -p tcp --dport 22 -j ACCEPT
$iptables -t nat -A PREROUTING -i $intranet -p tcp --dport 22 -j ACCEPT
$iptables -t mangle -A PREROUTING -p tcp -i $internet --sport 22 -j ACCEPT
$iptables -t mangle -A PREROUTING -p tcp -i $intranet --dport 22 -j ACCEPT
$iptables -t mangle -A POSTROUTING -p tcp -o $internet --dport 22 -j ACCEPT
$iptables -t mangle -A POSTROUTING -p tcp -o $intranet --sport 22 -j ACCEPT
echo "Servidor ssh Internet .............................. [ OK ]"

#### Acesso ssh Internet > Servidor ####
$iptables -A INPUT -p tcp --dport 22 -i $internet -j ACCEPT
$iptables -A OUTPUT -p tcp --sport 22 -o $internet -j ACCEPT
$iptables -t mangle -A PREROUTING -p tcp -i $internet --dport 22 -j ACCEPT
$iptables -t mangle -A INPUT -p tcp --dport 22 -i $internet -j ACCEPT
$iptables -t mangle -A OUTPUT -p tcp --sport 22 -o $internet -j ACCEPT
$iptables -t mangle -A POSTROUTING -p tcp -o $internet --sport 22 -j ACCEPT

#### Acesso ssh Servidor > Internet ####
$iptables -A INPUT -p tcp --sport 22 -i $internet -j ACCEPT
$iptables -A OUTPUT -p tcp --dport 22 -o $internet -j ACCEPT
$iptables -t mangle -A PREROUTING -p tcp -i $internet --sport 22 -j ACCEPT
$iptables -t mangle -A INPUT -p tcp --sport 22 -i $internet -j ACCEPT
$iptables -t mangle -A OUTPUT -p tcp --dport 22 -o $internet -j ACCEPT
$iptables -t mangle -A POSTROUTING -p tcp -o $internet --dport 22 -j ACCEPT

#### Servidor SSH Intranet ####
$iptables -A INPUT -i $intranet -p tcp --dport 22 -j ACCEPT
$iptables -A INPUT -i $intranet -p tcp --syn --dport 22 -j ACCEPT
$iptables -A INPUT -i $intranet -p tcp --dport 22 -j LOG --log-prefix "SSH INTRA: " 
$iptables -A OUTPUT -o $intranet -d $rede -p tcp --sport 22 -j ACCEPT
$iptables -t mangle -A INPUT -i $intranet -s $rede -p tcp --dport 22 -j ACCEPT
$iptables -t mangle -A INPUT -i $intranet -p tcp --syn --dport 22 -j ACCEPT
$iptables -t mangle -A OUTPUT -o $intranet -d $rede -p tcp --sport 22 -j ACCEPT
echo "Servidor ssh Intranet .............................. [ OK ]"

#### Compartilhamento de Internet ####
$iptables -t nat -A POSTROUTING -p tcp --dport 80 -o $internet -s 192.168.121.0/24 -j MASQUERADE
$iptables -A FORWARD -p tcp -i $internet --sport 80 -j ACCEPT
$iptables -A FORWARD -p tcp -i $intranet --dport 80 -j ACCEPT
$iptables -t mangle -A PREROUTING -p tcp -i $internet --sport 80 -j ACCEPT
$iptables -t mangle -A PREROUTING -p tcp -i $intranet --dport 80 -j ACCEPT
$iptables -t mangle -A POSTROUTING -p tcp -o $internet --dport 80 -j ACCEPT
$iptables -t mangle -A POSTROUTING -p tcp -o $intranet --sport 80 -j ACCEPT
$iptables -t nat -A PREROUTING -p tcp -i $internet --dport 80 -j ACCEPT
$iptables -t nat -A PREROUTING -p tcp -i $intranet --dport 80 -j ACCEPT
$iptables -t nat -A POSTROUTING -p tcp -o $internet --dport 80 -j ACCEPT
$iptables -t nat -A POSTROUTING -p tcp -o $intranet --sport 80 -j ACCEPT
$iptables -t nat -A OUTPUT -p tcp -o $internet --dport 80 -j ACCEPT
$iptables -t nat -A OUTPUT -p tcp -o $intranet --sport 80 -j ACCEPT
echo "Compartilhamento de Internet ....................... [ OK ]"

echo "<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"

#### Protecao contra SynFloods ####
$iptables -A FORWARD -p tcp --syn -m limit --limit 3/s -j ACCEPT
echo "Protecao contra SynFloods .......................... [ OK ]"

#### Protecao contra ping da morte ####
$iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT
echo "Protecao contra ping da morte ...................... [ OK ]"

#### Bloqueando pacotes fragmentados ####
$iptables -A INPUT -f -i $internet -j LOG --log-prefix "Fragmentos: "
$iptables -A INPUT -f -i $internet -j DROP
echo "Bloquando pacotes fragmentados ..................... [ OK ]"

#### Protecao contra ping flood ####
$iptables -A INPUT -p icmp -m limit --limit 1/s -j ACCEPT
echo "Protecao contra ping flood ......................... [ Ok ]"

#### Conexoes Locais ####
$iptables -t nat -A POSTROUTING -o lo -j ACCEPT

echo ""
echo "-------------======= Firewall  Ativado =======--------------"

Reply to:

Follow-Ups:
- Re: Default Policy = DROP. Help-me
  - From: Ansgar -59cobalt- Wiechers <lists@planetcobalt.net>
- Re: Default Policy = DROP. Help-me
  - From: Stefan Weilhartner <whylee@whylee.at>

Prev by Date: Re: iptables not working on Etch AMD64 (same rule works on Sarge i686)
Next by Date: Re: Default Policy = DROP. Help-me
Previous by thread: Re: iptables not working on Etch AMD64 (same rule works on Sarge i686)
Next by thread: Re: Default Policy = DROP. Help-me
Index(es):
- Date
- Thread