
Re: my debian does not read my own iptables script



Hi,

I have rewritten your script as follows.

1. Ensure there is nothing like SELinux running on your machine.
2. Telnet is not recommended since it transmits in plain text, including your password. Use SSH instead.
3. ICMP message control, source address spoofing and logging are not included in the script.
4. I prefer that the route set-up is done through rc.local instead of the firewall script, and the default gateway should be defined in /etc/network/interfaces.
5. I have not tested the script.

Kinglok, FONG.

----------------------------------Start------------------------------------------
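#!/bin/bash
#
# Stateful gateway firewall: the LAN sits behind $LAN_INTERFACE, the Internet
# is reached through $INET_INTERFACE.  The default policy of INPUT, OUTPUT and
# FORWARD is DROP; only the services listed under "Open needed ports" are
# accepted, and new SSH connections arriving from the Internet are DNATed to
# the LAN SSH server ($LAN_SSH).
#
# Usage:  firewall.sh        load the rules
#         firewall.sh stop   flush every rule and leave the host unfiltered
#
# Must run as root (writes /proc/sys and calls iptables).
set -u   # a misspelled variable name becomes an error instead of an empty argument

###############################################################
# Adding default gateway
# NOTE(review): this is the same address as INET_ADDR below; confirm it is the
# ISP router and not this host's own address.  The route is better defined in
# /etc/network/interfaces than in the firewall script.
/sbin/route add default gateway 202.155.0.1

###############################################################
# Initialize some parameter
INET_INTERFACE="eth5"
LAN_INTERFACE="eth2"
LOOPBACK_INTERFACE="lo"

IPT="/sbin/iptables"
INET_ADDR="202.155.0.1"
LAN_ADDR="192.168.23.2"
LAN_SSH="192.168.23.20"   # SSH server in LAN
LAN_ADDRESSES="192.168.23.0/24"  # LAN Addresses range
LAN_DNS=""    # Please specify your DNS server in LAN (while empty, no DNS is forwarded from the Internet into the LAN)

FTPPORT="21"
SSHPORT="22"
TELNETPORT="23"
DNSPORT="53"
UNPRIVPORTS="1024:65535"  # unprivileged port range

###############################################################
# Enable connection tracking for FTP
# (needed so the FTP data connection is matched as RELATED below)

/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp

###############################################################
# Initialization
# Each loop writes the same value into the per-interface setting of every
# interface; "$f" is quoted so the redirection target is always one word.

# Enable IP forwarding since it is disabled by default
echo 1 > /proc/sys/net/ipv4/ip_forward

# Enable broadcast echo Protection (default: 1)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets (default: 0)
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
   echo 0 > "$f"
done

# Enable TCP SYN Cookie Protection (default: 1)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance (default: 0)
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
   echo 0 > "$f"
done

# Do not send Redirect Messages (default: 0)
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
   echo 0 > "$f"
done

# Drop Spoofed Packets coming in on an interface, which if replied to, would
# result in the reply going out a different interface. (default: 1)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
   echo 1 > "$f"
done

# Logging of packets with impossible addresses is switched OFF here (write 1
# to enable it); logging is deliberately left out of this script.
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
   echo 0 > "$f"
done

###############################################################
# Remove any existing rules from all chains
# The policies are reset to ACCEPT first so that "stop" really leaves the host
# open; the DROP policies are set again further down for a normal start.
"$IPT" --flush
"$IPT" -t nat --flush
"$IPT" -t mangle --flush
"$IPT" -X
"$IPT" -t nat -X
"$IPT" -t mangle -X
"$IPT" --policy INPUT ACCEPT
"$IPT" --policy OUTPUT ACCEPT
"$IPT" --policy FORWARD ACCEPT
"$IPT" -t nat --policy PREROUTING ACCEPT
"$IPT" -t nat --policy OUTPUT ACCEPT
"$IPT" -t nat --policy POSTROUTING ACCEPT
"$IPT" -t mangle --policy PREROUTING ACCEPT
"$IPT" -t mangle --policy OUTPUT ACCEPT
if [[ "${1:-}" == "stop" ]]; then
  echo "Firewall completely stopped! WARNING: THIS HOST HAS NO FIREWALL RUNNING."
  exit 0
fi

# Unlimited traffic on the loopback interface
"$IPT" -A INPUT  -i "$LOOPBACK_INTERFACE" -j ACCEPT
"$IPT" -A OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT

# Set the default policy to drop
"$IPT" --policy INPUT   DROP
"$IPT" --policy OUTPUT  DROP
"$IPT" --policy FORWARD DROP

###############################################################
# NAT rules
# Opening port 23 (telnet) to internet is not recommended, open port 22 for
# SSH instead.  New SSH connections from the Internet to this host's public
# address are redirected to the LAN SSH server; the FORWARD chain below must
# also accept them.
"$IPT" -t nat -A PREROUTING -p tcp -i "$INET_INTERFACE" --sport "$UNPRIVPORTS" \
  -d "$INET_ADDR" --dport "$SSHPORT" -j DNAT --to-destination "$LAN_SSH"

# There is no need for NAT inside LAN
#$IPT -t nat -I PREROUTING -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -d 192.168.23.2 --dport 23 -j DNAT --to-destination 192.168.23.20:23

# NAT rules for Reaching Internet Space
# TCP and UDP from the LAN are rewritten to the public address.  Which of it
# actually leaves is still decided by the FORWARD chain (policy DROP).
for proto in tcp udp; do
  "$IPT" -t nat -A POSTROUTING -p "$proto" -o "$INET_INTERFACE" -s "$LAN_ADDRESSES" \
    -j SNAT --to-source "$INET_ADDR"
done
# There is no need for NAT to reach other addresses situated in LAN
#$IPT -t nat -A POSTROUTING -p tcp -o $LAN_INTERFACE -d $LAN_ADDRESSES -j SNAT --to-source 192.168.23.2

# It is not recommended to allow all icmp messages
#$IPT -t nat -I POSTROUTING -p icmp -o $INET_INTERFACE -d 0/0 -j SNAT --to-source 202.155.0.1
#$IPT -t nat -I POSTROUTING -p icmp -o $LAN_INTERFACE -d $LAN_ADDRESSES -j SNAT --to-source 192.168.23.2

###############################################################
# Using Connection State to By-pass Rule Checking
"$IPT" -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

###############################################################
# Open needed ports
# Every rule below only matches NEW connections; replies are handled by the
# ESTABLISHED,RELATED rules above.  One iptables invocation per line.

# Ping: answer echo-request from the LAN only.
"$IPT" -A INPUT -i "$LAN_INTERFACE" -s "$LAN_ADDRESSES" -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
#$IPT -A INPUT -i $INET_INTERFACE -s 0/0 -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT # Not recommended

"$IPT" -A OUTPUT -o "$LAN_INTERFACE" -d "$LAN_ADDRESSES" -p icmp --icmp-type echo-reply -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$INET_INTERFACE" -p icmp --icmp-type echo-reply -m state --state NEW -j ACCEPT

# Services this host offers to the LAN: FTP, SSH, telnet and DNS.
"$IPT" -A INPUT -i "$LAN_INTERFACE" -p tcp --dport "$FTPPORT"    -m state --state NEW -j ACCEPT
"$IPT" -A INPUT -i "$LAN_INTERFACE" -p tcp --dport "$SSHPORT"    -m state --state NEW -j ACCEPT
"$IPT" -A INPUT -i "$LAN_INTERFACE" -p tcp --dport "$TELNETPORT" -m state --state NEW -j ACCEPT
"$IPT" -A INPUT -i "$LAN_INTERFACE" -p udp --dport "$DNSPORT"    -m state --state NEW -j ACCEPT

# Services this host offers to the Internet: FTP, SSH and DNS (no telnet).
# NOTE(review): SSH from the Internet is normally DNATed to $LAN_SSH by the
# PREROUTING rule above; this INPUT rule only matters for packets that rule
# does not match (e.g. a privileged source port).
"$IPT" -A INPUT -i "$INET_INTERFACE" -p tcp --dport "$FTPPORT" -m state --state NEW -j ACCEPT
"$IPT" -A INPUT -i "$INET_INTERFACE" -p tcp --dport "$SSHPORT" -m state --state NEW -j ACCEPT
# $IPT -A INPUT -i $INET_INTERFACE -p tcp --dport 23 -j ACCEPT # Not recommended
"$IPT" -A INPUT -i "$INET_INTERFACE" -p udp --dport "$DNSPORT" -m state --state NEW -j ACCEPT

# Connections this host may open towards the LAN (telnet client allowed).
"$IPT" -A OUTPUT -o "$LAN_INTERFACE" -p tcp --dport "$FTPPORT"    -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$LAN_INTERFACE" -p tcp --dport "$SSHPORT"    -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$LAN_INTERFACE" -p tcp --dport "$TELNETPORT" -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$LAN_INTERFACE" -p udp --dport "$DNSPORT"    -m state --state NEW -j ACCEPT

# Connections this host may open towards the Internet.
"$IPT" -A OUTPUT -o "$INET_INTERFACE" -p tcp --dport "$FTPPORT"    -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$INET_INTERFACE" -p tcp --dport "$SSHPORT"    -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$INET_INTERFACE" -p tcp --dport "$TELNETPORT" -m state --state NEW -j ACCEPT
"$IPT" -A OUTPUT -o "$INET_INTERFACE" -p udp --dport "$DNSPORT"    -m state --state NEW -j ACCEPT

# LAN -> Internet: what LAN hosts may open through the gateway.
# DNS is forwarded over UDP as well as TCP, matching the INPUT/OUTPUT rules.
"$IPT" -A FORWARD -p tcp -i "$LAN_INTERFACE" -s "$LAN_ADDRESSES" -o "$INET_INTERFACE" --dport "$FTPPORT"    -m state --state NEW -j ACCEPT
"$IPT" -A FORWARD -p tcp -i "$LAN_INTERFACE" -s "$LAN_ADDRESSES" -o "$INET_INTERFACE" --dport "$SSHPORT"    -m state --state NEW -j ACCEPT
"$IPT" -A FORWARD -p tcp -i "$LAN_INTERFACE" -s "$LAN_ADDRESSES" -o "$INET_INTERFACE" --dport "$TELNETPORT" -m state --state NEW -j ACCEPT
for proto in tcp udp; do
  "$IPT" -A FORWARD -p "$proto" -i "$LAN_INTERFACE" -s "$LAN_ADDRESSES" -o "$INET_INTERFACE" --dport "$DNSPORT" -m state --state NEW -j ACCEPT
done

# Internet -> LAN: only FTP to the LAN, SSH to the SSH server (after DNAT) and
# DNS to the LAN DNS server.  A rule may carry only one -d, so the single host
# is used where one is known.
"$IPT" -A FORWARD -p tcp -i "$INET_INTERFACE" -o "$LAN_INTERFACE" -d "$LAN_ADDRESSES" --dport "$FTPPORT" -m state --state NEW -j ACCEPT
"$IPT" -A FORWARD -p tcp -i "$INET_INTERFACE" -o "$LAN_INTERFACE" -d "$LAN_SSH"       --dport "$SSHPORT" -m state --state NEW -j ACCEPT
# $IPT -A FORWARD -p tcp -i $INET_INTERFACE -s 0/0 -o $LAN_INTERFACE -d $LAN_ADDRESSES --dport 23 -m state --state NEW -j ACCEPT # Not recommended
if [[ -n "$LAN_DNS" ]]; then
  for proto in tcp udp; do
    "$IPT" -A FORWARD -p "$proto" -i "$INET_INTERFACE" -o "$LAN_INTERFACE" -d "$LAN_DNS" --dport "$DNSPORT" -m state --state NEW -j ACCEPT
  done
else
  # An empty LAN_DNS would otherwise expand to nothing and break the rule.
  echo "LAN_DNS is not set: DNS from the Internet is not forwarded into the LAN" >&2
fi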

-------------------------------------------------End-------------------------------------------

----- Original Message ----- From: "Patrik Hasibuan" <patrikhasibuan@ymail.com>
To: <debian-firewall@lists.debian.org>
Sent: Wednesday, January 28, 2009 3:36 PM
Subject: my debian does not read my own iptables script


Dear my friends,

I am building a firewall with Debian Sarge on my internet gateway. But it looks like my debian does not read my iptables script after I run my own iptables script.

This is the result of the firewall on my debian-box. '192.168.23.0' is the subnet of my internal LAN. eth2 faces my internal LAN whose IP '192.168.23.2' and eth5 faces my ISP whose IP '202.155.0.1':
==
nmap 192.168.23.2

Starting Nmap 4.20 ( http://insecure.org ) at 2009-01-28 15:12 WIT
Interesting ports on 192.168.23.2:
Not shown: 1692 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
25/tcp  open  smtp
111/tcp open  rpcbind
113/tcp open  auth
515/tcp open  printer

Nmap finished: 1 IP address (1 host up) scanned in 13.029 seconds
==
nmap 202.155.0.1

Starting Nmap 4.20 ( http://insecure.org ) at 2009-01-28 15:12 WIT
Interesting ports on 202.155.0.1:
Not shown: 1693 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
111/tcp open  rpcbind
113/tcp open  auth
515/tcp open  printer

Nmap finished: 1 IP address (1 host up) scanned in 14.010 seconds
==
I haven't opened rpcbind, auth or printer. And 21, 23 and 53 are not opened by my iptables. Where is the mistake? Please tell me. I am new to debian and iptables. Usually I use OpenSuSE and SuSEfirewall2 and I configure the firewall with YaST2 so easily. But now I want to get close to debian too. And I am stuck on this case.
==
here is my script
==
#!/bin/bash
# Original poster's script, kept as posted.  Why the nmap scans above still
# show 22, 25, 111, 113 and 515 open:
#  - "iptables -F" only deletes rules; the built-in chains keep their current
#    policy (ACCEPT unless something else changed it).  No DROP policy is ever
#    set here, so every port that is not listed stays reachable.
#  - "-I" inserts at the top of the chain, so each rule lands above the ones
#    added before it; the LOG rules inserted first end up at the bottom.
#  - Port 23 (telnet) is opened towards the Internet and telnet carries
#    credentials in clear text.
#  - Several lines were joined by the mail client; they are restored to one
#    iptables invocation per line below (joined, the shell would pass the text
#    "iptables -I ..." as extra arguments to the first command).
#Zero...zero...from beginning
iptables -F

# NOTE(review): 202.155.0.1 is also this host's own eth5 address according to
# the message above; confirm it is the ISP router.
route add default gateway 202.155.0.1

#Log....them
# Inserted first, so later "-I" rules push these to the end of each chain.
iptables -I INPUT -j LOG
iptables -I OUTPUT -j LOG
iptables -I FORWARD -j LOG

#Open needed ports
# No -m state here: every matching packet is accepted regardless of
# connection state.
iptables -I INPUT -i eth2 -s 192.168.23.0/24 -p icmp --icmp-type echo-request -j ACCEPT
iptables -I INPUT -i eth5 -s 0/0 -p icmp --icmp-type echo-request -j ACCEPT
iptables -I OUTPUT -o eth2 -d 192.168.23.0/24 -p icmp --icmp-type echo-reply -j ACCEPT
iptables -I OUTPUT -o eth5 -d 0/0 -p icmp --icmp-type echo-reply -j ACCEPT

# Services accepted on the LAN side (eth2).
iptables -I INPUT -i eth2 -p tcp --dport 21 -j ACCEPT
iptables -I INPUT -i eth2 -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -i eth2 -p tcp --dport 23 -j ACCEPT
iptables -I INPUT -i eth2 -p udp --dport 53 -j ACCEPT

# Services accepted on the Internet side (eth5); 23 is telnet.
iptables -I INPUT -i eth5 -p tcp --dport 21 -j ACCEPT
iptables -I INPUT -i eth5 -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -i eth5 -p tcp --dport 23 -j ACCEPT
iptables -I INPUT -i eth5 -p udp --dport 53 -j ACCEPT

iptables -I OUTPUT -o eth2 -p tcp --dport 21 -j ACCEPT
iptables -I OUTPUT -o eth2 -p tcp --dport 22 -j ACCEPT
iptables -I OUTPUT -o eth2 -p tcp --dport 23 -j ACCEPT
iptables -I OUTPUT -o eth2 -p udp --dport 53 -j ACCEPT

iptables -I OUTPUT -o eth5 -p tcp --dport 21 -j ACCEPT
iptables -I OUTPUT -o eth5 -p tcp --dport 22 -j ACCEPT
iptables -I OUTPUT -o eth5 -p tcp --dport 23 -j ACCEPT
iptables -I OUTPUT -o eth5 -p udp --dport 53 -j ACCEPT

# LAN -> Internet forwarding.  Note that DNS (53) is forwarded as tcp only,
# while the INPUT/OUTPUT rules above use udp for it.
iptables -I FORWARD -p tcp -i eth2 -s 192.168.23.0/24 -o eth5 -d 0/0 --dport 21 -j ACCEPT
iptables -I FORWARD -p tcp -i eth2 -s 192.168.23.0/24 -o eth5 -d 0/0 --dport 22 -j ACCEPT
iptables -I FORWARD -p tcp -i eth2 -s 192.168.23.0/24 -o eth5 -d 0/0 --dport 23 -j ACCEPT
iptables -I FORWARD -p tcp -i eth2 -s 192.168.23.0/24 -o eth5 -d 0/0 --dport 53 -j ACCEPT

# Internet -> LAN forwarding, to any LAN host.
iptables -I FORWARD -p tcp -i eth5 -s 0/0 -o eth2 -d 192.168.23.0/24 --dport 21 -j ACCEPT
iptables -I FORWARD -p tcp -i eth5 -s 0/0 -o eth2 -d 192.168.23.0/24 --dport 22 -j ACCEPT
iptables -I FORWARD -p tcp -i eth5 -s 0/0 -o eth2 -d 192.168.23.0/24 --dport 23 -j ACCEPT
iptables -I FORWARD -p tcp -i eth5 -s 0/0 -o eth2 -d 192.168.23.0/24 --dport 53 -j ACCEPT

# Source NAT for icmp and tcp only; udp (DNS) from the LAN is not rewritten.
iptables -t nat -I POSTROUTING -p icmp -o eth5 -d 0/0 -j SNAT --to-source 202.155.0.1
iptables -t nat -I POSTROUTING -p icmp -o eth2 -d 192.168.23.0/24 -j SNAT --to-source 192.168.23.2

iptables -t nat -I POSTROUTING -p tcp -o eth5 -d 0/0 -j SNAT --to-source 202.155.0.1
iptables -t nat -I POSTROUTING -p tcp -o eth2 -d 192.168.23.0/24 -j SNAT --to-source 192.168.23.2

# Telnet from the Internet and from the LAN is redirected to 192.168.23.20.
iptables -t nat -I PREROUTING -p tcp -i eth5 -s 0/0 -d 202.155.0.1 --dport 23 -j DNAT --to-destination 192.168.23.20:23
iptables -t nat -I PREROUTING -p tcp -i eth2 -s 192.168.23.0/24 -d 192.168.23.2 --dport 23 -j DNAT --to-destination 192.168.23.20:23





