
IRLP radio node and iptable firewall rules review





Greetings all:

A friend and fellow ham worked on creating a set of iptable rules for IRLP use 
behind a Gnu/Linux firewall.  He is a FreeBSD guru, but took time to learn 
iptables for this adventure today into the IRLP zone.  The reason for this 
post is to encourage review of this script for security/usability purposes 
and request feedback.  It is also intended to help others who may also want 
to put an IRLP behind a Gnu/Linux firewall by making this post searchable via 
a Google search (debian-user).

Here's what is needed for IRLP to function behind a firewall:
* UDP ports 2074-2093 bidirectional to IRLP computer
* TCP ports 15425-15427 bidirectional to IRLP computer
* special port-forward of port 3522 to IRLP computer on port 22 (SSH)
(I conjured port 3522 out of thin air, did not want to change what port my 
firewall listened to, nor change the port the IRLP computer listened to)

I assigned the IRLP node a static IP of 192.168.10.25 and added that IP to my 
hosts file in my firewall computer.

So far, the node is working better than it has before with hardware firewalls.  
Further, we can now trace all packets with tcpdump--something we couldn't do 
with the hardware firewall.

My original goal was to come up with three lines of iptables 
commands--something like an add-on module to existing rules:
- one iptables command to forward the TCP ports to 192.168.10.25 from 
192.168.10.1 firewall
- one iptables command to forward the UDP ports to 192.168.10.25 from 
192.168.10.1 firewall
- one iptables command to route port 3522 directly to 192.168.10.25 on port 22 
(for SSH)
I would still love to achieve this.  I recall doing something like this for an 
Internet game at one point many moons ago.

Again, if you could review the script, I would be most appreciative.

Thank you.  73

-- 

Wishing you well.

Jaye Inabnit, ke6sls   (A fortunate GNU/Linux user)
Questions, especially really dumb questions, can reveal the oblivious.
Free software isn't about money, it's about freedom. Please Support GNU!
#!/bin/bash

#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*
# /usr/local/sbin/firewall
# -by Andrius Ilgunas kg6jui
#
# This is a script that will get a machine running irlp as a node on
# the internet from behind a linux box running iptables.
#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#* 


#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*
#
# A few notes:
#
# Please, by no means should you take this script and run it, thinking
# that you have a good firewall and forget about it.  This is just
# a basic script to get irlp working through iptables.   
#
# This has only been tested on Linux 2.4.18 running iptables v1.2.6a
#
#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*#*

##
# where's the iptables binary?
##
IPT="/sbin/iptables"

###
# Lock everyone out while we reset the rules.
###
$IPT -P INPUT   DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT  DROP
$IPT -t nat -P PREROUTING  DROP
$IPT -t nat -P POSTROUTING DROP
$IPT -t nat -P OUTPUT      DROP

##
# Flush existing tables.
##
$IPT -F -t filter
$IPT -F -t nat

##
# Your external interface
##
OUT_IF="eth0"

##
# The internal IP address that's hosting irlp.
##
IN_HOST="192.168.10.25"

##
# List the port ranges that need to stay open for irlp
##
TCP_PORT_RANGE=15425:15427
UDP_PORT_RANGE=2074:2093

##
# Leave this port open for ssh connections. This is not necessary, 
# but useful.
##
TCP_LISTENING_PORT=3522

##
# Start masquerading on the external interface
##
$IPT -t nat -A POSTROUTING -o $OUT_IF -j MASQUERADE

##
# Start port forwarding on the incoming traffic. 
##
$IPT -t nat -I PREROUTING 1 -i $OUT_IF -p tcp --dport $TCP_PORT_RANGE -j DNAT --to-destination $IN_HOST
$IPT -t nat -I PREROUTING 1 -i $OUT_IF -p udp --dport $UDP_PORT_RANGE -j DNAT --to-destination $IN_HOST
$IPT -t nat -I PREROUTING 1 -i $OUT_IF -p tcp --dport $TCP_LISTENING_PORT -j DNAT --to-destination $IN_HOST:22

##
# ... and allow packets that come in on those ports.  DNAT in PREROUTING
# runs before FORWARD, so the ssh packets reach this chain already
# rewritten to $IN_HOST port 22; a FORWARD rule matching on
# $TCP_LISTENING_PORT (3522) would never hit, so match on 22 here.
##
$IPT -I FORWARD 1 -p tcp -i $OUT_IF --dport $TCP_PORT_RANGE -d $IN_HOST -j ACCEPT
$IPT -I FORWARD 1 -p udp -i $OUT_IF --dport $UDP_PORT_RANGE -d $IN_HOST -j ACCEPT
$IPT -I FORWARD 1 -p tcp -i $OUT_IF --dport 22 -d $IN_HOST -j ACCEPT

###
# Reset policies.  Note: once FORWARD is back at ACCEPT, the three FORWARD
# rules above no longer restrict anything, since every packet is forwarded
# anyway.  They only act as a filter if FORWARD is left at DROP, which
# then also needs a rule accepting ESTABLISHED,RELATED traffic so that
# replies to the node's own outbound connections get through.
###
$IPT -P INPUT   ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT  ACCEPT
$IPT -t nat -P PREROUTING  ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT      ACCEPT



##
# eot
##
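As an added example (not the script from the post, nor anything from the IRLP project), here is the three-line DNAT add-on the poster was after, together with the FORWARD rules it needs so the forward policy can stay at DROP. It assumes a hypothetical `ipt` wrapper and a `DRY_RUN` switch that prints the rules instead of applying them; the interface, addresses and ports are the ones given in the post.

```shell
#!/bin/bash
# Added example, not the script from the post.  The nat side is the three
# lines the poster asked for; the filter side is what makes them a real
# restriction when the FORWARD policy is DROP instead of ACCEPT.
OUT_IF="${OUT_IF:-eth0}"
IN_HOST="${IN_HOST:-192.168.10.25}"
TCP_PORT_RANGE="15425:15427"
UDP_PORT_RANGE="2074:2093"
SSH_EXT_PORT="3522"          # external port mapped to IN_HOST:22

# Hypothetical wrapper: with DRY_RUN set, print the rule instead of applying it
# (useful for review, and for running without root).
ipt() {
    if [ -n "${DRY_RUN:-}" ]; then echo "iptables $*"; else /sbin/iptables "$@"; fi
}

irlp_rules() {
    # nat table: one DNAT line per service.  The ssh entry rewrites the
    # destination port, so from here on the packet is addressed to :22.
    ipt -t nat -A PREROUTING -i "$OUT_IF" -p tcp --dport "$TCP_PORT_RANGE" -j DNAT --to-destination "$IN_HOST"
    ipt -t nat -A PREROUTING -i "$OUT_IF" -p udp --dport "$UDP_PORT_RANGE" -j DNAT --to-destination "$IN_HOST"
    ipt -t nat -A PREROUTING -i "$OUT_IF" -p tcp --dport "$SSH_EXT_PORT" -j DNAT --to-destination "$IN_HOST:22"
    # filter table: replies to established flows first, then only the NEW
    # connections that were DNATed above.  FORWARD sees the post-DNAT packet,
    # so the ssh rule matches port 22, not 3522.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$OUT_IF" -d "$IN_HOST" -p tcp --dport "$TCP_PORT_RANGE" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$OUT_IF" -d "$IN_HOST" -p udp --dport "$UDP_PORT_RANGE" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$OUT_IF" -d "$IN_HOST" -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

# Usage: ./irlp-rules.sh show   (print the rules)
#        ./irlp-rules.sh apply  (apply them; needs root and FORWARD policy DROP)
case "${1:-}" in
    show)  DRY_RUN=1; irlp_rules ;;
    apply) irlp_rules ;;
esac
```

The script assumes MASQUERADE on the external interface is already set up by the main firewall script, as in the posted one.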