* jeff (jmr71769@earthlink.net) [011120 22:24]:
> dearest debian maniacs,
>
> here's my current simple ipchains firewall for my box that runs no services:
> --------------------------------------------------
> # Interface to Internet
> EXTIF=ppp+
>
> ANY=0.0.0.0/0
>
> ipchains -P input ACCEPT
> ipchains -P output ACCEPT
> ipchains -P forward DENY
>
> ipchains -F forward
> ipchains -F input
> ipchains -F output
>
> # Deny TCP and UDP packets to privileged ports
> ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p udp -j DENY
> ipchains -A input -l -i $EXTIF -d $ANY 0:1023 -p tcp -j DENY
>
> # Deny TCP connection attempts
> ipchains -A input -l -i $EXTIF -p tcp -y -j DENY
>
> # Deny ICMP echo-requests
> ipchains -A input -l -i $EXTIF -s $ANY echo-request -p icmp -j DENY
>
> # Do masquerading
> ipchains -A forward -j MASQ
> echo 1 > /proc/sys/net/ipv4/ip_forward
> --------------------------------------------------
>
> could you help me convert this to iptables?

I can try...

EXTIF=ppp+

iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F
iptables -X

# user-defined chain: log the packet, then drop it
iptables -N logndrop
iptables -A logndrop -j LOG
iptables -A logndrop -j DROP

# Deny TCP and UDP packets to privileged ports
iptables -A INPUT -i $EXTIF -p udp --dport 0:1023 -j logndrop
iptables -A INPUT -i $EXTIF -p tcp --dport 0:1023 -j logndrop

# Deny TCP connection attempts
iptables -A INPUT -i $EXTIF -p tcp -m state --state NEW -j logndrop

# Deny ICMP echo-requests
iptables -A INPUT -i $EXTIF -p icmp --icmp-type echo-request -j logndrop

# Do masquerading
iptables -t nat -A POSTROUTING -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

The above is entirely untested; I just tried to convert what you had to iptables syntax. You should note that the system has changed quite a bit, and there are better ways to do a lot of things now. For instance, the INPUT chain now refers only to locally-destined packets.
Similarly, the OUTPUT chain only deals with locally-generated packets. I also changed your FORWARD policy to ACCEPT to keep things mostly the same as your original setup.

Here's how I'd prefer to see you set this up under iptables, though:

EXTIF=ppp+
INTIF=eth0
LOCALNET=192.168.0.0/27

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD

# allow incoming packets that are part of established outbound
# connections. This includes icmp packets necessary for good operation
# (i.e. fragmentation-needed) and convenience (pong and time-exceeded) but
# only as "replies" -- inbound pings, etc. will be dropped.
iptables -A INPUT -j ACCEPT -i $EXTIF -s ! $LOCALNET \
  -m state --state ESTABLISHED,RELATED

# Do masquerading
iptables -t nat -A POSTROUTING -j MASQUERADE

# allow the forwarded traffic to pass
iptables -A FORWARD -j ACCEPT -i $INTIF -o $EXTIF \
  -s $LOCALNET -d ! $LOCALNET
# return traffic leaves on $INTIF, so it is matched with -o here
# (iptables refuses a rule that gives -i twice)
iptables -A FORWARD -j ACCEPT -i $EXTIF -o $INTIF \
  -s ! $LOCALNET -d $LOCALNET \
  -m state --state ESTABLISHED,RELATED

# let everyone know ident is closed (speeds up some mail connections)
iptables -A INPUT -j REJECT --reject-with tcp-reset \
  -i $EXTIF -s ! $LOCALNET -p tcp --dport ident

# set packets to be logged before being DROPped by policy
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG

As you can see, connection tracking makes everything beautiful =) This way you get the recommended drop-by-default filter set up and it's very easy to allow your return traffic (i.e. no more checking for SYNs, privileged ports, pings, etc. explicitly).

The setup I gave here is untested (just made it off the top of my head) so please give it a good inspection before employing it. (Hopefully someone else on the list will point out if I made an egregious blunder.) Feel free to ask any follow-up questions about it, or why I chose to do certain things here (and why it wasn't necessary to do others).
good times,
Vineet
--
Satan laughs when          # "I disapprove of what you say, but I will
we kill each other.        # defend to the death your right to say it."
Peace is the only way.     # --Beatrice Hall, The Friends of Voltaire, 1906
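As an added illustration (not part of the mail above or of iptables itself), the Python model below walks packets through the drop-by-default ruleset the way netfilter does: a locally destined packet sees only INPUT, a transit packet only FORWARD, and the conntrack state decides whether return traffic gets in. Assumed: interface names ppp0/eth0 standing in for ppp+/eth0, firewall addresses 203.0.113.5 and 192.168.0.1, the conntrack state supplied as a packet field, and the return-traffic FORWARD rule read as -i $EXTIF -o $INTIF.

```python
import ipaddress

# Constructed stand-ins for the mail's variables (assumed, not from the mail).
LOCALNET = ipaddress.ip_network("192.168.0.0/27")
EXTIF, INTIF = "ppp0", "eth0"
FIREWALL_IPS = {"192.168.0.1", "203.0.113.5"}   # assumed eth0 / ppp0 addresses

def local(ip):
    return ipaddress.ip_address(ip) in LOCALNET

# Rules in the order the mail adds them; a rule is (predicate, verdict).
INPUT_RULES = [
    # -A INPUT -j ACCEPT -i $EXTIF -s ! $LOCALNET -m state --state ESTABLISHED,RELATED
    (lambda p: p["in"] == EXTIF and not local(p["src"])
               and p["state"] in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    # -A INPUT -j REJECT --reject-with tcp-reset -i $EXTIF -s ! $LOCALNET -p tcp --dport ident
    (lambda p: p["in"] == EXTIF and not local(p["src"])
               and p["proto"] == "tcp" and p.get("dport") == 113, "REJECT"),
]
FORWARD_RULES = [
    # -A FORWARD -j ACCEPT -i $INTIF -o $EXTIF -s $LOCALNET -d ! $LOCALNET
    (lambda p: p["in"] == INTIF and p["out"] == EXTIF
               and local(p["src"]) and not local(p["dst"]), "ACCEPT"),
    # -A FORWARD -j ACCEPT -i $EXTIF -o $INTIF -s ! $LOCALNET -d $LOCALNET
    #   -m state --state ESTABLISHED,RELATED
    (lambda p: p["in"] == EXTIF and p["out"] == INTIF
               and not local(p["src"]) and local(p["dst"])
               and p["state"] in ("ESTABLISHED", "RELATED"), "ACCEPT"),
]
CHAINS = {"INPUT": (INPUT_RULES, "DROP"), "FORWARD": (FORWARD_RULES, "DROP")}

def walk(chain, pkt):
    """Return (verdict, logged): the first matching terminating rule wins;
    otherwise the trailing '-j LOG' fires and the chain policy decides."""
    rules, policy = CHAINS[chain]
    for matches, verdict in rules:
        if matches(pkt):
            return verdict, False
    return policy, True

def classify(pkt):
    """Pick the chain as the netfilter hooks do: packets addressed to the box
    traverse INPUT only, transit packets FORWARD only (ipchains' 'input'
    chain saw both). Returns (chain, verdict, logged)."""
    chain = "INPUT" if pkt["dst"] in FIREWALL_IPS else "FORWARD"
    return (chain,) + walk(chain, pkt)

if __name__ == "__main__":
    probe = {"in": EXTIF, "out": None, "src": "198.51.100.7", "dst": "203.0.113.5",
             "proto": "tcp", "dport": 22, "state": "NEW"}
    print(classify(probe))   # ('INPUT', 'DROP', True)
```

The SYN, privileged-port and ping checks of the ipchains version never appear: every unsolicited packet from the outside falls through to the logged DROP policy, while replies are admitted by state alone.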