Re: Iptables scripts
On Saturday 22 December 2001 1:26 am, Daniel Toffetti wrote:
> Hi all !
>
> I need to set up some simple (to start with) iptables rules for
> masquerading and port forwarding. I guess I need to write some init script,
> put it in /etc/init.d/ and link it from some /etc/rcX.d/ Can somebody
> please point me to some specific documentation and example scripts ??
>
> Thanks in advance !!
>
> Daniel
Here is a script I call firewall - it's stored in /etc/init.d and linked into
rcX.d directories using update-rc.d [Apologies for mail wrapping the script].
It's all commented - although a brief word of explanation. GPL refers to
"Grand Prix Legends", a car racing game with multiplayer support over the
internet. My internal network behind the firewall is 10.0.10.0/24 with the
firewall on 10.0.10.100 and the machine I "race" GPL on is 10.0.10.1. My
family use a machine on 10.0.10.2 - so some stuff for my daughter (Napster)
gets redirected there. Finally, a portable from work connects to my LAN and
I have set up dhcp to always allocate it (based on MAC address) the IP
address of 10.0.10.30.
===================================
#!/bin/sh
#
# firewall      This file sets up a firewall and port forwarding
#               It should be run before any external connection to
#               the internet is set-up
#
# from skeleton
#               written by Miquel van Smoorenburg <miquels@cistron.nl>.
#               Modified for Debian GNU/Linux
#               by Ian Murdock <imurdock@gnu.ai.mit.edu>.
#
# Version:      @(#)skeleton  1.8  03-Mar-1998  miquels@cistron.nl
#               firewall      1.2  16-Dec-2000  AKC
#                             1.3  29-Dec-2000  AKC to switch to iptables for kernel 2.4
#
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
DESC="Firewall"
NAME=firewall
#
# Change the following when ppp is no longer used (cable modem for instance)
#
INETIF=eth0

# Do nothing if iptables is not installed (searched on the PATH set above,
# which covers /sbin where Debian installs it)
command -v iptables >/dev/null 2>&1 || exit 0

set -e

flush_rules () {
    #
    # Start up ensuring that the tables are all empty
    # (ignoring any errors because there is nothing there yet - the
    # "|| true" is needed because "set -e" would otherwise abort the
    # script on the first chain that does not exist)
    #
    iptables -F INPUT 2>/dev/null || true
    iptables -F OUTPUT 2>/dev/null || true
    iptables -F FORWARD 2>/dev/null || true
    iptables -t nat -F PREROUTING 2>/dev/null || true
    iptables -t nat -F POSTROUTING 2>/dev/null || true
    iptables -t mangle -F OUTPUT 2>/dev/null || true
    iptables -F inet-in 2>/dev/null || true
    iptables -X inet-in 2>/dev/null || true
    iptables -F inet-fwd 2>/dev/null || true
    iptables -X inet-fwd 2>/dev/null || true
    iptables -F from-inet 2>/dev/null || true
    iptables -X from-inet 2>/dev/null || true
    iptables -F to-inet 2>/dev/null || true
    iptables -X to-inet 2>/dev/null || true
}

build_rules () {
    #
    # Route packets going out from here onto a new chain so that we can do
    # things with them (logging etc)
    #
    iptables -N to-inet
    #
    # Just want to count a few things
    #
    iptables -A to-inet -p tcp --dport www -j ACCEPT
    iptables -A to-inet -p tcp --dport pop3 -j ACCEPT
    iptables -A to-inet -p udp --dport domain -j ACCEPT
    iptables -A to-inet -p tcp --dport nntp -j ACCEPT
    iptables -A to-inet -p udp --dport 67:68 -j ACCEPT
    #
    # Prevent any netbios stuff leaking out from here
    #
    iptables -A to-inet -p tcp --dport netbios-ns:netbios-ssn -j LOG
    iptables -A to-inet -p tcp --dport netbios-ns:netbios-ssn -j DROP
    iptables -A to-inet -p udp --dport netbios-ns:netbios-ssn -j LOG
    iptables -A to-inet -p udp --dport netbios-ns:netbios-ssn -j DROP
    #
    # See what icmp stuff we send
    #
    # iptables -A to-inet -p icmp -j LOG
    #
    # Accept everything else
    #
    iptables -A to-inet -j ACCEPT
    #
    # Now make the connection to the chain
    #
    iptables -A OUTPUT -o $INETIF -j to-inet
    #
    # Common internet stuff
    #
    iptables -N from-inet
    #
    # Stuff already established is allowed
    #
    iptables -A from-inet -m state --state ESTABLISHED,RELATED -j ACCEPT
    #
    # Deal with ICMP packets
    #
    iptables -A from-inet -p icmp --icmp-type destination-unreachable -j ACCEPT
    iptables -A from-inet -p icmp --icmp-type source-quench -j ACCEPT
    iptables -A from-inet -p icmp --icmp-type time-exceeded -j ACCEPT
    iptables -A from-inet -p icmp --icmp-type parameter-problem -j ACCEPT
    #
    # Ignore pings
    #
    iptables -A from-inet -p icmp --icmp-type echo-request -j DROP
    #
    # Already accepted by related
    #
    iptables -A from-inet -p icmp --icmp-type echo-reply -j ACCEPT
    #
    # ftp-data started by mine (already accepted in related)
    #
    iptables -A from-inet -m state --state NEW -p tcp --dport ftp-data -j ACCEPT
    #
    # Socks probes should be dropped so that IRC does not think we are
    # screwing them
    #
    iptables -A from-inet -p tcp --dport socks -j DROP
    #
    # Drop these before logging them (just collecting them to see what they are)
    #
    iptables -A from-inet -p tcp --dport 1635 -j DROP
    iptables -A from-inet -p tcp --dport 1370 -j DROP
    #
    # Too many of these in the log - probably code red but easier to just ignore
    #
    iptables -A from-inet -p tcp --dport 80 -j DROP
    #
    # seem to get these during boot - I don't think they matter
    #
    iptables -A from-inet -p udp --dport 67:68 -j DROP
    #
    # log and drop the rest (except 192.168 stuff which we silently lose)
    #
    iptables -A from-inet -s 192.168.0.0/16 -j DROP
    iptables -A from-inet -j LOG
    iptables -A from-inet -j DROP
    #
    # Create a chain which protects the gateway itself
    #
    iptables -N inet-in
    #
    # Allow DNS stuff
    #
    iptables -A inet-in -p udp --dport domain -j ACCEPT
    iptables -A inet-in -p tcp --dport domain -j ACCEPT
    #
    # Allow connections to my ssh port
    #
    iptables -A inet-in -m state --state NEW -p tcp --dport ssh -j ACCEPT
    iptables -A inet-in -p udp --dport ssh -j ACCEPT
    #
    # Allow boot stuff so I can configure interface
    #
    iptables -A inet-in -p udp --dport 67:68 -j ACCEPT
    #
    # Do common stuff
    #
    iptables -A inet-in -j from-inet
    #
    # Create chain for forwarded stuff from the Internet
    #
    iptables -N inet-fwd
    #
    # Following is for GPL and WinVROC and must be forwarded on
    #
    iptables -A inet-fwd -p udp --dport 32766:32786 -j ACCEPT
    iptables -A inet-fwd -p udp --dport 6970:6971 -j ACCEPT
    # to see them separately
    iptables -A inet-fwd -p udp --dport 6969 -j ACCEPT
    iptables -A inet-fwd -p tcp --dport auth -j ACCEPT
    #
    # allow Secure Remote stuff into my portable
    #
    iptables -A inet-fwd -p udp --dport 259 -j ACCEPT
    #
    # Allow NAPSTER stuff through
    #
    iptables -A inet-fwd -p tcp --dport 6690:6700 -j ACCEPT
    iptables -A inet-fwd -p tcp --dport 4983 -j ACCEPT
    #
    # Do common stuff
    #
    iptables -A inet-fwd -j from-inet
    #
    # Link new chains in
    #
    iptables -A INPUT -i $INETIF -j inet-in
    # doesn't work
    # iptables -A FORWARD -m unclean -j LOG
    iptables -A FORWARD -i $INETIF -j inet-fwd
    #
    # need to MASQUERADE outgoing stuff
    #
    iptables -t nat -A POSTROUTING -s 10.0.10.0/24 -o $INETIF -j MASQUERADE
    #
    # Stuff coming in for GPL and WinVROC needs destination changing
    #
    iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 32766:32786 -j DNAT --to-destination 10.0.10.1
    iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6970:6971 -j DNAT --to-destination 10.0.10.1
    # separate out to see if used
    iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6969 -j DNAT --to-destination 10.0.10.1
    iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport auth -j DNAT --to-destination 10.0.10.1
    #
    # This should be the secure remote traffic for my portable
    #
    iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 259 -j DNAT --to-destination 10.0.10.30
    #
    # Forward Napster connections to that machine.
    #
    iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport 6690:6700 -j DNAT --to-destination 10.0.10.2
    iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport 4983 -j DNAT --to-destination 10.0.10.2
    #
    # I want to mangle outgoing packets so that I can
    # take maximum benefit of different types of connection
    # in terms of priority
    #
    iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport www -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport ftp -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport ftp-data -j TOS --set-tos Maximize-Throughput
    iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport smtp -j TOS --set-tos Maximize-Reliability
    iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport pop3 -j TOS --set-tos Maximize-Reliability
    iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport nntp -j TOS --set-tos Minimize-Cost
    iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport domain -j TOS --set-tos Maximize-Reliability
    iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport domain -j TOS --set-tos Maximize-Reliability
    #
    # Following is for GPL and should be sent fast
    #
    iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport 32766:32786 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport 6970:6971 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A OUTPUT -o $INETIF -p udp --sport 32766:32786 -j TOS --set-tos Minimize-Delay
    iptables -t mangle -A OUTPUT -o $INETIF -p udp --sport 6970:6971 -j TOS --set-tos Minimize-Delay
}

case "$1" in
  start)
    echo -n "Starting $DESC: "
    build_rules
    echo "Done."
    ;;
  stop)
    echo -n "Stopping $DESC: "
    flush_rules
    echo "Done."
    ;;
  restart|reload|force-reload)
    echo -n "Restarting $DESC: "
    flush_rules
    build_rules
    echo "Done."
    ;;
  *)
    N=/etc/init.d/$NAME
    echo "Usage: $N {start|stop|restart|reload|force-reload}" >&2
    # echo "Usage: $N {start|stop|restart|force-reload}" >&2
    exit 1
    ;;
esac

exit 0
-- 
Alan - alan@chandlerfamily.org.uk
http://www.chandlerfamily.org.uk
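Every port forward in Alan's script is really two rules that have to agree: a nat/PREROUTING DNAT that rewrites the destination, and an ACCEPT in the inet-fwd chain that lets the rewritten packet through FORWARD (otherwise the from-inet chain at the end of inet-fwd logs and drops it). Writing them by hand in two places is how the pairs drift apart when a port changes. The following is an added example, not part of the original post or the script: a forward_port helper that emits both rules from one line per forward, reusing the post's interface variable and hosts. It runs as a dry run by default (IPT is "echo iptables", so the commands are printed instead of applied); setting IPT=iptables and running as root applies them. The -d match on the FORWARD rule is an addition the original rules do not have; it ties the accept to the DNAT target so a forwarded port cannot be reached on any other LAN host.

```shell
#!/bin/sh
# Added example (not from the original post). Generates the DNAT + FORWARD
# rule pair for each port forward from a single table so the two never drift.
# IPT defaults to a dry run that prints the iptables commands; set
# IPT=iptables (as root) to apply them. INETIF is the post's external interface.
IPT="${IPT:-echo iptables}"
INETIF="${INETIF:-eth0}"

# forward_port PROTO PORTSPEC DEST
#   PROTO    tcp or udp
#   PORTSPEC a single port/service name or a low:high range
#   DEST     the LAN host the traffic is redirected to
# Emits the nat/PREROUTING DNAT rule and the matching inet-fwd ACCEPT rule.
# Returns 1 without emitting anything if PROTO is not tcp or udp.
forward_port() {
    proto=$1
    ports=$2
    dest=$3
    case "$proto" in
        tcp|udp) ;;
        *) echo "forward_port: protocol must be tcp or udp, got '$proto'" >&2
           return 1 ;;
    esac
    # 1. Rewrite the destination address as the packet arrives on the
    #    external interface.
    $IPT -t nat -A PREROUTING -i "$INETIF" -p "$proto" --dport "$ports" \
        -j DNAT --to-destination "$dest"
    # 2. Allow the rewritten packet through the forwarding chain. Matching
    #    on the DNAT target (-d) keeps this accept from covering any other
    #    LAN host on the same port.
    $IPT -A inet-fwd -p "$proto" -d "$dest" --dport "$ports" -j ACCEPT
}

# The forwards from the post, one line each (GPL/WinVROC to 10.0.10.1,
# Secure Remote to the portable on 10.0.10.30, Napster to 10.0.10.2).
all_forwards() {
    forward_port udp 32766:32786 10.0.10.1
    forward_port udp 6970:6971   10.0.10.1
    forward_port udp 6969        10.0.10.1
    forward_port tcp auth        10.0.10.1
    forward_port udp 259         10.0.10.30
    forward_port tcp 6690:6700   10.0.10.2
    forward_port tcp 4983        10.0.10.2
}

# Stand-alone run: print (or apply) the whole table.
all_forwards
```

In the dry run each call prints exactly two iptables commands, which makes it easy to diff the generated rule set against what `iptables -t nat -L PREROUTING -n` and `iptables -L inet-fwd -n` show on the running gateway. The inet-fwd chain still has to exist and be linked from FORWARD as in the post's build_rules before these accepts do anything.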