iptables firewall, help.
I'm trying to make a good firewall/gateway iptables script; this is what
I have so far, but I would love input and ideas, as well as some help
with a few features.
Below is the script I've put together so far; hopefully this post could
get a nice all-round firewall/gateway iptables script made for a home
LAN that doesn't require too much knowledge to set up.
I'm hoping to get it working for a 2.6.3+ kernel with all iptables
options enabled, without having to patch in any other stuff.
Features I'm looking for, that I would love help for:
* Send REJECT as default for non-opened ports rather than DROP.
* Logging mechanism for misc. attacks and portscans.
* Blocking of IP ranges.
* Parsing of a PeerGuardian file for easy blocking of IP ranges.
So far the script I've made (please correct any errors) supports:
* Opening ports with a simple FOR loop on a string (variable).
* Forwarding ports with a simple FOR loop on a string (variable).
* Denying IPs with a simple FOR loop on a string (variable).
Sincerely
Brian Schmidt
----- Firewall-iptables.sh -----
#!/bin/sh
# Executables
IPTABLES="/sbin/iptables"
# LAN configuration
LAN_IP="10.0.0.1"
LAN_IP_RANGE="10.0.0.0/24"
LAN_BCAST_ADDRESS="10.0.0.255"
LAN_IFACE="eth1"
# Internet configuration
INET_IP="1.2.3.4"
INET_IFACE="eth0"
# WorkStation configuration
WS_IP="10.0.0.2"
WS_MISC_RANGE="5200:5999"
# Notebook configuration
NB_IP="10.0.0.3"
NB_MISC_RANGE="6800:6999"
# Various ports
PROFTPD_PASSIVE_RANGE="49900:50000"
IRCD="6667:6669 7000"
# Ports to ACCEPT connections to from INET, syntax: "port port:range"
PORTS_ACCEPT="21 22 80 113 $WS_MISC_RANGE $NB_MISC_RANGE $PROFTPD_PASSIVE_RANGE"
# Ports to forward to LAN, syntax: "source_port>destination_ip,destination_port"
PORTS_FORWARD="$NB_MISC_RANGE>$NB_IP,$NB_MISC_RANGE $WS_MISC_RANGE>$WS_IP,$WS_MISC_RANGE"
# IPs to deny, both from LAN and INET, syntax: "10.0.0.5 192.168.10.32"
# (leave empty to deny nothing)
DENY_IPS=""
####
## Don't edit anything below here unless you know what you are doing. ##
# Name of our custom blockchain
BLOCKCHAIN="block"
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Default policies: traffic to the gateway itself is dropped unless a rule
# below accepts it; forwarded and outgoing traffic is allowed by default.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
# Flush chains
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -t filter -F
# Create our custom chain if it does not exist yet (-L fails when it is missing).
# Plain sh has no "&>", so redirect stdout and stderr separately.
$IPTABLES -L $BLOCKCHAIN -n > /dev/null 2>&1 || $IPTABLES -N $BLOCKCHAIN
# Allow local traffic
$IPTABLES -A INPUT -i lo -j ACCEPT
# Allow traffic on established connections
$IPTABLES -A $BLOCKCHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow connections coming from the LAN
$IPTABLES -A $BLOCKCHAIN -m state --state NEW -i $LAN_IFACE -j ACCEPT
# Deny connections from AND to specific IPs. INPUT only covers traffic to the
# gateway itself; FORWARD covers traffic routed between the LAN and INET.
for i in $DENY_IPS; do
    $IPTABLES -A INPUT -s $i -j DROP
    $IPTABLES -A INPUT -d $i -j DROP
    $IPTABLES -A FORWARD -s $i -j DROP
    $IPTABLES -A FORWARD -d $i -j DROP
done
# Activate source NAT for LAN traffic that leaves the LAN
$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -d "!" $LAN_IP_RANGE -j SNAT --to $INET_IP
# Log something. FIXME: Throttle how many log entries?
#$IPTABLES -A INPUT -p tcp -d $INET_IP --dport http -j ULOG --ulog-nlgroup 1
# Allow access to specific services from the Internet
for i in $PORTS_ACCEPT; do
    $IPTABLES -A INPUT -p tcp -d $INET_IP --dport $i -j ACCEPT
    $IPTABLES -A INPUT -p udp -d $INET_IP --dport $i -j ACCEPT
done
# Accept pings (ICMP type 8, echo-request), but throttle them to max 10
# packets per second to avoid flooding.
$IPTABLES -A INPUT -p icmp -d $INET_IP --icmp-type 8 -m limit --limit 10/s -j ACCEPT
# Ignore invalid packets
$IPTABLES -t mangle -A PREROUTING -m state --state INVALID -j DROP
# Attach our custom blockchain to INPUT and FORWARD chains
$IPTABLES -A INPUT -j $BLOCKCHAIN
$IPTABLES -A FORWARD -j $BLOCKCHAIN
# Optimize SSH for low delay and FTP for high throughput
$IPTABLES -t mangle -A PREROUTING -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --dport ftp -j TOS --set-tos Maximize-Throughput
# Forwards to machines on the LAN. Each entry is split into source port,
# destination IP and destination port on the '>' and ',' separators.
for i in $PORTS_FORWARD; do
    _SRC_PORT=`echo $i | awk -F '>' '{print $1}'`
    _DEST=`echo $i | awk -F '>' '{print $2}'`
    _DEST_IP=`echo $_DEST | awk -F ',' '{print $1}'`
    # DNAT writes port ranges as "low-high", unlike the "low:high" used by --dport
    _DEST_PORT=`echo $_DEST | awk -F ',' '{print $2}' | sed 's/:/-/'`
    $IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport $_SRC_PORT -j DNAT --to-destination $_DEST_IP:$_DEST_PORT
    $IPTABLES -t nat -A PREROUTING -p udp -d $INET_IP --dport $_SRC_PORT -j DNAT --to-destination $_DEST_IP:$_DEST_PORT
done
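For the "blocking of IP ranges" and "parsing of a PeerGuardian file" items on the wishlist, here is an added example (not part of Brian's script) that turns a PeerGuardian plaintext list into `iprange` DROP rules in a chain evaluated ahead of the ACCEPT rules. It assumes the common "p2p" list format of one `Description:first_ip-last_ip` per line, the `iprange` match being available in the kernel, a chain name of `ranges`, and the convention that setting `IPTABLES=echo` prints the commands instead of running them.

```shell
#!/bin/sh
# Added example, not part of the original post: build a chain of iprange DROP
# rules from a PeerGuardian "p2p" plaintext blocklist. Assumed list format:
# "Description:first_ip-last_ip" per line; '#' comments, blank lines and CRLF
# endings are tolerated. Run with IPTABLES=echo to preview without root.
IPTABLES="${IPTABLES:-/sbin/iptables}"
RANGECHAIN="ranges"
# True if $1 is a dotted quad with every field in 0..255. The body runs in a
# subshell so the IFS change used for splitting does not leak to the caller.
is_quad() (
    case "$1" in ''|*[!0-9.]*) return 1 ;; esac
    IFS=.; set -- $1                     # split on dots into $1..$n
    [ $# -eq 4 ] || return 1
    for f; do
        [ -n "$f" ] && [ "$f" -le 255 ] || return 1
    done
)

# Read a blocklist on stdin and print one iptables command per rule for the
# given chain, dropping traffic both from and to every listed range.
pg_to_rules() {
    chain="$1"
    tr -d '\r' | while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        range="${line##*:}"              # text after the last ':' is "a-b"
        first="${range%-*}"; last="${range#*-}"
        # Never hand an unparsed line to iptables: require "quad-quad".
        if [ "$first" = "$range" ] || ! is_quad "$first" || ! is_quad "$last"; then
            echo "pg_to_rules: skipping malformed line: $line" >&2
            continue
        fi
        echo "$IPTABLES -A $chain -m iprange --src-range $first-$last -j DROP"
        echo "$IPTABLES -A $chain -m iprange --dst-range $first-$last -j DROP"
    done
}

# Create the chain, fill it from the list file $1 and evaluate it first in
# INPUT and FORWARD, so listed ranges are checked before any ACCEPT rule.
install_ranges() {
    $IPTABLES -N "$RANGECHAIN" 2>/dev/null   # fails harmlessly if it exists
    $IPTABLES -F "$RANGECHAIN"
    pg_to_rules "$RANGECHAIN" < "$1" | sh
    $IPTABLES -I INPUT 1 -j "$RANGECHAIN"
    $IPTABLES -I FORWARD 1 -j "$RANGECHAIN"
}
# Constructed sample list (not a real PeerGuardian file) for a dry run.
if [ "$IPTABLES" = echo ]; then
    printf 'Example netblock:10.200.0.0-10.200.255.255\r\nno range here\n' | pg_to_rules "$RANGECHAIN"
fi
```

A dry run with `IPTABLES=echo sh ranges.sh` prints the two rules for the sample range and reports the malformed line on stderr; on the gateway, `install_ranges /path/to/list.p2p` loads the real list.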