
iptables firewall, help.



I'm trying to make a good firewall/gateway iptables script. This is what I have so far, but I would love input and ideas, as well as some help with a few features. Below is the script I've put together so far; hopefully this post could get a nice all-round firewall/gateway iptables script made for a home LAN that doesn't require too much knowledge to set up. I'm hoping to get it working for a 2.6.3+ kernel with all iptables options enabled, without having to patch in any other stuff.

Features I'm looking for, that I would love help for:
* Send REJECT as default for non-opened ports rather than DROP.
* Logging mechanism of misc. attacks and portscans.
* Blocking of IP ranges
* Parsing of PeerGuardian file for easy blocking of IP ranges.

So far the script I've made (please correct any errors) supports:
* Opening ports with a simple FOR loop on a string (variable).
* Forwarding ports with a simple FOR loop on a string (variable).
* Denying IPs with a simple FOR loop on a string (variable).

Sincerely

Brian Schmidt


----- Firewall-iptables.sh -----
#!/bin/sh

# Executables
IPTABLES="/sbin/iptables"

# LAN configuration
LAN_IP="10.0.0.1"
LAN_IP_RANGE="10.0.0.0/24"
LAN_BCAST_ADDRESS="10.0.0.255"
LAN_IFACE="eth1"

# Internet configuration
INET_IP="1.2.3.4"
INET_IFACE="eth0"

# WorkStation configuration
WS_IP="10.0.0.2"
WS_MISC_RANGE="5200:5999"

# Notebook configuration
NB_IP="10.0.0.3"
NB_MISC_RANGE="6800:6999"

# Various ports
PROFTPD_PASSIVE_RANGE="49900:50000"
IRCD="6667:6669 7000"

# Ports to ACCEPT connections to from INET, syntax: "port port:range"
PORTS_ACCEPT="21 22 80 113 $WS_MISC_RANGE $NB_MISC_RANGE $PROFTPD_PASSIVE_RANGE"

# Ports to forward to LAN, syntax: "source_port>destination_ip,destination_port"
PORTS_FORWARD="$NB_MISC_RANGE>$NB_IP,$NB_MISC_RANGE $WS_MISC_RANGE>$WS_IP,$WS_MISC_RANGE"

# IPs to deny, both from LAN and INET, syntax: "10.0.0.5 192.168.10.32"
# (left empty by default so the loop below has a defined variable to iterate over)
DENY_IPS=""

####
##  Don't edit anything below here unless you know what you are doing. ##

# Name of our custom blockchain
BLOCKCHAIN="block"

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Flush chains
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -t filter -F

# Check to see if our custom blockchain exists, if not create it.
# iptables -L exits non-zero for an unknown chain; -n avoids reverse DNS lookups.
# (The original used "&>", which is a bash-ism and not valid in /bin/sh.)
$IPTABLES -L $BLOCKCHAIN -n >/dev/null 2>&1
if [ $? -ne 0 ]; then
    $IPTABLES -N $BLOCKCHAIN
fi

# Allow local traffic
$IPTABLES -A INPUT -i lo -j ACCEPT

# Allow traffic on established connections
$IPTABLES -A $BLOCKCHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow connections coming from the LAN
$IPTABLES -A $BLOCKCHAIN -m state --state NEW -i $LAN_IFACE -j ACCEPT

# Deny connections from AND to specific IP's
for i in $DENY_IPS; do
    $IPTABLES -A INPUT -s $i -j DROP
    $IPTABLES -A INPUT -d $i -j DROP
done

# Activate source NAT
$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -d "!" $LAN_IP_RANGE -j SNAT --to $INET_IP

# Log something. FIXME: Throttle how many log entries?
#$IPTABLES -A INPUT -p tcp -d $INET_IP --dport http -j ULOG --ulog-nlgroup 1

# Allow access to specific services from the Internet
for i in $PORTS_ACCEPT; do
    $IPTABLES -A INPUT -p tcp -d $INET_IP --dport $i -j ACCEPT
    $IPTABLES -A INPUT -p udp -d $INET_IP --dport $i -j ACCEPT
done

# Accept pings, but throttle it to max 10 packets per second, to avoid flooding.
$IPTABLES -A INPUT -p icmp -d $INET_IP --icmp-type 8 -m limit --limit 10/s -j ACCEPT

# Ignore invalid packets
$IPTABLES -t mangle -A PREROUTING -m state --state INVALID -j DROP

# Attach our custom blockchain to INPUT and FORWARD chains
$IPTABLES -A INPUT -j $BLOCKCHAIN
$IPTABLES -A FORWARD -j $BLOCKCHAIN

# Optimize SSH for low delay and FTP for high throughput
$IPTABLES -t mangle -A PREROUTING -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --dport ftp -j TOS --set-tos Maximize-Throughput

# Forwards to machines on the LAN
# Each entry is "src_port>dest_ip,dest_port"; DNAT wants port ranges as "a-b",
# so the ":" in a range is rewritten to "-" for the --to-destination argument.
for i in $PORTS_FORWARD; do
    _SRC_PORT=`echo $i | awk -F '>' '{print $1}'`
    _DEST=`echo $i | awk -F '>' '{print $2}'`
    _DEST_IP=`echo $_DEST | awk -F ',' '{print $1}'`
    _DEST_PORT=`echo $_DEST | awk -F ',' '{print $2}' | sed 's/:/-/'`

    $IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport $_SRC_PORT -j DNAT --to-destination $_DEST_IP:$_DEST_PORT
    $IPTABLES -t nat -A PREROUTING -p udp -d $INET_IP --dport $_SRC_PORT -j DNAT --to-destination $_DEST_IP:$_DEST_PORT
done
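The four features asked for at the top of the post (REJECT instead of DROP for closed ports, logging of scan-like traffic, blocking of IP ranges, and parsing a PeerGuardian list) can be added as a small rule generator. The following is an added example, not code from the original post: each function prints the iptables command rather than executing it, so the output can be reviewed and then piped into sh as root. The interface name, the chain name `block_ranges`, the log prefix and the embedded `.p2p` sample are all assumptions made for the example; a real PeerGuardian file would be read from disk instead.

```shell
#!/bin/sh
# Added example (not from the original post). Generates iptables rules for:
#   - REJECT instead of DROP for ports that are not open
#   - rate-limited logging of stealth-scan style TCP packets
#   - blocking of IP ranges via the iprange match (ipt_iprange)
#   - parsing PeerGuardian .p2p lines ("label:first-last") into ranges
# Everything is printed, not run, so it can be reviewed first.

IPTABLES="/sbin/iptables"
INET_IFACE="eth0"            # assumed Internet-facing interface
RANGE_CHAIN="block_ranges"   # assumed name for the range-blocking chain
LOG_PREFIX="FW-DROP: "

# Constructed sample in PeerGuardian .p2p format; not a real blocklist.
P2P_SAMPLE='# comment line
Example range A:10.10.0.0-10.10.255.255
Example range B:192.0.2.1-192.0.2.100

Malformed line without a range'

# Reduce one .p2p line to "first-last". Comment lines, blank lines and lines
# without a trailing dotted range produce no output at all.
p2p_line_to_range() {
    printf '%s\n' "$1" | sed -n 's/^[^#].*:\([0-9.]*-[0-9.]*\)$/\1/p'
}

# Read .p2p text on stdin and emit one DROP rule per direction per range.
# Lines that do not parse are silently skipped rather than producing a
# half-formed rule.
p2p_block_rules() {
    while IFS= read -r line; do
        range=$(p2p_line_to_range "$line")
        [ -n "$range" ] || continue
        echo "$IPTABLES -A $RANGE_CHAIN -m iprange --src-range $range -j DROP"
        echo "$IPTABLES -A $RANGE_CHAIN -m iprange --dst-range $range -j DROP"
    done
}

# Create the range chain and hook it in front of INPUT and FORWARD, so blocked
# ranges are refused before any ACCEPT rule can match.
range_chain_setup() {
    echo "$IPTABLES -N $RANGE_CHAIN"
    echo "$IPTABLES -I INPUT 1 -j $RANGE_CHAIN"
    echo "$IPTABLES -I FORWARD 1 -j $RANGE_CHAIN"
}

# Log (rate-limited) TCP packets that start a NEW connection without SYN, or
# carry the NULL / all-flags combinations. Normal clients never send these,
# so the log lines are a cheap indicator of port scanning.
scan_log_rules() {
    lim="-m limit --limit 5/min --limit-burst 10"
    echo "$IPTABLES -A INPUT -i $INET_IFACE -p tcp ! --syn -m state --state NEW $lim -j LOG --log-prefix \"${LOG_PREFIX}nosyn \""
    echo "$IPTABLES -A INPUT -i $INET_IFACE -p tcp --tcp-flags ALL NONE $lim -j LOG --log-prefix \"${LOG_PREFIX}null \""
    echo "$IPTABLES -A INPUT -i $INET_IFACE -p tcp --tcp-flags ALL ALL $lim -j LOG --log-prefix \"${LOG_PREFIX}xmas \""
    echo "$IPTABLES -A INPUT -i $INET_IFACE -p tcp ! --syn -m state --state NEW -j DROP"
}

# Final INPUT rules: log what is about to be refused (rate-limited so a flood
# cannot fill the disk), then answer with a protocol-appropriate REJECT so a
# closed port looks closed instead of filtered.
closing_rules() {
    echo "$IPTABLES -A INPUT -i $INET_IFACE -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix \"$LOG_PREFIX\""
    echo "$IPTABLES -A INPUT -i $INET_IFACE -p tcp -j REJECT --reject-with tcp-reset"
    echo "$IPTABLES -A INPUT -i $INET_IFACE -p udp -j REJECT --reject-with icmp-port-unreachable"
    echo "$IPTABLES -A INPUT -i $INET_IFACE -j REJECT"
}

generate_all() {
    range_chain_setup
    printf '%s\n' "$P2P_SAMPLE" | p2p_block_rules
    scan_log_rules
    closing_rules
}

# Usage:  sh fw-extras.sh print        (review the rules)
#         sh fw-extras.sh print | sh   (apply them, as root)
if [ "${1:-}" = "print" ]; then
    generate_all
fi
```

Ordering matters when merging this into the script above: `closing_rules` must be appended after the `-A INPUT -j $BLOCKCHAIN` line, because the ESTABLISHED,RELATED accept lives in the `block` chain and anything appended before that jump would reject replies to the gateway's own connections. The range chain is inserted at position 1 on purpose, so a listed range is dropped even if one of its addresses would otherwise hit an ACCEPT rule.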


