
Re: iptables firewall, help.



Brian,

You might like to take a look at www.shorewall.net. It helped me when I
was at a similar stage as it seems you may be.

Another idea is to join debian-firewall@lists.debian.org.

John



On Tue, 2004-03-02 at 17:53, Brian Schmidt wrote:
> I'm trying to make a good firewall/gateway iptables script. This is what 
> I have so far, but I would love input and ideas, as well as some help 
> with a few features.
> Below is the script I've put together so far; hopefully this post could 
> get a nice all-round firewall/gateway iptables script made for a home 
> LAN that doesn't require too much knowledge to set up.
> I'm hoping to get it working for a 2.6.3+ kernel with all iptables 
> options enabled, without having to patch in any other stuff.
> 
> Features I'm looking for, that I would love help with:
> * Send REJECT as default for non-opened ports rather than DROP.
> * Logging mechanism for misc. attacks and portscans.
> * Blocking of IP ranges.
> * Parsing of a PeerGuardian file for easy blocking of IP ranges.
> 
> So far the script I've made (please correct any errors) supports:
> * Opening ports with a simple FOR loop on a string (variable).
> * Forwarding ports with a simple FOR loop on a string (variable).
> * Denying IPs with a simple FOR loop on a string (variable).
> 
> Sincerely
> 
> Brian Schmidt
> 
> 
> ----- Firewall-iptables.sh -----
> #!/bin/sh
> 
> # Executables
> IPTABLES="/sbin/iptables"
> 
> # LAN configuration
> LAN_IP="10.0.0.1"
> LAN_IP_RANGE="10.0.0.0/24"
> LAN_BCAST_ADDRESS="10.0.0.255"
> LAN_IFACE="eth1"
> 
> # Internet configuration
> INET_IP="1.2.3.4"
> INET_IFACE="eth0"
> 
> # WorkStation configuration
> WS_IP="10.0.0.2"
> WS_MISC_RANGE="5200:5999"
> 
> # Notebook configuration
> NB_IP="10.0.0.3"
> NB_MISC_RANGE="6800:6999"
> 
> # Various ports
> PROFTPD_PASSIVE_RANGE="49900:50000"
> IRCD="6667:6669 7000"
> 
> # Ports to ACCEPT connections to from INET, syntax: "port port:range"
> PORTS_ACCEPT="21 22 80 113 $WS_MISC_RANGE $NB_MISC_RANGE $PROFTPD_PASSIVE_RANGE"
> 
> # Ports to forward to LAN, syntax: "source_port>destination_ip,destination_port"
> PORTS_FORWARD="$NB_MISC_RANGE>$NB_IP,$NB_MISC_RANGE $WS_MISC_RANGE>$WS_IP,$WS_MISC_RANGE"
> 
> # IPs to deny, both from LAN and INET, syntax: "10.0.0.5 192.168.10.32"
> #DENY_IPS=""
> 
> ####
> ##  Don't edit anything below here unless you know what you are doing. ##
> 
> # Name of our custom block chain
> BLOCKCHAIN="block"
> 
> # Enable routing between the interfaces and reverse-path filtering
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
> 
> # Default policies
> $IPTABLES -P INPUT DROP
> $IPTABLES -P FORWARD ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
> 
> # Flush chains (-F empties the custom chain but does not delete it)
> $IPTABLES -F
> $IPTABLES -t nat -F
> $IPTABLES -t mangle -F
> $IPTABLES -t filter -F
> 
> # Check to see if our custom block chain exists, if not create it
> # (plain sh has no "&>", so stdout and stderr are redirected separately)
> $IPTABLES -L $BLOCKCHAIN 2> /dev/null | grep target > /dev/null
> if [ $? = 1 ]; then
>      $IPTABLES -N $BLOCKCHAIN
> fi
> 
> # Allow local traffic
> $IPTABLES -A INPUT -i lo -j ACCEPT
> 
> # Allow traffic on established connections
> $IPTABLES -A $BLOCKCHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
> 
> # Allow connections coming from the LAN
> $IPTABLES -A $BLOCKCHAIN -m state --state NEW -i $LAN_IFACE -j ACCEPT
> 
> # Deny connections from AND to specific IPs
> for i in $DENY_IPS; do
>      $IPTABLES -A INPUT -s $i -j DROP
>      $IPTABLES -A INPUT -d $i -j DROP
> done
> 
> # Activate source NAT for LAN traffic leaving for the Internet
> $IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -d "!" $LAN_IP_RANGE -j SNAT --to $INET_IP
> 
> # Log something. FIXME: Throttle how many log entries?
> #$IPTABLES -A INPUT -p tcp -d $INET_IP --dport http -j ULOG --ulog-nlgroup 1
> 
> # Allow access to specific services from the Internet
> for i in $PORTS_ACCEPT; do
>      $IPTABLES -A INPUT -p tcp -d $INET_IP --dport $i -j ACCEPT
>      $IPTABLES -A INPUT -p udp -d $INET_IP --dport $i -j ACCEPT
> done
> 
> # Accept pings, but throttle them to max 10 packets per second, to avoid flooding.
> $IPTABLES -A INPUT -p icmp -d $INET_IP --icmp-type 8 -m limit --limit 10/s -j ACCEPT
> 
> # Ignore invalid packets
> $IPTABLES -t mangle -A PREROUTING -m state --state INVALID -j DROP
> 
> # Attach our custom block chain to INPUT and FORWARD chains
> $IPTABLES -A INPUT -j $BLOCKCHAIN
> $IPTABLES -A FORWARD -j $BLOCKCHAIN
> 
> # Optimize SSH for low delay and FTP for high throughput
> $IPTABLES -t mangle -A PREROUTING -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
> $IPTABLES -t mangle -A PREROUTING -p tcp --dport ftp -j TOS --set-tos Maximize-Throughput
> 
> # Forwards to machines on the LAN
> # Each entry is "src_port>dest_ip,dest_port". A port range is written a:b
> # for --dport but a-b for --to-destination, hence the sed.
> for i in $PORTS_FORWARD; do
>      _SRC_PORT=`echo $i | awk -F '>' '{print $1}'`
>      _DEST=`echo $i | awk -F '>' '{print $2}'`
>      _DEST_IP=`echo $_DEST | awk -F ',' '{print $1}'`
>      _DEST_PORT=`echo $_DEST | awk -F ',' '{print $2}' | sed 's/:/-/'`
> 
>      $IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport $_SRC_PORT -j DNAT --to-destination $_DEST_IP:$_DEST_PORT
>      $IPTABLES -t nat -A PREROUTING -p udp -d $INET_IP --dport $_SRC_PORT -j DNAT --to-destination $_DEST_IP:$_DEST_PORT
> done
> 
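An added example (not Brian's script and not from shorewall) of the three features his wish list asks for: a REJECT tail with throttled logging for closed ports, and IP-range blocking read from a PeerGuardian-style p2p list. The `name:first-last` line format, the function names, the log prefix and the `FW_APPLY` switch are assumptions; the rules hook into a custom chain named `block`, as in his script.

```shell
#!/bin/sh
# Added example, not part of Brian's script: REJECT instead of silent DROP,
# throttled logging, and IP-range blocking from a PeerGuardian-style p2p
# list. Assumes a 2.6 kernel with the limit and iprange matches and the
# LOG and REJECT targets available.
IPTABLES="${IPTABLES:-/sbin/iptables}"   # IPTABLES=echo gives a dry run
BLOCKCHAIN="${BLOCKCHAIN:-block}"

# Turn one p2p line ("Some Net:10.20.0.0-10.20.255.255") into "first-last".
# Blank and "#" lines give an empty result; any other malformed line fails.
p2p_range() {
    case "$1" in ''|'#'*) echo ""; return 0 ;; esac
    range=${1##*:}
    case "$range" in
        [0-9]*.[0-9]*.[0-9]*.[0-9]*-[0-9]*.[0-9]*.[0-9]*.[0-9]*) echo "$range" ;;
        *) echo ""; return 1 ;;
    esac
}

# Drop traffic from and to every range listed in the file given as $1.
# The rules go into the custom chain, so they apply to INPUT and FORWARD.
block_p2p_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        range=$(p2p_range "$line") || { echo "skipping bad line: $line" >&2; continue; }
        [ -n "$range" ] || continue
        $IPTABLES -A "$BLOCKCHAIN" -m iprange --src-range "$range" -j DROP
        $IPTABLES -A "$BLOCKCHAIN" -m iprange --dst-range "$range" -j DROP
    done < "$1"
}

# Final INPUT rules: log new attempts at a rate a port scan cannot exceed,
# then answer with a reset/unreachable instead of letting the client time out.
# Append these after all ACCEPT rules; the DROP policy still catches the rest.
reject_tail() {
    $IPTABLES -A INPUT -m state --state NEW -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "fw-reject: " --log-level info
    $IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPTABLES -A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
    $IPTABLES -A INPUT -j REJECT --reject-with icmp-proto-unreachable
}

# Real usage: FW_APPLY=1 sh firewall-extras.sh /path/to/list.p2p
if [ "${FW_APPLY:-0}" = 1 ]; then
    block_p2p_file "$1"
    reject_tail
fi
```

Run it with `IPTABLES=echo` first to review the generated rules before applying them.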


