Re: iptables firewall, help.
Brian,
You might like to take a look at www.shorewall.net. It helped me when I
was at a similar stage as it seems you may be.
Another idea is to join debian-firewall@lists.debian.org.
John
On Tue, 2004-03-02 at 17:53, Brian Schmidt wrote:
> I'm trying to make a good firewall/gateway iptables script, this is what
> I have so far but I would love input and ideas, as well as some help
> with a few features.
> Below is the script I've put together so far, hopefully this post could
> get a nice all-round firewall/gateway iptables script made for a home
> LAN, that doesn't require too much knowledge of setting up.
> I'm hoping to get it working for a 2.6.3+ kernel with all iptables
> options enabled, without having to patch in any other stuff.
>
> Features I'm looking for, that I would love help for:
> * Send REJECT as default for non-opened ports rather than DROP.
> * Logging mechanism of misc. attacks and portscans.
> * Blocking of IP ranges
> * Parsing of PeerGuardian file for easy blocking of IPranges.
>
> So far the script I've made (please correct any errors) supports:
> * Opening ports with a simple FOR loop on a string (variable).
> * Forwarding ports with a simple FOR loop on a string (variable).
> * Denying IP's with a simple FOR loop on a string (variable).
>
> Sincerely
>
> Brian Schmidt
>
>
> ----- Firewall-iptables.sh -----
> #!/bin/sh
>
> # Executables
> IPTABLES="/sbin/iptables"
>
> # LAN configuration
> LAN_IP="10.0.0.1"
> LAN_IP_RANGE="10.0.0.0/24"
> LAN_BCAST_ADDRESS="10.0.0.255"
> LAN_IFACE="eth1"
>
> # Internet configuration
> INET_IP="1.2.3.4"
> INET_IFACE="eth0"
>
> # WorkStation configuration
> WS_IP="10.0.0.2"
> WS_MISC_RANGE="5200:5999"
>
> # Notebook configuration
> NB_IP="10.0.0.3"
> NB_MISC_RANGE="6800:6999"
>
> # Various ports
> PROFTPD_PASSIVE_RANGE="49900:50000"
> IRCD="6667:6669 7000"
>
> # Ports to ACCEPT connections to from INET, syntax: "port port:range"
> PORTS_ACCEPT="21 22 80 113 $WS_MISC_RANGE $NB_MISC_RANGE $PROFTPD_PASSIVE_RANGE"
>
> # Ports to forward to LAN, syntax: "source_port>destination_ip,destination_port"
> PORTS_FORWARD="$NB_MISC_RANGE>$NB_IP,$NB_MISC_RANGE $WS_MISC_RANGE>$WS_IP,$WS_MISC_RANGE"
>
> # IP's to deny, both from LAN and INET, syntax: "10.0.0.5 192.168.10.32"
> DENY_IPS=""
>
> ####
> ## Don't edit anything below here unless you know what you are doing. ##
>
> # Name of our custom blockchain
> BLOCKCHAIN="block"
>
> # Enable routing between the interfaces and reverse-path filtering
> echo 1 > /proc/sys/net/ipv4/ip_forward
> echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
>
> # Default policies
> $IPTABLES -P INPUT DROP
> $IPTABLES -P FORWARD ACCEPT
> $IPTABLES -P OUTPUT ACCEPT
>
> # Flush all chains in every table (-F without -t is the filter table)
> $IPTABLES -F
> $IPTABLES -t nat -F
> $IPTABLES -t mangle -F
>
> # Create our custom blockchain if it does not exist yet. "-L" fails on an
> # unknown chain, so no bash-only "&>" redirection is needed under /bin/sh.
> if ! $IPTABLES -L $BLOCKCHAIN >/dev/null 2>&1; then
>     $IPTABLES -N $BLOCKCHAIN
> fi
>
> # Allow local traffic
> $IPTABLES -A INPUT -i lo -j ACCEPT
>
> # Allow traffic on established connections
> $IPTABLES -A $BLOCKCHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> # Allow new connections coming from the LAN
> $IPTABLES -A $BLOCKCHAIN -m state --state NEW -i $LAN_IFACE -j ACCEPT
>
> # Deny connections from AND to specific IP's. INPUT only ever sees the
> # source side, so the destination side has to be matched in FORWARD and
> # OUTPUT.
> for i in $DENY_IPS; do
>     $IPTABLES -A INPUT -s $i -j DROP
>     $IPTABLES -A FORWARD -s $i -j DROP
>     $IPTABLES -A FORWARD -d $i -j DROP
>     $IPTABLES -A OUTPUT -d $i -j DROP
> done
>
> # Activate source NAT for LAN traffic that leaves for the Internet
> $IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -d "!" $LAN_IP_RANGE -j SNAT --to $INET_IP
>
> # Log something. FIXME: Throttle how many log entries?
> #$IPTABLES -A INPUT -p tcp -d $INET_IP --dport http -j ULOG --ulog-nlgroup 1
>
> # Allow access to specific services from the Internet
> for i in $PORTS_ACCEPT; do
>     $IPTABLES -A INPUT -p tcp -d $INET_IP --dport $i -j ACCEPT
>     $IPTABLES -A INPUT -p udp -d $INET_IP --dport $i -j ACCEPT
> done
>
> # Accept pings, but throttle them to max 10 packets per second, to avoid flooding.
> $IPTABLES -A INPUT -p icmp -d $INET_IP --icmp-type 8 -m limit --limit 10/s -j ACCEPT
>
> # Ignore invalid packets
> $IPTABLES -t mangle -A PREROUTING -m state --state INVALID -j DROP
>
> # Attach our custom blockchain to INPUT and FORWARD chains
> $IPTABLES -A INPUT -j $BLOCKCHAIN
> $IPTABLES -A FORWARD -j $BLOCKCHAIN
>
> # Optimize SSH for low delay and FTP for high throughput
> $IPTABLES -t mangle -A PREROUTING -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
> $IPTABLES -t mangle -A PREROUTING -p tcp --dport ftp -j TOS --set-tos Maximize-Throughput
>
> # Forwards to machines on the LAN. Each entry is "src_port>dest_ip,dest_port";
> # DNAT writes a port range as "low-high", hence the sed on the colon.
> for i in $PORTS_FORWARD; do
>     _SRC_PORT=`echo $i | awk -F '>' '{print $1}'`
>     _DEST=`echo $i | awk -F '>' '{print $2}'`
>     _DEST_IP=`echo $_DEST | awk -F ',' '{print $1}'`
>     _DEST_PORT=`echo $_DEST | awk -F ',' '{print $2}' | sed 's/:/-/'`
>
>     $IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport $_SRC_PORT -j DNAT --to-destination $_DEST_IP:$_DEST_PORT
>     $IPTABLES -t nat -A PREROUTING -p udp -d $INET_IP --dport $_SRC_PORT -j DNAT --to-destination $_DEST_IP:$_DEST_PORT
> done
>
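An added example, not part of John's reply and not Brian's script, showing how three of the features Brian asks for (REJECT instead of a silent DROP for closed ports, rate-limited logging so the log cannot be flooded, and blocking of IP ranges read from a PeerGuardian list) can be done with the iptables modules that ship with a 2.6 kernel. Assumptions: PeerGuardian's plain-text "p2p" list format with one range per line as "Description:first_ip-last_ip", and an iptables with the LOG, REJECT, limit and iprange modules available. With DRY_RUN=1 (the default) the functions print the iptables commands instead of running them, so the generated rules can be reviewed before they touch a live firewall; the sample list is constructed for the example.

```shell
#!/bin/sh
# Example code, not from Brian's script or John's reply. Assumes PeerGuardian's
# "p2p" text format ("Description:first_ip-last_ip", one per line) and iptables
# with the LOG, REJECT, limit and iprange modules. DRY_RUN=1 prints commands.

DRY_RUN="${DRY_RUN:-1}"
IPTABLES="/sbin/iptables"

# Print or execute one iptables command, depending on DRY_RUN.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# True if $1 is a dotted quad with every octet in 0..255.
is_ipv4() {
    _ifs="$IFS"; IFS=.
    set -- $1
    IFS="$_ifs"
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        case "$_o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# Convert one PeerGuardian line into iptables match arguments, e.g.
# "Some ISP:10.1.2.0-10.1.2.255" -> "-m iprange --src-range 10.1.2.0-10.1.2.255".
# Empty lines, comments and malformed entries print nothing and return 1, so a
# damaged list file cannot turn into a wrong or over-broad rule.
pg_line_to_rule() {
    _cr=$(printf '\r')
    _line="${1%"$_cr"}"                      # tolerate CRLF line endings
    case "$_line" in ''|'#'*) return 1 ;; esac
    _range="${_line##*:}"                    # text after the last colon
    case "$_range" in *-*) ;; *) return 1 ;; esac
    _first="${_range%%-*}"
    _last="${_range##*-}"
    is_ipv4 "$_first" && is_ipv4 "$_last" || return 1
    echo "-m iprange --src-range $_first-$_last"
}

# Read a list on stdin and emit one DROP rule per valid entry, in its own
# chain so the list can be reloaded with a single flush.
load_blocklist() {
    ipt -N blocklist
    ipt -F blocklist
    while IFS= read -r _l || [ -n "$_l" ]; do
        _match=$(pg_line_to_rule "$_l") || continue
        ipt -A blocklist $_match -j DROP     # unquoted on purpose: word-split
    done
}

# Log (throttled, so a scan cannot fill the disk) and then REJECT whatever
# reaches the end of INPUT: TCP gets a RST and UDP an ICMP port-unreachable,
# so a closed port looks closed rather than filtered; anything else is dropped.
setup_reject_chain() {
    ipt -N logreject
    ipt -F logreject
    ipt -A logreject -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "fw-reject: "
    ipt -A logreject -p tcp -j REJECT --reject-with tcp-reset
    ipt -A logreject -p udp -j REJECT --reject-with icmp-port-unreachable
    ipt -A logreject -j DROP
}

# Wire both chains into INPUT: the blocklist first, the reject chain last.
# The DROP policy stays as a safety net should the final jump ever be missing.
apply() {
    ipt -P INPUT DROP
    ipt -I INPUT 1 -j blocklist
    ipt -A INPUT -j logreject
}

# Constructed sample list (not a real PeerGuardian file): two good entries,
# one CRLF entry, a comment and two malformed entries that must be skipped.
sample_list() {
    printf '%s\n' \
        '# constructed sample in PeerGuardian p2p format' \
        'Example range one:192.0.2.0-192.0.2.255' \
        'Example range two:198.51.100.10-198.51.100.20' \
        "$(printf 'CRLF entry:203.0.113.64-203.0.113.95\r')" \
        'Bad octet:300.1.1.1-300.1.1.2' \
        'Missing dash:203.0.113.0'
}

setup_reject_chain
sample_list | load_blocklist
apply
```

Running it as-is prints the rule set; DRY_RUN=0 executes it instead. Brian's FIXME about throttling log entries is what the `-m limit` in front of the LOG target answers: past the burst, at most five entries a minute are written, and the REJECT that follows is unaffected by the limit.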