Re: Firewall Setup

To: Alan Chandler <alan@chandlerfamily.org.uk>
Cc: debian-user@lists.debian.org
Subject: Re: Firewall Setup
From: Jude DaShiell <jdashiel@shellworld.net>
Date: Tue, 2 Aug 2011 03:04:46 -0400 (EDT)
Message-id: <[🔎] alpine.BSF.2.00.1108020304150.86954@freire1.furyyjbeyq.arg>
In-reply-to: <[🔎] 4E378FBF.7010703@chandlerfamily.org.uk>
References: <[🔎] CAEe=7Li3a_EsWc=btFtRd8OGGFfbU96iWmujPpq2xjrA9oFnRA@mail.gmail.com> <[🔎] 4E378FBF.7010703@chandlerfamily.org.uk>
Why not check out arnos-iptables-firewall?

On Tue, 2 Aug 2011, Alan Chandler wrote:

> On 01/08/11 21:56, Paul Stuffins wrote:
> > Hi Guys,
> >
> > I am trying to set iptables up, but am getting into a right mess editing
> > the rules direct in the init script.
> >
> > What are peoples recommendations of a front end, either one that I can
> > run via an Apache VirtualHost, obviously on a secured and locked down
> > VirtualHost so that only I can access it, or via SSH.
> >
> > --Paul
> 
> 
> I am not sure I understand exactly what you mean, but this is my set of
> firewall rules which I reference in /etc/network/interfaces/pre-up. They are
> stored in file /etc/firewall
> 
> Unlike the other replies I hand crafted these from scratch quite a few years
> ago now and they seem to have stood me in good stead.  Although some of the
> destination changing rules refer to programs I haven't used for at least 5
> years (GPL refers to Grand Prix Legends - a car racing sim)
> 
> The only other rules are generated by fail2ban dynamically locking out smtp
> attempts to send me junk.
> 
> #!/bin/sh
> #
> #
> 
> INETIF=$1
> 
> KANGA="192.168.0.12"
> POOH="192.168.0.11"
> 
> 
> test -x /sbin/iptables || exit 0
> 
> #set -e
> echo "Setting up firewall on interface $INETIF"
> #
> #   Start up ensuring that the tables are all empty
> #   (ignoring any errors because there is nothing there yet)
> #
>     iptables -F
>     iptables -t nat -F
>     iptables -t mangle -F
>     iptables -X
> 
> #
> #   This is for established communications coming in from the internet just
> #   so that I can get an idea what sort of packets they are.
> #
>     iptables -N i-estab
>     iptables -A i-estab -p tcp --sport www -j ACCEPT
>     iptables -A i-estab -p tcp --sport imap -j ACCEPT
>     iptables -A i-estab -p tcp --sport imaps -j ACCEPT
>     iptables -A i-estab -p tcp --sport nntp -j ACCEPT
>     iptables -A i-estab -p tcp --sport domain -j ACCEPT
>     iptables -A i-estab -p tcp --dport ssh -j ACCEPT
>     iptables -A i-estab -p tcp --sport ftp -j ACCEPT
>     iptables -A i-estab -p tcp --sport ftp-data -j ACCEPT
>     iptables -A i-estab -p tcp --sport 9418 -j ACCEPT
> 
> #   Accept everything not so far accepted
>     iptables -A i-estab -j ACCEPT
> #
> #   Route packets going out from here onto a new table so that we can do
> #   things with them (logging etc)
> #
>     iptables -N to-inet
> #
> #   Just want to count a few things
> #
>     iptables -A to-inet -p tcp --dport www -j ACCEPT
>     iptables -A to-inet -p tcp --dport imap -j ACCEPT
>     iptables -A to-inet -p udp --dport domain -j ACCEPT
>     iptables -A to-inet -p tcp --dport nntp -j ACCEPT
>     iptables -A to-inet -p udp --dport 67:68 -j ACCEPT
>     iptables -A to-inet -p tcp --dport iax -j ACCEPT
>     iptables -A to-inet -p udp --dport iax -j ACCEPT
> #
> #    Note ICMP packets I am sending out
> #
>     iptables -A to-inet -p icmp --icmp-type destination-unreachable -j ACCEPT
>     iptables -A to-inet -p icmp --icmp-type source-quench -j ACCEPT
>     iptables -A to-inet -p icmp --icmp-type time-exceeded -j ACCEPT
>     iptables -A to-inet -p icmp --icmp-type parameter-problem -j ACCEPT
>     iptables -A to-inet -p icmp --icmp-type echo-request -j ACCEPT
>     iptables -A to-inet -p icmp --icmp-type echo-reply -j ACCEPT
> #
> #   Prevent any netbios stuff leaking out from here
> #
>     iptables -A to-inet -p tcp --dport netbios-ns:netbios-ssn -j LOG
>     iptables -A to-inet -p tcp --dport netbios-ns:netbios-ssn -j DROP
>     iptables -A to-inet -p udp --dport netbios-ns:netbios-ssn -j LOG
>     iptables -A to-inet -p udp --dport netbios-ns:netbios-ssn -j DROP
> #
> #
> #   Accept every thing else
> #
>     iptables -A to-inet -j ACCEPT
> #
> #   Now make the connection to the table
> #
>     iptables -A OUTPUT -o $INETIF -j to-inet
> #
> #   Common internet Stuff
> #
>     iptables -N from-inet
> #
> #   Stuff already established is allowed but jump to chain to count things
> #
>     iptables -A from-inet -m state --state ESTABLISHED,RELATED -j i-estab
> #
> #    Deal with ICMP packets
> #
>     iptables -A from-inet -p icmp --icmp-type destination-unreachable -j
> ACCEPT
>     iptables -A from-inet -p icmp --icmp-type source-quench -j ACCEPT
>     iptables -A from-inet -p icmp --icmp-type time-exceeded -j ACCEPT
>     iptables -A from-inet -p icmp --icmp-type parameter-problem -j ACCEPT
>     iptables -A from-inet -p icmp --icmp-type echo-request -j ACCEPT
> #   Already accepted by related
>     iptables -A from-inet -p icmp --icmp-type echo-reply -j ACCEPT
> #
> #   ftp-data started by mine  (already accepted in related)
> #
>     iptables -A from-inet -m state --state NEW -p tcp --dport ftp-data -j
> ACCEPT
> #
> #   Socks probes should be dropped so that IRC does not thing we are 
> screwwing them
> #
>     iptables -A from-inet -p tcp --dport socks -j DROP
> #
> #   Drop these before logging them (just collecting them to see what 
> they are)
> #
>     iptables -A from-inet -p tcp --dport 1635 -j DROP
>     iptables -A from-inet -p tcp --dport 1370 -j DROP
> #
> #   DHCP messsages - I need to drop server requests
> #
>     iptables -A from-inet -p udp --dport 67 -j DROP
> #
> #   log and drop the rest (except 192.168 stuff which we silently loose)
> #
>     iptables -A from-inet -s 192.168.0.0/16 -j DROP
> #   iptables -A from-inet -j LOG
>     iptables -A from-inet -j DROP
> #
> #   Create a chain which protects gateway
> #
>     iptables -N inet-in
> #  Allow DHCP requests to me
>     iptables -A inet-in -p udp --dport 68 -j ACCEPT
> #
> #   Allow DNS stuff
> #
>     iptables -A inet-in -p udp --dport domain -j ACCEPT
>     iptables -A inet-in -p tcp --dport domain -j ACCEPT
> #
> #   Allow connections to my ssh port
> #
>     iptables -A inet-in -m state --state NEW -p tcp --dport ssh -j ACCEPT
>     iptables -A inet-in -p udp --dport ssh -j ACCEPT
> #
> #   Allow git connections
> #
>     iptables -A inet-in -m state --state NEW -p tcp --dport 9418 -j ACCEPT
>     iptables -A inet-in -p udp --dport 9418 -j ACCEPT
> 
> #   Allow mail to get in to deliver on the SMTP port
> #
>     iptables -A inet-in -p tcp --dport smtp -j ACCEPT
> 
> #   Allow mail on imap-ssl port
> #
>     iptables -A inet-in -p tcp --dport imaps -j ACCEPT
> #
> #   Allow boot stuff so I can configure interface
> #
>     iptables -A inet-in -p udp --dport 67:68 -j ACCEPT
> 
> #
> #   Allow stuff to the web site
> #
>     iptables -A inet-in -p tcp --dport www -j ACCEPT
>     iptables -A inet-in -p tcp --dport https -j ACCEPT
> #
> #   Allow traffic in to voip switch (iax,sip and a limited range of rtp)
> #   (restricted for now)
> #
> #    iptables -A inet-in -p udp --dport iax -j ACCEPT
> #    iptables -A inet-in -p udp --dport sip -j ACCEPT
> #    iptables -A inet-in -p udp --dport 14007:14096 -j ACCEPT
> #
> #   Explicitly drop 135 stuff
> #
> #    iptables -A inet-in -p tcp --dport 135 -j LOG
>     iptables -A inet-in -p tcp --dport 135 -j DROP
> #
> #    Allow pokerth stuff in
> #
>     iptables -A inet-in -p tcp --dport 7234 -j ACCEPT
> 
> #
> #   Do Common Stuff
> #
>     iptables -A inet-in -j from-inet
> #
> #   Create table from forwarded stuff from Inet
> #
> #
>     iptables -N inet-fwd
> #
> #   Following is for GPL and WinVROC and must be forwarded on
> #
>     iptables -A inet-fwd -p udp --dport 32766:32786 -j ACCEPT
>     iptables -A inet-fwd -p udp --dport 6970:6971 -j ACCEPT
> #   to see them seperately
>     iptables -A inet-fwd -p udp --dport 6969 -j ACCEPT
>     iptables -A inet-fwd -p tcp --dport auth -j ACCEPT
> #
> #   Allow bittorrent stuff
> #
>     iptables -A inet-fwd -p tcp --dport 6881:6899 -j ACCEPT
>     iptables -A inet-fwd -p udp --dport 6881:6899 -j ACCEPT
> #
> #
> #   allow Secure Remote stuff into my portable
> #
> #    iptables -A inet-fwd -p udp --dport 500 -j LOG
>     iptables -A inet-fwd -p udp --dport 500 -j ACCEPT
> #    iptables -A inet-fwd -p udp --dport 2746 -j LOG
>     iptables -A inet-fwd -p udp --dport 2746 -j ACCEPT
> 
> #
> #   Do common stuff
> #
>     iptables -A inet-fwd -j from-inet
> #
> #   Link new tables in
> #
>     iptables -A INPUT -i $INETIF -j inet-in
> 
>     iptables -A FORWARD -i $INETIF -j inet-fwd
> 
> #
> #   need to MASQUERADE outgoing stuff
> #
> #   normal internal network
> #
>     iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o $INETIF -j MASQUERADE
> #
> #
> #  Stuff comming in for GPL and WinVROC needs destination changing
> #
>     iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 32766:32786 -j
> DNAT --to-destination $KANGA
>     iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6970:6971 -j DNAT
> --to-destination $KANGA
> #   seperate out to see if used
>     iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6969 -j DNAT
> --to-destination $KANGA
>     iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport auth -j DNAT
> --to-destination $KANGA
> #
> #   Allocate bittorrent channels
> #
>     iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport 6881:6889 -j DNAT
> --to-destination $KANGA
>     iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6881:6889 -j DNAT
> --to-destination $KANGA
>     iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport 6890:6899 -j DNAT
> --to-destination $POOH
>     iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6890:6899 -j DNAT
> --to-destination $POOH
> 
> #
> #   I want to mangle outgoing packets so that I can
> #   take maximum benefit of different types of connection
> #   in terms of priority
> #
>     iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport www -j TOS
> --set-tos Minimize-Delay
>     iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport ftp -j TOS
> --set-tos Minimize-Delay
>     iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport ftp-data -j TOS
> --set-tos Maximize-Throughput
>     iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport smtp -j TOS
> --set-tos Maximize-Reliability
>     iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport pop3 -j TOS
> --set-tos Maximize-Reliability
>     iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport nntp -j TOS
> --set-tos Minimize-Cost
>     iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport domain -j TOS
> --set-tos Maximize-Reliability
>     iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport domain -j TOS
> --set-tos Maximize-Reliability
> #
> #   Following is for GPL and should be sent fast
> #
>     iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport 32766:32786 -j TOS
> --set-tos Minimize-Delay
>     iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport 6970:6971 -j TOS
> --set-tos Minimize-Delay
>     iptables -t mangle -A OUTPUT -o $INETIF -p udp --sport 32766:32786 -j TOS
> --set-tos Minimize-Delay
>     iptables -t mangle -A OUTPUT -o $INETIF -p udp --sport 6970:6971 -j TOS
> --set-tos Minimize-Delay
> #
> #   VOIP traffic - mainly RTP but also IAX needs to go fast
> #
>     iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport iax -j TOS
> --set-tos Minimize-Delay
>     iptables -t mangle -A OUTPUT -o $INETIF -p udp --sport 14007:14096 -j TOS
> --set-tos Minimize-Delay
> 
> exit 0
> 
> 
> 
>
Reply to:
Follow-Ups:
- Re: Firewall Setup
  - From: Jerome BENOIT <g6299304p@rezozer.net>
References:
- Firewall Setup
  - From: Paul Stuffins <paul.stuffins@orqoo.com>
- Re: Firewall Setup
  - From: Alan Chandler <alan@chandlerfamily.org.uk>
Prev by Date: cups usbfs: process .... (usb) did not claim interface 1 before use
Next by Date: Re: Wheezy: how to disable SSH gnome-keyring by editing desktop configuration file
Previous by thread: Re: Firewall Setup
Next by thread: Re: Firewall Setup
Index(es):
- Date
- Thread