Re: Firewall Setup
Why not check out arnos-iptables-firewall?
On Tue, 2 Aug 2011, Alan Chandler wrote:
> On 01/08/11 21:56, Paul Stuffins wrote:
> > Hi Guys,
> >
> > I am trying to set iptables up, but am getting into a right mess editing
> > the rules direct in the init script.
> >
> > What are peoples recommendations of a front end, either one that I can
> > run via an Apache VirtualHost, obviously on a secured and locked down
> > VirtualHost so that only I can access it, or via SSH.
> >
> > --Paul
>
>
> I am not sure I understand exactly what you mean, but this is my set of
> firewall rules which I reference in /etc/network/interfaces/pre-up. They are
> stored in file /etc/firewall
>
> Unlike the other replies I hand crafted these from scratch quite a few years
> ago now and they seem to have stood me in good stead. Although some of the
> destination changing rules refer to programs I haven't used for at least 5
> years (GPL refers to Grand Prix Legends - a car racing sim)
>
> The only other rules are generated by fail2ban dynamically locking out smtp
> attempts to send me junk.
>
> #!/bin/sh
> #
> #
>
> INETIF=$1
>
> KANGA="192.168.0.12"
> POOH="192.168.0.11"
>
>
> test -x /sbin/iptables || exit 0
>
> #set -e
> echo "Setting up firewall on interface $INETIF"
> #
> # Start up ensuring that the tables are all empty
> # (ignoring any errors because there is nothing there yet)
> #
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -X
>
> #
> # This is for established communications coming in from the internet just
> # so that I can get an idea what sort of packets they are.
> #
> iptables -N i-estab
> iptables -A i-estab -p tcp --sport www -j ACCEPT
> iptables -A i-estab -p tcp --sport imap -j ACCEPT
> iptables -A i-estab -p tcp --sport imaps -j ACCEPT
> iptables -A i-estab -p tcp --sport nntp -j ACCEPT
> iptables -A i-estab -p tcp --sport domain -j ACCEPT
> iptables -A i-estab -p tcp --dport ssh -j ACCEPT
> iptables -A i-estab -p tcp --sport ftp -j ACCEPT
> iptables -A i-estab -p tcp --sport ftp-data -j ACCEPT
> iptables -A i-estab -p tcp --sport 9418 -j ACCEPT
>
> # Accept everything not so far accepted
> iptables -A i-estab -j ACCEPT
> #
> # Route packets going out from here onto a new table so that we can do
> # things with them (logging etc)
> #
> iptables -N to-inet
> #
> # Just want to count a few things
> #
> iptables -A to-inet -p tcp --dport www -j ACCEPT
> iptables -A to-inet -p tcp --dport imap -j ACCEPT
> iptables -A to-inet -p udp --dport domain -j ACCEPT
> iptables -A to-inet -p tcp --dport nntp -j ACCEPT
> iptables -A to-inet -p udp --dport 67:68 -j ACCEPT
> iptables -A to-inet -p tcp --dport iax -j ACCEPT
> iptables -A to-inet -p udp --dport iax -j ACCEPT
> #
> # Note ICMP packets I am sending out
> #
> iptables -A to-inet -p icmp --icmp-type destination-unreachable -j ACCEPT
> iptables -A to-inet -p icmp --icmp-type source-quench -j ACCEPT
> iptables -A to-inet -p icmp --icmp-type time-exceeded -j ACCEPT
> iptables -A to-inet -p icmp --icmp-type parameter-problem -j ACCEPT
> iptables -A to-inet -p icmp --icmp-type echo-request -j ACCEPT
> iptables -A to-inet -p icmp --icmp-type echo-reply -j ACCEPT
> #
> # Prevent any netbios stuff leaking out from here
> #
> iptables -A to-inet -p tcp --dport netbios-ns:netbios-ssn -j LOG
> iptables -A to-inet -p tcp --dport netbios-ns:netbios-ssn -j DROP
> iptables -A to-inet -p udp --dport netbios-ns:netbios-ssn -j LOG
> iptables -A to-inet -p udp --dport netbios-ns:netbios-ssn -j DROP
> #
> #
> # Accept every thing else
> #
> iptables -A to-inet -j ACCEPT
> #
> # Now make the connection to the table
> #
> iptables -A OUTPUT -o $INETIF -j to-inet
> #
> # Common internet Stuff
> #
> iptables -N from-inet
> #
> # Stuff already established is allowed but jump to chain to count things
> #
> iptables -A from-inet -m state --state ESTABLISHED,RELATED -j i-estab
> #
> # Deal with ICMP packets
> #
> iptables -A from-inet -p icmp --icmp-type destination-unreachable -j ACCEPT
> iptables -A from-inet -p icmp --icmp-type source-quench -j ACCEPT
> iptables -A from-inet -p icmp --icmp-type time-exceeded -j ACCEPT
> iptables -A from-inet -p icmp --icmp-type parameter-problem -j ACCEPT
> iptables -A from-inet -p icmp --icmp-type echo-request -j ACCEPT
> # Already accepted by related
> iptables -A from-inet -p icmp --icmp-type echo-reply -j ACCEPT
> #
> # ftp-data started by mine (already accepted in related)
> #
> iptables -A from-inet -m state --state NEW -p tcp --dport ftp-data -j ACCEPT
> #
> # Socks probes should be dropped so that IRC does not think we are screwing them
> #
> iptables -A from-inet -p tcp --dport socks -j DROP
> #
> # Drop these before logging them (just collecting them to see what they are)
> #
> iptables -A from-inet -p tcp --dport 1635 -j DROP
> iptables -A from-inet -p tcp --dport 1370 -j DROP
> #
> # DHCP messages - I need to drop server requests
> #
> iptables -A from-inet -p udp --dport 67 -j DROP
> #
> # log and drop the rest (except 192.168 stuff which we silently lose)
> #
> iptables -A from-inet -s 192.168.0.0/16 -j DROP
> # iptables -A from-inet -j LOG
> iptables -A from-inet -j DROP
> #
> # Create a chain which protects gateway
> #
> iptables -N inet-in
> # Allow DHCP requests to me
> iptables -A inet-in -p udp --dport 68 -j ACCEPT
> #
> # Allow DNS stuff
> #
> iptables -A inet-in -p udp --dport domain -j ACCEPT
> iptables -A inet-in -p tcp --dport domain -j ACCEPT
> #
> # Allow connections to my ssh port
> #
> iptables -A inet-in -m state --state NEW -p tcp --dport ssh -j ACCEPT
> iptables -A inet-in -p udp --dport ssh -j ACCEPT
> #
> # Allow git connections
> #
> iptables -A inet-in -m state --state NEW -p tcp --dport 9418 -j ACCEPT
> iptables -A inet-in -p udp --dport 9418 -j ACCEPT
>
> # Allow mail to get in to deliver on the SMTP port
> #
> iptables -A inet-in -p tcp --dport smtp -j ACCEPT
>
> # Allow mail on imap-ssl port
> #
> iptables -A inet-in -p tcp --dport imaps -j ACCEPT
> #
> # Allow boot stuff so I can configure interface
> #
> iptables -A inet-in -p udp --dport 67:68 -j ACCEPT
>
> #
> # Allow stuff to the web site
> #
> iptables -A inet-in -p tcp --dport www -j ACCEPT
> iptables -A inet-in -p tcp --dport https -j ACCEPT
> #
> # Allow traffic in to voip switch (iax,sip and a limited range of rtp)
> # (restricted for now)
> #
> # iptables -A inet-in -p udp --dport iax -j ACCEPT
> # iptables -A inet-in -p udp --dport sip -j ACCEPT
> # iptables -A inet-in -p udp --dport 14007:14096 -j ACCEPT
> #
> # Explicitly drop 135 stuff
> #
> # iptables -A inet-in -p tcp --dport 135 -j LOG
> iptables -A inet-in -p tcp --dport 135 -j DROP
> #
> # Allow pokerth stuff in
> #
> iptables -A inet-in -p tcp --dport 7234 -j ACCEPT
>
> #
> # Do Common Stuff
> #
> iptables -A inet-in -j from-inet
> #
> # Create table from forwarded stuff from Inet
> #
> #
> iptables -N inet-fwd
> #
> # Following is for GPL and WinVROC and must be forwarded on
> #
> iptables -A inet-fwd -p udp --dport 32766:32786 -j ACCEPT
> iptables -A inet-fwd -p udp --dport 6970:6971 -j ACCEPT
> # to see them separately
> iptables -A inet-fwd -p udp --dport 6969 -j ACCEPT
> iptables -A inet-fwd -p tcp --dport auth -j ACCEPT
> #
> # Allow bittorrent stuff
> #
> iptables -A inet-fwd -p tcp --dport 6881:6899 -j ACCEPT
> iptables -A inet-fwd -p udp --dport 6881:6899 -j ACCEPT
> #
> #
> # allow Secure Remote stuff into my portable
> #
> # iptables -A inet-fwd -p udp --dport 500 -j LOG
> iptables -A inet-fwd -p udp --dport 500 -j ACCEPT
> # iptables -A inet-fwd -p udp --dport 2746 -j LOG
> iptables -A inet-fwd -p udp --dport 2746 -j ACCEPT
>
> #
> # Do common stuff
> #
> iptables -A inet-fwd -j from-inet
> #
> # Link new tables in
> #
> iptables -A INPUT -i $INETIF -j inet-in
>
> iptables -A FORWARD -i $INETIF -j inet-fwd
>
> #
> # need to MASQUERADE outgoing stuff
> #
> # normal internal network
> #
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o $INETIF -j MASQUERADE
> #
> #
> # Stuff coming in for GPL and WinVROC needs destination changing
> #
> iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 32766:32786 -j DNAT --to-destination $KANGA
> iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6970:6971 -j DNAT --to-destination $KANGA
> # separate out to see if used
> iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6969 -j DNAT --to-destination $KANGA
> iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport auth -j DNAT --to-destination $KANGA
> #
> # Allocate bittorrent channels
> #
> iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport 6881:6889 -j DNAT --to-destination $KANGA
> iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6881:6889 -j DNAT --to-destination $KANGA
> iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport 6890:6899 -j DNAT --to-destination $POOH
> iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6890:6899 -j DNAT --to-destination $POOH
>
> #
> # I want to mangle outgoing packets so that I can
> # take maximum benefit of different types of connection
> # in terms of priority
> #
> iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport www -j TOS --set-tos Minimize-Delay
> iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport ftp -j TOS --set-tos Minimize-Delay
> iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport ftp-data -j TOS --set-tos Maximize-Throughput
> iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport smtp -j TOS --set-tos Maximize-Reliability
> iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport pop3 -j TOS --set-tos Maximize-Reliability
> iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport nntp -j TOS --set-tos Minimize-Cost
> iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport domain -j TOS --set-tos Maximize-Reliability
> iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport domain -j TOS --set-tos Maximize-Reliability
> #
> # Following is for GPL and should be sent fast
> #
> iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport 32766:32786 -j TOS --set-tos Minimize-Delay
> iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport 6970:6971 -j TOS --set-tos Minimize-Delay
> iptables -t mangle -A OUTPUT -o $INETIF -p udp --sport 32766:32786 -j TOS --set-tos Minimize-Delay
> iptables -t mangle -A OUTPUT -o $INETIF -p udp --sport 6970:6971 -j TOS --set-tos Minimize-Delay
> #
> # VOIP traffic - mainly RTP but also IAX needs to go fast
> #
> iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport iax -j TOS --set-tos Minimize-Delay
> iptables -t mangle -A OUTPUT -o $INETIF -p udp --sport 14007:14096 -j TOS --set-tos Minimize-Delay
>
> exit 0
>
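The quoted /etc/firewall builds its chains with one iptables call per line, and iptables happily loads a rule appended after a chain's unconditional ACCEPT or DROP (it can never match) or a chain created with -N that nothing ever jumps to. Neither mistake produces an error, so a hand-maintained script of this kind benefits from a static check before it is wired into pre-up. The lint below is an added example written for this page; it is not code from either poster or from arnos-iptables-firewall. It parses a script in the same one-call-per-line style from stdin and touches nothing in the kernel. The function name `lint_rules`, the rule that only ACCEPT/DROP/REJECT/RETURN count as terminating, and the embedded sample rule set (constructed for this example; it only borrows chain names from the quoted script) are this example's own choices.

```sh
#!/bin/sh
# Added example for this page (not code from the thread or from any firewall
# tool): a static lint for a hand-written iptables script in the
# "one iptables call per line" style of the quoted /etc/firewall.
# It only reads the text; nothing is passed to the kernel, so it is safe to
# run anywhere.  Two kinds of finding are reported:
#   unreachable: a rule appended (-A) to a chain after that chain already
#                ended in an unconditional ACCEPT/DROP/REJECT/RETURN
#   orphan:      a user chain created with -N that no -j ever targets
# Only -A is modelled; -I would need ordering-aware handling.  A jump to a
# user chain (e.g. "-j from-inet") is deliberately not treated as terminating,
# and LOG is correctly treated as non-terminating.

# lint_rules: read a firewall script on stdin, print one finding per line.
lint_rules() {
    awk '
    BEGIN { term["ACCEPT"] = 1; term["DROP"] = 1; term["REJECT"] = 1; term["RETURN"] = 1 }
    /^[ \t]*iptables[ \t]/ {
        # Resolve the table first, because -t may appear anywhere on the line.
        table = "filter"
        for (i = 2; i < NF; i++) if ($i == "-t") table = $(i + 1)
        chain = ""; target = ""; newchain = ""; opts = 0
        for (i = 2; i <= NF; i++) {
            if ($i == "-t")      i++
            else if ($i == "-A") { chain = $(i + 1); i++ }
            else if ($i == "-N") { newchain = $(i + 1); i++ }
            else if ($i == "-j") { target = $(i + 1); i++ }
            else                 opts++      # any match or target option makes the rule conditional
        }
        if (newchain != "") defined[table, newchain] = NR
        if (target != "")   referenced[table, target] = 1
        if (chain == "")    next             # -F, -X, -N, -P ...: nothing appended
        if ((table, chain) in dead)
            printf "unreachable: line %d (%s/%s already terminated at line %d): %s\n", NR, table, chain, dead[table, chain], $0
        else if (opts == 0 && (target in term))
            dead[table, chain] = NR
    }
    END {
        for (k in defined) if (!(k in referenced)) {
            split(k, p, SUBSEP)
            printf "orphan: chain %s/%s defined at line %d is never jumped to\n", p[1], p[2], defined[k]
        }
    }'
}

# Constructed sample input for this example.  It mimics the quoted script but
# plants one unreachable rule in i-estab (line 8), one after the final DROP in
# from-inet (line 14) and an inet-fwd chain that is created but never used.
SAMPLE_RULES='#!/bin/sh
INETIF=$1
iptables -F
iptables -X
iptables -N i-estab
iptables -A i-estab -p tcp --sport www -j ACCEPT
iptables -A i-estab -j ACCEPT
iptables -A i-estab -p tcp --sport imap -j ACCEPT
iptables -N from-inet
iptables -A from-inet -m state --state ESTABLISHED,RELATED -j i-estab
iptables -A from-inet -s 192.168.0.0/16 -j DROP
iptables -A from-inet -j LOG
iptables -A from-inet -j DROP
iptables -A from-inet -p tcp --dport socks -j DROP
iptables -N inet-in
iptables -A inet-in -m state --state NEW -p tcp --dport ssh -j ACCEPT
iptables -A inet-in -j from-inet
iptables -N inet-fwd
iptables -A INPUT -i $INETIF -j inet-in
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o $INETIF -j MASQUERADE'

# Stand-alone run: lint the constructed sample.  To check a real script,
# pipe it in instead: lint_rules < /etc/firewall
printf '%s\n' "$SAMPLE_RULES" | lint_rules
```

On the sample this prints two "unreachable" findings (lines 8 and 14) and one "orphan" finding for filter/inet-fwd; the unconditional `-j LOG` on line 12 is not treated as terminating, so the DROP on line 13 is not flagged. Chains are keyed by table as well as name, so a `-t nat` chain with the same name as a filter chain is tracked separately.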