On Thu, 2003-10-23 at 01:06, adam beecher wrote:
> I'll figure out this networking crap if it kills me. And it probably will
> kill me, what with crawling around under the frigging table plugging stuff
> in and out all frigging day. Brings a whole new meaning to "iptables". Adam
> Beecher, killed by iptables. May he rest in PC.
Here's the script I cogged off some BB somewhere. I modded
it to suit me (trusted local eth0, outside untrusted ppp0)
and put the IP address of my gateway as a variable. Works
for me, but I haven't learned yet how to open the holes I
need for identd, etc. I call this from rc.local at boot.
///Peter
--------------------------------8<---------------------------
#!/bin/sh
# From
# http://www.linuxquestions.org/questions/showthread.php?s=&postid=482103#post482103
#
# Set an absolute path to IPTABLES and define the interfaces.
#
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well, that ought to be obvious.
#
# For a system to function as a firewall the kernel has to be told to forward
# packets between interfaces, i.e., it needs to be a router. Since you'll save
# the running config with 'iptables-save' for RedHat to reinstate at the next
# boot, IP forwarding must be enabled by something other than this script for
# production use. That's best done by editing /etc/sysctl.conf and setting
# 'net.ipv4.ip_forward = 1'.
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# iptables-save >/etc/sysconfig/iptables
#
# When /etc/init.d/iptables executes it will see the file and restore the rules.
#
# Since that file will only be read at boot, you can uncomment the following
# line to enable forwarding on the fly for initial testing. Just remember that
# the saved iptables data won't include the command.
#
# echo 1 > /proc/sys/net/ipv4/ip_forward
IPTABLES="/sbin/iptables"
OUTSIDE=ppp0
INSIDE=eth0
LOOPBACK=lo
THISHOST=192.168.42.1
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as not to swamp the
# firewall in a DOS scenario.
#
# silent - Just drop the packet
# tcpflags - Log packets with bad flags, most likely an attack
# firewalled - Log packets that we refuse, possibly from an attack
#
$IPTABLES -N silent
$IPTABLES -A silent -j DROP
$IPTABLES -N tcpflags
$IPTABLES -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix "TCPflags: "
$IPTABLES -A tcpflags -j DROP
$IPTABLES -N firewalled
$IPTABLES -A firewalled -m limit --limit 15/minute -j LOG --log-prefix "Firewalled: "
$IPTABLES -A firewalled -j DROP
# Use NPAT (masquerading) if you have a dynamic IP. Otherwise comment out the
# following line and use the Source NAT below.
#
$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Use Source NAT to do the NPAT if you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
#$IPTABLES -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 1.2.3.4
#
# Examples of Port forwarding.
#
# The first forwards HTTP traffic to 10.1.0.1 (edit: 192.168.0.2, the author's
# local machine, not the gateway)
# The second forwards SSH to 10.1.0.1
# The third forwards a block of tcp and udp ports (2300-2400) to 10.1.0.1
#
# Remember that a DNAT'd packet is routed on to the inside host, so it passes
# through the FORWARD chain, not INPUT. This script leaves the FORWARD policy
# at ACCEPT, so forwarded traffic is not filtered at all; if you tighten
# FORWARD to DROP you'll also have to add a FORWARD rule to permit the
# inbound traffic for each forwarded port.
#
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 192.168.0.2
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 192.168.0.2
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 192.168.0.2
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 192.168.0.2
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewalled
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break. The second line below is
# enabled here because the inside machines are trusted and there are services
# on the firewall, like DNS, web, DHCP etc., that they need to access; comment
# it out if that isn't the case on your box. And remember that THISHOST must
# be the IP of the INSIDE interface of the firewall.
#
$IPTABLES -A INPUT -i $LOOPBACK -j ACCEPT
$IPTABLES -A INPUT -i $INSIDE -d $THISHOST -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Silently drop any SMB traffic. We've slipped the surly bonds of windows
# and are dancing on the silvery wings of Linux, so block that windows trash.
#
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j silent
#
# SSH to the firewall itself from the Internet is allowed here. Comment out
# the next line if you don't want sshd reachable from OUTSIDE.
#
$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
# Examples of allowing inbound to the firewall itself on the same ports as the
# port forwarding examples above. Note that these only match traffic addressed
# to the firewall; DNAT'd traffic goes through FORWARD instead.
#
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
#
# My own additions based on comments from linuxquestions.org
#
#$IPTABLES -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 192.168.0.2
#$IPTABLES -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
$IPTABLES -A INPUT -j firewalled
------------------------------8<-------------------------------
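The script above leaves the FORWARD chain at a default policy of ACCEPT, so once IP forwarding is on the box routes anything it is handed in either direction, and the DNAT'd port forwards are never filtered (they pass through FORWARD, not INPUT). The post also asks how to open the hole for identd. The following is an added example, not Peter's script or the linuxquestions.org original: it gives FORWARD a DROP policy with explicit rules for inside-to-outside traffic and for the HTTP forward, and adds an identd (113/tcp) rule for INPUT. It reuses the script's variable names; WEBHOST (the DNAT target 192.168.0.2 from the port-forward examples), DRY_RUN and RUN_IDENTD are assumptions introduced here.

```shell
#!/bin/sh
# Added example, not part of the original post: a filtered FORWARD chain and
# an identd rule for INPUT, using the same variable names as the script.
# WEBHOST, DRY_RUN and RUN_IDENTD are assumptions introduced here.
OUTSIDE=${OUTSIDE:-ppp0}
INSIDE=${INSIDE:-eth0}
IPTABLES=${IPTABLES:-/sbin/iptables}
WEBHOST=${WEBHOST:-192.168.0.2}

# With DRY_RUN=1 the commands are printed instead of executed, so the
# ruleset can be reviewed (or tested) without root or a live netfilter.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# Replace the script's 'FORWARD ACCEPT' policy. Call this after the script
# has run; it only touches the FORWARD chain.
forward_rules() {
    ipt -P FORWARD DROP
    ipt -F FORWARD
    # Two of the bad-flag checks the script applies to INPUT, for routed traffic.
    ipt -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    ipt -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
    # Replies and related traffic (FTP data, ICMP errors) in either direction.
    ipt -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    # Inside clients may open anything outbound; the MASQUERADE rule in
    # POSTROUTING still rewrites the source address afterwards.
    ipt -A FORWARD -i "$INSIDE" -o "$OUTSIDE" -m state --state NEW -j ACCEPT
    # A DNAT'd packet is routed, so it is filtered here rather than in INPUT.
    # Permit only the forwarded port, and only to the DNAT target.
    ipt -A FORWARD -i "$OUTSIDE" -o "$INSIDE" -d "$WEBHOST" -p tcp --dport 80 \
        -m state --state NEW -j ACCEPT
    # Everything else, including outside-to-inside traffic with no DNAT,
    # is logged (rate limited, as in the script) and dropped.
    ipt -A FORWARD -m limit --limit 15/minute -j LOG --log-prefix "Forwarded: "
    ipt -A FORWARD -j DROP
}

# identd on 113/tcp. If identd is running, accept it; otherwise answer with a
# TCP reset so mail and IRC servers that probe 113 don't hang until a silently
# dropped probe times out. These rules are appended, so call this from the
# script before its final '$IPTABLES -A INPUT -j firewalled' line, or the
# catch-all will swallow the packets first.
identd_rules() {
    if [ "${RUN_IDENTD:-0}" = 1 ]; then
        ipt -A INPUT -i "$OUTSIDE" -p tcp --dport 113 -j ACCEPT
    else
        ipt -A INPUT -i "$OUTSIDE" -p tcp --dport 113 -j REJECT --reject-with tcp-reset
    fi
}

# 'sh thisfile apply' installs the rules; with no argument it only defines
# the functions, so it can be sourced from the firewall script.
if [ "${1:-}" = apply ]; then
    forward_rules
    identd_rules
fi
```

Run it with `DRY_RUN=1 sh thisfile apply` first and read the printed commands; the same dry run shows what `iptables-save` will record once you apply it for real. The REJECT-with-reset for identd is the usual choice when you don't run the daemon, because a DROP makes every SMTP or IRC server that probes 113 wait for its own timeout before talking to you.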
Maintained by the ILUG website team.