Firewall Script using IPTABLES
Here is my firewall script. I am having some problems with it.
Required: My PC is the gateway for my notebook and home machine. My ADSL modem is connected to it on eth0 while I am connected to a switch on eth0. I have a dynamic IP address. I have an FTP and SSH server running on my PC so I can get stuff from it from varsity when needed. I also have a Samba server running. The other PCs that connect to mine need to be able to retrieve and send mail using SMTP and POP. They need to be able to sign into MSN Messenger and browse the net. Everyone on the network needs to be able to use torrents (ports 6881-6999). Problems currently: 1. I can't ping out from my machine (the gateway). Other PCs can ping out though. 2. Other PCs can't log on to MSN Messenger. 3. Other PCs don't have access to the BitTorrent ports. I am really at my wits' end now. I have tried everything.
#!/sbin/runscript
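IPTABLES=/sbin/iptables
IPTABLESSAVE=/sbin/iptables-save
IPTABLESRESTORE=/sbin/iptables-restore
# Saved rule set: start() restores it when the file exists, otherwise rules() runs.
FIREWALL=/etc/firewall.rules
# Resolvers the outgoing DNS chain is allowed to talk to.
DNS1=196.7.0.138
DNS2=196.7.142.132
#inside (LAN side)
IIP=192.168.0.1
IINTERFACE=eth1
LOCAL_NETWORK=192.168.0.0/24
#outside (ADSL side; the address is dynamic, so no fixed OIP is set)
#OIP=0.0.0.0
OINTERFACE=eth0
# Extra runscript actions on top of start/stop/restart.  "options" was
# misspelled as "pptions", so that action could never be dispatched.
opts="${opts} status panic save restore options rules"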
depend() {
# Runscript dependency: this service is started only after the "net" service.
need net
}
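rules() {
  # stop() flushes everything and sets every policy to ACCEPT, so the box
  # is open for the short window until the DROP policies below are set.
  stop
  ebegin "Setting internal rules"
  einfo "Setting default rule to drop"
  $IPTABLES -P FORWARD DROP
  $IPTABLES -P INPUT DROP
  $IPTABLES -P OUTPUT ACCEPT

  # Terminal chain: accept traffic belonging to tracked connections, log
  # (rate-limited) what came in on the LAN side, drop everything else.
  einfo "Creating states chain"
  $IPTABLES -N allowed-connection
  $IPTABLES -F allowed-connection
  $IPTABLES -A allowed-connection -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG --log-prefix "Bad packet from ${IINTERFACE}:"
  $IPTABLES -A allowed-connection -j DROP

  # ICMP.  Echo replies and the error types below are tracked as
  # ESTABLISHED/RELATED, never NEW, so without the first rule every reply
  # to the gateway's own pings fell through to the LOG/DROP tail of this
  # chain -- the "cannot ping out from the gateway" symptom.  The original
  # NEW rules are kept for unsolicited packets of those types.
  einfo "Creating icmp chain"
  $IPTABLES -N icmp_allowed
  $IPTABLES -F icmp_allowed
  $IPTABLES -A icmp_allowed -m state --state ESTABLISHED,RELATED -p icmp -j ACCEPT
  $IPTABLES -A icmp_allowed -m state --state NEW -p icmp -s 0/0 --icmp-type time-exceeded -j ACCEPT
  $IPTABLES -A icmp_allowed -m state --state NEW -p icmp -s 0/0 --icmp-type destination-unreachable -j ACCEPT
  $IPTABLES -A icmp_allowed -m state --state NEW -p icmp -s 0/0 --icmp-type echo-request -j ACCEPT
  $IPTABLES -A icmp_allowed -m state --state NEW -p icmp -s 0/0 --icmp-type echo-reply -j ACCEPT
  $IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic:"
  $IPTABLES -A icmp_allowed -p icmp -s 0/0 -j DROP

  # Incoming traffic to services on the gateway itself.
  einfo "Creating incoming ssh traffic chain"
  $IPTABLES -N allow-ssh-traffic-in
  $IPTABLES -F allow-ssh-traffic-in
  # Flood protection: at most one RST/FIN/SYN per second (default burst) to
  # port 2222 is accepted here; packets over the limit fall back to INPUT
  # and, not being ESTABLISHED, end up dropped by allowed-connection.
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport 2222 -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport 2222 -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport 2222 -j ACCEPT
  $IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport 2222 -j ACCEPT
  einfo "Creating incoming ftp traffic chain"
  $IPTABLES -N allow-ftp-traffic-in
  $IPTABLES -F allow-ftp-traffic-in
  # Only the control connection is opened here.  Data connections are
  # accepted as RELATED by allowed-connection, which needs the FTP
  # connection-tracking helper module (ip_conntrack_ftp on kernels of this
  # era) to be loaded -- nothing in this script loads it.
  $IPTABLES -A allow-ftp-traffic-in -p tcp --dport ftp -j ACCEPT
  $IPTABLES -A allow-ftp-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ftp -j ACCEPT
  einfo "Creating incoming samba traffic chain"
  $IPTABLES -N allow-smb-traffic-in
  $IPTABLES -F allow-smb-traffic-in
  $IPTABLES -A allow-smb-traffic-in -p tcp --dport 137:139 -j ACCEPT
  $IPTABLES -A allow-smb-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport 137:139 -j ACCEPT
  einfo "Creating incoming misc traffic chain"
  $IPTABLES -N allow-misc-traffic-in
  $IPTABLES -F allow-misc-traffic-in
  $IPTABLES -A allow-misc-traffic-in -p tcp --dport 1863 -j ACCEPT
  $IPTABLES -A allow-misc-traffic-in -p tcp --dport 6881:6999 -j ACCEPT

  # Outgoing chains.  OUTPUT policy is ACCEPT, so these only matter where
  # they are attached to FORWARD below.
  einfo "Creating outgoing ssh traffic chain"
  $IPTABLES -N allow-ssh-traffic-out
  $IPTABLES -F allow-ssh-traffic-out
  $IPTABLES -A allow-ssh-traffic-out -p tcp --dport 2222 -j ACCEPT
  einfo "Creating outgoing http/https traffic chain"
  $IPTABLES -N allow-www-traffic-out
  $IPTABLES -F allow-www-traffic-out
  $IPTABLES -A allow-www-traffic-out -p tcp --dport www -j ACCEPT
  $IPTABLES -A allow-www-traffic-out -p tcp --dport https -j ACCEPT
  einfo "Creating outgoing samba traffic chain"
  $IPTABLES -N allow-smb-traffic-out
  $IPTABLES -F allow-smb-traffic-out
  $IPTABLES -A allow-smb-traffic-out -p tcp --dport 137:139 -j ACCEPT
  einfo "Creating outgoing dns traffic chain"
  $IPTABLES -N allow-dns-traffic-out
  $IPTABLES -F allow-dns-traffic-out
  $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain -j ACCEPT
  $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain -j ACCEPT

  # Catch portscanners: impossible/odd flag combinations are logged
  # (rate-limited) and dropped.
  einfo "Creating portscan detection chain"
  $IPTABLES -N check-flags
  $IPTABLES -F check-flags
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
  $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
  $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

  # Apply the chains.  Loopback is accepted first so local services are
  # never subject to the ICMP and scan-detection chains.
  einfo "Applying chains to INPUT"
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A INPUT -m state --state INVALID -j DROP
  $IPTABLES -A INPUT -j icmp_allowed
  $IPTABLES -A INPUT -j check-flags
  $IPTABLES -A INPUT -j allow-ssh-traffic-in
  $IPTABLES -A INPUT -j allow-ftp-traffic-in
  # NOTE: 1863 and 6881:6999 are opened on every interface here, but INPUT
  # only covers the gateway itself.  Torrent peers connecting in from the
  # Internet are addressed to the gateway's public IP and hit INPUT, never
  # FORWARD; reaching a LAN client requires a DNAT rule in the nat
  # PREROUTING chain for the client's address, which this script does not
  # set up (one reason the clients see no incoming torrent connections).
  $IPTABLES -A INPUT -j allow-misc-traffic-in
  $IPTABLES -A INPUT -i $IINTERFACE -j allow-smb-traffic-in
  $IPTABLES -A INPUT -j allowed-connection
  einfo "Applying chains to FORWARD"
  $IPTABLES -A FORWARD -m state --state INVALID -j DROP
  $IPTABLES -A FORWARD -j check-flags
  $IPTABLES -A FORWARD -i lo -j ACCEPT
  # Everything originating on the LAN side is forwarded unrestricted; the
  # two chains after it only see traffic entering from the outside.
  $IPTABLES -A FORWARD -i $IINTERFACE -j ACCEPT
  $IPTABLES -A FORWARD -j allow-www-traffic-out
  $IPTABLES -A FORWARD -j allow-smb-traffic-out
  $IPTABLES -A FORWARD -j allowed-connection
  # Allow clients to route through via NAT.  MASQUERADE (not SNAT) because
  # the outside address is dynamic; restricted to the ADSL interface so
  # only traffic actually leaving on $OINTERFACE is rewritten.
  $IPTABLES -t nat -A POSTROUTING -s $LOCAL_NETWORK -o $OINTERFACE -d 0/0 -j MASQUERADE
  eend $?
}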
start() {
  ebegin "Starting firewall"
  # Only existence is tested: a present but empty or stale save file is
  # restored as-is instead of falling back to rules().
  if [ ! -e "${FIREWALL}" ]; then
    einfo "${FIREWALL} does not exists. Using default rules."
    rules
  else
    restore
  fi
  eend $?
}
stop() {
  local chain
  ebegin "Stopping firewall"
  # Flush filter and nat, delete user chains, then open every policy:
  # after this the host accepts everything on every interface and the
  # MASQUERADE rule is gone.
  $IPTABLES -F
  $IPTABLES -t nat -F
  $IPTABLES -X
  for chain in FORWARD INPUT OUTPUT; do
    $IPTABLES -P "${chain}" ACCEPT
  done
  eend $?
}
status() {
  ebegin "Status"
  # Filter table (the default table, named explicitly for symmetry with nat).
  $IPTABLES -t filter -nvL --line-numbers
  einfo "NAT status"
  $IPTABLES -t nat -nvL --line-numbers
  eend $?
}
panic() {
  local chain
  ebegin "Setting panic rules"
  $IPTABLES -F
  $IPTABLES -X
  $IPTABLES -t nat -F
  # Default-deny in every direction, including the gateway's own outbound.
  for chain in FORWARD INPUT OUTPUT; do
    $IPTABLES -P "${chain}" DROP
  done
  # Loopback stays usable so local services keep working.
  $IPTABLES -A INPUT -i lo -j ACCEPT
  $IPTABLES -A OUTPUT -o lo -j ACCEPT
  eend $?
}
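save() {
  local tmp="${FIREWALL}.tmp"
  ebegin "Saving Firewall rules"
  # Dump to a temporary file and rename on success.  Redirecting straight
  # into ${FIREWALL} truncated it before iptables-save ran, so a failed dump
  # left an empty file that start() would then "restore" without complaint.
  if $IPTABLESSAVE > "${tmp}"; then
    mv -f -- "${tmp}" "${FIREWALL}"
  else
    rm -f -- "${tmp}"
    false
  fi
  eend $?
}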
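restore() {
  ebegin "Restoring Firewall rules"
  # Quoted so a path containing whitespace cannot be split (SC2086).
  $IPTABLESRESTORE < "${FIREWALL}"
  eend $?
}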
restart() {
  # svc_stop/svc_start come from the runscript framework, not this file:
  # a full stop (flush, ACCEPT policies) followed by a start.
  svc_stop
  svc_start
}
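options() {
  # Usage text.  The action list mirrors the runscript opts line plus the
  # built-in start/stop/restart; the old text advertised a non-existent
  # "showstatus" action and left out "rules", "panic" and "options".
  printf '%s\n' \
    "Usage: $0 {start|stop|restart|rules|save|restore|panic|status|options}" \
    "start) will restore setting if exists else force rules" \
    "stop) delete all rules and set all to accept" \
    "restart) stop, then start" \
    "rules) force settings of new rules" \
    "save) will store settings in ${FIREWALL}" \
    "restore) will restore settings from ${FIREWALL}" \
    "panic) drop everything except loopback traffic" \
    "status) Shows the status"
}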
Come on, you lot — some of you have to be well acquainted with Linux and iptables.
I wish...
you forgot the magic word.