[lug] firewall

j davis davis_compz at hotmail.com
Sun Apr 14 20:26:52 MDT 2002


Hi,

Could someone take a look at this firewall script and tell me if the logic
is OK? I don't plan on running all the log stuff; it's just there for now to
see how chains are traversed. It seems odd to leave PREROUTING open, but I read
a how-to that says not to filter in PREROUTING. Or should I close PREROUTING
and write rules for my LAN and for unrequested SSH sessions from the Internet
to LAN boxes? But that's filtering in PREROUTING again. Other than the
PREROUTING stuff I think all the bases are covered. The allowed table is kind
of for future purposes; I'll add some malformed-packet stuff to it. But I am
wondering if the rule to accept --syn is allowing

thanks
jd


10.0.0.2 (Linux box) is the Internet IP (behind a Cisco 678, DSL)
192.168.0.1 (same Linux box) is the LAN gateway

#! /bin/bash
#my FIREWALL

echo 1 > /proc/sys/net/ipv4/ip_forward

for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do
	echo 1 > $f
done


# Needed to initially load modules

/sbin/depmod -a

#Required modules

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp


#flush
/sbin/iptables -F
/sbin/iptables -t nat -F

#create user chains
/sbin/iptables -N tcp_packets
/sbin/iptables -N icmp_packets
/sbin/iptables -N allowed

#fill user chains

#ALLOWED_CHAIN
# accept new connections (SYN only) and tracked connections;
# log whatever is left and, if it is TCP, drop it
/sbin/iptables -A allowed -p TCP --syn -j ACCEPT
/sbin/iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A allowed -j LOG --log-prefix="filter WIERD_TCP:"
/sbin/iptables -A allowed -p TCP -j DROP

#TCP_PACKETS
# SSH to the firewall itself and any TCP from the LAN go to allowed, the rest is dropped
/sbin/iptables -A tcp_packets -p TCP -d 10.0.0.2 --dport 22 -j allowed
/sbin/iptables -A tcp_packets -p TCP -i eth1 -s 192.168.0.0/24 -j allowed
/sbin/iptables -A tcp_packets -j DROP

#ICMP_PACKETS
# log echo-request and echo-reply, accept echo-request (type 8) from the LAN
# and time-exceeded (type 11) from anywhere; anything else returns to the caller
/sbin/iptables -A icmp_packets -p icmp --icmp-type echo-request -j LOG --log-prefix="filter ICMP_PAK:"
/sbin/iptables -A icmp_packets -p icmp --icmp-type echo-reply -j LOG --log-prefix="filter ICMP_PAK:"
/sbin/iptables -A icmp_packets -p ICMP -i eth1 --icmp-type 8 -j ACCEPT
/sbin/iptables -A icmp_packets -p ICMP --icmp-type 11 -j ACCEPT
#/sbin/iptables -A icmp_packets -p ICMP -j DROP

#PREROUTING and nat rules
# logging only, nothing is filtered or translated here
/sbin/iptables -t nat -A PREROUTING -p icmp --icmp-type echo-request -j LOG --log-prefix="nat PREROUTING:"
/sbin/iptables -t nat -A PREROUTING -p icmp --icmp-type echo-reply -j LOG --log-prefix="nat PREROUTING:"

#allow masq. and other POSTROUTING
/sbin/iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-reply -j LOG --log-prefix="nat POSTROUTING:"
/sbin/iptables -t nat -A POSTROUTING -p icmp --icmp-type echo-request -j LOG --log-prefix="nat POSTROUTING:"
/sbin/iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -s 10.0.0.2 -j MASQUERADE
/sbin/iptables -t nat -A POSTROUTING -s 127.0.0.1 -j MASQUERADE

#set default policies
/sbin/iptables -P FORWARD DROP
/sbin/iptables -t nat -P POSTROUTING DROP
/sbin/iptables -P INPUT DROP

#allow traffic to pass through firewall
# log pings, hand ICMP to icmp_packets, let the LAN out, let tracked
# connections back in, hand TCP headed for the LAN to tcp_packets
/sbin/iptables -A FORWARD -p icmp --icmp-type echo-reply -j LOG --log-prefix="filter FORWARD:"
/sbin/iptables -A FORWARD -p icmp --icmp-type echo-request -j LOG --log-prefix="filter FORWARD:"
/sbin/iptables -A FORWARD -p icmp -j icmp_packets
/sbin/iptables -A FORWARD -i eth1 -s 192.168.0.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -d 192.168.0.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A FORWARD -p TCP -d 192.168.0.0/24 -j tcp_packets

#filter to firewall
# same pattern for traffic addressed to the box itself; TCP arriving on
# eth0 goes to tcp_packets, loopback traffic goes straight to allowed
/sbin/iptables -A INPUT -p icmp --icmp-type echo-reply -j LOG --log-prefix="filter INPUT:"
/sbin/iptables -A INPUT -p icmp --icmp-type echo-request -j LOG --log-prefix="filter INPUT:"
/sbin/iptables -A INPUT -p icmp -j icmp_packets
/sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/24 -j ACCEPT
/sbin/iptables -A INPUT -d 10.0.0.2 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p TCP -i eth0 -j tcp_packets
/sbin/iptables -A INPUT -i lo -s 10.0.0.2 -j allowed
/sbin/iptables -A INPUT -i lo -s 192.168.0.0/24 -j allowed
/sbin/iptables -A INPUT -i lo -s 127.0.0.1 -j allowed







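To see which rules the packets the post worries about actually hit (a fresh SSH SYN to the firewall, a stray ACK to port 22, an unsolicited SSH SYN toward a LAN box, a LAN ping and its reply, and a UDP query over loopback), here is a small Python model of the posted INPUT and FORWARD chains. It is an added example for this page, not the poster's script and not iptables: it transcribes only the filter-table rules above with the matches they use (-p, -i, -s, -d, --dport, --syn, -m state, --icmp-type), treats LOG as non-terminating and a user chain that runs out of rules as RETURN, and leaves out the nat table, whose rules here only LOG or MASQUERADE. The conntrack states in the samples (NEW, ESTABLISHED, INVALID) are assumed, and 203.0.113.10 and 192.168.0.5 are constructed stand-ins for an Internet host and a LAN box.

```python
# Added model of the posted filter-table rules; not the poster's script and
# not iptables, only a tracer for how its chains are walked.
from ipaddress import ip_address, ip_network

def rule(target, **match):
    return (match, target)

# Filter-table chains, transcribed in order from the posted script.
CHAINS = {
    "allowed": [
        rule("ACCEPT", p="tcp", syn=True),
        rule("ACCEPT", p="tcp", state={"ESTABLISHED", "RELATED"}),
        rule("LOG"),                              # "filter WIERD_TCP:"
        rule("DROP", p="tcp"),                    # non-TCP falls off the end
    ],
    "tcp_packets": [
        rule("allowed", p="tcp", d="10.0.0.2/32", dport=22),
        rule("allowed", p="tcp", i="eth1", s="192.168.0.0/24"),
        rule("DROP"),
    ],
    "icmp_packets": [
        rule("LOG", p="icmp", icmp_type=8),
        rule("LOG", p="icmp", icmp_type=0),
        rule("ACCEPT", p="icmp", i="eth1", icmp_type=8),
        rule("ACCEPT", p="icmp", icmp_type=11),   # final DROP is commented out
    ],
    "FORWARD": [
        rule("LOG", p="icmp", icmp_type=0),
        rule("LOG", p="icmp", icmp_type=8),
        rule("icmp_packets", p="icmp"),
        rule("ACCEPT", i="eth1", s="192.168.0.0/24"),
        rule("ACCEPT", d="192.168.0.0/24", state={"ESTABLISHED", "RELATED"}),
        rule("tcp_packets", p="tcp", d="192.168.0.0/24"),
    ],
    "INPUT": [
        rule("LOG", p="icmp", icmp_type=0),
        rule("LOG", p="icmp", icmp_type=8),
        rule("icmp_packets", p="icmp"),
        rule("ACCEPT", i="eth1", s="192.168.0.0/24"),
        rule("ACCEPT", d="10.0.0.2/32", state={"ESTABLISHED", "RELATED"}),
        rule("tcp_packets", p="tcp", i="eth0"),
        rule("allowed", i="lo", s="10.0.0.2/32"),
        rule("allowed", i="lo", s="192.168.0.0/24"),
        rule("allowed", i="lo", s="127.0.0.1/32"),
    ],
}
POLICY = {"INPUT": "DROP", "FORWARD": "DROP"}

def matches(match, pkt):
    """True when every condition of the rule holds for the packet."""
    for key, want in match.items():
        have = pkt.get(key)
        if key in ("s", "d"):
            ok = ip_address(have) in ip_network(want)
        else:
            ok = have in want if key == "state" else have == want
        if not ok:
            return False
    return True

def walk(chain, pkt, trace):
    """ACCEPT/DROP decide, LOG continues, a user chain is a jump, end of chain is RETURN."""
    for n, (match, target) in enumerate(CHAINS[chain], 1):
        if not matches(match, pkt):
            continue
        trace.append(f"{chain}[{n}]->{target}")
        if target in ("ACCEPT", "DROP"):
            return target
        if target != "LOG":
            result = walk(target, pkt, trace)
            if result is not None:
                return result
    return None

def verdict(chain, pkt):
    """Final verdict for a packet entering a built-in chain, plus the rules it hit."""
    trace = []
    result = walk(chain, pkt, trace)
    if result is None:
        result = POLICY[chain]
        trace.append(f"{chain} policy->{result}")
    return result, trace

# Constructed packets: 203.0.113.10 stands in for an Internet host, 192.168.0.5
# for a LAN box; "state" is the assumed conntrack state, "syn" mirrors --syn.
NET, LAN = "203.0.113.10", "192.168.0.5"
SAMPLES = {
    "ssh_syn_to_fw":    ("INPUT", dict(p="tcp", i="eth0", s=NET, d="10.0.0.2", dport=22, syn=True, state="NEW")),
    "stray_ack_to_ssh": ("INPUT", dict(p="tcp", i="eth0", s=NET, d="10.0.0.2", dport=22, syn=False, state="INVALID")),
    "dns_query_on_lo":  ("INPUT", dict(p="udp", i="lo", s="127.0.0.1", d="127.0.0.1", dport=53, state="NEW")),
    "lan_ping_out":     ("FORWARD", dict(p="icmp", i="eth1", s=LAN, d=NET, icmp_type=8, state="NEW")),
    "ping_reply_in":    ("FORWARD", dict(p="icmp", i="eth0", s=NET, d=LAN, icmp_type=0, state="ESTABLISHED")),
    "ssh_syn_to_lan":   ("FORWARD", dict(p="tcp", i="eth0", s=NET, d=LAN, dport=22, syn=True, state="NEW")),
}

def run_all():
    """Verdict for every sample packet, keyed by name."""
    return {name: verdict(chain, pkt)[0] for name, (chain, pkt) in SAMPLES.items()}

if __name__ == "__main__":
    for name, (chain, pkt) in SAMPLES.items():
        result, trace = verdict(chain, pkt)
        print(f"{name:17} {result:6} " + " ; ".join(trace))
```

Running it prints, per packet, the chain and rule index that decided the verdict. The stray ACK is the case the "--syn" question is about: it passes the --syn rule untouched, is not ESTABLISHED, hits the WIERD_TCP log and then the DROP. The loopback UDP query shows the other side of the same chain: allowed only drops TCP, so a non-TCP packet returns to INPUT and is decided by the DROP policy.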



