03-22-2008, #1
RobinVossen
Linux Engineer
Join Date: Aug 2007
Location: The Netherlands
Posts: 1,155
Need help with Firewall Script

I just can't figure out what I am doing wrong.
It's to allow NAT for my OpenVZ boxes.
Code:
#!/bin/bash
#Allow some stuff.
echo 1 > /proc/sys/net/ipv4/ip_forward
##Anti-Flooding
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Here we start our Setup.
#By default we Drop All
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

#Then we Flush All.
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat

#Accept to FORWARD from venet00 to eth0
iptables -A FORWARD -i venet00 -o eth0 -j ACCEPT

# Allow all inputs to firewall from the internal network and local interfaces
#iptables -A OUTPUT -i venet00 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT

# Deny any packet coming in on the public internet interface eth0  which has a spoofed source address from our local networks:
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP

# Accept all tcp SYN packets from interesting protocols.
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 80 --syn -j ACCEPT        #HTTP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 443 --syn -j ACCEPT       #HTTPS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 22 --syn -j ACCEPT        #SSH
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 5900:6000 --syn -j ACCEPT #VNC (port ranges use a colon, not a slash)
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 110 --syn -j ACCEPT #POP3
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 25 --syn -j ACCEPT #SMTP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 143 --syn -j ACCEPT #IMAP

# For DHCP server:
#iptables -A INPUT -i eth1 -p tcp --sport 68 --dport 67 -j ACCEPT
#iptables -A INPUT -i eth1 -p udp --sport 68 --dport 67 -j ACCEPT

# Finally, DENY all connection requests to any UDP port not yet provided
iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP
# Note: ICMP is not an iptables target, so this last line fails to load; it is also unreachable after the DROP above.
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j ICMP

Any help can save me a job :P
Cheers,
Robin
03-22-2008, #2
HROAdmin26
Linux User
Join Date: Nov 2007
Posts: 487
> Are you using iptables logging to see where packets are getting blocked?

> I think this diagram will help. Note that packets not bound for the local machine don't go through the INPUT chain.

> Any remote machine will not have a route to the network the NAT'ed machines are on. Because of that, you need to either use SNAT or MASQUERADE for packets going out from the NAT machines.

> Instead of using specific TCP flags, you may want to simplify and use the match state options with NEW, RELATED, and ESTABLISHED.

Small iptables script for a gateway machine. (This is a simple setup, but it works.)

Code:
### Firewall Startup Script ###
# Define networks first:

EXT_IFACE="eth0"
EXT_IP="10.66.X.X"

INT_IFACE="eth1"
INT_IP="172.0.10.1"

# Load all of the IPTABLES modules:
modprobe ip_conntrack
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
modprobe iptable_nat

# Flush the tables in case something is there:
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

# Set the default policies - DROP/ACCEPT
iptables -P INPUT DROP
# iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

# Drop/Create DROP_LOG chain:
iptables -X DROP_LOG
iptables -N DROP_LOG

# Allow anything going to/from the loopback interface:
iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT

##############################
# This builds the INPUT rules:

# Allow anything from internal network:
iptables -A INPUT -i $INT_IFACE -s 172.0.10.0/24 -j ACCEPT

# Allow SSH from any 10.X address going to EXT_IP:
iptables -A INPUT -i $EXT_IFACE -p tcp -s 10.0.0.0/8 -d $EXT_IP --dport 22 -j ACCEPT

# Allow ICMP requests?
iptables -A INPUT -i $EXT_IFACE -p icmp -j ACCEPT

# Drop and log everything else:
iptables -A INPUT -j DROP_LOG

###############################
# Build the DROP_LOG rules:

iptables -A DROP_LOG -j LOG --log-prefix "FW_Logged: "
iptables -A DROP_LOG -j REJECT --reject-with icmp-net-unreachable

###############################
# Build the FORWARD rules:

iptables -A FORWARD -o $EXT_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXT_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

# Moving on to the NAT table:
###############################
# POSTROUTING:

iptables -A POSTROUTING -t nat -o $EXT_IFACE -s 172.0.10.0/24 -d 0/0 -j MASQUERADE
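The logging advice above (the DROP_LOG chain tags rejected packets with the "FW_Logged: " prefix) is far easier to act on when the kernel log is summarised per source and destination port. The following is an added example, not code from either poster; the log lines are constructed in the KEY=VALUE format the iptables LOG target writes, and the field names it relies on (IN, SRC, PROTO, DPT) are the standard ones.

```python
"""Summarise iptables LOG lines carrying the DROP_LOG prefix from the script above."""
import re
from collections import Counter

LOG_PREFIX = "FW_Logged: "

# Constructed sample syslog output (not from a real host): four packets rejected
# by DROP_LOG plus one unrelated sshd line that must be ignored.
SAMPLE_LOG = """\
Mar 22 07:10:01 gw kernel: FW_Logged: IN=eth0 OUT= SRC=10.66.1.9 DST=10.66.5.2 LEN=60 TTL=64 ID=1 DF PROTO=TCP SPT=51234 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 22 07:10:02 gw kernel: FW_Logged: IN=eth0 OUT= SRC=10.66.1.9 DST=10.66.5.2 LEN=60 TTL=64 ID=2 DF PROTO=TCP SPT=51235 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 22 07:10:03 gw kernel: FW_Logged: IN=eth0 OUT= SRC=10.66.7.7 DST=10.66.5.2 LEN=40 TTL=128 ID=3 PROTO=UDP SPT=137 DPT=137 LEN=20
Mar 22 07:10:04 gw kernel: FW_Logged: IN=eth0 OUT= SRC=10.66.1.9 DST=10.66.5.2 LEN=60 TTL=64 ID=4 DF PROTO=TCP SPT=51236 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 22 07:10:05 gw sshd[1234]: Accepted publickey for admin from 172.0.10.5
"""

# KEY=VALUE pairs; bare flags such as DF and SYN carry no '=' and are skipped.
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_log_line(line, prefix=LOG_PREFIX):
    """Return a dict of the KEY=VALUE fields after the LOG prefix, or None
    when the line is not a firewall log entry (other kernel/syslog output)."""
    idx = line.find(prefix)
    if idx < 0:
        return None
    return dict(FIELD_RE.findall(line[idx + len(prefix):]))


def summarize(log_text, prefix=LOG_PREFIX):
    """Count rejected packets per (inbound iface, source, protocol, dest port)."""
    counts = Counter()
    for line in log_text.splitlines():
        fields = parse_log_line(line, prefix)
        if fields is None:
            continue
        key = (fields.get("IN", ""), fields.get("SRC", ""),
               fields.get("PROTO", ""), fields.get("DPT", ""))
        counts[key] += 1
    return counts


def top_sources(counts, n=3):
    """Fold the per-port counts down to the n busiest source addresses."""
    by_src = Counter()
    for (_, src, _, _), hits in counts.items():
        by_src[src] += hits
    return by_src.most_common(n)


if __name__ == "__main__":
    for key, hits in summarize(SAMPLE_LOG).most_common():
        print(f"{hits:4d}  in={key[0]} src={key[1]} {key[2]}/{key[3]}")
```

Feed it real output with `python3 fwlog.py < /var/log/kern.log` style redirection after swapping SAMPLE_LOG for `sys.stdin.read()`; a source that keeps reappearing against ports the gateway never opened is the first thing to look at.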