#1  04-27-2004  (Just Joined!  Join Date: Apr 2004  Posts: 1)
linux ip table firewall

Hi
I wrote a firewall for my router (see below)... But because I'm a linux noob I'm not fully convinced of the firewall itself. Please take some time to read it and if you know something I need to add or remove... please reply

Thx in advance

(ps: nat support)



Quote:
#!/bin/sh
#variables
EXT=eth1
INT=eth0

#forwarding kernel level
echo 1 > /proc/sys/net/ipv4/ip_forward

#loading nat module (just to be sure)
modprobe iptable_nat

#telling iptables to use nat masquerading
iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE

#drop everything from outside
iptables -P INPUT DROP

#accept output
iptables -P OUTPUT ACCEPT

#accept forwarding (nat, remember)
iptables -P FORWARD ACCEPT

#block some ports in & out
#

#netbus
iptables -A OUTPUT -o $EXT -p tcp --dport 31337 -j DROP
iptables -A OUTPUT -o $EXT -p tcp --sport 31337 -j DROP

iptables -A FORWARD -i $EXT -p tcp --dport 31337 -j REJECT
iptables -A INPUT -i $EXT -p tcp --dport 31337 -j DROP


iptables -A OUTPUT -o $EXT -p tcp --dport 31335 -j DROP
iptables -A OUTPUT -o $EXT -p tcp --sport 31335 -j DROP

iptables -A FORWARD -i $EXT -p tcp --dport 31335 -j REJECT
iptables -A INPUT -i $EXT -p tcp --dport 31335 -j REJECT


iptables -A OUTPUT -o $EXT -p tcp --dport 27444 -j DROP
iptables -A OUTPUT -o $EXT -p tcp --sport 27444 -j DROP

iptables -A FORWARD -i $EXT -p tcp --dport 27444 -j REJECT
iptables -A INPUT -i $EXT -p tcp --dport 27444 -j DROP


iptables -A OUTPUT -o $EXT -p tcp --dport 27665 -j DROP
iptables -A OUTPUT -o $EXT -p tcp --sport 27665 -j DROP

iptables -A FORWARD -i $EXT -p tcp --dport 27665 -j REJECT
iptables -A INPUT -i $EXT -p tcp --dport 27665 -j DROP


iptables -A OUTPUT -o $EXT -p tcp --dport 20034 -j DROP
iptables -A OUTPUT -o $EXT -p tcp --sport 20034 -j DROP

iptables -A FORWARD -i $EXT -p tcp --dport 20034 -j REJECT
iptables -A INPUT -i $EXT -p tcp --dport 20034 -j DROP

#winnie
iptables -A OUTPUT -o $EXT -p tcp --dport 9704 -j DROP
iptables -A OUTPUT -o $EXT -p tcp --sport 9704 -j DROP

iptables -A FORWARD -i $EXT -p tcp --dport 9704 -j REJECT
iptables -A INPUT -i $EXT -p tcp --dport 9704 -j DROP


iptables -A OUTPUT -o $EXT -p tcp --dport 137 -j DROP
iptables -A OUTPUT -o $EXT -p tcp --sport 137 -j DROP

iptables -A FORWARD -i $EXT -p tcp --dport 137 -j REJECT
iptables -A INPUT -i $EXT -p tcp --dport 137 -j DROP


iptables -A OUTPUT -o $EXT -p tcp --dport 138 -j DROP
iptables -A OUTPUT -o $EXT -p tcp --sport 138 -j DROP

iptables -A FORWARD -i $EXT -p tcp --dport 138 -j REJECT
iptables -A INPUT -i $EXT -p tcp --dport 138 -j DROP


iptables -A OUTPUT -o $EXT -p tcp --dport 139 -j DROP
iptables -A OUTPUT -o $EXT -p tcp --sport 139 -j DROP

iptables -A FORWARD -i $EXT -p tcp --dport 139 -j REJECT
iptables -A INPUT -i $EXT -p tcp --dport 139 -j DROP

#
#end

#no ident request
iptables -A FORWARD -i $EXT -p tcp --dport 113 -j REJECT
iptables -A INPUT -i $EXT -p tcp --dport 113 -j REJECT

#icmp rules
iptables -A INPUT -i $EXT -p icmp --icmp-type 8 -j DROP
iptables -A FORWARD -i $EXT -p icmp --icmp-type 8 -j DROP
iptables -A OUTPUT -o $EXT -p icmp --icmp-type 8 -j ACCEPT

#Forward all packets from $INT (internal network) to $EXT (the internet).
iptables -A FORWARD -i $INT -o $EXT -j ACCEPT

#Forward packets that are part of existing and related connections from $EXT to $INT.
iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Permit packets in to firewall itself that are part of existing and related connections.
iptables -A INPUT -i $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT

#Allow all inputs to firewall from the internal network and local interfaces
iptables -A INPUT -i $INT -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT

#Accept all tcp SYN packets for protocol SSH
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 22 --syn -j ACCEPT

#For DHCP server
iptables -A INPUT -i $INT -p tcp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -i $INT -p udp --sport 68 --dport 67 -j ACCEPT

iptables -A INPUT -i $EXT -p tcp --sport 68 --dport 67 -j DROP
iptables -A INPUT -i $EXT -p udp --sport 68 --dport 67 -j DROP

#For DNS server
iptables -A INPUT -i $INT -p tcp --sport 53 --dport 53 -j ACCEPT
iptables -A INPUT -i $INT -p udp --sport 53 --dport 53 -j ACCEPT

iptables -A INPUT -i $EXT -p tcp --sport 53 --dport 53 -j DROP
iptables -A INPUT -i $EXT -p udp --sport 53 --dport 53 -j DROP

#extra
iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP
Notorious
#2  04-27-2004  (Linux Guru  Join Date: Apr 2003  Location: London, UK  Posts: 3,284)
Generally it is better to DROP everything, then only allow what you need, rather than allowing everything, and trying to figure out what bits to drop.

Take a look at my firewall script here for some more inspiration:
http://www.jasonlambert.com/download.php

Jason
jasonlambert
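Jason's point applied to the script in the first post, as an added example (not the poster's script and not the one linked above): the same router ruleset rebuilt default-deny, so the port-by-port block list disappears because nothing arriving on the outside interface is accepted unless a rule says so. It assumes the original interface names and an IPT variable that defaults to a dry run printing the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the poster's script: the router firewall rebuilt
# default-deny. Every chain policy is DROP and only the traffic the router
# actually needs is accepted explicitly. Interface names follow the original
# post; IPT defaults to a dry run that prints the rules for review.
EXT=${EXT:-eth1}
INT=${INT:-eth0}
IPT=${IPT:-"echo iptables"}

default_deny_ruleset() {
    # Flush first so re-running the script never stacks duplicate rules.
    $IPT -F
    $IPT -t nat -F
    # Policies: nothing reaches the router or crosses it unless a rule allows it.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    # Replies to connections already permitted may continue in both directions.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    # Services the LAN may use on the router: DNS, DHCP and SSH only.
    # DNS clients query from ephemeral ports, so match the destination port only.
    $IPT -A INPUT -i "$INT" -p udp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$INT" -p tcp --dport 53 -j ACCEPT
    $IPT -A INPUT -i "$INT" -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -A INPUT -i "$INT" -p tcp --dport 22 -j ACCEPT
    # LAN hosts may open connections to the Internet, masqueraded behind $EXT.
    $IPT -A FORWARD -i "$INT" -o "$EXT" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE
    # Keep a rate-limited record of what the INPUT policy discards from outside.
    $IPT -A INPUT -i "$EXT" -m limit --limit 5/min -j LOG --log-prefix "FW-IN: "
}

# Number of rules that accept traffic arriving on the outside interface;
# for a default-deny router ruleset this must be 0.
accepts_from_outside() {
    default_deny_ruleset | grep -c -- "-i $EXT .*-j ACCEPT" || true
}

default_deny_ruleset
```

Run it as is to review the generated rules; set IPT=iptables to apply them as root.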
© 2000 - 2009 - All Rights Reserved - Property of  MAS Media