I'm a bit of a newb and this is my first go at creating an iptables / nat script. however I'm not sure if this is secure enough...
i really want to make my config as secure as possible, so any suggestions/comments are greatly appreciated
notes:
- the script is run on my gateway machine
- eth0 is my local (hopefully secure) network
- wlan0 is my connection to the internet
Code:
#!/bin/sh
#
# Created by James Sullivan
# Last updated 13/07/07
#
#
PATH=/usr/sbin:/sbin:/bin:/usr/bin
# temporarily block all traffic.
iptables -P OUTPUT DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Delete/Flush old iptables rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Set default policies
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Prevent external packets from using loopback addr [OPTIONAL]
iptables -A INPUT -i wlan0 -s 127.0.0.1 -j DROP
iptables -A FORWARD -i wlan0 -s 127.0.0.1 -j DROP
iptables -A INPUT -i wlan0 -d 127.0.0.1 -j DROP
iptables -A FORWARD -i wlan0 -d 127.0.0.1 -j DROP
# Anything coming from/going to Internet should not
# use private addresses [OPTIONAL]
iptables -A FORWARD -i wlan0 -s 172.16.0.0/12 -j DROP
iptables -A FORWARD -i wlan0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i wlan0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i wlan0 -s 10.0.0.0/8 -j DROP
# Block outgoing NetBios [OPTIONAL]
iptables -A FORWARD -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p tcp --sport 137:139 -o eth0 -j DROP
iptables -A OUTPUT -p udp --sport 137:139 -o eth0 -j DROP
# Allow local loopback [NEEDED]
iptables -A INPUT -i lo -j ACCEPT
# Allow pings [OPTIONAL]
iptables -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT
############ STATE STUFF ############
# Accept existing connections [NEEDED]
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow any new conections from internal network
# [ONLY NEEDED IF PORTS ARE NOT EXPLITLY FORWARDED BELOW]
#iptables -A INPUT -m state --state NEW -i eth0 -j ACCEPT
#####################################
# Allow inbound services [OPTIONAL - DNS NEEDED]
iptables -A INPUT -p tcp -i wlan0 --dport 44444 -j ACCEPT #SSH
iptables -A INPUT -p tcp -i wlan0 --dport 23232 -j ACCEPT #Bittorrent
iptables -A INPUT -p udp -i wlan0 --dport 23232 -j ACCEPT #Bittorrent
iptables -A INPUT -p udp -i eth0 --dport 53 -j ACCEPT #DNS cache
iptables -A INPUT -p tcp -i eth0 --dport 53 -j ACCEPT #DNS cache
iptables -A INPUT -p udp -i eth0 --dport 137:139 -j ACCEPT #SAMBA
iptables -A INPUT -p tcp -i eth0 --dport 445 -j ACCEPT #SAMBA
# Allow forwarding of essential services [NEEDED]
iptables -A FORWARD -p tcp --dport 80 -j ACCEPT #WEB
iptables -A FORWARD -p tcp --dport 443 -j ACCEPT #HTTPS
# Don't forward from the outside to the inside [OPTIONAL]
iptables -A FORWARD -i wlan0 -o eth0 -j REJECT
# Masquerade [NEEDED]
iptables -t nat -A POSTROUTING -o wlan0 -j MASQUERADE
# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward
Linear Mode
