Rookie's iptables configuration:

Here's the problem.
I've been trying to patch up my own iptables-configuration for some days now, but I'm lacking skills and advice.

So here's my setup and what I basically want my iptables to do:
Desktop (Ubuntu/Windows 2000) <--cat5--> Server (Debian)+HP printer <--cat5--> ADSL and the Internet

1. The Desktop would be connected to the Server with a cross-linked RJ-45-cable. The Server would put the Desktop under NAT and if it could just filter out some basic stuff (like Blaster-worm attacks to ports 137 etc.) - so much the better. The Desktop would also have it's own software-based firewall.
2. The Server would also be hosting apache2, vsftpd etc. so I would want those ports to be open, but everything other incoming traffic to any other ports than 21, 80 etc. would be blocked. eth0 is connected to Internet and eth1 would be connected to the Desktop.

Here is a full list of what incoming traffic should be permitted behalf of the Server: [syntax: name (port, protocols)]

Quote:

---

* SSH (22, tcp/udp)
* NTP (123, tcp/udp)
* WWW (80:443, tcp/udp)
* apt (21:80, tcp/udp)
* wget (20:21:80:443, tcp/udp)
* FTP (20:21, tcp/udp)
* IRC (6667, tcp)
* E-Mail (No need for implementing this yet, 'cause I'm not running a mailbox-system :>)

I'm not certain if all the stuff require both TCP/UDP, but... just in case.

Also if I need something open for DHCP, then that should be open... right?
And because I'm running cups/Samba on the Server, I would want it to be as if everyone from certain IPs (the ones coming from LAN) could use the printer and other IPs would be prohibited of printing.

---

And here's something incoming traffic (for both server and desktop) what should be blocked by firewall:

Quote:

---

* Ports 137, 138, 139 - both TCP/UDP
* Port 445, 593 - both TCP/UDP
* Samba-related ports. Everyone else but certain IPs.
* Pingflood (only 1/sec)

---

... and behold. Below is my iptables-conf atm. Made from scratch mostly by using tutorials & other people configs. I haven't even tested it yet, since I'm sure it won't work. Thus it needs really much fixing.

Code:

---

# the nat-traffic that is meant to be forwarded for desktop &#58;<
-A INPUT -i eth0 -m state --state ! ESTABLISHED,RELATED -j DROP
-t nat -A POSTROUTING -o eth0 -j MASQUERADE

# hmm... if i got correct, then this is the one needed for automatic fetching of ip, or so... &#58;p
-A INPUT -i eth0 -p udp -m udp --sport 67&#58;68 --dport 67&#58;68 -j ACCEPT

# the permitted incoming traffic... but it would be necessarry that i could use the same ports for outgoing traffic. meaning that my box starts fe. a new http-clientside connection
-A INPUT -p tcp -m tcp --dport 20 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m udp --dport 20 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m udp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m udp --dport 80 -j ACCEPT
# i was told that this was unnecessary
-A INPUT -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 123 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -m udp --dport 443 -j ACCEPT
# everything outgoing to other ports should be prohibited as well...

# the next line would block any traffic coming to other ports and log it...
-A INPUT -m multiport ! --ports 20&#58;21&#58;22&#58;80&#58;113&#58;123&#58;443 -j LDROP

# don't have idea about this one.
-A INPUT -i lo -j ACCEPT

# ping-requests allowed. only 1/sec allowed. thus icmp-echo-reply &#40;pong&#41; should be also permitted.
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT
-A INPUT -p icmp -m icmp ! --icmp-type 8 -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT

# logging ****
-A LDROP -p tcp -m limit --limit-burst 3/sec -j LOG --log-prefix "iptables&#58; TCP Dropped " --log-level 6
-A LDROP -p udp -m limit --limit-burst 3/sec -j LOG --log-prefix "iptables&#58; UDP Dropped " --log-level 6
-A LDROP -p icmp -m limit --limit-burst 3/sec -j LOG --log-prefix "iptables&#58; ICMP Dropped " --log-level 6
-A LDROP -f -m limit --limit-burst 3/sec -j LOG --log-prefix "iptables&#58; FRAGMENT Dropped "
-A LDROP -j DROP

---

Any given help is welcome and warmly accepted.

Greetings,
-d

Try this one, I got it from a friend of mine...it also logs everything with your default logger which is nice.

#!/sbin/runscript
IPTABLES=/sbin/iptables
IPTABLESSAVE=/sbin/iptables-save
IPTABLESRESTORE=/sbin/iptables-restore
FIREWALL=/etc/firewall.rules

#inside
INT_IP=192.168.1.4
INT_IF=eth0
LOCAL_NETWORK=192.168.1.0/16

opts="${opts} showstatus panic save restore showoptions rules"

depend() {
need net
}

rules() {
ebegin "Setting firewall rules"

einfo "Flushing any old rules"
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X

einfo "Setting default rule to drop"
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP

#------------------------------------------------------------------------------------
einfo "Creating Connection-Tracking rule"
$IPTABLES -N state-tracking
$IPTABLES -F state-tracking
$IPTABLES -A state-tracking -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A state-tracking -m state --state INVALID -j DROP

#Catch portscanners
einfo "Creating portscan detection rule"
$IPTABLES -N portscan
$IPTABLES -F portscan
$IPTABLES -A portscan -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
$IPTABLES -A portscan -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A portscan -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
$IPTABLES -A portscan -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A portscan -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
$IPTABLES -A portscan -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A portscan -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
$IPTABLES -A portscan -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A portscan -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
$IPTABLES -A portscan -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A portscan -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
$IPTABLES -A portscan -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#------------------------------------------------------------------------------------

#------------------------------------------------------------------------------------
#Incoming connection rules
einfo "Creating incoming connection rules"
$IPTABLES -N incoming_con
$IPTABLES -F incoming_con

#ICMP Rules
$IPTABLES -A incoming_con -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A incoming_con -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A incoming_con -p icmp -j LOG --log-prefix "[Bad ICMP] : "
$IPTABLES -A incoming_con -p icmp -j DROP

#Enable SSH with Flood protection
$IPTABLES -A incoming_con -p tcp --dport ssh -j LOG --log-prefix "[Incoming SSH] : "
$IPTABLES -A incoming_con -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport ssh -j ACCEPT
$IPTABLES -A incoming_con -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport ssh -j ACCEPT
$IPTABLES -A incoming_con -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport ssh -j ACCEPT

#Allow SMB Connections
$IPTABLES -A incoming_con -p tcp --dport 135 -j ACCEPT
$IPTABLES -A incoming_con -p udp --dport 135 -j ACCEPT
$IPTABLES -A incoming_con -p tcp --dport 137 -j ACCEPT
$IPTABLES -A incoming_con -p udp --dport 137 -j ACCEPT
$IPTABLES -A incoming_con -p tcp --dport 139 -j ACCEPT
$IPTABLES -A incoming_con -p udp --dport 139 -j ACCEPT
$IPTABLES -A incoming_con -p tcp --dport 445 -j ACCEPT
$IPTABLES -A incoming_con -p udp --dport 445 -j ACCEPT

#Bittorrent Connections
$IPTABLES -A incoming_con -p tcp --dport 54321 -j ACCEPT
$IPTABLES -A incoming_con -p tcp --dport 54322 -j ACCEPT
$IPTABLES -A incoming_con -p tcp --dport 54323 -j ACCEPT
$IPTABLES -A incoming_con -p tcp --dport 54324 -j ACCEPT
$IPTABLES -A incoming_con -p tcp --dport 54325 -j ACCEPT

#Allow FTP Connections
$IPTABLES -A incoming_con -p tcp --dport 21 -j LOG --log-prefix "[Incoming FTP] : "
$IPTABLES -A incoming_con -p tcp --dport 21 -j ACCEPT

$IPTABLES -A incoming_con -p tcp --dport 25 -j ACCEPT

#Allow MySQL Connection
$IPTABLES -A incoming_con -p tcp --dport 3306 -j ACCEPT

#Allow Webmin
$IPTABLES -A incoming_con -p tcp --dport 10000 -j ACCEPT


#Allow NETOP Connections
$IPTABLES -A incoming_con -p tcp --dport 6502 -j LOG --log-prefix "[Incoming NetOp] : "
$IPTABLES -A incoming_con -p tcp --dport 6502 -j ACCEPT
$IPTABLES -A incoming_con -p udp --dport 6502 -j ACCEPT

#Allow remote X displays
$IPTABLES -A incoming_con -p tcp --dport 6001 -j ACCEPT
$IPTABLES -A incoming_con -p tcp --dport 6000 -j ACCEPT

#Allow VMware console to connect
$IPTABLES -A incoming_con -p tcp --dport 902 -j ACCEPT

#Allow HTTP for Nagios
$IPTABLES -A incoming_con -p tcp --dport 80 -j ACCEPT
einfo "Allowing SSH FTP SMB HTTP NETOP"
#------------------------------------------------------------------------------------

#------------------------------------------------------------------------------------
#Outgoing connection rules
einfo "Creating outgoing connection rules"

$IPTABLES -N outgoing_con
$IPTABLES -F outgoing_con
$IPTABLES -A outgoing_con -j ACCEPT
#------------------------------------------------------------------------------------

#------------------------------------------------------------------------------------
# Apply and add invalid states to the chains
einfo "Applying rules to INPUT"
$IPTABLES -A INPUT -j state-tracking
$IPTABLES -A INPUT -j portscan
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -j incoming_con
#$IPTABLES -A INPUT -d 255.255.255.255 -j DROP
#$IPTABLES -A INPUT -d 192.168.255.255 -j DROP
$IPTABLES -A INPUT -j LOG --log-prefix "[Dropped Incoming con] "
$IPTABLES -A INPUT -j DROP


einfo "Applying rules to FORWARD"
$IPTABLES -A FORWARD -j state-tracking
$IPTABLES -A FORWARD -j portscan
$IPTABLES -A FORWARD -o lo -j ACCEPT
$IPTABLES -A FORWARD -j incoming_con
$IPTABLES -A FORWARD -j DROP

einfo "Applying rules to OUTPUT"
$IPTABLES -A OUTPUT -j state-tracking
$IPTABLES -A OUTPUT -o lo -j ACCEPT
$IPTABLES -A OUTPUT -j outgoing_con
$IPTABLES -A OUTPUT -j DROP

eend $?
}

start() {
ebegin "Starting firewall"
rules
eend $?
}

stop() {
ebegin "Stopping firewall"
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
eend $?
}

showstatus() {
ebegin "Status"
$IPTABLES -L -n -v --line-numbers
eend $?
}

panic() {
ebegin "Setting panic rules"
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
eend $?
}

save() {
ebegin "Saving Firewall rules"
$IPTABLESSAVE > $FIREWALL
eend $?
}

restore() {
ebegin "Restoring Firewall rules"
$IPTABLESRESTORE < $FIREWALL
eend $?
}

restart() {
svc_stop; svc_start
}

showoptions() {
echo "Usage: $0 {start|save|restore|panic|stop|restart|showstatus} "
echo "start) will restore setting if exists else force rules"
echo "stop) delete all rules and set all to accept"
echo "rules) force settings of new rules"
echo "save) will store settings in ${FIREWALL}"
echo "restore) will restore settings from ${FIREWALL}"
echo "showstatus) Shows the status"
}