- 03-22-2008 #1
Need help with Firewall Script
I just can't figure out what I am doing wrong.
It's to allow NAT for my OpenVZ boxes.
Code:
#!/bin/bash
# Allow some stuff.
echo 1 > /proc/sys/net/ipv4/ip_forward
## Anti-Flooding
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Here we start our Setup.
# By default we Drop All
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Then we Flush All.
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t nat
# Accept to FORWARD from eth0 to venet00
iptables -A FORWARD -i venet00 -o eth0 -j ACCEPT
# Allow all inputs to firewall from the internal network and local interfaces
#iptables -A OUTPUT -i venet00 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
# Deny any packet coming in on the public internet interface eth0 which has a spoofed source address from our local networks:
iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
# Accept all tcp SYN packets from interesting protocols.
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 80 --syn -j ACCEPT    # HTTP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 443 --syn -j ACCEPT   # HTTPS
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 22 --syn -j ACCEPT    # SSH
# port ranges use a colon, not a slash (5900/6000 is rejected by iptables)
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 5900:6000 --syn -j ACCEPT  # VNC
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 110 --syn -j ACCEPT   # POP3
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 25 --syn -j ACCEPT    # SMTP
iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 143 --syn -j ACCEPT   # IMAP
# For DHCP server:
#iptables -A INPUT -i eth1 -p tcp --sport 68 --dport 67 -j ACCEPT
#iptables -A INPUT -i eth1 -p udp --sport 68 --dport 67 -j ACCEPT
# Finally, DENY all connection requests to any UDP port not yet provided
iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP
# ICMP is not an iptables target, so this line fails to load; the usual intent is
# a REJECT target with --reject-with, but it is left as posted
iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j ICMP
Any help can save me a job :P
Cheers,
Robin
- 03-22-2008 #2 Linux Guru
> Are you using iptables logging to see where packets are getting blocked?
> I think this diagram will help. Note that packets not bound for the local machine don't go through the INPUT chain.
> Any remote machine will not have a route to the network the NAT'ed machines are on. Because of that, you need to either use SNAT or MASQUERADE for packets going out from the NAT machines.
> Instead of using specific TCP flags, you may want to simplify and use the match state options with NEW, RELATED, and ESTABLISHED.
Small iptables script for a gateway machine. (This is a simple setup, but it works.)
Code:
### Firewall Startup Script ###
# Define networks first:
EXT_IFACE="eth0"
EXT_IP="10.66.X.X"
INT_IFACE="eth1"
INT_IP="172.0.10.1"
# Load all of the IPTABLES modules:
modprobe ip_conntrack
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
modprobe iptable_nat
# Flush the tables in case something is there:
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush
# Set the default policies - DROP/ACCEPT
iptables -P INPUT DROP
# iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
# Drop/Create DROP_LOG chain:
iptables -X DROP_LOG
iptables -N DROP_LOG
# Allow anything going to/from the loopback interface:
iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT
##############################
# This builds the INPUT rules:
# Allow anything from internal network:
iptables -A INPUT -i $INT_IFACE -s 172.0.10.0/24 -j ACCEPT
# Allow SSH from any 10.X address going to EXT_IP:
iptables -A INPUT -i $EXT_IFACE -p tcp -s 10.0.0.0/8 -d $EXT_IP --dport 22 -j ACCEPT
# Allow ICMP requests?
iptables -A INPUT -i $EXT_IFACE -p icmp -j ACCEPT
# Drop and log everything else:
iptables -A INPUT -j DROP_LOG
###############################
# Build the DROP_LOG rules:
iptables -A DROP_LOG -j LOG --log-prefix "FW_Logged: "
iptables -A DROP_LOG -j REJECT --reject-with icmp-net-unreachable
###############################
# Build the FORWARD rules:
iptables -A FORWARD -o $EXT_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $EXT_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT
# Moving on to the NAT table:
###############################
# POSTROUTING:
iptables -A POSTROUTING -t nat -o $EXT_IFACE -s 172.0.10.0/24 -d 0/0 -j MASQUERADE
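The three points the reply makes (stateful NEW/RELATED/ESTABLISHED matching instead of per-flag rules, logging so you can see where packets are dropped, and MASQUERADE so replies to the NAT'ed boxes can find their way back) put together in one script for the question's OpenVZ gateway. This is an added example, not the poster's script and not the reply's; the interface names, the internal network and the service ports are assumptions, and IPT/SYSCTL default to echo so the rules are printed rather than applied.

```shell
#!/bin/sh
# Added example of a stateful NAT gateway; not the poster's script nor the reply's.
# EXT_IFACE, INT_IFACE and INT_NET are assumed placeholders: set them for your host.
# IPT and SYSCTL default to "echo" so rules are printed, not applied;
# run as root with IPT=iptables SYSCTL=sysctl to apply them.
EXT_IFACE="${EXT_IFACE:-eth0}"
INT_IFACE="${INT_IFACE:-venet0}"
INT_NET="${INT_NET:-192.168.0.0/24}"
IPT="${IPT:-echo}"
SYSCTL="${SYSCTL:-echo}"

nat_gateway_rules() {
    # Forwarding must be on or nothing traverses the FORWARD chain at all.
    $SYSCTL -w net.ipv4.ip_forward=1

    # Start clean; default-deny inbound and forwarded traffic.
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, then one stateful rule that admits replies to anything the
    # gateway itself started, in place of per-flag (--syn) rules.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: the internal and loopback ranges never arrive on the public side.
    $IPT -A INPUT -i "$EXT_IFACE" -s "$INT_NET" -j DROP
    $IPT -A INPUT -i "$EXT_IFACE" -s 127.0.0.0/8 -j DROP

    # Services on the gateway itself: only NEW connections need explicit rules.
    for port in 22 80 443; do
        $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done

    # Guests may open connections outward; only replies are forwarded back in.
    $IPT -A FORWARD -i "$INT_IFACE" -o "$EXT_IFACE" -s "$INT_NET" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IFACE" -o "$INT_IFACE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Rate-limited logging just before the DROP policy applies, so blocked
    # packets show up in the kernel log under a searchable prefix.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW_INPUT_DROP: "
    $IPT -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW_FWD_DROP: "

    # The piece the question's script lacks: rewrite guest source addresses to
    # the gateway's public address so remote hosts can route replies back.
    $IPT -t nat -A POSTROUTING -o "$EXT_IFACE" -s "$INT_NET" -j MASQUERADE
}

# Dry run by default: prints every rule in the order it would be loaded.
nat_gateway_rules
```

Run it once with the defaults and read the printed rule list top to bottom; that order matters, because the ESTABLISHED,RELATED rule must sit before the service rules and the LOG rules must be last. Dropped packets then appear in `dmesg` or syslog with the FW_INPUT_DROP or FW_FWD_DROP prefix, which answers the reply's first question of where packets are being blocked. The `-m state` match is what the reply names; on current kernels `-m conntrack --ctstate` is the equivalent.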