  1. #1 RobinVossen (Linux Engineer, The Netherlands, joined Aug 2007)

    Need help with Firewall Script

    I just can't figure out what I am doing wrong.
    It's to allow NAT for my OpenVZ boxes.
    Code:
    #!/bin/bash
    #Allow some stuff.
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ##Anti-Flooding
    #echo 1 > /proc/sys/net/ipv4/tcp_syncookies

    #Here we start our Setup.
    #By default we Drop All
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT

    #Then we Flush All.
    iptables -F INPUT
    iptables -F FORWARD
    iptables -F OUTPUT
    iptables -F -t nat

    #Accept to FORWARD from venet00 to eth0
    iptables -A FORWARD -i venet00 -o eth0 -j ACCEPT

    # Allow all inputs to firewall from the internal network and local interfaces
    #iptables -A OUTPUT -o venet00 -s 0/0 -d 0/0 -j ACCEPT
    iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT

    # Deny any packet coming in on the public internet interface eth0 which has a spoofed source address from our local networks:
    iptables -A INPUT -i eth0 -s 192.168.0.0/24 -j DROP
    iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP

    # Accept all tcp SYN packets from interesting protocols.
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 80 --syn -j ACCEPT        #HTTP
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 443 --syn -j ACCEPT       #HTTPS
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 22 --syn -j ACCEPT        #SSH
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 5900:6000 --syn -j ACCEPT #VNC (a port range is written with ':', not '/')
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 110 --syn -j ACCEPT       #POP3
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 25 --syn -j ACCEPT        #SMTP
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 143 --syn -j ACCEPT       #IMAP

    # For DHCP server:
    #iptables -A INPUT -i eth1 -p tcp --sport 68 --dport 67 -j ACCEPT
    #iptables -A INPUT -i eth1 -p udp --sport 68 --dport 67 -j ACCEPT

    # Finally, DENY all connection requests to any UDP port not yet provided
    iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
    iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP
    # (the original last line ended in '-j ICMP', which is not an iptables target
    #  and makes the script fail; to answer with an ICMP error instead of a silent
    #  drop, use '-j REJECT --reject-with icmp-port-unreachable' on the line above)

    Any help can save me a job :P
    Cheers,
    Robin

  2. #2 Linux Guru (joined Nov 2007)
    > Are you using iptables logging to see where packets are getting blocked?

    > I think this diagram will help. Note that packets not bound for the local machine don't go through the INPUT chain.

    > Any remote machine will not have a route to the network the NAT'ed machines are on. Because of that, you need to either use SNAT or MASQUERADE for packets going out from the NAT machines.

    > Instead of using specific TCP flags, you may want to simplify and use the match state options with NEW, RELATED, and ESTABLISHED.

    Small iptables script for a gateway machine. (This is a simple setup, but it works.)

    Code:
    #!/bin/bash
    ### Firewall Startup Script ###
    # Define networks first:

    EXT_IFACE="eth0"
    EXT_IP="10.66.X.X"

    INT_IFACE="eth1"
    INT_IP="172.0.10.1"   # defined for reference; not used by a rule below

    # Load all of the IPTABLES modules:
    modprobe ip_conntrack
    modprobe ip_nat_ftp
    modprobe ip_conntrack_ftp
    modprobe iptable_nat

    # Flush the tables in case something is there:
    iptables --flush
    iptables -t nat --flush
    iptables -t mangle --flush

    # Set the default policies - DROP/ACCEPT
    iptables -P INPUT DROP
    # iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    iptables -t nat -P POSTROUTING ACCEPT
    iptables -t nat -P PREROUTING ACCEPT
    iptables -t nat -P OUTPUT ACCEPT

    # Drop/Create DROP_LOG chain (the -X fails harmlessly on the first run, when the chain does not exist yet):
    iptables -X DROP_LOG 2>/dev/null
    iptables -N DROP_LOG

    # Allow anything going to/from the loopback interface:
    iptables -A INPUT -i lo -j ACCEPT
    #iptables -A OUTPUT -o lo -j ACCEPT

    ##############################
    # This builds the INPUT rules:

    # Allow anything from internal network:
    iptables -A INPUT -i $INT_IFACE -s 172.0.10.0/24 -j ACCEPT

    # Allow SSH from any 10.X address going to EXT_IP:
    iptables -A INPUT -i $EXT_IFACE -p tcp -s 10.0.0.0/8 -d $EXT_IP --dport 22 -j ACCEPT

    # Allow ICMP requests?
    iptables -A INPUT -i $EXT_IFACE -p icmp -j ACCEPT

    # Drop and log everything else:
    iptables -A INPUT -j DROP_LOG

    ###############################
    # Build the DROP_LOG rules:

    iptables -A DROP_LOG -j LOG --log-prefix "FW_Logged: "
    iptables -A DROP_LOG -j REJECT --reject-with icmp-net-unreachable

    ###############################
    # Build the FORWARD rules:

    # New connections only leave via the external interface; only replies come back in.
    iptables -A FORWARD -o $EXT_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -i $EXT_IFACE -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Moving on to the NAT table:
    ###############################
    # POSTROUTING:

    # Rewrite the internal source addresses to the external address on the way out.
    iptables -A POSTROUTING -t nat -o $EXT_IFACE -s 172.0.10.0/24 -d 0/0 -j MASQUERADE
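Putting the reply's three points together for the original poster's OpenVZ setup, as an added example that is not part of either post: a MASQUERADE rule in nat/POSTROUTING so replies have a route back, `-m state` matching instead of `--syn`, and a rate-limited LOG chain so a blocked packet can be found in the kernel log. The interface name `venet0`, the container range `192.168.0.0/24` and the open ports `22 80 443` are assumptions, as are the helper functions `apply_rules`, `dry_run` and `rule_count`; with `IPT` set to `echo iptables` the script prints the rules instead of loading them, which needs no root.

```shell
#!/bin/bash
# Added example, not from the thread: NAT gateway rules for OpenVZ containers
# built on the reply's advice (MASQUERADE, state match, logged drops).
# Interface names, the container subnet and the open ports are assumptions.

IPT="${IPT:-iptables}"                 # set to "echo iptables" for a dry run
EXT_IFACE="${EXT_IFACE:-eth0}"         # public interface (assumed)
VZ_IFACE="${VZ_IFACE:-venet0}"         # host side of the OpenVZ containers (assumed)
VZ_NET="${VZ_NET:-192.168.0.0/24}"     # container address range (assumed)
OPEN_TCP="${OPEN_TCP:-22 80 443}"      # services offered by the host itself (assumed)

apply_rules() {
    # Without forwarding the FORWARD chain never sees a packet; skipped on dry run.
    if [ "$IPT" = iptables ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi

    $IPT -F
    $IPT -t nat -F

    # One chain that logs (rate limited) and then drops, so a blocked packet
    # can be located with: dmesg | grep FW_DROP
    $IPT -X LOG_DROP 2>/dev/null
    $IPT -N LOG_DROP
    $IPT -A LOG_DROP -m limit --limit 5/min -j LOG --log-prefix "FW_DROP: "
    $IPT -A LOG_DROP -j DROP

    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # INPUT only sees traffic addressed to the host itself.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: the container range and loopback never arrive from outside.
    $IPT -A INPUT -i "$EXT_IFACE" -s "$VZ_NET" -j LOG_DROP
    $IPT -A INPUT -i "$EXT_IFACE" -s 127.0.0.0/8 -j LOG_DROP
    for port in $OPEN_TCP; do
        $IPT -A INPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    $IPT -A INPUT -j LOG_DROP

    # FORWARD carries container <-> internet traffic: new connections only
    # outbound, replies only inbound.
    $IPT -A FORWARD -i "$VZ_IFACE" -o "$EXT_IFACE" -s "$VZ_NET" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IFACE" -o "$VZ_IFACE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -j LOG_DROP

    # The piece missing from the original script: rewrite the container source
    # address to the host's public address so replies have a route back.
    $IPT -t nat -A POSTROUTING -o "$EXT_IFACE" -s "$VZ_NET" -j MASQUERADE
}

# Print the rule set instead of loading it (no root needed).
dry_run() {
    ( IPT="echo iptables"; apply_rules )
}

# Number of iptables commands the script issues.
rule_count() {
    dry_run | grep -c '^iptables '
}

case "${1:-}" in
    --dry-run) dry_run ;;
    --apply)   apply_rules ;;
esac
```

Run it as `./nat.sh --dry-run` to review the 21 commands it would issue, and as root with `--apply` to load them; a packet that gets dropped afterwards appears in `dmesg` with the `FW_DROP:` prefix, which answers the reply's first question about seeing where packets are blocked.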
