  1. #1 Firewall Specifics
     Just Joined! Join Date: Dec 2005, Posts: 2

    ###Basically here's a summary of what I want to achieve by using the firewall:->
    HTTP port 80 is open for everyone in my network. Some specific ports such as 5000:5050 (yahoo), 1863 (msn), 5222:5223 (gtalk), 443 (gmail) are CLOSED by default, but some extra rules will take care of any exceptions to this rule. I don't want packets having my internal network address coming from the outside interface. I want to open the SSH port only to some trusted IP addresses outside of my network; for the rest of the world it's closed. Similarly, I want the FTP port (20:21) open to only some selected (trusted) candidates. I also want to enable logging. By default my network policy will be to DROP all packets if there are no extra rules to match. I want a rule that allows some candidates to bypass the SQUID proxy that runs behind IPTABLES. Lastly I want to enable connection tracking.

    ###Here are the firewall rules that I have come up with to meet the need:->
    #!/bin/bash

    ##DEFINITIONS

    ###FOR NETWORKS
    NET1="NET1_IP_POOL" ##MY INTERNAL NETWORK, JUST ASSUME
    NET2="NET2_IP_POOL" ##MY TRUSTED NETWORK

    ###FOR PORTS
    SSH="2001"
    FTP="20:21"
    SQUID="3128"
    DNS_SPRT="53"
    DNS_DPRT="1024"
    SMTP="25"

    YAHOO="5000:5050"
    GMAIL="443"
    MSN="1863"
    GTALK_1="5222"
    GTALK_2="5223"


    ###FOR EXTERNAL NETWORK CARD CONFIGURATION
    ##(MUST NOT BE COMMENTED OUT: $IF0_IP IS USED BY THE INPUT RULES BELOW)
    IF0="eth0"
    IF0_IP=`/sbin/ifconfig $IF0|grep inet|awk -F: '{print $2}'|awk '{print $1}'`
    IF0_MASK=`/sbin/ifconfig $IF0|grep inet|awk '{print $4}'|awk -F: '{print $2}'`
    IF0_NET="$IF0_IP/$IF0_MASK"

    ###FOR INTERNAL NETWORK (LAN) CARD CONFIGURATION
    IF1="eth1"
    IF1_IP=`/sbin/ifconfig $IF1|grep inet|awk -F: '{print $2}'|awk '{print $1}'`
    IF1_MASK=`/sbin/ifconfig $IF1|grep inet|awk '{print $4}'|awk -F: '{print $2}'`
    IF1_NET="$IF1_IP/$IF1_MASK"

    ###FOR IPTABLES (SHORTHAND)
    FW="/sbin/iptables"
    INPUT="$FW -A INPUT"
    OUTPUT="$FW -A OUTPUT"
    FORWARD="$FW -A FORWARD"
    LOG="LOG --log-level DEBUG"
    LOGOPTIONS="-m limit --limit 3/minute --limit-burst 3"
    IN_INT="-i"
    OUT_INT="-o"
    DROP="DROP"

    ###START
    LOGGING=1
    ###LOAD STARTUP MODULES
    /sbin/depmod -a

    ###FLUSH ALL RULES BEFORE DOING NEW ONES
    $FW -F
    $FW -F -t nat
    $FW -X

    ###ACCEPT EVERYTHING (TEMPORARILY, WHILE THE RULES ARE BEING LOADED)
    $FW -P INPUT ACCEPT
    $FW -P OUTPUT ACCEPT
    $FW -P FORWARD ACCEPT

    ###ACCEPT EVERYTHING FROM THE LOCAL INTERFACE
    $INPUT $IN_INT lo -j ACCEPT
    ###ACCEPT REPLIES (NON-SYN TCP, AND UDP) TO HIGH PORTS ON BOTH INTERFACES
    $INPUT -p tcp ! --syn -d $IF0_IP --dport 1024: -j ACCEPT
    $INPUT -p tcp ! --syn -d $IF1_IP --dport 1024: -j ACCEPT
    $INPUT -p udp -d $IF0_IP --dport 1024: -j ACCEPT
    $INPUT -p udp -d $IF1_IP --dport 1024: -j ACCEPT

    ###ACCEPT ALL OUTGOING TRAFFIC
    $OUTPUT $OUT_INT lo -j ACCEPT
    $OUTPUT -s $IF0_IP -j ACCEPT
    $OUTPUT -s $IF1_IP -j ACCEPT
    $OUTPUT -s $NET1 -j ACCEPT

    ###TRANSPROXY (REDIRECT LAN WEB TRAFFIC INTO SQUID)
    $FW -t nat -A PREROUTING -i $IF1 -p tcp --dport 80 -j REDIRECT --to-port $SQUID

    ###SQUID TRAFFIC
    $INPUT -p tcp -s $NET1 --dport $SQUID -j ACCEPT

    ###ICMP TRAFFIC
    $INPUT -p icmp -j ACCEPT
    $FORWARD -p icmp -j ACCEPT

    ###DNS TRAFFIC
    $INPUT -p udp --dport $DNS_SPRT -j ACCEPT
    $INPUT -p tcp --dport $DNS_SPRT -j ACCEPT
    $INPUT -p udp --sport $DNS_SPRT --dport $DNS_DPRT: -j ACCEPT

    ###TRACE-ROUTE TRAFFIC
    $INPUT -p udp --dport 33434:33523 -j ACCEPT
    $INPUT -p udp --sport 33434:33523 -j ACCEPT
    $FORWARD -p udp --dport 33434:33523 -j ACCEPT
    $FORWARD -p udp --sport 33434:33523 -j ACCEPT

    ###FTP TRAFFIC (ESTABLISHED)
    $INPUT -p tcp --sport 20 -j ACCEPT #CONFUSED HERE

    ###SSH TRAFFIC (ONLY TRUSTED ONES)
    ##SOME_IP IS A PLACEHOLDER FOR ONE TRUSTED OUTSIDE ADDRESS. THE POSTED VERSION MATCHED
    ##PORT 3128 IN THE FORWARD CHAIN HERE, WHICH IS NOT SSH AT ALL; SSH TO THIS HOST IS INPUT.
    $INPUT -p tcp -s SOME_IP --dport $SSH -j ACCEPT

    ###DONOT ALLOW YAHOO
    $FORWARD -s $NET1 -p tcp --dport $YAHOO -j $DROP

    ##DONOT ALLOW Gtalk
    $FORWARD -s $NET1 -p tcp --dport $GTALK_1 -j $DROP
    $FORWARD -s $NET1 -p tcp --dport $GTALK_2 -j $DROP

    ###DONOT ALLOW MSN
    $FORWARD -s $NET1 -p tcp --dport $MSN -j $DROP

    ###DONOT ALLOW GMAIL
    $FORWARD -s $NET1 -p tcp --dport $GMAIL -j $DROP

    ###DEFAULT POLICY: DROP EVERYTHING
    $FW -P INPUT DROP
    $FW -P OUTPUT DROP
    $FW -P FORWARD DROP

    ###LOG EVERYTHING (RATE LIMITED) THAT FALLS THROUGH TO THE END OF A CHAIN
    if [ "$LOGGING" = 1 ]
    then
    $INPUT $LOGOPTIONS -j $LOG --log-prefix "Input Logging: "
    $OUTPUT $LOGOPTIONS -j $LOG --log-prefix "Output Logging: "
    $FORWARD $LOGOPTIONS -j $LOG --log-prefix "Forward Logging: "
    fi

    ###TRACK CONNECTIONS (RAISE THE CONNTRACK TABLE SIZE)
    echo 522496 > /proc/sys/net/ipv4/ip_conntrack_max

    #END

    I am a little confused here. Is this script going in the right direction or am I just fooling myself?
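The parts of the summary above that the posted script does not yet implement: anti-spoofing on the outside interface, stateful acceptance of replies, trusted-only SSH and FTP, and a Squid bypass that sits before the REDIRECT. This is an added example, not the poster's script; interface names, the LAN range and the trusted and bypass hosts are constructed placeholders, and IPT defaults to a dry run that prints the rules instead of loading them.

```shell
#!/bin/sh
# Added example, not the poster's script. IPT defaults to a dry run that only
# prints the commands; run as root with IPT=/sbin/iptables to apply them.
IPT="${IPT:-echo /sbin/iptables}"
IF0="eth0"                          # external interface (assumed name)
IF1="eth1"                          # LAN interface (assumed name)
NET1="192.168.1.0/24"               # constructed LAN range, stands in for NET1_IP_POOL
TRUSTED="203.0.113.10 203.0.113.11" # constructed trusted outside hosts (TEST-NET-3)
BYPASS="192.168.1.50"               # constructed LAN host allowed to skip Squid
SSH="2001"; FTP="21"; SQUID="3128"

firewall_rules() {
  # 1. Anti-spoofing: our own LAN range can never legitimately arrive on eth0.
  $IPT -A INPUT   -i "$IF0" -s "$NET1" -j DROP
  $IPT -A FORWARD -i "$IF0" -s "$NET1" -j DROP
  # 2. Connection tracking: replies to connections we allowed are accepted here,
  #    so the "! --syn --dport 1024:" catch-all rules are no longer needed.
  $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  # 3. New SSH and FTP-control connections only from trusted hosts; anyone else
  #    falls through to the DROP policy. With ip_conntrack_ftp loaded, the FTP
  #    data channel is matched as RELATED by rule 2.
  for ip in $TRUSTED; do
    $IPT -A INPUT -i "$IF0" -p tcp -s "$ip" --dport "$SSH" -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$IF0" -p tcp -s "$ip" --dport "$FTP" -m state --state NEW -j ACCEPT
  done
  # 4. Proxy bypass: RETURN must come before the REDIRECT in nat/PREROUTING,
  #    otherwise the bypass host is redirected into Squid like everyone else.
  $IPT -t nat -A PREROUTING -i "$IF1" -s "$BYPASS" -p tcp --dport 80 -j RETURN
  $IPT -t nat -A PREROUTING -i "$IF1" -p tcp --dport 80 -j REDIRECT --to-port "$SQUID"
}

# rule_position NAME: 1-based position of the first dry-run rule containing NAME,
# handy for checking rule order before the set is loaded for real.
rule_position() {
  firewall_rules | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

firewall_rules
```

Review the dry-run output, then load it with `IPT=/sbin/iptables sh rules.sh` as root; the order check matters because iptables evaluates nat/PREROUTING top to bottom and the first matching terminal target wins.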

  2. #2 forget the whole damn thing!

    Hey guys!
    Forget the whole damn episode okie! I did it myself <yeah I wrote the whole firewall> and surprisingly it's good. Thanks for your unsupportive approach though.

    You keep saying that word again and again. I don't think it means what you think it means.
