  1. #1

    Linux iptables firewall


    Hi
    I wrote a firewall for my router (see below)... But because I'm a Linux noob I'm not fully convinced of the firewall itself. Please take some time to read it and if you know something I need to add or remove... please reply

    Thx in advance

    (ps: nat support)



    #variables
    EXT=eth1
    INT=eth0

    #forwarding kernel level
    echo 1 > /proc/sys/net/ipv4/ip_forward

    #loading nat module (just to be sure)
    modprobe iptable_nat

    #telling iptables to use nat masquerading
    iptables -t nat -A POSTROUTING -o $EXT -j MASQUERADE

    #drop everything from outside
    iptables -P INPUT DROP

    #accept output
    iptables -P OUTPUT ACCEPT

    #accept forwarding (nat, remember)
    iptables -P FORWARD ACCEPT

    #block some ports in & out
    #

    #netbus
    iptables -A OUTPUT -o $EXT -p tcp --dport 31337 -j DROP
    iptables -A OUTPUT -o $EXT -p tcp --sport 31337 -j DROP

    iptables -A FORWARD -i $EXT -p tcp --dport 31337 -j REJECT
    iptables -A INPUT -i $EXT -p tcp --dport 31337 -j DROP


    iptables -A OUTPUT -o $EXT -p tcp --dport 31335 -j DROP
    iptables -A OUTPUT -o $EXT -p tcp --sport 31335 -j DROP

    iptables -A FORWARD -i $EXT -p tcp --dport 31335 -j REJECT
    iptables -A INPUT -i $EXT -p tcp --dport 31335 -j REJECT


    iptables -A OUTPUT -o $EXT -p tcp --dport 27444 -j DROP
    iptables -A OUTPUT -o $EXT -p tcp --sport 27444 -j DROP

    iptables -A FORWARD -i $EXT -p tcp --dport 27444 -j REJECT
    iptables -A INPUT -i $EXT -p tcp --dport 27444 -j DROP


    iptables -A OUTPUT -o $EXT -p tcp --dport 27665 -j DROP
    iptables -A OUTPUT -o $EXT -p tcp --sport 27665 -j DROP

    iptables -A FORWARD -i $EXT -p tcp --dport 27665 -j REJECT
    iptables -A INPUT -i $EXT -p tcp --dport 27665 -j DROP


    iptables -A OUTPUT -o $EXT -p tcp --dport 20034 -j DROP
    iptables -A OUTPUT -o $EXT -p tcp --sport 20034 -j DROP

    iptables -A FORWARD -i $EXT -p tcp --dport 20034 -j REJECT
    iptables -A INPUT -i $EXT -p tcp --dport 20034 -j DROP

    #winnie
    iptables -A OUTPUT -o $EXT -p tcp --dport 9704 -j DROP
    iptables -A OUTPUT -o $EXT -p tcp --sport 9704 -j DROP

    iptables -A FORWARD -i $EXT -p tcp --dport 9704 -j REJECT
    iptables -A INPUT -i $EXT -p tcp --dport 9704 -j DROP


    iptables -A OUTPUT -o $EXT -p tcp --dport 137 -j DROP
    iptables -A OUTPUT -o $EXT -p tcp --sport 137 -j DROP

    iptables -A FORWARD -i $EXT -p tcp --dport 137 -j REJECT
    iptables -A INPUT -i $EXT -p tcp --dport 137 -j DROP


    iptables -A OUTPUT -o $EXT -p tcp --dport 138 -j DROP
    iptables -A OUTPUT -o $EXT -p tcp --sport 138 -j DROP

    iptables -A FORWARD -i $EXT -p tcp --dport 138 -j REJECT
    iptables -A INPUT -i $EXT -p tcp --dport 138 -j DROP


    iptables -A OUTPUT -o $EXT -p tcp --dport 139 -j DROP
    iptables -A OUTPUT -o $EXT -p tcp --sport 139 -j DROP

    iptables -A FORWARD -i $EXT -p tcp --dport 139 -j REJECT
    iptables -A INPUT -i $EXT -p tcp --dport 139 -j DROP

    #
    #end

    #no ident request
    iptables -A FORWARD -i $EXT -p tcp --dport 113 -j REJECT
    iptables -A INPUT -i $EXT -p tcp --dport 113 -j REJECT

    #icmp rules
    iptables -A INPUT -i $EXT -p icmp --icmp-type 8 -j DROP
    iptables -A FORWARD -i $EXT -p icmp --icmp-type 8 -j DROP
    iptables -A OUTPUT -o $EXT -p icmp --icmp-type 8 -j ACCEPT

    #Forward all packets from $INT (internal network) to $EXT (the internet).
    iptables -A FORWARD -i $INT -o $EXT -j ACCEPT

    #Forward packets that are part of existing and related connections from $EXT to $INT.
    iptables -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT

    #Permit packets in to firewall itself that are part of existing and related connections.
    iptables -A INPUT -i $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT

    #Allow all inputs to firewall from the internal network and local interfaces
    iptables -A INPUT -i $INT -s 0/0 -d 0/0 -j ACCEPT
    iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT

    #Accept all tcp SYN packets for protocol SSH
    iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 22 --syn -j ACCEPT

    #For DHCP server
    iptables -A INPUT -i $INT -p tcp --sport 68 --dport 67 -j ACCEPT
    iptables -A INPUT -i $INT -p udp --sport 68 --dport 67 -j ACCEPT

    iptables -A INPUT -i $EXT -p tcp --sport 68 --dport 67 -j DROP
    iptables -A INPUT -i $EXT -p udp --sport 68 --dport 67 -j DROP

    #For DNS server
    iptables -A INPUT -i $INT -p tcp --sport 53 --dport 53 -j ACCEPT
    iptables -A INPUT -i $INT -p udp --sport 53 --dport 53 -j ACCEPT

    iptables -A INPUT -i $EXT -p tcp --sport 53 --dport 53 -j DROP
    iptables -A INPUT -i $EXT -p udp --sport 53 --dport 53 -j DROP

    #extra
    iptables -A INPUT -s 0/0 -d 0/0 -p udp -j DROP
    iptables -A INPUT -s 0/0 -d 0/0 -p tcp --syn -j DROP

  2. #2
    Generally it is better to DROP everything, then only allow what you need, rather than allowing everything, and trying to figure out what bits to drop.

    Take a look at my firewall script here for some more inspiration:
    http://www.jasonlambert.com/download.php

    Jason
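The default-deny approach Jason describes, applied to the router from the first post. This is an added example, not either poster's script; it assumes the first post's interface names (EXT=eth1 to the internet, INT=eth0 to the LAN) and the services it exposes (DHCP, DNS and SSH on the router), and it opens SSH only from the LAN.

```shell
#!/bin/sh
# Added example (not from the thread): the first post's NAT router rewritten
# the way the reply suggests, default DROP in every chain and explicit allows.
# Assumed from the first post: EXT=eth1 (internet), INT=eth0 (LAN), DHCP and
# DNS served to the LAN, SSH on the router. DRY_RUN=1 (default) only prints
# the commands; DRY_RUN=0 applies them (run as root).
EXT=${EXT:-eth1}
INT=${INT:-eth0}
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
ipt() { run iptables "$@"; }

firewall_rules() {
    run sysctl -w net.ipv4.ip_forward=1
    # Flush old rules, then deny by default: anything not listed below is dropped.
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP

    # Loopback, and replies belonging to connections already accepted.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Services the LAN may reach on the router itself (assumption: SSH is
    # only needed from the LAN; the original opened port 22 to everyone).
    ipt -A INPUT -i "$INT" -p udp --sport 68 --dport 67 -j ACCEPT
    ipt -A INPUT -i "$INT" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$INT" -p tcp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$INT" -p tcp --dport 22 -j ACCEPT
    ipt -A INPUT -i "$INT" -p icmp --icmp-type echo-request -j ACCEPT

    # Connections the router itself may start (DNS lookups, updates, ...).
    ipt -A OUTPUT -m state --state NEW -j ACCEPT

    # LAN -> internet with NAT; stop NetBIOS (137-139) from leaking out instead
    # of listing trojan ports, since nothing new from $EXT is accepted anyway.
    ipt -A FORWARD -i "$INT" -o "$EXT" -p tcp --dport 137:139 -j REJECT
    ipt -A FORWARD -i "$INT" -o "$EXT" -p udp --dport 137:139 -j REJECT
    ipt -A FORWARD -i "$INT" -o "$EXT" -m state --state NEW -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$EXT" -j MASQUERADE
}

firewall_rules
```

Run it as-is to review the generated rules, then `DRY_RUN=0 sh script.sh` as root to apply them; every chain's policy is DROP, so anything not explicitly allowed (including the trojan ports the first post lists one by one) never reaches the router or the LAN.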
