
#1 2005-07-13 19:44:43

spyder
Member
From: Canada
Registered: 2004-05-17
Posts: 19

iptables configuration.. can anyone improve this for me?

Mostly put together using quicktables... The problem I am having is weird. In order to use IE/MSN Messenger I need to have squid running... but then I can disable squid and it keeps working fine.. very strange.. I would like to run without using squid, preferably. Strange thing is Firefox works fine all the time... any hints / suggestions??


#!/bin/sh

# set a few variables
echo ""
echo "  setting global variables"
echo ""
export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
iptables="/usr/sbin/iptables"
EXT_IP=`/sbin/ifconfig eth0 | grep "inet addr" | cut -d : -f 2 | cut -d " " -f 1`; export EXT_IP
INT_IP=`/sbin/ifconfig eth1 | grep "inet addr" | cut -d : -f 2 | cut -d " " -f 1`; export INT_IP

# adjust /proc
echo "  applying general security settings to /proc filesystem"
echo ""
if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then echo 1 > /proc/sys/net/ipv4/tcp_syncookies; fi
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter; fi
if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward; fi

# load the conntrack/nat helper modules for ftp and irc
# (2.4 kernels name them *.o, 2.6 kernels *.ko, so let modprobe find them;
# it fails harmlessly if a module is absent or built into the kernel)
for mod in ip_conntrack_ftp ip_nat_ftp ip_conntrack_irc ip_nat_irc; do
    modprobe $mod 2>/dev/null
done

# flush any existing chains and set default policies
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT ACCEPT

# setup nat
echo "  applying nat rules"
echo ""
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP
$iptables -A FORWARD -i eth1 -j ACCEPT
$iptables -A INPUT -i eth1 -j ACCEPT
$iptables -A OUTPUT -o eth1 -j ACCEPT
$iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source $EXT_IP

# allow all packets on the loopback interface
$iptables -A INPUT -i lo -j ACCEPT
$iptables -A OUTPUT -o lo -j ACCEPT

# allow established and related packets back in
$iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# icmp
echo "  applying icmp rules"
echo ""
$iptables -A OUTPUT -p icmp -m state --state NEW -j ACCEPT
$iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
$iptables -A INPUT -p icmp --icmp-type echo-request -i eth0 -j DROP

# apply icmp type match blocking
echo "  applying icmp type match blocking"
echo ""
$iptables -I INPUT -p icmp --icmp-type redirect -j DROP
$iptables -I INPUT -p icmp --icmp-type router-advertisement -j DROP
$iptables -I INPUT -p icmp --icmp-type router-solicitation -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-request -j DROP
$iptables -I INPUT -p icmp --icmp-type address-mask-reply -j DROP

# open and forward ports to the internal machine(s)
# note: the FORWARD chain sees packets after PREROUTING has rewritten them,
# so the external port 8080 -> internal port 22 mapping below is covered by
# the "--dport 22" FORWARD rule; no separate 8080 FORWARD rule is needed
echo "  applying port forwarding rules"
echo ""
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d $EXT_IP --dport 80 -j DNAT --to-destination 192.168.1.120:80
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d $EXT_IP --dport 22 -j DNAT --to-destination 192.168.1.120:22
$iptables -t nat -A PREROUTING -i eth0 -p tcp -d $EXT_IP --dport 8080 -j DNAT --to-destination 192.168.1.120:22
$iptables -t nat -A PREROUTING -i eth0 -p udp -d $EXT_IP --dport 53 -j DNAT --to-destination 192.168.1.120:53
$iptables -A FORWARD -i eth0 -p tcp --dport 80 -j ACCEPT
$iptables -A FORWARD -i eth0 -p tcp --dport 22 -j ACCEPT
$iptables -A FORWARD -i eth0 -p udp --dport 53 -j ACCEPT

echo "  applying bittorrent forwarding rules"
echo ""
## atlantis bittorrent ##
$iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 6881:6999 -j DNAT --to-destination 192.168.1.150
$iptables -A FORWARD -p tcp -d 192.168.1.150 --dport 6881:6999 -j ACCEPT
$iptables -t nat -A PREROUTING -i eth0 -p udp --dport 6881 -j DNAT --to-destination 192.168.1.150
$iptables -A FORWARD -p udp -d 192.168.1.150 --dport 6881 -j ACCEPT

echo "  applying World of Warcraft rules"
echo ""
## atlantis blizzard ##
$iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 3724 -j DNAT --to-destination 192.168.1.150:3724
$iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 6112 -j DNAT --to-destination 192.168.1.150:6112
$iptables -A FORWARD -p tcp -d 192.168.1.150 --dport 3724 -j ACCEPT
$iptables -A FORWARD -p tcp -d 192.168.1.150 --dport 6112 -j ACCEPT

# drop all other packets
echo "  applying default drop policies"
echo ""
$iptables -A INPUT -i eth0 -p tcp --dport 0:65535 -j DROP
$iptables -A INPUT -i eth0 -p udp --dport 0:65535 -j DROP

echo "### quicktables is loaded ###"
echo ""


Also, if anyone can provide insight.. I would like to be able to log iptables to syslog-ng.. any suggestions on this? Right now I can't figure out where it's logging... if it is..?!

Thanks
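A way to get the logging the last question asks about, as an added example and not the poster's own script: the posted rules contain no -j LOG target, so nothing is being logged yet, and the LOG target writes into the kernel log, which syslog-ng reads from its kernel source. It assumes the poster's $iptables variable and eth0 as the external interface, that the existing syslog-ng source is named src, and the sample log line is constructed.

```shell
#!/bin/sh
# Added example, not the poster's script: log what the firewall drops and send
# those lines to their own file with syslog-ng.  Assumes the same $iptables
# variable as the script above and eth0 as the external interface.
iptables="${iptables:-/usr/sbin/iptables}"

# Call this just before the "drop all other packets" section, so the LOG rules
# sit ahead of the final DROP rules.  --limit keeps a port scan from flooding
# the log; the prefix is what the syslog-ng filter below matches on.
add_logging_rules() {
    $iptables -A INPUT   -i eth0 -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "FW-INPUT-DROP: " --log-level info
    $iptables -A FORWARD -i eth0 -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "FW-FORWARD-DROP: " --log-level info
}

# syslog-ng fragment: kernel messages carrying the prefix go to
# /var/log/firewall.log.  "src" is assumed to be the name of the existing
# source in syslog-ng.conf (it must include the kernel log).
print_syslog_ng_fragment() {
    cat <<'EOF'
filter f_firewall { facility(kern) and match("FW-.*-DROP: "); };
destination d_firewall { file("/var/log/firewall.log"); };
log { source(src); filter(f_firewall); destination(d_firewall); };
EOF
}

# Reduce one logged line to "IN SRC DST PROTO DPT"; prints nothing for
# lines without a DPT field (e.g. ICMP).
summarize_log_line() {
    echo "$1" | sed -n \
      's/.*IN=\([^ ]*\).*SRC=\([^ ]*\).*DST=\([^ ]*\).*PROTO=\([^ ]*\).*DPT=\([^ ]*\).*/\1 \2 \3 \4 \5/p'
}

# Constructed sample in the format the LOG target emits (not a real capture).
SAMPLE='Jul 14 03:27:03 router kernel: FW-INPUT-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=44321 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0'

if [ "${1:-}" = apply ]; then
    add_logging_rules              # needs root and a live iptables
else
    print_syslog_ng_fragment
    summarize_log_line "$SAMPLE"   # eth0 203.0.113.7 198.51.100.2 TCP 23
fi
```

Run it with the argument "apply" from the firewall script to install the rules; without an argument it prints the syslog-ng fragment and the parsed sample line.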


#2 2005-07-13 20:31:28

cactus
Taco Eater
From: t͈̫̹ͨa͖͕͎̱͈ͨ͆ć̥̖̝o̫̫̼s͈̭̱̞͍̃!̰
Registered: 2004-05-25
Posts: 4,622

Re: iptables configuration.. can anyone improve this for me?

I'm at work right now, so I can't really devote a lot of time to this... I will check back when I get home.
In the meantime, here is my iptables firewall setup. Maybe you can divine some useful knowledge out of it.
iptables.txt


"Be conservative in what you send; be liberal in what you accept." -- Postel's Law
"tacos" -- Cactus' Law
"t̥͍͎̪̪͗a̴̻̩͈͚ͨc̠o̩̙͈ͫͅs͙͎̙͊ ͔͇̫̜t͎̳̀a̜̞̗ͩc̗͍͚o̲̯̿s̖̣̤̙͌ ̖̜̈ț̰̫͓ạ̪͖̳c̲͎͕̰̯̃̈o͉ͅs̪ͪ ̜̻̖̜͕" -- -̖͚̫̙̓-̺̠͇ͤ̃ ̜̪̜ͯZ͔̗̭̞ͪA̝͈̙͖̩L͉̠̺͓G̙̞̦͖O̳̗͍


#3 2005-07-13 21:19:37

phrakture
Arch Overlord
From: behind you
Registered: 2003-10-29
Posts: 7,879

Re: iptables configuration.. can anyone improve this for me?

cactus wrote:

I'm at work right now, so I can't really devote a lot of time to this... I will check back when I get home.
In the meantime, here is my iptables firewall setup. Maybe you can divine some useful knowledge out of it.
iptables.txt

Whoa... is your box directly wired to the internet? I just rely on my router to do all this stuff... now, if it was an OpenWrt router, then I'd have something like this...


#4 2005-07-13 22:39:26

T-Dawg
Forum Fellow
From: Charlotte, NC
Registered: 2005-01-29
Posts: 2,736

Re: iptables configuration.. can anyone improve this for me?

cactus wrote:

I'm at work right now, so I can't really devote a lot of time to this... I will check back when I get home.
In the meantime, here is my iptables firewall setup. Maybe you can divine some useful knowledge out of it.
iptables.txt

You_Are_An_Animal.  :shock:


There are also some good rule generators in the wiki if you care to check them out. Just do a search on firewall.


#5 2005-07-14 03:27:03

spyder
Member
From: Canada
Registered: 2004-05-17
Posts: 19

Re: iptables configuration.. can anyone improve this for me?

phrakture wrote:
cactus wrote:

I'm at work right now, so I can't really devote a lot of time to this... I will check back when I get home.
In the meantime, here is my iptables firewall setup. Maybe you can divine some useful knowledge out of it.
iptables.txt

Whoa... is your box directly wired to the internet? I just rely on my router to do all this stuff... now, if it was an OpenWrt router, then I'd have something like this...

Well, this is a secured Linux box doing the router work.. so yes, it is open to the world.
