OK - based partly on Mork II's firewall script that I found floating around here and another iptables how-to, I put together a script to create a firewall. I have two NICs: eth0, which is connected to the internet, and eth1, which is connected to my local network. My aims are:
1) eth1 should be 100% trusted - anything coming from that direction should go through
2) eth0 should only accept "solicited" connections - in other words, if I've asked for it (i.e. web page, email or ftp connection) then give it to me - otherwise everything should be denied
I ended up writing the following script:
#!/bin/sh
#
# /etc/rc.d/firewall: start/stop firewall
#
IPTABLES='$IPTABLES'
EXTIF='eth0'
INTIF='eth1'
if [ "$1" = "start" ]; then
$IPTABLES -F
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
#forward LAN traffic from $INTIF to internet interface $EXTIF
$IPTABLES -A forward -i $INTIF1 -o $EXTIF -m state --state NEW,ESTABLISHED-j ACCEPT
#enable ip forwarding
/bin/echo 1 > /proc/sys/net/ipv4/ip_forward
#enable masquerading
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
elif [ "$1" = "stop" ]; then
#flush rules and delete chains
$IPTABLES -F
$IPTABLES -X
killall -q $IPTABLES
else
echo "usage: $0 start|stop"
fi
#End of file
This is entirely based on stealing from other scripts, and I have only a vague idea of what I was doing. But this script is too strict - it doesn't seem to trust eth1 as much as I'd like.
Is anyone able to help me refine my script? In particular, how do I tweak it so that it achieves my aims, and is there anything in it that's redundant?
Hi.
Setting up a firewall for the first time can be really confusing.
My suggestion is to install "quicktables", which creates a firewall script for you based on a few questions you have to answer when setting it up.
Use the script created as a base, change it for your need.
It's a really good start, and when you have a "base" configuration you can start borrowing things from other scripts.
/xor
I don't know iptables that well, but your script looks ok to me. It shouldn't be too hard to test if it works and does what you want, doing those commands one at a time by hand is a good start. Some comments:
In the line "$IPTABLES -A forward -i $INTIF1" you have a '1' at the end of $INTIF, looks like a typo.
"killall -q $IPTABLES" is redundant because there is no iptables process running, iptables is just an interface to the kernel.
You use $IPTABLES everywhere, why not just 'iptables'?
The only reason I use $IPTABLES everywhere instead of iptables is simply that the script as it stands is basically ripped off from a number of different sources - and one of them used a variable. I decided to be consistent and probably chose the wrong thing to be consistent with!
Basically the main thing I'm missing now is how to specify that a particular host can always be trusted - my email is painfully slow and will be much faster if I just trust the mail servers...
I've started trying to figure out Arno's firewall since it seems configurable and secure
I can't figure out how to allow access to ssh from my internal network, or how to specify trusted external hosts though...
same problems I guess. Setting up a firewall is a complicated business considering it's something so important...
Basically the main thing I'm missing now is how to specify that a particular host can always be trusted - my email is painfully slow and will be much faster if I just trust the mail servers...
Rejecting incoming ident (port 113) requests from the mail server might solve this... Also the bit:
IPTABLES='$IPTABLES'
Is creating a variable that has the value "$IPTABLES". I would expect something like:
IPTABLES=/usr/sbin/iptables
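Pulling together the fixes pointed out in the replies above (the $INTIF1 typo, the lowercase "forward" chain name, the missing space in "ESTABLISHED-j", the IPTABLES='$IPTABLES' literal and the pointless killall), here is a corrected version of the script as an added example. It is not the original poster's script, nor Mork II's, nor quicktables/Arno's/gShield output. Two rules the thread does not mention are added because the stated aims need them: an INPUT rule accepting everything arriving on eth1 (without it the INPUT DROP policy makes the router itself drop LAN packets addressed to it, which is the "doesn't trust eth1" symptom), and a FORWARD rule for ESTABLISHED,RELATED traffic coming back from eth0 to eth1 (conntrack marks the replies, but without a rule matching them the FORWARD DROP policy eats them). The stop case also resets the policies to ACCEPT, since flushing rules while leaving INPUT DROP in place cuts the machine off. The iptables path and the loopback rule are assumptions; "show" prints the rule set so it can be reviewed without root.

```sh
#!/bin/sh
# Added example: corrected firewall script for the two-NIC setup in this thread.
# Assumptions: iptables is at /usr/sbin/iptables, eth0 faces the internet,
# eth1 faces the fully trusted LAN.
IPTABLES=/usr/sbin/iptables   # was IPTABLES='$IPTABLES', a literal string
EXTIF=eth0                    # internet-facing interface
INTIF=eth1                    # LAN interface, 100% trusted

# Emit the rule set, one iptables argument list per line. Keeping the rules in
# a function that only prints them lets you review (and test) them without
# root; start() feeds each line to $IPTABLES.
firewall_rules() {
    cat <<EOF
-F
-t nat -F
-X
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i $INTIF -j ACCEPT
-A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
-A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
-t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
EOF
}

start() {
    # $rule is deliberately unquoted so each line splits into separate arguments
    firewall_rules | while read -r rule; do
        $IPTABLES $rule || { echo "failed: $IPTABLES $rule" >&2; exit 1; }
    done || return 1
    # enable ip forwarding so LAN traffic can be masqueraded out of $EXTIF
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

stop() {
    $IPTABLES -F
    $IPTABLES -t nat -F
    $IPTABLES -X
    # the original left the DROP policies in place after flushing, which
    # blocks all inbound traffic; reset them so "stop" really means open
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    # no killall: iptables is a front end to the kernel, there is no process
}

case "${1:-}" in
    start) start ;;
    stop)  stop ;;
    show)  firewall_rules ;;
    "")    : ;;   # no argument: only define the functions (e.g. when sourced)
    *)     echo "usage: $0 start|stop|show" >&2; exit 1 ;;
esac
```

Run "sh firewall start" as root to apply, "sh firewall show" as any user to check what would be applied. The rules are ordered so that the LAN and loopback accepts come before the stateful rule, and everything not matched falls through to the DROP policies, which is what "only solicited connections on eth0" means in iptables terms.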
Rejecting incoming ident (port 113) requests from the mail server might solve this... Also the bit:
How would I go about doing that - and what are the security implications?
How about trying to use gShield. It is a highly configurable script (does everything that you'll probably need, including NAT). I've used it when I knew almost nothing about iptables (I knew that it exists and it can do NAT).
It requires changing only one conf file to generate the iptables rules.
Good luck.
P.S. You don't need to create the script and include start/stop/restart rules in it. gShield creates the rules for iptables, clears the chains and automatically loads them. You can save the current tables with /usr/sbin/iptables-save (no matter who generated them). They will be stored in a file known by iptables (/etc/iptables/iptables.rules) and loaded every time the boot script invokes iptables from the DAEMONS="... iptables ..." line in /etc/rc.conf - this is how Arch does it.
How would I go about doing that - and what are the security implications?
You need to use the REJECT target, i.e. "-j REJECT".
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT
Of course it can be modified to add server IP's, state, etc.
There are no security implications. Your script already DROPs incoming ident requests by default. REJECT drops the packets but sends a rejected message to the originator. Mail servers are often configured to use ident to authenticate userids. If you don't implement an identd server but DROP the request the mail server waits for the connection to timeout before performing regular mail service. With REJECT it lets the mail server know that ident is "not implemented here". Hope that made sense.
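As an added example (not from the reply above and not the original poster's script), here is the ident rule with the REJECT variant that matches what a host with no identd would do, scoped to the mail server, plus a rate-limited LOG rule so you can see in the kernel log who else is asking for ident before the DROP policy discards it. The mail server address is a constructed placeholder from the TEST-NET-3 documentation range; the iptables path and eth0 are assumptions.

```sh
#!/bin/sh
# Added example: ident (TCP 113) handling for the mail-server slowdown
# discussed in this thread. The address is a placeholder, not a real server.
IPTABLES=/usr/sbin/iptables
EXTIF=eth0
MAILSERVER=203.0.113.25   # constructed placeholder, replace with the real one

# Emit the ident rules one per line so they can be reviewed without root.
# "--reject-with tcp-reset" answers a TCP SYN with a RST, which is exactly
# what a host with no identd listening sends, so the mail server abandons its
# ident lookup immediately instead of waiting for the attempt to time out.
# Plain "-j REJECT" sends an ICMP port-unreachable instead, which most servers
# also treat as "no ident here" but is not what a closed TCP port produces.
# Everyone else hits a rate-limited LOG rule and then the INPUT DROP policy.
ident_rules() {
    ms=${1:-$MAILSERVER}
    cat <<EOF
-A INPUT -i $EXTIF -s $ms -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-A INPUT -i $EXTIF -p tcp --dport 113 -m limit --limit 5/min -j LOG --log-prefix ident-probe:
EOF
}

# Apply the rules; needs root. $rule is deliberately unquoted for word splitting.
apply_ident_rules() {
    ident_rules "$@" | while read -r rule; do
        $IPTABLES $rule || exit 1
    done
}
```

Call apply_ident_rules with the real mail server address once the base rule set is loaded; the REJECT line must sit before any rule that would otherwise drop the packet, and the LOG line is only for visibility (grep the kernel log for "ident-probe:"), it does not accept anything. If the slowdown persists with this in place, the problem is not the firewall; a packet capture on eth0 will show whether the RST actually goes out, which is the check the later replies in this thread end up making.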
Oddly, the only way to speed up the internet connection seems to be to open 113 up to the whole world. Rejecting it or trying to open the port simply for the mail server doesn't seem to work.
I'll try and figure this out since I'm not really happy about leaving that port open to anyone...
Check what's going on with ethereal or tcpdump.
It's all sorted now - I have a firewall set up exactly how I'd like it now - using arno's firewall
Oddly, the port 113 problem was xinetd doing something odd every time I tried to connect - it's been sorted out server side now, so my firewall is still rock solid and DENYing everything