iptables - general comments please and port forwarding question

From: Jim & Carolyn (cbowenj@shaw.ca)
Date: 02/10/02


From: Jim & Carolyn <cbowenj@shaw.ca>
Date: Sun, 10 Feb 2002 04:24:53 GMT

Hi all,

I am new to iptables and have spent the last two days reading and trying
to hack together something that works on my server. Eth0 heads out to
the real world and eth1 heads to my LAN.

1) I would like to have some feedback as to my first crack at a script.
(Many thanks to the original authour) . Any glaring mistakes?

2) the very last section I am trying to have all TS traffic routed to a
Win2K box...with little success. I think I have the DNAT stuff right.
Are my input chains problematic? Masquerading is only for PPP...right?
You can see I am somewhat confused.

Thanks in advance,
Jim

<begin>
#!/bin/sh
#
# rc.firewall - Initial SIMPLE IP Firewall script for Linux 2.4.x and
iptables
#
# Copyright (C) 2001 Oskar Andreasson &lt;blueflux@koffein.net&gt;
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
# Last Modified: 02/02/09 (Jim)

###########################################################################

#
# 1. Configuration options.
#

###########################################################################

#
# Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first
24
# bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#

LAN_IP="yyy.yyy.yyy.yyy"
LAN_IP_RANGE="yyy.yyy.yyy.0/24"
LAN_BCAST_ADRESS="yyy.yyy.yyy.yyy"
LAN_IFACE="eth1"

###########################################################################

#
# Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

###########################################################################

#
# Internet Configuration.
#

INET_IP="xxx.xxx.xxx.xxx"
INET_IFACE="eth0"

###########################################################################

#
# IPTables Configuration.
#

IPTABLES="/sbin/iptables"

###########################################################################

#
# Port Forwarding Configuration.
#

TERM_SERVER="yyy.yyy.yyy.223"

###########################################################################

#
# 2. Module loading.
#

#
# Needed to initially load modules
#
/sbin/depmod -a

#
# Adds some iptables targets like LOG, REJECT and MASQUARADE.
#
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE

#
# Support for owner matching
#
#/sbin/modprobe ipt_owner

#
# Support for connection tracking of FTP and IRC.
#
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

###########################################################################

#
# 3. /proc set up.
#
# Enable ip_forward if you have two or more networks, including the
# Internet, that needs forwarding of packets through this box. This is
# critical since it is turned off as default in Linux.
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# Dynamic IP users:
#
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################

#
# 4. IPTables rules set up.
#
# Clean old rules (Jim)
#
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z

# Set default policies for the INPUT, FORWARD and OUTPUT chains.
# (Block all requests)

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# bad_tcp_packets chain
#
# Take care of bad TCP packets that we don't want.
#

$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG
\
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# Do some checks for obviously spoofed IP's
#

$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 192.168.0.0/16 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 10.0.0.0/8 -j DROP
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -s 172.16.0.0/12 -j DROP

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source
$INET_IP

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# The allowed chain for TCP connections
#

$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j
ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# ICMP rules
#

# Changed rules totally
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
# (TS) $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 3389 -j
allowed
# JTB $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j
allowed

#
# UDP ports
#

# nondocumented commenting out of these rules
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j
ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j
ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j
ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j
ACCEPT

##########################
# INPUT chain
#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for incoming packets from the internet.
#

$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udpincoming_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -d $LAN_BCAST_ADRESS -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state
ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

###############################
# OUTPUT chain
#
#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

###############################
# Port forwarding
#
#
# Route tcp requests to appropriate box
#

#Permit forward in firewall
#$IPTABLES -A FORWARD -p tcp -i eth0 -d $TERM_SERVER --dport 3389 -j
ACCEPT
$IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp -d $TERM_SERVER --dport 3389
-j ACCEPT
# $IPTABLES -A FORWARD -p TCP -s 0/0 --dport 3389 -j ACCEPT

#DNAT
$IPTABLES -t nat -A PREROUTING -i eth0 -p tcp -d $INET_IP --dport 3389
-j DNAT --to $TERM_SERVER

######################################################
## TESTING ZONE...JUNK SNIPPETS
######################################################
# Masquerade
# iptables -t nat -P POSTROUTING DROP
#$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#SNAT
#$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to $INET_IP

<end>