IPTables firewall script non-funtional. Help please

• Previous message: Wine Development: "Re: Buffer overflow exploits - general question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

From: daveellison2000@yahoo.com (Dave)
Date: 27 Feb 2002 13:20:04 -0800

Hi,
I upgraded to the 2.4 kernel (RedHat) and getting my old firewall
script to function at all has been very difficult. I'm a beginner, but
was able to successfully create my ipchains script by following
examples of others, but no such luck with iptables. Can someone please
take a look at my simple script and see if they can spot any problems.
Nothing seems to work after my repeated trial and error debugging
attempts. Version below is my attempt at absolute simplicity, no
spoofing protection, etc., which I plan to add on after core is
functional. Cannot currently ping Internet or internal network or
access web server from outside with this script in place. IP addresses
have been changed, but I can confirm that actual IPs are all correct.

TIA,

Dave

######################## IPTABLES SCRIPT ########################

INTERNAL_INTERFACE="eth1"
INTERNAL_NETWORK="192.168.1.10/24"
EXTERNAL_INTERFACE="eth0"
LOOPBACK='lo'
LO_IP='127.0.0.0'
BROADCAST_0="66.139.882.255"
BROADCAST_1="192.168.10.255"
ANYWHERE="0.0.0.0/0"
INTERNAL_WEBSERVER="192.168.10.48"
INTERNAL_DATABASE="192.168.10.81"
IPADDR=`/sbin/ifconfig eth0 | grep "inet addr" | awk -F":"
'{print$2}' | awk '{print $1}'`

TCPIN="80,443,8080,1433"
TCPOUT="80,443,8080"
TCPWEB="20,21,80,443,8080"
TCPDB="1433"

# the name and location of the iptables program
IPTABLES='/usr/local/bin/iptables'

# load kernel modules
modprobe iptable_nat
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ip_tables
modprobe iptable_filter

# flush any existing chains
IPTABLES -F
IPTABLES -Z
IPTABLES -t filter -F INPUT
IPTABLES -t filter -F OUTPUT
IPTABLES -t filter -F FORWARD
IPTABLES -t nat -F
IPTABLES -t nat -F PREROUTING
IPTABLES -t nat -F POSTROUTING
IPTABLES -t nat -F OUTPUT
IPTABLES -t nat -Z
IPTABLES -t mangle -F
IPTABLES -t mangle -F PREROUTING
IPTABLES -t mangle -F OUTPUT
IPTABLES -t mangle -Z

# set default policies
IPTABLES -P INPUT DROP
IPTABLES -P OUTPUT DROP
IPTABLES -P FORWARD DROP

IPTABLES -t nat -P PREROUTING DROP
IPTABLES -t nat -P POSTROUTING DROP
IPTABLES -t nat -P OUTPUT DROP

IPTABLES -t mangle -P PREROUTING DROP
IPTABLES -t mangle -P POSTROUTING DROP
IPTABLES -t mangle -P OUTPUT DROP

# Accept incoming web requests from anywhere
iptables --append INPUT \
                --protocol TCP \
                --source $ANYWHERE \
                --destination $INTERNAL_WEBSERVER \
                --destination-port $TCPIN \
                --in-interface $EXTERNAL_INTERFACE \
                --jump ACCEPT

iptables --append OUTPUT \
                --protocol TCP \
                --source $ANYWHERE \
                --destination $INTERNAL_WEBSERVER \
                --destination-port $TCPIN \
                --in-interface $EXTERNAL_INTERFACE \
                --jump ACCEPT

# Accept internal traffic
iptables --append INPUT \
                --source $INTERNAL_NETWORK \
                --in-interface $INTERNAL_INTERFACE \
                --jump ACCEPT

iptables --append OUTPUT \
                --source $INTERNAL_NETWORK \
                --in-interface $INTERNAL_INTERFACE \
                --jump ACCEPT

# Accept loopback traffic
iptables --append INPUT \
                --in-interface $loopback \
                --jump ACCEPT

iptables --append OUTPUT \
                --in-interface $loopback \
                --jump ACCEPT

# Port forwarding rules
iptables -t nat \
                -A PREROUTING \
                -i $EXTERNAL_INTERFACE \
                -p tcp \
                --dport "80,443,8080" \
                -j DNAT \
                --to-destination $INTERNAL_WEBSERVER:80

iptables -t nat \
                -A PREROUTING \
                -i $EXTERNAL_INTERFACE \
                -p tcp \
                --dport "1443" \
                -j DNAT \
                --to-destination $INTERNAL_DATABASE:1433

iptables -t nat \
                -A PREROUTING \
                -i $EXTERNAL_INTERFACE \
                -p tcp \
                --dport 20 \
                -j DNAT \
                --to-destination $INTERNAL_WEBSERVER:20

iptables -t nat \
                -A PREROUTING \
                -i $EXTERNAL_INTERFACE \
                -p tcp \
                --dport 21 \
                -j DNAT \
                --to-destination $INTERNAL_WEBSERVER:21

• Next message: Bill Unruh: "Re: Help with system attack"
• Previous message: Wine Development: "Re: Buffer overflow exploits - general question"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]