Re: iptables woes

From: Josh (JoshAsbury@spamthisbuddy.yahoo.com)
Date: Thu, 4 Jul 2002 02:32:03 -0400

I didn't want to clutter my initial post, but in case you need more
information, my complete firewall script is below.

Thanks again,
Josh

#!/bin/sh
#----------------------------------------------------------------------
#This is my Iptables script. Used for firewalling, routing, and filtering,
#this script replaces /etc/init.d/iptables in RedHat 7.2. I also
#recommend making sym-links in /etc/rc.d/rc3.d, rc4.d, rc5.d.
#Make sure it loads before your network loads, that way you're
#always covered!
#
#This script may be used by anyone for any reason in accordance to the
#GNU License stuff
#----------------------------------------------------------------------
# Sources |
#----------------------------------------
. /etc/init.d/functions
. /etc/sysconfig/network
#----------------------------------------------------------
#CODE||||||||||||||||||||||||||||||||||||||||||||||||||||||
#----------------------------------------------------------
#Check that network is up. |
#----------------------------------------
if [ "${NETWORKING}" = "no" ]  # quoted so the test does not break when NETWORKING is unset
then
exit 0
fi

if [ ! -x /sbin/iptables ]; then
exit 0
fi

#----------------------------------------
#Case {start|stop|status|restart|reload} |
#----------------------------------------
case "$1" in
start)
echo -n "Starting Firewall/Router: "
#----------------------------------------
#Variable Definitions |
#----------------------------------------
EXTINT="eth0" # External network device
LOOP="lo" # Loopback device
INTINT="eth1" # Internal network device
INTRA="192.168.0.1/24" # Private Internal Network IP Range
#----------------------------------------
#Iptables Module Loading |

/sbin/modprobe ip_tables
/sbin/modprobe iptable_nat
/sbin/modprobe ip_conntrack
/sbin/modprobe ipt_state
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe iptable_mangle

#End Module Loading |
#----------------------------------------
#END CODE||||||||||||||||||||||||||||||||||||||||||||||||||
#----------------------------------------------------------
# RULES
#----------------------------------------
#Initializing Tables |
#----------------------------------------
iptables -F #Flushing Rules for INPUT, OUTPUT, FORWARD
iptables -F -t nat #Flushing Rules for PREROUTING, POSTROUTING
iptables -X #Deleting all user-defined chains
#----------------------------------------
#Setting Default Policy-> DROP |
#----------------------------------------
iptables -P INPUT DROP #Drop all undefined incoming packets
iptables -P OUTPUT DROP #Drop all undefined outgoing packets
iptables -P FORWARD DROP #Drop all undefined forwarded packets
#----------------------------------------
#----------------------------------------
#Unrestricting Loopback Device |
#----------------------------------------
iptables -A INPUT -i $LOOP -j ACCEPT
iptables -A OUTPUT -o $LOOP -j ACCEPT
#----------------------------------------
#Unrestrict Local Network |
#----------------------------------------
iptables -A INPUT -i $INTINT -s $INTRA -j ACCEPT
iptables -A OUTPUT -o $INTINT -d $INTRA -j ACCEPT
#----------------------------------------
#Routing Internal -> Out |
#----------------------------------------
iptables -A OUTPUT -o $EXTINT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $INTINT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#----------------------------------------
#Routing Related External -> In |
#----------------------------------------
iptables -A INPUT -i $EXTINT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INTINT -m state --state ESTABLISHED,RELATED -j ACCEPT
#----------------------------------------
#Forwarding to/from Internal Network |
#----------------------------------------
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -i ! $EXTINT -j ACCEPT
#----------------------------------------
#Masquerading Internal to External |
#----------------------------------------
iptables -t nat -A POSTROUTING -o $EXTINT -j MASQUERADE
#----------------------------------------
#Allow DHCP Server, Port 67 |
#----------------------------------------
iptables -A INPUT -p tcp -i $INTINT --dport 67 -j ACCEPT
iptables -A INPUT -p udp -i $INTINT --dport 67 -j ACCEPT
iptables -A OUTPUT -p tcp -o $INTINT --sport 67 -j ACCEPT
iptables -A OUTPUT -p udp -o $INTINT --sport 67 -j ACCEPT
#----------------------------------------
#Allow HTTP Server, Port 80 |
#----------------------------------------
iptables -A INPUT -p tcp -i $EXTINT --dport 80 -j ACCEPT
iptables -A INPUT -p udp -i $EXTINT --dport 80 -j ACCEPT
iptables -A OUTPUT -p tcp -o $EXTINT --sport 80 -j ACCEPT
iptables -A OUTPUT -p udp -o $EXTINT --sport 80 -j ACCEPT

#----------------------------------------
#Allow HTTP Server, Port 8888 |
#----------------------------------------
iptables -A INPUT -p tcp -i $INTINT --dport 8888 -j ACCEPT
iptables -A INPUT -p udp -i $INTINT --dport 8888 -j ACCEPT
iptables -A OUTPUT -p tcp -o $INTINT --sport 8888 -j ACCEPT
iptables -A OUTPUT -p udp -o $INTINT --sport 8888 -j ACCEPT

#----------------------------------------
#Allow SSH Server, Port 22 |
#----------------------------------------
iptables -A INPUT -p tcp -i $EXTINT --dport 22 -j ACCEPT
iptables -A OUTPUT -p tcp -o $EXTINT --sport 22 -j ACCEPT
iptables -A INPUT -p udp -i $EXTINT --dport 22 -j ACCEPT
iptables -A OUTPUT -p udp -o $EXTINT --sport 22 -j ACCEPT
#----------------------------------------
#SAMBA Connectivity |
#----------------------------------------
#iptables -A INPUT -p tcp -s $INTRA --destination-port 139 -j ACCEPT
#iptables -A INPUT -p udp -s $INTRA --destination-port 139 -j ACCEPT
#----------------------------------------
#Drop Spoofed packets with internal IP's |
#----------------------------------------
#Note: the nat table is consulted only for the first packet of a connection,
#so these DROPs do not see later packets; filter INPUT/FORWARD is the usual place.
iptables -t nat -A PREROUTING -i $EXTINT -s 192.168.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i $EXTINT -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i $EXTINT -s 172.16.0.0/12 -j DROP
#----------------------------------------
#Uncomment for debugging or logging |
# Log is in /var/log/messages |
#----------------------------------------
#iptables -A INPUT -j LOG --log-prefix "INPUT_DROP: "
#iptables -A OUTPUT -j LOG --log-prefix "OUTPUT_DROP: "
#-----------------------------------------------------------
#################################################-----#END RULES
#CODE-------------------------------------------------------
#Activate IP-Forwarding |
#----------------------------------------
echo "1" > /proc/sys/net/ipv4/ip_forward
#----------------------------------------
#Activate TCPsyncookies |
#----------------------------------------
echo "2" > /proc/sys/net/ipv4/tcp_syncookies
#----------------------------------------
#Activate lock file
touch /var/lock/subsys/iptables
#-----------------------------------------------------------
#STOP Module |||||||||||||||||||
#-----------------------------------------------------------
;;
stop)
echo -n "Shutting Firewall Down: "
#----------------------------------------
#Flush all coded chains |
#----------------------------------------
iptables -F
#----------------------------------------
#Delete all user defined chains |
#----------------------------------------
iptables -X
#----------------------------------------
#Set the firewall wide open |
#----------------------------------------
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
#----------------------------------------
#Remove file lock |
#----------------------------------------
rm -f /var/lock/subsys/iptables
#-----------------------------------------------------------
#STATUS Module |||||||||||||||||||
#-----------------------------------------------------------
;;
status)
tables=`cat /proc/net/ip_tables_names 2>/dev/null`  # "2 >/dev/null" passed "2" as a file to cat and discarded stdout
for table in $tables; do
 echo $"Table: $table"
 iptables -t $table --list
done
#-----------------------------------------------------------
#RESTART Module |||||||||||||||||||
#-----------------------------------------------------------
;;
restart|reload)
$0 stop
$0 start
#-----------------------------------------------------------
#UNKNOWN Module |||||||||||||||||||
#-----------------------------------------------------------
;;
*)
echo "Try iptables {start|stop|status|restart|reload}"
exit 1
esac
echo "DONE"
exit 0
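An added reviewer's aid, not part of Josh's post: a small Python linter that parses rule lines in the shape of the script above, re-joins a rule that a mail client wrapped after `-j`, and flags two things a firewall reviewer would raise on it (a DROP placed in the nat table, and UDP rules for TCP-only services). The sample input is constructed; the set of TCP-only ports and the old-style `-i ! eth0` negation handling are assumptions.

```python
import shlex

# Constructed sample shaped like the posted script; the first rule is wrapped after "-j" as in the mail.
SAMPLE = """\
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j
ACCEPT
iptables -A INPUT -p tcp -i eth0 --dport 22 -j ACCEPT  #SSH
iptables -A INPUT -p udp -i eth0 --dport 22 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
"""
VALUE_OPTS = {"-t", "-A", "-i", "-o", "-p", "-s", "-d", "-j", "-m",  # options that take a value;
              "--dport", "--sport", "--destination-port", "--state"}  # a line ending in one was wrapped
TCP_ONLY_PORTS = {"22", "80"}  # assumption: SSH and HTTP are TCP-only services

def to_dict(argv):
    """Map each option to its value; old-style '-i ! eth0' becomes '!eth0' (table defaults to filter)."""
    rule, i = {"-t": "filter"}, 1
    while i < len(argv):
        if argv[i] in VALUE_OPTS:
            neg = argv[i + 1] == "!"
            rule[argv[i]] = ("!" if neg else "") + argv[i + 1 + neg]
            i += 2 + neg
        else:
            i += 1
    return rule

def parse_script(text):
    """Return (line_number, rule) per iptables call, re-joining rules wrapped after an option."""
    rules, pending, start = [], [], 0
    for num, raw in enumerate(text.splitlines(), 1):
        argv = shlex.split(raw, comments=True)  # strips trailing '#...' comments
        if not argv or (not pending and not argv[0].endswith("iptables")):
            continue
        start = start if pending else num
        pending += argv
        if pending[-1] not in VALUE_OPTS:  # rule complete; otherwise its value is on the next line
            rules.append((start, to_dict(pending)))
            pending = []
    return rules

def lint(text):
    """Return (line_number, message) findings a firewall reviewer would raise."""
    findings = []
    for num, r in parse_script(text):
        port = r.get("--dport") or r.get("--sport") or r.get("--destination-port")
        if r["-t"] == "nat" and r.get("-j") == "DROP":
            findings.append((num, "DROP in the nat table only sees a connection's first packet; use the filter table"))
        if r.get("-p") == "udp" and port in TCP_ONLY_PORTS:
            findings.append((num, f"UDP rule for TCP-only port {port} opens an unneeded hole"))
    return findings
```

Running `lint(SAMPLE)` reports the UDP port 22 rule and the nat-table DROP; feeding it the full script flags the UDP rules for ports 80, 8888 and 22 and the three anti-spoof lines.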

