Re: IPTables F*&%-up part 2

From: D W (--reverse)
Date: 07/09/03

    Date: Tue, 08 Jul 2003 23:18:01 -0400
    
    

    Here is your script revised.

    I hope you are able to understand most of it with help from the comments.

    Replace $INT with the name of your internal interface.
    Replace $EXT with the name of your external interface.

    > IPTABLES-SCRIPT FOLLOWS ********************************************
    >
    > # iptables script generator: V0.1-2002
    > # Comes with no warranty!
    > # e-mail: michael@1go.dk
    >
    > # move forwarding to top and comment out the disable line
    >
    > # Disable forwarding
    > # echo 0 > /proc/sys/net/ipv4/ip_forward
    >
    > # further forwarding chains based upon above
    > echo 1 > /proc/sys/net/ipv4/ip_forward
    >
    > iptables -F -t nat
    > iptables -F -t mangle
    > iptables -X
    > iptables -F
    > iptables -F
    > iptables -P INPUT DROP
    > iptables -P FORWARD DROP
    > iptables -P OUTPUT ACCEPT
    >
    > # enable Masquerade and forwarding
    > # if the next two lines work for you, then not much need to change
    > # I simply have $IPT -t nat -A POSTROUTING -o $EXT -j MASQUERADE
    > # to enable masquerading and omit this entire section
    > iptables -t nat -A POSTROUTING -s 10.0.0.1/8 -o eth0 -j SNAT --to-source 67.117.74.180
    > iptables -A FORWARD -j ACCEPT -i eth1 -s 10.0.0.1/8
    > iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    >
    > # user defined chain for accepted TCP packets
    > iptables -N okay
    > iptables -A okay -p TCP --syn -j ACCEPT
    > iptables -A okay -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
    > # to enable forwarding, you must first accept the connections, else they
    > # never make it to the FORWARDING chain
    > iptables -A block -m state --state NEW -i $EXT -p tcp -m tcp --dport 1417:1420 -j ACCEPT
    > iptables -A block -m state --state NEW -i $EXT -p udp -m udp --dport 407 -j ACCEPT
    > iptables -A okay -p TCP -j DROP
    >
    > # You must have the following, or the previous section does nothing
    > iptables -A INPUT -j okay
    >
    > # rules for incoming packets from LAN
    > # looks good. could define as a table (like above), but it
    > # will work for now
    > iptables -A INPUT -p ALL -i eth1 -s 10.0.0.0/8 -j ACCEPT
    > iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT
    > iptables -A INPUT -p ALL -i lo -s 10.0.0.1 -j ACCEPT
    > iptables -A INPUT -p ALL -i lo -s 67.117.74.180 -j ACCEPT
    > iptables -A INPUT -p ALL -i eth1 -s 67.117.74.178 -j ACCEPT
    > iptables -A INPUT -p ALL -i eth1 -d 10.0.0.255 -j ACCEPT
    >
    > # Open ports on router for server/services
    > # okay, this is where your firewall building program
    > # wants you to place the openings for ports
    > # that we put in above (in the 'okay' table)
    # think about closing some of these
    # they allow attempts to connect to these ports from the outside
    # which is bad, unless you really are offering these services
    # to the world--consider commenting out the mail ports
    > iptables -A INPUT -j ACCEPT -p tcp -s 67.117.74.180
    # webserver--are you running a web server? if not, comment out
    > iptables -A INPUT -j ACCEPT -p tcp --dport 80 -m state --state NEW
    # ftpserver--do you run an ftp server? if not, comment out
    > iptables -A INPUT -j ACCEPT -p tcp --dport 20 -m state --state NEW
    # ftpserver--comment out if you don't run an ftpserver
    > iptables -A INPUT -j ACCEPT -p tcp --dport 21 -m state --state NEW
    # pop3 (mail) server--are you running a mail server for everyone?
    > iptables -A INPUT -j ACCEPT -p tcp --dport 110 -m state --state NEW
    # smtp (mail) server--are you running a mail server for everyone?
    # you probably don't want that, or sendmail/exim/postfix/qmail
    # could be used by spammers if the mail server is not setup
    # most distros install a mail server to deliver local mail,
    # so it is unlikely that you want the world to be able to use it
    > iptables -A INPUT -j ACCEPT -p tcp --dport 25 -m state --state NEW
    # ssh--you probably want to keep this open for remote access
    # if it is open, lengthen the root password and disable ssh login
    # by root (RootLogin no /etc/ssh/sshd.config)
    > iptables -A INPUT -j ACCEPT -p tcp --dport 22 -m state --state NEW
    # Not sure what these are--not listed in my /etc/services file
    > iptables -A INPUT -j ACCEPT -p tcp --dport 5800 -m state --state NEW
    > iptables -A INPUT -j ACCEPT -p tcp --dport 5900 -m state --state NEW
    # allow .40 to do anything
    # masquerading should already take care of this
    # since it is an internal machine
    > iptables -A INPUT -j ACCEPT -p tcp -s 10.0.0.40
    # allow your machine in the DMZ to do anything
    # make sure it is secured
    > iptables -A INPUT -j ACCEPT -p tcp -s 67.117.74.178
    # allow .5 to do anything -- same comment as for .40 machine
    > iptables -A INPUT -j ACCEPT -p tcp -s 10.0.0.5
    >
    > # may not need the following with stateful filtering (NEW)
    > # -m state --state NEW can replace all of the --tcp-flags mess
    > # simply add -m state --state NEW to the lines above
    > # that's all these lines do
    > #iptables -A INPUT -p tcp -m tcp --dport 80 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    > #iptables -A INPUT -p tcp -m tcp --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    > #iptables -A INPUT -p tcp -m tcp --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    > #iptables -A INPUT -p tcp -m tcp --dport 23 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    > #iptables -A INPUT -p tcp -m tcp --dport 20 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
    >
    > # UDP rules
    > # same lecture as above
    > # dns--needed by some ISP's to keep you connected
    > iptables -A INPUT -p UDP -i eth0 -s 0/0 --dport 53 -j ACCEPT
    > # ftpserver--may not need
    > iptables -A INPUT -p UDP -i eth0 -s 0/0 --dport 20 -j ACCEPT
    > # ftpserver--may not need
    > iptables -A INPUT -p UDP -i eth0 -s 0/0 --dport 21 -j ACCEPT
    > # ssh
    > iptables -A INPUT -p UDP -i eth0 -s 0/0 --dport 22 -j ACCEPT
    > # following two are not in my /etc/services file
    > iptables -A INPUT -p UDP -i eth0 -s 0/0 --dport 2074 -j ACCEPT
    > iptables -A INPUT -p UDP -i eth0 -s 0/0 --dport 4000 -j ACCEPT
    > # masquerading should take care of this
    > iptables -A INPUT -p UDP -i eth0 -s 10.0.0.40 -j ACCEPT
    > # your DMZ machine
    > iptables -A INPUT -p UDP -i eth0 -s 67.117.74.178 -j ACCEPT
    > # masquerading should take care of this
    > iptables -A INPUT -p UDP -i eth0 -s 10.0.0.5 -j ACCEPT
    >
    > # ICMP rules
    > # allow pings--fair enough, just don't see where they are disallowed
    > # to begin with
    > iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 8 -j ACCEPT
    > iptables -A INPUT -p ICMP -i eth0 -s 0/0 --icmp-type 11 -j ACCEPT
    >
    > # OUTPUT chain rules
    > # only packets with local addresses (no spoofing)
    > # looks good
    > iptables -A OUTPUT -p ALL -s 127.0.0.1 -j ACCEPT
    > iptables -A OUTPUT -p ALL -s 10.0.0.1/8 -j ACCEPT
    > iptables -A OUTPUT -p ALL -s 67.117.74.180 -j ACCEPT
    > iptables -A OUTPUT -p ALL -s 67.117.74.178 -j ACCEPT
    >
    > # STATE RELATED for router
    > # already in use up top in 'okay' chain
    > #iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    >
    > # Open ports to server on LAN
    > iptables -A FORWARD -j ACCEPT -p tcp --dport 80
    > #iptables -t nat -A PREROUTING -i eth0 -p UDP -s 0/0 -d 67.117.74.180 --dport 53 -j DNAT --to 10.0.0.80
    >
    > #iptables -t nat -A PREROUTING -i eth0 -p tcp -d 67.117.74.180 --dport 80 -j DNAT --to 10.0.0.5:80
    >
    > # Here are the new forwarding rules
    # you can specify a range of addresses at once
    # replace $EXT and $INT with the correct interface (eth0 and eth1 in the
    # proper place--I'm not sure which you use for internal and external)
    $IPT -t nat -A PREROUTING -i $EXT -p tcp -m tcp --dport 1417:1420 -j DNAT --to-destination 10.0.0.5
    $IPT -A FORWARD -i $EXT -o $INT -p tcp -m tcp --dport 1417:1420 -m state --state NEW -j ACCEPT

    $IPT -t nat -A PREROUTING -i $EXT -p udp -m udp --dport 407 -j DNAT --to-destination 10.0.0.5
    $IPT -A FORWARD -i $EXT -o $INT -p udp -m udp --dport 407 -m state --state NEW -j ACCEPT

    # just in case, allow 67.117.74.178 to use TCP,UDP,SYN,ACK,etc.
    # you can also add this to be safe (allow 67.117.74.178 for any port):
    # you can probably comment this out
    $IPT -A FORWARD -s 67.117.74.178 -p ALL -m state --state NEW -j ACCEPT

    # EOF
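An added example, not part of D W's reply or the original generator script: a small Python checker for two of the problems this kind of review looks for in an iptables script, namely a rule appended to (or jumping to) a user chain that the script never creates with `-N`, and INPUT ACCEPT rules with a `--dport` but no `-s`/`-i` restriction, which are open to any source. The sample script lines are constructed to resemble the reviewed script.

```python
import shlex

# Constructed sample in the shape of the reviewed script (not the poster's full script).
SAMPLE_SCRIPT = """
iptables -N okay
iptables -A okay -p TCP --syn -j ACCEPT
iptables -A block -m state --state NEW -i eth0 -p tcp -m tcp --dport 1417:1420 -j ACCEPT
iptables -A INPUT -j okay
iptables -A INPUT -j ACCEPT -p tcp --dport 25 -m state --state NEW
iptables -A INPUT -j ACCEPT -p tcp --dport 22 -m state --state NEW
iptables -A INPUT -j ACCEPT -p tcp -s 10.0.0.40
"""

BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG",
                   "MASQUERADE", "SNAT", "DNAT"}

def _opt(args, flag):
    """Return the value following `flag` in an argv list, or None if absent."""
    try:
        return args[args.index(flag) + 1]
    except (ValueError, IndexError):
        return None

def lint(script):
    """Return (undefined_chains, world_open_ports) for an iptables script.

    undefined_chains: {chain: first line number} for user chains referenced by
                      -A or -j but never created with -N.
    world_open_ports: --dport values ACCEPTed on INPUT with no -s and no -i.
    """
    defined, used, open_ports = set(), {}, []
    for lineno, line in enumerate(script.splitlines(), 1):
        line = line.split("#", 1)[0].strip()      # drop comments
        if not line.startswith("iptables"):
            continue
        args = shlex.split(line)
        if "-N" in args:
            defined.add(_opt(args, "-N"))
        chain, target = _opt(args, "-A"), _opt(args, "-j")
        if chain and chain not in BUILTIN_CHAINS:
            used.setdefault(chain, lineno)
        if target and target not in BUILTIN_TARGETS:
            used.setdefault(target, lineno)
        if chain == "INPUT" and target == "ACCEPT" and "-s" not in args and "-i" not in args:
            port = _opt(args, "--dport")
            if port:
                open_ports.append(port)
    undefined = {c: n for c, n in used.items() if c not in defined}
    return undefined, open_ports

if __name__ == "__main__":
    print(lint(SAMPLE_SCRIPT))
```

On the sample it reports the `block` chain as used on line 4 without ever being created, and ports 25 and 22 as accepted from any source; the real script would then have to be read in full with the line-wrapped commands joined first.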

