Tilted Forum Project Discussion Community  

Old 08-17-2003, 09:56 AM   #1 (permalink)
iptables firewall

anyone have any experience w/ setting up a minimalist iptables firewall?

i currently have NAT/masquerade set up, but the machine acting as a firewall is open to the world.

what I would like to do is maintain nat functionality, but block off all incoming traffic on ports other than ssh, web, ssl web, ssl imap, etc. playing around w/ iptables and the HOWTOs, etc, i seem to keep getting to the point where I'm blocking outgoing traffic, which is not at all desired.
sweeze is offline  
Old 08-17-2003, 11:24 PM   #2 (permalink)
Insane
 
Location: Plugged In
Here's a very stripped down version of my firewall script below. In my real script, I also clamp down on some outgoing connections. I don't allow IRC connections (ports 6666-6669) to any IRC servers except the Irvingnet servers. I also restrict SMTP connections to only be made to my normal mail server. I also do a little logging, but not a lot.



#!/bin/bash
# IPTABLES Firewall for host

# eth0 is my internal interface
# eth1 is the external interface, public IP from the ISP

# Put your public IP below
ETH1="68.68.68.68"

# Required modules (2.4-era module names; FTP/IRC helpers let RELATED
# data connections through the state rules below)
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_nat_ftp

# Flush old rules (filter and nat tables) and delete user-defined chains
/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables -X

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Set default policies: deny inbound and forwarded traffic unless a rule
# below allows it; the firewall itself may originate anything
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT

# Allow established and related connections. This is what lets replies to
# outgoing connections back in, so outgoing traffic is not blocked even
# though INPUT/FORWARD default to DROP.
/sbin/iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block Netbios going out from network and local host
# (name service 137 and datagram service 138 are UDP, session service 139 is TCP)
/sbin/iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 137:138 -j DROP
/sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 139 -j DROP
/sbin/iptables -A OUTPUT -o eth1 -p udp --dport 137:138 -j DROP
/sbin/iptables -A OUTPUT -o eth1 -p tcp --dport 139 -j DROP

# Allow all traffic to travel to the outside
/sbin/iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Allow all loopback traffic
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Allow internal network to access the firewall unrestricted
/sbin/iptables -A INPUT -i eth0 -j ACCEPT

# Allow dhcp for external interface (server port 67 -> client port 68)
/sbin/iptables -A INPUT -i eth1 -p udp --sport 67 --dport 68 -j ACCEPT



###################################################
# NAT rules

# 192.168.1.3 is a Windows machine on the private internal network

# Turn on NAT for traffic going to eth1
# Although my IP is assigned via DHCP, it NEVER changes. At least
# it hasn't in over a year. NAT is more efficient than masquerading (which
# you should do if the IP changes).
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to $ETH1

# Allow BitTorrent: DNAT the inbound port to the internal host, then
# permit the forwarded packet (FORWARD policy is DROP)
/sbin/iptables -t nat -A PREROUTING -p udp --dport 6881 -i eth1 -j DNAT --to 192.168.1.3:6881
/sbin/iptables -A FORWARD -p udp -i eth1 -o eth0 -d 192.168.1.3 --dport 6881 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 6881 -i eth1 -j DNAT --to 192.168.1.3:6881
/sbin/iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.3 --dport 6881 -j ACCEPT

# Allow Yahoo! Messenger webcam
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 5100 -i eth1 -j DNAT --to 192.168.1.3:5100
/sbin/iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.3 --dport 5100 -j ACCEPT


####################################################
# INPUT Chain

# Allow traffic to SSH (on port 22) and ICMP directly to eth1
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p icmp -j ACCEPT

# Allow port 53 for DNS
# I run a caching DNS server, so I don't have rules allowing
# forwarding for DNS. Just need INPUT for the caching server (THIS MACHINE)
# Note: queries from eth0 are already accepted by the eth0 rule above, so
# without "-i eth0" these two lines also accept DNS queries arriving on eth1,
# i.e. the caching resolver is reachable from the Internet. If it only
# serves the LAN, add "-i eth0" here or drop the lines.
/sbin/iptables -A INPUT -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -p tcp --dport 53 -j ACCEPT

# Accept IDENT requests
/sbin/iptables -A INPUT -p tcp -i eth1 --dport ident -j ACCEPT

####################################################

####################################################
Boner is offline  
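As an added example (not from the thread or either poster), here is the minimal version of what the original question asks for: keep NAT, default-deny inbound on the external interface except a list of TCP services, and rely on connection tracking so outgoing traffic keeps working. It assumes eth0 is the LAN and eth1 the WAN, as in the script above; with DRY_RUN=1 (the default) it prints the rules instead of applying them, so the result can be read without root.

```shell
#!/bin/sh
# Minimal NAT + inbound-filter ruleset (added example). Assumed layout:
# LAN on eth0, WAN on eth1. DRY_RUN=1 prints the iptables commands,
# DRY_RUN=0 executes them (requires root).
IPT="${IPT:-/sbin/iptables}"
LAN="${LAN:-eth0}"
WAN="${WAN:-eth1}"
DRY_RUN="${DRY_RUN:-1}"

# Print or execute one iptables invocation depending on DRY_RUN
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$IPT $*"; else "$IPT" "$@"; fi
}

# gen_rules PORT... : emit the full ruleset, opening only the given TCP
# ports on the WAN side of the firewall host itself.
gen_rules() {
    run -F; run -F -t nat; run -X
    # Default deny for traffic to and through the box; the box may originate anything
    run -P INPUT DROP; run -P FORWARD DROP; run -P OUTPUT ACCEPT
    # Replies to connections started from inside come back as ESTABLISHED/RELATED.
    # Without these two lines the DROP policies break outgoing traffic.
    run -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A INPUT -i lo -j ACCEPT
    # Trust the LAN towards the firewall and outwards
    run -A INPUT -i "$LAN" -j ACCEPT
    run -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    # Only these new inbound connections are accepted from the WAN
    for p in "$@"; do
        run -A INPUT -i "$WAN" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # MASQUERADE rather than SNAT so a changing DHCP address needs no edit
    run -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Default set from the question: ssh, http, https, imaps (override with PORTS="22 80")
gen_rules ${PORTS:-22 80 443 993}
```

Review the printed rules, then rerun with DRY_RUN=0 to apply them.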
Old 08-18-2003, 12:03 AM   #3 (permalink)
Irresponsible
 
heh, well, good place to start is http://easyfwgen.morizot.net/gen/, it'll build you a basic script....
__________________
I am Jack's signature.
yotta is offline  
Old 08-18-2003, 12:09 AM   #4 (permalink)
Insane
 
Location: Plugged In
Excellent link, yotta!
Boner is offline  
 

Tags
firewall, iptables