Tilted Forum Project Discussion Community

sweeze 08-17-2003 09:56 AM

iptables firewall
 
Anyone have any experience w/ setting up a minimalist iptables firewall?

I currently have NAT/masquerade set up, but the machine acting as a firewall is open to the world.

What I would like to do is maintain NAT functionality, but block off all incoming traffic on ports other than ssh, web, ssl web, ssl imap, etc. Playing around w/ iptables and the HOWTOs, etc., I seem to keep getting to the point where I'm blocking outgoing traffic, which is not at all desired.

Boner 08-17-2003 11:24 PM

Here's a very stripped down version of my firewall script below. In my real script, I also clamp down on some outgoing connections. I don't allow IRC connections (ports 6666-6669) to any IRC servers except the Irvingnet servers. I also restrict SMTP connections to only be made to my normal mail server. I also do a little logging, but not a lot.



#!/bin/bash
# IPTABLES Firewall for host

# eth0 is my internal interface
# eth1 is the external interface, public IP from the ISP

# Put your public IP below
ETH1="68.68.68.68"

# Required modules: NAT table, connection-tracking helpers for FTP and IRC,
# and the NAT helper for FTP
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_nat_ftp

# Flush old rules and delete user-defined chains in both tables
/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables -X
/sbin/iptables -X -t nat

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Set default policies: drop anything inbound or forwarded that is not
# explicitly allowed, let the firewall host itself talk out freely
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT

# Allow established and related connections back in from the outside.
# Without these two rules the replies to outgoing connections hit the
# DROP policies, which is what makes outgoing traffic look "blocked".
/sbin/iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block NetBIOS going out from the network and the local host.
# Name and datagram services are UDP 137/138, the session service is
# TCP 139, so cover all three ports for both protocols.
for PORT in 137 138 139; do
    for PROTO in tcp udp; do
        /sbin/iptables -A FORWARD -i eth0 -o eth1 -p $PROTO --dport $PORT -j DROP
        /sbin/iptables -A OUTPUT -o eth1 -p $PROTO --dport $PORT -j DROP
    done
done

# Allow all traffic to travel to the outside
/sbin/iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Allow all loopback traffic
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Allow internal network to access the firewall unrestricted
/sbin/iptables -A INPUT -i eth0 -j ACCEPT

# Allow dhcp for external interface
/sbin/iptables -A INPUT -i eth1 -p udp --sport 67 --dport 68 -j ACCEPT


###################################################
# NAT rules

# 192.168.1.3 is a Windows machine on the private internal network

# Turn on NAT for traffic going to eth1
# Although my IP is assigned via DHCP, it NEVER changes. At least
# it hasn't in over a year. NAT is more efficient than masquerading (which
# you should do if the IP changes).
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to $ETH1

# Allow BitTorrent: rewrite the destination in the nat table, then let the
# rewritten packet through FORWARD (DNAT alone is not enough with a
# FORWARD DROP policy)
/sbin/iptables -t nat -A PREROUTING -p udp --dport 6881 -i eth1 -j DNAT --to 192.168.1.3:6881
/sbin/iptables -A FORWARD -p udp -i eth1 -o eth0 -d 192.168.1.3 --dport 6881 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 6881 -i eth1 -j DNAT --to 192.168.1.3:6881
/sbin/iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.3 --dport 6881 -j ACCEPT

# Allow Yahoo! Messenger webcam
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 5100 -i eth1 -j DNAT --to 192.168.1.3:5100
/sbin/iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.3 --dport 5100 -j ACCEPT


####################################################
# INPUT Chain

# Allow traffic to SSH (on port 22) and ICMP directly to eth1
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p icmp -j ACCEPT

# Allow port 53 for DNS
# I run a caching DNS server, so I don't have rules allowing
# forwarding for DNS. Just need INPUT for the caching server (THIS MACHINE).
# Limited to the internal interface so the resolver is not reachable from
# the public side; the eth0 ACCEPT above already covers this, the rules
# are kept explicit so the intent is documented.
/sbin/iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT

# Accept IDENT requests
/sbin/iptables -A INPUT -p tcp -i eth1 --dport ident -j ACCEPT

####################################################
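Added example (not part of either post above, and not Boner's script): a minimal stateful script that does exactly what sweeze asked for, keeping NAT, exposing only a short list of TCP services to the outside, and letting everything outgoing through. The interface names eth0/eth1 follow the thread; the port list (22, 80, 443, 993), the MAIL_SERVER address and the dry-run default are assumptions. By default it only prints the rules it would load; run it as root with IPT=/sbin/iptables to apply them.

```shell
#!/bin/sh
# Added example: minimal stateful NAT firewall for a two-interface Linux box.
# Dry run by default (rules are printed, not applied). To apply, run as root:
#   IPT=/sbin/iptables sh minimal-fw.sh
# Assumptions: eth0 = LAN, eth1 = WAN (as in the thread), TCP_IN = services
# reachable from the Internet, MAIL_SERVER = the only host the LAN may send
# SMTP to (the address below is a TEST-NET-1 placeholder, use your real relay).

dryrun() { printf 'iptables %s\n' "$*"; }

IPT="${IPT:-dryrun}"
LAN="${LAN:-eth0}"
WAN="${WAN:-eth1}"
TCP_IN="${TCP_IN:-22 80 443 993}"          # ssh, web, ssl web, ssl imap
MAIL_SERVER="${MAIL_SERVER:-192.0.2.25}"   # placeholder address

apply_rules() {
    # Start from a clean slate in both tables
    $IPT -F
    $IPT -t nat -F
    $IPT -X
    $IPT -t nat -X

    # Default-deny inbound and forwarded traffic; the firewall host may talk out
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback is always fine
    $IPT -A INPUT -i lo -j ACCEPT

    # The rule that is easy to forget: replies to connections the host or the
    # LAN opened must be let back in. Without it every outbound connection
    # stalls and it looks like "outgoing is blocked", while the real cause is
    # the INPUT/FORWARD DROP policy eating the replies.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP

    # Trust the LAN side for access to the firewall itself
    $IPT -A INPUT -i "$LAN" -j ACCEPT

    # Only the listed TCP services may be opened from the WAN side
    for port in $TCP_IN; do
        $IPT -A INPUT -i "$WAN" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Keep ping working for diagnostics
    $IPT -A INPUT -i "$WAN" -p icmp --icmp-type echo-request -j ACCEPT

    # Egress control for the LAN: SMTP may only go to our relay (a compromised
    # desktop cannot spam the world directly); everything else goes out freely
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -p tcp --dport 25 ! -d "$MAIL_SERVER" -j DROP
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT

    # NAT for the LAN. MASQUERADE picks up the current WAN address, so it
    # survives a DHCP lease change (use SNAT --to <ip> for a static address)
    $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

apply_rules
```

The ordering matters: the ESTABLISHED,RELATED rules sit before any DROP so that return traffic is matched first, and the per-port INPUT rules only accept NEW connections on the WAN interface, so a service bound to 0.0.0.0 is still unreachable from outside unless it is in TCP_IN.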

yotta 08-18-2003 12:03 AM

heh, well, good place to start is http://easyfwgen.morizot.net/gen/, it'll build you a basic script....

Boner 08-18-2003 12:09 AM

Excellent link, yotta!
