08-17-2003, 09:56 AM | #1
Tilted
iptables firewall
Anyone have any experience with setting up a minimalist iptables firewall?
I currently have NAT/masquerade set up, but the machine acting as a firewall is open to the world. What I would like to do is maintain NAT functionality, but block off all incoming traffic on ports other than SSH, web, SSL web, SSL IMAP, etc. Playing around with iptables and the HOWTOs, etc., I seem to keep getting to the point where I'm blocking outgoing traffic, which is not at all desired.
08-17-2003, 11:24 PM | #2
Insane
Location: Plugged In
Here's a very stripped down version of my firewall script below. In my real script, I also clamp down on some outgoing connections. I don't allow IRC connections (ports 6666-6669) to any IRC servers except the Irvingnet servers. I also restrict SMTP connections to only be made to my normal mail server. I also do a little logging, but not a lot.
#!/bin/bash
# IPTABLES Firewall for host
# eth0 is my internal interface
# eth1 is the external interface, public IP from the ISP

# Put your public IP below
ETH1="68.68.68.68"

# Required modules
modprobe iptable_nat
modprobe ip_conntrack_ftp
modprobe ip_conntrack_irc
modprobe ip_nat_ftp

# Flush old rules
/sbin/iptables -F
/sbin/iptables -F -t nat
/sbin/iptables -X

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Set default policies
/sbin/iptables -P FORWARD DROP
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT

# Allow established and related connections
/sbin/iptables -A FORWARD -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Block NetBIOS going out from network and local host.
# NetBIOS name and datagram services are UDP 137/138; the session
# service is TCP 139, so match both protocols.
/sbin/iptables -A FORWARD -i eth0 -o eth1 -p udp --dport 137:138 -j DROP
/sbin/iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 137:139 -j DROP
/sbin/iptables -A OUTPUT -o eth1 -p udp --dport 137:138 -j DROP
/sbin/iptables -A OUTPUT -o eth1 -p tcp --dport 137:139 -j DROP

# Allow all traffic to travel to the outside
/sbin/iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Allow all loopback traffic
/sbin/iptables -A INPUT -i lo -j ACCEPT

# Allow internal network to access the firewall unrestricted
/sbin/iptables -A INPUT -i eth0 -j ACCEPT

# Allow dhcp for external interface
/sbin/iptables -A INPUT -i eth1 -p udp --sport 67 --dport 68 -j ACCEPT

###################################################
# NAT rules
# 192.168.1.3 is a Windows machine on the private internal network

# Turn on NAT for traffic going to eth1
# Although my IP is assigned via DHCP, it NEVER changes. At least
# it hasn't in over a year. NAT is more efficient than masquerading (which
# you should do if the IP changes).
/sbin/iptables -t nat -A POSTROUTING -o eth1 -j SNAT --to $ETH1

# Allow BitTorrent
/sbin/iptables -t nat -A PREROUTING -p udp --dport 6881 -i eth1 -j DNAT --to 192.168.1.3:6881
/sbin/iptables -A FORWARD -p udp -i eth1 -o eth0 -d 192.168.1.3 --dport 6881 -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 6881 -i eth1 -j DNAT --to 192.168.1.3:6881
/sbin/iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.3 --dport 6881 -j ACCEPT

# Allow Yahoo! Messenger webcam
/sbin/iptables -t nat -A PREROUTING -p tcp --dport 5100 -i eth1 -j DNAT --to 192.168.1.3:5100
/sbin/iptables -A FORWARD -p tcp -i eth1 -o eth0 -d 192.168.1.3 --dport 5100 -j ACCEPT

####################################################
# INPUT Chain

# Allow traffic to SSH (on port 22) and ICMP directly to eth1
/sbin/iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -p icmp -j ACCEPT

# Allow port 53 for DNS
# I run a caching DNS server, so I don't have rules allowing
# forwarding for DNS. Just need INPUT for the caching server (THIS MACHINE).
# Restricted to eth0: without -i these rules would also accept queries
# arriving on eth1 and turn the caching server into an open resolver.
/sbin/iptables -A INPUT -i eth0 -p udp --dport 53 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 53 -j ACCEPT

# Accept IDENT requests (ident/auth, 113/tcp)
/sbin/iptables -A INPUT -p tcp -i eth1 --dport 113 -j ACCEPT
####################################################
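As an added example (my own script, not code from either poster), here is a minimal rule set that does exactly what the first post asks for: NAT for the LAN, the firewall itself reachable from outside only on SSH, HTTP, HTTPS and IMAPS, and nothing outgoing blocked. The interface names, the LAN range and the port list are assumptions to adjust. The usual cause of the "I'm blocking outgoing traffic" symptom is a DROP policy on OUTPUT, or a DROP policy on FORWARD with no rule letting ESTABLISHED,RELATED replies back in, so both are spelled out. MASQUERADE is used instead of the SNAT in the script above because it keeps working when the ISP hands out a new address. Running the script with `show` prints the rules through echo instead of loading them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Minimal NAT + "closed to the world" firewall. Added example; interface
# names, LAN range and the list of services are assumptions to adjust.
WAN="${WAN:-eth1}"                   # interface facing the ISP
LAN="${LAN:-eth0}"                   # interface facing the private network
LAN_NET="${LAN_NET:-192.168.1.0/24}" # private range behind the firewall
TCP_IN="${TCP_IN:-22 80 443 993}"    # ssh, http, https, imaps on the firewall

# The binary to run. Set IPT=echo (or use the "show" argument) to print
# the rule set instead of loading it, which needs no root.
IPT="${IPT:-/sbin/iptables}"

fw_rules() {
    _ipt="${1:-$IPT}"
    $_ipt -F
    $_ipt -F -t nat
    $_ipt -X

    # Default deny for traffic to the firewall and traffic routed through it.
    # OUTPUT stays ACCEPT: setting it to DROP, or dropping in FORWARD without
    # the ESTABLISHED,RELATED rules below, is what breaks outgoing traffic.
    $_ipt -P INPUT DROP
    $_ipt -P FORWARD DROP
    $_ipt -P OUTPUT ACCEPT

    # Loopback, plus replies to connections that were already allowed.
    $_ipt -A INPUT -i lo -j ACCEPT
    $_ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $_ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Never accept our own LAN range or broken state from the outside.
    $_ipt -A INPUT -i "$WAN" -m state --state INVALID -j DROP
    $_ipt -A INPUT -i "$WAN" -s "$LAN_NET" -j DROP

    # The LAN may reach the firewall and may go out through it.
    $_ipt -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
    $_ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT

    # Only these services on the firewall are reachable from the Internet.
    for p in $TCP_IN; do
        $_ipt -A INPUT -i "$WAN" -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done

    # Enough ICMP to keep ping and path MTU discovery working.
    $_ipt -A INPUT -i "$WAN" -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    $_ipt -A INPUT -i "$WAN" -p icmp --icmp-type fragmentation-needed -j ACCEPT

    # Log (rate limited) what the INPUT policy is about to drop.
    $_ipt -A INPUT -i "$WAN" -m limit --limit 10/min -j LOG --log-prefix "fw-drop: "

    # Masquerade rather than SNAT so a changing ISP address keeps working.
    $_ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Number of INPUT rules that open a TCP port on $WAN; lets the rule set be
# checked without loading it (one per entry in TCP_IN).
count_wan_tcp_accepts() {
    fw_rules echo | grep -c -- "-A INPUT -i $WAN -p tcp --dport .* -j ACCEPT"
}

case "${1:-}" in
    apply)
        [ "$(id -u)" -eq 0 ] || { echo "apply needs root" >&2; exit 1; }
        echo 1 > /proc/sys/net/ipv4/ip_forward
        fw_rules "$IPT"
        ;;
    show)
        fw_rules echo
        ;;
esac
```

Review the output of `sh fw.sh show` first, then load it with `sudo sh fw.sh apply` and confirm with `iptables -L -v -n` that the counters on the ESTABLISHED,RELATED rules climb while you browse from a LAN machine; if they stay at zero, the conntrack modules are not loaded and outgoing replies are being dropped by the FORWARD policy. Port forwards for a machine on the LAN, as in the script above, go in as a PREROUTING DNAT plus a matching FORWARD accept, before the FORWARD policy catches them.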
08-18-2003, 12:03 AM | #3
Irresponsible
Heh, well, a good place to start is http://easyfwgen.morizot.net/gen/; it'll build you a basic script.
__________________
I am Jack's signature.
Tags: firewall, iptables