Linux Firewall (iptables)
Antonis Sidiropoulos
asidirop at csd.auth.gr
Wed Sep 3 16:26:12 EEST 2003
Profantws eixa steilei ena mail sxetika me ena linux bridge/firewall
pou prospathousa na steisw (OK).
To problhma pou antimetopizw twra einai oti den douleuei panta to ftp
apo ta mixanakia pisw apo to firewall.
Diladi, otan paw na ferw ena arxeio:
* me wget kanei login,CWD kai kolaei sto LIST
* me mozilla (kapou kolaei)
* me paradosiako ftp ola paizoun mia xara.
Ypothetw oti ftaiei to firewall, kai oti stis 2 prwtes periptwseis
den mporei na anagnwrisei oti to neo data stream pou paei na
anoiksei einai related me kapoia hdh establed connection.
Gia to firewalled gateway xrhsimopoiw to iptables.
Mporei kapoios na bohthisei?
Parakatw stelnw to script me to opoio kanw enable to bridge.
Pou den paei kati kala? Kati me ta --syn h' RELATED ypothetw
h' kati me tin seira twn kanonwn???
Euxaristw, kai zhtw sygnwmi apo tin lista pou stelnw olokliro script.
-------------------------------------------
#!/bin/bash
source /etc/init.d/functions
source /etc/sysconfig/config
IPTABLES="/usr/sbin/iptables"
BR_IP="xxx.yyy.xxx.yyy"
BR_IFACE=br0
LAN_BCAST_ADDRESS="xxx.yyy.xxx.255"
INTERNAL_ADDRESS_RANGE=""
INTERNAL_ADDRESSES="xxx.xxx.xxx.xxx yyy.yyy.yyy.yyy" # ena-ena ola ta
IPs pisw apo to firewall
INET_IFACE="eth1"
LAN_IFACE="eth0"
LO_IFACE="lo"
LO_IP="127.0.0.1"
SERVER_IP="ppp.ppp.ppp.ppp"
ifconfig $INET_IFACE down
ifconfig $LAN_IFACE down
ifconfig $INET_IFACE 0.0.0.0
ifconfig $LAN_IFACE 0.0.0.0
# Clean up for a restart
$IPTABLES -F
$IPTABLES -X
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -t mangle -A PREROUTING -j ACCEPT
#Next we create a bridge and assign the Ethernet interfaces to it.
brctl addbr $BR_IFACE
brctl addif $BR_IFACE $INET_IFACE
brctl addif $BR_IFACE $LAN_IFACE
if [ "$BR_IP" != "" ] ; then
ifconfig $BR_IFACE $BR_IP netmask 255.255.255.0 broadcast
155.207.113.255
else
ifconfig $BR_IFACE up
fi
if [ "$DEFAULTGATEWAY" != "" ]; then
echo -n "Setting up routing for $INET_IFACE interface"
route add default gateway $DEFAULTGATEWAY netmask 0.0.0.0 # metric 1
dev $INET_IFACE
evaluate_retval
fi
echo "1" > /proc/sys/net/ipv4/ip_forward
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -t mangle -A PREROUTING -j ACCEPT
#
# Block obvious spoofs
$IPTABLES -t mangle -A PREROUTING -s 192.168.0.0/16 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 10.0.0.0/8 -j DROP
$IPTABLES -t mangle -A PREROUTING -s 172.16.0.0/12 -j DROP
# Accept internal packets on the internal i/f
# Accept external packets on the external i/f
if [ "$INTERNAL_ADDRESS_RANGE" != "" ]; then
$IPTABLES -t mangle -A PREROUTING -i $LAN_IFACE -s
$INTERNAL_ADDRESS_RANGE -j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE ! -s
$INTERNAL_ADDRESS_RANGE -j ACCEPT
else
for IP_ADDRESS in $INTERNAL_ADDRESSES; do
$IPTABLES -t mangle -A PREROUTING -i $LAN_IFACE -s $IP_ADDRESS
-j ACCEPT
$IPTABLES -t mangle -A PREROUTING -i $INET_IFACE -s $IP_ADDRESS
-j DROP
done
fi
#
# Accept the packets from internal I/F
if [ "$INTERNAL_ADDRESS_RANGE" != "" ]; then
$IPTABLES -A FORWARD -p ALL -s $INTERNAL_ADDRESS_RANGE -j ACCEPT
else
for IP_ADDRESS in $INTERNAL_ADDRESSES; do
$IPTABLES -A FORWARD -p ALL -s $IP_ADDRESS -j ACCEPT
done
fi
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG
--log-level 7 --log-prefix "IPT FORWARD packet died: "
#
# UDP ports
#
$IPTABLES -N udpincoming_packets
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j
ACCEPT # DNS
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j
ACCEPT # ntp
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j
ACCEPT #icq
$IPTABLES -A FORWARD -p UDP -j udpincoming_packets
$IPTABLES -N tcp_packets
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp --destination-port 465 -m state --state NEW
-j ACCEPT
$IPTABLES -A FORWARD -p tcp --destination-port 25 -m state --state NEW
-j ACCEPT
$IPTABLES -A FORWARD -p tcp -d $SERVER_IP --destination-port 80 -m state
--state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d $SERVER_IP --destination-port 443 -m
state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d $SERVER_IP --destination-port 993 -m
state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -d $SERVER_IP --destination-port 22 -m state
--state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp --destination-port 53 -m state --state NEW
-j ACCEPT
$IPTABLES -A FORWARD -p udp --destination-port 123 -m state --state NEW
-j ACCEPT
#
# The allowed chain for TCP connections
#
$IPTABLES -N allowed
$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP
#
# Bad TCP packets we don't want
#
$IPTABLES -A tcp_packets -p tcp ! --syn -m state --state NEW -j LOG
--log-prefix "New not syn:"
$IPTABLES -A tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPTABLES -A tcp_packets -p TCP -s 0/0 -d $SERVER_IP --dport 80 -j
allowed # smtp
$IPTABLES -A tcp_packets -p TCP -s 0/0 -d $SERVER_IP --dport 25 -j
allowed # smtp
$IPTABLES -A FORWARD -p TCP -j tcp_packets
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -d $LO_IP -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG
--log-level 7 --log-prefix "IPT INPUT packet died: "
More information about the Linux-greek-users
mailing list