Firewall Wizards mailing list archives
Big Question
From: Chris Malott <chrismalott () chameleonweb net>
Date: Tue, 31 Oct 2000 15:10:57 -0800
I just upgraded to kern 2.4.0-test9 due to my wish to use iptables. Here is my iptables configuration file. For some reason I can't get it to port forward. Any help is greatly appreciated. And Yes I'm a newbie to iptables #!/bin/sh ################################################################## # ## rc.firewall.iptables # ################################################################## ## Variables IPTABLES="/usr/local/bin/iptables" INTERNAL="eth1" # Internal Interface EXTERNAL="eth0" # External Interface ## Flush Built-in Rules $IPTABLES -F $IPTABLES -F INPUT $IPTABLES -F OUTPUT $IPTABLES -F FORWARD $IPTABLES -F -t mangle $IPTABLES -X ## Set Default Policies $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT ACCEPT $IPTABLES -P FORWARD ACCEPT ## Special Chains First, INPUT/OUTPUT chains will follow ############################################################################ # ## Special Chains ############################################################################ # ############################################################################ # ## Special chain KEEP_STATE to handle incoming, outgoing, and ## established connections. $IPTABLES -N KEEP_STATE $IPTABLES -F KEEP_STATE ## ACCEPT certain packets which are starting a new connection or are ## related to an established connection. ## ACCEPT packets whose input interface is anything but the external interface. $IPTABLES -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT $IPTABLES -A KEEP_STATE -i ! $EXTERNAL -m state --state NEW -j ACCEPT ## DROP packets associated with a NEW or "INVALID" connection. ## DROP TCP packets with only the SYN, SYN/URG, or SYN/PUSH flag set, ## perhaps a bit redundant. $IPTABLES -A KEEP_STATE -i $EXTERNAL -m state --state INVALID,NEW -j DROP $IPTABLES -A KEEP_STATE -i $EXTERNAL -p tcp --tcp-flags SYN,ACK SYN -j DROP ############################################################################ # ## Special chain CHECK_FLAGS that will DROP and log TCP packets with certain ## TCP flags set. ## We set some limits here to limit the amount of crap that gets sent to the logs. ## Keep in mind that the first dozen rules should never match normal traffic, these ## rules are designed to capture obviously messed up packets... But there's ## alot of wierd shit out there, so who knows. $IPTABLES -N CHECK_FLAGS $IPTABLES -F CHECK_FLAGS $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NMAP-XMAS:" ## NMAP Stuff $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "Merry XMAS:" $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:" $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:" $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:" $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:" $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP ## Make some types of port scanning annoyingly slow, also provides some protection ## against certain DoS attacks. Adjust for your network. The rule in chain ## KEEP_STATE referring to the INVALID state should catch most TCP packets with ## the RST or FIN bits set that aren't associate with an established connection. ## Still, these will limit the amount of stuff that is accepted through our open ports. #$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL RST -j ACCEPT #$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL FIN -j ACCEPT #$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL SYN -j ACCEPT ############################################################################ # ## Firewall Input Chains ############################################################################ # ############################################################################ # ## New chain for input to the external interface $IPTABLES -N EXTERNAL-input $IPTABLES -F EXTERNAL-input # Flush chain ## Just DROP all unroutables. ## Since we're on Roger's cable network, there are some legitimate ## unroutables out there, so some of these remain commented for now. (fuqed) $IPTABLES -A EXTERNAL-input -i $EXTERNAL -s 10.0.0.0/8 -j DROP $IPTABLES -A EXTERNAL-input -i $EXTERNAL -d 10.0.0.0/8 -j DROP $IPTABLES -A EXTERNAL-input -i $EXTERNAL -s 172.16.0.0/12 -j DROP $IPTABLES -A EXTERNAL-input -i $EXTERNAL -d 172.16.0.0/12 -j DROP $IPTABLES -A EXTERNAL-input -i $EXTERNAL -s 192.168.0.0/16 -j DROP $IPTABLES -A EXTERNAL-input -i $EXTERNAL -d 192.168.0.0/16 -j DROP $IPTABLES -A EXTERNAL-input -i $EXTERNAL -d 224.0.0.0/8 -j DROP ## Check TCP packets coming in on the external interface for wierd flags $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -j CHECK_FLAGS ## These next few serve to block particular ports on the external interface. ## Usually to confine the use of certain services or daemons. ## These are sometimes usefull. ## NFS, X, VNC, SMB, blah blah # $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 137:139 -j DROP # $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 137:139 -j DROP # $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 1433 -j DROP # $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 1433 -j DROP # $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 2049 -j DROP # $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 2049 -j DROP # $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5432 -j DROP # $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5432 -j DROP # $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP # $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5999:6010 -j DROP # $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP # $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport 5900:5910 -j DROP ## ALLOW foreign machines to access certain services. $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 --dport 20 -j ACCEPT $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 --dport 21 -j ACCEPT $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 --dport 80 -j ACCEPT $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 --dport 443 -j ACCEPT $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 --dport 25 -j ACCEPT $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 --dport 22 -j ACCEPT $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 --dport 110 -j ACCEPT $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 --dport 53 -j ACCEPT $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 --dport 110 -j ACCEPT $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 --dport 113 -j REJECT ## ICMP Stuff, we're going to allow some ICMP. ## DROP fragmented ICMP packets(sure, why not) ## This will only catch the second and further fragments. $IPTABLES -A EXTERNAL-input -i $EXTERNAL -f -p icmp -j DROP ## Echo Reply (pong) $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 0 -j ACCEPT ## Destination Unreachable (blah) $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 3 -j ACCEPT ## Echo Request (ping) -- Comment this if you don't like to be pinged # $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -j ACCEPT $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT ## TTL Exceeded (traceroute) $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 11 -j ACCEPT ## DROP all icmp network broadcasts ## This may actually break things in a few cases $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp -d 224.0.0.0/8 -j DROP ############################################################################ # ## New chain for input to the internal interface $IPTABLES -N INTERNAL-input $IPTABLES -F INTERNAL-input ## ACCEPT internal to internal traffic $IPTABLES -A INTERNAL-input -i $INTERNAL -s 192.168.0.0/16 -d 0/0 -j ACCEPT ## DROP anything not coming from the internal network $IPTABLES -A INTERNAL-input -i $INTERNAL -s ! 192.168.0.0/16 -d 0/0 -j DROP ############################################################################ # ## New chain for input to the loopback interface $IPTABLES -N lo-input $IPTABLES -F lo-input ## Accept packets to the loopback interface $IPTABLES -A lo-input -i lo -j ACCEPT ############################################################################ # ## Firewall Output Chains ############################################################################ # ############################################################################ # ## New chain for output from the external interface $IPTABLES -N EXTERNAL-output $IPTABLES -F EXTERNAL-output ## ACCEPT outgoing packets on the external interface $IPTABLES -A EXTERNAL-output -o $EXTERNAL -j ACCEPT ## Just DROP all outgoing unroutables. $IPTABLES -A EXTERNAL-output -o $EXTERNAL -s 10.0.0.0/8 -j DROP $IPTABLES -A EXTERNAL-output -o $EXTERNAL -d 10.0.0.0/8 -j DROP $IPTABLES -A EXTERNAL-output -o $EXTERNAL -s 172.16.0.0/12 -j DROP $IPTABLES -A EXTERNAL-output -o $EXTERNAL -d 172.16.0.0/12 -j DROP $IPTABLES -A EXTERNAL-output -o $EXTERNAL -s 192.168.0.0/16 -j DROP $IPTABLES -A EXTERNAL-output -o $EXTERNAL -d 192.168.0.0/16 -j DROP $IPTABLES -A EXTERNAL-output -o $EXTERNAL -d 224.0.0.0/8 -j DROP ############################################################################ # ## New chain for output across the internal interface $IPTABLES -N INTERNAL-output $IPTABLES -F INTERNAL-output ## ACCEPT all outbound traffic across the internal interfaces $IPTABLES -A INTERNAL-output -o $INTERNAL -j ACCEPT ############################################################################ # ## New chain for output across the loopback device $IPTABLES -N lo-output $IPTABLES -F lo-output ## ACCEPT all traffic across loopback device $IPTABLES -A lo-output -o lo -j ACCEPT ############################################################################ # ## Main Stuff ############################################################################ # ## Jumping to our INPUT chains. $IPTABLES -A INPUT -i $INTERNAL -j INTERNAL-input $IPTABLES -A INPUT -i $EXTERNAL -j EXTERNAL-input $IPTABLES -A INPUT -i lo -j lo-input ## Jump to KEEP_STATE to accept packets that are part of an established ## connection, and DROP packets that may be trying to establish a new connection. $IPTABLES -A INPUT -i $EXTERNAL -j KEEP_STATE # $IPTABLES -A FORWARD -o $INTERNAL -p tcp -d 192.168.1.1 -j ACCEPT $IPTABLES -A FORWARD -j KEEP_STATE ## Jump to our OUTPUT chains. $IPTABLES -A OUTPUT -o $INTERNAL -j INTERNAL-output $IPTABLES -A OUTPUT -o $EXTERNAL -j EXTERNAL-output $IPTABLES -A OUTPUT -o lo -j lo-output ############################################################################ # ## More Stuff: ############################################################################ # ## Rule to mangle TOS values ## TOS stuff: (type: iptables -m tos -h) ## Minimize-Delay 16 (0x10) ## Maximize-Throughput 8 (0x08) ## Maximize-Reliability 4 (0x04) ## Minimize-Cost 2 (0x02) ## Normal-Service 0 (0x00) ## - Most of these are the RFC 1060/1349 compliant TOS values, yours might vary. ## - The -d 0/0 is a bit redundant. ## - To view mangle table, type: iptables -L -t mangle $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 80 -j TOS --set-tos 8 # 0x08 $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 443 -j TOS --set-tos 16 # 0x10 $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 25 -j TOS --set-tos 16 # 0x10 $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 20 -j TOS --set-tos 16 # 0x10 $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 21 -j TOS --set-tos 16 # 0x10 $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 110 -j TOS --set-tos 16 # 0x10 $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p udp -d 0/0 --dport 22 -j TOS --set-tos 16 # 0x10 ### END FIREWALL RULES ### ## Might be a good idea to keep the NAT stuff in a separate file. ############################################################################ ### ## IPTABLES Network Address Translation(NAT) Rules ############################################################################ ### ####################################################### ## Destination NAT -- (DNAT) ####################################################### extip="xxx.xxx.xxx.xxx" ## Redirect packets headed for certain ports on our external interface to other ## machines on the network. $IPTABLES -A PREROUTING -t nat -p tcp -d $extip --dport 80 -j DNAT --to 192.168.1.2:80 $IPTABLES -A PREROUTING -t nat -p tcp -d $extip --dport 443 -j DNAT --to 192.168.1.2:443 $IPTABLES -A PREROUTING -t nat -p tcp -d $extip --dport 25 -j DNAT --to 192.168.1.2:25 $IPTABLES -A PREROUTING -t nat -p tcp -d $extip --dport 20 -j DNAT --to 192.168.1.2:20 $IPTABLES -A PREROUTING -t nat -p tcp -d $extip --dport 21 -j DNAT --to 192.168.1.2:21 $IPTABLES -A PREROUTING -t nat -p tcp -d $extip --dport 110 -j DNAT --to 192.168.1.2:110 $IPTABLES -A PREROUTING -t nat -p tcp -d $extip --dport 22 -j DNAT --to 192.168.1.2:22 #for internal machines $IPTABLES -A OUTPUT -t nat -p tcp -d $extip --dport 80 -j DNAT --to 192.168.1.2:80 $IPTABLES -A OUTPUT -t nat -p tcp -d $extip --dport 443 -j DNAT --to 192.168.1.2:443 $IPTABLES -A OUTPUT -t nat -p tcp -d $extip --dport 25 -j DNAT --to 192.168.1.2:25 $IPTABLES -A OUTPUT -t nat -p tcp -d $extip --dport 20 -j DNAT --to 192.168.1.2:20 $IPTABLES -A OUTPUT -t nat -p tcp -d $extip --dport 21 -j DNAT --to 192.168.1.2:21 $IPTABLES -A OUTPUT -t nat -p tcp -d $extip --dport 110 -j DNAT --to 192.168.1.2:110 $IPTABLES -A OUTPUT -t nat -p tcp -d $extip --dport 22 -j DNAT --to 192.168.1.2:22 ####################################################### ## Source NAT -- (SNAT/Masquerading) ####################################################### ## Static IP address ## ## Change source address of outgoing packets on external ## interface to our IP address. $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT --to $extip ## Dynamic IP address ## #$IPTABLES -t nat -A POSTROUTING -eth0 -j MASQUERADE ### END NAT RULES ### ############################################################################ ### ## Additional Kernel Configuration ############################################################################ ### ## Adjust for your requirements/preferences. ## Make sure you understand what these things are doing before you uncomment ## any of them. A good place to start would be some of the resources listed ## at the top of this script. ## These are certainly not the only cool things you can tweek in the /proc/sys, ## check out some of the documentation with your Kernel source for more info. ## Brief Explaination: ## - Disable source routing of packets #if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then # for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do # echo 0 > $i; # done #fi ## - Enable rp_filter #if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then # for i in /proc/sys/net/ipv4/conf/*/rp_filter; do # echo 1 > $i; # done #fi ## - Ignore any broadcast icmp echo requests #if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then # echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts #fi ## - Ignore all icmp echo requests on all interfaces #if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_all ]; then # echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all #fi ## - Local port range for TCP/UDP connections #if [ -e /proc/sys/net/ipv4/ip_local_port_range ]; then # echo -e "32768\t61000" > /proc/sys/net/ipv4/ip_local_port_range #fi ## - "Log packets with impossible addresses to kernel log." (ip-sysctl.txt) #if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then # echo 1 > /proc/sys/net/ipv4/conf/all/log_martians #fi ## - Don't accept ICMP redirects #if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then # echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects #fi ## - Don't accept ICMP redirects ## (You may only want to disable on the external interface) #if [ -e /proc/sys/net/ipv4/conf/$EXTERNAL/accept_redirects ]; then # echo 0 > /proc/sys/net/ipv4/conf/$EXTERNAL/accept_redirects #fi ## Additional options for dialup connections with a dynamic ip address ## See: linux/Documentation/networking/ip_dynaddr.txt #if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then # echo 1 > /proc/sys/net/ipv4/ip_dynaddr #fi ## - Enable IP Forwarding if [ -e /proc/sys/net/ipv4/ip_forward ]; then echo 1 > /proc/sys/net/ipv4/ip_forward else echo "Error: /proc/sys/net/ipv4/ip_forward doesn't exist" echo "(That may be a problem)" fi _______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://www.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Big Question Chris Malott (Nov 02)