Firewall Setup

[Jermaine Crawford <faysspv () bellsouth net>]

Well, I think I have the whole single ip problem worked out.  Thank
you guys for the suggestions.  I'm working to get the firewall rules
worked out I think I have everything, but I need to know if I missed
anything blatant. Any improvement suggestions would be appreciated. 
Wasn't totally sure about the limiting connections. Attached is the
current setup.

#!/bin/bash

IPT  = "/sbin/iptables"

INT  =  "ppp0"
LAN_IFACE  = "eth1"
HNY_IFACE = "eth2"
HNY_IP = "x.x.x.x"

#Flushing all Rules
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F         -t nat
$IPT -X

#Setting Default Policies 
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

#Setting up forwarding 
echo 1 > proc/sys/net/ipv4/ip_forward

$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE


$IPT -A FORWARD -i $INT  -d HNY_IP -m state --state NEW, -j log --log-prefix Honeypot:

#Redirecting specific ports to honeypot
$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 21 -j DNAT --to $HNY_IP:21
$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 53 -j DNAT --to $HNY_IP:53
$IPT -t nat -A PREROUTING -i $INT -p udp --dport 53 -j DNAT --to $HNY_IP:53
$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 23 -j DNAT --to $HNY_IP:23
$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 111 -j DNAT --to $HNY_IP:111
$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 25 -j DNAT --to $HNY_IP:25
$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 110 -j DNAT --to $HNY_IP:110

# Accepting the redirected ports on the input table
$IPT -A INPUT -i $INT -d 0/0 -p tcp --dport 21 -j ACCEPT
$IPT -A INPUT -i $INT -d 0/0 -p tcp --dport 23 -j ACCEPT
$IPT -A INPUT -i $INT -d 0/0 -p tcp --dport 25 -j ACCEPT
$IPT -A INPUT -i $INT -d 0/0 -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT -i $INT -d 0/0 -p tcp --dport 110 -j ACCEPT
$IPT -A INPUT -i $INT -d 0/0 -p tcp --dport 111 -j ACCEPT
$IPT -A INPUT -i $INT -d 0/0 -p udp --dport 53 -j ACCEPT

# Accept connections from trusted interface
# and  local interface.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i eth1 -j ACCEPT

# Drop icmp, but only after letting certain types through.
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -P icmp -j DROP

# Setting some basic state-matching.  Allows me 
# to accept related and established connections.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT


#Dropping  windows netbios broadcasts.
$IPT -A INPUT -p udp --sport 135:137  -j DROP

#Creating some test tables to help with debugging
#Remove after testing
$IPT -N testinput
$IPT -A testinput -m limit --limit 20/minute -j LOG --log-prefix testinput:
$IPT -A testinput -j DROP

$IPT -N testoutput
$IPT -A testoutput -m limit --limit 20/minute -j LOG --log-prefix testoutput:
$IPT -A testoutput -j DROP

#Sending all traffic to debugging chains
$IPT -A INPUT -j testinput
$IPT -A OUTPUT -j testoutput

#Logging connection and limiting from honeypot
$IPT -A OUTPUT -s $HNY_IP -m state --state NEW -j LOG --log-prefix Honeypot:
$IPT -A OUTPUT -i eth2 -m limit --limit 6/h -j LOG --log-prefix Honeypot:
$IPT -A OUTPUT -I eth2 -m limit --limit 6/h --limit-burst 6 -j REJECT