[plug] Iptables Firewall

Brad Campbell brad at seme.com.au
Mon Dec 9 16:28:12 WST 2002 

G'day all,
With the office ADSL line pending (It was due last week), I thought it
was high time I upgraded the old gateway machine from 2.2.20 to 2.4.20
and at the same time write up a new firewall using iptables.
If this firewall is not a complete cock up, then I have to say iptables is
a quantum leap from ipchains :p)


Anyway, inlined for your critical eyes is my new firewall script.
It passes the cursory web based port scanner at grc.com anyway.

At the moment, the world is on ppp0, soon to be eth1 and the office
net 192.168.0.0/24 is on eth0.

Critisisim welcome.


#!/bin/sh
#
# Local Interface
# This is the interface that is your link to the world
                        
IF="ppp0"
                        
# Internal Interface
# This is the interface for your local network
# NOTE: INTERNALNET is a *network* address. All host bits should be 0 
                        
INTERNALNET="192.168.0.0/16"
SEME="192.168.0.0/24"
DEFENCE="192.168.1.0/24"
ROUTER="192.168.0.100"
PRINTER="192.168.0.10"
MAX="192.168.0.1"
                        
#------------------------------------------------------- Variable  definition - #
# Set the location of iptables.
                        
IPTABLES="/sbin/iptables"
                        
echo "IF: $IF"
                        
# -------------------------------------- Flush everything, start from scratch - 
                        
echo -n "Flushing rulesets..."
                        
$IPTABLES --flush
$IPTABLES --table nat --flush
$IPTABLES --delete-chain
$IPTABLES --table nat --delete-chain 
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT 
                       
echo -n "..."
echo "Done!"
                        
# ---------------------------------- Allow all connections within the network - 
                        
echo -n "Internal..."
$IPTABLES -A INPUT -i eth0 -p all -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p all -j ACCEPT
echo -n "..."
echo "Done!"
                        
# -------------------------------------------------- Allow loopback interface - 
                        
echo -n "Loopback..."
$IPTABLES -A INPUT -i lo -p all -j ACCEPT
$IPTABLES -A OUTPUT -o lo -p all -j ACCEPT
echo -n "..."
echo "Done!"
                        
#--------------------------------------------------------------Masquerading - 

echo -n "Masquerading..."

# Allow DNS requests from MAX
$IPTABLES -A FORWARD -p tcp -s $MAX --dport 53 -j ACCEPT
$IPTABLES -A FORWARD -p udp -s $MAX --dport 53 -j ACCEPT

# block direct DNS requests from inside
$IPTABLES -A FORWARD -p tcp -s $INTERNALNET --dport 53 -j REJECT
$IPTABLES -A FORWARD -p udp -s $INTERNALNET --dport 53 -j REJECT

# masquerade all internal IP's going outside

$IPTABLES -t nat -A POSTROUTING -s $DEFENCE -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $ROUTER -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $PRINTER -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s $MAX -j MASQUERADE

echo -n "..."
echo "Done!"

                        
# --------------------- Misc port blocks - 
                        
echo -n "Opening Services .."

echo -n "SSH." 
$IPTABLES -A INPUT -p tcp -i $IF --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p udp -i $IF --dport 22 -j ACCEPT

#echo -n "SMTP."
#$IPTABLES -A INPUT -p tcp -i $IF --dport 25 -j ACCEPT
#$IPTABLES -A INPUT -p udp -i $IF --dport 25 -j ACCEPT

echo -n "..."
echo "Done!"

echo -n "Blocking all other ports..."
echo -n "..."

$IPTABLES -A INPUT -i $IF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp --tcp-option ! 2 -j DROP
echo -n "..."
echo "Done!"


#allow the forwarding to begin
echo 1 > /proc/sys/net/ipv4/ip_forward
echo ""
echo "Finished Establishing Firewall."


-- 
Brad....
                   /"\
Save the Forests   \ /     ASCII RIBBON CAMPAIGN
Burn a Greenie.     X      AGAINST HTML MAIL
                   / \

More information about the plug mailing list