[plug] NAT on a linux box
Daniel Pearson
plug at flashware.net
Tue Feb 18 23:16:41 WST 2003
Ok, this is what I've come up with -- but my box isn't here currently to
test it out on.
Could someone evaluate this for me and tell me if I need to
add/remove/modify anything? It would be *hugely* appreciated.
#!/bin/sh
#
# firewall
#
# Author: Flashware Solutions <contact at flashware.net>
#

# Our interface to the outside world
OUTINT="ppp0"
# The LAN behind this box (masqueraded, allowed to forward out)
LANNET="192.168.1.0/24"
# This many connections per sec on services before we
# start dropping packets (not referenced by any rule yet)
CNPS=3

# Set outside the case so that "stop" can use it too. Quoted so that an
# empty result from which(1) fails the test instead of silently passing it.
CMD="`which iptables`"
if [ ! -x "$CMD" ]; then
    echo "Firewall Startup: Unable to locate iptables"
    exit 1
fi

case "$1" in
start)
    # Setup initial base policies.
    # INPUT stays ACCEPT, so every service listening on this box is reachable
    # from $OUTINT except for what the explicit DROP rules below cover.
    $CMD -F
    $CMD -P INPUT ACCEPT
    $CMD -P FORWARD DROP
    $CMD -P OUTPUT ACCEPT
    # Prevent stale TCP sockets
    echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
    echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
    echo 1 > /proc/sys/net/ipv4/tcp_syncookies
    # Die evil packets! ("unclean" is an experimental match module that not
    # every kernel build has; if it is missing this one rule fails to load)
    $CMD -A INPUT -m unclean -j DROP
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
    echo 129 > /proc/sys/net/ipv4/ip_default_ttl
    echo 0 > /proc/sys/net/ipv4/tcp_ecn
    # Stop automatic rerouting
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
    echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
    # Deny Pings
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    # Start masquerading, but only for what leaves via the outside interface
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/ip_dynaddr
    $CMD -t nat -F
    $CMD -t nat -A POSTROUTING -o "$OUTINT" -j MASQUERADE
    # Forward LAN-originated traffic out, but only let replies to it back in.
    # An unconditional "-d $LANNET -j ACCEPT" would forward anything that
    # arrives on $OUTINT addressed to a LAN host.
    $CMD -A FORWARD -s "$LANNET" -j ACCEPT
    $CMD -A FORWARD -d "$LANNET" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Allow from localhost (all of 127/8 is loopback, not just 127.0.0.0/24)
    $CMD -I INPUT -i lo -s 127.0.0.0/8 -j ACCEPT
    $CMD -I OUTPUT -o lo -d 127.0.0.0/8 -j ACCEPT
    # Kill replies to closed ports
    # no port-unreach
    # EXCEPT auth (113)
    $CMD -A OUTPUT -p tcp --tcp-flags RST RST --sport 113 -j ACCEPT
    $CMD -A OUTPUT -p tcp --tcp-flags RST RST -j DROP
    $CMD -A OUTPUT -p icmp --icmp-type port-unreachable -j DROP
    # Deny X connections from the outside
    $CMD -A INPUT -i "$OUTINT" -p tcp --dport 6000 -j DROP
    # Deny printer connections from the outside
    $CMD -A INPUT -i "$OUTINT" -p tcp --dport 515 -j DROP
    # Deny rpc connections from the outside
    $CMD -A INPUT -i "$OUTINT" -p tcp --dport 111 -j DROP
    ;;
stop)
    echo 0 > /proc/sys/net/ipv4/ip_forward
    $CMD -F
    $CMD -t nat -F
    ;;
restart|reload)
    $0 stop
    $0 start
    ;;
*)
    echo "$0 [start|stop|restart|reload]"
    exit 1
    ;;
esac
Daniel
----- Original Message -----
From: "Brad Campbell" <brad at seme.com.au>
To: <plug at plug.linux.org.au>
Sent: Tuesday, February 18, 2003 1:55 PM
Subject: Re: [plug] NAT on a linux box
> Daniel Pearson wrote:
> > Ok, this is what I want to ultimately achieve: a NAT/Firewall script that
> > can be controlled through /etc/init.d/ (debian)
> > No services other than ppp, ssh, postfix, qpopper, mutt, fetchmail
> > Very simple dial out get the mail and distribute it to mailboxes and to
> > allow workstations to browse the internet
> >
> > Note: IPTables, not IPChains
> >
> > Any ideas at all?
>
> Set up a pair of box*ES*, grab one of Rusty's unreliable guides to
> iptables and experiment until you get the desired result.
> I wanted a firewall for the office, asked the list, got some great
> advice, BUT found I had learned nothing about how iptables actually
> worked and really did not understand what I was typing in.
> SO I grabbed the abovementioned document and went at it. A couple of
> hours later I emerged knowing slightly more than enough to be dangerous
> and actually understanding how it all worked.
>
> Now I can make it do what I want whenever I change some network
> infrastructure here and I'm pretty confident that it works the way I
> want it to.
> An external host and nmap helps a lot here. At a pinch the scanner at
> www.grc.com will give you a very brief rundown.
>
> In this case, the *fine* manual is begging to be read and will help you
> far more than any of us can over such a limiting medium.
>
> Here is where I'd normally post my firewall script, but without me
> explaining the various vpn's and redirects to you, it would make no
> sense and probably confuse you further.
>
> Start with a basic set of rules. Do something like a ping and watch the
> counters with a watch -n 1 iptables -L -v.
> Then you can actually see where the packets go in real time.
> Even set up individual rules for things that are implicitly allowed, and
> you can count the packets to see what is going on and how the firewall
> works.
> I ended up with a stack of rules that are redundant as they match the
> default rule anyway, but my default rule packet counters stay at zero
> and I can account for every single packet crossing the network. If the
> default counters are > 0 then there is something going on I don't know
> about and I need to figure out what it is.
>
>
> Brad
>
>
>
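The counter check Brad describes above, written out as an added example (it is not code from either message in this thread). It reads the output of iptables -L -v -n -x, reports every built-in chain whose default policy has counted packets (traffic no explicit rule accounted for) and lists rules that have matched nothing yet. The function names policy_hits and idle_rules and the listing below are assumptions for the example; the listing is constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example, not from the original thread: offline check of the packet
# counters that `iptables -L -v -n -x` prints.  Every packet should land on an
# explicit rule, so a non-zero counter on a chain's default policy means
# traffic that has not been accounted for.

# Constructed sample of `iptables -L -v -n -x` output (not from a real box).
# -x keeps the counters as exact numbers instead of 23K/1M, which the
# numeric tests below rely on.
SAMPLE='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12        840 ACCEPT     all  --  lo     *       127.0.0.0/8          0.0.0.0/0
       0          0 DROP       tcp  --  ppp0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:6000

Chain FORWARD (policy DROP 7 packets, 420 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     340      23000 ACCEPT     all  --  *      *       0.0.0.0/0            192.168.1.0/24       state RELATED,ESTABLISHED
     210      15200 ACCEPT     all  --  *      ppp0    192.168.1.0/24       0.0.0.0/0

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      12        840 ACCEPT     all  --  *      lo      0.0.0.0/0            127.0.0.0/8'

# policy_hits: read a listing on stdin and print "CHAIN POLICY PACKETS" for
# every built-in chain whose default policy has counted packets.  A header
# looks like "Chain FORWARD (policy DROP 7 packets, 420 bytes)", so the
# policy is field 4 and the packet count field 5.  User-defined chains show
# "(N references)" instead and are skipped by the field-3 test.
policy_hits() {
    awk '$1 == "Chain" && $3 == "(policy" && $5 + 0 > 0 { print $2, $4, $5 }'
}

# idle_rules: print every rule whose packet counter is still zero, with the
# two counter columns stripped.  A rule that never matches is either
# redundant or guards against something that has not been tested yet.
idle_rules() {
    awk '$1 ~ /^[0-9]+$/ && $1 + 0 == 0 { $1 = ""; $2 = ""; sub(/^ +/, ""); print }'
}

# Run both checks over the sample.  On a live box, as root, pipe the real
# listing in instead:  iptables -L -v -n -x | policy_hits
echo "Policies that have caught packets:"
printf '%s\n' "$SAMPLE" | policy_hits
echo "Rules that have matched nothing yet:"
printf '%s\n' "$SAMPLE" | idle_rules
```

On the sample the FORWARD policy reports 7 dropped packets, which is exactly the "something going on I don't know about" case: the next step is to add a rule (or a LOG rule) narrow enough to catch them so the policy counter returns to zero. Run it under watch -n 1 while generating test traffic from an external host to see the counters move.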