Home page logo
/

firewall-wizards logo Firewall Wizards mailing list archives

Big Question
From: Chris Malott <chrismalott () chameleonweb net>
Date: Tue, 31 Oct 2000 15:10:57 -0800

I just upgraded to kern 2.4.0-test9 due to my wish to use iptables.

Here is my iptables configuration file. For some reason I can't get it to
port forward.

Any help is greatly appreciated. And Yes I'm a newbie to iptables

#!/bin/sh

##################################################################
#
## rc.firewall.iptables
#
##################################################################

## Variables
IPTABLES="/usr/local/bin/iptables"
INTERNAL="eth1"            # Internal Interface
EXTERNAL="eth0"            # External Interface

## Flush Built-in Rules
$IPTABLES -F
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
$IPTABLES -F -t mangle
$IPTABLES -X

## Set Default Policies
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

## Special Chains First, INPUT/OUTPUT chains will follow

############################################################################
#
## Special Chains
############################################################################
#

############################################################################
#
## Special chain KEEP_STATE to handle incoming, outgoing, and
## established connections.

    $IPTABLES -N KEEP_STATE
    $IPTABLES -F KEEP_STATE

    ## ACCEPT certain packets which are starting a new connection or are
    ##   related to an established connection.
    ## ACCEPT packets whose input interface is anything but the external
interface.

    $IPTABLES -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPTABLES -A KEEP_STATE -i ! $EXTERNAL -m state --state NEW -j ACCEPT

    ## DROP packets associated with a NEW or "INVALID"  connection.
    ## DROP TCP packets with only the SYN, SYN/URG, or SYN/PUSH flag set,
    ## perhaps a bit redundant.

    $IPTABLES -A KEEP_STATE -i $EXTERNAL -m state --state INVALID,NEW -j
DROP
    $IPTABLES -A KEEP_STATE -i $EXTERNAL -p tcp --tcp-flags SYN,ACK SYN -j
DROP


############################################################################
#
## Special chain CHECK_FLAGS that will DROP and log TCP packets with certain
## TCP flags set.

## We set some limits here to limit the amount of crap that gets sent to the
logs.
## Keep in mind that the first dozen rules should never match normal
traffic, these
## rules are designed to capture obviously messed up packets... But there's
## alot of wierd shit out there, so who knows.

    $IPTABLES -N CHECK_FLAGS
    $IPTABLES -F CHECK_FLAGS

    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit
--limit 5/minute -j LOG --log-level 1 --log-prefix "NMAP-XMAS:"  ## NMAP
Stuff
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit --limit
5/minute -j LOG --log-level 1 --log-prefix "Merry XMAS:"
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m
limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j
DROP
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit --limit
5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit
--limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit
--limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
    $IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

    ## Make some types of port scanning annoyingly slow, also provides some
protection
    ## against certain DoS attacks. Adjust for your network. The rule in
chain
    ## KEEP_STATE referring to the INVALID state should catch most TCP
packets with
    ## the RST or FIN bits set that aren't associate with an established
connection.
    ## Still, these will limit the amount of stuff that is accepted through
our open ports.

    #$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags
ALL RST -j ACCEPT
    #$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags
ALL FIN -j ACCEPT
    #$IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags
ALL SYN -j ACCEPT


############################################################################
#
## Firewall Input Chains
############################################################################
#

############################################################################
#
## New chain for input to the external interface

    $IPTABLES -N EXTERNAL-input
    $IPTABLES -F EXTERNAL-input  # Flush chain

## Just DROP all unroutables.
## Since we're on Roger's cable network, there are some legitimate
## unroutables out there, so some of these remain commented for now. (fuqed)

    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -s 10.0.0.0/8 -j DROP
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -d 10.0.0.0/8 -j DROP

    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -s 172.16.0.0/12 -j DROP
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -d 172.16.0.0/12 -j DROP

    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -s 192.168.0.0/16 -j DROP
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -d 192.168.0.0/16 -j DROP

    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -d 224.0.0.0/8 -j DROP

## Check TCP packets coming in on the external interface for wierd flags
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -j CHECK_FLAGS

## These next few serve to block particular ports on the external interface.
## Usually to confine the use of certain services or daemons.
## These are sometimes usefull.

    ## NFS, X, VNC, SMB, blah blah
#    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport
137:139 -j DROP
#    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport
137:139 -j DROP
#    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport
1433 -j DROP
#    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport
1433 -j DROP
#    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport
2049 -j DROP
#    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport
2049 -j DROP
#    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport
5432 -j DROP
#    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport
5432 -j DROP
#    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport
5999:6010 -j DROP
#    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport
5999:6010 -j DROP
#    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 -d 0/0 --dport
5900:5910 -j DROP
#    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 -d 0/0 --dport
5900:5910 -j DROP

## ALLOW foreign machines to access certain services.
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 --dport 20 -j
ACCEPT
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 --dport 21 -j
ACCEPT
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 --dport 80 -j
ACCEPT
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 --dport 443 -j
ACCEPT
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 --dport 25 -j
ACCEPT
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 --dport 22 -j
ACCEPT
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p udp -s 0/0 --dport 110 -j
ACCEPT
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 --dport 53 -j
ACCEPT
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 --dport 110 -j
ACCEPT
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -s 0/0 --dport 113 -j
REJECT

## ICMP Stuff, we're going to allow some ICMP.

    ## DROP fragmented ICMP packets(sure, why not)
    ## This will only catch the second and further fragments.
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -f -p icmp -j DROP

    ## Echo Reply (pong)
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 0 -j ACCEPT

    ## Destination Unreachable (blah)
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 3 -j ACCEPT

    ## Echo Request (ping) -- Comment this if you don't like to be pinged
#    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -j
ACCEPT
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -m limit
--limit 1/second -j ACCEPT

    ## TTL Exceeded (traceroute)
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 11 -j
ACCEPT

    ## DROP all icmp network broadcasts
    ## This may actually break things in a few cases
    $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp -d 224.0.0.0/8 -j DROP

############################################################################
#
## New chain for input to the internal interface

    $IPTABLES -N INTERNAL-input
    $IPTABLES -F INTERNAL-input

## ACCEPT internal to internal traffic
    $IPTABLES -A INTERNAL-input -i $INTERNAL -s 192.168.0.0/16 -d 0/0 -j
ACCEPT

## DROP anything not coming from the internal network
    $IPTABLES -A INTERNAL-input -i $INTERNAL -s ! 192.168.0.0/16 -d 0/0 -j
DROP


############################################################################
#
## New chain for input to the loopback interface

    $IPTABLES -N lo-input
    $IPTABLES -F lo-input

## Accept packets to the loopback interface
    $IPTABLES -A lo-input -i lo -j ACCEPT


############################################################################
#
## Firewall Output Chains
############################################################################
#

############################################################################
#
## New chain for output from the external interface

    $IPTABLES -N EXTERNAL-output
    $IPTABLES -F EXTERNAL-output

## ACCEPT outgoing packets on the external interface
    $IPTABLES -A EXTERNAL-output -o $EXTERNAL -j ACCEPT

## Just DROP all outgoing unroutables.
    $IPTABLES -A EXTERNAL-output -o $EXTERNAL -s 10.0.0.0/8 -j DROP
    $IPTABLES -A EXTERNAL-output -o $EXTERNAL -d 10.0.0.0/8 -j DROP

    $IPTABLES -A EXTERNAL-output -o $EXTERNAL -s 172.16.0.0/12 -j DROP
    $IPTABLES -A EXTERNAL-output -o $EXTERNAL -d 172.16.0.0/12 -j DROP

    $IPTABLES -A EXTERNAL-output -o $EXTERNAL -s 192.168.0.0/16 -j DROP
    $IPTABLES -A EXTERNAL-output -o $EXTERNAL -d 192.168.0.0/16 -j DROP

    $IPTABLES -A EXTERNAL-output -o $EXTERNAL -d 224.0.0.0/8 -j DROP


############################################################################
#
## New chain for output across the internal interface

    $IPTABLES -N INTERNAL-output
    $IPTABLES -F INTERNAL-output

## ACCEPT all outbound traffic across the internal interfaces
    $IPTABLES -A INTERNAL-output -o $INTERNAL -j ACCEPT


############################################################################
#
## New chain for output across the loopback device

    $IPTABLES -N lo-output
    $IPTABLES -F lo-output

## ACCEPT all traffic across loopback device
    $IPTABLES -A lo-output -o lo -j ACCEPT


############################################################################
#
## Main Stuff
############################################################################
#

## Jumping to our INPUT chains.
    $IPTABLES -A INPUT -i $INTERNAL -j INTERNAL-input
    $IPTABLES -A INPUT -i $EXTERNAL -j EXTERNAL-input
    $IPTABLES -A INPUT -i lo -j lo-input

## Jump to KEEP_STATE to accept packets that are part of an established
## connection, and DROP packets that may be trying to establish a new
connection.
    $IPTABLES -A INPUT -i $EXTERNAL -j KEEP_STATE
#    $IPTABLES -A FORWARD -o $INTERNAL -p tcp -d 192.168.1.1 -j ACCEPT
    $IPTABLES -A FORWARD -j KEEP_STATE

## Jump to our OUTPUT chains.
    $IPTABLES -A OUTPUT -o $INTERNAL -j INTERNAL-output
    $IPTABLES -A OUTPUT -o $EXTERNAL -j EXTERNAL-output
    $IPTABLES -A OUTPUT -o lo -j lo-output


############################################################################
#
## More Stuff:
############################################################################
#

## Rule to mangle TOS values
## TOS stuff: (type: iptables -m tos -h)
## Minimize-Delay 16 (0x10)
## Maximize-Throughput 8 (0x08)
## Maximize-Reliability 4 (0x04)
## Minimize-Cost 2 (0x02)
## Normal-Service 0 (0x00)

##   - Most of these are the RFC 1060/1349 compliant TOS values, yours might
vary.
##   - The -d 0/0 is a bit redundant.
##   - To view mangle table, type: iptables -L -t mangle

    $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 80 -j
TOS --set-tos 8    # 0x08
    $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 443 -j
TOS --set-tos 16  # 0x10
    $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 25 -j
TOS --set-tos 16   # 0x10
    $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 20 -j
TOS --set-tos 16   # 0x10
    $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 21 -j
TOS --set-tos 16   # 0x10
    $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p tcp -d 0/0 --dport 110 -j
TOS --set-tos 16  # 0x10
    $IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -p udp -d 0/0 --dport 22 -j
TOS --set-tos 16   # 0x10



### END FIREWALL RULES ###

## Might be a good idea to keep the NAT stuff in a separate file.

############################################################################
###
## IPTABLES Network Address Translation(NAT) Rules
############################################################################
###

#######################################################
## Destination NAT -- (DNAT)
#######################################################
extip="xxx.xxx.xxx.xxx"

## Redirect packets headed for certain ports on our external interface to
other
## machines on the network.

$IPTABLES -A PREROUTING -t nat -p tcp -d $extip --dport 80 -j DNAT --to
192.168.1.2:80
$IPTABLES -A PREROUTING -t nat -p tcp -d $extip --dport 443 -j DNAT --to
192.168.1.2:443
$IPTABLES -A PREROUTING -t nat -p tcp -d $extip --dport 25 -j DNAT --to
192.168.1.2:25
$IPTABLES -A PREROUTING -t nat -p tcp -d $extip --dport 20 -j DNAT --to
192.168.1.2:20
$IPTABLES -A PREROUTING -t nat -p tcp -d $extip --dport 21 -j DNAT --to
192.168.1.2:21
$IPTABLES -A PREROUTING -t nat -p tcp -d $extip --dport 110 -j DNAT --to
192.168.1.2:110
$IPTABLES -A PREROUTING -t nat -p tcp -d $extip --dport 22 -j DNAT --to
192.168.1.2:22

#for internal machines


$IPTABLES -A OUTPUT -t nat -p tcp -d $extip --dport 80 -j DNAT --to
192.168.1.2:80
$IPTABLES -A OUTPUT -t nat -p tcp -d $extip --dport 443 -j DNAT --to
192.168.1.2:443
$IPTABLES -A OUTPUT -t nat -p tcp -d $extip --dport 25 -j DNAT --to
192.168.1.2:25
$IPTABLES -A OUTPUT -t nat -p tcp -d $extip --dport 20 -j DNAT --to
192.168.1.2:20
$IPTABLES -A OUTPUT -t nat -p tcp -d $extip --dport 21 -j DNAT --to
192.168.1.2:21
$IPTABLES -A OUTPUT -t nat -p tcp -d $extip --dport 110 -j DNAT --to
192.168.1.2:110
$IPTABLES -A OUTPUT -t nat -p tcp -d $extip --dport 22 -j DNAT --to
192.168.1.2:22
    
#######################################################
## Source NAT -- (SNAT/Masquerading)
#######################################################

## Static IP address ##
    ## Change source address of outgoing packets on external
    ## interface to our IP address.
    $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT --to $extip
 
## Dynamic IP address ##
    #$IPTABLES -t nat -A POSTROUTING -eth0 -j MASQUERADE
    

### END NAT RULES ###


############################################################################
###
## Additional Kernel Configuration
############################################################################
###

## Adjust for your requirements/preferences.
## Make sure you understand what these things are doing before you uncomment
## any of them. A good place to start would be some of the resources listed
## at the top of this script.

## These are certainly not the only cool things you can tweek in the
/proc/sys,
## check out some of the documentation with your Kernel source for more
info.

## Brief Explaination:

## - Disable source routing of packets
#if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
#    for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
#        echo 0 > $i;
#    done
#fi

## - Enable rp_filter
#if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
#    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
#        echo 1 > $i;
#    done
#fi

## - Ignore any broadcast icmp echo requests
#if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
#    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#fi

## - Ignore all icmp echo requests on all interfaces
#if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_all ]; then
#    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
#fi

## - Local port range for TCP/UDP connections
#if [ -e /proc/sys/net/ipv4/ip_local_port_range ]; then
#    echo -e "32768\t61000" > /proc/sys/net/ipv4/ip_local_port_range
#fi

## - "Log packets with impossible addresses to kernel log." (ip-sysctl.txt)
#if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
#    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#fi

## - Don't accept ICMP redirects
#if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
#    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#fi

## - Don't accept ICMP redirects
## (You may only want to disable on the external interface)
#if [ -e /proc/sys/net/ipv4/conf/$EXTERNAL/accept_redirects ]; then
#    echo 0 > /proc/sys/net/ipv4/conf/$EXTERNAL/accept_redirects
#fi

## Additional options for dialup connections with a dynamic ip address
## See: linux/Documentation/networking/ip_dynaddr.txt
#if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
#    echo 1 > /proc/sys/net/ipv4/ip_dynaddr
#fi

## - Enable IP Forwarding
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
else
    echo "Error: /proc/sys/net/ipv4/ip_forward doesn't exist"
    echo "(That may be a problem)"
fi



_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards


  By Date           By Thread  

Current thread:
  • Big Question Chris Malott (Nov 02)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]