#!/bin/sh
#
# rc.firewall 0.2.5
# written by piewie
#
#----------------------------------------------------------------------------
# section I - load necessary modules
#----------------------------------------------------------------------------
# Kernel pieces the rules below depend on: the filter table, connection
# tracking (the "-m state" matches), the FTP/IRC tracking helpers, and NAT.
# Modules are loaded in the original order; as before there is no "set -e",
# so a failing modprobe (module built in / missing) does not stop the script.
for kmod in ip_tables ip_conntrack ip_conntrack_ftp ip_conntrack_irc \
            iptable_nat ip_nat_ftp; do
    /sbin/modprobe "$kmod"
done
# Route between the interfaces (the LAN on eth1 is masqueraded out via ppp0
# in section VI).
echo 1 > /proc/sys/net/ipv4/ip_forward
# ip_dynaddr: kernel support for links whose address changes after the
# connection was started -- presumably set for the dial-up ppp0 link; keep.
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
#
#----------------------------------------------------------------------------
# section II : delete old rules and set new standard policy :
#----------------------------------------------------------------------------
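# Set the default policies to DROP *before* flushing, so nothing slips
# through in the window between the flush and the rules appended below.
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# Flush the filter table AND the nat table: section VI appends to nat
# PREROUTING/POSTROUTING, and a plain "iptables -F" only touches the filter
# table, so every re-run of this script used to stack another duplicate
# DNAT/MASQUERADE entry. -X removes user-defined chains (none are created
# here, but a leftover from an earlier version would otherwise survive).
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X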
#
#----------------------------------------------------------------------------
# section III : general rules
#----------------------------------------------------------------------------
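# loopback network interface -- local IPC over lo is trusted; match it first
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#
# Reply traffic is decided by the connection tracker (ip_conntrack is loaded
# in section I and already used by the FORWARD rules in section VI).
# The original reply rules were stateless "--sport 53/80/443 --dport 1024:
# ! --syn" matches: any non-SYN segment sent from source port 80 reached
# every unprivileged local port, whether or not a connection existed
# (ACK/FIN scans, firewalking, and access to anything listening above
# 1024). ESTABLISHED/RELATED only accepts packets that belong to a flow this
# host opened, and the same two rules also cover the reply legs of the
# services allowed in section IV. INVALID (no flow, bad TCP state) is
# dropped here without logging.
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# dns (Domain Name Service). The original accepted answers only from this
# single resolver (presumably the provider's -- confirm it is still the
# nameserver in /etc/resolv.conf), so in practice no other resolver worked;
# the same restriction is now applied to the outgoing query instead.
DNS_SERVER=194.25.2.129
iptables -A OUTPUT -p udp -d "$DNS_SERVER" --sport 1024: --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -d "$DNS_SERVER" --sport 1024: --dport 53 -j ACCEPT
#
# http ( Hyper Text Transfer Protocol ) - browsing the www
iptables -A OUTPUT -p tcp --sport 1024: --dport 80 -j ACCEPT
#
# https ( HTTP over TLS ) - secure browsing
iptables -A OUTPUT -p tcp --sport 1024: --dport 443 -j ACCEPT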
#--------------------------------------------------------------------------
# section IV : additional rules
#----------------------------------------------------------------------------
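# Reply legs in this section use the connection tracker instead of the
# original stateless "--sport N --dport 1024: ! --syn" matches, which
# accepted any non-SYN segment from source port 25/110/554/43/79 to every
# unprivileged local port whether or not a connection existed.
#
# smtp ( Simple Mail Transfer Protocol ) - send e-mail
iptables -A OUTPUT -p tcp --sport 1024: --dport 25 -j ACCEPT
iptables -A INPUT -p tcp --sport 25 --dport 1024: -m state --state ESTABLISHED -j ACCEPT
# pop3 ( Post Office Protocol 3 ) - receive e-mail
iptables -A OUTPUT -p tcp --sport 1024: --dport 110 -j ACCEPT
iptables -A INPUT -p tcp --sport 110 --dport 1024: -m state --state ESTABLISHED -j ACCEPT
# realplayer - control connection on TCP 554, data stream on UDP 7070.
# NOTE(review): no RTSP tracking helper is loaded, so the UDP data port
# cannot be tied to a control connection and stays open to every source on
# every interface, exactly as in the original. Remove the 7070 rule if
# RealPlayer is no longer used on this host.
iptables -A OUTPUT -p tcp --sport 1024: --dport 554 -j ACCEPT
iptables -A INPUT -p tcp --sport 554 --dport 1024: -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p udp --dport 7070 -j ACCEPT
#
# nfs ( Network File System ) - only from the internal host 192.168.20.50
# on eth1. The port ranges are kept exactly as written: "602:", "900:",
# "600:" etc. are open-ended ranges up to 65535 and look like they were
# read off one particular portmap/mountd/nfsd configuration (111 is the
# portmapper). They cannot be narrowed without knowing which daemons run on
# which ports -- check with "rpcinfo -p" on both hosts and tighten them.
iptables -A INPUT -i eth1 -s 192.168.20.50 -p tcp --sport 602: --dport 111 -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.20.50 -p udp --sport 602: --dport 900: -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.20.50 -p udp --sport 646: --dport 111 -j ACCEPT
iptables -A OUTPUT -o eth1 -d 192.168.20.50 -p udp --sport 1024: --dport 634: -j ACCEPT
iptables -A OUTPUT -o eth1 -d 192.168.20.50 -p udp --sport 111 --dport 600: -j ACCEPT
iptables -A OUTPUT -o eth1 -d 192.168.20.50 -p tcp --sport 1011 --dport 900: -j ACCEPT
iptables -A OUTPUT -o eth1 -d 192.168.20.50 -p tcp --sport 111 --dport 600: -j ACCEPT
#
# ssh ( Secure Shell ) - only between the firewall (192.168.20.1) and
# 192.168.20.50 on eth1, with client source ports 32000-38000.
# inbound session: 192.168.20.50 -> firewall:22, plus its reply leg
iptables -A INPUT -i eth1 -p tcp -s 192.168.20.50 -d 192.168.20.1 --sport 32000:38000 --dport 22 -j ACCEPT
iptables -A OUTPUT -o eth1 -p tcp -s 192.168.20.1 -d 192.168.20.50 --sport 22 --dport 32000:38000 -m state --state ESTABLISHED -j ACCEPT
# outbound session: firewall -> 192.168.20.50:22, plus its reply leg.
# The original repeated the reply rule above here by mistake, so the
# firewall's own SYN to .50:22 was never allowed by OUTPUT although the
# matching INPUT reply rule existed.
iptables -A OUTPUT -o eth1 -p tcp -s 192.168.20.1 -d 192.168.20.50 --sport 32000:38000 --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -s 192.168.20.50 -d 192.168.20.1 --sport 22 --dport 32000:38000 -m state --state ESTABLISHED -j ACCEPT
# telnet - do not use! (cleartext credentials; kept disabled)
# iptables -A INPUT -i eth1 -p tcp -s 192.168.20.50 -d 192.168.20.1 --sport 32000: --dport 23 -j ACCEPT
# iptables -A OUTPUT -o eth1 -p tcp -s 192.168.20.1 -d 192.168.20.50 --sport 23 --dport 32000: ! --syn -j ACCEPT
# iptables -A OUTPUT -o eth1 -p tcp -s 192.168.20.1 -d 192.168.20.50 --sport 1024: --dport 23 -j ACCEPT
# iptables -A INPUT -i eth1 -p tcp -s 192.168.20.50 -d 192.168.20.1 --sport 23 --dport 1024: ! --syn -j ACCEPT
#
# whois - network management (outgoing client only)
iptables -A OUTPUT -p tcp --sport 1024: --dport 43 -j ACCEPT
iptables -A INPUT -p tcp --sport 43 --dport 1024: -m state --state ESTABLISHED -j ACCEPT
#
# finger - network management (outgoing client only; no finger daemon is exposed)
iptables -A OUTPUT -p tcp --sport 1024: --dport 79 -j ACCEPT
iptables -A INPUT -p tcp --sport 79 --dport 1024: -m state --state ESTABLISHED -j ACCEPT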
#---------------------------------------------------------------------------
# section V : ICMP
#--------------------------------------------------------------------------
# icmp ping - this host and the LAN behind ppp0 may ping out; only the
# replies are let back in. Inbound echo-requests are not answered.
iptables -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
iptables -A FORWARD -o ppp0 -p icmp --icmp-type echo-request -j ACCEPT
iptables -A FORWARD -i ppp0 -p icmp --icmp-type echo-reply -j ACCEPT
#
# icmp destination-unreachable - allowed in both directions, for this host
# and for the LAN behind ppp0
iptables -A OUTPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A FORWARD -o ppp0 -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A FORWARD -i ppp0 -p icmp --icmp-type destination-unreachable -j ACCEPT
#
# icmp source-quench, time-exceeded, parameter-problem - inbound only, for
# this host and for the LAN behind ppp0. Every type gets the same pair of
# rules, appended in the original order (INPUT first, then FORWARD).
# NOTE(review): source-quench is obsolete and ignored by current kernels;
# the rule is harmless and kept for fidelity with the original.
for icmp_type in source-quench time-exceeded parameter-problem; do
    iptables -A INPUT -p icmp --icmp-type "$icmp_type" -j ACCEPT
    iptables -A FORWARD -i ppp0 -p icmp --icmp-type "$icmp_type" -j ACCEPT
done
#
# NetBIOS chatter from Windows hosts ( Network Basic Input/Output System ).
# The INPUT policy is already DROP, so these rules do not change what is
# reachable; they sit before the LOG rule of section VII and only keep the
# constant broadcasts out of the log.
iptables -A INPUT -p udp --dport netbios-ns -j DROP
iptables -A INPUT -p udp --dport netbios-dgm -j DROP
iptables -A INPUT -p tcp --dport netbios-ssn -j DROP
#
#--------------------------------------------------------------------------
# section VI : forwarding and masquerading, ICQ and lopster
#------------------------------------------------------------------------------------------------------------
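# Routing for the LAN behind eth1 out through ppp0 (eth1 is assumed to be
# the internal interface -- it is the one the "internal" rules in section IV
# use). Outbound may open new connections; inbound is accepted only when it
# belongs to a tracked flow, so no per-port "reply" rules are needed for the
# return legs.
iptables -A FORWARD -i eth1 -o ppp0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# NAT ( Network Address Translation ) - masquerade everything leaving via ppp0
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
#
# The single LAN host that receives forwarded inbound connections.
LAN_HOST=192.168.20.50
#
# ICQ: inbound TCP 30000-30005 is forwarded to the LAN host (the original
# comment also mentioned IRC; the ports are the ones the original matched).
# The original used "-i 192.168.20.1" -- an IP address where an interface
# name is expected -- so the DNAT never matched anything, and there was no
# FORWARD rule letting the redirected NEW connections through.
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport 30000:30005 -j DNAT --to-destination "$LAN_HOST"
iptables -A FORWARD -i ppp0 -p tcp -d "$LAN_HOST" --dport 30000:30005 -m state --state NEW -j ACCEPT
#
# lopster settings: peers connect in on 6680-6699, which is forwarded to the
# LAN host; the client connects out to servers on the LOPSTER_NET ports.
LOPSTER="6680:6699"
LOPSTER_NET="3333,3456,4444,5555,6000,6666,6667,6699,7777,8888,8899,9999"
iptables -t nat -A PREROUTING -i ppp0 -p tcp --dport "$LOPSTER" -j DNAT --to-destination "$LAN_HOST"
iptables -A FORWARD -i ppp0 -p tcp -d "$LAN_HOST" --dport "$LOPSTER" -m state --state NEW -j ACCEPT
# Outbound to the server ports is already covered by the general eth1->ppp0
# rule; kept explicit so the list documents what the client needs. multiport
# takes --dports/--sports (plural): the original "--dport" with a comma list
# is picked up by the tcp match, which does not accept lists.
iptables -A FORWARD -i eth1 -o ppp0 -p tcp -m multiport --dports "$LOPSTER_NET" -m state --state NEW -j ACCEPT
#
# Removed from the original, with reasons:
#  - PREROUTING DNAT on "--sport $LOPSTER": a source-port keyed DNAT sent any
#    unrelated inbound connection that happened to use those source ports to
#    the LAN host.
#  - FORWARD rules keyed on source ports ("--sport $LOPSTER" and
#    "--sport $LOPSTER_NET") accepted NEW connections from the Internet to
#    any destination on the strength of the remote source port alone; the
#    tracker already accepts the genuine replies.
#  - "-m state -- state" (a space after the dashes) made iptables reject
#    those lines, and "-d 192.168.217.5" / "-s 192.168.20.1" did not name the
#    LAN host (192.168.20.1 is the firewall itself, whose own packets never
#    traverse FORWARD).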
#
#----------------------------------------------------------------------------
# section VII : finishing rules
#---------------------------------------------------------------------------
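# ident/auth (TCP 113): mail and IRC servers probe it on every connection.
# Answer with a reset instead of dropping so they do not wait for a timeout,
# and do it before the LOG rules so these expected probes stay out of the log
# (the original logged each one first).
iptables -A INPUT -p tcp --dport auth -j REJECT --reject-with tcp-reset
iptables -A FORWARD -i ppp0 -p tcp --dport auth -j REJECT --reject-with tcp-reset
#
# log everything else -- rate-limited, so a flood of unsolicited packets
# cannot fill the disk or bury real entries (the original logged without
# limit); the prefix makes the entries easy to grep. FORWARD drops were not
# logged at all before, which hid blocked inbound attempts and misbehaving
# LAN hosts.
iptables -A INPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "fw INPUT drop: "
iptables -A OUTPUT -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "fw OUTPUT reject: "
iptables -A FORWARD -m limit --limit 5/minute --limit-burst 10 -j LOG --log-prefix "fw FORWARD drop: "
#
# drop the rest silently
iptables -A INPUT -j DROP
#
# local programs get an immediate error instead of a hang when no rule above
# allowed their traffic: TCP is reset, UDP gets REJECT's default ICMP
# port-unreachable, anything else is dropped
iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
iptables -A OUTPUT -p udp -j REJECT
iptables -A OUTPUT -j DROP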
or :