Mailinglist Archive: opensuse-security (485 mails)

< Previous Next >
RE: [suse-security] firewall help..
  • From: egilmore <egilmore@xxxxxx>
  • Date: Wed, 3 Mar 2004 14:39:48 -0500
  • Message-id: <40894216@zathras>
OK, Thanks for all your help Maarten. Here's what I have so far, that is
FINALLY doing something close to what I need. I haven't blocked everything
yet, but I an developing rules to keep out alot of the nasties.

Tell me what you think.

-e

///////////////////////////////////////////////////////////////

#!/bin/sh

#####################################################################
# /etc/init.d/firewall {start|stop}
#
# a simple iptables firewall
#
# based on various scripts found online
# to support virtual hosts, NAT rules and masquerading
#
# Last Rev.3/3/2004
#####################################################################
PATH="$PATH:/usr/bin/:/usr/sbin"
DEPMOD=/sbin/depmod
INSMOD=/sbin/insmod

EXTIF=eth0
INTIF1=eth1
INTIF2=eth2

case "$1" in

'start')
#=======================================================
# Set policy for tables
#=======================================================
echo "Clearing any existing rules and setting default policy.."
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT


#=======================================================
# Flush rules in tables
#=======================================================
iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD


#=======================================================
# Delete empty tables
#=======================================================
iptables -X


#=======================================================
# Flush the nat table and set it's policies
#=======================================================
iptables -t nat -F
iptables -t nat --policy PREROUTING ACCEPT
iptables -t nat --policy OUTPUT ACCEPT
iptables -t nat --policy POSTROUTING ACCEPT


#=======================================================
# Allow unlimited loopback
#=======================================================
echo "Setting up loopback access..."

iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT


#=======================================================
# Masquerade everything out eth0
#=======================================================
echo "Setting up masquerading..."

iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE


#=======================================================
# Allow all outbound connections from LAN(eth1 & eth2)
# to Internet(eth0)
# Allow only return traffic from those connections
#=======================================================
echo "Allow forwarding for 192.168.48.0 subnet..."
echo "Allow forwarding for 192.168.5.0 subnet..."

iptables -A FORWARD -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT


#=======================================================
# Allow all connections from LAN1(eth1) to LAN2(eth2)
#=======================================================
echo "Allow forwarding between internal networks..."

iptables -A FORWARD -i $INTIF1 -o $INTIF2 -j ACCEPT
iptables -A FORWARD -i $INTIF2 -o $INTIF1 -j ACCEPT


#=======================================================
# Allow unlimited outbound connections and return
# traffic from firewall
#=======================================================

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $INTIF1 -m state --state ESTABLISHED,RELATED -j
ACCEPT
iptables -A INPUT -i $INTIF2 -m state --state ESTABLISHED,RELATED -j
ACCEPT
iptables -A OUTPUT -o $EXTIF -m state --state NEW,ESTABLISHED,RELATED
-j ACCEPT
iptables -A OUTPUT -o $INTIF1 -m state --state NEW,ESTABLISHED,RELATED
-j ACCEPT
iptables -A OUTPUT -o $INTIF2 -m state --state NEW,ESTABLISHED,RELATED
-j ACCEPT


#=======================================================
# Allow ssh at the firewall machine (JANUS)
#=======================================================

iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p udp --dport 22 -j ACCEPT


#=======================================================
# Routing packets from the external LAN to EMDX
#=======================================================
echo "Associating internal address 192.168.48.211 with external
address 193.54.48.211"

iptables -t nat -A PREROUTING -p tcp --dst 193.54.48.211 -j DNAT
--to-destination 192.168.48.211
iptables -t nat -A PREROUTING -p udp --dst 193.54.48.211 -j DNAT
--to-destination 192.168.48.211
iptables -t nat -A PREROUTING -p icmp --dst 193.54.48.211 -j DNAT
--to-destination 192.168.48.211


#=======================================================
# Routing packets from an internal LAN to EMDX
#=======================================================
iptables -t nat -A POSTROUTING -p tcp --dst 193.54.48.211 -j SNAT
--to-source 192.168.48.211
iptables -t nat -A POSTROUTING -p udp --dst 193.54.48.211 -j SNAT
--to-source 192.168.48.211
iptables -t nat -A POSTROUTING -p icmp --dst 193.54.48.211 -j SNAT
--to-source 192.168.48.211


#=======================================================
# Routing packets from the external LAN to EMDSNAP
#=======================================================
echo "Associating internal address 192.168.5.217 with external address
193.54.48.217"

iptables -t nat -A PREROUTING -p tcp --dst 193.54.48.217 -j DNAT
--to-destination 192.168.5.217
iptables -t nat -A PREROUTING -p udp --dst 193.54.48.217 -j DNAT
--to-destination 192.168.5.217
iptables -t nat -A PREROUTING -p icmp --dst 193.54.48.217 -j DNAT
--to-destination 192.168.5.217


#=======================================================
# Routing packets from an internal LAN to EMDSNAP
#=======================================================

iptables -t nat -A POSTROUTING -p tcp --dst 193.54.48.217 -j SNAT
--to-source 192.168.5.217
iptables -t nat -A POSTROUTING -p udp --dst 193.54.48.217 -j SNAT
--to-source 192.168.5.217
iptables -t nat -A POSTROUTING -p icmp --dst 193.54.48.217 -j SNAT
--to-source 192.168.5.217


#=======================================================
# Drop everything else (not implemented yet)
#=======================================================

#iptables -A block -j DROP
#iptables -A INPUT -j block
#iptables -A FORWARD -j block
#iptables -L -n
#iptables -t nat -L -n


#=======================================================
# Setup logging
#=======================================================
echo "Logging started..."

iptables -A INPUT -j LOG
#iptables -A FORWARD -j LOG
#iptables -t nat -A PREROUTING -j LOG
#iptables -t nat -A POSTROUTING -j LOG
#iptables -A OUTPUT -j LOG
#iptables -A block -j LOG
;;
'stop')
echo "Flushing iptables firewall..."
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
#iptables -F block
iptables -t nat -F
;;
'restart')
$0 stop
$0 start
;;
*)
echo "$0 {start|stop}"
exit 1
;;

esac

exit 0

//////////////////////////////////////////////////////////////////////////////
///////////////


< Previous Next >