LinuxQuestions.org
Old 11-18-2007, 01:51 AM   #1
Net_Spy
Member
 
Registered: Nov 2006
Posts: 97

Rep: Reputation: 17
Firewall-Rule


Greetings To All.....

Code:
#!/bin/sh
#
# ********** VARIABLE DEFINITIONS **********
#
# External interface
EXTIF="eth1"
# Internal interface
INTIF="eth0"
# Loop device/localhost
LPDIF="lo"
LPDIP="127.0.0.1"
LPDMSK="255.0.0.0"
LPDNET="$LPDIP/$LPDMSK"
# Text tools variables
IPT="/sbin/iptables"
IFC="/sbin/ifconfig"
G="/bin/grep"
SED="/bin/sed"
AWK="/usr/bin/awk"
ECHO="/bin/echo"
# Setting up external interface environment variables
# Set LC_ALL to "en" to avoid problems when awk-ing the IPs etc.
export LC_ALL="en"
EXTIP="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
EXTBC="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[3],a," ");print a[1];exit}'`"
EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTMSK="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"
EXTNET="$EXTIP/$EXTMSK"
$ECHO "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
# Due to absence of EXTBC I manually set it to 255.255.255.255
# this (hopefully) will serve the same purpose
# Setting up environment variables for internal interface
INTIP="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
INTBC="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[3],a," ");print a[1];exit}'`"
INTMSK="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"
INTNET="$INTIP/$INTMSK"
$ECHO "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET"

##Iptables Accepts#######

$IPT -t nat -A PREROUTING -j ACCEPT

# $IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j SNAT --to $EXTIP
# Comment out next line (that has "MASQUERADE") to not NAT internal network

$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE
#$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET2 -j MASQUERADE
$IPT -t nat -A POSTROUTING                       -j ACCEPT
$IPT -t nat -A OUTPUT                            -j ACCEPT
$IPT -A INPUT   -p tcp --dport auth --syn -m state --state NEW -j ACCEPT
$IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

##Iptables Flushing######

SED='/bin/sed'
 # Flush all existing chains and erase personal chains
  CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
  for i in $CHAINS
  do
   $IPT -t $i -F
  done
  for i in $CHAINS
  do
   $IPT -t $i -X
  done

##Local Interfaces#######

$IPT -A INPUT   -i $LPDIF -s   $LPDIP   -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $EXTIP   -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $INTIP   -j ACCEPT
#$IPT -A INPUT   -i $LPDIF -s   $INTIP2  -j ACCEPT

##Blocking Broadcasting######

$IPT -A INPUT   -i $EXTIF  -d  $EXTBC   -j DROPl
$IPT -A INPUT   -i $INTIF  -d  $INTBC   -j DROPl
#$IPT -A INPUT   -i $INTIF  -d  $INTBC   -j DROPl
$IPT -A OUTPUT  -o $EXTIF  -d  $EXTBC   -j DROPl
$IPT -A OUTPUT  -o $INTIF  -d  $INTBC   -j DROPl
#$IPT -A OUTPUT  -o $INTIF  -d  $INTBC   -j DROPl
$IPT -A FORWARD -o $EXTIF  -d  $EXTBC   -j DROPl
$IPT -A FORWARD -o $INTIF  -d  $INTBC   -j DROPl
#$IPT -A FORWARD -o $INTIF  -d  $INTBC   -j DROPl

##Block Wan to Lan######

# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input going into our external interface isn't being sent to our isp assigned
# ip address, drop it like a hot potato"
$IPT -A INPUT   -i $EXTIF -d ! $EXTIP  -j DROPl

##Tightening the internal Lan########

# Now we will block internal addresses originating from anything but our
# two predefined interfaces.....just remember that if you jack your
# your laptop or another pc into one of these NIC's directly, you'll need
# to ensure that they either have the same ip or that you add a line explicitly
# that IP as well
##Interface one/internal net one######

#$IPT -A INPUT   -i $INTIF1 -s ! $INTNET1 -j DROPl
#$IPT -A OUTPUT  -o $INTIF1 -d ! $INTNET1 -j DROPl
#$IPT -A FORWARD -i $INTIF1 -s ! $INTNET1 -j DROPl
#$IPT -A FORWARD -o $INTIF1 -d ! $INTNET1 -j DROPl

##Interface two/internal net two#####

#$IPT -A INPUT   -i $INTIF2 -s ! $INTNET2 -j DROPl
#$IPT -A OUTPUT  -o $INTIF2 -d ! $INTNET2 -j DROPl
#$IPT -A FORWARD -i $INTIF2 -s ! $INTNET2 -j DROPl
#$IPT -A FORWARD -o $INTIF2 -d ! $INTNET2 -j DROPl

##An additional Egress check########

$IPT -A OUTPUT  -o $EXTIF -s ! $EXTNET -j DROPl

##Block outbound ICMP (except for PING)####

$IPT -A OUTPUT  -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl
$IPT -A FORWARD -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl

##Ports Settings############

# COMmon ports:
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346
# Common Trojans 12345 65535
 COMBLOCK="0:1 13 98 111 137:139 161:162 445 1214 1999 2049 3049 4329 6346 3128 8000 8008 8080 12345 65535"
# TCP ports:
# 98 is Linuxconf
# 512-515 is rexec, rlogin, rsh, printer(lpd)
#   [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
 TCPBLOCK="$COMBLOCK 98 512:515 1080 6000:6009 6112"

# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
 UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000 9 6346 3128 8000 8008 8080 12345 65535"

###Assigning Rule to Port####

echo -n "FW: Blocking attacks to TCP port"
for i in $TCPBLOCK;
do
 echo -n "$i "
  $IPT -A INPUT   -p tcp --dport $i  -j DROPl
  $IPT -A OUTPUT  -p tcp --dport $i  -j DROPl
  $IPT -A FORWARD -p tcp --dport $i  -j DROPl
done
echo ""

echo -n "FW: Blocking attacks to UDP port "
for i in $UDPBLOCK;
do
 echo -n "$i "
   $IPT -A INPUT   -p udp --dport $i  -j DROPl
   $IPT -A OUTPUT  -p udp --dport $i  -j DROPl
   $IPT -A FORWARD -p udp --dport $i  -j DROPl
done
echo ""

##Jump back to start######
# Deny than accept: this keeps holes from opening up
# while we close ports and such
 $IPT        -P INPUT       DROP
 $IPT        -P OUTPUT      DROP
 $IPT        -P FORWARD     DROP


##Flush all existing chains and erase personal chains######
 
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
 for i in $CHAINS;
 do
   $IPT -t $i -F
 done
 for i in $CHAINS;
 do
   $IPT -t $i -X
 done
 $IPT -A INPUT   -i $INTIF -p tcp --dport 10022 --syn -m state --state NEW -j ACCEPT 

##Activating Sysctl######

echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo 1280 > /proc/sys/net/ipv4/tcp_max_syn_backlog
echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle
echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 130864 > /proc/sys/net/ipv4/ip_conntrack_max
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter;
do
 echo 1 > $f
done

# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route;
do
 echo 0 > $f
done

##
for f in /proc/sys/net/ipv4/conf/*/accept_redirects;
do
 echo 0 > $f
done

##
for f in /proc/sys/net/ipv4/conf/*/secure_redirects
do
 echo 0 > $f
done

##
for f in /proc/sys/net/ipv4/conf/*/send_redirects
do
 echo 0 > $f
done

##
for f in /proc/sys/net/ipv4/conf/*/shared_media
do
 echo 0 > $f
done

##
for f in /proc/sys/net/ipv4/conf/*/rp_filter
do
 echo 0 > $f
done
#echo 1 > /proc/sys/net/ipv4/ip_forward

## Opening up ftp connection tracking ###

MODULES="ip_nat_ftp ip_conntrack_ftp"
for i in $MODULES;
do
 echo "Inserting module $i"
 modprobe $i
done

##Basic Service NAT these setting is for behind firewall######
##Allow ftp,doamin.... no one will ftp to ur LAN

#IRC='ircd'
#MSN=1863
#ICQ=5190
#NFS='sunrpc'
# We have to sync!!
#PORTAGE='rsync'
#OpenPGP_HTTP_Keyserver=11371
# All services ports are read from /etc/services
#TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 time $PORTAGE $IRC $MSN $ICQ $OpenPGP_HTTP_Keyserver"
#UDPSERV="domain time"
#echo -n "FW: Allowing inside systems to use service:"
#for i in $TCPSERV;
#do

#echo -n "$i "
# $IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT
 #$IPT -A FORWARD -i $INTIF -p tcp -s $INTNET1 --dport $i --syn -m state --state NEW -j ACCEPT
 #$IPT -A FORWARD -i $INTIF2 -p tcp -s $INTNET2 --dport $i --syn -m state --state NEW -j ACCEPT
#done
#echo ""

#echo -n "FW: Allowing inside systems to use service:"
#for i in $UDPSERV;
#do
# echo -n "$i "
# $IPT -A OUTPUT  -o $EXTIF -p udp -s $EXTIP --dport $i -m state --state NEW -j ACCEPT
 #$IPT -A FORWARD -i $INTIF -p udp -s $INTNET --dport $i -m state --state NEW -j ACCEPT
   #$IPT -A FORWARD -i $INTIF2 -p udp -s $INTNET2
#done
#echo ""

### Allow to ping out####

$IPT -A OUTPUT  -o $EXTIF -p icmp -s $EXTIP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT
#$IPT -A FORWARD -i $INTIF2 -p icmp -s $INTNET2 --icmp-type 8 -m state --state NEW -j ACCEPT

### Allow firewall to ping internal systems########

$IPT -A OUTPUT  -o $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT
#$IPT -A OUTPUT  -o $INTIF2 -p icmp -s $INTNET2 --icmp-type 8 -m state --state NEW -j ACCEPT
I'm using Redhat Enterprise 5. When I run this script, I can not ssh to my pc from another location, and I also get some messages from iptables:

Code:
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.3.5: Couldn't load target `DROPl':/lib/iptables/libipt_DROPl.so: cannot open shared object file: No such file or directory
Looking forward to your kind response.

Regards
Net_Spy
 
Old 11-18-2007, 03:42 AM   #2
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
I haven't analyzed the logic of your firewall yet, but I can tell you why you are getting that error message: Many of your statements have a target of DROPl, yet you have not defined a user chain by that name. If you still have a problem after correcting that error, I'll be happy to look at the logic.

Last edited by blackhole54; 11-18-2007 at 03:44 AM.
 
Old 11-18-2007, 03:58 AM   #3
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 197
Quote:
$IPT -A INPUT -i $EXTIF -d $EXTBC -j DROPl
What makes you think that "DROPl" is a valid target?

Quote:
##Iptables Accepts#######
Explicit accepts are pointless with a default ACCEPT policy. All you're doing is putting all these packets ahead of any other tests.

Quote:
$IPT -A INPUT -p tcp --dport auth --syn -m state --state NEW -j ACCEPT
What are you trying to do here?

Quote:
##Iptables Flushing######
What happens to your rules made before this section, when this bit gets executed?

Usually, the flush rules are put after the definitions but before any rules.

Looks like you are using this tutorial in the gentoo wiki
http://gentoo-wiki.com/HOWTO_Iptables_for_newbies
... or something derived from it.
Copy and paste won't work with this tutorial, you have to understand it.

Conclusion:
Basically, you have a lot of DROP rules. Why not set up a default DROP policy to start with, then explicitly allow only those packets you want to. That way, every time something doesn't happen, you can set up another ACCEPT rule to account for it.
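The skeleton that the two replies above describe, written out as an added example (it is not Net_Spy's script and not code from either reply): flush first, set a default DROP policy, create the DROPl logging chain before anything jumps to it, then add only explicit ACCEPTs, and finish with a log-and-drop catch-all. It runs with `IPT=echo` by default so the rule list is printed rather than loaded; set `IPT=/sbin/iptables` and run as root to load it. The interface names, the management port (22) and the choice of MASQUERADE are assumptions of the example.

```shell
#!/bin/sh
# Added example: recommended rule ordering for an iptables script.
# IPT=echo (the default here) prints the rules; IPT=/sbin/iptables loads them.
IPT="${IPT:-echo}"
EXTIF="${EXTIF:-eth1}"   # assumed external interface
INTIF="${INTIF:-eth0}"   # assumed internal interface

# 1. Flush every table and delete user chains first, so a re-run starts
#    from an empty, known state and nothing from a previous run survives.
flush_all() {
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
}

# 2. Default policy DROP on all built-in chains: anything not explicitly
#    accepted below is dropped, so ACCEPT rules are the only ones needed.
set_policies() {
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD DROP
}

# 3. User chain that logs, then drops. It must exist before any rule
#    uses "-j DROPl", otherwise iptables cannot load the target.
define_log_chains() {
    $IPT -N DROPl
    $IPT -A DROPl -j LOG --log-prefix "DROPl:"
    $IPT -A DROPl -j DROP
}

# 4. Explicit accepts: loopback, already-tracked traffic, SSH on the
#    management port from outside, host-originated traffic, and LAN hosts
#    forwarded out through NAT.
allow_rules() {
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$EXTIF" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A OUTPUT -m state --state NEW -j ACCEPT   # narrow to needed services
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE
}

# 5. Catch-all: log what the accepts did not cover before it is dropped.
catchall() {
    $IPT -A INPUT   -j DROPl
    $IPT -A FORWARD -j DROPl
}

build_firewall() {
    flush_all
    set_policies
    define_log_chains
    allow_rules
    catchall
}

# Dry-run sanity check: the first flush must precede the first appended
# rule, and "-N DROPl" must precede the first "-j DROPl". Returns 0 if so.
check_order() {
    out=$(IPT=echo; build_firewall)
    first_flush=$(printf '%s\n' "$out" | grep -n -- '-F' | head -n1 | cut -d: -f1)
    first_append=$(printf '%s\n' "$out" | grep -n -- '-A ' | head -n1 | cut -d: -f1)
    chain_new=$(printf '%s\n' "$out" | grep -n -- '-N DROPl' | head -n1 | cut -d: -f1)
    first_jump=$(printf '%s\n' "$out" | grep -n -- '-j DROPl' | head -n1 | cut -d: -f1)
    [ "$first_flush" -lt "$first_append" ] && [ "$chain_new" -lt "$first_jump" ]
}

build_firewall
```

Because the policy is DROP and the catch-all logs, every connection that fails after loading this leaves a `DROPl:` line in the kernel log, which is exactly the information needed to decide which ACCEPT rule is missing.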
 
Old 11-20-2007, 12:48 AM   #4
Net_Spy
Member
 
Registered: Nov 2006
Posts: 97

Original Poster
Rep: Reputation: 17
Thanks for your kind response.

I've made a few changes in my rules; here it is:

Code:
#set LC_ALL to en to avoid l10n problems when awk-ing IPs etc.
export LC_ALL="en"
# External interface
EXTIF=eth1
# Internal interface
INTIF=eth0
#INTIF2=eth2
# Loop device/localhost
LPDIF=lo
LPDIP=127.0.0.1
LPDMSK=255.0.0.0
LPDNET="$LPDIP/$LPDMSK"
# Text tools variables
IPT='/sbin/iptables'
IFC='/sbin/ifconfig'
G='/bin/grep'
SED='/bin/sed'
# Last but not least, the users
#JAMES=192.168.1.77
#TERESA=192.168.2.77

# Deny then accept: this keeps holes from opening up
# while we close ports and such
$IPT        -P INPUT       DROP
$IPT        -P OUTPUT      DROP
$IPT        -P FORWARD     DROP

# Flush all existing chains and erase personal chains
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS;
do
 $IPT -t $i -F
done
for i in $CHAINS;
do
 $IPT -t $i -X
done

####Settingup sysctl
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter;
do
 echo 1 > $f
done
# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route;
do
 echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects;
do
 echo 0 > $f
done
echo 1 > /proc/sys/net/ipv4/ip_forward

####Setting up external interface environment variables
EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTNET="$EXTIP/$EXTMSK"
#echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
##### Due to absence of EXTBC I manually set it to 255.255.255.255
# this (hopefully) will serve the same purpose
# Setting up environment variables for internal interface one
INTIP="`$IFC $INTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC="`$IFC $INTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK="`$IFC $INTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET="$INTIP/$INTMSK"
echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET"

######Setting up environment variables for internal interface two
#INTIP2="`$IFC $INTIF2|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
#INTBC2="`$IFC $INTIF2|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
#INTMSK2="`$IFC $INTIF2|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
#INTNET2="$INTIP2/$INTMSK2"
#echo "INTIP2=$INTIP2 INTBC2=$INTBC2 INTMSK2=$INTMSK2 INTNET2=$INTNET2"

# We are now going to create a few custom chains that will result in
# logging of dropped packets. This will enable us to avoid having to
# enter a log command prior to every drop we wish to log. The
# first will be first log drops the other will log rejects.
# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl   2> /dev/null
$IPT -A DROPl   -j LOG --log-prefix 'DROPl:'
$IPT -A DROPl   -j DROP
$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -j LOG --log-prefix 'REJECTl:'
$IPT -A REJECTl -j REJECT

####Now we are going to accpet all traffic from our loopback device
# if the IP matches any of our interfaces.
$IPT -A INPUT   -i $LPDIF -s   $LPDIP   -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $EXTIP   -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $INTIP   -j ACCEPT


#####Blocking Broadcasts
$IPT -A INPUT   -i $EXTIF  -d   $EXTBC   -j DROPl
$IPT -A INPUT   -i $INTIF  -d   $INTBC   -j DROPl

$IPT -A OUTPUT  -o $EXTIF  -d   $EXTBC   -j DROPl
$IPT -A OUTPUT  -o $INTIF  -d   $INTBC   -j DROPl

$IPT -A FORWARD -o $EXTIF  -d   $EXTBC   -j DROPl
$IPT -A FORWARD -o $INTIF  -d   $INTBC   -j DROPl


####Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input going into our external interface does not originate from our isp assigned
# ip address, drop it like a hot potato
$IPT -A INPUT   -i $EXTIF -d ! $EXTIP  -j DROPl

# Now we will block internal addresses originating from anything but our
# two predefined interfaces.....just remember that if you jack your
# your laptop or another pc into one of these NIC's directly, you'll need
# to ensure that they either have the same ip or that you add a line explicitly
# for that IP as well
# Interface one/internal net one
$IPT -A INPUT   -i $INTIF -s ! $INTNET -j DROPl
$IPT -A OUTPUT  -o $INTIF -d ! $INTNET -j DROPl
$IPT -A FORWARD -i $INTIF -s ! $INTNET -j DROPl
$IPT -A FORWARD -o $INTIF -d ! $INTNET -j DROPl





####An additional Egress check
$IPT -A OUTPUT  -o $EXTIF -s ! $EXTNET -j DROPl

###Block outbound ICMP (except for PING)
$IPT -A OUTPUT  -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl
$IPT -A FORWARD -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl

####COMmon ports:
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346
# Common Trojans 12345 65535
COMBLOCK="0:1 13 98 111 137:139 161:162 445 1214 1999 2049 3049 4329 6346 3128 8000 8008 8080 12345 65535"

####TCP ports:
# 98 is Linuxconf
# 512-515 is rexec, rlogin, rsh, printer(lpd)
#   [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
TCPBLOCK="$COMBLOCK 98 512:515 1080 6000:6009 6112"
# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000"
echo -n "FW: Blocking attacks to TCP port "
for i in $TCPBLOCK;
do
  echo -n "$i "
  $IPT -A INPUT   -p tcp --dport $i  -j DROPl
  $IPT -A OUTPUT  -p tcp --dport $i  -j DROPl
  $IPT -A FORWARD -p tcp --dport $i  -j DROPl
done
echo ""
echo -n "FW: Blocking attacks to UDP port "
for i in $UDPBLOCK;
do
  echo -n "$i "
  $IPT -A INPUT   -p udp --dport $i  -j DROPl
  $IPT -A OUTPUT  -p udp --dport $i  -j DROPl
  $IPT -A FORWARD -p udp --dport $i  -j DROPl
done
echo ""
# Opening up ftp connection tracking
MODULES="ip_nat_ftp ip_conntrack_ftp"
for i in $MODULES;
do
 echo "Inserting module $i"
 modprobe $i
done
# Defining some common chat clients. Remove these from your accepted list for better security.
# ICQ and AOL are 5190
# MSN is 1863
# Y! is 5050
# Jabber is 5222
# Y! and Jabber ports not added by author and therefore left out of the script
IRC='ircd'
MSN=1863
ICQ=5190
NFS='sunrpc'
# We have to sync!!
#PORTAGE='rsync'
OpenPGP_HTTP_Keyserver=11371
# All services ports are read from /etc/services
TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 \
         time  $IRC $MSN $ICQ  $OpenPGP_HTTP_Keyserver"
UDPSERV="domain time"
echo -n "FW: Allowing inside systems to use service:"
for i in $TCPSERV;
do
  echo -n "$i "
  $IPT -A OUTPUT  -o $EXTIF  -p tcp -s $EXTIP   --dport $i --syn -m state --state NEW -j ACCEPT
  $IPT -A FORWARD -i $INTIF -p tcp -s $INTNET --dport $i --syn -m state --state NEW -j ACCEPT

done
echo ""
echo -n "FW: Allowing inside systems to use service:"
for i in $UDPSERV;
do
  echo -n "$i "
  $IPT -A OUTPUT  -o $EXTIF  -p udp -s $EXTIP   --dport $i -m state --state NEW -j ACCEPT
  $IPT -A FORWARD -i $INTIF -p udp -s $INTNET --dport $i -m state --state NEW -j ACCEPT
  
done
echo ""

####Allow to ping out
$IPT -A OUTPUT  -o $EXTIF  -p icmp -s $EXTIP   --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT

###Allow firewall to ping internal systems
$IPT -A OUTPUT  -o $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT

$IPT -A INPUT   -i $INTIF -p tcp --dport 10022 --syn -m state --state NEW -j ACCEPT
$IPT -t nat -A PREROUTING  -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE

$IPT -t nat -A POSTROUTING -j ACCEPT
$IPT -t nat -A OUTPUT -j ACCEPT
$IPT -A INPUT -p tcp --dport auth --syn -m state --state NEW -j ACCEPT
$IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

####Block and log what me may have forgot
$IPT -A INPUT   -j DROPl
$IPT -A OUTPUT  -j REJECTl
$IPT -A FORWARD -j DROPl
Now the iptables error is resolved, but my laptop, which has 117.x.x.2 and uses the eth1 IP as DNS/gateway, can not access the net. I've connected my laptop to my Linux machine's eth0 using a cross cable. Looking forward to your kind response.


Regards
Net_Spy
 
Old 11-20-2007, 11:06 AM   #5
blackhole54
Senior Member
 
Registered: Mar 2006
Posts: 1,896

Rep: Reputation: 61
I don't see any obvious error in your firewall with the possible exception of using MASQUERADE. It is correct to use MASQUERADE if you have a dynamic IP address. If you have a static IP address, then you should use DNAT.


First, make sure you can ping your laptop from the firewall machine. Then I suggest looking at the system log for your firewall machine (after you have tried to access the Internet from the laptop) and see if you see any packets blocked with port TCP/80 or UDP/53 that look like they pertain to your laptop. If you don't see anything there, check for a DNS problem by executing the following 2 statements, on your laptop.

Code:
ping 64.179.4.146
ping www.linuxquestions.org
If the first statement works and the second does not, then you have a DNS problem.

BTW, is something on your network providing DHCP for your laptop or are you configuring it manually?
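The log check blackhole54 describes, as an added example (not part of the thread): scan the lines the DROPl chain's LOG target writes to the kernel log and report, for one LAN host, which destination ports were dropped, then say whether DNS (UDP/53), HTTP (TCP/80) or both are among them. The four log lines are constructed; 192.0.2.2 stands in for the laptop and 203.0.113.1 for the firewall's external address.

```shell
#!/bin/sh
# Added example: summarise DROPl log lines for one source host.
# Constructed sample of what the LOG target with prefix "DROPl:" produces.
SAMPLE_LOG='Nov 20 10:01:02 fw kernel: DROPl:IN=eth0 OUT=eth1 SRC=192.0.2.2 DST=198.51.100.53 LEN=60 PROTO=UDP SPT=32801 DPT=53 LEN=40
Nov 20 10:01:03 fw kernel: DROPl:IN=eth0 OUT=eth1 SRC=192.0.2.2 DST=198.51.100.80 LEN=60 PROTO=TCP SPT=41022 DPT=80 WINDOW=5840 SYN
Nov 20 10:01:04 fw kernel: DROPl:IN=eth1 OUT= SRC=198.51.100.9 DST=203.0.113.1 LEN=48 PROTO=TCP SPT=4444 DPT=139 SYN
Nov 20 10:01:05 fw kernel: DROPl:IN=eth0 OUT=eth1 SRC=192.0.2.2 DST=198.51.100.80 LEN=60 PROTO=TCP SPT=41023 DPT=80 SYN'

# blocked_from HOST: read log lines on stdin and print "PROTO/DPT count"
# for every destination port dropped on packets whose SRC is HOST.
blocked_from() {
    awk -v host="$1" '
        /DROPl:/ {
            src = ""; proto = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            if (src == host && dpt != "") count[proto "/" dpt]++
        }
        END { for (k in count) print k, count[k] }' | sort
}

# diagnose HOST: read log lines on stdin and print which of the two
# symptoms the reply mentions were seen: dns, http, both or none.
diagnose() {
    summary=$(blocked_from "$1")
    dns=$(printf '%s\n' "$summary" | awk '$1 == "UDP/53" {print $2}')
    http=$(printf '%s\n' "$summary" | awk '$1 == "TCP/80" {print $2}')
    if [ -n "$dns" ] && [ -n "$http" ]; then echo both
    elif [ -n "$dns" ]; then echo dns
    elif [ -n "$http" ]; then echo http
    else echo none
    fi
}

# Stand-alone run over the constructed sample; on a real box feed
# /var/log/messages (or dmesg) to these functions instead.
printf '%s\n' "$SAMPLE_LOG" | blocked_from 192.0.2.2
printf 'laptop: %s\n' "$(printf '%s\n' "$SAMPLE_LOG" | diagnose 192.0.2.2)"
```

A result of `both` means the laptop's packets reach the firewall but are being dropped in FORWARD, so the missing piece is an ACCEPT rule; `none` with a dead connection points instead at routing, the gateway setting, or DNS on the laptop itself, which is where the two `ping` commands above come in.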
 