OK, here's the background...
Network layout:
  LAN                       SERVER                               ROUTER                       INTERNET
  192.168.0.2/51 ===== eth1 192.168.0.1 | eth0 [DHCP] ===== 10.0.0.1 | 123.123.123.123 ===== (internet)
I need to write a firewall script that allows:
- Secure protection for the server (from the internet and LAN sides); as all ports will be forwarded from the router to the server, it needs protecting...
- Internet access for the workstations on the LAN, but not through a proxy like squid
- Access to the server's web server, ssh server, ftp server, and any other services that are running and that I want access to (DNS etc...)
- Port forwarding to workstations on the LAN (for services like bittorrent)
- Allow internet access to the server (so that I can use wget and lynx for example)
If this is not possible with the server having a DHCP-assigned IP for the internet side, then I can make it static; however, I would like to keep it DHCP-based.
I've read many howtos and tutorials on iptables scripting, NATing etc... But I just find that each tutorial does it its own way, which gets a bit confusing.
So, here's what I've got already...
Code:
#!/bin/bash
# Define variables
LAN=eth1
WAN=eth0
# Tell the kernel that ip forwarding is OK
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
# Clear out any iptables rules
iptables -F
iptables -t nat -F
# Set up default policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
# Should 'iptables -P FORWARD DROP' be here?
# ------ TCP,UDP,ICMP Rules for server firewall ------
# Rules for new incoming packets (from LAN + WAN)
iptables -A INPUT -p TCP --destination-port 21 -j ACCEPT
iptables -A INPUT -p TCP --destination-port 22 -j ACCEPT
iptables -A INPUT -p TCP --destination-port 80 -j ACCEPT
iptables -A INPUT -p ICMP --icmp-type 8 -j ACCEPT
iptables -A INPUT -p ICMP --icmp-type 11 -j ACCEPT
# Rules for new incoming packets (from LAN)
# '! -i' is the current negation syntax; the older '-i !' form is deprecated
iptables -A INPUT -m state --state NEW ! -i $WAN -j ACCEPT
# Rules for new incoming packets (from WAN)
# Rules for incoming packets from established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# ------ (END) TCP,UDP,ICMP Rules for server firewall ------
# NAT rules
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
I know this script doesn't do port forwarding (yet).
Please could someone verify:
A) that this will work
B) that it's working as a firewall (protecting the server)
C) that it does everything else that I want it to do
If anyone has any ideas on how to improve this (or make it work, dunno if it will yet), then please speak up! :P
Any information would be of great help, as I'm a little confused by iptables' workings.
Thanks in advance, Buck
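Since the post asks for the missing port forwarding and whether FORWARD should default to DROP, here is an added example (not Buck's script) that lays out a complete ruleset for the server in iptables-restore form, using the interfaces and 192.168.0.1 from the post; the LAN subnet, the workstation address 192.168.0.10 and port 6881 are constructed assumptions.

```shell
#!/bin/sh
# Added example, not the poster's script: print an iptables-restore ruleset for
# the SERVER in the diagram. Interfaces and 192.168.0.1 follow the post;
# LAN_NET, BT_HOST and BT_PORT are constructed assumptions.
LAN=eth1                  # LAN side, 192.168.0.1 (from the post)
WAN=eth0                  # router side, DHCP address (from the post)
LAN_NET=192.168.0.0/24    # assumed: the 192.168.0.x workstations
BT_HOST=192.168.0.10      # constructed: workstation running bittorrent
BT_PORT=6881              # constructed: bittorrent port to forward

build_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Port forward: connections arriving on the WAN for $BT_PORT go to the workstation
-A PREROUTING -i $WAN -p tcp --dport $BT_PORT -j DNAT --to-destination $BT_HOST:$BT_PORT
# MASQUERADE rather than SNAT because the $WAN address comes from DHCP and may change
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
*filter
# Default deny on INPUT and FORWARD; the server's own outbound traffic stays open
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
# Broadcast DHCP replies on $WAN do not match a conntrack entry, so allow them explicitly
-A INPUT -i $WAN -p udp --sport 67 --dport 68 -j ACCEPT
# ftp, ssh, http and ping from either side; anything else new only from the LAN
-A INPUT -p tcp -m multiport --dports 21,22,80 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -i $LAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
# Workstations out to the internet; replies in both directions come via conntrack
-A FORWARD -i $LAN -o $WAN -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The DNAT above does nothing unless FORWARD also accepts the translated packet
-A FORWARD -i $WAN -o $LAN -p tcp -d $BT_HOST --dport $BT_PORT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Review the output first, then load it as root with: build_ruleset | iptables-restore
build_ruleset
```

Unlike the post's script, which appends rules one `iptables` call at a time, this form replaces the whole table atomically, so a half-applied ruleset never leaves the server exposed.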