Howdy all..
I have my network setup with ppp0 frontend to net which server gateway/router to the other 2 boxes on net IPs (not NAT).
Anyhow I originally was using NAT and wrote firewall using IN to block data. I think now I need to write it using different rules, cause each the other machines are getting every connection attempt coming through.
My firewall goes something like this:
Code:
#!/bin/sh
iptables=/sbin/iptables
modprobe=/sbin/modprobe
mynetwork=A.B.C.144/29
# Flushing tables..
$iptables -F
$iptables -t nat -F
# MASQ rules for gateway
echo "1" > /proc/sys/net/ipv4/ip_forward
# Loading modules
$modprobe ip_conntrack_irc
$modprobe ip_nat_irc
$modprobe ip_conntrack_ftp
$modprobe ip_nat_ftp
# Functions
allowPorts () {
case "$1" in
permit)
$iptables -A INPUT -i ppp0 -p tcp --destination A.B.C.146 --dport A -j ACCEPT
$iptables -A INPUT -i ppp0 -p tcp --destination A.B.C.146 --dport B -j ACCEPT
$iptables -A INPUT -i ppp0 -p tcp --destination A.B.C.146 --dport C -j ACCEPT
$iptables -A INPUT -i ppp0 -p tcp --destination A.B.C.146 --dport 146 -j ACCEPT
;;
forward)
;;
esac
}
blockAll () {
$iptables -A INPUT -i ppp0 -p all -j DROP
}
# Switch
case "$1" in
start|restart|reload)
# PERMIT SELECTED PORTS
$iptables -A INPUT -i ppp0 -p tcp --destination A.B.C.143 --dport 22 -j ACCEPT
$iptables -A INPUT -i ppp0 -p tcp --destination A.B.C.143 --dport 80 -j ACCEPT
$iptables -A INPUT -i ppp0 -p tcp --destination A.B.C.145 --dport 22 -j ACCEPT
$iptables -A INPUT -i ppp0 -p tcp --destination A.B.C.145 --dport 80 -j ACCEPT
$iptables -A INPUT -i ppp0 -p tcp --destination A.B.C.146 --dport 113 -j ACCEPT
allowPorts permit
# ALLOW INCOMING BASED ON EXISTING
$iptables -A INPUT -m state --state NEW -i ! ppp0 -j ACCEPT
$iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# BLOCK REMAINING
blockAll
# ETHERNET PORT FORWARDING
allowPorts forward
echo "Firewall rules loaded successfully!"
;;
stop|kill|drop)
echo "Firewall rules unloaded successfully!"
;;
paranoid|insane)
# ALLOW INCOMING SSH
$iptables -A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT
# BLOCK REMAINING
blockAll
echo "Firewall rules loaded successfully! Only allowing SSH connections."
;;
*)
echo "Usage: /etc/init.d/firewall (start|stop|reload|restart|paranoid)"
exit 1
;;
esac
exit 0
Sort of ignore the opened port access and A,B,Cs but you should get the idea.
143 is the gateway and I want only 22 and 80 open on it, as for remaining network I I want 22,80 open on 145 and the rest DROPPED.
I guess more than anything i'm after the command. I tried using -A FORWARD but that blocked outgoing traffic too..
Please, any help would be great!