Hi, everyone,
I got this script from the network specialist who set up our network in another country.
I am not familiar with iptables and I want to understand it so I can modify some things. I hope you can give me directions and explanations for this script; I really need your help.
Here is the script that I found in /etc/rc.d/firewall.fw:
firewall.fw
#!/bin/sh
#
# This is automatically generated file. DO NOT MODIFY !
#
# Firewall Builder fwb_ipt v1.0.7-
#
# Generated Sun Apr 6 20:53:36 2003 MYT by root
#
#
#
#
check() {
  # Abort the whole script when the given path is not an executable file.
  # $1 - absolute path of a tool this script cannot run without
  # Prints a diagnostic (to stdout, as the original does) and exits with 1.
  [ -x "$1" ] && return 0
  echo "$1 not found or is not executable"
  exit 1
}
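log() {
  # Send a message to syslog at priority "info" when the logger binary
  # configured in $LOGGER is available; do nothing otherwise.
  # $1 - message text
  # Runs "$LOGGER" itself instead of a bare "logger", so the -x check
  # really guards the command that is executed (the original checked one
  # path and ran another found via $PATH).
  if [ -x "$LOGGER" ]; then
    "$LOGGER" -p info "$1"
  fi
}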
# Absolute paths of the external tools this script relies on.
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
IP="/sbin/ip"
LOGGER="/usr/bin/logger"
# Fail early (check() exits the script) if any required binary is missing.
check "$MODPROBE"
check "$IPTABLES"
check "$IP"
# Work from a known directory; give up if /etc cannot be entered.
cd /etc || exit 1
log "Activating firewall script generated Sun Apr 6 20:53:36 2003 MYT by root"
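# Load the connection-tracking and NAT netfilter modules shipped with the
# running kernel.  Module names are derived from the *_conntrack_* and
# *_nat_* object files in the kernel's netfilter directory (2.4-style
# ".o" / ".o.gz" names; on a kernel using ".ko" modules nothing matches
# and nothing is loaded here).
MODULE_DIR="/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/"
# "cd ... &&" makes sure ls runs in the module directory only; the original
# fell back to listing the current directory (/etc) when cd failed.
MODULES=$(cd "$MODULE_DIR" && ls *_conntrack_* *_nat_* | sed 's/\.o.*$//')
for module in $MODULES; do
  # Guard against a stray name (e.g. the literal glob when nothing matched).
  if [ -e "${MODULE_DIR}/${module}.o" ] || [ -e "${MODULE_DIR}/${module}.o.gz" ]; then
    "$MODPROBE" -k "$module" || exit 1
  fi
done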
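# Remember the current forwarding state.  Note: nothing below reads FWD;
# the script re-enables forwarding unconditionally at the end.
FWD=$(cat /proc/sys/net/ipv4/ip_forward)
# Stop routing between interfaces while the rule set is rebuilt, so no
# packet is forwarded through a half-configured firewall.
echo "0" > /proc/sys/net/ipv4/ip_forward
# Reverse-path filtering: discard packets whose source address would not be
# routed back through the interface they arrived on (anti-spoofing).
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# TCP tuning: FIN-WAIT-2 timeout 30 s; keepalive probe interval 1800 s.
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_intvl
# Clear the ARP cache and remove any address aliases labelled "FWB*" that
# an earlier run of this script added on both interfaces.
"$IP" -4 neigh flush dev eth0
"$IP" -4 addr flush dev eth0 label "eth0:FWB*"
"$IP" -4 neigh flush dev eth1
"$IP" -4 addr flush dev eth1 label "eth1:FWB*"
# Default policies first: anything not explicitly accepted further down is
# dropped.  Doing this before the flush means the host is never left open
# between removing the old rules and installing the new ones.
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P FORWARD DROP
# Flush every chain of every loaded table, then delete the user-defined
# chains.  Chain names are taken from the "Chain <name> ..." header lines
# of "iptables -L -n".  (Read the file directly instead of "cat | while".)
while read -r table; do
  "$IPTABLES" -t "$table" -L -n | while read -r c chain rest; do
    if [ "X$c" = "XChain" ]; then
      "$IPTABLES" -t "$table" -F "$chain"
    fi
  done
  "$IPTABLES" -t "$table" -X
done < /proc/net/ip_tables_names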
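#
# Rule 0(NAT)
#
# LAN traffic addressed to the firewall's own external and internal
# addresses is ACCEPTed in the nat chains.  ACCEPT ends traversal of that
# chain, so these packets are exempt from the SNAT in Rule 1 below.
#
"$IPTABLES" -t nat -A PREROUTING -s 192.168.xxx.0/24 -d xxx.xxx.xx.xxx -j ACCEPT
"$IPTABLES" -t nat -A PREROUTING -s 192.168.xxx.0/24 -d 192.168.xxx.2 -j ACCEPT
"$IPTABLES" -t nat -A POSTROUTING -s 192.168.xxx.0/24 -d xxx.xxx.xx.xxx -j ACCEPT
"$IPTABLES" -t nat -A POSTROUTING -s 192.168.xxx.0/24 -d 192.168.xxx.2 -j ACCEPT
#
# Rule 1(NAT)
#
# Source NAT for the LAN: packets leaving via eth0 get the external address,
# packets leaving via eth1 get 192.168.xxx.2.
#
"$IPTABLES" -t nat -A POSTROUTING -o eth0 -s 192.168.xxx.0/24 -j SNAT --to-source xxx.xxx.xx.xxx
"$IPTABLES" -t nat -A POSTROUTING -o eth1 -s 192.168.xxx.0/24 -j SNAT --to-source 192.168.xxx.2
#
# Stateful shortcut: replies and related packets of connections that were
# already accepted pass in all three directions.  Every rule below only has
# to decide about NEW connections.
#
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Rule 0(eth0)
#
# Inbound on the external interface: ICMP type 0 code 0 (iptables
# "--icmp-type type/code"), and *everything* from the single host
# xxx.xxx.xx.zzz with no port or state restriction -- that host has full
# access to the firewall itself.
#
"$IPTABLES" -A INPUT -i eth0 -p icmp --icmp-type 0/0 -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -i eth0 -s xxx.xxx.xx.zzz/32 -j ACCEPT
#
# Rule 0(eth1)
#
# Inbound on the LAN interface: ICMP 0/0 from the LAN to the firewall, and
# the same ICMP type forwarded out eth1 when destined to the firewall's own
# addresses (presumably generated by the builder from one "LAN -> firewall"
# rule; a FORWARD rule to a local address is not expected to match).
#
"$IPTABLES" -A INPUT -i eth1 -p icmp -s 192.168.xxx.0/24 --icmp-type 0/0 -m state --state NEW -j ACCEPT
"$IPTABLES" -A FORWARD -o eth1 -p icmp -s 192.168.xxx.0/24 -d xxx.xxx.xx.xxx --icmp-type 0/0 -m state --state NEW -j ACCEPT
"$IPTABLES" -A FORWARD -o eth1 -p icmp -s 192.168.xxx.0/24 -d 192.168.xxx.2 --icmp-type 0/0 -m state --state NEW -j ACCEPT
#
# Rule 0(global)
#
# New TCP connections from the LAN to the firewall on ports 110 (POP3) and
# 25 (SMTP) are logged with prefix "RULE 0 -- ACCEPT " and then accepted.
#
"$IPTABLES" -N RULE_0
"$IPTABLES" -A INPUT -p tcp -m multiport -s 192.168.xxx.0/24 --destination-port 110,25 -m state --state NEW -j RULE_0
"$IPTABLES" -A RULE_0 -j LOG --log-level info --log-prefix "RULE 0 -- ACCEPT "
"$IPTABLES" -A RULE_0 -j ACCEPT
#
# Rule 1(global)
#
# Three LAN hosts (.88, .89, .90) may open any new connection to the
# firewall (INPUT) and through it (FORWARD).  This trust is purely by
# source address; the rp_filter setting above is what stops another
# interface from spoofing these addresses.
#
"$IPTABLES" -A INPUT -s 192.168.xxx.90 -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -s 192.168.xxx.89 -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -s 192.168.xxx.88 -m state --state NEW -j ACCEPT
"$IPTABLES" -A FORWARD -s 192.168.xxx.90 -m state --state NEW -j ACCEPT
"$IPTABLES" -A FORWARD -s 192.168.xxx.89 -m state --state NEW -j ACCEPT
"$IPTABLES" -A FORWARD -s 192.168.xxx.88 -m state --state NEW -j ACCEPT
#
# Rule 2(global)
#
# Catch-all for everything not matched above: log with prefix
# "RULE 2 -- DROP " and drop.  In the generated file the DROP line had been
# commented out, so the chain only logged and the packet was dropped by the
# DROP policy after returning to the built-in chain -- same outcome, but the
# rule set no longer reads as it behaves.  The explicit DROP is restored so
# the log message and the disposition live together and show up in the
# RULE_2 counters.
#
"$IPTABLES" -N RULE_2
"$IPTABLES" -A OUTPUT -j RULE_2
"$IPTABLES" -A INPUT -j RULE_2
"$IPTABLES" -A FORWARD -j RULE_2
"$IPTABLES" -A RULE_2 -j LOG --log-level info --log-prefix "RULE 2 -- DROP "
"$IPTABLES" -A RULE_2 -j DROP
#
# Rule set complete: turn routing between eth0 and eth1 back on.  (This is
# unconditional; the value saved in FWD at the top is not consulted.)
#
echo 1 > /proc/sys/net/ipv4/ip_forward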
It looks like it blocks every connection, right?
Thanks in advance