LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 07-25-2004, 05:57 AM   #1
sarah_t_s
LQ Newbie
 
Registered: Feb 2004
Posts: 10

Rep: Reputation: 0
firewall not allowing dhcp?


Greetings,

I've searched through the forums (and via google) looking for an answer to this problem, simply put as far as I can tell my iptables firewall script is not allowing clients to talk to dhcpd.

Sans firewall everything works fine. Run it and no machine can pull an IP.
I am using Slackware 10 as the distro and I've made no moves from the default packages that it installs.

eth0 = Realtek NIC connected to cable modem ip assigned via dhcpcd.
eth1 = Nvidia nForce 2 embeded NIC.

I'm using IPTABLES Firewall v 0.86 by shadow999@firemail.de, [Script Here]

and this is my .conf file for dhcpd:

# dhcpd.conf
#
# Configuration file for ISC dhcpd (see 'man dhcpd.conf')
#
default-lease-time 43200;
max-lease-time 432000;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.0.255;
option domain-name-servers 194.168.4.100, 194.168.8.100;
option domain-name "foo.org";
option routers 192.168.0.1;
ddns-update-style ad-hoc;

subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.21 192.168.0.250;
}

Sorry for being such a

Sarah
 
Old 07-25-2004, 06:41 AM   #2
charon79m
Member
 
Registered: Oct 2003
Distribution: Just about anything... so long as it is Debain based.
Posts: 297

Rep: Reputation: 30
Need more info...

A dup of your firewall rules would help to solve this.

I think DHCP responses use UDB 67 & 68, but I don't remember which port in what direction.

Just out of curriosicty, why not just disable the firewall on your LAN interface?

Cheers,

MrKnisely
 
Old 07-25-2004, 08:05 AM   #3
sarah_t_s
LQ Newbie
 
Registered: Feb 2004
Posts: 10

Original Poster
Rep: Reputation: 0
Re: Need more info...

Quote:
Originally posted by charon79m
A dup of your firewall rules would help to solve this.

I think DHCP responses use UDB 67 & 68, but I don't remember which port in what direction.

Just out of curriosicty, why not just disable the firewall on your LAN interface?

Cheers,

MrKnisely
Ok, I've cut n' pasted the complete firewall script that I'm using underneath... it is quiet litterally the same script I linked to with the correct interfaces selected.

udp 68 & 67 would appear to be the correct ports. I think it's in on 68 and out at 67 but don't quote me on that.

To be honest, I don't know how to shut the firewall off on the local lan... I can fiddle with a few things on the machine but iptables is still a dark and arcane art to me for the most part

Here is the firewall script I'm using. I've had to trim out some of the stuff due to post length but the meat and most of the bones are there.
Quote:
#!/bin/sh

# This is the location of the iptables command
IPTABLES="/usr/sbin/iptables"


case "$1" in
stop)
echo "Shutting down firewall..."
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
echo "...done"
;;
status)
echo $"Table: filter"
iptables --list
echo $"Table: nat"
iptables -t nat --list
echo $"Table: mangle"
iptables -t mangle --list
;;
restart|reload)
$0 stop
$0 start
;;
start)
echo "Starting Firewall..."
echo ""

## Default external interface (used, if EXTIF isn't specified on command line)
DEFAULT_EXTIF="eth0"

## Default internal interface (used, if INTIF isn't specified on command line)
DEFAULT_INTIF="eth1"

# IP Mask for all IP addresses
UNIVERSE="0.0.0.0/0"

# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"

# Specification of X Window System (TCP) ports.
XWINPORTS="6000:6063"

# Ports for IRC-Connection-Tracking
IRCPORTS="6665,6666,6667,6668,6669,7000"

#For port-forwarding to an internal host, define a variable with the appropriate
#internal IP-Address here and take a look at the port-forwarding sections in the FORWARD +
#PREROUTING-chain:

#These are examples, uncomment to activate

#IP for forwarded Battlecom-traffic
#BATTLECOMIP="192.168.0.5"

#IP for forwarded HTTP-traffic
#HTTPIP="192.168.0.20"


#----Flood Variables-----#

# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMIT="5/s"
# Burst Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"

# Overall Limit for Loggging in Logging-Chains
LOGLIMIT="2/s"
# Burst Limit for Logging in Logging-Chains
LOGLIMITBURST="10"

# Overall Limit for Ping-Flood-Detection
PINGLIMIT="5/s"
# Burst Limit for Ping-Flood-Detection
PINGLIMITBURST="10"



#----Automatically determine infos about involved interfaces-----#

### External Interface:

## Get external interface from command-line
## If no interface is specified then set $DEFAULT_EXTIF as EXTIF
if [ "x$2" != "x" ]; then
EXTIF=$2
else
EXTIF=$DEFAULT_EXTIF
fi
echo External Interface: $EXTIF

## Determine external IP
EXTIP="`ifconfig $EXTIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`"
if [ "$EXTIP" = '' ]; then
echo "Aborting: Unable to determine the IP-address of $EXTIF !"
exit 1
fi
echo External IP: $EXTIP

## Determine external gateway
EXTGW=`route -n | grep -A 4 UG | awk '{ print $2}'`
echo Default GW: $EXTGW


echo " --- "


### Internal Interface:

## Get internal interface from command-line
## If no interface is specified then set $DEFAULT_INTIF as INTIF
if [ "x$3" != "x" ]; then
INTIF=$3
else
INTIF=$DEFAULT_INTIF
fi
echo Internal Interface: $INTIF

## Determine internal IP
INTIP="`ifconfig $INTIF | grep inet | cut -d : -f 2 | cut -d \ -f 1`"
if [ "$INTIP" = '' ]; then
echo "Aborting: Unable to determine the IP-address of $INTIF !"
exit 1
fi
echo Internal IP: $INTIP

## Determine internal netmask
INTMASK="`ifconfig $INTIF | grep Mask | cut -d : -f 4`"
echo Internal Netmask: $INTMASK

## Determine network address of the internal network
INTLAN=$INTIP'/'$INTMASK
echo Internal LAN: $INTLAN

echo ""


#----Load IPTABLES-modules-----#


#Insert modules- should be done automatically if needed

#If the IRC-modules are available, uncomment them below

echo "Loading IPTABLES modules"

dmesg -n 1 #Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
#/sbin/modprobe ip_nat_irc ports=$IRCPORTS
dmesg -n 6

echo " --- "


#----Clear/Reset all chains-----#

#Clear all IPTABLES-chains

#Flush everything, start from scratch
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

#Set default policies to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP


#----Set network sysctl options-----#


echo "Setting sysctl options"

#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward

#Disabling IP Spoofing attacks.
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter

#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

#Set out local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range

#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack


echo " --- "

echo "Creating user-chains"



#----Create logging chains-----#

##These are the logging-chains. They all have a certain limit of log-entries/sec to prevent log-flooding
##The syslog-entries will be fireparse-compatible (see http://www.fireparse.com)


#Invalid packets (not ESTABLISHED,RELATED or NEW)
$IPTABLES -N LINVALID
$IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=INVALID:1 a=DROP "
$IPTABLES -A LINVALID -j DROP

#TCP-Packets with one ore more bad flags
$IPTABLES -N LBADFLAG
$IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=BADFLAG:1 a=DROP "
$IPTABLES -A LBADFLAG -j DROP

#Logging of connection attempts on special ports (Trojan portscans, special services, etc.)
$IPTABLES -N LSPECIALPORT
$IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SPECIALPORT:1 a=DROP "
$IPTABLES -A LSPECIALPORT -j DROP

#Logging of possible TCP-SYN-Floods
$IPTABLES -N LSYNFLOOD
$IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
$IPTABLES -A LSYNFLOOD -j DROP

#Logging of possible Ping-Floods
$IPTABLES -N LPINGFLOOD
$IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
$IPTABLES -A LPINGFLOOD -j DROP


#All other dropped packets
$IPTABLES -N LDROP
$IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP "
$IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP "
$IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP "
$IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP "
$IPTABLES -A LDROP -j DROP

#All other rejected packets
$IPTABLES -N LREJECT
$IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=REJECT "
$IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=REJECT "
$IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=REJECT "
$IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=REJECT "
$IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A LREJECT -j REJECT



#----Create Accept-Chains-----#


#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in

$IPTABLES -N TCPACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
$IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT


#----Create special User-Chains-----#


#CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)

$IPTABLES -N CHECKBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG



#FILTERING FOR SPECIAL PORTS


#Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs)

#SMB-Traffic
$IPTABLES -N SMB

$IPTABLES -A SMB -p tcp --dport 137 -j DROP
$IPTABLES -A SMB -p tcp --dport 138 -j DROP
$IPTABLES -A SMB -p tcp --dport 139 -j DROP
$IPTABLES -A SMB -p tcp --dport 445 -j DROP
$IPTABLES -A SMB -p udp --dport 137 -j DROP
$IPTABLES -A SMB -p udp --dport 138 -j DROP
$IPTABLES -A SMB -p udp --dport 139 -j DROP
$IPTABLES -A SMB -p udp --dport 445 -j DROP

$IPTABLES -A SMB -p tcp --sport 137 -j DROP
$IPTABLES -A SMB -p tcp --sport 138 -j DROP
$IPTABLES -A SMB -p tcp --sport 139 -j DROP
$IPTABLES -A SMB -p tcp --sport 445 -j DROP
$IPTABLES -A SMB -p udp --sport 137 -j DROP
$IPTABLES -A SMB -p udp --sport 138 -j DROP
$IPTABLES -A SMB -p udp --sport 139 -j DROP
$IPTABLES -A SMB -p udp --sport 445 -j DROP


#Inbound Special Ports

$IPTABLES -N SPECIALPORTS

#Deepthroat Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 6670 -j LSPECIALPORT

#Subseven Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p udp --dport 1243 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 27374 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p udp --dport 27374 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 -j LSPECIALPORT

#Netbus Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 12345:12346 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j LSPECIALPORT

#Back Orifice scan
$IPTABLES -A SPECIALPORTS -p udp --dport 31337:31338 -j LSPECIALPORT

#X-Win
$IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS -j LSPECIALPORT

#Hack'a'Tack 2000
$IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT



#ICMP/TRACEROUTE FILTERING


#Inbound ICMP/Traceroute

$IPTABLES -N ICMPINBOUND

#Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT
#
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD

#Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled)
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LDROP

#Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled)
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LDROP

#Block ICMP-address-mask (can help to prevent OS-fingerprinting)
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LDROP
$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LDROP


#Allow all other ICMP in
$IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT




#Outbound ICMP/Traceroute

$IPTABLES -N ICMPOUTBOUND

#Block ICMP-Redirects (Should already be catched by sysctl-options, if enabled)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LDROP

#Block ICMP-TTL-Expired
#MS Traceroute (MS uses ICMP instead of UDp for tracert)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LDROP

#Block ICMP-Parameter-Problem
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LDROP

#Block ICMP-Timestamp (Should already be catched by sysctl-options, if enabled)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LDROP

#Block ICMP-address-mask (can help to prevent OS-fingerprinting)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LDROP


##Accept all other ICMP going out
$IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT



#----End User-Chains-----#



echo " --- "


#----Start Ruleset-----#

echo "Implementing firewall rules..."


#################
## INPUT-Chain ## (everything that is addressed to the firewall itself)
#################


##GENERAL Filtering

# Kill INVALID packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A INPUT -m state --state INVALID -j LINVALID

# Check TCP-Packets for Bad Flags
$IPTABLES -A INPUT -p tcp -j CHECKBADFLAG


##Packets FROM FIREWALL-BOX ITSELF

#Local IF
$IPTABLES -A INPUT -i lo -j ACCEPT
#
#Kill connections to the local interface from the outside world (--> Should be already catched by kernel/rp_filter)
$IPTABLES -A INPUT -d 127.0.0.0/8 -j LREJECT


##Packets FROM INTERNAL NET


##Allow unlimited traffic from internal network using legit addresses to firewall-box
##If protection from the internal interface is needed, alter it

$IPTABLES -A INPUT -i $INTIF -s $INTLAN -j ACCEPT

#Kill anything from outside claiming to be from internal network (Address-Spoofing --> Should be already catched by rp_filter)
$IPTABLES -A INPUT -s $INTLAN -j LREJECT



##Packets FROM EXTERNAL NET


##ICMP & Traceroute filtering

#Filter ICMP
$IPTABLES -A INPUT -i $EXTIF -p icmp -j ICMPINBOUND

#Block UDP-Traceroute
$IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP


##Silent Drops/Rejects (Things we don't want in our logs)

#Drop all SMB-Traffic
$IPTABLES -A INPUT -i $EXTIF -j SMB

#Silently reject Ident (Don't DROP ident, because of possible delays when establishing an outbound connection)
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT --reject-with tcp-reset


##Public services running ON FIREWALL-BOX (comment out to activate):

# ftp-data
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 20 -j TCPACCEPT

# ftp
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 21 -j TCPACCEPT

# ssh
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 22 -j TCPACCEPT

#telnet
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 23 -j TCPACCEPT

# smtp
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 25 -j TCPACCEPT

# DNS
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 53 -j TCPACCEPT
#$IPTABLES -A INPUT -i $EXTIF -p udp --dport 53 -j ACCEPT

# http
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 80 -j TCPACCEPT

# https
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 443 -j TCPACCEPT

# POP-3
#$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 110 -j TCPACCEPT



##Separate logging of special portscans/connection attempts

$IPTABLES -A INPUT -i $EXTIF -j SPECIALPORTS



##Allow ESTABLISHED/RELATED connections in

$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT


##Catch all rule
$IPTABLES -A INPUT -j LDROP





##################
## Output-Chain ## (everything that comes directly from the Firewall-Box)
##################



##Packets TO FIREWALL-BOX ITSELF

#Local IF
$IPTABLES -A OUTPUT -o lo -j ACCEPT
##Packets TO INTERNAL NET

#Allow unlimited traffic to internal network using legit addresses
$IPTABLES -A OUTPUT -o $INTIF -d $INTLAN -j ACCEPT

##Packets TO EXTERNAL NET


##ICMP & Traceroute

$IPTABLES -A OUTPUT -o $EXTIF -p icmp -j ICMPOUTBOUND
##Silent Drops/Rejects (Things we don't want in our logs)

#SMB
$IPTABLES -A OUTPUT -o $EXTIF -j SMB

#Ident
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 113 -j REJECT --reject-with tcp-reset



##Public services running ON FIREWALL-BOX (comment out to activate):

# ftp-data
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 20 -j ACCEPT

# ftp
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 21 -j ACCEPT

# ssh
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT

#telnet
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 23 -m state --state ESTABLISHED -j ACCEPT

# smtp
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 25 -m state --state ESTABLISHED -j ACCEPT

# DNS
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 53 -j ACCEPT
#$IPTABLES -A OUTPUT -o $EXTIF -p udp --sport 53 -j ACCEPT

# http
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT

# https
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 443 -m state --state ESTABLISHED -j ACCEPT

# POP-3
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 110 -m state --state ESTABLISHED -j ACCEPT




##Accept all tcp/udp traffic on unprivileged ports going out

$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p udp --sport $UNPRIVPORTS -j ACCEPT



##Catch all rule

$IPTABLES -A OUTPUT -j LDROP




####################
## FORWARD-Chain ## (everything that passes the firewall)
####################


##GENERAL Filtering

#Kill invalid packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A FORWARD -m state --state INVALID -j LINVALID

# Check TCP-Packets for Bad Flags
$IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG


##Filtering FROM INTERNAL NET


##Silent Drops/Rejects (Things we don't want in our logs)

#SMB
$IPTABLES -A FORWARD -o $EXTIF -j SMB
##Port-Forwarding from Ports < 1024 [outbound] (--> Also see chain PREROUTING)

#HTTP-Forwarding
#$IPTABLES -A FORWARD -o $EXTIF -s $HTTPIP -p tcp --sport 80 -j ACCEPT


##Allow all other forwarding (from Ports > 1024) from Internal Net to External Net
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p udp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p icmp -j ACCEPT



##Filtering FROM EXTERNAL NET


##Silent Drops/Rejects (Things we don't want in our logs)

#SMB
$IPTABLES -A FORWARD -i $EXTIF -j SMB


##Allow replies coming in
$IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p icmp -m state --state RELATED -j ACCEPT


##Port-Forwarding [inbound] (--> Also see chain PREROUTING)

#HTTP-Forwarding
#$IPTABLES -A FORWARD -i $EXTIF -p tcp -d $HTTPIP --dport 80 -j ACCEPT

##Catch all rule/Deny every other forwarding

$IPTABLES -A FORWARD -j LDROP

################
## PREROUTING ##
################

##Port-Forwarding (--> Also see chain FORWARD)

##HTTP
#$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp -d $EXTIP --dport 80 -j DNAT --to $HTTPIP

###################
## POSTROUTING ##
###################

#Masquerade from Internal Net to External Net
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Allowing Jabber through firewall. TheRealDeal Linux - Security 2 03-19-2005 11:34 PM
Allowing DHCP server access only to certain hostnames TVH Linux - Networking 3 11-23-2004 12:50 AM
Allowing ssh ftp through the firewall jmg1894 Linux - Newbie 5 07-08-2004 02:42 PM
allowing bittorrent through an ipchains firewall chucky88 Linux - Security 1 04-15-2004 06:10 PM
allowing IP traffic on firewall - unsafe? complus Linux - Security 4 09-04-2003 03:57 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 02:20 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration