LinuxQuestions.org
LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 10-01-2013, 11:02 PM   #1
mckinnon81
iptables linux router


Hi Guys,

I have started a small project where I am building a Linux firewall/router from the ground up.

PLEASE NOTE I am not interested in the pre-built distros pfsense, clearos etc. I am doing this from scratch as I want to learn how the system works and what it does so I am in control.

OK anyway, the distro I am using is Debian. I have pppoeconfig working with my bridged modem. I have dnsmasq working, where it gives out IP addresses and DNS.

Now I am working on the iptables for the firewall and port forwarding. I have found a few basic scripts which I have put together to get some function and will be using these as a base.

Can I please get some advice on whether this looks OK or if I need to change it?

I have added a port forward as well to test and see if I have it working (and understand it).

Advice is appreciated

Thanks.

Code:
#!/bin/bash
#
# EXTIF - WAN interface
# INTIF - LAN interface
#
# net.ipv4.ip_forward=1 must be set in /etc/sysctl.conf (or with sysctl -w);
# without it the kernel will not route packets between the two interfaces,
# so the FORWARD rules below never see any traffic.
#
# Define network interfaces
EXTIF="eth0"
INTIF="eth1"
#
# Flush existing rules and set the default policies
iptables -P INPUT ACCEPT
iptables -F INPUT
iptables -P OUTPUT ACCEPT
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -t nat -F
#
# Allow all outbound traffic from the LAN and only let established/related
# connections back in; anything else reaching FORWARD is logged and then
# dropped by the chain policy
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -A FORWARD -j LOG
#
# Masquerade (source NAT) on $EXTIF
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
#
# Allow inbound ssh connections (the port name is resolved via /etc/services)
iptables -A INPUT -p tcp --dport ssh -j ACCEPT
#
# Ping on EXTIF
iptables -A INPUT -p icmp -j ACCEPT
#
# Allow the lo interface to work
iptables -A INPUT -i lo -j ACCEPT
#
# Default DROP for anything else arriving on $EXTIF
iptables -A INPUT -i $EXTIF -j DROP
#
# PORT FORWARDS
#
# RDP: rewrite the destination address in nat/PREROUTING, then permit the
# rewritten packet through the FORWARD chain
iptables -A PREROUTING -t nat -i $EXTIF -p tcp --dport 3389 -j DNAT --to 192.168.2.110:3389
iptables -A FORWARD -p tcp -d 192.168.2.110 --dport 3389 -j ACCEPT

Last edited by mckinnon81; 10-01-2013 at 11:04 PM.
 
Old 10-02-2013, 01:32 AM   #2
SAbhi
Looks OK to me on the basic side. I would, though, suggest allowing the outbound flow for ssh too.
 
Old 10-02-2013, 10:29 AM   #3
mckinnon81
Thanks SAbhi.

Cool, so I have a base now to start adding all my inbound firewall port rules and I am set. Then I can start installing other packages: ntop, snort, VPN (PPTP/L2TP), squid/dansguardian transparent proxy and maybe some others.

Can you please elaborate on "outbound flow for ssh too"?

Thanks
 
Old 10-02-2013, 11:35 AM   #4
SAbhi
It is as simple as this: you are allowing connections coming to destination port 22 (the default), but not allowing connections from source port 22.

Incoming is allowed but not outgoing. (If there isn't any need, you can omit it.)

I also forgot to mention in my last post that it is good to use the port number with "--dport".
 
Old 10-02-2013, 12:27 PM   #5
eSelix
You should filter out INVALID packets:
Code:
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP
Also, ESTABLISHED,RELATED should be assigned in the INPUT chain, so ssh in this chain will use connection tracking.
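As an added example (not code from the thread or any of its posters), here is the original script reworked into an iptables-restore ruleset with both replies applied: SAbhi's numeric port and outbound ssh (handled by connection tracking), and eSelix's INVALID drop and ESTABLISHED,RELATED rule in INPUT. eth0, eth1, 192.168.2.110 and port 3389 are the poster's own values; `check_order` is a helper of my own that confirms the ESTABLISHED,RELATED rule precedes the interface DROP rule, since iptables evaluates rules top to bottom.

```shell
#!/bin/bash
# Added example (not the poster's script): the thread's ruleset rewritten in
# iptables-restore format with the replies' advice applied. eth0/eth1,
# 192.168.2.110 and port 3389 are the values from the original post.
set -eu

# gen_rules WAN_IF LAN_IF RDP_HOST -> prints a ruleset for iptables-restore,
# which loads everything atomically instead of one iptables call at a time.
gen_rules() {
    local extif="$1" intif="$2" rdp_host="$3"
    cat <<EOF
# net.ipv4.ip_forward=1 is still required for the FORWARD chain to see traffic
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ${extif} -p tcp --dport 3389 -j DNAT --to-destination ${rdp_host}:3389
-A POSTROUTING -o ${extif} -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# eSelix: discard packets conntrack cannot classify, in both chains
-A INPUT -m state --state INVALID -j DROP
-A FORWARD -m state --state INVALID -j DROP
# eSelix: conntrack admits replies to the router's own connections (outbound ssh included)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
# SAbhi: numeric port instead of the /etc/services name; only NEW needs a rule now
-A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i ${extif} -j DROP
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i ${intif} -o ${extif} -j ACCEPT
-A FORWARD -i ${extif} -o ${intif} -p tcp -d ${rdp_host} --dport 3389 -j ACCEPT
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
COMMIT
EOF
}

# check_order RULESET -> succeeds only if the INPUT ESTABLISHED,RELATED rule
# comes before the first INPUT DROP rule (other than the INVALID one).
check_order() {
    local est drop
    est=$(printf '%s\n' "$1" | grep -n -- '^-A INPUT .*ESTABLISHED,RELATED' | head -1 | cut -d: -f1)
    drop=$(printf '%s\n' "$1" | grep -n -- '^-A INPUT .*-j DROP' | grep -v INVALID | head -1 | cut -d: -f1)
    [ -n "$est" ] && { [ -z "$drop" ] || [ "$est" -lt "$drop" ]; }
}
# Usage (as root): gen_rules eth0 eth1 192.168.2.110 > /etc/iptables.rules && iptables-restore < /etc/iptables.rules
```

The LAN side of INPUT is left at policy ACCEPT, as in the original, so dnsmasq keeps serving DHCP and DNS to the inside interface.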