LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 11-08-2006, 07:34 AM   #1
th_dan
LQ Newbie
 
Registered: Nov 2006
Location: UK
Distribution: Debian 3.1
Posts: 18

IPtables Scripts?


Hi Guys,

I managed to get my gateway working after the advice people gave me here. I currently have this iptables script and need to add port forwarding plus some gateway security, because at the moment all ports are visible from the outside.

Here is what I have below; however, it just gets it all working. My question is, do any of you guys have an iptables script with what I need that all works correctly?

#!/bin/sh

PATH=/usr/sbin:/sbin:/bin:/usr/bin

# eth1 is the external (Internet) interface, eth0 the LAN side.

#
# delete all existing rules.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X

# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT

# Allow established connections, and new connections not coming from the outside.
# ("! -i eth1" is the current form of the negation; "-i ! eth1" is the old,
# deprecated spelling of the same test.)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth1 -j ACCEPT

# Allow replies to LAN connections back in from the outside.
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow outgoing connections from the LAN side (LAN eth0 -> Internet eth1;
# the interfaces were the wrong way round here, which only went unnoticed
# because the FORWARD policy is still the default ACCEPT).
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT

# Masquerade LAN addresses on the way out.
iptables -t nat -A POSTROUTING -o eth1 -s 10.0.0.0/24 -j MASQUERADE

# Don't forward from the outside to the inside.
iptables -A FORWARD -i eth1 -o eth0 -j REJECT

# Enable routing.
echo 1 > /proc/sys/net/ipv4/ip_forward


Dan
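An added example (not Dan's script or any other poster's) of the two things the first post asks for: a default-deny INPUT/FORWARD policy, and a port-forwarding helper that emits the DNAT rule together with the FORWARD rule a forwarded connection needs. It assumes the thread's layout (eth1 Internet, eth0 LAN, 10.0.0.0/24) and a hypothetical LAN host 10.0.0.1; setting IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. eth1 = Internet, eth0 = LAN as in
# Dan's script; 10.0.0.1 is a hypothetical LAN host. Run with the argument
# "apply" as root, or set IPT=echo to print the rules instead.
IPT="${IPT:-/sbin/iptables}"
EXT=eth1
LAN=eth0
LANNET=10.0.0.0/24

# Default-deny on INPUT and FORWARD: nothing on the gateway or behind it is
# reachable from eth1 unless a later rule opens it (this is what closes the
# "all ports visible from the outside" problem of the first script).
base_policy() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$LANNET" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$EXT" -s "$LANNET" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXT" -s "$LANNET" -j MASQUERADE
}

# forward_port PROTO EXT_PORT LAN_HOST LAN_PORT
# A DNAT rule on its own is not enough: after translation the packet still
# crosses FORWARD as a NEW connection arriving on $EXT, so it needs its own
# ACCEPT there, otherwise the DROP policy (or a "drop NEW from $INT" rule
# like the one in the script in post #10) silently kills the connection.
forward_port() {
    proto=$1; eport=$2; host=$3; hport=$4
    $IPT -t nat -A PREROUTING -i "$EXT" -p "$proto" --dport "$eport" \
        -j DNAT --to-destination "$host:$hport"
    $IPT -A FORWARD -i "$EXT" -o "$LAN" -p "$proto" -d "$host" --dport "$hport" \
        -m state --state NEW -j ACCEPT
}

if [ "${1:-}" = "apply" ]; then
    base_policy
    forward_port tcp 25 10.0.0.1 25   # SMTP to the LAN mail host
    forward_port udp 53 10.0.0.1 53   # DNS to the same host
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
```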
 
Old 11-08-2006, 07:46 AM   #2
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

First thing to get secure is to set the policies of your chains.
Use

iptables -P OUTPUT DROP
iptables -P INPUT DROP

as a first thing. Through this you deny everything on these chains.
Then try to only open the ports you want to be used.
Like outgoing http:

iptables -A FORWARD -p tcp --dport 80 --sport 1024:65535 -j ACCEPT

A fine iptables script that I use for my gateway, with a few modifications of my own, can be found at

http://sourceforge.net/projects/homelansecurity/

It has nearly everything you mentioned and is IMHO very good. If you need any help with it, gimme a call.
 
Old 11-08-2006, 04:24 PM   #3
th_dan
LQ Newbie
 
Registered: Nov 2006
Location: UK
Distribution: Debian 3.1
Posts: 18

Original Poster
Hi zhjim,

Thanks for your reply. I had an iptables script before that let me do what I needed to do. What you mentioned isn't really what I'm looking for.

Dan
 
Old 11-09-2006, 08:36 AM   #4
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

Ok, if you still need any help. I'm glad to do it.
 
Old 11-10-2006, 02:24 AM   #5
basileus
Member
 
Registered: Nov 2004
Location: Turku, Finland
Distribution: Debian, Ubuntu, Gentoo
Posts: 388

You might want to take a look at fwbuilder at http://www.fwbuilder.org. It's a great GUI for managing packet filters, including IPTables. I find the packet filter chains much easier to visualize when they are made of pretty colored icons.

Fwbuilder can be found in the Debian 3.1 repositories.
 
Old 11-10-2006, 07:26 AM   #6
th_dan
LQ Newbie
 
Registered: Nov 2006
Location: UK
Distribution: Debian 3.1
Posts: 18

Original Poster
Hi,

Yeah, thanks basileus. I'm only running the box in shell mode (no GUI) as it's only a router. I'm still looking and playing around, trying to make a script that does:

Port forwarding
Is secure
Doesn't allow ports on the box to be open
Doesn't reject network traffic, which can cause Outlook to take up to 1 minute to send an email.

I did have a script that did all of this but sadly I had to reinstall it.

Dan
 
Old 11-10-2006, 07:29 AM   #7
th_dan
LQ Newbie
 
Registered: Nov 2006
Location: UK
Distribution: Debian 3.1
Posts: 18

Original Poster
Ah,

You can run that in Windows. I'll give it a go.

Dan
 
Old 11-11-2006, 05:59 PM   #8
th_dan
LQ Newbie
 
Registered: Nov 2006
Location: UK
Distribution: Debian 3.1
Posts: 18

Original Poster
Hi All,

Okay, I've now got a working iptables script. I have a small problem: when I send an email from Outlook 2003 it takes up to 1 minute to send a small email. Has anyone had this issue and knows the fix for it?

Dan
 
Old 11-11-2006, 06:58 PM   #9
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Quote:
Originally Posted by th_dan
Hi All,

Okay, I've now got a working iptables script. I have a small problem: when I send an email from Outlook 2003 it takes up to 1 minute to send a small email. Has anyone had this issue and knows the fix for it?

Dan
Can you post your *current* iptables script? Also, please post the output of:
Code:
iptables -t nat -v -n -L
Code:
iptables -v -n -L
 
Old 11-12-2006, 05:58 AM   #10
th_dan
LQ Newbie
 
Registered: Nov 2006
Location: UK
Distribution: Debian 3.1
Posts: 18

Original Poster
Hi Win32sux,

#!/bin/sh
# The location of the IPtables binary file on your system.
IPT="/sbin/iptables"

# The Network Interface you will be protecting. For ADSL/dialup users,
# ppp0 should be fine. If you are using a cable internet connection or
# are connected to a LAN, you will have to change this to "eth0".
INT="eth1"

# The following rules will clear out any existing firewall rules,
# and any chains that might have been created.
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

# These will setup our policies.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# The following line below enables IP forwarding and thus
# by extension, NAT. Turn this on if you're going to be
# doing NAT or IP Masquerading.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Source NAT everything heading out the $INT (external)
# interface to be the given IP. If you have a dynamic IP
# address or a DHCP IP that changes semi-regularly, comment out
# the first line and uncomment the second line.
#
# Remember to change the ip address below to your static ip.
#
$IPT -t nat -A POSTROUTING -o $INT -j SNAT --to 12.12.12.12
$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE

# This rule protects your forwarding rule.
$IPT -A FORWARD -i $INT -m state --state NEW,INVALID -j DROP

# If you would like to forward specific ports to other machines
# on your home network, edit and uncomment the rules below. They are
# currently set up to forward port 25 & 53 (Mail & DNS) to 10.1.1.51.
# Anything incoming over your $INT through your gateway will
# be automatically redirected invisibly to port 25 & 53 on 10.1.1.51
#$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 25 -j DNAT --to 10.0.0.1:25
#$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 81 -j DNAT --to 10.0.0.1:81
#$IPT -t nat -A PREROUTING -i $INT -p udp --dport 53 -j DNAT --to 10.1.1.51:53

# These two redirect a block of ports, in both udp and tcp.
#$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 2300:2400 -j DNAT --to 10.1.1.50
#$IPT -t nat -A PREROUTING -i $INT -p udp --dport 2300:2400 -j DNAT --to 10.1.1.50


# Now, our firewall chain. We use the limit commands to
# cap the rate at which it alerts to 15 log messages per minute.
$IPT -N firewall
$IPT -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
$IPT -A firewall -j DROP

# Now, our dropwall chain, for the final catchall filter.
$IPT -N dropwall
$IPT -A dropwall -m limit --limit 15/minute -j LOG --log-prefix Dropwall:
$IPT -A dropwall -j DROP

# Our "hey, them's some bad tcp flags!" chain.
$IPT -N badflags
$IPT -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
$IPT -A badflags -j DROP

# And our silent logging chain.
$IPT -N silent
$IPT -A silent -j DROP

# This rule will accept connections from local machines. If you have
# a home network, enter in the IP's of the machines on the
# network below.
$IPT -A INPUT -i lo -j ACCEPT
#$IPT -A INPUT -s 10.1.1.50 -d 0/0 -p all -j ACCEPT
#$IPT -A INPUT -s 10.1.1.51 -d 0/0 -p all -j ACCEPT
#$IPT -A INPUT -s 10.1.1.52 -d 0/0 -p all -j ACCEPT

# Drop those nasty packets! These are all TCP flag
# combinations that should never, ever occur in the
# wild. All of these are illegal combinations that
# are used to attack a box in various ways, so we
# just drop them and log them here.
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

# Drop icmp, but only after letting certain types through.
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewall

# If you would like to open up port 22 (SSH Access) to various IP's
# simply edit the IP's below and uncomment the line. If you wish to
# enable SSH access from anywhere, uncomment the second line only.
$IPT -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
#$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 22 -j ACCEPT

# If you are running a Web Server, uncomment the next line to open
# up port 80 on your machine.
$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 80 -j ACCEPT

# Lets do some basic state-matching. This allows us
# to accept related and established connections, so
# client-side things like ftp work properly, for example.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
#$IPT -A FORWARD -m state --state NEW -p tcp --dport 25 -j ACCEPT
#$IPT -A FORWARD -m state --state NEW -p tcp --dport 110 -j ACCEPT
#$IPT -A FORWARD -m state --state NEW -p tcp --dport 53 -j ACCEPT

and the output of iptables -t nat -v -n -L and iptables -v -n -L:

core2:~# iptables -t nat -v -n -L
Chain PREROUTING (policy ACCEPT 86564 packets, 6304K bytes)
pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 5544 packets, 793K bytes)
pkts bytes target prot opt in out source destination
10 470 SNAT all -- * eth1 0.0.0.0/0 0.0.0.0/0 to:83.67.2.227
0 0 MASQUERADE all -- * eth1 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT 12016 packets, 1167K bytes)
pkts bytes target prot opt in out source destination
core2:~#

core2:~# iptables -v -n -L
Chain INPUT (policy DROP 18 packets, 2635 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
0 0 badflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
0 0 badflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
0 0 badflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
0 0 badflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
0 0 badflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
0 0 badflags tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 8 limit: avg 1/sec burst 5
0 0 firewall icmp -- * * 0.0.0.0/0 0.0.0.0/0
9 600 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
0 0 ACCEPT tcp -- eth1 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
0 0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED

Chain FORWARD (policy ACCEPT 990 packets, 135K bytes)
pkts bytes target prot opt in out source destination
0 0 DROP all -- eth1 * 0.0.0.0/0 0.0.0.0/0 state INVALID,NEW

Chain OUTPUT (policy ACCEPT 8 packets, 1460 bytes)
pkts bytes target prot opt in out source destination

Chain badflags (6 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 15/min burst 5 LOG flags 0 level 4 prefix `Badflags:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain dropwall (0 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 15/min burst 5 LOG flags 0 level 4 prefix `Dropwall:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain firewall (1 references)
pkts bytes target prot opt in out source destination
0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 limit: avg 15/min burst 5 LOG flags 0 level 4 prefix `Firewall:'
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0

Chain silent (0 references)
pkts bytes target prot opt in out source destination
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0
core2:~#


Cheers
Dan

Last edited by th_dan; 11-15-2006 at 12:18 PM.
 
Old 11-15-2006, 12:19 PM   #11
th_dan
LQ Newbie
 
Registered: Nov 2006
Location: UK
Distribution: Debian 3.1
Posts: 18

Original Poster
Hi,

Anyone got any clues or ideas on this? I've been playing around but gotten nowhere.

Dan
 
Old 11-15-2006, 01:37 PM   #12
zhjim
Senior Member
 
Registered: Oct 2004
Distribution: Debian Squeeze x86_64
Posts: 1,748
Blog Entries: 11

These are only things off the top of my head, but they might be worth checking out:

See if you get any ICMP messages when using the mail service. Might be some ICMP source quench.

Another thing is related to DNS. Some mail servers try a reverse DNS lookup.

In general, just insert

iptables -I INPUT 1 -j LOG --log-prefix "IN: " --log-ip-options
iptables -I FORWARD 1 -j LOG --log-prefix "FOR: " --log-ip-options

to see what happens when you go for mail. And watch the traffic with tail -f /var/log/messages
or wherever your iptables logs to.

Hope it helps a bit.
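An added example (not zhjim's or Dan's code) of the logging approach above: it installs the two LOG rules with a rate limit so a busy link cannot flood syslog, and summarises the resulting kernel log lines by prefix, protocol, inbound interface and destination port, so that a slow operation such as the Outlook send can be matched to the packets it produced. The sample log lines are constructed (documentation addresses, the thread's eth0/eth1 and 10.0.0.0/24 layout); IPT=echo prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the thread. Installs the two LOG rules zhjim
# suggests (rate-limited, so a busy link cannot flood syslog) and summarises
# what they record, so that a slow operation like the Outlook send can be
# traced to the packets it produced. IPT=echo prints rules instead.
IPT="${IPT:-/sbin/iptables}"

install_log_rules() {
    $IPT -I INPUT 1 -m limit --limit 30/min -j LOG --log-prefix "IN: " --log-ip-options
    $IPT -I FORWARD 1 -m limit --limit 30/min -j LOG --log-prefix "FOR: " --log-ip-options
}

# Reads syslog lines on stdin (tail -f /var/log/messages | summarize_fw_log)
# and prints "prefix proto in-iface dport count", one line per combination.
summarize_fw_log() {
    awk '
    {
        # the kernel writes the rule prefix right after "kernel: ",
        # followed by KEY=VALUE fields
        if (!match($0, /kernel: [A-Za-z]+: /)) next
        prefix = substr($0, RSTART + 8, RLENGTH - 10)
        proto = ""; iface = "-"; dport = "-"
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "IN" && kv[2] != "") iface = kv[2]
            else if (kv[1] == "DPT") dport = kv[2]
        }
        if (proto != "") count[prefix " " proto " " iface " " dport]++
    }
    END { for (k in count) print k, count[k] }' | LC_ALL=C sort
}

# Constructed sample of what the two rules log (documentation addresses,
# not from the thread); an unrelated sshd line shows that non-kernel
# lines are ignored.
sample_log() {
    cat <<'EOF'
Nov 15 13:40:01 core2 kernel: FOR: IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=203.0.113.25 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=1 DF PROTO=TCP SPT=1055 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 15 13:40:01 core2 kernel: FOR: IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=203.0.113.25 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=2 DF PROTO=TCP SPT=1055 DPT=25 WINDOW=65535 RES=0x00 SYN URGP=0
Nov 15 13:40:02 core2 kernel: IN: IN=eth1 OUT= SRC=203.0.113.25 DST=198.51.100.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 15 13:40:03 core2 kernel: FOR: IN=eth0 OUT=eth1 SRC=10.0.0.5 DST=203.0.113.53 LEN=64 TOS=0x00 PREC=0x00 TTL=127 ID=3 PROTO=UDP SPT=1056 DPT=53 LEN=44
Nov 15 13:40:04 core2 sshd[1234]: Accepted publickey for dan from 10.0.0.5 port 1060 ssh2
Nov 15 13:40:05 core2 kernel: IN: IN=eth1 OUT= SRC=203.0.113.25 DST=198.51.100.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=4 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
EOF
}

sample_log | summarize_fw_log
```

The two retried SMTP SYNs from 10.0.0.5 collapse into one "FOR TCP eth0 25 2" line, which is the kind of pattern to look for when a mail client stalls.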
 
  

