LinuxQuestions.org
Old 09-13-2005, 02:29 PM   #1
don_wombat
LQ Newbie
 
Registered: Nov 2004
Posts: 26

Rep: Reputation: 15
NAT/router iptables script


Hey All,

A while back I found a script on this forum that would set up an iptables NAT/Router. I searched all through this forum and haven't been able to find the same script.

It was a really nice one. It would check the iptables location, I believe, then check the kernel modules, then set up the forwarding for the inside/outside and all.

Anyone know what I'm babbling about??

TIA
 
Old 09-14-2005, 01:14 PM   #2
rjkfsm
Member
 
Registered: Apr 2004
Location: Charleston, SC
Distribution: RHEL, CentOS, Debian, Gentoo, Knoppix & DSL
Posts: 126

Rep: Reputation: 15
You really should build your own. No two people's situations are exactly the same.

Learn how to filter out bad packets at
http://www.linuxguruz.com/iptables/h...les-HOWTO.html

and how to set up NAT/IP Forwarding at:
http://iptables-tutorial.frozentux.n...-tutorial.html

As an example, here is an iptables script from a production web server, with external SSH access filtered to a fixed IP and unlimited LAN access.
Quote:
#!/bin/bash

IPTABLES="/sbin/iptables"

# Reset every policy to ACCEPT, then flush and delete all chains in the
# filter, nat and mangle tables so the script starts from a clean slate
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

# User-defined chains: safe (loopback and already-tracked traffic),
# allowed (the services this host offers), blocked (malformed or
# suspicious packets) and ports (rate-limited acceptance of new connections)
$IPTABLES -N safe
$IPTABLES -N allowed
$IPTABLES -N blocked
$IPTABLES -N ports

# Loopback, plus replies belonging to connections conntrack already knows
$IPTABLES -A safe -i lo -j ACCEPT
$IPTABLES -A safe -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A safe -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT

# The LAN gets full access; SSH only from one fixed external address
# (aaa.bbb.ccc.ddd is a placeholder); HTTP from anywhere. Both services
# pass through the rate limit in the "ports" chain
$IPTABLES -A allowed -s 192.168.1.0/24 -j ACCEPT
$IPTABLES -A allowed -p tcp -s aaa.bbb.ccc.ddd --dport 22 -j ports
$IPTABLES -A allowed -p tcp --dport 80 -j ports

# Accept at most one new SYN (or bare RST / RST,ACK) per second per rule
$IPTABLES -A ports -m limit --limit 1/second -p tcp --tcp-flags ALL RST -j ACCEPT
$IPTABLES -A ports -m limit --limit 1/second -p tcp --tcp-flags ALL RST,ACK -j ACCEPT
$IPTABLES -A ports -m limit --limit 1/second -p tcp --tcp-flags ALL SYN -j ACCEPT

# Drop illegal TCP flag combinations (Xmas, NULL, SYN+RST scans), port 0,
# ICMP address-mask probes and anything conntrack marks INVALID
$IPTABLES -A blocked -m state --state NEW -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A blocked -m state --state NEW -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A blocked -m state --state NEW -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A blocked -m state --state NEW -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A blocked -m state --state NEW -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A blocked -p tcp --dport 0 -j DROP
$IPTABLES -A blocked -p udp --dport 0 -j DROP
$IPTABLES -A blocked -p tcp --sport 0 -j DROP
$IPTABLES -A blocked -p udp --sport 0 -j DROP
$IPTABLES -A blocked -p icmp --icmp-type address-mask-request -j DROP
$IPTABLES -A blocked -p icmp --icmp-type address-mask-reply -j DROP
$IPTABLES -A blocked -m state --state INVALID -j DROP

# Kernel hardening: no forwarding (this box is a host, not a router),
# ignore broadcast pings and all echo requests, reverse-path filtering,
# no source routing or ICMP redirects, log martians
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
/bin/echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/secure_redirects
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Enable reverse-path filtering on every interface individually
for i in /proc/sys/net/ipv4/conf/*; do
    /bin/echo "1" > "$i/rp_filter"
done

# Hook the chains into INPUT in order: safe first, then blocked, then
# allowed; whatever falls through hits the DROP policy
$IPTABLES -A INPUT -j safe
$IPTABLES -A INPUT -j blocked
$IPTABLES -A INPUT -j allowed

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
 
Old 09-14-2005, 01:17 PM   #3
don_wombat
LQ Newbie
 
Registered: Nov 2004
Posts: 26

Original Poster
Rep: Reputation: 15
You know, I'm going to. Once I get the routing part working properly!
 
Old 09-14-2005, 01:25 PM   #4
rjkfsm
Member
 
Registered: Apr 2004
Location: Charleston, SC
Distribution: RHEL, CentOS, Debian, Gentoo, Knoppix & DSL
Posts: 126

Rep: Reputation: 15
http://iptables-tutorial.frozentux.n....html#NATINTRO

RK
 
Old 09-14-2005, 01:46 PM   #5
don_wombat
LQ Newbie
 
Registered: Nov 2004
Posts: 26

Original Poster
Rep: Reputation: 15
Appreciate the NAT lesson. Now anyone wanna really help me?
 
Old 09-16-2005, 04:35 AM   #6
saneax
Member
 
Registered: Aug 2004
Distribution: Gentoo, Suse, Fedora, Debian
Posts: 86

Rep: Reputation: 15
You are asking for this
http://www.linuxguruz.com/iptables/s...c.firewall.txt

regards
 
Old 09-16-2005, 07:56 AM   #7
don_wombat
LQ Newbie
 
Registered: Nov 2004
Posts: 26

Original Poster
Rep: Reputation: 15
SWEET! Yes. That is the exact script I was looking for. I'm going to hopefully use this to build the router portion, and then build the firewall around that.

THANKS!!!
 
Old 09-16-2005, 09:56 AM   #8
OhSimma
LQ Newbie
 
Registered: Sep 2005
Posts: 1

Rep: Reputation: 0
I am looking to do basically the same thing. I have not been looking into this too intensely yet, but I was wondering if anyone has created a GUI frontend for this?
 
Old 09-16-2005, 09:58 AM   #9
don_wombat
LQ Newbie
 
Registered: Nov 2004
Posts: 26

Original Poster
Rep: Reputation: 15
I haven't seen a GUI for this script as it's an executable. One thing I've had problems with on FCx is that on restart it doesn't work. The iptables ruleset reloads, but it doesn't work. I'm thinking it has to do with forwarding being turned off by default. If you look at the script, it enables IPv4 forwarding. But this doesn't do it after a restart. Still looking at this...

Last edited by don_wombat; 09-16-2005 at 10:15 AM.
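As an added example (not from this thread, and not one of the linked scripts), here is a small NAT/router script in the shape don_wombat describes: it locates iptables, loads the NAT modules, enables forwarding and masquerades the LAN, and it also writes ip_forward into /etc/sysctl.conf so the setting survives the restart problem described in post #9. The interface names eth0/eth1 and the 192.168.1.0/24 range are assumptions; without the argument "apply" it only prints the rules it would run.

```shell
#!/bin/sh
# Minimal iptables NAT/router setup: find iptables, load modules, enable and
# persist forwarding, masquerade the LAN. Without "apply" it only prints the
# rules so they can be reviewed. Interfaces and LAN range are assumptions.
WAN="${WAN:-eth0}"                    # assumed: interface towards the ISP
LAN="${LAN:-eth1}"                    # assumed: interface towards the inside
LAN_NET="${LAN_NET:-192.168.1.0/24}"  # assumed: inside network
# Locate the iptables binary instead of hard-coding one path.
find_iptables() {
    for p in /sbin/iptables /usr/sbin/iptables; do
        [ -x "$p" ] && { echo "$p"; return 0; }
    done
    command -v iptables 2>/dev/null
}

# Print the router rules, one command per line: only traffic originating on
# the LAN is forwarded out, replies return via conntrack state, and the
# FORWARD policy drops everything else.
nat_rules() {
    ipt="$1"; wan="$2"; lan="$3"; net="$4"
    cat <<EOF
$ipt -F FORWARD
$ipt -t nat -F POSTROUTING
$ipt -P FORWARD DROP
$ipt -A FORWARD -i $lan -o $wan -s $net -j ACCEPT
$ipt -A FORWARD -i $wan -o $lan -m state --state ESTABLISHED,RELATED -j ACCEPT
$ipt -t nat -A POSTROUTING -o $wan -s $net -j MASQUERADE
EOF
}
# A value written to /proc/sys/net/ipv4/ip_forward is lost at reboot (the
# symptom in post #9). Set the key in sysctl.conf, replacing a default "= 0"
# line if one exists; the path is a parameter so a copy can be tested.
persist_forwarding() {
    if grep -q '^net\.ipv4\.ip_forward' "$1" 2>/dev/null; then
        sed -i 's/^net\.ipv4\.ip_forward.*/net.ipv4.ip_forward = 1/' "$1"
    else
        echo 'net.ipv4.ip_forward = 1' >> "$1"
    fi
}
if [ "${1:-}" = "apply" ]; then
    IPT=$(find_iptables) || { echo "iptables not found" >&2; exit 1; }
    # Module names differ between kernel versions; iptables autoloads them too.
    for m in ip_conntrack nf_conntrack iptable_nat ipt_MASQUERADE; do modprobe "$m" 2>/dev/null || true; done
    echo 1 > /proc/sys/net/ipv4/ip_forward
    persist_forwarding /etc/sysctl.conf
    nat_rules "$IPT" "$WAN" "$LAN" "$LAN_NET" | sh -e
else
    nat_rules "${IPT:-iptables}" "$WAN" "$LAN" "$LAN_NET"   # dry run: print only
fi
```

Run it as root with `apply` once the printed rules look right; the dry run needs neither root nor iptables.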
 
Old 09-16-2005, 10:11 AM   #10
adasko
LQ Newbie
 
Registered: Apr 2004
Location: London, UK
Distribution: Debian
Posts: 4

Rep: Reputation: 0
Hi don_wombat,

in traditional forum style, I can't help you resolve your problem but will point to a different script.
I recommend Arno's iptables-firewall script: http://freshmeat.net/projects/iptabl.../?topic_id=151

It certainly made things easier for me. Good luck!

Adasko
 
  

