LinuxQuestions.org
06-21-2004, 11:48 AM   #1
fiftybucks (LQ Newbie, Registered: Jun 2004, Posts: 1)
slackware 9.1 firewall script


Hi Guys,

I'm a relative newbie to this and I am trying to work a problem out with my firewall scripting. This is the background to the prob:

Linux Slackware 9.1 server with three 3com 3c905c NICs. One nic for the public (internet), one nic for the DMZ, one nic for the lan. The DMZ has a citrix server farm in it consisting of a Web Interface server and a services gateway server. These two operate on ports 80 and 443. All the lan traffic on port 80 is redirected to a squid proxy on port 3128.

I want the outside to be able to log on to the DMZ servers and then via them be able to see the citrix server sitting on the lan side. The DMZ pcs have public and private ip ranges that get NATTED by the firewall.

Anyways, to cut a long story short, the NATTING works within all the IP ranges of the local cards but the outside access keeps getting firewalled out. Please have a look at my firewall script below and let me know your thoughts:

#!/bin/sh

#############################################################################
# Initialise Firewall Configuration
#############################################################################

modprobe ip_nat_ftp

#
# Defaults
#
iptables -F
iptables -F -t nat
iptables -X

##
## Allow loopback interface
##
iptables -A INPUT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
iptables -A OUTPUT -o lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT

##
## state
##
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#############################################################################
# Forwarding / Masquerading
#############################################################################

iptables -t nat -A PREROUTING -i eth0 -p tcp -s 0.0.0.0/0 -d 196.28.25.141 --dport 443 -j DNAT --to 10.0.0.2:443
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 0.0.0.0/0 -d 196.28.25.142 --dport 443 -j DNAT --to 10.0.0.3:443
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 0.0.0.0/0 -d 196.28.25.141 --dport 80 -j DNAT --to 10.0.0.2:80
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 0.0.0.0/0 -d 196.28.25.142 --dport 80 -j DNAT --to 10.0.0.3:80

iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -d ! 196.28.25.140/32 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.0.0.2/32 -d ! 196.28.25.141/32 -j MASQUERADE
iptables -t nat -A POSTROUTING -s 10.0.0.3/32 -d ! 196.28.25.142/32 -j MASQUERADE
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 192.168.1.0/24 -d 0.0.0.0/0 --dport 80 -j REDIRECT --to-ports 3128

#############################################################################
# Input/Forward/Output Firewall Rules
#############################################################################

#Rules::

##
## Local
##
iptables -A INPUT -i eth0 -s 196.28.25.136/29 -d 196.28.25.136/29 -j ACCEPT
iptables -A INPUT -i eth0 -s 196.28.25.136/29 -d 10.0.0.0/8 -j ACCEPT
iptables -A FORWARD -i eth0 -s 196.28.25.136/29 -d 0.0.0.0/0 -j ACCEPT
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -d 196.28.25.136/29 -j ACCEPT
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -d 0.0.0.0/0 -j ACCEPT
iptables -A INPUT -i eth1 -s 10.0.0.0/8 -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -i eth1 -s 10.0.0.0/8 -d 196.28.25.136/29 -j ACCEPT
iptables -A FORWARD -i eth1 -s 10.0.0.0/8 -d 10.0.0.0/8 -j ACCEPT
iptables -A FORWARD -i eth1 -s 10.0.0.0/8 -d 0.0.0.0/0 -j ACCEPT
iptables -A FORWARD -i eth1 -s 10.0.0.0/8 -d 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -i eth2 -s 192.168.1.0/24 -d 10.0.0.0/24 -j ACCEPT
iptables -A INPUT -i eth2 -s 192.168.1.0/24 -d 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -i eth2 -s 192.168.1.0/24 -d 10.0.0.0/8 -j ACCEPT

##
## Citrix services
##
iptables -A FORWARD -i eth2 -p tcp -s 192.168.1.0/24 -d 10.0.0.0/8 --dport 80 -j ACCEPT
iptables -A FORWARD -i eth2 -p tcp -s 192.168.1.0/24 -d 10.0.0.0/8 --dport 1494 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -s 10.0.0.0/8 -d 192.168.1.0/24 --dport 1494 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -s 0.0.0.0/0 -d 10.0.0.0/8 --dport 80 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -s 0.0.0.0/0 -d 10.0.0.0/8 --dport 443 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -s 10.0.0.0/8 -d 0.0.0.0/0 --dport 443 -j ACCEPT
iptables -A FORWARD -i eth1 -p tcp -s 10.0.0.0/0 -d 0.0.0.0/0 --dport 80 -j ACCEPT

##
## mail
##
iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 25 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 113 -j REJECT --reject-with tcp-reset
iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 110 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 25 -j ACCEPT
iptables -A FORWARD -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 110 -j ACCEPT
iptables -A INPUT -i eth2 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 25 -j ACCEPT
iptables -A INPUT -i eth2 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 113 -j REJECT --reject-with tcp-reset
#iptables -A INPUT -i eth2 -p tcp -s 196.22.196.62 -d 0.0.0.0/0 --dport 143 -j ACCEPT
iptables -A INPUT -i eth2 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 110 -j ACCEPT
iptables -A FORWARD -i eth2 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 25 -j ACCEPT
iptables -A FORWARD -i eth2 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 110 -j ACCEPT

##
## ssh
##
iptables -A INPUT -i eth1 -p tcp -s 10.0.0.0/8 -d 10.0.0.0/8 --dport 22 -j ACCEPT

##
## ftp
##
iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 21 -j ACCEPT

##
## http
##
iptables -A INPUT -i eth0 -p tcp -s 196.28.25.136/29 -d 0.0.0.0/0 --dport 80 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -s 10.0.0.0/8 -d 196.28.25.136/29 --dport 80 -j ACCEPT
iptables -A INPUT -i eth1 -p tcp -s 10.0.0.0/8 -d 192.168.1.0/24 --dport 80 -j ACCEPT

##
## dns
##
iptables -A INPUT -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 53 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 53 -j ACCEPT

##
## dhcp
##
#iptables -A INPUT -i eth0 -p udp -s 0.0.0.0/0 -d 255.255.255.255 --dport 67:68 -j ACCEPT
#echo "dhcp"

##
## IPSec
##
#iptables -A INPUT -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 500 -j ACCEPT
#iptables -A INPUT -i eth0 -p 50 -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
#iptables -A INPUT -i eth0 -p 51 -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
#iptables -A INPUT -i ipsec0 -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
#iptables -A FORWARD -i ipsec0 -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
#iptables -A FORWARD -i eth0 -s 192.168.0.0/16 -d 10.255.255.0/24 -j ACCEPT

##
## icmp
##
#iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 5 -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
#iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
#iptables -A INPUT -i eth0 -p icmp --icmp-type network-unreachable -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
#iptables -A INPUT -i eth0 -p icmp --icmp-type host-unreachable -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
#iptables -A INPUT -i eth0 -p icmp --icmp-type port-unreachable -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
#iptables -A INPUT -i eth0 -p icmp --icmp-type fragmentation-needed -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
#iptables -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
#iptables -A INPUT -i eth0 -p udp -s 0.0.0.0/0 -d 0.0.0.0/0 --dport 33444:33450 -j ACCEPT


#############################################################################
# Default Rules
#############################################################################

#iptables -A FORWARD -j LOG --log-prefix 'FORWARD policy [DROP]: '
iptables -P FORWARD DROP

iptables -P OUTPUT ACCEPT

#iptables -A INPUT -j LOG --log-prefix "INPUT [DROP]:"
iptables -P INPUT DROP

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $file
done
### IPsec needs this
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter

# no source routes
for file in /proc/sys/net/ipv4/conf/*/accept_source_route;
do
echo 0 > $file
done

# TCP SYN cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# ICMP redirects
for file in /proc/sys/net/ipv4/conf/*/accept_redirects;
do
echo 0 > $file
done

#Log martians so you can tell your friends youve seen them
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

#Explicit congestion notification - disabled coz some things like hotmail dont work
#echo 0 > /proc/sys/net/ipv4/tcp_ecn

#TCP timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps

# icmp broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

## icmp reply rate .. need to read some more on this. in 1/100s
#echo 1 > /proc/sys/net/ipv4/icmp_echoreply_rate

# "bogus" icmp responses
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

#allow 8192 tracked connections .. each conn uses 350 bytes of ram. 8192 is for 128 meg ram
#echo "8192" >/proc/sys/net/ipv4/ip_conntrack_max


### END
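Added example, not part of the thread or the poster's script: a small Python model of how a brand-new connection from the Internet passes the script's nat PREROUTING DNAT rules and then its FORWARD chain, using the rules quoted above. The client address 203.0.113.5 and the FORWARD_FIXED rule set are constructed assumptions, and the model ignores protocol and conntrack state, looking only at -i, -s, -d and --dport.

```python
import ipaddress
from collections import namedtuple

# Constructed model of the script's chains: only -i, -s, -d, --dport are matched.
Packet = namedtuple("Packet", "in_if src dst dport")

def match(rule, pkt):
    """Apply a rule's -i, -s, -d and --dport matches (a missing match means any)."""
    return (rule.get("i") in (None, pkt.in_if)
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.get("s", "0.0.0.0/0"))
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.get("d", "0.0.0.0/0"))
            and rule.get("dport") in (None, pkt.dport))

# nat PREROUTING DNAT rules from the post: public 196.28.25.141/.142 -> DMZ 10.0.0.2/.3
PREROUTING = [
    {"i": "eth0", "d": "196.28.25.141/32", "dport": 443, "to": "10.0.0.2"},
    {"i": "eth0", "d": "196.28.25.142/32", "dport": 443, "to": "10.0.0.3"},
    {"i": "eth0", "d": "196.28.25.141/32", "dport": 80, "to": "10.0.0.2"},
    {"i": "eth0", "d": "196.28.25.142/32", "dport": 80, "to": "10.0.0.3"},
]

# FORWARD rules from the post that can match a new inbound connection
# (ESTABLISHED,RELATED is left out because a fresh SYN never matches it).
FORWARD = [
    {"i": "eth0", "s": "196.28.25.136/29", "target": "ACCEPT"},
    {"i": "eth1", "s": "10.0.0.0/8", "target": "ACCEPT"},
    {"i": "eth2", "s": "192.168.1.0/24", "d": "10.0.0.0/8", "target": "ACCEPT"},
]

# Hypothetical extra rules (not from the post): accept on eth0 exactly what
# PREROUTING rewrote toward the DMZ hosts, and nothing wider.
FORWARD_FIXED = FORWARD + [
    {"i": "eth0", "d": f"10.0.0.{h}/32", "dport": p, "target": "ACCEPT"}
    for h in (2, 3) for p in (80, 443)
]

def prerouting(pkt):
    """DNAT runs before the routing decision, so FORWARD sees the private address."""
    for r in PREROUTING:
        if match(r, pkt):
            return pkt._replace(dst=r["to"])
    return pkt

def forward_verdict(pkt, chain, policy="DROP"):
    """First matching rule wins; with no match the chain policy (-P FORWARD DROP) applies."""
    for r in chain:
        if match(r, pkt):
            return r["target"]
    return policy

def trace(in_if, src, dst, dport, chain=FORWARD):
    return forward_verdict(prerouting(Packet(in_if, src, dst, dport)), chain)
```

With the chains as posted, a packet from the /29 neighbour is accepted by the first eth0 FORWARD rule while the same request from any other Internet address falls through to the DROP policy, which matches the behaviour described in the post.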