Linux - Security (LinuxQuestions.org forum): This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.

03-21-2007, 11:00 AM | #1 | Member | Registered: May 2001 | Location: Canada | Distribution: old ones | Posts: 555
Can you guys help me get my firewall set up???
Yeah I don't really know what I am doing that much, but the security of my company's (small) network relies on me!
So, here's what I have.
IBM SystemX 3000 server, intel dual-core, 1 GB RAM with Ubuntu Edgy 6.10 for AMD64 installed (no GUI though).
This server stands between the Internet (adsl modem) and a LAN with about 20 Windows computers. For now it runs squid, squidGuard, and apache (only for serving the squid cachemgr status pages, and squidGuard error pages).
It is replacing a Mandrake Multi Network Firewall server that was unreliable and has finally crashed for good.
On my old server I had an iptables script that set my firewall rules. Everything worked well with it.
On my new server, this same script doesn't work so well. I cannot get email, FTP, or HTTPS through it. It is also possible that something other than the firewall is screwed up.
Currently we are not using the script. I just boot up the server and away we go. I have manually configured the browsers to use squid as a proxy, since the way I normally would do it is use iptables to just redirect the traffic to squid.
iptables -L
Code:
root@proxy:/home/angela# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination
Chain FORWARD (policy ACCEPT)
target prot opt source destination
TCPMSS tcp -- anywhere anywhere tcp flags:SYN,RST/SYN tcpmss match 1400:1536 TCPMSS clamp to PMTU
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
With the above setup, we can access HTTP, HTTPS, and e-mail, but obviously this is not the ideal setup.
I guess my old firewall script must not be compatible with my 2.6 kernel. Can someone point me to a working sample script and maybe give some hints on protecting my network? I read some of the other posters' questions but a lot of it seems quite advanced for me. Anything step-by-step would be great.
Thanks in advance.
--A

03-21-2007, 11:31 AM | #2 | LQ 5k Club | Registered: Aug 2005 | Distribution: OpenSuse, Fedora, Redhat, Debian | Posts: 5,399
I always recommend to people such as yourself to use a canned, pre-configured firewall package such as my favorite HomeLANSecurity. If you haven't mastered the art of iptables setup, it makes sense to use a package that has been developed and tested over time, with numerous users and a feedback history. Since your setup sounds like a typical home network (local class C LAN routed to the Internet through a firewall), the HomeLANSecurity package seems appropriate. It is fairly easy to understand and modify or expand, if you have specific requirements. There are other similar packages out there.
--- rod.

03-21-2007, 12:44 PM | #3 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
would it be possible for us to see the iptables script??

03-21-2007, 01:27 PM | #4 | Member (Original Poster) | Registered: May 2001 | Location: Canada | Distribution: old ones | Posts: 555
Sure, here it is (comments stripped out)
Code:
echo " Enabling Dynamic Addressing ... "
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo " ---- "
echo " Clearing existing iptables rules ..."
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -t nat -F
if [ -n "$(iptables -L | grep drop-and-log)" ]; then
iptables -F drop-and-log
fi
echo " .. existing iptables rules cleared."
echo " Setting default policy to DROP"
iptables -F -t mangle
echo " Creating a DROP chain ..."
iptables -N drop-and-log
iptables -A drop-and-log -j DROP
echo " Creating a ACCEPT chain ..."
iptables -N pass-and-log
iptables -A pass-and-log -j ACCEPT
echo -e "\n Loading INPUT rulesets ..."
iptables -A INPUT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
iptables -A INPUT -i eth1 -s 192.168.1.0/24 -d 0.0.0.0/0 -j pass-and-log
iptables -A INPUT -i ppp0 -s 192.168.1.0/24 -d 0.0.0.0/0 -j drop-and-log
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -d 0.0.0.0/0 -j drop-and-log
iptables -A INPUT -i ppp0 -p ICMP -s 0.0.0.0/0 -j pass-and-log
iptables -A INPUT -i eth0 -p ICMP -s 0.0.0.0/0 -j pass-and-log
iptables -A INPUT -i eth1 -p tcp --dport 135:139 -j pass-and-log
iptables -A INPUT -i eth1 -p udp --dport 135:139 -j pass-and-log
iptables -A INPUT -i eth1 -p tcp --dport 445 -j pass-and-log
iptables -A INPUT -i eth1 -p udp --dport 445 -j pass-and-log
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j pass-and-log
iptables -A INPUT -i eth1 -p tcp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -i eth1 -p udp --sport 68 --dport 67 -j ACCEPT
iptables -A INPUT -p tcp --dport 6881:6889 -j ACCEPT
iptables -A INPUT -p udp --dport 6881:6889 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j drop-and-log
echo -e " Loading FORWARD rulesets ..."
echo " Allow NetBIOS connections for Windows Shares"
iptables -A FORWARD -p tcp --dport 135:139 -j pass-and-log
iptables -A FORWARD -p udp --dport 135:139 -j pass-and-log
iptables -A FORWARD -p tcp --dport 445 -j pass-and-log
iptables -A FORWARD -p udp --dport 445 -j pass-and-log
echo " Drop Windoze SQL Slammer virus packets"
iptables -A FORWARD -p tcp --dport 1434 -j drop-and-log
iptables -A FORWARD -p udp --dport 1434 -j drop-and-log
echo " Block the Windows XP RPC DCOM worm"
iptables -A FORWARD -p tcp --dport 4444 -j drop-and-log
iptables -A FORWARD -p udp --dport 4444 -j drop-and-log
iptables -A FORWARD -p tcp --dport 593 -j drop-and-log
iptables -A FORWARD -p udp --dport 593 -j drop-and-log
iptables -A FORWARD -p tcp --dport 69 -j drop-and-log
iptables -A FORWARD -p udp --dport 69 -j drop-and-log
iptables -A FORWARD -p tcp --dport 6969 -j drop-and-log
iptables -A FORWARD -p udp --dport 6969 -j drop-and-log
iptables -A FORWARD -p tcp --dport 666 -j drop-and-log
iptables -A FORWARD -p udp --dport 666 -j drop-and-log
echo " Redirect all outbound http traffic to squid"
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3328
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j pass-and-log
iptables -A FORWARD -i eth1 -o ppp0 -j pass-and-log
iptables -A FORWARD -j drop-and-log
echo " Enabling masquerading functionality on ppp0"
iptables -A POSTROUTING -t nat -o ppp0 -j MASQUERADE
echo " Loading OUTPUT ruleset"
iptables -A OUTPUT -o lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
iptables -A OUTPUT -o eth1 -d 192.168.1.0/24 -j pass-and-log
iptables -A OUTPUT -o ppp0 -s 0.0.0.0/0 -d 192.168.1.0/24 -j drop-and-log
iptables -A OUTPUT -o eth0 -s 0.0.0.0/0 -d 192.168.1.0/24 -j drop-and-log
iptables -A OUTPUT -o ppp0 -d 0.0.0.0/0 -j pass-and-log
iptables -A OUTPUT -o eth0 -d 0.0.0.0/0 -j pass-and-log
iptables -A OUTPUT -o eth1 -p tcp -s 192.168.1.0/24 --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
iptables -A OUTPUT -o eth1 -p udp -s 192.168.1.0/24 --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
iptables -A OUTPUT -s 0.0.0.0/0 -d 0.0.0.0/0 -j drop-and-log
echo -e "\nFirewall loaded."
This worked fine on the old 2.4 kernel system.

03-21-2007, 03:31 PM | #5 | Member (Original Poster) | Registered: May 2001 | Location: Canada | Distribution: old ones | Posts: 555
After much googling, I have discovered that I need to add "modprobe ip_nat_ftp" somewhere in there in order to get my ftp working (it works now, but won't after reboot). Where should it go? at the beginning?
theNbombr, thanks for the tip. I read through the website you provided. My plan is to eventually get a Smoothwall box up in between my server and the ADSL modem. For the short term, I just need some simple firewall rules for basic protection. Unfortunately I didn't understand a lot of the options provided by homeLANsecurity, and I can't really afford much more down time for configuration. (That's why my server is running sans firewall right now.)

03-21-2007, 03:36 PM | #6 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote:
Originally Posted by Avatar
Sure, here it is (comments stripped out) [the iptables script quoted in full from post #4]
well, i just ran your script and it only generated one (harmless) error... it was due to your if/then statement (iptables: No chain/target/match by that name)... i don't see anything in your script that would make it so that it would work on a vanilla 2.4 while not working on a vanilla 2.6 - all the matches you are using are ubiquitous ones, etc...
i would just point-out that squid listens by default on port 3128 (not 3328 as you used) although of course you might have your squid listening on a non-default port... but there's also no rule in your FORWARD chain for TCP packets with --dport 443... that would be necessary if you want the LAN to be able to browse HTTPS sites...
BTW, you are doing an *incredible* amount of logging... are you sure it isn't overkill??
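win32sux's point about the volume of logging is the usual objection to a `-j LOG` rule on every accepted and dropped packet: a port scan or a busy LAN fills the syslog and buries the lines that matter. The functions below are an added example, not code from either poster; they keep the drop-and-log and pass-and-log chain names from Avatar's script but put a `-m limit` match in front of each LOG rule, and log only the first packet of accepted connections. The rate (5 per minute, burst 10), the log prefixes and the log level are assumed values. Setting `IPT=echo` turns the functions into a dry run that prints the rules instead of loading them, a cheap way to check a script before running it as root.

```shell
#!/bin/sh
# Rate-limited logging chains for an iptables script. Added example, not code
# from the thread; the rate, burst and log prefixes are assumed values.
# IPT=echo turns the functions into a dry run that prints the rules.
IPT="${IPT:-/sbin/iptables}"
LOG_RATE="${LOG_RATE:-5/min}"      # at most this many log lines per chain...
LOG_BURST="${LOG_BURST:-10}"       # ...after an initial burst of this many

# Create a user chain, emptying and removing any previous copy first so the
# script can be re-run without "Chain already exists" errors.
fresh_chain() {
    $IPT -F "$1" 2>/dev/null || true
    $IPT -X "$1" 2>/dev/null || true
    $IPT -N "$1"
}

build_log_chains() {
    fresh_chain drop-and-log
    # Log a bounded number of the dropped packets, then drop all of them.
    $IPT -A drop-and-log -m limit --limit "$LOG_RATE" --limit-burst "$LOG_BURST" \
        -j LOG --log-prefix "FW DROP: " --log-level 4
    $IPT -A drop-and-log -j DROP

    fresh_chain pass-and-log
    # For accepted traffic log only the first packet of a connection (NEW),
    # again rate-limited, rather than every packet of every flow.
    $IPT -A pass-and-log -m state --state NEW \
        -m limit --limit "$LOG_RATE" --limit-burst "$LOG_BURST" \
        -j LOG --log-prefix "FW ACCEPT: " --log-level 4
    $IPT -A pass-and-log -j ACCEPT
}

# Usage: "sh log-chains.sh dry-run" prints the rules, "sh log-chains.sh apply" loads them.
case "${1:-}" in
    dry-run) IPT=echo; build_log_chains ;;
    apply)   build_log_chains ;;
esac
```

The rest of the script then jumps to these chains exactly as Avatar's does (`-j drop-and-log`, `-j pass-and-log`); the difference is only that the kernel stops writing log lines once the per-chain budget is spent, and resumes as the budget refills.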

03-21-2007, 04:03 PM | #7 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
Quote:
Originally Posted by Avatar
After much googling, I have discovered that I need to add "modprobe ip_nat_ftp" somewhere in there in order to get my ftp working (it works now, but won't after reboot). Where should it go? at the beginning?
from the /etc/modules file on Ubuntu 6.06:
Code:
# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
Quote:
theNbombr, thanks for the tip. I read through the website you provided. My plan is to eventually get a Smoothwall box up in between my server and the ADSL modem. For the short term, I just need some simple firewall rules for basic protection. Unfortunately I didn't understand a lot of the options provided by homeLANsecurity, and I can't really afford much more down time for configuration. (That's why my server is running sans firewall right now.)
i can hook-you-up with a simple custom-made iptables script if you want... just let me know what services you are running on the internal and external interfaces... also, what kinda outgoing traffic you wanna allow for clients on your LAN, etc...
Last edited by win32sux; 03-21-2007 at 04:20 PM.

03-21-2007, 04:17 PM | #8 | LQ 5k Club | Registered: Aug 2005 | Distribution: OpenSuse, Fedora, Redhat, Debian | Posts: 5,399
Quote:
Originally Posted by Avatar
Unfortunately I didn't understand a lot of the options provided by homeLANsecurity, and I can't really afford much more down time for configuration. (That's why my server is running sans firewall right now.)
Hmm. I see what you mean. It's gotten a lot more complex since I first started using it. My existing implementations were basically just a cut and paste from the web site into a shell script. Might have to re-think my standard recommendation for beginners.
--- rod.

03-21-2007, 07:05 PM | #9 | LQ 5k Club | Registered: Aug 2005 | Distribution: OpenSuse, Fedora, Redhat, Debian | Posts: 5,399
Actually, now that I've had a closer look, I'm going to rescind that last statement. There is really only one file to configure, and the options for that file are clearly documented in the file itself (terse), and in the README (more verbose). It looks like the default configuration stands a pretty good chance of working for many people right out of the box.
--- rod.

03-22-2007, 03:49 PM | #10 | Member (Original Poster) | Registered: May 2001 | Location: Canada | Distribution: old ones | Posts: 555
win32sux: Yes, my squid is configured to listen on port 3328; I should have mentioned that. When my browsers are configured manually to use squid for a proxy, browsing seems fine (even https).
Also, if you look carefully, my pass-and-log and my drop-and-log chains do not actually log anything (they used to, but I have removed it). So now it is just -j ACCEPT or -j DROP.
What services are we running? Well, I have SAMBA, squid/squidguard, and an apache webserver running on that box. The webserver only serves internal clients on the LAN (squidGuard error pages, squid cachemgr status pages, etc.). LAN clients can surf the web (80 and 443), the managers have email (25 and 110), and I need to be able to SSH in to the server and SSH out to some remote servers too. Does that help?
I would like to use squid in transparent mode, so that traffic trying to pass through to the Internet is automatically redirected to 3328.
Rod -- I think this product would be great for someone starting out; I just don't have the confidence to try it at this point as I have spent days debugging and tweaking my squid/squidguard setup and don't have it in me to have to tweak/debug a firewall implementation. The net access would be going up and down as I try to get it running with our setup. I would be much more interested if I wasn't planning on hooking up a second dedicated firewall (Smoothwall) box. Thanks for the suggestion though.

03-23-2007, 03:33 AM | #11 | LQ Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
here's an iptables script i wrote for you, based on the requirements you posted above... i commented as many of the rules as i could, in an effort to make it as clear as possible... you should be able to get it working without having to edit anything but the top part with the variables...
the script assumes you have three managers (please let me know how many you really have), and matches them using IP and MAC... it also does this for *your* client machine, and it provides you with unrestricted access to the WAN... let me know if you don't wish to use MAC filtering...
HTTP is transparently proxied, and everything else (including HTTPS) is NATed...
Code:
#!/bin/sh
IPT="/sbin/iptables"
SQUID_PORT="3328"
WAN_IFACE="eth1"
LAN_IFACE="eth0"
LAN_IFACE_IP="192.168.1.1"
LAN_IFACE_SUBNET="192.168.1.0/24"
AVATAR_IP="192.168.1.101"
AVATAR_MAC="xx:xx:xx:xx:xx:xx"
MANAGER_01_IP="192.168.1.111"
MANAGER_01_MAC="xx:xx:xx:xx:xx:xx"
MANAGER_02_IP="192.168.1.112"
MANAGER_02_MAC="xx:xx:xx:xx:xx:xx"
MANAGER_03_IP="192.168.1.113"
MANAGER_03_MAC="xx:xx:xx:xx:xx:xx"
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -N AVATAR_ACCESS
$IPT -N MANAGER_ACCESS
$IPT -N REGULAR_ACCESS
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
# HTTP service:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_IFACE_SUBNET --dport 80 \
-m state --state NEW -j ACCEPT
# Proxy service:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_IFACE_SUBNET --dport $SQUID_PORT \
-m state --state NEW -j ACCEPT
# NETBIOS Name Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_IFACE_SUBNET --dport 137 \
-m state --state NEW -j ACCEPT
# NETBIOS Datagram Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_IFACE_SUBNET --dport 138 \
-m state --state NEW -j ACCEPT
# NETBIOS session service:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_IFACE_SUBNET --dport 139 \
-m state --state NEW -j ACCEPT
# Microsoft Naked CIFS:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_IFACE_SUBNET --dport 445 \
-m state --state NEW -j ACCEPT
# SSH service (Avatar only):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $AVATAR_IP --dport 22 \
-m mac --mac-source $AVATAR_MAC \
-m state --state NEW -j ACCEPT
$IPT -A INPUT -j LOG --log-prefix "INPUT DROP: "
$IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Connection by Avatar?
$IPT -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s $AVATAR_IP \
-m mac --mac-source $AVATAR_MAC \
-m state --state NEW -j AVATAR_ACCESS
# Connection by Manager #1?
$IPT -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s $MANAGER_01_IP \
-m mac --mac-source $MANAGER_01_MAC \
-m state --state NEW -j MANAGER_ACCESS
# Connection by Manager #2?
$IPT -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s $MANAGER_02_IP \
-m mac --mac-source $MANAGER_02_MAC \
-m state --state NEW -j MANAGER_ACCESS
# Connection by Manager #3?
$IPT -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s $MANAGER_03_IP \
-m mac --mac-source $MANAGER_03_MAC \
-m state --state NEW -j MANAGER_ACCESS
# Connection by LAN client?
$IPT -A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s $LAN_IFACE_SUBNET \
-m state --state NEW -j REGULAR_ACCESS
$IPT -A FORWARD -j LOG --log-prefix "FORWARD DROP: "
# Unrestricted remote access for Avatar:
$IPT -A AVATAR_ACCESS -j ACCEPT
# Only remote HTTPS/SMTP/POP3 access for managers:
$IPT -A MANAGER_ACCESS -p TCP -m multiport \
--dport 443,25,110 -j ACCEPT
# Only remote HTTPS access for LAN clients:
$IPT -A REGULAR_ACCESS -p TCP --dport 443 -j ACCEPT
# Transparent proxy:
$IPT -t nat -A PREROUTING -p TCP -i $LAN_IFACE --dport 80 \
-d ! $LAN_IFACE_IP -j REDIRECT --to-ports $SQUID_PORT
$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
EDIT: just noticed you never mentioned DNS... are you running a DNS daemon on this box or do clients on the LAN use your ISP's DNS servers?? web surfing won't work until rules for DNS are put in the script...
Last edited by win32sux; 03-23-2007 at 01:47 PM.
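The DNS gap win32sux flags in his EDIT, together with the ip_nat_ftp question from post #5, can be closed with a small add-on to that script. What follows is an added example and not part of win32sux's script or of anything Avatar posted; it assumes his variable and chain names (IPT, LAN_IFACE, LAN_IFACE_SUBNET, REGULAR_ACCESS), and the resolver addresses are constructed TEST-NET-3 placeholders to be replaced with the ISP's real ones. Appending the DNS rules to REGULAR_ACCESS covers the managers as well: their own chain has no DNS match, so the packet returns to FORWARD and is picked up by the "Connection by LAN client?" rule. With ISP_DNS left empty the queries are instead accepted in INPUT, for the case where a DNS daemon on the firewall serves the LAN.

```shell
#!/bin/sh
# Add-on for the three-chain script above: DNS for the LAN plus FTP helpers.
# Added example; the variable and chain names below are assumed to match
# win32sux's script, and the resolver addresses are constructed (TEST-NET-3).
IPT="${IPT:-/sbin/iptables}"
LAN_IFACE="${LAN_IFACE:-eth0}"
LAN_IFACE_SUBNET="${LAN_IFACE_SUBNET:-192.168.1.0/24}"
# Space-separated ISP resolvers; leave empty if a DNS daemon on this box serves the LAN.
ISP_DNS="${ISP_DNS:-203.0.113.1 203.0.113.2}"
ALLOW_FTP="${ALLOW_FTP:-1}"

# FTP opens a second (data) connection that plain connection tracking cannot
# relate to the control session; the conntrack helper fixes that, and the NAT
# helper rewrites the addresses carried inside FTP commands for masqueraded
# clients. Kernels of the 2.6.17 era name them ip_*, later kernels nf_*; try both.
load_ftp_helpers() {
    for mod in ip_conntrack_ftp ip_nat_ftp nf_conntrack_ftp nf_nat_ftp; do
        modprobe "$mod" 2>/dev/null || true
    done
}

# DNS rules. Clients that use the ISP's resolvers need their queries forwarded
# (the script's POSTROUTING MASQUERADE rule handles the NAT); a resolver running
# on the firewall itself needs the queries accepted in INPUT instead.
dns_rules() {
    if [ -n "$ISP_DNS" ]; then
        # REGULAR_ACCESS is reached by every new LAN->WAN connection, including
        # the managers' (their chain falls through when it has no match), so one
        # set of rules serves all clients. Only the named resolvers are allowed.
        for srv in $ISP_DNS; do
            for proto in udp tcp; do    # TCP carries answers too large for UDP
                $IPT -A REGULAR_ACCESS -p "$proto" -d "$srv" --dport 53 -j ACCEPT
            done
        done
    else
        for proto in udp tcp; do
            $IPT -A INPUT -p "$proto" -i "$LAN_IFACE" -s "$LAN_IFACE_SUBNET" --dport 53 \
                -m state --state NEW -j ACCEPT
        done
    fi
}

# FTP control channel for LAN clients; once the helpers are loaded the data
# channel arrives as RELATED and is accepted by the script's first FORWARD rule.
ftp_rules() {
    [ "$ALLOW_FTP" = "1" ] || return 0
    $IPT -A REGULAR_ACCESS -p tcp --dport 21 -j ACCEPT
}

# Usage: "sh dns-ftp-addon.sh dry-run" prints the rules; "apply" loads them.
case "${1:-}" in
    dry-run) IPT=echo; dns_rules; ftp_rules ;;
    apply)   load_ftp_helpers; dns_rules; ftp_rules ;;
esac
```

Run it after win32sux's script so REGULAR_ACCESS already exists. For the helper modules to survive a reboot, either call load_ftp_helpers from the firewall script or list ip_conntrack_ftp and ip_nat_ftp one per line in /etc/modules, the file win32sux quotes in post #7.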

03-23-2007, 10:14 PM | #12 | LQ Newbie | Registered: Mar 2007 | Location: Toronto, Canada | Distribution: Gentoo GNU/Linux | Posts: 15
You can also use webmin to configure iptables - as fun as writing iptables chain rules by hand is, webmin makes the process incredibly easy. If you're running Ubuntu, then you can probably just 'apt-get install webmin', log in, head over to Networking->Linux Firewall; there are even several prebuilt scripts which would help you get started.

04-25-2007, 01:28 PM | #13 | Member (Original Poster) | Registered: May 2001 | Location: Canada | Distribution: old ones | Posts: 555
UPDATE
win32sux:
I didn't try your script before because I somehow got everything working, wasn't sure how so I didn't want to touch it.
Well today for some reason the connection went down and nothing worked again!
The script you wrote works like a charm! Everything works! Even e-mail which was getting me worried. I guess we use the ISP DNS server because when I connect using pon, it sets the servers automatically.
I like how the script gives different access rights to different people. I also didn't know you could go by MAC address with iptables. Now I know, thanks.
Petro: I don't have any GUI installed on my UBUNTU, it's pretty barebones. Just the kernel, basic services, apt-get and a C compiler. However my next project is to set up a smoothwall box so my network is protected better.
Thanks for the help everyone.

04-26-2007, 03:05 PM | #14 | LQ Newbie | Registered: Mar 2007 | Location: Toronto, Canada | Distribution: Gentoo GNU/Linux | Posts: 15
Quote:
Originally Posted by Avatar
UPDATE
Petro: I don't have any GUI installed on my UBUNTU, it's pretty barebones. Just the kernel, basic services, apt-get and a C compiler. However my next project is to set up a smoothwall box so my network is protected better.
Webmin is not a graphical program, it's a background server. What makes it graphical is when you access it like a webpage from another system (think of a router config page from your home DSL router).
Glad to see it worked out though.