LinuxQuestions.org

Linux - Security: Firewall\Gateway Script (https://www.linuxquestions.org/questions/linux-security-4/firewall%5Cgateway-script-94552/)

ASP 09-19-2003 12:17 PM

Firewall\Gateway Script
 
I'm sure someone will flame me for this, but oh well...

Here's my problem. I've got a Linux box set up as a gateway, and now I need a firewall script. Here's my setup...

INTERNET
  |  (eth0, 10.10.10.10, bogus IP for example)
GATEWAY
  |  (eth1, 192.168.111.1)
  +-+-+
  C C C
(192.168.111.10-14) (C is a computer; two running Linux, one Windoze)

I've got the gateway set up already (somehow I managed that), but I know very little about iptables, and the how-tos I've managed to find have just confused me, so I need some help with a firewall script.

What I want the script to do is block all incoming SYN packets, and anything using UDP or ICMP, from eth0. It should block all UDP and ICMP from eth1. It should forward all incoming requests on ports 80 and 81 (or whatever the HTTPS port is) to 192.168.111.10. Also, anything else that you would consider essential in a firewall script.

If that is not possible, would someone please tell me why? Also, if there is a site that contains some VERY simple information on making a script like that, PLEASE tell me.

Oh, I'm running Red Hat 9 using iptables.

:scratch: :newbie: :scratch:

Saraev 09-19-2003 05:59 PM

Rule 1) get rid of ICMP on eth1
# drop every ICMP packet that arrives on eth1 and is addressed to the gateway itself
iptables -A INPUT -i eth1 -p icmp -j DROP
You'll want to keep ICMP on eth0 (the "inside" NIC) in case you need to ping it.

Rule 2) Dump some of those SYN/FIN scan flood things
# TCP flag combinations that no legitimate client sends; they show up in port scans
iptables -A INPUT -i eth1 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP   # "Xmas"-style: only FIN+URG+PSH set
iptables -A INPUT -i eth1 -p tcp --tcp-flags ALL NONE -j DROP          # null scan: no flags set at all
iptables -A INPUT -i eth1 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP   # SYN and RST together
iptables -A INPUT -i eth1 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP   # SYN and FIN together


Rule 3) Redirect web requests (I don't know if this one works, been forever since I've used it)

# rewrite the destination of packets that arrive for the public address on port 80 so they
# go to the internal web server; $EXTERNAL_IP and $WEB_SERVER_IP must be set beforehand,
# and the rewritten packets still have to be allowed through the FORWARD chain
iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 80 -j DNAT --to-destination $WEB_SERVER_IP:80


Here's a simple iptables page I put together a while back; it might help you form your rules to be more fitting for your situation.

http://www.technocore.org/nerdCore/iptables.php

Cheers!

/bin/bash 09-21-2003 07:30 AM

Red Hat should have some sort of "Control Panel" app that would allow you to set all that up.

Check out the Basic Firewall Configuration section of the Red Hat Configuration Guide.

ASP 09-21-2003 11:09 PM

Thanks
 
Thanks, your website helped out quite a bit. Very simple and easy to understand.

Yes, I believe there is a GUI utility for configuring that, but it only allows you to set a general system security level (HIGH, MEDIUM or OFF), and anyway, I don't have X Windows on my firewall so I can't use the GUI utility. Thanks anyway.

ASP 09-22-2003 01:40 AM

After further testing, I found that if I block ICMP packets I can no longer resolve DNS queries... any reason you can think of?

seabass55 09-22-2003 10:15 PM

DNS uses UDP packets. I can block all ICMP and have no problems with DNS. You sure you aren't blocking something else? I won't say it's impossible, just that I haven't seen it. TCP/IP does use ICMP for diagnostics. For instance, you'll never get a "host unreachable" with ICMP totally turned off. Here's a table of ICMP types...
http://www.faqs.org/docs/iptables/icmptypes.html
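A complete gateway script that puts the thread's pieces together, added here as an example and not something any of the participants posted. It implements the policy ASP asked for in the first post (no unsolicited SYN, UDP or ICMP from the Internet, ports 80 and 443 forwarded to 192.168.111.10; HTTPS is 443, not 81), reuses Saraev's flag-combination and DNAT rules, and speaks to the DNS/ICMP question at the end of the thread by tracking connection state instead of dropping ICMP wholesale: DNS answers come back as ESTABLISHED, and the ICMP errors tied to a tracked flow (port unreachable, fragmentation needed) are admitted as RELATED, so resolvers fail fast on a dead server and path MTU discovery keeps working. The interface names, the LAN prefix 192.168.111.0/24, the SSH-from-LAN rule and the dry-run/APPLY switch are assumptions of this example. LAN hosts are allowed to open outbound UDP through the gateway (they need it for their own DNS), which is a deliberate departure from the literal "block all UDP from eth1" request; UDP and ICMP aimed at the gateway itself from the LAN, other than ping, are still dropped. The `-m state` match is the one Red Hat 9's iptables shipped with and current iptables still accepts it.

```shell
#!/bin/sh
# Gateway firewall for the topology in the thread: Internet on eth0, LAN
# 192.168.111.0/24 on eth1, web server at 192.168.111.10.  Example code written
# for this page, not taken from the thread.  Interface names, the LAN prefix,
# the SSH-from-LAN rule and the dry-run/APPLY switch are assumptions.
# Default is a dry run: the rules are printed, not loaded.  Run as root with
# APPLY=1 to apply them.

gen_firewall_rules() {
    wan=$1      # interface facing the Internet
    lan=$2      # interface facing the LAN
    web=$3      # internal web server that receives the forwarded 80/443
    lan_net=$4  # LAN prefix allowed to use the gateway

    echo "sysctl -w net.ipv4.ip_forward=1"

    # Start clean; default-deny for traffic to and through the gateway.
    echo "iptables -F"
    echo "iptables -t nat -F"
    echo "iptables -X"
    echo "iptables -P INPUT DROP"
    echo "iptables -P FORWARD DROP"
    echo "iptables -P OUTPUT ACCEPT"
    echo "iptables -A INPUT -i lo -j ACCEPT"

    # Stateful core.  Replies to flows the gateway or a LAN host opened come
    # back as ESTABLISHED (this covers DNS answers to UDP queries).  RELATED
    # admits the ICMP errors tied to a tracked flow (port unreachable,
    # fragmentation needed), which is what is lost when ICMP is dropped wholesale.
    echo "iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A INPUT -m state --state INVALID -j DROP"
    echo "iptables -A FORWARD -m state --state INVALID -j DROP"

    # Illegal TCP flag combinations used by scanners (Saraev's rule 2), applied
    # on the Internet-facing side both to the gateway and to forwarded traffic.
    for flags in "ALL FIN,URG,PSH" "ALL NONE" "SYN,RST SYN,RST" "SYN,FIN SYN,FIN"; do
        echo "iptables -A INPUT -i $wan -p tcp --tcp-flags $flags -j DROP"
        echo "iptables -A FORWARD -i $wan -p tcp --tcp-flags $flags -j DROP"
    done

    # Anti-spoofing: packets claiming a LAN source must not arrive from the Internet.
    echo "iptables -A INPUT -i $wan -s $lan_net -j DROP"
    echo "iptables -A FORWARD -i $wan -s $lan_net -j DROP"

    # Port forwards.  DNAT happens in PREROUTING, before the routing decision,
    # so the FORWARD rule matches the rewritten destination.  443 is HTTPS.
    for port in 80 443; do
        echo "iptables -t nat -A PREROUTING -i $wan -p tcp --dport $port -j DNAT --to-destination $web:$port"
        echo "iptables -A FORWARD -i $wan -o $lan -p tcp -d $web --dport $port -m state --state NEW -j ACCEPT"
    done

    # LAN hosts may open new TCP and UDP connections to the Internet (UDP is
    # needed for their DNS) and are masqueraded behind the gateway's address.
    echo "iptables -A FORWARD -i $lan -o $wan -s $lan_net -p tcp -m state --state NEW -j ACCEPT"
    echo "iptables -A FORWARD -i $lan -o $wan -s $lan_net -p udp -m state --state NEW -j ACCEPT"
    echo "iptables -t nat -A POSTROUTING -o $wan -s $lan_net -j MASQUERADE"

    # To the gateway itself from the LAN: ping and SSH only (SSH is an assumption).
    echo "iptables -A INPUT -i $lan -s $lan_net -p icmp --icmp-type echo-request -j ACCEPT"
    echo "iptables -A INPUT -i $lan -s $lan_net -p tcp --dport 22 -m state --state NEW -j ACCEPT"

    # Anything else reaching the gateway from the Internet (unsolicited SYN,
    # UDP, ICMP) is logged at a bounded rate and then falls to the DROP policy.
    echo "iptables -A INPUT -i $wan -m limit --limit 6/min -j LOG --log-prefix 'FW-DROP: '"
}

WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
WEB=${WEB:-192.168.111.10}
LAN_NET=${LAN_NET:-192.168.111.0/24}

if [ "${APPLY:-0}" = 1 ]; then
    gen_firewall_rules "$WAN" "$LAN" "$WEB" "$LAN_NET" | sh -e
else
    gen_firewall_rules "$WAN" "$LAN" "$WEB" "$LAN_NET"
fi
```

Run it once without APPLY to read the generated rules, then `APPLY=1 sh gateway-fw.sh` as root. If DNS from the gateway still hangs after loading this, the usual culprit is the resolver's own outbound UDP being tracked wrongly rather than ICMP; `iptables -L -v -n` shows which rule is eating the packets.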

