LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
#1  09-19-2003, 12:17 PM
ASP (LQ Newbie; Registered: Jul 2003; Location: Saskatchewan, Canada; Distribution: Redhat 9.0, Knoppix; Posts: 28)
Question: Firewall\Gateway Script


I'm sure someone will flame me for this, but oh well...

Here's my problem. I've got a linux box set up as a gateway, and now I need a firewall script. Here's my set up...

INTERNET
| (ETH0, 10.10.10.10, bogus ip for example)
GATEWAY
|+-+-+ (ETH1, 192.168.111.1)
C C C
(192.168.111.10-14) (C is a computer, two running linux one windoze)

I've got the gateway set up already (somehow I managed that), but I know very little about iptables and how-tos I've managed to find have just confused me, so I need some help with a firewall script.

What I want the script to do is to block all incoming SYN Packets, and anything using UDP or ICMP from eth0. It should block all UDP and ICMP from eth1. It should forward all incoming requests on port 80, and 81 (or whatever the https port is) to 192.168.111.10. Also, any other things that you would consider essential in a firewall script.

If that is not possible, would someone please tell me why? Also, if there is a site that contains some VERY simple information on making a script like that, PLEASE tell me.

Oh, I'm running Redhat 9 using iptables.


Last edited by ASP; 09-19-2003 at 12:18 PM.
 
#2  09-19-2003, 05:59 PM
Saraev (Member; Registered: Apr 2002; Location: Los Gatos, CA; Distribution: boring redhat 9; Posts: 163)
Rule 1) get rid of ICMP on eth1
iptables -A INPUT -i eth1 -p icmp -j DROP
You'll want to keep ICMP on eth0 (the "inside" NIC) in case you need to ping it.

Rule 2) Dump some of those SYN/FIN scan flood things
iptables -A INPUT -i eth1 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -i eth1 -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -i eth1 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -i eth1 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP


Rule 3) Redirect web requests (I don't know if this one works, been forever since I've used it)

iptables -t nat -A PREROUTING -p tcp -d $EXTERNAL_IP --dport 80 -j DNAT --to $WEB_SERVER_IP:80


Here's a simple iptables page I put together awhile back, might help you form your rules to be more fitting for your situation.

http://www.technocore.org/nerdCore/iptables.php

Cheers!
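
One way to turn the rules above into a complete script for the layout in the question, written here as an added example (not code from the thread, from Saraev's page, or from LinuxQuestions.org): it assumes the question's own values (eth0 = Internet side at 10.10.10.10, eth1 = LAN side at 192.168.111.1, web server at 192.168.111.10) and the `state` match, so unsolicited SYN, UDP and ICMP from the Internet fall through to a DROP policy while 80 and 443 are forwarded to the web server and ICMP stays open on the LAN side. Run it as root with `apply` to load the rules; with no argument it only prints them, which is a safe way to review the rule set first.

```sh
#!/bin/sh
# Gateway firewall for the layout in the question (constructed from the thread's values):
#   eth0 = Internet side, 10.10.10.10 (bogus)    eth1 = LAN side, 192.168.111.1
#   web server on the LAN at 192.168.111.10, reachable from outside on 80 and 443
# Usage: sh fw.sh apply   (as root, loads the rules)    sh fw.sh   (only prints them)
MODE="${1:-show}"
EXT_IF=eth0; EXT_IP=10.10.10.10
INT_IF=eth1; LAN=192.168.111.0/24
WEB_SERVER_IP=192.168.111.10

# Every rule passes through ipt(): printed in show mode, loaded with iptables in apply mode.
ipt() {
    if [ "$MODE" = apply ]; then iptables "$@"; else echo "iptables $*"; fi
}

firewall_rules() {
    # Start clean and default everything to DROP, so only explicitly allowed traffic passes.
    ipt -F; ipt -t nat -F; ipt -X
    ipt -P INPUT DROP; ipt -P FORWARD DROP; ipt -P OUTPUT ACCEPT
    # Loopback, plus any packet that belongs to a connection already accepted below.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The malformed TCP flag combinations from reply #2, applied on the Internet side.
    ipt -A INPUT -i "$EXT_IF" -p tcp --tcp-flags ALL NONE -j DROP
    ipt -A INPUT -i "$EXT_IF" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    ipt -A INPUT -i "$EXT_IF" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    # LAN hosts may ssh to the gateway and open new connections out to the Internet.
    ipt -A INPUT -i "$INT_IF" -s "$LAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$LAN" -m state --state NEW -j ACCEPT
    # Keep ICMP on the LAN side: ping works and resolver errors (port unreachable) get back.
    ipt -A INPUT -i "$INT_IF" -p icmp -j ACCEPT
    # Port-forward HTTP and HTTPS arriving on the public address to the internal web server.
    for port in 80 443; do
        ipt -t nat -A PREROUTING -i "$EXT_IF" -d "$EXT_IP" -p tcp --dport "$port" \
            -j DNAT --to-destination "$WEB_SERVER_IP:$port"
        ipt -A FORWARD -i "$EXT_IF" -o "$INT_IF" -d "$WEB_SERVER_IP" -p tcp --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    # Hide the LAN behind the gateway's public address on the way out.
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$LAN" -j SNAT --to-source "$EXT_IP"
    # Anything else new from the Internet (SYN, UDP, ICMP) hits the DROP policy; log it first,
    # rate-limited, so scans show up in syslog without flooding it.
    ipt -A INPUT -i "$EXT_IF" -m state --state NEW -m limit --limit 5/min -j LOG --log-prefix "FW DROP: "
}

firewall_rules
```

Because the gateway already forwards packets, ip_forward is left alone here; the ssh rule is only there so the box stays reachable from the LAN once INPUT defaults to DROP.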
 
#3  09-21-2003, 07:30 AM
/bin/bash (Senior Member; Registered: Jul 2003; Location: Indiana; Distribution: Mandrake Slackware-current QNX4.25; Posts: 1,802)
RedHat should have some sort of "Control Panel" app that would allow you to set up all that.

Check out the Basic Firewall Configuration section of the RedHat Configuration Guide.
 
#4  09-21-2003, 11:09 PM
ASP (Original Poster; LQ Newbie; Registered: Jul 2003; Location: Saskatchewan, Canada; Distribution: Redhat 9.0, Knoppix; Posts: 28)
Thanks

Thanks, your website helped out quite a bit. Very simple and easy to understand.

Yes, I believe there is a GUI utility for configuring that, but it only allows you to set a general system security (HIGH, MEDIUM or OFF), and anyway, I don't have XWindows on my firewall so I can't use the GUI utility. Thanks anyway.
 
#5  09-22-2003, 01:40 AM
ASP (Original Poster; LQ Newbie; Registered: Jul 2003; Location: Saskatchewan, Canada; Distribution: Redhat 9.0, Knoppix; Posts: 28)
After further testing, I found if I block the ICMP packets that I can no longer resolve DNS queries... any reason you can think of?
 
#6  09-22-2003, 10:15 PM
seabass55 (Member; Registered: Jan 2003; Location: 127.0.0.1; Distribution: Fedora&Gentoo; Posts: 207)
DNS uses UDP packets. I can block all ICMP and have no problems with DNS. You sure you aren't blocking something else? I won't say it's impossible... just that I haven't seen it. TCP/IP does use ICMP for diagnostics. For instance you'll never get a "host unreachable" with ICMP totally turned off. Here's a table of ICMP types...
http://www.faqs.org/docs/iptables/icmptypes.html
All times are GMT -5.