iptables question
hi guys! i have setup my firewall with iptables and was setup to be the gateway of my internal network. i was a bit confused on how to make my firewall to allow my internal network to access ports/services say 80,143,443,25,22,21,8080,8088 and other port that i will be needing in the future and block all other ports that are not specified. the current configuration allow my network to access almost everything in the internet. again, how do i just selectively open ports that i will be using and all others that are not specified. i am posting my current configuration for your reference. any suggestions or modifications are very much welcomed. thanks!
#!/bin/sh
#--------------------------
# rc.firewall-iptables
#--------------------------------------------------------
# Setting up the location of iptables and kernel modules
#--------------------------------------------------------
IPTABLES=/sbin/iptables
DEPMOD=/sbin/depmod
MODPROBE=/sbin/modprobe
EXTIP="xxx.xxx.xxx.xx"
#-------------------------------------------------
# Verification of modules/Load necessary modules
#------------------------------------------------
$DEPMOD -a
$MODPROBE ip_tables
$MODPROBE ip_conntrack
$MODPROBE iptable_nat
#-----------------------------------------------------------------------------
# clear ang existing rules: set default policy
#-----------------------------------------------------------------------------
echo " Clearing any existing rules and setting default policy.."
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -F
$IPTABLES -t nat -F
#---------------------------------------------------------------------------
# Enable IP forwarding
#---------------------------------------------------------------------------
#echo " Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward
#-----------------------------------------------------------------
# Prevent SYN floods from consuming memory resources:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#to be placed into /etc/rc.d/rc.local
#----------------------------------------------------------------
# Allow ESTABLISHED and RELATED packets to all chains
#----------------------------------------------------------------
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------
# Allow port 22 (SSH) connection to the firewall (for remote admin purposes)
#---------------------------------------------------------------
$IPTABLES -A INPUT -p tcp -i eth0 --dport 24 --sport 1024:65535 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p tcp -i eth1 --dport 24 --sport 1024:65535 -m state --state NEW -j ACCEPT
#-------------------
# Allow DNS traffic
#-------------------
$IPTABLES -A OUTPUT -p udp -o eth0 --dport 53 --sport 1024:65535 -j ACCEPT
$IPTABLES -A INPUT -p udp -i eth0 --sport 53 --dport 1024:65535 -j ACCEPT
#---------------------------------------------------------------
# Allow FW to send ICMP echo-request and receive echo-replies
#------------------------------------------
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
#----------------------------------
# Allow FW to receive ICMP echo-requet and send echo-replies
#-----------------------------------------------------------
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-reply -j ACCEPT
# For DHCP server:
#------------------------------------------
$IPTABLES -A INPUT -i eth1 -p tcp --sport 68 --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i eth1 -p udp --sport 68 --dport 67 -j ACCEPT
#---------------------------------------------------------------
# Enable simple IP forwarding and Masquerading
# Allow Outbound: NEW,ESTABLISHED,ReLATED; Allow Inbound: ESTABLISED,RLATED
#---------------------------------------------------------------
#echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
#$IPTABLES -t nat -A POSTROUTING -o $EXTIF -s 192.168.3.0/24 -j MASQUERADE
$IPTABLES -A POSTROUTING -t nat -o eth0 -s 192.168.3.0/24 -d 0/0 -j MASQUERADE
$IPTABLES -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
#alternative
#$IPTABLES -t nat -A POSTROUTING -o eth0 -s 192.168.3.0/24 -j SNAT --to $EXTIP
#---------------------------------------------------------------
# Allow all bidirectional traffic from your firewall to the
# internal network
#---------------------------------------------------------------
#$IPTABLES -A INPUT -j ACCEPT -p all -s 192.168.3.0/24 -i eth1
#$IPTABLES -A OUTPUT -j ACCEPT -p all -d 192.168.3.0/24 -o eth1
#--------------------------------------------------------------------------
# Deny any incoming packet outside the network which has a spoofed source address from the local networks
#-------------------------------------------------------------------------------------------
$IPTABLES -A INPUT -i eth0 -s 192.168.3.0/24 -j DROP
$IPTABLES -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
#--------------------------------------------------------------------------
# Enable PORTFW of defined ports' traffic from the external interface
#--------------------------------------------------------------------------
#SMTP on 192.168.3.2
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d $EXTIP --dport 25 --sport 1024:65535 -j DNAT --to 192.168.3.2:25
#HTTP on 192.168.3.200
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d $EXTIP --dport 80 --sport 1024:65535 -j DNAT --to 192.168.3.200:80
#POP3 on 192.168.3.2
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d $EXTIP --dport 110 --sport 1024:65535 -j DNAT --to 192.168.3.2:110
#SSH on 192.168.3.2
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d $EXTIP --dport 22 --sport 1024:65535 -j DNAT --to 192.168.3.2:22
#HTTP/mascad on 192.168.3.200
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d $EXTIP --dport 7070 --sport 1024:65535 -j DNAT --to 192.168.3.200:7070
#HTTP 192.168.3.2
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 -d $EXTIP --dport 82 --sport 1024:65535 -j DNAT --to 192.168.3.2:82
#------------------------------------------------------------------------------------
# Allow forwarding of new and existing defined ports connectins from the external interface.
# This is required if the default FORWARD policy is DENY.
#--------------------------------------------------------------------------------
#port 25/SMTP on 192.168.3.2
$IPTABLES -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.3.2 --dport 25 --sport 1024:65535 -m state --state NEW -j ACCEPT
#PORT 80/HTTP on 192.168.3.200
$IPTABLES -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.3.200 --dport 80 --sport 1024:65535 -m state --state NEW -j ACCEPT
#port 110/POP on 192.168.3.2
$IPTABLES -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.3.2 --dport 110 --sport 1024:65535 -m state --state NEW -j ACCEPT
#port 22/SSH on 192.168.3.2
$IPTABLES -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.3.2 --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
#port 8081 on 192.168.3.200
$IPTABLES -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.3.200 --dport 7070 --sport 1024:65535 -m state --state NEW -j ACCEPT
#port 82 on 192.168.3.2
$IPTABLES -A FORWARD -p tcp -i eth0 -o eth1 -d 192.168.3.2 --dport 82 --sport 1024:65535 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -t filter -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -t filter -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
Last edited by yongitz; 09-28-2006 at 06:39 AM.
|