is this iptables script correct?
Can anyone tell me how this iptables script looks? Is it correct? Is it efficient? Is there anything in there that does not look right or should not be there? Is there anything I should add?
I am trying to set up a firewall/IP Masq. for an internal network. The firewall needs to accept ports 1444 & 1433 from 222.222.222.20. Thanks in advance.

    #!/bin/sh
    echo 0 > /proc/sys/net/ipv4/ip_forward
    LAN_IP_NET='192.168.1.1/24'
    LAN_NIC='eth1'
    WAN_IP='222.22.222.22'
    WAN_NIC='eth0'
    iptables -t nat -F POSTROUTING
    iptables -t nat -F PREROUTING
    iptables -t nat -F OUTPUT
    iptables -F
    iptables -P INPUT ACCEPT
    iptables -P FORWARD ACCEPT
    # Start additional Rules
    iptables -A INPUT -p tcp --source-port 1433 -s 222.222.222.20 -j ACCEPT
    iptables -A INPUT -p tcp --source-port 1444 -s 222.222.222.20 -j ACCEPT
    # End additional rules
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -t nat -A POSTROUTING -s $LAN_IP_NET -j MASQUERADE
    iptables -A FORWARD -j ACCEPT -i $LAN_NIC -s $LAN_IP_NET
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    echo 1 > /proc/sys/net/ipv4/ip_forward
Good enough. If the 2 ports you let through in the beginning are all you need to let through on the Internet interface then the firewall will hold on. You might want to try limiting the number of SYNs you take per second on ports 1433 and 1444.
--tarballedtux
There are a few things I can see that won't work...
Quote:
    iptables -A INPUT -p tcp --source-port 1433 -s 222.222.222.20 -j ACCEPT
    iptables -A INPUT -p tcp --source-port 1444 -s 222.222.222.20 -j ACCEPT
These rules would affect new connections coming in and should really refer to destination ports, i.e. server ports on your PC. If they were intended for outgoing connections, they are covered by the iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT rule.

Quote:
    iptables -t nat -A POSTROUTING -s $LAN_IP_NET -j MASQUERADE
iptables -t nat -A POSTROUTING -o $WAN_NIC -j MASQUERADE

And you are making a lot of references to "-s ip.number.on.lan". That only needs to be done if you are a router, not a host/gateway. This is best handled by the reverse path filter:
    echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
Have a read of this tutorial and then a look at the Firestarter and Shorewall packages.
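Pulling both replies' points into one script, as an added example that is not code from any poster: the network values are the ones in the question, and APPLY is an assumed switch added here so that by default the script only prints the rules it would load instead of calling iptables.

```shell
#!/bin/sh
# Reworked version of the posted script, folding in both replies: server
# ports matched with --dport, MASQUERADE keyed on the WAN interface, rp_filter
# instead of per-rule -s checks, and a SYN rate limit on 1433/1444.
# Dry run by default (prints the rules); run with APPLY=1 as root to apply.
LAN_IP_NET='192.168.1.1/24'
LAN_NIC='eth1'
WAN_NIC='eth0'
PEER='222.222.222.20'   # the only host allowed to reach 1433 and 1444

if [ "${APPLY:-0}" = "1" ]; then IPT=iptables; else IPT="echo iptables"; fi

# Emits (or applies) the rule set; returns non-zero if any command fails.
build_rules() {
    # Default-deny before loading rules, so there is no accept-all window.
    $IPT -P INPUT DROP       || return 1
    $IPT -P FORWARD DROP     || return 1
    $IPT -P OUTPUT ACCEPT    || return 1
    $IPT -F                  || return 1
    $IPT -t nat -F           || return 1
    $IPT -A INPUT -i lo -j ACCEPT || return 1
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    # Inbound service ports: destination port, not --source-port, and only
    # SYNs under the limit are accepted; the excess falls to the DROP policy.
    for port in 1433 1444; do
        $IPT -A INPUT -i "$WAN_NIC" -p tcp --syn -s "$PEER" --dport "$port" \
            -m limit --limit 10/second --limit-burst 20 -j ACCEPT || return 1
    done
    # LAN -> WAN forwarding with replies back; masquerade on the WAN side.
    $IPT -A FORWARD -i "$LAN_NIC" -o "$WAN_NIC" -s "$LAN_IP_NET" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT || return 1
    $IPT -A FORWARD -i "$WAN_NIC" -o "$LAN_NIC" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT || return 1
    $IPT -t nat -A POSTROUTING -o "$WAN_NIC" -j MASQUERADE || return 1
}

# Kernel knobs: reverse-path filter, then enable forwarding last.
apply_sysctls() {
    for knob in conf/all/rp_filter ip_forward; do
        if [ "${APPLY:-0}" = "1" ]; then
            echo 1 > "/proc/sys/net/ipv4/$knob" || return 1
        else
            echo "echo 1 > /proc/sys/net/ipv4/$knob"
        fi
    done
}

build_rules && apply_sysctls
```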