is this iptables script correct?

pollux0 · 12-13-2002, 11:12 AM

Can anyone tell me how this iptable script looks? Is it correct? Is it efficient? Is there anything in there that does not look right or should not be there? Is there anything i should add?

I am trying to setup a firewall/Ip Masq. for an internal network. The firewall needs to accept ports 1444 & 1433 form 222.222.222.20

thanks in advance'

#!/bin/sh

echo 0 > /proc/sys/net/ipv4/ip_forward

LAN_IP_NET='192.168.1.1/24'
LAN_NIC='eth1'
WAN_IP='222.22.222.22'
WAN_NIC='eth0'

iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT

# Start additional Rules
iptables -A INPUT -p tcp --source-port 1433 -s 222.222.222.20 -j ACCEPT
iptables -A INPUT -p tcp --source-port 1444 -s 222.222.222.20 -j ACCEPT
# End additional rules

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_IP_NET -j MASQUERADE
iptables -A FORWARD -j ACCEPT -i $LAN_NIC -s $LAN_IP_NET
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward

tarballedtux · 12-14-2002, 09:50 AM

Good enough. If the 2 ports you let through in the beginning are all you need to let through on the Internet interface then the firewall will hold on. You might want to try limiting the number SYN you take per second on ports 1433 and 1444.

--tarballedtux

peter_robb · 12-14-2002, 02:38 PM

There are a few things I can see that won't work...

Quote:

iptables -A INPUT -p tcp --source-port 1433 -s 222.222.222.20 -j ACCEPT
iptables -A INPUT -p tcp --source-port 1444 -s 222.222.222.20 -j ACCEPT

Are you sure the source port will always be the same?
These rules would affect new connections coming in and should really refer to destination ports, ie server ports on your pc.
If they were intended for outgoing connections, they are covered by the iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT rule..

Quote:

iptables -t nat -A POSTROUTING -s $LAN_IP_NET -j MASQUERADE

This would cause problems when replies come back from forwarded connections. It should only apply to the outgoing interface eg
iptables -t nat -A POSTROUTING -o $WAN_NIC -j MASQUERADE

And you are making a lot of references to "-s ip.number.on.lan" . Only needs to be done if you are a router, not a host/gateway.
This is best handled by the reverse path filter
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

Have a read of this tutorial and then a look at Firestarter and Shorewall packages..