Linux gateway with iptables - Everybody help me, please
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
This is a firewall script that I collected from the Internet. I have applied it to my network; however, I have some problems with it, such as:
- Cannot restrict FTP
- Cannot deny software downloads: xmule, BitTorrent.
Here is the network diagram:
======================================================================
#######################################################################
# Local Area Network Configuration
#######################################################################
#
LAN_IP="192.168.1.10"
#
LAN_IP_RANGE="192.168.1.0/24"
#
LAN_BCAST_ADDRESS="192.168.1.255"   # broadcast of 192.168.1.0/24 (was 192.168.255.255, which is wrong for a /24)
#
LAN_IFACE="eth1"
#
#######################################################################
# Localhost Configuration
#######################################################################
#
LO_IFACE="lo"
#
LO_IP="127.0.0.1"
#
#######################################################################
# Internet Configuration
#######################################################################
#
INET_IP="192.168.2.10"
#
INET_IFACE="eth0"
#
#######################################################################
# iptables configuration
#######################################################################
#
iptables="/usr/sbin/iptables"
#
#######################################################################
# Module Loading
#######################################################################
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUERADE
#
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
#
# FTP connection tracking and NAT helpers. Without these the FTP data
# connection (active or passive) is not recognised as RELATED and is
# dropped by the FORWARD chain, so the FTP rules depend on them.
#
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#
# Optional modules, not required by the rules below
#
#/sbin/modprobe ipt_owner
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_irc
#
######################################################################
# /proc setup - Enable ip_forward
######################################################################
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Non-Required proc configuration
# (rp_filter is worth enabling on a two-interface gateway: it drops
# packets whose source address the kernel would not route back out the
# interface they arrived on, e.g. LAN addresses showing up on eth0.)
#
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
######################################################################
# iptables rule setup
# Set default policies for the INPUT, FORWARD and OUTPUT chains
# (policies first, then flush, so the box is never open while the
# script is being re-run)
#
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables -X
#
# "iptables -F" only touches the filter table. Without the lines below
# every re-run of this script appends another MASQUERADE rule and four
# more REDIRECT rules to the nat table.
#
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
#
#Create chain for bad tcp packets
#
iptables -N bad_tcp_packets
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
iptables -N allowed
iptables -N tcp_packets
iptables -N udp_packets
iptables -N icmp_packets
#
######################################################################
# Create content in userspecified chains
######################################################################
#
#bad_tcp_packets chain
#
# A SYN/ACK that conntrack considers NEW is a reply to a SYN this box
# never saw (e.g. a connection left over from before a reboot); answer
# it with a RST so the other end gives up instead of retransmitting.
# Any other non-SYN packet that is not part of a known connection is
# logged and dropped.
#
iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
#allowed chain
#
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP
#
# TCP rules
#
# All commented out, so the tcp_packets chain is empty: no new TCP
# connection from the Internet to the gateway itself is accepted
# (such packets return to INPUT, are logged there at a limited rate,
# and are dropped by the INPUT policy).
#
##iptables -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
##iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
##iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
##iptables -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
#
# UDP ports
#
# Also all commented out. Outgoing DNS (53) and NTP (123) from the
# gateway still work because the replies match ESTABLISHED in INPUT.
#
#iptables -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#iptables -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
##iptables -A udp_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
##iptables -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT
#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
# ($INET_BROADCAST is not defined in this script; set it to the
# broadcast address of the eth0 subnet before uncommenting.)
#
#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST \
#--destination-port 135:139 -j DROP
#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#
#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP
#
# ICMP rules
#
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
####################################################################
# INPUT chain
####################################################################
#
# Bad TCP packets we don't want.
#
iptables -A INPUT -p tcp -j bad_tcp_packets
#
###################################################################
# Rules for special networks not part of the Internet
###################################################################
#
iptables -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
#
###################################################################
# special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
###################################################################
#
iptables -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
#
###################################################################
# Rules for incoming packets from the internet.
###################################################################
#
iptables -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
iptables -A INPUT -p UDP -i $INET_IFACE -j udp_packets
iptables -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#
#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP
#
#
# Log weird packets that don't match the above.
#
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
###################################################################
# FORWARD chain
###################################################################
#
# Bad TCP packets we don't want
#
iptables -A FORWARD -p tcp -j bad_tcp_packets
#
# Leftover from wherever this rule was copied from: 192.168.16.0/24 is
# not one of the networks defined above, so this rule never matches.
#
iptables -A FORWARD -s 192.168.16.0/24 -d 192.168.16.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Accept the packets we actually want to forward
#
# NOTE: the next rule accepts *everything* arriving on the LAN
# interface, with no port or MAC restriction. Together with the
# MASQUERADE rule below it lets any LAN host reach any Internet port
# directly (FTP, BitTorrent, xmule, ...). The ftp_rule chain defined at
# the end of the script is never jumped to from here or from any other
# chain, so it has no effect at all.
#
iptables -A FORWARD -i $LAN_IFACE -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Log weird packets that don't match the above.
#
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
###################################################################
# OUTPUT chain
###################################################################
#
# Bad TCP packets we don't want.
#
iptables -A OUTPUT -p tcp -j bad_tcp_packets
#
# Special OUTPUT rules to decide which IP's to allow.
#
iptables -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
#
# Log weird packets that don't match the above.
#
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
#
###################################################################
# POSTROUTING chain
###################################################################
#
# Enable simple IP Forwarding and Network Address Translation
#
##iptables -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
#
# Transparent proxy: web traffic from the LAN is redirected to Squid
# listening on port 8008 on the gateway itself. HTTP therefore needs no
# FORWARD rule; it is delivered locally and accepted by the INPUT rule
# for "-i $LAN_IFACE -s $LAN_IP_RANGE".
#
iptables -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 80 -j REDIRECT --to-port 8008
iptables -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 8080 -j REDIRECT --to-port 8008
iptables -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 8000 -j REDIRECT --to-port 8008
iptables -t nat -A PREROUTING -i $LAN_IFACE -p tcp --dport 3128 -j REDIRECT --to-port 8008
#
#################################################################
###################### Private Rule #############################
#################################################################
#
# rule for FTP connection
#
# NOTE: this chain is created and filled, but nothing ever jumps to it
# (there is no "-j ftp_rule" anywhere above), so it is never traversed.
# To have any effect it must be reached from FORWARD *before* the
# "-A FORWARD -i $LAN_IFACE -j ACCEPT" rule. Also, --dport 20:21 only
# makes sense for the control connection (21); the data connection is
# handled as RELATED by ip_conntrack_ftp.
#
iptables -N ftp_rule
# admin
iptables -A ftp_rule -m mac --mac-source 00:50:8B:AF:73:C4 -p tcp --dport 20:21 -j ACCEPT
# manager
iptables -A ftp_rule -m mac --mac-source 00:02:55:64:03:6D -p tcp --dport 20:21 -j ACCEPT
# drop all
iptables -A ftp_rule -p tcp --dport 20:21 -j DROP
===================================================================
And the network's status:
Purpose:
- Local network connects to the Internet through a Squid proxy
- POP3, SMTP
- FTP allowed only for admin and manager
- No other protocol runs through the Linux gateway
Current problems:
- Can't filter FTP as intended
- Some users can use BitTorrent, xmule, ...
Please help me find the error in my firewall script. I really need your help, and more ideas from all of you.
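Both problems in the post have the same cause: the FORWARD chain accepts everything from the LAN interface before anything else is checked, and the ftp_rule chain is never jumped to. The script below is an added example, not the original poster's code, showing a FORWARD chain that reaches ftp_rule and forwards only the protocols the post lists (POP3, SMTP, FTP for two MACs, plus DNS). Interface names, addresses and MAC addresses are taken from the post; the ipt() wrapper, the DRY_RUN switch and the function name forward_rules are this example's own. It assumes ip_conntrack_ftp and ip_nat_ftp are loaded (as in the original script) so that FTP data connections show up as RELATED, and that the filter chains were flushed first as the original script does.

```shell
#!/bin/sh
# Added example (not the original poster's script): a FORWARD chain in
# which ftp_rule is actually evaluated and everything not listed is dropped.

LAN_IFACE="eth1"                    # from the post
INET_IFACE="eth0"                   # from the post
LAN_IP_RANGE="192.168.1.0/24"       # from the post
ADMIN_MAC="00:50:8B:AF:73:C4"       # from the post
MANAGER_MAC="00:02:55:64:03:6D"     # from the post

# DRY_RUN=1 (default) prints the rules instead of applying them, so the
# chain order can be reviewed without root or a netfilter kernel.
DRY_RUN="${DRY_RUN:-1}"

ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

forward_rules() {
    # Per-host FTP policy. MAC matching only sees frames received on the
    # LAN segment and a MAC is trivially spoofable, so this enforces policy
    # for cooperative users; it is not a security boundary.
    ipt -N ftp_rule
    ipt -A ftp_rule -m mac --mac-source "$ADMIN_MAC" -j ACCEPT
    ipt -A ftp_rule -m mac --mac-source "$MANAGER_MAC" -j ACCEPT
    ipt -A ftp_rule -m limit --limit 3/minute -j LOG --log-prefix "IPT FTP denied: "
    ipt -A ftp_rule -j DROP

    # Replies, plus FTP data connections the conntrack helper marks RELATED
    # (active mode: server:20 -> client; passive: client -> server high port).
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # FTP control channel: decided by ftp_rule. This jump must come before
    # any catch-all ACCEPT for the LAN interface, otherwise it is never
    # evaluated, which is exactly what happened in the original script.
    ipt -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$LAN_IP_RANGE" \
        -p tcp --dport 21 -m state --state NEW -j ftp_rule

    # Mail (SMTP 25, POP3 110) and DNS for every LAN host.
    for port in 25 110; do
        ipt -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$LAN_IP_RANGE" \
            -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
    ipt -A FORWARD -i "$LAN_IFACE" -o "$INET_IFACE" -s "$LAN_IP_RANGE" \
        -p udp --dport 53 -j ACCEPT

    # No "-i $LAN_IFACE -j ACCEPT" catch-all. Whatever is not listed above
    # (BitTorrent, xmule, direct HTTP that escaped the Squid REDIRECT, ...)
    # is logged and dropped. The chain policy is DROP anyway; the explicit
    # rule makes the intent visible in "iptables -L FORWARD".
    ipt -A FORWARD -m limit --limit 3/minute --limit-burst 3 \
        -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
    ipt -A FORWARD -j DROP
}

# Review:  sh forward.sh             (prints the rules in order)
# Apply:   DRY_RUN=0 sh forward.sh   as root, with the original script's
#          "-A FORWARD ..." lines and its ftp_rule block removed.
forward_rules
```

After applying, check the order and that the jump is hit with `iptables -L FORWARD -v -n --line-numbers`: the ftp_rule line must appear before any ACCEPT for eth1, and its packet counter should increase when a host other than the two listed MACs tries `ftp` to an Internet address. Two caveats: the dry-run output joins arguments with spaces, so quoted log prefixes are shown for reading, not for pasting; and anything Squid fetches on the users' behalf (including ftp:// URLs if browsers are pointed at the proxy) leaves from the gateway itself and is decided by the OUTPUT chain, which accepts everything from $INET_IP, so that path has to be restricted in squid.conf (an acl of type `proto FTP` with a matching `http_access` line), not in FORWARD.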
Please do not post the same thread in more than one forum. Picking the most relevant forum and posting it once there makes it easier for other members to help you and keeps the discussion all in one place.