LinuxQuestions.org
Download your favorite Linux distribution at LQ ISO.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Closed Thread
  Search this Thread
Old 03-30-2005, 08:07 AM   #1
b:z
Member
 
Registered: Mar 2005
Posts: 146

Rep: Reputation: 15
Question Linux gateway with iptables - Everybody help me, please


This is the firewall script that i collect from Internet, i have applied it to my network, however i have more problem with it such as:
- Can not restrict FTP
- Can deny software download: xmule, BitTorrent.
Here is network diagram:

(((Internet)))========((<eth0>=====<eth1>))======((LAN))===

Here is the firewall script:

======================================================================
#######################################################################
# Local Area Network Configuration
#######################################################################
#
LAN_IP="192.168.1.10"
#
LAN_IP_RANGE="192.168.1.0/24"
#
LAN_BCAST_ADDRESS="192.168.255.255"
#
LAN_IFACE="eth1"
#
#######################################################################
# Localhost Configuration
#######################################################################
#
LO_IFACE="lo"
#
LO_IP="127.0.0.1"
#
#######################################################################
# Internet Configuration
#######################################################################
#
INET_IP="192.168.2.10"
#
INET_IFACE="eth0"
#
#######################################################################
# iptables configuration
#######################################################################
#
iptables="/usr/sbin/iptables"
#
#######################################################################
# Module Loading
#######################################################################
#
/sbin/depmod -a
#
# Adds some iptables targets like LOG, REJECT and MASQUERADE
#
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
#
# Support for owner matching
#/sbin/modprobe ipt_owner
#
# Non require modules
#
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
#
######################################################################
# /proc setup - Enable ip_forward
######################################################################
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
# Non-Required proc configuration
#
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
######################################################################
# iptables rule setup
# Set default policies for the INPUT, FORWARD and OUTPUT chains
#
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -F
iptables --delete-chain
#
#Create chain for bad tcp packets
#
iptables -N bad_tcp_packets
#
# Create separate chains for ICMP, TCP and UDP to traverse
#
iptables -N allowed
iptables -N tcp_packets
iptables -N udp_packets
iptables -N icmp_packets
#
######################################################################
# Create content in userspecified chains
######################################################################
#
#bad_tcp_packets chain
#
iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
#allowed chain
#
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP
#
# TCP rules
#
##iptables -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
##iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
##iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
##iptables -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
#
# UDP ports
#
#iptables -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT
#iptables -A udp_packets -p UDP -s 0/0 --destination-port 123 -j ACCEPT
##iptables -A udp_packets -p UDP -s 0/0 --destination-port 2074 -j ACCEPT
##iptables -A udp_packets -p UDP -s 0/0 --destination-port 4000 -j ACCEPT
#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#
#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d $INET_BROADCAST \
#--destination-port 135:139 -j DROP
#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#
#$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
#--destination-port 67:68 -j DROP
#
# ICMP rules
#
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
####################################################################
# INPUT chain
####################################################################
#
# Bad TCP packets we don't want.
#
iptables -A INPUT -p tcp -j bad_tcp_packets
#
###################################################################
# Rules for special networks not part of the Internet
###################################################################
#
iptables -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT
#
###################################################################
# special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
###################################################################
#
iptables -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
#
###################################################################
# Rules for incoming packets from the internet.
###################################################################
#
iptables -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
iptables -A INPUT -p UDP -i $INET_IFACE -j udp_packets
iptables -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#
#$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP
#
#
# Log weird packets that don't match the above.
#
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "
#
###################################################################
# FORWARD chain
###################################################################
#
# Bad TCP packets we don't want
#
iptables -A FORWARD -p tcp -j bad_tcp_packets
iptables -A FORWARD -s 192.168.16.0/24 -d 192.168.16.0/24 -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Accept the packets we actually want to forward
#
iptables -A FORWARD -i $LAN_IFACE -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Log weird packets that don't match the above.
#
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
#
###################################################################
# OUTPUT chain
###################################################################
#
# Bad TCP packets we don't want.
#
iptables -A OUTPUT -p tcp -j bad_tcp_packets
#
# Special OUTPUT rules to decide which IP's to allow.
#
iptables -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $INET_IP -j ACCEPT
#
# Log weird packets that don't match the above.
#
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "
#
###################################################################
# POSTROUTING chain
###################################################################
#
# Enable simple IP Forwarding and Network Address Translation
#
##iptables -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
iptables -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE
#
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 8008
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8080 -j REDIRECT --to-port 8008
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 8000 -j REDIRECT --to-port 8008
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 3128 -j REDIRECT --to-port 8008
#
#################################################################
###################### Private Rule #############################
#################################################################
##################
##################
# rule for FTP connection
iptables -N ftp_rule
# admin
iptables -A ftp_rule -m mac --mac-source 00:50:8B:AF:73:C4 -p tcp --dport 20:21 -j ACCEPT
# manager
iptables -A ftp_rule -m mac --mac-source 00:02:55:64:03:6D -p tcp --dport 20:21 -j ACCEPT
# drop all
iptables -A ftp_rule -p tcp --dport 20:21 -j DROP
#
##################
##################
##################

===================================================================
And network's status:

Purpose:
- Localnetwork connect Internet through Squid proxy
- POP3, SMTP
- FTP only allow for admin and manager
- No protocol run through Linux Gateway
Current problems:
- Can't filter FTP as my purpose
- Some users can use BitTorrent, xmule,...

Please help me to find the error in my firewall script. I really need your help ,and more idea from all of you.
 
Old 03-30-2005, 06:58 PM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Please do not post the same thread in more than one forum. Picking the most relevant forum and posting it once there makes it easier for other members to help you and keeps the discussion all in one place.

http://www.linuxquestions.org/rules.php

Forward replies to the original thread:
http://www.linuxquestions.org/questi...hreadid=307760
 
  


Closed Thread


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Home gateway + iptables kurrupt Linux - Security 2 08-08-2005 07:48 AM
Linux gateway with iptables - Everybody help me, please b:z Linux - Networking 14 03-31-2005 05:01 AM
IPTables setting up gateway using dsl garymayor Linux - Networking 4 02-11-2005 03:41 AM
dhcpd , bind, iptables gateway help munkie_poo Linux - Networking 1 01-25-2005 04:21 AM
iptables rules on gateway alon005 Linux - Security 7 10-05-2004 07:37 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 02:21 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration