Old 02-14-2020, 04:28 AM   #1
omardesko
LQ Newbie
Registered: Feb 2020
Posts: 3
Linux FW/Gateway with iptables


Hi, I have a Linux PC and I use it with 3 eth (1 outside, 1 LAN, 1 DMZ).
I also use it as a gateway.
I have some problems with a script. In the DMZ I have a web server and also an SSH server; SSH is not accessible from the Internet but only from the LAN and from a specific IP, but if I try with another IP from the LAN, access is accepted.
Another problem is that on the Linux firewall PC, if I try to go on the Internet, e.g. visit a web site with the browser, it is not possible.
I post the script here.
Thanks for your help

Code:
#!/bin/sh
#

#
# 1.1 Internet Configuration.
#

INET_IP="192.168.0.45"
INET_IFACE="ens33"
#INET_BROADCAST="151.13.109.161"

#
# 1.2 Local Area Network configuration.

LAN_IP="192.168.6.1"
LAN_IP_RANGE="192.168.6.0/24"
LAN_BROADCAST_ADDRESS="192.168.255.255"
LAN_IFACE="ens39"

#
# 1.3 DMZ Configuration.
#

DMZ_HTTP_IP="192.168.5.2"
DMZ_IP="192.168.5.1"
DMZ_IFACE="ens38"

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

############################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#
/sbin/depmod -a



#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

echo " Loading iptables rules..."

#####################################
# Flush the current configuration
#####################################

# Delete the rules present in the chains
echo " Cancellazione delle regole presenti nelle chains"
iptables -F
iptables -F -t nat

# Delete empty non-standard chains
echo " Eliminazione delle chains non standard vuote "
iptables -X

# Reset the counters (useful for logging)
echo " Inizializzazione dei contatori (utile per il logging) "
iptables -Z
###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

#
# Create chain for bad tcp packets
#

iptables -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

iptables -N allowed
iptables -N icmp_packets

#
# bad_tcp_packets chain
#

iptables -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
iptables -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP

#
# ICMP rules
#

# Changed rules totally
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

iptables -A INPUT -p tcp -j bad_tcp_packets

iptables -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# From DMZ Interface to DMZ firewall IP
#

iptables -A INPUT -p ALL -i $DMZ_IFACE -d $DMZ_IP -j ACCEPT

#
# From LAN Interface to LAN firewall IP
#

iptables -A INPUT -p ALL -i $LAN_IFACE -d $LAN_IP -j ACCEPT

#
# From Localhost interface to Localhost IP's
#

iptables -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
iptables -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
#

iptables -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# All established and related packets incoming from the internet to the
# firewall
#

iptables -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT

iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level 7 --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

iptables -A FORWARD -p tcp -j bad_tcp_packets
iptables -A INPUT -s 194.168.6.0/255.255.255.0 -j ACCEPT


#
# DMZ section
#
# General rules
#

iptables -A FORWARD -i $DMZ_IFACE -o $INET_IFACE -j ACCEPT
iptables -A FORWARD -i $INET_IFACE -o $DMZ_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $LAN_IFACE -o $DMZ_IFACE -j ACCEPT
iptables -A FORWARD -i $DMZ_IFACE -o $LAN_IFACE -m state \
--state ESTABLISHED,RELATED -j ACCEPT

echo "SERVER WEB"
iptables -A PREROUTING -t nat -p tcp -i $INET_IFACE -d $INET_IP --dport 80 -j DNAT --to-destination $DMZ_HTTP_IP:80
iptables -A FORWARD -p tcp -d $DMZ_HTTP_IP --dport 80 -o $DMZ_IFACE -j ACCEPT
#iptables -t nat -A POSTROUTING -p tcp --dport 80 -j MASQUERADE
echo "SERVER WEB OK"

echo "SERVER SSH"
iptables -A INPUT -i $DMZ_IFACE -p tcp ! -s 192.168.6.69 --dport 6724 -m state --state NEW,ESTABLISHED -j DROP
iptables -A OUTPUT -o $LAN_IFACE -p tcp --sport 6724 -m state --state ESTABLISHED -j ACCEPT


#
# LAN section
#

iptables -A FORWARD -i $LAN_IFACE -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level 7 --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

iptables -A OUTPUT -p tcp -j bad_tcp_packets

iptables -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level 7 --log-prefix "IPT OUTPUT packet died: "



#
# 4.2.5 POSTROUTING chain
#

iptables -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP
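As an added illustration (not the poster's script), the following Python models iptables first-match evaluation of the FORWARD chain: it shows why the broad LAN-to-DMZ accept rule lets any LAN host reach the DMZ SSH port (the port 6724 rule in the post sits in INPUT, which routed traffic never traverses), and how a port-specific rule placed before the broad accept restricts access to the one admin host. Interface names, the admin host and the port are taken from the script above; the `in_if`/`out_if`/`proto`/`dport`/`src` field names are this example's own.

```python
import ipaddress
# First-match model of iptables chain traversal (added example, not the
# poster's script). Interface names and the admin host come from the post.
LAN_IFACE, DMZ_IFACE, INET_IFACE = "ens39", "ens38", "ens33"
ADMIN_HOST = "192.168.6.69"   # the one LAN host that may reach SSH
SSH_PORT = 6724

def rule(target, **match):
    return dict(target=target, **match)

def matches(r, pkt):
    """True if every criterion in rule r applies to packet pkt."""
    for key, want in r.items():
        if key == "target":
            continue
        have = pkt.get(key)
        if key == "src":   # a leading "!" negates, like iptables '! -s'
            negate = want.startswith("!")
            net = ipaddress.ip_network(want.lstrip("!"), strict=False)
            if (ipaddress.ip_address(have) in net) == negate:
                return False
        elif have != want:
            return False
    return True

def evaluate(chain, pkt, policy="DROP"):
    """Rules are checked top to bottom; the first match decides, else policy."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy

# FORWARD chain as posted: anything LAN -> DMZ is accepted before the port
# is looked at. The INPUT rule on port 6724 never sees these packets, since
# routed traffic traverses FORWARD, not INPUT.
FORWARD_POSTED = [
    rule("ACCEPT", in_if=DMZ_IFACE, out_if=INET_IFACE),
    rule("ACCEPT", in_if=LAN_IFACE, out_if=DMZ_IFACE),
]
# Same chain with a port-specific DROP placed before the broad accept.
FORWARD_FIXED = [
    rule("DROP", in_if=LAN_IFACE, out_if=DMZ_IFACE, proto="tcp",
         dport=SSH_PORT, src="!" + ADMIN_HOST),
] + FORWARD_POSTED

def ssh_from(src_ip, chain):
    # verdict for a new TCP connection from src_ip to the DMZ SSH port
    pkt = dict(in_if=LAN_IFACE, out_if=DMZ_IFACE, proto="tcp",
               dport=SSH_PORT, src=src_ip)
    return evaluate(chain, pkt)
```

The same ordering principle applies to the real chain: a restrictive rule must come before the rule that would otherwise accept the traffic.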