Slackware forum, LinuxQuestions.org. This forum is for the discussion of Slackware Linux.
I've been having a bit of trouble getting my firewall to work correctly. I was wondering if anyone had a script I could use.
What I'm looking for is a script which has a simple masq statement to share my connection ppp0 from my linux box 192.168.1.1 to my windows 192.168.1.2 on eth0 with all the usual stuff and leave port 22 open for ssh. Here's what I got, any suggestions? It comes up with errors when I add it to RC.M
I did the chmod a+x for execution
Thx guys
#!/bin/sh
echo "Firewall starting..."
# Set TCP/IP stack options
# Reverse-path filtering against IP spoofing (1 = strict)
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
# Don't respond to broadcast pings (Smurf amplifier protection)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Forwarding must be on for the Windows box to get out through ppp0
echo 1 > /proc/sys/net/ipv4/ip_forward
# Flush any old rules so re-running the script does not duplicate them
/sbin/iptables -F INPUT
/sbin/iptables -t nat -F POSTROUTING
# Loopback
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Accept any connections from the LAN on eth0 (the LAN is a /24, not a /16;
# iptables would silently widen 192.168.1.0/16 to 192.168.0.0/16)
/sbin/iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
# ICMP
#/sbin/iptables -A INPUT -p icmp -j ACCEPT
# SSH (long options take two dashes: --dport, not -dport)
/sbin/iptables -A INPUT -p tcp --dport 22 -j ACCEPT
# Allow packets from established connections in
/sbin/iptables -A INPUT -m state --state ESTABLISHED -j ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p tcp --dport 1024:65535 -m state --state RELATED -j ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p udp --dport 1024:65535 -m state --state RELATED -j ACCEPT
# Log, then drop any other attempted connections (the trailing space keeps
# the prefix separate from the packet details in the log line)
/sbin/iptables -A INPUT -j LOG --log-prefix "DROPPED PACKET "
/sbin/iptables -A INPUT -j DROP
# Masquerade the LAN out through ppp0. iptables rejects -i in POSTROUTING,
# so select the LAN by source address instead.
/sbin/iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o ppp0 -j MASQUERADE
Here's an rc.firewall that I made....
I didn't leave port 22 open. I forward it to my linux box and then I can ssh from there to my router if I need to. Hope it helps!
Code:
#!/bin/bash
#
# /etc/rc.d/rc.firewall: stops and starts the firewall definitions
# ($EXTERNAL faces the Internet, $INTERNAL faces the LAN)
firewall_start() {
    echo "Starting Firewall..."
    EXTERNAL=eth0
    INTERNAL=eth1
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
    # Forwarding must be enabled or the LAN never reaches the Internet
    echo 1 > /proc/sys/net/ipv4/ip_forward
    # Start from a clean slate so running "start" twice does not duplicate rules
    iptables -F
    iptables -t nat -F
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    iptables -A INPUT -i lo -p all -j ACCEPT
    iptables -A OUTPUT -o lo -p all -j ACCEPT
    # Forwarding: replies, anything originating inside, then anti-spoofing
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state NEW ! -i $EXTERNAL -j ACCEPT
    # Private ranges must never arrive from outside. RFC 1918 space is 10/8,
    # 172.16/12 and 192.168/16; 176.16.0.0/12 is publicly routable, so the LAN
    # addresses used below really belong in one of the private ranges.
    iptables -A FORWARD -s 10.0.0.0/8 -i $EXTERNAL -j REJECT
    iptables -A FORWARD -s 172.16.0.0/12 -i $EXTERNAL -j REJECT
    iptables -A FORWARD -s 176.16.0.0/12 -i $EXTERNAL -j REJECT
    iptables -A FORWARD -s 192.168.0.0/16 -i $EXTERNAL -j REJECT
    # Port-forwarded services: ssh to .2, VNC to .3 from one trusted address only
    iptables -A FORWARD -p tcp -d 176.16.1.2 --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -p tcp -d 176.16.1.3 -s 216.76.29.66 --dport 5900 -m state --state NEW,ESTABLISHED -j ACCEPT
    # iptables -A FORWARD -p tcp -d 176.16.1.2 -s 149.149.0.0/16 --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
    # iptables -A FORWARD -p tcp -d 176.16.1.2 --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A FORWARD -j REJECT
    # NAT: masquerade outbound, DNAT the forwarded ports inbound
    iptables -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE
    iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 5900 -j DNAT --to-destination 176.16.1.3
    iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 22 -j DNAT --to-destination 176.16.1.2
    # iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 21 -j DNAT --to-destination 176.16.1.2
    # iptables -t nat -A PREROUTING -i $EXTERNAL -p tcp --dport 80 -j DNAT --to-destination 176.16.1.2
    # Input to the router itself: replies, and new connections from inside only
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m state --state NEW ! -i $EXTERNAL -j ACCEPT
    iptables -A INPUT -i $INTERNAL -j ACCEPT
    iptables -A INPUT -j REJECT
    iptables -A OUTPUT -j ACCEPT
}
firewall_stop() {
    echo "Disabling Firewall..."
    iptables -t filter --flush
    iptables -t filter --delete-chain
    iptables -t nat --flush
    iptables -t nat --delete-chain
    # Flushing leaves the INPUT policy at DROP; reset the policies or the
    # box stops answering anything at all after "stop"
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
    echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
}
firewall_restart() {
    firewall_stop
    sleep 1
    firewall_start
}
case "$1" in
    'start')
        firewall_start
        ;;
    'stop')
        firewall_stop
        ;;
    'restart')
        firewall_restart
        ;;
    *)
        echo "usage $0 start|stop|restart"
        ;;
esac