Bradley Molnar on Tue, 1 Jul 2003 21:05:30 -0400



[PLUG] iptables assistance


Hello All-

I've been spending the past 4-5 days working on learning and implementing an
iptables firewall.  I was wondering if the group could help me find some
glaring errors before I try to run it.

I do know that there isn't much spoof protection in there yet -- I just want
something that will get the job done (security is for next week).

So, here is the script; the only things I removed were some old lines that
were commented out and the lines with the actual IPs in them (although the
subnet is correct).

Also, for some reason it is not liking the --dport option.  It spits out 2
errors when I try to run it on my testing machine dealing with --dport.
And, it looks like my test machine has closed all ports to me right now.
So, if anyone can find what I missed it would be most appreciated.

Thanks
-b

quick note about network topology -- there are two real NICs, one (eth1:1)
is aliased to another (eth2).  I do not fully know how this would work;
iptables choked before telling me that it can't use aliased interfaces.
This is only for the time being, I can get another card without much
trouble.

Also, eth0 and eth1 are bridged using ebtables and the bridge-nf patches
(see last week's discussion and thanks David).

But, eth0 and eth1 are set up as a packet filtering bridge (the bridge
interface is br0 and has a real, as in globally unique, IP address).  All
machines on the inside of the bridge have real IPs; everything on the
inside of eth2 has private IPs.

All machines connected to eth2 will not have restrictions on what they can
do.  The bridge is only supposed to allow ports 80 and 22 through.

Much was built off of the info from a book (Redhat Linux Firewalls) and some
google info.  I think the comments at least say what the lines are
_supposed_ to do.
---------

#!/bin/sh

# this should only be run AFTER the bridge is created
#  see /root/bridgestart.sh

IPT=/sbin/iptables

# set eth0 to external nic
# set eth1 to the one with the servers
# set eth2 to the private ip range

EXT="eth0"
SER="eth1"
INT="eth2"

# The following rules will clear out any existing firewall rules,
#  and any chains that might have been created.
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

# add chains

$IPT -N EXT_IP
$IPT -N DMZ
$IPT -N INT_IP

# might already exist, but I don't think it is saved btwn reboots

# These will setup our default policies.

# unless specifically permitted, drop the packet if it is incoming, do not tell
#  sender that we did - this is called a 'stealth' firewall
$IPT -P INPUT DROP

# permit all outgoing unless specifically disabled (no real reason to disable
#  it)
$IPT -P OUTPUT ACCEPT

# permit forwarding of packet (this is good, right?)
$IPT -P FORWARD ACCEPT

# any ports not specifically mentioned below will be blocked

# allow all incoming packet destined to port 80/tcp and 22/tcp

#enable later, when chains OUT_ICMP and TCP_FLAGS exist -b
#$IPT -A EXT_IP -p icmp -j OUT_ICMP
#$IPT -A EXT_IP -p tcp -j TCP_FLAGS

$IPT -A EXT_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow internal net (servers) to connect to whatever they want
# for the time being

$IPT -A DMZ -m state --state NEW -s 0.0.0.129/255.255.255.248 -p tcp -j ACCEPT

# NAT packet coming from the internal destined for the internet

$IPT -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE

# filter what comes in.  only permit it to go to
# 0.0.0.129/255.255.255.248
# allow only 80, 22 for time being

# -p tcp must come before --dport: the port options belong to the tcp match,
#  which iptables only loads once it has parsed -p tcp (or -m tcp)
$IPT -A EXT_IP -i $EXT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -A EXT_IP -i $EXT -p tcp --dport 22 -m state --state NEW -j ACCEPT

# This has no spoof protection, yet


# Protect the firewall itself, allow 80/tcp 22/tcp ONLY, and on all
# interfaces

$IPT -A EXT_IP -p tcp -s 0.0.0.0/0 --dport 22 -m state --state NEW -j ACCEPT
$IPT -A EXT_IP -p tcp -s 0.0.0.0/0 --dport 80 -m state --state NEW -j ACCEPT
$IPT -A INT_IP -p tcp -s 0.0.0.0/0 --dport 22 -m state --state NEW -j ACCEPT
$IPT -A INT_IP -p tcp -s 0.0.0.0/0 --dport 80 -m state --state NEW -j ACCEPT
$IPT -A DMZ -p tcp -s 0.0.0.0/0 --dport 22 -m state --state NEW -j ACCEPT
$IPT -A DMZ -p tcp -s 0.0.0.0/0 --dport 80 -m state --state NEW -j ACCEPT

# these allow the server to connect to itself (on all ports, how nice)

$IPT -A EXT_IP -p tcp -s 127.0.0.1 -m state --state NEW -j ACCEPT

# Allow that which is related to another connection a free pass
# in other words, if it has already passed the 'inspection'
# don't check it again

$IPT -A DMZ -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A EXT_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INT_IP -m state --state ESTABLISHED,RELATED -j ACCEPT

# make it so that the forwarding rules know which rules to call

$IPT -A FORWARD -i $EXT -j EXT_IP
$IPT -A FORWARD -i $SER -j DMZ
$IPT -A FORWARD -i $INT -j INT_IP

# let the input rules know which rules to call

$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -j EXT_IP
$IPT -A INPUT -j INT_IP
$IPT -A INPUT -j DMZ

# let the output rules know which rules to call

$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -j EXT_IP
$IPT -A OUTPUT -j INT_IP
$IPT -A OUTPUT -j DMZ

_________________________________________________________________________
Philadelphia Linux Users Group        --       http://www.phillylinux.org
Announcements - http://lists.netisland.net/mailman/listinfo/plug-announce
General Discussion  --   http://lists.netisland.net/mailman/listinfo/plug
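The two errors the post describes come from argument order: iptables parses a rule left to right and only knows about `--dport`/`--sport` after it has loaded the tcp or udp match via `-p tcp`/`-p udp` (or `-m tcp`/`-m udp`). The following checker, an added example that is not part of the original post or the PLUG thread, reads iptables invocations from stdin and reports any line where a port option appears before the protocol match. The function name `check_port_match_order`, the `sample_rules` helper and the sample rules it contains are constructed for this illustration; the checker only recognises the literal protocol names, so a numeric `-p 6` would be reported as a false positive.

```shell
#!/bin/sh
# Added example (not from the original post): flag iptables rules in which
# --dport/--sport appears before the "-p tcp|udp" (or "-m tcp|udp") option
# that loads the port match. Names and sample rules are constructed.

check_port_match_order() {
    # Reads one iptables invocation per line on stdin, prints each offending
    # line, and returns the number of offending lines (0 = all correctly ordered).
    bad=0
    while IFS= read -r line; do
        case "$line" in
            *--dport*|*--sport*) ;;
            *) continue ;;          # no port option on this line, nothing to check
        esac
        # Everything before the first --dport/--sport on the line.
        before=${line%%--[ds]port*}
        case "$before" in
            *"-p tcp"*|*"-p udp"*|*"-m tcp"*|*"-m udp"*|*"--protocol tcp"*|*"--protocol udp"*) ;;
            *)
                printf 'port option precedes protocol match: %s\n' "$line"
                bad=$((bad + 1))
                ;;
        esac
    done
    return "$bad"
}

# Constructed sample: the two rules from the post in their broken order, the
# same rules with -p tcp moved ahead of --dport, and one rule without ports.
sample_rules() {
    cat <<'EOF'
$IPT -A EXT_IP --dport 80 -i $EXT -p tcp -m state --state NEW -j ACCEPT
$IPT -A EXT_IP --dport 22 -i $EXT -p tcp -m state --state NEW -j ACCEPT
$IPT -A EXT_IP -i $EXT -p tcp --dport 80 -m state --state NEW -j ACCEPT
$IPT -A EXT_IP -i $EXT -p tcp --dport 22 -m state --state NEW -j ACCEPT
$IPT -A EXT_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Over the sample, the first two lines are reported and the status is 2.
if sample_rules | check_port_match_order; then
    echo "all rules place the protocol match before the port option"
else
    echo "offending rules: $?"
fi
```

To run it over a firewall script before executing it, feed only the rule lines to the function, for example `grep '^\$IPT' firewall.sh | check_port_match_order`; a non-zero return means at least one rule would be rejected by iptables for an unknown `--dport`/`--sport` argument.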