Firewall questions

JStay at mediageneral.com
Wed Mar 2 09:56:25 MST 2005


Greetings! (long time, no post)

I just got my firewall set up at home - it is a Linksys WRT54G based on
Linux.  So far, I have http, smtp, vpn, and skype all allowed to go out
of the firewall, and I have forwarding with http, smtp, and ssh
(tunneled through the telnet port) all allowed to come into the firewall
and forwarded to another Linux server I have in the closet.  I want
everything to be blocked by default except what I allow through.

What I am trying to do now is get it so that only the Linux box in a
closet at home can access the internet from within the network (instead
of everything in the LAN).  Everything else will proxy through to the
Linux server in my closet.  I have tried:

$IPT -t filter -A FORWARD -s 192.168.1.5 -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT

and disabling the line that gives access to port 80 to the network, but
that disables the internet entirely, including for the Linux box in my
closet.  Anyone know what line I need to add to only allow http access
to 192.168.1.5 from within the LAN?  My firewall script is below.  Also,
any suggestions you have as to how I could write it better are
appreciated:

#!/bin/sh
. /etc/functions.sh

WAN=$(nvram get wan_ifname)
WAN_IP=$(nvram get wan_ipaddr)
WIFI=$(nvram get wifi_ifname)
LAN=$(nvram get lan_ifname)
LAN_IP=$(nvram get lan_ipaddr)

IPT=/usr/sbin/iptables

for T in filter nat mangle ; do
  $IPT -t $T -F
  $IPT -t $T -X
done

# Default: drop all
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t nat --policy PREROUTING ACCEPT

# Allow all traffic on loopback interface 
$IPT -A INPUT -i lo -j ACCEPT 
$IPT -A OUTPUT -o lo -j ACCEPT

# Allow DNS access to firewall
$IPT -A OUTPUT -p udp -o $WAN --dport 53 --sport 1024:65535 -j ACCEPT 
$IPT -A INPUT -p udp -i $WAN --sport 53 --dport 1024:65535 -j ACCEPT

# Allow all internal machines to access router 
$IPT -A INPUT -j ACCEPT -p all -s 192.168.1.0/24 -i $LAN 
$IPT -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o $LAN

$IPT -A FORWARD -j ACCEPT -p all -s 192.168.1.0/24

# port forwarding to closet
# ssh
$IPT -A FORWARD -p tcp -i $WAN --dport 23 -j ACCEPT
$IPT -t nat -A PREROUTING -p tcp -i $WAN --dport 23 -j DNAT --to 192.168.1.5:23
# http
$IPT -A FORWARD -p tcp -i $WAN --dport 80 -j ACCEPT 
$IPT -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 80 -j DNAT --to 192.168.1.5:80
## smtp 
$IPT -A FORWARD -p tcp -i $WAN --dport 25 -j ACCEPT 
$IPT -t nat -A PREROUTING -p tcp -i $WAN --dport 25 -j DNAT --to 192.168.1.5:25

# masquerade internal traffic
$IPT -A POSTROUTING -t nat -o $WAN -s 192.168.1.0/24 -d 0/0 -j MASQUERADE

$IPT -t filter -A FORWARD -m state --state INVALID -j DROP
$IPT -t filter -A FORWARD -i $WAN -m state --state NEW,INVALID -j DROP

# all ports allowed from network through firewall go here 
# web 
#$IPT -t filter -A FORWARD -s 192.168.1.5 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -t filter -A FORWARD -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
# https
$IPT -t filter -A FORWARD -p tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
# smtp
$IPT -t filter -A FORWARD -p tcp --sport 25 -m state --state RELATED,ESTABLISHED -j ACCEPT
# vpn
$IPT -t filter -A FORWARD -p udp --sport 500 -m state --state RELATED,ESTABLISHED -j ACCEPT
# skype
$IPT -t filter -A FORWARD -p udp --sport 1784 -m state --state RELATED,ESTABLISHED -j ACCEPT

####################################
### Jesse Stay                   ###
### Lead Applications Developer  ###
### IMD Classifieds              ###
### Media General, Inc.          ###
### (804)649-6534                ###
####################################
#!/usr/bin/perl
$^=q;@!>~|{>krw>yn{u<$$<Sn||n<|}j=<$$<Yn{u<Qjltn{ > 0gFzD gD,
00Fz, 0,,( 0hF 0g)F/=, 0> "L$/GEIFewe{,$/ 0C$~> "@=,m,|,(e 0.),
01,pnn,y{
rw} >;,$0=q,$,,($_=$^)=~y,$/ C-~><@=\n\r,-~$:-u/
#y,d,s,(\$.),$1,gee,print



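An added example, not part of the post above or of the PLUG thread, showing one way to get the behaviour the post asks for. In the script as posted, the FORWARD rule accepting "-p all -s 192.168.1.0/24" is what lets every LAN host out, and the attempted per-host rule combines "-s 192.168.1.5" with "--sport 80", which matches replies leaving 192.168.1.5's own web server but never the browsing traffic 192.168.1.5 initiates (those replies arrive with the remote server's address as source). The example below keys return traffic on connection state rather than on source port, allows NEW outbound connections to the WAN from 192.168.1.5 only, logs and drops other LAN hosts that try to leave, and pins each port forward's FORWARD accept to the DNAT target host and port. The interface names (vlan1, br0), the forwarded port list and the LOG prefix are assumptions; IPT defaults to "echo iptables" so the script prints the rules it would load instead of loading them until it is pointed at the real binary on the router.

```shell
#!/bin/sh
# Added example (not from the original post). Loads a FORWARD policy in which
# only one LAN host, the closet box at 192.168.1.5 (address taken from the
# post), may originate connections to the WAN; every other LAN host can only
# reach that box, which proxies for them. Return traffic is accepted by
# connection state, not by source port.
#
# Assumptions: interface names, the forwarded port list and the LOG prefix are
# placeholders. IPT defaults to "echo iptables" so the script can be run as a
# normal user to print the rules; set IPT=/usr/sbin/iptables on the router.

IPT="${IPT:-echo iptables}"
WAN="${WAN:-vlan1}"            # assumed WAN interface name
LAN="${LAN:-br0}"              # assumed LAN bridge name
PROXY="${PROXY:-192.168.1.5}"  # the one host allowed out
LAN_NET=192.168.1.0/24
# tcp ports forwarded from the WAN to $PROXY (post: 23 for ssh, 80, 25)
FORWARDED_PORTS="23 80 25"

egress_rules() {
    # 1. Replies to connections already permitted, from either direction.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state INVALID -j DROP
    # 2. Only the proxy host may open new connections towards the WAN.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$PROXY" -m state --state NEW -j ACCEPT
    # 3. Any other LAN host trying to leave is logged (rate limited), then
    #    dropped, so a "no internet" complaint can be traced to this rule.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW \
        -m limit --limit 6/min -j LOG --log-prefix "FWD-DENY: "
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -j DROP
}

ingress_rules() {
    # Port forwards: DNAT in PREROUTING, plus a FORWARD accept pinned to the
    # destination host *and* port, so a later DNAT change cannot silently
    # widen what the WAN can reach inside the LAN.
    for port in $FORWARDED_PORTS; do
        $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport "$port" \
            -j DNAT --to-destination "$PROXY:$port"
        $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$PROXY" --dport "$port" \
            -m state --state NEW -j ACCEPT
    done
    # Anything else arriving from the WAN that is not a reply is dropped.
    $IPT -A FORWARD -i "$WAN" -m state --state NEW -j DROP
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# Self-check helper: how many FORWARD rules accept NEW connections from the
# given source. Only $PROXY should score 1; the LAN as a whole should score 0.
egress_allows_for() {
    egress_rules | grep -c -- "-s $1 -m state --state NEW -j ACCEPT" || true
}

load_all() {
    $IPT -P FORWARD DROP
    egress_rules
    ingress_rules
}

load_all
```

Run it once as an unprivileged user to read the generated rule list and confirm with egress_allows_for that only the proxy address gets an egress allow; then run it on the router with IPT=/usr/sbin/iptables, after the flush and default-policy lines of the existing script and before its INPUT/OUTPUT rules. Because the ESTABLISHED,RELATED rule sits first, nothing else in the chain has to enumerate return ports the way the per-service "--sport" rules in the post do.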