iptables Firewall

Robert Lawrence robertlawrence1281 at gmail.com
Sat Jan 14 10:50:28 MST 2006


I've been having some problems with a firewall script that I've written.
I'm running debian if I run the script at bootup the script doesnt work.  If
i disable the script at bootup and then run it from the command line
everything works as it should but if I run it at bootup I can't connect in
or out until I either flush and rerun the script or simply rerun the
script.  I've added loggin to the input chain and nothing is logged until I
rerun the script.  It's as if the script when run upon bootup locks down
every port but doesnt open the ports I've specified further on in the script
even though I see all of the echoed messages that are placed throughout the
script.

I was wondering if anybody has had a problem similar to this in the past and
has any ideas.  I attached the script as well as the flush script I'm
using.  Any help would be appreciated.

Robert
-------------- next part --------------
#!/bin/sh
# organized by Robert Lawrence
# robert at zyzz dot net
# this script is based on many different scripts from the internet
# I only claim that I was the one who put it together into the format you see now
echo "setting up IPTABLES...."

SAFENET=eth0
INTERNET=eth2
INTERNET_IP=192.168.123.22
DEVELOP=eth1
DEVELOP_IP=192.168.122.22

IPT=/sbin/iptables
MP=/sbin/modprobe

#### turn on required kernel modules
echo "loading modules"
$MP ip_tables
$MP ip_conntrack
$MP iptable_filter
$MP iptable_mangle
$MP iptable_nat
$MP ipt_LOG
$MP ipt_limit
$MP ipt_state
$MP ip_conntrack_ftp
$MP ip_nat_ftp
$MP ipt_MASQUERADE

#$MP ipt_owner
#$MP ipt_REJECT
#$MP ip_conntrack_irc
#$MP ip_nat_irc



#### Set flags
echo "setting flags"
echo " forwarding"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " RP filter"
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter


#### Set default policies
## set default to drop
echo "setting policies"
$IPT -P FORWARD DROP  
$IPT -P INPUT DROP 
## keep allow on any outbound
$IPT -P OUTPUT ACCEPT     

#### DoS protection
##Syn-flood protection:
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
##Furtive port scanner:
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
##Ping of death:
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

#### port forwarding
## SSH
$IPT -A PREROUTING -t nat -p tcp -d $INTERNET_IP --dport 2201 \
        -j DNAT --to 192.168.122.16:22
## HTTP
$IPT -A PREROUTING -t nat -p tcp -d $INTERNET_IP --dport 2202 \
        -j DNAT --to 192.168.122.16:80

#### FORWARDING RULES
echo "setting up forwarding rules"
$IPT -A FORWARD -p ALL -i $SAFENET -j ACCEPT
$IPT -A FORWARD -p ALL -i $DEVELOP -o $INTERNET -j ACCEPT
$IPT -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPT -A FORWARD -p ALL -j LOG --log-prefix "FORWARD "

#### Change source addresses to internet IP
echo "setting up nat"
$IPT -t nat -A POSTROUTING -o $INTERNET -j SNAT --to-source $INTERNET_IP
$IPT -t nat -A POSTROUTING -o $DEVELOP -j SNAT --to-source $DEVELOP_IP



#### INPUT RULES
echo "setting up input rules"
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPT -A INPUT -i $SAFENET -j ACCEPT
echo " localnet"
$IPT -A INPUT -i lo -p ALL -j ACCEPT 
echo " dansguardian"
$IPT -A INPUT -i $SAFENET -p tcp --dport 8080 -j ACCEPT
$IPT -A INPUT -i $SAFENET -p udp --dport 8080 -j ACCEPT
echo " DNS"
$IPT -A INPUT -i ! $INTERNET -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT -i ! $INTERNET -p udp --dport 53 -j ACCEPT
echo " DHCP"
$IPT -A INPUT -i $SAFENET -p udp --dport 67:68 --sport 67:68 -j ACCEPT
#echo " SSH"
#$IPT -A INPUT -i $SAFENET -p tcp --dport 22 -j ACCEPT
echo " Pings"
$IPT -A INPUT -i ! $INTERNET -p ICMP --icmp-type 8 -j ACCEPT
echo " Specifically ignoring netbios!"
$IPT -A INPUT -p udp --dport 137:139 -j DROP
$IPT -A INPUT -p ALL -j LOG --log-prefix "INPUT "
$IPT -A INPUT -j DROP

#### OUTPUT RULES
#$IPT -A OUTPUT -p ALL -j LOG --log-prefix "OUTPUT "


echo "DONE!"











-------------- next part --------------
#!/bin/sh
# 
# rc.flush-iptables - Resets iptables to default values. 
# 
# Copyright (C) 2001  Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA  02111-1307   USA

echo "flushing tables"

#
# Configurations
#
IPTABLES="/sbin/iptables"

#
# reset the default policies in the filter table.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

#
# reset the default policies in the nat table.
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT

#
# reset the default policies in the mangle table.
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT

#
# flush all the rules in the filter and nat tables.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F

#
# erase all chains that's not default in filter and nat table.
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X













More information about the PLUG mailing list