Hi, I wrote an IPTables script. It seems to work fine when the default policies are set as follows:

iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

This obviously isn't the most secure way of doing things. I would like to have the default policies set like this instead:

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

As soon as I do this it breaks the rest of my script and nothing works properly. Could anyone enlighten me on how I can keep the default policy drops and keep my script functional? Also, I would really appreciate any suggestions on more elegant ways of doing things with IPTables. Any suggestions would be great.

Thank you very much,
Brian H.

IPTABLES SCRIPT:

#!/bin/bash

# ----------------------------------------------------- #
# Activate / Deactivate Interfaces
# ----------------------------------------------------- #
ifdown eth0
ifup eth0
ifdown eth1
ifup eth1
ifdown eth0:1
ifup eth0:1
ifdown eth0:2
ifup eth0:2
ifdown eth0:3
ifup eth0:3
ifdown eth0:4
ifup eth0:4
ifdown eth0:5
ifup eth0:5
ifdown eth0:6
ifup eth0:6
ifdown eth0:7
ifup eth0:7
ifdown eth0:8
ifup eth0:8
ifdown eth0:9
ifup eth0:9
ifdown eth0:10
ifup eth0:10
ifdown eth0:11
ifup eth0:11
ifdown eth0:12
ifup eth0:12
ifdown eth0:13
ifup eth0:13

# ----------------------------------------------------- #
# Restart IPTables
# ----------------------------------------------------- #
/etc/init.d/iptables stop
/etc/init.d/iptables start

# ----------------------------------------------------- #
# Default Policies
# ----------------------------------------------------- #
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# ----------------------------------------------------- #
# Flush (policies are not affected by -F, only the rules)
# ----------------------------------------------------- #
iptables -F
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -F -t mangle
iptables -F -t nat
iptables -X

# ----------------------------------------------------- #
# Goodguys list
# ----------------------------------------------------- #
#iptables -A INPUT -s x.x.x.x -j ACCEPT

# ----------------------------------------------------- #
# Enables ip forwarding, and by extension, NAT & masquerading
# ----------------------------------------------------- #
echo '1' > /proc/sys/net/ipv4/ip_forward
iptables --table nat --append POSTROUTING -o eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT

# ----------------------------------------------------- #
# Forward all packets from eth1 (DMZ network) to eth0 (internet)
# ----------------------------------------------------- #
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
iptables -A OUTPUT -o eth0 -j ACCEPT

# ----------------------------------------------------- #
# Forward packets that are part of existing and related connections from eth0 to eth1
# ----------------------------------------------------- #
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# ----------------------------------------------------- #
# Permit packets in to firewall itself that are part of existing and related connections
# ----------------------------------------------------- #
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# ----------------------------------------------------- #
# Allow all inputs to firewall from the internal network and local interfaces
# ----------------------------------------------------- #
iptables -A INPUT -i eth1 -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT

# ----------------------------------------------------- #
# 60.30.135.209 Rules
# ----------------------------------------------------- #
iptables -A POSTROUTING -t nat -s 192.168.1.209 -j SNAT --to-source 60.30.135.209
iptables -A FORWARD -p tcp -s 192.168.1.209 -d 60.30.135.209 -m multiport --destination-port 53 --syn -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.1.209 -d 60.30.135.209 -m multiport --destination-port 53 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type ping -s 192.168.1.209 -d 60.30.135.209 -j ACCEPT
iptables -A PREROUTING -t nat -s 192.168.1.0/24 -i eth1 -d 60.30.135.209 -j DNAT --to 192.168.1.209
iptables -A PREROUTING -t nat -p tcp -m multiport --destination-port 53 -j DNAT --to 192.168.1.209
iptables -A PREROUTING -t nat -p udp -m multiport --destination-port 53 -j DNAT --to 192.168.1.209

# ----------------------------------------------------- #
# 60.30.135.210 Rules
# ----------------------------------------------------- #
iptables -A POSTROUTING -t nat -s 192.168.1.210 -j SNAT --to-source 60.30.135.210
iptables -A FORWARD -p tcp -s 192.168.1.210 -d 60.30.135.210 -m multiport --destination-port 53 --syn -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.1.210 -d 60.30.135.210 -m multiport --destination-port 53 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type ping -s 192.168.1.210 -d 60.30.135.210 -j ACCEPT
iptables -A PREROUTING -t nat -s 192.168.1.0/24 -i eth1 -d 60.30.135.210 -j DNAT --to 192.168.1.210
iptables -A PREROUTING -t nat -p tcp -m multiport --destination-port 53 -j DNAT --to 192.168.1.210
iptables -A PREROUTING -t nat -p udp -m multiport --destination-port 53 -j DNAT --to 192.168.1.210

# ----------------------------------------------------- #
# 60.30.135.211 Rules
# ----------------------------------------------------- #
iptables -A POSTROUTING -t nat -s 192.168.1.211 -j SNAT --to-source 60.30.135.211
iptables -A FORWARD -p tcp -s 192.168.1.211 -d 60.30.135.211 -m multiport --destination-port 1723 --syn -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.1.211 -d 60.30.135.211 -m multiport --destination-port 1723 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type ping -s 192.168.1.211 -d 60.30.135.211 -j ACCEPT
iptables -A PREROUTING -t nat -s 192.168.1.0/24 -i eth1 -d 60.30.135.211 -j DNAT --to 192.168.1.211
iptables -A PREROUTING -t nat -p tcp -m multiport --destination-port 1723 -j DNAT --to 192.168.1.211
iptables -A PREROUTING -t nat -p udp -m multiport --destination-port 1723 -j DNAT --to 192.168.1.211

# ----------------------------------------------------- #
# 60.30.135.212 Rules
# ----------------------------------------------------- #
iptables -A POSTROUTING -t nat -s 192.168.1.212 -j SNAT --to-source 60.30.135.212
iptables -A FORWARD -p tcp -s 192.168.1.212 -d 60.30.135.212 -m multiport --destination-port 443,25 --syn -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.1.212 -d 60.30.135.212 -m multiport --destination-port 443,25 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type ping -s 192.168.1.212 -d 60.30.135.212 -j ACCEPT
iptables -A PREROUTING -t nat -s 192.168.1.0/24 -i eth1 -d 60.30.135.212 -j DNAT --to 192.168.1.212
iptables -A PREROUTING -t nat -p tcp -m multiport --destination-port 443,25 -j DNAT --to 192.168.1.212
iptables -A PREROUTING -t nat -p udp -m multiport --destination-port 443,25 -j DNAT --to 192.168.1.212

# ----------------------------------------------------- #
# 60.30.135.213 Rules
# ----------------------------------------------------- #
iptables -A POSTROUTING -t nat -s 192.168.1.213 -j SNAT --to-source 60.30.135.213
iptables -A FORWARD -p tcp -s 192.168.1.213 -d 60.30.135.213 -m multiport --destination-port 53 --syn -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.1.213 -d 60.30.135.213 -m multiport --destination-port 53 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type ping -s 192.168.1.213 -d 60.30.135.213 -j ACCEPT
iptables -A PREROUTING -t nat -s 192.168.1.0/24 -i eth1 -d 60.30.135.213 -j DNAT --to 192.168.1.213
iptables -A PREROUTING -t nat -p tcp -m multiport --destination-port 53 -j DNAT --to 192.168.1.213
iptables -A PREROUTING -t nat -p udp -m multiport --destination-port 53 -j DNAT --to 192.168.1.213

# ----------------------------------------------------- #
# 60.30.135.214 Rules
# ----------------------------------------------------- #
iptables -A POSTROUTING -t nat -s 192.168.1.214 -j SNAT --to-source 60.30.135.214
iptables -A FORWARD -p tcp -s 192.168.1.214 -d 60.30.135.214 -m multiport --destination-port 53 --syn -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.1.214 -d 60.30.135.214 -m multiport --destination-port 53 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type ping -s 192.168.1.214 -d 60.30.135.214 -j ACCEPT
iptables -A PREROUTING -t nat -s 192.168.1.0/24 -i eth1 -d 60.30.135.214 -j DNAT --to 192.168.1.214
iptables -A PREROUTING -t nat -p tcp -m multiport --destination-port 53 -j DNAT --to 192.168.1.214
iptables -A PREROUTING -t nat -p udp -m multiport --destination-port 53 -j DNAT --to 192.168.1.214

# ----------------------------------------------------- #
# 60.30.135.215 Rules
# ----------------------------------------------------- #
iptables -A POSTROUTING -t nat -s 192.168.1.215 -j SNAT --to-source 60.30.135.215
iptables -A FORWARD -p tcp -s 192.168.1.215 -d 60.30.135.215 -m multiport --destination-port 53,80,443 --syn -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.1.215 -d 60.30.135.215 -m multiport --destination-port 53 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type ping -s 192.168.1.215 -d 60.30.135.215 -j ACCEPT
iptables -A PREROUTING -t nat -s 192.168.1.0/24 -i eth1 -d 60.30.135.215 -j DNAT --to 192.168.1.215
iptables -A PREROUTING -t nat -p tcp -m multiport --destination-port 53,80,443 -j DNAT --to 192.168.1.215
iptables -A PREROUTING -t nat -p udp -m multiport --destination-port 53 -j DNAT --to 192.168.1.215

# ----------------------------------------------------- #
# 60.30.135.216 Rules
# ----------------------------------------------------- #
iptables -A POSTROUTING -t nat -s 192.168.1.216 -j SNAT --to-source 60.30.135.216
iptables -A FORWARD -p tcp -s 192.168.1.216 -d 60.30.135.216 -m multiport --destination-port 53 --syn -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.1.216 -d 60.30.135.216 -m multiport --destination-port 53 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type ping -s 192.168.1.216 -d 60.30.135.216 -j ACCEPT
iptables -A PREROUTING -t nat -s 192.168.1.0/24 -i eth1 -d 60.30.135.216 -j DNAT --to 192.168.1.216
iptables -A PREROUTING -t nat -p tcp -m multiport --destination-port 53 -j DNAT --to 192.168.1.216
iptables -A PREROUTING -t nat -p udp -m multiport --destination-port 53 -j DNAT --to 192.168.1.216

# ----------------------------------------------------- #
# 60.30.135.217 Rules (FIREWALL)
# ----------------------------------------------------- #
iptables -A POSTROUTING -t nat -s 192.168.1.1 -j SNAT --to-source 60.30.135.217
iptables -A PREROUTING -t nat -s 192.168.1.0/24 -i eth1 -d 60.30.135.217 -j DNAT --to 192.168.1.1

# ----------------------------------------------------- #
# 60.30.135.218 Rules
# ----------------------------------------------------- #
iptables -A POSTROUTING -t nat -s 192.168.1.218 -j SNAT --to-source 60.30.135.218
iptables -A FORWARD -p tcp -s 192.168.1.218 -d 60.30.135.218 -m multiport --destination-port 53 --syn -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.1.218 -d 60.30.135.218 -m multiport --destination-port 53 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type ping -s 192.168.1.218 -d 60.30.135.218 -j ACCEPT
iptables -A PREROUTING -t nat -s 192.168.1.0/24 -i eth1 -d 60.30.135.218 -j DNAT --to 192.168.1.218
iptables -A PREROUTING -t nat -p tcp -m multiport --destination-port 53 -j DNAT --to 192.168.1.218
iptables -A PREROUTING -t nat -p udp -m multiport --destination-port 53 -j DNAT --to 192.168.1.218

# ----------------------------------------------------- #
# 60.30.135.219 Rules
# ----------------------------------------------------- #
iptables -A POSTROUTING -t nat -s 192.168.1.219 -j SNAT --to-source 60.30.135.219
iptables -A FORWARD -p tcp -s 192.168.1.219 -d 60.30.135.219 -m multiport --destination-port 53 --syn -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.1.219 -d 60.30.135.219 -m multiport --destination-port 53 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type ping -s 192.168.1.219 -d 60.30.135.219 -j ACCEPT
iptables -A PREROUTING -t nat -s 192.168.1.0/24 -i eth1 -d 60.30.135.219 -j DNAT --to 192.168.1.219
iptables -A PREROUTING -t nat -p tcp -m multiport --destination-port 53 -j DNAT --to 192.168.1.219
iptables -A PREROUTING -t nat -p udp -m multiport --destination-port 53 -j DNAT --to 192.168.1.219

# ----------------------------------------------------- #
# 60.30.135.220 Rules
# ----------------------------------------------------- #
iptables -A POSTROUTING -t nat -s 192.168.1.220 -j SNAT --to-source 60.30.135.220
iptables -A FORWARD -p tcp -s 192.168.1.220 -d 60.30.135.220 -m multiport --destination-port 53 --syn -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.1.220 -d 60.30.135.220 -m multiport --destination-port 53 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type ping -s 192.168.1.220 -d 60.30.135.220 -j ACCEPT
iptables -A PREROUTING -t nat -s 192.168.1.0/24 -i eth1 -d 60.30.135.220 -j DNAT --to 192.168.1.220
iptables -A PREROUTING -t nat -p tcp -m multiport --destination-port 53 -j DNAT --to 192.168.1.220
iptables -A PREROUTING -t nat -p udp -m multiport --destination-port 53 -j DNAT --to 192.168.1.220

# ----------------------------------------------------- #
# 60.30.135.221 Rules
# ----------------------------------------------------- #
iptables -A POSTROUTING -t nat -s 192.168.1.221 -j SNAT --to-source 60.30.135.221
iptables -A FORWARD -p tcp -s 192.168.1.221 -d 60.30.135.221 -m multiport --destination-port 53,80 --syn -j ACCEPT
iptables -A FORWARD -p udp -s 192.168.1.221 -d 60.30.135.221 -m multiport --destination-port 53 -j ACCEPT
iptables -A FORWARD -p icmp --icmp-type ping -s 192.168.1.221 -d 60.30.135.221 -j ACCEPT
iptables -A PREROUTING -t nat -s 192.168.1.0/24 -i eth1 -d 60.30.135.221 -j DNAT --to 192.168.1.221
iptables -A PREROUTING -t nat -p tcp -m multiport --destination-port 53,80 -j DNAT --to 192.168.1.221
iptables -A PREROUTING -t nat -p udp -m multiport --destination-port 53 -j DNAT --to 192.168.1.221
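Added example (editor's code, not Brian's script and not an answer from the list): a default-DROP version of the same NAT/DMZ setup, showing the three things a policy of DROP on all chains needs that the posted script lacks. First, the firewall host itself needs OUTPUT rules for loopback and for eth1, plus an ESTABLISHED,RELATED rule on OUTPUT, otherwise the box cannot even answer the internal network. Second, FORWARD is evaluated after nat PREROUTING has already rewritten the destination, so a DNAT'd packet arrives in FORWARD with the private address as its destination and the Internet client as its source; a FORWARD rule matching `-s 192.168.1.x -d 60.30.135.x` never sees such a packet, and under ACCEPT policies that goes unnoticed. Third, nat POSTROUTING is first-match, so the catch-all MASQUERADE has to come after the per-host SNAT rules or the per-host rules are dead. Interface names, addresses and ports are taken from the post; only three of the hosts are listed, and the eth1-to-public-address (hairpin) DNAT rules from the post are left out. The script is dry-run by default and only prints the iptables commands; `--apply` (as root) runs them.

```shell
#!/bin/bash
# Added example (not the poster's script): default-DROP NAT/DMZ firewall.
# Interfaces, addresses and ports are assumed from the post above.
# Dry-run by default: prints the iptables commands it would run.
# Pass --apply (as root) to execute them.
set -eu

WAN=eth0                 # assumed Internet-facing interface
LAN=eth1                 # assumed DMZ/internal interface
LAN_NET=192.168.1.0/24
IPT="echo iptables"      # dry-run; --apply swaps in the real binary

# Policies survive a flush, so set them before flushing: if a later rule
# fails to load, the box fails closed rather than open.
reset_tables() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    for t in filter nat mangle; do
        $IPT -t "$t" -F
        $IPT -t "$t" -X
    done
}

# What the firewall host itself needs once INPUT/OUTPUT default to DROP:
# loopback, replies to its own connections, and a way to reach both
# networks. Without the OUTPUT rules even the box's own DNS lookups die.
base_rules() {
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done
    $IPT -A INPUT   -m conntrack --ctstate INVALID -j DROP
    $IPT -A FORWARD -m conntrack --ctstate INVALID -j DROP
    $IPT -A OUTPUT -o "$WAN" -j ACCEPT
    $IPT -A OUTPUT -o "$LAN" -j ACCEPT
    $IPT -A INPUT  -i "$LAN" -s "$LAN_NET" -j ACCEPT
}

# publish_host PUBLIC_IP PRIVATE_IP TCP_PORTS UDP_PORTS
# Port lists use multiport syntax (comma-separated); "" means none.
publish_host() {
    local pub=$1 priv=$2 tcp=$3 udp=$4
    # Outbound 1:1 NAT: the host leaves with its own public address.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$priv" -j SNAT --to-source "$pub"
    # Inbound: PREROUTING rewrites the public address before routing...
    $IPT -t nat -A PREROUTING -i "$WAN" -d "$pub" -j DNAT --to-destination "$priv"
    # ...so FORWARD sees the PRIVATE address and must match on that.
    if [ -n "$tcp" ]; then
        $IPT -A FORWARD -i "$WAN" -o "$LAN" -p tcp -d "$priv" \
            -m multiport --dports "$tcp" -m conntrack --ctstate NEW -j ACCEPT
    fi
    if [ -n "$udp" ]; then
        $IPT -A FORWARD -i "$WAN" -o "$LAN" -p udp -d "$priv" \
            -m multiport --dports "$udp" -m conntrack --ctstate NEW -j ACCEPT
    fi
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -p icmp --icmp-type echo-request \
        -d "$priv" -j ACCEPT
}

main() {
    reset_tables
    base_rules
    # Three of the hosts from the post; the rest follow the same pattern.
    publish_host 60.30.135.209 192.168.1.209 53        53
    publish_host 60.30.135.212 192.168.1.212 443,25    ""
    publish_host 60.30.135.215 192.168.1.215 53,80,443 53
    # LAN -> Internet for everything else. nat POSTROUTING is first-match,
    # so this catch-all MASQUERADE must come AFTER the per-host SNAT rules.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

if [ "${1:-}" = "--apply" ]; then
    IPT=iptables
    echo 1 > /proc/sys/net/ipv4/ip_forward
fi
main
```

Run it without arguments first and read the generated rule list top to bottom; the order matters as much as the content. When applying on a remote box, keep a second session open or wrap the call in something like `(sleep 60 && iptables -P INPUT ACCEPT) &` until the rules are confirmed, since a mistake in a DROP-policy script locks you out. The `-m state --state` syntax in the post still works; `-m conntrack --ctstate` is the same match under its current name.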
