Dear my generous friend, Kinglok. Thank you very much for your help.
You helped me a lot. Thank you a thousand times. You solved my problem.

--- On Sat, 31/1/09, Kinglok, FONG <[email protected]> wrote:

> From: Kinglok, FONG <[email protected]>
> Subject: Re: my debian does not read my own iptables script
> To: [email protected], [email protected]
> Date: Saturday, 31 January 2009, 6:51 AM
>
> Hi,
>
> I have rewritten your script as follows.
>
> 1. Ensure there is nothing like selinux running in your machine.
> 2. Telnet is not recommended since it transmits in plain text, including your password. Use SSH instead.
> 3. ICMP message control, source address spoofing and logging are not included in the script.
> 4. I prefer that the route set-up is done through rc.local instead of the firewall script, and the default gateway should be defined in /etc/network/interfaces.
> 5. I have not tested the script.
>
> Kinglok, FONG.
>
> ----------------------------------Start------------------------------------------
> #!/bin/bash
>
> ###############################################################
> # Adding default gateway
> /sbin/route add default gateway 202.155.0.1
>
> ###############################################################
> # Initialize some parameters
> INET_INTERFACE="eth5"
> LAN_INTERFACE="eth2"
> LOOPBACK_INTERFACE="lo"
>
> IPT="/sbin/iptables"
> INET_ADDR="202.155.0.1"
> LAN_ADDR="192.168.23.2"
> LAN_SSH="192.168.23.20"          # SSH server in LAN
> LAN_ADDRESSES="192.168.23.0/24"  # LAN address range
> LAN_DNS=""                       # Please specify your DNS server in LAN
>
> FTPPORT="21"
> SSHPORT="22"
> TELNETPORT="23"
> DNSPORT="53"
> UNPRIVPORTS="1024:65535"         # unprivileged port range
>
> ###############################################################
> # Enable connection tracking for FTP
>
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_nat_ftp
>
> ###############################################################
> # Initialization
>
> # Enable IP forwarding since it is disabled by default
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # Enable broadcast echo Protection (default: 1)
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> # Disable Source Routed Packets (default: 0)
> for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
>     echo 0 > $f
> done
>
> # Enable TCP SYN Cookie Protection (default: 1)
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
> # Disable ICMP Redirect Acceptance (default: 0)
> for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
>     echo 0 > $f
> done
>
> # Do not send Redirect Messages (default: 0)
> for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
>     echo 0 > $f
> done
>
> # Drop Spoofed Packets coming in on an interface, which if replied to, would
> # result in the reply going out a different interface. (default: 1)
> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>     echo 1 > $f
> done
>
> # Log packets with impossible addresses. (default: 1)
> for f in /proc/sys/net/ipv4/conf/*/log_martians; do
>     echo 0 > $f
> done
>
> ###############################################################
> # Remove any existing rules from all chains
> $IPT --flush
> $IPT -t nat --flush
> $IPT -t mangle --flush
> $IPT -X
> $IPT -t nat -X
> $IPT -t mangle -X
> $IPT --policy INPUT ACCEPT
> $IPT --policy OUTPUT ACCEPT
> $IPT --policy FORWARD ACCEPT
> $IPT -t nat --policy PREROUTING ACCEPT
> $IPT -t nat --policy OUTPUT ACCEPT
> $IPT -t nat --policy POSTROUTING ACCEPT
> $IPT -t mangle --policy PREROUTING ACCEPT
> $IPT -t mangle --policy OUTPUT ACCEPT
> if [ "$1" = "stop" ]; then
>     echo "Firewall completely stopped! WARNING: THIS HOST HAS NO FIREWALL RUNNING."
>     exit
> fi
>
> # Unlimited traffic on the loopback interface
> $IPT -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
> $IPT -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
>
> # Set the default policy to drop
> $IPT --policy INPUT DROP
> $IPT --policy OUTPUT DROP
> $IPT --policy FORWARD DROP
>
> ###############################################################
> # NAT rules
> # Opening port 23 (telnet) to internet is not recommended, open port 22 for SSH instead
> # (iptables accepts only one -p per rule)
> $IPT -t nat -A PREROUTING -p tcp -i $INET_INTERFACE --sport $UNPRIVPORTS -d $INET_ADDR --dport $SSHPORT -j DNAT --to-destination $LAN_SSH
>
> # There is no need for NAT inside LAN
> #$IPT -t nat -I PREROUTING -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -d 192.168.23.2 --dport 23 -j DNAT --to-destination 192.168.23.20:23
>
> # NAT rules for Reaching Internet Space
> $IPT -t nat -A POSTROUTING -p tcp -o $INET_INTERFACE -s $LAN_ADDRESSES -j SNAT --to-source $INET_ADDR
> # There is no need for NAT to reach other addresses situated in LAN
> #$IPT -t nat -A POSTROUTING -p tcp -o $LAN_INTERFACE -d $LAN_ADDRESSES -j SNAT --to-source 192.168.23.2
>
> # It is not recommended to allow all icmp messages
> #$IPT -t nat -I POSTROUTING -p icmp -o $INET_INTERFACE -d 0/0 -j SNAT --to-source 202.155.0.1
> #$IPT -t nat -I POSTROUTING -p icmp -o $LAN_INTERFACE -d $LAN_ADDRESSES -j SNAT --to-source 192.168.23.2
>
> ###############################################################
> # Using Connection State to By-pass Rule Checking
> $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> ###############################################################
> # Open needed ports
> $IPT -A INPUT -i $LAN_INTERFACE -s $LAN_ADDRESSES -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
> #$IPT -A INPUT -i $INET_INTERFACE -s 0/0 -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT # Not recommended
>
> $IPT -A OUTPUT -o $LAN_INTERFACE -d $LAN_ADDRESSES -p icmp --icmp-type echo-reply -m state --state NEW -j ACCEPT
> $IPT -A OUTPUT -o $INET_INTERFACE -p icmp --icmp-type echo-reply -m state --state NEW -j ACCEPT
>
> $IPT -A INPUT -i $LAN_INTERFACE -p tcp --dport $FTPPORT -m state --state NEW -j ACCEPT
> $IPT -A INPUT -i $LAN_INTERFACE -p tcp --dport $SSHPORT -m state --state NEW -j ACCEPT
> $IPT -A INPUT -i $LAN_INTERFACE -p tcp --dport $TELNETPORT -m state --state NEW -j ACCEPT
> $IPT -A INPUT -i $LAN_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
>
> $IPT -A INPUT -i $INET_INTERFACE -p tcp --dport $FTPPORT -m state --state NEW -j ACCEPT
> $IPT -A INPUT -i $INET_INTERFACE -p tcp --dport $SSHPORT -m state --state NEW -j ACCEPT
> # $IPT -A INPUT -i $INET_INTERFACE -p tcp --dport 23 -j ACCEPT # Not recommended
> $IPT -A INPUT -i $INET_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
>
> $IPT -A OUTPUT -o $LAN_INTERFACE -p tcp --dport $FTPPORT -m state --state NEW -j ACCEPT
> $IPT -A OUTPUT -o $LAN_INTERFACE -p tcp --dport $SSHPORT -m state --state NEW -j ACCEPT
> $IPT -A OUTPUT -o $LAN_INTERFACE -p tcp --dport $TELNETPORT -m state --state NEW -j ACCEPT
> $IPT -A OUTPUT -o $LAN_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
>
> $IPT -A OUTPUT -o $INET_INTERFACE -p tcp --dport $FTPPORT -m state --state NEW -j ACCEPT
> $IPT -A OUTPUT -o $INET_INTERFACE -p tcp --dport $SSHPORT -m state --state NEW -j ACCEPT
> $IPT -A OUTPUT -o $INET_INTERFACE -p tcp --dport $TELNETPORT -m state --state NEW -j ACCEPT
> $IPT -A OUTPUT -o $INET_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
>
> $IPT -A FORWARD -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o $INET_INTERFACE --dport $FTPPORT -m state --state NEW -j ACCEPT
> $IPT -A FORWARD -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o $INET_INTERFACE --dport $SSHPORT -m state --state NEW -j ACCEPT
> $IPT -A FORWARD -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o $INET_INTERFACE --dport $TELNETPORT -m state --state NEW -j ACCEPT
> $IPT -A FORWARD -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o $INET_INTERFACE --dport $DNSPORT -m state --state NEW -j ACCEPT
>
> $IPT -A FORWARD -p tcp -i $INET_INTERFACE -o $LAN_INTERFACE -d $LAN_ADDRESSES --dport $FTPPORT -m state --state NEW -j ACCEPT
> # iptables accepts only one -d per rule; the single host is the more specific match
> $IPT -A FORWARD -p tcp -i $INET_INTERFACE -o $LAN_INTERFACE -d $LAN_SSH --dport $SSHPORT -m state --state NEW -j ACCEPT
> # $IPT -A FORWARD -p tcp -i $INET_INTERFACE -s 0/0 -o $LAN_INTERFACE -d $LAN_ADDRESSES --dport 23 -m state --state NEW -j ACCEPT # Not recommended
> $IPT -A FORWARD -p tcp -i $INET_INTERFACE -o $LAN_INTERFACE -d $LAN_DNS --dport $DNSPORT -m state --state NEW -j ACCEPT
>
> -------------------------------------------------End-------------------------------------------
>
> ----- Original Message -----
> From: "Patrik Hasibuan" <[email protected]>
> To: <[email protected]>
> Sent: Wednesday, January 28, 2009 3:36 PM
> Subject: my debian does not read my own iptables script
>
>
> Dear my friends,
>
> I am building a firewall with Debian Sarge on my internet gateway. But it looks like my debian does not read my iptables script after I run my own iptables script.
>
> This is the result of the firewall on my debian-box. '192.168.23.0' is the subnet of my internal LAN. eth2 faces my internal LAN, whose IP is '192.168.23.2', and eth5 faces my ISP, whose IP is '202.155.0.1':
> ==
> nmap 192.168.23.2
>
> Starting Nmap 4.20 ( http://insecure.org ) at 2009-01-28 15:12 WIT
> Interesting ports on 192.168.23.2:
> Not shown: 1692 closed ports
> PORT    STATE SERVICE
> 22/tcp  open  ssh
> 25/tcp  open  smtp
> 111/tcp open  rpcbind
> 113/tcp open  auth
> 515/tcp open  printer
>
> Nmap finished: 1 IP address (1 host up) scanned in 13.029 seconds
> ==
> nmap 202.155.0.1
>
> Starting Nmap 4.20 ( http://insecure.org ) at 2009-01-28 15:12 WIT
> Interesting ports on 202.155.0.1:
> Not shown: 1693 closed ports
> PORT    STATE SERVICE
> 22/tcp  open  ssh
> 111/tcp open  rpcbind
> 113/tcp open  auth
> 515/tcp open  printer
>
> Nmap finished: 1 IP address (1 host up) scanned in 14.010 seconds
> ==
> I haven't opened rpcbind, auth, printer. And 21, 23, 53 are not opened by my iptables. Where is the mistake? Please tell me. I am new to debian and iptables. Usually I use OpenSuSE and SuSEfirewall2 and I configure the firewall with YaST2 so easily. But now I want to get close to debian too. And I am stuck on this case.
> ==
> here is my script
> ==
> #!/bin/bash
> #Zero...zero...from beginning
> iptables -F
>
> route add default gateway 202.155.0.1
>
> #Log....them
> iptables -I INPUT -j LOG
> iptables -I OUTPUT -j LOG
> iptables -I FORWARD -j LOG
>
> #Open needed ports
> iptables -I INPUT -i eth2 -s 192.168.23.0/24 -p icmp --icmp-type echo-request -j ACCEPT
> iptables -I INPUT -i eth5 -s 0/0 -p icmp --icmp-type echo-request -j ACCEPT
> iptables -I OUTPUT -o eth2 -d 192.168.23.0/24 -p icmp --icmp-type echo-reply -j ACCEPT
> iptables -I OUTPUT -o eth5 -d 0/0 -p icmp --icmp-type echo-reply -j ACCEPT
>
> iptables -I INPUT -i eth2 -p tcp --dport 21 -j ACCEPT
> iptables -I INPUT -i eth2 -p tcp --dport 22 -j ACCEPT
> iptables -I INPUT -i eth2 -p tcp --dport 23 -j ACCEPT
> iptables -I INPUT -i eth2 -p udp --dport 53 -j ACCEPT
>
> iptables -I INPUT -i eth5 -p tcp --dport 21 -j ACCEPT
> iptables -I INPUT -i eth5 -p tcp --dport 22 -j ACCEPT
> iptables -I INPUT -i eth5 -p tcp --dport 23 -j ACCEPT
> iptables -I INPUT -i eth5 -p udp --dport 53 -j ACCEPT
>
> iptables -I OUTPUT -o eth2 -p tcp --dport 21 -j ACCEPT
> iptables -I OUTPUT -o eth2 -p tcp --dport 22 -j ACCEPT
> iptables -I OUTPUT -o eth2 -p tcp --dport 23 -j ACCEPT
> iptables -I OUTPUT -o eth2 -p udp --dport 53 -j ACCEPT
>
> iptables -I OUTPUT -o eth5 -p tcp --dport 21 -j ACCEPT
> iptables -I OUTPUT -o eth5 -p tcp --dport 22 -j ACCEPT
> iptables -I OUTPUT -o eth5 -p tcp --dport 23 -j ACCEPT
> iptables -I OUTPUT -o eth5 -p udp --dport 53 -j ACCEPT
>
> iptables -I FORWARD -p tcp -i eth2 -s 192.168.23.0/24 -o eth5 -d 0/0 --dport 21 -j ACCEPT
> iptables -I FORWARD -p tcp -i eth2 -s 192.168.23.0/24 -o eth5 -d 0/0 --dport 22 -j ACCEPT
> iptables -I FORWARD -p tcp -i eth2 -s 192.168.23.0/24 -o eth5 -d 0/0 --dport 23 -j ACCEPT
> iptables -I FORWARD -p tcp -i eth2 -s 192.168.23.0/24 -o eth5 -d 0/0 --dport 53 -j ACCEPT
>
> iptables -I FORWARD -p tcp -i eth5 -s 0/0 -o eth2 -d 192.168.23.0/24 --dport 21 -j ACCEPT
> iptables -I FORWARD -p tcp -i eth5 -s 0/0 -o eth2 -d 192.168.23.0/24 --dport 22 -j ACCEPT
> iptables -I FORWARD -p tcp -i eth5 -s 0/0 -o eth2 -d 192.168.23.0/24 --dport 23 -j ACCEPT
> iptables -I FORWARD -p tcp -i eth5 -s 0/0 -o eth2 -d 192.168.23.0/24 --dport 53 -j ACCEPT
>
> iptables -t nat -I POSTROUTING -p icmp -o eth5 -d 0/0 -j SNAT --to-source 202.155.0.1
> iptables -t nat -I POSTROUTING -p icmp -o eth2 -d 192.168.23.0/24 -j SNAT --to-source 192.168.23.2
>
> iptables -t nat -I POSTROUTING -p tcp -o eth5 -d 0/0 -j SNAT --to-source 202.155.0.1
> iptables -t nat -I POSTROUTING -p tcp -o eth2 -d 192.168.23.0/24 -j SNAT --to-source 192.168.23.2
>
> iptables -t nat -I PREROUTING -p tcp -i eth5 -s 0/0 -d 202.155.0.1 --dport 23 -j DNAT --to-destination 192.168.23.20:23
> iptables -t nat -I PREROUTING -p tcp -i eth2 -s 192.168.23.0/24 -d 192.168.23.2 --dport 23 -j DNAT --to-destination 192.168.23.20:23
>
>
> --
> To UNSUBSCRIBE, email to [email protected]
> with a subject of "unsubscribe". Trouble? Contact [email protected]
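To make the difference between the two scripts concrete, here is an added Python model of iptables first-match chain traversal (example code, not part of either script in the thread). It rebuilds the INPUT chain of both scripts: Patrik's version inserts ACCEPT rules but never changes the chain policy, so a packet that no rule matches (rpcbind on tcp/111, for instance) falls through to the default policy ACCEPT, which is how the scan can list ports the script never mentions; Kinglok's version sets the policy to DROP and admits only ESTABLISHED,RELATED traffic plus the explicit NEW rules. It also shows what `-I` does to rule order. Interfaces and ports are the ones quoted in the thread; the packets are constructed for the demonstration; ICMP types, addresses and the OUTPUT/FORWARD chains are left out, and no real iptables is invoked.

```python
"""Toy model of iptables chain traversal (added example; not from the thread).

First-match semantics: rules are tried in order, the first terminating
target decides, LOG is non-terminating, and an unmatched packet gets the
chain policy. Packets are constructed; interface and port values are the
ones used in the two scripts above.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Packet:
    iface: str
    proto: str
    dport: Optional[int] = None
    state: str = "NEW"          # conntrack state as -m state would see it


@dataclass
class Rule:
    target: str
    iface: Optional[str] = None       # -i
    proto: Optional[str] = None       # -p
    dport: Optional[int] = None       # --dport
    states: Optional[Set[str]] = None  # -m state --state ...; None = no state match

    def matches(self, pkt: Packet) -> bool:
        # Every specified match must hold; unspecified matches accept anything.
        return (
            (self.iface is None or self.iface == pkt.iface)
            and (self.proto is None or self.proto == pkt.proto)
            and (self.dport is None or self.dport == pkt.dport)
            and (self.states is None or pkt.state in self.states)
        )


@dataclass
class Chain:
    policy: str = "ACCEPT"   # the kernel default for filter-table chains
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:   # iptables -A: goes to the end
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:   # iptables -I: goes to position 1
        self.rules.insert(0, rule)

    def verdict(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.target == "LOG":
                    continue            # LOG only logs; traversal continues
                return rule.target
        return self.policy              # nothing matched: the policy decides


def patrik_input_chain() -> Chain:
    """Patrik's script: everything via -I, chain policy never changed."""
    c = Chain()                          # policy stays ACCEPT
    c.insert(Rule("LOG"))
    c.insert(Rule("ACCEPT", "eth2", "icmp"))
    c.insert(Rule("ACCEPT", "eth5", "icmp"))
    for iface in ("eth2", "eth5"):
        for proto, port in (("tcp", 21), ("tcp", 22), ("tcp", 23), ("udp", 53)):
            c.insert(Rule("ACCEPT", iface, proto, port))
    return c


def kinglok_input_chain() -> Chain:
    """Kinglok's rewrite: policy DROP, stateful bypass, explicit NEW rules."""
    c = Chain(policy="DROP")
    c.append(Rule("ACCEPT", "lo"))
    c.append(Rule("ACCEPT", states={"ESTABLISHED", "RELATED"}))
    new = {"NEW"}
    c.append(Rule("ACCEPT", "eth2", "icmp", states=new))
    for proto, port in (("tcp", 21), ("tcp", 22), ("tcp", 23), ("udp", 53)):
        c.append(Rule("ACCEPT", "eth2", proto, port, states=new))
    for proto, port in (("tcp", 21), ("tcp", 22), ("udp", 53)):  # no telnet on eth5
        c.append(Rule("ACCEPT", "eth5", proto, port, states=new))
    return c


def compare(pkt: Packet) -> dict:
    """Verdict of the same packet under both INPUT chains."""
    return {"patrik": patrik_input_chain().verdict(pkt),
            "kinglok": kinglok_input_chain().verdict(pkt)}


if __name__ == "__main__":
    for pkt in (Packet("eth5", "tcp", 111),                 # rpcbind, listed as open
                Packet("eth5", "tcp", 23),                  # telnet from the internet
                Packet("eth5", "tcp", 22),                  # ssh from the internet
                Packet("eth5", "tcp", 111, "ESTABLISHED")):  # reply to our own connection
        print(pkt, compare(pkt))
```

Two things fall out of running it: under Patrik's chain every probe ends in ACCEPT because the policy was never set, and his repeated `-I` leaves the LOG rule last and the rules in reverse order of the script, which is harmless here only because LOG is non-terminating. Under Kinglok's chain tcp/111 and tcp/23 from eth5 are dropped while an ESTABLISHED reply on any port is still accepted by the state rule.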

