Hi All,

I am trying to configure a Linux box as a firewall. I am using the set of iptables rules shown at the bottom of this message for this task.

While using Nmap, it shows some open ports, like smtp, http, https and domain, which I have directed (DNAT) to the internal servers [Web Server, Mail Server, SSH and DNS server] through iptables. Is there any possible way to hide/stealth these ports? I want to make this firewall run in stealth mode (no visible ports).

--------------------------------Starts Here ------
# Internal Interface
INTIF="eth0"
# Internal NETWORK address
INTNET="10.0.0.0/24"
# Enter the IP address of the Internal Interface
INTIP="10.0.0.204/24"
ISP=a.b.c.d
# External Interface & External IP
EXTIF="eth1"
EXTIP="e.f.g.h"

# Load the netfilter modules (connection tracking, NAT and the FTP/IRC helpers)
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

# IP forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
UNIVERSE="0/0"

# Clear any existing rules and set the default policy to DROP
iptables -P INPUT DROP
iptables -F INPUT
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -F -t nat
iptables -X
iptables -Z

# Custom chain: log the packet, then reject it
iptables -N drop-and-log-it
iptables -A drop-and-log-it -j LOG --log-level info
iptables -A drop-and-log-it -j REJECT
# Log everything seen on the external interface
iptables -A INPUT -i eth1 -j LOG
iptables -A OUTPUT -o eth1 -j LOG

# INPUT rulesets
iptables -A INPUT -i lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
iptables -A INPUT -i $INTIF -s $INTNET -d $UNIVERSE -j ACCEPT
iptables -A INPUT -i $EXTIF -s $INTNET -d $UNIVERSE -j drop-and-log-it
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -j ACCEPT
iptables -A INPUT -i $EXTIF -s $UNIVERSE -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

# OUTPUT Rule
iptables -A OUTPUT -o lo -s $UNIVERSE -d $UNIVERSE -j ACCEPT
iptables -A OUTPUT -o $INTIF -s $EXTIP -d $INTNET -j ACCEPT
iptables -A OUTPUT -o $INTIF -s $INTIP -d $INTNET -j ACCEPT
iptables -A OUTPUT -o $EXTIF -s $UNIVERSE -d $INTNET -j drop-and-log-it
iptables -A OUTPUT -o $EXTIF -s $EXTIP -d $UNIVERSE -j ACCEPT
iptables -A OUTPUT -s $UNIVERSE -d $UNIVERSE -j drop-and-log-it

# Loading FORWARD rulesets
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT

# Forwarding Incoming Traffic to Servers
iptables -A FORWARD -i $EXTIF -o $INTIF -d 10.0.0.10 -p tcp --dport 25 -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -d 10.0.0.6 -p tcp --dport 80 -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -d 10.0.0.6 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -d 10.0.0.204 -p tcp --dport 53 -j ACCEPT
iptables -A FORWARD -j drop-and-log-it

# Enable SNAT
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
iptables -t nat -A POSTROUTING -o $EXTIF -s 10.0.0.10 -d 0/0 -p tcp --sport 25 -j SNAT --to $EXTIP:25
iptables -t nat -A POSTROUTING -o $EXTIF -s 10.0.0.6 -d 0/0 -p tcp --sport 80 -j SNAT --to $EXTIP:80
iptables -t nat -A POSTROUTING -o $EXTIF -s 10.0.0.6 -d 0/0 -p tcp --sport 443 -j SNAT --to $EXTIP:443

# Enable DNAT to Internal Servers
iptables -t nat -A PREROUTING -i eth1 -d $EXTIP -p tcp --dport 25 -j DNAT --to 10.0.0.10:25
iptables -t nat -A PREROUTING -i eth1 -d $EXTIP -p tcp --dport 80 -j DNAT --to 10.0.0.6:80
iptables -t nat -A PREROUTING -i eth1 -d $EXTIP -p tcp --dport 443 -j DNAT --to 10.0.0.6:443
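As an added example (not the poster's script), the ruleset below reworks the one above so that the firewall itself answers nothing to outside probes. It keeps the post's interface and address variables (e.f.g.h is the post's own placeholder) and the same three published services. The two changes that matter for a scanner's view are that the catch-all `-d $EXTIP -j ACCEPT` on INPUT is removed, so only reply traffic reaches the firewall from the external interface, and that the logging chain ends in DROP rather than REJECT, since REJECT sends a TCP RST or ICMP error back and so reports the port as "closed" and the host as alive, while DROP sends nothing. The ports DNATed to the web and mail servers are public services by design and will still show as open; the only way to narrow that is a source restriction on the DNAT and FORWARD rules. With `IPT` unset the script just prints the rules (dry run); as root with `IPT=iptables` it applies them. The `is_stealthy` checker is a hypothetical helper added for this example.

```shell
#!/bin/sh
# Added example, not the original poster's script. Variables follow the post;
# e.f.g.h is the post's placeholder for the external address.
INTIF="eth0"; INTNET="10.0.0.0/24"; INTIP="10.0.0.204"
EXTIF="eth1"; EXTIP="e.f.g.h"
# Dry run by default: rules are printed, not applied. IPT=iptables applies them.
IPT="${IPT:-echo iptables}"

emit_rules() {
    if [ "$IPT" = "iptables" ]; then
        echo 1 > /proc/sys/net/ipv4/ip_forward
    fi
    # Default policy DROP on every chain, then start from an empty table.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -P $chain DROP
        $IPT -F $chain
    done
    $IPT -F -t nat
    $IPT -X
    $IPT -Z

    # Logging chain that ends in DROP, not REJECT: REJECT answers each probe
    # with an RST or ICMP error ("closed", host is up); DROP stays silent
    # ("filtered"). The limit keeps a port sweep from flooding the log.
    $IPT -N drop-and-log-it
    $IPT -A drop-and-log-it -m limit --limit 5/min -j LOG --log-level info --log-prefix "FW-DROP: "
    $IPT -A drop-and-log-it -j DROP

    # INPUT: loopback, the LAN, and from the outside only replies to
    # connections the firewall opened. No blanket ACCEPT for $EXTIP, so a
    # service listening on the firewall itself is unreachable from $EXTIF.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -i $INTIF -s $INTNET -j ACCEPT
    $IPT -A INPUT -i $EXTIF -s $INTNET -j drop-and-log-it   # LAN address arriving from outside
    $IPT -A INPUT -i $EXTIF -d $EXTIP -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -j drop-and-log-it

    # OUTPUT: the firewall may talk to the LAN and originate traffic outward.
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A OUTPUT -o $INTIF -d $INTNET -j ACCEPT
    $IPT -A OUTPUT -o $EXTIF -s $EXTIP -j ACCEPT
    $IPT -A OUTPUT -j drop-and-log-it

    # FORWARD: replies first, LAN outbound, then only the published services.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i $INTIF -o $EXTIF -s $INTNET -j ACCEPT
    $IPT -A FORWARD -i $EXTIF -o $INTIF -d 10.0.0.10 -p tcp --dport 25  -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $EXTIF -o $INTIF -d 10.0.0.6  -p tcp --dport 80  -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $EXTIF -o $INTIF -d 10.0.0.6  -p tcp --dport 443 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -j drop-and-log-it

    # NAT: one SNAT for everything leaving the LAN; DNAT only for the
    # published services. These three ports remain visible on purpose; add
    # "-s <allowed network>" here and on the FORWARD rules to narrow them.
    $IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j SNAT --to $EXTIP
    $IPT -t nat -A PREROUTING -i $EXTIF -d $EXTIP -p tcp --dport 25  -j DNAT --to 10.0.0.10:25
    $IPT -t nat -A PREROUTING -i $EXTIF -d $EXTIP -p tcp --dport 80  -j DNAT --to 10.0.0.6:80
    $IPT -t nat -A PREROUTING -i $EXTIF -d $EXTIP -p tcp --dport 443 -j DNAT --to 10.0.0.6:443
}

# Hypothetical helper: reads a printed rule listing on stdin and returns 0
# only if it has the two properties that keep the firewall silent: no
# REJECT target anywhere, and no INPUT rule that accepts traffic to the
# external IP without a connection-state match.
is_stealthy() {
    listing=$(cat)
    printf '%s\n' "$listing" | grep -q -- '-j REJECT' && return 1
    printf '%s\n' "$listing" | grep -- '-A INPUT' | grep -v -- '--state' \
        | grep -q -- "-d $EXTIP" && return 1
    return 0
}

emit_rules
```

Run it once without `IPT` to read the generated rules, pipe them into `is_stealthy` to confirm the two properties, and only then apply with `IPT=iptables`; a port scan from an outside host should then show the firewall's own ports as filtered and only 25, 80 and 443 as open.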
