Travis Osterman wrote:

>I've spent the weekend attempting to mold an old P3 400 MHz machine
>into a firewall/router so I can replace my current Linksys box.
>Basically, I read the howtos at netfilter.org and the
>gentoo-home-router-howto and put together the following script for
>loading my rules.
>
>This meets the functionality I need at this point in the project (ssh
>access from inside and outside, port forwarding, and masquerading),
>but I'm not well versed on security concerns so I'm hoping a few
>experienced users could point out redundancies and potential security
>issues.
>
>Thanks in advance for taking the time to help.
>
>#!/bin/bash
>IPT=/sbin/iptables
>WAN_IFACE=eth0
>LAN_IFACE=eth1
>LAN_ADDY=192.168.0.0/24
>
># flush and reset rules
>$IPT -F
>$IPT -t nat -F
>$IPT -t mangle -F
>$IPT -X
>$IPT -t nat -X
>$IPT -t mangle -X
>$IPT -P INPUT ACCEPT
>$IPT -P FORWARD ACCEPT
>$IPT -P OUTPUT ACCEPT
>$IPT -t nat -P PREROUTING ACCEPT
>$IPT -t nat -P POSTROUTING ACCEPT
>$IPT -t nat -P OUTPUT ACCEPT
>$IPT -t mangle -P PREROUTING ACCEPT
>$IPT -t mangle -P OUTPUT ACCEPT
>
># begin rules
>$IPT -I INPUT 1 -i $LAN_IFACE -j ACCEPT
>$IPT -I INPUT 1 -i lo -j ACCEPT
>$IPT -A INPUT -p UDP --dport bootps -i ! $LAN_IFACE -j REJECT
>$IPT -A INPUT -p UDP --dport domain -i ! $LAN_IFACE -j REJECT
>$IPT -A INPUT -m state --state NEW -i ! $WAN_IFACE -j ACCEPT
>$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>$IPT -A INPUT --protocol tcp --dport 22 -i $WAN_IFACE -j ACCEPT
>$IPT -P INPUT DROP
>$IPT -A INPUT -i ! $LAN_IFACE -j DROP
>
>$IPT -A PREROUTING -t nat -p tcp -i $WAN_IFACE --dport 80 \
>                       -j DNAT --to 192.168.0.20
>$IPT -A PREROUTING -t nat -p tcp -i $WAN_IFACE --dport 1022 \
>                       -j DNAT --to 192.168.0.20:22
>
>$IPT -I FORWARD -i $LAN_IFACE -d $LAN_ADDY -j DROP
>$IPT -A FORWARD -i $LAN_IFACE -s $LAN_ADDY -j ACCEPT
>$IPT -A FORWARD -i $WAN_IFACE -d $LAN_ADDY -j ACCEPT
>$IPT -P FORWARD DROP
>
>$IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
>
>for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>    echo 1 > $f
>done
>/etc/init.d/iptables save
>
>-- Travis Osterman
Personally I found it much easier to use Shorewall; this is a firewall
which does all the low-level iptables config and gives you more
high-level access. Personally, since switching I have not used iptables
rules at all.

Search Google and have a look; you may find it more flexible than a script.


-- 
[email protected] mailing list
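For comparison with the iptables script quoted above, here is an added example (not from either poster) that expresses the same policy as one atomically loaded iptables-restore ruleset: the default-deny INPUT and FORWARD policies land in the same load as the rules, so there is no window where the chains have been flushed but still ACCEPT, and inbound forwarding from the WAN is limited to established traffic plus the two DNAT'd ports. Interface names, the LAN range and the forwarded host 192.168.0.20 are taken from the post; the conntrack match in place of the older state match, the `wan_new_accepts` check and the `--apply` switch are my additions.

```shell
#!/bin/bash
# Hardened rewrite of the posted ruleset, emitted in iptables-restore format
# so it can be reviewed or diffed first and then loaded in one atomic step.
WAN_IFACE=${WAN_IFACE:-eth0}
LAN_IFACE=${LAN_IFACE:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}
DMZ_HOST=${DMZ_HOST:-192.168.0.20}   # host that receives the forwarded ports

gen_ruleset() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Port forwards: public 80 -> web, public 1022 -> ssh on the same host
-A PREROUTING -i $WAN_IFACE -p tcp --dport 80 -j DNAT --to-destination $DMZ_HOST:80
-A PREROUTING -i $WAN_IFACE -p tcp --dport 1022 -j DNAT --to-destination $DMZ_HOST:22
-A POSTROUTING -o $WAN_IFACE -j MASQUERADE
COMMIT
*filter
# Default-deny policies are part of the same load as the rules below.
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IFACE -s $LAN_NET -j ACCEPT
-A INPUT -i $WAN_IFACE -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
# Forwarding: LAN out to the WAN, replies back, and only the DNAT'd services in.
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IFACE -o $WAN_IFACE -s $LAN_NET -j ACCEPT
-A FORWARD -i $WAN_IFACE -o $LAN_IFACE -d $DMZ_HOST -p tcp -m multiport --dports 22,80 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Count the rules that accept NEW connections arriving on the WAN interface:
# a quick sanity check that the exposed surface is exactly what you expect.
wan_new_accepts() {
    gen_ruleset | grep -c -- "-i $WAN_IFACE .*--ctstate NEW -j ACCEPT"
}

if [ "${1:-}" = "--apply" ]; then
    gen_ruleset | iptables-restore    # atomic load; needs root
else
    gen_ruleset                       # print for review
fi
```

Run it with no arguments to print the ruleset and with `--apply` (as root) to load it; the expected count from `wan_new_accepts` is 2, one for ssh on the router and one for the forwarded host.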