rob3 wrote:

> #
>       INET_IFACE="eth0"
>       #
>       # Information pertaining to DHCP over the Internet,
> if needed.
>       #
>       # Set DHCP variable to no if you don't get IP from DHCP.
> If you get DHCP
>       # over the Internet set this variable to yes, and set up
> the proper IP
>       # address for the DHCP server in the DHCP_SERVER variable.
>
> #
>       DHCP="yes"
>       DHCP_SERVER="192.168.1.1"
>       #
>       # your LAN's IP range and
> localhost IP. /24 means to only use the first 24
>       # bits of the 32 bit IP
> address. the same as netmask 255.255.255.0
>       #
>       LAN_IP="192.168.1.1"
>       LAN_IP_RANGE="192.168.0.0/16"
>
> LAN_IFACE="eth0"
>       #
>       # 1.4 Localhost Configuration.
>       #
>       LO_IFACE="lo"
>
> LO_IP="127.0.0.1"
>       #
>       # 1.5 IPTables Configuration.
>       #
>       IPTABLES="/sbin/iptables"
>
> #
>       # Needed to initially load modules
>       #
>       /sbin/depmod -a
>       #
>       # no modules
> needed as everything compiled into kernel
>       #
>       
> ###########################################################################
>
> #
>       # 3.1 Required proc configuration
>       #
>       echo "1" > /proc/sys/net/ipv4/ip_forward
>
> #
>       
> ###########################################################################
>
> #
>       # 4.1.1 Set policies
>       #
>       $IPTABLES -P INPUT DROP
>       $IPTABLES -P OUTPUT
> DROP
>       #
>       # Create chain for bad tcp packets
>       #
>       $IPTABLES -N bad_tcp_packets
>
> #
>       # Create separate chains for ICMP, TCP and UDP to traverse
>       #
>       $IPTABLES
> -N tcp_packets
>       $IPTABLES -N udp_packets
>       $IPTABLES -N icmp_packets
>       $IPTABLES
> -N out_packets
>       #
>       #
>       # Special OUTPUT rules to decide which IP's to allow.
>
> #
>       $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
>       $IPTABLES -A OUTPUT
> -p ALL -s $LAN_IP -j ACCEPT
>       $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j
> ACCEPT
>       #
>       # Rules for outgoing packets to the internet
>       #
>       $IPTABLES
> -A out_packets -p tcp -o $INET_IFACE --sport 111 -j DROP
>       $IPTABLES -A out_packets
> -p tcp -o $INET_IFACE --sport 631 -j DROP
>       $IPTABLES -A out_packets -p tcp
> -o $INET_IFACE --sport 657 -j DROP
>       $IPTABLES -A out_packets -p tcp -o $INET_IFACE
> --sport 2049 -j DROP
>       $IPTABLES -A out_packets -p tcp -o $INET_IFACE --sport
> 3049 -j DROP
>       #
>       $IPTABLES -A out_packets -p udp -o $INET_IFACE --sport
> 111 -j DROP
>       $IPTABLES -A out_packets -p udp -o $INET_IFACE --sport 631
> -j DROP
>       $IPTABLES -A out_packets -p udp -o $INET_IFACE --sport 657 -j DROP
>
> $IPTABLES -A out_packets -p udp -o $INET_IFACE --sport 2049 -j DROP
>       $IPTABLES
> -A out_packets -p udp -o $INET_IFACE --sport 3049 -j DROP
>       #
>       # Let LO_IP
> input packets
>       #
>       $IPTABLES -A INPUT -p ALL -s $LO_IP -j ACCEPT
>       #
>       #
> ICMP rules
>       #
>       $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j
> ACCEPT
>       $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
>
> #
>       # Rules for incoming packets from the internet.
>       #
>       $IPTABLES -A INPUT
> -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
>       -j ACCEPT
>
> $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
>       $IPTABLES -A INPUT
> -p UDP -i $INET_IFACE -j udp_packets
>       $IPTABLES -A INPUT -p ICMP -i $INET_IFACE
> -j icmp_packets
>       #
>       # Bad TCP packets we don't want.
>       #
>       $IPTABLES -A
> INPUT -p tcp -j bad_tcp_packets
>       #
>       # bad_tcp_packets chain
>       #
>       $IPTABLES
> -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
>       -m state --state
> NEW -j REJECT --reject-with tcp-reset
>       $IPTABLES -A bad_tcp_packets -p tcp
> ! --syn -m state --state NEW -j LOG \
>       --log-prefix "New not syn:"
>       $IPTABLES
> -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
>       $IPTABLES
> -A OUTPUT -p tcp -j bad_tcp_packets
>       #
>       # TCP RULES
>       #
>       $IPTABLES -A
> tcp_packets -p TCP --syn -j ACCEPT
>       $IPTABLES -A tcp_packets -p TCP -m state
> --state ESTABLISHED,RELATED -j ACCEPT
>       $IPTABLES -A tcp_packets -p TCP -j
> DROP
>       #
>       $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
>
> $IPTABLES -A tcp_packets -P TCP -s 0/0 --dport 25 -j allowed
>       $IPTABLES
> -A tcp_packets -p TCP -s 0/0 --dport 53 -j allowed
>       $IPTABLES -A tcp_packets
> -p TCP -s 0/0 --dport 80 -j allowed
>       $IPTABLES -A tcp_packets -p TCP -s
> 0/0 --dport 113 -j allowed
>       $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport
> 1024: -j allowed
>       $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 111 -j
> DROP
>       $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 631 -j DROP
>       $IPTABLES
> -A tcp_packets -p TCP -s 0/0 --dport 657 -j DROP
>       $IPTABLES -A tcp_packets
> -p TCP -s 0/0 --dport 2049 -j DROP
>       $IPTABLES -A tcp_packets -p TCP -s 0/0
> --dport 3049 -j DROP
>       #
>       # UDP ports
>       #
>       if [ $DHCP == "yes" ] ; then
>
>  $IPTABLES -A udp_packets -p UDP -s $DHCP_SERVER --sport 67 \
>        --dport
> 68 -j ACCEPT
>       fi
>       #
>       $IPTABLES -A udp_packets -p UDP -s 0/0 --source-port
> 53 -j ACCEPT
>       $IPTABLES -A udp_packets -p UDP -s 0/0 --dport 1024: -j ACCEPT
>
> $IPTABLES -A udp_packets -p UDP -s 0/0 --dport 111 -j DROP
>       $IPTABLES -A
> udp_packets -p UDP -s 0/0 --dport 631 -j DROP
>       $IPTABLES -A udp_packets
> -p UDP -s 0/0 --dport 657 -j DROP
>       $IPTABLES -A udp_packets -p UDP -s 0/0
> --dport 2049 -j DROP
>       $IPTABLES -A udp_packets -p UDP -s 0/0 --dport 3049
> -j DROP
>       #
>       # In Microsoft Networks you will be swamped by broadcasts.
> These lines
>       # will prevent them from showing up in the logs.
>       #
>       $IPTABLES
> -A udp_packets -p UDP -i $INET_IFACE \
>       --destination-port 135:139 -j DROP
>
> #
>       # If we get DHCP requests from the Outside of our network, our logs will
>
> # be swamped as well. This rule will block them from getting logged.
>       #
>
> $IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
>       --destination-port
> 67:68 -j DROP
>       #
>       # Special rule for DHCP requests from LAN, which are
> not caught properly 
>       # otherwise.
>       #
>       $IPTABLES -A INPUT -p UDP -i $LAN_IFACE
> --dport 67 --sport 68 -j ACCEPT
>       #
>       # Log weird packets that don't match
> the above.
>       #
>       $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst
> 3 -j LOG \
>       --log-level DEBUG --log-prefix "OUT packet"
>       $IPTABLES -A INPUT
> -m limit --limit 3/minute --limit-burst 3 -j LOG \
>       --log-level DEBUG --log-prefix
> "IN packet"
>       #user] [OT] tips on my 1st try at iptables?
>
>david wrote:
>
>  
>
>>Here is my /var/lib/iptables/rules-save # Generated by
>>iptables-save v1.2.11 on Sat May 21 16:58:29 2005 *nat :PREROUTING
>>ACCEPT [29:1670] :POSTROUTING ACCEPT [431:26255] :OUTPUT ACCEPT
>>[0:0] [30:1841] -A POSTROUTING -o eth0 -j MASQUERADE COMMIT #
>>Completed on Sat May 21 16:58:29 2005 # Generated by iptables-save
>>v1.2.11 on Sat May 21 16:58:29 2005 *mangle :PREROUTING ACCEPT
>>[16422:18018799] :INPUT ACCEPT [16422:18018799] :FORWARD ACCEPT
>>[0:0] :OUTPUT ACCEPT [13453:2622146] :POSTROUTING ACCEPT
>>[13453:2622146] COMMIT # Completed on Sat May 21 16:58:29 2005 #
>>Generated by iptables-save v1.2.11 on Sat May 21 16:58:29 2005
>>*filter :INPUT DROP [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT
>>[13453:2622146] [440:320869] -A INPUT -m state --state
>>RELATED,ESTABLISHED -j ACCEPT [0:0] -A INPUT -i ! eth0 -m state
>>--state NEW -j ACCEPT [0:0] -A INPUT -p icmp -j ACCEPT [3:180] -A
>>INPUT -p tcp -m tcp --dport 80 -j ACCEPT [0:0] -A INPUT -p tcp -m
>>tcp --dport 21 -j ACCEPT [0:0] -A INPUT -p tcp -m tcp --dport 20 -j
>>ACCEPT COMMIT # Completed on Sat May 21 16:58:29 2005 I followed
>>the guide here and it works great. Simple to set up.
>>http://gentoo-wiki.com/HOWTO_setup_a_home-server
>>    
>>
>
>Here's mine.  The innocent redacted to protect the guilty, ha???
>
>#!/bin/sh
># NOTE(review): lines beginning "# NOTE(review)" are reviewer annotations,
># not part of the original script. As pasted, the script does not parse:
># the "(notes ...)" remarks further down are bare lines rather than "#"
># comments, and the one ahead of the port-22 rule has no closing
># parenthesis. Some commands also appear split across two lines without a
># trailing backslash; that may be mail wrapping rather than the real file.
>#
>###########################################################################
>#
>INET_IFACE="eth0"
>#
># Information pertaining to DHCP over the Internet, if needed.
>#
># Set DHCP variable to no if you don't get IP from DHCP. If you get DHCP
># over the Internet set this variable to yes, and set up the proper IP
># address for the DHCP server in the DHCP_SERVER variable.
>#
>DHCP="yes"
>DHCP_SERVER="192.168.1.1"
>#
># your LAN's IP range and localhost IP. /24 means to only use the first 24
># bits of the 32 bit IP address. the same as netmask 255.255.255.0
>#
>LAN_IP="192.168.1.1"
>LAN_IP_RANGE="192.168.0.0/16"
>LAN_IFACE="eth0"
># NOTE(review): the comment above describes a /24 but the value is a /16,
># and LAN_IP_RANGE is never referenced by any rule in this listing.
># LAN_IFACE is the same device as INET_IFACE ("eth0"), so every rule
># keyed on -i $LAN_IFACE below also applies to the internet-facing side.
>#
># 1.4 Localhost Configuration.
>#
>LO_IFACE="lo"
>LO_IP="127.0.0.1"
># NOTE(review): LO_IFACE is defined but no rule uses it; the loopback
># rules below match on source address only.
>#
># 1.5 IPTables Configuration.
>#
>IPTABLES="/sbin/iptables"
>#
># Needed to initially load modules
>#
>/sbin/depmod -a
>#
># no modules needed as everything compiled into kernel
>#
>###########################################################################
>#
># 3.1 Required proc configuration
>#
>echo "1" > /proc/sys/net/ipv4/ip_forward
># NOTE(review): forwarding is switched on here, but nothing in this
># listing sets a FORWARD policy or adds FORWARD rules.
>#
>###########################################################################
>#
># 4.1.1 Set policies
>#                                                      (notes- always
>know your default policy, it all stems from this)
># NOTE(review): the line above is the tail of the "(notes- always" remark
># and is not commented out, so the shell tries to execute it.
>$IPTABLES -P INPUT DROP    
>$IPTABLES -P OUTPUT DROP
>#
># Create chain for bad tcp packets
>#
># NOTE(review): no -F/-X precedes the chain creation, so running the
># script a second time appends duplicate rules and each -N below fails
># because the chain already exists.
>$IPTABLES -N bad_tcp_packets
>#
># Create separate chains for ICMP, TCP and UDP to traverse
>#
>$IPTABLES -N tcp_packets
>$IPTABLES -N udp_packets
>$IPTABLES -N icmp_packets
>$IPTABLES -N out_packets
># NOTE(review): no rule in this listing jumps to out_packets (there is no
># "-j out_packets"), so the egress DROP rules appended to it below are
># never evaluated.
>#
>#
># Special OUTPUT rules to decide which IP's to allow.
>#
>$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
>$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
>$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT
># NOTE(review): this accepts everything leaving $INET_IFACE before the
># bad_tcp_packets jump and the OUTPUT LOG rule appended further down, so
># those only see packets that are neither from LO_IP/LAN_IP nor bound
># for eth0.
>#
># Rules for outgoing packets to the internet  (notes, ie NFS)
>#
>$IPTABLES -A out_packets -p tcp -o $INET_IFACE --sport 111 -j DROP
>$IPTABLES -A out_packets -p tcp -o $INET_IFACE --sport 631 -j DROP
>$IPTABLES -A out_packets -p tcp -o $INET_IFACE --sport 657 -j DROP
>$IPTABLES -A out_packets -p tcp -o $INET_IFACE --sport 2049 -j DROP
>$IPTABLES -A out_packets -p tcp -o $INET_IFACE --sport 3049 -j DROP
>#
>$IPTABLES -A out_packets -p udp -o $INET_IFACE --sport 111 -j DROP
>$IPTABLES -A out_packets -p udp -o $INET_IFACE --sport 631 -j DROP
>$IPTABLES -A out_packets -p udp -o $INET_IFACE --sport 657 -j DROP
>$IPTABLES -A out_packets -p udp -o $INET_IFACE --sport 2049 -j DROP
>$IPTABLES -A out_packets -p udp -o $INET_IFACE --sport 3049 -j DROP
>#
># Let LO_IP input packets
>#                                       (no restrictions on loopbackk)
># NOTE(review): matches on source address alone, not on -i $LO_IFACE;
># pairing it with the interface would make the intent explicit.
>$IPTABLES -A INPUT -p ALL -s $LO_IP -j ACCEPT
>#
># ICMP rules
>#                                       (could be several more added here)
># NOTE(review): echo-request (type 8) is accepted from any source with no
># -m limit; consider a rate limit if unrestricted ping is not intended.
>$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
>$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
>#
># Rules for incoming packets from the internet.
>#
>$IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state
>ESTABLISHED,RELATED \
>-j ACCEPT
># NOTE(review): the break after "--state" has no continuation backslash;
># if that is how the file really reads (and not mail wrapping), iptables
># is invoked without a state argument and the ACCEPT is never installed.
>$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
>$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
>$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets
>#
># Bad TCP packets we don't want.
>#
># NOTE(review): appended after the -j tcp_packets jump above. Because
># tcp_packets ends in an unconditional DROP, no TCP packet from
># $INET_IFACE ever returns to INPUT, so this jump only sees TCP arriving
># on other interfaces.
>$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
>#
># bad_tcp_packets chain
>#
>$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
>-m state --state NEW -j REJECT --reject-with tcp-reset
>$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
>--log-prefix "New not syn:"
>$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
>$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
>#
># TCP RULES
>#
>$IPTABLES -A tcp_packets -p TCP --syn -j ACCEPT
># NOTE(review): this accepts every new inbound TCP connection on
># $INET_IFACE regardless of destination port, and the unconditional DROP
># two lines down terminates the chain, so the per-port allow/drop rules
># that follow are never reached. Any TCP service listening on eth0 is
># reachable from the internet.
>$IPTABLES -A tcp_packets -p TCP -m state --state ESTABLISHED,RELATED
>-j ACCEPT
># NOTE(review): same missing-backslash question as the INPUT state rule
># above; "-j ACCEPT" on its own line is not a command.
>$IPTABLES -A tcp_packets -p TCP -j DROP
>#                                                                           
> 
>(notes, allow mail, ssh, dns, www, ident, above 1024; drop NFS, LPR
># NOTE(review): the remark above is not a comment and has no closing
># parenthesis, which is a shell syntax error. The "-j allowed" rules
># below target a chain that is never created in this listing (no
># "-N allowed"), so iptables would reject each of them, and the port-25
># rule uses "-P" (set policy) where its siblings use "-p".
>$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
>$IPTABLES -A tcp_packets -P TCP -s 0/0 --dport 25 -j allowed
>$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 53 -j allowed
>$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
>$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
>$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1024: -j allowed
># NOTE(review): "--dport 1024:" also matches 2049 and 3049, so the DROPs
># for those two ports below would be shadowed even if this chain were
># reachable.
>$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 111 -j DROP
>$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 631 -j DROP
>$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 657 -j DROP
>$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 2049 -j DROP
>$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 3049 -j DROP
>#
># UDP ports
>#                                                    (notes, accept DHCP)
># NOTE(review): "==" inside [ ] is not POSIX and fails under a plain
># /bin/sh such as dash; "=" with "$DHCP" quoted is the portable form.
>if [ $DHCP == "yes" ] ; then
> $IPTABLES -A udp_packets -p UDP -s $DHCP_SERVER --sport 67 \
> --dport 68 -j ACCEPT
>fi
>#                                                                        
> 
>(notes- accept DNS, above 1024, exceptijng NFS)
># NOTE(review): the remark above is a bare parenthesised line, i.e. a
># subshell that tries to run a command named "notes-".
>$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
># NOTE(review): accepts any UDP datagram whose *source* port is 53, to
># any local port. DNS replies are already covered by the
># ESTABLISHED,RELATED rule on INPUT (it uses -p ALL), so this rule only
># widens exposure.
>$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 1024: -j ACCEPT
># NOTE(review): "--dport 1024:" matches 2049 and 3049, so the DROPs for
># those two ports below are shadowed by this ACCEPT.
>$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 111 -j DROP
>$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 631 -j DROP
>$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 657 -j DROP
>$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 2049 -j DROP
>$IPTABLES -A udp_packets -p UDP -s 0/0 --dport 3049 -j DROP
>#
># In Microsoft Networks you will be swamped by broadcasts. These lines
># will prevent them from showing up in the logs.
>#                                                                           
> 
>(note, its impossible to seperate wheat from chaffe without this)
># NOTE(review): bare parenthesised remark again; it is executed, not
># ignored.
>$IPTABLES -A udp_packets -p UDP -i $INET_IFACE \
>--destination-port 135:139 -j DROP
>#
># If we get DHCP requests from the Outside of our network, our logs will
># be swamped as well. This rule will block them from getting logged.
>#                                                                           
> 
> 
>(note, same as above explanation)
>$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
>--destination-port 67:68 -j DROP
>#
># Special rule for DHCP requests from LAN, which are not caught properly
># otherwise.
>#                                                                           
> 
> 
>(accept DHCP)
># NOTE(review): with LAN_IFACE set to "eth0" this accepts DHCP client
># traffic (sport 68, dport 67) on the internet-facing interface as well.
>$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT
>#
># Log weird packets that don't match the above.
>#
>$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
>--log-level DEBUG --log-prefix "OUT packet"
>$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
>--log-level DEBUG --log-prefix "IN packet"
>#
>
>
>
>  
>
Sorry this all got garbled. Rob.