Hey there, I've been around on some of these lists for a while and the time has come for me to write my own iptables script. You can find it attached. Problem is, I can't test it yet since the system won't be hung onto the internet until tomorrow. Anyway, I'd like some opinions/remarks/suggestions/ideas/possible extra features and things to look at, etc. Of course you're all free to use it for your own purposes. I've replaced the IP addresses for my own ADSL line and the one here at work with others, but that shouldn't matter.

What we need / the setup: the Linux box will have 3 network cards: one for the local network 192.168.0.0/24, one for the local network 10.0.0.0/24, and one to communicate with the ADSL router (172.16.0.0/24), which isn't used in the script since PPP will be started over it using VPN, so we get a ppp* interface (yes, my internet connection is set up through VPN, not PPPoE; I know it's a bit strange, but I didn't choose the ADSL setup KPN (mxstream) uses in the Netherlands :-). Perhaps we can secure it a bit, though, by only allowing data from and to the VPN tunnel to the router (Alcatel Speed Touch Home). I doubt that will do anything; any opinions are welcome.

Note that the 2 networks (192.168.0.x and 10.0.0.x) are NOT allowed to communicate with each other. (192.168.0.x is a test network where we also test cards that might be defective and stuff like that, and it should not be able to interfere with our production/sales network.)

The Linux box will function as a:
- gateway (NAT for ICQ, IRC, MSN, whatever)
- webserver (everyone, HTTP and HTTPS)
- ftp server (only for localnets)
- ssh (localnets and my homebox only)
- telnet (localnets and my homebox only)
- mailserver (SMTP and POP; POP is only allowed for localnets)
- dns server (localnets only)
- proxyserver (localnets only)
- firewall (this speaks for itself I assume :-))
- database (mysql, only localhost and localnets for now so they can update with Access or something)
- dhcp (only for the 192.168.0.x network, but it's set up to bind only to that interface)
- fileserver (SaMBa, localnets only)

This is one heavily loaded P-II 333 :-). Only the webserver and the SMTP server (qmail) should be accessible from the outside for anyone, so I think we're reasonably safe. From the internet only the SMTP server (so we can receive mail) and the webserver (apache + SSL, so 80 & 443) should be available. People here don't have any restrictions, so if they want to ICQ, MSN, visit porn sites, whatever, I'm fine with that.

Please note that both telnet and ssh are protected by both the firewall and tcpwrappers to only allow my homebox (with static IP) and the localnets to connect to them.

I would like to urge you, if you say something like "this or that is insecure", to also explain to me (and the rest of the list) why it is, so we can actually learn something and understand why it is so, which is far more interesting than just knowing it's insecure, cuz without knowing why, it will lead to poor judgement. Hoping to get some good replies and learn a thing or two.

Things I'm really interested in are, among other things, the files in /proc/sys/net/ipv4, if I left any interesting/nice feature ones out. Also I'd like to hear from someone on the limit options, which are nice for SYN flood protection. Only it's my understanding that such a limit counts for all IPs (thus if IP 1.1.1.1 sends so many packets that the limit runs out, IP 2.2.2.2 can't connect any more either), and I'm really unsure what those limits should be on HTTP(S) and SMTP. This won't be a really crowded server, but older browsers don't reuse connections and thus might trigger the limit a lot, and I don't want to stop legitimate traffic.

Well, I'll hear how I did it I guess.... This is the first time I actually wrote a firewall from scratch myself, so I'm hoping I did a reasonable job at least.

Kind regards,
Ferry van Steen

PS: I'm thinking of adding start and stop functionality, but I doubt it's worth the effort since the firewall shouldn't go down ever anyway and the rest of the people here won't be using the box. Perhaps some checks that every rule gets inserted properly could be nice, and if not, just shut down the whole net access by dropping everything (in case of failure, thus).
[Attachment: rc.firewall (application/shellscript)]
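A ruleset sketch for the setup described in the post, as an added example that is not the attached rc.firewall. It assumes eth0 and eth1 for the two local networks, ppp0 for the VPN link, a placeholder home address, port 3128 for the proxy, and a kernel with the hashlimit match, which (unlike the limit match asked about above) keeps a separate counter per source address.

```shell
#!/bin/sh
# Added example, not the poster's rc.firewall. Interface names, the home address
# and the proxy port are assumptions; hashlimit needs the xt_hashlimit match.
IPT="${IPT:-iptables}"               # IPT="echo iptables" prints rules instead of applying
PPP=ppp0                             # VPN/PPP link towards the ADSL router (assumed)
LAN1=eth0; LAN1_NET=192.168.0.0/24   # test network (assumed interface)
LAN2=eth1; LAN2_NET=10.0.0.0/24      # production/sales network (assumed interface)
HOME_IP=203.0.113.10                 # placeholder for the static home address
PROC=/proc/sys/net/ipv4
# Kernel knobs the post asks about: forwarding on, syncookies, reverse-path
# filter, log spoofed packets, no source routing or ICMP redirects.
harden_sysctl() {
  for k in ip_forward tcp_syncookies conf/all/rp_filter conf/all/log_martians; do echo 1 > $PROC/$k; done
  for k in conf/all/accept_source_route conf/all/accept_redirects; do echo 0 > $PROC/$k; done
}
fw_rules() {
  $IPT -F; $IPT -t nat -F; $IPT -X
  $IPT -P INPUT DROP; $IPT -P FORWARD DROP; $IPT -P OUTPUT ACCEPT
  $IPT -A INPUT -i lo -j ACCEPT
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Anti-spoofing: private and loopback sources must never arrive over the PPP link
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8; do
    $IPT -A INPUT -i $PPP -s $net -j DROP
  done
  # Public services. Unlike the limit match, hashlimit keeps one counter per
  # source address, so a flooding host exhausts its own budget, not everyone's.
  for p in 25 80 443; do
    $IPT -A INPUT -p tcp --dport $p --syn -m hashlimit --hashlimit-name syn$p \
      --hashlimit-mode srcip --hashlimit-upto 20/sec --hashlimit-burst 40 -j ACCEPT
  done
  $IPT -A INPUT -i $LAN1 -p udp --dport 67 -j ACCEPT   # DHCP, test network only
  # Admin logins (ssh, telnet): local nets and the home box only
  for src in $LAN1_NET $LAN2_NET $HOME_IP; do
    $IPT -A INPUT -p tcp -s $src -m multiport --dports 22,23 -j ACCEPT
  done
  # Local-only services: ftp, dns, pop3, samba, mysql, proxy (3128 assumed)
  for src in $LAN1_NET $LAN2_NET; do
    $IPT -A INPUT -p tcp -s $src -m multiport --dports 21,53,110,139,445,3128,3306 -j ACCEPT
    $IPT -A INPUT -p udp -s $src -m multiport --dports 53,137,138 -j ACCEPT
  done
  # Forwarding: each LAN reaches the internet through NAT, never the other LAN
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -i $LAN1 -o $LAN2 -j DROP; $IPT -A FORWARD -i $LAN2 -o $LAN1 -j DROP
  $IPT -A FORWARD -i $LAN1 -s $LAN1_NET -o $PPP -j ACCEPT
  $IPT -A FORWARD -i $LAN2 -s $LAN2_NET -o $PPP -j ACCEPT
  $IPT -t nat -A POSTROUTING -o $PPP -j MASQUERADE
}
case "${1:-}" in apply) harden_sysctl && fw_rules ;; dry-run) IPT="echo iptables"; fw_rules ;; esac
```

Run with `dry-run` to review the generated commands before running `apply` as root; the empty FORWARD policy plus the explicit drops is what keeps the two local networks apart.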