I've been having some problems with a firewall script that I've written.
I'm running debian if I run the script at bootup the script doesnt work. If
i disable the script at bootup and then run it from the command line
everything works as it should but if I run it at bootup I can't connect in
or out until I either flush and rerun the script or simply rerun the
script. I've added loggin to the input chain and nothing is logged until I
rerun the script. It's as if the script when run upon bootup locks down
every port but doesnt open the ports I've specified further on in the script
even though I see all of the echoed messages that are placed throughout the
script.
I was wondering if anybody has had a problem similar to this in the past and
has any ideas. I attached the script as well as the flush script I'm
using. Any help would be appreciated.
Robert
#!/bin/sh
# organized by Robert Lawrence
# robert at zyzz dot net
# this script is based on many different scripts from the internet
# I only claim that I was the one who put it together into the format you see
now
echo "setting up IPTABLES...."
SAFENET=eth0
INTERNET=eth2
INTERNET_IP=192.168.123.22
DEVELOP=eth1
DEVELOP_IP=192.168.122.22
IPT=/sbin/iptables
MP=/sbin/modprobe
#### turn on required kernel modules
echo "loading modules"
$MP ip_tables
$MP ip_conntrack
$MP iptable_filter
$MP iptable_mangle
$MP iptable_nat
$MP ipt_LOG
$MP ipt_limit
$MP ipt_state
$MP ip_conntrack_ftp
$MP ip_nat_ftp
$MP ipt_MASQUERADE
#$MP ipt_owner
#$MP ipt_REJECT
#$MP ip_conntrack_irc
#$MP ip_nat_irc
#### Set flags
echo "setting flags"
echo " forwarding"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo " RP filter"
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#### Set default policies
## set default to drop
echo "setting policies"
$IPT -P FORWARD DROP
$IPT -P INPUT DROP
## keep allow on any outbound
$IPT -P OUTPUT ACCEPT
#### DoS protection
##Syn-flood protection:
# iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
##Furtive port scanner:
# iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit
1/s -j ACCEPT
##Ping of death:
# iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j
ACCEPT
#### port forwarding
## SSH
$IPT -A PREROUTING -t nat -p tcp -d $INTERNET_IP --dport 2201 \
-j DNAT --to 192.168.122.16:22
## HTTP
$IPT -A PREROUTING -t nat -p tcp -d $INTERNET_IP --dport 2202 \
-j DNAT --to 192.168.122.16:80
#### FORWARDING RULES
echo "setting up forwarding rules"
$IPT -A FORWARD -p ALL -i $SAFENET -j ACCEPT
$IPT -A FORWARD -p ALL -i $DEVELOP -o $INTERNET -j ACCEPT
$IPT -A FORWARD -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPT -A FORWARD -p ALL -j LOG --log-prefix "FORWARD "
#### Change source addresses to internet IP
echo "setting up nat"
$IPT -t nat -A POSTROUTING -o $INTERNET -j SNAT --to-source $INTERNET_IP
$IPT -t nat -A POSTROUTING -o $DEVELOP -j SNAT --to-source $DEVELOP_IP
#### INPUT RULES
echo "setting up input rules"
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#$IPT -A INPUT -i $SAFENET -j ACCEPT
echo " localnet"
$IPT -A INPUT -i lo -p ALL -j ACCEPT
echo " dansguardian"
$IPT -A INPUT -i $SAFENET -p tcp --dport 8080 -j ACCEPT
$IPT -A INPUT -i $SAFENET -p udp --dport 8080 -j ACCEPT
echo " DNS"
$IPT -A INPUT -i ! $INTERNET -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT -i ! $INTERNET -p udp --dport 53 -j ACCEPT
echo " DHCP"
$IPT -A INPUT -i $SAFENET -p udp --dport 67:68 --sport 67:68 -j ACCEPT
#echo " SSH"
#$IPT -A INPUT -i $SAFENET -p tcp --dport 22 -j ACCEPT
echo " Pings"
$IPT -A INPUT -i ! $INTERNET -p ICMP --icmp-type 8 -j ACCEPT
echo " Specifically ignoring netbios!"
$IPT -A INPUT -p udp --dport 137:139 -j DROP
$IPT -A INPUT -p ALL -j LOG --log-prefix "INPUT "
$IPT -A INPUT -j DROP
#### OUTPUT RULES
#$IPT -A OUTPUT -p ALL -j LOG --log-prefix "OUTPUT "
echo "DONE!"
#!/bin/sh
#
# rc.flush-iptables - Resets iptables to default values.
#
# Copyright (C) 2001 Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
echo "flushing tables"
#
# Configurations
#
IPTABLES="/sbin/iptables"
#
# reset the default policies in the filter table.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
#
# reset the default policies in the nat table.
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
#
# reset the default policies in the mangle table.
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
#
# flush all the rules in the filter and nat tables.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
# erase all chains that's not default in filter and nat table.
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X
/*
PLUG: http://plug.org, #utah on irc.freenode.net
Unsubscribe: http://plug.org/mailman/options/plug
Don't fear the penguin.
*/
