request for iptables revision
Adam Fletcher
adamf at powersteeringsoftware.com
Mon Sep 25 09:35:01 EDT 2006
In my hazy recollection of iptables, I think you want this line:
# Keep existing connections
$IPT -A INPUT -p ALL -i ${WAN} -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
To actually be:
# Keep existing connections
$IPT -A INPUT -p ALL -i ${WAN} -m state --state RELATED,ESTABLISHED -j ACCEPT
If you have --state NEW there, you'll accept all new connections on the
${WAN} interface, as I believe the comma in the --state is a
non-exclusive or.
Thanks,
Adam Fletcher
Director, Information Technology
PowerSteering Software, Inc.
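The point made above, modelled as an added example that is not part of the thread: a first-match walk over the WAN-relevant rules of the posted INPUT chain, in their posted order. It assumes conntrack state arrives with the packet, models only -i, -p, --dport and --state, and uses eth0/eth1 for ${WAN}/${LAN}.

```python
# Added example (not from the thread): a minimal first-match model of the
# posted script's INPUT chain, showing why "--state NEW,RELATED,ESTABLISHED"
# on the WAN interface accepts every new inbound connection.
# Assumptions: conntrack state is supplied with the packet; only -i, -p,
# --dport and --state are modelled; eth0/eth1 stand in for ${WAN}/${LAN}.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: Optional[int]
    state: str            # conntrack: NEW, ESTABLISHED, RELATED or INVALID

@dataclass(frozen=True)
class Rule:
    target: str                             # ACCEPT, DROP or REJECT
    iface: Optional[str] = None             # -i
    proto: Optional[str] = None             # -p
    dport: Optional[int] = None             # --dport
    states: FrozenSet[str] = frozenset()    # -m state --state A,B,...

    def matches(self, pkt: Packet) -> bool:
        if self.iface and pkt.iface != self.iface:
            return False
        if self.proto and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        # The comma-separated --state list is a non-exclusive OR.
        return not self.states or pkt.state in self.states

def evaluate(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> str:
    """Walk the chain top to bottom; the first matching rule's target wins."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

def input_chain(keep_new: bool) -> List[Rule]:
    """WAN-relevant rules of the posted INPUT chain, in the posted order."""
    states = {"RELATED", "ESTABLISHED"} | ({"NEW"} if keep_new else set())
    return [
        Rule("ACCEPT", iface="eth1"),                            # LAN
        Rule("ACCEPT", iface="lo"),
        Rule("ACCEPT", iface="eth0", states=frozenset(states)),  # rule under discussion
        Rule("ACCEPT", proto="icmp"),
        Rule("REJECT", iface="eth0"),                            # blanket WAN reject
        Rule("ACCEPT", iface="eth0", proto="tcp", dport=80),     # HTTP, after the reject
    ]
```

With NEW in the list, an unsolicited packet to any WAN port is accepted by the state rule; without it, the packet falls through to the next matching rule, which in the posted order is the blanket WAN REJECT that sits above the service rules.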
-----Original Message-----
From: discuss-bounces at blu.org [mailto:discuss-bounces at blu.org] On Behalf
Of existx
Sent: Saturday, September 23, 2006 5:30 AM
To: discuss at blu.org
Subject: request for iptables revision
Hi,
I can't seem to find the problem with this script. It runs, the old
rules get cleaned, new ones get applied (verified with iptables -nvL).
However, it doesn't block any incoming traffic on the WAN. So, there's
something that isn't right here. I'm just trying to get a simple WAN
setup, with some ports being allowed to the NAT machine.
If anybody has the time, I'd really appreciate your input!
Script is below:
--------------------------------------------------------------------------------------
#!/bin/bash
###################
# Local Settings
###################
WAN=eth0
LAN=eth1
SQUIDPORT=3128
BOGONLIST="/etc/iptables/bogonslist"
# Selects address lines (those starting with a digit) from the bogon list;
# grep needs a pattern here, otherwise it reads the file name as the pattern
REGEXP='^[0-9]'
# Set to 1 to echo each bogon as it is blocked
VERBOSE=0
SYSCTL="/sbin/sysctl -w"
IPT="/sbin/iptables"
###################
# Policies
###################
echo "Flushing Tables ..."
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
###################################
# modprobe
###################################
modprobe ip_conntrack
modprobe ip_conntrack_ftp
###################################
# Set policies and outbound rules
###################################
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
###################################
# Kernel Parameter
###################################
# Enable IPv4 forwarding
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/ip_forward
else
$SYSCTL net.ipv4.ip_forward="1"
fi
# SYN flood protection
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
$SYSCTL net.ipv4.tcp_syncookies="1"
fi
# Source validation
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
else
$SYSCTL net.ipv4.conf.all.rp_filter="1"
fi
###################################
# Drop traffic from bogons
# For more information see:
# http://www.cymru.com/Bogons/
###################################
if [ -f ${BOGONLIST} ]; then
BOGONS=( $( grep ${REGEXP} ${BOGONLIST} ) )
for BOGON in "${BOGONS[@]}"; do
if [ "$VERBOSE" = "1" ]; then
echo Blocking all traffic from bogon source ${BOGON}...
fi
$IPT -A INPUT -i ${WAN} -s ${BOGON} -j DROP
done
fi
###################################
# Rules
###################################
$IPT -A OUTPUT -p ALL -o ${LAN} -j ACCEPT
$IPT -A INPUT -p ALL -i ${LAN} -j ACCEPT
$IPT -A INPUT -p ALL -i lo -j ACCEPT
$IPT -A OUTPUT -p ALL -o lo -j ACCEPT
$IPT -A OUTPUT -p ALL -o ${WAN} -j ACCEPT
# Keep existing connections
$IPT -A INPUT -p ALL -i ${WAN} -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
# Ping
$IPT -A INPUT -p icmp -j ACCEPT
# Any other packet arriving on ${WAN} that reaches this rule is rejected here;
# the rules appended below this point are never consulted for WAN traffic
$IPT -A INPUT -i ${WAN} -j REJECT --reject-with icmp-port-unreachable
# Drop / Reject
$IPT -A INPUT -p UDP --dport bootps -i ! ${LAN} -j REJECT
$IPT -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT
$IPT -A INPUT -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A INPUT -p UDP -s 0/0 --destination-port 138 -j DROP
$IPT -A INPUT -m state -p icmp --state INVALID -j DROP
###################
# Services
###################
# VOIP
$IPT -A INPUT -p UDP -i ${WAN} --dport 4569 -j ACCEPT
$IPT -A INPUT -p UDP -i ${WAN} --dport 5004 -j ACCEPT
$IPT -A INPUT -p UDP -i ${WAN} --dport 5060 -j ACCEPT
$IPT -A INPUT -p UDP -i ${WAN} --dport 9000:20000 -j ACCEPT
#ejabberd
$IPT -A INPUT -p TCP -i ${WAN} --dport 5222 -j ACCEPT
$IPT -A INPUT -p TCP -i ${WAN} --dport 5223 -j ACCEPT
# PPTP VPN
#$IPT -A INPUT -p tcp -i ${WAN} --dport 1723 -j ACCEPT
#$IPT -A INPUT -p 47 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPT -A INPUT -p 47 -j ACCEPT
# SSH
$IPT -A INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
# HTTP/S
$IPT -A INPUT -p TCP -i ${WAN} --dport 80 -j ACCEPT
$IPT -A INPUT -p TCP -i ${WAN} --dport 443 -j ACCEPT
###################
# Routing
###################
# LAN and NAT
$IPT -I FORWARD -i ${LAN} -d 192.168.0.0/255.255.0.0 -j DROP
$IPT -I FORWARD -i ${LAN} -s 192.168.0.0/255.255.0.0 -j ACCEPT
$IPT -A FORWARD -i ${WAN} -d 192.168.0.0/255.255.0.0 -j ACCEPT
$IPT -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
# Squid
# $IPT -t nat -A PREROUTING -i ${WAN} -p tcp --dport 80 -j REDIRECT --to-port ${SQUIDPORT}
###############################
# DROP
$IPT -A INPUT -i ${WAN} -j DROP
###############################
_______________________________________________
Discuss mailing list
Discuss at blu.org
http://olduvai.blu.org/mailman/listinfo/discuss