#!/bin/sh
##################################################################
#
## rc.firewall.iptables -- Version 1.1b
#
##################################################################
## Obsid@sentry.net
## http://www.sentry.net/~obsid/
## 10/20/00
##
## Example IPTables 1.1.2 script for a dual homed firewall.
## Please feel free to send me any comments or suggestions.
##
## Visit one of the NetFilter Project Home Pages for more information about IPTables.
## http://netfilter.kernelnotes.org/
##
## More Resources:
## http://netfilter.kernelnotes.org/unreliable-guides/networking-concepts-HOWTO.html
## http://netfilter.kernelnotes.org/unreliable-guides/packet-filtering-HOWTO.html
## http://netfilter.kernelnotes.org/unreliable-guides/NAT-HOWTO.html
## http://metalab.unc.edu/pub/Linux/docs/howto/other-formats/html_single/Adv-Routing-HOWTO.html

## Variables
IPTABLES="/usr/local/bin/iptables"
INTERNAL="eth1"                 # Internal Interface
EXTERNAL="eth0"                 # External Interface
LOOPBACK="lo"                   # Loopback Interface
INTERNAL_NET="192.168.1.0/24"

## Attempt to Flush All Rules in Filter Table
$IPTABLES -F

## Flush Built-in Rules
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD

## Flush Rules/Delete User Chains in Mangle Table
$IPTABLES -F -t mangle
$IPTABLES -t mangle -X

## Delete all user-defined chains, reduces dumb warnings if you run
## this script more than once.
$IPTABLES -X

## Set Default Policies
$IPTABLES -P INPUT DROP         ## Highly Recommended
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT

## More variables further down near the NAT rules.

## NOTE: "Special Chains" First, Regular INPUT/OUTPUT chains will follow.

###############################################################################
## Special Chains
###############################################################################

###############################################################################
## Special chain KEEP_STATE to handle incoming, outgoing, and
## established connections.
$IPTABLES -N KEEP_STATE
$IPTABLES -F KEEP_STATE

## DROP packets associated with an "INVALID" connection.
$IPTABLES -A KEEP_STATE -m state --state INVALID -j DROP

## ACCEPT packets that belong to an established connection or are
## related to one (e.g. ICMP errors, FTP data channels).
$IPTABLES -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT

## ACCEPT packets starting a NEW connection whose input interface is anything
## but the external interface.
## (iptables 1.1.2 negation syntax; newer releases write this as "! -i $EXTERNAL".)
$IPTABLES -A KEEP_STATE -i ! $EXTERNAL -m state --state NEW -j ACCEPT

###############################################################################
## Special chain CHECK_FLAGS that will DROP and log TCP packets with certain
## TCP flags set.
## We set some limits here to limit the amount of crap that gets sent to the logs.
## Keep in mind that these rules should never match normal traffic; they
## are designed to capture obviously messed up packets... but there's a lot of
## weird shit out there, so who knows.
## These log at kernel log level 6 (kern.info); adjust --log-level for your taste. See
## the iptables and syslog.conf man pages for logging details.
$IPTABLES -N CHECK_FLAGS
$IPTABLES -F CHECK_FLAGS

## NMAP FIN/URG/PSH
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
    --limit 5/minute -j LOG --log-level 6 --log-prefix "NMAP-XMAS:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP

## Xmas Tree
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -m limit \
    --limit 5/minute -j LOG --log-level 6 --log-prefix "Merry XMAS:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL ALL -j DROP

## Another Xmas Tree
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit \
    --limit 5/minute -j LOG --log-level 6 --log-prefix "XMAS-PSH:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP

## Null Scan(possibly)
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -m limit \
    --limit 5/minute -j LOG --log-level 6 --log-prefix "NULL_SCAN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags ALL NONE -j DROP

## SYN/RST
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
    --limit 5/minute -j LOG --log-level 6 --log-prefix "SYN/RST:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

## SYN/FIN -- Scan(possibly)
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
    --limit 5/minute -j LOG --log-level 6 --log-prefix "SYN/FIN:"
$IPTABLES -A CHECK_FLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

## Make some types of port scans annoyingly slow, also provides some protection
## against certain DoS attacks. The rule in chain KEEP_STATE referring to the
## INVALID state should catch most TCP packets with the RST or FIN bits set that
## aren't associated with an established connection. Still, these will limit the
## amount of stuff that is accepted through our open ports(if any). I suggest you
## test these for your configuration before you uncomment them, as they could cause
## problems.
# $IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL RST -j ACCEPT
# $IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL FIN -j ACCEPT
# $IPTABLES -A CHECK_FLAGS -m limit --limit 1/second -p tcp --tcp-flags ALL SYN -j ACCEPT

###############################################################################
## Special Chain DENY_PORTS
## This chain will DROP/LOG packets based on port number
$IPTABLES -N DENY_PORTS
$IPTABLES -F DENY_PORTS

## NFS, X, VNC, SMB, blah blah
$IPTABLES -A DENY_PORTS -p tcp --dport 137:139 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 137:139 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --dport 1433 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 1433 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --dport 2049 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 2049 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --dport 5432 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 5432 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --dport 5999:6063 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 5999:6063 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --dport 5900:5910 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 5900:5910 -j DROP

## (Possibly) Evil Stuff
##
## LOG is a non-terminating target, so each LOG rule must come *before* the
## matching DROP rule; a LOG rule placed after the DROP never sees the packet.

## Possible rpc.statd exploit shell
$IPTABLES -A DENY_PORTS -p tcp --dport 9704 -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "rpc.statd(9704) Shell:"
$IPTABLES -A DENY_PORTS -p tcp --dport 9704 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 9704 -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "rpc.statd(9704) Shell:"
$IPTABLES -A DENY_PORTS -p tcp --sport 9704 -j DROP

## NetBus and NetBus Pro
$IPTABLES -A DENY_PORTS -p tcp --dport 20034 -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "NetBus Pro:"
$IPTABLES -A DENY_PORTS -p tcp --dport 20034 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --dport 12345:12346 -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "NetBus:"
$IPTABLES -A DENY_PORTS -p tcp --dport 12345:12346 -j DROP

## Trinoo
$IPTABLES -A DENY_PORTS -p tcp --sport 27665 -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A DENY_PORTS -p tcp --dport 27665 -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A DENY_PORTS -p tcp --sport 27665 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --dport 27665 -j DROP
$IPTABLES -A DENY_PORTS -p udp --sport 27444 -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A DENY_PORTS -p udp --dport 27444 -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A DENY_PORTS -p udp --sport 27444 -j DROP
$IPTABLES -A DENY_PORTS -p udp --dport 27444 -j DROP
$IPTABLES -A DENY_PORTS -p udp --sport 31335 -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A DENY_PORTS -p udp --dport 31335 -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "Trinoo:"
$IPTABLES -A DENY_PORTS -p udp --sport 31335 -j DROP
$IPTABLES -A DENY_PORTS -p udp --dport 31335 -j DROP

## Back Orifice
$IPTABLES -A DENY_PORTS -p tcp --dport 31337 -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "BackOrifice-TCP:"
$IPTABLES -A DENY_PORTS -p udp --dport 31337 -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "BackOrifice-UDP:"
$IPTABLES -A DENY_PORTS -p tcp --sport 31337 -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "BackOrifice-TCP:"
$IPTABLES -A DENY_PORTS -p udp --sport 31337 -m limit --limit 5/minute \
    -j LOG --log-level 6 --log-prefix "BackOrifice-UDP:"
$IPTABLES -A DENY_PORTS -p tcp --dport 31337 -j DROP
$IPTABLES -A DENY_PORTS -p udp --dport 31337 -j DROP
$IPTABLES -A DENY_PORTS -p tcp --sport 31337 -j DROP
$IPTABLES -A DENY_PORTS -p udp --sport 31337 -j DROP

###############################################################################
## Special Chain SRC_EGRESS
## Rules to Provide Egress Filtering Based on Source IP Address.
$IPTABLES -N SRC_EGRESS
$IPTABLES -F SRC_EGRESS

##------------------------------------------------------------------------##
## DROP all reserved private IP addresses. Some of these may be legit
## for certain networks and configurations. For connection problems,
## traceroute is your friend.

## Class A Reserved
$IPTABLES -A SRC_EGRESS -s 10.0.0.0/8 -j DROP
## Class B Reserved
$IPTABLES -A SRC_EGRESS -s 172.16.0.0/12 -j DROP
## Class C Reserved
$IPTABLES -A SRC_EGRESS -s 192.168.0.0/16 -j DROP
## Class D Reserved
$IPTABLES -A SRC_EGRESS -s 224.0.0.0/4 -j DROP
## Class E Reserved
$IPTABLES -A SRC_EGRESS -s 240.0.0.0/5 -j DROP

## Other Reserved Addresses
##
## The following was adapted from Jean-Sebastien Morisset's excellent IPChains
## firewall script, available at
## http://www.jsmoriss.dyndns.org/linux/rc.firewall
##
## NOTE: this list of unallocated /8 blocks reflects the IANA registry as of
## 2000. Most of these blocks have since been allocated, so check the current
## IANA IPv4 address space registry before dropping them on a live network.
RESERVED_NET=" 0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 \
    5.0.0.0/8 \
    7.0.0.0/8 \
    23.0.0.0/8 \
    27.0.0.0/8 \
    31.0.0.0/8 \
    36.0.0.0/8 37.0.0.0/8 \
    39.0.0.0/8 \
    41.0.0.0/8 42.0.0.0/8 \
    58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 \
    67.0.0.0/8 68.0.0.0/8 69.0.0.0/8 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 \
    74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 80.0.0.0/8 \
    81.0.0.0/8 82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 \
    88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8 \
    95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 100.0.0.0/8 101.0.0.0/8 \
    102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 \
    108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 \
    114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 \
    120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 \
    126.0.0.0/8 127.0.0.0/8 \
    197.0.0.0/8 \
    201.0.0.0/8 \
    218.0.0.0/8 219.0.0.0/8 220.0.0.0/8 221.0.0.0/8 222.0.0.0/8 223.0.0.0/8 \
    240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8 \
    246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8 \
    252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8"

for NET in $RESERVED_NET; do
    $IPTABLES -A SRC_EGRESS -s $NET -j DROP
done
##------------------------------------------------------------------------##

###############################################################################
## Special Chain DST_EGRESS
## Rules to Provide Egress Filtering Based on Destination IP Address.
$IPTABLES -N DST_EGRESS
$IPTABLES -F DST_EGRESS

##------------------------------------------------------------------------##
## DROP all reserved private IP addresses. Some of these may be legit
## for certain networks and configurations. For connection problems,
## traceroute is your friend.

## Class A Reserved
$IPTABLES -A DST_EGRESS -d 10.0.0.0/8 -j DROP
## Class B Reserved
$IPTABLES -A DST_EGRESS -d 172.16.0.0/12 -j DROP
## Class C Reserved
$IPTABLES -A DST_EGRESS -d 192.168.0.0/16 -j DROP
## Class D Reserved
$IPTABLES -A DST_EGRESS -d 224.0.0.0/4 -j DROP
## Class E Reserved
$IPTABLES -A DST_EGRESS -d 240.0.0.0/5 -j DROP

## Other Reserved Addresses
##
## The following was adapted from Jean-Sebastien Morisset's excellent IPChains
## firewall script, available at
## http://www.jsmoriss.dyndns.org/linux/rc.firewall
## (Same list as above; see the NOTE there about its age.)
RESERVED_NET=" 0.0.0.0/8 1.0.0.0/8 2.0.0.0/8 \
    5.0.0.0/8 \
    7.0.0.0/8 \
    23.0.0.0/8 \
    27.0.0.0/8 \
    31.0.0.0/8 \
    36.0.0.0/8 37.0.0.0/8 \
    39.0.0.0/8 \
    41.0.0.0/8 42.0.0.0/8 \
    58.0.0.0/8 59.0.0.0/8 60.0.0.0/8 \
    67.0.0.0/8 68.0.0.0/8 69.0.0.0/8 70.0.0.0/8 71.0.0.0/8 72.0.0.0/8 73.0.0.0/8 \
    74.0.0.0/8 75.0.0.0/8 76.0.0.0/8 77.0.0.0/8 78.0.0.0/8 79.0.0.0/8 80.0.0.0/8 \
    81.0.0.0/8 82.0.0.0/8 83.0.0.0/8 84.0.0.0/8 85.0.0.0/8 86.0.0.0/8 87.0.0.0/8 \
    88.0.0.0/8 89.0.0.0/8 90.0.0.0/8 91.0.0.0/8 92.0.0.0/8 93.0.0.0/8 94.0.0.0/8 \
    95.0.0.0/8 96.0.0.0/8 97.0.0.0/8 98.0.0.0/8 99.0.0.0/8 100.0.0.0/8 101.0.0.0/8 \
    102.0.0.0/8 103.0.0.0/8 104.0.0.0/8 105.0.0.0/8 106.0.0.0/8 107.0.0.0/8 \
    108.0.0.0/8 109.0.0.0/8 110.0.0.0/8 111.0.0.0/8 112.0.0.0/8 113.0.0.0/8 \
    114.0.0.0/8 115.0.0.0/8 116.0.0.0/8 117.0.0.0/8 118.0.0.0/8 119.0.0.0/8 \
    120.0.0.0/8 121.0.0.0/8 122.0.0.0/8 123.0.0.0/8 124.0.0.0/8 125.0.0.0/8 \
    126.0.0.0/8 127.0.0.0/8 \
    197.0.0.0/8 \
    201.0.0.0/8 \
    218.0.0.0/8 219.0.0.0/8 220.0.0.0/8 221.0.0.0/8 222.0.0.0/8 223.0.0.0/8 \
    240.0.0.0/8 241.0.0.0/8 242.0.0.0/8 243.0.0.0/8 244.0.0.0/8 245.0.0.0/8 \
    246.0.0.0/8 247.0.0.0/8 248.0.0.0/8 249.0.0.0/8 250.0.0.0/8 251.0.0.0/8 \
    252.0.0.0/8 253.0.0.0/8 254.0.0.0/8 255.0.0.0/8"

for NET in $RESERVED_NET; do
    $IPTABLES -A DST_EGRESS -d $NET -j DROP
done
##------------------------------------------------------------------------##

###############################################################################
## Special Chain MANGLE_OUTPUT
## Mangle values of packets created locally. Only TOS values are mangled right
## now.
## TOS stuff: (type: iptables -m tos -h)
##      Minimize-Delay          16 (0x10)
##      Maximize-Throughput      8 (0x08)
##      Maximize-Reliability     4 (0x04)
##      Minimize-Cost            2 (0x02)
##      Normal-Service           0 (0x00)
$IPTABLES -t mangle -N MANGLE_OUTPUT
$IPTABLES -t mangle -F MANGLE_OUTPUT

##------------------------------------------------------------------------------##
## - Most of these are the RFC 1060/1349 suggested TOS values, yours might vary.
## - To view mangle table, type: iptables -L -t mangle
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 20 -j TOS --set-tos 8
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 21 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 22 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 23 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 25 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 53 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_OUTPUT -p udp --dport 53 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_OUTPUT -p tcp --dport 80 -j TOS --set-tos 8
##------------------------------------------------------------------------------##

###############################################################################
## Special Chain MANGLE_PREROUTING
## Rules to mangle TOS values of packets routed through the firewall. Only TOS
## values are mangled right now.
## TOS stuff: (type: iptables -m tos -h)
##      Minimize-Delay          16 (0x10)
##      Maximize-Throughput      8 (0x08)
##      Maximize-Reliability     4 (0x04)
##      Minimize-Cost            2 (0x02)
##      Normal-Service           0 (0x00)
$IPTABLES -t mangle -N MANGLE_PREROUTING
$IPTABLES -t mangle -F MANGLE_PREROUTING

##-------------------------------------------------------------------------------##
## - Most of these are the RFC 1060/1349 suggested TOS values, yours might vary.
## - To view mangle table, type: iptables -L -t mangle
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 20 -j TOS --set-tos 8
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 21 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 22 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 23 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 25 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 53 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p udp --dport 53 -j TOS --set-tos 16
$IPTABLES -t mangle -A MANGLE_PREROUTING -p tcp --dport 80 -j TOS --set-tos 8
##-------------------------------------------------------------------------------##

###############################################################################
## Special Chain ALLOW_PORTS-EXTERNAL
## Rules to allow packets destined for the external interface based on port
## number.
$IPTABLES -N ALLOW_PORTS-EXTERNAL
$IPTABLES -F ALLOW_PORTS-EXTERNAL

##------------------------------------------------------------------------##
## ALLOW foreign machines to access certain services.(Examples)

## SSH
# $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 22 -j ACCEPT

## DNS
$IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 53 -j ACCEPT
$IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p udp --dport 53 -j ACCEPT

## WWW
# $IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 80 -j ACCEPT

## REJECT port 113 ident requests.
$IPTABLES -A ALLOW_PORTS-EXTERNAL -i $EXTERNAL -p tcp --dport 113 -j REJECT
##------------------------------------------------------------------------##

###############################################################################
## Firewall Input Chains
###############################################################################

###############################################################################
## New chain for input to the external interface
$IPTABLES -N EXTERNAL-input
$IPTABLES -F EXTERNAL-input

##------------------------------------------------------------------------##
## Check TCP packets coming in on the external interface for weird flags
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -j CHECK_FLAGS
##------------------------------------------------------------------------##

##------------------------------------------------------------------------##
## Filter incoming packets based on port number.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p tcp -j DENY_PORTS
##------------------------------------------------------------------------##

$IPTABLES -A EXTERNAL-input -i $EXTERNAL -j KEEP_STATE

##------------------------------------------------------------------------##
## Filter out Reserved/Private IP addresses based on Source IP address.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p all -j SRC_EGRESS
##------------------------------------------------------------------------##

##------------------------------------------------------------------------##
## Filter out Reserved/Private IP addresses based on Destination IP address.
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p all -j DST_EGRESS
##------------------------------------------------------------------------##

##------------------------------------------------------------------------##
## Allow Packets On Certain External Ports
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -j ALLOW_PORTS-EXTERNAL
##------------------------------------------------------------------------##

##------------------------------------------------------------------------##
## ICMP Stuff. We're going to allow some ICMP.

## Echo Reply (pong)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 0 -j ACCEPT

## Destination Unreachable (blah)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 3 -j ACCEPT

## Echo Request (ping) -- Several Options:

## Accept Pings
##
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -j ACCEPT

## Accept Pings at the rate of one per second.
##
# $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -m limit \
#     --limit 1/second -j ACCEPT

## LOG all pings.
##
# $IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 8 -m limit \
#     --limit 5/minute -j LOG --log-level 1 --log-prefix "PING:"

## TTL Exceeded (traceroute)
$IPTABLES -A EXTERNAL-input -i $EXTERNAL -p icmp --icmp-type 11 -j ACCEPT
##------------------------------------------------------------------------##

###############################################################################
## New chain for input to the internal interface
$IPTABLES -N INTERNAL-input
$IPTABLES -F INTERNAL-input

## ACCEPT internal to internal traffic
$IPTABLES -A INTERNAL-input -i $INTERNAL -s $INTERNAL_NET -d 0/0 -j ACCEPT

## DROP anything not coming from the internal network
$IPTABLES -A INTERNAL-input -i $INTERNAL -s ! $INTERNAL_NET -d 0/0 -j DROP

##------------------------------------------------------------------------##
## Check TCP packets coming in on the internal interface for weird flags
$IPTABLES -A INTERNAL-input -i $INTERNAL -p tcp -j CHECK_FLAGS
##------------------------------------------------------------------------##

##------------------------------------------------------------------------##
## Filter out Reserved/Private IP addresses based on Destination IP address.
$IPTABLES -A INTERNAL-input -i $INTERNAL -p all -j DST_EGRESS
##------------------------------------------------------------------------##

###############################################################################
## New chain for input to the loopback interface
$IPTABLES -N LO-input
$IPTABLES -F LO-input

## Accept packets to the loopback interface
$IPTABLES -A LO-input -i $LOOPBACK -j ACCEPT

###############################################################################
## Firewall Output Chains
###############################################################################

###############################################################################
## New chain for output from the external interface
$IPTABLES -N EXTERNAL-output
$IPTABLES -F EXTERNAL-output

## ACCEPT outgoing packets on the external interface
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -j ACCEPT

##------------------------------------------------------------------------##
## Filter out Reserved/Private IP addresses based on Source IP address.
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -p all -j SRC_EGRESS
##------------------------------------------------------------------------##

##------------------------------------------------------------------------##
## Filter out Reserved/Private IP addresses based on Destination IP address.
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -p all -j DST_EGRESS
##------------------------------------------------------------------------##

##------------------------------------------------------------------------##
## Filter outgoing packets based on port number.
$IPTABLES -A EXTERNAL-output -o $EXTERNAL -p tcp -j DENY_PORTS
##------------------------------------------------------------------------##

###############################################################################
## New chain for output across the internal interface
$IPTABLES -N INTERNAL-output
$IPTABLES -F INTERNAL-output

## ACCEPT all outbound traffic across the internal interface
$IPTABLES -A INTERNAL-output -o $INTERNAL -d $INTERNAL_NET -j ACCEPT
$IPTABLES -A INTERNAL-output -o $INTERNAL -j KEEP_STATE

###############################################################################
## New chain for output across the loopback device
$IPTABLES -N LO-output
$IPTABLES -F LO-output

## ACCEPT all traffic across loopback device
$IPTABLES -A LO-output -o $LOOPBACK -j ACCEPT

###############################################################################
## Main Stuff
###############################################################################

## Jumping to our INPUT chains.
$IPTABLES -A INPUT -i $INTERNAL -j INTERNAL-input
$IPTABLES -A INPUT -i $LOOPBACK -j LO-input
$IPTABLES -A INPUT -i $EXTERNAL -j EXTERNAL-input

## Sort of a Catch-all
$IPTABLES -A INPUT -i $EXTERNAL -m state --state INVALID,NEW -j DROP

## Jump to our OUTPUT chains.
$IPTABLES -A OUTPUT -o $INTERNAL -j INTERNAL-output
$IPTABLES -A OUTPUT -o $EXTERNAL -j EXTERNAL-output
$IPTABLES -A OUTPUT -o $LOOPBACK -j LO-output
$IPTABLES -A OUTPUT -j KEEP_STATE

## Jump to our FORWARD chains.
$IPTABLES -A FORWARD -i $EXTERNAL -j EXTERNAL-input
$IPTABLES -A FORWARD -o $EXTERNAL -j EXTERNAL-output
$IPTABLES -A FORWARD -i $INTERNAL -j INTERNAL-input
$IPTABLES -A FORWARD -o $INTERNAL -j INTERNAL-output
# $IPTABLES -A FORWARD -j KEEP_STATE

## Jump to mangle table rules
$IPTABLES -t mangle -A OUTPUT -o $EXTERNAL -j MANGLE_OUTPUT
$IPTABLES -t mangle -A PREROUTING -i $EXTERNAL -j MANGLE_PREROUTING

### END FIREWALL RULES ###

##------------------------------------------------------------------------##
## I generally prefer to keep the NAT stuff in a separate file called      ##
## rc.firewall.nat, but that's just me.                                   ##
##------------------------------------------------------------------------##

###############################################################################
## IPTABLES Network Address Translation(NAT) Rules
###############################################################################

## Variables
##
## (Only needed when this section lives in its own file; the interface
## assignments must match the ones at the top of this script.)
#IPTABLES="/usr/local/bin/iptables"
#INTERNAL="eth1"                # Internal Interface
#EXTERNAL="eth0"                # External Interface
INTERNAL_NET="192.168.1.0/24"
#EXT_IP="123.123.123.123"       # IP address of the External Interface.

## Flush the NAT table.
#$IPTABLES -F -t nat

##------------------------------------------------------------------------##
## Destination NAT -- (DNAT)
##------------------------------------------------------------------------##
## "Redirect" packets headed for certain ports on our external interface to other
## machines on the network. (Examples)

## SSH
# $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp -d $EXT_IP --dport 22 \
#     -j DNAT --to 192.168.69.69:22

## WWW
# $IPTABLES -t nat -A PREROUTING -i $EXTERNAL -p tcp -d $EXT_IP --dport 80 \
#     -j DNAT --to 192.168.69.69:80

##------------------------------------------------------------------------##
## Source NAT -- (SNAT/Masquerading)
##------------------------------------------------------------------------##
## Source NAT allows us to "masquerade" our internal machines behind our
## firewall.
## Static IP address
##
## Change source address of outgoing packets on external
## interface to our IP address.
# $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j SNAT --to $EXT_IP

## Dynamic IP address
##
# $IPTABLES -t nat -A POSTROUTING -o $EXTERNAL -j MASQUERADE

### END NAT RULES ###

###############################################################################
## Additional Kernel Configuration
###############################################################################
## Adjust for your requirements/preferences.
## Please make sure you understand what these things are doing before you
## uncomment them. A good place to start would be some of the resources
## listed at the top of this script as well as the documentation that comes
## with the linux kernel source.
## For Example:  linux/Documentation/filesystems/proc.txt
##               linux/Documentation/networking/ip-sysctl.txt

## - Disable source routing of packets
#if [ -e /proc/sys/net/ipv4/conf/all/accept_source_route ]; then
#    for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
#        echo 0 > $i;
#    done
#fi

## - Enable rp_filter
#if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
#    for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
#        echo 1 > $i;
#    done
#fi

## - Ignore any broadcast icmp echo requests
#if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
#    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#fi

## - Ignore all icmp echo requests on all interfaces
#if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_all ]; then
#    echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all
#fi

## - Local port range for TCP/UDP connections
##   (printf instead of "echo -e": the -e flag is not portable under /bin/sh)
#if [ -e /proc/sys/net/ipv4/ip_local_port_range ]; then
#    printf '32768\t61000\n' > /proc/sys/net/ipv4/ip_local_port_range
#fi

## - Log packets with impossible addresses to kernel log.
#if [ -e /proc/sys/net/ipv4/conf/all/log_martians ]; then
#    echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#fi

## - Don't accept ICMP redirects
#if [ -e /proc/sys/net/ipv4/conf/all/accept_redirects ]; then
#    echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#fi

## - Don't accept ICMP redirects
##   (You may only want to disable on the external interface)
#if [ -e /proc/sys/net/ipv4/conf/$EXTERNAL/accept_redirects ]; then
#    echo 0 > /proc/sys/net/ipv4/conf/$EXTERNAL/accept_redirects
#fi

## Additional options for dialup connections with a dynamic ip address
## See: linux/Documentation/networking/ip_dynaddr.txt
#if [ -e /proc/sys/net/ipv4/ip_dynaddr ]; then
#    echo 1 > /proc/sys/net/ipv4/ip_dynaddr
#fi

## - Enable IP Forwarding
#if [ -e /proc/sys/net/ipv4/ip_forward ]; then
#    echo 1 > /proc/sys/net/ipv4/ip_forward
#else
#    echo "Uh oh: /proc/sys/net/ipv4/ip_forward doesn't exist"
#    echo "(That may be a problem)"
#fi

## EOF
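## Added example, not part of the original rc.firewall.iptables: a pure-sh
## check for what the SRC_EGRESS / DST_EGRESS chains above decide for a given
## address. It covers the permanently reserved blocks the script lists (RFC
## 1918, multicast, class E, "this" network, loopback), not the 2000-era
## RESERVED_NET list of unallocated /8s, most of which are allocated today.
## The function names (ip4_to_int, in_cidr, egress_verdict) and EGRESS_NETS
## are this example's own, not names from the script.

```sh
#!/bin/sh
# Added example (not from rc.firewall.iptables): answer "would the egress
# chains drop this address?" with shell arithmetic only, so a host or
# interface address can be tested against the rules before loading them.

# ip4_to_int ADDR: dotted quad -> 32-bit unsigned integer.
ip4_to_int() {
    _ip=$1
    _oifs=$IFS
    IFS=.
    set -- $_ip                 # split on dots into $1..$4
    IFS=$_oifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr ADDR NET/PREFIX: exit status 0 when ADDR lies inside NET/PREFIX.
in_cidr() {
    _addr=$(ip4_to_int "$1")
    _net=$(ip4_to_int "${2%/*}")
    _bits=${2#*/}
    # Build the netmask; the final & keeps it to 32 bits in 64-bit arithmetic.
    _mask=$(( (4294967295 << (32 - _bits)) & 4294967295 ))
    [ $(( _addr & _mask )) -eq $(( _net & _mask )) ]
}

# Blocks from the script's SRC_EGRESS/DST_EGRESS chains that are still
# reserved today. 240.0.0.0/4 stands in for the script's 240.0.0.0/5 plus
# its 240-255 /8 entries, which together cover the same range.
EGRESS_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4 0.0.0.0/8 127.0.0.0/8"

# egress_verdict ADDR: print "DROP (<net>)" for the first matching block,
# otherwise "ACCEPT", mirroring the chain's first-match semantics.
egress_verdict() {
    for _n in $EGRESS_NETS; do
        if in_cidr "$1" "$_n"; then
            echo "DROP ($_n)"
            return 0
        fi
    done
    echo ACCEPT
}

# Usage: egress_verdict 192.168.1.1     -> DROP (192.168.0.0/16)
#        egress_verdict 203.0.113.5     -> ACCEPT
```

## The first call is the interesting one for this script: the firewall's own
## internal address is inside 192.168.0.0/16, which is why INTERNAL-input's
## ACCEPT for $INTERNAL_NET has to stay ahead of its jump to DST_EGRESS.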
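## Added example, not part of the original rc.firewall.iptables: a small
## summariser for the kernel LOG lines the CHECK_FLAGS and DENY_PORTS
## --log-prefix rules above produce, so a scan or backdoor probe shows up as
## one count per prefix and source instead of scattered syslog lines. The
## sample log lines are constructed (RFC 5737 documentation addresses), and
## the function names fw_log_summary / fw_log_top are this example's own.

```sh
#!/bin/sh
# Added example (not from rc.firewall.iptables): summarise iptables LOG
# output by --log-prefix and source address.

# Constructed sample syslog lines in the shape the iptables LOG target emits
# (not captured from a real host). The last line is from another daemon and
# must be ignored.
SAMPLE_LOG='Oct 20 10:01:02 fw kernel: NMAP-XMAS:IN=eth0 OUT= MAC=00:00:00:00:00:00 SRC=203.0.113.10 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=40000 DPT=22 URGP=0
Oct 20 10:01:03 fw kernel: NMAP-XMAS:IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=40001 DPT=23 URGP=0
Oct 20 10:02:10 fw kernel: NULL_SCAN:IN=eth0 OUT= SRC=203.0.113.77 DST=198.51.100.5 LEN=40 PROTO=TCP SPT=5555 DPT=80 URGP=0
Oct 20 10:05:44 fw kernel: BackOrifice-UDP:IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 LEN=48 PROTO=UDP SPT=1024 DPT=31337 LEN=28
Oct 20 10:05:45 fw kernel: rpc.statd(9704) Shell:IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.5 LEN=60 PROTO=TCP SPT=33000 DPT=9704 URGP=0
Oct 20 10:06:00 fw sshd[123]: Accepted publickey for admin from 192.168.1.20'

# fw_log_summary: read syslog lines on stdin and print one tab-separated
# "count<TAB>prefix<TAB>source" line per prefix/source pair, most frequent
# first. Prefixes may contain spaces ("rpc.statd(9704) Shell"), so the text
# before the first ":IN=" is taken whole rather than split on whitespace.
fw_log_summary() {
    awk '
    /kernel: / {
        line = $0
        sub(/^.*kernel: /, "", line)          # keep only the LOG payload
        if (!match(line, /:IN=/)) next        # not an iptables LOG line
        prefix = substr(line, 1, RSTART - 1)  # text given to --log-prefix
        src = "?"
        n = split(line, f, " ")
        for (i = 1; i <= n; i++)
            if (f[i] ~ /^SRC=/) src = substr(f[i], 5)
        count[prefix "\t" src]++
    }
    END { for (k in count) print count[k] "\t" k }
    ' | sort -rn
}

# fw_log_top: only the most active prefix/source pair.
fw_log_top() {
    fw_log_summary | head -n 1
}

# Usage on a live box: fw_log_summary < /var/log/messages
# On the constructed sample: printf '%s\n' "$SAMPLE_LOG" | fw_log_summary
```

## Sorting by count first makes a repeated scanner (two NMAP-XMAS hits from one
## source above) surface ahead of one-off noise; feed it a day of logs rather
## than a minute, because the -m limit 5/minute on the LOG rules means the
## counts are a floor, not the true packet count.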