Please create an account to participate in the Slashdot moderation system

 


Forgot your password?
Close
typodupeerror
×
User Journal

Journal jasno's Journal: Firewall config

Journal by jasno

This is my current firewall config.. comments appreciated!

#!/bin/sh
#
# Firewall script for 3 interface router.
#
IPT=/sbin/iptables

INET=eth0
IDMZ=eth2
ILAN=eth1
DMZNET=10.10.2.0/24
LANNET=10.10.1.0/24

# Forward the following ports to the DMZ host
TCPFWD="ssh www https 8000 8001"
UDPFWD="5121"

# Turn off forwarding
echo 0 > /proc/sys/net/ipv4/ip_forward

modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
modprobe ip_nat_irc
modprobe ip_conntrack_irc

###############################################################
# Setup /proc interface

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
done

# Enable TCP SYN Cookie Protection
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
done

# Don't send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
        echo 0 > $f
done

# Drop Spoofed Packets coming in on an interface, which if replied to,
# would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
done

# Self explanitory
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

# Log packets with impossible addresses.
#for f in /proc/sys/net/ipv4/conf/*/log_martians; do
# echo 1 > $f
#done

###############################################################
# Flush all chains and delete user chains

for i in filter nat mangle
do
$IPT -t $i -F
$IPT -t $i -X
done

# Default policy is to drop
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

###############################################################
# Stealth Scans and TCP State Flags - Are these needed?

# All of the bits are cleared
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

# SYN and FIN are both set
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN and RST are both set
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN,RST -j DROP

# FIN and RST are both set
iptables -A INPUT -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A FORWARD -p tcp --tcp-flags FIN,RST FIN,RST -j DROP

# FIN is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,FIN FIN -j DROP

# PSH is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,PSH PSH -j DROP

# URG is the only bit set, without the expected accompanying ACK
iptables -A INPUT -p tcp --tcp-flags ACK,URG URG -j DROP
iptables -A FORWARD -p tcp --tcp-flags ACK,URG URG -j DROP

###############################################################
# Setup rules for connecting to the gateway itself

# Loopback is trusted
$IPT -A INPUT -i lo -j ACCEPT

# Allow related packets from any interface
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all connections from LAN
$IPT -A INPUT -i $ILAN -j ACCEPT

###############################################################
# Setup rules to allow the internal nets to access the internet

# Allow LAN to connect to anything
$IPT -A FORWARD -i $ILAN -j ACCEPT

# Allow all traffic going from DMZ to outside
$IPT -A FORWARD -i $IDMZ -o $INET -j ACCEPT

# Only allow return traffic back inside - '-o ! $INET' probably not needed
$IPT -A FORWARD -o ! $INET -m state --state ESTABLISHED,RELATED -j ACCEPT

###############################################################
# Setup masquerading

# LAN S-NAT
$IPT -t nat -A POSTROUTING -o $INET -j MASQUERADE

###############################################################
# DMZ Port Forwarding
for i in $TCPFWD; do
        $IPT -A FORWARD -i $INET -o $IDMZ -p tcp --dport $i -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
        $IPT -t nat -A PREROUTING -p tcp --dport $i -i $INET -j DNAT --to 10.10.2.40
done

for i in $UDPFWD; do
        $IPT -A FORWARD -i $INET -o $IDMZ -p udp --dport $i -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
        $IPT -t nat -A PREROUTING -p udp --dport $i -i $INET -j DNAT --to 10.10.2.40
done

###############################################################
# LAN Port Forwarding
#$IPT -A FORWARD -i $INET -o $ILAN -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPT -t nat -A PREROUTING -p tcp --dport 80 -i $INET -j DNAT --to 10.10.1.40

# LAN D-NAT
#$IPT -t nat -A PREROUTING -p tcp --dport 80 -i $IEXT -j DNAT --to 10.10.1.40:8080

# DMZ D-NAT
#$IPT -t nat -A PREROUTING -p tcp --dport 80 -i $IEXT -j DNAT --to 10.10.2.40
#$IPT -t nat -A PREROUTING -p udp --dport 5121 -i $IEXT -j DNAT --to 10.10.2.40

echo 1 > /proc/sys/net/ipv4/ip_forward

This discussion has been archived. No new comments can be posted.

Firewall config More

Firewall config

Comments Filter:

Slashdot Top Deals

Our OS who art in CPU, UNIX be thy name. Thy programs run, thy syscalls done, In kernel as it is in user!

Close