public inbox for speakup@linux-speakup.org
* firewall stuff
From: Deedra Waters @  UTC (permalink / raw)
  To: speakup

[-- Attachment #1: Type: TEXT/PLAIN, Size: 618 bytes --]

     My current firewall script is causing some problems with some things
that I'm trying to do.... Due to the fact that I don't know enough about
Linux and iptables, I thought I'd try another firewall script that someone
had posted to the list.

The problem I'm having with the script is this..... when I try and run it
I get this error...
./firewall: /proc/sys/net/ipv4/ip_foward: No such file or directory
but the file appears to be there, so I'm not really sure what I'm doing
wrong. If I could get some help off list with this I'd appreciate it...
I've attached the firewall script I'm trying to use to this message.


[-- Attachment #2: Type: TEXT/PLAIN, Size: 4720 bytes --]

#!/bin/bash

iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

#This enables ip forwarding, and thus by extension, NAT
#Turn this on if you're going to be doing NAT or Masquerading
echo 1 > /proc/sys/net/ipv4/ip_foward

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#This one maps port 80 to 192.168.1.1. Anything incoming over eth0 to
#the server will be redirected invisibly to port 80 on 192.168.1.1

#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.60
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 0/0 --dport 80 -j ACCEPT

#These four redirect a block of ports, in both udp and tcp.

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 2074:2076 -j DNAT --to 192.168.1.69
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2074:2076 -j DNAT --to 192.168.1.69
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4074:4076 -j DNAT --to 192.168.1.69
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4074:4076 -j DNAT --to 192.168.1.69

#Now, our firewall chain
#We use the limit commands to cap the rate at which it alerts to 15
#log messages per minute
iptables -N firewall
#iptables -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
iptables -A firewall -m limit --limit 15/minute -j LOG --log-prefix "fp=Firewall:1 a=DROP " 
iptables -A firewall -j DROP

#Now, our dropwall chain, for the final catchall filter
iptables -N dropwall
# iptables -A dropwall -m limit --limit 15/minute -j LOG \
# --log-level 1 --log-prefix "fp=Dropwall:2 a=DROP "
iptables -A dropwall -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A dropwall -j DROP

#Our "hey, them's some bad tcp flags!" chain
iptables -N badflags
#iptables -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
iptables -A badflags -m limit --limit 15/minute -j LOG --log-prefix "fp=Badflags:3 a=DROP "
iptables -A badflags -j DROP
 
#And our silent logging chain
iptables -N silent
iptables -A silent -j DROP


#Accept ourselves (loopback interface), 'cause we're all warm and friendly
iptables -A INPUT -i lo -j ACCEPT

#Drop those nasty packets!
#These are all TCP flag combinations that should never, ever occur in the
#wild. All of these are illegal combinations that are used to attack a box
#in various ways, so we just drop them and log them here.
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

#Drop icmp, but only after letting certain types through
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
iptables -A INPUT -p icmp -j firewall

#Accept SSH connections from everywhere.
#Uncomment this if you're running SSH and want to be able to access it
#from the outside world.
#
iptables -A INPUT -i eth1 -d 0/0 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -d 0/0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth1 -d 0/0 -j ACCEPT

# We should not accept any datagrams with a source address matching ours
# from the outside, so we deny them.
iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROP
 
#Lets do some basic state-matching
#This allows us to accept related and established connections, so
#client-side things like ftp work properly, for example.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

#Uncomment to drop port 137 netbios packets silently. We don't like
#that netbios stuff, and it's #way too spammy with windows machines on
#the network.
#
# iptables -A INPUT -p udp --sport 137 --dport 137 -j silent
iptables -A INPUT -p udp --sport 137 --dport 137 -j ACCEPT
iptables -A INPUT -p udp --sport 138 --dport 138 -j ACCEPT
iptables -A INPUT -p udp --sport 139 --dport 139 -j ACCEPT

#Our final trap. Everything on INPUT goes to the dropwall so we don't get silent drops
iptables -A INPUT -j dropwall
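
Added example, not part of the attached script or of any reply in this thread: a pre-flight check that lists every /proc/sys path a firewall script writes to and hands the script to bash only when all of them exist. The point it illustrates is that the attached script flushes the rules and sets INPUT's policy to DROP before the `echo` line, and bash only prints the redirection error and carries on, so a misspelled path leaves forwarding silently off; failing before the first `iptables -F` keeps the old ruleset in place. It assumes the firewall script is passed as the first argument; the file names in the comments are illustrative.

```bash
#!/bin/bash
# Added example (not from the posted script): check every /proc/sys path a
# firewall script writes to before running it. The posted script flushes
# all rules and sets INPUT to DROP before the misspelled echo, and bash just
# prints the redirection error and carries on, so forwarding silently stays
# off. Failing early keeps the old ruleset in place instead.

# List each /proc/sys path named in SCRIPT that does not exist on this host.
# Returns 0 when all paths exist, 1 otherwise.
check_sysctl_paths() {
    script="$1"
    missing=0
    # grep -o prints only the matched path; sort -u drops duplicates
    for p in $(grep -o '/proc/sys/[A-Za-z0-9_./-]*' "$script" | sort -u); do
        if [ ! -e "$p" ]; then
            echo "missing: $p (compare with: ls $(dirname "$p"))" >&2
            missing=1
        fi
    done
    return "$missing"
}

# Enable forwarding through PATH (default: the real ip_forward file) only if
# it exists and is writable; return 1 with a clear message otherwise.
enable_ip_forward() {
    path="${1:-/proc/sys/net/ipv4/ip_forward}"
    if [ ! -w "$path" ]; then
        echo "cannot write $path: no such file or not writable" >&2
        return 1
    fi
    echo 1 > "$path"
}

# When run directly with a script name (e.g. ./preflight ./firewall), run
# the check and only then hand the script to bash.
if [ -n "${1:-}" ]; then
    check_sysctl_paths "$1" && bash "$1"
fi
```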
