[TriLUG] Iptables script...
Michael Thompson
thompson at easternrad.com
Tue Jan 7 15:34:36 EST 2003
Here is an iptables script that I have written for my home cable
gateway. My only question is: Is this a secure solution? I have added
comments to help a few colleagues but would like a second opinion before
I commit to this... (This is what I came up with after RTFMing for a
few hours....)
Any comments would be appreciated!
TIA, Mike.
#!/bin/sh
#
# This script will allow all outgoing connections, and
# allow ssh in from the Internet. Pick your port using
# the $SSHPort variable below. (In case your ISP blocks
# port 22.)
#
# Save this script as fw.sh in your /root directory.
# Of course, this script must be run as root.
# Just run: sh /root/fw.sh AFTER you update the
# following variables:

# Set the next variable to DROP or REJECT.
# I like to use REJECT for testing purposes only;
# this makes the change quick.
# Uncomment ONE of these
_DROP="DROP"
# _DROP="REJECT"

# Internet Interface
BadIF="eth1"
# Internal Interface
IntIF="eth0"
# Internal Network (use XXX.XXX.XXX.XXX/NetmaskBITS)
IntNET="192.168.1.0/24"

# What SSH port to use? (Remember to configure /etc/ssh/sshd_config)
# This is the only port that will be open on the $BadIF
# Use "22" or "ssh" if your ISP does not block
SSHPort="8022"

# Set default policies to DROP & flush the chains.
# $_DROP cannot be used here: REJECT is a target, not a valid
# built-in chain policy (only ACCEPT and DROP are).
# Note: later rules will ACCEPT what we want.
iptables -P INPUT DROP
iptables -F INPUT
iptables -Z INPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -Z FORWARD
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -Z OUTPUT
# Flush the nat table too; otherwise every re-run of this script
# appends one more MASQUERADE rule to POSTROUTING.
iptables -t nat -F

# Make this box route between the two interfaces. The FORWARD and
# nat rules below do nothing without it (skip this line if you
# already enable forwarding in /etc/sysctl.conf).
echo 1 > /proc/sys/net/ipv4/ip_forward

# ******************************************************* #
# BEGIN CONFIGURE ACCESS TO AND FROM *THIS* WORKSTATION #
# (Does not apply to packets routing THROUGH this machine)

# Loopback has to be accepted explicitly: with INPUT policy DROP and
# no rule for "lo", local clients talking to local daemons on
# 127.0.0.1 are dropped (the first packet is NEW in INPUT as well).
iptables -A INPUT -i lo -j ACCEPT

# Disable IP spoofing of the internal network:
# if the source is internal and the interface is NOT, drop it now.
# ("! -i" is the current syntax; old iptables accepted "-i !".)
iptables -A INPUT -s $IntNET ! -i $IntIF -j $_DROP

# Allow connections IN that were established FROM this workstation
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow established and new connections OUT FROM this workstation
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow ssh connections to this workstation (see variable 'SSHPort' above).
# Comment out the LOG line if you don't want to log ssh connections.
# "-m limit" with its defaults (3/hour, burst 5) keeps a SYN flood
# from filling the log.
iptables -A INPUT -p tcp --syn --dport $SSHPort -m limit -j LOG --log-prefix "FW SSH connection:"
iptables -A INPUT -p tcp --syn --dport $SSHPort -j ACCEPT

# Allow all from the internal net
iptables -A INPUT -i $IntIF -j ACCEPT
# END CONFIGURE ACCESS TO AND FROM *THIS* WORKSTATION #
# ******************************************************* #

# ******************************************************* #
# BEGIN CONFIGURE ACCESS *THROUGH* THIS WORKSTATION #
# Allow everything out.
iptables -A FORWARD -i $IntIF -j ACCEPT
# What to do with packets coming from the bad IF to the internal net:
# allow established connections; the default policy will DROP the rest.
iptables -A FORWARD -i $BadIF -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $BadIF -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $BadIF -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT outgoing connections
iptables -t nat -A POSTROUTING -s $IntNET -o $BadIF -j MASQUERADE
# END CONFIGURE ACCESS *THROUGH* THIS WORKSTATION #
# ******************************************************* #

echo "The iptables rules have been created."
echo "If you would like to have these rules established at boot,"
echo "use 'service iptables save' to save the rules to /etc/sysconfig/iptables,"
echo "AND THEN... use 'chkconfig iptables on' to enable them at bootup."
echo "If you lose the ruleset, re-run this script and do 'service iptables save', etc..."
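Added example, not part of Mike's post or of the script above: a small check that runs offline over a saved ruleset (the text "iptables-save" prints) and verifies what the script is meant to enforce, namely DROP policies on all three filter chains, loopback accepted, the anti-spoofing rule present, only the SSH port reachable from the outside interface, and exactly one MASQUERADE rule (a second one shows up whenever the script is re-run without flushing the nat table). The interface names, network and port are the values used in the script; the two iptables-save dumps are constructed samples, not captured from a real gateway. On the gateway itself you would run "iptables-save > /tmp/fw.rules" and then call check_ruleset on that file.

```sh
#!/bin/sh
# Offline check of an iptables-save dump against the policy the script intends.
# Assumed values, taken from the script above (not from any real gateway):
BadIF="eth1"
IntIF="eth0"
IntNET="192.168.1.0/24"
SSHPort="8022"

# section FILE TABLE: print the rules of one table (filter, nat, ...). INPUT
# and OUTPUT chains exist in several tables, so never grep the whole dump.
section() {
    awk -v t="*$2" '$0 == t { on = 1; next } /^COMMIT/ { on = 0 } on' "$1"
}

# exposed_ports FILE: TCP/UDP destination ports ACCEPTed in INPUT by rules not
# pinned to loopback or the internal interface, i.e. reachable from $BadIF.
# Prints them space-separated, numerically sorted, duplicates removed.
exposed_ports() {
    section "$1" filter \
      | grep -E '^-A INPUT .*-j ACCEPT$' \
      | grep -vE -e "-i (lo|$IntIF) " \
      | grep -oE -e '--dport [0-9]+' \
      | awk '{ print $2 }' | sort -un | tr '\n' ' ' | sed 's/ $//'
}

# check_ruleset FILE: prints one line per finding and returns the number of
# failed checks (0 means the dump matches the intended policy).
check_ruleset() {
    f="$1"
    fails=0
    for chain in INPUT FORWARD OUTPUT; do
        if ! section "$f" filter | grep -q "^:$chain DROP "; then
            echo "FAIL: default policy of filter/$chain is not DROP"
            fails=$((fails + 1))
        fi
    done
    if ! section "$f" filter | grep -q '^-A INPUT -i lo -j ACCEPT$'; then
        echo "FAIL: loopback is not accepted in INPUT (local daemons unreachable)"
        fails=$((fails + 1))
    fi
    if ! section "$f" filter | grep -qE -e "^-A INPUT -s $IntNET ! -i $IntIF -j (DROP|REJECT)"; then
        echo "FAIL: no anti-spoofing rule for $IntNET arriving on interfaces other than $IntIF"
        fails=$((fails + 1))
    fi
    ports=$(exposed_ports "$f")
    if [ "$ports" != "$SSHPort" ]; then
        echo "FAIL: ports reachable from $BadIF are '$ports', expected only '$SSHPort'"
        fails=$((fails + 1))
    fi
    n=$(section "$f" nat | grep -c -e "-A POSTROUTING -s $IntNET -o $BadIF -j MASQUERADE" || true)
    if [ "$n" -ne 1 ]; then
        echo "FAIL: expected exactly 1 MASQUERADE rule, found $n (script re-run without 'iptables -t nat -F'?)"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed iptables-save dump of the script with a loopback rule and a nat
# flush (trimmed to the lines the checks look at; not captured from a host).
sample_fixed() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.0/24 ! -i eth0 -j DROP
-A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8022 --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -i eth1 -p tcp -m state --state ESTABLISHED -j ACCEPT
-A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
COMMIT
EOF
}

# Constructed dump of the script as originally posted, run twice: no loopback
# rule, and the never-flushed nat table now holds the MASQUERADE rule twice.
sample_original() {
    sample_fixed | grep -v -e '^-A INPUT -i lo ' | sed '/MASQUERADE/p'
}

# Demo: check both constructed dumps.
for s in sample_fixed sample_original; do
    tmp=$(mktemp)
    "$s" > "$tmp"
    echo "== $s"
    if check_ruleset "$tmp"; then echo "OK: matches the intended policy"; fi
    rm -f "$tmp"
done
```

The checks read the dump rather than calling iptables, so the same script can be run against a saved ruleset on any machine, and it deliberately looks at the filter and nat tables separately because both carry an INPUT and OUTPUT chain.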