[TriLUG] Iptables script...

Michael Thompson thompson at easternrad.com
Tue Jan 7 15:34:36 EST 2003


Here is an iptables script that I have written for my home cable
gateway.  My only question is:  Is this a secure solution?  I have added
comments to help a few colleagues but would like a second opinion before
I commit to this...  (This is what I came up with after RTFMing for a
few hours....)

Any comments would be appreciated!

TIA, Mike.

#!/bin/sh
#
# This script will allow all outgoing connections, and
# allow ssh in from the Internet. Pick your port using
# the $SSHPort variable below. (In case your isp blocks
# port 22.)
#
# save this script as fw.sh in your /root directory.
# of course, this script must be run as root.
# just run: sh /root/fw.sh AFTER you update the
# following variables:

# set the next variable to DROP or REJECT
# I like to use REJECT for testing purposes only,
# this makes the change quick.
# Uncomment ONE of these
_DROP="DROP"
# _DROP="REJECT"

# Internet Interface
BadIF="eth1"

# Internal Interface
IntIF="eth0"

# Internal Network (use XXX.XXX.XXX.XXX/NetmaskBITS)
IntNET="192.168.1.0/24"

# What SSH port to use? (Remember to configure /etc/ssh/sshd_config)
# This is the only port that will be open on the $BadIF
# Use "22" or "ssh" if your ISP does not block
SSHPort="8022"

# set default policies to DROP & flush the chains
# $_DROP will not work, I guess REJECT is not a valid policy...
# Note: Later rules will ACCEPT what we want
iptables -P INPUT DROP
iptables -F INPUT
iptables -Z INPUT
iptables -P FORWARD DROP
iptables -F FORWARD
iptables -Z FORWARD
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -Z OUTPUT

# ******************************************************* #
# BEGIN CONFIGURE ACCESS TO AND FROM *THIS* WORKSTATION   #
# (Does not apply to packets routing THROUGH this machine)

# disable ip spoofing of internal network
# if source is internal and interface NOT then drop it now
# (negation written as "! -i"; the older "-i !" form is deprecated in newer iptables)
iptables -A INPUT -s $IntNET ! -i $IntIF -j $_DROP

# Allow loopback traffic. (Added: not in the original post. Local services
# talking to 127.0.0.1 are NEW in INPUT too, so the DROP policy would block them.)
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow connections IN that were established FROM this workstation
iptables -A INPUT -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow established and new connections OUT FROM this workstation
iptables -A OUTPUT -p udp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p tcp -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow ssh connections to this workstation (see variable 'SSHPort' above)
# comment out this line if you don't want to log ssh connections.
# (-m limit without arguments uses the default rate of 3/hour, burst 5)
iptables -A INPUT -p tcp --syn --dport $SSHPort -m limit -j LOG --log-prefix "FW SSH connection:"
iptables -A INPUT -p tcp --syn --dport $SSHPort -j ACCEPT

# allow all from internal net
iptables -A INPUT -i $IntIF -j ACCEPT

# END CONFIGURE ACCESS TO AND FROM *THIS* WORKSTATION     #
# ******************************************************* #




# ******************************************************* #
# BEGIN CONFIGURE ACCESS *THROUGH* THIS WORKSTATION       #

# allow everything out.
iptables -A FORWARD -i $IntIF -j ACCEPT

# what to do with packets coming from the bad if to internal net
# allow established connections, default policy will DROP/REJECT rest
iptables -A FORWARD -i $BadIF -p udp -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $BadIF -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $BadIF -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT

# NAT outgoing connections
iptables -t nat -A POSTROUTING -s $IntNET -o $BadIF -j MASQUERADE

# END CONFIGURE ACCESS *THROUGH* THIS WORKSTATION       #
# ******************************************************* #

echo "The iptables rules have been created."
echo "If you would like to have these rules established at boot,"
echo "use 'service iptables save' to save rules to /etc/sysconfig/iptables,"
echo "AND THEN...  use 'chkconfig iptables on' to enable them at bootup."
echo "If you lose the ruleset, re-run this script and do 'service iptables save', etc..."
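As an added example (not part of Mike's post or the TriLUG thread), the same policy written in iptables-save syntax so it can be parsed with `iptables-restore --test` (an option in newer iptables releases, not the 2003 versions) and loaded atomically instead of rule by rule, together with a small audit function that checks a saved ruleset for the points a reviewer would look at: DROP policies on all three chains, a loopback accept, the anti-spoof rule, and no ACCEPT on the Internet interface other than the SSH port. Interface names, network and port are assumed to be the ones from the script above; the "bad" ruleset in the usage comment is constructed for illustration.

```shell
#!/bin/sh
# Added example; assumes the same variables as the original script.
BadIF="eth1"
IntIF="eth0"
IntNET="192.168.1.0/24"
SSHPort="8022"

# Emit the ruleset in iptables-save syntax. Compared with the original
# script it also accepts loopback, applies the anti-spoof rule to FORWARD,
# binds the SSH accept to the Internet interface, and uses RELATED so ICMP
# errors for tracked connections get through.
gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT ! -i $IntIF -s $IntNET -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $IntIF -j ACCEPT
-A INPUT -i $BadIF -p tcp --syn --dport $SSHPort -m limit --limit 3/min -j LOG --log-prefix "FW SSH connection: "
-A INPUT -i $BadIF -p tcp --syn --dport $SSHPort -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD ! -i $IntIF -s $IntNET -j DROP
-A FORWARD -i $IntIF -o $BadIF -j ACCEPT
-A FORWARD -i $BadIF -o $IntIF -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s $IntNET -o $BadIF -j MASQUERADE
COMMIT
EOF
}

# Audit a ruleset in iptables-save syntax read from stdin (e.g. the output
# of gen_rules or of iptables-save). Prints each failed check and returns 1
# if any check failed, 0 otherwise.
audit_rules() {
    rules=$(cat)
    rc=0
    for chain in INPUT FORWARD OUTPUT; do
        printf '%s\n' "$rules" | grep -q -- "^:$chain DROP" \
            || { echo "FAIL: $chain policy is not DROP"; rc=1; }
    done
    printf '%s\n' "$rules" | grep -q -- '^-A INPUT -i lo -j ACCEPT' \
        || { echo "FAIL: loopback traffic is not accepted"; rc=1; }
    printf '%s\n' "$rules" | grep -q -- "^-A INPUT ! -i $IntIF -s $IntNET -j DROP" \
        || { echo "FAIL: anti-spoof rule for $IntNET is missing"; rc=1; }
    # Any INPUT ACCEPT that is not loopback, not connection-tracking based,
    # not bound to the internal interface, and not the SSH port is an extra
    # listener exposed to the Internet.
    printf '%s\n' "$rules" | grep -- '^-A INPUT .* -j ACCEPT$' \
        | grep -v -- '-i lo ' | grep -v -- '--state ' \
        | grep -v -- "-i $IntIF " | grep -v -- "--dport $SSHPort " \
        | grep -q . && { echo "FAIL: port other than $SSHPort accepted on INPUT"; rc=1; }
    return $rc
}

# Usage (as root, once the audit passes):
#   gen_rules | audit_rules && gen_rules | iptables-restore --test && gen_rules | iptables-restore
```

Loading through iptables-restore replaces the whole table in one step, so there is no window where the chains are flushed but the policies not yet applied; running `audit_rules` against `iptables-save` output after a reboot is a quick way to confirm the saved ruleset is the one you reviewed.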
