[wplug] iptable problems
Romano, Christopher
cjr6 at exchange.cis.pitt.edu
Sat Dec 15 14:09:26 EST 2001
so, I finally setup my firewall and part of it is working. However, I can't
ssh into it and it doesn't forward port 80 to apache. Most of this I got
from a script that I found on the net. Can anyone see where I went wrong?
#!/bin/bash
#flush all tables and reset the counters
iptables -X
iptables -F
iptables -Z
iptables -t nat -F
#set default policy to drop
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
#===========================================================
##some definitions
NAMESERVER_1="151.201.0.39"
NAMESERVER_2="151.201.0.38"
LOOPBACK="127.0.0.0/8"
BROADCAST="10.0.0.255"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/24"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/5"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"
#==========================================================
#turn off responce to pings
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
#turn off responce to broadcasts
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#Enable bad error message protection
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#Enable ip forwarding
/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
#start masquerading
iptables -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
iptables -A FORWARD -s 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/24 -j ACCEPT
iptables -A FORWARD -s ! 192.168.0.0/24 -j DROP
#allow unlimited traffic on the loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#syn-flooding protection
iptables -N syn-flood
iptables -A INPUT -i ppp0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
#make sure NEW tcp connections are SYN packets
iptables -A INPUT -i ppp0 -p tcp ! --syn -m state --state NEW -j DROP
##Fragments
iptables -A INPUT -i ppp0 -f -j LOG --log-prefix "IPTABLES FAGMENT:"
iptables -A INPUT -i ppp0 -f -j DROP
#make sure new tcp connections are syn packets
iptables -A INPUT -i ppp0 -p tcp ! --syn -m state --state NEW -j DROP
#spoofing
iptables -A INPUT -i ppp0 -s 10.0.0.1 -j DROP
iptables -A INPUT -i ppp0 -s $CLASS_A -j DROP
iptables -A INPUT -i ppp0 -s $CLASS_B -j DROP
iptables -A INPUT -i ppp0 -s $CLASS_C -j DROP
iptables -A INPUT -i ppp0 -s $CLASS_D_MULTICAST -j DROP
iptables -A INPUT -i ppp0 -s $CLASS_E_RESERVED_NET -j DROP
iptables -A INPUT -i ppp0 -d $LOOPBACK -j DROP
iptables -A INPUT -i ppp0 -d $BROADCAST -j DROP
#DNS
iptables -A INPUT -i ppp0 -p udp -s $NAMESERVER_1 --sport 53 -m state
--state ESTABLISHED -j ACCEPT
iptables -A INPUT -i ppp0 -p udp -s $NAMESERVER_2 --sport 53 -m state
--state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ppp0 -p udp -d $NAMESERVER_1 --dport 53 -m state
--state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ppp0 -p udp -d $NAMESERVER_2 --dport 53 -m state
--state NEW,ESTABLISHED -j ACCEPT
#SSH
iptables -A INPUT -i ppp0 -p tcp --sport 22 -m state --state NEW,ESTABLISHED
-j ACCEPT
iptables -A OUTPUT -o ppp0 -p tcp --dport 22 -m state --state
NEW,ESTABLISHED -j ACCEPT
#WWW
iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -i ppp0 -p tcp --sport 443 -m state --state ESTABLISHED -j
ACCEPT
iptables -A OUTPUT -o ppp0 -p tcp --dport 443 -m state --state
NEW,ESTABLISHED -j ACCEPT
#DNAT
iptables -A PREROUTING -t nat -p tcp -i ppp0 --dport 80 -j DNAT --to
192.168.0.3:80
#ftp
iptables -A INPUT -i ppp0 -p tcp --sport 21 -m state --state ESTABLISHED -j
ACCEPT
iptables -A OUTPUT -o ppp0 -p tcp --dport 21 -m state --state
NEW,ESTABLISHED -j ACCEPT
#active ftp
iptables -A INPUT -i ppp0 -p tcp --sport 20 -m state --state
ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o ppp0 -p tcp --dport 20 -m state --state ESTABLISHED -j
ACCEPT
#passive ftp
iptables -A INPUT -i ppp0 -p tcp --sport $UP_PORTS --dport $UP_PORTS -m
state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o ppp0 -p tcp --sport $UP_PORTS --dport $UP_PORTS -m
state --state ESTABLISHED,RELATED -j ACCEPT
#auth server
iptables -A INPUT -i ppp0 -p tcp --dport 113 -j REJECT --reject-with
tcp-reset
#traceroute
iptables -A OUTPUT -o ppp0 -p udp --sport $TR_SRC_PORTS --dport
$TR_DEST_PORTS -m state --state NEW -j ACCEPT
#IMCP
iptables -A INPUT -i ppp0 -p icmp -m state --state ESTABLISHED,RELATED -j
ACCEPT
iptables -A OUTPUT -o ppp0 -p icmp -m state --state NEW,ESTABLISHED,RELATED
-j ACCEPT
thanks,
chris
More information about the wplug
mailing list