Linux Help
guides forums blogs
Home Desktops Distributions ISO Images Logos Newbies Reviews Software Support & Resources Linuxhelp Wiki

Welcome Guest ( Log In | Register )



Advanced DNS Management
New ZoneEdit. New Managment.

FREE DNS Is Back

Sign Up Now
 
Reply to this topicStart new topic
> Iptables script for second firewall, please check if correct
Robert83
post Feb 16 2007, 10:09 AM
Post #1


Its GNU/Linuxhelp.net
*******

Group: Support Specialist
Posts: 1,439
Joined: 3-January 04
From: Germany
Member No.: 2,069



Hello,

Please be so kind dear reader check if my firewall script is correct, and make suggestions in case something is wrong.

eth0 and eth1 is internal network both should be able to communicate with each other without restrictions.
eth0 and eth1 should be able to communicate with ISP lan via eth3 unrestricted via the OUTPUT rules.

eth3 should only be able to access FTP server on this firewall, the ftp server itself is running on THIS firewall.

All users of my network should be able to access computers of this ISP network 10.0.0.0/255.255.255.0 accessible
via $EXTIF or $EXTIP .

If everything is okay than this is what the following script does. The routing information is exchanged between my Linux routers
via Quagga / RIP v2 . ip_forwarding is set to 1 .

Sincerely
Robert B

#!/bin/sh
################################################################################
##
# GLOBAL VARIABLES
################################################################################
##

IFCONFIG=/sbin/ifconfig
AWK=/bin/awk

INTIF="eth0"
INTIF2="eth1"
EXTIF="eth2"
echo " External Interface: $EXTIF"
echo " Internal Interface 1: $INTIF"
echo " Internal Interface 2: $INTIF2"
echo " ---"

EXTIP="`$IFCONFIG $EXTIF | $AWK \
/$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
echo " External IP: $EXTIP"
echo " ---"


iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

################################################################################
##
# FORWARD RULES
################################################################################
##

iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT # eth0 -> eth2
iptables -A FORWARD -i $INTIF2 -o $EXTIF -j ACCEPT # eth1 -> eth2
iptables -A FORWARD -i $INTIF -o $INTIF -j ACCEPT # eth0 -> eth0
iptables -A FORWARD -i $INTIF2 -o $INTIF2 -j ACCEPT # eth1 -> eth1
iptables -A FORWARD -i $INTIF -o $INTIF2 -j ACCEPT # eth0 -> eth1
iptables -A FORWARD -i $INTIF2 -o $INTIF -j ACCEPT # eth1 -> eth0
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT # eth3 -> eth0
iptables -A FORWARD -i $EXTIF -o $INTIF2 -m state --state ESTABLISHED,RELATED -j ACCEPT # eth3 -> eth1

################################################################################
##
# INPUT RULES
################################################################################
##

iptables -A INPUT -s 127.0.0.1 -j ACCEPT # lo
iptables -A INPUT -i $INTIF -j ACCEPT # eth0
iptables -A INPUT -i $INTIF2 -j ACCEPT # eth1
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT # eth3 + any other interface not specified just in case

# ECHO ICMP PING ALLOW
iptables -A INPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

################################################################################
##
# vsFTP Server on the Firewall
################################################################################
##

iptables -A INPUT -i $EXTIF -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT

# ACTIVE
iptables -A INPUT -i $EXTIF -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT

# PASSIVE
iptables -A INPUT -i $EXTIF -p tcp --sport 1024:65535 --dport 1024:65535 -m state --state ESTABLISHED -j ACCEPT


################################################################################
##
# OUTPUT RULES
################################################################################
##

iptables -A OUTPUT -s 127.0.0.1 -j ACCEPT # lo
iptables -A OUTPUT -s 192.168.1.253 -j ACCEPT # eth0
iptables -A OUTPUT -s 192.168.6.250 -j ACCEPT # eth1
iptables -A OUTPUT -s $EXTIP -j ACCEPT # eth2

################################################################################
##
# POSTROUTING
################################################################################
##

iptables -t nat -A POSTROUTING -s 192.168.0.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.2.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.3.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.4.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.5.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.6.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.10.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.11.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.56.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -s 192.168.57.0/255.255.255.0 -o $EXTIF -j SNAT --to-source $EXTIP


--------------------
Robert Becskei
robert83@linuxhelp.net
--------------------
May the source be with us!
--------------------
AMD X2-3800 @ 2400Mhz
2048MB DDR 400Mhz
DFI Lanparty UT4 NF4 ULTRA-D
GeForce 7800GT
250GB+250GB
Pioneer DVD-RW
17inch Samsung Syncmaster 757NF
WinXP Pro (SP2)/ CentOS 4.3
--------------------
Go to the top of the page
 
+Quote Post

Reply to this topicStart new topic
1 User(s) are reading this topic (1 Guests and 0 Anonymous Users)
0 Members:

 



RSS Lo-Fi Version Time is now: 23rd October 2017 - 08:42 AM