firewall stuff

Deedra Waters dmwaters at tampabay.rr.com
Wed Dec 26 09:51:29 EST 2001


     My current firewall script is causing some problems with some things
that I'm trying to do.... do to the fact that I don't know enough about
linux and iptables, I thought I'd try another firewall script that someone
had posted to the list.

the problem I'm having with the script is this..... when I try and run it
I get this error...
./firewall: /proc/sys/net/ipv4/ip_foward: No such file or directory
but the file appears to be there, so not really sure what I'm doing
wrong, if I could get some help off list with this I'd appreciate it...
I've attached the firewall script I'm trying to use to this message.

-------------- next part --------------
#!/bin/bash

iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

#This enables ip forwarding, and thus by extension, NAT
#Turn this on if you're going to be doing NAT or Masquerading
echo 1 > /proc/sys/net/ipv4/ip_foward

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#This one maps port 80 to 192.168.1.1. Anything incoming over eth0 to
#the server will be redirected invisibly to port 80 on 192.168.1.1

#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.60
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 0/0 --dport 80 -j ACCEPT

#These four redirect a block of ports, in both udp and tcp.

iptables -t nat -A PREROUTING -i eth0 -p udp --dport 2074:2076 -j DNAT --to 192.168.1.69
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2074:2076 -j DNAT --to 192.168.1.69
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4074:4076 -j DNAT --to 192.168.1.69
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4074:4076 -j DNAT --to 192.168.1.69

#Now, our firewall chain
#We use the limit commands to cap the rate at which it alerts to 15
#log messages per minute
iptables -N firewall
#iptables -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
iptables -A firewall -m limit --limit 15/minute -j LOG --log-prefix "fp=Firewall:1 a=DROP " 
iptables -A firewall -j DROP

#Now, our dropwall chain, for the final catchall filter
iptables -N dropwall
# iptables -A dropwall -m limit --limit 15/minute -j LOG \
# --log-level 1 --log-prefix "fp=Dropwall:2 a=DROP "
iptables -A dropwall -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A dropwall -j DROP

#Our "hey, them's some bad tcp flags!" chain
iptables -N badflags
#iptables -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
iptables -A badflags -m limit --limit 15/minute -j LOG --log-prefix "fp=Badflags:3 a=DROP "
iptables -A badflags -j DROP
 
#And our silent logging chain
iptables -N silent
iptables -A silent -j DROP


#Accept ourselves (loopback interface), 'cause we're all warm and friendly
iptables -A INPUT -i lo -j ACCEPT

#Drop those nasty packets!
#These are all TCP flag combinations that should never, ever occur in the
#wild. All of these are illegal combinations that are used to attack a box
#in various ways, so we just drop them and log them here.
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

#Drop icmp, but only after letting certain types through
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
iptables -A INPUT -p icmp -j firewall

#Accept SSH connections from everywhere.
#Uncomment this if you're running SSH and want to be able to access it
#from the outside world.
#
iptables -A INPUT -i eth1 -d 0/0 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -d 0/0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth1 -d 0/0 -j ACCEPT

# We should not accept any datagrams with a source address matching ours
# from the outside, so we deny them.
iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROP
 
#Lets do some basic state-matching
#This allows us to accept related and established connections, so
#client-side things like ftp work properly, for example.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

#Uncomment to drop port 137 netbios packets silently. We don't like
#that netbios stuff, and it's #way too spammy with windows machines on
#the network.
#
# iptables -A INPUT -p udp --sport 137 --dport 137 -j silent
iptables -A INPUT -p udp --sport 137 --dport 137 -j ACCEPT
iptables -A INPUT -p udp --sport 138 --dport 138 -j ACCEPT
iptables -A INPUT -p udp --sport 139 --dport 139 -j ACCEPT

#Our final trap. Everything on INPUT goes to the dropwall so we don't get silent drops
iptables -A INPUT -j dropwall


More information about the Speakup mailing list