On 01/08/11 21:56, Paul Stuffins wrote:
Hi Guys,
I am trying to set iptables up, but am getting into a right mess editing
the rules directly in the init script.
What are people's recommendations for a front end, either one that I can
run via an Apache VirtualHost (obviously on a secured and locked-down
VirtualHost so that only I can access it) or via SSH?
--Paul
I am not sure I understand exactly what you mean, but this is my set of
firewall rules, which I reference in /etc/network/interfaces/pre-up.
They are stored in the file /etc/firewall.
Unlike the other replies, I hand-crafted these from scratch quite a few
years ago now, and they seem to have stood me in good stead, although
some of the destination-changing rules refer to programs I haven't used
for at least 5 years (GPL refers to Grand Prix Legends, a car racing sim).
The only other rules are generated by fail2ban, dynamically locking out
SMTP attempts to send me junk.
#!/bin/sh
#
#
INETIF=$1
KANGA="192.168.0.12"
POOH="192.168.0.11"
test -x /sbin/iptables || exit 0
#set -e
echo "Setting up firewall on interface $INETIF"
#
# Start up ensuring that the tables are all empty
# (ignoring any errors because there is nothing there yet)
#
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
#
# This is for established communications coming in from the internet just
# so that I can get an idea what sort of packets they are.
#
iptables -N i-estab
iptables -A i-estab -p tcp --sport www -j ACCEPT
iptables -A i-estab -p tcp --sport imap -j ACCEPT
iptables -A i-estab -p tcp --sport imaps -j ACCEPT
iptables -A i-estab -p tcp --sport nntp -j ACCEPT
iptables -A i-estab -p tcp --sport domain -j ACCEPT
iptables -A i-estab -p tcp --dport ssh -j ACCEPT
iptables -A i-estab -p tcp --sport ftp -j ACCEPT
iptables -A i-estab -p tcp --sport ftp-data -j ACCEPT
iptables -A i-estab -p tcp --sport 9418 -j ACCEPT
# Accept everything not so far accepted
iptables -A i-estab -j ACCEPT
#
# Route packets going out from here onto a new table so that we can do
# things with them (logging etc)
#
iptables -N to-inet
#
# Just want to count a few things
#
iptables -A to-inet -p tcp --dport www -j ACCEPT
iptables -A to-inet -p tcp --dport imap -j ACCEPT
iptables -A to-inet -p udp --dport domain -j ACCEPT
iptables -A to-inet -p tcp --dport nntp -j ACCEPT
iptables -A to-inet -p udp --dport 67:68 -j ACCEPT
iptables -A to-inet -p tcp --dport iax -j ACCEPT
iptables -A to-inet -p udp --dport iax -j ACCEPT
#
# Note ICMP packets I am sending out
#
iptables -A to-inet -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A to-inet -p icmp --icmp-type source-quench -j ACCEPT
iptables -A to-inet -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A to-inet -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A to-inet -p icmp --icmp-type echo-request -j ACCEPT
iptables -A to-inet -p icmp --icmp-type echo-reply -j ACCEPT
#
# Prevent any netbios stuff leaking out from here
#
iptables -A to-inet -p tcp --dport netbios-ns:netbios-ssn -j LOG
iptables -A to-inet -p tcp --dport netbios-ns:netbios-ssn -j DROP
iptables -A to-inet -p udp --dport netbios-ns:netbios-ssn -j LOG
iptables -A to-inet -p udp --dport netbios-ns:netbios-ssn -j DROP
#
#
# Accept every thing else
#
iptables -A to-inet -j ACCEPT
#
# Now make the connection to the table
#
iptables -A OUTPUT -o $INETIF -j to-inet
#
# Common internet Stuff
#
iptables -N from-inet
#
# Stuff already established is allowed but jump to chain to count things
#
iptables -A from-inet -m state --state ESTABLISHED,RELATED -j i-estab
#
# Deal with ICMP packets
#
iptables -A from-inet -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A from-inet -p icmp --icmp-type source-quench -j ACCEPT
iptables -A from-inet -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A from-inet -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A from-inet -p icmp --icmp-type echo-request -j ACCEPT
# Already accepted by related
iptables -A from-inet -p icmp --icmp-type echo-reply -j ACCEPT
#
# ftp-data started by mine (already accepted in related)
#
iptables -A from-inet -m state --state NEW -p tcp --dport ftp-data -j ACCEPT
#
# Socks probes should be dropped so that IRC does not think we are
# screwing them
#
iptables -A from-inet -p tcp --dport socks -j DROP
#
# Drop these before logging them (just collecting them to see what
# they are)
#
#
iptables -A from-inet -p tcp --dport 1635 -j DROP
iptables -A from-inet -p tcp --dport 1370 -j DROP
#
# DHCP messages - I need to drop server requests
#
iptables -A from-inet -p udp --dport 67 -j DROP
#
# log and drop the rest (except 192.168 stuff which we silently lose)
#
iptables -A from-inet -s 192.168.0.0/16 -j DROP
# iptables -A from-inet -j LOG
iptables -A from-inet -j DROP
#
# Create a chain which protects gateway
#
iptables -N inet-in
# Allow DHCP requests to me
iptables -A inet-in -p udp --dport 68 -j ACCEPT
#
# Allow DNS stuff
#
iptables -A inet-in -p udp --dport domain -j ACCEPT
iptables -A inet-in -p tcp --dport domain -j ACCEPT
#
# Allow connections to my ssh port
#
iptables -A inet-in -m state --state NEW -p tcp --dport ssh -j ACCEPT
iptables -A inet-in -p udp --dport ssh -j ACCEPT
#
# Allow git connections
#
iptables -A inet-in -m state --state NEW -p tcp --dport 9418 -j ACCEPT
iptables -A inet-in -p udp --dport 9418 -j ACCEPT
# Allow mail to get in to deliver on the SMTP port
#
iptables -A inet-in -p tcp --dport smtp -j ACCEPT
# Allow mail on imap-ssl port
#
iptables -A inet-in -p tcp --dport imaps -j ACCEPT
#
# Allow boot stuff so I can configure interface
#
iptables -A inet-in -p udp --dport 67:68 -j ACCEPT
#
# Allow stuff to the web site
#
iptables -A inet-in -p tcp --dport www -j ACCEPT
iptables -A inet-in -p tcp --dport https -j ACCEPT
#
# Allow traffic in to voip switch (iax,sip and a limited range of rtp)
# (restricted for now)
#
# iptables -A inet-in -p udp --dport iax -j ACCEPT
# iptables -A inet-in -p udp --dport sip -j ACCEPT
# iptables -A inet-in -p udp --dport 14007:14096 -j ACCEPT
#
# Explicitly drop 135 stuff
#
# iptables -A inet-in -p tcp --dport 135 -j LOG
iptables -A inet-in -p tcp --dport 135 -j DROP
#
# Allow pokerth stuff in
#
iptables -A inet-in -p tcp --dport 7234 -j ACCEPT
#
# Do Common Stuff
#
iptables -A inet-in -j from-inet
#
# Create table from forwarded stuff from Inet
#
#
iptables -N inet-fwd
#
# Following is for GPL and WinVROC and must be forwarded on
#
iptables -A inet-fwd -p udp --dport 32766:32786 -j ACCEPT
iptables -A inet-fwd -p udp --dport 6970:6971 -j ACCEPT
# to see them separately
iptables -A inet-fwd -p udp --dport 6969 -j ACCEPT
iptables -A inet-fwd -p tcp --dport auth -j ACCEPT
#
# Allow bittorrent stuff
#
iptables -A inet-fwd -p tcp --dport 6881:6899 -j ACCEPT
iptables -A inet-fwd -p udp --dport 6881:6899 -j ACCEPT
#
#
# allow Secure Remote stuff into my portable
#
# iptables -A inet-fwd -p udp --dport 500 -j LOG
iptables -A inet-fwd -p udp --dport 500 -j ACCEPT
# iptables -A inet-fwd -p udp --dport 2746 -j LOG
iptables -A inet-fwd -p udp --dport 2746 -j ACCEPT
#
# Do common stuff
#
iptables -A inet-fwd -j from-inet
#
# Link new tables in
#
iptables -A INPUT -i $INETIF -j inet-in
iptables -A FORWARD -i $INETIF -j inet-fwd
#
# need to MASQUERADE outgoing stuff
#
# normal internal network
#
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o $INETIF -j MASQUERADE
#
#
# Stuff coming in for GPL and WinVROC needs destination changing
#
iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 32766:32786 -j DNAT --to-destination $KANGA
iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6970:6971 -j DNAT --to-destination $KANGA
# separate out to see if used
iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6969 -j DNAT --to-destination $KANGA
iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport auth -j DNAT --to-destination $KANGA
#
# Allocate bittorrent channels
#
iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport 6881:6889 -j DNAT --to-destination $KANGA
iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6881:6889 -j DNAT --to-destination $KANGA
iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport 6890:6899 -j DNAT --to-destination $POOH
iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6890:6899 -j DNAT --to-destination $POOH
#
# I want to mangle outgoing packets so that I can
# take maximum benefit of different types of connection
# in terms of priority
#
iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport www -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport ftp -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport ftp-data -j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport smtp -j TOS --set-tos Maximize-Reliability
iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport pop3 -j TOS --set-tos Maximize-Reliability
iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport nntp -j TOS --set-tos Minimize-Cost
iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport domain -j TOS --set-tos Maximize-Reliability
iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport domain -j TOS --set-tos Maximize-Reliability
#
# Following is for GPL and should be sent fast
#
iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport 32766:32786 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport 6970:6971 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -o $INETIF -p udp --sport 32766:32786 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -o $INETIF -p udp --sport 6970:6971 -j TOS --set-tos Minimize-Delay
#
# VOIP traffic - mainly RTP but also IAX needs to go fast
#
iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport iax -j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -o $INETIF -p udp --sport 14007:14096 -j TOS --set-tos Minimize-Delay
exit 0
--
Alan Chandler
http://www.chandlerfamily.org.uk
--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/4e378fbf.7010...@chandlerfamily.org.uk
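An added example, not from either message above, of the way a practitioner would keep a hand-written ruleset like the one posted manageable without a GUI front end. The posted script flushes the tables and then appends rules one at a time with `set -e` commented out and no default policy set, so a single mistyped rule leaves a half-built ruleset with the kernel's default ACCEPT still in force, and a mistake made over SSH can also cut off the session you would fix it from. The script below instead keeps the rules in iptables-save format, parses them with `iptables-restore --test` before touching anything, loads them in one transaction, and arms a timer that restores the previous rules unless you cancel it. The interface name, the port list, the DROP default policies and the 60-second window are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the original mail): manage a hand-written ruleset
# as one iptables-save file, check it, and load it atomically with a
# rollback timer so a typo cannot lock you out of a remote box over SSH.
# Interface name, port list and the 60-second window are assumptions.

# Emit a complete ruleset in iptables-save format for the given external
# interface. INPUT/FORWARD default to DROP here; the posted script relies
# on the kernel default of ACCEPT and only reaches DROP via its own chains,
# so a rule that fails to load there leaves the host open.
build_ruleset() {
    inetif=$1
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:inet-in - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $inetif -j inet-in
-A inet-in -p icmp --icmp-type echo-request -m limit --limit 10/s -j ACCEPT
-A inet-in -m conntrack --ctstate NEW -p tcp --dport 22 -j ACCEPT
-A inet-in -p tcp --dport 25 -j ACCEPT
-A inet-in -p tcp --dport 80 -j ACCEPT
-A inet-in -p tcp --dport 443 -j ACCEPT
-A inet-in -p tcp --dport 993 -j ACCEPT
-A inet-in -m limit --limit 5/min -j LOG --log-prefix "inet-in drop: "
-A inet-in -j DROP
COMMIT
EOF
}

# Parse-only check: iptables-restore --test builds the ruleset in userspace
# and reports errors without touching the live tables.
check_ruleset() {
    build_ruleset "$1" | iptables-restore --test
}

# Save the running rules, load the new set in one transaction, and arm a
# background timer that restores the old set unless it is cancelled.
apply_with_rollback() {
    inetif=$1
    secs=${2:-60}
    backup=$(mktemp) || return 1
    iptables-save > "$backup" || { rm -f "$backup"; return 1; }
    check_ruleset "$inetif" || { rm -f "$backup"; return 1; }
    # Arm the timer before touching the live tables: if the new rules cut
    # our own session, the timer still fires and the old rules come back.
    ( sleep "$secs"; iptables-restore < "$backup"; rm -f "$backup" ) &
    timer=$!
    if ! build_ruleset "$inetif" | iptables-restore; then
        # iptables-restore is atomic, so the old rules are still loaded.
        kill "$timer"
        rm -f "$backup"
        return 1
    fi
    echo "new rules live; run 'kill $timer' within ${secs}s to keep them, or wait for rollback"
}

# Usage: fw.sh print|check|apply [interface] [rollback-seconds]
# Run with no arguments it only defines the functions (e.g. when sourced).
case "${1:-}" in
    print) build_ruleset "${2:-eth0}" ;;
    check) check_ruleset "${2:-eth0}" ;;
    apply) apply_with_rollback "${2:-eth0}" "${3:-60}" ;;
    *) : ;;
esac
```

Typical use over SSH is `sh fw.sh apply ppp0 60`, then `kill <pid>` from the same session once you have confirmed you can still log in; if the session dies instead, the previous rules are back within a minute. The same `build_ruleset` output can be written to a file and fed to `iptables-restore` from the pre-up hook, which replaces the rule-by-rule init-script editing the original question complains about with a single file that can be diffed and version-controlled.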