On Sun, 2005-05-29 at 20:03 -0500, Travis Osterman wrote:
> I've spent the weekend attempting to mold an old p3 400mHz machine
> into a firewall/router so I can replace my current linksys box. 
> Basically, I read the howtos at netfilter.org and the
> gentoo-home-router-howto and put together the following script for
> loading my rules.

Frankly, I've stopped trying to grok iptables but rather I use a
frontend like shorewall. It's much simpler than doing it all by
yourself.

Perhaps you can take a look; perhaps you will like it?

> This meets the functionality I need at this point in the project (ssh
> access from inside and outside, port forwarding, and masquerading),
> but I'm not well versed on security concerns so I'm hoping a few
> experienced users could point out redundancies and potential security
> issues.
> 
> Thanks in advance for taking the time to help.
> 
> #!/bin/bash
> IPT=/sbin/iptables
> WAN_IFACE=eth0
> LAN_IFACE=eth1
> LAN_ADDY=192.168.0.0/24
> 
> # flush and reset rules
> $IPT -F
> $IPT -t nat -F
> $IPT -t mangle -F
> $IPT -X
> $IPT -t nat -X
> $IPT -t mangle -X
> $IPT -P INPUT ACCEPT
> $IPT -P FORWARD ACCEPT
> $IPT -P OUTPUT ACCEPT
> $IPT -t nat -P PREROUTING ACCEPT
> $IPT -t nat -P POSTROUTING ACCEPT
> $IPT -t nat -P OUTPUT ACCEPT
> $IPT -t mangle -P PREROUTING ACCEPT
> $IPT -t mangle -P OUTPUT ACCEPT
> 
> # begin rules
> $IPT -I INPUT 1 -i $LAN_IFACE -j ACCEPT
> $IPT -I INPUT 1 -i lo -j ACCEPT
> $IPT -A INPUT -p UDP --dport bootps -i ! $LAN_IFACE -j REJECT
> $IPT -A INPUT -p UDP --dport domain -i ! $LAN_IFACE -j REJECT
> $IPT -A INPUT -m state --state NEW -i ! $WAN_IFACE -j ACCEPT
> $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A INPUT --protocol tcp --dport 22 -i $WAN_IFACE -j ACCEPT
> $IPT -P INPUT DROP
> $IPT -A INPUT -i ! $LAN_IFACE -j DROP
> 
> $IPT -A PREROUTING -t nat -p tcp -i $WAN_IFACE --dport 80 \
>                        -j DNAT --to 192.168.0.20
> $IPT -A PREROUTING -t nat -p tcp -i $WAN_IFACE --dport 1022 \
>                        -j DNAT --to 192.168.0.20:22
> 
> $IPT -I FORWARD -i $LAN_IFACE -d $LAN_ADDY -j DROP
> $IPT -A FORWARD -i $LAN_IFACE -s $LAN_ADDY -j ACCEPT
> $IPT -A FORWARD -i $WAN_IFACE -d $LAN_ADDY -j ACCEPT
> $IPT -P FORWARD DROP
> 
> $IPT -t nat -A POSTROUTING -o $WAN_IFACE -j MASQUERADE
> 
> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>     echo 1 > $f
> done
> /etc/init.d/iptables save
> 
> -- Travis Osterman
> 

-- 
Ow Mun Heng
Gentoo/Linux on DELL D600 1.4Ghz 1.5GB RAM
98% Microsoft(tm) Free!! 
Neuromancer 17:18:11 up 2 days, 9:03, 8 users, load average: 0.95, 0.78, 1.10
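As an added example, not part of either post: a small Python model that replays the quoted INPUT and FORWARD commands in script order (honouring `-I` at position 1 versus `-A`, and the closing `-P ... DROP`) and returns the verdict for constructed packets, so a reviewer can check what the rule ordering admits before loading it on a box. Interface names, the LAN network and the port numbers come from the script; the packets and the helper itself are constructed.

```python
from ipaddress import ip_address, ip_network
# Constructed model of the quoted script's INPUT and FORWARD chains (hypothetical helper,
# not iptables). Absent match keys are wildcards; "!" before an interface negates it,
# as the script's "-i ! eth1" does. Service names resolved: bootps = 67, domain = 53.
WAN, LAN, LAN_NET, ANY = "eth0", "eth1", ip_network("192.168.0.0/24"), ip_network("0.0.0.0/0")

def build_chain(commands):
    """Replay (op, match, target) in script order: 'I' inserts at position 1, 'A' appends."""
    chain = []
    for op, match, target in commands:
        chain.insert(0, (match, target)) if op == "I" else chain.append((match, target))
    return chain
def iface_ok(want, have):
    return want is None or (have != want[1:] if want.startswith("!") else have == want)
def matches(m, pkt):
    return (iface_ok(m.get("in"), pkt["in"])
            and m.get("proto", pkt["proto"]) == pkt["proto"]
            and m.get("dport", pkt["dport"]) == pkt["dport"]
            and pkt["state"] in m.get("state", {pkt["state"]})
            and ip_address(pkt["src"]) in m.get("src", ANY)
            and ip_address(pkt["dst"]) in m.get("dst", ANY))

CHAINS = {  # built in exactly the order the script issues its -I/-A commands
    "INPUT": build_chain([
        ("I", {"in": LAN}, "ACCEPT"),
        ("I", {"in": "lo"}, "ACCEPT"),
        ("A", {"proto": "udp", "dport": 67, "in": "!" + LAN}, "REJECT"),
        ("A", {"proto": "udp", "dport": 53, "in": "!" + LAN}, "REJECT"),
        ("A", {"state": {"NEW"}, "in": "!" + WAN}, "ACCEPT"),
        ("A", {"state": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),
        ("A", {"proto": "tcp", "dport": 22, "in": WAN}, "ACCEPT"),
        ("A", {"in": "!" + LAN}, "DROP"),
    ]),
    "FORWARD": build_chain([
        ("I", {"in": LAN, "dst": LAN_NET}, "DROP"),
        ("A", {"in": LAN, "src": LAN_NET}, "ACCEPT"),
        ("A", {"in": WAN, "dst": LAN_NET}, "ACCEPT"),
    ]),
}
POLICY = {"INPUT": "DROP", "FORWARD": "DROP"}  # both chains end with "-P ... DROP"

def verdict(chain, pkt):
    """First matching rule decides, as in netfilter; otherwise the chain policy applies."""
    for m, target in CHAINS[chain]:
        if matches(m, pkt):
            return target
    return POLICY[chain]
def packet(inp, proto, src, dst, dport=None, state="NEW"):
    # Constructed packet: ingress interface, protocol, addresses, port, conntrack state.
    return {"in": inp, "proto": proto, "src": src, "dst": dst, "dport": dport, "state": state}
```

The third FORWARD rule carries no `-m state` match, so the model returns ACCEPT for any eth0 packet addressed into 192.168.0.0/24, not only the two DNAT targets; that is the kind of thing the replay makes visible.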


-- 
gentoo-user@gentoo.org mailing list