# INET_IFACE="eth0" # # Information pertaining to DHCP over the Internet, if needed. # # Set DHCP variable to no if you don't get IP from DHCP. If you get DHCP # over the Internet set this variable to yes, and set up the proper IP # address for the DHCP server in the DHCP_SERVER variable.
# DHCP="yes" DHCP_SERVER="192.168.1.1" # # your LAN's IP range and localhost IP. /24 means to only use the first 24 # bits of the 32 bit IP address. the same as netmask 255.255.255.0 # LAN_IP="192.168.1.1" LAN_IP_RANGE="192.168.0.0/16" LAN_IFACE="eth0" # # 1.4 Localhost Configuration. # LO_IFACE="lo" LO_IP="127.0.0.1" # # 1.5 IPTables Configuration. # IPTABLES="/sbin/iptables" # # Needed to initially load modules # /sbin/depmod -a # # no modules needed as everything compiled into kernel # ########################################################################### # # 3.1 Required proc configuration # echo "1" > /proc/sys/net/ipv4/ip_forward # ########################################################################### # # 4.1.1 Set policies # $IPTABLES -P INPUT DROP $IPTABLES -P OUTPUT DROP # # Create chain for bad tcp packets # $IPTABLES -N bad_tcp_packets # # Create separate chains for ICMP, TCP and UDP to traverse # $IPTABLES -N tcp_packets $IPTABLES -N udp_packets $IPTABLES -N icmp_packets $IPTABLES -N out_packets # # # Special OUTPUT rules to decide which IP's to allow. 
# $IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT $IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT # # Rules for outgoing packets to the internet # $IPTABLES -A out_packets -p tcp -o $INET_IFACE --sport 111 -j DROP $IPTABLES -A out_packets -p tcp -o $INET_IFACE --sport 631 -j DROP $IPTABLES -A out_packets -p tcp -o $INET_IFACE --sport 657 -j DROP $IPTABLES -A out_packets -p tcp -o $INET_IFACE --sport 2049 -j DROP $IPTABLES -A out_packets -p tcp -o $INET_IFACE --sport 3049 -j DROP # $IPTABLES -A out_packets -p udp -o $INET_IFACE --sport 111 -j DROP $IPTABLES -A out_packets -p udp -o $INET_IFACE --sport 631 -j DROP $IPTABLES -A out_packets -p udp -o $INET_IFACE --sport 657 -j DROP $IPTABLES -A out_packets -p udp -o $INET_IFACE --sport 2049 -j DROP $IPTABLES -A out_packets -p udp -o $INET_IFACE --sport 3049 -j DROP # # Let LO_IP input packets # $IPTABLES -A INPUT -p ALL -s $LO_IP -j ACCEPT # # ICMP rules # $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT # # Rules for incoming packets from the internet. # $IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \ -j ACCEPT $IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets $IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets $IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets # # Bad TCP packets we don't want. # $IPTABLES -A INPUT -p tcp -j bad_tcp_packets # # bad_tcp_packets chain # $IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \ -m state --state NEW -j REJECT --reject-with tcp-reset $IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \ --log-prefix "New not syn:" $IPTABLES -A bad_tcp_packets -p tcp ! 
--syn -m state --state NEW -j DROP $IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets # # TCP RULES # $IPTABLES -A tcp_packets -p TCP --syn -j ACCEPT $IPTABLES -A tcp_packets -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT $IPTABLES -A tcp_packets -p TCP -j DROP # $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed $IPTABLES -A tcp_packets -P TCP -s 0/0 --dport 25 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 53 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 1024: -j allowed $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 111 -j DROP $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 631 -j DROP $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 657 -j DROP $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 2049 -j DROP $IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 3049 -j DROP # # UDP ports # if [ $DHCP == "yes" ] ; then $IPTABLES -A udp_packets -p UDP -s $DHCP_SERVER --sport 67 \ --dport 68 -j ACCEPT fi # $IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT $IPTABLES -A udp_packets -p UDP -s 0/0 --dport 1024: -j ACCEPT $IPTABLES -A udp_packets -p UDP -s 0/0 --dport 111 -j DROP $IPTABLES -A udp_packets -p UDP -s 0/0 --dport 631 -j DROP $IPTABLES -A udp_packets -p UDP -s 0/0 --dport 657 -j DROP $IPTABLES -A udp_packets -p UDP -s 0/0 --dport 2049 -j DROP $IPTABLES -A udp_packets -p UDP -s 0/0 --dport 3049 -j DROP # # In Microsoft Networks you will be swamped by broadcasts. These lines # will prevent them from showing up in the logs. # $IPTABLES -A udp_packets -p UDP -i $INET_IFACE \ --destination-port 135:139 -j DROP # # If we get DHCP requests from the Outside of our network, our logs will # be swamped as well. This rule will block them from getting logged. 
# $IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \ --destination-port 67:68 -j DROP # # Special rule for DHCP requests from LAN, which are not caught properly # otherwise. # $IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT # # Log weird packets that don't match the above. # $IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "OUT packet" $IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \ --log-level DEBUG --log-prefix "IN packet" #user] [OT] tips on my 1st try at iptables? References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> In-Reply-To: <[EMAIL PROTECTED]> X-Enigmail-Version: 0.91.0.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit david wrote: > Here is my /var/lib/iptables/rules-save # Generated by > iptables-save v1.2.11 on Sat May 21 16:58:29 2005 *nat :PREROUTING > ACCEPT [29:1670] :POSTROUTING ACCEPT [431:26255] :OUTPUT ACCEPT > [0:0] [30:1841] -A POSTROUTING -o eth0 -j MASQUERADE COMMIT # > Completed on Sat May 21 16:58:29 2005 # Generated by iptables-save > v1.2.11 on Sat May 21 16:58:29 2005 *mangle :PREROUTING ACCEPT > [16422:18018799] :INPUT ACCEPT [16422:18018799] :FORWARD ACCEPT > [0:0] :OUTPUT ACCEPT [13453:2622146] :POSTROUTING ACCEPT > [13453:2622146] COMMIT # Completed on Sat May 21 16:58:29 2005 # > Generated by iptables-save v1.2.11 on Sat May 21 16:58:29 2005 > *filter :INPUT DROP [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT > [13453:2622146] [440:320869] -A INPUT -m state --state > RELATED,ESTABLISHED -j ACCEPT [0:0] -A INPUT -i ! eth0 -m state > --state NEW -j ACCEPT [0:0] -A INPUT -p icmp -j ACCEPT [3:180] -A > INPUT -p tcp -m tcp --dport 80 -j ACCEPT [0:0] -A INPUT -p tcp -m > tcp --dport 21 -j ACCEPT [0:0] -A INPUT -p tcp -m tcp --dport 20 -j > ACCEPT COMMIT # Completed on Sat May 21 16:58:29 2005 I followed > the guide here and it works great.Simple to set up. 
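> http://gentoo-wiki.com/HOWTO_setup_a_home-server

Here's mine. The innocent redacted to protect the guilty, ha???

#!/bin/sh
#
###########################################################################
#
# Host firewall for a single-homed box (LAN_IFACE and INET_IFACE are the
# same NIC in this configuration). Default policy is DROP on INPUT and
# OUTPUT; every rule below is an explicit exception to that.
#
# Changes against the version as posted, all visible in the rules below:
#  - the per-port TCP rules jump to an "allowed" chain that was never
#    created, and the three rules that belong in it (--syn ACCEPT,
#    ESTABLISHED ACCEPT, DROP) sat at the top of tcp_packets instead. As
#    posted, every TCP port was therefore open from the Internet and the
#    per-port rules were unreachable. "allowed" is now a real chain.
#  - "-P TCP" on the port-25 rule was a typo for "-p" (-P sets a policy).
#  - the DROP rules for 2049/3049 came after "--dport 1024: ACCEPT" and
#    so never matched; they now come first (same for UDP).
#  - out_packets was populated but never hooked into OUTPUT, and the
#    bad_tcp_packets jumps were appended after the blanket ACCEPTs, so
#    neither chain ever saw a packet. Both are hooked before the ACCEPTs.
#  - loopback input is matched by interface, not by source address.
#  - FORWARD policy is set: ip_forward is enabled below but the posted
#    script had no FORWARD rules at all.
#  - the filter table is flushed first so the script can be re-run, and
#    "==" (a bashism under /bin/sh) became "=".
#
# Stop at the first failing command and on any unset variable instead of
# carrying on with a half-built ruleset. The DROP policies are set before
# any ACCEPT rule, so a failure part-way leaves the host closed, not open.
set -eu

INET_IFACE="eth0"
#
# Information pertaining to DHCP over the Internet, if needed.
#
# Set DHCP variable to no if you don't get IP from DHCP. If you get DHCP
# over the Internet set this variable to yes, and set up the proper IP
# address for the DHCP server in the DHCP_SERVER variable.
#
DHCP="yes"
DHCP_SERVER="192.168.1.1"
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#
LAN_IP="192.168.1.1"
# NOTE(review): LAN_IP_RANGE is declared but no rule below references it.
LAN_IP_RANGE="192.168.0.0/16"
LAN_IFACE="eth0"
#
# 1.4 Localhost Configuration.
#
LO_IFACE="lo"
LO_IP="127.0.0.1"
#
# 1.5 IPTables Configuration.
#
IPTABLES="/sbin/iptables"
#
# Needed to initially load modules
#
/sbin/depmod -a
#
# no modules needed as everything compiled into kernel
#
###########################################################################
#
# 3.1 Required proc configuration
#
echo "1" > /proc/sys/net/ipv4/ip_forward
#
###########################################################################
#
# 4.1.0 Start from an empty filter table. Without this a second run fails
# on "chain already exists" or appends a duplicate of every rule.
#
"$IPTABLES" -F
"$IPTABLES" -X
#
# 4.1.1 Set policies
# (notes- always know your default policy, it all stems from this)
#
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
# ip_forward is switched on above but nothing in this script adds a FORWARD
# rule; with the kernel default of ACCEPT the box would forward anything it
# is asked to. Close it explicitly.
"$IPTABLES" -P FORWARD DROP
#
# Create chain for bad tcp packets
#
"$IPTABLES" -N bad_tcp_packets
#
# Create separate chains for ICMP, TCP and UDP to traverse, plus the
# "allowed" chain the per-port TCP rules jump to.
#
"$IPTABLES" -N allowed
"$IPTABLES" -N tcp_packets
"$IPTABLES" -N udp_packets
"$IPTABLES" -N icmp_packets
"$IPTABLES" -N out_packets
#
# bad_tcp_packets chain
# Rejects NEW packets that are not a plain SYN: a SYN,ACK with no prior SYN
# gets a reset, any other non-SYN NEW packet is logged, then dropped.
#
"$IPTABLES" -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
  -m state --state NEW -j REJECT --reject-with tcp-reset
"$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
  --log-prefix "New not syn:"
"$IPTABLES" -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
#
# allowed chain
# What "accept this port" means: a fresh SYN may open a connection, packets
# of an existing connection pass, anything else on that port is dropped.
#
"$IPTABLES" -A allowed -p TCP --syn -j ACCEPT
"$IPTABLES" -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
"$IPTABLES" -A allowed -p TCP -j DROP
#
# Rules for outgoing packets to the internet (notes, ie NFS)
# Keeps the local portmapper, CUPS and NFS daemons from answering anything
# on the Internet side, matched by their source port.
#
"$IPTABLES" -A out_packets -p tcp -o "$INET_IFACE" --sport 111 -j DROP
"$IPTABLES" -A out_packets -p tcp -o "$INET_IFACE" --sport 631 -j DROP
"$IPTABLES" -A out_packets -p tcp -o "$INET_IFACE" --sport 657 -j DROP
"$IPTABLES" -A out_packets -p tcp -o "$INET_IFACE" --sport 2049 -j DROP
"$IPTABLES" -A out_packets -p tcp -o "$INET_IFACE" --sport 3049 -j DROP
#
"$IPTABLES" -A out_packets -p udp -o "$INET_IFACE" --sport 111 -j DROP
"$IPTABLES" -A out_packets -p udp -o "$INET_IFACE" --sport 631 -j DROP
"$IPTABLES" -A out_packets -p udp -o "$INET_IFACE" --sport 657 -j DROP
"$IPTABLES" -A out_packets -p udp -o "$INET_IFACE" --sport 2049 -j DROP
"$IPTABLES" -A out_packets -p udp -o "$INET_IFACE" --sport 3049 -j DROP
#
# Special OUTPUT rules to decide which IP's to allow.
# Order matters: the TCP sanity check and the out_packets filter must run
# before the blanket ACCEPT on INET_IFACE, otherwise they never see a packet.
#
"$IPTABLES" -A OUTPUT -p tcp -j bad_tcp_packets
"$IPTABLES" -A OUTPUT -o "$INET_IFACE" -j out_packets
"$IPTABLES" -A OUTPUT -p ALL -s "$LO_IP" -j ACCEPT
"$IPTABLES" -A OUTPUT -p ALL -s "$LAN_IP" -j ACCEPT
"$IPTABLES" -A OUTPUT -p ALL -o "$INET_IFACE" -j ACCEPT
#
# Let loopback input packets
# (no restrictions on loopbackk)
# Matched on the interface rather than on "-s 127.0.0.1": a source address
# can be forged on a packet arriving on eth0, the input interface cannot.
#
"$IPTABLES" -A INPUT -p ALL -i "$LO_IFACE" -j ACCEPT
#
# Bad TCP packets we don't want.
# Has to sit before the per-protocol dispatch below; appended after it, the
# tcp_packets/allowed chains decide first and this jump is never reached.
#
"$IPTABLES" -A INPUT -p tcp -j bad_tcp_packets
#
# ICMP rules
# (could be several more added here)
# Echo request and time-exceeded from anywhere; every other type falls
# through to the INPUT DROP policy.
#
"$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
"$IPTABLES" -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#
# Rules for incoming packets from the internet.
#
"$IPTABLES" -A INPUT -p ALL -i "$INET_IFACE" -m state --state ESTABLISHED,RELATED \
  -j ACCEPT
"$IPTABLES" -A INPUT -p TCP -i "$INET_IFACE" -j tcp_packets
"$IPTABLES" -A INPUT -p UDP -i "$INET_IFACE" -j udp_packets
"$IPTABLES" -A INPUT -p ICMP -i "$INET_IFACE" -j icmp_packets
#
# TCP RULES
# (notes, allow mail, ssh, dns, www, ident, above 1024; drop NFS, LPR)
# The NFS/LPR DROPs come first: 2049 and 3049 are inside the "1024:" range
# and would otherwise be accepted by that rule before the DROP is reached.
# Ports that match nothing here fall off the end of the chain into the
# INPUT DROP policy.
#
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 111 -j DROP
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 631 -j DROP
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 657 -j DROP
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 2049 -j DROP
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 3049 -j DROP
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 53 -j allowed
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
# NOTE(review): this opens every TCP port above 1024 to new connections from
# any address; only the five DROPs above are excluded. Kept as the author
# wrote it, but worth narrowing to the services actually listening.
"$IPTABLES" -A tcp_packets -p TCP -s 0/0 --dport 1024: -j allowed
#
# UDP ports
# (notes, accept DHCP)
#
if [ "$DHCP" = "yes" ] ; then
  "$IPTABLES" -A udp_packets -p UDP -s "$DHCP_SERVER" --sport 67 \
    --dport 68 -j ACCEPT
fi
# (notes- accept DNS, above 1024, exceptijng NFS)
# DROPs first for the same reason as in tcp_packets (2049/3049 are > 1024).
"$IPTABLES" -A udp_packets -p UDP -s 0/0 --dport 111 -j DROP
"$IPTABLES" -A udp_packets -p UDP -s 0/0 --dport 631 -j DROP
"$IPTABLES" -A udp_packets -p UDP -s 0/0 --dport 657 -j DROP
"$IPTABLES" -A udp_packets -p UDP -s 0/0 --dport 2049 -j DROP
"$IPTABLES" -A udp_packets -p UDP -s 0/0 --dport 3049 -j DROP
# NOTE(review): replies to our own DNS queries are already accepted by the
# ESTABLISHED,RELATED rule in INPUT, so this rule only ever matches
# unsolicited UDP whose source port happens to be 53 - a weak filter, since
# the sender chooses that port. Kept as posted; consider dropping it.
"$IPTABLES" -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
# NOTE(review): as with TCP, this accepts UDP to every port above 1024 from
# any address.
"$IPTABLES" -A udp_packets -p UDP -s 0/0 --dport 1024: -j ACCEPT
#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
# (note, its impossible to seperate wheat from chaffe without this)
#
"$IPTABLES" -A udp_packets -p UDP -i "$INET_IFACE" \
  --destination-port 135:139 -j DROP
#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
# (note, same as above explanation)
#
"$IPTABLES" -A udp_packets -p UDP -i "$INET_IFACE" -d 255.255.255.255 \
  --destination-port 67:68 -j DROP
#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
# (accept DHCP)
# NOTE(review): with LAN_IFACE and INET_IFACE both "eth0", UDP on that NIC
# is dispatched to udp_packets first, where broadcast requests to 67:68 are
# dropped above, so this rule only takes effect when the two interfaces
# differ. Left as posted.
#
"$IPTABLES" -A INPUT -p UDP -i "$LAN_IFACE" --dport 67 --sport 68 -j ACCEPT
#
# Log weird packets that don't match the above.
# Rate-limited so a flood cannot fill the log; what is not logged here is
# still dropped by the chain policies.
#
"$IPTABLES" -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "OUT packet"
"$IPTABLES" -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
  --log-level DEBUG --log-prefix "IN packet"
#
--
gentoo-user@gentoo.org mailing list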