I have rewritten your script as follows.
1. Ensure there is nothing like selinux running in your machine.
2. Telnet is not recommend since it transmit in plain text including your
password. Use SSH instead.
3. ICMP message control, source address spoofing and logging are not
included in the script.
4. I prefer the route setting-up is done through rc.local instead of the
firewall script and the default gateway should be defined in
/etc/network/interfaces
5. I have not tested the script.
Kinglok, FONG.
----------------------------------Start------------------------------------------
#!/bin/bash
###############################################################
# Adding default gateway
/sbin/route add default gateway 202.155.0.1
###############################################################
# Initialize some parameter
INET_INTERFACE="eth5"
LAN_INTERFACE="eth2"
LOOPBACK_INTERFACE="lo"
IPT="/sbin/iptables"
INET_ADDR="202.155.0.1"
LAN_ADDR="192.168.23.2"
LAN_SSH="192.168.23.20" # SSH server in LAN
LAN_ADDRESSES="192.168.23.0/24" # LAN Addresses range
LAN_DNS="" # Please specify your DNS server in LAN
FTPPORT="21"
SSHPORT="22"
TELNETPORT="23"
DNSPORT="53"
UNPRIVPORTS="1024:65535" # unprivileged port range
###############################################################
# Enable connection tracking for FTP
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
###############################################################
# Initialization
# Enable IP forwarding since it is disabled by default
echo 1 > /proc/sys/net/ipv4/ip_forward
# Enable broadcast echo Protection (default: 1)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Disable Source Routed Packets (default: 0)
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# Enable TCP SYN Cookie Protection (default: 1)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance (default: 0)
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
# Do not send Redirect Messages (default: 0)
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
# Drop Spoofed Packets coming in on an interface, which if replied to, would
# result in the reply going out a different interface. (default: 1)
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Log packets with impossible addresses. (default: 1)
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 0 > $f
done
###############################################################
# Remove any existing rules from all chains
$IPT --flush
$IPT -t nat --flush
$IPT -t mangle --flush
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
$IPT --policy INPUT ACCEPT
$IPT --policy OUTPUT ACCEPT
$IPT --policy FORWARD ACCEPT
$IPT -t nat --policy PREROUTING ACCEPT
$IPT -t nat --policy OUTPUT ACCEPT
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t mangle --policy PREROUTING ACCEPT
$IPT -t mangle --policy OUTPUT ACCEPT
if [ "$1" = "stop" ]; then
echo "Firewall completely stopped! WARNING: THIS HOST HAS NO FIREWALL
RUNNING."
exit
fi
# Unlimited traffic on the loopback interface
$IPT -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
$IPT -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
# Set the default policy to drop
$IPT --policy INPUT DROP
$IPT --policy OUTPUT DROP
$IPT --policy FORWARD DROP
###############################################################
# NAT rules
# Opening port 23 (telnet) to internet is not recommended, open port 22 for
SSH instead
$IPT -t nat -A PREROUTING -p tcp -i $INET_INTERFACE -p tcp --sport
$UNPRIVPORTS -d $INET_ADDR --dport $SSHPORT -j DNAT --to-destination
$LAN_SSH
# There is no need for NAT inside LAN
#$IPT -t nat -I PREROUTING -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -d
192.168.23.2 --dport 23 -j DNAT --to-destination 192.168.23.20:23
# NAT rules for Reaching Internet Space
$IPT -t nat -A POSTROUTING -p tcp -o $INET_INTERFACE -s $LAN_ADDRESSES -j
SNAT --to-source $INET_ADDR
#$IPT -t nat -A POSTROUTING -p tcp -o $LAN_INTERFACE -d $LAN_ADDRESSES -j
SNAT --to-source 192.168.23.2 # There is no need for NAT to reach other
addresses situated in LAN
# It is not recommended to allow all icmp messages
#$IPT -t nat -I POSTROUTING -p icmp -o $INET_INTERFACE -d 0/0 -j
SNAT --to-source 202.155.0.1
#$IPT -t nat -I POSTROUTING -p icmp -o $LAN_INTERFACE -d $LAN_ADDRESSES -j
SNAT --to-source 192.168.23.2
###############################################################
# Using Connection State to By-pass Rule Checking
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
###############################################################
# Open needed ports
$IPT -A INPUT -i $LAN_INTERFACE -s $LAN_ADDRESSES -p icmp --icmp-type
echo-request -m state --state NEW -j ACCEPT
#$IPT -A INPUT -i $INET_INTERFACE -s 0/0 -p icmp --icmp-type echo-request -m
state --state NEW -j ACCEPT # Not recommended
$IPT -A OUTPUT -o $LAN_INTERFACE -d $LAN_ADDRESSES -p icmp --icmp-type
echo-reply -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $INET_INTERFACE -p icmp --icmp-type echo-reply -m
state --state NEW -j ACCEPT
$IPT -A INPUT -i $LAN_INTERFACE -p tcp --dport $FTPPORT -m state --state
NEW -j ACCEPT
$IPT -A INPUT -i $LAN_INTERFACE -p tcp --dport $SSHPORT -m state --state
NEW -j ACCEPT
$IPT -A INPUT -i $LAN_INTERFACE -p tcp --dport $TELNETPORT -m state --state
NEW -j ACCEPT
$IPT -A INPUT -i $LAN_INTERFACE -p udp --dport $DNSPORT -m state --state
NEW -j ACCEPT
$IPT -A INPUT -i $INET_INTERFACE -p tcp --dport $FTPPORT -m state --state
NEW -j ACCEPT
$IPT -A INPUT -i $INET_INTERFACE -p tcp --dport $SSHPORT -m state --state
NEW -j ACCEPT
# $IPT -A INPUT -i $INET_INTERFACE -p tcp --dport 23 -j ACCEPT # Not
recommended
$IPT -A INPUT -i $INET_INTERFACE -p udp --dport $DNSPORT -m state --state
NEW -j ACCEPT
$IPT -A OUTPUT -o $LAN_INTERFACE -p tcp --dport $FTPPORT -m state --state
NEW -j ACCEPT
$IPT -A OUTPUT -o $LAN_INTERFACE -p tcp --dport $SSHPORT -m state --state
NEW -j ACCEPT
$IPT -A OUTPUT -o $LAN_INTERFACE -p tcp --dport $TELNETPORT -m state --state
NEW -j ACCEPT
$IPT -A OUTPUT -o $LAN_INTERFACE -p udp --dport $DNSPORT -m state --state
NEW -j ACCEPT
$IPT -A OUTPUT -o $INET_INTERFACE -p tcp --dport $FTPPORT -m state --state
NEW -j ACCEPT
$IPT -A OUTPUT -o $INET_INTERFACE -p tcp --dport $SSHPORT -m state --state
NEW -j ACCEPT
$IPT -A OUTPUT -o $INET_INTERFACE -p tcp --dport $TELNETPORT -m
state --state NEW -j ACCEPT
$IPT -A OUTPUT -o $INET_INTERFACE -p udp --dport $DNSPORT -m state --state
NEW -j ACCEPT
$IPT -A FORWARD -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o
$INET_INTERFACE --dport $FTPPORT -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o
$INET_INTERFACE --dport $SSHPORT -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o
$INET_INTERFACE --dport $TELNETPORT -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o
$INET_INTERFACE --dport $DNSPORT -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp -i $INET_INTERFACE -o $LAN_INTERFACE -d
$LAN_ADDRESSES --dport $FTPPORT -m state --state NEW -j ACCEPT
$IPT -A FORWARD -p tcp -i $INET_INTERFACE -o $LAN_INTERFACE -d
$LAN_ADDRESSES -d $LAN_SSH --dport $SSHPORT -m state --state NEW -j ACCEPT
# $IPT -A FORWARD -p tcp -i $INET_INTERFACE -s 0/0 -o $LAN_INTERFACE -d
$LAN_ADDRESSES --dport 23 -m state --state NEW -j ACCEPT # Not recommended
$IPT -A FORWARD -p tcp -i $INET_INTERFACE -o $LAN_INTERFACE -d
$LAN_ADDRESSES -d $LAN_DNS --dport $DNSPORT -m state --state NEW -j ACCEPT
-------------------------------------------------End-------------------------------------------
----- Original Message -----
From: "Patrik Hasibuan" <patrikhasibuan@ymail.com>
To: <debian-firewall@lists.debian.org>
Sent: Wednesday, January 28, 2009 3:36 PM
Subject: my debian does not read my own iptables script
Dear my friends,
I am building a firewall with Debian Sarge on my internet gateway. But
lookslike my debian does not read my iptables script after I run my own
iptables script.
This is the result of the firewall on my debian-box. '192.168.23.0' is the
subnet of my internal LAN. eth2 faces my internal LAN whose IP
'192.168.23.2' and eth5 faces my ISP whose IP '202.155.0.1':
==
nmap 192.168.23.2
Starting Nmap 4.20 ( http://insecure.org ) at 2009-01-28 15:12 WIT
Interesting ports on 192.168.23.2:
Not shown: 1692 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
111/tcp open rpcbind
113/tcp open auth
515/tcp open printer
Nmap finished: 1 IP address (1 host up) scanned in 13.029 seconds
==
nmap 202.155.0.1
Starting Nmap 4.20 ( http://insecure.org ) at 2009-01-28 15:12 WIT
Interesting ports on 202.155.0.1:
Not shown: 1693 closed ports
PORT STATE SERVICE
22/tcp open ssh
111/tcp open rpcbind
113/tcp open auth
515/tcp open printer
Nmap finished: 1 IP address (1 host up) scanned in 14.010 seconds
==
I haven't open the rpcbind,auth,printer. And the 21,23,53 are not opened by
my iptables. Where is the mistake? Please tell me. I am new in debian and
iptables. Usually I use OpenSuSE and SuSEfirewall2 and I configure the
firewall with YaST2 so easily. But now I want to get close to debian too.
And I am stucked on this case.
==
here is my script
==
#!/bin/bash
#Zero...zero...from beginning
iptables -F
route add default gateway 202.155.0.1
#Log....them
iptables -I INPUT -j LOG
iptables -I OUTPUT -j LOG
iptables -I FORWARD -j LOG
#Open needed ports
iptables -I INPUT -i eth2 -s 192.168.23.0/24 -p icmp --icmp-type
echo-request -j ACCEPT
iptables -I INPUT -i eth5 -s 0/0 -p icmp --icmp-type echo-request -j ACCEPT
iptables -I OUTPUT -o eth2 -d 192.168.23.0/24 -p icmp --icmp-type
echo-reply -j ACCEPT
iptables -I OUTPUT -o eth5 -d 0/0 -p icmp --icmp-type echo-reply -j ACCEPT
iptables -I INPUT -i eth2 -p tcp --dport 21 -j ACCEPT
iptables -I INPUT -i eth2 -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -i eth2 -p tcp --dport 23 -j ACCEPT
iptables -I INPUT -i eth2 -p udp --dport 53 -j ACCEPT
iptables -I INPUT -i eth5 -p tcp --dport 21 -j ACCEPT
iptables -I INPUT -i eth5 -p tcp --dport 22 -j ACCEPT
iptables -I INPUT -i eth5 -p tcp --dport 23 -j ACCEPT
iptables -I INPUT -i eth5 -p udp --dport 53 -j ACCEPT
iptables -I OUTPUT -o eth2 -p tcp --dport 21 -j ACCEPT
iptables -I OUTPUT -o eth2 -p tcp --dport 22 -j ACCEPT
iptables -I OUTPUT -o eth2 -p tcp --dport 23 -j ACCEPT
iptables -I OUTPUT -o eth2 -p udp --dport 53 -j ACCEPT
iptables -I OUTPUT -o eth5 -p tcp --dport 21 -j ACCEPT
iptables -I OUTPUT -o eth5 -p tcp --dport 22 -j ACCEPT
iptables -I OUTPUT -o eth5 -p tcp --dport 23 -j ACCEPT
iptables -I OUTPUT -o eth5 -p udp --dport 53 -j ACCEPT
iptables -I FORWARD -p tcp -i eth2 -s 192.168.23.0/24 -o eth5 -d 0/0 --dport
21 -j ACCEPT
iptables -I FORWARD -p tcp -i eth2 -s 192.168.23.0/24 -o eth5 -d 0/0 --dport
22 -j ACCEPT
iptables -I FORWARD -p tcp -i eth2 -s 192.168.23.0/24 -o eth5 -d 0/0 --dport
23 -j ACCEPT
iptables -I FORWARD -p tcp -i eth2 -s 192.168.23.0/24 -o eth5 -d 0/0 --dport
53 -j ACCEPT
iptables -I FORWARD -p tcp -i eth5 -s 0/0 -o eth2 -d 192.168.23.0/24 --dport
21 -j ACCEPT
iptables -I FORWARD -p tcp -i eth5 -s 0/0 -o eth2 -d 192.168.23.0/24 --dport
22 -j ACCEPT
iptables -I FORWARD -p tcp -i eth5 -s 0/0 -o eth2 -d 192.168.23.0/24 --dport
23 -j ACCEPT
iptables -I FORWARD -p tcp -i eth5 -s 0/0 -o eth2 -d 192.168.23.0/24 --dport
53 -j ACCEPT
iptables -t nat -I POSTROUTING -p icmp -o eth5 -d 0/0 -j SNAT --to-source
202.155.0.1
iptables -t nat -I POSTROUTING -p icmp -o eth2 -d 192.168.23.0/24 -j
SNAT --to-source 192.168.23.2
iptables -t nat -I POSTROUTING -p tcp -o eth5 -d 0/0 -j SNAT --to-source
202.155.0.1
iptables -t nat -I POSTROUTING -p tcp -o eth2 -d 192.168.23.0/24 -j
SNAT --to-source 192.168.23.2
iptables -t nat -I PREROUTING -p tcp -i eth5 -s 0/0 -d 202.155.0.1 --dport
23 -j DNAT --to-destination 192.168.23.20:23
iptables -t nat -I PREROUTING -p tcp -i eth2 -s 192.168.23.0/24 -d
192.168.23.2 --dport 23 -j DNAT --to-destination 192.168.23.20:23
Selalu bersama teman-teman di Yahoo! Messenger. Tambahkan mereka dari
email atau jaringan sosial Anda sekarang!
http://id.messenger.yahoo.com/invite/
--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
--
To UNSUBSCRIBE, email to debian-firewall-REQUEST@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
No comments:
Post a Comment