Saturday, January 31, 2009

Re: my debian does not read my own iptables script

My dear generous friend Kinglok,

Thank you very much for your help.

You helped me a lot. Thank you a thousand times. You solved my problem.


--- On Sat, 31/1/09, Kinglok, FONG <busywater@gmail.com> wrote:

> From: Kinglok, FONG <busywater@gmail.com>
> Subject: Re: my debian does not read my own iptables script
> To: patrikhasibuan@ymail.com, debian-firewall@lists.debian.org
> Date: Saturday, 31 January 2009, 6:51 AM
> Hi,
>
> I have rewritten your script as follows.
>
> 1. Ensure there is nothing like SELinux running on your machine.
> 2. Telnet is not recommended since it transmits in plain text, including your password. Use SSH instead.
> 3. ICMP message control, source address spoofing and logging are not included in the script.
> 4. I prefer that the route setup be done through rc.local instead of the firewall script, and the default gateway should be defined in /etc/network/interfaces.
> 5. I have not tested the script.
>
> Kinglok, FONG.
>
> ----------------------------------Start------------------------------------------
> #!/bin/bash
>
> ###############################################################
> # Adding default gateway
> /sbin/route add default gateway 202.155.0.1
>
> ###############################################################
> # Initialize some parameters
> INET_INTERFACE="eth5"
> LAN_INTERFACE="eth2"
> LOOPBACK_INTERFACE="lo"
>
> IPT="/sbin/iptables"
> INET_ADDR="202.155.0.1"
> LAN_ADDR="192.168.23.2"
> LAN_SSH="192.168.23.20"          # SSH server in LAN
> LAN_ADDRESSES="192.168.23.0/24"  # LAN address range
> LAN_DNS=""                       # Please specify your DNS server in LAN
>
> FTPPORT="21"
> SSHPORT="22"
> TELNETPORT="23"
> DNSPORT="53"
> UNPRIVPORTS="1024:65535"         # unprivileged port range
>
> ###############################################################
> # Enable connection tracking for FTP
>
> /sbin/modprobe ip_conntrack_ftp
> /sbin/modprobe ip_nat_ftp
>
> ###############################################################
> # Initialization
>
> # Enable IP forwarding since it is disabled by default
> echo 1 > /proc/sys/net/ipv4/ip_forward
>
> # Enable broadcast echo protection (default: 1)
> echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
>
> # Disable source routed packets (default: 0)
> for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
>     echo 0 > $f
> done
>
> # Enable TCP SYN cookie protection (default: 1)
> echo 1 > /proc/sys/net/ipv4/tcp_syncookies
>
> # Disable ICMP redirect acceptance (default: 0)
> for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
>     echo 0 > $f
> done
>
> # Do not send redirect messages (default: 0)
> for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
>     echo 0 > $f
> done
>
> # Drop spoofed packets coming in on an interface which, if replied to,
> # would result in the reply going out a different interface (default: 1)
> for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
>     echo 1 > $f
> done
>
> # Do not log packets with impossible addresses (default: 0)
> for f in /proc/sys/net/ipv4/conf/*/log_martians; do
>     echo 0 > $f
> done
>
> ###############################################################
> # Remove any existing rules from all chains
> $IPT --flush
> $IPT -t nat --flush
> $IPT -t mangle --flush
> $IPT -X
> $IPT -t nat -X
> $IPT -t mangle -X
> $IPT --policy INPUT ACCEPT
> $IPT --policy OUTPUT ACCEPT
> $IPT --policy FORWARD ACCEPT
> $IPT -t nat --policy PREROUTING ACCEPT
> $IPT -t nat --policy OUTPUT ACCEPT
> $IPT -t nat --policy POSTROUTING ACCEPT
> $IPT -t mangle --policy PREROUTING ACCEPT
> $IPT -t mangle --policy OUTPUT ACCEPT
> if [ "$1" = "stop" ]; then
>     echo "Firewall completely stopped! WARNING: THIS HOST HAS NO FIREWALL RUNNING."
>     exit
> fi
>
> # Unlimited traffic on the loopback interface
> $IPT -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
> $IPT -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT
>
> # Set the default policy to drop
> $IPT --policy INPUT DROP
> $IPT --policy OUTPUT DROP
> $IPT --policy FORWARD DROP
>
> ###############################################################
> # NAT rules
> # Opening port 23 (telnet) to the internet is not recommended, open port 22 for SSH instead
> $IPT -t nat -A PREROUTING -p tcp -i $INET_INTERFACE --sport $UNPRIVPORTS -d $INET_ADDR --dport $SSHPORT -j DNAT --to-destination $LAN_SSH
>
> # There is no need for NAT inside LAN
> #$IPT -t nat -I PREROUTING -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -d 192.168.23.2 --dport 23 -j DNAT --to-destination 192.168.23.20:23
>
> # NAT rules for reaching internet space
> $IPT -t nat -A POSTROUTING -p tcp -o $INET_INTERFACE -s $LAN_ADDRESSES -j SNAT --to-source $INET_ADDR
> # There is no need for NAT to reach other addresses situated in LAN
> #$IPT -t nat -A POSTROUTING -p tcp -o $LAN_INTERFACE -d $LAN_ADDRESSES -j SNAT --to-source 192.168.23.2
>
> # It is not recommended to allow all icmp messages
> #$IPT -t nat -I POSTROUTING -p icmp -o $INET_INTERFACE -d 0/0 -j SNAT --to-source 202.155.0.1
> #$IPT -t nat -I POSTROUTING -p icmp -o $LAN_INTERFACE -d $LAN_ADDRESSES -j SNAT --to-source 192.168.23.2
>
> ###############################################################
> # Using connection state to bypass rule checking
> $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
>
> ###############################################################
> # Open needed ports
> $IPT -A INPUT -i $LAN_INTERFACE -s $LAN_ADDRESSES -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
> # Not recommended:
> #$IPT -A INPUT -i $INET_INTERFACE -s 0/0 -p icmp --icmp-type echo-request -m state --state NEW -j ACCEPT
>
> $IPT -A OUTPUT -o $LAN_INTERFACE -d $LAN_ADDRESSES -p icmp --icmp-type echo-reply -m state --state NEW -j ACCEPT
> $IPT -A OUTPUT -o $INET_INTERFACE -p icmp --icmp-type echo-reply -m state --state NEW -j ACCEPT
>
> $IPT -A INPUT -i $LAN_INTERFACE -p tcp --dport $FTPPORT -m state --state NEW -j ACCEPT
> $IPT -A INPUT -i $LAN_INTERFACE -p tcp --dport $SSHPORT -m state --state NEW -j ACCEPT
> $IPT -A INPUT -i $LAN_INTERFACE -p tcp --dport $TELNETPORT -m state --state NEW -j ACCEPT
> $IPT -A INPUT -i $LAN_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
>
> $IPT -A INPUT -i $INET_INTERFACE -p tcp --dport $FTPPORT -m state --state NEW -j ACCEPT
> $IPT -A INPUT -i $INET_INTERFACE -p tcp --dport $SSHPORT -m state --state NEW -j ACCEPT
> # Not recommended:
> #$IPT -A INPUT -i $INET_INTERFACE -p tcp --dport 23 -j ACCEPT
> $IPT -A INPUT -i $INET_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
>
> $IPT -A OUTPUT -o $LAN_INTERFACE -p tcp --dport $FTPPORT -m state --state NEW -j ACCEPT
> $IPT -A OUTPUT -o $LAN_INTERFACE -p tcp --dport $SSHPORT -m state --state NEW -j ACCEPT
> $IPT -A OUTPUT -o $LAN_INTERFACE -p tcp --dport $TELNETPORT -m state --state NEW -j ACCEPT
> $IPT -A OUTPUT -o $LAN_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
>
> $IPT -A OUTPUT -o $INET_INTERFACE -p tcp --dport $FTPPORT -m state --state NEW -j ACCEPT
> $IPT -A OUTPUT -o $INET_INTERFACE -p tcp --dport $SSHPORT -m state --state NEW -j ACCEPT
> $IPT -A OUTPUT -o $INET_INTERFACE -p tcp --dport $TELNETPORT -m state --state NEW -j ACCEPT
> $IPT -A OUTPUT -o $INET_INTERFACE -p udp --dport $DNSPORT -m state --state NEW -j ACCEPT
>
> $IPT -A FORWARD -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o $INET_INTERFACE --dport $FTPPORT -m state --state NEW -j ACCEPT
> $IPT -A FORWARD -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o $INET_INTERFACE --dport $SSHPORT -m state --state NEW -j ACCEPT
> $IPT -A FORWARD -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o $INET_INTERFACE --dport $TELNETPORT -m state --state NEW -j ACCEPT
> $IPT -A FORWARD -p tcp -i $LAN_INTERFACE -s $LAN_ADDRESSES -o $INET_INTERFACE --dport $DNSPORT -m state --state NEW -j ACCEPT
>
> $IPT -A FORWARD -p tcp -i $INET_INTERFACE -o $LAN_INTERFACE -d $LAN_ADDRESSES --dport $FTPPORT -m state --state NEW -j ACCEPT
> # iptables accepts only one -d per rule; $LAN_SSH lies inside $LAN_ADDRESSES anyway
> $IPT -A FORWARD -p tcp -i $INET_INTERFACE -o $LAN_INTERFACE -d $LAN_SSH --dport $SSHPORT -m state --state NEW -j ACCEPT
> # Not recommended:
> #$IPT -A FORWARD -p tcp -i $INET_INTERFACE -s 0/0 -o $LAN_INTERFACE -d $LAN_ADDRESSES --dport 23 -m state --state NEW -j ACCEPT
> $IPT -A FORWARD -p tcp -i $INET_INTERFACE -o $LAN_INTERFACE -d $LAN_DNS --dport $DNSPORT -m state --state NEW -j ACCEPT
>
> -------------------------------------------------End-------------------------------------------
>
> ----- Original Message -----
> From: "Patrik Hasibuan" <patrikhasibuan@ymail.com>
> To: <debian-firewall@lists.debian.org>
> Sent: Wednesday, January 28, 2009 3:36 PM
> Subject: my debian does not read my own iptables script
>
>
> My dear friends,
>
> I am building a firewall with Debian Sarge on my internet gateway. But it looks like my Debian does not read my iptables script after I run my own iptables script.
>
> This is the result of the firewall on my debian-box.
> '192.168.23.0' is the subnet of my internal LAN.
> eth2 faces my internal LAN whose IP '192.168.23.2'
> and eth5 faces my ISP whose IP '202.155.0.1':
> ==
> nmap 192.168.23.2
>
> Starting Nmap 4.20 ( http://insecure.org ) at 2009-01-28 15:12 WIT
> Interesting ports on 192.168.23.2:
> Not shown: 1692 closed ports
> PORT    STATE SERVICE
> 22/tcp  open  ssh
> 25/tcp  open  smtp
> 111/tcp open  rpcbind
> 113/tcp open  auth
> 515/tcp open  printer
>
> Nmap finished: 1 IP address (1 host up) scanned in 13.029 seconds
> ==
> nmap 202.155.0.1
>
> Starting Nmap 4.20 ( http://insecure.org ) at 2009-01-28 15:12 WIT
> Interesting ports on 202.155.0.1:
> Not shown: 1693 closed ports
> PORT    STATE SERVICE
> 22/tcp  open  ssh
> 111/tcp open  rpcbind
> 113/tcp open  auth
> 515/tcp open  printer
>
> Nmap finished: 1 IP address (1 host up) scanned in 14.010 seconds
> ==
> I haven't opened rpcbind, auth, printer. And 21, 23, 53 are not opened by my iptables. Where is the mistake? Please tell me. I am new to Debian and iptables. Usually I use OpenSuSE and SuSEfirewall2 and I configure the firewall with YaST2 so easily. But now I want to get close to Debian too. And I am stuck on this case.
> ==
> here is my script
> ==
> #!/bin/bash
> #Zero...zero...from beginning
> iptables -F
>
> route add default gateway 202.155.0.1
>
> #Log....them
> iptables -I INPUT -j LOG
> iptables -I OUTPUT -j LOG
> iptables -I FORWARD -j LOG
>
> #Open needed ports
> iptables -I INPUT -i eth2 -s 192.168.23.0/24 -p icmp --icmp-type echo-request -j ACCEPT
> iptables -I INPUT -i eth5 -s 0/0 -p icmp --icmp-type echo-request -j ACCEPT
> iptables -I OUTPUT -o eth2 -d 192.168.23.0/24 -p icmp --icmp-type echo-reply -j ACCEPT
> iptables -I OUTPUT -o eth5 -d 0/0 -p icmp --icmp-type echo-reply -j ACCEPT
>
> iptables -I INPUT -i eth2 -p tcp --dport 21 -j ACCEPT
> iptables -I INPUT -i eth2 -p tcp --dport 22 -j ACCEPT
> iptables -I INPUT -i eth2 -p tcp --dport 23 -j ACCEPT
> iptables -I INPUT -i eth2 -p udp --dport 53 -j ACCEPT
>
> iptables -I INPUT -i eth5 -p tcp --dport 21 -j ACCEPT
> iptables -I INPUT -i eth5 -p tcp --dport 22 -j ACCEPT
> iptables -I INPUT -i eth5 -p tcp --dport 23 -j ACCEPT
> iptables -I INPUT -i eth5 -p udp --dport 53 -j ACCEPT
>
> iptables -I OUTPUT -o eth2 -p tcp --dport 21 -j ACCEPT
> iptables -I OUTPUT -o eth2 -p tcp --dport 22 -j ACCEPT
> iptables -I OUTPUT -o eth2 -p tcp --dport 23 -j ACCEPT
> iptables -I OUTPUT -o eth2 -p udp --dport 53 -j ACCEPT
>
> iptables -I OUTPUT -o eth5 -p tcp --dport 21 -j ACCEPT
> iptables -I OUTPUT -o eth5 -p tcp --dport 22 -j ACCEPT
> iptables -I OUTPUT -o eth5 -p tcp --dport 23 -j ACCEPT
> iptables -I OUTPUT -o eth5 -p udp --dport 53 -j ACCEPT
>
> iptables -I FORWARD -p tcp -i eth2 -s 192.168.23.0/24 -o eth5 -d 0/0 --dport 21 -j ACCEPT
> iptables -I FORWARD -p tcp -i eth2 -s 192.168.23.0/24 -o eth5 -d 0/0 --dport 22 -j ACCEPT
> iptables -I FORWARD -p tcp -i eth2 -s 192.168.23.0/24 -o eth5 -d 0/0 --dport 23 -j ACCEPT
> iptables -I FORWARD -p tcp -i eth2 -s 192.168.23.0/24 -o eth5 -d 0/0 --dport 53 -j ACCEPT
>
> iptables -I FORWARD -p tcp -i eth5 -s 0/0 -o eth2 -d 192.168.23.0/24 --dport 21 -j ACCEPT
> iptables -I FORWARD -p tcp -i eth5 -s 0/0 -o eth2 -d 192.168.23.0/24 --dport 22 -j ACCEPT
> iptables -I FORWARD -p tcp -i eth5 -s 0/0 -o eth2 -d 192.168.23.0/24 --dport 23 -j ACCEPT
> iptables -I FORWARD -p tcp -i eth5 -s 0/0 -o eth2 -d 192.168.23.0/24 --dport 53 -j ACCEPT
>
> iptables -t nat -I POSTROUTING -p icmp -o eth5 -d 0/0 -j SNAT --to-source 202.155.0.1
> iptables -t nat -I POSTROUTING -p icmp -o eth2 -d 192.168.23.0/24 -j SNAT --to-source 192.168.23.2
>
> iptables -t nat -I POSTROUTING -p tcp -o eth5 -d 0/0 -j SNAT --to-source 202.155.0.1
> iptables -t nat -I POSTROUTING -p tcp -o eth2 -d 192.168.23.0/24 -j SNAT --to-source 192.168.23.2
>
> iptables -t nat -I PREROUTING -p tcp -i eth5 -s 0/0 -d 202.155.0.1 --dport 23 -j DNAT --to-destination 192.168.23.20:23
> iptables -t nat -I PREROUTING -p tcp -i eth2 -s 192.168.23.0/24 -d 192.168.23.2 --dport 23 -j DNAT --to-destination 192.168.23.20:23
>
>
>
>
> -- To UNSUBSCRIBE, email to
> debian-firewall-REQUEST@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
>
>




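The thread never spells out why nmap still saw rpcbind, auth and printer open: the original script never changes the INPUT policy, so it stays at ACCEPT and every port with a listening service remains reachable, while the rewritten script sets the policy to DROP and only opens listed ports. The toy model below, an added example written for this page and not code from either poster, replays both INPUT chains with iptables first-match semantics (a LOG target does not terminate; `-I` inserts at the top, so later inserts are evaluated first) on constructed packets. It models only interface, protocol, destination port and conntrack state; source addresses and ICMP types are ignored.

```python
"""Toy first-match model of an iptables INPUT chain (constructed example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str            # interface the packet arrived on (-i)
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int]     # destination port, None for icmp
    state: str = "NEW"       # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass(frozen=True)
class Rule:
    target: str                          # ACCEPT, DROP or LOG
    in_iface: Optional[str] = None       # -i, None matches any interface
    proto: Optional[str] = None          # -p, None matches any protocol
    dport: Optional[int] = None          # --dport, None matches any port
    states: Optional[frozenset] = None   # -m state --state ..., None matches any

    def matches(self, pkt: Packet) -> bool:
        return (self.in_iface in (None, pkt.in_iface)
                and self.proto in (None, pkt.proto)
                and self.dport in (None, pkt.dport)
                and (self.states is None or pkt.state in self.states))


@dataclass
class Chain:
    policy: str                          # verdict when no rule terminates
    rules: List[Rule] = field(default_factory=list)

    def append(self, rule: Rule) -> None:   # iptables -A: add at the end
        self.rules.append(rule)

    def insert(self, rule: Rule) -> None:   # iptables -I: add at position 1
        self.rules.insert(0, rule)

    def verdict(self, pkt: Packet) -> Tuple[str, bool]:
        """Walk the chain top to bottom; returns (verdict, was_logged)."""
        logged = False
        for rule in self.rules:
            if not rule.matches(pkt):
                continue
            if rule.target == "LOG":        # LOG is non-terminating
                logged = True
                continue
            return rule.target, logged
        return self.policy, logged


SERVICES = (("tcp", 21), ("tcp", 22), ("tcp", 23), ("udp", 53))
NEW = frozenset({"NEW"})
ESTABLISHED = frozenset({"ESTABLISHED", "RELATED"})


def original_input_chain() -> Chain:
    """INPUT chain as left by the original script: policy never set (ACCEPT),
    every rule added with -I, so the LOG rule inserted first ends up last."""
    chain = Chain(policy="ACCEPT")
    chain.insert(Rule("LOG"))                        # iptables -I INPUT -j LOG
    for iface in ("eth2", "eth5"):
        chain.insert(Rule("ACCEPT", iface, "icmp"))  # echo-request rules
        for proto, port in SERVICES:
            chain.insert(Rule("ACCEPT", iface, proto, port))
    return chain


def rewritten_input_chain() -> Chain:
    """INPUT chain of the rewritten script: default DROP, stateful, -A order,
    telnet only from the LAN side."""
    chain = Chain(policy="DROP")
    chain.append(Rule("ACCEPT", "lo"))
    chain.append(Rule("ACCEPT", states=ESTABLISHED))
    chain.append(Rule("ACCEPT", "eth2", "icmp", states=NEW))
    for proto, port in SERVICES:
        chain.append(Rule("ACCEPT", "eth2", proto, port, NEW))
    for proto, port in SERVICES:
        if port != 23:                               # no telnet from the internet
            chain.append(Rule("ACCEPT", "eth5", proto, port, NEW))
    return chain


def compare(pkt: Packet) -> dict:
    """Verdict of both chains for one packet."""
    return {"original": original_input_chain().verdict(pkt),
            "rewritten": rewritten_input_chain().verdict(pkt)}


if __name__ == "__main__":
    # Constructed packets mirroring the ports nmap reported open on the gateway.
    for pkt in (Packet("eth5", "tcp", 111), Packet("eth5", "tcp", 515),
                Packet("eth5", "tcp", 23), Packet("eth2", "tcp", 23),
                Packet("eth5", "tcp", 22)):
        print(f"{pkt.in_iface} {pkt.proto}/{pkt.dport}: {compare(pkt)}")
```

Running it shows tcp/111 from the ISP side accepted (and logged) by the original chain purely through the policy, and dropped by the rewritten chain; telnet from the internet is dropped while telnet from the LAN is still accepted, and reply traffic in state ESTABLISHED passes on any port.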
