[relug] Re: Problemino FIrewall [LUNGO]

  • From: Samuele Rimella <samuele.rimella@xxxxxxxxxxxxxxxxx>
  • To: relug@xxxxxxxxxxxxx
  • Date: Mon, 29 Mar 2004 20:02:41 +0200

On Sun, 28 Mar 2004 11:22:31 +0200
Paolo Arnaldo Dallari <paolo.arnaldo@xxxxxxxxxxx> wrote:

PAD> Ciao a tutti, ho qualche problemino col firewall che ho settato per
PAD> una macchina server connessa 24h su 24, 
PAD> 

Ti allego un firewall che ho modificato da una versione che mi ha dato
Bova, l'originale non la possiedo più :-(
Spero che possa esserti utile!

--
Ciao
        Samu
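#! /bin/sh
#
# Firewall for a small Linux gateway ("Samuserver"): hosts on $IF_LAN are
# masqueraded onto the Internet through $INTERNET, the gateway itself exposes
# a few services, and an optional second uplink ($IF_WAN) can be enabled by
# giving it a name.
#
# Usage: run as root (at boot or after editing the variables below).  The
# script flushes and rebuilds the filter, nat and mangle tables every time.
#
# Error handling: any failing command aborts the script (set -e).  The DROP
# policies are installed right after the flush, so an abort leaves the host
# fail-closed (which may lock out a remote admin) rather than wide open.
#
# Note on the listing: the mail client had wrapped several iptables commands
# onto two lines; they are joined again here, otherwise the second half ran as
# a separate (failing) command.

set -eu

#-------------------------------------------------------------------------------
# Script variables
#
# Reti (networks)
#-------------------------------------------------------------------------------
IF_LAN="eth0"         # internal LAN interface
IF_WAN=""             # optional second uplink; empty disables every $IF_WAN rule
INTERNET="ppp0"       # Internet-facing interface (masqueraded)
IP_LAN="192.168.0.1"  # gateway address on the LAN; not referenced by any rule yet

#-------------------------------------------------------------------------------
# Adjust /proc
#-------------------------------------------------------------------------------
adjust_proc() {
  printf '\t\tAdjusting /proc'

  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  echo 1 > /proc/sys/net/ipv4/conf/all/secure_redirects
  # NOTE(review): send_redirects=1 and accept_source_route=1 are kept exactly
  # as the author set them; on a gateway both are normally 0 -- confirm intended.
  echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies
  echo 1 > /proc/sys/net/ipv4/conf/all/accept_source_route
  echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
  # 0 = do not log packets with impossible source addresses; 1 gives visibility
  # into what rp_filter (below) is discarding.
  echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
  echo 1 > /proc/sys/net/ipv4/ip_forward

  printf '\t\t\t\t\tdone\n'
}

#-------------------------------------------------------------------------------
# Flush existing settings
#-------------------------------------------------------------------------------
flush_rules() {
  printf '\t\tFlushing existing settings'

  iptables -F INPUT
  iptables -F OUTPUT
  iptables -F FORWARD
  iptables -t nat -F
  iptables -t mangle -F

  printf '\t\t\tdone\n'
}

#-------------------------------------------------------------------------------
# Table policies: everything not explicitly accepted below is dropped on the
# way in and through; locally generated traffic is allowed out.
#-------------------------------------------------------------------------------
set_policies() {
  printf '\t\tSetting up tables policies'

  iptables -P INPUT DROP
  iptables -P OUTPUT ACCEPT
  iptables -P FORWARD DROP

  printf '\t\t\tdone\n'
}

#-------------------------------------------------------------------------------
# Loopback traffic
#-------------------------------------------------------------------------------
loopback_rules() {
  iptables -A INPUT -i lo -j ACCEPT
  iptables -A OUTPUT -o lo -j ACCEPT
}

#-------------------------------------------------------------------------------
# Icmp settings: oversized echo-requests (>= 128 bytes) are dropped, normal
# ones are rate-limited to 1/s; replies to our own probes are always allowed.
#-------------------------------------------------------------------------------
icmp_rules() {
  printf '\t\tSetting up icmp rules'

  # Connessioni per Samuserver (to the gateway itself)
  iptables -A INPUT -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p icmp --icmp-type echo-request \
    -m length --length 128:65535 -j DROP
  iptables -A INPUT -p icmp --icmp-type echo-request \
    -m limit --limit 1/s -j ACCEPT

  # Connessioni da Samuserver (from the gateway itself)
  iptables -A OUTPUT -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  # For more security in a corporate setting, remove NEW from the states
  # above: the gateway then never pings anything "on its own initiative".
  iptables -A OUTPUT -p icmp --icmp-type echo-request \
    -m length --length 128:65535 -j DROP
  iptables -A OUTPUT -p icmp --icmp-type echo-request \
    -m limit --limit 1/s -j ACCEPT

  # Connessioni attraverso Samuserver (forwarded through the gateway)
  iptables -A FORWARD -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i "$IF_LAN" -p icmp --icmp-type echo-request \
    -m length --length 128:65535 -j DROP
  iptables -A FORWARD -i "$IF_LAN" -p icmp --icmp-type echo-request \
    -m limit --limit 1/s -j ACCEPT
  # The original script used $IF_WAN here without ever defining it, which made
  # iptables fail on an empty interface name; only emit the rules when set.
  if [ -n "$IF_WAN" ]; then
    iptables -A FORWARD -i "$IF_WAN" -p icmp --icmp-type echo-request \
      -m length --length 128:65535 -j DROP
    iptables -A FORWARD -i "$IF_WAN" -p icmp --icmp-type echo-request \
      -m limit --limit 1/s -j ACCEPT
  fi
  iptables -A FORWARD -i "$INTERNET" -p icmp --icmp-type destination-unreachable \
    -m limit --limit 1/s -j ACCEPT
  iptables -A FORWARD -i "$INTERNET" -p icmp --icmp-type redirect \
    -m limit --limit 1/s -j ACCEPT
  iptables -A FORWARD -i "$INTERNET" -p icmp --icmp-type time-exceeded \
    -m limit --limit 1/s -j ACCEPT

  printf '\t\t\t\tdone\n'
}

#-------------------------------------------------------------------------------
# Filter settings
#-------------------------------------------------------------------------------
filter_rules() {
  printf '\t\tSetting up FILTER rules'

  # Connessioni da LAN a Samuserver
  iptables -A INPUT -i "$IF_LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -i "$IF_LAN" -p tcp --dport 21 -j ACCEPT
  iptables -A INPUT -i "$IF_LAN" -p tcp --dport 22 -j ACCEPT
  iptables -A INPUT -i "$IF_LAN" -p tcp --dport 80 -j ACCEPT
  iptables -A INPUT -i "$IF_LAN" -p tcp --dport 8080 -j ACCEPT
  # Add further ports here if needed; otherwise the LAN only reaches the
  # ports listed above on the gateway.

  # Connessioni da Samuserver a LAN
  #iptables -A OUTPUT -o "$IF_LAN" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  #iptables -A OUTPUT -o "$IF_LAN" -p tcp --dport 22 -j ACCEPT
  # Same reasoning as for ICMP: drop NEW for a stricter setup, and add
  # whatever other ports are required.

  # Connessioni da WAN a Samuserver
  #iptables -A INPUT -i "$IF_WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
  #iptables -A INPUT -i "$IF_WAN" -p tcp --dport 21 -j ACCEPT
  #iptables -A INPUT -i "$IF_WAN" -p tcp --dport 22 -j ACCEPT
  #iptables -A INPUT -i "$IF_WAN" -p tcp --dport 80 -j ACCEPT
  #iptables -A INPUT -i "$IF_WAN" -p tcp --dport 8080 -j ACCEPT
  # Add further ports here if needed.

  # Connessioni da Samuserver a WAN
  #iptables -A OUTPUT -o "$IF_WAN" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  #iptables -A OUTPUT -o "$IF_WAN" -p tcp --dport 22 -j ACCEPT
  # Same reasoning as above.

  # Connessioni da INTERNET a Samuserver
  # ESTABLISHED,RELATED only: the original rule also accepted NEW, which made
  # every listening port on the gateway reachable from the Internet and left
  # the per-port rules below without effect.  This matches the LAN rule above.
  iptables -A INPUT -i "$INTERNET" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -i "$INTERNET" -p tcp --dport 21 -j ACCEPT
  iptables -A INPUT -i "$INTERNET" -p tcp --dport 22 -j ACCEPT
  iptables -A INPUT -i "$INTERNET" -p tcp --dport 80 -j ACCEPT
  iptables -A INPUT -i "$INTERNET" -p tcp --dport 4662 -j ACCEPT
  iptables -A INPUT -i "$INTERNET" -p udp --dport 4672 -j ACCEPT
  # Same as above: add ports here if needed.

  # Connessioni da Samuserver a INTERNET
  # (not active: the OUTPUT policy is ACCEPT; uncomment to tighten it)
  #iptables -A OUTPUT -o "$INTERNET" -m state --state ESTABLISHED,RELATED -j ACCEPT
  #iptables -A OUTPUT -o "$INTERNET" -p tcp -m multiport --dports 20,21 -j ACCEPT
  #iptables -A OUTPUT -o "$INTERNET" -p tcp --dport 21 -j ACCEPT
  #iptables -A OUTPUT -o "$INTERNET" -p tcp --dport 22 -j ACCEPT
  #iptables -A OUTPUT -o "$INTERNET" -p tcp --dport 25 -j ACCEPT
  #iptables -A OUTPUT -o "$INTERNET" -p tcp --dport 53 -j ACCEPT
  #iptables -A OUTPUT -o "$INTERNET" -p udp --dport 53 -j ACCEPT
  #iptables -A OUTPUT -o "$INTERNET" -p tcp --dport 80 -j ACCEPT
  #iptables -A OUTPUT -o "$INTERNET" -p udp --dport 123 -j ACCEPT
  #iptables -A OUTPUT -o "$INTERNET" -p tcp --dport 4662 -j ACCEPT
  #iptables -A OUTPUT -o "$INTERNET" -p udp --dport 4672 -j ACCEPT

  # Connessioni da LAN a INTERNET
  iptables -A FORWARD -i "$IF_LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i "$IF_LAN" -p tcp -m multiport --dports 20,21 -j ACCEPT
  iptables -A FORWARD -i "$IF_LAN" -p tcp --dport 21 -j ACCEPT
  iptables -A FORWARD -i "$IF_LAN" -p tcp --dport 22 -j ACCEPT
  iptables -A FORWARD -i "$IF_LAN" -p tcp --dport 25 -j ACCEPT
  iptables -A FORWARD -i "$IF_LAN" -p tcp --dport 53 -j ACCEPT
  iptables -A FORWARD -i "$IF_LAN" -p udp --dport 53 -j ACCEPT
  iptables -A FORWARD -i "$IF_LAN" -p tcp --dport 80 -j ACCEPT
  iptables -A FORWARD -i "$IF_LAN" -p tcp --dport 110 -j ACCEPT
  iptables -A FORWARD -i "$IF_LAN" -p udp --dport 123 -j ACCEPT
  iptables -A FORWARD -i "$IF_LAN" -p tcp --dport 143 -j ACCEPT
  iptables -A FORWARD -i "$IF_LAN" -p tcp --dport 443 -j ACCEPT
  iptables -A FORWARD -i "$IF_LAN" -p tcp --dport 6346 -j ACCEPT
  iptables -A FORWARD -i "$IF_LAN" -p tcp -m multiport --dports 9000,9001 -j ACCEPT

  # Connessioni da INTERNET a LAN
  # (the 6346 rule only matters once a matching DNAT rule exists, see nat_rules)
  iptables -A FORWARD -i "$INTERNET" -m state --state ESTABLISHED,RELATED -j ACCEPT
  iptables -A FORWARD -i "$INTERNET" -p tcp --dport 6346 -j ACCEPT

  # Connessioni da WAN a INTERNET
  #iptables -A FORWARD -i "$IF_WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT
  #iptables -A FORWARD -i "$IF_WAN" -p tcp -m multiport --dports 20,21 -j ACCEPT
  #iptables -A FORWARD -i "$IF_WAN" -p tcp --dport 21 -j ACCEPT
  #iptables -A FORWARD -i "$IF_WAN" -p tcp --dport 22 -j ACCEPT
  #iptables -A FORWARD -i "$IF_WAN" -p tcp --dport 25 -j ACCEPT
  #iptables -A FORWARD -i "$IF_WAN" -p tcp --dport 53 -j ACCEPT
  #iptables -A FORWARD -i "$IF_WAN" -p udp --dport 53 -j ACCEPT
  #iptables -A FORWARD -i "$IF_WAN" -p tcp --dport 80 -j ACCEPT
  #iptables -A FORWARD -i "$IF_WAN" -p tcp --dport 110 -j ACCEPT
  #iptables -A FORWARD -i "$IF_WAN" -p udp --dport 123 -j ACCEPT
  #iptables -A FORWARD -i "$IF_WAN" -p tcp --dport 143 -j ACCEPT
  #iptables -A FORWARD -i "$IF_WAN" -p tcp --dport 443 -j ACCEPT
  #iptables -A FORWARD -i "$IF_WAN" -p tcp --dport 6346 -j ACCEPT
  #iptables -A FORWARD -i "$IF_WAN" -p tcp -m multiport --dports 9000,9001 -j ACCEPT

  # Connessioni da INTERNET a WAN
  #iptables -A FORWARD -i "$INTERNET" -m state --state ESTABLISHED,RELATED -j ACCEPT

  printf '\t\t\t\tdone\n'
}

#-------------------------------------------------------------------------------
# NAT settings
#-------------------------------------------------------------------------------
nat_rules() {
  printf '\t\tSetting up NAT rules'

  # SNAT rules: masquerade everything leaving on the Internet interface
  iptables -t nat -A POSTROUTING -o "$INTERNET" -j MASQUERADE

  # DNAT rules (none yet)

  printf '\t\t\t\tdone\n'
}

#-------------------------------------------------------------------------------
# TOS settings: mark interactive ports for low delay (0x10), bulk transfer
# ports for high throughput (0x08) and the rest for reliability (0x04).
#-------------------------------------------------------------------------------
tos_rules() {
  printf '\t\tSetting up TOS rules'

  # tcp
  iptables -t mangle -A PREROUTING -p tcp -m tcp -m multiport --dports 21,22,80 \
    -j TOS --set-tos 0x10
  iptables -t mangle -A PREROUTING -p tcp -m tcp -m multiport --dports 20,25,143 \
    -j TOS --set-tos 0x08
  iptables -t mangle -A PREROUTING -p tcp -m tcp -m multiport --dports 53,110 \
    -j TOS --set-tos 0x04

  # udp
  iptables -t mangle -A PREROUTING -p udp -m udp -m multiport --dports 53,110 \
    -j TOS --set-tos 0x04
  iptables -t mangle -A PREROUTING -p udp -m udp -m multiport --dports 143 \
    -j TOS --set-tos 0x08

  printf '\t\t\t\tdone\n'
}

#-------------------------------------------------------------------------------
# Entry point: apply every section in the original order.
#-------------------------------------------------------------------------------
main() {
  printf '%s\n' "Setting up firewall rules..."
  printf '\t\tdone\n'

  adjust_proc
  flush_rules
  set_policies
  loopback_rules
  icmp_rules
  filter_rules
  nat_rules
  tos_rules

  printf '%s\n' "The firewall is up."
}

main "$@"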
