My current firewall script is causing some problems with some things that I'm trying to do. Due to the fact that I don't know enough about Linux and iptables, I thought I'd try another firewall script that someone had posted to the list. The problem I'm having with the script is this: when I try to run it I get this error:

./firewall: /proc/sys/net/ipv4/ip_foward: No such file or directory

but the file appears to be there, so I'm not really sure what I'm doing wrong. If I could get some help off-list with this I'd appreciate it. I've attached the firewall script I'm trying to use to this message.

-------------- next part --------------
#!/bin/bash

iptables -F
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
iptables -F -t mangle
iptables -F -t nat
iptables -X
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT

#This enables ip forwarding, and thus by extension, NAT
#Turn this on if you're going to be doing NAT or Masquerading
#The sysctl file is named ip_forward (the attached script spelled it
#ip_foward, which is the nonexistent path the shell complains about)
echo 1 > /proc/sys/net/ipv4/ip_forward

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

#This one maps port 80 to 192.168.1.1. Anything incoming over eth0 to
#the server will be redirected invisibly to port 80 on 192.168.1.1
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.60
iptables -t nat -A PREROUTING -i eth0 -p tcp -s 0/0 --dport 80 -j ACCEPT

#These four redirect a block of ports, in both udp and tcp.
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 2074:2076 -j DNAT --to 192.168.1.69
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2074:2076 -j DNAT --to 192.168.1.69
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4074:4076 -j DNAT --to 192.168.1.69
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4074:4076 -j DNAT --to 192.168.1.69

#Now, our firewall chain
#We use the limit commands to cap the rate at which it alerts to 15
#log messages per minute
iptables -N firewall
#iptables -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
iptables -A firewall -m limit --limit 15/minute -j LOG --log-prefix "fp=Firewall:1 a=DROP "
iptables -A firewall -j DROP

#Now, our dropwall chain, for the final catchall filter
iptables -N dropwall
# iptables -A dropwall -m limit --limit 15/minute -j LOG \
#   --log-level 1 --log-prefix "fp=Dropwall:2 a=DROP "
iptables -A dropwall -i eth0 -p tcp --dport 80 -j ACCEPT
iptables -A dropwall -j DROP

#Our "hey, them's some bad tcp flags!" chain
iptables -N badflags
#iptables -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
iptables -A badflags -m limit --limit 15/minute -j LOG --log-prefix "fp=Badflags:3 a=DROP "
iptables -A badflags -j DROP

#And our silent logging chain
iptables -N silent
iptables -A silent -j DROP

#Accept ourselves (loopback interface), 'cause we're all warm and friendly
iptables -A INPUT -i lo -j ACCEPT

#Drop those nasty packets!
#These are all TCP flag combinations that should never, ever occur in the
#wild. All of these are illegal combinations that are used to attack a box
#in various ways, so we just drop them and log them here.
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

#Drop icmp, but only after letting certain types through
iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
iptables -A INPUT -p icmp -j firewall

#Accept SSH connections from everywhere.
#Uncomment this if you're running SSH and want to be able to access it
#from the outside world.
# iptables -A INPUT -i eth1 -d 0/0 -p tcp --dport 21 -j ACCEPT
iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -d 0/0 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -i eth1 -d 0/0 -j ACCEPT

# We should not accept any datagrams with a source address matching ours
# from the outside, so we deny them.
iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROP

#Lets do some basic state-matching
#This allows us to accept related and established connections, so
#client-side things like ftp work properly, for example.
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT

#Uncomment to drop port 137 netbios packets silently. We don't like
#that netbios stuff, and it's way too spammy with windows machines on
#the network.
#
# iptables -A INPUT -p udp --sport 137 --dport 137 -j silent
iptables -A INPUT -p udp --sport 137 --dport 137 -j ACCEPT
iptables -A INPUT -p udp --sport 138 --dport 138 -j ACCEPT
iptables -A INPUT -p udp --sport 139 --dport 139 -j ACCEPT

#Our final trap. Everything on INPUT goes to the dropwall so we don't get silent drops
iptables -A INPUT -j dropwall
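The "No such file or directory" in the thread comes from the shell redirection, not from iptables, so it never names which script line is wrong. Below is an added example (not part of the original post or its attached script) of two static checks worth running over a firewall script before executing it as root: one lists every /proc/sys path the script writes to that does not exist on the host, the other lists every chain that rules jump to with -j but that the script never creates with -N. The SAMPLE_SCRIPT is a constructed excerpt that reproduces the attachment's misspelled sysctl path and a jump to a chain defined later in the file; the function names and the list of built-in targets they skip are this example's own choices.

```shell
#!/bin/bash
# Added example: lint an iptables shell script before running it.
# SAMPLE_SCRIPT is a constructed excerpt of the thread's attachment; it keeps
# the misspelled sysctl path and jumps to chains that are never created here.
SAMPLE_SCRIPT='#!/bin/bash
echo 1 > /proc/sys/net/ipv4/ip_foward
iptables -N firewall
iptables -A firewall -j DROP
iptables -A INPUT -p icmp -j firewall
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
iptables -A INPUT -j dropwall
'

# Print each /proc/sys path referenced outside comments that does not exist
# on this host. Returns 0 when every path exists, 1 otherwise.
missing_proc_paths() {
    script="$1"
    rc=0
    for p in $(printf '%s\n' "$script" | grep -v '^[[:space:]]*#' \
                 | grep -o '/proc/sys/[A-Za-z0-9_./]*'); do
        if [ ! -e "$p" ]; then
            printf 'missing sysctl path: %s\n' "$p"
            rc=1
        fi
    done
    return $rc
}

# Print each user chain named as a -j target but never created with -N.
# Built-in targets and chains are skipped. Returns 0 when all are defined.
undefined_chains() {
    script="$1"
    rc=0
    defined=$(printf '%s\n' "$script" | grep -v '^[[:space:]]*#' \
                | sed -n 's/.*iptables .*-N \([A-Za-z0-9_]*\).*/\1/p')
    for target in $(printf '%s\n' "$script" | grep -v '^[[:space:]]*#' \
                      | sed -n 's/.*iptables .*-j \([A-Za-z0-9_]*\).*/\1/p' \
                      | sort -u); do
        case "$target" in
            ACCEPT|DROP|REJECT|LOG|RETURN|MASQUERADE|DNAT|SNAT|REDIRECT) continue ;;
            INPUT|OUTPUT|FORWARD|PREROUTING|POSTROUTING) continue ;;
        esac
        if ! printf '%s\n' "$defined" | grep -qx "$target"; then
            printf 'jump to undefined chain: %s\n' "$target"
            rc=1
        fi
    done
    return $rc
}

# Usage: ./lint.sh --demo         (checks the embedded sample)
#        ./lint.sh /path/to/firewall
if [ "${1:-}" = "--demo" ]; then
    missing_proc_paths "$SAMPLE_SCRIPT"
    undefined_chains "$SAMPLE_SCRIPT"
elif [ -n "${1:-}" ] && [ -f "$1" ]; then
    missing_proc_paths "$(cat "$1")"
    undefined_chains "$(cat "$1")"
fi
```

On the attachment itself the first check reports the ip_foward path by name, which is the diagnosis the bare shell error hides. The second check is only an ordering hint: in the full script every chain is created before it is used, but the sample shows what the output looks like when a jump precedes its -N.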