Sorry I can't help you, since I know next to nothing about iptables.
However, Raul had recommended a good firewall script to me a while back,
and I'm very happy with it. You can find it at:
http://endoshield.sourceforge.net . Hth.

Greg

On Wed, Dec 26, 2001 at 09:51:29AM -0500, Deedra Waters wrote:
> My current firewall script is causing some problems with some things
> that I'm trying to do.... due to the fact that I don't know enough about
> Linux and iptables, I thought I'd try another firewall script that someone
> had posted to the list.
>
> The problem I'm having with the script is this..... when I try and run it
> I get this error...
> ./firewall: /proc/sys/net/ipv4/ip_foward: No such file or directory
> but the file appears to be there, so not really sure what I'm doing
> wrong. If I could get some help off list with this I'd appreciate it...
> I've attached the firewall script I'm trying to use to this message.
>
> #!/bin/bash
>
> iptables -F
> iptables -F INPUT
> iptables -F OUTPUT
> iptables -F FORWARD
> iptables -F -t mangle
> iptables -F -t nat
> iptables -X
>
> iptables -P INPUT DROP
> iptables -P OUTPUT ACCEPT
> iptables -P FORWARD ACCEPT
>
> #This enables ip forwarding, and thus by extension, NAT
> #Turn this on if you're going to be doing NAT or Masquerading
> echo 1 > /proc/sys/net/ipv4/ip_foward
>
> iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
>
> #This one maps port 80 to 192.168.1.1. Anything incoming over eth0 to
> #the server will be redirected invisibly to port 80 on 192.168.1.1
>
> #iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.1.60
> iptables -t nat -A PREROUTING -i eth0 -p tcp -s 0/0 --dport 80 -j ACCEPT
>
> #These four redirect a block of ports, in both udp and tcp.
>
> iptables -t nat -A PREROUTING -i eth0 -p udp --dport 2074:2076 -j DNAT --to 192.168.1.69
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 2074:2076 -j DNAT --to 192.168.1.69
> iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4074:4076 -j DNAT --to 192.168.1.69
> iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4074:4076 -j DNAT --to 192.168.1.69
>
> #Now, our firewall chain
> #We use the limit commands to cap the rate at which it alerts to 15
> #log messages per minute
> iptables -N firewall
> #iptables -A firewall -m limit --limit 15/minute -j LOG --log-prefix Firewall:
> iptables -A firewall -m limit --limit 15/minute -j LOG --log-prefix "fp=Firewall:1 a=DROP "
> iptables -A firewall -j DROP
>
> #Now, our dropwall chain, for the final catchall filter
> iptables -N dropwall
> # iptables -A dropwall -m limit --limit 15/minute -j LOG \
> # --log-level 1 --log-prefix "fp=Dropwall:2 a=DROP "
> iptables -A dropwall -i eth0 -p tcp --dport 80 -j ACCEPT
> iptables -A dropwall -j DROP
>
> #Our "hey, them's some bad tcp flags!" chain
> iptables -N badflags
> #iptables -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
> iptables -A badflags -m limit --limit 15/minute -j LOG --log-prefix "fp=Badflags:3 a=DROP "
> iptables -A badflags -j DROP
>
> #And our silent logging chain
> iptables -N silent
> iptables -A silent -j DROP
>
>
> #Accept ourselves (loopback interface), 'cause we're all warm and friendly
> iptables -A INPUT -i lo -j ACCEPT
>
> #Drop those nasty packets!
> #These are all TCP flag combinations that should never, ever occur in the
> #wild. All of these are illegal combinations that are used to attack a box
> #in various ways, so we just drop them and log them here.
> iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
> iptables -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
> iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
> iptables -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
> iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
> iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags
>
> #Drop icmp, but only after letting certain types through
> iptables -A INPUT -p icmp --icmp-type 0 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 3 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 11 -j ACCEPT
> iptables -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
> iptables -A INPUT -p icmp -j firewall
>
> #Accept SSH connections from everywhere.
> #Uncomment this if you're running SSH and want to be able to access it
> #from the outside world.
> #
> iptables -A INPUT -i eth1 -d 0/0 -p tcp --dport 21 -j ACCEPT
> iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -i eth1 -d 0/0 -p tcp --dport 22 -j ACCEPT
> iptables -A INPUT -i eth0 -d 0/0 -p tcp --dport 25 -j ACCEPT
> iptables -A INPUT -i eth1 -d 0/0 -j ACCEPT
>
> # We should not accept any datagrams with a source address matching ours
> # from the outside, so we deny them.
> iptables -A FORWARD -s 192.168.1.0/24 -i eth0 -j DROP
>
> #Lets do some basic state-matching
> #This allows us to accept related and established connections, so
> #client-side things like ftp work properly, for example.
> iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
> iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
>
> #Uncomment to drop port 137 netbios packets silently. We don't like
> #that netbios stuff, and it's #way too spammy with windows machines on
> #the network.
> #
> # iptables -A INPUT -p udp --sport 137 --dport 137 -j silent
> iptables -A INPUT -p udp --sport 137 --dport 137 -j ACCEPT
> iptables -A INPUT -p udp --sport 138 --dport 138 -j ACCEPT
> iptables -A INPUT -p udp --sport 139 --dport 139 -j ACCEPT
>
> #Our final trap. Everything on INPUT goes to the dropwall so we don't get silent drops
> iptables -A INPUT -j dropwall
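Added example, not part of the thread above and not from either poster: the error the quoted script produces comes from the shell, not from iptables. `./firewall: PATH: No such file or directory` is the format the shell uses when an output redirection (`echo 1 > PATH`) cannot open its target, and the kernel's IPv4 forwarding knob is `/proc/sys/net/ipv4/ip_forward`, while the script writes to `ip_foward`. The helper below wraps the sysctl write so a nonexistent path is reported together with the near-miss names in the same directory, instead of a bare redirection error. The function names (`set_knob`, `read_knob`, `demo`) are this example's own, and it exercises a constructed temporary directory standing in for `/proc/sys/net/ipv4` so it runs unprivileged and offline.

```shell
#!/bin/sh
# Added example (not from the thread): write a sysctl knob only after
# checking that the path exists, and name near-miss entries so a misspelt
# knob such as ip_foward is reported instead of failing with a bare
# "No such file or directory" from the redirection.

# set_knob PATH VALUE  -> returns 0 on success, 1 if PATH does not exist
set_knob() {
    knob=$1
    value=$2
    if [ ! -e "$knob" ]; then
        dir=$(dirname "$knob")
        name=$(basename "$knob")
        # Near-miss candidates: entries in the same directory that share
        # the first four characters of the requested name.
        prefix=$(printf '%s' "$name" | cut -c1-4)
        hint=$(ls "$dir" 2>/dev/null | grep "^$prefix" | tr '\n' ' ')
        printf 'firewall: %s: no such sysctl knob' "$knob" >&2
        [ -n "$hint" ] && printf ' (did you mean: %s)' "$hint" >&2
        printf '\n' >&2
        return 1
    fi
    printf '%s\n' "$value" > "$knob"
}

# read_knob PATH -> prints the knob's current value
read_knob() {
    cat "$1"
}

# Constructed stand-in for /proc/sys/net/ipv4 (hypothetical directory,
# created here so the example needs no root and touches no real sysctl).
FAKE_SYSCTL=$(mktemp -d)
printf '0\n' > "$FAKE_SYSCTL/ip_forward"

# demo -> 0 when the correct name is accepted and the misspelt name
# from the thread is rejected, 1 otherwise.
demo() {
    set_knob "$FAKE_SYSCTL/ip_forward" 1 || return 1
    set_knob "$FAKE_SYSCTL/ip_foward" 1 2>/dev/null && return 1
    return 0
}

demo && echo "ip_forward set to $(read_knob "$FAKE_SYSCTL/ip_forward"); ip_foward rejected"
```

In the real script, replacing `echo 1 > /proc/sys/net/ipv4/ip_foward` with `set_knob /proc/sys/net/ipv4/ip_forward 1` makes a mistyped path fail with a hint naming `ip_forward`. Running the script under `set -e` (or checking each `iptables` call's exit status) has the same defensive effect for the rule lines: a failing rule stops the script rather than leaving a partially built ruleset in place.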