Hi there,

The script I mentioned before. It's pretty simple and certainly could do
with improvement. But it keeps the very basic nasty stuff outside and lets
you do your stuff, i.e. let everything from the local network through to
the internet, and keep the bad internet out. Also don't allow anything but
the tunnel traffic and, if needed, the DHCP traffic on the external
interface through.

EXTERNAL_INT="eth?"         # your external interface, the one connected to
                            # your adsl modem
INTERNAL_INT="eth?"         # your internal network interface
VPN_INT="ppp?"              # this is your pppoe interface (probably ppp0)
INTERNAL_IPADDR="1.2.3.4"   # your internal network interface ip address,
                            # assuming it is static, or else cut and paste a
                            # bit below
INTERNAL_NETWORK="1.2.3.0/24" # your internal network in cidr notation
                            # (used by the FORWARD and ssh rules below; this
                            # variable was missing from the original posting)
EXTERNAL_IPADDR="1.2.3.4"   # your external interface ip address
                            # comment this line out and uncomment the lines
                            # below if it is dynamic
# the 2 lines below should both be uncommented if you got dynamic ip
# (note: "EXTERNAL_IPADDR= \" with a space after the "=" assigns nothing and
# then executes the ifconfig output as a command, so keep it on one line)
#EXTERNAL_IPADDR=`ifconfig $EXTERNAL_INT | \
#sed -ne 's/.*addr:\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\).*/\1/p'`
VPN_IPADDR="1.2.3.4"        # if you got static ip on the vpn interface
# also uncomment the 2 lines below if your ppp address is dynamic
#VPN_IPADDR=`ifconfig $VPN_INT | \
#sed -ne 's/.*addr:\([0-9]\+\.[0-9]\+\.[0-9]\+\.[0-9]\+\).*/\1/p'`
VPN_SERVER="1.2.3.4"        # the pppoe/vpn server you tunnel to (used by the
                            # ppp rules below; this variable was missing from
                            # the original posting)
DHCP_SERVER="1.2.3.4"       # if you have dhcp on your external interface
IPTABLES="/path/to/iptables" # use `which iptables` as root to find
                            # out what this should be
PPP_PORT="????"             # fill in the port adsl uses (beats me
                            # what that is)
                            # this script assumes it connects from the
                            # same port to the same port
                            # if not adjust the proper source and
                            # destination ports
BROADCAST_SRC="0.0.0.0"             # broadcast source address
BROADCAST_DEST="255.255.255.255"    # broadcast destination address
PRIVPORTS="0:1023"                  # well-known, privileged port range
UNPRIVPORTS="1024:65535"            # unprivileged port range

# flush all existing chains and erase all personal chains
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for I in $CHAINS; do $IPTABLES -t $I -F; done
for I in $CHAINS; do $IPTABLES -t $I -X; done

# default policies
$IPTABLES -t filter -P INPUT DROP
$IPTABLES -t filter -P OUTPUT DROP
$IPTABLES -t filter -P FORWARD DROP

# accept local traffic
$IPTABLES -A INPUT -i lo -d 127.0.0.1 -j ACCEPT
$IPTABLES -A OUTPUT -o lo -d 127.0.0.1 -j ACCEPT

# connection tracking and some logging for the INPUT, OUTPUT and
# FORWARD chain
# this allows tracking of existing connections
# this does not allow new traffic
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state INVALID -j LOG \
    --log-prefix "INVALID input: "
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG \
    --log-prefix "INVALID output: "
# LOG first, then DROP: a DROP is terminal, so a LOG rule placed after it
# is never reached
$IPTABLES -A FORWARD -i $INTERNAL_INT -m state --state INVALID -j LOG \
    --log-prefix "INVALID forward: "
$IPTABLES -A FORWARD -i $INTERNAL_INT -m state --state INVALID -j DROP

# DHCP: this bit is for dhcp traffic (if you need it)
# if you don't need it comment it out
$IPTABLES -A OUTPUT -o $EXTERNAL_INT -p udp \
    -s $BROADCAST_SRC --sport 68 \
    -d $DHCP_SERVER --dport 67 -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INT -p udp \
    -s $DHCP_SERVER --sport 67 \
    -d $BROADCAST_DEST --dport 68 -j ACCEPT

# allow ppp traffic on the external interface
$IPTABLES -A OUTPUT -o $EXTERNAL_INT -p udp \
    -s $EXTERNAL_IPADDR --sport $PPP_PORT \
    -d $VPN_SERVER --dport $PPP_PORT \
    -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i $EXTERNAL_INT -p udp \
    -s $VPN_SERVER --sport $PPP_PORT \
    -d $EXTERNAL_IPADDR --dport $PPP_PORT \
    -m state --state NEW -j ACCEPT

# at this point the gateway accepts only dhcp traffic on
# its external interface and ppp traffic
# the next rule allows all the traffic on the internal
# interface to be forwarded to another interface
# i.e. no traffic can come in via your external interface
# or ppp interface (unless it's a reply to your traffic from
# the internal interface)
$IPTABLES -A FORWARD -i $INTERNAL_INT -s $INTERNAL_NETWORK \
    -m state --state NEW -j ACCEPT

# no connections to your gateway are allowed in this script
# you need to open up a port for that or log in on the console
# example for ssh connections via the internal interface
# to the gateway machine
$IPTABLES -A INPUT -i $INTERNAL_INT -p tcp \
    -s $INTERNAL_NETWORK --sport $UNPRIVPORTS \
    -d $INTERNAL_IPADDR --dport 22 \
    -m state --state NEW -j ACCEPT
# end script

Note: if you have dhcp on your external interface or a ppp connection, this
script will only work after the ppp connection and the external interface
are up.

Regards
Rob

On Sun, 2003-08-10 at 13:53, rverduij@xxxxxx wrote:
> Hi there,
>
> I used to have adsl, I got cable now.
>
> You need to set up a firewall configuration on your ppp0 interface.
> (assuming ppp0 is the interface you tunnel through)
>
> Because if you block on your eth1 and/or eth0 all the traffic still gets
> through to your machine, unless you have issued global rules which block all
> interfaces.
>
> On your eth1 card you could set up filtering rules if you don't trust the
> network the eth1 network card is connected to.
>
> If you do, remember to allow the traffic that builds the vpn (your pppoe
> tunneling).
> And if you use a dynamic ip on your eth1 device, allow dhcp traffic as well.
>
> I'm currently not at my own pc, but I'll post an example tomorrow for you.
>
> Regards
> Rob
>
>
> Quoting Mario Meríngolo <mmeringolo@xxxxxxxxxxxx>:
>
> > I'm starting with this iptables stuff and trying to manage a home network
> > through linux and adsl + pppoe
> >
> > I have two simple questions.
> >
> > I have my adsl router connected to my eth1
> >
> > When I'm setting my iptables rules, should I think that eth0 routes packages
> > through eth1 to ppp0 ?
> >
> > Because, if that is, my drop rules should be defined on eth1, and my input
> > ones on eth0
> >
> > Or should I think that eth1 does not matter and my reliable is eth0 and my
> > unreliable ppp0 ?
> >
> > Please forgive my crude English
> >
> > Thanx
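As an added example (not Rob's script and not from anyone on the list), the
following POSIX shell script shows two checks a practitioner would want before
loading a gateway ruleset like the one above: a dry-run mode that records every
rule to a file instead of calling iptables, plus a lint pass that catches the
ordering mistake where an INVALID-state DROP sits in front of its LOG rule (the
LOG then never fires), and a small parser that replaces the ifconfig/sed
address extraction for dynamic addresses and also understands the "inet
1.2.3.4/24" form printed by "ip -4 -o addr". The interface names, addresses,
the RULES_FILE path and the sample ifconfig/ip lines in the test are
placeholders chosen for this example; "set -u" makes the script abort on an
unset variable, which is the failure the posted script's missing VPN_SERVER
and INTERNAL_NETWORK would otherwise hit silently.

```shell
#!/bin/sh
# Added example, not the script from the posting above: build a gateway
# ruleset in dry-run mode and lint it before it touches the kernel.
# Interface names, addresses and file names are placeholders for the example.
set -u   # an unset variable (e.g. a missing VPN_SERVER) aborts the run

EXTERNAL_INT="eth1"
INTERNAL_INT="eth0"
INTERNAL_NETWORK="192.168.1.0/24"
INTERNAL_IPADDR="192.168.1.1"
UNPRIVPORTS="1024:65535"
RULES_FILE="${TMPDIR:-/tmp}/gateway-rules.$$"

# extract_ipv4 TEXT: first IPv4 address in TEXT, accepting both the old
# "inet addr:1.2.3.4" ifconfig form and the "inet 1.2.3.4/24" form of
# "ip -4 -o addr show dev eth1"; inet6 lines never match. Prints nothing
# when no address is found, so callers can test for an empty result.
extract_ipv4() {
    printf '%s\n' "$1" |
        sed -ne 's/.*inet \(addr:\)\{0,1\}\([0-9][0-9.]*\).*/\2/p' |
        head -n 1
}

# rule ARGS...: dry-run stand-in for "$IPTABLES ARGS..."; records the rule
# in RULES_FILE instead of loading it.
rule() {
    printf '%s\n' "$*" >> "$RULES_FILE"
}

build_ruleset() {
    : > "$RULES_FILE"
    rule -P INPUT DROP
    rule -P OUTPUT DROP
    rule -P FORWARD DROP
    rule -A INPUT -i lo -j ACCEPT
    rule -A OUTPUT -o lo -j ACCEPT
    rule -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    rule -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # LOG must precede DROP in each chain: DROP is terminal, so a LOG rule
    # appended after it is never evaluated.
    for chain in INPUT OUTPUT FORWARD; do
        rule -A "$chain" -m state --state INVALID -j LOG --log-prefix "INVALID $chain: "
        rule -A "$chain" -m state --state INVALID -j DROP
    done
    rule -A FORWARD -i "$INTERNAL_INT" -s "$INTERNAL_NETWORK" \
        -m state --state NEW -j ACCEPT
    rule -A INPUT -i "$INTERNAL_INT" -p tcp -s "$INTERNAL_NETWORK" \
        --sport "$UNPRIVPORTS" -d "$INTERNAL_IPADDR" --dport 22 \
        -m state --state NEW -j ACCEPT
}

# lint_ruleset FILE: returns 0 if every INVALID DROP in INPUT, OUTPUT and
# FORWARD is preceded by an INVALID LOG in the same chain, 1 otherwise.
lint_ruleset() {
    lint_file="$1"
    lint_status=0
    for chain in INPUT OUTPUT FORWARD; do
        log_line=$(grep -n -- "-A $chain .*--state INVALID .*-j LOG" "$lint_file" | head -n 1 | cut -d: -f1)
        drop_line=$(grep -n -- "-A $chain .*--state INVALID .*-j DROP" "$lint_file" | head -n 1 | cut -d: -f1)
        if [ -n "$drop_line" ] && { [ -z "$log_line" ] || [ "$log_line" -gt "$drop_line" ]; }; then
            echo "lint: $chain drops INVALID packets (line $drop_line) before logging them" >&2
            lint_status=1
        fi
    done
    return $lint_status
}

build_ruleset
if lint_ruleset "$RULES_FILE"; then
    echo "ruleset written to $RULES_FILE; review it, then replay each line with iptables"
fi
```

Run it as-is to get the recorded rules in the file it names; to load them for
real, replace the body of rule() with a call to the iptables binary. The lint
only knows about the LOG/DROP ordering of INVALID packets because that is the
mistake the flattened script made; any other policy check (for instance, that
no ACCEPT for NEW state appears on the external interface) can be added as a
further grep in the same style.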