Can someone look over my rc script. I'm relatively new to iptables, so I
just want to make sure I'm not doing something that's just totally insane.
Any input on this would be nice, I'm still trying to figure out exactly
how secure i want to get with this.
Thanks,
Kelly Shutt
##!/bin/sh
echo -e "- rc.firewall ruleset -"
#IPTABLES=/sbin/iptables
IPTABLES=/usr/sbin/iptables
echo "Verifying that all kernel modules are ok"
/sbin/depmod -a
#/sbin/insmod ip_nat_ftp
#/sbin/insmod ip_conntrack_ftp
echo "Enabling packet forwarding in the kernel"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "Enabling dynamic addressing measures"
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
echo "Flushing old IP Tables"
$IPTABLES -F
$IPTABLES -X
echo "Setting the INPUT policies"
$IPTABLES -P INPUT REJECT
echo " -Setting tcp packet policies"
$IPTABLES -A INPUT -p tcp --dport 21 -j ACCEPT #ftp
$IPTABLES -A INPUT -p tcp --dport 22 -j ACCEPT #ssh
$IPTABLES -A INPUT -p tcp --dport 25 -j ACCEPT #smtp
$IPTABLES -A INPUT -p tcp --dport 37 -j ACCEPT #time
$IPTABLES -A INPUT -p tcp --dport 53 -j ACCEPT #domain
$IPTABLES -A INPUT -p tcp --dport 80 -j ACCEPT #http
$IPTABLES -A INPUT -p tcp --dport 113 -j ACCEPT #auth
$IPTABLES -A INPUT -p tcp --dport 3333 -j ACCEPT #eggdrop
echo " -Setting icmp packet policies"
$IPTABLES -A INPUT -p icmp --icmp-type 8 -j ACCEPT #echo
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT #time extend
echo " -Setting udp packet policies"
$IPTABLES -A INPUT -p udp --dport 53 -j ACCEPT #domain
$IPTABLES -A INPUT -p udp -i eth1 --dport 67 --sport 68 -j ACCEPT #dhcp requests
echo "Setting the OUTPUT policies"
$IPTABLES -P OUTPUT ACCEPT
echo "Setting the FORWARD policies"
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp --dport 3389 -i eth0 -j DNAT --to-destination 192.168.0.2-192.168.0.100
echo "Enabling SNAT (IPMASQ) functionality on eth0"
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo -e "\nDone.\n"