--- "Piszcz, Justin Michael" <justin.piszcz@xxxxxxxxxxxx> wrote:
> This is one of the first iptables firewalls I made
> (2-3 years ago) and
> it does exactly that.
> Let me know if it works for you, thanks.
>

Thanks for your sample firewall. Since my server is not connected to a LAN, I have disabled your LAN-related rules. All my modifications are marked with "<<== Sagara". This is what I have tried:

#!/bin/sh
fw_start() {
#######################################
# STEP 1 - SET VARIABLES
#######################################
# YOUR LOCAL LOOPBACK DEVICE
LB="lo"
# YOUR PRIVATE INTERFACE
#LAN="eth0" <<== Sagara
# YOUR PRIVATE LAN IP
#LIP="192.168.0.253" <<== Sagara
# YOUR LOCAL AREA NETWORK
#LSAT="192.168.0.0/24" <<== Sagara
# YOUR INTERNET INTERFACE
#INET="eth1" <<== Sagara
INET="eth0"
# THE PATH TO IPTABLES
#IPTABLES="/usr/sbin/iptables" <<== Sagara
IPTABLES="/sbin/iptables"
#######################################
# STEP 2 - TURN ON IP FORWARDING
#######################################
#echo "1" > /proc/sys/net/ipv4/ip_forward <<== Sagara
#######################################
# STEP 3 - FLUSH EXISTING RULES
#######################################
$IPTABLES --flush INPUT
$IPTABLES --flush OUTPUT
$IPTABLES --flush FORWARD
#######################################
# STEP 4 - SET DEFAULT POLICIES
#######################################
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
#######################################
# STEP 5 - CREATE DEFAULT BLOCK CHAIN
#######################################
$IPTABLES -N BLOCK
$IPTABLES -A BLOCK -j LOG --log-level 3 --log-prefix "BLOCK: "
$IPTABLES -A BLOCK -j DROP
#######################################
# STEP 6 - SETUP MASQUERADING
#######################################
#$IPTABLES -t nat -A POSTROUTING -o $INET -j MASQUERADE <<== Sagara
#######################################
# STEP 7 - ALLOW LOCAL ENTITIES
#######################################
# ALLOW LOOPBACK
$IPTABLES -A INPUT -i $LB -j ACCEPT
# ALLOW LOCAL AREA NETWORK
#$IPTABLES -A INPUT -i $LAN -s $LSAT -j ACCEPT <<== Sagara
#######################################
# STEP 8 - ALLOW SPECIFC TRAFFIC
#######################################
# EXAMPLE OF WHERE AND HOW TO ALLOW INBOUND TRAFFIC.
$IPTABLES -A INPUT -i $INET -p tcp --dport 21 -j ACCEPT
$IPTABLES -A INPUT -i $INET -p tcp --dport 22 -j ACCEPT
#######################################
# STEP 9 - ALLOW IN WHAT WE SEND OUT
#######################################
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#######################################
# STEP 10 - DENY EVERYTHING NOT ALLOWED
#######################################
$IPTABLES -A INPUT -j BLOCK
#######################################
}
fw_stop() {
#IPTABLES="/usr/sbin/iptables" <<== Sagara
IPTABLES="/sbin/iptables"
$IPTABLES --flush INPUT
$IPTABLES --flush OUTPUT
$IPTABLES --flush FORWARD
$IPTABLES --flush BLOCK
$IPTABLES --delete-chain BLOCK
}
fw_restart() {
fw_stop
fw_start
}
case "$1" in
'start')
fw_start
;;
'stop')
fw_stop
;;
'restart')
fw_restart
;;
*)
echo "usage $0 start|stop|restart"
esac

This is the result of a passive-mode FTP connection attempt:

Jun 21 22:56:07 svr1 kernel: BLOCK: IN=eth0 OUT= MAC=00:e0:29:34:b3:58:00:e0:29:34:bb:36:08:00 SRC=[client IP addr] DST=[server IP addr] LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61616 DF PROTO=TCP SPT=32936 DPT=64638 WINDOW=5840 RES=0x00 SYN URGP=0

Please let me know whether I have made a mistake.

[Reviewer's note: the logged packet is the client's SYN to TCP port 64638 on the server, i.e. the data connection of a passive-mode transfer, which the port-21 ACCEPT rule does not cover. In the script above only the `--state ESTABLISHED,RELATED` rule could admit it, and the kernel classifies that SYN as RELATED only when the FTP connection-tracking helper (ip_conntrack_ftp on 2.4/2.6 kernels, nf_conntrack_ftp on later ones) is loaded, which this script never does; loading the helper before `start`, or, if the FTP server is pinned to a fixed passive port range, explicitly accepting that range on $INET, is the usual fix. Two further caveats: fw_stop flushes the rules but leaves the INPUT policy at DROP, so `stop` and the window inside `restart` block all inbound traffic including loopback and the SSH session used to run it — reset the chain policies to ACCEPT in fw_stop; and port 21 is cleartext FTP exposed on the Internet interface, so credentials cross the network unencrypted.]

Kind regards
Sagara

__________________________________
Do you Yahoo!?
Yahoo! Mail - You care about security. So do we.
http://promotions.yahoo.com/new_mail