PDA

Bekijk de volledige versie : How to configure Firewall/iptables



samoht
21-07-2005, 21:56
After I had some trouble with configuering my firewall, I think it could be useful to show you my working post-firewall script:


#!/bin/sh

### Info
# $1 WAN_IF $2 WAN_IP
# $3 LAN_IF $4 LAN_IP
# $5 DMZ_IF $6 DMZ_IP

# Set default policy
iptables -P INPUT DROP

# Delete last rule
iptables -D INPUT -j DROP

# Delete rules of user defined chains
iptables -F MACS
iptables -F logaccept
iptables -F logdrop

# Delete user defined chains
iptables -X MACS
iptables -X logaccept
iptables -X logdrop

# Create new chain logdrop. This act as subprogram you can easy use in other chains
iptables -N logdrop
iptables -A logdrop -j LOG --log-prefix "BLOCKED: " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A logdrop -j DROP

# Accept packets for internal Server
iptables -A INPUT -p tcp -s 0/0 --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 81 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 666 -j ACCEPT

# Log not accepted packets. Uses the new created chain "logdrop" to log and drop easily.
iptables -A INPUT -j logdrop

# Accepts packets for forwarding (virtual server)
iptables -A FORWARD -i $1 -p tcp --dport 5060:5061 --destination 192.168.1.5 -j ACCEPT
iptables -A FORWARD -i $1 -p udp --dport 5060:5061 --destination 192.168.1.5 -j ACCEPT
iptables -A FORWARD -i $1 -p udp --dport 16384:16482 --destination 192.168.1.5 -j ACCEPT
iptables -A FORWARD -i $1 -p tcp --dport 5121 --destination 192.168.1.57 -j ACCEPT
iptables -A FORWARD -i $1 -p udp --dport 5121 --destination 192.168.1.57 -j ACCEPT
iptables -A FORWARD -i $1 -p tcp --dport 6121 --destination 192.168.1.57 -j ACCEPT
iptables -A FORWARD -i $1 -p udp --dport 6121 --destination 192.168.1.57 -j ACCEPT
iptables -A FORWARD -i $1 -p tcp --dport 6900 --destination 192.168.1.57 -j ACCEPT
iptables -A FORWARD -i $1 -p udp --dport 6900 --destination 192.168.1.57 -j ACCEPT

# Forwarding to other clients in LAN
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 5060:5061 -j DNAT --to-destination 192.168.1.5
iptables -t nat -A PREROUTING -i $1 -p udp --dport 5060:5061 -j DNAT --to-destination 192.168.1.5
iptables -t nat -A PREROUTING -i $1 -p udp --dport 16384:16482 -j DNAT --to-destination 192.168.1.5
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 5121 -j DNAT --to-destination 192.168.1.57
iptables -t nat -A PREROUTING -i $1 -p udp --dport 5121 -j DNAT --to-destination 192.168.1.57
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 6121 -j DNAT --to-destination 192.168.1.57
iptables -t nat -A PREROUTING -i $1 -p udp --dport 6121 -j DNAT --to-destination 192.168.1.57
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 6900 -j DNAT --to-destination 192.168.1.57
iptables -t nat -A PREROUTING -i $1 -p udp --dport 6900 -j DNAT --to-destination 192.168.1.57

# Make local port 81 accessable from WAN with port 80
iptables -t nat -A PREROUTING -i $1 -p tcp --dport 80 -j DNAT --to-destination $4:81

# Start WONDERSHAPER
/sbin/wshaper start "$1" 1800 270

One big problem I had was, that the webserver was no longer available from WAN when logging dropped packets was set via Webinterface. This inserts a "log and drop rule" that is placed before accepting packets for the INPUT chain...

In my webinterface I have following settings now and seems to work fine:

Disabled:

Port Trigger
Virtual Server
Virtual DMZ
LAN to WAN Filter
WAN to LAN Filter
MAC Filter
URL Filter


Enabled:

Firewall
Logged packets type: None
Enable Web Access from WAN: No
Respond LPR Request from WAN: No
Respond Ping Request from WAN: No

FilimoniC
10-08-2005, 07:51
Lamer's question:
what means wan_IF and _IP? Explain please in traditional English (I'm very bad in English)

macsat
10-08-2005, 09:17
_IP = IpAddress...so :

LAN_IP = IP Adress of the LAN interface.

_IF = InterFace

LAN_IF = LAN Interface.

rexster
14-08-2005, 02:28
how to block ALL outgoing, then,
open Only the ports we use, like web, mail, chat, etc...