samoht
21-07-2005, 20:56
After I had some trouble with configuring my firewall, I think it could be useful to show you my working post-firewall script:
#!/bin/sh
### Info: arguments passed by the router to the post-firewall script
# $1 WAN_IF $2 WAN_IP
# $3 LAN_IF $4 LAN_IP
# $5 DMZ_IF $6 DMZ_IP
# Set default policy
iptables -P INPUT DROP
# Delete the existing catch-all DROP rule at the end of INPUT
iptables -D INPUT -j DROP
# Flush the rules of the user-defined chains (errors for chains that do not exist are harmless)
iptables -F MACS
iptables -F logaccept
iptables -F logdrop
# Delete the user-defined chains
iptables -X MACS
iptables -X logaccept
iptables -X logdrop
# Create the new chain logdrop. It acts as a subroutine you can easily jump to from other chains
iptables -N logdrop
iptables -A logdrop -j LOG --log-prefix "BLOCKED: " --log-tcp-sequence --log-tcp-options --log-ip-options
iptables -A logdrop -j DROP
# Accept packets for the internal servers (from any source)
iptables -A INPUT -p tcp -s 0/0 --dport 20 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 21 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 81 -j ACCEPT
iptables -A INPUT -p tcp -s 0/0 --dport 666 -j ACCEPT
# Log everything that was not accepted. Uses the newly created chain "logdrop" to log and drop in one step.
# This must stay the last rule in INPUT, after all ACCEPT rules.
iptables -A INPUT -j logdrop
# Accept packets for forwarding (virtual server) arriving on the WAN interface
iptables -A FORWARD -i "$1" -p tcp --dport 5060:5061 --destination 192.168.1.5 -j ACCEPT
iptables -A FORWARD -i "$1" -p udp --dport 5060:5061 --destination 192.168.1.5 -j ACCEPT
iptables -A FORWARD -i "$1" -p udp --dport 16384:16482 --destination 192.168.1.5 -j ACCEPT
iptables -A FORWARD -i "$1" -p tcp --dport 5121 --destination 192.168.1.57 -j ACCEPT
iptables -A FORWARD -i "$1" -p udp --dport 5121 --destination 192.168.1.57 -j ACCEPT
iptables -A FORWARD -i "$1" -p tcp --dport 6121 --destination 192.168.1.57 -j ACCEPT
iptables -A FORWARD -i "$1" -p udp --dport 6121 --destination 192.168.1.57 -j ACCEPT
iptables -A FORWARD -i "$1" -p tcp --dport 6900 --destination 192.168.1.57 -j ACCEPT
iptables -A FORWARD -i "$1" -p udp --dport 6900 --destination 192.168.1.57 -j ACCEPT
# DNAT (port forwarding) to the clients in the LAN; the FORWARD rules above let the translated packets through
iptables -t nat -A PREROUTING -i "$1" -p tcp --dport 5060:5061 -j DNAT --to-destination 192.168.1.5
iptables -t nat -A PREROUTING -i "$1" -p udp --dport 5060:5061 -j DNAT --to-destination 192.168.1.5
iptables -t nat -A PREROUTING -i "$1" -p udp --dport 16384:16482 -j DNAT --to-destination 192.168.1.5
iptables -t nat -A PREROUTING -i "$1" -p tcp --dport 5121 -j DNAT --to-destination 192.168.1.57
iptables -t nat -A PREROUTING -i "$1" -p udp --dport 5121 -j DNAT --to-destination 192.168.1.57
iptables -t nat -A PREROUTING -i "$1" -p tcp --dport 6121 -j DNAT --to-destination 192.168.1.57
iptables -t nat -A PREROUTING -i "$1" -p udp --dport 6121 -j DNAT --to-destination 192.168.1.57
iptables -t nat -A PREROUTING -i "$1" -p tcp --dport 6900 -j DNAT --to-destination 192.168.1.57
iptables -t nat -A PREROUTING -i "$1" -p udp --dport 6900 -j DNAT --to-destination 192.168.1.57
# Make local port 81 (on the LAN IP) reachable from the WAN on port 80
iptables -t nat -A PREROUTING -i "$1" -p tcp --dport 80 -j DNAT --to-destination "$4":81
# Start WONDERSHAPER (traffic shaping) on the WAN interface
/sbin/wshaper start "$1" 1800 270
One big problem I had was that the webserver was no longer available from the WAN when logging of dropped packets was enabled via the web interface. This inserts a "log and drop" rule that is placed before the accept rules in the INPUT chain...
In my web interface I now have the following settings, and it seems to work fine:
Disabled:
Port Trigger
Virtual Server
Virtual DMZ
LAN to WAN Filter
WAN to LAN Filter
MAC Filter
URL Filter
Enabled:
Firewall
Logged packets type: None
Enable Web Access from WAN: No
Respond LPR Request from WAN: No
Respond Ping Request from WAN: No
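The ordering problem described in the post (a log/drop rule inserted ahead of the ACCEPT rules silently shadows them) can be checked mechanically. The following is an added example, not code from samoht's post: a POSIX sh function that reads `iptables -S INPUT`-style output and reports every ACCEPT rule that sits after an unconditional terminal rule. The `logdrop` chain name is taken from the script above; the two chain listings are constructed samples.

```shell
#!/bin/sh
# Added example, not part of samoht's post: detect ACCEPT rules that are
# shadowed by an unconditional log/drop rule placed ahead of them in INPUT.
# Input is the text of `iptables -S INPUT` (one rule per line, single chain).

# Constructed sample: the broken order the post describes, where the web
# interface inserted a LOG + DROP pair before the accept rules.
BROKEN_CHAIN='-P INPUT DROP
-A INPUT -j LOG --log-prefix "DROP "
-A INPUT -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 81 -j ACCEPT'

# Constructed sample: the order produced by the post-firewall script.
GOOD_CHAIN='-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 81 -j ACCEPT
-A INPUT -j logdrop'

# shadowed_accepts CHAIN_TEXT [TERMINAL_USER_CHAINS]
# Prints every ACCEPT rule that follows an unconditional terminal rule, i.e.
# a rule with no match criteria ("-A CHAIN -j TARGET") whose target is DROP,
# REJECT or one of the user chains named in the second argument (default:
# logdrop, the chain from the post). Returns 0 when nothing is shadowed.
shadowed_accepts() {
    printf '%s\n' "$1" | awk -v extra="${2:-logdrop}" '
        BEGIN {
            term["DROP"] = 1; term["REJECT"] = 1
            n = split(extra, t, " ")
            for (i = 1; i <= n; i++) term[t[i]] = 1
        }
        $1 == "-P" { next }                 # policy line, not a rule
        NF == 4 && $3 == "-j" && ($4 in term) { blocked = 1; next }
        blocked && $NF == "ACCEPT" { print; bad = 1 }
        END { exit (bad + 0) }
    '
}

# Usage on a live router: shadowed_accepts "$(iptables -S INPUT)"
if shadowed_accepts "$BROKEN_CHAIN" >/dev/null; then
    echo "broken sample: no shadowed rules (unexpected)"
else
    echo "broken sample: ACCEPT rules shadowed by an earlier DROP:"
    shadowed_accepts "$BROKEN_CHAIN"
fi
if shadowed_accepts "$GOOD_CHAIN" >/dev/null; then
    echo "good sample: every ACCEPT rule is reachable"
fi
```

The check only looks at one chain at a time, so feed it `iptables -S INPUT` rather than a full table dump.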