
Thread: How to configure Firewall/iptables

  1. #1
    Join Date: Jun 2005 | Location: Karlsruhe, Germany | Posts: 44

    How to configure Firewall/iptables

    After I had some trouble with configuring my firewall, I think it could be useful to show you my working post-firewall script:

    Code:
    #!/bin/sh
    
    ### Info
    # $1 WAN_IF  $2 WAN_IP
    # $3 LAN_IF  $4 LAN_IP
    # $5 DMZ_IF  $6 DMZ_IP
    
    # Set default policy 
    iptables -P INPUT DROP
    
    # Delete last rule
    iptables -D INPUT -j DROP
    
    # Delete rules of user defined chains
    iptables -F MACS
    iptables -F logaccept
    iptables -F logdrop
    
    # Delete user defined chains
    iptables -X MACS
    iptables -X logaccept
    iptables -X logdrop
    
    # Create new chain logdrop. This acts as a subprogram you can easily use in other chains
    iptables -N logdrop
    iptables -A logdrop -j LOG --log-prefix "BLOCKED: " --log-tcp-sequence --log-tcp-options --log-ip-options
    iptables -A logdrop -j DROP
    
    # Accept packets for internal Server
    iptables -A INPUT -p tcp -s 0/0 --dport 20 -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 --dport 21 -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 --dport 81 -j ACCEPT
    iptables -A INPUT -p tcp -s 0/0 --dport 666 -j ACCEPT
    
    # Log not accepted packets. Uses the newly created chain "logdrop" to log and drop easily.
    iptables -A INPUT -j logdrop
    
    # Accepts packets for forwarding (virtual server)
    iptables -A FORWARD -i $1 -p tcp --dport 5060:5061 --destination 192.168.1.5 -j ACCEPT
    iptables -A FORWARD -i $1 -p udp --dport 5060:5061 --destination 192.168.1.5 -j ACCEPT
    iptables -A FORWARD -i $1 -p udp --dport 16384:16482 --destination 192.168.1.5 -j ACCEPT
    iptables -A FORWARD -i $1 -p tcp --dport 5121 --destination 192.168.1.57 -j ACCEPT
    iptables -A FORWARD -i $1 -p udp --dport 5121 --destination 192.168.1.57 -j ACCEPT
    iptables -A FORWARD -i $1 -p tcp --dport 6121 --destination 192.168.1.57 -j ACCEPT
    iptables -A FORWARD -i $1 -p udp --dport 6121 --destination 192.168.1.57 -j ACCEPT
    iptables -A FORWARD -i $1 -p tcp --dport 6900 --destination 192.168.1.57 -j ACCEPT
    iptables -A FORWARD -i $1 -p udp --dport 6900 --destination 192.168.1.57 -j ACCEPT
    
    # Forwarding to other clients in LAN
    iptables -t nat -A PREROUTING -i $1 -p tcp --dport 5060:5061 -j DNAT --to-destination 192.168.1.5
    iptables -t nat -A PREROUTING -i $1 -p udp --dport 5060:5061 -j DNAT --to-destination 192.168.1.5
    iptables -t nat -A PREROUTING -i $1 -p udp --dport 16384:16482 -j DNAT --to-destination 192.168.1.5
    iptables -t nat -A PREROUTING -i $1 -p tcp --dport 5121 -j DNAT --to-destination 192.168.1.57
    iptables -t nat -A PREROUTING -i $1 -p udp --dport 5121 -j DNAT --to-destination 192.168.1.57
    iptables -t nat -A PREROUTING -i $1 -p tcp --dport 6121 -j DNAT --to-destination 192.168.1.57
    iptables -t nat -A PREROUTING -i $1 -p udp --dport 6121 -j DNAT --to-destination 192.168.1.57
    iptables -t nat -A PREROUTING -i $1 -p tcp --dport 6900 -j DNAT --to-destination 192.168.1.57
    iptables -t nat -A PREROUTING -i $1 -p udp --dport 6900 -j DNAT --to-destination 192.168.1.57
    
    # Make local port 81 accessible from WAN on port 80
    iptables -t nat -A PREROUTING -i $1 -p tcp --dport 80 -j DNAT --to-destination $4:81
    
    # Start WONDERSHAPER
    /sbin/wshaper start "$1" 1800 270

    One big problem I had was that the web server was no longer available from WAN when logging dropped packets was set via the web interface. This inserts a "log and drop" rule that is placed before the rules accepting packets in the INPUT chain...

    In my web interface I have the following settings now, and they seem to work fine:

    Disabled:
    • Port Trigger
    • Virtual Server
    • Virtual DMZ
    • LAN to WAN Filter
    • WAN to LAN Filter
    • MAC Filter
    • URL Filter


    Enabled:
    • Firewall
    • Logged packets type: None
    • Enable Web Access from WAN: No
    • Respond LPR Request from WAN: No
    • Respond Ping Request from WAN: No


  2. #2
    Lamer's question:
    What do WAN_IF and _IP mean? Please explain in traditional English (I'm very bad at English).

  3. #3
    _IP = IP address... so:

    LAN_IP = IP address of the LAN interface.

    _IF = interface

    LAN_IF = LAN interface.
    macsat
    http://www.macsat.com - Tutorials and information on using ASUS WL-500G and family.

  4. #4
    How to block ALL outgoing, then open only the ports we use, like web, mail, chat, etc.?
    aztech adsl router -> asus wl500g w/ 1.9.2.7-5a fw -> linksys wrt54g w/ dd-wrt & hyperwrt as WDS

    http://www.ngobrol.com
