Hi. I have a personal network at home. One machine serves as a router for the network. It is linked to a DSL box on eth0, and to my personal network on eth1.

This is the iptables script I use on the router:

---> Begin /etc/rc.d/rc.iptables

#!/bin/sh
# Begin $rc_base/rc.iptables

echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."
echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.linuxfromscratch.org/blfs"
echo

# Insert iptables modules (not needed if built into the kernel).
# modprobe ip_tables
# modprobe iptable_filter
# modprobe ip_conntrack
# modprobe ip_conntrack_ftp
# modprobe ipt_state
# modprobe iptable_nat
# modprobe ip_nat_ftp
# modprobe ipt_MASQUERADE
# modprobe ipt_LOG
# modprobe ipt_REJECT

# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Disable Source Routed Packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Disable ICMP Redirect Acceptance
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don't send Redirect Messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible addresses.
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 > /proc/sys/net/ipv4/ip_dynaddr

# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 > /proc/sys/net/ipv4/tcp_ecn

# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP

# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F

---> End /etc/rc.d/rc.iptables

# Allow local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT

# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow Samba transfers on the intranet
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A OUTPUT -o eth1 -j ACCEPT

# To avoid ftp delays, reject the identd requests with a 'tcp-reset'
iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

# Your caching name server (e.g., named) does its lookups via UDP:
# iptables -A OUTPUT -p udp --dport 53 -j ACCEPT

# Anything coming from the outside should not have a private address,
# this is a common attack called IP-spoofing:
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP

# Allow forwarding if initiated on the intranet
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ! eth0 -m state --state NEW -j ACCEPT

# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j DNAT \
    --to-destination 192.168.10.8:119
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4661 -j DNAT \
    --to-destination 192.168.10.8:4661
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4662 -j DNAT \
    --to-destination 192.168.10.8:4662
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4665 -j DNAT \
    --to-destination 192.168.10.8:4665
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 49350 -j DNAT \
    --to-destination 192.168.10.8:49350
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 27171 -j DNAT \
    --to-destination 192.168.10.8:27171
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

# Disable ping requests
iptables -A INPUT -p icmp -j DROP

# Configuration for eMule, mlDonkey...
# /etc/rc.d/rc.iptables.mldonkey
EXTIF="eth0"
INTIF="eth1"
IPEMULE="192.168.10.2"
iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 4661 -d $IPEMULE \
    -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 4662 -d $IPEMULE \
    -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -p udp --dport 4665 -d $IPEMULE \
    -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 49350 -d $IPEMULE \
    -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -p udp --dport 27171 -d $IPEMULE \
    -m state --state NEW -j ACCEPT

# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT" --log-level 5
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD" --log-level 5
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT" --log-level 5

# Enable IP Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

Two things bother me:

1) The eMule configuration doesn't work: I'm still lowID. But I know it's not good to ask for this on the Internet, so it's just a minor problem.

2) I have problems with FTP: if a connection is too long (and I have some quite big files to send to my personal web page), it automatically disconnects. I wonder if this could be a problem with my iptables script.

Can someone help me solve at least one of these problems?

Thanks

\bye

--
Nicolas FRANCOIS
http://nicolas.francois.free.fr
We are the Micro$oft. Resistance is futile. You will be assimilated.
darthvader penguin

--
http://linuxfromscratch.org/mailman/listinfo/blfs-support
FAQ: http://www.linuxfromscratch.org/blfs/faq.html
Unsubscribe: See the above information page
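An added example, not part of Nicolas's post or of the BLFS example script: a small shell audit that reads an iptables script like the one above and lists every DNAT port-forward that has no matching FORWARD ACCEPT rule. With a FORWARD policy of DROP, a PREROUTING DNAT on its own is not enough; the redirected packet still has to be accepted in FORWARD, and the ESTABLISHED,RELATED rule only covers replies, not the incoming NEW connection. The function names `dnat_without_forward` and `sample_rules` and the `MISSING:` output format are this example's own; the rules embedded in `sample_rules` are copied verbatim from the post as constructed input. The audit only credits FORWARD rules that carry an explicit `-p`, `-d` and `--dport`, and it expands simple `NAME="value"` assignments such as EXTIF, INTIF and IPEMULE so that `-d $IPEMULE` can be compared with the DNAT destination.

```shell
#!/bin/sh
# Added example (not from the original post or BLFS): audit an iptables
# script for DNAT port-forwards that lack a matching FORWARD ACCEPT rule.
# Function names and the MISSING output format are this example's own.

# Reads an iptables shell script on stdin and prints one MISSING line per
# DNAT rule whose destination/port has no explicit FORWARD ACCEPT rule.
dnat_without_forward() {
    awk '
    # Return the value following option "key" on the current rule, or "".
    function opt(key,   i) {
        for (i = 1; i < NF; i++) if ($i == key) return $(i + 1)
        return ""
    }
    # Join backslash-continued lines into one logical rule.
    /\\[ \t]*$/ { sub(/\\[ \t]*$/, ""); buf = buf $0 " "; next }
    { $0 = buf $0; buf = "" }
    # Skip comments and blank lines.
    /^[ \t]*(#|$)/ { next }
    # Remember simple shell assignments such as IPEMULE="192.168.10.2".
    /^[A-Za-z_][A-Za-z0-9_]*=/ {
        eq = index($0, "="); name = substr($0, 1, eq - 1); val = substr($0, eq + 1)
        gsub(/"/, "", val); vars[name] = val; next
    }
    # Expand $VAR references using the assignments seen so far.
    {
        for (i = 1; i <= NF; i++)
            if (substr($i, 1, 1) == "$" && (substr($i, 2) in vars)) $i = vars[substr($i, 2)]
    }
    # Record each DNAT port-forward as proto/ip:port (port defaults to --dport).
    /-t nat/ && /-A PREROUTING/ && /-j DNAT/ {
        proto = opt("-p"); dport = opt("--dport"); dest = opt("--to-destination")
        if (proto == "" || dport == "" || dest == "") next
        n = split(dest, part, ":"); port = (n > 1) ? part[2] : dport
        dnat[++nd] = proto "/" part[1] ":" port
        desc[nd] = proto " " dport " -> " dest
        next
    }
    # Record FORWARD ACCEPT rules that name a protocol, destination and port.
    /-A FORWARD/ && /-j ACCEPT/ {
        proto = opt("-p"); dport = opt("--dport"); ip = opt("-d")
        if (proto != "" && dport != "" && ip != "") fwd[proto "/" ip ":" dport] = 1
    }
    END {
        for (k = 1; k <= nd; k++)
            if (!(dnat[k] in fwd))
                print "MISSING: DNAT " desc[k] " has no matching FORWARD ACCEPT"
    }'
}

# Constructed sample input: the NAT and eMule FORWARD rules from the post.
sample_rules() {
    cat <<'EOF'
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 81 -j DNAT \
    --to-destination 192.168.10.8:119
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4661 -j DNAT \
    --to-destination 192.168.10.8:4661
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 4662 -j DNAT \
    --to-destination 192.168.10.8:4662
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 4665 -j DNAT \
    --to-destination 192.168.10.8:4665
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 49350 -j DNAT \
    --to-destination 192.168.10.8:49350
iptables -t nat -A PREROUTING -i eth0 -p udp --dport 27171 -j DNAT \
    --to-destination 192.168.10.8:27171
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Configuration for eMule, mlDonkey...
EXTIF="eth0"
INTIF="eth1"
IPEMULE="192.168.10.2"
iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 4661 -d $IPEMULE \
    -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 4662 -d $IPEMULE \
    -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -p udp --dport 4665 -d $IPEMULE \
    -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -p tcp --dport 49350 -d $IPEMULE \
    -m state --state NEW -j ACCEPT
iptables -A FORWARD -i $EXTIF -o $INTIF -p udp --dport 27171 -d $IPEMULE \
    -m state --state NEW -j ACCEPT
EOF
}

sample_rules | dnat_without_forward
```

Run against the rules exactly as posted, the audit reports all six forwards: the DNAT rules send traffic to 192.168.10.8, while the FORWARD rules only accept connections to $IPEMULE, which is 192.168.10.2. With the two addresses made consistent, only the tcp 81 -> 119 forward is still reported, since no FORWARD rule accepts port 119 at all. The same kind of check can be pointed at the live ruleset by feeding it `iptables-save` output after adjusting the option parsing, but the script above is written for the shell-script form shown in the post.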