Why not check out arnos-iptables-firewall?

On Tue, 2 Aug 2011, Alan Chandler wrote:

> On 01/08/11 21:56, Paul Stuffins wrote:
> > Hi Guys,
> >
> > I am trying to set iptables up, but am getting into a right mess editing
> > the rules direct in the init script.
> >
> > What are people's recommendations of a front end, either one that I can
> > run via an Apache VirtualHost, obviously on a secured and locked down
> > VirtualHost so that only I can access it, or via SSH.
> >
> > --Paul
>
> I am not sure I understand exactly what you mean, but this is my set of
> firewall rules which I reference in /etc/network/interfaces/pre-up. They are
> stored in file /etc/firewall
>
> Unlike the other replies, I hand-crafted these from scratch quite a few years
> ago now and they seem to have stood me in good stead. Although some of the
> destination changing rules refer to programs I haven't used for at least 5
> years (GPL refers to Grand Prix Legends - a car racing sim)
>
> The only other rules are generated by fail2ban dynamically locking out smtp
> attempts to send me junk.
>
> #!/bin/sh
> #
> #
>
> INETIF=$1
>
> KANGA="192.168.0.12"
> POOH="192.168.0.11"
>
>
> test -x /sbin/iptables || exit 0
>
> #set -e
> echo "Setting up firewall on interface $INETIF"
> #
> # Start up ensuring that the tables are all empty
> # (ignoring any errors because there is nothing there yet)
> #
> iptables -F
> iptables -t nat -F
> iptables -t mangle -F
> iptables -X
>
> #
> # This is for established communications coming in from the internet just
> # so that I can get an idea what sort of packets they are.
> #
> iptables -N i-estab
> iptables -A i-estab -p tcp --sport www -j ACCEPT
> iptables -A i-estab -p tcp --sport imap -j ACCEPT
> iptables -A i-estab -p tcp --sport imaps -j ACCEPT
> iptables -A i-estab -p tcp --sport nntp -j ACCEPT
> iptables -A i-estab -p tcp --sport domain -j ACCEPT
> iptables -A i-estab -p tcp --dport ssh -j ACCEPT
> iptables -A i-estab -p tcp --sport ftp -j ACCEPT
> iptables -A i-estab -p tcp --sport ftp-data -j ACCEPT
> iptables -A i-estab -p tcp --sport 9418 -j ACCEPT
>
> # Accept everything not so far accepted
> iptables -A i-estab -j ACCEPT
> #
> # Route packets going out from here onto a new table so that we can do
> # things with them (logging etc)
> #
> iptables -N to-inet
> #
> # Just want to count a few things
> #
> iptables -A to-inet -p tcp --dport www -j ACCEPT
> iptables -A to-inet -p tcp --dport imap -j ACCEPT
> iptables -A to-inet -p udp --dport domain -j ACCEPT
> iptables -A to-inet -p tcp --dport nntp -j ACCEPT
> iptables -A to-inet -p udp --dport 67:68 -j ACCEPT
> iptables -A to-inet -p tcp --dport iax -j ACCEPT
> iptables -A to-inet -p udp --dport iax -j ACCEPT
> #
> # Note ICMP packets I am sending out
> #
> iptables -A to-inet -p icmp --icmp-type destination-unreachable -j ACCEPT
> iptables -A to-inet -p icmp --icmp-type source-quench -j ACCEPT
> iptables -A to-inet -p icmp --icmp-type time-exceeded -j ACCEPT
> iptables -A to-inet -p icmp --icmp-type parameter-problem -j ACCEPT
> iptables -A to-inet -p icmp --icmp-type echo-request -j ACCEPT
> iptables -A to-inet -p icmp --icmp-type echo-reply -j ACCEPT
> #
> # Prevent any netbios stuff leaking out from here
> #
> iptables -A to-inet -p tcp --dport netbios-ns:netbios-ssn -j LOG
> iptables -A to-inet -p tcp --dport netbios-ns:netbios-ssn -j DROP
> iptables -A to-inet -p udp --dport netbios-ns:netbios-ssn -j LOG
> iptables -A to-inet -p udp --dport netbios-ns:netbios-ssn -j DROP
> #
> #
> # Accept everything else
> #
> iptables -A to-inet -j ACCEPT
> #
> # Now make the connection to the table
> #
> iptables -A OUTPUT -o $INETIF -j to-inet
> #
> # Common internet Stuff
> #
> iptables -N from-inet
> #
> # Stuff already established is allowed but jump to chain to count things
> #
> iptables -A from-inet -m state --state ESTABLISHED,RELATED -j i-estab
> #
> # Deal with ICMP packets
> #
> iptables -A from-inet -p icmp --icmp-type destination-unreachable -j ACCEPT
> iptables -A from-inet -p icmp --icmp-type source-quench -j ACCEPT
> iptables -A from-inet -p icmp --icmp-type time-exceeded -j ACCEPT
> iptables -A from-inet -p icmp --icmp-type parameter-problem -j ACCEPT
> iptables -A from-inet -p icmp --icmp-type echo-request -j ACCEPT
> # Already accepted by related
> iptables -A from-inet -p icmp --icmp-type echo-reply -j ACCEPT
> #
> # ftp-data started by mine (already accepted in related)
> #
> iptables -A from-inet -m state --state NEW -p tcp --dport ftp-data -j ACCEPT
> #
> # Socks probes should be dropped so that IRC does not think we are screwing them
> #
> iptables -A from-inet -p tcp --dport socks -j DROP
> #
> # Drop these before logging them (just collecting them to see what they are)
> #
> iptables -A from-inet -p tcp --dport 1635 -j DROP
> iptables -A from-inet -p tcp --dport 1370 -j DROP
> #
> # DHCP messages - I need to drop server requests
> #
> iptables -A from-inet -p udp --dport 67 -j DROP
> #
> # log and drop the rest (except 192.168 stuff which we silently lose)
> #
> iptables -A from-inet -s 192.168.0.0/16 -j DROP
> # iptables -A from-inet -j LOG
> iptables -A from-inet -j DROP
> #
> # Create a chain which protects gateway
> #
> iptables -N inet-in
> # Allow DHCP requests to me
> iptables -A inet-in -p udp --dport 68 -j ACCEPT
> #
> # Allow DNS stuff
> #
> iptables -A inet-in -p udp --dport domain -j ACCEPT
> iptables -A inet-in -p tcp --dport domain -j ACCEPT
> #
> # Allow connections to my ssh port
> #
> iptables -A inet-in -m state --state NEW -p tcp --dport ssh -j ACCEPT
> iptables -A inet-in -p udp --dport ssh -j ACCEPT
> #
> # Allow git connections
> #
> iptables -A inet-in -m state --state NEW -p tcp --dport 9418 -j ACCEPT
> iptables -A inet-in -p udp --dport 9418 -j ACCEPT
>
> # Allow mail to get in to deliver on the SMTP port
> #
> iptables -A inet-in -p tcp --dport smtp -j ACCEPT
>
> # Allow mail on imap-ssl port
> #
> iptables -A inet-in -p tcp --dport imaps -j ACCEPT
> #
> # Allow boot stuff so I can configure interface
> #
> iptables -A inet-in -p udp --dport 67:68 -j ACCEPT
>
> #
> # Allow stuff to the web site
> #
> iptables -A inet-in -p tcp --dport www -j ACCEPT
> iptables -A inet-in -p tcp --dport https -j ACCEPT
> #
> # Allow traffic in to voip switch (iax, sip and a limited range of rtp)
> # (restricted for now)
> #
> # iptables -A inet-in -p udp --dport iax -j ACCEPT
> # iptables -A inet-in -p udp --dport sip -j ACCEPT
> # iptables -A inet-in -p udp --dport 14007:14096 -j ACCEPT
> #
> # Explicitly drop 135 stuff
> #
> # iptables -A inet-in -p tcp --dport 135 -j LOG
> iptables -A inet-in -p tcp --dport 135 -j DROP
> #
> # Allow pokerth stuff in
> #
> iptables -A inet-in -p tcp --dport 7234 -j ACCEPT
>
> #
> # Do Common Stuff
> #
> iptables -A inet-in -j from-inet
> #
> # Create table from forwarded stuff from Inet
> #
> #
> iptables -N inet-fwd
> #
> # Following is for GPL and WinVROC and must be forwarded on
> #
> iptables -A inet-fwd -p udp --dport 32766:32786 -j ACCEPT
> iptables -A inet-fwd -p udp --dport 6970:6971 -j ACCEPT
> # to see them separately
> iptables -A inet-fwd -p udp --dport 6969 -j ACCEPT
> iptables -A inet-fwd -p tcp --dport auth -j ACCEPT
> #
> # Allow bittorrent stuff
> #
> iptables -A inet-fwd -p tcp --dport 6881:6899 -j ACCEPT
> iptables -A inet-fwd -p udp --dport 6881:6899 -j ACCEPT
> #
> #
> # allow Secure Remote stuff into my portable
> #
> # iptables -A inet-fwd -p udp --dport 500 -j LOG
> iptables -A inet-fwd -p udp --dport 500 -j ACCEPT
> # iptables -A inet-fwd -p udp --dport 2746 -j LOG
> iptables -A inet-fwd -p udp --dport 2746 -j ACCEPT
>
> #
> # Do common stuff
> #
> iptables -A inet-fwd -j from-inet
> #
> # Link new tables in
> #
> iptables -A INPUT -i $INETIF -j inet-in
>
> iptables -A FORWARD -i $INETIF -j inet-fwd
>
> #
> # need to MASQUERADE outgoing stuff
> #
> # normal internal network
> #
> iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o $INETIF -j MASQUERADE
> #
> #
> # Stuff coming in for GPL and WinVROC needs destination changing
> #
> iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 32766:32786 -j DNAT --to-destination $KANGA
> iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6970:6971 -j DNAT --to-destination $KANGA
> # separate out to see if used
> iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6969 -j DNAT --to-destination $KANGA
> iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport auth -j DNAT --to-destination $KANGA
> #
> # Allocate bittorrent channels
> #
> iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport 6881:6889 -j DNAT --to-destination $KANGA
> iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6881:6889 -j DNAT --to-destination $KANGA
> iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport 6890:6899 -j DNAT --to-destination $POOH
> iptables -t nat -A PREROUTING -i $INETIF -p udp --dport 6890:6899 -j DNAT --to-destination $POOH
>
> #
> # I want to mangle outgoing packets so that I can
> # take maximum benefit of different types of connection
> # in terms of priority
> #
> iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport www -j TOS --set-tos Minimize-Delay
> iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport ftp -j TOS --set-tos Minimize-Delay
> iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport ftp-data -j TOS --set-tos Maximize-Throughput
> iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport smtp -j TOS --set-tos Maximize-Reliability
> iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport pop3 -j TOS --set-tos Maximize-Reliability
> iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport nntp -j TOS --set-tos Minimize-Cost
> iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport domain -j TOS --set-tos Maximize-Reliability
> iptables -t mangle -A OUTPUT -o $INETIF -p tcp --dport domain -j TOS --set-tos Maximize-Reliability
> #
> # Following is for GPL and should be sent fast
> #
> iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport 32766:32786 -j TOS --set-tos Minimize-Delay
> iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport 6970:6971 -j TOS --set-tos Minimize-Delay
> iptables -t mangle -A OUTPUT -o $INETIF -p udp --sport 32766:32786 -j TOS --set-tos Minimize-Delay
> iptables -t mangle -A OUTPUT -o $INETIF -p udp --sport 6970:6971 -j TOS --set-tos Minimize-Delay
> #
> # VOIP traffic - mainly RTP but also IAX needs to go fast
> #
> iptables -t mangle -A OUTPUT -o $INETIF -p udp --dport iax -j TOS --set-tos Minimize-Delay
> iptables -t mangle -A OUTPUT -o $INETIF -p udp --sport 14007:14096 -j TOS --set-tos Minimize-Delay
>
> exit 0
>
>

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/alpine.bsf.2.00.1108020304150.86...@freire1.furyyjbeyq.arg
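A hand-written script of the kind quoted above builds a graph of user chains (i-estab, to-inet, from-inet, inet-in, inet-fwd) linked into INPUT, FORWARD and OUTPUT, and the two things that go wrong when it is edited by hand over years are jumps to a chain that was renamed or never created, and rules appended behind an unconditional ACCEPT or DROP that can never match. The following lint is an added example and not code from the thread or from any of the posters; it rejoins lines a mail client wrapped (as happened to several commands in the quoted script), parses each iptables invocation and reports those two defects. The sample script it runs over is constructed for the example and only resembles the quoted one; the table, chain and target names it knows are the standard iptables ones.

```python
"""Static lint for an iptables shell script (added example, not the post's code)."""
import shlex

# Built-in chains of the standard tables.
BUILTIN_CHAINS = {
    "filter": {"INPUT", "FORWARD", "OUTPUT"},
    "nat": {"PREROUTING", "OUTPUT", "POSTROUTING"},
    "mangle": {"PREROUTING", "INPUT", "FORWARD", "OUTPUT", "POSTROUTING"},
}
# Targets that end traversal of the current chain when they match.
TERMINAL_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "MASQUERADE", "DNAT", "SNAT"}
# Targets that are not user-defined chains (terminal ones plus non-terminal extensions).
BUILTIN_TARGETS = TERMINAL_TARGETS | {"LOG", "TOS", "MARK"}


def iter_commands(text):
    """Yield (line_number, command) for every iptables invocation in the script.

    A wrapped line is recognised when the previous command ends in a backslash,
    when the line starts with a long option (e.g. --to-destination ...), or when
    the line is a bare target name left dangling after "-j".
    """
    pending = None
    for number, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if pending is not None and (
            pending[1].endswith("\\") or line.startswith("--") or line in BUILTIN_TARGETS
        ):
            pending = (pending[0], pending[1].rstrip("\\").rstrip() + " " + line)
            continue
        if pending is not None:
            yield pending
            pending = None
        if line.startswith("iptables"):
            pending = (number, line)
    if pending is not None:
        yield pending


def parse_command(command):
    """Return (table, op, chain, has_match, target) for one iptables command."""
    tokens = shlex.split(command)[1:]  # drop the "iptables" word itself
    table, op, chain, target, has_match = "filter", None, None, None, False
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-t":
            table = tokens[i + 1]
            i += 2
        elif tok in ("-N", "-X", "-F", "-P", "-A", "-I", "-D"):
            op = tok
            chain = tokens[i + 1] if i + 1 < len(tokens) else None
            i += 2
        elif tok == "-j":
            target = tokens[i + 1] if i + 1 < len(tokens) else None
            break  # anything after the target name is a target option, not a match
        elif tok.startswith("-"):
            has_match = True  # -p, -s, -i, -o, -m, --dport, --state, ...
            i += 1
        else:
            i += 1
    return table, op, chain, has_match, target


def lint(text):
    """Return [(line_number, message)] for undefined-chain jumps and unreachable rules."""
    findings = []
    defined = {t: set(chains) for t, chains in BUILTIN_CHAINS.items()}
    sealed = set()  # (table, chain) pairs that already end in an unconditional terminal rule
    for number, command in iter_commands(text):
        table, op, chain, has_match, target = parse_command(command)
        chains = defined.setdefault(table, set())
        if op == "-N":
            chains.add(chain)
        elif op in ("-A", "-I"):
            if chain not in chains:
                findings.append((number, f"rule added to undefined chain {chain} in table {table}"))
            if target is not None and target not in BUILTIN_TARGETS and target not in chains:
                findings.append((number, f"jump to undefined chain {target} in table {table}"))
            if op == "-A":  # -I inserts at the top, so the ordering argument does not apply
                if (table, chain) in sealed:
                    findings.append((number, f"unreachable: chain {chain} already ends in an unconditional terminal rule"))
                if target in TERMINAL_TARGETS and not has_match:
                    sealed.add((table, chain))
    return findings


# Constructed sample modelled on the quoted script: it contains a line wrapped by a
# mail client (lines 10-11), a rule behind an unconditional DROP (line 14) and a jump
# to a chain that is never created (line 19).
SAMPLE_SCRIPT = """\
#!/bin/sh
INETIF=$1
iptables -F
iptables -t nat -F
iptables -N i-estab
iptables -A i-estab -p tcp --sport www -j ACCEPT
iptables -A i-estab -j ACCEPT
iptables -N from-inet
iptables -A from-inet -m state --state ESTABLISHED,RELATED -j i-estab
iptables -A from-inet -p icmp --icmp-type echo-request -j
ACCEPT
iptables -A from-inet -s 192.168.0.0/16 -j DROP
iptables -A from-inet -j DROP
iptables -A from-inet -p tcp --dport socks -j DROP
iptables -N inet-in
iptables -A inet-in -m state --state NEW -p tcp --dport ssh -j ACCEPT
iptables -A inet-in -j from-inet
iptables -A INPUT -i $INETIF -j inet-in
iptables -A FORWARD -i $INETIF -j inet-fwd
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -o $INETIF -j MASQUERADE
iptables -t nat -A PREROUTING -i $INETIF -p tcp --dport auth -j DNAT
--to-destination $KANGA
"""

if __name__ == "__main__":
    for number, message in lint(SAMPLE_SCRIPT):
        print(f"line {number}: {message}")
```

Run it against /etc/firewall with `lint(open("/etc/firewall").read())` before loading a rule set; the check is deliberately conservative (a jump to a user chain that itself ends in an unconditional DROP is not treated as sealing the caller), so anything it reports is worth looking at.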