Below is the script I've put together so far; hopefully this post could get a nice all-round firewall/gateway iptables script made for a home LAN that doesn't require too much knowledge to set up.
I'm hoping to get it working for a 2.6.3+ kernel with all iptables options enabled, without having to patch in any other stuff.
Features I'm looking for, that I would love help with:
* Send REJECT as default for non-opened ports rather than DROP.
* Logging mechanism for misc. attacks and portscans.
* Blocking of IP ranges.
* Parsing of a PeerGuardian file for easy blocking of IP ranges.
So far the script I've made (please correct any errors) supports:
* Opening ports with a simple FOR loop on a string (variable).
* Forwarding ports with a simple FOR loop on a string (variable).
* Denying IPs with a simple FOR loop on a string (variable).
Sincerely
Brian Schmidt
----- Firewall-iptables.sh -----
#!/bin/sh

# Executables
IPTABLES="/sbin/iptables"

# LAN configuration
LAN_IP="10.0.0.1"
LAN_IP_RANGE="10.0.0.0/24"
LAN_BCAST_ADDRESS="10.0.0.255"
LAN_IFACE="eth1"

# Internet configuration
INET_IP="1.2.3.4"
INET_IFACE="eth0"

# WorkStation configuration
WS_IP="10.0.0.2"
WS_MISC_RANGE="5200:5999"

# Notebook configuration
NB_IP="10.0.0.3"
NB_MISC_RANGE="6800:6999"

# Various ports
PROFTPD_PASSIVE_RANGE="49900:50000"
IRCD="6667:6669 7000"

# Ports to ACCEPT connections to from INET, syntax: "port port:range"
PORTS_ACCEPT="21 22 80 113 $WS_MISC_RANGE $NB_MISC_RANGE $PROFTPD_PASSIVE_RANGE"

# Ports to forward to LAN, syntax: "source_port>destination_ip,destination_port"
PORTS_FORWARD="$NB_MISC_RANGE>$NB_IP,$NB_MISC_RANGE $WS_MISC_RANGE>$WS_IP,$WS_MISC_RANGE"

# IPs to deny, both from LAN and INET, syntax: "10.0.0.5 192.168.10.32"
# (leave empty to deny nothing)
DENY_IPS=""

####
## Don't edit anything below here unless you know what you are doing.
##

# Name of our custom block chain
BLOCKCHAIN="block"

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Default policies
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# Flush chains ("-F" with no chain name empties every chain in the table,
# including our custom one, so re-running the script does not duplicate rules)
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -t filter -F

# Check to see if our custom block chain exists; if not, create it.
# Listing a chain that does not exist fails, so the exit status is enough.
# ("&>" is a bash-ism and does not work under /bin/sh.)
if ! $IPTABLES -n -L $BLOCKCHAIN > /dev/null 2>&1; then
    $IPTABLES -N $BLOCKCHAIN
fi

# Allow local traffic
$IPTABLES -A INPUT -i lo -j ACCEPT

# Allow traffic on established connections
$IPTABLES -A $BLOCKCHAIN -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow connections coming from the LAN
$IPTABLES -A $BLOCKCHAIN -m state --state NEW -i $LAN_IFACE -j ACCEPT

# Deny connections from AND to specific IPs
for i in $DENY_IPS; do
    $IPTABLES -A INPUT -s $i -j DROP
    $IPTABLES -A INPUT -d $i -j DROP
done

# Activate source NAT for LAN traffic that is not destined for the LAN itself
# (negation goes before the option: "! -d", not "-d !")
$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE ! -d $LAN_IP_RANGE -j SNAT --to $INET_IP

# Log something. FIXME: Throttle how many log entries?
#$IPTABLES -A INPUT -p tcp -d $INET_IP --dport http -j ULOG --ulog-nlgroup 1

# Allow access to specific services from the Internet
for i in $PORTS_ACCEPT; do
    $IPTABLES -A INPUT -p tcp -d $INET_IP --dport $i -j ACCEPT
    $IPTABLES -A INPUT -p udp -d $INET_IP --dport $i -j ACCEPT
done

# Accept pings, but throttle them to max 10 packets per second, to avoid flooding.
$IPTABLES -A INPUT -p icmp -d $INET_IP --icmp-type 8 -m limit --limit 10/s -j ACCEPT

# Ignore invalid packets
$IPTABLES -t mangle -A PREROUTING -m state --state INVALID -j DROP

# Attach our custom block chain to the INPUT and FORWARD chains
$IPTABLES -A INPUT -j $BLOCKCHAIN
$IPTABLES -A FORWARD -j $BLOCKCHAIN

# Optimize SSH for low delay and FTP for high throughput
$IPTABLES -t mangle -A PREROUTING -p tcp --dport ssh -j TOS --set-tos Minimize-Delay
$IPTABLES -t mangle -A PREROUTING -p tcp --dport ftp -j TOS --set-tos Maximize-Throughput

# Forwards to machines on the LAN.
# Each entry is "src_port>dest_ip,dest_port"; the fields are split with plain
# shell parameter expansion instead of awk. A "low:high" port range in the
# destination must be written "low-high" for DNAT, hence the sed.
for i in $PORTS_FORWARD; do
    _SRC_PORT=${i%%>*}
    _DEST=${i#*>}
    _DEST_IP=${_DEST%%,*}
    _DEST_PORT=`echo ${_DEST#*,} | sed 's/:/-/'`
    $IPTABLES -t nat -A PREROUTING -p tcp -d $INET_IP --dport $_SRC_PORT -j DNAT --to-destination $_DEST_IP:$_DEST_PORT
    $IPTABLES -t nat -A PREROUTING -p udp -d $INET_IP --dport $_SRC_PORT -j DNAT --to-destination $_DEST_IP:$_DEST_PORT
done
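Two of the features asked for above (blocking IP ranges from a PeerGuardian file, and a throttled log plus REJECT instead of a silent DROP) can be built with stock iptables matches. The following is an added example, not part of Brian's script or any PeerGuardian tool. It assumes the common PeerGuardian "p2p" line format "Label:first_ip-last_ip", uses a constructed sample list (TEST-NET addresses, not a real blocklist), and lets IPTABLES default to "echo iptables" so the generated rules are printed rather than applied; set IPTABLES=/sbin/iptables to apply them for real.

```shell
#!/bin/sh
# Added example (not from the original post): PeerGuardian-style list parsing
# and a throttled LOG + REJECT tail for the INPUT chain.
# Assumptions: "Label:a.b.c.d-e.f.g.h" lines; IPTABLES defaults to a dry run.

IPTABLES="${IPTABLES:-echo iptables}"
BLOCKCHAIN="${BLOCKCHAIN:-block}"

# Emit one "-m iprange" DROP rule per range found in a PeerGuardian-style file.
# Blank lines, "#" comments and lines that do not end in "ip-ip" are skipped,
# so a malformed list cannot inject a broken rule.
pg_to_rules() {
    pg_file="$1"
    quad='^[0-9]{1,3}(\.[0-9]{1,3}){3}$'
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
        esac
        range="${line##*:}"      # text after the last ':' (labels may contain ':')
        start="${range%-*}"      # "first_ip"
        end="${range#*-}"        # "last_ip"
        # Skip the line unless both halves are dotted quads.
        if printf '%s\n%s\n' "$start" "$end" | grep -Evq "$quad"; then
            continue
        fi
        $IPTABLES -A "$BLOCKCHAIN" -m iprange --src-range "$start-$end" -j DROP
    done < "$pg_file"
}

# Number of rules a given list would produce (handy for sanity checks).
pg_rule_count() {
    pg_to_rules "$1" | wc -l | tr -d ' '
}

# Throttled logging followed by REJECT as the last rules in INPUT:
# at most 5 log lines per minute (burst 10) so a scan cannot fill the log,
# then a TCP reset for TCP and port-unreachable for everything else.
reject_tail_rules() {
    $IPTABLES -A INPUT -m limit --limit 5/minute --limit-burst 10 \
        -j LOG --log-prefix "fw-reject: " --log-level 4
    $IPTABLES -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $IPTABLES -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# Write a constructed sample list (TEST-NET ranges, not a real blocklist)
# and print its path.
make_sample_list() {
    f=`mktemp 2>/dev/null || echo "/tmp/pg-sample.$$"`
    cat > "$f" <<'EOF'
# constructed sample, not a real PeerGuardian list
Example range one:203.0.113.0-203.0.113.255
Example range two:198.51.100.10-198.51.100.20
bad line without a range
Weird:not-an-ip-x
EOF
    echo "$f"
}

# Stand-alone demo: print the rules the sample list would generate.
if [ "$#" -eq 0 ]; then
    sample=`make_sample_list`
    pg_to_rules "$sample"
    reject_tail_rules
    rm -f "$sample"
fi
```

The range rules belong in the custom block chain before the "NEW from LAN" accept, and the REJECT tail must be the very last thing appended to INPUT; anything after it is never reached. Using "-m iprange" avoids converting arbitrary first-last ranges into CIDR blocks, which PeerGuardian lists generally are not.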