Hi,
I had been using the followingd firewall script at my home
router/gateway without
problems. However, recently started the NTPD on the box (Slack 10.2) as well. I
added relevent lines to allow the flow of NTP packets, but I think it
is not happening. Can somebody help me in figuring out what is wrong,
if something is wrong at all in the iptables script. The lines I added
were. I only want this box to go out to internet time servers and
synchronise its clock with them and the internal systems to
synchronise their clocks with this system.
# Allow NTP traffic through
$IPT_CMD --append INPUT -p udp --sport 123 --dport 123 --jump ACCEPT
# Allow NTP traffic through
$IPT_CMD --append OUTPUT -p udp --sport 123 --dport 123 --jump ACCEPT
<scr ipt>
#!/bin/sh
# Author - Ajitabh Pandey
# History -
# Ver 0.1 - 21st May 2005
# Path to the iptables command
IPT_CMD="/usr/sbin/iptables"
# ppp0 is the external interface and eth1 is the internal interface
EXT_IF="ppp0"
INT_IF="eth0"
EXT_IP="`/sbin/ifconfig $EXT_IF|grep 'inet addr'|awk '{print $2}'|sed
-e 's/.*://'`"
# This is the internal network and the internal ip-address
INT_NET="192.168.2.0/24"
INT_IP="192.168.2.1/24"
UNIVERSE="0.0.0.0/0"
echo "Flushing all rules and zero the traffic/bytes counters...."
# Flush all the rules in the filter and nat tables and zero the
# traffic counters. Although 'filter' is the default table it is
# explicitly specified for clarity.
$IPT_CMD --table filter --flush
$IPT_CMD --table nat --flush
$IPT_CMD --table filter --zero
$IPT_CMD --table nat --zero
echo "Delete all chains that are not in default filter and nat table...."
# Delete all chains that are not in default filter and nat table
$IPT_CMD --table filter --delete-chain
$IPT_CMD --table nat --delete-chain
echo "External interface is $EXT_IF"
echo "Internal interface is $INT_IF"
echo "External IP Address is $EXT_IP"
echo "Internal IP ADdress is $INT_IP"
# Setup the default policy for all chains - drop all packets by default
echo "Setting the default policy for all chains - drop all packets...."
$IPT_CMD --policy FORWARD DROP
$IPT_CMD --policy INPUT DROP
$IPT_CMD --policy OUTPUT DROP
##################################################################
# Following lines set up IP MASQUERADing and FORWARDing
##################################################################
echo "Set up IP MASQUERADEing...."
# For dialup connections the value for -j is specified as MASQUERADE, for cable
# or DSL where the external interface has static ip-address SNAT is to be used.
$IPT_CMD --table nat --append POSTROUTING --out-interface $EXT_IF -j MASQUERADE
echo "Set ip IP FORWARDING...."
$IPT_CMD --table filter --append FORWARD --in-interface $INT_IF --jump ACCEPT
# Enabling packet forwarding by kernel
echo "Enabling packet forwarding by kernel...."
echo "1" > /proc/sys/net/ipv4/ip_forward
# Enabling dynamic ip addressing
echo "Enabling dynamic IP addressing...."
echo "1">/proc/sys/net/ipv4/ip_dynaddr
# Disable smurf attack response
echo "Disable smurf attack response...."
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Don't accept source routed packets
echo "Disable source routed packets...."
for i in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $i
done
# Enable bad error message protection
echo "Enable bad error message protection...."
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# no IP spoofing
echo "Disable IP spoofing...."
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ] ; then
for i in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $i
done
fi
#############################################################
# Following lines set up a firewall
#############################################################
# Creating a new chain drop-and-log-it
$IPT_CMD --new-chain drop-and-log-it
$IPT_CMD --append drop-and-log-it --jump LOG --log-level info
$IPT_CMD --append drop-and-log-it --jump REJECT
########### INPUT ruleset ##############
# Accept all input on local loopback interface
$IPT_CMD --append INPUT --in-interface lo --source $UNIVERSE
--destination $UNIVERSE --jump ACCEPT
# Local interface, local machine can go anywhere
$IPT_CMD --append INPUT --in-interface $INT_IF --source $INT_NET
--destination $UNIVERSE --jump ACCEPT
# Remote interfaces claiming to be local machines - IP Spoofing, drop-and-log-it
$IPT_CMD --append INPUT --in-interface $EXT_IF --source $INT_NET
--destination $UNIVERSE --jump drop-and-log-it
# Allow any related traffic coming back to the MASQ server in
$IPT_CMD --append INPUT --in-interface $EXT_IF --source $UNIVERSE
--destination $EXT_IP --match state --state ESTABLISHED,RELATED --jump
ACCEPT
##### Uncomment following lines as needed to allow various services ####
# Allow ICMP. Allows this machine to be pingable from any source
$IPT_CMD --append INPUT --in-interface $EXT_IF -p ICMP --source
$UNIVERSE --destination $EXT_IP --jump ACCEPT
# If you run an internal DHCPd server
$IPT_CMD --append INPUT --in-interface $INT_IF -p tcp --sport 68
--dport 67 --jump ACCEPT
$IPT_CMD --append INPUT --in-interface $INT_IF -p udp --sport 68
--dport 67 --jump ACCEPT
# Allow NTP traffic through
$IPT_CMD --append INPUT -p udp --sport 123 --dport 123 --jump ACCEPT
# Allow HTTP
#$IPT_CMD --append INPUT --in-interface $EXT_IF --match state --state
NEW,ESTABLISHED,RELATED -p tcp --source $UNIVERSE --destination
$EXT_IP --dport 80 --jump ACCEPT
# Allow HTTPS
#$IPT_CMD --append INPUT --in-interface $EXT_IF --match state
--state NEW,ESTABLISHED,RELATED -p tcp --source $UNIVERSE
--destination $EXT_IP --dport 443 --jump ACCEPT
# Allow SSH
$IPT_CMD --append INPUT --in-interface $EXT_IF --match state --state
NEW,ESTABLISHED,RELATED -p tcp --source $UNIVERSE --destination
$EXT_IP --dport 22 --jump ACCEPT
# Allow SMTP
#$IPT_CMD --append INPUT --in-interface $EXT_IF --match state --state
NEW,ESTABLISHED,RELATED -p tcp --source $UNIVERSE --destination
$EXT_IP --dport 25 --jump ACCEPT
# Allow POP3
#$IPT_CMD --append INPUT --in-interface $EXT_IF --match state --state
NEW,ESTABLISHED,RELATED -p tcp --source $UNIVERSE --destination
$EXT_IP --dport 110 --jump ACCEPT
# Allow POP3-SSL
#$IPT_CMD --append INPUT --in-interface $EXT_IF --match state --state
NEW,ESTABLISHED,RELATED -p tcp --source $UNIVERSE --destination
$EXT_IP --dport 995 --jump ACCEPT
# All other incoming traffic is denied and logged
$IPT_CMD --append INPUT --source $UNIVERSE --destination $UNIVERSE
--jump drop-and-log-it
########### OUTPUT ruleset ##############
# Loopback is valid
$IPT_CMD --append OUTPUT --out-interface lo --source $UNIVERSE
--destination $UNIVERSE --jump ACCEPT
# Local interfaces, any source going to local net is valid
$IPT_CMD --append OUTPUT --out-interface $INT_IF --source $EXT_IP
--destination $INT_NET --jump ACCEPT
$IPT_CMD --append OUTPUT --out-interface $INT_IF --source $INT_IP
--destination $INT_NET --jump ACCEPT
# Outgoing to local net on remote interface, stuffed routing is denied
$IPT_CMD --append OUTPUT --out-interface $EXT_IF --source $UNIVERSE
--destination $INT_NET --jump drop-and-log-it
# anything else outgoing on remote interface is valid
$IPT_CMD --append OUTPUT --out-interface $EXT_IF --source $EXT_IP
--destination $UNIVERSE --jump ACCEPT
# Uncomment following rules if you run an internal DHCPd server
$IPT_CMD --append OUTPUT --out-interface -p tcp --source $INT_IP
--sport 67 --destination 255.255.255.255 --dport 68 --jump ACCEPT
$IPT_CMD --append OUTPUT --out-interface $INT_IF -p udp --source
$INT_IP --sport 67 --destination 255.255.255.255 --dport 68 --jump
ACCEPT
# Allow NTP traffic through
$IPT_CMD --append OUTPUT -p udp --sport 123 --dport 123 --jump ACCEPT
# All other outgoing is denied and logged
$IPT_CMD --append OUTPUT --source $UNIVERSE --destination $UNIVERSE
--jump drop-and-log-it
########### FORWARDing ruleset ##############
# Allow all connections OUT and only existing/related IN
$IPT_CMD --append FORWARD --in-interface $EXT_IF --out-interface
$INT_IF --match state --state ESTABLISHED,RELATED --jump ACCEPT
$IPT_CMD --append FORWARD --in-interface $INT_IF --out-interface
$EXT_IF --jump ACCEPT
# All other forwarding is denied and logged
$IPT_CMD --append FORWARD --jump drop-and-log-it
exit 0
</script>
--
Regards.
Ajitabh Pandey
http://www.ajitabhpandey.info
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
linux-india-help mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/linux-india-help
