Greetings! (long time, no post) I just got my firewall set up at home - it is a Linksys WRT54G based on Linux. So far, I have http, smtp, vpn, and skype all allowed to go out of the firewall, and I have forwarding with http, smtp, and ssh (tunneled through the telnet port) all allowed to come into the firewall and forwarded to another Linux server I have in the closet. I want everything to be blocked by default except what I allow through.
What I am trying to do now is get it so that only the Linux box in a closet at home can access the internet from within the network (instead of everything in the LAN). Everything else will proxy through to the Linux server in my closet. I have tried:

$IPT -t filter -A FORWARD -s 192.168.1.5 -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT

I also tried disabling the line that gives the network access to port 80, but that disables internet access entirely, including for the Linux box in my closet. Anyone know what line I need to add to only allow http access to 192.168.1.5 from within the LAN? My firewall script is below. Also, any suggestions you have as to how I could write it better are appreciated:

#!/bin/sh
. /etc/functions.sh

WAN=$(nvram get wan_ifname)
WAN_IP=$(nvram get wan_ipaddr)
WIFI=$(nvram get wifi_ifname)
LAN=$(nvram get lan_ifname)
LAN_IP=$(nvram get lan_ipaddr)
IPT=/usr/sbin/iptables

# Flush and delete all chains in every table
for T in filter nat mangle ; do
    $IPT -t $T -F
    $IPT -t $T -X
done

# Default: drop all
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat --policy POSTROUTING ACCEPT
$IPT -t nat --policy PREROUTING ACCEPT

# Allow all traffic on loopback interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Allow DNS access to firewall
$IPT -A OUTPUT -p udp -o $WAN --dport 53 --sport 1024:65535 -j ACCEPT
$IPT -A INPUT -p udp -i $WAN --sport 53 --dport 1024:65535 -j ACCEPT

# Allow all internal machines to access router
$IPT -A INPUT -j ACCEPT -p all -s 192.168.1.0/24 -i $LAN
$IPT -A OUTPUT -j ACCEPT -p all -d 192.168.1.0/24 -o $LAN
$IPT -A FORWARD -j ACCEPT -p all -s 192.168.1.0/24

# port forwarding to closet
# ssh
$IPT -A FORWARD -p tcp -i $WAN --dport 23 -j ACCEPT
$IPT -t nat -A PREROUTING -p tcp -i $WAN --dport 23 -j DNAT --to 192.168.1.5:23
# http
$IPT -A FORWARD -p tcp -i $WAN --dport 80 -j ACCEPT
$IPT -t nat -A PREROUTING -d $WAN_IP -p tcp --dport 80 -j DNAT --to 192.168.1.5:80
## smtp
$IPT -A FORWARD -p tcp -i $WAN --dport 25 -j ACCEPT
$IPT -t nat -A PREROUTING -p tcp -i $WAN --dport 25 -j DNAT --to 192.168.1.5:25

# masquerade internal traffic
$IPT -A POSTROUTING -t nat -o $WAN -s 192.168.1.0/24 -d 0/0 -j MASQUERADE

$IPT -t filter -A FORWARD -m state --state INVALID -j DROP
$IPT -t filter -A FORWARD -i $WAN -m state --state NEW,INVALID -j DROP

# all ports allowed from network through firewall go here
# web
#$IPT -t filter -A FORWARD -s 192.168.1.5 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -t filter -A FORWARD -p tcp --sport 80 -m state --state RELATED,ESTABLISHED -j ACCEPT
# https
$IPT -t filter -A FORWARD -p tcp --sport 443 -m state --state RELATED,ESTABLISHED -j ACCEPT
# smtp
$IPT -t filter -A FORWARD -p tcp --sport 25 -m state --state RELATED,ESTABLISHED -j ACCEPT
# vpn
$IPT -t filter -A FORWARD -p udp --sport 500 -m state --state RELATED,ESTABLISHED -j ACCEPT
# skype
$IPT -t filter -A FORWARD -p udp --sport 1784 -m state --state RELATED,ESTABLISHED -j ACCEPT

####################################
### Jesse Stay                   ###
### Lead Applications Developer  ###
### IMD Classifieds              ###
### Media General, Inc.          ###
### (804)649-6534                ###
####################################

.===================================.
| This has been a P.L.U.G. mailing. |
|      Don't Fear the Penguin.      |
|  IRC: #utah at irc.freenode.net   |
`==================================='
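One way to get the behaviour the post asks for (only the closet box, 192.168.1.5, may open connections to the internet; every other LAN host falls to the FORWARD DROP policy), as an added example that is not the poster's script: a single stateful rule accepts return traffic in both directions, and NEW connections are then listed per host, in place of the LAN-wide "-A FORWARD -j ACCEPT -p all -s 192.168.1.0/24" rule, which accepts everything from the LAN before any later rule is consulted. The interface names vlan1 and br0 are assumed defaults (the post reads them from nvram), and the ports are the ones the post allows; set IPT=echo to print the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not the poster's script. Set IPT=echo for a dry run.
IPT=${IPT:-/usr/sbin/iptables}
WAN=${WAN:-vlan1}   # assumed WRT54G defaults; the post uses $(nvram get wan_ifname)
LAN=${LAN:-br0}     # and $(nvram get lan_ifname)
CLOSET=192.168.1.5  # the closet server named in the post

forward_rules() {
    # Drop malformed/untracked packets, then accept replies to any connection
    # already allowed. This one rule replaces the per-port "--sport 80 ...
    # RELATED,ESTABLISHED" lines: a reply to the closet box's web request has
    # --sport 80 and -d 192.168.1.5, not -s 192.168.1.5, so the rule the post
    # tried never matched anything.
    $IPT -A FORWARD -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

    # Outbound NEW connections: only from the closet box, only these services
    # (http, https, smtp, IKE for the vpn). Other LAN hosts hit the DROP policy.
    for P in 80 443 25; do
        $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$CLOSET" -p tcp --dport "$P" \
             -m state --state NEW -j ACCEPT
    done
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$CLOSET" -p udp --dport 500 \
         -m state --state NEW -j ACCEPT

    # Inbound port forwards. The DNAT rules in the nat table have already
    # rewritten the destination by the time FORWARD sees the packet, so match
    # on the closet address rather than on $WAN_IP.
    for P in 23 80 25; do
        $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$CLOSET" -p tcp --dport "$P" \
             -m state --state NEW -j ACCEPT
    done
}

# Apply only when asked, so sourcing this file for inspection changes nothing.
if [ "${1-}" = "apply" ]; then
    forward_rules
fi
```

These rules go where the post's "Allow all internal machines to access router" FORWARD line and the later per-port RELATED,ESTABLISHED lines are; the INPUT, OUTPUT, nat and MASQUERADE rules from the post stay as they are.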