Simon,

Save yourself a lot of time and headache and download Shorewall (emerge -p shorewall): the Shorewall firewall, iptables made easy. The site is well maintained, has a great mailing list and awesome, easy-to-follow FAQs for a standalone workstation, a two-NIC setup and a three-NIC setup with DMZ.

Shorewall is very lightweight and is a full-featured stateful packet filtering firewall that uses a series of simple shell scripts to take all the (masochistic fun) out of configuring iptables line by line, word by word.

http://www.shorewall.net

Unless you're trying to learn iptables, of course.. Heh. :P

JBanks
--- Simon_Kühling [EMAIL PROTECTED] wrote:
Hi everyone,

I'm trying to get my Gentoo box running as a firewall and NAT router for my home network. Therefore I took the iptables example script as seen in the Gentoo security guide (http://www.gentoo.org/doc/en/gentoo-security.xml#doc_chap12) and modified it a little.

The server is able to establish an ADSL connection and lynx has no problem surfing the net. The firewall script is started and from inside the network I can easily access the server (192.168.0.1) via ssh, but there's no response to pings from e.g. 192.168.0.121. The server itself is not able to ping and gets a strange error message:
***
tux root # ping www.google.com
PING www.google.akadns.net (216.239.59.99) 56(84) bytes of data.
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
ping: sendmsg: Operation not permitted
--- www.google.akadns.net ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2000ms
***
My firewall script is attached to this mail. I do not see a mistake or anything like that in the script.

By the way, another strange behavior: yesterday the NAT routing suddenly ran for about 10 minutes without my changing the script (as far as I can remember).

I am thankful for every little hint :)

Simon
#!/sbin/runscript
IPTABLES=/sbin/iptables
IPTABLESSAVE=/sbin/iptables-save
IPTABLESRESTORE=/sbin/iptables-restore
FIREWALL=/etc/firewall.rules
DNS1=145.253.2.11
DNS2=145.253.2.75
#inside
IINTERFACE=eth0
#outside
OINTERFACE=ppp0
opts="${opts} showstatus panic save restore showoptions rules"

depend() {
    need net procparam
}

rules() {
    stop
    ebegin "Setting internal rules"

    einfo "Setting default rule to drop"
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP

    #default rule
    einfo "Creating states chain"
    $IPTABLES -N allowed-connection
    $IPTABLES -F allowed-connection
    $IPTABLES -A allowed-connection -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A allowed-connection -i $IINTERFACE -m limit -j LOG --log-prefix "Bad packet from ${IINTERFACE}: "
    $IPTABLES -A allowed-connection -j DROP

    #ICMP traffic
    einfo "Creating icmp chain"
    $IPTABLES -N icmp_allowed
    $IPTABLES -F icmp_allowed
    $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPTABLES -A icmp_allowed -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPTABLES -A icmp_allowed -p icmp -j LOG --log-prefix "Bad ICMP traffic: "
    $IPTABLES -A icmp_allowed -p icmp -j DROP

    #Incoming traffic
    einfo "Creating incoming ssh traffic chain"
    $IPTABLES -N allow-ssh-traffic-in
    $IPTABLES -F allow-ssh-traffic-in
    #Flood protection
    $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport ssh -j ACCEPT
    $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport ssh -j ACCEPT
    $IPTABLES -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport ssh -j ACCEPT
    $IPTABLES -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p tcp --dport ssh -j ACCEPT

    #outgoing traffic
    einfo "Creating outgoing ssh traffic chain"
    $IPTABLES -N allow-ssh-traffic-out
    $IPTABLES -F allow-ssh-traffic-out
    $IPTABLES -A allow-ssh-traffic-out -p tcp --dport ssh -j ACCEPT

    einfo "Creating outgoing dns traffic chain"
    $IPTABLES -N allow-dns-traffic-out
    $IPTABLES -F allow-dns-traffic-out
    $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS1 --dport domain -j ACCEPT
    $IPTABLES -A allow-dns-traffic-out -p udp -d $DNS2 --dport domain -j ACCEPT

    einfo "Creating outgoing http/https traffic chain"
    $IPTABLES -N allow-www-traffic-out
    $IPTABLES -F allow-www-traffic-out
    $IPTABLES -A allow-www-traffic-out -p tcp --dport www -j ACCEPT
    $IPTABLES -A allow-www-traffic-out -p tcp --dport https -j ACCEPT

    #Catch portscanners
    einfo "Creating portscan detection chain"
    $IPTABLES -N check-flags
    $IPTABLES -F check-flags
    $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS: "
    $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
    $IPTABLES -A check-flags -p tcp --tcp-flags
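An added example, not part of the thread and not taken from Simon's attached script or from the Gentoo guide: the ICMP and NAT pieces that a two-interface router of this shape needs. The error `ping: sendmsg: Operation not permitted` is the EPERM the kernel returns to a local process when its outgoing packet is dropped in the OUTPUT chain, so with `-P OUTPUT DROP` the router's own echo-request has to be accepted there explicitly. The icmp_allowed chain in the attached script admits only time-exceeded and destination-unreachable, so if OUTPUT hands ICMP to that chain (the visible part of the script stops before the chains are hooked into INPUT/OUTPUT/FORWARD), an outgoing echo-request falls through to its DROP; the echo-reply would then come back as ESTABLISHED. For LAN hosts to get replies from 192.168.0.1, echo-request must be accepted on the inside interface in INPUT. NAT itself needs ip_forward, a MASQUERADE rule on ppp0 and FORWARD rules, none of which appear in the visible part of the script. The interface names are the ones from the script; the LAN prefix 192.168.0.0/24, the PPPoE assumption behind the MSS clamp and the filename fw-icmp-nat.sh are assumptions. `$IPTABLES` and `$SYSCTL` are overridable so the rule set can be dry-run without root.

```shell
#!/bin/sh
# Added example (not Simon's attached script and not the Gentoo guide's):
# ICMP handling and NAT wiring for an eth0 (inside) / ppp0 (outside) router.
# Assumptions: interface names as in the original script, LAN 192.168.0.0/24,
# and a PPPoE link with an MTU below 1500 (for the MSS clamp).
#
# IPTABLES and SYSCTL are overridable so the rule set can be dry-run without
# root, e.g.:  IPTABLES=echo SYSCTL=echo sh fw-icmp-nat.sh apply
IPTABLES=${IPTABLES:-/sbin/iptables}
SYSCTL=${SYSCTL:-/sbin/sysctl}
IINTERFACE=${IINTERFACE:-eth0}      # inside
OINTERFACE=${OINTERFACE:-ppp0}      # outside
LAN=${LAN:-192.168.0.0/24}

icmp_rules() {
    # (Re)create the chain so the function can be re-run safely.
    $IPTABLES -N icmp_allowed 2>/dev/null || true
    $IPTABLES -F icmp_allowed
    # Echo replies and ICMP errors that belong to a tracked flow.
    $IPTABLES -A icmp_allowed -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
    # The router may ping out. With OUTPUT policy DROP, a locally generated
    # echo-request that reaches no ACCEPT is dropped and ping reports
    # "sendmsg: Operation not permitted" (EPERM).
    $IPTABLES -A icmp_allowed -p icmp --icmp-type echo-request -o "$OINTERFACE" -j ACCEPT
    # LAN hosts may ping the router, rate-limited so it cannot be used to flood.
    $IPTABLES -A icmp_allowed -p icmp --icmp-type echo-request -i "$IINTERFACE" -s "$LAN" \
        -m limit --limit 5/second -j ACCEPT
    # Everything else: log (rate-limited so it cannot fill the disk) and drop.
    $IPTABLES -A icmp_allowed -p icmp -m limit --limit 3/minute -j LOG --log-prefix "Bad ICMP traffic: "
    $IPTABLES -A icmp_allowed -p icmp -j DROP
    # Hand ICMP arriving at, and leaving from, the router itself to the chain.
    # (-i never matches in OUTPUT and -o never matches in INPUT, so the two
    # echo-request rules above each apply in only one direction.)
    $IPTABLES -A INPUT -p icmp -j icmp_allowed
    $IPTABLES -A OUTPUT -p icmp -j icmp_allowed
}

nat_rules() {
    # Without forwarding enabled, NAT appears to work only while something
    # else has switched it on; set it here or in /etc/sysctl.conf.
    $SYSCTL -w net.ipv4.ip_forward=1
    # Rewrite LAN source addresses to whatever address ppp0 currently has.
    $IPTABLES -t nat -A POSTROUTING -o "$OINTERFACE" -j MASQUERADE
    # FORWARD policy is DROP: allow LAN -> Internet and the replies only.
    $IPTABLES -A FORWARD -i "$IINTERFACE" -o "$OINTERFACE" -s "$LAN" -j ACCEPT
    $IPTABLES -A FORWARD -i "$OINTERFACE" -o "$IINTERFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # ADSL/PPPoE (assumed): clamp TCP MSS on outgoing SYNs so LAN hosts behind
    # the smaller MTU do not hit path-MTU black holes.
    $IPTABLES -t mangle -A FORWARD -o "$OINTERFACE" -p tcp --tcp-flags SYN,RST SYN \
        -j TCPMSS --clamp-mss-to-pmtu
}

# Only touch the live rule set when explicitly asked.
if [ "${1:-}" = apply ]; then
    icmp_rules
    nat_rules
fi
```

Apply with `sh fw-icmp-nat.sh apply` as root, then check with `iptables -L icmp_allowed -v -n` and `iptables -t nat -L POSTROUTING -v -n`: the per-rule packet counters show whether the echo-request rule is actually being hit when the router pings out, which is a faster diagnosis than re-reading the script.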