Journal jasno's Journal: Firewall config
This is my current firewall config. Comments appreciated!
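#!/bin/sh
#
# Firewall script for 3 interface router (Internet / LAN / DMZ).
#
# Runs as root: it loads kernel modules, writes /proc/sys and programs
# iptables. Only IPv4 is configured here; ip6tables is never touched, so
# IPv6 traffic on these interfaces is outside this policy.
#
IPT=/sbin/iptables
# Interfaces: upstream link, DMZ segment and LAN segment.
INET=eth0
IDMZ=eth2
ILAN=eth1
# Address ranges behind the DMZ and LAN interfaces.
# (Defined for reference; no rule below currently matches on them.)
DMZNET=10.10.2.0/24
LANNET=10.10.1.0/24
# DMZ host that inbound forwarded ports are DNATed to.
DMZHOST=10.10.2.40
# Forward the following ports to the DMZ host.
# Names (ssh, www, https) are resolved by iptables via /etc/services.
TCPFWD="ssh www https 8000 8001"
UDPFWD="5121"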
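# Turn off forwarding while the ruleset is being rebuilt, so nothing
# crosses the router against a half-built policy. (The path was lost in
# page extraction; ip_forward is the knob the comment describes.)
echo 0 > /proc/sys/net/ipv4/ip_forward
# Netfilter core plus the FTP/IRC connection-tracking and NAT helpers
# that let those protocols' secondary data connections through.
# NOTE(review): each helper widens what conntrack will admit as RELATED;
# load only the ones actually needed (drop the IRC pair if IRC is unused).
modprobe ip_tables
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
modprobe ip_nat_irc
modprobe ip_conntrack_irc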
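###############################################################
# Setup
# Kernel network hardening via /proc/sys. The original targets were lost
# when this page was extracted; the ones below are restored from the
# comment that describes each block, placeholders mark the two that
# cannot be recovered from the page.
# NOTE(review): PLACEHOLDER — original sysctl target unknown; restore before use.
echo 1 > /proc/sys/net/ipv4/SETTING_LOST_IN_EXTRACTION
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  echo 0 > "$f"
done
# Enable TCP SYN Cookie Protection
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
  echo 0 > "$f"
done
# Don't send Redirect Messages
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
  echo 0 > "$f"
done
# Drop Spoofed Packets coming in on an interface, which if replied to,
# would result in the reply going out a different interface
# (reverse-path filtering).
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
  echo 1 > "$f"
done
# Self explanatory
# NOTE(review): PLACEHOLDER — original sysctl target unknown; restore before use.
echo "1" > /proc/sys/net/ipv4/SETTING_LOST_IN_EXTRACTION
# Log packets with impossible addresses.
#for f in /proc/sys/net/ipv4/conf/*/log_martians; do
# echo 1 > "$f"
#done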
###############################################################
# Flush every chain and delete user-defined chains in each table,
# so the rules below start from a clean slate.
for table in filter nat mangle; do
  "$IPT" -t "$table" -F
  "$IPT" -t "$table" -X
done
# Default policy: drop anything not explicitly accepted on INPUT and
# FORWARD; OUTPUT stays ACCEPT so the router's own traffic is unrestricted.
"$IPT" -P INPUT DROP
"$IPT" -P OUTPUT ACCEPT
"$IPT" -P FORWARD DROP
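###############################################################
# Stealth Scans and TCP State Flags
# Drop TCP segments with flag combinations no legitimate stack sends;
# they are typical of scanners and malformed traffic. Applied to both
# INPUT (the router itself) and FORWARD (hosts behind it). Uses "$IPT"
# like the rest of the script rather than a bare `iptables` so the
# binary path is configured in one place.
# (Rule order within each chain is unchanged from the original.)
for chain in INPUT FORWARD; do
  # All of the bits are cleared
  "$IPT" -A "$chain" -p tcp --tcp-flags ALL NONE -j DROP
  # SYN and FIN are both set
  "$IPT" -A "$chain" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
  # SYN and RST are both set
  "$IPT" -A "$chain" -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  # FIN and RST are both set
  "$IPT" -A "$chain" -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
  # FIN is the only bit set, without the expected accompanying ACK
  "$IPT" -A "$chain" -p tcp --tcp-flags ACK,FIN FIN -j DROP
  # PSH is the only bit set, without the expected accompanying ACK
  "$IPT" -A "$chain" -p tcp --tcp-flags ACK,PSH PSH -j DROP
  # URG is the only bit set, without the expected accompanying ACK
  "$IPT" -A "$chain" -p tcp --tcp-flags ACK,URG URG -j DROP
done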
###############################################################
# Setup rules for connecting to the gateway itself (INPUT chain).
# Only these three rules accept; everything else hits the DROP policy,
# so the DMZ and the Internet cannot reach services on the router.
# Loopback is trusted
$IPT -A INPUT -i lo -j ACCEPT
# Allow related packets from any interface (replies to the router's own
# outbound connections, which OUTPUT permits unconditionally)
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow all connections from LAN
# NOTE(review): every LAN host gets unrestricted access to the router's
# services; narrow to the needed ports if the LAN is not fully trusted.
$IPT -A INPUT -i $ILAN -j ACCEPT
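###############################################################
# Setup rules to allow the internal nets to access the internet
# (FORWARD chain; default policy is DROP).
# Allow LAN to connect to anything — this includes the DMZ, while the
# DMZ gets no rule back into the LAN.
"$IPT" -A FORWARD -i "$ILAN" -j ACCEPT
# Allow all traffic going from DMZ to outside
"$IPT" -A FORWARD -i "$IDMZ" -o "$INET" -j ACCEPT
# Only allow return traffic back inside.
# Negation is written `! -o` (extrapositioned): the older `-o !` form is
# deprecated and rejected by current iptables. The interface restriction
# keeps established/related flows from being accepted back out on $INET.
"$IPT" -A FORWARD ! -o "$INET" -m state --state ESTABLISHED,RELATED -j ACCEPT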
###############################################################
# Setup masquerading
# LAN S-NAT: rewrite the source of everything leaving on $INET to the
# router's upstream address. Not limited to $LANNET, so DMZ traffic
# leaving on $INET is masqueraded too.
$IPT -t nat -A POSTROUTING -o $INET -j MASQUERADE
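###############################################################
# DMZ Port Forwarding
# Target host for inbound forwards; falls back to the original hard-coded
# address when DMZHOST is not set in the configuration section.
DMZHOST=${DMZHOST:-10.10.2.40}

# forward_to_dmz PROTO PORT
#   Permit and DNAT inbound PROTO/PORT arriving on $INET to $DMZHOST.
#   The FORWARD rule is pinned to -i $INET -o $IDMZ so the opened port is
#   reachable only on the DMZ side, never toward the LAN.
forward_to_dmz() {
  "$IPT" -A FORWARD -i "$INET" -o "$IDMZ" -p "$1" --dport "$2" \
    -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -t nat -A PREROUTING -p "$1" --dport "$2" -i "$INET" \
    -j DNAT --to "$DMZHOST"
}

# $TCPFWD / $UDPFWD are deliberately unquoted: they are space-separated
# port lists and must word-split.
for port in $TCPFWD; do
  forward_to_dmz tcp "$port"
done
for port in $UDPFWD; do
  forward_to_dmz udp "$port"
done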
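###############################################################
# LAN Port Forwarding (disabled)
#$IPT -A FORWARD -i $INET -o $ILAN -p tcp --dport 80 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#$IPT -t nat -A PREROUTING -p tcp --dport 80 -i $INET -j DNAT --to 10.10.1.40
# LAN D-NAT (disabled)
# NOTE: $IEXT is never defined in this script; use $INET if these are re-enabled.
#$IPT -t nat -A PREROUTING -p tcp --dport 80 -i $IEXT -j DNAT --to 10.10.1.40:8080
# DMZ D-NAT (disabled)
#$IPT -t nat -A PREROUTING -p tcp --dport 80 -i $IEXT -j DNAT --to 10.10.2.40
#$IPT -t nat -A PREROUTING -p udp --dport 5121 -i $IEXT -j DNAT --to 10.10.2.40
# Re-enable forwarding now that the full ruleset is in place.
# NOTE(review): the target of this write was lost in extraction; ip_forward
# is the natural pairing with the "Turn off forwarding" write at the top
# and is required for any FORWARD rule to matter — confirm against the original.
echo 1 > /proc/sys/net/ipv4/ip_forward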