Gentoo Forums
Need some help on my iptables firewall
faz
n00b

Joined: 02 Nov 2002
Posts: 73
Location: the Netherlands

Posted: Fri Jan 17, 2003 9:42 pm    Post subject: Need some help on my iptables firewall

I have made a firewall based on Daniel Robbins' firewall as described in his Intel papers. The box for this firewall has eth0 to my local network (192.168.0.0/24) and eth1 to my cable modem.

The firewall script:
Code:

#!/bin/bash

IPT=/sbin/iptables

#interfaces:
# eth0: 192.168.1.1 (our trusted LAN)
# eth1: ISP assigned IP number (our untrusted DSL router)

# Uncomment this line to accept incoming connection for the listed services
# SERVICES="http smtp"

# remove old rules
$IPT -F INPUT
$IPT -P INPUT ACCEPT
$IPT -F FORWARD
$IPT -P FORWARD ACCEPT
$IPT -t nat -F POSTROUTING
$IPT -F myfilter
$IPT -X myfilter
       
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding

# Set a default policy of DROP; deny-by-default for security:
$IPT -P INPUT DROP
$IPT -P FORWARD DROP

#myfilter chain:
#this chain contains rules common to our FORWARD and INPUT chains, all in one place.
#first, we create a new "myfilter" chain;
#then, we add a rule to accept ESTABLISHED and RELATED connections from anywhere;
#then, we add a rule to accept NEW connections coming in from anywhere but our untrusted eth1 interface;
#then, we add a rule to log any incoming INVALID packets;
#then, we add a rule to reject any incoming tcp connection with tcp-reset for fast, stealthy disconnect;
#then, we add a rule to reject any not-yet-handled connections with icmp-port-unreachable.
#everything else falls off the end of this chain and goes back to the next rule (if any) in the
#parent INPUT or FORWARD chain.

$IPT -N myfilter
$IPT -A myfilter -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A myfilter -m state --state NEW -i ! eth1 -j ACCEPT
$IPT -A myfilter -m state --state INVALID -j LOG --log-prefix "INVALID:" --log-level warning
$IPT -A myfilter -p tcp -j REJECT --reject-with tcp-reset
$IPT -A myfilter -j REJECT --reject-with icmp-port-unreachable

#INPUT chain:
#first, we loop through our SERVICES variable and add a rule for each public service on our firewall;
#then, we add a rule to log any pings to our firewall box from the Internet (max 1/minute);
#then, we add a rule to accept up to 2 pings per second to our firewall box from the Internet;
#then, we direct any traffic that doesn't match these rules to our standard myfilter chain.
#everything else falls off the end of this chain and gets a default policy of DENY.

for x in $SERVICES
do
        $IPT -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT
done
$IPT -A INPUT -p icmp -i eth1 --icmp-type echo-request -m limit --limit 1/minute -j LOG --log-prefix "PING:" --log-level notice
$IPT -A INPUT -p icmp -i eth1 --icmp-type echo-request -m limit --limit 2/second -j ACCEPT
$IPT -A INPUT -j myfilter

#FORWARD chain:
#simply forward all FORWARD traffic to our myfilter chain.
#if any traffic were to make it through the myfilter chain, it would fall off the end of the FORWARD
#chain and get a default policy of DENY.

$IPT -A FORWARD -j myfilter

#Set up MASQUERADE-ing so that machines on our LAN can use our DSL router:
$IPT -t nat -P POSTROUTING DROP
$IPT -t nat -A POSTROUTING -o ppp+ -j MASQUERADE


This setup worked well for me.

Now I've implemented DDNS (BIND) and DHCP on this box, where DHCP updates DNS. This did not work, and I found out this is due to the above firewall. When I switch off the firewall everything works. Also, with an enabled firewall I can't ping anything from this box (I get "sendto: Operation not permitted").

I'm not an IPTABLES expert. What should be altered in the above firewall to enable communications between services on the local box? Also, local pings should be working on the internal network and on this box.

Thank you for any help on this.
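Added example, not part of faz's post and not Daniel Robbins' script: the posted rule set revised so that daemons on the firewall box can reach each other, the LAN and the Internet. The revision follows from the script itself. The nat POSTROUTING chain is given a DROP policy while the only MASQUERADE rule matches `-o ppp+`, which never fires on a box whose uplink is eth1, so the first packet of every new connection leaving the box or being forwarded, loopback and LAN traffic included, is discarded in POSTROUTING; the kernel reports a locally generated packet dropped by netfilter as EPERM, which is the "sendto: Operation not permitted" the post quotes. Interface roles (eth0 LAN, eth1 cable modem) and the 192.168.0.0/24 prefix come from the post; the variable names, the `DRY_RUN` switch and the `--apply` flag are this example's own. Without `--apply` the script only prints the iptables commands it would run, so the rule set can be reviewed on any machine without root.

```bash
#!/bin/bash
# Added example, not the poster's script: the posted rule set revised so that
# daemons on the firewall box can talk to each other, to the LAN and outward.
# From the post: eth0 = LAN 192.168.0.0/24, eth1 = cable modem. Assumed by this
# example: the variable names, the DRY_RUN switch and the --apply flag.
# Without --apply the script only prints the iptables commands it would run,
# so the rule set can be reviewed (or tested) without root.

IPT=${IPT:-/sbin/iptables}
LAN_IF=eth0
WAN_IF=eth1
LAN_NET=192.168.0.0/24
SERVICES=""            # e.g. "http smtp" to expose services towards the Internet

# Execute an iptables command, or print it when DRY_RUN is set.
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "$*"
    else
        "$IPT" "$@"
    fi
}

apply_rules() {
    # Start from a clean slate; the myfilter lines fail harmlessly on first run.
    run -F INPUT
    run -F FORWARD
    run -F myfilter 2>/dev/null || true
    run -X myfilter 2>/dev/null || true
    run -t nat -F POSTROUTING

    run -P INPUT DROP
    run -P FORWARD DROP
    # The nat chain keeps ACCEPT on purpose: with a DROP policy, the first
    # packet of every connection that no nat rule matches (all loopback and
    # LAN-bound traffic from this box) is discarded before it is ever sent.
    run -t nat -P POSTROUTING ACCEPT

    # Loopback first: BIND and DHCP exchange their DNS updates over 127.0.0.1.
    run -A INPUT -i lo -j ACCEPT

    # Shared chain, same logic as the post: replies to what we started, new
    # connections from anywhere but the Internet side, then log and reject.
    run -N myfilter
    run -A myfilter -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A myfilter -m state --state NEW ! -i "$WAN_IF" -j ACCEPT
    run -A myfilter -m state --state INVALID -j LOG --log-prefix "INVALID:" --log-level warning
    run -A myfilter -p tcp -j REJECT --reject-with tcp-reset
    run -A myfilter -j REJECT --reject-with icmp-port-unreachable

    # INPUT: published services, rate-limited pings from the Internet, the rest
    # through myfilter. Pings from the LAN and from the box itself are already
    # accepted there by the "NEW, not from $WAN_IF" rule.
    for svc in $SERVICES; do
        run -A INPUT -i "$WAN_IF" -p tcp --dport "$svc" -m state --state NEW -j ACCEPT
    done
    run -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -m limit --limit 1/minute -j LOG --log-prefix "PING:" --log-level notice
    run -A INPUT -i "$WAN_IF" -p icmp --icmp-type echo-request -m limit --limit 2/second -j ACCEPT
    run -A INPUT -j myfilter

    # FORWARD: replies to LAN connections, then only packets that really come
    # from the LAN prefix on the LAN interface; anything else hits the DROP policy.
    run -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    run -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j myfilter

    # Masquerade on the interface that carries the Internet link. The post's
    # "-o ppp+" never matches a cable modem on eth1, so every packet fell
    # through to the chain's DROP policy instead.
    run -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN_IF" -j MASQUERADE

    # Forwarding itself is a sysctl, not a rule; skip it in dry-run mode.
    [ -n "$DRY_RUN" ] || echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Only --apply touches the kernel; any other invocation prints the rule set.
[ "${1:-}" = "--apply" ] || DRY_RUN=1
apply_rules
```

Running it without arguments prints the rules, which is the quickest way to diff a revision against the running configuration before applying it with `--apply`; the printed lines are the exact arguments that would be passed to iptables.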
All times are GMT