iptables

Posted: October 23, 2008 in LINUX, SYSTEM UTILITY
Tags: , ,

#!/bin/sh
#
# iptables.sh
#
# An example of a simple iptables configuration. This script
# can enable ‘masquerading’ and will open user definable ports.
#
###################################################################
# Begin variable declarations and user configuration options ######
#
# Set the location of iptables (default).
IPTABLES=/sbin/iptables

# Local Interfaces
# This is the WAN interface that is our link to the outside world.
# For pppd and pppoe users.
# WAN_IFACE=”ppp0″
WAN_IFACE=”eth0″
#
# Local Area Network (LAN) interface.
#LAN_IFACE=”eth0″
LAN_IFACE=”eth1″

# Our private LAN address(es), for masquerading.
LAN_NET=”192.168.1.0/24″

# For static IP, set it here!
#WAN_IP=”1.2.3.4″

# Set a list of public server port numbers here…not too many!
# These will be open to the world, so use caution. The example is
# sshd, and HTTP (www). Any services included here should be the
# latest version available from your vendor. Comment out to disable
# all Public services. Do not put any ports to be forwarded here,
# this only direct access.
#PUBLIC_PORTS=”22 80 443″
PUBLIC_PORTS=”22″

# If we want to do port forwarding, this is the host
# that will be forwarded to.
#FORWARD_HOST=”192.168.1.3″

# A list of ports that are to be forwarded.
#FORWARD_PORTS=”25  80″

# If you get your public IP address via DHCP, set this.
DHCP_SERVER=66.21.184.66

# If you need identd for a mail server, set this.
MAIL_SERVER=

# A list of unwelcome hosts or nets. These will be denied access
# to everything, even our ‘Public’ services. Provide your own list.
#BLACKLIST=”11.22.33.44 55.66.77.88″

# A list of “trusted” hosts and/or nets. These will have access to
# ALL protocols, and ALL open ports. Be selective here.
#TRUSTED=”1.2.3.4/8  5.6.7.8″

## end user configuration options #################################
###################################################################

# Any and all addresses from anywhere.
ANYWHERE=”0/0″

# These modules may need to be loaded:
modprobe ip_conntrack_ftp
modprobe ip_nat_ftp

# Start building chains and rules #################################
#
# Let’s start clean and flush all chains to an empty state.
$IPTABLES -F
$IPTABLES -X

# Set the default policies of the built-in chains. If no match for any
# of the rules below, these will be the defaults that IPTABLES uses.
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P INPUT DROP

# Accept localhost/loopback traffic.
$IPTABLES -A INPUT -i lo -j ACCEPT

# Get our dynamic IP now from the Inet interface. WAN_IP will be the
# address we are protecting from outside addresses.
[ -z “$WAN_IP” ] &&\
  WAN_IP=`ifconfig $WAN_IFACE |grep inet |cut -d : -f 2 |cut -d \  -f 1`

# Bail out with error message if no IP available! Default policy is
# already set, so all is not lost here.
[ -z “$WAN_IP” ] && echo “$WAN_IFACE not configured, aborting.” && exit 1

WAN_MASK=`ifconfig $WAN_IFACE |grep Mask |cut -d : -f 4`
WAN_NET=”$WAN_IP/$WAN_MASK”

## Reserved IPs:
#
# We should never see these private addresses coming in from outside
# to our external interface.
$IPTABLES -A INPUT -i $WAN_IFACE -s 10.0.0.0/8      -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 172.16.0.0/12   -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 192.168.0.0/16  -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 127.0.0.0/8     -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 169.254.0.0/16  -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 224.0.0.0/4     -j DROP
$IPTABLES -A INPUT -i $WAN_IFACE -s 240.0.0.0/5     -j DROP
# Bogus routing
$IPTABLES -A INPUT -s 255.255.255.255 -d $ANYWHERE -j DROP

# Unclean
$IPTABLES -A INPUT -i $WAN_IFACE -m unclean -m limit \
  –limit 15/minute -j LOG –log-prefix “Unclean: ”
$IPTABLES -A INPUT -i $WAN_IFACE -m unclean -j DROP

## LAN access and masquerading
#
# Allow connections from our own LAN’s private IP addresses via the LAN
# interface and set up forwarding for masqueraders if we have a LAN_NET
# defined above.
if [ -n “$LAN_NET” ]; then
echo 1 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -A INPUT -i $LAN_IFACE  -j ACCEPT
# $IPTABLES -A INPUT -i $LAN_IFACE -s $LAN_NET -d $LAN_NET  -j ACCEPT 
$IPTABLES -t nat -A POSTROUTING -s $LAN_NET -o $WAN_IFACE -j MASQUERADE
fi

## Blacklist
#
# Get the blacklisted hosts/nets out of the way, before we start opening
# up any services. These will have no access to us at all, and will
# be logged.
for i in $BLACKLIST; do
$IPTABLES -A INPUT -s $i -m limit –limit 5/minute \
   -j LOG –log-prefix “Blacklisted: ”
$IPTABLES -A INPUT -s $i -j DROP
done

## Trusted hosts/nets
#
# This is our trusted host list. These have access to everything.
for i in $TRUSTED; do
$IPTABLES -A INPUT -s $i -j ACCEPT
done

# Port Forwarding
#
# Which ports get forwarded to which host. This is one to one
# port mapping (ie 80 -> 80) in this case.
[ -n “$FORWARD_HOST” ] &&\
for i in $FORWARD_PORTS; do
   $IPTABLES -A FORWARD -p tcp -s $ANYWHERE -d $FORWARD_HOST \
     –dport $i -j ACCEPT
   $IPTABLES -t nat -A PREROUTING -p tcp -d $WAN_IP –dport $i \
     -j DNAT –to $FORWARD_HOST:$i
done

## Open, but Restricted Access ports
#
# Allow DHCP server (their port 67) to client (to our port 68) UDP
# traffic from outside source.
[ -n “$DHCP_SERVER” ] &&\
$IPTABLES -A INPUT -p udp -s $DHCP_SERVER –sport 67 \
   -d $ANYWHERE –dport 68 -j ACCEPT

# Allow ‘identd’ (to our TCP port 113) from mail server only.
[ -n “$MAIL_SERVER” ] &&\
$IPTABLES -A INPUT -p tcp -s $MAIL_SERVER  -d $WAN_IP –dport 113 -j ACCEPT

# Open up Public server ports here (available to the world):
for i in $PUBLIC_PORTS; do
$IPTABLES -A INPUT -p tcp -s $ANYWHERE -d $WAN_IP –dport $i -j ACCEPT
done

# So I can check my home POP3 mailbox from work. Also, so I can ssh
# in to home system. Only allow connections from my workplace’s
# various IPs. Everything else is blocked.
$IPTABLES -A INPUT -p tcp -s 255.10.9.8/29 -d $WAN_IP –dport 110 -j ACCEPT

## ICMP (ping)
#
# ICMP rules, allow the bare essential types of ICMP only. Ping
# request is blocked, ie we won’t respond to someone else’s pings,
# but can still ping out.
$IPTABLES -A INPUT  -p icmp  –icmp-type echo-reply \
   -s $ANYWHERE -d $WAN_IP -j ACCEPT
$IPTABLES -A INPUT  -p icmp  –icmp-type destination-unreachable \
   -s $ANYWHERE -d $WAN_IP -j ACCEPT
$IPTABLES -A INPUT  -p icmp  –icmp-type time-exceeded \
   -s $ANYWHERE -d $WAN_IP -j ACCEPT

# Identd Reject
#
# Special rule to reject (with rst) any identd/auth/port 113
# connections. This will speed up some services that ask for this,
# but don’t require it. Be careful, some servers may require this
# one (IRC for instance).
#$IPTABLES -A INPUT -p tcp –dport 113 -j REJECT –reject-with tcp-reset

###################################################################
# Build a custom chain here, and set the default to DROP. All
# other traffic not allowed by the rules above, ultimately will
# wind up here, where it is blocked and logged, unless it passes
# our stateful rules for ESTABLISHED and RELATED connections. Let
# connection tracking do most of the worrying! We add the logging
# ability here with the ‘-j LOG’ target. Outgoing traffic is
# allowed as that is the default policy for the ‘output’ chain.
# There are no restrictions placed on that in this script.

# New chain…
$IPTABLES -N DEFAULT
# Use the ‘state’ module to allow only certain connections based
# on their ‘state’.
$IPTABLES -A DEFAULT -m state –state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A DEFAULT -m state –state NEW -i ! $WAN_IFACE -j ACCEPT
# Enable logging for anything that gets this far.
$IPTABLES -A DEFAULT -j LOG -m limit –limit 30/minute –log-prefix “Dropping: ”
# Now drop it, if it has gotten here.
$IPTABLES -A DEFAULT -j DROP

# This is the ‘bottom line’ so to speak. Everything winds up
# here, where we bounce it to our custom built ‘DEFAULT’ chain
# that we defined just above. This is for both the FORWARD and
# INPUT chains.

$IPTABLES -A FORWARD -j DEFAULT
$IPTABLES -A INPUT   -j DEFAULT

echo “Iptables firewall is up `date`.”

##– eof iptables.sh

Advertisements

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s