Open Source Library (UK)

Tuesday, February 14, 2006

an example firewall

This one's title isn't linked because I have made several modifications to the site where I originally learnt this, but I will link that site: http://yolinux.com/TUTORIALS/LinuxTutorialIptablesNetworkGateway.html. In fact, I'll link the whole place because it's good: http://yolinux.com/ and, most specifically, the tutorials section: http://yolinux.com/TUTORIALS/

Anyway, here's the example firewall:

firewall:

#!/bin/sh
# Delete and flush. Default table is "filter". Others like "nat" must be explicitly stated.
iptables --flush                    # - Flush all the rules in the filter table
iptables --table nat --flush        # - ... and in the nat table
iptables --delete-chain             # - Delete all user-defined chains in the filter table
iptables --table nat --delete-chain # - ... and in the nat table

# Set up IP FORWARDing and Masquerading (eth0 = external link, eth1 = internal LAN)
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 3128 # Transparency for Squid
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
# - Note: the FORWARD policy is left at its default of ACCEPT, so the rule above only
#   restricts anything once you also set "iptables -P FORWARD DROP" and add a matching
#   ESTABLISHED,RELATED rule to the FORWARD chain for the replies coming back in on eth0.

iptables -A INPUT -i lo -p all -j ACCEPT # - Allow self access by loopback interface
iptables -A OUTPUT -o lo -p all -j ACCEPT

iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT # - Accept established connections
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT # - Accept established connections

# - Reset any TCP packet that carries no MSS option (TCP option 2). Normally only the SYN
#   carries MSS and established traffic has already been accepted above, so in practice
#   this hits connection attempts that lack it.
iptables -A INPUT -p tcp --tcp-option ! 2 -j REJECT --reject-with tcp-reset

# - FTP, SSH, HTTP and Tomcat are TCP-only services; the matching UDP rules below never
#   match real traffic and can be dropped without losing anything. Rules without -i apply
#   on both the external and the internal interface.
iptables -A INPUT -p tcp --dport 21 -j ACCEPT # - Open ftp port
iptables -A INPUT -p udp --dport 21 -j ACCEPT

iptables -A INPUT -p tcp --dport 22 -j ACCEPT # - Open secure shell port
iptables -A INPUT -p udp --dport 22 -j ACCEPT

iptables -A INPUT -p tcp --dport 53 -j ACCEPT # - Open DNS ports
iptables -A INPUT -p udp --dport 53 -j ACCEPT

iptables -A INPUT -p tcp --dport 80 -j ACCEPT # - Open HTTP port
iptables -A INPUT -p udp --dport 80 -j ACCEPT

iptables -A INPUT -p tcp --dport 8080 -j ACCEPT # - Open Tomcat port
iptables -A INPUT -p udp --dport 8080 -j ACCEPT

iptables -A INPUT -p tcp -i eth1 --dport 445 -j ACCEPT # - Open SMB port - Internal Network Only
iptables -A INPUT -p udp -i eth1 --dport 445 -j ACCEPT

iptables -A INPUT -p tcp -i eth1 --dport 139 -j ACCEPT # - Open NetBios port - Internal Network Only
iptables -A INPUT -p udp -i eth1 --dport 139 -j ACCEPT

iptables -A INPUT -p tcp -i eth1 --dport 137 -j ACCEPT # - Open NetBios-ns port - Internal Network Only
iptables -A INPUT -p udp -i eth1 --dport 137 -j ACCEPT

iptables -A INPUT -p tcp -i eth1 --dport 138 -j ACCEPT # - Open NetBios port-dgm - Internal Network Only
iptables -A INPUT -p udp -i eth1 --dport 138 -j ACCEPT

iptables -A INPUT -p tcp -i eth1 --dport 123 -j ACCEPT # - Open NTP port - Internal Network Only
iptables -A INPUT -p udp -i eth1 --dport 123 -j ACCEPT

# - Passive FTP data ports. With the FTP connection-tracking helper loaded
#   (ip_conntrack_ftp on older kernels, nf_conntrack_ftp on newer ones) the
#   ESTABLISHED,RELATED rules above already cover passive data connections, so
#   this wide range can be left out entirely.
iptables -A INPUT -p tcp --dport 49152:65534 -j ACCEPT # - Passive FTP ports
iptables -A INPUT -p udp --dport 49152:65534 -j ACCEPT

# - Drop all other connection attempts. Only connections defined above are allowed.
#   Setting this after the rules means the host accepts everything between the
#   flush and this line; setting the policy first closes that window.
iptables -P INPUT DROP

echo 1 > /proc/sys/net/ipv4/ip_forward # - Enables packet forwarding by kernel
#--END--
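As an added example (not code from this post or from the YoLinux tutorial), here is a small POSIX shell audit that reads an iptables-save style dump and reports the three things worth checking in a ruleset like the one above: whether INPUT defaults to DROP, which ports are accepted on every interface rather than only the LAN side, and which UDP rules open ports for services that only speak TCP. The sample dump embedded in it is constructed to mirror the INPUT chain above; the function names and the TCP-only port list are assumptions made here, and the script never calls iptables itself.

```shell
#!/bin/sh
# Added example (not from the original post): audit an iptables-save dump of
# the INPUT chain for rules that are broader than the post's comments intend.
# Read-only: it parses text and never touches the running firewall.

# Constructed sample dump, laid out the way iptables-save prints the post's
# INPUT chain (assumed layout; a real dump may carry extra fields).
SAMPLE_RULES='*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
-A INPUT -p udp -m udp --dport 21 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p udp -m udp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p udp -m udp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -p udp -m udp --dport 8080 -j ACCEPT
-A INPUT -i eth1 -p tcp -m tcp --dport 445 -j ACCEPT
-A INPUT -i eth1 -p udp -m udp --dport 445 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 49152:65534 -j ACCEPT
-A INPUT -p udp -m udp --dport 49152:65534 -j ACCEPT
COMMIT'

# Services the post opens that speak TCP only (assumed list); a UDP ACCEPT for
# them never matches real traffic and only widens the exposed surface.
TCP_ONLY_PORTS="21 22 80 8080 49152:65534"

# Shared parser: prints "iface proto port target" for every INPUT rule on
# stdin, with "-" for any field the rule does not set. Option order is free.
parse_input_rules() {
    awk '$1 == "-A" && $2 == "INPUT" {
        iface = "-"; proto = "-"; port = "-"; target = "-"
        for (i = 3; i <= NF; i++) {
            if ($i == "-i") iface = $(i + 1)
            else if ($i == "-p") proto = $(i + 1)
            else if ($i == "--dport") port = $(i + 1)
            else if ($i == "-j") target = $(i + 1)
        }
        print iface, proto, port, target
    }'
}

# Default policy of the INPUT chain ("DROP" is what the post wants).
input_policy() {
    awk '$1 == ":INPUT" { print $2 }'
}

# Ports accepted without an interface match, i.e. reachable on the external
# interface as well as the LAN. Sorted and unique, one per line.
world_open_ports() {
    parse_input_rules | awk '$1 == "-" && $3 != "-" && $4 == "ACCEPT" { print $3 }' \
        | LC_ALL=C sort -u
}

# UDP ACCEPT rules for TCP-only services: dead rules that should be removed.
dead_udp_rules() {
    parse_input_rules | awk -v list="$TCP_ONLY_PORTS" '
        BEGIN { n = split(list, a, " "); for (k = 1; k <= n; k++) only[a[k]] = 1 }
        $2 == "udp" && $4 == "ACCEPT" && ($3 in only) { print "udp/" $3 }'
}

# Human-readable summary over the constructed sample.
audit_report() {
    printf 'INPUT policy: %s\n' "$(printf '%s\n' "$SAMPLE_RULES" | input_policy)"
    printf 'Ports open on every interface: %s\n' \
        "$(printf '%s\n' "$SAMPLE_RULES" | world_open_ports | tr '\n' ' ')"
    printf 'Dead UDP rules: %s\n' \
        "$(printf '%s\n' "$SAMPLE_RULES" | dead_udp_rules | tr '\n' ' ')"
}
audit_report
```

To run it against a live box instead of the sample, replace the `printf '%s\n' "$SAMPLE_RULES"` feeds with `iptables-save`; the parser keys only on the `-A INPUT` lines and the `:INPUT` policy line, so extra chains and counters in a real dump are ignored.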

This works for IPv4; when the IPv6 version becomes relevant, I'll post it :)

EDIT: Another great resource is from James Stephens at: http://www.sns.ias.edu/~jns/wp/iptables/
