Tuesday, July 24, 2007

FIREWALLING, NATING, AND PREROUTING SAMPLE

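#!/bin/bash
# Configure Iptables for Firewalling and NAT
#
# Turns this host into a stateful firewall / NAT gateway between a LAN
# interface ($LAN) and an Internet interface ($INET), and forwards a few
# ports from the Internet to one LAN host ($DNAT_HOST).
#
# Requirements: root privileges and an iptables binary at $IPTABLES.
# Side effects:  flushes the filter and nat tables and replaces the
#                default policies, toggles /proc/sys/net/ipv4/ip_forward
#                and ip_dynaddr, and prints the final rule set to stdout.

echo " #######################################"
echo " # Enabling Firewall #"
echo " #######################################"

### Location of the iptables and kernel module programs
IPTABLES=/sbin/iptables
#IPTABLES=/usr/local/sbin/iptables

### declaring interfaces
INET='ppp0'
LAN='eth0'

### LAN host that receives the DNAT'd ports (see the DNAT sections below)
DNAT_HOST='192.168.0.1'

# Everything below writes /proc and loads kernel rules, so refuse to run
# unprivileged rather than stop half-way with the firewall partly applied.
if [[ "$(id -u)" -ne 0 ]]; then
  echo "Error: this script must be run as root" >&2
  exit 1
fi
if [[ ! -x "$IPTABLES" ]]; then
  echo "Error: iptables not found or not executable at $IPTABLES" >&2
  exit 1
fi

#######################################
# Forward one port from the Internet interface to $DNAT_HOST.
# Arguments: $1 - protocol (tcp or udp)
#            $2 - destination port
# The FORWARD rule is limited to $INET -> $LAN traffic addressed to
# $DNAT_HOST; a bare "-A FORWARD --dport N -j ACCEPT" would also accept
# that port in every other direction and towards every other host.
#######################################
dnat_port() {
  local proto=$1
  local port=$2
  "$IPTABLES" -A FORWARD -i "$INET" -o "$LAN" -d "$DNAT_HOST" -p "$proto" --dport "$port" -j ACCEPT
  "$IPTABLES" -t nat -A PREROUTING -i "$INET" -p "$proto" --dport "$port" -j DNAT --to-destination "${DNAT_HOST}:${port}"
}

# disable forwarding - done for security - enabled at the end
echo " - Disabling forwarding (security).."
echo "0" > /proc/sys/net/ipv4/ip_forward

# dynamic-address support for the dial-up interface
echo " - Enabling DynamicAddr.."
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

### Clearing previous rules and setting default policy ###
echo "Clearing previous rules and setting default policy..."

# Default-deny for INPUT and FORWARD; OUTPUT stays open except for the
# privileged-source-port block near the end.
"$IPTABLES" -F INPUT
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -F OUTPUT
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -F FORWARD
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -t nat -F
### Clearing previous rules and setting default policy END ###


### FORWARD ###
echo "Enabling Forwarding..."

# FORWARD: Allow all connections OUT and only existing and related ones IN..
"$IPTABLES" -A FORWARD -i "$INET" -o "$LAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

"$IPTABLES" -A FORWARD -i "$LAN" -o "$INET" -j ACCEPT
### FORWARD END ###



### NAT ###
echo "Enabling Nat..."

echo " - Enabling SNAT (MASQUERADE) functionality on internet interface.."
"$IPTABLES" -t nat -A POSTROUTING -o "$INET" -j MASQUERADE
### NAT END ###


### General INPUT ###
echo "Enabling General INPUT rules..."

"$IPTABLES" -A INPUT -i "$LAN" -m state --state RELATED,ESTABLISHED -j ACCEPT # allow incoming replies to outgoing lan traffic
"$IPTABLES" -A INPUT -i "$INET" -m state --state RELATED,ESTABLISHED -j ACCEPT # allow incoming replies to outgoing internet traffic
### General INPUT END ###


### Localhost ###
echo "Localhost rules..."

"$IPTABLES" -A INPUT -i lo -j ACCEPT # allow all incoming traffic on localhost
"$IPTABLES" -A OUTPUT -o lo -j ACCEPT # allow all outgoing traffic on localhost
### Localhost END ###


### ICMP ###
echo "ICMP rules..."

"$IPTABLES" -A INPUT -p icmp -m state --state RELATED,ESTABLISHED -j ACCEPT # allow replies to outgoing icmp traffic
"$IPTABLES" -A INPUT -i "$LAN" -p icmp --icmp-type 8 -m limit --limit 1/sec -j ACCEPT # allow echo request coming from lan
# Rate-limited so unsolicited ICMP from the Internet cannot flood the log.
"$IPTABLES" -A INPUT -p icmp -m limit --limit 5/min -j LOG --log-prefix "All other icmp:" # log all other icmp traffic
### ICMP END ###


### Samba ###
echo "Samba rules..."

"$IPTABLES" -A INPUT -i "$LAN" -p tcp --dport 137 -j ACCEPT # NetBIOS name service tcp
"$IPTABLES" -A INPUT -i "$LAN" -p udp --dport 137 -j ACCEPT # NetBIOS name service udp
"$IPTABLES" -A INPUT -i "$LAN" -p udp --dport 138 -j ACCEPT # NetBIOS datagram service
"$IPTABLES" -A INPUT -i "$LAN" -p tcp --dport 139 -j ACCEPT # NetBIOS session service File/printer sharing and other operations
"$IPTABLES" -A INPUT -i "$LAN" -p tcp --dport 445 -j ACCEPT # Used by Win2k/xp when NetBIOS over TCP/IP is disabled - Microsoft Common Internet File System
"$IPTABLES" -A INPUT -i "$LAN" -p udp --dport 445 -j ACCEPT
#"$IPTABLES" -A INPUT -i "$LAN" -p tcp --dport 901 -j ACCEPT # used by SWAT (GUI configuration tool for samba)
### Samba END ###


### SSH ###
echo "SSH rules..."

"$IPTABLES" -A INPUT -i "$LAN" -p tcp --dport 22 -j ACCEPT # allow ssh connections from lan
### SSH END ###


### Webserver ###
echo "Webserver rules..."

"$IPTABLES" -A INPUT -i "$LAN" -p tcp --dport 80 -j ACCEPT # Open Webserver to lan
### Webserver END ###



### DNAT eMULE ###
echo "DNAT eMule..."

# Each call opens INET -> $DNAT_HOST for that port and rewrites the
# destination in PREROUTING; see dnat_port() above.
dnat_port tcp 4545
dnat_port udp 4646

dnat_port tcp 4661
dnat_port udp 4672
dnat_port tcp 4662
dnat_port tcp 4771
### DNAT eMULE END ###


### DNAT MySQL ###
# 3306 is the MySQL port, not an eMule port: this exposes the database on
# $DNAT_HOST directly to the Internet. Keep it only if that is intended;
# otherwise remove it or restrict the PREROUTING rule with "-s <trusted-source>".
dnat_port tcp 3306
### DNAT MySQL END ###

# block all outgoing traffic to the internet from source ports 1:1024
"$IPTABLES" -A OUTPUT -o "$INET" -p tcp --sport 1:1024 -j DROP
"$IPTABLES" -A OUTPUT -o "$INET" -p udp --sport 1:1024 -j DROP


# Catch-all logging, rate-limited so a scan cannot fill the disk or drown
# out useful entries. Packets still fall through to the DROP policy.
"$IPTABLES" -A INPUT -i "$INET" -m limit --limit 5/min -j LOG # Log all other input from internet
"$IPTABLES" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "Forward:" # Log all other forward
"$IPTABLES" -A INPUT -i "$LAN" -m limit --limit 5/min -j LOG --log-prefix "from LAN:" # log all other input from lan

# enable forwarding - done last for security
echo " - Enabling forwarding.."
echo "1" > /proc/sys/net/ipv4/ip_forward

# iptables-save only prints the running rule set to stdout; it persists
# nothing by itself. Redirect its output to the rules file your
# distribution restores at boot (or use the distribution's own save
# mechanism) if the rules must survive a reboot.
/sbin/iptables-save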


