
Iptables

iptables provides rule-based packet filtering and NAT for the Linux kernel's netfilter framework (the actual routing decision is made by the kernel routing table; iptables decides which packets may pass and how their addresses are rewritten). Although it gets tricky in more complex environments, the basic concept — default policies plus an ordered list of rules per chain — is easy to understand.

How it works

Sample script

#!/bin/bash
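#parameters for this script - edit these, nothing below should need changing.
# The script must run as root: it loads kernel modules, writes /proc/sys and
# calls iptables.  Marked readonly so a typo further down cannot silently
# repoint a rule at the wrong interface or host.
readonly LAN_IFACE="eth1"            # internal (trusted) interface
readonly EXT_IFACE="ppp0"            # external, internet-facing interface (masqueraded)
readonly LAN="192.168.0.0/24"        # address range behind LAN_IFACE
readonly IPTABLES="/sbin/iptables"   # absolute path so PATH cannot substitute another binary
readonly GUTSY="192.168.0.1"         # LAN host; not referenced by any rule in this script
readonly BENDER="192.168.0.3"        # LAN host that receives the DNAT port forwards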
 
# Kernel modules for filtering, connection tracking (including the FTP helper
# that tracks the data channel so the RELATED rule below can admit it) and NAT.
# Failures are deliberately not checked: modprobe prints its own error and the
# script carries on.  NOTE(review): these are the legacy ip_conntrack* names;
# presumably newer kernels (nf_conntrack*) make these calls fail noisily.
for kmod in ip_tables ip_conntrack ip_conntrack_ftp ip_nat_ftp iptable_nat; do
  modprobe "$kmod"
done
 
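case "$1" in
 start)
  echo "Starting Firewall..."

  # Empty the tables first so that calling "start" on an already running
  # firewall does not append a second copy of every rule (only "stop" used
  # to flush; "restart" was fine, a bare second "start" was not).
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -t nat -F

  #set kernel parameters (IPv4 hardening; note that this script never touches
  # ip6tables, so IPv6 traffic is not filtered at all if the kernel has IPv6 enabled)
  echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter            # reverse-path check: drop packets whose source is not routable via the ingress interface
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route  # ignore source-routed packets
  echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects     # ignore ICMP redirects (route poisoning)
  echo 0 > /proc/sys/net/ipv4/conf/all/log_martians         # NOTE: rp_filter drops martians but they are not logged; set to 1 if you want them in the kernel log
  echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts   # do not answer broadcast pings (smurf amplification); was 0 in the original
  echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_all          # normal pings are answered, see the ICMP rules below
  echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
  echo 1 > /proc/sys/net/ipv4/tcp_window_scaling
  echo 1 > /proc/sys/net/ipv4/tcp_syncookies                # SYN-flood resistance

############# POLICIES ############
  #default policy: drop everything no rule below accepts (fail closed).
  # If iptables cannot even set the policies (wrong binary, missing modules,
  # not root) we must not continue: the script would otherwise reach the
  # ip_forward=1 line at the end and turn the box into an unfiltered router.
  for chain in INPUT OUTPUT FORWARD; do
    "$IPTABLES" -P "$chain" DROP || {
      echo "Firewall: cannot set default policy on $chain, aborting" >&2
      exit 1
    }
  done

############# GENERAL STUFF ##########
  #allow everything on the loopback device
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  "$IPTABLES" -A OUTPUT -o lo -j ACCEPT

#ESTABLISHED,RELATED: packets belonging to a tracked connection (and helper-
# announced ones such as FTP data channels) pass without a per-service rule
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#PING inbound - no interface match, so this applies to LAN and WAN alike.
# The echo-reply rule additionally admits unsolicited replies, which the
# ESTABLISHED rule above would not; the original kept it, so it stays.
  "$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  "$IPTABLES" -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

######### NAT #############
  #masquerade everything leaving through the external interface
  "$IPTABLES" -t nat -A POSTROUTING -o "$EXT_IFACE" -j MASQUERADE

##### OPEN PORTS TO LAN #####
# Port forwards need two lines each: the DNAT entry in nat/PREROUTING rewrites
# the destination, and the FORWARD rule lets the rewritten packet through the
# DROP policy.  The FORWARD rule is additionally pinned to -d $BENDER so it
# cannot admit anything the DNAT did not redirect there.
#  "$IPTABLES" -m multiport -t nat -A PREROUTING -i "$EXT_IFACE" -p tcp --dports 21:22 -j DNAT --to-destination "$BENDER"
#  "$IPTABLES" -m multiport -A FORWARD -i "$EXT_IFACE" -d "$BENDER" -p tcp --dports 21:22 -j ACCEPT

  "$IPTABLES" -m multiport -t nat -A PREROUTING -i "$EXT_IFACE" -p udp --dports 7777:7778,7787 -j DNAT --to-destination "$BENDER"
  "$IPTABLES" -m multiport -A FORWARD -i "$EXT_IFACE" -d "$BENDER" -p udp --dports 7777:7778,7787 -j ACCEPT


#  "$IPTABLES" -m multiport -t nat -A PREROUTING -i "$EXT_IFACE" -p udp --dports 1200,27020,27000:27015 -j DNAT --to-destination "$BENDER"
#  "$IPTABLES" -m multiport -A FORWARD -i "$EXT_IFACE" -d "$BENDER" -p udp --dports 1200,27020,27000:27015 -j ACCEPT
#  "$IPTABLES" -m multiport -t nat -A PREROUTING -i "$EXT_IFACE" -p tcp --dports 27015,27030:27039 -j DNAT --to-destination "$BENDER"
#  "$IPTABLES" -m multiport -A FORWARD -i "$EXT_IFACE" -d "$BENDER" -p tcp --dports 27015,27030:27039 -j ACCEPT

##### OPEN LOCAL PORTS #####
# Services on the firewall host itself, reachable from the whole internet.
  "$IPTABLES" -A INPUT -i "$EXT_IFACE" -p tcp --dport 80 -j ACCEPT #Apache2
  "$IPTABLES" -A INPUT -i "$EXT_IFACE" -p tcp --dport 443 -j ACCEPT #Apache2 SSL
  "$IPTABLES" -A INPUT -i "$EXT_IFACE" -p tcp --dport 21 -j ACCEPT #PROFTPD (plaintext; data channels are admitted by the RELATED rule via ip_conntrack_ftp)
  "$IPTABLES" -A INPUT -i "$EXT_IFACE" -p tcp --dport 22 -j ACCEPT #SSH (the original comment said PROFTPD, presumably a copy-paste; confirm what listens on 22)
  "$IPTABLES" -A INPUT -i "$EXT_IFACE" -p tcp --dport 25 -j ACCEPT #POSTFIX
  "$IPTABLES" -A INPUT -i "$EXT_IFACE" -p tcp --dport 63393 -j ACCEPT #LFS
  "$IPTABLES" -A INPUT -i "$EXT_IFACE" -p udp --dport 63393 -j ACCEPT #LFS
  "$IPTABLES" -A INPUT -i "$EXT_IFACE" -p tcp --dport 5900 -j ACCEPT #VNC - WARNING: classic VNC has no transport encryption; exposed here to every source address. Add -s <trusted-ip> or tunnel it over SSH instead.
  "$IPTABLES" -A INPUT -i "$EXT_IFACE" -p tcp --dport 14230 -j ACCEPT #Azureus
  "$IPTABLES" -A INPUT -i "$EXT_IFACE" -p udp --dport 14230 -j ACCEPT #Azureus
  "$IPTABLES" -A INPUT -i "$EXT_IFACE" -p udp --dport 8767 -j ACCEPT #Teamspeakserver
  "$IPTABLES" -A INPUT -i "$EXT_IFACE" -p tcp --dport 8010 -j ACCEPT #Jabber Incoming traffic


#LAN->FIREWALL: the LAN side is fully trusted, every local port is reachable
  "$IPTABLES" -A INPUT -i "$LAN_IFACE" -s "$LAN" -j ACCEPT

#FIREWALL->EVERYWHERE - overrides the DROP policy for OUTPUT
  "$IPTABLES" -A OUTPUT -j ACCEPT

#LAN->EVERYWHERE
# NOTE(review): matches on source address only, unlike the INPUT rule above which
# also requires -i $LAN_IFACE; a spoofed LAN source arriving on $EXT_IFACE is
# only stopped by rp_filter=1 set above.  Kept as-is in case other interfaces
# carry LAN addresses; add -i "$LAN_IFACE" if that is not the case.
  "$IPTABLES" -A FORWARD -s "$LAN" -j ACCEPT

#DROP the rest - handled by the default policies set above

#activate ip routing - last, so no packet is forwarded before the rules exist
  echo 1 >/proc/sys/net/ipv4/ip_forward
;;
stop)
  echo "Stopping Firewall ..."
  echo "0" >/proc/sys/net/ipv4/ip_forward
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -Z
  "$IPTABLES" -t nat -F
  #Default policies are deliberately left alone (fail closed): if "start" has
  # run before, all three chains stay at DROP with no rules, so the host accepts
  # no IPv4 traffic at all - not even on loopback - until "start" runs again.
  # Uncomment the three lines below for an open firewall after "stop" instead.
 # "$IPTABLES" -P INPUT ACCEPT
 # "$IPTABLES" -P OUTPUT ACCEPT
 # "$IPTABLES" -P FORWARD ACCEPT
;;
restart)
  $0 stop && $0 start
;;
status)
  #list active filter rules; -n avoids DNS/service-name lookups, which are slow
  # and send queries out for every address in the rule set
  "$IPTABLES" -L -v -n
  #list nat rules
  "$IPTABLES" -t nat -L -v -n
;;
*)
  echo "Aufruf: $0 {start|stop|restart|status}"
  exit 1   # a bad invocation must not report success to the caller
;;
esac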