Iptables

iptables is the user-space front end to the Linux netfilter packet filter: it provides rule-based filtering and NAT (the routing itself is done by the kernel). Although it gets tricky in more complex environments, its basic concept is easy to understand: packets pass through chains (INPUT, OUTPUT, FORWARD) and the first matching rule decides what happens to them; the chain's policy applies if none matches.

How it works

Sample script

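#!/bin/bash
# Stateful firewall / NAT router for a small two-interface host:
# a trusted LAN on one interface and an untrusted (PPP) uplink on the other.
#
# Usage: $0 {start|stop|restart|status}
# Must be run as root: it writes to /proc/sys and replaces the iptables rule set.
# Only IPv4 is configured; IPv6 (ip6tables) is not touched at all.

# Parameters for this script
readonly LAN_IFACE="eth1"          # inside, trusted interface
readonly EXT_IFACE="ppp0"          # outside, untrusted uplink (dynamic address, hence MASQUERADE)
readonly LAN="192.168.0.0/24"      # address range behind LAN_IFACE
readonly IPTABLES="/sbin/iptables"
readonly GUTSY="192.168.0.1"       # not referenced by the rules below, kept for reference
readonly BENDER="192.168.0.3"      # LAN host that receives the forwarded (DNAT) ports

# Load the netfilter modules explicitly so the stateful rules do not depend on
# autoloading.  The ip_conntrack*/ip_nat_* names are the legacy ones; newer
# kernels call the same modules nf_conntrack*/nf_nat_*.  Try the new name
# first and fall back to the old one; warn if neither loads, but continue,
# because iptables itself will usually pull the module in on first use.
load_module() {
  local mod
  for mod in "$@"; do
    modprobe "$mod" 2>/dev/null && return 0
  done
  printf 'warning: could not load any of: %s\n' "$*" >&2
  return 1
}

load_module ip_tables
load_module nf_conntrack ip_conntrack
load_module nf_conntrack_ftp ip_conntrack_ftp
load_module nf_nat_ftp ip_nat_ftp
load_module iptable_nat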
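# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------

# Write one kernel parameter below /proc/sys; warn and skip keys this kernel
# does not have instead of aborting the whole rule set.
set_sysctl() {
  local key="$1" value="$2"
  if [[ -w "/proc/sys/$key" ]]; then
    echo "$value" > "/proc/sys/$key"
  else
    printf 'warning: /proc/sys/%s not writable, skipped\n' "$key" >&2
  fi
}

# Accept new TCP connections from the uplink to a local port.
# --syn restricts the rule to real connection starts; without it a stray
# mid-stream segment can be picked up by conntrack as NEW and match here.
open_tcp() {
  "$IPTABLES" -A INPUT -i "$EXT_IFACE" -p tcp --syn --dport "$1" -j ACCEPT
}

# Accept UDP datagrams from the uplink to a local port.
open_udp() {
  "$IPTABLES" -A INPUT -i "$EXT_IFACE" -p udp --dport "$1" -j ACCEPT
}

# DNAT a set of uplink ports (multiport syntax, e.g. "7777:7778,7787") to a
# LAN host and let exactly those forwarded packets through.  The FORWARD rule
# is bound to the destination host and LAN interface so it cannot be used to
# reach anything else behind the firewall.
forward_to() {
  local proto="$1" ports="$2" host="$3"
  "$IPTABLES" -t nat -A PREROUTING -i "$EXT_IFACE" -p "$proto" -m multiport --dports "$ports" \
    -j DNAT --to-destination "$host"
  "$IPTABLES" -A FORWARD -i "$EXT_IFACE" -o "$LAN_IFACE" -d "$host" -p "$proto" -m multiport --dports "$ports" \
    -j ACCEPT
}

# ---------------------------------------------------------------------------
# Main
# ---------------------------------------------------------------------------
case "$1" in
 start)
  echo "Starting Firewall..."

  # NOTE(review): only IPv4 is filtered here.  If the uplink carries IPv6,
  # ip6tables needs an equivalent rule set, otherwise the services opened
  # below are reachable over IPv6 without any filtering.

  ############# KERNEL PARAMETERS ############
  set_sysctl net/ipv4/conf/all/rp_filter 1             # reverse-path check: drop packets whose source is not routable back via the arriving interface (anti-spoofing)
  set_sysctl net/ipv4/conf/all/accept_source_route 0   # ignore source-routed packets
  set_sysctl net/ipv4/conf/all/accept_redirects 0      # ignore ICMP redirects (would let a neighbour rewrite our routes)
  set_sysctl net/ipv4/conf/all/send_redirects 0        # a router should not hand out redirects either
  set_sysctl net/ipv4/conf/all/log_martians 0          # spoofed/unroutable sources are dropped silently; set to 1 if you want them in the kernel log
  set_sysctl net/ipv4/icmp_echo_ignore_broadcasts 1    # never answer broadcast pings: answering makes the host a smurf amplifier
  set_sysctl net/ipv4/icmp_echo_ignore_all 0           # ordinary pings are still answered
  set_sysctl net/ipv4/icmp_ignore_bogus_error_responses 1   # do not log malformed ICMP errors from broken routers
  set_sysctl net/ipv4/tcp_window_scaling 1
  set_sysctl net/ipv4/tcp_syncookies 1                 # SYN-flood protection

  ############# POLICIES ############
  # default policy: deny everything that no rule below accepts
  "$IPTABLES" -P INPUT DROP
  "$IPTABLES" -P OUTPUT DROP
  "$IPTABLES" -P FORWARD DROP

  # Start from an empty rule set so that running "start" twice does not append
  # a second copy of every rule.  The DROP policies above keep the host
  # fail-closed during the rebuild.
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -t nat -F

  ############# GENERAL STUFF ##########
  # loopback is unrestricted
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  "$IPTABLES" -A OUTPUT -o lo -j ACCEPT

  # Packets conntrack cannot attribute to any connection (bad TCP flags,
  # out-of-window segments, late fragments) are dropped here, before they
  # get a chance to match one of the per-port ACCEPT rules further down.
  "$IPTABLES" -A INPUT -m state --state INVALID -j DROP
  "$IPTABLES" -A FORWARD -m state --state INVALID -j DROP

  # ESTABLISHED,RELATED: replies to connections already accepted, plus
  # helper-tracked secondary connections (FTP data).  This is what makes the
  # rule set stateful; every other rule only has to cover the first packet.
  "$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPTABLES" -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

  # incoming ping (replies to our own pings are already covered by ESTABLISHED)
  "$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
  "$IPTABLES" -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT

  ######### NAT #############
  # Masquerade LAN traffic leaving on the uplink (MASQUERADE rather than SNAT
  # because ppp0 has a dynamic address).  Limited to LAN sources so nothing
  # else gets rewritten by accident.
  "$IPTABLES" -t nat -A POSTROUTING -s "$LAN" -o "$EXT_IFACE" -j MASQUERADE

  ##### OPEN PORTS TO LAN #####
  # Disabled: DNAT happens in PREROUTING, so enabling this would take
  # precedence over the local ftp/ssh rules in "OPEN LOCAL PORTS" below.
  # forward_to tcp "21:22" "$BENDER"

  forward_to udp "7777:7778,7787" "$BENDER"

  # forward_to udp "1200,27020,27000:27015" "$BENDER"
  # forward_to tcp "27015,27030:27039" "$BENDER"

  ##### OPEN LOCAL PORTS #####
  # Services running on the firewall itself, reachable from the uplink.
  open_tcp 80      # Apache2
  open_tcp 443     # Apache2 SSL
  open_tcp 21      # ProFTPD  - NOTE(review): plain FTP carries credentials in clear text on the uplink; SFTP over 22 avoids that
  open_tcp 22      # SSH (port 22 is sshd, not ProFTPD)
  open_tcp 25      # Postfix
  open_tcp 63393   # LFS
  open_udp 63393   # LFS
  open_tcp 5900    # VNC - NOTE(review): VNC is unencrypted and its classic password auth is weak; restrict with "-s <trusted address>" or tunnel it over SSH
  open_tcp 14230   # Azureus
  open_udp 14230   # Azureus
  open_udp 8767    # Teamspeak server
  open_tcp 8010    # Jabber incoming traffic

  # LAN -> FIREWALL: everything from the inside is trusted
  "$IPTABLES" -A INPUT -i "$LAN_IFACE" -s "$LAN" -j ACCEPT

  # FIREWALL -> EVERYWHERE: outgoing traffic from the host is unrestricted
  # (this rule is what overrides the OUTPUT DROP policy set above)
  "$IPTABLES" -A OUTPUT -j ACCEPT

  # LAN -> EVERYWHERE.  Bound to the LAN interface as well as the LAN source,
  # so a packet arriving on the uplink with a forged 192.168.0.x source cannot
  # use this rule (rp_filter should already reject it; belt and braces).
  "$IPTABLES" -A FORWARD -i "$LAN_IFACE" -s "$LAN" -j ACCEPT

  # everything else hits the DROP policies

  # activate IP routing only now that the rule set is complete
  set_sysctl net/ipv4/ip_forward 1
;;
 stop)
  echo "Stopping Firewall ..."
  set_sysctl net/ipv4/ip_forward 0
  "$IPTABLES" -F
  "$IPTABLES" -X
  "$IPTABLES" -Z
  "$IPTABLES" -t nat -F
  "$IPTABLES" -t nat -X
  # The DROP policies set by "start" are deliberately left in place, so "stop"
  # fails closed: afterwards no traffic passes except loopback, which is
  # re-added here so local daemons keep working.  Uncomment the three policy
  # lines if you really want the host wide open after "stop".
  "$IPTABLES" -A INPUT -i lo -j ACCEPT
  "$IPTABLES" -A OUTPUT -o lo -j ACCEPT
  # "$IPTABLES" -P INPUT ACCEPT
  # "$IPTABLES" -P OUTPUT ACCEPT
  # "$IPTABLES" -P FORWARD ACCEPT
;;
 restart)
  "$0" stop && "$0" start
;;
 status)
  # -n prints addresses and ports numerically instead of resolving them,
  # which would hang while DNS is unreachable; --line-numbers gives the
  # numbers needed for "iptables -D/-I".
  "$IPTABLES" -L -v -n --line-numbers
  "$IPTABLES" -t nat -L -v -n --line-numbers
;;
 *)
  echo "Aufruf: $0 {start|stop|restart|status}" >&2
  exit 1
;;
esac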