This shows you the differences between the selected revision and the current version of the page.
| wiki:iptables | wiki:iptables 07.04.2009 14:35 current | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ====== iptables ====== | ||
| + | This is a small iptables script which I run on my Debian servers. | ||
| + | |||
| + | <code> | ||
| + | #!/bin/sh -e | ||
| + | ### BEGIN INIT INFO | ||
| + | # Provides: iptables | ||
| + | # Required-Start: ifupdown | ||
| + | # Required-Stop: | ||
| + | # Default-Start: S | ||
| + | # Default-Stop: 0 6 | ||
| + | # Short-Description: Setup iptable rules. | ||
| + | ### END INIT INFO | ||
| + | |||
| + | [ -x /sbin/iptables ] || exit 0 | ||
| + | |||
| + | . /lib/lsb/init-functions | ||
| + | |||
| + | MYNAME="${0##*/}" | ||
| + | report() { echo "${MYNAME}: $*" ; } | ||
| + | report_err() { log_failure_msg "$*" ; } | ||
| + | RUN_DIR=/etc/network/run | ||
| + | [ -r /etc/default/iptables ] && . /etc/default/iptables | ||
| + | |||
| + | ## iptables executable | ||
| + | IPT=/sbin/iptables | ||
| + | |||
| + | ## Interfaces | ||
| + | IF_EXT="eth0" | ||
| + | IF_INT="eth1" | ||
| + | #IP_EXT="192.168.1.62" | ||
| + | #IP_INT="192.168.10.90" | ||
| + | IP_VPN="10.51.10.0/24" | ||
| + | |||
| + | SVC_TCP="ssh http openvpn" | ||
| + | SVC_UDP="" | ||
| + | |||
| + | case "$1" in | ||
| + | start) | ||
| + | # Set a default policy of DROP; deny-by-default for security: | ||
| + | $IPT -P INPUT ACCEPT | ||
| + | $IPT -P FORWARD ACCEPT | ||
| + | $IPT -P OUTPUT ACCEPT | ||
| + | |||
| + | #rules chain: | ||
| + | #this chain contains rules common to our FORWARD and INPUT chains, all in one place. | ||
| + | #first, we create a new "rules" chain; | ||
| + | $IPT -N rules | ||
| + | |||
| + | #allow tun0 interface (openvpn) to forward to other interfaces | ||
| + | $IPT -A rules -i tun+ -j ACCEPT | ||
| + | |||
| + | #then, we add a rule to accept ESTABLISHED and RELATED connections from anywhere; | ||
| + | $IPT -A rules -m state --state ESTABLISHED,RELATED -j ACCEPT | ||
| + | |||
| + | #then, we add a rule to accept NEW connections coming in from anywhere but our untrusted $IF_EXT interface; | ||
| + | $IPT -A rules -m state --state NEW -i ! $IF_EXT -j ACCEPT | ||
| + | |||
| + | #then, we add a rule to log any incoming INVALID packets; | ||
| + | $IPT -A rules -m state --state INVALID -j LOG --log-prefix "INVALID:" --log-level warning | ||
| + | |||
| + | #then, we add a rule to reject any incoming tcp connection with tcp-reset for fast, stealthy disconnect; | ||
| + | $IPT -A rules -p tcp -j REJECT --reject-with tcp-reset | ||
| + | |||
| + | #then, we add a rule to reject any not-yet-handled connections with icmp-port-unreachable. | ||
| + | $IPT -A rules -j REJECT --reject-with icmp-port-unreachable | ||
| + | |||
| + | #everything else falls off the end of this chain and goes back to the next rule (if any) in the | ||
| + | #parent INPUT or FORWARD chain. | ||
| + | |||
| + | #INPUT chain: | ||
| + | |||
| + | #first, we accept all openvpn authenticated connections | ||
| + | $IPT -A INPUT -i tun+ -j ACCEPT | ||
| + | |||
| + | #then, we loop through our services variable and add a rule for each public service on our firewall; | ||
| + | |||
| + | for x in $SVC_TCP | ||
| + | do | ||
| + | $IPT -A INPUT -p tcp --dport ${x} -m state --state NEW -j ACCEPT | ||
| + | done | ||
| + | |||
| + | for y in $SVC_UDP | ||
| + | do | ||
| + | $IPT -A INPUT -p udp --dport ${y} -j ACCEPT | ||
| + | done | ||
| + | |||
| + | #allow pings | ||
| + | iptables -A INPUT -p icmp -i $IF_EXT --icmp-type echo-request -j ACCEPT | ||
| + | |||
| + | #then, we add a rule to log any pings to our firewall box from the Internet (max 1/minute); | ||
| + | #then, we add a rule to accept up to 2 pings per second to our firewall box from the Internet; | ||
| + | #$IPT -A INPUT -p icmp -i $IF_EXT --icmp-type echo-request -m limit --limit 1/minute -j LOG --log-prefix "PING:" --log-level notice | ||
| + | #$IPT -A INPUT -p icmp -i $IF_EXT --icmp-type echo-request -m limit --limit 2/second -j ACCEPT | ||
| + | |||
| + | #then, we direct any traffic that doesn't match these rules to our standard rules chain. | ||
| + | $IPT -A INPUT -j rules | ||
| + | |||
| + | #everything else falls off the end of this chain and gets a default policy of DENY. | ||
| + | |||
| + | #FORWARD chain: | ||
| + | #simply forward all FORWARD traffic to our rules chain. | ||
| + | #if any traffic were to make it through the rules chain, it would fall off the end of the FORWARD | ||
| + | #chain and get a default policy of DENY. | ||
| + | $IPT -A FORWARD -j rules | ||
| + | |||
| + | #Set up masquerading | ||
| + | $IPT -t nat -A POSTROUTING -s $IP_VPN -o $IF_INT -j MASQUERADE | ||
| + | |||
| + | log_end_msg 0 | ||
| + | exit 0 | ||
| + | ;; | ||
| + | |||
| + | stop) | ||
| + | #flush chains | ||
| + | $IPT --flush | ||
| + | $IPT -t nat --flush | ||
| + | $IPT -t mangle --flush | ||
| + | #delete rules chain | ||
| + | $IPT --delete-chain | ||
| + | $IPT -t nat --delete-chain | ||
| + | $IPT -t mangle --delete-chain | ||
| + | log_end_msg 0 | ||
| + | exit 0 | ||
| + | ;; | ||
| + | |||
| + | *) | ||
| + | echo "Usage: $0 {start|stop|}" >&2 | ||
| + | exit 3 | ||
| + | ;; | ||
| + | esac | ||
| + | |||
| + | exit 0 | ||
| + | |||
| + | </code> | ||