iptables

Post by Matt Rud » Thu, 07 Nov 2002 15:32:22



I am running RedHat 8.0 and trying to set up a firewall using iptables, and
I can't get it to work.
Here is what I have for a script.

If you would like to email me, take the RM out of my email address.

WAN="eth1"
LAN="eth0"
IPT="/sbin/iptables"

#################################################################
# flush every chain in every table and delete user-defined chains
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X

# default policies
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward
# 10.1.1.2 is my wan
# (the posted line used -o $INT, which is never defined; $WAN is the intended interface)
$IPT -t nat -A POSTROUTING -o $WAN -j SNAT --to 10.1.1.2
$IPT -A FORWARD -p ALL -i eth1 -o eth0 -d 10.0.0.0/24 -m state --state ESTABLISHED -j ACCEPT

# logging chains: rate-limited LOG, then DROP
$IPT -N firewall
$IPT -A firewall -m limit --limit 15/minute -j LOG --log-prefix "Firewall: "
$IPT -A firewall -j DROP

$IPT -N dropwall
$IPT -A dropwall -m limit --limit 15/minute -j LOG --log-prefix "Dropwall: "
$IPT -A dropwall -j DROP

$IPT -N badflags
$IPT -A badflags -m limit --limit 15/minute -j LOG --log-prefix "Badflags: "
$IPT -A badflags -j DROP

$IPT -N silent
$IPT -A silent -j DROP

$IPT -A INPUT -i lo -j ACCEPT
# now I don't understand why I need these entries
$IPT -A INPUT -s 10.0.0.99 -d 0/0 -p all -j ACCEPT
$IPT -A INPUT -s 10.0.0.98 -d 0/0 -p all -j ACCEPT
$IPT -A INPUT -s 10.0.0.97 -d 0/0 -p all -j ACCEPT

# invalid TCP flag combinations
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

# ICMP: echo reply, unreachable, time exceeded, rate-limited echo request
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewall

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

$IPT -A INPUT -j dropwall
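As an added example (not the poster's script), the same LAN/WAN setup rewritten with the undefined $INT replaced by $WAN, the FORWARD chain closed by default, a single interface-wide rule in place of the per-host INPUT entries, and a DRY_RUN switch that prints the commands instead of loading them. LAN_NET 10.0.0.0/24 is assumed from the post's -d 10.0.0.0/24 rule.

```shell
#!/bin/sh
# Added example, not the poster's script: fixed $INT, FORWARD policy DROP,
# and a DRY_RUN switch so the generated rules can be inspected without root.
WAN="eth1"
LAN="eth0"
LAN_NET="10.0.0.0/24"   # assumed LAN range (from the post's -d 10.0.0.0/24)
WAN_IP="10.1.1.2"       # SNAT source address from the post
IPT="/sbin/iptables"

# Print the command when DRY_RUN=1, otherwise execute it.
run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }
ipt() { run "$IPT" "$@"; }

build_rules() {
  ipt -F
  ipt -t nat -F
  ipt -t mangle -F
  ipt -X
  ipt -P INPUT DROP
  ipt -P OUTPUT ACCEPT
  ipt -P FORWARD DROP    # nothing is routed unless a rule below allows it
  run sysctl -w net.ipv4.ip_forward=1
  # SNAT on the WAN interface (the post wrote -o $INT, which is never defined).
  ipt -t nat -A POSTROUTING -o "$WAN" -j SNAT --to "$WAN_IP"
  # LAN may open connections outward; only replies are routed back in.
  ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
  ipt -A FORWARD -i "$WAN" -o "$LAN" -d "$LAN_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
  # Traffic to the firewall itself. With INPUT policy DROP and only
  # RELATED,ESTABLISHED accepted, LAN hosts cannot start connections to the
  # box (DNS, SSH, ...), which is why the post needed one rule per host.
  # Accepting the LAN interface as a whole replaces those entries.
  ipt -A INPUT -i lo -j ACCEPT
  ipt -A INPUT -i "$LAN" -s "$LAN_NET" -j ACCEPT
  ipt -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  ipt -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
  # Rate-limited log, then drop everything else.
  ipt -A INPUT -m limit --limit 15/minute -j LOG --log-prefix "Dropwall: "
  ipt -A INPUT -j DROP
}

# Number of commands the ruleset would issue (sanity check for edits).
rule_count() { (DRY_RUN=1; build_rules) | wc -l | tr -d ' '; }

case "${1:-}" in
  load) build_rules ;;              # apply for real (needs root)
  show) (DRY_RUN=1; build_rules) ;; # print what would be loaded
esac
```

Run `sh fw.sh show` to review the generated rules before `sh fw.sh load`.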

1. TCP/IP connection cutter for IPTables

TCP/IP connection cutter for Linux/Iptables firewalls...

In case anyone is interested, there's an article and free software for
download on http://www.lowth.com/cutter for a technique whereby a Linux
IPTables based firewall/router can close (abort) TCP/IP connections routed
over it.

Works on (amongst others) IPCop and Smoothwall 2.

Useful for shutting down SSH tunnels left open overnight, aborting rogue
logins without taking entire servers offline, closing bandwidth-hogging
downloads, etc.

Chris
--
Real address: chris at lowth dot sea oh em.
World's first wrist-watch PDA with Palm OS, available June 30
from Amazon.com. Order now to beat the rush!
   http://www.lowth.com/shop/wrist_pda
