
Re: [tlug] iptables and port-forwarding concerns



On Thu, 22 Apr 2004 13:45:11 +0200, Godwin Stewart <gstewart@example.com>
wrote:

> Having read the excellent documentation at the NAT HOWTO link Josh gave
> here:
> 
> > http://www.stearns.org/iptables/NAT-HOWTO.txt

I've come up with a new script for the firewall. I'll only be able to try
the port-forwarding bit tomorrow but I tried it slightly scaled down by
forwarding port 22 of my workstation to port 222 of the gateway box. I was
subsequently able to ssh directly into my workstation from a remote host by
using "-p 222" on the ssh command line, so it looks encouraging.

Here's the script I came up with anyway. Try not to show how much you're
enjoying it while tearing it to shreds:

#!/bin/bash
###################################################
# Raise a firewall and SNAT for the LAN behind it #
###################################################
# Written: 22-APR-2004                            #
###################################################

# A few useful variables:

IPT="/usr/sbin/iptables"
IPFILTER="$IPT -t filter"
IPFIN="$IPFILTER -A INPUT"
IPFOUT="$IPFILTER -A OUTPUT"
IPFWD="$IPFILTER -A FORWARD"
IPNAT="$IPT -t nat"

EXT_IF="ppp0"
INT_IF="eth0"
LO_IF="lo"

LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED="240.0.0.0/5"
PUBLIC_IP="xxx.xxx.xxx.xxx"
WINBOX="192.168.0.1"
FLY="192.168.0.3"

MY_SUBNET="192.168.0.0/23"
PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"

############################################################
# Here are a few useful functions which will save time:

# DROP incoming connections from specified IP/block on the floor
# example: dropfromblock 38.0.0.0/8
dropfromblock() {
  $IPFIN  -s $1 -i $EXT_IF -j DROP
  $IPFOUT -d $1 -o $EXT_IF -j REJECT --reject-with icmp-host-prohibited
}

# REJECT incoming connections from specified IP/block with an
# ICMP Host Prohibited message
# example: rejectfromblock 200.0.0.0/7
rejectfromblock() {
  $IPFIN  -s $1 -i $EXT_IF -j REJECT --reject-with icmp-host-prohibited
  $IPFOUT -d $1 -o $EXT_IF -j REJECT --reject-with icmp-host-prohibited
}

# Log attempts to connect to the specified port using the specified
# protocol.
# example: logattack tcp 1080
logattack() {
  $IPFILTER -I INPUT 1 -i $EXT_IF -p $1 --dport $2 -j LOG \
            --log-prefix "$1 $2: " --log-level notice
}

# Allow this machine to connect to the given tcp or udp port of a
# remote host.
# example: letmeconnectto tcp 80
letmeconnectto() {
  case $1 in
    tcp|TCP)
      # Only accept replies: a packet with SYN set and ACK clear would be
      # the remote side opening a new connection from that port.
      EXTRA=" ! --syn";;
    *)
      EXTRA=""
  esac
  $IPFOUT -p $1 -o $EXT_IF --sport $UNPRIVPORTS --dport $2 -j ACCEPT
  $IPFIN  -p $1 -i $EXT_IF --sport $2$EXTRA --dport $UNPRIVPORTS -j ACCEPT
}

# Allow remote machines to connect to the given tcp or udp port of mine.
# example: openupmy tcp 443
openupmy() {
  $IPFIN  -p $1 -i $EXT_IF --sport $UNPRIVPORTS --dport $2 -j ACCEPT
  $IPFOUT -p $1 --sport $2 --dport $UNPRIVPORTS -o $EXT_IF -j ACCEPT
}
#########################################################

# Have a go at the ipv4 routing...
cd /proc/sys/net/ipv4
/bin/echo "1" > icmp_echo_ignore_all
/bin/echo "0" > icmp_echo_ignore_broadcasts
/bin/echo "0" > conf/all/accept_source_route
/bin/echo "0" > conf/all/accept_redirects
/bin/echo "1" > icmp_ignore_bogus_error_responses
/bin/echo "1" > ip_forward
for interface in conf/*/rp_filter; do
  /bin/echo "1" > ${interface}
done

# Now remove all rules and user-defined chains in the "filter" and "nat" tables
$IPFILTER -F
$IPFILTER -X
$IPFILTER -Z
$IPNAT -F
$IPNAT -X
$IPNAT -Z

# Next, set the default policy for the INPUT and OUTPUT chains to DROP
# but allow everything to pass through the FORWARD chain (we'll be
# placing a couple of restrictions just afterwards)
$IPFILTER -P INPUT   DROP
$IPFILTER -P OUTPUT  DROP
$IPFILTER -P FORWARD ACCEPT


# 192.168.0.1 is a Windoze box. Don't let it connect to port 25 of any
# machine other than the 4 official SMTP servers of my ISP and the
# other remote host I'm allowed to use. Start by allowing these
# particular connections explicitly then deny connections to port 25:
for ip in <list_of_5_IP_addresses>; do
  $IPFWD -s $WINBOX -p tcp -d $ip --dport 25 -o $EXT_IF -j ACCEPT
  $IPFWD -s $ip -p tcp -d $WINBOX --sport 25 -i $EXT_IF -j ACCEPT
done
$IPFWD -p tcp -s $WINBOX --dport 25 -o $EXT_IF -j DROP

# Now prevent the Windoze box from connecting to common proxy ports
for port in 23 81 85 1080 1180 1181 1182 1282 2280 2281 2282 2283 \
            3128 4480 6588 7033 8000 8080 8081 8085 8090 8095 \
            8100 8105 8110 8888; do
  $IPFWD -p tcp -s $WINBOX --dport $port -o $EXT_IF -j DROP
done



# Disallow connections from obviously spoofed addresses:
dropfromblock $LOOPBACK
dropfromblock $CLASS_A
dropfromblock $CLASS_B
dropfromblock $CLASS_C
dropfromblock $CLASS_D_MULTICAST
dropfromblock $CLASS_E_RESERVED
dropfromblock $PUBLIC_IP

# Disallow connections from a$$wipes on the net:

# cyveillance.com
dropfromblock 63.148.99.227/27
dropfromblock 65.118.41.192/27

# nameprotect.com
dropfromblock 12.148.209.192/26

# Allow unrestricted connectivity within the LAN
$IPFILTER -A INPUT  -s $MY_SUBNET -j ACCEPT
$IPFILTER -A OUTPUT -d $MY_SUBNET -j ACCEPT

# Allow unrestricted connectivity over the loopback interface
$IPFILTER -A INPUT  -i $LO_IF -d $LOOPBACK -j ACCEPT
$IPFILTER -A OUTPUT -o $LO_IF -s $LOOPBACK -j ACCEPT


# Allow ssh in both directions:
letmeconnectto tcp 22
openupmy tcp 22

# Allow smtp in both directions:
letmeconnectto tcp 25
openupmy tcp 25

# Allow http in both directions:
letmeconnectto tcp 80
openupmy tcp 80

# I serve https but don't need to wget any:
openupmy tcp 443

# Allow pop3 in both directions:
letmeconnectto tcp 110
openupmy tcp 110

# I'll need to access DNS but my own nameserver isn't public:
letmeconnectto tcp 53
letmeconnectto udp 53

# I need whois access
letmeconnectto tcp 43
letmeconnectto udp 43

# I also need to sync the system clock
letmeconnectto tcp 37
letmeconnectto udp 37
letmeconnectto tcp 123
letmeconnectto udp 123

# I might need to wget stuff via ftp
# Use active ftp to simplify things
letmeconnectto tcp 21
letmeconnectto tcp 20

# Open up the ProFTPd daemon to the outside and
# allow passive ftp on ports 50000-60000
openupmy tcp 21
openupmy tcp 50000:60000


# Set up SNAT for machines in the 192.168.0.0-255 range
$IPNAT -A POSTROUTING -s 192.168.0.0/24 -o $EXT_IF -j SNAT \
       --to-source $PUBLIC_IP



# portforward inbound tcp & udp ports 10000-10100 to same ports on $FLY
$IPNAT -A PREROUTING -p udp -i $EXT_IF --dport 10000:10100 \
       -j DNAT --to-destination $FLY:10000-10100
$IPNAT -A PREROUTING -p tcp -i $EXT_IF --dport 10000:10100 \
       -j DNAT --to-destination $FLY:10000-10100




# Set up proxy hijack logging
logattack tcp 1080
logattack tcp 3128
logattack tcp 6588
logattack tcp 8000
logattack tcp 8080

# Set up UDP port 135 logging
logattack udp 135

echo "Firewall up!"



-- 
G. Stewart   --   gstewart@example.com -- gstewart@example.com
Registered Linux user #284683 (Slackware 9.0, Linux 2.6.5)
--------------------------------------------------------------
Light travels faster than sound. That is why some people appear
bright until you hear them speak.
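
The DNAT rules in the script hand the forwarded packets to the FORWARD chain, whose policy is ACCEPT and whose only rules concern the Windows box, so nothing in the filter table scopes what reaches $FLY. The following audit is an added example, not part of the original post: it reads an iptables-save dump and reports every DNAT target that has no explicit ACCEPT in the FORWARD chain. The dump, and the 203.0.113.10 public address in it, are constructed for the example.

```bash
# Audit an iptables-save dump: every DNAT target in the nat table should also
# have an explicit ACCEPT in the filter FORWARD chain; otherwise the forwarded
# traffic is admitted only by the FORWARD chain's default policy.
# The dump below is constructed for this example, not captured from a host.
SAMPLE_RULES='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i ppp0 -p tcp -m tcp --dport 10000:10100 -j DNAT --to-destination 192.168.0.3:10000-10100
-A PREROUTING -i ppp0 -p udp -m udp --dport 10000:10100 -j DNAT --to-destination 192.168.0.3:10000-10100
-A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j SNAT --to-source 203.0.113.10
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -d 192.168.0.3/32 -i ppp0 -p tcp -m tcp --dport 10000:10100 -j ACCEPT
COMMIT'

# audit_dnat <dump>: prints "ok <proto> <host>" or "unscoped <proto> <host>" per
# DNAT rule; returns the number of unscoped targets (0 means all are covered).
# Matching is by protocol and destination host only; ports are not compared.
audit_dnat() {
  printf '%s\n' "$1" | awk '
    /^\*/ { table = substr($1, 2); next }
    table == "filter" && /^:FORWARD / { policy = $2; next }
    table == "nat" && /-j DNAT/ {
      proto = ""; dst = ""
      for (i = 1; i <= NF; i++) { if ($i == "-p") proto = $(i+1); if ($i == "--to-destination") dst = $(i+1) }
      sub(/:.*/, "", dst)                    # keep only the host part of host:port
      n++; dproto[n] = proto; dhost[n] = dst; next
    }
    table == "filter" && /^-A FORWARD / && /-j ACCEPT/ {
      proto = ""; host = ""
      for (i = 1; i <= NF; i++) { if ($i == "-p") proto = $(i+1); if ($i == "-d") host = $(i+1) }
      sub("/32$", "", host)                  # normalise 1.2.3.4/32 to 1.2.3.4
      allowed[proto " " host] = 1; next
    }
    END {
      bad = 0
      for (k = 1; k <= n; k++) {
        key = dproto[k] " " dhost[k]
        if (key in allowed) print "ok " key
        else { print "unscoped " key " (admitted only by FORWARD policy " policy ")"; bad++ }
      }
      exit bad
    }'
}

# Non-zero exit status lets a deploy script refuse to load an unscoped ruleset.
audit_dnat "$SAMPLE_RULES" || echo "review the FORWARD chain before trusting the port-forward"
```

Run it against `iptables-save` output from the gateway after the script has been loaded; the sample above reports the udp forward as unscoped because only the tcp forward has a matching FORWARD rule.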


