From: "Erik Wikström" <eriwik@itstud.chalmers.se>
To: netfilter@lists.netfilter.org
Subject: Proofreading
Date: Wed, 14 Jul 2004 00:40:25 +0200	[thread overview]
Message-ID: <20040713224025.GA34955@itstud.chalmers.se> (raw)

[-- Attachment #1: Type: text/plain, Size: 993 bytes --]

Hi

If you happen to feel like you've got nothing better to do or if you'd
like to help me out (and maybe get rid of me :) then I'd appreciate any
comments and suggestions on my script.

My goals with the script are as follows:
+ To allow the router to get an IP via DHCP for the WAN
+ To allow local hosts to get an IP from the router
+ To allow the router to communicate with DNS servers
+ To allow the router to connect to HTTP servers
+ To allow the router to connect to FTP servers
+ To allow SSH to the router from LAN on port 22
+ To allow SSH to the router from WAN on port 2070
+ Forward SSH from WAN to a computer on LAN
+ Forward a number of other ports/services to another computer on LAN
+ Allow access to WAN from LAN
And of course maintain some level of security.

I've blocked NetBIOS packets from leaving the LAN; are there any other
things that I should block? The LAN consists of both Windows and Linux
computers.

Thanks in advance.

--
Erik Wikström

[-- Attachment #2: rc.iptables --]
[-- Type: text/plain, Size: 4687 bytes --]

#!/usr/bin/bash

# --------------------
# |    Initialize    |
# --------------------

# Variables
IPT="/usr/sbin/iptables"
WAN="eth0"
LAN="eth1"
LOCAL_NET="192.168.10.0/24"

# Computers
Yorthen="192.168.10.2"
Ohm="192.168.10.10"

# Clear all rules and set policies. Policies are set per table on the
# chains that table actually has: the nat table has no FORWARD chain
# (and on older kernels no INPUT chain), and "-P" on a chain that does
# not exist makes iptables error out.
for table in filter mangle nat ; do
	$IPT -t $table -F # Flush all rules
	$IPT -t $table -X # Remove all non-builtin chains
	$IPT -t $table -Z # Reset all counters
done
# Default to filtering out all packets; nat and mangle just pass them on
for chain in INPUT FORWARD OUTPUT ; do
	$IPT -t filter -P $chain DROP
done
for chain in PREROUTING OUTPUT POSTROUTING ; do
	$IPT -t nat -P $chain ACCEPT
done
for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING ; do
	$IPT -t mangle -P $chain ACCEPT
done

# Add custom chains
$IPT -t filter -N bad_packets



# ---------------------
# |    bad_packets    |
# ---------------------

# Drop INVALID and other bad packets
$IPT -t filter -A bad_packets -m state --state INVALID -j DROP
$IPT -t filter -A bad_packets -p TCP --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j DROP
$IPT -t filter -A bad_packets -p TCP ! --syn -m state --state NEW -j DROP
# Drop spoofed addresses: no RFC 1918 source should arrive on the WAN,
# loopback never arrives on a wire, and the LAN side may only use LOCAL_NET
$IPT -t filter -A bad_packets -i $WAN -s 10.0.0.0/8 -j DROP
$IPT -t filter -A bad_packets -i $WAN -s 192.168.0.0/16 -j DROP
$IPT -t filter -A bad_packets -s 172.16.0.0/12 -j DROP
$IPT -t filter -A bad_packets -s 127.0.0.0/8 -j DROP
$IPT -t filter -A bad_packets -i $LAN ! -s $LOCAL_NET -j DROP



# --------------
# |    LYRA    |
# --------------

# Allow already established connections
$IPT -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow traffic on loopback interface
$IPT -t filter -A INPUT -i lo -j ACCEPT
$IPT -t filter -A OUTPUT -o lo -j ACCEPT
# Run incoming packets through bad_packets (drops INVALID and spoofed)
$IPT -t filter -A INPUT -j bad_packets
# Allow firewall to get WAN-IP from DHCP
$IPT -t filter -A OUTPUT -o $WAN -p UDP --dport 67 --sport 68 -j ACCEPT
$IPT -t filter -A INPUT -i $WAN -p UDP --sport 67 --dport 68 -j ACCEPT
# Allow computers on LAN to get IP from DHCP
$IPT -t filter -A INPUT -i $LAN -p UDP --dport 67 --sport 68 -j ACCEPT
$IPT -t filter -A OUTPUT -o $LAN -p UDP --sport 67 --dport 68 -j ACCEPT
# Allow SSH-connections from both LAN and WAN
$IPT -t filter -A INPUT -i $LAN -p TCP --syn -s $LOCAL_NET --dport 22 -j ACCEPT
$IPT -t filter -A INPUT -i $WAN -p TCP --syn --dport 2070 -j ACCEPT
# Allow DNS-requests
$IPT -t filter -A OUTPUT -o $WAN -p UDP --dport 53 -j ACCEPT
# Allow HTTP-requests
$IPT -t filter -A OUTPUT -o $WAN -p TCP --dport 80 -j ACCEPT
# Allow FTP-requests
$IPT -t filter -A OUTPUT -o $WAN -p TCP --dport 21 -j ACCEPT
# Allow SSH to LAN
$IPT -t filter -A OUTPUT -o $LAN -d $LOCAL_NET -p TCP --dport 22 -j ACCEPT
# Reject Ident-requests
$IPT -t filter -A INPUT -i $WAN -p TCP --dport 113 -j REJECT --reject-with tcp-reset



# -------------------
# |    LOCAL_NET    |
# -------------------

# Allow already established connections through
$IPT -t filter -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# Run forwarded packets through bad_packets (drops INVALID and spoofed)
$IPT -t filter -A FORWARD -j bad_packets
# Drop NetBIOS/SMB leaving the LAN. Match on the destination port: an
# outbound SMB connection has an ephemeral source port and 137-139/445
# as destination, so matching --sport here would let it straight through
$IPT -t filter -A FORWARD -i $LAN -o $WAN -p TCP --dport 137:139 -j DROP
$IPT -t filter -A FORWARD -i $LAN -o $WAN -p UDP --dport 137:139 -j DROP
$IPT -t filter -A FORWARD -i $LAN -o $WAN -p TCP --dport 445 -j DROP
$IPT -t filter -A FORWARD -i $LAN -o $WAN -p UDP --dport 445 -j DROP
# Allow traffic from LAN to WAN
$IPT -t filter -A FORWARD -i $LAN -o $WAN -s $LOCAL_NET -j ACCEPT
$IPT -t nat -A POSTROUTING -o $WAN -s $LOCAL_NET -j MASQUERADE
# Forward SSH to Ohm
$IPT -t nat -A PREROUTING -i $WAN -p TCP --syn --dport 22 -j DNAT --to $Ohm
$IPT -t filter -A FORWARD -i $WAN -d $Ohm -p TCP --dport 22 -j ACCEPT
# Forward DC++ to Yorthen
$IPT -t nat -A PREROUTING -i $WAN -p TCP --syn --dport 1436 -j DNAT --to $Yorthen
$IPT -t filter -A FORWARD -i $WAN -d $Yorthen -p TCP --dport 1436 -j ACCEPT
$IPT -t nat -A PREROUTING -i $WAN -p UDP --dport 1436 -j DNAT --to $Yorthen
$IPT -t filter -A FORWARD -i $WAN -d $Yorthen -p UDP --dport 1436 -j ACCEPT
# Forward FTP to Yorthen
$IPT -t nat -A PREROUTING -i $WAN -p TCP --syn --dport 1045:1050 -j DNAT --to $Yorthen
$IPT -t filter -A FORWARD -i $WAN -d $Yorthen -p TCP --dport 1045:1050 -j ACCEPT
$IPT -t nat -A PREROUTING -i $WAN -p TCP --syn --dport 2069 -j DNAT --to $Yorthen
$IPT -t filter -A FORWARD -i $WAN -d $Yorthen -p TCP --dport 2069 -j ACCEPT
# Forward DCC to Yorthen
$IPT -t nat -A PREROUTING -i $WAN -p TCP --syn --dport 59 -j DNAT --to $Yorthen
$IPT -t filter -A FORWARD -i $WAN -d $Yorthen -p TCP --dport 59 -j ACCEPT



# ----------------
# |    SYSCTL    |
# ----------------
# Turn forwarding on only now that the FORWARD chain is populated
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
# Reverse-path filtering on both interfaces backs up the spoof rules above
echo "1" > /proc/sys/net/ipv4/conf/$WAN/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/$LAN/rp_filter
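One thing the posted script cannot do is fail safely: it sets the filter policies to DROP first and then adds rules one iptables call at a time, so an error halfway through (for instance "-P FORWARD" on the nat table, where that chain does not exist) leaves the box with half a ruleset and no SSH in. The example below is added here and is not part of Erik's post or of the netfilter project; it expresses the same policy as an iptables-restore file, which the kernel loads atomically (all or nothing), and adds an offline check that every "-A" and "-j" names a chain declared in its table and that each table ends in COMMIT. Interfaces, addresses and ports are taken from the posted script; the names gen_ruleset, check_ruleset and rc.iptables.rules are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not Erik's rc.iptables): the same policy as an
# iptables-restore ruleset, loaded atomically instead of rule by rule.
# Interfaces, addresses and ports come from the posted script; the
# function names and the file name below are assumptions.
WAN="eth0"
LAN="eth1"
LOCAL_NET="192.168.10.0/24"
YORTHEN="192.168.10.2"
OHM="192.168.10.10"

# Emit the ruleset. Each table declares only the chains it really has, so
# no policy is ever set on a chain like nat/FORWARD that does not exist.
gen_ruleset() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i $WAN -p tcp --syn --dport 22 -j DNAT --to-destination $OHM
-A PREROUTING -i $WAN -p tcp --syn --dport 1436 -j DNAT --to-destination $YORTHEN
-A PREROUTING -i $WAN -p udp --dport 1436 -j DNAT --to-destination $YORTHEN
-A PREROUTING -i $WAN -p tcp --syn --dport 1045:1050 -j DNAT --to-destination $YORTHEN
-A PREROUTING -i $WAN -p tcp --syn --dport 2069 -j DNAT --to-destination $YORTHEN
-A PREROUTING -i $WAN -p tcp --syn --dport 59 -j DNAT --to-destination $YORTHEN
-A POSTROUTING -o $WAN -s $LOCAL_NET -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:bad_packets - [0:0]
-A bad_packets -m state --state INVALID -j DROP
-A bad_packets -p tcp ! --syn -m state --state NEW -j DROP
-A bad_packets -i $WAN -s 10.0.0.0/8 -j DROP
-A bad_packets -i $WAN -s 172.16.0.0/12 -j DROP
-A bad_packets -i $WAN -s 192.168.0.0/16 -j DROP
-A bad_packets -s 127.0.0.0/8 -j DROP
-A bad_packets -i $LAN ! -s $LOCAL_NET -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A INPUT -j bad_packets
-A OUTPUT -o $WAN -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $WAN -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i $LAN -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o $LAN -p udp --sport 67 --dport 68 -j ACCEPT
-A INPUT -i $LAN -s $LOCAL_NET -p tcp --syn --dport 22 -j ACCEPT
-A INPUT -i $WAN -p tcp --syn --dport 2070 -j ACCEPT
-A INPUT -i $WAN -p tcp --dport 113 -j REJECT --reject-with tcp-reset
-A OUTPUT -o $WAN -p udp --dport 53 -j ACCEPT
-A OUTPUT -o $WAN -p tcp -m multiport --dports 21,80 -j ACCEPT
-A OUTPUT -o $LAN -d $LOCAL_NET -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -j bad_packets
-A FORWARD -i $LAN -o $WAN -p tcp -m multiport --dports 137:139,445 -j DROP
-A FORWARD -i $LAN -o $WAN -p udp -m multiport --dports 137:139,445 -j DROP
-A FORWARD -i $LAN -o $WAN -s $LOCAL_NET -j ACCEPT
-A FORWARD -i $WAN -d $OHM -p tcp --dport 22 -j ACCEPT
-A FORWARD -i $WAN -d $YORTHEN -p tcp -m multiport --dports 59,1045:1050,1436,2069 -j ACCEPT
-A FORWARD -i $WAN -d $YORTHEN -p udp --dport 1436 -j ACCEPT
COMMIT
EOF
}

# Offline sanity check of a ruleset on stdin: every table must end in
# COMMIT, and every -A and -j must name a chain declared in that table
# (or a built-in target). Prints the problem and exits 1 on any failure.
check_ruleset() {
    awk '
    function is_target(t) { return t ~ /^(ACCEPT|DROP|REJECT|RETURN|LOG|MASQUERADE|DNAT|SNAT)$/ }
    function fail(msg)    { print "check_ruleset: " msg > "/dev/stderr"; bad = 1 }
    /^#/ || /^$/ { next }
    /^\*/        { if (table != "" && !committed) fail("no COMMIT in table " table)
                   table = substr($0, 2); committed = 0; next }
    /^:/         { chains[table, substr($1, 2)] = 1; next }
    /^-A /       { if (!((table, $2) in chains)) fail("undeclared chain " $2 " in " table)
                   for (i = 3; i <= NF; i++)
                       if ($i == "-j" && !is_target($(i + 1)) && !((table, $(i + 1)) in chains))
                           fail("jump to undeclared chain " $(i + 1) " in " table)
                   next }
    /^COMMIT$/   { committed = 1 }
    END          { if (table != "" && !committed) fail("no COMMIT in table " table); exit bad }
    '
}

# Usage: sh gen-rules.sh gen > rc.iptables.rules
#        sh gen-rules.sh check < rc.iptables.rules && iptables-restore < rc.iptables.rules
case "${1:-}" in
    gen)   gen_ruleset ;;
    check) check_ruleset ;;
esac
```

check_ruleset only catches structural mistakes (a chain name typo, a missing COMMIT); it is no substitute for `iptables-restore --test`, which needs root and the netfilter modules loaded. The point is that nothing touches the running tables until the whole file has parsed, and the ip_forward sysctl is still set afterwards, as in the original script.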

Thread overview: 9+ messages
2004-07-13 22:40 Erik Wikström [this message]
2004-07-13 23:19 Proofreading Hudson Delbert J Contr 61 CS/SCBN
2004-07-14 12:00 ` Proofreading Erik Wikström
2004-07-14 12:13   ` Proofreading Antony Stone
2004-07-14 16:10 Proofreading Hudson Delbert J Contr 61 CS/SCBN
2004-07-14 16:25 ` Proofreading Antony Stone
2004-07-14 16:48 Proofreading Hudson Delbert J Contr 61 CS/SCBN
2004-07-14 17:05 ` Proofreading Antony Stone
2004-07-14 18:02 Proofreading Hudson Delbert J Contr 61 CS/SCBN
