* firewall script
@ 2005-08-03 5:51 Craig Steadman
0 siblings, 0 replies; 8+ messages in thread
From: Craig Steadman @ 2005-08-03 5:51 UTC (permalink / raw)
To: netfilter
Hi everyone.
I've been tinkering with iptables for a few years and have created
some bash scripts to help manage my private VPN. If anyone is
interested I've made them available on sourceforge.
http://bastionx.sourceforge.net/
Any feedback is welcomed.
Cheers
Craig
^ permalink raw reply [flat|nested] 8+ messages in thread
* Firewall script
@ 2005-09-27 11:09 Boskey
2005-09-27 11:57 ` Rob Sterenborg
0 siblings, 1 reply; 8+ messages in thread
From: Boskey @ 2005-09-27 11:09 UTC (permalink / raw)
To: netfilter
[-- Attachment #1: Type: text/plain, Size: 499 bytes --]
Hi All,
A customer of ours has a firewall script made for there organization.
The customer , even after enabling the firewall script has a huge spammer
inside the network get across, and spam from the IP.
I have seen the script and feel that his firewall is good when it comes to
not allowing people into the system.
But i guess people inside the network ( local ) can get across easily.
Can someone help me by confirming this.
The firewall script is attached herewith.
Regards,
Boskey
[-- Attachment #2: itm-firewall-script --]
[-- Type: application/x-shellscript, Size: 12295 bytes --]
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: Firewall script
2005-09-27 11:09 Firewall script Boskey
@ 2005-09-27 11:57 ` Rob Sterenborg
[not found] ` <65aa6af90509270654746608f7@mail.gmail.com>
0 siblings, 1 reply; 8+ messages in thread
From: Rob Sterenborg @ 2005-09-27 11:57 UTC (permalink / raw)
To: netfilter
On Tue, September 27, 2005 13:09, Boskey wrote:
> Hi All,
>
> A customer of ours has a firewall script made for there organization.
>
> The customer , even after enabling the firewall script has a huge
> spammer
> inside the network get across, and spam from the IP.
>
> I have seen the script and feel that his firewall is good when it
> comes to
> not allowing people into the system.
>
> But i guess people inside the network ( local ) can get across
> easily.
>
> Can someone help me by confirming this.
===============
#
# Bad TCP packets we don't want
#
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
[....]
#
# LAN section
#
$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
===============
Move the state rule right below the "bad tcp packets" rule (better
performance).
Then, below the state rule, log and reject packets for dport 25 :
$IPTABLES -A FORWARD -i $LAN_IFACE -m state --state NEW \
-p tcp --dport 25 -j LOG --log-prefix "SMTP_REJECT: "
$IPTABLES -A FORWARD -i $LAN_IFACE -m state --state NEW \
-p tcp --dport 25 -j REJECT --reject-with tcp-reset
This way no-one can send email diectly to some smtp server on the
internet and at the same time you will log the offending IP.
You may want to limit (-m limit --limit 1/second or something) if your
logs get filled too quickly.
However.. If you're doing this, you need your own smtp server so
people can send (legitimate) email when they need to able to do that.
When they start spamming using *your* smtp server, you will have the
smtp logs available...
Gr,
Rob
^ permalink raw reply [flat|nested] 8+ messages in thread
* Firewall script...
@ 2003-06-05 1:19 Vilmos Branyik
0 siblings, 0 replies; 8+ messages in thread
From: Vilmos Branyik @ 2003-06-05 1:19 UTC (permalink / raw)
To: 'netfilter@lists.netfilter.org'
Hello,
I haven't written many iptables scripts but would like your input on this
one.
What I am attempting to do is to only allow connection from my dial up
routers on my public subnet on ports 645 & 646. Then use NAT to forward to
my Radius server behind the firewall.
Also I would allow ssh in from the public subnet only.
I welcome any input you may have.
$IPTABLES - location of iptables
$INTIF - Internal interface
$EXTIF - External interface
$INTNET - Internal subnet (address ie. 192.168.1.0/24)
$EXTNET - External subnet (local to us)
$EXTIP - External IP address
# Flush rules
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X
# Drop everything
$IPTABLES -A INPUT DROP
# Kill invalid packets (too short, illegal, zero length)
$IPTABLES -A INPUT -m unclean -j DROP
$IPTABLES -A FORWARD -m unclean -j DROP
# Kill invalid packets (illegal combinations of flags)
$IPTABLES -A INPUT -m state INVALID -j DROP
$IPTABLES -A FORWARD -m state INVALID -j DROP
# Allow connections from local interface
$IPTABLES -A INPUT -i lo -j ACCEPT
# Drop connections to lo from the outside
$IPTABLES -A INPUT -d 127.0.0.0/8 -j REJECT
# Allow traffic from the inside
$IPTABLES -A INPUT -i $INTIF -s $INTNET -j ACCEPT
# Reject anything from the outside claiming to be from the inside
$IPTABLES -A INPUT -i $EXTIF -s $INTNET -j REJECT
# Allow established connections
$IPTABLES -A INPUT -m state -state ESTABLISHED, RELATED -j ACCEPT
# Allow forwarding from the inside
$IPTABLES -A FORWARD -o $EXTIF -i $INTIF -j ACCEPT
# Allow replies coming in
$IPTABLES -A FORWARD -i $EXTIF -m state -state ESTABLISHED,RELATED -j ACCEPT
# Allow ssh from local external subnet
$IPTABLES -A INPUT -s $EXTNET -p tcp -dport 22 -j ACCEPT
# Block anything directly addresses to the internal net
$IPTABLES -A PREROUTING -t nat -i $EXTIF -d $INTIF -j DROP
# Start NAT
# Service at port 645 tcp
$IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp --dport 645 -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 645 \
-j DNAT --to $PORTFWIP:645
# Service at port 645 udp
$IPTABLES -A FORWARD -i eth0 -o eth1 -p udp --dport 645 -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p udp -d $EXTIP --dport 645 \
-j DNAT --to $PORTFWIP:645
# Service at port 646 tcp
$IPTABLES -A FORWARD -i eth0 -o eth1 -p tcp --dport 646 -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p tcp -d $EXTIP --dport 646 \
-j DNAT --to $PORTFWIP:646
# Service at port 646 udp
$IPTABLES -A FORWARD -i eth0 -o eth1 -p udp --dport 646 -j ACCEPT
$IPTABLES -A PREROUTING -t nat -p udp -d $EXTIP --dport 646 \
-j DNAT --to $PORTFWIP:646
echo " Enabling SNAT (MASQUERADE) functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
Thanks for all your help.
Vilmos
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2005-09-27 14:33 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-08-03 5:51 firewall script Craig Steadman
-- strict thread matches above, loose matches on Subject: below --
2005-09-27 11:09 Firewall script Boskey
2005-09-27 11:57 ` Rob Sterenborg
[not found] ` <65aa6af90509270654746608f7@mail.gmail.com>
2005-09-27 13:55 ` Edmundo Carmona
2005-09-27 14:22 ` Rob Sterenborg
2005-09-27 14:22 ` Rob Sterenborg
2005-09-27 14:33 ` Rob Sterenborg
2003-06-05 1:19 Vilmos Branyik
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox