Configuring Iptables Firewall

This is an example of an iptables firewall script for a small Linux gateway with one Internet-facing interface (eth1) and one LAN interface (eth0, 192.168.0.0/24). Read every rule before using it: the script sets default-DROP policies, NATs the LAN, and forwards two ports from the Internet to internal hosts.

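#!/bin/sh
#
# iptables firewall for a small gateway: one WAN interface ($wan_if, public
# address $wan_ip) and one LAN interface ($lan_if, 192.168.0.0/24).
#
# Order of operations matters for safety:
#   1. load the netfilter modules the rules depend on
#   2. set default-DROP policies on INPUT/FORWARD *before* flushing, so a
#      reload never leaves a window with an open firewall
#   3. flush and rebuild the filter and nat tables
#   4. enable IPv4 forwarding only after the FORWARD chain is in place
#
# Only IPv4 is filtered here.  If the kernel has IPv6 enabled, an equivalent
# ip6tables policy (or disabling IPv6 on the WAN side) is still required.
# The script runs as root (it writes /proc/sys and calls iptables); keep it
# root-owned and not group/world-writable, since anything that can edit it
# controls the firewall.

set -u   # an unset variable would silently become a match-all; fail instead

wan_ip="xxx.xxx.xxx.xxx"
wan_if="eth1"
lan_ip="192.168.0.1"
lan_net="192.168.0.0/24"
lan_if="eth0"
lo_if="lo"
lo_ip="127.0.0.1"

# The admin's home address: the only Internet source allowed to reach ssh on
# the gateway and the Radmin/RDP ports forwarded to the internal hosts below.
admin_ip="xxx.xxx.xxx.xxx"

dc="192.168.0.2"
db="192.168.0.3"
itchief="192.168.0.4"
asterisk="192.168.0.5"

IPTABLES="/sbin/iptables"

# Refuse to run while the placeholders are still in place: iptables would
# reject every rule that mentions them and we would end up with a half-built
# ruleset.  A real IPv4 address never contains the letter "x".
for addr in "$wan_ip" "$admin_ip"; do
  case "$addr" in
    *x*) echo "firewall: set wan_ip and admin_ip before running" >&2; exit 1 ;;
  esac
done

# Module loading.  Failures are tolerated on purpose: on newer kernels these
# are built in or renamed (ip_conntrack -> nf_conntrack) and iptables
# autoloads what it needs.  Do not turn on "set -e" here, or a missing module
# would abort the script before any policy is set.

/sbin/depmod -a
for mod in ip_tables ip_conntrack iptable_filter iptable_mangle iptable_nat \
           ipt_LOG ipt_limit ipt_state; do
  /sbin/modprobe "$mod" || true
done

# Kernel-side hardening

echo "1" > /proc/sys/net/ipv4/tcp_syncookies            # SYN flood protection
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter        # drop packets whose source is not routable back through the ingress interface (anti-spoofing)
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects # nobody gets to rewrite the gateway's routes via ICMP

# Default policies FIRST, then flush.  Flushing with an ACCEPT policy still in
# effect (the kernel default after boot) would leave INPUT and FORWARD wide
# open until the rules below are re-added.

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD DROP

$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X

##############  INPUT chain ################

# Bad TCP packets we don't want: a NEW connection must start with a bare SYN.

$IPTABLES -A INPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

# Anti-spoofing: nothing arriving from the Internet may claim a LAN or
# loopback source address (rp_filter above catches most of this; this is
# explicit and logs nothing, by design).

$IPTABLES -A INPUT -i "$wan_if" -s "$lan_net" -j DROP
$IPTABLES -A INPUT -i "$wan_if" -s 127.0.0.0/8 -j DROP

# Loopback: only the gateway's own addresses are legitimate on lo.

$IPTABLES -A INPUT -p ALL -i "$lo_if" -s "$lo_ip" -j ACCEPT
$IPTABLES -A INPUT -p ALL -i "$lo_if" -s "$lan_ip" -j ACCEPT
$IPTABLES -A INPUT -p ALL -i "$lo_if" -s "$wan_ip" -j ACCEPT

# Rules for LAN: the internal network is fully trusted to talk to the gateway.

$IPTABLES -A INPUT -p ALL -i "$lan_if" -j ACCEPT

# Rules for Internet.

# Answer pings, but rate-limited so the box cannot be used as a ping reflector.
$IPTABLES -A INPUT -p ICMP -i "$wan_if" --icmp-type echo-request -m limit --limit 5/second --limit-burst 10 -j ACCEPT
# Replies to connections the gateway itself opened.
$IPTABLES -A INPUT -p ALL -d "$wan_ip" -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow ssh from admin's home only.
$IPTABLES -A INPUT -p TCP -i "$wan_if" -s "$admin_ip" --dport 22 -j ACCEPT
# Public web server on the gateway itself.
$IPTABLES -A INPUT -p TCP -i "$wan_if" --dport 80 -j ACCEPT

# Log weird packets that don't match the above (the DROP policy then applies).
# The limit keeps a flood from filling the log.

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level info --log-prefix "IPTABLES INPUT blocked: "

############### FORWARD chain ################

# Bad TCP packets we don't want

$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

# Anti-spoofing for transit traffic: a LAN source address cannot arrive on
# the WAN interface.

$IPTABLES -A FORWARD -i "$wan_if" -s "$lan_net" -j DROP

# Rules for LAN (egress policy: only what is listed here leaves the LAN).

$IPTABLES -A FORWARD -p ICMP -i "$lan_if" -j ACCEPT
$IPTABLES -A FORWARD -p ALL -i "$lan_if" -o "$lan_if" -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i "$lan_if" --dport 5190 -j ACCEPT   # ICQ/AIM instant messaging
$IPTABLES -A FORWARD -p TCP -i "$lan_if" --dport 3389 -j ACCEPT   # outbound RDP
$IPTABLES -A FORWARD -p ALL -s "$itchief" -i "$lan_if" -j ACCEPT  # IT chief's workstation: unrestricted egress
$IPTABLES -A FORWARD -p UDP -s "$dc" -i "$lan_if" --dport 123 -j ACCEPT         # domain controller: NTP
$IPTABLES -A FORWARD -p TCP -s "$asterisk" -i "$lan_if" --dport 80 -j ACCEPT    # PBX: HTTP (updates etc.)

# Rules for Internet.
#
# Radmin on the DB server and RDP on the domain controller are reachable from
# outside via the DNAT rules in the nat table.  Both are remote-admin services
# with a long history of brute-force and exploitation, and the DC is the most
# sensitive host on the network, so they are limited to the admin's address
# exactly like ssh above.  If more remote users genuinely need them, add their
# addresses explicitly rather than removing "-s".

$IPTABLES -A FORWARD -i "$wan_if" -s "$admin_ip" -d "$db" -p tcp --dport 4899 -j ACCEPT
$IPTABLES -A FORWARD -i "$wan_if" -s "$admin_ip" -d "$dc" -p tcp --dport 3389 -j ACCEPT

# Log weird packets that don't match the above.

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level info --log-prefix "IPTABLES FORWARD blocked: "

############### NAT table ################

# Only the LAN is masqueraded; without "-s" anything the box forwards would
# be NATed, including spoofed traffic that slipped past the filter.
$IPTABLES -t nat -A POSTROUTING -s "$lan_net" -o "$wan_if" -j MASQUERADE

# Port forwards on non-standard external ports.  The source restriction is
# repeated here so unwanted connections are dropped before translation; the
# FORWARD chain enforces it a second time.
$IPTABLES -t nat -A PREROUTING -p TCP -i "$wan_if" -s "$admin_ip" --dport 33333 -j DNAT --to-destination "$db:4899"
$IPTABLES -t nat -A PREROUTING -p TCP -i "$wan_if" -s "$admin_ip" --dport 33334 -j DNAT --to-destination "$dc:3389"

# Enable forwarding last, now that the FORWARD chain is complete.

echo "1" > /proc/sys/net/ipv4/ip_forward

echo "Iptables rules are reloaded!"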

You should make this script executable (chmod +x) and put it, or a symlink to it, into /etc/network/if-up.d/ so it is re-applied whenever an interface comes up. Because it runs there as root at boot, the file must be owned by root and not writable by other users. Note that /etc/network/if-up.d/ scripts run once for every interface that comes up, so the ruleset will be rebuilt more than once; that is harmless with this script, but any interface-specific logic should check the IFACE environment variable.