[NCLUG] any iptables studs out there?

Mike Loseke mike at verinet.com
Tue Mar 6 11:17:39 MST 2001 

 I've been procrastinating long enough and it's time to upgrade the trusty
old firewall (don't ask how old) so I'm playing with the iptables stuff
using kernel 2.4.2 (currently) and KRUD 7 01-02-01. I have a config working
that is doing the SNAT (MASQ) stuff for internal hosts and even some cool
port forwarding. I think it's fairly complete and would be curious to see
what, if any, input you fine folks here could provide. :-)

 DNS and ssh will be running on the firewall but other services are being
forwarded to an internal machine. My main concern is that after all the
rules are taken care of that everything else is dropped.

 Any input would be greatly appreciated. :-)

--------------------------------------------------------------------
#!/bin/sh

PATH=/sbin:$PATH; export PATH

## Clear everything out before starting
iptables -F
iptables -F -t nat
iptables -X

## Make sure that these are correct
ADINET=172.20.4.237       ## IP address of the external interface
IFINET=eth0               ## device name of same

## Create the firewall chain
iptables -N firewall
iptables -A firewall -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A firewall -m state --state NEW -i ! $IFINET -j ACCEPT
iptables -A firewall -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
iptables -A firewall -s 127.0.0.1 -d 10.1.0.0/22 -i lo -j ACCEPT
iptables -A firewall -d 127.0.0.1 -s 10.1.0.0/22 -i lo -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT

## Jump to that chain from INPUT and FORWARD chains.
iptables -A INPUT -j firewall
iptables -A FORWARD -j firewall

## Drop everything else
iptables -A INPUT -j DROP

## This is the SNAT (MASQ) stuff
iptables -t nat -A POSTROUTING -o $IFINET -j SNAT --to $ADINET

## Accept ssh locally on port 440
iptables -A INPUT -p tcp --destination-port 440 -j ACCEPT

## Accept DNS
iptables -A INPUT -p udp --source-port 53 -j ACCEPT
iptables -A INPUT -p tcp --source-port 113 -j ACCEPT
iptables -A INPUT -p tcp --destination-port 113 -j ACCEPT

##
## Forward some ports.
##

## http traffic goes to cthulhu
iptables -t nat -A PREROUTING -p tcp -d $ADINET --dport 80 \
         -j DNAT --to 10.1.1.2:80
## smtp traffic goes to cthulhu
iptables -t nat -A PREROUTING -p tcp -d $ADINET --dport 25 \
         -j DNAT --to 10.1.1.2:25
## ssh traffic going to cthulhu
iptables -t nat -A PREROUTING -p tcp -d $ADINET --dport 443 \
         -j DNAT --to 10.1.1.2:22

## Turn on IP forwarding in the kernel and we're done
echo "1" >> /proc/sys/net/ipv4/ip_forward
--------------------------------------------------------------------


-- 
   Mike Loseke    | If at first you don't succeed,
 mike at verinet.com | increase the amperage.

More information about the NCLUG mailing list