[NCLUG] any iptables studs out there?

Quent quent at pobox.com
Wed Mar 7 17:23:59 MST 2001


Excellent timing!  I was just about to start down the ipchains to iptables
road :)

I'll find out when I get around to reading the documentation, but does
the new firewall code have a way to block and log goofy TCP packets
that have option bits or weird combinations of flags set?

Using "ipf", for example, one can say:

block in log quick on hme0 proto tcp from any to any flags FUP
block in log quick on hme0 from any to any with ipopts
block in log quick on hme0 proto tcp all with short
block in log quick on hme0 all with opt lsrr
block in log quick on hme0 all with opt ssrr  

This gives you a log of attempts at loose source routing and other
fun stuff.

	Quent

On Tue, Mar 06, 2001 at 11:17:39AM -0700, Mike Loseke wrote:
> 
>  I've been procrastinating long enough and it's time to upgrade the trusty
> old firewall (don't ask how old) so I'm playing with the iptables stuff
> using kernel 2.4.2 (currently) and KRUD 7 01-02-01. I have a config working
> that is doing the SNAT (MASQ) stuff for internal hosts and even some cool
> port forwarding. I think it's fairly complete and would be curious to see
> what, if any, input you fine folks here could provide. :-)
> 
>  DNS and ssh will be running on the firewall but other services are being
> forwarded to an internal machine. My main concern is that after all the
> rules are taken care of that everything else is dropped.
> 
>  Any input would be greatly appreciated. :-)
> 
> --------------------------------------------------------------------
> #!/bin/sh
> 
> PATH=/sbin:$PATH; export PATH
> 
> ## Clear everything out before starting
> iptables -F
> iptables -F -t nat
> iptables -X
> 
> ## Make sure that these are correct
> ADINET=172.20.4.237       ## IP address of the external interface
> IFINET=eth0               ## device name of same
> 
> ## Create the firewall chain
> iptables -N firewall
> iptables -A firewall -m state --state ESTABLISHED,RELATED -j ACCEPT
> iptables -A firewall -m state --state NEW -i ! $IFINET -j ACCEPT
> iptables -A firewall -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
> iptables -A firewall -s 127.0.0.1 -d 10.1.0.0/22 -i lo -j ACCEPT
> iptables -A firewall -d 127.0.0.1 -s 10.1.0.0/22 -i lo -j ACCEPT
> iptables -A INPUT -p icmp -j ACCEPT
> 
> ## Jump to that chain from INPUT and FORWARD chains.
> iptables -A INPUT -j firewall
> iptables -A FORWARD -j firewall
> 
> ## This is the SNAT (MASQ) stuff
> iptables -t nat -A POSTROUTING -o $IFINET -j SNAT --to $ADINET
> 
> ## Accept ssh locally on port 440
> iptables -A INPUT -p tcp --destination-port 440 -j ACCEPT
> 
> ## Accept DNS
> iptables -A INPUT -p udp --source-port 53 -j ACCEPT
> iptables -A INPUT -p tcp --source-port 113 -j ACCEPT
> iptables -A INPUT -p tcp --destination-port 113 -j ACCEPT
> 
> ## Drop everything else. This must come after the ACCEPT rules above:
> ## a chain is matched top to bottom, so nothing appended after a DROP
> ## is ever reached.
> iptables -A INPUT -j DROP
> 
> ##
> ## Forward some ports.
> ##
> 
> ## http traffic goes to cthulhu
> iptables -t nat -A PREROUTING -p tcp -d $ADINET --dport 80 \
>          -j DNAT --to 10.1.1.2:80
> ## smtp traffic goes to cthulhu
> iptables -t nat -A PREROUTING -p tcp -d $ADINET --dport 25 \
>          -j DNAT --to 10.1.1.2:25
> ## ssh traffic going to cthulhu
> iptables -t nat -A PREROUTING -p tcp -d $ADINET --dport 443 \
>          -j DNAT --to 10.1.1.2:22
> 
> ## Turn on IP forwarding in the kernel and we're done
> echo "1" >> /proc/sys/net/ipv4/ip_forward
> --------------------------------------------------------------------
> 
> 
> -- 
>    Mike Loseke    | If at first you don't succeed,
>  mike at verinet.com | increase the amperage.
> _______________________________________________
> NCLUG mailing list
> NCLUG at nclug.org
> http://www.nclug.org/mailman/listinfo/nclug
> 
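An added example, not code from either post, showing how the ipf rules Quent lists map onto stock netfilter of the 2.4 era and how Mike's ruleset looks with the catch-all DROP appended last. It uses the tcp match's `--tcp-flags` and `--syn`, the LOG target's `--log-prefix`, `--log-tcp-options` and `--log-ip-options`, and the `limit` match. Assumptions: the addresses and interface (`172.20.4.237`, `eth0`, `10.1.0.0/22`, `10.1.1.2`) are taken from Mike's script; the function names `build_firewall` and `harden_sysctls`, the chain name `badtcp` and the `IPT` dry-run variable are mine. Two caveats: stock iptables of that time had no equivalent of ipf's `with opt lsrr`/`ssrr` match (the LOG target can still record IP options, and the kernel's `accept_source_route` sysctl discards source-routed packets), and modern iptables writes the negation as `! -i eth0` rather than `-i ! eth0`.

```shell
#!/bin/sh
# Added example (not from the original posts). IPT defaults to a dry-run
# printer so the rules can be reviewed as an unprivileged user; run with
# IPT=iptables to apply them for real.
IPT="${IPT:-echo iptables}"
ADINET="${ADINET:-172.20.4.237}"   # external address, from the post
IFINET="${IFINET:-eth0}"           # external interface, from the post
CTHULHU="${CTHULHU:-10.1.1.2}"     # internal host receiving forwarded ports

build_firewall() {
    # Start from a clean slate in both the filter and nat tables.
    $IPT -F
    $IPT -F -t nat
    $IPT -X

    # badtcp: log, then drop, TCP packets whose flag combinations never occur
    # in legitimate traffic (ipf "flags FUP" and friends). Mask ALL means the
    # named flags are set and every other flag is clear.
    $IPT -N badtcp
    for combo in "ALL FIN,URG,PSH" "ALL NONE" "SYN,FIN SYN,FIN" "SYN,RST SYN,RST"; do
        # $combo is deliberately unquoted: it splits into <mask> <comp>.
        $IPT -A badtcp -p tcp --tcp-flags $combo -j LOG --log-prefix "badtcp: " --log-tcp-options --log-ip-options
        $IPT -A badtcp -p tcp --tcp-flags $combo -j DROP
    done
    # A packet that opens a new connection must be a bare SYN.
    $IPT -A badtcp -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "badtcp-nosyn: "
    $IPT -A badtcp -p tcp ! --syn -m state --state NEW -j DROP

    # Every TCP packet on INPUT and FORWARD passes through badtcp first.
    $IPT -A INPUT -p tcp -j badtcp
    $IPT -A FORWARD -p tcp -j badtcp

    # firewall: stateful accept, loopback, and anything new from inside.
    $IPT -N firewall
    $IPT -A firewall -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A firewall -m state --state NEW ! -i "$IFINET" -j ACCEPT
    $IPT -A firewall -i lo -j ACCEPT
    $IPT -A INPUT -j firewall
    $IPT -A FORWARD -j firewall

    # Services offered by the firewall host itself.
    $IPT -A INPUT -p icmp -j ACCEPT
    $IPT -A INPUT -p tcp --dport 440 -j ACCEPT        # ssh on 440
    $IPT -A INPUT -p udp --sport 53 -j ACCEPT         # DNS replies
    $IPT -A INPUT -p tcp --dport 113 -j ACCEPT        # ident

    # DNAT'd connections arrive on FORWARD as NEW from the outside interface,
    # so they need explicit ACCEPTs once FORWARD ends in a DROP.
    $IPT -A FORWARD -p tcp -d "$CTHULHU" --dport 80 -j ACCEPT
    $IPT -A FORWARD -p tcp -d "$CTHULHU" --dport 25 -j ACCEPT
    $IPT -A FORWARD -p tcp -d "$CTHULHU" --dport 22 -j ACCEPT

    # Catch-all: log a rate-limited sample, then drop. Appended LAST, because
    # a chain is evaluated top to bottom and nothing after a DROP is reached.
    $IPT -A INPUT -m limit --limit 5/minute -j LOG --log-prefix "input-drop: "
    $IPT -A INPUT -j DROP
    $IPT -A FORWARD -m limit --limit 5/minute -j LOG --log-prefix "forward-drop: "
    $IPT -A FORWARD -j DROP

    # NAT: masquerade outbound traffic, forward http/smtp/ssh to cthulhu.
    $IPT -t nat -A POSTROUTING -o "$IFINET" -j SNAT --to "$ADINET"
    $IPT -t nat -A PREROUTING -p tcp -d "$ADINET" --dport 80 -j DNAT --to "$CTHULHU:80"
    $IPT -t nat -A PREROUTING -p tcp -d "$ADINET" --dport 25 -j DNAT --to "$CTHULHU:25"
    $IPT -t nat -A PREROUTING -p tcp -d "$ADINET" --dport 443 -j DNAT --to "$CTHULHU:22"
}

# Source routing: stock netfilter had no ipf-style "with opt lsrr" match, so
# let the kernel discard source-routed packets, then enable forwarding.
harden_sysctls() {
    f=/proc/sys/net/ipv4/conf/all/accept_source_route
    [ -w "$f" ] && echo 0 > "$f"
    f=/proc/sys/net/ipv4/ip_forward
    [ -w "$f" ] && echo 1 > "$f"
    return 0
}

build_firewall
```

Run it as-is to print the rule list for review; as root with `IPT=iptables ./fw.sh` it applies the rules, and a separate call to `harden_sysctls` sets the two sysctls. Watch the kernel log for the `badtcp:` and `input-drop:` prefixes to see what the rules are catching.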
