Hey guys,
just getting my firewall box ready for tomorrow morning
(getting an IBB install first thing), and a little unsure about a couple of the finer points of iptables port forwarding & NAT
The relevant rules are quoted below
EXTIP="x.x.x.x"
INTIP="xx.x.x"
EXTIF="eth0"
INTIF="eth1"
LAN="x.x.x.x/n"
/bin/echo "1" > /proc/sys/net/ipv4/ip_foward
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
[b][1][/b]
iptables -A FORWARD -i $EXTIF -m state --state RELATED, ESTABLISHED -j ACCEPT
[b][2][/b]
iptables -A FORWARD -i $INTIF -s $LAN -p all -j ACCEPT
[b][3][/b]
iptables -t nat -A POSTROUTING -s $LAN -o $EXTIF -j SNAT --to $EXTIP
1. This will only allow external traffic through to the internal network for requests which have been made by machines on the internal network.
2. This will allow external access to any traffic originating from within the internal network
(I also have a spoofing rule defined elsewhere to discard incoming traffic on the external interface claming to be from the LAN)3. This will NAT any traffic outbound from the internal network only
Can anyone spot any holes in there? Or can anyone see anythign that I'm overlooking. I'm intending to refine the rules further but I will need a basic script initially to avoid hassle getting (external) access running correctly. I'm planning to put in some ICMP rules later today.
If anyone's curious, here's the script in it's entirety:
#!/bin/sh
##-----------------------------------------------------
MODPROBE="/sbin/modprobe"
IPTABLES="/sbin/iptables"
EXTIP="x.x.x.x"
INTIP="10.1.x.x"
EXTIF="eth0"
INTIF="eth1"
BROADCAST="255.255.0.0"
LAN="10.1.0.0/16"
REMOTE="0/0"
NAMESERVER="x.x.x.x"
##-----------------------------------------------------
$MODPROBE ip_tables
$MODPROBE ip_conntrack
$MODPROBE ip_conntrack_ftp
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo "1" > /proc/sys/net/ipv4/icmp_gnore_bogus_error_responses
# disable icmp redirect acceptance
for iface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
/bin/echo "0" > ${iface}
done
# log all spoofed, source-routed, & redirect packets
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
# enable ip forwarding
/bin/echo "1" > /proc/sys/net/ipv4/ip_foward
##-----------------------------------------------------
# Flush & Reset rules
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
#Create a rule to log and drop packets.
$IPTABLES -N LOGDROP 2>/dev/null
$IPTABLES -A LOGDROP --proto tcp -j LOG --log-prefix "TCP Drop:"
$IPTABLES -A LOGDROP --proto udp -j LOG --log-prefix "UDP Drop:"
$IPTABLES -A LOGDROP -f -j LOG --log-prefix "FRAG Drop:"
$IPTABLES -A LOGDROP -j DROP
$IPTABLES -P INPUT -j LOGDROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# allow local interface traffic (Loopback)
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# allow related/established inbound traffic
$IPTABLES -A INPUT -i $EXTIF -m state --state RELATED, ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -m state --state RELATED, ESTABLISHED -j ACCEPT
# allow everything from internal network
$IPTABLES -A INPUT -i $INTIF -s $LAN -p all -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -d $LAN -p all -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -s $LAN -p all -j ACCEPT
$IPTABLES -A INPUT -i $INTIF -s ! 10.1.x.n -p tcp --dport ssh -j LOGDROP
# Prevent Spoofing
$IPTABLES -A INPUT -i $EXTIF -s $LAN -p all -j LOGDROP
# NAT outgoing traffic
$IPTABLES -t nat -A POSTROUTING -s $LAN -o $EXTIF -j SNAT --to $EXTIP
#SYN-Flood protection
$IPTABLES -N syn-flood
$IPTABLES -A INPUT -i $EXTIF -p tcp --syn -j syn-flood
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood -j DROP