A Firewall I Made

Protecting your Linux box
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

Post by mudasir »

AOA,

Dear Farrukh bhai and Kashif Bhai,

I have also tried the following rules
iptables -A INPUT -i $NETWORK -p tcp --dport 20:21 -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i $NETWORK -p tcp --dport 20:21 -m state --state NEW,RELATED -j ACCEPT
iptables -A INPUT -i $NETWORK -p tcp --dport 1024:65535 -m state --state NEW,RELATED -j ACCEPT
iptables -A INPUT -i $NETWORK -p tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT

iptables -A FORWARD -i $NETWORK -p tcp --dport 1024:65535 -m state --state NEW,RELATED -j ACCEPT
iptables -A FORWARD -i $NETWORK -p tcp --dport 1024:65535 -m state --state RELATED,ESTABLISHED -j ACCEPT
Still no progress...
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi

Re:

Post by LinuxFreaK »

Dear mudasir,
Salam,

Using the following rule will help you.

# iptables -I INPUT -i eth0 -s 0.0.0.0/0 -d 192.168.0.1 -m state --state ESTABLISHED,RELATED -j ACCEPT

Best Regards.
Farrukh Ahmed
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

Post by mudasir »

AOA,

Dear Farrukh bhai,

Thanks for your reply.

I will try these today, and will let you know.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

Post by mudasir »

AOA,

Dear Farrukh bhai,

I tried the rule that you told me to try; still no progress.

My final script that I am using is as follows:

Code:

#!/bin/sh 

###############################################
####      Firewall Script Created By       ####
####            Mudasir Mirza              ####
####       cool_mudasir@hotmail.com        ####
####          0092-321-2395320             ####  
###############################################   

#set -x 

######################## 
## Defining Variables ## 
######################## 

# Path to IPTABLES executable 
IPT="/sbin/iptables" 

# Interface Card Connected to Local Network 
NETWORK="eth1" 

# Interface Card Connected to Internet 
INTERNET="eth0" 

# Loopback Interface 
LOOPBACK="lo" 

# IP Address of Server
SERVER_IP="10.0.0.3"

# Local Network IP Range / Subnet 
LOC_IP="10.0.0.0/24" 

# INTERNAL Broadcast 
LOC_BCAST=10.0.0.255 

# IP On The Internet Interface 
NET_IP="192.168.1.3/24" 

# DHCP Server IP 
DHCP_SERVER="10.0.0.3" 

# SSH Port
SSH_PORT="22"

# FTP on the Network
FTP_IP="10.0.0.6"

# FTP Port
FTP_PORT="21"

# Primary DNS Server 
P_DNS="203.99.163.240" 

# Alternate DNS Server
A_DNS="203.99.163.243"

# Path To Directory Containing MAC Addresses 
MACDIR="/macs"

# Path To File Containing MAC Addresses
MACFILE="/macs/allowed.macs"

# Path To File Containing IP Addresses
IPFILE="/macs/allowed.ips"

# Location of modprobe
MOD="/sbin/modprobe"

#########################
### Flushing IPTABLES ###
#########################

$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X


#################################################
### Calling Required IPTABLES Modules For FTP ###
#################################################


$MOD ip_conntrack
$MOD ip_conntrack_ftp
$MOD ip_nat_ftp

########################################
### Setting Default Policies to Drop ###
########################################

$IPT -P INPUT DROP
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT

echo Default Policies Set To Drop

####################################
### Setting Needed PROC Settings ###
####################################

echo 1 > /proc/sys/net/ipv4/ip_forward

##############################
### Setting IPTABLES Rules ###
##############################


###############################
### MAC Addresses Filtering ###
###############################

# Keep the first field of each line, strip comments, and drop blank or indented lines
awk '{ print $1 }' $MACFILE | sed -e 's/#.*//' -e '/^ /d' -e '/^$/d' > $MACDIR/mac.addresses

awk '{ print $1 }' $IPFILE | sed -e 's/#.*//' -e '/^ /d' -e '/^$/d' > $MACDIR/ip.addresses

echo -----------------------------------------------
echo Marking Packets from Known MAC and IP Addresses
echo -----------------------------------------------

cat $MACDIR/mac.addresses | while read MACS
do
$IPT -t mangle -A PREROUTING -i $NETWORK -m mac --mac-source $MACS -j MARK --set-mark 1
done
$IPT -t mangle -A PREROUTING -i $NETWORK -s 10.0.0.10 -j MARK --set-mark 1
cat $MACDIR/ip.addresses | while read IPS
do
$IPT -t mangle -A PREROUTING -i $NETWORK -s $IPS -j MARK --set-mark 1
done

echo -----------------------------------------------
echo ---- MAC and IP Address Filtering Complete ----
echo -----------------------------------------------


$IPT -A INPUT -i $NETWORK -d $SERVER_IP -m mark --mark 1 -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-unreachable
$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $SERVER_IP -m mark ! --mark 1 -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-net-unreachable

#########################################
### MAC Addresses Filtering Completed ###
#########################################

#####################
### Rules for FTP ###
#####################


# "any" address is written 0.0.0.0/0; a bare 0.0.0.0 is a /32 match on that single address
$IPT -A INPUT -i $NETWORK -s 0.0.0.0/0 -d 0.0.0.0/0 -p tcp --dport 20:21 -j ACCEPT
$IPT -A INPUT -i $NETWORK -s 0.0.0.0/0 -d 0.0.0.0/0 -p tcp --dport 1024:65535 -j ACCEPT
$IPT -A INPUT -i $NETWORK -p tcp -s 0/0 -d $LOC_IP --dport 20:21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $NETWORK -p tcp -s 0/0 -d $LOC_IP --dport 20:21 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $NETWORK -p tcp -s 0/0 -d $LOC_IP --dport 1024:65535 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $NETWORK -p tcp -s 0/0 -d $LOC_IP --dport 1024:65535 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i $NETWORK -s 0.0.0.0/0 -d $LOC_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A POSTROUTING -o $INTERNET -p tcp --dport 21 -m mark --mark 1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $INTERNET -p tcp --dport 20 -m mark --mark 1 -j MASQUERADE


#########################
### SSH From Internet ###
#########################


$IPT -A INPUT -i $INTERNET -p tcp --dport $SSH_PORT -j ACCEPT
$IPT -A INPUT -i $INTERNET -p udp --dport $SSH_PORT -j ACCEPT

#################################################################
### Redirecting FTP Traffic Coming From Internet To LOCAL FTP ###
#################################################################


$IPT -t nat -A PREROUTING -i $INTERNET -p udp --dport 21 -j DNAT --to $FTP_IP:$FTP_PORT
$IPT -t nat -A PREROUTING -i $INTERNET -p tcp --dport 21 -j DNAT --to $FTP_IP:$FTP_PORT


################################
### Accepting Marked Packets ###
################################


$IPT -A INPUT -i $NETWORK -m mark --mark 1 -j ACCEPT
$IPT -A FORWARD -i $NETWORK -m mark --mark 1 -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -m mark --mark 1 -j ACCEPT


#####################################
### Dropping All Unmarked Packets ###
#####################################


$IPT -A FORWARD -i $NETWORK -m mark ! --mark 1 -j DROP
$IPT -A INPUT -i $NETWORK -m mark ! --mark 1 -j DROP


########################################################
### Accepting Voice/CAM Request for Marked Packets.  ###
########################################################


$IPT -t nat -A PREROUTING -m mark --mark 1 -i $NETWORK -p tcp --dport 5000:5010 -j ACCEPT
$IPT -t nat -A PREROUTING -m mark --mark 1 -i $NETWORK -p udp --dport 5000:5010 -j ACCEPT
$IPT -t nat -A PREROUTING -m mark --mark 1 -i $NETWORK -p tcp --dport 5100 -j ACCEPT


#######################################################
### Dropping Voice/CAM Traffic which is not Marked. ###
#######################################################


$IPT -t nat -A PREROUTING -i $NETWORK -m mark ! --mark 1 -p tcp --dport 5000:5010 -j DROP
# The interface variable must be expanded ($NETWORK), otherwise iptables looks for an interface literally named NETWORK
$IPT -t nat -A PREROUTING -m mark ! --mark 1 -i $NETWORK -p tcp --dport 5100 -j DROP


################################
### Accepting DHCP Request.  ###
################################


# A DHCP request arrives from the client's port 68 to port 67 (source may be 0.0.0.0 or the
# client's address on renewal); the server's reply leaves from port 67 to port 68
$IPT -A INPUT -i $NETWORK -p udp --sport 68 --dport 67 -j ACCEPT
$IPT -A OUTPUT -o $NETWORK -p udp -s $DHCP_SERVER --sport 67 --dport 68 -j ACCEPT


################################################################
### Redirecting HTTP and FTP Traffic to Squid Proxy Server.  ###
################################################################


$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p tcp --dport 80 -j REDIRECT --to-port 8080
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p udp --dport 80 -j REDIRECT --to-port 8080
# Note: native FTP clients cannot talk to an HTTP proxy port; only ftp:// URLs fetched
# by a browser through Squid work this way. Plain FTP clients need port 21 left alone.
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p tcp --dport 21 -j REDIRECT --to-port 8080
$IPT -t nat -A PREROUTING -i $NETWORK -s $LOC_IP -m mark --mark 1 -p udp --dport 21 -j REDIRECT --to-port 8080


#################################################
###  MASQUERADE All packets that are Marked.  ###
#################################################


$IPT -t nat -A POSTROUTING -p all -s $LOC_IP -m mark --mark 1 -o $INTERNET -j MASQUERADE


###############################
### Rules for ICMP Protocol ###
###############################

$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $P_DNS -p icmp -j ACCEPT
$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $A_DNS -p icmp -j ACCEPT
$IPT -A INPUT -i $NETWORK -s $LOC_IP -d ! $LOC_IP -p icmp --icmp-type echo-request -j DROP
#$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $SERVER_IP -m mark --mark 1 -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-unreachable
$IPT -A INPUT -i $NETWORK -d $SERVER_IP -m mark --mark 1 -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-host-unreachable
$IPT -A INPUT -i $NETWORK -s $LOC_IP -d $SERVER_IP -m mark ! --mark 1 -p icmp --icmp-type echo-request -j REJECT --reject-with icmp-net-unreachable
$IPT -A INPUT -p icmp -s $LOC_IP -d $LOC_BCAST -j DROP


###############################################
###  No Restriction for Loopback Interface  ###
###############################################


$IPT -A INPUT -i $LOOPBACK -j ACCEPT
$IPT -A OUTPUT -o $LOOPBACK -j ACCEPT


#########################################################################
### Dropping Packets coming from Internet claiming to be from Network ###
#########################################################################


$IPT -A INPUT -i $INTERNET -s $LOC_IP -j DROP
$IPT -A INPUT -i $INTERNET -d 127.0.0.0/8 -j DROP


$IPT -A INPUT -i $NETWORK -j ACCEPT
$IPT -A OUTPUT -o $NETWORK -j ACCEPT


#######################################################
###  Accepting Established and Related Connections  ###
#######################################################


$IPT -I INPUT -i $NETWORK -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -o $NETWORK -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i $INTERNET -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $INTERNET -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT


############################################
### Dropping Invalid and Unknown Packets ###
############################################


$IPT -A FORWARD -m state --state INVALID -j DROP
$IPT -A INPUT -i $INTERNET -m state --state INVALID -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -A INPUT -i $INTERNET -p tcp --tcp-flags ACK,URG URG -j DROP
#$IPT -t nat -A PREROUTING -i $NETWORK -p tcp --syn -s $LOC_IP --dport 80 -m mark ! --mark 1 -j DROP
Still no FTP site is opening behind it... The FTP site is opening on the SERVER, not on the CLIENT. By FTP site I do not mean the LOCAL FTP.
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com
LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi

Re:

Post by LinuxFreaK »

Dear mudasir,
Salam,

Use this rule before any other rule.

Code:

$IPT -A INPUT -i $NETWORK -s 0.0.0.0/0 -d $LOC_IP -m state --state ESTABLISHED,RELATED -j ACCEPT
Best Regards.
Farrukh Ahmed
mudasir
Captain
Posts: 565
Joined: Tue Oct 17, 2006 5:23 am
Location: Dubai

Post by mudasir »

AOA,

Dear Farrukh Bhai,

Got it working.

The working script is at

http://www.geocities.com/cool_mudasir/linux/macs.txt
Kind Regards
Mudasir Mirza (RHCE)
(+971)55-1045754
http://www.crystalnetworks.org
http://www.diglinux.com