HARD TO DEFINE IPTABLE RULES?

Discussion of programming on Linux, including shell scripting, perl, python, c/c++, mono, java. Whatever tickles your fancy.
thecooldude
Lance Naik
Posts: 43
Joined: Sun Nov 26, 2006 6:04 pm
Location: Dubai, UAE.
Contact:

HARD TO DEFINE IPTABLE RULES?

Postby thecooldude » Mon Feb 19, 2007 1:29 am


lambda
Major General
Posts: 3452
Joined: Tue May 27, 2003 7:04 pm
Location: Lahore
Contact:

Postby lambda » Mon Feb 19, 2007 3:09 am

it is so hard to define iptable rules that you are better off just turning off your computer, and switching to a more honest profession, like a janitor.

iptables gave me grey hair. my recommendation for you is to stay away from it. be cautious of anyone who tries to tell you .

thecooldude
Lance Naik
Posts: 43
Joined: Sun Nov 26, 2006 6:04 pm
Location: Dubai, UAE.
Contact:

Major General

Postby thecooldude » Mon Feb 19, 2007 5:48 pm

1
Last edited by thecooldude on Thu Jul 11, 2013 11:47 pm, edited 1 time in total.

kbukhari
Major General
Posts: 1222
Joined: Sat Dec 31, 2005 12:29 am
Location: Lahore
Contact:

Re: Major General

Postby kbukhari » Mon Feb 19, 2007 6:17 pm

--
Syed Kashif Ali Bukhari
+92-345-8444420
http://sysadminsline.com
http://kashifbukhari.com

thecooldude
Lance Naik
Posts: 43
Joined: Sun Nov 26, 2006 6:04 pm
Location: Dubai, UAE.
Contact:

kbukhari

Postby thecooldude » Thu Feb 22, 2007 5:32 pm

Dear Syed,

It's nice... What do you think about this one?

Even I'm making a NEW script! Not a bit professional ;)

Mine and your script are a bit complicated too. So you/me or GURUs can understand it, not the user.



#!/bin/bash
# Defined at top level so both "start" and "stop" can use it
IPT="/sbin/iptables"
function rules()
{
INET="eth0"
LAN="br0"
INTERNALNET="192.168.1.0/24"
INTERNALBCAST="192.168.1.255"
# Rate limit for the (commented-out) LOG rule further down
LOGOPT="--limit 5/minute --limit-burst 5"
# Reset the firewall: flush the filter table once, then nat and mangle
$IPT -F
$IPT -X
for table in nat mangle
do
$IPT -t $table -F
$IPT -t $table -X
done
# Default DROP policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD ACCEPT
### allow localhost
# drop packets coming from outside claiming to be from localhost
# (anti-spoofing matches the source address, hence -s)
$IPT -A INPUT -i $INET -s 127.0.0.0/8 -j DROP
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
### allow my LAN
# drop packets coming from outside claiming to be from the LAN
$IPT -A INPUT -i $INET -s $INTERNALNET -j DROP
$IPT -A INPUT -i $LAN -j ACCEPT
$IPT -A OUTPUT -o $LAN -j ACCEPT
### Ping flood protection
$IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
# Deny icmp to broadcast address
$IPT -A INPUT -p icmp -d $INTERNALBCAST -j DROP
####################################################
## SET PORTS TO BE OPEN TO THE INTERNET HERE ##
# Note: these ACCEPTs are evaluated before SYN_PROT below, so the SYN
# rate limit never applies to port 80; move them after it if you want that
$IPT -A INPUT -i $INET -p tcp --dport 80 -j ACCEPT
$IPT -A OUTPUT -o $INET -p tcp --dport 80 -j ACCEPT
#####################################################
$IPT -A INPUT -i $INET -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o $INET -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
### Drop invalid packets
#$IPT -A INPUT -i $INET -m state --state INVALID -m limit $LOGOPT -j LOG --log-prefix "INVALID DROP:"
$IPT -A INPUT -i $INET -m state --state INVALID -j DROP
$IPT -A FORWARD -m state --state INVALID -j DROP
### SYN flood protection for the INPUT chain ###
SYNOPT="--limit 10/second --limit-burst 10"
# tcp: new connections from the Internet pass through SYN_PROT, which
# returns them to INPUT while under the limit and drops the rest
$IPT -N SYN_PROT
$IPT -A INPUT -i $INET -p tcp --syn -j SYN_PROT
$IPT -A SYN_PROT -p tcp --syn -m limit $SYNOPT -j RETURN
$IPT -A SYN_PROT -j DROP
# Drop packets that are likely to be stealth scans (impossible flag combinations)
$IPT -A INPUT -i $INET -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -i $INET -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -i $INET -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -i $INET -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
$IPT -A INPUT -i $INET -p tcp --tcp-flags ACK,FIN FIN -j DROP
$IPT -A INPUT -i $INET -p tcp --tcp-flags ACK,PSH PSH -j DROP
$IPT -A INPUT -i $INET -p tcp --tcp-flags ACK,URG URG -j DROP
### Share the internet
$IPT -t nat -A POSTROUTING -o $INET -j MASQUERADE
}
# Renamed from pre-setup: a hyphen in a function name only works in bash
function pre_setup()
{
if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
echo -n " * Setting up IP spoofing protection..."
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f
done
echo " * done."
else
echo " *** Problems setting up IP spoofing protection! *** "
fi
# Activate the forwarding!
if [ -e /proc/sys/net/ipv4/ip_forward ]; then
echo -n " * Turning on forwarding..."
echo 1 >/proc/sys/net/ipv4/ip_forward
echo " * done."
else
echo " *** Forwarding not turned on! *** "
fi
# Enable bad error message protection
if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ] ; then
echo -n " * Turning on bad error message protection..."
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo " * done."
else
echo " *** Problem turning on bad error message protection! *** "
fi
# Don't respond to broadcast pings.
if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
echo -n " * Stopping broadcast pings..."
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo " * done."
else
echo " *** Problem stopping broadcast pings! *** "
fi
}
case "$1" in
start)
pre_setup
rules
;;
stop)
# Flush everything and fall back to open policies (the usage line
# promised a stop action, which was missing)
echo -n " * Flushing firewall rules..."
$IPT -F
$IPT -X
for table in nat mangle
do
$IPT -t $table -F
$IPT -t $table -X
done
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
echo " * done."
;;
*)
echo "usage: $0 { start | stop } "
;;
esac
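As an added example (not part of this thread, and not either poster's script), here is the same idea reduced to the order in which iptables actually evaluates rules: clean slate, default-deny, loopback, anti-spoofing, stateful return traffic, LAN, SYN rate limit, and only then the individually exposed ports, followed by NAT. Interface names (eth0, br0), the 192.168.1.0/24 network and the port list are assumptions. It prints the iptables commands instead of running them unless IPT is set to the real binary, so the rule order can be read and checked without root.

```shell
#!/bin/sh
# Added example, not the thread's own script. Dry run by default:
# IPT=/sbin/iptables sh firewall.sh start   applies the rules for real.
IPT="${IPT:-echo iptables}"        # assumption: "echo iptables" just prints
WAN="${WAN:-eth0}"                 # assumption: Internet-facing interface
LAN="${LAN:-br0}"                  # assumption: trusted LAN bridge
LANNET="${LANNET:-192.168.1.0/24}" # assumption: LAN network

# build_rules PORT... : emits the ruleset, exposing the given TCP ports.
build_rules() {
  # 1. Clean slate in every table, then default-deny on INPUT and FORWARD.
  $IPT -F
  $IPT -X
  for t in nat mangle; do
    $IPT -t $t -F
    $IPT -t $t -X
  done
  $IPT -P INPUT DROP
  $IPT -P FORWARD DROP
  $IPT -P OUTPUT ACCEPT

  # 2. Loopback is always allowed.
  $IPT -A INPUT -i lo -j ACCEPT

  # 3. Anti-spoofing: packets arriving from the Internet must not carry
  #    a loopback or LAN *source* address.
  $IPT -A INPUT -i $WAN -s 127.0.0.0/8 -j DROP
  $IPT -A INPUT -i $WAN -s $LANNET -j DROP

  # 4. Stateful core: replies to connections we started, drop INVALID.
  $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A INPUT -m state --state INVALID -j DROP

  # 5. Trust the LAN side completely.
  $IPT -A INPUT -i $LAN -j ACCEPT

  # 6. Rate-limit new SYNs from the Internet. This must come BEFORE the
  #    per-port ACCEPTs, otherwise those ports bypass the limit.
  $IPT -N SYN_LIMIT
  $IPT -A SYN_LIMIT -m limit --limit 10/second --limit-burst 20 -j RETURN
  $IPT -A SYN_LIMIT -j DROP
  $IPT -A INPUT -i $WAN -p tcp --syn -j SYN_LIMIT

  # 7. Services exposed to the Internet, one ACCEPT per port argument.
  for port in "$@"; do
    $IPT -A INPUT -i $WAN -p tcp --dport $port -m state --state NEW -j ACCEPT
  done

  # 8. Internet sharing: LAN may initiate outbound, only replies come back.
  $IPT -A FORWARD -i $LAN -o $WAN -j ACCEPT
  $IPT -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -t nat -A POSTROUTING -o $WAN -s $LANNET -j MASQUERADE
}

case "${1:-}" in
  start) build_rules 80 ;;   # expose only HTTP; add ports as arguments
esac
```

Run it with no arguments to see nothing, with `start` to print (or apply) the ruleset. Because each rule is appended in the order written, the listing doubles as documentation of what is evaluated before what, which is the part of iptables people find hard.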

abdul_mateen
Battalion Havaldaar Major
Posts: 267
Joined: Tue Nov 18, 2003 10:28 am
Location: Rampuria Mansion
Contact:

Postby abdul_mateen » Fri Jun 15, 2007 12:08 am

Abdul Mateen,
Google Android Developer & Linux Administrator
Addictive Mobility,CA
www.addictivemobility.com.

LinuxFreaK
Site Admin
Posts: 5132
Joined: Fri May 02, 2003 10:24 am
Location: Karachi
Contact:

Re:

Postby LinuxFreaK » Sat Jun 16, 2007 7:10 am

Dear thecooldude,
Salam,

It is not hard. All you need is to understand how rules can be defined.

FYI, http://www.netfilter.org/documentation/index.html

Best Regards.
Farrukh Ahmed

