HARD TO DEFINE IPTABLE RULES?

Discussion of programming on Linux, including shell scripting, perl, python, c/c++, mono, java. Whatever tickles your fancy.

HARD TO DEFINE IPTABLE RULES?

Post by thecooldude »

Is it hard to define iptables rules?

OK, I'm working on an iptables script for newbie users. Would you guys like to have a try?

Thanks

..

Regards,
Khurram Nawaz
+92-300-4141791
+92-42-5432259

cancerian_pisces@hotmail.com

Post by lambda »

It is so hard to define iptables rules that you are better off just turning off your computer and switching to a more honest profession, like a janitor.

iptables gave me grey hair. My recommendation for you is to stay away from it. Be cautious of anyone who tries to tell you otherwise.

Major General

Post by thecooldude »

1
Last edited by thecooldude on Thu Jul 11, 2013 11:47 pm, edited 1 time in total.

Re: Major General

Post by kbukhari »

thecooldude wrote: Posted: Sun Feb 18, 2007 5:09 pm Post subject:

--------------------------------------------------------------------------------

It is so hard to define iptables rules that you are better off just turning off your computer and switching to a more honest profession, like a janitor.

iptables gave me grey hair. My recommendation for you is to stay away from it. Be cautious of anyone who tries to tell you otherwise.

Hello

Janab, I'm making a script for newbie users who don't know how to play with iptables or blah blah!

I'm not asking for help, but yeah! That's for the comments :lol:


Thanks

..

Regards,
Khurram Nawaz
+92-300-4141791
+92-42-5432259

cancerian_pisces@hotmail.com
What about this?


#!/bin/sh
# This firewall is written by Kashif Ali Bukhari. Please contact him if you have
# any query: Cell 0300-4295604 kbukhari@gmail.com
#
# Layout implied by the rules below: eth1 is the LAN-facing interface, the LAN
# is 204.15.5.0/24 (204.15.5.1 presumably being this gateway), outbound LAN
# traffic is SNATed to 192.168.0.2, squid listens on 3128, and the port/user
# lists live in /etc/ipt/*.conf with one entry per line.

# Flush all three tables and delete user-defined chains.
iptables -F
iptables -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t nat -F
iptables -t nat -X

# Redirect LAN web traffic to the squid cache (transparent proxy).
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128

# Accept RELATED & ESTABLISHED connections in FORWARD.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

# NetBIOS/SMB range aimed at the gateway itself: stop nat processing here.
iptables -t nat -A PREROUTING -d 204.15.5.1 -p tcp --dport 130:145 -j RETURN
iptables -t nat -A PREROUTING -d 204.15.5.1 -p udp --dport 130:145 -j RETURN
iptables -t nat -A PREROUTING -d 204.15.5.1 -p tcp --dport 445 -j RETURN
iptables -t nat -A PREROUTING -d 204.15.5.1 -p udp --dport 445 -j RETURN

# Give interactive traffic (DNS, HTTPS, MSN 1863, Yahoo 5050) high priority.
iptables -t mangle -A FORWARD -p udp -d 0/0 --dport 53 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A FORWARD -p tcp -d 0/0 --dport 443 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A FORWARD -p tcp -d 0/0 --dport 1863 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A FORWARD -p tcp -d 0/0 --dport 5050 -j TOS --set-tos Minimize-Delay

# Allow the safe ports: SNAT LAN traffic to each listed port.
# (--dport belongs to the tcp/udp match, so it goes before -j; the SNAT
# target option is --to-source.)
pa=$(cat /etc/ipt/port-allow.conf)
for pas in $pa
do
    iptables -t nat -A POSTROUTING -s 204.15.5.0/255.255.255.0 -p tcp --dport "$pas" -j SNAT --to-source 192.168.0.2
    iptables -t nat -A POSTROUTING -s 204.15.5.0/255.255.255.0 -p udp --dport "$pas" -j SNAT --to-source 192.168.0.2
    echo "Port Allowed $pas"
done
echo "Allowing ports done.........................."
echo ""

# Own chains: rate-limit new SYNs and bare RSTs arriving on eth1,
# and drop NEW connections that do not start with a SYN.
iptables -N port-scan
iptables -N syn-flood
iptables -A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j syn-flood
iptables -A INPUT -i eth1 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j port-scan
iptables -A port-scan -m limit --limit 1/sec --limit-burst 4 -j RETURN
iptables -A port-scan -j DROP
iptables -A syn-flood -m limit --limit 1/sec --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP

# Blocked destinations and ICMP. Note: these sit in the nat table, which only
# sees the first packet of each connection; the filter table (FORWARD) is the
# usual place for DROP rules.
iptables -t nat -A PREROUTING -d 69.56.166.50 -j DROP
iptables -t nat -A PREROUTING -d 200.183.0.43 -j DROP
iptables -t nat -A PREROUTING -d 200.183.0.44 -j DROP
iptables -t nat -A PREROUTING -p all -d 204.15.5.1 -j RETURN
iptables -t nat -A PREROUTING -p icmp -j DROP

# Block the denied ports.
pd=$(cat /etc/ipt/port-deny.conf)
for pds in $pd
do
    iptables -t nat -A PREROUTING -p tcp -m tcp --dport "$pds" -j DROP
    iptables -t nat -A PREROUTING -p udp -m udp --dport "$pds" -j DROP
    echo "Port Blocked $pds"
done
echo "Blocking ports done........................."
echo ""

# Users allowed in voice chat: SNAT everything from each listed address.
vc=$(cat /etc/ipt/user-vc.conf)
for vcs in $vc
do
    iptables -t nat -A POSTROUTING -s "$vcs" -j SNAT --to-source 192.168.0.2
    echo "IP address $vcs is allowed in voice chat"
done
echo "Allowing users done........................."
echo ""

exit 0

--
Syed Kashif Ali Bukhari
+92-345-8444420
http://sysadminsline.com
http://kashifbukhari.com

kbukhari

Post by thecooldude »

Dear Syed,

It's nice... What do you think about this one?

I'm also making a NEW script! Not a bit professional ;)

Both my script and yours are a bit complicated. You, I or the GURUs can understand it, not the user.

#!/bin/bash
IPT="/sbin/iptables"
INET="eth0"                      # internet-facing interface
LAN="br0"                        # LAN-facing interface (bridge)
INTERNALNET="192.168.1.0/24"
INTERNALBCAST="192.168.1.255"
SYNOPT="--limit 10/second --limit-burst 10"
LOGOPT="--limit 3/minute --limit-burst 3"   # for the optional LOG rule below

function reset_tables()
{
    # Flush and delete user chains in the filter, nat and mangle tables
    $IPT -F
    $IPT -X
    for table in nat mangle
    do
        $IPT -t $table -F
        $IPT -t $table -X
    done
}

function rules()
{
    reset_tables
    # Default policies
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD ACCEPT
    ### allow localhost
    # drop packets coming from outside claiming to be from localhost
    $IPT -A INPUT -i $INET -d 127.0.0.0/8 -j DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    ### allow my LAN
    # drop packets coming from outside claiming to be from the LAN
    $IPT -A INPUT -i $INET -s $INTERNALNET -j DROP
    $IPT -A INPUT -i $LAN -j ACCEPT
    $IPT -A OUTPUT -o $LAN -j ACCEPT
    ### Ping flood protection (drops every inbound echo request; the LAN was accepted above)
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
    # Deny icmp to broadcast address
    $IPT -A INPUT -p icmp -d $INTERNALBCAST -j DROP
    ### Drop invalid packets
    #$IPT -A INPUT -i $INET -m state --state INVALID -m limit $LOGOPT -j LOG --log-prefix "INVALID DROP:"
    $IPT -A INPUT -i $INET -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP
    ### SYN flood protection for the INPUT chain ###
    # This and the stealth-scan drops must come BEFORE any port is opened:
    # a SYN that has already hit an ACCEPT never reaches rules appended later.
    $IPT -N SYN_PROT
    $IPT -A INPUT -i $INET -p tcp --syn -j SYN_PROT
    $IPT -A SYN_PROT -p tcp --syn -m limit $SYNOPT -j RETURN
    $IPT -A SYN_PROT -j DROP
    # Drop packets that are likely to be stealth scans
    $IPT -A INPUT -i $INET -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -i $INET -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPT -A INPUT -i $INET -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPT -A INPUT -i $INET -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
    $IPT -A INPUT -i $INET -p tcp --tcp-flags ACK,FIN FIN -j DROP
    $IPT -A INPUT -i $INET -p tcp --tcp-flags ACK,PSH PSH -j DROP
    $IPT -A INPUT -i $INET -p tcp --tcp-flags ACK,URG URG -j DROP
    ####################################################
    ## SET PORTS TO BE OPEN TO THE INTERNET HERE ##
    $IPT -A INPUT -i $INET -p tcp --dport 80 -j ACCEPT
    $IPT -A OUTPUT -o $INET -p tcp --dport 80 -j ACCEPT
    #####################################################
    $IPT -A INPUT -i $INET -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o $INET -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    ### Share the internet
    $IPT -t nat -A POSTROUTING -o $INET -j MASQUERADE
}

function stop_rules()
{
    # Flush everything and fall back to accept-all (the box is unfiltered after this)
    reset_tables
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
}

function pre_setup()
{
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        echo -n " * Setting up IP spoofing protection..."
        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f
        done
        echo " * done."
    else
        echo " *** Problems setting up IP spoofing protection! *** "
    fi
    # Activate forwarding
    if [ -e /proc/sys/net/ipv4/ip_forward ]; then
        echo -n " * Turning on forwarding..."
        echo 1 > /proc/sys/net/ipv4/ip_forward
        echo " * done."
    else
        echo " *** Forwarding not turned on! *** "
    fi
    # Enable bad error message protection
    if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
        echo -n " * Turning on bad error message protection..."
        echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
        echo " * done."
    else
        echo " *** Problem turning on bad error message protection! *** "
    fi
    # Don't respond to broadcast pings
    if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
        echo -n " * Stopping broadcast pings..."
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
        echo " * done."
    else
        echo " *** Problem stopping broadcast pings! *** "
    fi
}

case "$1" in
start)
    pre_setup
    rules
    ;;
stop)
    stop_rules
    ;;
*)
    echo "usage: $0 { start | stop } "
    ;;
esac
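Both scripts above read their port lists with $(cat file) and hand the words straight to iptables, so a stray "80;reboot" or "abc" in the file becomes an iptables error half way through loading, and the rate-limit chains in thecooldude's script are appended after the port-80 ACCEPT, where an accepted SYN never reaches them. The following sh front end is an added example written for this thread, not code from either poster: it validates every entry, checks the whole list before touching the live rules, puts the protections ahead of the per-port ACCEPTs, and previews the exact commands when IPT=echo. The names IPT, INET, CONF, valid_port, parse_rules, emit_allow, fw_start and fw_stop, and the "proto port" file format, are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): a config-driven iptables front end.
# Assumed names: IPT, INET, CONF, valid_port, parse_rules, emit_allow,
# fw_start, fw_stop. Config format assumed: one "tcp 80" / "udp 53" per line.

IPT="${IPT:-/sbin/iptables}"              # set IPT=echo for a dry run
INET="${INET:-eth0}"                      # internet-facing interface (assumed)
CONF="${CONF:-/etc/ipt/port-allow.conf}"  # allow-list, "#" starts a comment

# valid_port N -> true only for an integer 1..65535. $(cat file) word-splits
# the config, so "abc", "80;reboot" or "80\r" must be refused here, not on
# the iptables command line.
valid_port() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ ${#1} -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# parse_rules FILE -> prints one normalised "proto port" line per valid
# entry, reports the rest on stderr, and returns the number of bad lines
# (0 means the whole file is usable).
parse_rules() {
    bad=0
    while read -r proto port rest || [ -n "$proto" ]; do
        case "$proto" in ''|'#'*) continue ;; esac
        if { [ "$proto" = tcp ] || [ "$proto" = udp ]; } \
           && valid_port "$port" && [ -z "$rest" ]; then
            echo "$proto $port"
        else
            echo "rejected: $proto $port $rest" >&2
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# One ACCEPT for new inbound connections on PROTO/PORT from the internet side.
emit_allow() {
    "$IPT" -A INPUT -i "$INET" -p "$1" --dport "$2" -m state --state NEW -j ACCEPT
}

fw_start() {
    # Validate first: a half-applied rule set is worse than no change at all.
    rules=$(parse_rules "$CONF") || { echo "$CONF has bad lines, nothing applied" >&2; return 1; }
    "$IPT" -F; "$IPT" -X
    "$IPT" -P INPUT DROP; "$IPT" -P FORWARD DROP; "$IPT" -P OUTPUT ACCEPT
    "$IPT" -A INPUT -i lo -j ACCEPT
    "$IPT" -A INPUT -i "$INET" -s 127.0.0.0/8 -j DROP
    "$IPT" -A INPUT -m state --state INVALID -j DROP
    "$IPT" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # SYN limiter and scan drops go BEFORE the per-port ACCEPTs; appended
    # after them they would never see an accepted SYN.
    "$IPT" -N SYN_PROT
    "$IPT" -A SYN_PROT -m limit --limit 10/second --limit-burst 20 -j RETURN
    "$IPT" -A SYN_PROT -j DROP
    "$IPT" -A INPUT -i "$INET" -p tcp --syn -j SYN_PROT
    "$IPT" -A INPUT -i "$INET" -p tcp --tcp-flags ALL NONE -j DROP
    "$IPT" -A INPUT -i "$INET" -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    printf '%s\n' "$rules" | while read -r proto port; do
        if [ -n "$proto" ]; then emit_allow "$proto" "$port"; fi
    done
}

# fw_stop leaves the host OPEN (accept-all): it is the inverse of start,
# not a "safe" state.
fw_stop() {
    "$IPT" -F; "$IPT" -X
    "$IPT" -P INPUT ACCEPT; "$IPT" -P FORWARD ACCEPT; "$IPT" -P OUTPUT ACCEPT
}

case "${1:-}" in
    start) fw_start ;;
    stop)  fw_stop ;;
    *)     echo "usage: $0 { start | stop }   (IPT=echo $0 start previews the rules)" ;;
esac
```

Run `IPT=echo sh fw.sh start` as an unprivileged user to see the exact rule list that would be loaded; a bad line in the config makes it print "rejected: ..." and exit without emitting anything, which is the behaviour you want on a box whose policy is about to become DROP.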

Post by abdul_mateen »

Hi, I suggest you implement iptables with Python. Python will be the best for this. It is good for writing standalone scripts and system administration task scripts.
Abdul Mateen,
Google Android Developer & Linux Administrator
Addictive Mobility,CA
www.addictivemobility.com.

Re:

Post by LinuxFreaK »

Dear thecooldude,
Salam,

It is not hard. All you need is to understand how rules can be defined.

FYI, http://www.netfilter.org/documentation/index.html

Best Regards.
Farrukh Ahmed