Is it hard to define iptables rules?
Ok, I'm working on a script for iptables for newbie users. So would you guys like to have a try?
Thanks
..
Regards,
Khurram Nawaz
+92-300-4141791
+92-42-5432259
cancerian_pisces@hotmail.com
HARD TO DEFINE IPTABLE RULES?
Lance Naik | Posts: 43 | Joined: Sun Nov 26, 2006 6:04 pm | Location: Dubai, UAE.
it is so hard to define iptable rules that you are better off just turning off your computer, and switching to a more honest profession, like a janitor.
iptables gave me grey hair. my recommendation for you is to stay away from it. be cautious of anyone who tries to tell you otherwise.
Lance Naik | Posts: 43 | Joined: Sun Nov 26, 2006 6:04 pm | Location: Dubai, UAE.
Re: Major General
What about this?
thecooldude wrote (Posted: Sun Feb 18, 2007 5:09 pm):
it is so hard to define iptable rules that you are better off just turning off your computer, and switching to a more honest profession, like a janitor.
iptables gave me grey hair. my recommendation for you is to stay away from it. be cautious of anyone who tries to tell you otherwise.
Hello
Janab, I'm making a script for newbie users who don't know how to play with iptables or blah blah!
I'm not asking for help, but yeah! That's for the comments.
Thanks
..
Regards,
Khurram Nawaz
+92-300-4141791
+92-42-5432259
cancerian_pisces@hotmail.com
Code:
#!/bin/sh
# This firewall is written by Kashif Ali Bukhari. Please contact him if you have
# any query: Cell 0300-4295604, kbukhari@gmail.com
# Flushing the firewall.
iptables -F
iptables -F -t mangle
iptables -X
iptables -F -t nat
# Redirect web traffic to the squid cache.
iptables -t nat -A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
# Accepting RELATED & ESTABLISHED connections.
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# Traffic to 204.15.5.1 on these ports leaves the nat PREROUTING chain untouched.
iptables -t nat -A PREROUTING -d 204.15.5.1 -p tcp --dport 130:145 -j RETURN
iptables -t nat -A PREROUTING -d 204.15.5.1 -p udp --dport 130:145 -j RETURN
iptables -t nat -A PREROUTING -d 204.15.5.1 -p tcp --dport 445 -j RETURN
iptables -t nat -A PREROUTING -d 204.15.5.1 -p udp --dport 445 -j RETURN
# Getting high priority (Minimize-Delay TOS) for DNS, HTTPS and messenger traffic.
iptables -t mangle -A FORWARD -p udp -d 0/0 --dport 53 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A FORWARD -p tcp -d 0/0 --dport 443 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A FORWARD -p tcp -d 0/0 --dport 1863 -j TOS --set-tos Minimize-Delay
iptables -t mangle -A FORWARD -p tcp -d 0/0 --dport 5050 -j TOS --set-tos Minimize-Delay
# Allowing the safe ports listed in /etc/ipt/port-allow.conf (whitespace-separated).
pa=$(cat /etc/ipt/port-allow.conf)
for pas in $pa
do
    iptables -t nat -A POSTROUTING -s 204.15.5.0/255.255.255.0 -p tcp --dport $pas -j SNAT --to-source 192.168.0.2
    iptables -t nat -A POSTROUTING -s 204.15.5.0/255.255.255.0 -p udp --dport $pas -j SNAT --to-source 192.168.0.2
    echo "Port Allowed" $pas
done
echo "Allowing Ports done.........................."
echo ""
echo ""
# Own chains: rate-limit SYN floods and RST-based port scans arriving on eth1.
iptables -N port-scan
iptables -N syn-flood
iptables -A INPUT -i eth1 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j syn-flood
# A new connection must start with a bare SYN; drop anything else in state NEW.
iptables -A INPUT -i eth1 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
iptables -A INPUT -i eth1 -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -j port-scan
iptables -A port-scan -m limit --limit 1/sec --limit-burst 4 -j RETURN
iptables -A port-scan -j DROP
iptables -A syn-flood -m limit --limit 1/sec --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
# Blocked destination hosts.
iptables -t nat -A PREROUTING -d 69.56.166.50 -j DROP
iptables -t nat -A PREROUTING -d 200.183.0.43 -j DROP
iptables -t nat -A PREROUTING -d 200.183.0.44 -j DROP
# Anything else to 204.15.5.1 passes; ICMP is dropped in nat PREROUTING.
iptables -t nat -A PREROUTING -p all -d 204.15.5.1 -j RETURN
iptables -t nat -A PREROUTING -p icmp -j DROP
# Blocking the ports listed in /etc/ipt/port-deny.conf.
pd=$(cat /etc/ipt/port-deny.conf)
for pds in $pd
do
    iptables -t nat -A PREROUTING -p tcp -m tcp --dport $pds -j DROP
    iptables -t nat -A PREROUTING -p udp -m udp --dport $pds -j DROP
    echo "Port Blocked" $pds
done
echo "Blocking ports done........................."
echo ""
echo ""
# Adding users (source IPs listed in /etc/ipt/user-vc.conf) to voice chat via SNAT.
vc=$(cat /etc/ipt/user-vc.conf)
for vcs in $vc
do
    iptables -t nat -A POSTROUTING -s $vcs -j SNAT --to-source 192.168.0.2
    echo "IP address" $vcs "is allowed in voice chat"
done
echo "Users Allowing is Done........................."
echo ""
echo ""
exit 0
Lance Naik | Posts: 43 | Joined: Sun Nov 26, 2006 6:04 pm | Location: Dubai, UAE.
kbukhari
Dear Syed,
It's nice... what do you think about this one?
I'm making a NEW script too! Not a bit professional.
Your script and mine are both a bit complicated. So you, me or the gurus can understand it, but not the user.
Code:
#!/bin/bash
IPT="/sbin/iptables"
INET="eth0"
LAN="br0"
INTERNALNET="192.168.1.0/24"
INTERNALBCAST="192.168.1.255"

rules()
{
    # Reset the firewall: flush all chains and delete user chains in every table
    $IPT -F
    $IPT -X
    for table in nat mangle
    do
        $IPT -t $table -F
        $IPT -t $table -X
    done
    # Default policies: DROP for INPUT and OUTPUT. FORWARD stays ACCEPT so routed
    # LAN traffic is shared out; only INVALID forwarded packets are dropped below.
    $IPT -P INPUT DROP
    $IPT -P OUTPUT DROP
    $IPT -P FORWARD ACCEPT
    ### allow localhost
    # drop packets coming from outside claiming to be from localhost
    $IPT -A INPUT -i $INET -s 127.0.0.0/8 -j DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    ### allow my LAN
    # drop packets coming from outside claiming to be from the LAN
    $IPT -A INPUT -i $INET -s $INTERNALNET -j DROP
    $IPT -A INPUT -i $LAN -j ACCEPT
    $IPT -A OUTPUT -o $LAN -j ACCEPT
    ### Ping flood protection (LAN pings were already accepted above)
    $IPT -A INPUT -p icmp --icmp-type echo-request -j DROP
    # Deny icmp to broadcast address
    $IPT -A INPUT -p icmp -d $INTERNALBCAST -j DROP
    ####################################################
    ## SET PORTS TO BE OPEN TO THE INTERNET HERE ##
    $IPT -A INPUT -i $INET -p tcp --dport 80 -j ACCEPT
    $IPT -A OUTPUT -o $INET -p tcp --dport 80 -j ACCEPT
    #####################################################
    $IPT -A INPUT -i $INET -m state --state RELATED,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o $INET -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    ### Drop invalid packets
    #$IPT -A INPUT -i $INET -m state --state INVALID -m limit $LOGOPT -j LOG --log-prefix "INVALID DROP:"
    $IPT -A INPUT -i $INET -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP
    ### SYN flood protection for the INPUT chain ###
    SYNOPT="--limit 10/second --limit-burst 10"
    # tcp: new connections from the internet go through the rate-limited SYN_PROT chain
    $IPT -N SYN_PROT
    $IPT -A INPUT -i $INET -p tcp --syn -j SYN_PROT
    $IPT -A SYN_PROT -p tcp --syn -m limit $SYNOPT -j RETURN
    $IPT -A SYN_PROT -j DROP
    # Drop packets that are likely to be stealth scans (impossible or odd flag combinations)
    $IPT -A INPUT -i $INET -p tcp --tcp-flags ALL NONE -j DROP
    $IPT -A INPUT -i $INET -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
    $IPT -A INPUT -i $INET -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
    $IPT -A INPUT -i $INET -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
    $IPT -A INPUT -i $INET -p tcp --tcp-flags ACK,FIN FIN -j DROP
    $IPT -A INPUT -i $INET -p tcp --tcp-flags ACK,PSH PSH -j DROP
    $IPT -A INPUT -i $INET -p tcp --tcp-flags ACK,URG URG -j DROP
    ### Share the internet
    $IPT -t nat -A POSTROUTING -o $INET -j MASQUERADE
}

pre_setup()
{
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        echo -n " * Setting up IP spoofing protection..."
        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
            echo 1 > $f
        done
        echo " * done."
    else
        echo " *** Problems setting up IP spoofing protection! *** "
    fi
    # Activate the forwarding!
    if [ -e /proc/sys/net/ipv4/ip_forward ]; then
        echo -n " * Turning on forwarding..."
        echo 1 > /proc/sys/net/ipv4/ip_forward
        echo " * done."
    else
        echo " *** Forwarding not turned on! *** "
    fi
    # Enable bad error message protection
    if [ -e /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses ]; then
        echo -n " * Turning on bad error message protection..."
        echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
        echo " * done."
    else
        echo " *** Problem turning on bad error message protection! *** "
    fi
    # Don't respond to broadcast pings.
    if [ -e /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts ]; then
        echo -n " * Stopping broadcast pings..."
        echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
        echo " * done."
    else
        echo " *** Problem stopping broadcast pings! *** "
    fi
}

case "$1" in
    start)
        pre_setup
        rules
        ;;
    stop)
        # Flush everything and fall back to open ACCEPT policies
        $IPT -F
        $IPT -X
        for table in nat mangle; do $IPT -t $table -F; $IPT -t $table -X; done
        $IPT -P INPUT ACCEPT
        $IPT -P OUTPUT ACCEPT
        $IPT -P FORWARD ACCEPT
        ;;
    *)
        echo "usage: $0 { start | stop }"
        ;;
esac
Battalion Havaldaar Major | Posts: 267 | Joined: Tue Nov 18, 2003 10:28 am | Location: Rampuria Mansion
Hi, I suggest you implement it, like iptables, with Python. Python will be the best for this. It is good for writing standalone scripts and system administration task scripts.
Abdul Mateen,
Google Android Developer & Linux Administrator
Addictive Mobility,CA
www.addictivemobility.com.
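Following up on the Python suggestion, here is an added example (not code from the thread) that rebuilds the port-deny.conf loop from the scripts above as a small Python rule builder; it assumes iptables lives at /sbin/iptables. Unlike the shell loops, which pass every word of the config file straight to iptables, it validates each entry as a port number and builds argv lists, so no shell ever word-splits the file contents.

```python
#!/usr/bin/env python3
"""Port-list rule builder in the spirit of the port-deny.conf loop in the scripts
above (added example, not code from the thread). Every config entry is validated
before it becomes an iptables argument, so a stray token in the file cannot turn
into extra iptables options the way it can when a shell loop word-splits it."""
import subprocess
from typing import List

IPTABLES = "/sbin/iptables"  # assumed path (the scripts above use /sbin/iptables)

def valid_port(token: str) -> bool:
    """True only for a plain decimal port number in 1..65535."""
    return token.isdigit() and 1 <= int(token) <= 65535

def parse_ports(text: str) -> List[int]:
    """Parse the format the scripts read: whitespace-separated ports, newlines
    allowed, '#' starts a comment. Anything else raises ValueError."""
    ports = []
    for raw in text.splitlines():
        for token in raw.split("#", 1)[0].split():
            if not valid_port(token):
                raise ValueError(f"invalid port entry: {token!r}")
            ports.append(int(token))
    return ports

def deny_rules(ports: List[int]) -> List[List[str]]:
    """nat/PREROUTING DROP rules for blocked ports, one per port and protocol,
    built as argv lists so no shell ever sees the config values."""
    rules = []
    for port in ports:
        for proto in ("tcp", "udp"):
            rules.append([IPTABLES, "-t", "nat", "-A", "PREROUTING",
                          "-p", proto, "--dport", str(port), "-j", "DROP"])
    return rules

def apply_rules(rules: List[List[str]], dry_run: bool = True) -> int:
    """Print (dry run) or execute each rule; returns how many were handled."""
    for argv in rules:
        if dry_run:
            print(" ".join(argv))
        else:
            subprocess.run(argv, check=True)
    return len(rules)

# Constructed sample in the same format as /etc/ipt/port-deny.conf
SAMPLE_DENY = "135 139   # netbios\n445\n"

if __name__ == "__main__":
    apply_rules(deny_rules(parse_ports(SAMPLE_DENY)))
```

Run it as root with dry_run=False once the printed rules look right; the same parse/build split works for the port-allow.conf SNAT loop by swapping the argv template.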
Site Admin | Posts: 5132 | Joined: Fri May 02, 2003 10:24 am | Location: Karachi
Re:
Dear thecooldude,
Salam,
It is not hard. All you need is to understand how rules can be defined.
FYI, http://www.netfilter.org/documentation/index.html
Best Regards.
Farrukh Ahmed