Blue|Fusion Rated XXX

Posted: Mon, 14 May 2007 19:08:46 Post Subject:
Thanks for the links. I found a cool howto from a Stanford user and modified it slightly for my own use:
Code:
#!/bin/sh
# Firewall box: eth0 = LAN side, eth1 = ISP/WAN side.
# ${lannet} (the LAN subnet in CIDR notation) must be set by the caller; stop early if it is not.
: "${lannet:?set lannet to the LAN subnet in CIDR notation before running this script}"
IPT=/sbin/iptables

# chain policies
# drop everything and open stuff as necessary
# NOTE: the policies go to DROP before a single ACCEPT rule exists, so a remote session to
# this box stalls until the script has finished; run it from the console (or load the rules
# atomically with iptables-restore).
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$IPT -F
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
$IPT -Z

# create DUMP table: log a little, then answer tcp with a RST and udp with port-unreachable,
# and silently drop everything else
$IPT -N DUMP
# limited logs
$IPT -A DUMP -p icmp -m limit --limit 1/m --limit-burst 5 -j LOG --log-prefix "IPT ICMPDUMP: "
$IPT -A DUMP -p tcp -m limit --limit 1/m --limit-burst 5 -j LOG --log-prefix "IPT TCPDUMP: "
$IPT -A DUMP -p udp -m limit --limit 1/m --limit-burst 5 -j LOG --log-prefix "IPT UDPDUMP: "
$IPT -A DUMP -p tcp -j REJECT --reject-with tcp-reset
$IPT -A DUMP -p udp -j REJECT --reject-with icmp-port-unreachable
$IPT -A DUMP -j DROP

# Stateful table: replies to existing connections are always fine; new connections are fine
# unless they arrive on the WAN interface.  (In OUTPUT there is no input interface at all,
# so "! -i eth1" matches every locally generated packet.)
$IPT -N STATEFUL
$IPT -A STATEFUL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A STATEFUL -m state --state NEW ! -i eth1 -j ACCEPT
$IPT -A STATEFUL -j DUMP

# SSH protection table: a source that opens 3 new SSH connections within 300 s goes to DUMP.
# --set records every attempt before --rcheck counts, so the attempt being checked is itself
# the first hit; the first two attempts RETURN (and are accepted below), the third is reset.
$IPT -N SSH
$IPT -A SSH -i eth0 -j RETURN     # only reached from eth1 below, so this is just a safety net
$IPT -A SSH -m recent --name SSH --set --rsource
$IPT -A SSH -m recent ! --rcheck --seconds 300 --hitcount 3 --name SSH --rsource -j RETURN
$IPT -A SSH -j DUMP

# SYN protection table: cap the rate of new inbound SYNs on the WAN side.
# NOTE: the limit is global, not per source: 4 quick SYNs from anyone and later SYNs are
# dropped until the bucket refills at 1/s.
$IPT -N SYN-FLOOD
$IPT -A SYN-FLOOD -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPT -A SYN-FLOOD -j DROP
$IPT -A INPUT -i eth1 -p tcp --syn -j SYN-FLOOD
# a NEW tcp packet that is not a SYN is bogus (stray packet or stealth scan): drop it
$IPT -A INPUT -p tcp -i eth1 ! --syn -m state --state NEW -j DROP

# watch out for fragments
$IPT -A INPUT -i eth1 -f -j LOG --log-prefix "IPT FRAGMENTS: "
$IPT -A INPUT -i eth1 -f -j DROP

# allow loopback in
$IPT -A INPUT -i lo -j ACCEPT
# allow loopback and LAN out
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -s ${lannet} -j ACCEPT

# needs to be defined before reserved addresses,
# since our ISP typically uses a reserved address for a DHCP server (sigh)
# (DHCP is UDP only; uncomment if the WAN address comes from DHCP)
#$IPT -A INPUT -p udp -i eth1 --sport bootps --dport bootpc -j ACCEPT

# drop reserved addresses incoming as per IANA listing
$IPT -A INPUT -i eth1 -s 0.0.0.0/8 -j DUMP
$IPT -A INPUT -i eth1 -s 127.0.0.0/8 -j DUMP   # loopback range must never arrive on the wire
$IPT -A INPUT -i eth1 -s 240.0.0.0/4 -j DUMP   # was 240.0.0.0/8; the reserved block is the whole /4
# drop RFC-1918 reserved addresses
$IPT -A INPUT -i eth1 -s 10.0.0.0/8 -j DUMP
$IPT -A INPUT -i eth1 -s 172.16.0.0/12 -j DUMP
$IPT -A INPUT -i eth1 -s 192.168.0.0/16 -j DUMP

# allow certain inbound ICMP types
$IPT -A INPUT -i eth1 -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A INPUT -i eth1 -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPT -A INPUT -i eth1 -p icmp --icmp-type source-quench -j ACCEPT
$IPT -A INPUT -i eth1 -p icmp --icmp-type echo-request -j ACCEPT
$IPT -A INPUT -i eth1 -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A INPUT -i eth1 -p icmp --icmp-type parameter-problem -j ACCEPT

# opened ports: new SSH connections pass through the rate-limit chain first
$IPT -A INPUT -p tcp -i eth1 --dport ssh -m state --state NEW -j SSH
$IPT -A INPUT -p tcp -i eth1 --dport ssh -j ACCEPT
# accept all other public ports
#$IPT -A INPUT -p tcp -i eth1 --dport 1024: -j ACCEPT
#$IPT -A INPUT -p udp -i eth1 --dport 33434: -j ACCEPT

# masquerade from internal network
# LAN-to-LAN traffic has no business being routed through this box
$IPT -A FORWARD -i eth0 -d ${lannet} -j DROP
$IPT -A FORWARD -i eth0 -s ${lannet} -j ACCEPT
# From the WAN side only the DNAT'd web traffic may open a new connection into the LAN;
# replies to LAN-originated connections are handled by ESTABLISHED,RELATED in STATEFUL below.
# The original rule accepted everything arriving on eth1 addressed to ${lannet} with no state
# check, which would also admit traffic to any further DNAT target you add later:
#$IPT -A FORWARD -i eth1 -d ${lannet} -j ACCEPT
$IPT -A FORWARD -i eth1 -p tcp -d 10.1.1.20 --dport http -m state --state NEW -j ACCEPT
$IPT -t nat -A POSTROUTING -s ${lannet} -o eth1 -j MASQUERADE
$IPT -A INPUT -j STATEFUL
$IPT -A FORWARD -j STATEFUL
$IPT -A OUTPUT -j STATEFUL

# Forward ports to NAT (the kernel must also be routing: sysctl -w net.ipv4.ip_forward=1)
$IPT -t nat -A PREROUTING -p tcp --dport http -i eth1 -j DNAT --to-destination 10.1.1.20
Using nmap against it from one of my servers, it seems pretty solid. If you do see an issue with some of the config, let me know because I am not that experienced with iptables.
_________________
5 home-built PCs, ASUS A6Jc Laptop, and a PowerEdge 2650 - all running Gentoo. Now if only I can get a car and plane to run it. Take a look at my Gallery!

Last edited by Blue|Fusion on Tue, 15 May 2007 01:02:43; edited 1 time in total
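The SSH chain in the post hinges on how the `recent` match counts hits, which is easy to misread. The following Python model is an added example, not code from the original post or from the iptables project: it replays NEW-connection timestamps for a source address through the three SSH rules (`--set`, `! --rcheck --seconds 300 --hitcount 3 -j RETURN`, `-j DUMP`) and returns the verdict each attempt gets. It assumes xt_recent's default ring of 20 stored timestamps per source (the `ip_pkt_list_tot` module parameter) and uses constructed addresses and times.

```python
"""Behavioural model of the post's SSH chain built on the xt_recent match.

Constructed example, not part of the original post or of iptables itself.
xt_recent keeps, per source address, a ring of the last ip_pkt_list_tot packet
timestamps.  --set records the current packet; --rcheck counts the stored
stamps that are at most --seconds old and matches once --hitcount is reached.
Because the --set rule runs first, the attempt being checked is itself the
first hit that --rcheck sees.
"""
from collections import defaultdict, deque

IP_PKT_LIST_TOT = 20  # assumed: xt_recent module default for stamps kept per source


class RecentList:
    """Per-source timestamp ring, as xt_recent keeps for one --name table."""

    def __init__(self, pkt_list_tot=IP_PKT_LIST_TOT):
        self.tot = pkt_list_tot
        self.stamps = defaultdict(deque)  # src -> deque of timestamps, oldest first

    def set(self, src, now):
        """--set: record this packet's time for src; the oldest stamp is evicted when full."""
        ring = self.stamps[src]
        if len(ring) >= self.tot:
            ring.popleft()
        ring.append(now)

    def rcheck(self, src, now, seconds, hitcount):
        """--rcheck --seconds S --hitcount N: true when src has >= N stamps no older than S.

        Unlike --update, --rcheck leaves the stored entry untouched.
        """
        if src not in self.stamps:
            return False
        hits = sum(1 for t in self.stamps[src] if t + seconds >= now)
        return hits >= hitcount


def ssh_chain(table, src, now, seconds=300, hitcount=3):
    """Walk the SSH chain for one NEW packet from src and return the chain's verdict.

    'RETURN' hands the packet back to INPUT, where the post's next rule ACCEPTs it;
    'DUMP' sends it to the DUMP chain, where tcp is answered with a TCP RST.
    """
    table.set(src, now)                                # rule 1: -m recent --set
    if not table.rcheck(src, now, seconds, hitcount):  # rule 2: ! --rcheck ... -j RETURN
        return "RETURN"
    return "DUMP"                                      # rule 3: -j DUMP


def replay(attempts, **kw):
    """attempts: list of (src, time_in_seconds); returns the verdict for each, in order."""
    table = RecentList()
    return [ssh_chain(table, src, t, **kw) for src, t in attempts]


if __name__ == "__main__":
    # Constructed timeline: three quick attempts, then one after the 300 s window has passed.
    burst = [("203.0.113.7", 0), ("203.0.113.7", 10), ("203.0.113.7", 20), ("203.0.113.7", 330)]
    for (src, t), verdict in zip(burst, replay(burst)):
        print(f"t={t:4d}s {src} -> {verdict}")
```

Two things the replay makes visible: the third attempt inside the window is the one that gets the RST, not the fourth, and a source that stays quiet for 300 s is admitted again even though `--set` keeps recording it. Since `--rcheck` only ever sees the stamps in the ring, a `--hitcount` larger than `ip_pkt_list_tot` could never match; older kernels refuse to load such a rule for that reason.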