Login or Register to Ask a Question and Join Our Community


Linux

iptables issue

Login to Discuss or Reply to this Discussion in Our Community

 
Thread Tools Search this Thread
Operating Systems Linux iptables issue
# 1  
Old 10-29-2013
iptables issue
Hi all,
I'm trying to set up a virtual machine to act as a Windows host firewall.
The basic idea is that the guest OS is configured on a sub with a router and the host is configured on another sub with the guest.
I found this ancient iptables script and I did some minor mods to fit my network setup, bot for some reason it won't work. It looks like that only the default DROP policy works and nothing else. I'm pretty sure I've used this scipt some years ago and it worked flawless.
Any ideas?

Iptables 1.4.14 on Slack 14.

Code:
#!/bin/sh
#
# rc.firewall - UTIN Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001 Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
#

INET_IP="10.0.0.100"
INET_IFACE="eth0"

#
# 1.1.1 DHCP
#

#
# 1.1.2 PPPoE
#

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP adress. the same as netmask 255.255.255.0
#

LAN_IP="10.0.1.1"
LAN_IP_RANGE="10.0.1.0/16"
LAN_BCAST_ADRESS="10.0.1.255"
LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ipt_MASQUERADE
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
#

$IPTABLES -N allowed
$IPTABLES -N icmp_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udpincoming_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
#

$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
#

$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 53 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
#

#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

#
# ICMP rules
#

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
#

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT

#
# Rules for incoming packets from anywhere.
#

$IPTABLES -A INPUT -p ALL -d $INET_IP -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -j tcp_packets
$IPTABLES -A INPUT -p UDP -j udpincoming_packets
$IPTABLES -A INPUT -p ICMP -j icmp_packets

#
# Log weird packets that don't match the above.
#

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
#

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
#

$IPTABLES -A FORWARD -p tcp --dport 21 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 110 -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
#

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $INET_IP -j ACCEPT

#
# Log weird packets that don't match the above.
#

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#

#
# Enable simple IP Forwarding and Network Address Translation
#

$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j SNAT --to-source $INET_IP

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#

Last edited by Scrutinizer; 10-29-2013 at 03:11 AM.. Reason: code tags
Login or Register to Ask a Question

Previous Thread | Next Thread

9 More Discussions You Might Find Interesting

1. Shell Programming and Scripting

Issue with wc -c and wc -m

Hi All, I have a small queries to get the character count i tried with wc -c and wc -m but its not returend current result For eg: wc -c wc -m echo "Name" | wc -c result: 5 but actually it should returned 4 Help me on this to ge the correct one. Thanks! ----------... (4 Replies)
Discussion started by: siva.pitchai
4 Replies

2. Shell Programming and Scripting

What could be the issue ?

Hi, when i am trying below script assume that below values are taken in code #!/bin/ksh if then echo usage: aNlist.sh QMGR NAME MQREQ fi NL=`echo 'dis qmgr'|runmqsc $1|grep REPOSNL|sed 's/.*REPOSNL\(.*\).*/\1/' |cut -d'(' -f2|cut -d')' -f1` echo 'define nl('$NL_$2')... (25 Replies)
Discussion started by: darling
25 Replies

3. Ubuntu

iptables issue

Hi all , I Have Servers in remote location and now im setting up Some of the iptables fot that this is my finall steps in my servers and i need to open only 5 ports they are 80,443,9123,1985,22 And 22 Must want to be enabled for accesing it from my location , So here is the ip tables i have... (3 Replies)
Discussion started by: babinlonston
3 Replies

4. Shell Programming and Scripting

Variable value substitution issue with awk command issue

Hi All, I am using the below script which has awk command, but it is not returing the expected result. can some pls help me to correct the command. The below script sample.ksh should give the result if the value of last 4 digits in the variable NM matches with the variable value DAT. The... (7 Replies)
Discussion started by: G.K.K
7 Replies

5. Shell Programming and Scripting

Need assistance with a file issue and a terminal issue

Hello everyone, I'm in need of some assistance. I'm currently enrolled in an introductory UNIX shell programming course and, well halfway through the semester, we are receiving our first actual assignment. I've somewhat realized now that I've fallen behind, and I'm working to get caught up, but for... (1 Reply)
Discussion started by: MrMagoo22
1 Replies

6. Shell Programming and Scripting

CP Issue

I want to copy large amount of files aproximately more than 20,000 files from one file system to another file system, but it gives me error like: #cd /opt/appserver/images #cp * /opt/appserver02/public/images Argument list is too long Also above mention error appear again when i run: ... (1 Reply)
Discussion started by: telnor
1 Replies

7. UNIX for Dummies Questions & Answers

ISSUE and ISSUE.NET files

In LINUX(CentOS, RedHat) is there a way to have the banner statement appear before the logon instead of after the logon? In UNIX and Windows the banner appears before a person actually logs on, what I'm seeing in LINUX is that it appears after the login(ftp, telnet, SSH). Thanks (0 Replies)
Discussion started by: ejjones
0 Replies

8. Shell Programming and Scripting

Unix Arithmatic operation issue , datatype issue

Hi, I have a shell scripting. This will take 7 digit number in each line and add 7 digit number with next subsequent lines ( normal addition ). Eg: 0000001 0000220 0001235 0000022 0000023 ........... ......... ........ Like this i am having around 1500000 records. After adding... (23 Replies)
Discussion started by: thambi
23 Replies

9. UNIX for Dummies Questions & Answers

ps issue

HI All, Suddenly don't know what happened to redhat linux 7.2 any program start then itsn't listing while using ps -ef ex: ./xyz this xyz program pid not showing in ps-ef Pls let me know what is the reason for the same. Thanks a lot in advance Bache (7 Replies)
Discussion started by: bache_gowda
7 Replies
Login or Register to Ask a Question