[Samba] My iptables (RH 7.2) firewall included

linux power linuxpower at operamail.com
Thu May 15 22:44:12 GMT 2003 

    It's a shell script

#!/bin/bash
IPTABLES="/sbin/iptables"
# Load required modules  
/sbin/insmod ip_tables
/sbin/insmod ip_conntrack
/sbin/insmod iptable_nat
/sbin/insmod ipt_MASQUERADE

# Then flush all rules
/sbin/iptables -F 
/sbin/iptables -t nat -F

/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD ACCEPT

# In the NAT table (-t nat), Append a rule (-A) after routing
# (POSTROUTING) for all packets going out ppp0 (-o ppp0) which says to
# MASQUERADE the connection (-j MASQUERADE).

/sbin/iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Below means 'route 192.168.1.x'



/sbin/iptables -A FORWARD -d 192.168.0.0/24 -j ACCEPT
/sbin/iptables -A FORWARD -s ! 192.168.0.0/24 -j DROP

# Disallow NEW and INVALID incoming or forwarded packets from ppp0.
/sbin/iptables -A INPUT -i eth1 -m state --state NEW,INVALID -j DROP
/sbin/iptables -A FORWARD -i eth1 -m state --state NEW,INVALID -j DROP

# port 113 is evil ;)
/sbin/iptables -A INPUT --protocol udp --source-port 113 -j DROP
/sbin/iptables -A INPUT --protocol udp --destination-port 113 -j DROP


/sbin/iptables -A INPUT -i eth0  -p tcp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT
/sbin/iptables -A INPUT -i eth0  -p udp -s 192.168.0.0/24 --dport 137:139 -j ACCEPT


/sbin/iptables -A INPUT --protocol tcp --source-port 22 -j ACCEPT
#/sbin/iptables -A INPUT --protocol udp --destination-port 22 -j ACCEPT
/sbin/iptables -A INPUT --protocol tcp --source-port 111 -j DROP
/sbin/iptables -A INPUT --protocol tcp --source-port 139 -j DROP
/sbin/iptables -A INPUT --protocol udp --source-port 138 -j DROP
/sbin/iptables -A INPUT --protocol udp --source-port 137 -j DROP
/sbin/iptables -A FORWARD -i eth1 -p tcp --dport 137:139 -j DROP
#/sbin/iptables -A FORWARD -i eth1 -p udp --dport 137:139 -j DROP
#/sbin/iptables -A OUTPUT   -p tcp --dport 137:139 -j DROP
#/sbin/iptables -A OUTPUT   -p udp --dport 137:139 -j DROP





#$IPTABLES -A INPUT -i lo -j ACCEPT

# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward


# Route incoming ppp0 at port 80, to 192.168.1.18:80
#/sbin/iptables -A PREROUTING -t nat -p tcp -i eth1 --dport 80 -j DNAT --to 192.168.0.18:80

# Route incoming ppp0 at port 21, to 192.168.1.18:21
#/sbin/iptables -A PREROUTING -t nat -p tcp -i eth1 --dport 21 -j DNAT --to 192.168.0.18:21




#Now, our firewall chain
#We use the limit commands to cap the rate at which it alerts to 15
#log messages per minute
$IPTABLES -N firewall
$IPTABLES -A firewall -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level notice  --log-prefix "Netfilter in: "
$IPTABLES -A firewall -j DROP

#Now, our dropwall chain, for the final catchall filter
$IPTABLES -N dropwall
$IPTABLES -A dropwall -m  limit --limit 3/minute --limit-burst 3 -j LOG --log-level notice  --log-prefix "Netfilter in: "
$IPTABLES -A dropwall -j DROP

#Our "hey, them's some bad tcp flags!" chain
$IPTABLES -N badflags
$IPTABLES -A badflags -m  limit --limit 3/minute --limit-burst 3 -j LOG --log-level notice  --log-prefix "Netfilter in: "
$IPTABLES -A badflags -j DROP
#And our silent logging chain

$IPTABLES -N silent
$IPTABLES -A silent -j DROP

#Drop those nasty packets!
#These are all TCP flag combinations that should never, ever occur in the
#wild. All of these are illegal combinations that are used to attack a box
#in various ways, so we just drop them and log them here.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

#Drop icmp, but only after letting certain types through
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewall


$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -j dropwall

#$IPTABLES -A INPUT -s 192.168.0.2 -d 0/0 -p all -j ACCEPT
#$IPTABLES -A INPUT -s 192.168.0.3 -d 0/0 -p all -j ACCEPT


/etc/rc.d/init.d/iptables start

/sbin/iptables-save > /etc/sysconfig/iptables



----- Original Message -----
From: "linux power" <linuxpower at operamail.com>
Date: Thu, 15 May 2003 23:24:35 +0100
To: samba at lists.samba.org
Subject: [Samba] My iptables (RH 7.2) firewall attached

>         
>     Soory the attachment in my reply didn't show, but here it is.
>     
> -- 
> ____________________________________________
> http://www.operamail.com
> Get OperaMail Premium today - USD 29.99/year
> 
> 
> Powered by Outblaze

>
> -- 
> To unsubscribe from this list go to the following URL and read the
instructions:  http://lists.samba.org/mailman/listinfo/samba
    
-- 
____________________________________________
http://www.operamail.com
Get OperaMail Premium today - USD 29.99/year


Powered by Outblaze

More information about the samba mailing list