[Lula] rc.firewall

Allen Morales allen at locos.com
Tue, 12 Mar 2002 18:20:57 -0800


This is a multi-part message in MIME format.

------=_NextPart_000_001E_01C1C9F2.A7B37870
Content-Type: text/plain;
	charset="iso-8859-1"
Content-Transfer-Encoding: 7bit

Can someone tell me what's the big error in this iptables script, it's
suppost to let port 22 and 80 go through it as well as ports 5631 and 5632,
the problem is that if the last line is commented nothing goes in or out
from the firewall.

I tried to set up this thing as simple as possible because it's just for
home use, but something is ready 8-|

Thanks in advanced.


Allen




------=_NextPart_000_001E_01C1C9F2.A7B37870
Content-Type: application/octet-stream;
	name="rc.firewall"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
	filename="rc.firewall"

#!/bin/sh
#
# - Resets iptables to default values.
#

IPTABLES=3D"/sbin/iptables"=20

#
# reset the default policies in the filter table.
#
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT=20
#
# reset the default policies in the nat table.
#
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT=20
#
# reset the default policies in the mangle table.
#
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT=20
#
# flush all the rules in the filter and nat tables.
#
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
#
# erase all chains that's not default in filter and nat table.
#
$IPTABLES -X
$IPTABLES -t nat -X
$IPTABLES -t mangle -X

#IP MASQ AND FORWARDING

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
$IPTABLES --table nat --append POSTROUTING --out-interface eth0 -j =
MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

$IPTABLES --append FORWARD --in-interface eth1 -j ACCEPT

# loopback rules

$IPTABLES -A INPUT -i lo -p all -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

#OPEN PORTS ON ETH0 (EXTERIOR)=20

$IPTABLES -A INPUT -i eth0 -s 0/0 -d 0/0 -p tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -s 0/0 -d 0/0 -p udp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -s 0/0 -d 0/0 -p tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -s 0/0 -d 0/0 -p udp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p tcp --syn -s 192.168.1.0/24

#LAN RULES

$IPTABLES -A INPUT -i eth1 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#BLOCKED PORTS

$IPTABLES -A INPUT -p tcp -s 0/0 -d 0/0 --dport 6000:6009 -j DROP
$IPTABLES -A INPUT -p tcp -s 0/0 -d 0/0 --dport 515 -j DROP
$IPTABLES -A INPUT -p udp -s 0/0 -d 0/0 --dport 515 -j DROP=20
$IPTABLES -A INPUT -p all -s localhost  -i eth1 -j ACCEPT
$IPTABLES -A INPUT -p tcp -s 0/0 -d 0/0 --dport 10000 -j DROP
$IPTABLES -A INPUT -p udp -s 0/0 -d 0/0 --dport 10000 -j DROP
$IPTABLES -A INPUT -p TCP -i eth0 -d 0/0 --dport 137:139 -j DROP

# NAT Rules

#WEB SERVER IN LAN
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT =
--to-destination 192.168.1.1:80

# PC anywhere Rules
# WIN HOST INSIDE THE LAN.

$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 5631 -j DNAT =
--to-destination 192.168.1.100:5631
$IPTABLES -t nat -A PREROUTING -p udp -i eth0 --dport 5631 -j DNAT =
--to-destination 192.168.1.100:5631

$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 5632 -j DNAT =
--to-destination 192.168.1.100:5632
$IPTABLES -t nat -A PREROUTING -p udp -i eth0 --dport 5632 -j DNAT =
--to-destination 192.168.1.100:5632


#$IPTABLES -A INPUT -j DROP

------=_NextPart_000_001E_01C1C9F2.A7B37870--