Free Hit Counter
The following is an example IPTables firewall script and its associated configuration files.
These are my translation, with additions and modifications, of Craig Zeller's
(zeller at zdi dot net)
excellent IPChains firewall scripts and configuration files
(you can find his latest and greatest versions of these on his
web site).
These files are a continuing work-in-progress. E-mail me with any suggestions or bug reports.
Notes: The script contains a port-forwarding routine (thanks to Rohan Amin and Erik Wasser), and an improved code block submitted by Chris Fincham allowing access to PPTP servers as a client.
Thanks to Jeff Carlson, we have a working DHCP client routine which should work with any commonly-used DHCP client application.
The script now blocks connections from any IP address in IANA's current list of "reserved" blocks.
It now works with private external IP addresses with auto-configuration, while still preventing spoofing.
It also allows client lists for several servers, and allows multiple external servers for POP3, POP3S, IMAP, IMAPS, SMTP and secure SMTP, TLS etc., clients. It now works with Google Mail's
TLS server.
It now allows you to run 'net-enabled game boxes (e.g. XBox) in your internal network.
Note to those using dialup services and PPPoE: The configuration file supports PPP over Ethernet - thanks to Sean Mannion for a quick addition to the main configuration file.
One further note: As is, this script is not configured to run on a machine with more than one IP address on the external
interface (aliasing). There is a way to make this work which involves placing the entire rule-generating portion of the script
inside a loop which reads in the list of aliased IP addresses from a text file. E-mail me for more information.
Some of these have been "genericized", so you'll need to customize them for your own network.
Notes for those running Debian or its derivatives (Ubuntu, etc.):
(1) Delete the following lines in firewall.iptables-generic:
#
# Source function library.
#
. /etc/rc.d/init.d/functions
(2) As root, mkdir /var/lock/subsys
(3) The command-line switches and output of the utility "ipcalc" differ significantly
between the Debian and Fedora/RedHat/Mandrake versions. If you are using DHCP to obtain the IP
address of your external interface, you will need to make a few changes:
Replace (in the DHCP section of firewall.iptables-generic):
EXTERNAL_NETWORK=$( ipcalc -n $EXTERNAL_IP $EXT_NETMASK | cut -d\= -f2 )
BROADCAST_NET=$( ipcalc -b $EXTERNAL_IP $EXT_NETMASK | cut -d\= -f2 )
with:
EXTERNAL_NETWORK=$( ipcalc -n $EXTERNAL_IP $EXT_NETMASK | grep Network | sed 's/\/[0-9].*//g' | awk '{print $2}' )
BROADCAST_NET=$( ifconfig $EXTERNAL_INTERFACE | grep 'inet[^6]' | sed 's/[a-zA-Z:]//g' | awk '{print $2}' )
Thanks to Guzmán Brasó for posting this (and saving me the trouble of figuring it out!)
For everyone:
Put firewall.conf.iptables, firewall.dns, firewall.banned, firewall.iana-reserved, and
firewall.local.iptables (remove the "-generic" from the file names)
in a directory called /etc/firewall. If you're running a distro other than Red
Hat/Fedora/Mandrake, you may need to install the functions file as
/etc/init.d/functions. Debian users, see the notes above.
Remember that your kernel needs to have iptables enabled, either via modules or hard-compiled in. If
you use modules, make sure they're loaded. Most of the time they're pulled in automatically, but
should you get odd error messages on startup, you might be missing one.
Modify /etc/firewall/firewall.conf.iptables to suit your network
and services. For several servers, you can specify a list of client IP
addresses or ranges; to allow all clients, use "any/0"; do the same for client
services which may utilize one or more external servers.
If you're running a full DNS, change the entries in firewall.dns
(may have as many as you want, one IP per line) to the IPs for your "trusted"
DNS's for zone transfers. Use the same format in firewall.banned
for any IP's/networks you'd like to completely block access to/from.
In firewall.local.iptables, you can specify any rules peculiar to
your network which you don't want to put in the main firewall script; use
the same iptables syntax as in the main script. There is no practical limit
to the number of entries in these files, but remember that each entry generates
a rule; you can wind up with some huge rule sets!
If you require port-forwarding, make sure that you create the file
/etc/firewall/firewall.nat in the format specified in this file,
specifically:
Protocol Port on firewall's external interface IP address of internal server Port on
internal server
Be sure also to eliminate any trailing newlines in all of these files; if you don't,
you'll get some spurious errors on execution of the firewall script.
As root: put firewall.iptables in /etc/init.d, then run chown root.root and chmod 700 on the file.
Then, if you're running Fedora or Mandriva, run chkconfig to enable it (/sbin/chkconfig --level 345 firewall.iptables on) - you must be in the directory /etc/init.d to do this.
Then:
/etc/init.d/firewall.iptables start
and you should be up and running. I suggest leaving the VERBOSE parameter enabled in firewall.conf.iptables;
this will give you a listing of what's going on during firewall startup.
Anyone wishing a copy of the handout from my IPTables lecture at the Simi-Conejo Linux Users' Group
meeting on 11 August 2001, you can get it here. The
associated slide show can be seen here.
Questions? E-mail me at: rcs at malibyte dot net.
Return to malibyte.net home page: Framed or non-framed versions.
This page accessed times since 1 May 2002.
Free Hit Counter