Monday, November 10, 2008

IPTABLES - sample

I used this on my test Internet gateway.


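#!/bin/bash
#
# iptables rule set for a small Internet gateway.
#
#   $INTERNET (ppp0)  upstream link
#   $LAN      (eth0)  inside network, 192.168.253.0/24
#
# Loads the netfilter modules, flushes every table it touches, installs the
# INPUT/FORWARD/OUTPUT filter rules, masquerades LAN traffic out of $INTERNET
# and DNATs inbound TCP/80 on the public address to 192.168.253.1:80.  Rules
# take effect immediately; must run as root.
#
# No `set -e` on purpose: a failing modprobe (a module that is built in, or
# renamed on a newer kernel) or one rejected rule must not abort the load
# half-way and leave a partial policy in place.  `set -u` still catches typos
# in variable names.
#
# NOTE(review): this script does not enable IPv4 forwarding
# (net.ipv4.ip_forward); it presumably happens elsewhere -- confirm.
set -u

ipt="iptables"
mod="/sbin/modprobe"
INTERNET="ppp0"
LAN="eth0"

if [[ "$EUID" -ne 0 ]]; then
  printf '%s: must be run as root\n' "${0##*/}" >&2
  exit 1
fi

# IPv4 address of the upstream link, parsed from net-tools ifconfig output
# ("inet addr:A.B.C.D").  This is screen-scraping, not an API: re-check it if
# ifconfig is replaced by ip(8) or its format changes.  Empty when the link is
# down or absent; the DNAT rule below is then skipped instead of handing an
# empty -d to iptables.  (The original hard-coded ppp0 here instead of
# using $INTERNET.)
public_ip=$(ifconfig "$INTERNET" 2>/dev/null | grep 'inet addr:' | awk '{print $2}' | cut -d: -f2)

# Kernel modules -- best effort: a module that fails to load is reported on
# stderr but does not stop the rule load.
for m in ip_tables iptable_filter iptable_nat ip_conntrack iptable_mangle \
         ipt_MASQUERADE ip_nat_ftp ip_nat_irc ip_conntrack_ftp ip_conntrack_irc; do
  "$mod" "$m" || printf 'warning: modprobe %s failed\n' "$m" >&2
done

# Flush all active rules and delete all custom chains in the tables we use.
for table in filter nat mangle; do
  "$ipt" -t "$table" -F
  "$ipt" -t "$table" -X
done

# Default policies.
# NOTE(review): INPUT, FORWARD and OUTPUT all default to ACCEPT, so anything
# not explicitly dropped below is allowed.  A default-DROP policy with explicit
# allows is the usual recommendation and would also make the "DROP " log
# prefix at the end of this file accurate.
"$ipt" -P INPUT ACCEPT
"$ipt" -P FORWARD ACCEPT
"$ipt" -P OUTPUT ACCEPT
"$ipt" -t nat -P PREROUTING ACCEPT
"$ipt" -t nat -P OUTPUT ACCEPT
"$ipt" -t nat -P POSTROUTING ACCEPT
"$ipt" -t mangle -P PREROUTING ACCEPT
"$ipt" -t mangle -P POSTROUTING ACCEPT

#######################################
# INPUT -- traffic addressed to the gateway itself
#######################################
# Loopback first; no rule below matches -i lo, so this is equivalent to the
# original placement near the end of the chain.
"$ipt" -A INPUT -i lo -j ACCEPT

# Blanket drops on the upstream link: privileged ports, every new TCP
# connection (SYN without ACK/RST) and ICMP echo requests.
#
# NOTE(review): because these DROPs come first, the $INTERNET ACCEPT rules
# further down (ports 8910/8999, the named hosts, the ISP DNS servers on
# dport 53) never match the traffic they name -- new TCP and low UDP ports
# from $INTERNET are already dropped here.  They are kept in the original
# order on purpose: moving them above the drops would open those ports to the
# Internet, which should be a deliberate decision rather than a side effect
# of this cleanup.
"$ipt" -A INPUT -i "$INTERNET" -p tcp -m tcp --dport 0:1023 -j DROP
# LOG before DROP: the original had the LOG after the DROP for the same match,
# so it could never fire.  Rate-limited so a flood cannot fill syslog.
"$ipt" -A INPUT -i "$INTERNET" -p udp -m udp --dport 0:1023 \
  -m limit --limit 3/second --limit-burst 5 -j LOG --log-prefix "DROP udp "
"$ipt" -A INPUT -i "$INTERNET" -p udp -m udp --dport 0:1023 -j DROP
"$ipt" -A INPUT -i "$INTERNET" -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
"$ipt" -A INPUT -i "$INTERNET" -p icmp -m icmp --icmp-type 8 -j DROP

#"$ipt" -A INPUT -s 192.168.253.1 -j ACCEPT
"$ipt" -A INPUT -i "$INTERNET" -p tcp --dport 8910 -j ACCEPT
"$ipt" -A INPUT -i "$INTERNET" -p tcp --dport 8999 -j ACCEPT

# The hostname is resolved once, when the rule is loaded: the rule fails to
# load if DNS is unavailable, and it silently goes stale if the name's
# address changes.
"$ipt" -A INPUT -i "$INTERNET" -s checkip.dyndns.com -j ACCEPT
"$ipt" -A INPUT -i "$INTERNET" -s 124.107.2.226 -j ACCEPT
"$ipt" -A INPUT -i "$INTERNET" -s 125.212.34.154 -j ACCEPT

# LAN
"$ipt" -A INPUT -i "$LAN" -s 192.168.253.0/24 -j ACCEPT

# DNS of ISP (udp rules first, then tcp, as in the original).
for proto in udp tcp; do
  for dns in 203.115.130.40 203.115.130.42; do
    "$ipt" -A INPUT -i "$INTERNET" -s "$dns" -p "$proto" -m "$proto" --dport 53 -j ACCEPT
  done
done

# NTP and DNS requests arriving on any interface.
"$ipt" -A INPUT -p udp -m udp --dport 123 -j ACCEPT
"$ipt" -A INPUT -p udp -m udp --dport 53 -j ACCEPT

#"$ipt" -A INPUT -m state -s 192.168.254.1 --state INVALID -j ACCEPT

# Log whatever reaches the end of INPUT from a non-loopback interface
# (rate-limited).  `! -i lo` is the current spelling of the original
# `-i ! lo`.
# NOTE(review): the "DROP " prefix is misleading while the INPUT policy is
# ACCEPT -- these packets are logged and then accepted.  If a `-P INPUT DROP`
# follows this script the prefix is right; otherwise rename it or change the
# policy.
"$ipt" -A INPUT ! -i lo -m limit --limit 3/second --limit-burst 5 -j LOG --log-prefix "DROP "

#######################################
# FORWARD -- traffic routed between $INTERNET and $LAN
#######################################
#"$ipt" -A FORWARD -i $WAN_IFACE -o $DMZ_IFACE -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#
# NOTE(review): with the FORWARD policy at ACCEPT this rule is redundant; note
# that it also explicitly admits NEW connections from $INTERNET into the LAN.
"$ipt" -A FORWARD -i "$INTERNET" -o "$LAN" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

#######################################
# OUTPUT -- traffic generated by the gateway itself
#######################################
"$ipt" -A OUTPUT -o lo -j ACCEPT
"$ipt" -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
# Redundant while the OUTPUT policy is ACCEPT.  Upper bound 63335 kept as
# written -- confirm whether 65535 (the full high-port range) was intended.
"$ipt" -A OUTPUT -p tcp -m tcp --dport 1024:63335 -j ACCEPT

#######################################
# NAT -- acting as Internet gateway
#######################################
"$ipt" -t nat -A POSTROUTING -o "$INTERNET" -j MASQUERADE

# Port-forward inbound TCP/80 on the public address to the internal web host.
if [[ -z "$public_ip" ]]; then
  printf 'warning: no IPv4 address found on %s; skipping DNAT for TCP/80\n' "$INTERNET" >&2
else
  "$ipt" -t nat -A PREROUTING -i "$INTERNET" -d "$public_ip" -p tcp -m tcp --dport 80 \
    -j DNAT --to-destination 192.168.253.1:80
fi
"$ipt" -A FORWARD -i "$INTERNET" -p tcp -d 192.168.253.1 --dport 80 -j ACCEPT

#"$ipt" -A FORWARD -j LOG
#"$ipt" -A INPUT -j LOG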