Hi all,
I'm trying to setup to forward from our ISP provided DNS to my
internal network, the ISP gives us an address of 150.5.200.32 with DNS
150.5.40.1 and I'm using internal addresses of 192.168.1.0
Below is my iptables script, any idea of what I'm doing wrong?
Cheers
#!/bin/sh
EXTIF="eth1"
INTIF="eth2"
EXTDNS="150.5.40.1"
EXTROUTE="150.5.200.61"
EXTTIME="150.5.3.0"
LDIF="lo"
LPDIP="127.0.0.1"
LPDMSK="255.0.0.0"
LPDNET="$LPDIP/$LPDMSK"
IPT="/sbin/iptables"
IFC="/sbin/ifconfig"
G="/bin/grep"
SED="/bin/sed"
AWK="/usr/bin/awk"
ECHO="/bin/echo"
$IPT -F
# Drop everything
$IPT -P FORWARD DROP
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
#State chains
echo "STATE"
$IPT -X allowed-connection
$IPT -N allowed-connection
$IPT -F allowed-connection
$IPT -A allowed-connection -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A allowed-connection -i eth1 -m limit -j LOG --log-prefix "Bad
packfrom from eth1:"
$IPT -A allowed-connection -j DROP
#ICMP
echo "ICMP"
$IPT -X icmp_allowed
$IPT -N icmp_allowed
$IPT -F icmp_allowed
#$IPT -A icmp_allowed -m state --state NEW -p icmp --icmp-type \
# time-exceeded -j ACCEPT
#$IPT -A icmp_allowed -m state --state NEW -p ICMP --icmp-type \
# destination-unreachable -j ACCEPT
#$IPT -A icmp_allowed -p icmp -j LOG --log-prefix "BAD ICMP traffic:"
$IPT -A icmp_allowed -p icmp -j ACCEPT
#Incomming traffic
$IPT -X allow-ssh-traffic-in
$IPT -N allow-ssh-traffic-in
$IPT -F allow-ssh-traffic-in
$IPT -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
ALL RST --dport ssh -j ACCEPT
$IPT -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
ALL FIN --dport ssh -j ACCEPT
$IPT -A allow-ssh-traffic-in -m limit --limit 1/second -p tcp --tcp-flags \
ALL SYN --dport ssh -j ACCEPT
$IPT -A allow-ssh-traffic-in -m state --state RELATED,ESTABLISHED -p
tcp --dport ssh -j ACCEPT
#Outgoing traffic
$IPT -X allow-ssh-traffic-out
$IPT -N allow-ssh-traffic-out
$IPT -F allow-ssh-traffic-out
$IPT -A allow-ssh-traffic-out -p tcp --dport ssh -j ACCEPT
#Outgoing DNS
$IPT -X allow-dns-traffic-out
$IPT -N allow-dns-traffic-out
$IPT -F allow-dns-traffic-out
$IPT -A allow-dns-traffic-out -p udp -d $EXTDNS --dport domain \
-j ACCEPT
#Gateway
$IPT -X allow-gateway-traffic-out
$IPT -N allow-gateway-traffic-out
$IPT -F allow-gateway-traffic-out
$IPT -A allow-gateway-traffic-out -d $EXTROUTE -j ACCEPT
$IPT -X allow-gateway-traffic-in
$IPT -N allow-gateway-traffic-in
$IPT -F allow-gateway-traffic-in
$IPT -A allow-gateway-traffic-in -d $EXTROUTE -j ACCEPT
#Outgoing HTTP
echo "HTTP OUT"
$IPT -X allow-www-traffic-out
$IPT -N allow-www-traffic-out
$IPT -F allow-www-traffic-out
$IPT -A allow-www-traffic-out -p tcp --dport www -j ACCEPT
#Outgoing ICECAST
echo "ICECAST OUT"
$IPT -X allow-icecast-traffic-out
$IPT -N allow-icecast-traffic-out
$IPT -F allow-icecast-traffic-out
$IPT -A allow-icecast-traffic-out -p tcp --dport 8000 -j ACCEPT
#Outgoing NTP
echo "OUT NTP"
$IPT -X allow-ntp-out
$IPT -N allow-ntp-out
$IPT -F allow-ntp-out
$IPT -A allow-ntp-out -p tcp -d $EXTTIME --dport ntp -j ACCEPT
$IPT -A allow-ntp-out -p udp -d $EXTTIME --dport ntp -j ACCEPT
#Incomming HTTP
echo "HTTP IN"
$IPT -X allow-www-traffic-in
$IPT -N allow-www-traffic-in
$IPT -F allow-www-traffic-in
$IPT -A allow-www-traffic-in -p tcp --dport www -j ACCEPT
#Incomming ICECAST
echo "ICECAST"
$IPT -X allow-icecast-traffic-in
$IPT -N allow-icecast-traffic-in
$IPT -F allow-icecast-traffic-in
$IPT -A allow-icecast-traffic-in -p tcp --dport 8000 -j ACCEPT
#portscanners
echo "PORT SCANNERS"
$IPT -X check-flags
$IPT -N check-flags
$IPT -F check-flags
$IPT -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit \
--limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
$IPT -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit \
5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
$IPT -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
-m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
$IPT -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A check-flags -p tcp --tcp-flags ALL NONE -m limit \
--limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
$IPT -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit \
--limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
$IPT -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit \
--limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
$IPT -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
#Internal forwards
$IPT -t nat -F
$IPT -t nat -A POSTROUTING -o $INTIF -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
$IPT -A FORWARD -i $INTIF -o $EXTIF -m state --state
ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $EXTIF -o $INTIF -j ACCEPT
$IPT -A FORWARD -j LOG
#Apply to INPUT
echo "APPLY TO INPUT"
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -p icmp -j icmp_allowed
$IPT -A INPUT -j check-flags
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -j allow-gateway-traffic-in
$IPT -A INPUT -j allow-ssh-traffic-in
$IPT -A INPUT -j allow-www-traffic-in
$IPT -A INPUT -j allow-icecast-traffic-in
$IPT -A INPUT -j allowed-connection
#Apply to OUTPUT
echo "APPLY TO OUTPUT"
$IPT -A OUTPUT -m state --state INVALID -j DROP
$IPT -A OUTPUT -p icmp -j icmp_allowed
$IPT -A OUTPUT -j check-flags
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -j allow-ssh-traffic-out
$IPT -A OUTPUT -j allow-dns-traffic-out
$IPT -A OUTPUT -j allow-gateway-traffic-out
$IPT -A OUTPUT -j allow-www-traffic-out
$IPT -A OUTPUT -j allow-icecast-traffic-out
$IPT -A OUTPUT -j allow-ntp-out
$IPT -A OUTPUT -j allowed-connection
--
Peter Brooks
