# firewall forwarding issue, simple fix but what?

## nadsys

I had all forwarding working with a simple firewall script; now I've implemented a much more detailed one based on Krunk's IPTables HOWTO and it works perfectly for the server machine but not for the clients.

I can still ping the server from a client, so DNS/DHCP are still working fine.

Any help much appreciated. BTW, please ignore any line wrapping, it's just how it pasted.

Here's what I have:

```sh
#!/bin/sh
#
# ********** VARIABLE DEFINITIONS **********
#
# External interface
EXTIF="ppp0"
# Internal interface
INTIF="eth1"
# Loop device/localhost
LPDIF="lo"
LPDIP="127.0.0.1"
LPDMSK="255.0.0.0"
LPDNET="$LPDIP/$LPDMSK"
# Text tools variables
IPT="/sbin/iptables"
IFC="/sbin/ifconfig"
G="/bin/grep"
SED="/bin/sed"
AWK="/bin/awk"

# Setting up external interface environment variables
# The following doesn't play nice with localization
#EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
# This one does AFAIK
EXTIP="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
#EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
EXTBC="255.255.255.255"
# same problem here with localization
#EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTMSK="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"
EXTNET="$EXTIP/$EXTMSK"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
# Due to absence of EXTBC I manually set it to 255.255.255.255
# this (hopefully) will serve the same purpose

# Setting up environment variables for internal interface
INTIP="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
#INTIP="`$IFC $INTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[3],a," ");print a[1];exit}'`"
#INTBC="`$IFC $INTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"
#INTMSK="`$IFC $INTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET="$INTIP/$INTMSK"
echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET"

# ********** INITIALIZATION **********
#
# Deny then accept: this keeps holes from opening up
# while we close ports and such
$IPT        -P INPUT       DROP
$IPT        -P OUTPUT      DROP
$IPT        -P FORWARD     DROP
#IPT        -P INPUT       ACCEPT
#IPT        -P OUTPUT      ACCEPT
#IPT        -P FORWARD     ACCEPT

# Flush all existing chains and erase personal chains
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS;
do
    $IPT -t $i -F
done
for i in $CHAINS;
do
    $IPT -t $i -X
done

# enable syncookies & ignore icmp broadcasts
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
done
# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
done
# Log Martians
for i in /proc/sys/net/ipv4/conf/*/log_martians ; do
        echo 1 > $i
done
# activate forwarding & dynamic address
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# Loading necessary kernel modules
# example: MODULES="ip_nat_ftp ip_conntrack_ftp"
#MODULES="ipt_owner"
#for i in $MODULES;
#do
#  echo "Inserting module $i"
#  modprobe $i
#done

# ********** LOGGING CHAINS **********
#
# We are now going to create a few custom chains that will result in
# logging of dropped packets. This will enable us to avoid having to
# enter a log command prior to every drop we wish to log. The
# first will log drops, the other will log rejects.
# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl   2> /dev/null
$IPT -A DROPl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP BLOCKED:'
$IPT -A DROPl   -j DROP
$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT BLOCKED:'
$IPT -A REJECTl -j REJECT
$IPT -N DROP2   2> /dev/null
$IPT -A DROP2 -m limit --limit 3/second --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP UNKNOWN:'
$IPT -A DROP2   -j DROP
$IPT -N REJECT2 2> /dev/null
$IPT -A REJECT2 -m limit --limit 3/second --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT UNKNOWN:'
$IPT -A REJECT2 -j REJECT
# For testing, a logging ACCEPT chain
$IPT -N ACCEPTl   2> /dev/null
$IPT -A ACCEPTl -m limit --limit 10/second --limit-burst 50 -j LOG --log-prefix 'FIREWALL ACCEPT:'
$IPT -A ACCEPTl   -j ACCEPT

# ********** SANE COMMON RULES **********
#
# Now we are going to accept all traffic from or to our loopback device
# if the IP matches any of our interfaces.
$IPT -A INPUT   -i $LPDIF -s   $LPDIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $EXTIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $INTIP  -j ACCEPT
$IPT -A OUTPUT  -o $LPDIF -d   $LPDIP  -j ACCEPT
$IPT -A OUTPUT  -o $LPDIF -d   $EXTIP  -j ACCEPT
$IPT -A OUTPUT  -o $LPDIF -d   $INTIP  -j ACCEPT
# Blocking Broadcasts
$IPT -A INPUT   -i $EXTIF -d   $EXTBC  -j DROPl
$IPT -A INPUT   -i $INTIF -d   $INTBC  -j DROPl
$IPT -A OUTPUT  -o $EXTIF -d   $EXTBC  -j DROPl
$IPT -A OUTPUT  -o $INTIF -d   $INTBC  -j DROPl
$IPT -A FORWARD -o $EXTIF -d   $EXTBC  -j DROPl
$IPT -A FORWARD -o $INTIF -d   $INTBC  -j DROPl
# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input going into our external interface does not match our ISP-assigned
# ip address, drop it like a hot potato"
$IPT -A INPUT   -i $EXTIF -d ! $EXTIP  -j DROPl
# Now we will block internal addresses originating from anything but our
# predefined interface.....just remember that if you jack your
# laptop or another pc into one of these NIC's directly, you'll need
# to ensure that they either have the same ip or that you add a line explicitly
# allowing that IP as well
# Interface one/internal net one
$IPT -A INPUT   -i $INTIF -s ! $INTNET -j DROPl
$IPT -A OUTPUT  -o $INTIF -d ! $INTNET -j DROPl
$IPT -A FORWARD -i $INTIF -s ! $INTNET -j DROPl
$IPT -A FORWARD -o $INTIF -d ! $INTNET -j DROPl
# An additional Egress check
$IPT -A OUTPUT  -o $EXTIF -s ! $EXTNET -j DROPl
# Block outbound ICMP (except for PING)
$IPT -A OUTPUT  -o $EXTIF -p icmp \
    --icmp-type ! 8 -j DROPl
$IPT -A FORWARD -o $EXTIF -p icmp \
    --icmp-type ! 8 -j DROPl
# Allow to ping out
$IPT -A OUTPUT  -o $EXTIF -p icmp -s $EXTIP  \
    --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF -p icmp -s $INTNET \
    --icmp-type 8 -m state --state NEW -j ACCEPT
# Allow internal network to ping internal systems
$IPT -A OUTPUT  -o $INTIF -p icmp -s $INTNET \
    --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT   -i $INTIF -p icmp -s $INTNET \
    --icmp-type 8 -m state --state NEW -j ACCEPT

# ********** BLOCKING THE EVIL PORTS **********
#
# COMmon ports:
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 135 is DCOM RPC
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346 (gnutella - removed)
# Common Trojans 12345 65535
INTCOMBLOCK="0:1 13 21 22 98 111 135 161:162 1214 1999 2049 3049 4329 3128 8000 8008 8080 12345 65535"
EXTCOMBLOCK="137:139 445"
# TCP ports:
# 512:515 is rexec, rlogin, rsh, printer(lpd)
#   [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
INTTCPBLOCK="$INTCOMBLOCK 512:515 1080 6000:6009 6112"
EXTTCPBLOCK="$INTCOMBLOCK $EXTCOMBLOCK 512:515 1080 6000:6009 6112"
# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
INTUDPBLOCK="$INTCOMBLOCK 161:162 520 517:518 1427 9000"
EXTUDPBLOCK="$INTCOMBLOCK $EXTCOMBLOCK 161:162 520 123 517:518 1427 9000"

echo -n "FW: Blocking internal attacks to TCP port: "
for i in $INTTCPBLOCK;
do
  echo -n "$i "
  $IPT -A INPUT   -p tcp -s $INTNET --dport $i  -j DROPl
  $IPT -A OUTPUT  -p tcp -s $INTNET --dport $i  -j DROPl
  $IPT -A FORWARD -p tcp -s $INTNET --dport $i  -j DROPl
done
echo ""
echo -n "FW: Blocking external attacks to TCP port: "
for i in $EXTTCPBLOCK;
do
  echo -n "$i "
  $IPT -A INPUT   -p tcp -s ! $INTNET --dport $i  -j DROPl
  $IPT -A OUTPUT  -p tcp -s ! $INTNET --dport $i  -j DROPl
  $IPT -A FORWARD -p tcp -s ! $INTNET --dport $i  -j DROPl
done
echo ""
echo -n "FW: Blocking internal attacks to UDP port: "
for i in $INTUDPBLOCK;
do
  echo -n "$i "
  $IPT -A INPUT   -p udp -s $INTNET --dport $i  -j DROPl
  $IPT -A OUTPUT  -p udp -s $INTNET --dport $i  -j DROPl
  $IPT -A FORWARD -p udp -s $INTNET --dport $i  -j DROPl
done
echo ""
echo -n "FW: Blocking external attacks to UDP port: "
for i in $EXTUDPBLOCK;
do
  echo -n "$i "
  $IPT -A INPUT   -p udp -s ! $INTNET --dport $i  -j DROPl
  $IPT -A OUTPUT  -p udp -s ! $INTNET --dport $i  -j DROPl
  $IPT -A FORWARD -p udp -s ! $INTNET --dport $i  -j DROPl
done
echo ""

# ********** ALLOWING INSIDE TO OUTSIDE SERVICES **********
#
# This is where things go you want to use from your network on the internet
#
# Defining some common chat clients. Remove these from your accepted list for better security.
IRC='ircd'
MSN=1863
NOIP=8245
NFS='sunrpc'
PORTAGE='rsync'
OpenPGP_HTTP_Keyserver=11371
# All services ports are read from /etc/services
TCPSERV="domain sshb http https glftpd imap3 imaps imap2 ntp $PORTAGE $IRC $NOIP $MSN $OpenPGP_HTTP_Keyserver"
UDPSERV="domain ntp"
echo -n "FW: Allowing inside systems to use services: "
for i in $TCPSERV;
do
   echo -n "$i "
   $IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP  \
    --dport $i --syn -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $INTIF -p tcp -s $INTNET \
    --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""
echo -n "FW: Allowing inside systems to use services: "
for i in $UDPSERV;
do
    echo -n "$i "
    $IPT -A OUTPUT  -o $EXTIF -p udp -s $EXTIP  \
        --dport $i -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INTIF -p udp -s $INTNET \
        --dport $i -m state --state NEW -j ACCEPT
done
echo ""

# ********** ALLOWING SERVICES ON FIREWALL **********
#
# DAEMONS on firewall which should be accessible to inside/outside.
# it is presumed that DAEMONS advertised to the outside can also
# be advertised safely to the inside
#
# This is generally NOT A GOOD IDEA (as told by "security experts")
# since if some service on this machine gets hacked, the firewall is
# compromised as well, but what the heck ;) it's only a home network
#
# 50369 is my p2p port
# microsoft-ds is for samba
# 5901 is vnc
# domain is nameserver
# ntp is for timeserving
GLPASV="14000:14500"
# EXTTCPDAEMONS="sshb http https imap3 imaps imap2 "
EXTTCPDAEMONS="sshb auth glftpd $GLPASV"
INTTCPDAEMONS="$EXTTCPDAEMONS microsoft-ds 5901"
EXTUDPDAEMONS=""
INTUDPDAEMONS="$EXTUDPDAEMONS domain ntp"
echo -n "FW: Allowing external systems to use tcp services on localhost: "
for i in $EXTTCPDAEMONS;
do
   echo -n "$i "
   $IPT -A INPUT -i $EXTIF -p tcp -d $EXTIP  \
    --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""
echo -n "FW: Allowing internal systems to use tcp services on localhost: "
for i in $INTTCPDAEMONS;
do
   echo -n "$i "
   $IPT -A INPUT -i $INTIF -p tcp -d $INTIP  \
    --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""
echo -n "FW: Allowing external systems to use udp services on localhost: "
for i in $EXTUDPDAEMONS;
do
    echo -n "$i "
    $IPT -A INPUT -i $EXTIF -p udp -d $EXTIP  \
     --dport $i -m state --state NEW -j ACCEPT
done
echo ""
echo -n "FW: Allowing internal systems to use udp services on localhost: "
for i in $INTUDPDAEMONS;
do
    echo -n "$i "
    $IPT -A INPUT -i $INTIF -p udp -d $INTIP  \
     --dport $i -m state --state NEW -j ACCEPT
done
echo ""

# ********** FINALIZING NAT & FIREWALL **********
#
# Setup NAT
$IPT -t nat -A PREROUTING                       -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE
$IPT -t nat -A POSTROUTING                      -j ACCEPT
$IPT -t nat -A OUTPUT                           -j ACCEPT
# allow existing connections
$IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# block and log what we may have forgotten
$IPT -A INPUT             -j DROP2
$IPT -A OUTPUT            -j REJECT2
$IPT -A FORWARD           -j DROP2
```

----------

## Hobbes-X

From your message I'm not 100% sure what sort of traffic you're trying to allow, but if you're wanting to allow the firewall to access services like I was, you can add this:

```sh
# Allowing access to internal services from localhost
echo -n "FW: Allowing localhost to use tcp services on internal systems: "
for i in $INTTCPDAEMONS;
do
    echo -n "$i "
    # destination is the internal network ($INTNET); the firewall's own
    # address on that interface ($INTIP) never leaves via $INTIF, so a rule
    # matching -d $INTIP would never fire
    $IPT -A OUTPUT -o $INTIF -p tcp -d $INTNET --dport $i -m state --state NEW -j ACCEPT
done
echo ""
```

HTH

----------

## nadsys

Hi, thanks for the reply. I don't think I explained my situation clearly enough before.

I have everything working on the server.

I have no access, however, from the clients to the internet. Mozilla, IRC, ping, and others I have tried all fail. IP forwarding is enabled in the script so that's not the issue, but somewhere in that script it has to allow traffic from the clients through the firewall to the internet. I'm unsure if a rule already exists for that and it's just a case of altering it, or if I have to do what you just told me and add that line in for the clients to access the WWW.

Got the firewall from page 2, 3/4 of the way down, by Krunk: https://forums.gentoo.org/viewtopic.php?t=159710&postdays=0&postorder=asc&highlight=iptables+howto&start=25

thank you,

Neil

----------

## Hobbes-X

Hi Neil,

The part of the script where you can add protocols that the clients are allowed to use is here:

```sh
IRC='ircd'
MSN=1863
NOIP=8245
NFS='sunrpc'
PORTAGE='rsync'
OpenPGP_HTTP_Keyserver=11371

# All services ports are read from /etc/services

TCPSERV="domain sshb http https glftpd imap3 imaps imap2 ntp $PORTAGE $IRC $NOIP $MSN $OpenPGP_HTTP_Keyserver"
UDPSERV="domain ntp"
```

http, irc, and most of the other common ones are already listed. (ping is a different case though, and is handled further up in the script.)

With the script the way it is, these are already set up to be allowed, so there's probably something else wrong. Do you have the iptables support compiled into your kernel, or are they compiled as modules?

This part of your script is commented out, so you'll need to have them built into the kernel for FTP to work.

```sh
# Loading necessary kernel modules
# example: MODULES="ip_nat_ftp ip_conntrack_ftp"
#MODULES="ipt_owner"
#for i in $MODULES;
#do
#  echo "Inserting module $i"
#  modprobe $i
#done
```

I notice some of the lines are wrapped, and have '/'s in them. Does the script run without any errors for you? I had to do some fixing of the wrapped lines to get the script to run without errors.

----------

## Hobbes-X

By the way, the first little section I posted is to allow the firewall to access services hosted on internal clients, so that won't help with your current problem.

----------

## nadsys

OK, tried ftp instead of ping from the client, same error: "network is unreachable". It gives this message instantly. If I disable the firewall on the server, it works straight away. So it's definitely an iptables problem.

Now, as you pointed out, the section which is allowing clients to connect has all the services they should need to use ftp/http and so on, so that's not the issue either, I think.

The only error I get when executing the script is for syncookies:

```
-bash: /proc/sys/net/ipv4/tcp_syncookies: No such file or directory
```

Looking in the help section for syncookies in make menuconfig, it says:

> If you say Y here, note that SYN cookies aren't enabled by default; you can enable them by saying Y to "/proc file system support" and "Sysctl support" below and executing the command...

I have syncookies in the kernel, I have /proc file system in the kernel, I can't find "sysctl support" anywhere so I am unsure whether it's in the kernel or not.

An additional problem I now have is getting ftp to work. I can ftp to any site I add to my firewall but can't get it to list, using pasv or not using pasv. I want to be able to tell it to use a certain range of ports for all passive transfers. I allowed ports 14000:14500 for this purpose (variable is GLPASV).

The ftp problem is secondary to getting the clients up and running. Thank you for any help.

This is how iptables looks now.

```sh
#!/bin/sh
#
# ********** VARIABLE DEFINITIONS **********
#
# External interface
EXTIF="ppp0"
# Internal interface
INTIF="eth1"
# Loop device/localhost
LPDIF="lo"
LPDIP="127.0.0.1"
LPDMSK="255.0.0.0"
LPDNET="$LPDIP/$LPDMSK"
# Text tools variables
IPT="/sbin/iptables"
IFC="/sbin/ifconfig"
G="/bin/grep"
SED="/bin/sed"
AWK="/bin/awk"
# Last but not least, the users
nads=192.168.0.09
lee=192.168.0.10

# Setting up external interface environment variables
# The following doesn't play nice with localization
#EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
# This one does AFAIK
EXTIP="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
#EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
EXTBC="255.255.255.255"
# same problem here with localization
#EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTMSK="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"
EXTNET="$EXTIP/$EXTMSK"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
# Due to absence of EXTBC I manually set it to 255.255.255.255
# this (hopefully) will serve the same purpose

# Setting up environment variables for internal interface
INTIP="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
#INTIP="`$IFC $INTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[3],a," ");print a[1];exit}'`"
#INTBC="`$IFC $INTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"
#INTMSK="`$IFC $INTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET="$INTIP/$INTMSK"
echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET"

# ********** INITIALIZATION **********
#
# Deny then accept: this keeps holes from opening up
# while we close ports and such
$IPT        -P INPUT       DROP
$IPT        -P OUTPUT      DROP
$IPT        -P FORWARD     DROP
#IPT        -P INPUT       ACCEPT
#IPT        -P OUTPUT      ACCEPT
#IPT        -P FORWARD     ACCEPT

# Flush all existing chains and erase personal chains
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS;
do
    $IPT -t $i -F
done
for i in $CHAINS;
do
    $IPT -t $i -X
done

# enable syncookies & ignore icmp broadcasts
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
done
# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
done
# Log Martians
for i in /proc/sys/net/ipv4/conf/*/log_martians ; do
        echo 1 > $i
done
# activate forwarding & dynamic address
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# Loading necessary kernel modules
# example: MODULES="ip_nat_ftp ip_conntrack_ftp"
#MODULES="ipt_owner"
#for i in $MODULES;
#do
#  echo "Inserting module $i"
#  modprobe $i
#done

# ********** LOGGING CHAINS **********
#
# We are now going to create a few custom chains that will result in
# logging of dropped packets. This will enable us to avoid having to
# enter a log command prior to every drop we wish to log. The
# first will log drops, the other will log rejects.
# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl   2> /dev/null
$IPT -A DROPl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP BLOCKED:'
$IPT -A DROPl   -j DROP
$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT BLOCKED:'
$IPT -A REJECTl -j REJECT
$IPT -N DROP2   2> /dev/null
$IPT -A DROP2 -m limit --limit 3/second --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP UNKNOWN:'
$IPT -A DROP2   -j DROP
$IPT -N REJECT2 2> /dev/null
$IPT -A REJECT2 -m limit --limit 3/second --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT UNKNOWN:'
$IPT -A REJECT2 -j REJECT
# For testing, a logging ACCEPT chain
$IPT -N ACCEPTl   2> /dev/null
$IPT -A ACCEPTl -m limit --limit 10/second --limit-burst 50 -j LOG --log-prefix 'FIREWALL ACCEPT:'
$IPT -A ACCEPTl   -j ACCEPT

# ********** SANE COMMON RULES **********
#
# Now we are going to accept all traffic from or to our loopback device
# if the IP matches any of our interfaces.
$IPT -A INPUT   -i $LPDIF -s   $LPDIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $EXTIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $INTIP  -j ACCEPT
$IPT -A OUTPUT  -o $LPDIF -d   $LPDIP  -j ACCEPT
$IPT -A OUTPUT  -o $LPDIF -d   $EXTIP  -j ACCEPT
$IPT -A OUTPUT  -o $LPDIF -d   $INTIP  -j ACCEPT
# Blocking Broadcasts
$IPT -A INPUT   -i $EXTIF -d   $EXTBC  -j DROPl
$IPT -A INPUT   -i $INTIF -d   $INTBC  -j DROPl
$IPT -A OUTPUT  -o $EXTIF -d   $EXTBC  -j DROPl
$IPT -A OUTPUT  -o $INTIF -d   $INTBC  -j DROPl
$IPT -A FORWARD -o $EXTIF -d   $EXTBC  -j DROPl
$IPT -A FORWARD -o $INTIF -d   $INTBC  -j DROPl
# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input going into our external interface does not match our ISP-assigned
# ip address, drop it like a hot potato"
$IPT -A INPUT   -i $EXTIF -d ! $EXTIP  -j DROPl
# Now we will block internal addresses originating from anything but our
# predefined interface.....just remember that if you jack your
# laptop or another pc into one of these NIC's directly, you'll need
# to ensure that they either have the same ip or that you add a line explicitly
# allowing that IP as well
# Interface one/internal net one
$IPT -A INPUT   -i $INTIF -s ! $INTNET -j DROPl
$IPT -A OUTPUT  -o $INTIF -d ! $INTNET -j DROPl
$IPT -A FORWARD -i $INTIF -s ! $INTNET -j DROPl
$IPT -A FORWARD -o $INTIF -d ! $INTNET -j DROPl
# An additional Egress check
$IPT -A OUTPUT  -o $EXTIF -s ! $EXTNET -j DROPl
# Block outbound ICMP (except for PING)
$IPT -A OUTPUT  -o $EXTIF -p icmp \
    --icmp-type ! 8 -j DROPl
$IPT -A FORWARD -o $EXTIF -p icmp \
    --icmp-type ! 8 -j DROPl
# Allow to ping out
$IPT -A OUTPUT  -o $EXTIF -p icmp -s $EXTIP  \
    --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF -p icmp -s $INTNET \
    --icmp-type 8 -m state --state NEW -j ACCEPT
# Allow internal network to ping internal systems
$IPT -A OUTPUT  -o $INTIF -p icmp -s $INTNET \
    --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT   -i $INTIF -p icmp -s $INTNET \
    --icmp-type 8 -m state --state NEW -j ACCEPT

# ********** BLOCKING THE EVIL PORTS **********
#
# COMmon ports:
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 135 is DCOM RPC
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346 (gnutella - removed)
# Common Trojans 12345 65535
INTCOMBLOCK="0:1 13 22 98 111 135 161:162 1214 1999 2049 3049 4329 3128 8000 8008 8080 12345 65535"
EXTCOMBLOCK="137:139 445"
# TCP ports:
# 512:515 is rexec, rlogin, rsh, printer(lpd)
#   [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
INTTCPBLOCK="$INTCOMBLOCK 512:515 1080 6000:6009 6112"
EXTTCPBLOCK="$INTCOMBLOCK $EXTCOMBLOCK 512:515 1080 6000:6009 6112"
# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
INTUDPBLOCK="$INTCOMBLOCK 161:162 520 517:518 1427 9000"
EXTUDPBLOCK="$INTCOMBLOCK $EXTCOMBLOCK 161:162 520 123 517:518 1427 9000"

echo -n "FW: Blocking internal attacks to TCP port: "
for i in $INTTCPBLOCK;
do
  echo -n "$i "
  $IPT -A INPUT   -p tcp -s $INTNET --dport $i  -j DROPl
  $IPT -A OUTPUT  -p tcp -s $INTNET --dport $i  -j DROPl
  $IPT -A FORWARD -p tcp -s $INTNET --dport $i  -j DROPl
done
echo ""
echo -n "FW: Blocking external attacks to TCP port: "
for i in $EXTTCPBLOCK;
do
  echo -n "$i "
  $IPT -A INPUT   -p tcp -s ! $INTNET --dport $i  -j DROPl
  $IPT -A OUTPUT  -p tcp -s ! $INTNET --dport $i  -j DROPl
  $IPT -A FORWARD -p tcp -s ! $INTNET --dport $i  -j DROPl
done
echo ""
echo -n "FW: Blocking internal attacks to UDP port: "
for i in $INTUDPBLOCK;
do
  echo -n "$i "
  $IPT -A INPUT   -p udp -s $INTNET --dport $i  -j DROPl
  $IPT -A OUTPUT  -p udp -s $INTNET --dport $i  -j DROPl
  $IPT -A FORWARD -p udp -s $INTNET --dport $i  -j DROPl
done
echo ""
echo -n "FW: Blocking external attacks to UDP port: "
for i in $EXTUDPBLOCK;
do
  echo -n "$i "
  $IPT -A INPUT   -p udp -s ! $INTNET --dport $i  -j DROPl
  $IPT -A OUTPUT  -p udp -s ! $INTNET --dport $i  -j DROPl
  $IPT -A FORWARD -p udp -s ! $INTNET --dport $i  -j DROPl
done
echo ""

# ********** ALLOWING INSIDE TO OUTSIDE SERVICES **********
#
# This is where things go you want to use from your network on the internet
#
# Defining some common chat clients. Remove these from your accepted list for better security.
IRC='ircd'
MSN=1863
NOIP=8245
NFS='sunrpc'
PORTAGE='rsync'
OpenPGP_HTTP_Keyserver=11371
GFTPPORTS="21 1336 1337 5499 5500 8082 8083 443 444 81 21620 21621"
# All services ports are read from /etc/services
TCPSERV="domain sshb http https glftpd ntp $PORTAGE $IRC $NOIP $MSN $OpenPGP_HTTP_Keyserver $GFTPPORTS"
UDPSERV="domain ntp"
echo -n "FW: Allowing inside systems to use services: "
for i in $TCPSERV;
do
   echo -n "$i "
   $IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP  \
    --dport $i --syn -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $INTIF -p tcp -s $INTNET \
    --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""
echo -n "FW: Allowing inside systems to use services: "
for i in $UDPSERV;
do
    echo -n "$i "
    $IPT -A OUTPUT  -o $EXTIF -p udp -s $EXTIP  \
        --dport $i -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INTIF -p udp -s $INTNET \
        --dport $i -m state --state NEW -j ACCEPT
done
echo ""

# ********** ALLOWING SERVICES ON FIREWALL **********
#
# DAEMONS on firewall which should be accessible to inside/outside.
# it is presumed that DAEMONS advertised to the outside can also
# be advertised safely to the inside
#
# This is generally NOT A GOOD IDEA (as told by "security experts")
# since if some service on this machine gets hacked, the firewall is
# compromised as well, but what the heck ;) it's only a home network
#
# 50369 is my p2p port
# microsoft-ds is for samba
# 5901 is vnc
# domain is nameserver
# ntp is for timeserving
GLPASV="14000:14500"
# EXTTCPDAEMONS="sshb http https"
EXTTCPDAEMONS="sshb auth glftpd $GLPASV $GFTPPORTS"
INTTCPDAEMONS="$EXTTCPDAEMONS microsoft-ds 5901"
EXTUDPDAEMONS=""
INTUDPDAEMONS="$EXTUDPDAEMONS domain ntp"
echo -n "FW: Allowing external systems to use tcp services on localhost: "
for i in $EXTTCPDAEMONS;
do
   echo -n "$i "
   $IPT -A INPUT -i $EXTIF -p tcp -d $EXTIP  \
    --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""
echo -n "FW: Allowing internal systems to use tcp services on localhost: "
for i in $INTTCPDAEMONS;
do
   echo -n "$i "
   $IPT -A INPUT -i $INTIF -p tcp -d $INTIP  \
    --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""
echo -n "FW: Allowing external systems to use udp services on localhost: "
for i in $EXTUDPDAEMONS;
do
    echo -n "$i "
    $IPT -A INPUT -i $EXTIF -p udp -d $EXTIP  \
     --dport $i -m state --state NEW -j ACCEPT
done
echo ""
echo -n "FW: Allowing internal systems to use udp services on localhost: "
for i in $INTUDPDAEMONS;
do
    echo -n "$i "
    $IPT -A INPUT -i $INTIF -p udp -d $INTIP  \
     --dport $i -m state --state NEW -j ACCEPT
done
echo ""

# ********** FINALIZING NAT & FIREWALL **********
#
# Setup NAT
$IPT -t nat -A PREROUTING                       -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE
$IPT -t nat -A POSTROUTING                      -j ACCEPT
$IPT -t nat -A OUTPUT                           -j ACCEPT
# allow existing connections
$IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# block and log what we may have forgotten
$IPT -A INPUT             -j DROP2
$IPT -A OUTPUT            -j REJECT2
$IPT -A FORWARD           -j DROP2
```

----------

## Hobbes-X

I get the same tcp_syncookies error message, and I don't have any problems. I'd guess this is normal, but I didn't look too closely at it since things were working.

I wonder if iptables is actually blocking the traffic, or if there's some sort of configuration problem from the script.

With this script, blocked packets are logged, so you should be able to see if they're getting blocked or not by looking at the logs.

You can try grep'ing your logs for the IP addresses of your client machines after you test one of the services, but I think it's easier to open a second terminal to watch while you try one of the problem services:

In one terminal watch the kernel messages:

```
# tail -f /var/log/kernel/current
```

(I'm not sure if that's the same for all the different loggers or not...)

And in another try to use one of the ports that aren't working:

```
# ping google.com
```

If packets are getting blocked, you'll get a message that's something like:

```
Oct  1 14:31:24 [kernel] FIREWALL DROP BLOCKED:IN=eth1 OUT=eth0 MAC=ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff:ff SRC=192.168.0.2 DST=255.255.255.255 LEN=344 TOS=0x00 PREC=0x00 TTL=64 ID=29194 PROTO=UDP SPT=67 DPT=68 LEN=324
```

DPT is the destination port (80 for http, etc...). If you're not getting any FIREWALL DROP BLOCKED or FIREWALL DROP UNKNOWN lines, then iptables isn't dropping the packets, and there's some sort of network issue (or others? Suggestions welcome.)

I'm guessing that these are your client boxen?

*Quote:*

> ```
> # Last but not least, the users
> nads=192.168.0.09
> ...
> ```
 

----------

## nadsys

ok, taken a step backwards now.  took ip_conntrack_ftp and ip_nat_ftp out of the kernel and compiled as modules.

uncommented section in script to start modules. now looks like: 

```
# Loading necessary kernel modules
# example: MODULES="ip_nat_ftp ip_conntrack_ftp"
MODULES="ip_nat_ftp ip_conntrack_ftp"
for i in $MODULES;
do
  echo "Inserting module $i"
  modprobe $i
done
```

i then go to run the script and am hit by hundreds of messages saying:

```
iptables v1.2.11: Couldn't load target `DROP2':/lib/iptables/libipt_DROP2.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: Couldn't load target `REJECT2':/lib/iptables/libipt_REJECT2.so: cannot open shared object file: No such file or directory
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: Couldn't load target `DROPl':/lib/iptables/libipt_DROPl.so: cannot open shared object file: No such file or directory
```

so, maybe this has been the problem all along but just hidden because i wasn't seeing it, as it was all loaded by the kernel, or maybe my understanding is all wrong.

my firewall logs BEFORE this were as follows:

```
Oct  1 18:14:10 [kernel] FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=195.121.72.227 DST=84.57.7.155 LEN=78 TOS=0x00 PREC=0x00 TTL=122 ID=9289 PROTO=UDP SPT=1029 DPT=137 LEN=58

Oct  1 18:14:57 [kernel] FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=84.57.1.91 DST=84.57.7.155 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=44274 DF PROTO=TCP SPT=3317 DPT=135 WINDOW=11680 RES=0x00 SYN URGP=0

Oct  1 18:15:00 [kernel] FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=84.57.1.91 DST=84.57.7.155 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=44486 DF PROTO=TCP SPT=3317 DPT=135 WINDOW=11680 RES=0x00 SYN URGP=0

Oct  1 18:15:01 [kernel] FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=84.57.5.253 DST=84.57.7.155 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=14520 DF PROTO=TCP SPT=3741 DPT=135 WINDOW=64800 RES=0x00 SYN URGP=0

Oct  1 18:15:46 [kernel] FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=84.57.34.148 DST=84.57.7.155 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=25938 DF PROTO=TCP SPT=4277 DPT=135 WINDOW=32767 RES=0x00 SYN URGP=0

Oct  1 18:16:07 [kernel] FIREWALL DROP UNKNOWN:IN=ppp0 OUT= MAC= SRC=83.30.157.226 DST=84.57.7.155 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=36422 DF PROTO=TCP SPT=54776 DPT=4662 WINDOW=18276 RES=0x00 SYN URGP$

Oct  1 18:16:10 [kernel] FIREWALL DROP UNKNOWN:IN=ppp0 OUT= MAC= SRC=83.30.157.226 DST=84.57.7.155 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=36423 DF PROTO=TCP SPT=54776 DPT=4662 WINDOW=18276 RES=0x00 SYN URGP$

Oct  1 18:16:16 [kernel] FIREWALL DROP UNKNOWN:IN=ppp0 OUT= MAC= SRC=83.30.157.226 DST=84.57.7.155 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=36424 DF PROTO=TCP SPT=54776 DPT=4662 WINDOW=18276 RES=0x00 SYN URGP$

Oct  1 18:16:28 [kernel] FIREWALL DROP UNKNOWN:IN=ppp0 OUT= MAC= SRC=83.30.157.226 DST=84.57.7.155 LEN=60 TOS=0x00 PREC=0x00 TTL=53 ID=36425 DF PROTO=TCP SPT=54776 DPT=4662 WINDOW=18276 RES=0x00 SYN URGP$

Oct  1 18:16:31 [kernel] FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=84.57.8.226 DST=84.57.7.155 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=25724 DF PROTO=TCP SPT=3301 DPT=445 WINDOW=32767 RES=0x00 SYN URGP=0

Oct  1 18:16:34 [kernel] FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=84.57.8.226 DST=84.57.7.155 LEN=48 TOS=0x00 PREC=0x00 TTL=63 ID=26174 DF PROTO=TCP SPT=3301 DPT=445 WINDOW=32767 RES=0x00 SYN URGP=0

Oct  1 18:17:04 [kernel] FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=84.57.59.93 DST=84.57.7.155 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42266 DF PROTO=TCP SPT=2740 DPT=135 WINDOW=64800 RES=0x00 SYN URGP=0

Oct  1 18:17:07 [kernel] FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=84.57.59.93 DST=84.57.7.155 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=42366 DF PROTO=TCP SPT=2740 DPT=135 WINDOW=64800 RES=0x00 SYN URGP=0

Oct  1 18:17:17 [kernel] FIREWALL DROP BLOCKED:IN=ppp0 OUT= MAC= SRC=148.221.217.70 DST=84.57.7.155 LEN=78 TOS=0x00 PREC=0x00 TTL=105 ID=54319 PROTO=UDP SPT=1025 DPT=137 LEN=58

```

now as you can see, two of those ips in there were using passive and it's trying to use a port on my side of 1025 and 1029; now these ports are not enabled anywhere on my firewall, i set up a range of 14000:14500, i still don't know how to tell it to use that range.

anyway, problem is not so much ftp, that can be fixed later. problem now is getting the firewall running again and then getting the client to connect to the outside world.  :Sad: .  i find it hard to believe no one else has ftp problems with iptables, i can't see anything on google for help or here.

thanx for any advice.

hobbes-x, can you maybe post your iptables script so i have something to work on, do you use ftp with/without passive?

----------

## Hobbes-X

Yeah- I can post mine once I get home tonight... Those error messages look familiar, might be the split lines problem I was having.

I have the FTP modules compiled into the kernel, and that same section commented out. I haven't checked carefully enough to see if FTP's working completely- only just got my first NATing system setup about a week ago   :Smile: 

I'm betting the FTP issues will clear up once the others are straightened out- sounds like all traffic is being munged up somewhere.

----------

## nadsys

ok, got them loading as modules now BUT this is what i get when script executes them.

```
Inserting module ip_nat_ftp
WARNING: Error inserting ip_conntrack (/lib/modules/2.6.8-gentoo-r3/kernel/net/ipv4/netfilter/ip_conntrack.ko): Device or resource busy
Inserting module ip_conntrack_ftp
WARNING: Error inserting ip_conntrack (/lib/modules/2.6.8-gentoo-r3/kernel/net/ipv4/netfilter/ip_conntrack.ko): Device or resource busy
```

i do an lsmod BEFORE starting the firewall script and they're not there, do it AFTER and they are there. so if they're busy, is that a hint that the kernel is still loading them even though i took them out of my kernel and made them M in menuconfig since?

how can i check they're not part of the kernel? i looked at /usr/src/linux/.config, says m next to what i specified, so all should be ok. but isn't lol. please help, it's doing my head in.

----------

## Hobbes-X

Ok- here's my current set of rules for iptables:

```

#!/bin/sh 

# 

# ********** VARIABLE DEFINITIONS ********** 

# 

# External interface 

EXTIF="eth0" 

# Internal interface 

INTIF="eth1" 

# Loop device/localhost 

LPDIF="lo" 

LPDIP="127.0.0.1" 

LPDMSK="255.0.0.0" 

LPDNET="$LPDIP/$LPDMSK" 

# Text tools variables 

IPT="/sbin/iptables" 

IFC="/sbin/ifconfig" 

G="/bin/grep" 

SED="/bin/sed" 

AWK="/bin/awk" 

# Setting up external interface environment variables 

# The following doesn't play nice with localization 

#EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`" 

# This one does AFAIK 

EXTIP="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"

#EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`" 

EXTBC="255.255.255.255" 

# same problem here with localization 

EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`" 

EXTMSK="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"

EXTNET="$EXTIP/$EXTMSK" 

echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET" 

# Due to absence of EXTBC I manually set it to 255.255.255.255 

# this (hopefully) will serve the same purpose 

# Setting up environment variables for internal interface 

INTIP="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"

INTBC="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[3],a," ");print a[1];exit}'`"

INTMSK="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"

INTNET="$INTIP/$INTMSK" 

# Report discovered interfaces & masks:

#echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET" 

# Last but not least, the users for owner matching 

#P2PUSER="ole" 

# ********** INITIALIZATION ********** 

# 

# Deny then accept: this keeps holes from opening up 

# while we close ports and such 

$IPT        -P INPUT       DROP 

$IPT        -P OUTPUT      DROP 

$IPT        -P FORWARD     DROP 

#IPT        -P INPUT       ACCEPT 

#IPT        -P OUTPUT      ACCEPT 

#IPT        -P FORWARD     ACCEPT 

# Flush all existing chains and erase personal chains 

CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null` 

for i in $CHAINS; 

do 

    $IPT -t $i -F 

done 

for i in $CHAINS; 

do 

    $IPT -t $i -X 

done 

# enable syncookies & ignore icmp broadcasts 

echo 1 > /proc/sys/net/ipv4/tcp_syncookies 

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 

# Source Address Verification 

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do 

        echo 1 > $f 

done 

# Disable IP source routing and ICMP redirects 

for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do 

        echo 0 > $f 

done 

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do 

        echo 0 > $f 

done 

# Log Martians 

for i in /proc/sys/net/ipv4/conf/*/log_martians ; do 

        echo 1 > $i 

done 

# activate forwarding & dynamic address 

echo 1 > /proc/sys/net/ipv4/ip_forward 

echo 1 > /proc/sys/net/ipv4/ip_dynaddr 

# Following lines commented out, since I have these compiled

# directly into the kernel, rather than as modules.

# 

# Loading necessary kernel modules 

# example: MODULES="ip_nat_ftp ip_conntrack_ftp" 

#MODULES="ipt_owner" 

#for i in $MODULES; 

#do 

#  echo "Inserting module $i" 

#  modprobe $i 

#done 

# ********** LOGGING CHAINS ********** 

# 

# We are now going to create a few custom chains that will result in 

# logging of dropped packets. This will enable us to avoid having to 

# enter a log command prior to every drop we wish to log. The 

# first will log drops, the other will log rejects.

# Do not complain if chain already exists (so restart is clean) 

$IPT -N DROPl   2> /dev/null 

$IPT -A DROPl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP BLOCKED:'

$IPT -A DROPl   -j DROP 

$IPT -N REJECTl 2> /dev/null 

$IPT -A REJECTl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT BLOCKED:'

$IPT -A REJECTl -j REJECT 

$IPT -N DROP2   2> /dev/null 

$IPT -A DROP2 -m limit --limit 3/second --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP UNKNOWN:'

$IPT -A DROP2   -j DROP 

$IPT -N REJECT2 2> /dev/null 

$IPT -A REJECT2 -m limit --limit 3/second --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT UNKNOWN:'

$IPT -A REJECT2 -j REJECT 

# For testing, a logging ACCEPT chain 

$IPT -N ACCEPTl   2> /dev/null 

$IPT -A ACCEPTl -m limit --limit 10/second --limit-burst 50 -j LOG --log-prefix 'FIREWALL ACCEPT:'

$IPT -A ACCEPTl   -j ACCEPT 

# ********** SANE COMMON RULES ********** 

# 

# Now we are going to accept all traffic from or to our loopback device 

# if the IP matches any of our interfaces. 

$IPT -A INPUT   -i $LPDIF -s   $LPDIP  -j ACCEPT 

$IPT -A INPUT   -i $LPDIF -s   $EXTIP  -j ACCEPT 

$IPT -A INPUT   -i $LPDIF -s   $INTIP  -j ACCEPT 

$IPT -A OUTPUT   -o $LPDIF -d   $LPDIP  -j ACCEPT 

$IPT -A OUTPUT   -o $LPDIF -d   $EXTIP  -j ACCEPT 

$IPT -A OUTPUT   -o $LPDIF -d   $INTIP  -j ACCEPT 

# Blocking Broadcasts 

$IPT -A INPUT   -i $EXTIF -d   $EXTBC  -j DROPl 

$IPT -A INPUT   -i $INTIF -d   $INTBC  -j DROPl 

$IPT -A OUTPUT  -o $EXTIF -d   $EXTBC  -j DROPl 

$IPT -A OUTPUT  -o $INTIF -d   $INTBC  -j DROPl 

$IPT -A FORWARD -o $EXTIF -d   $EXTBC  -j DROPl 

$IPT -A FORWARD -o $INTIF -d   $INTBC  -j DROPl 

# Block WAN access to internal network 

# This also stops nefarious crackers from using our network as a 

# launching point to attack other people 

# iptables translation: 

# "if input coming into our external interface is not addressed to our

# ISP-assigned IP address, drop it like a hot potato"

$IPT -A INPUT   -i $EXTIF -d ! $EXTIP  -j DROPl 

# Now we will block internal addresses originating from anything but our 

# predefined interface.....just remember that if you jack your 

# laptop or another pc into one of these NIC's directly, you'll need 

# to ensure that they either have the same ip or that you add a line

# explicitly allowing that IP as well

# Interface one/internal net one 

$IPT -A INPUT   -i $INTIF -s ! $INTNET -j DROPl 

$IPT -A OUTPUT  -o $INTIF -d ! $INTNET -j DROPl 

$IPT -A FORWARD -i $INTIF -s ! $INTNET -j DROPl 

$IPT -A FORWARD -o $INTIF -d ! $INTNET -j DROPl 

# An additional Egress check 

$IPT -A OUTPUT  -o $EXTIF -s ! $EXTNET -j DROPl 

# Block outbound ICMP (except for PING) 

$IPT -A OUTPUT  -o $EXTIF -p icmp  --icmp-type ! 8 -j DROPl 

$IPT -A FORWARD -o $EXTIF -p icmp  --icmp-type ! 8 -j DROPl 

# Allow to ping out 

$IPT -A OUTPUT  -o $EXTIF -p icmp -s $EXTIP  --icmp-type 8 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -i $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT

# Allow internal network to ping internal systems 

$IPT -A OUTPUT  -o $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT

$IPT -A INPUT   -i $INTIF -p icmp -s $INTNET --icmp-type 8 -m state --state NEW -j ACCEPT

# ********** BLOCKING THE EVIL PORTS ********** 

# 

# COMmon ports: 

# 0 is tcpmux; SGI had vulnerability, 1 is common attack 

# 13 is daytime 

# 98 is Linuxconf 

# 111 is sunrpc (portmap) 

# 135 is DCOM RPC 

# 137:139, 445 is Microsoft 

# SNMP: 161,2 

# Squid flotilla: 3128, 8000, 8008, 8080 

# 1214 is Morpheus or KaZaA 

# 2049 is NFS 

# 3049 is very virulent Linux Trojan, mistakable for NFS 

# Common attacks: 1999, 4329, 6346 (gnutella - removed) 

# Common Trojans 12345 65535 

#INTCOMBLOCK="0:1 13 98 111 135 161:162 1214 1999 2049 3049 4329 3128 8000 8008 8080 12345 65535"

INTCOMBLOCK="0:1 13 98 135 161:162 1999 2049 3049 4329 3128 8000 8008 8080 12345 65535"

EXTCOMBLOCK="137:139 445" 

# TCP ports: 

# 512-515 is rexec, rlogin, rsh, printer(lpd)

#   [very serious vulnerabilities; attacks continue daily] 

# 1080 is Socks proxy server 

# 6000 is X (NOTE X over SSH is secure and runs on TCP 22) 

# Block 6112 (Sun's/HP's CDE) 

INTTCPBLOCK="$INTCOMBLOCK 512:515 1080 6000:6009 6112" 

EXTTCPBLOCK="$INTCOMBLOCK $EXTCOMBLOCK 512:515 1080 6000:6009 6112"

# UDP ports: 

# 161:162 is SNMP 

# 520=RIP, 9000 is Sangoma 

# 517:518 are talk and ntalk (more annoying than anything) 

INTUDPBLOCK="$INTCOMBLOCK 161:162 520 517:518 1427 9000" 

EXTUDPBLOCK="$INTCOMBLOCK $EXTCOMBLOCK 161:162 520 123 517:518 1427 9000"

echo "---------------------------------------------------------------------"

echo "FW: Blocking internal attacks to TCP ports: " 

for i in $INTTCPBLOCK; 

do 

echo -n "$i " 

  $IPT -A INPUT   -p tcp -s $INTNET --dport $i  -j DROPl 

  $IPT -A OUTPUT  -p tcp -s $INTNET --dport $i  -j DROPl 

  $IPT -A FORWARD -p tcp -s $INTNET --dport $i  -j DROPl 

done 

echo "" 

echo "---------------------------------------------------------------------"

echo "FW: Blocking external attacks to TCP port: " 

for i in $EXTTCPBLOCK; 

do 

echo -n "$i " 

  $IPT -A INPUT   -p tcp -s ! $INTNET --dport $i  -j DROPl 

  $IPT -A OUTPUT  -p tcp -s ! $INTNET --dport $i  -j DROPl 

  $IPT -A FORWARD -p tcp -s ! $INTNET --dport $i  -j DROPl 

done 

echo "" 

echo "---------------------------------------------------------------------"

echo "FW: Blocking internal attacks to UDP port: " 

for i in $INTUDPBLOCK; 

do 

  echo -n "$i " 

    $IPT -A INPUT   -p udp -s $INTNET --dport $i  -j DROPl 

    $IPT -A OUTPUT  -p udp -s $INTNET --dport $i  -j DROPl 

    $IPT -A FORWARD -p udp -s $INTNET --dport $i  -j DROPl 

done 

echo "" 

echo "---------------------------------------------------------------------"

echo "FW: Blocking external attacks to UDP port: " 

for i in $EXTUDPBLOCK; 

do 

  echo -n "$i " 

    $IPT -A INPUT   -p udp -s ! $INTNET --dport $i  -j DROPl 

    $IPT -A OUTPUT  -p udp -s ! $INTNET --dport $i  -j DROPl 

    $IPT -A FORWARD -p udp -s ! $INTNET --dport $i  -j DROPl 

done 

echo "" 

# ********** ALLOWING INSIDE TO OUTSIDE SERVICES ********** 

# 

# This is where things go you want to use from your network on the 

# internet. We start with defining some common chat clients. Remove

# these from your accepted list for better security. 

#IRC='ircd' 

#MSN=1863 

#ICQ=5190 

#NFS='710 sunrpc'

# We have to sync!! 

PORTAGE='rsync' 

#OpenPGP_HTTP_Keyserver=11371 

#WEBMIN='10000 1046'

#XBOXLIVE='3074 kerberos'

#MYTHTVPORTS="6543 6544 mysql 16140"

#NEWS='nntp'

# All services ports are read from /etc/services 

TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 time $PORTAGE $IRC $WEBMIN $XBOXLIVE $NFS $OpenPGP_HTTP_Keyserver $MYTHTVPORTS $NEWS"

UDPSERV="domain time $XBOXLIVE $NFS $MYTHTVPORTS $NEWS"

echo "---------------------------------------------------------------------"

echo "FW: Allowing inside systems to use services: " 

for i in $TCPSERV; 

do 

   echo -n "$i " 

   $IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP  --dport $i --syn -m state --state NEW -j ACCEPT

   $IPT -A FORWARD -i $INTIF -p tcp -s $INTNET --dport $i --syn -m state --state NEW -j ACCEPT

done 

echo "" 

echo "---------------------------------------------------------------------"

echo "FW: Allowing inside systems to use services: " 

for i in $UDPSERV; 

do 

    echo -n "$i " 

    $IPT -A OUTPUT  -o $EXTIF -p udp -s $EXTIP  --dport $i -m state --state NEW -j ACCEPT

    $IPT -A FORWARD -i $INTIF -p udp -s $INTNET --dport $i -m state --state NEW -j ACCEPT

done 

echo "" 

echo $UDPSERV

# ********** ALLOWING SERVICES ON FIREWALL ********** 

# 

# DAEMONS on firewall which should be accessible to inside/outside. 

# it is presumed that DAEMONS advertised to the outside can also 

# be advertised safely to the inside 

# 

# This is generally NOT A GOOD IDEA (as told by "security experts") 

# since if some service on this machine gets hacked, the firewall is 

# compromised as well, but what the heck  it's only a home network 

# 

# 50369 is my p2p port 

# microsoft-ds is for samba 

# 5901 is vnc 

# domain is nameserver 

# ntp is for timeserving 

#VNC="5950:5984"

EXTTCPDAEMONS="ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 $WEBMIN $VNC"

INTTCPDAEMONS="$EXTTCPDAEMONS microsoft-ds 5901 $MYTHTVPORTS $NFS $PORTAGE"

EXTUDPDAEMONS="" 

INTUDPDAEMONS="$EXTUDPDAEMONS domain ntp $MYTHTVPORTS $NFS"

echo "---------------------------------------------------------------------"

echo "FW: Allowing external systems to use tcp services on localhost: " 

for i in $EXTTCPDAEMONS; 

do 

   echo -n "$i " 

   $IPT -A INPUT -i $EXTIF -p tcp -d $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT

done 

echo "" 

echo "---------------------------------------------------------------------"

echo "FW: Allowing internal systems to use tcp services on localhost: " 

for i in $INTTCPDAEMONS; 

do 

   echo -n "$i " 

   $IPT -A INPUT -i $INTIF -p tcp -d $INTIP --dport $i --syn -m state --state NEW -j ACCEPT 

done 

echo "" 

echo "---------------------------------------------------------------------"

echo "FW: Allowing external systems to use udp services on localhost: " 

for i in $EXTUDPDAEMONS; 

do 

    echo -n "$i " 

    $IPT -A INPUT -i $EXTIF -p udp -d $EXTIP --dport $i -m state --state NEW -j ACCEPT

done 

echo "" 

echo "---------------------------------------------------------------------"

echo "FW: Allowing internal systems to use udp services on localhost: " 

for i in $INTUDPDAEMONS; 

do 

    echo -n "$i " 

    $IPT -A INPUT -i $INTIF -p udp -d $INTIP --dport $i -m state --state NEW -j ACCEPT

done 

echo "" 

echo "---------------------------------------------------------------------"

# Allowing access to internal services from localhost

echo "FW: Allowing localhost to use tcp services on internal systems: "

for i in $INTTCPDAEMONS;

do

    echo -n "$i "

# 

    $IPT -A OUTPUT -o $INTIF -p tcp -d $INTNET --dport $i  -m state --state NEW -j ACCEPT

done

echo ""

# ********** ALLOWING P2P FROM FIREWALL ********** 

# 

# Even worse idea :) 

# 

# Allowing all packages generated by processes owned by the P2PUSER out 

#$IPT -A OUTPUT -o $EXTIF -d ! $INTNET -m owner --uid-owner $P2PUSER -j ACCEPT

# ********** FINALIZING NAT & FIREWALL ********** 

# 

# Setup NAT 

$IPT -t nat -A PREROUTING                       -j ACCEPT 

$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE 

$IPT -t nat -A POSTROUTING                      -j ACCEPT 

$IPT -t nat -A OUTPUT                           -j ACCEPT 

# allow existing connections 

iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT 

iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT 

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 

# block and log what we may have forgotten

$IPT -A INPUT             -j DROP2 

$IPT -A OUTPUT            -j REJECT2 

$IPT -A FORWARD           -j DROP2 

```

It's kind of ugly, I'm still working on cleaning it up a bit.  (For example, I'm not sure whether some services require UDP or not, so I just left them in.)

Line wraps will probably be an issue here too-  I've added a '->' where the line has wrapped. I also added some lines of dashes to the output, since all the ports getting strung together made it hard to read the script's output while I was changing lines.

----------

## nadsys

ok, small bit of success finally. i can connect to my friend now on port 21 without passive on.

still can't get to the outside world with my client machines though  :Sad: .

that warning message i just ignored, it still loads modules. so it now works to a degree.

port 21 successful connection looks like:

```
Connected to HisIP:21
220 HisName
USER  HisUsername
331 Password required for HisUsername.
PASS xxxx
230-Set you retry time to 120 seconds or be banned for a week.
230-
230-You have been warned.
230 User leech logged in.
SYST
215 UNIX Type: L8
TYPE I
200 Type set to I.
PWD
257 "/" is current directory.
PORT 84,57,5,173,130,77
200 Port command successful.
LIST -aL
150 Opening data connection for directory list.
226 Transfer ok
```

then i try other servers not using port 21 and i get the same as before,

with pasv on:

```
227 Entering Passive Mode (**,***,**,***,102,157).
Cannot create a data connection: Connection refused
```

with pasv off:

```
LIST -a
150 Opening data connection for directory list.
Disconnecting from site **.***.**.***
```

this shows me on the pasv side it's using local port 102 and server port 157, now port 102 isn't open on my server, i want it to use a port between 14000:14500 like my variables above show. any idea?
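The six numbers in a PORT command or a 227 reply are four address octets followed by two port bytes, and the last two together make one 16-bit port (p1*256 + p2), so "102,157" is port 26269. In passive mode that is the server's port and the client connects to it; in active mode (PORT) it is the client's port and the server connects back. The added example below (not nadsys's script, not from the thread) decodes the tuple and checks whether the decoded port falls in the 14000:14500 range nadsys mentions; the sample lines are constructed from the session quoted above, with a documentation address in place of the masked one.

```shell
#!/bin/sh
# Added example, not part of the thread: decode the h1,h2,h3,h4,p1,p2 tuple
# that FTP carries in a PORT command (client tells the server where to
# connect) or a "227 Entering Passive Mode" reply (server tells the client
# where to connect). The last two numbers are one 16-bit port, p1*256 + p2.
# That is the port the data connection goes to, and the one a passive-port
# rule on the server side has to cover.

# Passive range from the thread (assumed value, as nadsys describes it)
PASV_RANGE="14000:14500"

# true if $1 is a decimal number in 0..255
is_octet() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -le 255 ]
}

# port number from the last two tuple fields: p1*256 + p2
ftp_data_port() {
    is_octet "$1" && is_octet "$2" || return 1
    echo $(( $1 * 256 + $2 ))
}

# "h1,h2,h3,h4,p1,p2" -> "h1.h2.h3.h4 port"; fails on a malformed tuple
ftp_decode_tuple() {
    set -- $(printf '%s' "$1" | tr ',' ' ')
    [ $# -eq 6 ] || return 1
    for n in "$@"; do is_octet "$n" || return 1; done
    echo "$1.$2.$3.$4 $(ftp_data_port "$5" "$6")"
}

# pull the tuple out of a full PORT command or 227 reply line:
# blank out everything except digits and commas, keep the 6-field group
ftp_line_tuple() {
    printf '%s\n' "$1" | tr -c '0-9,\n' ' ' |
        awk '{ for (i = 1; i <= NF; i++) if (split($i, p, ",") == 6) { print $i; exit } }'
}

# true if port $1 lies inside range $2 written as lo:hi (iptables --dport style)
port_in_range() {
    lo=${2%%:*}; hi=${2##*:}
    [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]
}

# Constructed lines in the shape of the session quoted above
for line in "PORT 84,57,5,173,130,77" "227 Entering Passive Mode (198,51,100,9,102,157)."; do
    tuple=$(ftp_line_tuple "$line")
    decoded=$(ftp_decode_tuple "$tuple") || { echo "undecodable: $line"; continue; }
    set -- $decoded
    if port_in_range "$2" "$PASV_RANGE"; then where=inside; else where=outside; fi
    printf '%-48s -> %s port %s (%s %s)\n' "$line" "$1" "$2" "$where" "$PASV_RANGE"
done
```

Both sample ports decode to values well outside 14000:14500, which is why a rule that only opens that range never matches them; with ip_conntrack_ftp loaded the data connection is instead accepted as RELATED by the ESTABLISHED,RELATED rules.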

----------

## nadsys

script as of 02.10.2004:

#!/bin/sh

#

# ********** VARIABLE DEFINITIONS **********

#

# External interface

EXTIF="ppp0"

# Internal interface

INTIF="eth1"

# Loop device/localhost

LPDIF="lo"

LPDIP="127.0.0.1"

LPDMSK="255.0.0.0"

LPDNET="$LPDIP/$LPDMSK"

# Text tools variables

IPT="/sbin/iptables"

IFC="/sbin/ifconfig"

G="/bin/grep"

SED="/bin/sed"

AWK="/bin/awk"

# Last but not least, the users

nads=192.168.0.9

lee=192.168.0.10

# Setting up external interface environment variables

# The following doesn't play nice with localization

#EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"

# This one does AFAIK

EXTIP="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"

#EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"

EXTBC="255.255.255.255"

# same problem here with localization

EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"

EXTMSK="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"

EXTNET="$EXTIP/$EXTMSK"

echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"

# Due to absence of EXTBC I manually set it to 255.255.255.255

# this (hopefully) will serve the same purpose

# Setting up environment variables for internal interface

INTIP="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"

#INTIP="`$IFC $INTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"

INTBC="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[3],a," ");print a[1];exit}'`"

#INTBC="`$IFC $INTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"

INTMSK="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"

#INTMSK="`$IFC $INTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"

INTNET="$INTIP/$INTMSK"

echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET"

# ********** INITIALIZATION **********

#

# Deny then accept: this keeps holes from opening up

# while we close ports and such

$IPT        -P INPUT       DROP

$IPT        -P OUTPUT      DROP

$IPT        -P FORWARD     DROP

#IPT        -P INPUT       ACCEPT

#IPT        -P OUTPUT      ACCEPT

#IPT        -P FORWARD     ACCEPT

# Flush all existing chains and erase personal chains

CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`

for i in $CHAINS;

do

    $IPT -t $i -F

done

for i in $CHAINS;

do

    $IPT -t $i -X

done

# enable syncookies & ignore icmp broadcasts

echo 1 > /proc/sys/net/ipv4/tcp_syncookies

echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Source Address Verification

for f in /proc/sys/net/ipv4/conf/*/rp_filter; do

        echo 1 > $f

done

# Disable IP source routing and ICMP redirects

for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do

        echo 0 > $f

done

for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do

        echo 0 > $f

done

# Log Martians

for i in /proc/sys/net/ipv4/conf/*/log_martians ; do

        echo 1 > $i

done

# activate forwarding & dynamic address

echo 1 > /proc/sys/net/ipv4/ip_forward

echo 1 > /proc/sys/net/ipv4/ip_dynaddr

# Loading necessary kernel modules

# example: MODULES="ip_nat_ftp ip_conntrack_ftp"

MODULES="ip_nat_ftp ip_conntrack_ftp"

for i in $MODULES;

do

  echo "Inserting module $i"

  modprobe $i

done

# ********** LOGGING CHAINS **********

#

# We are now going to create a few custom chains that will result in

# logging of dropped packets. This will enable us to avoid having to

# enter a log command prior to every drop we wish to log. The

# first will log drops, the other will log rejects.

# Do not complain if chain already exists (so restart is clean)

$IPT -N DROPl   2> /dev/null

$IPT -A DROPl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP BLOCKED:'

$IPT -A DROPl   -j DROP

$IPT -N REJECTl 2> /dev/null

$IPT -A REJECTl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT BLOCKED:'

$IPT -A REJECTl -j REJECT

$IPT -N DROP2   2> /dev/null

$IPT -A DROP2 -m limit --limit 3/second --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP UNKNOWN:'

$IPT -A DROP2   -j DROP

$IPT -N REJECT2 2> /dev/null

$IPT -A REJECT2 -m limit --limit 3/second --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT UNKNOWN:'

$IPT -A REJECT2 -j REJECT

# For testing, a logging ACCEPT chain

$IPT -N ACCEPTl   2> /dev/null

$IPT -A ACCEPTl -m limit --limit 10/second --limit-burst 50 -j LOG --log-prefix 'FIREWALL ACCEPT:'

$IPT -A ACCEPTl   -j ACCEPT

# ********** SANE COMMON RULES **********

#

# Now we are going to accept all traffic from or to our loopback device

# if the IP matches any of our interfaces.

$IPT -A INPUT   -i $LPDIF -s   $LPDIP  -j ACCEPT

$IPT -A INPUT   -i $LPDIF -s   $EXTIP  -j ACCEPT

$IPT -A INPUT   -i $LPDIF -s   $INTIP  -j ACCEPT

$IPT -A OUTPUT   -o $LPDIF -d   $LPDIP  -j ACCEPT

$IPT -A OUTPUT   -o $LPDIF -d   $EXTIP  -j ACCEPT

$IPT -A OUTPUT   -o $LPDIF -d   $INTIP  -j ACCEPT

# Blocking Broadcasts

$IPT -A INPUT   -i $EXTIF -d   $EXTBC  -j DROPl

$IPT -A INPUT   -i $INTIF -d   $INTBC  -j DROPl

$IPT -A OUTPUT  -o $EXTIF -d   $EXTBC  -j DROPl

$IPT -A OUTPUT  -o $INTIF -d   $INTBC  -j DROPl

$IPT -A FORWARD -o $EXTIF -d   $EXTBC  -j DROPl

$IPT -A FORWARD -o $INTIF -d   $INTBC  -j DROPl

# Block WAN access to internal network

# This also stops nefarious crackers from using our network as a

# launching point to attack other people

# iptables translation:

# "if input coming into our external interface is not addressed to our

# ISP-assigned IP address, drop it like a hot potato"

$IPT -A INPUT   -i $EXTIF -d ! $EXTIP  -j DROPl

# Now we will block internal addresses originating from anything but our

# predefined interface.....just remember that if you jack your

# laptop or another pc into one of these NIC's directly, you'll need

# to ensure that they either have the same ip or that you add a line explicitly

# allowing that IP as well

# Interface one/internal net one

$IPT -A INPUT   -i $INTIF -s ! $INTNET -j DROPl

$IPT -A OUTPUT  -o $INTIF -d ! $INTNET -j DROPl

$IPT -A FORWARD -i $INTIF -s ! $INTNET -j DROPl

$IPT -A FORWARD -o $INTIF -d ! $INTNET -j DROPl

# An additional Egress check

$IPT -A OUTPUT  -o $EXTIF -s ! $EXTNET -j DROPl

# Block outbound ICMP (except for PING)

$IPT -A OUTPUT  -o $EXTIF -p icmp \

  --icmp-type ! 8 -j DROPl

$IPT -A FORWARD -o $EXTIF -p icmp \

    --icmp-type ! 8 -j DROPl

# Allow to ping out

$IPT -A OUTPUT  -o $EXTIF -p icmp -s $EXTIP  \

    --icmp-type 8 -m state --state NEW -j ACCEPT

$IPT -A FORWARD -i $INTIF -p icmp -s $INTNET \

    --icmp-type 8 -m state --state NEW -j ACCEPT

# Allow internal network to ping internal systems

$IPT -A OUTPUT  -o $INTIF -p icmp -s $INTNET \

    --icmp-type 8 -m state --state NEW -j ACCEPT

$IPT -A INPUT   -i $INTIF -p icmp -s $INTNET \

    --icmp-type 8 -m state --state NEW -j ACCEPT

# ********** BLOCKING THE EVIL PORTS **********

#

# COMmon ports:

# 0 is tcpmux; SGI had vulnerability, 1 is common attack

# 13 is daytime

# 98 is Linuxconf

# 111 is sunrpc (portmap)

# 135 is DCOM RPC

# 137:139, 445 is Microsoft

# SNMP: 161,2

# Squid flotilla: 3128, 8000, 8008, 8080

# 1214 is Morpheus or KaZaA

# 2049 is NFS

# 3049 is very virulent Linux Trojan, mistakable for NFS

# Common attacks: 1999, 4329, 6346 (gnutella - removed)

# Common Trojans 12345 65535

INTCOMBLOCK="0:1 13 22 98 111 135 161:162 1214 1999 2049 3049 4329 3128 8000 8008 8080 12345 65535"

EXTCOMBLOCK="137:139 445"

# TCP ports:

# 512-515 is rexec, rlogin, rsh, printer(lpd)

#   [very serious vulnerabilities; attacks continue daily]

# 1080 is Socks proxy server

# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)

# Block 6112 (Sun's/HP's CDE)

INTTCPBLOCK="$INTCOMBLOCK 512:515 1080 6000:6009 6112"

EXTTCPBLOCK="$INTCOMBLOCK $EXTCOMBLOCK 512:515 1080 6000:6009 6112"

# UDP ports:

# 161:162 is SNMP

# 520=RIP, 9000 is Sangoma

# 517:518 are talk and ntalk (more annoying than anything)

INTUDPBLOCK="$INTCOMBLOCK 161:162 520 517:518 1427 9000"

EXTUDPBLOCK="$INTCOMBLOCK $EXTCOMBLOCK 161:162 520 123 517:518 1427 9000"

# DROPl is the logging drop chain created earlier in this script
echo -n "FW: Blocking internal attacks to TCP port: "
for i in $INTTCPBLOCK; do
  echo -n "$i "
  $IPT -A INPUT   -p tcp -s $INTNET --dport $i -j DROPl
  $IPT -A OUTPUT  -p tcp -s $INTNET --dport $i -j DROPl
  $IPT -A FORWARD -p tcp -s $INTNET --dport $i -j DROPl
done
echo ""

# "! -s" (negation before the option) is the spelling current iptables keeps;
# the "-s !" form the HOWTO used is deprecated and newer builds reject it
echo -n "FW: Blocking external attacks to TCP port: "
for i in $EXTTCPBLOCK; do
  echo -n "$i "
  $IPT -A INPUT   -p tcp ! -s $INTNET --dport $i -j DROPl
  $IPT -A OUTPUT  -p tcp ! -s $INTNET --dport $i -j DROPl
  $IPT -A FORWARD -p tcp ! -s $INTNET --dport $i -j DROPl
done
echo ""

echo -n "FW: Blocking internal attacks to UDP port: "
for i in $INTUDPBLOCK; do
  echo -n "$i "
  $IPT -A INPUT   -p udp -s $INTNET --dport $i -j DROPl
  $IPT -A OUTPUT  -p udp -s $INTNET --dport $i -j DROPl
  $IPT -A FORWARD -p udp -s $INTNET --dport $i -j DROPl
done
echo ""

echo -n "FW: Blocking external attacks to UDP port: "
for i in $EXTUDPBLOCK; do
  echo -n "$i "
  $IPT -A INPUT   -p udp ! -s $INTNET --dport $i -j DROPl
  $IPT -A OUTPUT  -p udp ! -s $INTNET --dport $i -j DROPl
  $IPT -A FORWARD -p udp ! -s $INTNET --dport $i -j DROPl
done
echo ""

# ********** ALLOWING INSIDE TO OUTSIDE SERVICES **********
#
# This is where things go you want to use from your network on the internet
#
# Defining some common chat clients. Remove these from your accepted list for better security.
IRC='ircd'
MSN=1863
NOIP=8245
NFS='sunrpc'
PORTAGE='rsync'
OpenPGP_HTTP_Keyserver=11371
GFTPPORTS="1336 1337 5499 5500 8082 8083 443 444 81 21620 21621"

# Service names are resolved through /etc/services; a name that is not
# there (sshb and glftpd are not standard entries) makes iptables fail
# with "invalid port/service"
TCPSERV="domain sshb ftp ftp-data http https glftpd ntp $PORTAGE $IRC $NOIP $MSN $OpenPGP_HTTP_Keyserver $GFTPPORTS"
UDPSERV="domain ntp"

echo -n "FW: Allowing inside systems to use TCP services: "
for i in $TCPSERV; do
  echo -n "$i "
  $IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP  \
    --dport $i --syn -m state --state NEW -j ACCEPT
  $IPT -A FORWARD -i $INTIF -p tcp -s $INTNET \
    --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""

echo -n "FW: Allowing inside systems to use UDP services: "
for i in $UDPSERV; do
  echo -n "$i "
  $IPT -A OUTPUT  -o $EXTIF -p udp -s $EXTIP  \
    --dport $i -m state --state NEW -j ACCEPT
  $IPT -A FORWARD -i $INTIF -p udp -s $INTNET \
    --dport $i -m state --state NEW -j ACCEPT
done
echo ""

# ********** ALLOWING SERVICES ON FIREWALL **********
#
# DAEMONS on firewall which should be accessible to inside/outside.
# it is presumed that DAEMONS advertised to the outside can also
# be advertised safely to the inside
#
# This is generally NOT A GOOD IDEA (as told by "security experts")
# since if some service on this machine gets hacked, the firewall is
# compromised as well, but what the heck  :Wink:  it's only a home network
#
# 50369 is my p2p port
# microsoft-ds is for samba
# 5901 is vnc
# domain is nameserver
# ntp is for timeserving
GPASV="14000:14500"
# EXTTCPDAEMONS="sshb http https"
EXTTCPDAEMONS="ftp ftp-data sshb auth glftpd $GPASV $GFTPPORTS"
INTTCPDAEMONS="$EXTTCPDAEMONS microsoft-ds 5901"
EXTUDPDAEMONS=""
INTUDPDAEMONS="$EXTUDPDAEMONS domain ntp"

echo -n "FW: Allowing external systems to use tcp services on localhost: "
for i in $EXTTCPDAEMONS; do
  echo -n "$i "
  $IPT -A INPUT -i $EXTIF -p tcp -d $EXTIP  \
    --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""

echo -n "FW: Allowing internal systems to use tcp services on localhost: "
for i in $INTTCPDAEMONS; do
  echo -n "$i "
  $IPT -A INPUT -i $INTIF -p tcp -d $INTIP  \
    --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""

echo -n "FW: Allowing external systems to use udp services on localhost: "
for i in $EXTUDPDAEMONS; do
  echo -n "$i "
  $IPT -A INPUT -i $EXTIF -p udp -d $EXTIP  \
    --dport $i -m state --state NEW -j ACCEPT
done
echo ""

echo -n "FW: Allowing internal systems to use udp services on localhost: "
for i in $INTUDPDAEMONS; do
  echo -n "$i "
  $IPT -A INPUT -i $INTIF -p udp -d $INTIP  \
    --dport $i -m state --state NEW -j ACCEPT
done
echo ""

# ********** FINALIZING NAT & FIREWALL **********
#
# Setup NAT
$IPT -t nat -A PREROUTING                       -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE
$IPT -t nat -A POSTROUTING                      -j ACCEPT
$IPT -t nat -A OUTPUT                           -j ACCEPT

# allow existing connections
$IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# block and log what we may have forgotten
# (DROP2 / REJECT2 are the logging chains created earlier in this script)
$IPT -A INPUT             -j DROP2
$IPT -A OUTPUT            -j REJECT2
$IPT -A FORWARD           -j DROP2
```

----------

## Hobbes-X

Sorry, no ideas for pasv FTP; I'm not too familiar with it. Connecting to the outside should be working though; does pinging out by IP work?

----------

## nadsys

Turned pc2 on, and that connected, so it got me thinking that pc1 must have a client misconfiguration problem. It was running as a server before. So I fixed it by looking in conf.d/net and making its gateway parameters correct, and a few other little things.

I thought I'd checked everywhere; obviously not.

Now to just get passive FTP working. Ohh, the joys of life  :Smile: 

----------
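An added example, not code from nadsys's script or from anyone in the thread. It covers the two things the thread turns on: the forwarding path itself (NAT plus the conntrack FTP helper that passive FTP from the clients will need), produced as a dry run so the rule order can be audited before it is applied, and the client-side check for the fault nadsys actually had, a wrong default route. Interface names follow the script's EXTIF/INTIF; the LAN 192.168.1.0/24, the gateway address 192.168.1.1 and the sample `ip route` lines are made-up values. Unlike the script above, it lets any new outbound connection from the LAN through rather than a per-service list.

```shell
#!/bin/sh
# Added example (not from the thread or its script). Two halves:
#  1. forward_rules / audit_forwarding: the minimum a LAN client needs to
#     get out through this box, including passive FTP, emitted as a dry
#     run so the rule order can be checked before anything is applied;
#  2. client_default_route_ok: the client-side check for the fault nadsys
#     actually had, a wrong default route.
# Interface names follow the script's EXTIF/INTIF; LAN and gateway
# addresses below are assumed values.

EXTIF="${EXTIF:-ppp0}"
INTIF="${INTIF:-eth1}"
INTNET="${INTNET:-192.168.1.0/24}"   # assumed LAN, not the thread's real one
RUN="${RUN:-echo}"                   # dry run prints commands; RUN="" executes them (as root)
IPT="$RUN iptables"

# Emit the rules in the order they must be applied. Passive FTP needs no
# per-port holes: once the ftp helper has parsed the PASV reply on the
# control connection, the data connection is classified RELATED and the
# generic ESTABLISHED,RELATED rule admits it. Unlike the thread's script,
# any new outbound connection from the LAN is allowed here.
forward_rules() {
  $RUN sysctl -w net.ipv4.ip_forward=1
  # helper module; older kernels called it ip_conntrack_ftp
  $RUN modprobe nf_conntrack_ftp || $RUN modprobe ip_conntrack_ftp
  # kernels 4.7 and later do not attach helpers automatically, so bind
  # the ftp helper to LAN-originated control connections explicitly
  $IPT -t raw -A PREROUTING -i "$INTIF" -p tcp --dport 21 -j CT --helper ftp
  $IPT -t nat -A POSTROUTING -o "$EXTIF" -s "$INTNET" -j MASQUERADE
  $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
  $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -s "$INTNET" \
       -m state --state NEW -j ACCEPT
  # anything else crossing the box is dropped; this must come last
  $IPT -A FORWARD -j DROP
}

# Audit a dry-run listing read from stdin for the pieces clients cannot do
# without. Prints each missing item; returns 0 only if all are present.
audit_forwarding() {
  listing="$(cat)"
  status=0
  for need in 'ip_forward=1' 'MASQUERADE' 'FORWARD.*RELATED' 'conntrack_ftp'; do
    if ! printf '%s\n' "$listing" | grep -q "$need"; then
      echo "missing: $need"
      status=1
    fi
  done
  return "$status"
}

# Read `ip route` output from stdin; succeed only if the default route
# points at the gateway's LAN address given as $1.
client_default_route_ok() {
  awk -v gw="$1" '$1 == "default" && $2 == "via" && $3 == gw { found = 1 }
                  END { exit !found }'
}

# Standalone run: print the rule set (or apply it with RUN="").
forward_rules
```

With RUN left at its default the script only prints; compare that output with `iptables-save` on the box before trusting the live ruleset. If glftpd listens somewhere other than port 21 the helper never sees its PASV replies unless told about the port (`modprobe nf_conntrack_ftp ports=21,<port>`). On kernels before 4.7 the helper attaches automatically, so the raw-table CT line is optional there (and unavailable on kernels too old to have the CT target at all). On the client, `ip route | sh -c 'client_default_route_ok <gateway>'` is the quick version of the check nadsys ended up doing by hand in conf.d/net.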

