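#!/bin/bash
# /etc/init.d/my_iptables -- 02-09-05
# an iptables-based packet-filtering script for the server of my
# diskless-clients network (http://homex.subnet.at/~max/diskless/)
#
# eth0: interface to internet (configured as dhcp-client)
# eth1: interface to local net (static 192.168.0.0/24)
#
# remember: outgoing traffic is filtered too...
#
# Must run as root: it writes to /proc/sys and to the kernel packet filter.
# Bash (not /bin/sh) is required: the sysctl loop below relies on {a,b,c}
# brace expansion, which dash does not perform -- under sh the loop would
# try to write to one literal, non-existent path instead of three files.

# -e: a rule that iptables rejects aborts the script instead of being
#     skipped silently; -u: typos in variable names are errors.
set -eu

PATH=/usr/sbin:/sbin:/usr/bin:/bin
export PATH

IPT=/sbin/iptables
[ -x "$IPT" ] || exit 1

# Ports used by Windows networking (NetBIOS 137-139, SMB 445); dropped in
# every chain so they are neither accepted, sent, nor forwarded on eth0.
WIN_PORTS=137,138,139,445

printf '%s\n' 'Setting up IPTABLES...'

##### Kernel-Tuning ###########################################################
# we don't want packets with source-routing set (the sender decided which
# route the packet should go); we don't allow somebody else to change our
# routing table (and we don't try to change somebody else's one)
for i in /proc/sys/net/ipv4/conf/*/{accept_source_route,accept_redirects,send_redirects}; do
  echo 0 >"$i"
done
# ignore ping's to all machines at once via sending request to broadcast address
echo 1 >/proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# activate general ip-packet forwarding
echo 1 >/proc/sys/net/ipv4/ip_forward

##### POLICIES ################################################################
# Policies are set before the flush so there is no window during the rebuild
# in which FORWARD accepts everything.
# INPUT/OUTPUT stay ACCEPT: this script only blacklists on the host itself.
# FORWARD is DROP: the explicit ACCEPT rules in the FORWARD chain are what
# define which traffic may cross between eth1 and eth0 -- with an ACCEPT
# policy those rules would be no-ops and every direction would be forwarded.
"$IPT" -P INPUT ACCEPT
"$IPT" -P OUTPUT ACCEPT
"$IPT" -P FORWARD DROP

# flush (delete) all currently existing rules -- in the nat table as well,
# otherwise every re-run of this script appends one more MASQUERADE rule
"$IPT" -F
"$IPT" -t nat -F

##### INPUT-Chain #############################################################
#
# FOR TESTING ONLY: allow nameserver-answers from everywhere
# $IPT -A INPUT -p udp --sport 53 -j ACCEPT
#
# FOR TESTING ONLY: allow _everything_ incoming!
# $IPT -A INPUT -j ACCEPT
#
# FOR TESTING ONLY: log all packets
# $IPT -A INPUT -j LOG

# allow everything from loopback device
"$IPT" -A INPUT -i lo -j ACCEPT

# if -m state is to be used: allow recognized connections
# (using this, the "accept non-SYN-packets on ports >1023" are NOT needed
# anymore for normal networking traffic such as mail, web and everything else)
"$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# block SMTP from either network
"$IPT" -A INPUT -i eth0 -p tcp --dport 25 -j REJECT --reject-with tcp-reset
"$IPT" -A INPUT -i eth1 -p tcp --dport 25 -j REJECT --reject-with tcp-reset

# auth-queries are rejected (with a message to the sender).
# this makes logins much faster to servers which do an ident-lookup
# (most IRC-servers for example).
"$IPT" -A INPUT -p tcp --dport auth -j REJECT --reject-with tcp-reset

# some things happen too often to be logged...
# windows traffic (137, 138, 139, 445) arriving from the internet.
# INPUT only knows the *incoming* interface, so the match must be -i eth0:
# iptables refuses "-o" in the INPUT chain, so a rule written with -o is
# rejected at load time and never filters anything.
for proto in udp tcp; do
  "$IPT" -A INPUT -i eth0 -p "$proto" -m multiport --dport "$WIN_PORTS" -j DROP
  "$IPT" -A INPUT -i eth0 -p "$proto" -m multiport --sport "$WIN_PORTS" -j DROP
done

# log the rest
#$IPT -A INPUT -j LOG

##### OUTPUT-Chain ###########################################################
#$IPT -A OUTPUT -j ACCEPT
#$IPT -A OUTPUT -j LOG

# block windows-network traffic to eth0
for proto in udp tcp; do
  "$IPT" -A OUTPUT -o eth0 -p "$proto" -m multiport --dport "$WIN_PORTS" -j DROP
  "$IPT" -A OUTPUT -o eth0 -p "$proto" -m multiport --sport "$WIN_PORTS" -j DROP
done

##### FORWARD-Chain ###########################################################
# FOR TESTING ONLY: log all packets
#$IPT -A FORWARD -j LOG

# explicitly drop Windows' network traffic -- placed before the ACCEPT rules
# below so it is never masqueraded out to the internet
for proto in udp tcp; do
  "$IPT" -A FORWARD -o eth0 -p "$proto" -m multiport --dport "$WIN_PORTS" -j DROP
  "$IPT" -A FORWARD -o eth0 -p "$proto" -m multiport --sport "$WIN_PORTS" -j DROP
done

### OUTGOING packets: the local net may open new connections towards eth0
"$IPT" -A FORWARD -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

### INCOMING packets: only replies to connections the local net opened
"$IPT" -A FORWARD -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT

# enable masquerading: nat-table!
"$IPT" -t nat -A POSTROUTING -o eth0 -j MASQUERADE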