Gentoo's Bugzilla – Attachment 7871 Details for Bug 14761: network services should use iptables
Simple script for initialising iptables the first time.
init_iptables-1.4 (text/plain), 12.40 KB, created by Guy on 2003-02-02 20:55:32 UTC

Description: Simple script for initialising iptables the first time.
Filename: init_iptables-1.4
MIME Type: text/plain
Creator: Guy
Created: 2003-02-02 20:55:32 UTC
Size: 12.40 KB
Flags: patch, obsolete
#!/bin/sh

################################################################################
#
# Technical Author: mbcx8nlp (did all the hard work)
# Comment Author:   guycad   (made all the n00b comments)
#
# Released under the GPL version 2.
#
# Version:
#   1.4 - 2002, Nov 26.
#
################################################################################

################################################################################
#
# A simple example iptables script
#
# This script is geared for single computer, home LAN and small
# office users.
#
# Primary assumption made is that the local network (if there is one)
# is comprised of 'trusted' computers.
#
# If in doubt, the default settings are usually safest. However, it is
# suggested that before you start making your settings, you should read
# all the comments here to better understand what information you need.
#
################################################################################

################################################################################
#
# Constants  These should work as is for most people
#
# IPT        The location where your 'iptables' program lives. Change ONLY
#            if you know proof positive that your 'iptables' program is
#            located elsewhere.
#
# RESERVD    A list of IP addresses that are either defined (in RFC1918) or
#            for M$'s UPnP service. By definition, these addresses are for
#            use ONLY on private networks. This list should never be changed.
#
################################################################################

### location of iptables binary
IPT="/sbin/iptables"

### RFC1918 (reserved) subnets dropped
RESERVD="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16"


################################################################################
#
# Edit these if necessary, leave empty ones empty if N/A
#
# RESP       Only DROP or REJECT are valid values. DROP gives you "stealth",
#            REJECT will reply that the port is unavailable and is RFC
#            (standards) compliant :) Lawrence Baldwin (of www.netwatchman.org)
#            has some evidence that at least some port scanning 'bots will not
#            scan your machine for other open ports if your machine is not
#            'pingable'. IE: You are running in stealth mode.
#
# LOG        0 or 1 are valid values. If you plan on sending your logs to
#            organizations like www.mynetwatchman.com (recommended) or if you
#            want to inspect logs of rejected traffic yourself, set to 1.
#            Otherwise set to 0. Go to http://www.mynetwatchman.org for more
#            information.
#
# LOG_LVL    The log level of the syslog messages generated. Default should
#            be ok.
#
# DHCP       Do not set this if you use ppp or pppoe/a (all dialup and most
#            ADSL modems). If your ISP dynamically assigns your IP address from
#            their DHCP server (most cable modems), then enter your ISP's DHCP
#            server address. If you have more than one DHCP server address you
#            may enter multiple addresses separated by spaces. You may be able
#            to get the address(es) by executing the following in a terminal:
#
#            grep DHCPSID `locate *dhcpcd*.info` | cut -d = -f 2
#
# WAN        This is the interface your computer uses to connect to the
#            Internet. Set this to 'ppp0' if you use either ppp or pppoe/a.
#            Set this to 'eth0' if you have only 1 ethernet card and you're
#            NOT using ppp or pppoe. If you have two ethernet cards (as when
#            you're using your computer as a NAT router for your network),
#            set this to either 'eth0' or 'eth1' depending on whether your
#            broadband (cable or ADSL) modem is connected to your first or
#            second ethernet card respectively.
#
# LAN        Set this to the interface connected to your local network. This
#            is only if you either 1) have two ethernet cards or 2) have set
#            WAN="pppX" and have an ethernet card attached to a local network.
#            If you have only a single ethernet card attached to a cable
#            modem, then leave this null.
#
# NAT        Set this to 1 only if you're using this computer as a NAT router
#            (i.e. sharing your internet connection).
#
# PING       Set this to 1 to become 'pingable' from the Internet.
#
################################################################################

### What to do with unwanted packets? DROP or REJECT?
RESP="DROP"

### Do we log stuff we reject / drop? Set to 1 to turn on logging
LOG=1

### What level do we log at?
LOG_LVL="warn"

### ISP's DHCP server address (do not define for LAN based DHCP)
DHCP=""

### WAN = WAN interface (e.g. "ppp0", "eth0", etc) *must be defined*
WAN="ppp0"

### LAN interface - leave blank ("") if not multi-homed
LAN="eth0"

### Set to 1 if you want this box to do NAT
NAT=0

### Set to 1 if you want to be 'pingable' from the WAN
PING=0

################################################################################
#
# Set kernel params
#
################################################################################

### Uncomment if this box routes traffic (not NAT)
# echo 1 > /proc/sys/net/ipv4/ip_forward

### Don't want src routed stuff or icmp redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

### Don't want to respond to ICMP echo broadcasts
### (1 = ignore them; the original 1.4 script wrote 0 here, which still answers them)
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

### Do want reverse path filtering (unless you use FreeS/WAN!)
echo 1 > "/proc/sys/net/ipv4/conf/$WAN/rp_filter"


################################################################################
#
# Iptables config
#
# Flush Rules      Clear all the rules currently in iptables.
#
# Permit Loopback  This permits this computer to talk to itself.
#
# Permit LAN       If LAN is set (from above) then allow all traffic from
#                  other computers on the local network. If LAN is not set
#                  and $WAN is an ethernet device with a reserved, private
#                  address it is presumed that you are behind a NAT device
#                  and would like to permit traffic from the subnet in which
#                  you reside.
#
# Reserved         Any packets received from private addresses which appear
#                  from the WAN (Internet) are invalid by definition (someone
#                  may be 'spoofing' a fake IP address). Log (if set) and
#                  drop the packet.
#
# Malformed Stuff  Incomplete or internally inconsistent packets can be
#                  stealth scans or other malicious activity. Log these (if
#                  logging is set) and drop the packets.
#
# DHCP             If DHCP is set, then accept UDP packets at port 67 from
#                  the DHCP server(s) only.
#
# Handle Return    Accept all traffic that is part of a conversation
# Traffic          initiated by us.
#
# Pingable         Uncomment to become "pingable"
#
################################################################################

### flush all rules and delete all user chains
echo ' '
echo 'flush all rules and delete all user chains'
$IPT -t nat -F
$IPT -t nat -X
$IPT -F
$IPT -X
echo 'done'

### permit loopback
echo ' '
echo 'permit loopback'
$IPT -A INPUT -i lo -j ACCEPT
echo 'done'

### permit LAN
echo ' '
echo "permit LAN $LAN"
if [ -n "$LAN" ]
then
    echo ' '
    echo "  $IPT -A INPUT -i $LAN -j ACCEPT"
    $IPT -A INPUT -i "$LAN" -j ACCEPT
    echo 'done'
else

    # if WAN is an ethernet device with a private address, presume the subnet
    # in which it resides is a LAN that should be permitted.

    echo ' '
    echo "  checking WAN for eth: $WAN"
    if echo "$WAN" | grep -q 'eth'
    then
        # ifconfig output of the era: "inet addr:A.B.C.D  Bcast:...  Mask:M.M.M.M"
        ADDR=$(ifconfig "$WAN" | grep 'inet addr' | awk '{print $2}' | cut -d : -f 2)
        MASK=$(ifconfig "$WAN" | grep 'inet addr' | awk '{print $4}' | cut -d : -f 2)
        NET="$ADDR/$MASK"
        echo ' '
        echo '  checking ADDR MASK NET '
        echo "  addr $ADDR"
        echo "  mask $MASK"
        echo "  net  $NET"
        # all three RFC1918 blocks: 10/8, 172.16/12 (172.16 - 172.31), 192.168/16
        if echo "$ADDR" | grep -q '^192\.168\.\|^172\.\(1[6-9]\|2[0-9]\|3[01]\)\.\|^10\.'
        then
            echo ' '
            echo "$IPT -A INPUT -s $NET -j ACCEPT"
            $IPT -A INPUT -s "$NET" -j ACCEPT
        fi
    fi
fi

### Reserved
echo ' '
echo 'Reserved'
# Create a new chain to handle reserved src addresses
# so that we can log them as such..
echo "$IPT -N RESERVED"
$IPT -N RESERVED
if [ "$LOG" = 1 ]
then
    $IPT -A RESERVED -j LOG --log-level "$LOG_LVL" --log-prefix "Reserved Source:"
fi

# no point in sending an error reply / RST ;)

$IPT -A RESERVED -j DROP
for FOO in $RESERVD; do
    $IPT -A INPUT -i "$WAN" -s "$FOO" -j RESERVED
done

### Log and drop invalid / malformed stuff
# include tcp and ip options in log
$IPT -N UNCLEAN
if [ "$LOG" = 1 ]
then
    $IPT -A UNCLEAN -j LOG --log-level "$LOG_LVL" --log-prefix "Unclean:" --log-tcp-options --log-ip-options
fi
$IPT -A UNCLEAN -j DROP
$IPT -A INPUT -m unclean -j UNCLEAN

### DHCP
for BAR in $DHCP; do
    $IPT -A INPUT -i "$WAN" -p udp -s "$BAR" --sport 67 --dport 68 -j ACCEPT
done

### Handle return / related traffic
$IPT -A INPUT -i "$WAN" -m state --state ESTABLISHED,RELATED -j ACCEPT

### pingable?
if [ "$PING" = 1 ]
then
    $IPT -A INPUT -i "$WAN" -p icmp --icmp-type echo-request -j ACCEPT
fi

################################################################################
#
# Some examples for allowing inbound connections to the firewall (this box)
#
# SSH          Uncomment this if you want to be able to login to this box
#              from the Internet (WAN).
#
# Web server   Uncomment this if you are setting this box up to perform
#              as a web server.
#
################################################################################

### SSH (allows SSH to firewall, from anywhere on the WAN)

$IPT -A INPUT -i "$WAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT

### Web server

# $IPT -A INPUT -i "$WAN" -p tcp --dport 80 -m state --state NEW -j ACCEPT

################################################################################
#
# Drop and log everything else arriving from the WAN
#
################################################################################

if [ "$LOG" = 1 ]
then
    $IPT -A INPUT -i "$WAN" -j LOG --log-level "$LOG_LVL" --log-prefix "Default deny:"
fi

if [ "$RESP" = "DROP" ]
then
    $IPT -A INPUT -i "$WAN" -j DROP
else
    $IPT -A INPUT -i "$WAN" -p tcp -j REJECT --reject-with tcp-reset
    $IPT -A INPUT -i "$WAN" -p udp -j REJECT
    $IPT -A INPUT -i "$WAN" -j DROP
fi


################################################################################
#
# NAT - this will enable NAT if you have set WAN, LAN and NAT properly
#
################################################################################

if [ "$NAT" = 1 ]
then
    if [ -z "$LAN" ]
    then
        echo "NAT not enabled! You must define a LAN interface!"
    else
        echo 1 > /proc/sys/net/ipv4/ip_forward
        $IPT -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
    fi
fi


################################################################################
#
# Examples for port forwarding
#
# If you have properly set up this computer as a NAT router, connections
# from WAN -> LAN are not possible. NAT provides an effect similar to that
# of the stateful rule above for NAT'd hosts.
#
# If you wish to allow connections / unsolicited UDP to the LAN you must
# forward the appropriate ports. Some examples are provided below.
#
################################################################################

### Forward tcp, port 23 from the WAN to 192.168.2.30 port 23

# $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 23 -j DNAT --to-destination 192.168.2.30

### Forward tcp, port 100 from the WAN to 192.168.2.30 port 50

# $IPT -t nat -A PREROUTING -i "$WAN" -p tcp --dport 100 -j DNAT --to-destination 192.168.2.30:50

### Forward udp, ports 400-500 from the WAN to 192.168.2.30

# $IPT -t nat -A PREROUTING -i "$WAN" -p udp --dport 400:500 -j DNAT --to-destination 192.168.2.30

### Forward all tcp to 192.168.2.30

# $IPT -t nat -A PREROUTING -i "$WAN" -p tcp -j DNAT --to-destination 192.168.2.30


################################################################################
#
# Display all the iptables rules
#
################################################################################

$IPT -L -v

################################################################################
#
# The End :)
#
################################################################################
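Three checks worth having next to a script like this, written here as an added example (it is not part of the attached init_iptables script or of anything in Gentoo's tree): a validator for the user-edited settings (RESP, LOG, WAN, LAN, NAT) that runs before any iptables command, a private-address test for the 'permit LAN' fallback that covers the whole 172.16.0.0/12 range as well as 10/8 and 192.168/16, and a summariser for the "Default deny:" lines the LOG target writes, so dropped traffic can be reviewed per source and destination port. The function names and the four kernel log lines are constructed for this example; the log line layout is the standard iptables LOG output with the script's own prefixes.

```shell
#!/bin/sh
# Added example, not part of the attached script. Variable meanings follow
# the script (RESP, LOG, WAN, LAN, NAT); function names are our own.

# Return 0 if $1 is a dotted-quad IPv4 address inside an RFC1918 block.
# A case pattern is used so that 172.16 through 172.31 are all covered.
is_private_addr() {
    case "$1" in
        10.*)                                   return 0 ;;
        192.168.*)                              return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*)  return 0 ;;
        *)                                      return 1 ;;
    esac
}

# Validate the tunables before touching iptables.
# Arguments: RESP LOG WAN LAN NAT. Prints one problem per line, returns 1
# if anything is wrong, 0 if the settings are usable.
check_settings() {
    resp=$1 log=$2 wan=$3 lan=$4 nat=$5
    rc=0
    case "$resp" in DROP|REJECT) ;; *) echo "RESP must be DROP or REJECT (got '$resp')"; rc=1 ;; esac
    case "$log"  in 0|1) ;; *) echo "LOG must be 0 or 1 (got '$log')"; rc=1 ;; esac
    case "$nat"  in 0|1) ;; *) echo "NAT must be 0 or 1 (got '$nat')"; rc=1 ;; esac
    [ -n "$wan" ] || { echo "WAN must be defined"; rc=1; }
    if [ "$nat" = 1 ] && [ -z "$lan" ]; then
        echo "NAT=1 requires a LAN interface"; rc=1
    fi
    if [ -n "$lan" ] && [ "$lan" = "$wan" ]; then
        echo "LAN and WAN must be different interfaces"; rc=1
    fi
    return $rc
}

# Read kernel log lines on stdin, keep those carrying the script's
# "Default deny:" prefix and print "SRC DPT count" per source/port pair,
# most frequent first. Lines with other prefixes (Reserved Source:,
# Unclean:) are left out so the default-deny view is not mixed with them.
summarize_denies() {
    grep 'Default deny:' |
    awk '{
        src = ""; dpt = "";
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5);
            if ($i ~ /^DPT=/) dpt = substr($i, 5);
        }
        if (src != "") hits[src " " dpt]++;
    }
    END { for (k in hits) print k, hits[k] }' |
    sort -k3,3nr -k1,1
}

# Constructed sample: four kernel log lines in iptables LOG format, using
# documentation addresses (203.0.113.0/24, 198.51.100.0/24).
SAMPLE_LOG='Feb  2 20:55:32 fw kernel: Default deny:IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=45000 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  2 20:55:33 fw kernel: Default deny:IN=ppp0 OUT= MAC= SRC=203.0.113.5 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=TCP SPT=45001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Feb  2 20:55:40 fw kernel: Reserved Source:IN=ppp0 OUT= MAC= SRC=10.1.2.3 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=1234 DPT=53 LEN=28
Feb  2 20:56:01 fw kernel: Default deny:IN=ppp0 OUT= MAC= SRC=198.51.100.99 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=52000 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0'

# Demonstration with the script's default settings and the sample log.
check_settings "DROP" 1 "ppp0" "eth0" 0 && echo "settings ok"
printf '%s\n' "$SAMPLE_LOG" | summarize_denies
```

Running the block prints "settings ok" followed by "203.0.113.5 23 2" and "198.51.100.99 445 1"; the Reserved Source line is not counted. The validator is meant to be called at the top of the script, before the flush, so a typo in RESP or a NAT=1 without a LAN interface stops the run while the old ruleset is still in place.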