Firewalling revisited...

Björn Lindberg d95-bli at nada.kth.se
Mon Oct 15 05:48:47 PDT 2001


Now I have finally set up my new firewall/router. I would very much
appreciate critique or a discussion around this.

My setup is as follows:

ikaros	-- firewall/router
nex 	-- workstation inside of firewall

I have two scripts:

/etc/init.d/filter:
-------------------
#!/bin/sh
# iptables configuration for filtering

source /etc/init.d/functions

IPTABLES=/usr/sbin/iptables

EXTDEV=eth1
INTDEV=eth0

echo -n "Setting up IP-tables for filtering..."

# flush filter table
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD

# set default policy
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP


# INPUT section
# allow only packets from internal network
$IPTABLES -A INPUT -i $INTDEV -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT

# drop everything else to this machine
$IPTABLES -A INPUT -j DROP


# FORWARD section
# allow packets belonging to already established connections
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# drop packets not belonging to a connection
$IPTABLES -A FORWARD -m state --state INVALID -j DROP

# allow forwarding of packets from internal sources
$IPTABLES -A FORWARD -i $INTDEV -o $EXTDEV -j ACCEPT

# allow SSH connections
$IPTABLES -A FORWARD -p tcp --dport 22 -j ACCEPT

# allow ping requests
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT


evaluate_retval

# activate IP-forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# do reversed path validation
echo 1 > /proc/sys/net/ipv4/conf/$EXTDEV/rp_filter


/etc/init.d/route:
------------------
#!/bin/sh
# iptables configuration for routing

source /etc/init.d/functions

IPTABLES=/usr/sbin/iptables

EXTDEV=eth1
INTDEV=eth0

# get IP-information from DHCP client
source /etc/dhcpc/dhcpcd-$EXTDEV.info

echo -n "Setting up IP-tables for routing..."

# flush nat table
$IPTABLES -t nat -F

# give all packets coming from the internal LAN the router source address
$IPTABLES -t nat -A POSTROUTING -o $EXTDEV -j SNAT --to $IPADDR

# route incoming packets to nex
$IPTABLES -t nat -A PREROUTING -i $EXTDEV -j DNAT --to 192.168.1.1

evaluate_retval
-- 
Unsubscribe: send email to listar at linuxfromscratch.org
and put 'unsubscribe blfs-support' in the subject header of the message
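As an added example (not code from the post), the FORWARD chain of /etc/init.d/filter modelled as an ordered first-match list and evaluated against a few constructed packets, so that what ikaros actually forwards to nex is visible without a kernel: the conntrack state and the post-DNAT output interface are supplied by hand per packet, and the `-m limit` rate match is assumed to always match. Because the `--dport 22` and echo-request rules name no interface, new connections arriving on eth1 for those two cases are accepted, while other new inbound traffic falls through to the DROP policy.

```python
# Added example, not code from the post: a first-match model of the posted
# FORWARD chain. It is not netfilter: conntrack state and the post-DNAT output
# interface are given by hand per packet, and "-m limit" is assumed to match.
EXTDEV, INTDEV = "eth1", "eth0"

# (match, target) pairs in the order the script appends them to FORWARD.
FORWARD_RULES = [
    ({"state": {"ESTABLISHED", "RELATED"}}, "ACCEPT"),
    ({"state": {"INVALID"}}, "DROP"),
    ({"in": INTDEV, "out": EXTDEV}, "ACCEPT"),
    ({"proto": "tcp", "dport": 22}, "ACCEPT"),                   # no -i / -o
    ({"proto": "icmp", "icmp_type": "echo-request"}, "ACCEPT"),  # no -i / -o
]
FORWARD_POLICY = "DROP"  # from "$IPTABLES -P FORWARD DROP"

def rule_matches(match, pkt):
    """Every field the rule names must agree with the packet."""
    for field, wanted in match.items():
        seen = pkt.get(field)
        if isinstance(wanted, set):
            if seen not in wanted:
                return False
        elif seen != wanted:
            return False
    return True

def forward_verdict(pkt, rules=FORWARD_RULES, policy=FORWARD_POLICY):
    """The first matching rule decides; otherwise the chain policy applies."""
    for match, target in rules:
        if rule_matches(match, pkt):
            return target
    return policy

# Constructed packets as FORWARD sees them, i.e. after the PREROUTING DNAT to nex.
SAMPLES = {
    "inbound ssh": {"in": EXTDEV, "out": INTDEV, "proto": "tcp", "dport": 22, "state": "NEW"},
    "inbound http": {"in": EXTDEV, "out": INTDEV, "proto": "tcp", "dport": 80, "state": "NEW"},
    "inbound ping": {"in": EXTDEV, "out": INTDEV, "proto": "icmp", "icmp_type": "echo-request", "state": "NEW"},
    "outbound http": {"in": INTDEV, "out": EXTDEV, "proto": "tcp", "dport": 80, "state": "NEW"},
    "reply to outbound": {"in": EXTDEV, "out": INTDEV, "proto": "tcp", "dport": 40000, "state": "ESTABLISHED"},
}

def exposure_report(samples=SAMPLES):
    """Map each sample packet to the verdict the posted chain gives it."""
    return {name: forward_verdict(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, verdict in exposure_report().items():
        print(f"{name:18} -> {verdict}")
```

Swapping in a tightened rule list (for instance adding `"in": INTDEV` to a rule) and re-running the report shows directly which of the sample packets change verdict.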