Re: How do I open for Internet accsess in iptables.

[Knut Ove Hauge <feb2000info yahoo no>]

I cant ping any machins wheter internalor external and the internet
doesnt work at the linuz box when I haverun the script below.

Nytt design, enklere å bruke, alltid tilgang til Adressebok, Kalender
og Notisbok#!/bin/sh
# 
# In order to use this IPTables firewall script you
# must have IPTables installed. You also must be using 
# a 2.4.x series Kernel, with IPTables support complied 
# into it, which is standard for most newer Linux distributions.
#
# If you need help compiling IPtables into your kernel, please
# see our Kernel Compile/Upgrade Guide located at 
# www.linuxhelp.net/guides/
#
# Once the script has been edited with all your relevant
# information (IP's, Network Interfaces, etc..) simply
# make the script executable and run it as root.
#
# chmod 700 iptables-firewall
# ./iptables-firewall
#
# If you would like to see what rules are currently set, as
# root run iptables -L
#
# If you've messed up and need to bring down the firewall 
# for whatever reason, run iptables -F
#
# If you would like to have the firewall automatically
# come up at boot time, add the path to the script to
# the bottom of your /etc/rc.d/rc.local file. For instance
# /root/bin/iptables-firewall
#
# If you're not sure about something, check out the iptables
# man page by typing 'man iptables' (without the ''s) at the
# command prompt.
#
# This script is an enhanced/modified version of the 
# iptables-script written by Davion 
# 
# If you have any questions, please come see us in #Linuxhelp.net
# on the DALnet IRC network. (www.linuxhelp.net/ircinfo.shtml)

# The location of the IPtables binary file on your system.
IPT="/sbin/iptables"

# The Network Interface you will be protecting. For ADSL/dialup users,
# ppp0 should be fine. If you are using a cable internet connection or
# are connected to a LAN, you will have to change this to "eth0".
INT="eth1"

# The following rules will clear out any existing firewall rules, 
# and any chains that might have been created.
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
#$IPT -F -t mangle Gave error messages if I didnt comment it out
$IPT -F -t nat
$IPT -X

# These will setup our policies.
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT

# The following line below enables IP forwarding and thus 
# by extension, NAT. Turn this on if you're going to be 
# doing NAT or IP Masquerading.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Source NAT everything heading out the $INT (external) 
# interface to be the given IP. If you have a dynamic IP 
# address or a DHCP IP that changes semi-regularly, comment out 
# the first line and uncomment the second line.
#
# Remember to change the ip address below to your static ip.
#
#$IPT -t nat -A POSTROUTING -o $INT -j SNAT --to 216.138.195.197
$IPT -t nat -A POSTROUTING -o $INT -j MASQUERADE

# This rule protects your fowarding rule.
$IPT -A FORWARD -i $INT -m state --state NEW,INVALID -j DROP

# If you would like to forward specific ports to other machines
# on your home network, edit and uncomment the rules below. They are
# currently set up to forward port 25 & 53 (Mail & DNS) to 10.1.1.51. 
# Anything incoming over your $INT through your gateway will 
# be automatically redirected invisibly to port 25 & 53 on 10.1.1.51
$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 25 -j DNAT --to
192.168.0.3:25
$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 53 -j DNAT --to
192.168.0.3:53
$IPT -t nat -A PREROUTING -i $INT -p udp --dport 53 -j DNAT --to
192.168.0.3:53

# These two redirect a block of ports, in both udp and tcp.
#$IPT -t nat -A PREROUTING -i $INT -p tcp --dport 2300:2400 -j DNAT
--to 10.1.1.50
#$IPT -t nat -A PREROUTING -i $INT -p udp --dport 2300:2400 -j DNAT
--to 10.1.1.50


# Now, our firewall chain. We use the limit commands to 
# cap the rate at which it alerts to 15 log messages per minute.
$IPT -N firewall
$IPT -A firewall -m limit --limit 15/minute -j LOG --log-prefix
Firewall:
$IPT -A firewall -j DROP

# Now, our dropwall chain, for the final catchall filter.
$IPT -N dropwall
$IPT -A dropwall -m limit --limit 15/minute -j LOG --log-prefix
Dropwall:
$IPT -A dropwall -j DROP

# Our "hey, them's some bad tcp flags!" chain.
$IPT -N badflags
$IPT -A badflags -m limit --limit 15/minute -j LOG --log-prefix
Badflags:
$IPT -A badflags -j DROP

# And our silent logging chain.
$IPT -N silent
$IPT -A silent -j DROP

# This rule will accept connections from local machines. If you have
# a home network, enter in the IP's of the machines on the 
# network below.
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -s 192.168.0.3 -d 0/0 -p all -j ACCEPT
$IPT -A INPUT -s 192.168.0.3 -d 0/0 -p all -j ACCEPT
$IPT -A INPUT -s  192.168.0.3 -d 0/0 -p all -j ACCEPT

# Drop those nasty packets! These are all TCP flag 
# combinations that should never, ever occur in the
# wild. All of these are illegal combinations that 
# are used to attack a box in various ways, so we 
# just drop them and log them here.
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags

# Drop icmp, but only after letting certain types through.
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewall

# If you would like to open up port 22 (SSH Access) to various IP's
# simply edit the IP's below and uncomment the line. If youw wish to 
# enable SSH access from anywhere, uncomment the second line only. 
#$IPT -A INPUT -i $INT -s 10.1.1.1 -d 0/0 -p tcp --dport 22 -j ACCEPT
#$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 22 -j ACCEPT

# If you are running a Web Server, uncomment the next line to open
# up port 80 on your machine.
#$IPT -A INPUT -i $INT -s 0/0 -d 0/0 -p tcp --dport 80 -j ACCEPT

# Lets do some basic state-matching. This allows us 
# to accept related and established connections, so
# client-side things like ftp work properly, for example.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Uncomment to drop port 137 netbios packets silently. 
# We don't like that netbios stuff, and it's way too 
# spammy with windows machines on the network.
$IPT -A INPUT -p udp --sport 137 --dport 137 -j silent

# Our final trap. Everything on INPUT goes to the dropwall 
# so we don't get silent drops.
$IPT -A INPUT -j dropwall






 --- Saul Arias <zhadu yahoo com> skrev: > At 04:35 AM 30-08-02, Knut
Ove Hauge wrote:
> >I have just installed iptables as a replacement for ipchains in my
> rh
> >7.2 system. I downloaded a shell script with the rules but I cant
> >access internet nor from my linuze or windoze client.
> >I use eth1 for my adsl line and eth0 (ip address 192.168.0.1) for my
> >lan card. The windoze has ip address 192.168.0.3.
> >I have enabled ip forwarding and can flush the rules in iptables in
> the
> >beginning of the script. The input policy is set to DROP while the
> >other two is set to accept.
> >I cant ping any machines nor external or internal.
> >I'am new to iptables so I need some help on setting it up.
> 
> Can you ping from the Linux box to, say, www.yahoo.com?
> Can you ping from the Linux box to 192.168.0.3?
> 
> Can you do the pings above with iptables shut down?
> 
> Can we see your script?
> 
> 
> -- 
> Saul Arias <zhadu yahoo com>
> 
> 
> 
> -- 
> redhat-list mailing list
> unsubscribe mailto:redhat-list-request redhat com?subject=unsubscribe
> https://listman.redhat.com/mailman/listinfo/redhat-list 

=====
Investigating the Norwegain 4.th Secret Service
The multiheaded beast.
http://hjem.sol.no/altiett/knut_ove_hauge_kuren.htm

______________________________________________________
Se den nye Yahoo! Mail på http://no.yahoo.com/
Nytt design, enklere å bruke, alltid tilgang til Adressebok, Kalender og Notisbok