==================================
#!/bin/bash
# assign variable $IPT with the iptables command
IPT=/sbin/iptables
# set the default policy on each chain: drop inbound and forwarded packets
# unless a rule below accepts them, allow everything outbound
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT # default, but set it anyway
# flush all rules in the filter table
$IPT -F
# flush all rules in the nat table
$IPT -F -t nat
# allow established TCP connections (stateless check: any TCP packet without
# the SYN flag is accepted, the way it was done before connection tracking)
$IPT -A INPUT -p tcp ! --syn -j ACCEPT
# allow traffic on the loopback interface
$IPT -A INPUT -i lo -j ACCEPT
# allow icmp traffic
$IPT -A INPUT -p icmp -j ACCEPT
# allow incoming DNS traffic from the DNS server (note: the first rule matches
# any UDP packet with source port 53, from any host, not only the DNS server;
# the second accepts DNS queries sent to this box)
$IPT -A INPUT -p udp --sport 53 -j ACCEPT
$IPT -A INPUT -p udp --dport 53 -j ACCEPT
# allow incoming proxy traffic (port 3128) from the internal network only
$IPT -A INPUT -p tcp -s 10.0.0.0/24 --dport 3128 -j ACCEPT
# allow incoming ssh traffic to this box
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
# allow port forwarding: both directions of the web (80) and ssh (22)
# connections to the internal host 10.0.0.10
$IPT -A FORWARD -p tcp -d 10.0.0.10 --dport 80 -j ACCEPT
$IPT -A FORWARD -p tcp -s 10.0.0.10 --sport 80 -j ACCEPT
$IPT -A FORWARD -p tcp -d 10.0.0.10 --dport 22 -j ACCEPT
$IPT -A FORWARD -p tcp -s 10.0.0.10 --sport 22 -j ACCEPT
# allow NAT: masquerade internal traffic leaving on the external interface eth0
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# port forwarding: external port 80 goes to the internal web server,
# external port 222 goes to the internal host's ssh port
$IPT -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.0.0.10:80
$IPT -t nat -A PREROUTING -p tcp -i eth0 --dport 222 -j DNAT --to-destination 10.0.0.10:22
# Transparent Proxy: web traffic arriving on the internal interface eth1 is
# sent to the proxy on the gateway's internal address 10.0.0.1
$IPT -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to-destination 10.0.0.1:3128
# alternative using REDIRECT, which sends the packet to the given port on the
# incoming interface's own address instead of an explicit destination
#$IPT -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-port 3128
==================================
Next is to make the iptables rules persistent across reboots. There are many ways to do this; let's first look at the RHEL way, which uses a few tools that make a custom script easy to keep persistent across reboots (this may not apply to other Linux distributions). As many Linux users have also mentioned, a custom iptables script is sometimes necessary to work around the limitations of the RHEL firewall configuration tool. These are the steps:
1. Make sure that the default iptables initialization script is not running:
service iptables stop
2. Execute the custom iptables script:
sh [custom iptables script]
3. Save the newly created iptables rules:
service iptables save
4. Restart the iptables service:
service iptables restart
5. Verify that the custom iptables ruleset has taken effect:
service iptables status
6. Enable automatic start-up of the iptables service on boot:
chkconfig iptables on
The custom iptables script should now be persistent across system reboots.
-----------------------------------------------------------------------------
Alternatively, as described in the Debian Linux documentation at http://www.debian-administration.org/articles/445, we can 'attach' the script to the network interface so that when we do an ifdown followed by an ifup, the iptables script is loaded again.
Or stick to the standard method described in the Debian Linux documentation, using the following steps. Here we use an example:
1. Install iptables:
apt-get install iptables
2. Remove any existing user-defined chains, reset the default policies on all chains, and flush all rules:
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
3. Set the firewall rules (for example, the script at the top of this post).
4. Display the firewall policy:
iptables -L
Then, configure your system to keep these new firewall rules across reboots, i.e. make them persistent:
5. Create a text file named iptables-script containing all the rules applied.
6. Make the text file executable:
chmod 755 iptables-script
7. Save the file in /etc/init.d.
8. Run update-rc.d to set at which runlevels the firewall rules are applied (the first argument is the name of the script in /etc/init.d).
E.g. update-rc.d firewall start 20 2 3 4 5 . stop 99 0 1 6 .
9. Reboot and verify that the policies are in place.
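As an added example (not from the original post or from the Debian documentation), here is how the post's ruleset can be packaged as the /etc/init.d script from steps 5 to 8, with the start/stop/status actions that update-rc.d expects. The file name, the variable names and the assumption that 10.0.0.0/24 sits behind eth1 are mine; IPT can be overridden (for example IPT=echo) to preview the commands without root.

```shell
#!/bin/sh
# /etc/init.d/iptables-script: start/stop wrapper around the ruleset at the top of this post
# (hypothetical file name, matching step 5; added example, not from the original post).
# IPT can be overridden (e.g. IPT=echo) to preview the commands without root.
IPT=${IPT:-/sbin/iptables}
LAN=10.0.0.0/24      # internal network (assumed to sit behind eth1, as in the ruleset)
SRV=10.0.0.10        # internal host that receives the forwarded ports 80 and 22
PROXY=10.0.0.1:3128  # proxy listener on the gateway's internal address

# Open, empty firewall: what "stop" leaves behind and what "start" begins from.
reset_rules() {
    for t in filter nat; do $IPT -t $t -F; $IPT -t $t -X; done
    $IPT -P INPUT ACCEPT; $IPT -P FORWARD ACCEPT; $IPT -P OUTPUT ACCEPT
}

# Apply the post's ruleset on top of a clean table set.
do_start() {
    reset_rules
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -p tcp ! --syn -j ACCEPT          # established TCP (stateless)
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -p icmp -j ACCEPT
    $IPT -A INPUT -p udp --sport 53 -j ACCEPT       # DNS replies
    $IPT -A INPUT -p udp --dport 53 -j ACCEPT       # DNS queries
    $IPT -A INPUT -p tcp -s $LAN --dport 3128 -j ACCEPT   # proxy, LAN only
    $IPT -A INPUT -p tcp --dport 22 -j ACCEPT       # ssh to the gateway
    $IPT -A FORWARD -p tcp -d $SRV --dport 80 -j ACCEPT
    $IPT -A FORWARD -p tcp -s $SRV --sport 80 -j ACCEPT
    $IPT -A FORWARD -p tcp -d $SRV --dport 22 -j ACCEPT
    $IPT -A FORWARD -p tcp -s $SRV --sport 22 -j ACCEPT
    $IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    $IPT -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination $SRV:80
    $IPT -t nat -A PREROUTING -p tcp -i eth0 --dport 222 -j DNAT --to-destination $SRV:22
    $IPT -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to-destination $PROXY
}

case "${1:-}" in
    start|restart) do_start ;;
    stop)          reset_rules ;;
    status)        $IPT -L -n -v; $IPT -t nat -L -n -v ;;
    "")            ;;   # no action given: functions are defined but nothing is applied
    *)             echo "Usage: $0 {start|stop|restart|status}" >&2; exit 1 ;;
esac
```

Install it as /etc/init.d/iptables-script and register it with update-rc.d as in step 8; "stop" leaves all chains empty with ACCEPT policies, which is what the distribution's own iptables stop action does.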
Further Reading:
http://electron.mit.edu/~gsteele/firewall/
http://www.tin.org/bin/man.cgi?section=8&topic=update-rc.d
http://townx.org/simple_firewall_for_ubuntu_using_iptables