A simple PAT (Port Address Translation) for outgoing traffic:
1. Remove any existing user-defined chains in the NAT table, reset the default policies on all chains, and flush all rules:
iptables -t nat -F
2. Configure NAT using iptables (in this example eth0 is the public outgoing interface):
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
NewPathCloudPath: Business Management, IT Services Management, ITIL, Networking, Linux Servers, Project Management, PMP, Open Source technologies, Green Data Centres, Virtualization, Cloud Computing, Security, IT Trends.
Tuesday, April 13, 2010
iptables script and how to make it persistent upon reboot
The /sbin/iptables command does not set persistence. Therefore we need to create a script and make sure the system calls it upon reboot for the firewall to remain persistent. Here is a sample script.
==================================
#!/bin/bash
#sample firewall script: eth0 is the public interface, eth1 the LAN (10.0.0.0/24),
#10.0.0.10 is an internal server and squid listens on 10.0.0.1:3128
#assign variable $IPT with the iptables command
IPT=/sbin/iptables
#set default policies on each chain: drop inbound and forwarded traffic unless a rule below allows it
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT #default, but set it anyway
#flush all rules in the filter table
$IPT -F
#flush all rules in the nat table
$IPT -F -t nat
#the FORWARD and DNAT rules below only take effect with IP forwarding enabled in the kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
#allow established TCP connections (any TCP packet without the SYN flag set)
$IPT -A INPUT -p tcp ! --syn -j ACCEPT
#allow traffic on the loopback interface
$IPT -A INPUT -i lo -j ACCEPT
#allow icmp traffic
$IPT -A INPUT -p icmp -j ACCEPT
#allow incoming DNS traffic from the DNS server (replies come from source port 53) and DNS queries to this host
$IPT -A INPUT -p udp --sport 53 -j ACCEPT
$IPT -A INPUT -p udp --dport 53 -j ACCEPT
#allow incoming proxy traffic (squid on port 3128) from the LAN only
$IPT -A INPUT -p tcp -s 10.0.0.0/24 --dport 3128 -j ACCEPT
#allow incoming ssh traffic
$IPT -A INPUT -p tcp --dport 22 -j ACCEPT
#allow port forwarding: both directions of each forwarded service must pass the FORWARD chain
$IPT -A FORWARD -p tcp -d 10.0.0.10 --dport 80 -j ACCEPT
$IPT -A FORWARD -p tcp -s 10.0.0.10 --sport 80 -j ACCEPT
$IPT -A FORWARD -p tcp -d 10.0.0.10 --dport 22 -j ACCEPT
$IPT -A FORWARD -p tcp -s 10.0.0.10 --sport 22 -j ACCEPT
#allow NAT: masquerade everything leaving the public interface with its address
$IPT -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#port forwarding: public port 80 -> 10.0.0.10:80, public port 222 -> 10.0.0.10:22
$IPT -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j DNAT --to-destination 10.0.0.10:80
$IPT -t nat -A PREROUTING -p tcp -i eth0 --dport 222 -j DNAT --to-destination 10.0.0.10:22
#Transparent proxy: web traffic arriving from the LAN is sent to squid on 10.0.0.1:3128
$IPT -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j DNAT --to-destination 10.0.0.1:3128
#equivalent using REDIRECT, which targets the local host on port 3128
#$IPT -t nat -A PREROUTING -p tcp -i eth1 --dport 80 -j REDIRECT --to-port 3128
==================================
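The script above approximates "established" traffic with `! --syn`, which also admits any non-SYN TCP packet (stray ACK, FIN or RST probes included) and does nothing for UDP, and its `iptables -F` step (like the `iptables -t nat -F` step in the PAT snippet at the top of the page) only flushes rules: user-defined chains and chain policies survive it. The following is an added example, not code from the original post, that rebuilds the same policy (same interfaces, addresses and ports as the script above) on the connection-tracking state match, resets filter and nat completely with -F, -X and -P, and can be run with IPT_DRY_RUN=1 to print the commands instead of executing them. The `ipt` wrapper, the IPT_DRY_RUN variable and the LAN-only restriction on DNS are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original post): the blog's policy rebuilt on
# connection tracking. IPT_DRY_RUN=1 prints each command instead of running it,
# so the ruleset can be reviewed or tested without root.
IPT=${IPT:-/sbin/iptables}
WAN=eth0             # public interface, as in the blog script
LAN=eth1             # internal interface
LAN_NET=10.0.0.0/24
WEB_HOST=10.0.0.10   # internal server reached through DNAT
PROXY=10.0.0.1:3128  # squid on this box (transparent proxy target)

ipt() {
    if [ "${IPT_DRY_RUN:-0}" = 1 ]; then
        printf '%s %s\n' "$IPT" "$*"
    else
        "$IPT" "$@"
    fi
}

# Clean slate: -F only flushes rules; -X removes user-defined chains and -P
# resets the policies, neither of which a bare "iptables -F" does.
reset_tables() {
    for t in filter nat; do
        ipt -t "$t" -F
        ipt -t "$t" -X
    done
    for c in INPUT FORWARD OUTPUT; do
        ipt -P "$c" ACCEPT
    done
}

apply_rules() {
    reset_tables
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    # Replies to connections this host or the LAN opened. Unlike "! --syn" this
    # covers UDP too and does not admit stray ACK/FIN/RST packets.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
    # DNS replies are ESTABLISHED, so the "--sport 53" hole is not needed;
    # only queries from the LAN to a resolver on this box are opened (tightened here).
    ipt -A INPUT -i "$LAN" -p udp -s "$LAN_NET" --dport 53 -j ACCEPT
    ipt -A INPUT -i "$LAN" -p tcp -s "$LAN_NET" --dport 3128 -j ACCEPT
    ipt -A INPUT -p tcp --dport 22 -j ACCEPT   # add -s/-i here if ssh is LAN-only
    # Only the inbound (NEW) direction of each forwarded service needs a rule now.
    ipt -A FORWARD -i "$WAN" -p tcp -d "$WEB_HOST" --dport 80 -m state --state NEW -j ACCEPT
    ipt -A FORWARD -i "$WAN" -p tcp -d "$WEB_HOST" --dport 22 -m state --state NEW -j ACCEPT
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 80 -j DNAT --to-destination "$WEB_HOST:80"
    ipt -t nat -A PREROUTING -i "$WAN" -p tcp --dport 222 -j DNAT --to-destination "$WEB_HOST:22"
    ipt -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 -j DNAT --to-destination "$PROXY"
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# Number of iptables invocations one run makes (a cheap smoke test).
rule_count() {
    ( IPT_DRY_RUN=1; apply_rules ) | wc -l | tr -d ' '
}

# Apply for real only when invoked as "sh fw.sh apply" (as root);
# "sh fw.sh show" lists the commands without touching the kernel.
case "${1:-}" in
    apply) apply_rules ;;
    show)  IPT_DRY_RUN=1 apply_rules ;;
esac
```

Remember that IP forwarding (`net.ipv4.ip_forward=1`) must still be enabled for the FORWARD and DNAT rules to carry traffic; the state match only changes which packets are admitted, not the routing.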
Next is to make iptables persistent upon reboot; there are many ways. Let's take a look at the Linux way of using some tools to do that. Linux has a few tools that make the script easily persistent upon reboot (the commands below are RHEL's and may not be applicable to other Linux distributions). As also mentioned by many Linux users, a custom iptables script is sometimes necessary to work around the limitations of the RHEL firewall configuration tool. These are the steps:
1. Make sure that the default iptables initialization script is not running:
service iptables stop
2. Execute the custom iptables script:
sh [custom iptables script]
3. Save the newly created iptables rules:
service iptables save
4. Restart the iptables service:
service iptables restart
5. Verify that the custom iptables ruleset has taken effect:
service iptables status
6. Enable automatic start-up of the iptables service on boot:
chkconfig iptables on
The custom iptables script should now be persistent upon system reboot.
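Step 5 above only shows that the rules loaded; it does not tell you whether what was saved is the policy you intended. The following is an added example, not from the original post, that checks a saved ruleset in iptables-save format (the file "service iptables save" writes) for the properties the blog's script is meant to establish: DROP policies on INPUT and FORWARD and a MASQUERADE rule in the nat table. It also flags the two weak patterns from the script in the form iptables-save records them. The sample dump embedded in `write_sample` is constructed for the test; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check a saved ruleset in
# iptables-save format before relying on it to come back at boot.
# Exit status 0 means every check passed; warnings do not fail the check.

check_saved_rules() {
    f=$1
    rc=0
    # Each table runs from "*name" to "COMMIT"; policies appear as ":CHAIN POLICY [p:b]".
    filter=$(sed -n '/^\*filter/,/^COMMIT/p' "$f")
    nat=$(sed -n '/^\*nat/,/^COMMIT/p' "$f")
    echo "$filter" | grep -q '^:INPUT DROP'   || { echo "FAIL: INPUT policy is not DROP";   rc=1; }
    echo "$filter" | grep -q '^:FORWARD DROP' || { echo "FAIL: FORWARD policy is not DROP"; rc=1; }
    echo "$nat" | grep -q -- '-j MASQUERADE'  || { echo "FAIL: no MASQUERADE rule in the nat table"; rc=1; }
    # Weak patterns from the blog's script, as iptables-save spells them.
    if echo "$filter" | grep -q -- '--sport 53 -j ACCEPT'; then
        echo "WARN: any UDP packet with source port 53 is accepted"
    fi
    if echo "$filter" | grep -q -- '! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT'; then
        echo "WARN: non-SYN TCP accepted without connection tracking (! --syn)"
    fi
    return $rc
}

# Constructed sample resembling what iptables-save writes for the blog's script.
write_sample() {
cat > "$1" <<'EOF'
# Generated by iptables-save (constructed sample)
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.0.0.10:80
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --sport 53 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Usage: sh check-rules.sh /etc/sysconfig/iptables
if [ -n "${1:-}" ]; then
    check_saved_rules "$1"
fi
```

Run it against the file the save step produced (or against `iptables-save` output piped to a temporary file) before rebooting, so a missing policy line is caught while the old rules are still loaded.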
-----------------------------------------------------------------------------
Alternatively, as described in the Debian Linux documentation (http://www.debian-administration.org/articles/445), we can 'attach' the script to the network interface so that when we do an ifdown and then an ifup, the iptables script is applied.
Or stick to the standard method described by the Debian Linux documentation using these steps. Here we use an example:
1. Install iptables:
apt-get install iptables
2. Remove any existing user-defined chains, reset the default policies on all chains, and flush all rules:
iptables -F
3. Set the firewall rules....
4. Display the firewall policy:
iptables -L
Then, configure your system to maintain these new firewall rules across reboots / make them persistent:
5. Create a text file named iptables-script containing all the rules applied.
6. Make the text file executable:
chmod 755 iptables-script
7. Save the file in /etc/init.d
8. Run update-rc.d to set at which runlevels to apply the firewall rules, e.g.:
update-rc.d iptables-script start 20 2 3 4 5 . stop 99 0 1 6 .
9. Reboot and verify that the policies are in place.
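Steps 5 to 8 drop the rules script into /etc/init.d as-is, which means "stop" at runlevels 0, 1 and 6 re-applies the rules rather than stopping anything, and a failure halfway through the script leaves a partial policy loaded. The following is an added example, not from the original post, of an init.d-style wrapper for the same procedure: "start" loads a ruleset saved with `iptables-save` (atomically, table by table, via iptables-restore), "stop" opens the firewall, and FW_DRY_RUN=1 prints the commands instead of running them. The rules path /etc/iptables.up.rules, the `run` wrapper and the FW_DRY_RUN variable are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original post): /etc/init.d/iptables-script wrapper
# that loads a saved ruleset instead of replaying rules one at a time.
### BEGIN INIT INFO
# Provides:          iptables-script
# Required-Start:    $local_fs
# Required-Stop:     $local_fs
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: load the saved iptables ruleset
### END INIT INFO

RULES=${RULES:-/etc/iptables.up.rules}   # assumed path, written with: iptables-save > $RULES
IPT=${IPT:-/sbin/iptables}
IPT_RESTORE=${IPT_RESTORE:-/sbin/iptables-restore}

# Execute the command, or print it when FW_DRY_RUN=1.
run() {
    if [ "${FW_DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

fw_start() {
    if [ ! -r "$RULES" ]; then
        echo "$RULES not found; create it with: iptables-save > $RULES" >&2
        return 1
    fi
    # iptables-restore commits each table as a unit, so there is no window
    # with a half-applied policy, unlike a script that appends rule by rule.
    run "$IPT_RESTORE" "$RULES"
}

fw_stop() {
    # Open the firewall: flush rules, delete user chains, ACCEPT on every chain.
    for t in filter nat; do
        run "$IPT" -t "$t" -F
        run "$IPT" -t "$t" -X
    done
    for c in INPUT FORWARD OUTPUT; do
        run "$IPT" -P "$c" ACCEPT
    done
}

fw_status() {
    run "$IPT" -L -n -v
}

fw_main() {
    case "$1" in
        start)   fw_start ;;
        stop)    fw_stop ;;
        # restore replaces everything, so restart never needs the open window stop creates
        restart) fw_start ;;
        status)  fw_status ;;
        *) echo "Usage: $0 {start|stop|restart|status}" >&2; return 2 ;;
    esac
}

# Only dispatch when called with an action, as the init system does.
if [ $# -gt 0 ]; then
    fw_main "$@"
fi
```

Install it as /etc/init.d/iptables-script, make it executable and register it with the update-rc.d line from step 8. The same saved file also serves the interface-attached method from the Debian article linked above, where a `pre-up iptables-restore < /etc/iptables.up.rules` line in the interface stanza of /etc/network/interfaces loads the rules before the interface comes up.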
Further Reading:
http://electron.mit.edu/~gsteele/firewall/
http://www.tin.org/bin/man.cgi?section=8&topic=update-rc.d
http://townx.org/simple_firewall_for_ubuntu_using_iptables