IPTABLES

IPTABLES Welcome to Notes on setting up a firewall using Debian 2.2 and Kernels 2.4.xx

Here are the basic steps to setting up a firewalling computer

1) Setup the ethernet cards (NIC's).

2) Edit /etc/lilo.conf (as needed)

3) Setup the file /etc/init.d/network.

4) Setup the file /etc/resolv.conf.

5) Setup the file /etc/hosts.conf.

6) Setup the file /etc/hostname.

7) finish Setting up in /etc/init.d/inetd

8) Compiling in the forwarding and IMASQ support into the kernel (see the ipmasq howto for more details)

9) Additional work for a modem

Ethernet - Debian 2.1/2.2

Network Card (NIC)

Start by editing /etc/modutils and add NIC modules one per line eg.

tulip
3c509

Now reboot using one of these commands:init 6 or reboot or shutdown -r now

Modular Kernel

Modconf is now available in 2.4.5 kernels

Enabling IP forwarding

Now for Debian 2.0/1/2 we probably need to turn ip_forwarding on, check with this line first,

cat /proc/sys/net/ipv4/ip_forward
if this returns 1 then forwarding is already on if it returns 0 then you need to cd /etc/networks and open options eg nano options, change ipforward=no to yes so IPforwarding will be available after boot. Now reboot to check ipforwarding is on.

Firewalling script for a firewall

Generally you want ip_forwarding and the firewall scripts to be available automatically at boot, to do this we create a firewall script.

First cd to /etc/init.d then type touch nat-fw-up followed by chmod 0755 nat-fw-up This creates an empty file ready to fill woth firewall rules. Generally we want the firewall rules to start after everything else, so therefore type, update-rc.d nat-fw-up start 99 2 3 4 5 . (note the . on the end). This puts a symbolic link from nat-fw-up to the run levels 2, 3, 4 & 5 so the firewall rules start when ever one of the 4 run levels is entered. 99 means that this will be one of the last rules started (01 would be one of the first).

nat-fw-up

Now to construct the firewall script, first start ip_forward, then allow NAT (Network Address Translation) finally firewall rulesets to protect the firewall and the computers behind it. It should be noted that most iptable modules will load when the kernel detects the modules are called for however these can be called manually.

My script below has 3 network cards, therefore normally ignore lines for inner_nic2/eth2/inner_nw2.

#!/bin/bash
#iptables firewall script
#rev 2 17/06/01
#rev 3 20/11/01 ipsec input rules added and tightened
#rev 4 8/12/01 Rule to allow netbios over ipsec added.
#rev 5 8/12/01 tidy up some unclean & invalid etc with rules

#start ip_forwarding
#echo "1" > /proc/sys/net/ipv4/ip_forward
#echo "forwarding started"
#started in /etc/network/options 

#set constants
outer_nic="eth0"
inner_nic1="eth1"
inner_nic2="eth2"
inner_nw1="172.31.0.0/16"
rh_fwall="192.168.1.253"
lh_fwall="192.168.1.254"
#inner_nw1="192.168.0.0/24"
#inner_nw2="10.0.0.0/8"
#web="172.31.0.16:80"
#web="172.16.0.20:80"
#smtp="172.16.0.20:25"
#web="192.168.0.100:80"
#ident="10.0.0.2:113"
echo "firewall constants setup"

#load any modules needed for connection tracking
#allow passive ftp
/sbin/modprobe ip_conntrack_ftp
#irc module
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe 
echo "started connection tracking"

#individual port forwarding
#www
#iptables -A PREROUTING -t nat -p tcp -i $outer_nic --dport 80 \
#-j DNAT --to $web
#smtp
#iptables -A PREROUTING -t nat -p tcp -i $outer_nic --dport 25 \
#-j DNAT --to $smtp
#ident
#iptables -A PREROUTING -t nat -p tcp -i $outer_nic --dport 113 \
#-j DNAT --to $ident
#--to $ident
iptables -A PREROUTING -t nat -i eth0 -d $inner_nw1 -j DROP
#iptables -A PREROUTING -t nat -i eth0 -d $inner_nw2 -j DROP
echo "no portfw started"
#echo "portfw started"

#forward rules
iptables -t nat -A POSTROUTING -s $inner_nw1 -o $outer_nic -j MASQUERADE
#iptables -t nat -A POSTROUTING -s $inner_nw1 -o inner_nic2 \
#-j MASQUERADE
iptables -A FORWARD -i $inner_nic1 -j ACCEPT
#iptables -A FORWARD -i $inner_nic2 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#ipsec rule for NETBIOS/SAMBA over the tunnel
iptables -A FORWARD -i ipsec0 -j ACCEPT
#clean up a bad syn which needs a specific rule
iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
#clean these up as well
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m unclean -j DROP
#Final default policy
iptables -P FORWARD DROP
echo "FORWARD rules now in place"

#INPUT rules
#specific ipsec lines
iptables -A INPUT -s $lh_fwall -p udp --dport 500 -j ACCEPT
iptables -A INPUT -s $lh_fwall -p 50 -j ACCEPT
iptables -A INPUT -s $lh_fwall -p 51 -j ACCEPT
echo "ipsec rules in place"

#general
iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! $outer_nic -j ACCEPT
#allow ping replies (may not be desired)
iptables -A INPUT -p icmp -s 0/0 --icmp-type echo-request -j ACCEPT
iptables -P INPUT DROP
echo "INPUT rules now in place"

#limit logging levels to save clutter and /var from being swamped
#iptables -A FORWARD -m limit --limit 3/m -j LOG
#iptables -A FORWARD -j LOG
echo "log limiting in place"

#specific defence rules eg DoS attacks
#syn-flood protection
iptables -A FORWARD -p tcp --syn -m limit  -j ACCEPT
#furtive port scanner
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit
#ping of death
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit
echo "DoS defences setup"

exit

This is a basic setup and probably needs further work, however after tests with nmap and various other attacks it does look secure.

Firewalling script for a host

*************NB*****THIS****HAS***NOT****BEEN****TESTED****YET!**********

Generally you want ip_forwarding turned off and the firewall scripts to be available automatically at boot, to do this we create a firewall script and make sure forwarding is off in /etc/network/options.

nat-fw-up

#!/bin/bash
#NAT iptables rule
#NB this script is not secure its still being worked on!
#ssj 6/10/01
#NB this has not been tested yet! its an example!

#setup some constants

outer_nic="eth0"
echo "firewall constants setup"

#load any modules needed for connection tracking
#allow passive ftp
/sbin/modprobe ip_conntrack_ftp
echo "started connection tracking"

#FORWARD rules
iptables -P FORWARD DROP
echo "FORWARD rules now in place."

#INPUT rules
#allow ssh to the firewall from any NIC
iptables -A INPUT -p tcp --syn --dport 22 -j ACCEPT
#enable these as needed for services (some may need to be tcp and udp eg Netbios)
#iptables -A INPUT -p tcp --syn --dport 25 -j ACCEPT
#iptables -A INPUT -p tcp --syn --dport 80 -j ACCEPT
#iptables -A INPUT -p tcp --syn --dport 110 -j ACCEPT
#iptables -A INPUT -p tcp --syn --dport 113 -j ACCEPT
#iptables -A INPUT -p tcp --syn --dport 137 -j ACCEPT
#iptables -A INPUT -p tcp --syn --dport 138 -j ACCEPT
#iptables -A INPUT -p tcp --syn --dport 139 -j ACCEPT
#iptables -A INPUT -p tcp --syn --dport 143 -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#allow ping replies (may not be wanted)
iptables -A INPUT -p ICMP -s 0/0 --icmp-type echo-request -j ACCEPT
iptables -P INPUT DROP
echo "INPUT rules now in place."

#limit logging levels
iptables -A FORWARD -m limit -j LOG
echo "log limiting in place"

#specific defence rules eg DoS attacks
#syn-flood protection
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT
#furtive port scanner
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit \
--limit 1/s -j ACCEPT
#ping of death
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit \
--limit 1/s -j ACCEPT
echo "Dos defences set up."

exit

Copyright Thing 8/12/2001 to be used freely without restriction, however if this page is copied to your own web site please drop me a line with the URL - thanks.

The Debian logo is a trademark of Debian, who in no way endorse or take responsibility for information on this site.