Linux Software / Network & Internet / Networking Tools

NAT iptables firewall script

Date Added: November 07, 2010 | Visits: 2.217

Report Broken Link
Printer Friendly Version

Product Homepage
Download (104 downloads)

NAT iptables firewall script is an iptables firewall script. This script is meant to be run once per boot the rules will be double added if you try to run it twice if you need to add another rule during runtime, change the -A to a -I to add it to the top of the list of rules if you use -A it will go at the end after the reject rule. Sample: # interface definitions BAD_IFACE=eth0 DMZ_IFACE=eth1 DMZ_ADDR=x.x.x.96/28 GOOD_IFACE=eth2 GOOD_ADDR=192.168.1.0/24 MASQ_SERVER=x.x.x.98 FTP_SERVER=x.x.x.100 MAIL_SERVER=x.x.x.99 MAIL_SERVER_INTERNAL=192.168.1.3 # testing #set -x ip route del x.x.x.96/28 dev $BAD_IFACE ip route del x.x.x.96/28 dev $DMZ_IFACE ip route add x.x.x.97 dev $BAD_IFACE ip route add x.x.x.96/28 dev $DMZ_IFACE # we need proxy arp for the dmz network echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp # turn on ip forwarding echo 1 > /proc/sys/net/ipv4/ip_forward # turn on antispoofing protection for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done # flush all rules in the filter table #iptables -F # flush built in rules iptables -F INPUT iptables -F OUTPUT iptables -F FORWARD # deny everything for now iptables -A INPUT -j DROP iptables -A FORWARD -j DROP iptables -A OUTPUT -j DROP # make the chains to define packet directions # bad is the internet, dmz is our dmz, good is our masqed network iptables -N good-dmz iptables -N bad-dmz iptables -N good-bad iptables -N dmz-good iptables -N dmz-bad iptables -N bad-good iptables -N icmp-acc # accept related packets iptables -A FORWARD -m state --state INVALID -j DROP iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT # internal client masqing iptables -t nat -A POSTROUTING -s $GOOD_ADDR -o $BAD_IFACE -j SNAT --to $MASQ_SERVER # mail server masqing iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport smtp -j DNAT --to $MAIL_SERVER_INTERNAL:25 iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport http -j DNAT --to $MAIL_SERVER_INTERNAL:80 iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport https -j DNAT --to $MAIL_SERVER_INTERNAL:443 # to allow the above to work you need something like # iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT # set which addresses jump to which chains iptables -A FORWARD -s $GOOD_ADDR -o $DMZ_IFACE -j good-dmz iptables -A FORWARD -s $GOOD_ADDR -o $BAD_IFACE -j good-bad iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $BAD_IFACE -j dmz-bad iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $GOOD_IFACE -j dmz-good iptables -A FORWARD -o $DMZ_IFACE -j bad-dmz iptables -A FORWARD -o $GOOD_IFACE -j bad-good # drop anything that doesnt fit these iptables -A FORWARD -j LOG --log-prefix "chain-jump " iptables -A FORWARD -j DROP # icmp acceptance iptables -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT iptables -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT iptables -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT iptables -A icmp-acc -p icmp --icmp-type echo-request -j ACCEPT iptables -A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT # iptables -A icmp-acc -j LOG --log-prefix "icmp-acc " iptables -A icmp-acc -j DROP # from internal to dmz iptables -A good-dmz -p tcp --dport smtp -j ACCEPT iptables -A good-dmz -p tcp --dport pop3 -j ACCEPT iptables -A good-dmz -p udp --dport domain -j ACCEPT iptables -A good-dmz -p tcp --dport domain -j ACCEPT iptables -A good-dmz -p tcp --dport www -j ACCEPT iptables -A good-dmz -p tcp --dport https -j ACCEPT iptables -A good-dmz -p tcp --dport ssh -j ACCEPT iptables -A good-dmz -p tcp --dport telnet -j ACCEPT iptables -A good-dmz -p tcp --dport auth -j ACCEPT iptables -A good-dmz -p tcp --dport ftp -j ACCEPT iptables -A good-dmz -p tcp --dport 1521 -j ACCEPT iptables -A good-dmz -p icmp -j icmp-acc iptables -A good-dmz -j LOG --log-prefix "good-dmz " iptables -A good-dmz -j DROP # from external to dmz iptables -A bad-dmz -p tcp --dport smtp -j ACCEPT iptables -A bad-dmz -p udp --dport domain -j ACCEPT iptables -A bad-dmz -p tcp --dport domain -j ACCEPT iptables -A bad-dmz -p tcp --dport www -j ACCEPT iptables -A bad-dmz -p tcp --dport https -j ACCEPT iptables -A bad-dmz -p tcp --dport ssh -j ACCEPT iptables -A bad-dmz -p tcp -d $FTP_SERVER --dport ftp -j ACCEPT iptables -A bad-dmz -p icmp -j icmp-acc iptables -A bad-dmz -j LOG --log-prefix "bad-dmz " iptables -A bad-dmz -j DROP # from internal to external iptables -A good-bad -j ACCEPT # iptables -t nat -A POSTROUTING -o $BAD_IFACE -j SNAT --to $MASQ_SERVER #iptables -A good-bad -p tcp -j MASQ #iptables -A good-bad -p udp -j MASQ #iptables -A good-bad -p icmp -j MASQ #ipchains -A good-bad -p tcp --dport www -j MASQ #ipchains -A good-bad -p tcp --dport ssh -j MASQ #ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ #ipchains -A good-bad -p tcp --dport ftp -j MASQ #ipchains -A good-bad -p icmp --icmp-type ping -j MASQ #ipchains -A good-bad -j REJECT -l # from dmz to internal # iptables -A dmz-good -p tcp ! --syn --sport smtp -j ACCEPT iptables -A dmz-good -p tcp --dport smtp -j ACCEPT iptables -A dmz-good -p tcp --sport smtp -j ACCEPT iptables -A dmz-good -p udp --sport domain -j ACCEPT iptables -A dmz-good -p tcp ! --syn --sport domain -j ACCEPT iptables -A dmz-good -p tcp ! --syn --sport www -j ACCEPT iptables -A dmz-good -p tcp ! --syn --sport ssh -j ACCEPT iptables -A dmz-good -p tcp -d 192.168.1.34 --dport smtp -j ACCEPT iptables -A dmz-good -p icmp -j icmp-acc iptables -A dmz-good -j LOG --log-prefix "dmz-good " iptables -A dmz-good -j DROP # from dmz to external iptables -A dmz-bad -p tcp --dport smtp -j ACCEPT iptables -A dmz-bad -p tcp --sport smtp -j ACCEPT iptables -A dmz-bad -p udp --dport domain -j ACCEPT iptables -A dmz-bad -p tcp --dport domain -j ACCEPT iptables -A dmz-bad -p tcp --dport www -j ACCEPT iptables -A dmz-bad -p tcp --dport https -j ACCEPT iptables -A dmz-bad -p tcp --dport ssh -j ACCEPT iptables -A dmz-bad -p tcp --dport ftp -j ACCEPT iptables -A dmz-bad -p tcp --dport whois -j ACCEPT iptables -A dmz-bad -p tcp --dport telnet -j ACCEPT iptables -A dmz-bad -p udp --dport ntp -j ACCEPT # ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ iptables -A dmz-bad -p icmp -j icmp-acc iptables -A dmz-bad -j LOG --log-prefix "dmz-bad " iptables -A dmz-bad -j DROP # from external to internal iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT iptables -A bad-good -p tcp --dport http -d $MAIL_SERVER_INTERNAL -j ACCEPT iptables -A bad-good -p tcp --dport https -d $MAIL_SERVER_INTERNAL -j ACCEPT iptables -A bad-good -j LOG --log-prefix "bad-good " iptables -A bad-good -j REJECT # rules for this machine itself iptables -N bad-if iptables -N dmz-if iptables -N good-if # set up the jumps to each chain iptables -A INPUT -i $BAD_IFACE -j bad-if iptables -A INPUT -i $DMZ_IFACE -j dmz-if iptables -A INPUT -i $GOOD_IFACE -j good-if # external iface iptables -A bad-if -p icmp -j icmp-acc iptables -A bad-if -j ACCEPT #ipchains -A bad-if -i ! ppp0 -j DENY -l #ipchains -A bad-if -p TCP --dport 61000:65095 -j ACCEPT #ipchains -A bad-if -p UDP --dport 61000:65095 -j ACCEPT #ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT #ipchains -A bad-if -j icmp-acc #ipchains -A bad-if -j DENY # dmz iface iptables -A bad-if -p icmp -j icmp-acc iptables -A dmz-if -j ACCEPT # internal iface iptables -A good-if -p tcp --dport ssh -j ACCEPT iptables -A good-if -p ICMP --icmp-type ping -j ACCEPT iptables -A good-if -p ICMP --icmp-type pong -j ACCEPT iptables -A good-if -j icmp-acc iptables -A good-if -j DROP # remove the complete blocks iptables -D INPUT 1 iptables -D FORWARD 1 iptables -D OUTPUT 1.

Requirements: No special requirements

Platforms: Linux

Keyword: -j, Accept, Dmz, Drop, Forward, Icmp, Iface, Iptables, Iptables Firewall, Iptables Firewall Script, Mail, Masq, Nat, Server, Tcp

Users rating: 0/10

License: Freeware

USER REVIEWS

More Reviews or Write Review

NAT IPTABLES FIREWALL RELATED

Utilities - IPTables Firewall Script 0.1 IPTables Firewall Script contains two example firewall scripts "rc.firewall.iptables. Ive tried here to give some brief documentation for the IPTables firewall scripts contained in this directory. If youre not familiar with IPTables functionality...	440.32 KB
Networking Tools - dirwall 0.11 dirwall is a small iptables firewall script that keeps the iptables rules separate from the script. The rules are stored in separate files so that other packages may maintain them. The dirwall rules are located in...	102.4 KB
Networking Tools - HardWall Firewall 15 Stable-7 HardWall Firewall is an iptables firewall script that provides port forwarding, packet filtering, stateful packet inspection, port redirection, masquerading, SNAT, DNAT, NAT, and bridging. HardWall Firewall functions as both a workstation...	33.79 KB
Networking Tools - IP-Array 0.05.72 IP-Array is a Linux iptables firewall script written in bash. IP-Array allows the creation of precise, stateful rules, while remaining easy to configure. Goals: An easy to configure firewall - still leaving the user the possiblillity to...	71.68 KB
Utilities - uruk 20051129 Uruk is an iptables firewall script that is useful if you need similar packet filtering configurations on multiple machines. It uses a template file for source addresses and network services. Next are the generic installation instructions. The...	92.16 KB
Networking Tools - DNS Blacklist Packet Filter 0.6 Beta1 DNS Blacklist Packet Filter project is a Linux netfilter client that decides whether to accept or drop packets based on the results of a DNS blacklist query (such as MAPS, SORBS, or SPEWS, to name a few). One use is to filter all incoming SMTP...	163.84 KB
Firewalls - PHPips Easy Firewall Generator 1.17 Easy Firewall Generator is a Web application that generates an iptables firewall script designed either for a single system connected to the Internet or for a system acting as a gateway/firewall for a small private network. The generator prompts...	40.96 KB
Development Editors - Comm Tunnel 2.2.0.78 Comm Tunnel is a free tool to connect endpoints. It builds a tunnel between endpoints. The endpoints can be any of serial port, TCP/IP server, TCP/IP client or UDP. The data received on one endpoint will be forward to anther fourt endpoints. It...	44.52 KB
Server Management - PWP-OWA 0.9.6 PWP-OWA is a PHP-based drop-in replacement for Oracle's Apache/mod_plsql combination, or Oracle Internet Application Server (iAS), allowing for execution of PL/SQL Web Toolkit applications on any PHP-friendly Web server (Apache, IIS, iPlanet, etc.)
Utilities - Easy Firewall Generator for IPTables 1.17 Easy Firewall Generator for IPTables simply generate script for setting iptables. Advantage is its simplicity, because this program is written in PHP. I have generalized it to include a number of features that are commonly used, but it is...	36.86 KB

NEW DOWNLOADS IN NETWORK & INTERNET, NETWORKING TOOLS

Network & Internet - Free WiFi Hotspot 3.3.1 Free WiFi Hotspot is a super easy solution to turn your laptop or notebook into a portable Wi-Fi hotspot, wirelessly sharing your internet connections like DSL, Cable, Bluetooth, Mobile Broadband Card, Dial-Up, etc. through the built-in wireless...	1.04 MB
Network & Internet - Easy Uploads 1.8 Easy uploads is a file storage media streaming application designed by Filestreamers that allows you to upload, store, and stream your files from their virtually unlimited file storage server. Easy Uploads can backup,share, and stream your files...	615.97 KB
Network & Internet - PacketFence ZEN 3.1.0 PacketFence is a fully supported, trusted, Free and Open Source network access control (NAC) system. Boosting an impressive feature set including a captive-portal for registration and remediation, centralized wired and wireless management, 802.1X...	1024 MB
Network & Internet - django-dbstorage 1.3 A Django file storage backend for files in the database.	10.24 KB
Network & Internet - SQL Inject Me 0.4.5 SQL Inject Me is a Firefox extension used to test for SQL Injection vulnerabilities. The tool works by submitting your HTML forms and substituting the form value with strings that are representative of an SQL Injection attack.	133.12 KB
Networking Tools - gvrpad 0.1 gvrpad is a daemon that makes GVRP announcements of all VLAN interfaces on a FreeBSD system. GVRP is the GARP VLAN Registration Protocol, defined in IEEE 802.1Q (VLANS); GARP is the Generic Attribute Registration Protocol, defined in 802.1D...	15.36 KB
Networking Tools - Cheops 0.61 Cheops is an Open Source Network User Interface. It is designed to be the network equivalent of a swiss-army knife, unifying your network utilities. Cheops is for the network what a file manager is for your filesystem..	317.44 KB
Networking Tools - ssh tunnel on demand 1.0 ssh tunnel on demand provides a script that creates an SSH tunnel on demand. ssh tunnel on demand is a script that makes it possible for a user to create an SSH tunnel to a server and connect to it without needing an account on the box or any...	13.31 KB
Networking Tools - strongSwan 4.1.5 strongSwan is an OpenSource IPsec implementation for the Linux operating system. strongSwan is an OpenSource IPsec implementation for the Linux operating system. In order to have a stable IPsec platform to base our future extensions of the X.509...	1.7 MB
Networking Tools - triggers 0.41 trigger is a lightweight, asynchronous notification mechanism to set off events in and across systems. The poor mans daily snapshot, glastree builds live backup trees, with branches for each day. Users directly browse the past to recover older...	14.34 KB

Windows Software	BeOS Software
Macintosh Software	Linux Software
PDA Software	OS/2 Software
Mobile Software	Scripts