Stateful firewall [Solved]


Stateful firewall [Solved]

Postby goodnewz » Sun Jul 06, 2008 16:58

Hola !

I've been looking for a stateful firewall tutorial and stumbled upon the firewall tutorial below. I was wondering if anyone has anything to add to it, and whether anything needs to be added or changed when using it on Sabayon 3.5?

http://gentoo-wiki.com/HOWTO_Iptables_and_stateful_firewalls
Last edited by goodnewz on Tue Aug 12, 2008 23:15, edited 1 time in total.

Re: Stateful firewall

Postby goodnewz » Tue Aug 12, 2008 23:11

For the lazier ones: here is my install adaptation of the wiki firewall above, with a friendlier look. Be sure to check it against the wiki code, since I adapted it to my own configuration. Note that it only configures iptables (IPv4) — ip6tables is not touched — and the default SERVICES list exposes ftp (a plaintext protocol) and ssh to the uplink, so trim it to the services you actually run.

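# Install the firewall as /etc/init.d/firewall.
#
# The here-doc delimiter is QUOTED ('EOF') on purpose: with a bare EOF the
# interactive shell expands $1, ${UPLINK}, ${x} and the basename substitutions
# while *writing* the file, so the installed script would read 'case "" in'
# and call iptables with empty interface names. Quoting keeps the script text
# literal so that expansion happens when the script runs.
cat > /etc/init.d/firewall << 'EOF'
#!/bin/bash
#
# Stateful iptables firewall for a laptop, workstation, router or server.
# Adapted from http://gentoo-wiki.com/HOWTO_Iptables_and_stateful_firewalls
#
# Usage: firewall < start | stop | restart | rules >
#
# Scope and caveats:
#  - IPv4 only: ip6tables is never touched, so if IPv6 is enabled on this
#    host its traffic is not filtered by this script.
#  - Only the INPUT chain is filtered. With ROUTER="yes" the FORWARD chain
#    keeps whatever policy it already has; add FORWARD rules if the LAN
#    must be restricted.
#  - This is a plain bash script, not a baselayout/OpenRC runscript
#    (#!/sbin/runscript). Confirm that "rc-update add firewall default"
#    really starts it at boot on your release, or convert it to a runscript.

#### Colors (interpreted by echo -e at runtime)
white="\e[1;37m"
gray="\e[1;30m"
yellow="\e[1;33m"
cyan="\e[1;36m"
blue="\e[1;34m"
green="\e[1;32m"
purple="\e[1;35m"
red="\e[1;31m"
brown="\e[0;33m"

#### Configuration

# Interface that provides your "uplink" (connection to the Internet).
UPLINK="eth0"

# "yes" if this host forwards IP packets between interfaces (it is a router),
# otherwise "no".
ROUTER="no"

# NAT for a router: the static IP of the uplink interface (used for SNAT),
# "dynamic" for a dynamic IP (MASQUERADE), or "" to disable NAT.
NAT=""

# All network interfaces, including lo; rp_filter is enabled on each.
INTERFACES="lo eth0"

# Port numbers or symbolic names (from /etc/services) of the TCP services to
# offer to the general public, i.e. reachable from ${UPLINK}; "" for none.
# Think twice before exposing a plaintext service such as ftp, and note that
# passive-FTP data connections are only matched as RELATED when the conntrack
# FTP helper (nf_conntrack_ftp / ip_conntrack_ftp) is loaded.
SERVICES="ftp ssh"

#### Helpers

# Kernel knobs applied on every start, independent of the rule set.
fw_sysctl() {
        # Explicitly disable ECN (kept from the original script).
        if [ -e /proc/sys/net/ipv4/tcp_ecn ]; then
                echo 0 > /proc/sys/net/ipv4/tcp_ecn
        fi

        # Reverse-path filtering on every interface: packets whose source
        # address is not routable back out the arrival interface are dropped
        # (basic anti-spoofing).
        local iface
        for iface in ${INTERFACES}; do
                echo 1 > /proc/sys/net/ipv4/conf/${iface}/rp_filter
        done
}

# Forwarding and NAT, only when this host is configured as a router.
# Stopping the firewall does not clear ip_forward again (same as the original).
fw_nat() {
        [ "$ROUTER" = "yes" ] || return 0

        # We route between interfaces, so enable IP forwarding.
        echo 1 > /proc/sys/net/ipv4/ip_forward

        if [ "$NAT" = "dynamic" ]; then
                # Dynamic IP address: use masquerading.
                echo "Enabling masquerading (dynamic ip)..."
                iptables -t nat -A POSTROUTING -o ${UPLINK} -j MASQUERADE
        elif [ -n "$NAT" ]; then
                # Static IP: NAT holds the address itself. (The original used
                # an undefined ${UPIP} here, which made SNAT fail.)
                echo "Enabling SNAT (static ip)..."
                iptables -t nat -A POSTROUTING -o ${UPLINK} -j SNAT --to ${NAT}
        fi
}

# Build the INPUT chain. Safe to call repeatedly: the chain is flushed first,
# after the policy is set to DROP, so rules never accumulate and there is no
# window with an open chain.
fw_start() {
        iptables -P INPUT DROP
        iptables -F INPUT
        iptables -t nat -F POSTROUTING

        # Trust everything that does not arrive on the uplink (lo, LAN side).
        # "! -i" is the extrapositioned negation; "-i !" is deprecated.
        iptables -A INPUT ! -i ${UPLINK} -j ACCEPT

        # Replies to connections we initiated, plus related traffic
        # (ICMP errors, helper-tracked data connections).
        iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

        # Public TCP services: accept only NEW connections here, everything
        # else for them is already covered by the ESTABLISHED,RELATED rule.
        local svc
        for svc in ${SERVICES}; do
                iptables -A INPUT -p tcp --dport ${svc} -m state --state NEW -j ACCEPT
        done

        # Remaining TCP/UDP from the uplink is actively rejected so clients
        # fail fast; any other protocol falls through to the DROP policy.
        iptables -A INPUT -p tcp -i ${UPLINK} -j REJECT --reject-with tcp-reset
        iptables -A INPUT -p udp -i ${UPLINK} -j REJECT --reject-with icmp-port-unreachable

        fw_sysctl
        fw_nat
}

# Open the INPUT chain again and drop any NAT/masquerading rules.
fw_stop() {
        iptables -F INPUT
        iptables -P INPUT ACCEPT
        # Turn off NAT/masquerading, if any.
        iptables -t nat -F POSTROUTING
}

fw_usage() {
        local prog
        prog=$(basename "$0")
        echo -e "${prog}: Stateful firewall script"
        echo -e "http://gentoo-wiki.com/HOWTO_Iptables_and_stateful_firewalls"
        echo -e ""
        echo -e "Usage: ${prog} < start | stop | restart | rules >"
        echo -e ""
        echo -e "  start      ->  Starts the firewall"
        echo -e "                 Example: \"${prog} start\""
        echo -e ""
        echo -e "  stop       ->  Stops the firewall"
        echo -e "                 Example: \"${prog} stop\""
        echo -e ""
        echo -e "  restart    ->  Restarts the firewall."
        echo -e "                 Example: \"${prog} restart\""
        echo -e ""
        echo -e "  rules       -> View the rules"
        echo -e "                 Example: \"${prog} rules\""
        echo -e ""
}

#### Main

case "$1" in
        start)
                echo -e ""
                echo -e "${red}  [ ${yellow} Starting the firewall ${red} ] ${white}"
                fw_start
                ;;

        stop)
                echo -e ""
                echo -e "${red}  [ ${yellow} Stopping the firewall ${red} ] ${white}"
                fw_stop
                ;;

        restart)
                echo -e ""
                echo -e "${red}  [ ${yellow} Restarting the firewall ${red} ] ${white}"
                fw_stop
                echo -e "${red}   > > ${yellow} firewall stopped ${white}"
                fw_start
                echo -e "${red}   > > ${yellow} firewall restarted ${white}"
                ;;

        rules)
                echo -e ""
                echo -e "${red}  [ ${yellow} Firewall Rules ${red} ] ${white}"
                iptables -v -L INPUT
                ;;

        *)
                fw_usage
                ;;
esac

exit 0
EOF

chmod +x /etc/init.d/firewall

# Start at boot (see the runscript caveat in the script header).
rc-update add firewall default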

