LinuxQuestions.org
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
Old 09-09-2005, 02:36 AM   #1
colabus
Member
 
Registered: Mar 2004
Distribution: Debian Sarge, FC4
Posts: 100
Firewall Security / Gateway Routing


Howdy all..

I have my network set up with ppp0 as the front end to the net, which serves as gateway/router to the other 2 boxes on net IPs (not NAT).

Anyhow, I originally was using NAT and wrote the firewall using INPUT to block data. I think now I need to write it using different rules, because each of the other machines is getting every connection attempt coming through.

My firewall goes something like this:
Code:
#!/bin/sh
# Gateway firewall: ppp0 faces the Internet and routes a public /29 (no NAT).

iptables=/sbin/iptables
modprobe=/sbin/modprobe
mynetwork=A.B.C.144/29        # the routed block (not referenced below)

# Flushing tables (this runs for every action, including stop)
$iptables -F
$iptables -t nat -F

# Enable routing between ppp0 and the internal network

echo "1" > /proc/sys/net/ipv4/ip_forward

# Loading connection-tracking helpers for IRC and FTP

$modprobe ip_conntrack_irc
$modprobe ip_nat_irc
$modprobe ip_conntrack_ftp
$modprobe ip_nat_ftp

# Functions
# A, B and C below are placeholder port numbers.

allowPorts () {
        case "$1" in
                permit)
                        $iptables -A INPUT -i ppp0 -p tcp --destination A.B.C.146 --dport A -j ACCEPT
                        $iptables -A INPUT -i ppp0 -p tcp --destination A.B.C.146 --dport B -j ACCEPT
                        $iptables -A INPUT -i ppp0 -p tcp --destination A.B.C.146 --dport C -j ACCEPT
                        $iptables -A INPUT -i ppp0 -p tcp --destination A.B.C.146 --dport 146 -j ACCEPT
                ;;

                forward)
                        # No FORWARD rules yet. Routed packets never traverse INPUT,
                        # so nothing above limits what reaches the other hosts.
                ;;
        esac
}
blockAll () {
        # Everything else arriving on ppp0 (-p all is the default match anyway)
        $iptables -A INPUT -i ppp0 -p all -j DROP
}

# Switch
case "$1" in
        start|restart|reload)
                # PERMIT SELECTED PORTS
                # INPUT only sees packets addressed to the gateway itself.
                $iptables -A INPUT -i ppp0 -p tcp --destination A.B.C.143 --dport 22 -j ACCEPT
                $iptables -A INPUT -i ppp0 -p tcp --destination A.B.C.143 --dport 80 -j ACCEPT
                $iptables -A INPUT -i ppp0 -p tcp --destination A.B.C.145 --dport 22 -j ACCEPT
                $iptables -A INPUT -i ppp0 -p tcp --destination A.B.C.145 --dport 80 -j ACCEPT
                $iptables -A INPUT -i ppp0 -p tcp --destination A.B.C.146 --dport 113 -j ACCEPT
                allowPorts permit

                # ALLOW INCOMING BASED ON EXISTING
                # Anything NEW from an interface other than ppp0 (the internal side).
                # "! -i" is the negation syntax current iptables accepts; 2005-era
                # releases wrote it as "-i ! ppp0", a form newer releases deprecate.
                $iptables -A INPUT -m state --state NEW ! -i ppp0 -j ACCEPT
                $iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

                # BLOCK REMAINING
                blockAll

                # ETHERNET PORT FORWARDING
                allowPorts forward

                echo "Firewall rules loaded successfully!"
                ;;

        stop|kill|drop)
                # Chains were already flushed above; the default ACCEPT policies remain.
                echo "Firewall rules unloaded successfully!"
                ;;

        paranoid|insane)
                # ALLOW INCOMING SSH (to the gateway only)
                $iptables -A INPUT -i ppp0 -p tcp --dport 22 -j ACCEPT

                # BLOCK REMAINING
                blockAll

                echo "Firewall rules loaded successfully! Only allowing SSH connections."
                ;;

        *)
                echo "Usage: /etc/init.d/firewall (start|stop|reload|restart|paranoid)"
                exit 1
                ;;

esac

exit 0
Sort of ignore the opened port access and the A, B, Cs, but you should get the idea.

143 is the gateway and I want only 22 and 80 open on it; as for the remaining network, I want 22 and 80 open on 145 and the rest DROPPED.

I guess more than anything I'm after the command. I tried using -A FORWARD but that blocked outgoing traffic too.


Please, any help would be great!
 
Old 09-13-2005, 11:15 PM   #2
Simon Bridge
LQ Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211
The best way of opening only the few ports you want and leaving everything else closed off is to set policy DROP on all chains. Then explicitly open the ports you want.

Why did you stop using NAT?
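Added example to go with the reply above and with the FORWARD problem raised in the question; this is not code posted by either participant. It sets policy DROP on INPUT, FORWARD and OUTPUT as the reply suggests, then opens only what is needed, including the FORWARD rules that let the routed hosts make outbound connections while limiting inbound NEW connections to 22 and 80 on one host. Assumed, and to be replaced: ppp0 as the Internet-facing interface, eth0 as the internal interface, the RFC 5737 documentation range 203.0.113.144/29 standing in for A.B.C.144/29, 203.0.113.145 as the internal host that may receive 22 and 80, and the function names fw_load, fw_dry_run and fw_check, which are this example's own.

```shell
#!/bin/sh
# Added example (not code from the thread): default-DROP gateway firewall for a
# host that routes a public /29 behind ppp0 without NAT.
#
# Assumed names and addresses, all stand-ins to be replaced:
WAN=${WAN:-ppp0}                    # Internet-facing interface
LAN=${LAN:-eth0}                    # interface toward the routed /29
NET=${NET:-203.0.113.144/29}        # routed block (documentation range, stands in for A.B.C.144/29)
INHOST=${INHOST:-203.0.113.145}     # the one internal host allowed to receive 22 and 80
IPT=${IPT:-/sbin/iptables}
SYSCTL=${SYSCTL:-/sbin/sysctl}
# Setting IPT and SYSCTL to "echo" prints the rules instead of loading them.

fw_load() {
    # Policies first, then flush: there is never a moment with empty chains and
    # an ACCEPT policy. Existing TCP sessions just retransmit through the gap.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -F
    $IPT -t nat -F
    $IPT -X

    # Loopback, and packets conntrack cannot classify.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A FORWARD -m state --state INVALID -j DROP

    # Anti-spoofing: a packet from the Internet must not claim an internal source.
    $IPT -A INPUT -i "$WAN" -s "$NET" -j DROP
    $IPT -A FORWARD -i "$WAN" -s "$NET" -j DROP

    # Replies to connections already allowed, in every direction.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # INPUT: packets addressed to the gateway itself. Only 22 and 80 from the
    # Internet; the internal side may reach the gateway freely.
    $IPT -A INPUT -i "$WAN" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$WAN" -p tcp --dport 80 -m state --state NEW -j ACCEPT
    $IPT -A INPUT -i "$LAN" -s "$NET" -m state --state NEW -j ACCEPT

    # OUTPUT: the gateway may originate connections.
    $IPT -A OUTPUT -m state --state NEW -j ACCEPT

    # FORWARD: routed packets traverse this chain, not INPUT, so this is what
    # decides what reaches the other hosts. Outbound from the /29 is open;
    # inbound NEW connections are limited to 22 and 80 on INHOST.
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$NET" -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$INHOST" -p tcp --dport 22 -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i "$WAN" -o "$LAN" -d "$INHOST" -p tcp --dport 80 -m state --state NEW -j ACCEPT

    # Turn routing on only after the rules are in place.
    $SYSCTL -w net.ipv4.ip_forward=1
}

# Print the commands fw_load would issue, without touching netfilter.
fw_dry_run() {
    ( IPT=echo; SYSCTL=echo; fw_load )
}

# Check the dry-run output against the intent: DROP policy on all three chains,
# exactly two NEW-connection ACCEPTs from WAN into the LAN, and the anti-spoof
# DROP placed before any FORWARD ACCEPT.
fw_check() {
    rules=$(fw_dry_run)
    printf '%s\n' "$rules" | grep -q -- '^-P INPUT DROP$'   || return 1
    printf '%s\n' "$rules" | grep -q -- '^-P FORWARD DROP$' || return 1
    printf '%s\n' "$rules" | grep -q -- '^-P OUTPUT DROP$'  || return 1
    n=$(printf '%s\n' "$rules" | grep -c -- "^-A FORWARD -i $WAN -o $LAN .*--state NEW -j ACCEPT$")
    [ "$n" -eq 2 ] || return 1
    spoof=$(printf '%s\n' "$rules" | grep -n -- "^-A FORWARD -i $WAN -s $NET -j DROP$" | cut -d: -f1)
    first_accept=$(printf '%s\n' "$rules" | grep -n -- '^-A FORWARD .*-j ACCEPT$' | head -n1 | cut -d: -f1)
    [ -n "$spoof" ] && [ "$spoof" -lt "$first_accept" ]
}

case "${1:-dry-run}" in
    start)   fw_load ;;
    check)   fw_check && echo "rules pass checks" ;;
    dry-run) fw_dry_run ;;
    *)       echo "Usage: $0 (start|check|dry-run)" ;;
esac
```

Run it with `check` or `dry-run` before `start`, especially when the shell you are typing into arrives over ppp0: the ESTABLISHED,RELATED rule keeps that session alive across a reload, but a typo in the WAN interface name would lock you out. The reply's point is the `-P ... DROP` lines: with those set, every ACCEPT is a deliberate exception, and the question's problem disappears because packets for the other hosts go through FORWARD, where only the two rules for INHOST let new connections in.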