
is this iptables script correct???????????


pollux0
Mar 20, 2002
Can anyone tell me how this iptables script looks? Is it correct? Is it efficient? Is there anything in there that does not look right or should not be there? Is there anything I should add?

I am trying to set up a firewall/IP Masq. for an internal network. The firewall needs to accept ports 1444 & 1433 from 222.222.222.20

thanks in advance


#!/bin/sh

echo 0 > /proc/sys/net/ipv4/ip_forward

LAN_IP_NET='192.168.1.1/24'
LAN_NIC='eth1'
WAN_IP='222.22.222.22'
WAN_NIC='eth0'

iptables -t nat -F POSTROUTING
iptables -t nat -F PREROUTING
iptables -t nat -F OUTPUT
iptables -F
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT

# Start additional Rules
iptables -A INPUT -p tcp --source-port 1433 -s 222.222.222.20 -j ACCEPT
iptables -A INPUT -p tcp --source-port 1444 -s 222.222.222.20 -j ACCEPT
# End additional rules

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -A POSTROUTING -s $LAN_IP_NET -j MASQUERADE
iptables -A FORWARD -j ACCEPT -i $LAN_NIC -s $LAN_IP_NET
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

echo 1 > /proc/sys/net/ipv4/ip_forward
 

Well, I haven't used iptables that much yet but that looks weird???

Firstly, your line 'LAN_IP_NET='192.168.1.1/24' is incorrect. It should be 192.168.1.0/24 if you're trying to specify the network.

You specify no forward in your echo statement but then enable full forward later.

The next three lines make no sense in the context since I don't know what hooks you have specified there.

Then you give access to two ports on the firewall itself. Again I don't know what they're used for, but so far you won't get anything through to your network.

You should also be more clear about whether you want forwarding or masquerading.

Don't know how much this helps you but it looks like a complete mess to me.

Cheers Henrik Morsing
IBM Certified AIX 4.3 Systems Administration
 
#!/bin/sh

# only issue once as it will override the first with the
# second
echo 1 > /proc/sys/net/ipv4/ip_forward

LAN_IP_NET='192.168.1.0/24'
LAN_NIC='eth1'
WAN_IP='222.22.222.22'
WAN_NIC='eth0'

iptables -t nat -F
iptables -F

## it's better to drop as default, then set the traffic you
## want to allow - and any default should be set before the
## rest of the rules
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# Start additional Rules
## you should group rules by their chains or by their
## functions, not switch back and forth

## allow any traffic from Wan ip from ports 1433 and 1444
## in

iptables -A INPUT -p tcp --source-port 1433 -s 222.222.222.20 -j ACCEPT
iptables -A INPUT -p tcp --source-port 1444 -s 222.222.222.20 -j ACCEPT

# allow all traffic from established connections in
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# forward all traffic from local network
# better way:
# iptables -A FORWARD -i $LAN_NIC -o $WAN_NIC -s $LAN_IP_NET -d 0/0 -j ACCEPT

iptables -A FORWARD -j ACCEPT -i $LAN_NIC -s $LAN_IP_NET

# forward all establish/related traffic from anywhere to
# anywhere

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

## this is wrong
iptables -t nat -A POSTROUTING -s $LAN_IP_NET -j MASQUERADE


-- extra help: BOOK - LINUX Firewalls by Robert L. Ziegler (big help)
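An added example, not code from either poster in this thread: the script rewritten the way the two replies suggest (defaults set first, rules grouped by chain, a real network address for LAN_IP_NET, forwarding and masquerading tied to the WAN interface). It also assumes that "accept ports 1444 & 1433 from 222.222.222.20" means connections arriving at those ports on the firewall, so it matches with --dport instead of --source-port (the original --source-port rules match the peer's source port, which is an ephemeral port when a client connects in, so they would not admit those connections). The loopback rule, the NEW-state match, the DB_PEER variable, the mask_ok check and the emit_rules/apply_rules split are my additions; the IPTABLES variable lets you review the generated commands as an ordinary user (IPTABLES=echo ./fw.sh show) before applying them as root.

```shell
#!/bin/sh
# Added example: NAT/masquerade firewall for a LAN behind eth1, WAN on eth0.
# Values below mirror the thread; adjust for your own network.

LAN_IP_NET='192.168.1.0/24'          # network address: host bits must be zero
LAN_NIC='eth1'
WAN_NIC='eth0'
DB_PEER='222.222.222.20'             # assumed: remote host allowed to reach 1433/1444
IPTABLES="${IPTABLES:-iptables}"     # set IPTABLES=echo to preview without root

# mask_ok CIDR: succeeds only when the address is the base of its network
# (catches the 192.168.1.1/24 vs 192.168.1.0/24 mistake from the thread).
mask_ok() {
    cidr=$1
    addr=${cidr%/*}
    bits=${cidr#*/}
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    ip=$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq "$ip" ]
}

# emit_rules: print the iptables commands, grouped by chain, defaults first.
emit_rules() {
    cat <<EOF
$IPTABLES -t nat -F
$IPTABLES -F
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
# INPUT: traffic to the firewall host itself
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $WAN_NIC -p tcp -s $DB_PEER --dport 1433 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i $WAN_NIC -p tcp -s $DB_PEER --dport 1444 -m state --state NEW -j ACCEPT
# FORWARD: LAN hosts out via the WAN, replies back in
$IPTABLES -A FORWARD -i $LAN_NIC -o $WAN_NIC -s $LAN_IP_NET -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT: masquerade only what leaves through the WAN interface
$IPTABLES -t nat -A POSTROUTING -o $WAN_NIC -s $LAN_IP_NET -j MASQUERADE
EOF
}

# apply_rules: validate, load the rules, then enable forwarding (once).
apply_rules() {
    if ! mask_ok "$LAN_IP_NET"; then
        echo "LAN_IP_NET '$LAN_IP_NET' is not a network address" >&2
        return 1
    fi
    emit_rules | sh -e
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Usage: ./fw.sh show   (print the rules)   or   ./fw.sh apply   (as root)
case "${1:-}" in
    show)  emit_rules ;;
    apply) apply_rules ;;
esac
```

Forwarding is switched on only after the rules are loaded, so there is no window in which the box routes with an empty FORWARD chain; the original script's echo 0 / echo 1 pair was trying to do the same thing but left a wide-open ACCEPT policy in between.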


 