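# Setting up a Linux Transparent Firewall -- Jun 26 2002
# http://bridge.sourceforge.net/docs/Firewalling%20for%20Free.pdf
#
# Build steps (kernel 2.4.18 era):
#   1. Download the bridge-utils package.
#   2. Download kernel source 2.4.18 and extract it under /usr/src/, or use
#      the Red Hat kernel RPMs that already carry the patched code.
#   3. Download netfilter (the latest version that works with 2.4.18).
#   4. Download the bridge/iptables kernel patch and apply it from the
#      kernel tree:  patch -p1 < bridge-nf-<version>.diff
#   5. Compile the kernel: enable "experimental" during config, enable
#      network packet filtering and all of its sub-options, and enable
#      802.1d bridging with netfilter firewalling support.
#   6. Reboot, then extract and compile bridge-utils.
#   7. Set up the interfaces, the bridge and the firewall (see rc.inet1 and
#      rc.firewall below).
#
# Design note: the bridge device brg0 carries a public address for
# management, so the firewall host itself is reachable from both segments.
# FORWARD rules only cover bridged traffic; the host needs INPUT rules too.

##########################################################################
# /etc/rc.d/rc.inet1 (slackware)
##########################################################################
HOSTNAME=$(cat /etc/HOSTNAME)

# Loopback first so local services work even if the bridge fails to come up.
/sbin/ifconfig lo 127.0.0.1
/sbin/route add -net 127.0.0.0 netmask 255.0.0.0 lo

# Connection-tracking helpers: FTP data and IRC DCC channels are then
# matched as RELATED instead of needing wide-open port ranges.
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

# Load the ruleset BEFORE the bridge exists. iptables rules reference
# interfaces by name and do not need them to be present yet, and doing it
# in this order closes the window in which a freshly created bridge would
# forward unfiltered traffic (default policies are ACCEPT at boot).
/etc/rc.d/rc.firewall

# Bridge eth0 (outside) and eth1 (inside) into brg0. The physical ports carry
# no address and run promiscuous; only brg0 gets the management IP.
/usr/sbin/brctld
/usr/sbin/brctl addbr brg0
/usr/sbin/brctl addif brg0 eth0
/usr/sbin/brctl addif brg0 eth1
/sbin/ifconfig eth0 0.0.0.0 promisc
/sbin/ifconfig eth1 0.0.0.0 promisc
/sbin/ifconfig brg0 200.200.59.216 promisc
/sbin/route add default gw 200.200.59.1

##########################################################################
# /etc/rc.d/rc.firewall (slackware)
#
# Bridging firewall for 200.200.59.0/24. eth0 faces the Internet, eth1 faces
# the LAN (this is what the anti-spoof rules below imply); brg0 bridges them
# and holds the host's own address.
##########################################################################
LAN=200.200.59.0/24

# Fail closed first. If the script aborts part-way (missing module, typo),
# nothing is forwarded and nothing reaches the host. The original set no
# policy and relied on a trailing DROP rule, leaving FORWARD wide open
# between the flush and the last line of this script. NOTE: INPUT DROP
# means remote logins to the firewall survive only from hosts that the
# all_allow list admits; run this from the console the first time.
iptables -P INPUT DROP
iptables -P FORWARD DROP

# Flush the filter AND mangle tables. The anti-spoof rules live in mangle
# and were duplicated every time the original script was re-run, because
# a bare "iptables -F" only touches the filter table.
iptables -F
iptables -X
iptables -t mangle -F
iptables -t mangle -X

# CHAIN CREATION

# valid_traffic: state sanity. INVALID packets are dropped; replies and
# helper-tracked channels (FTP data, DCC) of known connections are accepted.
iptables -N valid_traffic
iptables -A valid_traffic -m state --state INVALID -j DROP
iptables -A valid_traffic -m state --state RELATED,ESTABLISHED -j ACCEPT

# all_allow: trusted hosts. Anything FROM these addresses is accepted before
# the per-protocol chains run, so they are not subject to tcp_out at all.
# The VOIP gateway is additionally reachable from anywhere on any port.
iptables -N all_allow
iptables -A all_allow -s 200.200.59.102 -j ACCEPT   # Damon
iptables -A all_allow -s 200.200.59.103 -j ACCEPT   # Shyra
iptables -A all_allow -s 200.200.59.100 -j ACCEPT   # Chris
iptables -A all_allow -s 200.200.59.226 -j ACCEPT   # Steve
iptables -A all_allow -s 200.200.59.106 -j ACCEPT   # VOIP Gateway out
iptables -A all_allow -d 200.200.59.106 -j ACCEPT   # VOIP Gateway in

# icmp_packets: only echo requests leaving the LAN. Echo replies and ICMP
# errors (e.g. fragmentation-needed) come back as RELATED via valid_traffic.
iptables -N icmp_packets
iptables -A icmp_packets -p icmp --icmp-type 8/0 -s "$LAN" -j ACCEPT   # Allow echo req out

# udp_packets: DNS and NTP out from the LAN, DNS in only to the local servers.
iptables -N udp_packets
iptables -A udp_packets -p udp -s "$LAN" --dport 53  -j ACCEPT          # DNS out
iptables -A udp_packets -p udp -s "$LAN" --dport 123 -j ACCEPT          # NTP out
iptables -A udp_packets -p udp -d 200.200.59.100 --dport 53 -j ACCEPT   # DNS in
iptables -A udp_packets -p udp -d 200.200.59.101 --dport 53 -j ACCEPT   # (only allow to local DNS)

# tcp_in: published services, one rule per host/port.
iptables -N tcp_in
iptables -A tcp_in -p tcp -d "$LAN" --dport 113 -j ACCEPT                          # Identd in (whole subnet)
iptables -A tcp_in -p tcp -m multiport -d 200.200.59.101 --dport 80,443 -j ACCEPT  # ORG Main web
iptables -A tcp_in -p tcp -m multiport -d 200.200.59.104 --dport 80,443 -j ACCEPT  # Server in
iptables -A tcp_in -p tcp -d 200.200.59.215 --dport 80  -j ACCEPT                  # ORG IT Web in
iptables -A tcp_in -p tcp -d 200.200.59.217 --dport 25  -j ACCEPT                  # SMTP Server
iptables -A tcp_in -p tcp -d 200.200.59.217 --dport 110 -j ACCEPT                  # POP (cleartext credentials)
iptables -A tcp_in -p tcp -d 200.200.59.215 --dport 21  -j ACCEPT                  # FTP Server (cleartext; data via ip_conntrack_ftp)

# tcp_out: what ordinary LAN hosts may open. SMTP is restricted to the mail
# server so a compromised workstation cannot relay directly.
iptables -N tcp_out
iptables -A tcp_out -p tcp -s "$LAN" --dport 80   -j ACCEPT             # WWW out
iptables -A tcp_out -p tcp -s "$LAN" --dport 443  -j ACCEPT             # Secure WWW out
iptables -A tcp_out -p tcp -s "$LAN" --dport 22   -j ACCEPT             # SSH out
iptables -A tcp_out -p tcp -s "$LAN" --dport 21   -j ACCEPT             # FTP out
iptables -A tcp_out -p tcp -s "$LAN" --dport 23   -j ACCEPT             # Telnet out (cleartext; consider removing)
iptables -A tcp_out -p tcp -s "$LAN" --dport 5190 -j ACCEPT             # AIM out
iptables -A tcp_out -p tcp -s 200.200.59.217 --dport 25 -j ACCEPT       # SMTP out (only on mail server)

# END CHAIN CREATION

# BEGIN PACKET TRAVERSAL

# Anti-spoofing. The original placed these in mangle PREROUTING, where the
# bridge-nf patch of this era still exposes the physical port as -i (the
# FORWARD chain only sees brg0), so they stay here. The original rules
# ACCEPTed the legitimate case and never dropped anything, i.e. they were
# no-ops; these drop the mismatch instead.
iptables -t mangle -A PREROUTING -i eth0 -s "$LAN"   -j DROP   # outside packet claiming an inside source
iptables -t mangle -A PREROUTING -i eth1 ! -s "$LAN" -j DROP   # inside host emitting a foreign source

# Bridged traffic.
iptables -A FORWARD -j valid_traffic            # state check first
iptables -A FORWARD -j all_allow                # trusted-host list
iptables -A FORWARD -p icmp -j icmp_packets
iptables -A FORWARD -p udp  -j udp_packets
iptables -A FORWARD -p tcp -d "$LAN" -j tcp_in  # incoming TCP
iptables -A FORWARD -p tcp -s "$LAN" -j tcp_out # outgoing TCP
# "Carbon copy" exception kept from the original. WARNING: this accepts NEW
# TCP and UDP connections on every port 1024-2000 in BOTH directions between
# ANY two hosts, from the Internet included. Restrict it to the carbon copy
# host(s) with -s/-d before relying on the rest of this ruleset.
iptables -A FORWARD -p tcp --sport 1024:2000 --dport 1024:2000 -j ACCEPT
iptables -A FORWARD -p udp --sport 1024:2000 --dport 1024:2000 -j ACCEPT
iptables -A FORWARD -j DROP                     # explicit, mirrors the policy

# Traffic addressed to the firewall host itself (brg0's address). Absent in
# the original, which left the management address open to everything.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -j valid_traffic
iptables -A INPUT -j all_allow                  # same trusted hosts as above
iptables -A INPUT -j DROP

# OUTPUT policy stays ACCEPT so the host's own DNS/NTP/SSH still work.

# END PACKET TRAVERSAL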