Setting up a Linux Transparent Firewall
Jun 26 2002


Download the bridge-utils package

Download the kernel source 2.4.18 and extract it (in /usr/src/), or use the Red Hat kernel RPMs with the patched code.

Download netfilter (the latest version that works with 2.4.18)

Download the bridge/iptables kernel patch and apply it from the kernel source tree (patch -p1 < bridge-nf-yadayada.diff)

Compile the kernel; enable experimental options during configuration

Enable network packet filtering and all of its sub-options

Enable 802.1d bridging and netfilter firewalling support

Reboot into the new kernel, then extract and compile bridge-utils

Set up the interfaces, the bridge and the firewall (see /etc/rc.d/rc.inet1 and /etc/rc.d/rc.firewall below)

/etc/rc.d/rc.inet1 (slackware)

# Loopback only; the bridge itself carries no IP address
/sbin/ifconfig lo
/sbin/route add -net netmask lo

# Create bridge brg0 and attach both NICs to it
/usr/sbin/brctl addbr brg0
/usr/sbin/brctl addif brg0 eth0
/usr/sbin/brctl addif brg0 eth1
# All three interfaces run promiscuous so the bridge sees every frame
/sbin/ifconfig eth0 promisc
/sbin/ifconfig eth1 promisc
/sbin/ifconfig brg0 promisc
/sbin/route add default gw
# Connection-tracking helpers so RELATED FTP/IRC data channels match the state rules
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc


/etc/rc.d/rc.firewall (slackware)

iptables -F # Flush all rules
iptables -X # Delete user created chains

# Create chain valid_traffic
iptables -N valid_traffic
iptables -A valid_traffic -m state --state INVALID -j DROP # Drop bad states
iptables -A valid_traffic -m state --state RELATED,ESTABLISHED -j ACCEPT # Accept related/established

# Create chain for allow list
iptables -N all_allow
iptables -A all_allow -s -j ACCEPT # Damon
iptables -A all_allow -s -j ACCEPT # Shyra
iptables -A all_allow -s -j ACCEPT # Chris
iptables -A all_allow -s -j ACCEPT # Steve
iptables -A all_allow -s -j ACCEPT # VOIP Gateway out
iptables -A all_allow -d -j ACCEPT # VOIP Gateway in

# Create chain for all ICMP packets
iptables -N icmp_packets
iptables -A icmp_packets -p icmp --icmp-type 8/0 -s -j ACCEPT # Allow echo req out

# Create chain for all UDP packets
iptables -N udp_packets
iptables -A udp_packets -p udp -s --dport 53 -j ACCEPT # DNS out
iptables -A udp_packets -p udp -s --dport 123 -j ACCEPT # NTP out
iptables -A udp_packets -p udp -d --dport 53 -j ACCEPT # DNS in
iptables -A udp_packets -p udp -d --dport 53 -j ACCEPT # (only allow to local DNS)

# Create chain for TCP packets in
iptables -N tcp_in
iptables -A tcp_in -p tcp -d --dport 113 -j ACCEPT # Identd in
iptables -A tcp_in -p tcp -m multiport -d --dport 80,443 -j ACCEPT # ORG Main web
iptables -A tcp_in -p tcp -m multiport -d --dport 80,443 -j ACCEPT # Server in
iptables -A tcp_in -p tcp -d --dport 80 -j ACCEPT # ORG IT Web in
iptables -A tcp_in -p tcp -d --dport 25 -j ACCEPT # SMTP Server
iptables -A tcp_in -p tcp -d --dport 110 -j ACCEPT # POP
iptables -A tcp_in -p tcp -d --dport 21 -j ACCEPT # FTP Server

# Create chain for TCP packets out
iptables -N tcp_out
iptables -A tcp_out -p tcp -s --dport 80 -j ACCEPT # WWW out
iptables -A tcp_out -p tcp -s --dport 443 -j ACCEPT # Secure WWW out
iptables -A tcp_out -p tcp -s --dport 22 -j ACCEPT # SSH out
iptables -A tcp_out -p tcp -s --dport 21 -j ACCEPT # FTP out
iptables -A tcp_out -p tcp -s --dport 23 -j ACCEPT # Telnet out
iptables -A tcp_out -p tcp -s --dport 5190 -j ACCEPT # AIM out
iptables -A tcp_out -p tcp -s --dport 25 -j ACCEPT # SMTP out (only on mail server)

# Anti-spoofing on the mangle PREROUTING hook
# NOTE: as written both rules only ACCEPT; no rule here actually DROPs a packet
iptables -t mangle -A PREROUTING -i eth1 -s -j ACCEPT # Drop spoofed packets
iptables -t mangle -A PREROUTING -i eth0 ! -s -j ACCEPT

# Bridged traffic traverses FORWARD; user chains return here when nothing matched
iptables -A FORWARD -j valid_traffic # Pass all boxes to valid_traffic (check state)
iptables -A FORWARD -j all_allow # Check IP allow list
iptables -A FORWARD -p icmp -j icmp_packets # Send to ICMP packets chain if ICMP packet
iptables -A FORWARD -p udp -j udp_packets # Send to UDP packets chain if UDP packet
iptables -A FORWARD -p tcp -d -j tcp_in # Pass incoming TCP to tcp_in chain
iptables -A FORWARD -p tcp -s -j tcp_out # Pass outgoing TCP to tcp_out chain
iptables -A FORWARD -p tcp --sport 1024:2000 --dport 1024:2000 -j ACCEPT # Allow carbon copy in/out
iptables -A FORWARD -p udp --sport 1024:2000 --dport 1024:2000 -j ACCEPT # (Annoying exception)
iptables -A FORWARD -j DROP # Drop anything that didn't match
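The rule set above is only as good as its ordering, and the addresses the original rules carried are not reproduced on this page. The following added example (not part of the original document) is a small iptables-like evaluator that models the FORWARD policy above, with user chains that fall back to the caller when nothing matches, so the policy can be audited against sample packets before it is loaded. All addresses are constructed placeholders from the documentation ranges (192.0.2.0/24 stands in for the bridged LAN, 203.0.113.0/24 for the outside); it is assumed that the stripped -d on the tcp_in jump and the -s on the tcp_out rules refer to the LAN as a whole. The mangle PREROUTING rules are not modelled.

```python
# Added example: toy evaluator for the FORWARD policy above (not from the original page).
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

LAN = ip_network("192.0.2.0/24")   # assumed: the internal segment behind the bridge

def host(ip: str) -> IPv4Network:  # single host, as -s/-d <ip> would match
    return ip_network(ip + "/32")

WEB = host("192.0.2.80")      # constructed: "ORG Main web"
MAIL = host("192.0.2.25")     # constructed: SMTP/POP server
DNS = host("192.0.2.53")      # constructed: local DNS
DAMON = host("192.0.2.11")    # constructed: one all_allow entry
VOIP = host("192.0.2.40")     # constructed: VOIP gateway

@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    state: str = "NEW"         # what ip_conntrack would report; constructed here
    icmp_type: Optional[int] = None

@dataclass
class Rule:
    target: str                              # ACCEPT, DROP or a user chain name
    proto: Optional[str] = None
    src: Optional[IPv4Network] = None
    dst: Optional[IPv4Network] = None
    dports: tuple = ()                       # --dport / multiport list; () = any
    port_range: Optional[tuple] = None       # (lo, hi) applied to sport AND dport
    states: tuple = ()                       # -m state --state list; () = any
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        if self.proto and p.proto != self.proto:
            return False
        if self.src and ip_address(p.src) not in self.src:
            return False
        if self.dst and ip_address(p.dst) not in self.dst:
            return False
        if self.dports and p.dport not in self.dports:
            return False
        if self.port_range:
            lo, hi = self.port_range
            if not (lo <= p.sport <= hi and lo <= p.dport <= hi):
                return False
        if self.states and p.state not in self.states:
            return False
        if self.icmp_type is not None and p.icmp_type != self.icmp_type:
            return False
        return True

# The rc.firewall chains in the page's order, stripped addresses filled by placeholders.
CHAINS = {
    "valid_traffic": [Rule("DROP", states=("INVALID",)),
                      Rule("ACCEPT", states=("RELATED", "ESTABLISHED"))],
    "all_allow": [Rule("ACCEPT", src=DAMON), Rule("ACCEPT", src=VOIP), Rule("ACCEPT", dst=VOIP)],
    "icmp_packets": [Rule("ACCEPT", proto="icmp", src=LAN, icmp_type=8)],
    "udp_packets": [Rule("ACCEPT", proto="udp", src=LAN, dports=(53,)),
                    Rule("ACCEPT", proto="udp", src=LAN, dports=(123,)),
                    Rule("ACCEPT", proto="udp", dst=DNS, dports=(53,))],
    "tcp_in": [Rule("ACCEPT", proto="tcp", dst=WEB, dports=(80, 443)),
               Rule("ACCEPT", proto="tcp", dst=MAIL, dports=(25,)),
               Rule("ACCEPT", proto="tcp", dst=MAIL, dports=(110,))],
    "tcp_out": [Rule("ACCEPT", proto="tcp", src=LAN, dports=(80, 443, 22, 21, 23, 5190)),
                Rule("ACCEPT", proto="tcp", src=MAIL, dports=(25,))],
    "FORWARD": [Rule("valid_traffic"), Rule("all_allow"),
                Rule("icmp_packets", proto="icmp"), Rule("udp_packets", proto="udp"),
                Rule("tcp_in", proto="tcp", dst=LAN), Rule("tcp_out", proto="tcp", src=LAN),
                Rule("ACCEPT", proto="tcp", port_range=(1024, 2000)),  # "carbon copy"
                Rule("ACCEPT", proto="udp", port_range=(1024, 2000)),  # "annoying exception"
                Rule("DROP")],
}

def evaluate(chain: str, p: Packet) -> Optional[str]:
    """Walk one chain. A user chain that matches nothing returns None and the
    caller continues with its next rule, exactly as iptables does."""
    for rule in CHAINS[chain]:
        if not rule.matches(p):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        verdict = evaluate(rule.target, p)
        if verdict is not None:
            return verdict
    return None

def forward_verdict(p: Packet) -> str:
    # Built-in chains default to policy ACCEPT and the script never sets -P FORWARD DROP,
    # so only the trailing "-j DROP" rule closes the policy.
    return evaluate("FORWARD", p) or "ACCEPT"

if __name__ == "__main__":
    samples = {
        "LAN browsing out":         Packet("tcp", "192.0.2.10", "203.0.113.5", 40000, 80),
        "outside to web server":    Packet("tcp", "203.0.113.5", "192.0.2.80", 40000, 443),
        "outside SSH to a desktop": Packet("tcp", "203.0.113.5", "192.0.2.10", 40000, 22),
        "outside UDP 1500->1500":   Packet("udp", "203.0.113.5", "192.0.2.10", 1500, 1500),
        "invalid state":            Packet("tcp", "203.0.113.5", "192.0.2.10", 40000, 22, state="INVALID"),
    }
    for name, pkt in samples.items():
        print(f"{name:26} {forward_verdict(pkt)}")
```

Two things the sample packets make visible: the "annoying exception" accepts any UDP packet from outside to any inside host as long as both ports fall in 1024:2000, because it sits in FORWARD after the udp_packets chain has returned without a decision; and the policy depends entirely on the final "-j DROP" rule, since the script never sets a DROP default policy on FORWARD, so a script that fails part way after the flush leaves the bridge passing everything.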

