[Nottingham] Broadband - where does the cable modem need to go?

Duncan John Fyfe nottingham at mailman.lug.org.uk
Fri Mar 14 22:48:00 2003


On Thu, 13 Mar 2003, David Luff wrote:


> These iptable things seem very complicated... :-(
>

ok, I'll bite.
Here is the iptables script from my firewall.  It is a hand crafted (fouled ?)
job.
I've changed a few numbers to N's to protect the guilty, so fill them in
as required.  Not all of them are necessary; some are there because this is a handy place to store them should I need them.  I've also retained a few bits of cruft from other folks' scripts which I don't need.

It should give you something you can build on -- just don't assume it is perfect (for one thing it trusts anything on the LAN side completely).
Enjoy.

Have fun,
Duncan


<cut here>
#!/bin/sh

# Interfaces: eth0 faces the cable modem, eth1 faces the LAN.
INET_IFACE="eth0"
LAN_IFACE="eth1"

# Addressing of the LAN side of this box.
LAN_IP="192.168.1.1"
LAN_IP_RANGE="192.168.1.0/24"
LAN_BROADCAST_ADDRESS="192.168.1.255"

# NTL CABLE MODEM -- anonymised (NN).  Neither value is referenced by any
# rule in this script; they are kept here for convenience.
NTL_MODEM_IP="NN.NN.NN.NN"
NTL_MODEM_MAC="NN:NN:NN:NN:NN:NN"

# DHCP assumed if INET_IFACE != ppp0.  This is the only Internet-side host
# the rules allow to talk to the local DHCP client port (presumably the
# ISP's DHCP server).
DHCP_SERVER="62.254.0.21"
# Set to "yes" to clamp TCP MSS to PMTU (PPPoE links); see POSTROUTING.
PPPOE_PMTU="no"

# Used as -s/-d in the self chain, so the name must resolve when iptables
# loads those rules.
HOSTNAME=$(hostname)

LO_IFACE="lo"
LO_IP="127.0.0.1"

IPTABLES="/sbin/iptables"

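# Kernel modules for the tables, matches and targets the rules below use.
# iptables normally auto-loads these on demand, so the list is belt and
# braces, but it documents what the ruleset depends on.  ipt_state
# (-m state) and ipt_REJECT (the REJECT target used by RLOG and
# bad_tcp_packets) were missing from the original list and are now loaded
# alongside the rest.
for mod in ip_conntrack ip_tables iptable_filter iptable_mangle iptable_nat \
           ipt_state ipt_LOG ipt_limit ipt_REJECT ipt_MASQUERADE; do
	/sbin/modprobe "$mod"
done

#
# Extra modules which may be of use
#
# ipt_TCPMSS is only needed when PPPOE_PMTU="yes" (see POSTROUTING); the
# ftp/irc helpers are only needed if you want active FTP / DCC through NAT.
#
#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_TCPMSS
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc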

###########################################################################
#
# THE RULES
#

# FLUSH ALL TABLES AND CHAINS

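# Default policies FIRST, then flush.  Doing it the other way round leaves
# the box with ACCEPT policies and no rules for the moment between the
# flush and the policy change; this order also means that if anything later
# in the script fails to load, the result is fail-closed rather than open.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# Flush the rules and delete user chains in every table this script touches,
# so a re-run starts from a clean slate.  -X, like -F, is per table: the
# original only deleted user chains in the filter table.
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -t mangle -F
$IPTABLES -t mangle -X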

#
#  Logging Chains
#

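# DLOG: log, then DROP.  The LOG rule is rate limited (same numbers as the
# OUTPUT chain uses) so that a flood of dropped packets cannot fill the
# logs; the DROP itself is unconditional.
$IPTABLES -N DLOG
$IPTABLES -A DLOG -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "drop: " --log-tcp-options --log-ip-options
$IPTABLES -A DLOG -j DROP

# RLOG: log, then REJECT -- TCP gets a RST, anything else the default ICMP
# port-unreachable.  REJECT answers the sender, so unlike DLOG it confirms
# that this host exists and it generates a reply per packet received;
# prefer DLOG where there is nobody legitimate to answer.
$IPTABLES -N RLOG
$IPTABLES -A RLOG -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "reject: " --log-tcp-options --log-ip-options
$IPTABLES -A RLOG -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A RLOG -j REJECT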

#########
#  TCP  #
#########

# BAD_TCP_PACKETS

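# bad_tcp_packets: the first thing INPUT, FORWARD and OUTPUT jump to.
#  - a NEW connection whose first packet is not a SYN (stray ACKs, some
#    scans) is logged and answered with a RST.  The LOG is now rate
#    limited; the original one was unbounded and trivially floodable;
#  - on the Internet interface, every NEW or INVALID TCP packet is rejected
#    here, which is what stops the per-port rules in tcp_packets from ever
#    opening an inbound connection from the cable side;
#  - INVALID from anywhere else is rejected too.
# When entered from OUTPUT the -i rule cannot match (locally generated
# packets have no input interface), so it is inert there.
$IPTABLES -N bad_tcp_packets
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -i $INET_IFACE -m state --state NEW,INVALID -j RLOG
$IPTABLES -A bad_tcp_packets -m state --state INVALID -j RLOG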

# TCP_ALLOWED

# tcp_allowed: the terminal chain for TCP ports we serve.  A connection
# opening SYN is accepted, as is anything conntrack already associates
# with a connection; everything else is logged and dropped.
$IPTABLES --new-chain tcp_allowed
$IPTABLES --append tcp_allowed --protocol tcp --syn --jump ACCEPT
$IPTABLES --append tcp_allowed --protocol tcp --match state --state ESTABLISHED,RELATED --jump ACCEPT
$IPTABLES --append tcp_allowed --protocol tcp --jump DLOG

# TCP_PACKETS

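# tcp_packets: TCP that the interface-wide rules in INPUT/FORWARD did not
# already accept.  NEW TCP from the Internet interface never reaches this
# chain (bad_tcp_packets rejects it first), so in practice it only sees
# packets that arrived on the LAN interface with a source address outside
# LAN_IP_RANGE.
$IPTABLES -N tcp_packets
# Replies from a DNS server on the LAN.  As originally written this matched
# on source port alone, which is a classic hole: anything arriving on the
# LAN wire with sport 53 reached every TCP port on this box regardless of
# its source address.  The source is now pinned to the LAN range, the same
# way the ssh/http/ident rules below already do it (replies to our own
# queries are accepted by the state rule in INPUT anyway).
$IPTABLES -A tcp_packets -i $LAN_IFACE -p tcp -s $LAN_IP_RANGE --sport 53 -j tcp_allowed
# DHCP is UDP; these TCP 67/68 rules are kept from the original but are
# not expected to match anything.
$IPTABLES -A tcp_packets -i $LAN_IFACE -p tcp --sport 68 --dport 67 -j tcp_allowed
$IPTABLES -A tcp_packets -i $INET_IFACE -p tcp --sport 68 --dport 67 -j RLOG
[ "$INET_IFACE" != "ppp0" ] && $IPTABLES -A tcp_packets -i $INET_IFACE -p tcp -s $DHCP_SERVER --sport 67 --dport 68 -j ACCEPT

# No FTP to this box from anywhere.
$IPTABLES -A tcp_packets -p tcp --dport 21 -j REJECT
# Services offered to LAN addresses on the LAN interface only: ssh, http, ident.
$IPTABLES -A tcp_packets -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE --dport 22 -j tcp_allowed
$IPTABLES -A tcp_packets -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE --dport 80 -j tcp_allowed
$IPTABLES -A tcp_packets -p tcp -i $LAN_IFACE -s $LAN_IP_RANGE --dport 113 -j tcp_allowed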

#########
#  UDP  #
#########


# DHCP port conventions, as seen by this box:
#   packets TO our dhclient (offers/acks from the ISP) have sport=67 dport=68
#   packets TO our dhcpd    (requests from the LAN)    have sport=68 dport=67
# UDP_PACKETS

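# udp_packets: consulted from both INPUT and FORWARD for UDP that the
# interface-wide LAN rules did not already accept.
$IPTABLES -N udp_packets
# Protect logs from Microsoft inspired overload: Windows networking noise
# (135-139) from the cable segment is dropped silently, ahead of anything
# that would log it.
$IPTABLES -A udp_packets -p udp -i $INET_IFACE --dport 135:139 -j DROP
# One specific noisy host, kept from the original.
$IPTABLES -A udp_packets -p udp -s 10.145.167.254 -j REJECT
# DNS replies from a resolver on the LAN.  The original matched on "--sport
# 53" alone, so anything on the LAN wire could reach every UDP port on this
# box -- and, because FORWARD uses this chain too, be forwarded anywhere --
# just by sending from port 53.  The source is now pinned to the LAN range.
$IPTABLES -A udp_packets -i $LAN_IFACE -p udp -s $LAN_IP_RANGE --sport 53 -j ACCEPT
# DHCP requests from LAN clients to the dhcpd on this box ...
$IPTABLES -A udp_packets -i $LAN_IFACE -p udp --sport 68 --dport 67 -j ACCEPT
# ... but never from the Internet side.
$IPTABLES -A udp_packets -i $INET_IFACE -p udp --sport 68 --dport 67 -j REJECT
# DHCP offers/acks to our own client, only from the configured server.
[ "$INET_IFACE" != "ppp0" ] && $IPTABLES -A udp_packets -i $INET_IFACE -p udp -s $DHCP_SERVER --sport 67 --dport 68 -j ACCEPT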

##########
#  ICMP  #
##########

# icmp_packets: only echo-request (let people ping us) and time-exceeded
# (traceroute replies) are accepted unconditionally.  ICMP errors that
# belong to an existing connection are already accepted by the
# ESTABLISHED,RELATED rules in INPUT/FORWARD; anything else falls back
# out of this chain to the final LOG and the DROP policy.
$IPTABLES --new-chain icmp_packets
#$IPTABLES --append icmp_packets --protocol icmp --jump ACCEPT
$IPTABLES --append icmp_packets --protocol icmp --icmp-type echo-request --jump ACCEPT
$IPTABLES --append icmp_packets --protocol icmp --icmp-type time-exceeded --jump ACCEPT

##########
#  SELF  #
##########

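# self: traffic on the loopback interface.  The original matched explicit
# address pairs built from `hostname`, which requires that name to resolve
# (via /etc/hosts or DNS) at the moment the rules are loaded; if it does
# not, those rules simply fail to load and services reached via the host's
# own address may lose loopback access.  Everything that arrives on lo was
# generated by this box, so the interface alone is the right thing to
# match on -- no name resolution involved.
$IPTABLES -N self
$IPTABLES -A self -i $LO_IFACE -j ACCEPT
$IPTABLES -A self -j RETURN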


###################
##  INPUT CHAIN  ##
###################

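# INPUT: packets addressed to this box.
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
$IPTABLES -A INPUT -j self

# Replies to connections this box (or, via NAT, a LAN host) opened.
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The LAN is fully trusted: anything from a LAN address on the LAN interface
# reaches every service on this box.  The per-port rules in tcp_packets
# therefore only matter for LAN-interface packets with a foreign source.
$IPTABLES -A INPUT -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -i $LAN_IFACE -d $LAN_BROADCAST_ADDRESS -j ACCEPT
# Drop multicast from the cable segment quietly.  224.0.0.0/4 is the whole
# multicast range (the original /8 only covered 224.x.x.x), and DLOG rather
# than RLOG: there is nobody to reject to, and the kernel does not generate
# ICMP errors for multicast destinations anyway (RFC 1122).
$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/4 -j DLOG

# Per-protocol chains; whatever they do not ACCEPT/REJECT/DROP falls through
# to the log below and then to the DROP policy.
$IPTABLES -A INPUT -p tcp -j tcp_packets
$IPTABLES -A INPUT -p udp -j udp_packets
$IPTABLES -A INPUT -p icmp -j icmp_packets
# Rate limited: an unlimited LOG at the tail of a DROP-policy chain lets any
# scanner or broadcast storm on the cable segment fill /var/log.
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "IPT Falling off INPUT: " --log-tcp-options --log-ip-options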

#
# The LOG rule above records whatever fell through INPUT without matching;
# the chain's DROP policy then discards it.
#

#####################
##  FORWARD CHAIN  ##
#####################

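# FORWARD: packets routed between the LAN and the Internet.  Only traffic
# from a LAN address on the LAN interface is forwarded; replies come back
# through the state rule.  bad_tcp_packets runs first, so NEW TCP arriving
# on the Internet interface is rejected before anything here could accept it.
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Kept from the original: nothing that is being forwarded arrived on lo, so
# this jump is not expected to match anything.
$IPTABLES -A FORWARD -j self
$IPTABLES -A FORWARD -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A FORWARD -i $LAN_IFACE -d $LAN_BROADCAST_ADDRESS -j ACCEPT
# Per-protocol chains for whatever the LAN rules did not cover (in practice
# LAN-interface packets carrying a non-LAN source address).
$IPTABLES -A FORWARD -p tcp -j tcp_packets
$IPTABLES -A FORWARD -p udp -j udp_packets
$IPTABLES -A FORWARD -p icmp -j icmp_packets
# Rate limited: an unlimited LOG ahead of the DROP policy is a log-flooding
# vector for anything the cable segment sends our way.
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-prefix "IPT Falling off FORWARD: " --log-tcp-options --log-ip-options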

####################
##  OUTPUT CHAIN  ##
####################

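# OUTPUT: packets generated by this box.  Effectively everything is allowed
# out -- all traffic leaving via the Internet interface plus anything sourced
# from the loopback or LAN address; what is left is logged (rate limited)
# and then hits the DROP policy.
$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets
$IPTABLES -A OUTPUT -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -s $LAN_IP -j ACCEPT

$IPTABLES -A OUTPUT -o $INET_IFACE -j ACCEPT
# Kept from the original; both are already covered by the -o rule above when
# the DHCP server and DNS are reached via INET_IFACE, and they do no harm.
$IPTABLES -A OUTPUT -d $DHCP_SERVER -j ACCEPT
$IPTABLES -A OUTPUT -o $INET_IFACE -p udp --dport 53 -j ACCEPT

# The original had a rate-limited LOG, a rate-limited DROP and then an
# UNLIMITED LOG, so once the limit was exceeded every further packet was
# logged without bound before the policy dropped it.  One rate-limited LOG
# plus the DROP policy gives the same outcome (everything reaching this
# point is dropped) with bounded logging.
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: " --log-tcp-options --log-ip-options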

##################
#   POSTROUTING  #
##################

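# MSS clamping for PPPoE links.  Two fixes relative to the original:
#  - "==" inside [ ] is a bash-ism; under the #!/bin/sh shebang (dash, ash)
#    it is a syntax error, so the POSIX "=" is used;
#  - TCPMSS is documented for the mangle table, not nat (older kernels refuse
#    it elsewhere), and it is only applied to SYNs leaving via the Internet
#    interface.
if [ "$PPPOE_PMTU" = "yes" ] ; then
	$IPTABLES -t mangle -A POSTROUTING -o $INET_IFACE -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
fi

# NAT: only the LAN range is masqueraded.  FORWARD already restricts what
# can be forwarded, but pinning -s here is cheap defence in depth -- a later
# mistake in FORWARD cannot turn this box into an open NAT for anything
# that manages to get routed through it.
$IPTABLES -t nat -A POSTROUTING -s $LAN_IP_RANGE -o $INET_IFACE -j MASQUERADE

# Forwarding is switched on last, once the FORWARD chain is fully loaded.
echo "1" > /proc/sys/net/ipv4/ip_forward

# Other proc options.  rp_filter (reverse-path filtering) makes the kernel
# drop packets whose source address would not be routed back out of the
# interface they arrived on -- a cheap anti-spoofing check that is safe on a
# two-interface router like this and worth enabling.  proxy_arp and
# ip_dynaddr are only needed for special setups.
#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr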
</cut here>