Simple Firewall for a single interface box running SSH on 50022, HTTP and FTP
# Generated by iptables-save v1.4.2 on Mon May 28 14:48:55 2012
# Edited from the original save: return traffic is matched by conntrack state instead of by
# source port (a --sport ACCEPT lets any host in that chooses that source port), the rate-limit
# pair sits before the catch-all LOGGING jump (after it, it was never evaluated), and LOGGING
# logs before it drops (the original dropped first, so nothing was ever logged).
# FTP: modprobe nf_conntrack_ftp (ip_conntrack_ftp on older kernels) so passive and active
# data connections are classified RELATED and pass the state rule below.
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [113711:279050685]
:LOGGING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
# replies to this box's own outbound traffic (DNS, SMTP, HTTP, FTP data)
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50022 -j ACCEPT
# FTP control channel; active-mode data leaves from port 20 and is covered by OUTPUT ACCEPT + RELATED
-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
# the 10th new HTTP connection from one source within 60 s is dropped (--set runs first, so the current packet counts)
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A INPUT -i eth0 -p tcp -m tcp --dport 80 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 --name DEFAULT --rsource -j DROP
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -j LOGGING
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: " --log-level 7
-A LOGGING -j DROP
COMMIT
# Completed on Mon May 28 14:48:55 2012
http://www.cyberciti.biz/faq/iptables-connection-limits-howto/
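The defects in a ruleset like the one above are easy to miss in a long iptables-save dump: ACCEPTs keyed on the remote source port, rules appended after an unconditional jump into a chain that always drops, a LOG placed after the DROP in the same chain, exact duplicates, and a DROP-policy INPUT chain with no conntrack rule. The following script is an added example, not part of the original notes or of the iptables tooling: it parses iptables-save text and reports those five patterns. SAMPLE_RULES is a constructed dump modelled on the first ruleset on this page. The chain walk is a simplification: any rule with match criteria is treated as conditional and the criteria themselves are not evaluated, so it finds ordering mistakes, not overlapping matches.

```python
"""Audit an iptables-save dump for the ordering and state-matching mistakes shown above."""
import shlex
from collections import Counter

TERMINAL = {"ACCEPT", "DROP", "REJECT"}   # targets that end processing for the packet
SPORT_OPTS = {"--sport", "--source-port", "--sports", "--source-ports"}
STATE_OPTS = {"--state", "--ctstate"}


def parse(text):
    """Return (policies, rules): policy per (table, chain) and rule dicts in file order."""
    policies, rules, table = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            policies[(table, name)] = policy
        elif line.startswith("-A "):
            toks = shlex.split(line)
            j = toks.index("-j") if "-j" in toks else len(toks)   # iptables-save emits -j last
            rules.append({"table": table, "chain": toks[1], "criteria": toks[2:j],
                          "target": toks[j + 1] if j + 1 < len(toks) else None,
                          "line": lineno, "text": line})
    return policies, rules


def always_terminates(chain, by_chain, seen=()):
    """True if no packet entering this user chain can get back to the calling chain."""
    if chain in seen:
        return False
    for r in by_chain.get(chain, []):
        if r["criteria"]:                      # conditional: only some packets end here
            if r["target"] == "RETURN":
                return False
            continue
        if r["target"] in TERMINAL:
            return True
        if r["target"] == "RETURN":
            return False
        if always_terminates((chain[0], r["target"]), by_chain, seen + (chain,)):
            return True                        # unconditional jump into a dead-end chain
    return False


def lint(text):
    """Return sorted (line, code, message) findings; line 0 refers to the table as a whole."""
    policies, rules = parse(text)
    by_chain, findings, seen = {}, [], Counter()
    for r in rules:
        by_chain.setdefault((r["table"], r["chain"]), []).append(r)
        c = set(r["criteria"])
        if r["target"] == "ACCEPT" and c & SPORT_OPTS and not c & STATE_OPTS:
            findings.append((r["line"], "sport-accept",
                             "accepts on source port alone; any host can pick its source port"))
        if seen[r["text"]]:
            findings.append((r["line"], "duplicate", "identical rule already present"))
        seen[r["text"]] += 1
    for (table, chain), chain_rules in by_chain.items():
        dead_from = None                       # line of the first rule that ends every packet
        for r in chain_rules:
            if dead_from:
                findings.append((r["line"], "unreachable",
                                 f"never evaluated: line {dead_from} ends every packet in {chain}"))
            elif not r["criteria"] and (r["target"] in TERMINAL or r["target"] == "RETURN"
                                        or always_terminates((table, r["target"]), by_chain)):
                dead_from = r["line"]
    inp = by_chain.get(("filter", "INPUT"), [])
    if policies.get(("filter", "INPUT")) == "DROP" and not any(
            "ESTABLISHED" in tok for r in inp for tok in r["criteria"]):
        findings.append((0, "no-conntrack", "INPUT policy DROP without an ESTABLISHED,RELATED rule"))
    return sorted(findings)


# Constructed dump modelled on the first ruleset on this page (not a real box's configuration).
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:LOGGING - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50022 -j ACCEPT
-A INPUT -p tcp -m tcp --sport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50022 -j ACCEPT
-A INPUT -j LOGGING
-A INPUT -p tcp -m tcp --dport 80 -m state --state NEW -m recent --set --name DEFAULT --rsource
-A LOGGING -j DROP
-A LOGGING -m limit --limit 2/min -j LOG --log-prefix "IPTables Packet Dropped: "
COMMIT
"""

if __name__ == "__main__":
    for line, code, msg in lint(SAMPLE_RULES):
        print(f"line {line:3d}  {code:13s} {msg}")
```

To check a live box, pipe the dump in and call lint(sys.stdin.read()) instead of SAMPLE_RULES; a clean ruleset returns an empty list. A user chain that ends in RETURN (the fail2ban-SSH chain further down this page) is correctly treated as non-terminating, so rules after a jump to it are not reported.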
Drop an address range on a PPP interface (the interface must be given explicitly)
Find the offending source first, leaving your own SSH session out of the capture:
tcpdump -tnli ppp2 not port 50022
iptables -A INPUT -p tcp -i ppp2 -s 88.208.0.0/16 -j DROP
-A appends, so the DROP lands after any ACCEPT rules already in INPUT; use -I INPUT instead to put it at the top.
Rate limiting HTTP
The pair must come before the rule that accepts port 80. The first rule records the source and, having no -j, always falls through; the second drops the 10th new connection from that source within 60 seconds:
iptables -A INPUT -p tcp --dport 80 -i ppp2 -m state --state NEW -m recent --set
iptables -A INPUT -p tcp --dport 80 -i ppp2 -m state --state NEW -m recent --update --seconds 60 --hitcount 10 -j DROP
Rate Limiting SSH
The same pair inside the Red Hat default chain, dropping the 4th new SSH connection per source within 60 seconds:
-A RH-Firewall-1-INPUT -m state --state NEW -m recent -p tcp --dport 22 --set
-A RH-Firewall-1-INPUT -m state --state NEW -m recent -p tcp --dport 22 --update --seconds 60 --hitcount 4 -j DROP
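The --set / --update pair is compact, but its behaviour is easy to misjudge: --update counts the hits recorded for the source within the last --seconds, the current packet included because --set ran first, and matches once they reach --hitcount; a dropped packet is itself recorded as a hit, so a client that keeps retrying stays blocked until it has been quiet for a whole window. The following model is an added example, not part of the original notes or of the xt_recent kernel module. It simplifies xt_recent (a single list, --rsource only, no --rttl, the default ip_pkt_list_tot of 20 stamps per source) and runs a constructed sequence of connection attempts from two RFC 5737 documentation addresses through the HTTP pair above.

```python
"""Model of the -m recent --set / --update --seconds S --hitcount N rule pair."""
from collections import deque

LIST_SIZE = 20              # xt_recent keeps at most ip_pkt_list_tot (default 20) stamps per source
ATTACKER = "203.0.113.9"    # constructed addresses from the RFC 5737 documentation ranges
LEGIT = "198.51.100.7"


class RecentList:
    """Simplified xt_recent table: per-source hit timestamps, newest last."""

    def __init__(self):
        self.stamps = {}

    def set(self, src, now):
        """--set: record a hit for src, creating the entry; never a match by itself."""
        self.stamps.setdefault(src, deque(maxlen=LIST_SIZE)).append(now)

    def update(self, src, now, seconds, hitcount):
        """--update --seconds --hitcount: match when src is listed with at least hitcount
        hits in the last `seconds`; a match also records this packet as a fresh hit."""
        stamps = self.stamps.get(src)
        if stamps is None:
            return False
        hits = sum(1 for t in stamps if now - t <= seconds)
        if hits < hitcount:
            return False
        stamps.append(now)
        return True


def simulate(attempts, seconds=60, hitcount=10):
    """Run (time, src) NEW connections through the two rules; return (time, src, verdict)."""
    table = RecentList()
    verdicts = []
    for now, src in attempts:
        table.set(src, now)                                 # rule 1: --set, no -j, always falls through
        if table.update(src, now, seconds, hitcount):       # rule 2: --update ... -j DROP
            verdicts.append((now, src, "DROP"))
        else:
            verdicts.append((now, src, "ACCEPT"))           # reaches the later --dport 80 -j ACCEPT
    return verdicts


def verdicts_for(verdicts, src):
    """Verdicts for one source address, in time order."""
    return [v for _, s, v in verdicts if s == src]


# Constructed traffic: one source opens 12 connections in 12 s, goes quiet, then retries at
# 65 s and 72 s; an unrelated client connects once in the middle of the burst.
ATTEMPTS = sorted([(t, ATTACKER) for t in range(12)] + [(5, LEGIT), (65, ATTACKER), (72, ATTACKER)])

if __name__ == "__main__":
    for now, src, verdict in simulate(ATTEMPTS):
        print(f"t={now:3d}s  {src:14s} {verdict}")
```

With --hitcount 10 the 10th connection inside the window is the first one dropped, so nine get through; the retry at 65 s is still dropped because the drops at 9, 10 and 11 s were recorded as hits and keep the window alive, and only the retry at 72 s, after a quiet minute, is accepted again. The other client is unaffected because --rsource keeps one counter per source address. Hosts behind one NAT share a source address and therefore one counter, which is why the limit is applied to NEW connections only and should be generous for HTTP.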
Drop a single internal IP
iptables -A INPUT -s 192.168.20.163 -j DROP
Drop a range
iptables -A INPUT -p tcp --destination-port 22 -m iprange --src-range 192.168.1.100-192.168.1.200 -j DROP
Stop a range from browsing the web through this gateway (HTTP only; drop the --destination-port match to block all forwarded TCP from the range)
iptables -A FORWARD -p tcp --destination-port 80 -m iprange --src-range 192.168.0.100-192.168.0.223 -j DROP
A nice firewall to allow SSH on port 22 from South African addresses only
Country block lists: http://www.ipdeny.com/ipblocks/data/countries/za.zone (check an ADSL line's current address with whatsmyip.org)
It runs together with fail2ban and rate limiting, for the case where port 22 has to stay open for some reason.
# Generated by iptables-save v1.4.7 on Mon Mar 19 15:01:10 2012
# Edited from the original save: the recent-match pair now sits before the per-country ACCEPTs.
# In the original order the South African ranges were accepted before the rate limit was
# consulted and every other source already fell to the DROP policy, so the pair never dropped anything.
*filter
:INPUT DROP [1:44]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [43:7196]
:fail2ban-SSH - [0:0]
# fail2ban keeps its jump at the top and inserts -s <banned ip> rules into its chain as it bans
-A INPUT -p tcp -m tcp --dport 22 -j fail2ban-SSH
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50022 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
# the 4th new SSH connection from one source within 60 s is dropped, whatever its country
-A INPUT -p tcp -m state --state NEW -m recent --set --name DEFAULT --rsource -m tcp --dport 22
-A INPUT -p tcp -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --name DEFAULT --rsource -m tcp --dport 22 -j DROP
# port 22 only from the listed /16s; every other source hits the DROP policy
-A INPUT -s 196.14.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 41.185.0.0/16 -p tcp -m tcp --dport 22 -j ACCEPT
-A fail2ban-SSH -j RETURN
COMMIT
# Completed on Mon Mar 19 15:01:10 2012
Set up a simple firewall
# iptables -P INPUT ACCEPT (set the policy to accept first so the flush below cannot lock you out)
# iptables -F
# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT (replies to this box's own connections, DNS answers included)
# iptables -A INPUT -p icmp -j ACCEPT
# iptables -A INPUT -p tcp --dport 50022 -j ACCEPT
# iptables -P INPUT DROP
# iptables -P FORWARD DROP
# iptables -P OUTPUT ACCEPT
# iptables -L -v
# iptables-save > /etc/sysconfig/iptables
No --sport 53 rule is needed for lookups: conntrack tracks UDP as well, so the answer to an outbound DNS query is ESTABLISHED and passes the state rule. An ACCEPT keyed on source port 53 would instead admit any host that simply sends from port 53.
# Generated by iptables-save v1.4.7 on Tue Mar 13 11:36:16 2012
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [3:348]
-A INPUT -i lo -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 50022 -j ACCEPT
# no --sport 53 rule: DNS answers are ESTABLISHED to conntrack, and a source-port ACCEPT would admit anyone sending from port 53
COMMIT
# Completed on Tue Mar 13 11:36:16 2012
Simple NAT
Enable forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward (takes effect immediately, lost on reboot)
vi /etc/sysctl.conf (set net.ipv4.ip_forward = 1)
grep forwa /etc/sysctl.conf
sysctl -p /etc/sysctl.conf
cat /proc/sys/net/ipv4/ip_forward
/etc/init.d/network restart
cat /proc/sys/net/ipv4/ip_forward (should still print 1)
Redirect port 8080 on the public address to port 80 on the target, and source-NAT the forwarded packets so the target's replies come back through this box instead of going straight to the client (the target then sees every client as 32.64.128.200):
iptables -t nat -A PREROUTING -p tcp -d 32.64.128.200 --dport 8080 -j DNAT --to-destination 216.239.59.105:80
iptables -t nat -A POSTROUTING -o eth0 -d 216.239.59.105 -j SNAT --to-source 32.64.128.200
Forwarded packets are still filtered by the FORWARD chain; with the DROP policy used in the firewalls above they have to be allowed explicitly:
iptables -A FORWARD -p tcp -d 216.239.59.105 --dport 80 -m state --state NEW -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables-save > /etc/sysconfig/iptables
The nat section should look something like this (a different box: eth0 faces the LAN holding 192.168.1.101, eth1 is the public side with 77.67.63.213):
*nat
:PREROUTING ACCEPT [4987:342361]
:POSTROUTING ACCEPT [9154:582298]
:OUTPUT ACCEPT [15450:961745]
-A PREROUTING -d 77.67.63.213 -p tcp -m tcp --dport 5678 -j DNAT --to-destination 192.168.1.101:80
# this publishes MySQL to the whole internet; add -s <allowed range> or leave it out
-A PREROUTING -d 77.67.63.213 -p tcp -m tcp --dport 3306 -j DNAT --to-destination 192.168.1.101:3306
# SNAT the forwarded traffic so 192.168.1.101 answers via this box even if its default route points elsewhere (it sees all clients as 77.67.63.213)
-A POSTROUTING -d 192.168.1.101 -o eth0 -j SNAT --to-source 77.67.63.213
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
Simple Gateway
cat /proc/sys/net/ipv4/ip_forward
1
To make permanent see above (Simple NAT)
Iptables (eth0 is the internal NIC, eth1 the external one):
-A FORWARD -i eth0 -o eth1 -j ACCEPT
-A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
The second rule lets the replies back in; without it a FORWARD policy of DROP, as in the firewalls above, silently breaks every connection from the LAN.
*nat
:PREROUTING ACCEPT [209:15828]
:POSTROUTING ACCEPT [47:3576]
:OUTPUT ACCEPT [53:4036]
-A POSTROUTING -o eth1 -j MASQUERADE
COMMIT
Or from the command line, with the same interface roles:
iptables -A FORWARD -i eth0 -o eth1 -j ACCEPT
iptables -A FORWARD -i eth1 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE