
Thread: [HOWTO] Setup a Network Gateway using IPTABLES


This simple tutorial will help the average Linux user set up a network gateway at home or for a small business.

What you need:
- a wireless router (or switch)
- a computer with two (2) NICs (network interface cards)

There are 3 main pieces to the network gateway:
  1. the firewall script
  2. the init.d script
  3. the rc.d symbolic links


Here is the firewall script: /usr/local/sbin/fw
Code:
#!/bin/sh
PATH=/usr/sbin:/sbin:/bin:/usr/bin
IPTABLES=/sbin/iptables

# Network gateway firewall script
#
# Configure the variables below accordingly.

# Outside interface
PUB_IFACE="eth0"
PUB_TCP_PORTS="22 80 443"
PUB_UDP_PORTS=""

# Inside interface
INT_IFACE="eth1"
INT_TCP_PORTS="21 22 80 443 3128"
INT_UDP_PORTS=""

# Default policy for the INPUT and FORWARD chains: ACCEPT or DROP
# (REJECT is a rule target, not a valid chain policy)
DEFAULT_POLICY="DROP"

# Networks we're going to masquerade behind the outside interface
LOCAL_NETWORKS="10.0.1.0/24"

# Network interfaces
OUTSIDEIF="$PUB_IFACE"       # aka PUB_IFACE
INSIDEIF="$INT_IFACE"        # aka INT_IFACE
LOOPBACK="lo"

# Leave these alone unless you want to set the
# inside and outside IP addresses manually.
# (Assumes the classic net-tools ifconfig output, "inet addr:x.x.x.x";
# if either variable ends up empty the port rules below will fail to load.)
INSIDEIP=`/sbin/ifconfig $INSIDEIF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`
OUTSIDEIP=`/sbin/ifconfig $OUTSIDEIF | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`
EVERYONE="0.0.0.0/0"
#########################################################

# Custom rules
# Add your custom networking rules below!
custom_rules() {
# Port forwarding example
# for a game called Company of Heroes.
# You can delete all of this if you want.
#COH_PORTS="6112,9100,45780,1025"
#${IPTABLES} -t nat -A PREROUTING -i $OUTSIDEIF -p tcp -m multiport --dports $COH_PORTS -j DNAT --to-destination 10.0.1.15
#${IPTABLES} -t nat -A PREROUTING -i $OUTSIDEIF -p udp -m multiport --dports $COH_PORTS -j DNAT --to-destination 10.0.1.15
#${IPTABLES} -A INPUT -i $OUTSIDEIF -p tcp -m multiport --dports $COH_PORTS -j ACCEPT
#${IPTABLES} -A INPUT -i $OUTSIDEIF -p udp -m multiport --dports $COH_PORTS -j ACCEPT
#${IPTABLES} -A FORWARD -i $OUTSIDEIF -o $INSIDEIF -p tcp -m multiport --dports $COH_PORTS -j ACCEPT
#${IPTABLES} -A FORWARD -i $OUTSIDEIF -o $INSIDEIF -p udp -m multiport --dports $COH_PORTS -j ACCEPT

# Allow DHCP broadcasts from the inside
${IPTABLES} -A INPUT -i $INSIDEIF -p udp --dport 67:68 -j ACCEPT
${IPTABLES} -A INPUT -i $INSIDEIF -p tcp --dport 67:68 -j ACCEPT

# Ignore NetBIOS because it's annoying!
${IPTABLES} -A INPUT -p tcp --dport 137:139 -j REJECT
${IPTABLES} -A INPUT -p udp --dport 137:139 -j REJECT

# Ignore SNMP
${IPTABLES} -A INPUT -i $INSIDEIF -p tcp --dport 161 -j REJECT
${IPTABLES} -A INPUT -i $INSIDEIF -p udp --dport 161 -j REJECT

# Let one host go around the Squid proxy (for weatherdirect).
# Inserted at the top of the chain so it is matched before the REDIRECT rules below.
${IPTABLES} -t nat -I PREROUTING -i $INSIDEIF -p tcp -s 10.0.1.7 --dport 80 -j ACCEPT
${IPTABLES} -I FORWARD -i $INSIDEIF -o $OUTSIDEIF -p tcp -s 10.0.1.7 --dport 80 -j ACCEPT

# Redirect outbound HTTP requests to the squid3 web proxy!
${IPTABLES} -t nat -A PREROUTING -i $INSIDEIF -p tcp --dport 80 -j REDIRECT --to-port 3128
${IPTABLES} -t nat -A PREROUTING -i $INSIDEIF -p tcp --dport 8080 -j REDIRECT --to-port 3128
}
# End custom rules

# Ruleset for the masqueraded/NAT'd subnets
#
# The following rules should list the connections
# allowed from the inside subnets to the internet.

masq_rules() {
SUBNET=$1

# Allow inside out
${IPTABLES} -A INPUT -i $INSIDEIF -s $SUBNET -p tcp -j ACCEPT
${IPTABLES} -A INPUT -i $INSIDEIF -s $SUBNET -p udp -j ACCEPT
${IPTABLES} -A FORWARD -i $INSIDEIF -o $OUTSIDEIF -s $SUBNET -p tcp -j ACCEPT
${IPTABLES} -A FORWARD -i $INSIDEIF -o $OUTSIDEIF -s $SUBNET -p udp -j ACCEPT
}
# End masq rules

#
# Leave the stuff below alone unless you know what you're doing!
#
start_fw()
{
# Clear the current ruleset
clear_rules

# Load modules
load_modules

# Default policy: DROP
${IPTABLES} -P INPUT $DEFAULT_POLICY
${IPTABLES} -P OUTPUT ACCEPT
${IPTABLES} -P FORWARD $DEFAULT_POLICY

# Accept loopback connections
${IPTABLES} -A INPUT  -i $LOOPBACK -j ACCEPT
${IPTABLES} -A OUTPUT -o $LOOPBACK -j ACCEPT

# Accept ICMP (ping)
${IPTABLES} -A INPUT  -p icmp -j ACCEPT
${IPTABLES} -A OUTPUT -p icmp -j ACCEPT
${IPTABLES} -A FORWARD -i $INSIDEIF -o $OUTSIDEIF -p icmp -j ACCEPT

# Create the log chain
${IPTABLES} -N drop_and_log
${IPTABLES} -A drop_and_log -j LOG --log-prefix "DROP "
${IPTABLES} -A drop_and_log -j REJECT

# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Public TCP ports
for PORT in $PUB_TCP_PORTS ; do
  ${IPTABLES} -A INPUT -i $OUTSIDEIF -d $OUTSIDEIP -p tcp --dport $PORT -j ACCEPT
done
# Public UDP ports
for PORT in $PUB_UDP_PORTS ; do
  ${IPTABLES} -A INPUT -i $OUTSIDEIF -d $OUTSIDEIP -p udp --dport $PORT -j ACCEPT
done
# Internal TCP ports
for PORT in $INT_TCP_PORTS ; do
  ${IPTABLES} -A INPUT -i $INSIDEIF -d $INSIDEIP -p tcp --dport $PORT -j ACCEPT
done
# Internal UDP ports
for PORT in $INT_UDP_PORTS ; do
  ${IPTABLES} -A INPUT -i $INSIDEIF -d $INSIDEIP -p udp --dport $PORT -j ACCEPT
done

# Enable masquerading for the inside networks!
for NETWORKIP in $LOCAL_NETWORKS ; do
  # NAT should be one way: deny traffic arriving on the
  # public interface that is addressed to the masqueraded networks
  ${IPTABLES} -A INPUT -i $OUTSIDEIF -d $NETWORKIP -j drop_and_log

  # Block spoofed addresses from outside
  ${IPTABLES} -A INPUT -s $NETWORKIP -i $OUTSIDEIF -j drop_and_log

  # Set up the NAT rule (masquerade)
  ${IPTABLES} -t nat -A POSTROUTING -s $NETWORKIP -o $OUTSIDEIF -j MASQUERADE

  # Allow the following rules for each inside subnet
  masq_rules $NETWORKIP

  ########################################################
  # Standard security rule-sets

  # Deny packets on the outside interface claiming to come from local machines (IP spoofing)
  ${IPTABLES} -A INPUT -i $OUTSIDEIF -s $NETWORKIP -d $EVERYONE -j drop_and_log

  # Inside interface, outside IP going to the local nets: okay
  ${IPTABLES} -A OUTPUT -o $INSIDEIF -s $OUTSIDEIP -d $NETWORKIP -j ACCEPT

  # Inside interface, inside IP going to the local nets: okay
  ${IPTABLES} -A OUTPUT -o $INSIDEIF -s $INSIDEIP -d $NETWORKIP -j ACCEPT

  # Outside interface, anyone (who isn't allowed) trying to reach the local nets: blocked
  ${IPTABLES} -A OUTPUT -o $OUTSIDEIF -s $EVERYONE -d $NETWORKIP -j drop_and_log
done

# Final rules for the INPUT, OUTPUT and FORWARD chains

# Allow established & related connections in to the masquerading host
${IPTABLES} -A INPUT -i $OUTSIDEIF -s $EVERYONE -d $OUTSIDEIP -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow connections out, and existing/related ones back in.
${IPTABLES} -A FORWARD -i $OUTSIDEIF -o $INSIDEIF -m state --state ESTABLISHED,RELATED -j ACCEPT
${IPTABLES} -A FORWARD -i $INSIDEIF  -o $OUTSIDEIF -j ACCEPT

# Load the custom rules you have above
custom_rules

########################################################
# INPUT, OUTPUT, FORWARD: drop everything else

# Catch-all rules: all other traffic is denied and logged.
${IPTABLES} -A INPUT   -s $EVERYONE -d $EVERYONE -j drop_and_log
${IPTABLES} -A OUTPUT  -s $EVERYONE -d $EVERYONE -j ACCEPT
${IPTABLES} -A FORWARD -s $EVERYONE -d $EVERYONE -j drop_and_log
}

stop_fw()
{
# Clear the rules
clear_rules

# Set the default policy to ACCEPT
${IPTABLES} -P INPUT ACCEPT
${IPTABLES} -P OUTPUT ACCEPT
${IPTABLES} -P FORWARD ACCEPT
}

restart_fw()
{
stop_fw
start_fw
}

load_modules()
{
# Module names as used by older kernels; newer kernels provide
# nf_conntrack / nf_nat equivalents and load them on demand.
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe iptable_nat
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
}

clear_rules()
{
# Clear existing rules (the built-in chains first, so that
# nothing references drop_and_log when it is deleted)
${IPTABLES} -F INPUT
${IPTABLES} -F OUTPUT
${IPTABLES} -F FORWARD
${IPTABLES} -F -t nat

if [ "`${IPTABLES} -L -n | grep drop_and_log`" ]; then
  ${IPTABLES} -F drop_and_log
  ${IPTABLES} -X drop_and_log
fi

# Reset counters
${IPTABLES} -Z
}

case "$1" in
'start')
  echo -n "* Starting firewall..."
  start_fw
  echo "done"
  ;;

'stop')
  echo -n "* Stopping firewall..."
  stop_fw
  echo "done"
  ;;

'restart')
  echo -n "* Restarting firewall..."
  restart_fw
  echo "done"
  ;;

*)
  echo "Usage: $0 {start|stop|restart}"
  exit 1
  ;;
esac
Here is the init.d script: /etc/init.d/fw
Code:
#!/bin/sh

FW=/usr/local/sbin/fw
LOCKFILE=/var/lock/fw

lockfile_on()
{
  [ ! -d /var/lock ] && mkdir -m 0755 /var/lock
  # mkdir is atomic, so the directory doubles as the lock
  mkdir -m 0700 $LOCKFILE 2>/dev/null
  if [ $? -ne 0 ]; then
    echo "* Error: the firewall is being reset or the lock is stuck."
    echo "         To un-stick it, remove the directory $LOCKFILE"
    exit 1
  fi
}

lockfile_off()
{
  rmdir $LOCKFILE 2>/dev/null
}

case "$1" in
  'start')
    lockfile_on
    ${FW} start
    lockfile_off
    ;;
  'stop')
    lockfile_on
    ${FW} stop
    lockfile_off
    ;;
  'restart')
    lockfile_on
    ${FW} restart
    lockfile_off
    ;;
  'help')
    echo "Usage: $0 [start|stop|restart]"
    exit 0
    ;;
  *)
    echo "Usage: $0 [start|stop|restart]"
    exit 1
    ;;
esac
Here are the commands to create the soft (symbolic) links (SysV init only runs scripts whose link names start with an uppercase S or K):
Code:
ln -s /etc/init.d/fw /etc/rc0.d/K30fw
ln -s /etc/init.d/fw /etc/rc1.d/K30fw
ln -s /etc/init.d/fw /etc/rc2.d/S30fw
ln -s /etc/init.d/fw /etc/rc3.d/S30fw
ln -s /etc/init.d/fw /etc/rc4.d/S30fw
ln -s /etc/init.d/fw /etc/rc5.d/S30fw
ln -s /etc/init.d/fw /etc/rc6.d/K30fw
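As an added check that is not part of the original post, the script below reads an `iptables-save` dump and verifies the properties the firewall script above is meant to establish: DROP policies on INPUT and FORWARD, masquerading limited to the inside network on the outside interface, the anti-spoofing drop on the outside interface, and no unconditional forwarding from outside to inside. The interface names (eth0/eth1) and the 10.0.1.0/24 network are assumed to match the script, and the sample dump is constructed.

```shell
#!/bin/sh
# Added audit helper (not from the original post): checks an iptables-save dump
# against the invariants the gateway script above is meant to establish.
# Interface names and the inside network are assumptions matching the script.
OUTSIDEIF="eth0"; INSIDEIF="eth1"; LOCAL_NET="10.0.1.0/24"

# audit_fw_rules FILE: prints one line per finding; returns the number of findings
audit_fw_rules() {
    f="$1"; bad=0
    # INPUT and FORWARD must default to DROP (OUTPUT is ACCEPT by design)
    for chain in INPUT FORWARD; do
        grep -q "^:$chain DROP" "$f" || { echo "policy: $chain is not DROP"; bad=$((bad+1)); }
    done
    # Masquerading must exist and be scoped to the inside network on the outside interface
    grep -qF -- "-A POSTROUTING -s $LOCAL_NET -o $OUTSIDEIF -j MASQUERADE" "$f" \
        || { echo "nat: no MASQUERADE for $LOCAL_NET via $OUTSIDEIF"; bad=$((bad+1)); }
    if grep -F -- "-j MASQUERADE" "$f" | grep -vF -- "-s $LOCAL_NET " | grep -q .; then
        echo "nat: a MASQUERADE rule is not limited to $LOCAL_NET"; bad=$((bad+1))
    fi
    # Anti-spoofing: inside-network sources arriving on the outside interface must be dropped
    grep -qF -- "-A INPUT -s $LOCAL_NET -i $OUTSIDEIF -j drop_and_log" "$f" \
        || { echo "spoof: $LOCAL_NET sources on $OUTSIDEIF are not dropped"; bad=$((bad+1)); }
    # Outside-to-inside forwarding must be stateful or an explicit port forward
    if grep -F -- "-A FORWARD -i $OUTSIDEIF -o $INSIDEIF" "$f" \
         | grep -v -e '--state' -e '--ctstate' -e '--dport' | grep -q .; then
        echo "forward: unconditional ACCEPT from $OUTSIDEIF into $INSIDEIF"; bad=$((bad+1))
    fi
    return $bad
}

# Constructed sample of an iptables-save dump, trimmed to the rules the audit reads
GOOD_RULESET='*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.0.1.0/24 -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 10.0.1.0/24 -i eth0 -j drop_and_log
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT'

# Stand-alone demo: audit the sample (prints "ruleset OK" for this input)
tmp=$(mktemp); printf '%s\n' "$GOOD_RULESET" > "$tmp"
audit_fw_rules "$tmp" && echo "ruleset OK" || echo "$? finding(s)"
rm -f "$tmp"
```

To audit a live gateway, save its ruleset with `iptables-save > /tmp/rules` and call `audit_fw_rules /tmp/rules`; a non-zero return is the number of deviations from the intended design.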
Also, if you want to run DHCP on the LAN, make sure to disable it on the router. I am using the dhcp3-server package to run DHCP on my network.

Here is how the configuration file looks: /etc/dhcp3/dhcpd.conf

Code:
option domain-name-servers 205.152.37.23, 205.152.132.23;

default-lease-time 84500;
max-lease-time 120000;
log-facility local7;

# The local LAN uses the 10.0.1.0/24 subnet
subnet 10.0.1.0 netmask 255.255.255.0 {
  option routers 10.0.1.10;              # inside IP of the network gateway/Linux server
  range 10.0.1.11 10.0.1.150;
}

# Assign static addresses on the local area network

host desktop {
  hardware ethernet 00:21:29:65:18:98;
  fixed-address 10.0.1.15;
}

host netbook {
  hardware ethernet 00:24:2b:7c:8d:d2;
  fixed-address 10.0.1.26;
}
I have a more detailed tutorial posted here. When I have more time, I'll clean up this post once people show interest in it!

Feel free to post comments or questions. I'd be glad to help whoever I can. Thanks!



Forum: The Ubuntu Forum Community > Ubuntu Specialised Support > Security

