SuperHornet
02-25-2002, 11:05 PM
Hello,
I have just set up a super simple firewall with zero advanced security, running MASQ and NAT with iptables on kernel 2.4.x for my DSL line.
I got the rc.firewall script from a HOW-TO.
I have been trying to close port 80 on my eth0 (public side or $EXTIF) but leave port 80 open on eth1 (LAN side or $INTIF).
Here is the real meat of the script that I'm having problems with.
echo " Dropping Bad TCP Flags."
$IPTABLES -N badflags
$IPTABLES -A badflags -m limit --limit 15/minute -j LOG --log-prefix Badflags:
$IPTABLES -A badflags -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags
echo " Blocking Port 80 on public side."
$IPTABLES -A INPUT -i $EXTIF -s 0/0 -d 0/0 -p tcp --dport 80 -j DROP
echo " Blocking NetBIOS."
$IPTABLES -A INPUT -p udp --sport 137 --dport 137 -j DROP
echo " FWD: Allow all connections OUT and only existing and related ones IN"
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -A FORWARD -j LOG
echo " Enabling SNAT MASQUERADE functionality on $EXTIF"
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
I'm not sure what I am doing wrong; all the docs I find show how to open ports but not how to close them in the way I need them to be.
Maybe I have them in the wrong order? Anyway, before I give up and put in a winbox firewall, I thought I might ask around and see if someone can shed some light on my ignorance.
TY in advance.
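The ordering question raised in the post is the crux: netfilter walks a chain top to bottom and the first terminal match (ACCEPT, DROP, REJECT, or a jump into a user chain like badflags) decides the packet, so a `--dport 80 -j DROP` placed after a broader ACCEPT never fires. The following is an added example, not code from the original post or the HOW-TO it came from: a small simulator that parses `iptables -S INPUT` style lines and reports which rule a given packet hits. The two rulesets, the eth0/eth1 interface names (standing in for $EXTIF/$INTIF) and the sample packets are all constructed; `-m limit`, `--log-prefix`, `-s`/`-d` and similar options are parsed but treated as always matching, so only interface, protocol, ports, `--state` and `--tcp-flags` are evaluated.

```python
"""Simulate first-match evaluation of an iptables INPUT chain (added example)."""
import shlex

TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "URG", "PSH"}
TERMINAL = {"ACCEPT", "DROP", "REJECT"}


def _flagset(spec):
    """Expand an iptables flag list ('ALL', 'NONE', 'SYN,FIN') into a set."""
    if spec == "ALL":
        return set(TCP_FLAGS)
    if spec == "NONE":
        return set()
    return set(spec.split(","))


def parse_rule(line):
    """Parse one `iptables -S INPUT` line into match criteria plus a target."""
    tok = shlex.split(line)
    rule = {"iface": None, "proto": None, "dport": None, "sport": None, "state": None,
            "flags": None, "target": None, "policy": None, "raw": line}
    i = 0
    while i < len(tok):
        t = tok[i]
        if t == "-P":                       # "-P INPUT DROP": the chain's default policy
            rule["policy"] = tok[i + 2]; i += 3
        elif t == "-i":
            rule["iface"] = tok[i + 1]; i += 2
        elif t == "-p":
            rule["proto"] = tok[i + 1]; i += 2
        elif t == "--dport":
            rule["dport"] = int(tok[i + 1]); i += 2
        elif t == "--sport":
            rule["sport"] = int(tok[i + 1]); i += 2
        elif t == "--state":                # conntrack states the packet may be in
            rule["state"] = set(tok[i + 1].split(",")); i += 2
        elif t == "--tcp-flags":            # mask list, then the flags that must be set within it
            rule["flags"] = (_flagset(tok[i + 1]), _flagset(tok[i + 2])); i += 3
        elif t == "-j":
            rule["target"] = tok[i + 1]; i += 2
        elif t in ("-A", "-m", "-s", "-d", "-o", "--limit", "--log-prefix"):
            i += 2                          # option plus argument: parsed, not evaluated
        else:
            i += 1
    return rule


def matches(rule, pkt):
    """Every criterion present on the rule must hold for the packet."""
    if rule["iface"] and rule["iface"] != pkt["iface"]:
        return False
    if rule["proto"] and rule["proto"] != pkt["proto"]:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.get("dport"):
        return False
    if rule["sport"] is not None and rule["sport"] != pkt.get("sport"):
        return False
    if rule["state"] is not None and pkt.get("state", "NEW") not in rule["state"]:
        return False
    if rule["flags"] is not None:
        mask, want = rule["flags"]
        if (pkt.get("flags", set()) & mask) != want:
            return False
    return True


def evaluate(ruleset, pkt):
    """Walk the chain in order; return (verdict, 1-based rule index, or None if the policy applied)."""
    policy, rules = "ACCEPT", []
    for line in ruleset.strip().splitlines():
        r = parse_rule(line)
        if r["policy"]:
            policy = r["policy"]
        elif r["target"]:
            rules.append(r)
    for idx, r in enumerate(rules, 1):
        # LOG is non-terminal; ACCEPT/DROP/REJECT and jumps to user chains end the walk here
        if matches(r, pkt) and r["target"] != "LOG":
            return r["target"], idx
    return policy, None


# Constructed ruleset: a blanket "open the web server" ACCEPT, as many HOW-TOs add,
# sits before the interface-specific DROP, so the DROP is shadowed and never fires.
SHADOWED = """
-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags
-A INPUT -i eth0 -s 0/0 -d 0/0 -p tcp --dport 80 -j DROP
"""

# Constructed fix: default policy DROP, loopback and return traffic first, the eth0
# DROP before the eth1 ACCEPT, so only the LAN side reaches port 80.
FIXED = """
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags
-A INPUT -i eth0 -p tcp --dport 80 -j DROP
-A INPUT -i eth1 -p tcp --dport 80 -j ACCEPT
"""

# Constructed sample packets (a new SYN from each side, and a SYN+FIN probe).
WEB_FROM_INTERNET = {"iface": "eth0", "proto": "tcp", "dport": 80, "flags": {"SYN"}, "state": "NEW"}
WEB_FROM_LAN = {"iface": "eth1", "proto": "tcp", "dport": 80, "flags": {"SYN"}, "state": "NEW"}
SYNFIN_PROBE = {"iface": "eth0", "proto": "tcp", "dport": 22, "flags": {"SYN", "FIN"}, "state": "NEW"}

if __name__ == "__main__":
    for name, rs in (("shadowed", SHADOWED), ("fixed", FIXED)):
        for label, pkt in (("internet->80", WEB_FROM_INTERNET), ("lan->80", WEB_FROM_LAN),
                           ("syn+fin", SYNFIN_PROBE)):
            print(f"{name:9} {label:13} -> {evaluate(rs, pkt)}")
```

Run against the real box with `iptables -S INPUT` as input, the same check shows whether anything above the DROP line already accepts the packet; the companion fix is to move the interface-specific DROP above any broad ACCEPT (or set the INPUT policy to DROP and accept only what is wanted per interface).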