We've discussed the fundamentals of firewall configuration. Let's now look at an easily customizable firewall configuration. In this example, the network 172.29.16.0/24 is treated as if it were a publicly routable network, although it is actually a private, non-routable (RFC 1918) address block. We use a non-routable network here because the example needs some network, and we don't want to print a real, publicly routable network number. The commands shown would work unchanged for a real publicly routable /24 (class C) network.
#!/bin/bash
##########################################################################
# This sample configuration is for a single host firewall configuration
# with no services supported by the firewall host itself.
##########################################################################
#
# USER CONFIGURABLE SECTION (Lists are comma-separated and must not be
# empty: "-m multiport" rejects an empty port list)
#
# OURNET    Internal network address space
# OURBCAST  Internal network broadcast address
# OURDEV    Internal network interface name
#
# ANYADDR   External network address space
# EXTDEV    External network interface name
#
# TCPIN     List of TCP ports to allow in
# TCPOUT    List of TCP ports to allow out
#
# UDPIN     List of UDP ports to allow in
# UDPOUT    List of UDP ports to allow out
#
# LOGGING   Set to 1 to turn logging on, else leave empty
#
###########################################################################

OURNET="172.29.16.0/24"
OURBCAST="172.29.16.255"
OURDEV="eth0"

ANYADDR="0/0"
EXTDEV="eth1"

TCPIN="smtp,www"
TCPOUT="smtp,www,ftp,ftp-data,irc"

UDPIN="domain"
UDPOUT="domain"

LOGGING=

###########################################################################
#
# IMPLEMENTATION
#
###########################################################################

#
# Install the modules
#
modprobe ip_tables
# Connection tracking reassembles fragments before filtering, so the
# rules below never see a bare fragment. (Newer kernels name the module
# nf_conntrack.)
modprobe ip_conntrack 2>/dev/null || modprobe nf_conntrack

#
# Drop all packets destined for this host received from outside.
#
iptables -A INPUT -i $EXTDEV -j DROP

#
# Remove all rules on the FORWARD chain of the filter table, and set the
# policy for that chain to DROP.
#
iptables -F FORWARD                                          # Delete rules
iptables -P FORWARD DROP                                     # Policy = DROP
iptables -A FORWARD -s $OURNET -i $EXTDEV -j DROP            # Anti-spoof
iptables -A FORWARD -p icmp -i $EXTDEV -d $OURBCAST -j DROP  # Anti-Smurf

#
# TCP - ESTABLISHED CONNECTIONS
#
# We will accept all TCP packets belonging to an existing connection
# (i.e. having the ACK bit set and the SYN bit clear) for the TCP ports
# we're allowing through, in both directions: traffic to and from our
# servers on the TCPIN ports, and traffic to and from outside servers on
# the TCPOUT ports. This should catch more than 95 % of all valid TCP
# packets.
#
iptables -A FORWARD -d $OURNET -p tcp --tcp-flags SYN,ACK ACK -m multiport --dports $TCPIN -j ACCEPT
iptables -A FORWARD -s $OURNET -p tcp --tcp-flags SYN,ACK ACK -m multiport --sports $TCPIN -j ACCEPT
iptables -A FORWARD -s $OURNET -p tcp --tcp-flags SYN,ACK ACK -m multiport --dports $TCPOUT -j ACCEPT
iptables -A FORWARD -d $OURNET -p tcp --tcp-flags SYN,ACK ACK -m multiport --sports $TCPOUT -j ACCEPT

#
# TCP - NEW INCOMING CONNECTIONS
#
# We will accept connection requests from the outside only on the
# allowed TCP ports. This must match the destination port: matching
# --sports here would let anyone connecting from source port 25 or 80
# reach any port on our network.
#
iptables -A FORWARD -i $EXTDEV -d $OURNET -p tcp --syn -m multiport --dports $TCPIN -j ACCEPT

#
# TCP - NEW OUTGOING CONNECTIONS
#
# We will accept all outgoing TCP connection requests on the allowed
# TCP ports.
#
iptables -A FORWARD -i $OURDEV -d $ANYADDR -p tcp --syn -m multiport --dports $TCPOUT -j ACCEPT

#
# UDP - INCOMING
#
# We will allow UDP packets in on the allowed ports and the replies back
# out. In iptables, -i is the input interface and -o the output
# interface, so the replies leaving for the outside are matched on
# -o $EXTDEV.
#
iptables -A FORWARD -i $EXTDEV -d $OURNET -p udp -m multiport --dports $UDPIN -j ACCEPT
iptables -A FORWARD -o $EXTDEV -s $OURNET -p udp -m multiport --sports $UDPIN -j ACCEPT

#
# UDP - OUTGOING
#
# We will allow UDP packets out to the allowed ports and the replies
# back in.
#
iptables -A FORWARD -i $OURDEV -d $ANYADDR -p udp -m multiport --dports $UDPOUT -j ACCEPT
iptables -A FORWARD -o $OURDEV -s $ANYADDR -p udp -m multiport --sports $UDPOUT -j ACCEPT

#
# DEFAULT and LOGGING
#
# All remaining packets fall through to the chain policy and are
# dropped. They will be logged if you've configured the LOGGING
# variable above.
#
if [ "$LOGGING" ]
then
    iptables -A FORWARD -p tcp -j LOG     # Log barred TCP
    iptables -A FORWARD -p udp -j LOG     # Log barred UDP
    iptables -A FORWARD -p icmp -j LOG    # Log barred ICMP
fi
In many simple situations, to use the sample, all you have to do is edit the top section of the file labeled "USER CONFIGURABLE SECTION" to specify which protocols and packet types you wish to allow in and out. For more complex configurations, you will need to edit the section at the bottom as well. Two limits of the design are worth keeping in mind. First, only the FORWARD chain is filtered in detail; the single INPUT rule drops everything the firewall host itself receives on the external interface, so this script is not suitable if the firewall host must offer services. Second, the "established connection" and UDP reply rules key only on ports and TCP flags, not on connection state, so any packet arriving from source port 53, or any bare ACK from port 25 or 80, is let through to the internal network; the ip_conntrack module the script loads can track real connections (the state match, -m state --state ESTABLISHED,RELATED), but using it is beyond this example. Remember, this is a simple example, so scrutinize it very carefully to ensure it does what you want before you deploy it.
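One way to do that scrutiny before touching a live box is to model the FORWARD chain and push constructed packets through it. The following Python is an added example and is not part of the guide; it models the chain with the incoming-SYN rule matching --dports (and with return traffic for TCPOUT connections accepted), and its "sports" mode shows what the chain does if that rule is written with --sports instead. Service names are resolved to the standard port numbers (smtp 25, www 80, ftp 21, ftp-data 20, irc 6667, domain 53), the outside host addresses in 203.0.113.0/24 are constructed test values, and the Packet class and forward_chain function are this example's own, not iptables APIs.

```python
# Added example (not from the guide): a minimal model of the script's FORWARD
# chain, used to check what the ruleset accepts and drops.  Addresses in
# 203.0.113.0/24 are constructed test values (TEST-NET-3).
import ipaddress
from dataclasses import dataclass

OURNET = ipaddress.ip_network("172.29.16.0/24")
OURDEV, EXTDEV = "eth0", "eth1"
# Port lists from the USER CONFIGURABLE SECTION, resolved to numbers (assumed
# standard /etc/services values)
TCPIN = {25, 80}                     # smtp,www
TCPOUT = {25, 80, 21, 20, 6667}      # smtp,www,ftp,ftp-data,irc
UDPIN = {53}                         # domain
UDPOUT = {53}                        # domain


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    in_dev: str     # interface the packet arrived on (-i)
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False
    ack: bool = False


def ours(ip: str) -> bool:
    return ipaddress.ip_address(ip) in OURNET


def forward_chain(p: Packet, incoming_syn: str = "dports") -> str:
    """Walk the FORWARD rules in script order and return the verdict.

    incoming_syn="dports" models NEW INCOMING written as --dports $TCPIN;
    "sports" models it written as --sports $TCPIN."""
    out_dev = OURDEV if ours(p.dst) else EXTDEV          # -o as routing would pick it
    if p.in_dev == EXTDEV and ours(p.src):               # anti-spoof
        return "DROP"
    if p.proto == "tcp":
        pure_ack = p.ack and not p.syn                   # --tcp-flags SYN,ACK ACK
        syn_only = p.syn and not p.ack                   # --syn
        if pure_ack and ours(p.dst) and p.dport in TCPIN:      # to our servers
            return "ACCEPT"
        if pure_ack and ours(p.src) and p.sport in TCPIN:      # from our servers
            return "ACCEPT"
        if pure_ack and ours(p.src) and p.dport in TCPOUT:     # our clients out
            return "ACCEPT"
        if pure_ack and ours(p.dst) and p.sport in TCPOUT:     # replies to our clients
            return "ACCEPT"
        if syn_only and p.in_dev == EXTDEV and ours(p.dst):    # NEW INCOMING
            port = p.dport if incoming_syn == "dports" else p.sport
            if port in TCPIN:
                return "ACCEPT"
        if syn_only and p.in_dev == OURDEV and p.dport in TCPOUT:  # NEW OUTGOING
            return "ACCEPT"
    elif p.proto == "udp":
        if p.in_dev == EXTDEV and ours(p.dst) and p.dport in UDPIN:
            return "ACCEPT"
        if out_dev == EXTDEV and ours(p.src) and p.sport in UDPIN:
            return "ACCEPT"
        if p.in_dev == OURDEV and p.dport in UDPOUT:
            return "ACCEPT"
        if out_dev == OURDEV and p.sport in UDPOUT:
            return "ACCEPT"
    return "DROP"                                         # chain policy


# Constructed traffic between outside host 203.0.113.5 and inside host 172.29.16.10
CASES = {
    "mail delivery in":  Packet("tcp", EXTDEV, "203.0.113.5", "172.29.16.10", 40000, 25, syn=True),
    "ssh in":            Packet("tcp", EXTDEV, "203.0.113.5", "172.29.16.10", 40000, 22, syn=True),
    "ssh in, sport 80":  Packet("tcp", EXTDEV, "203.0.113.5", "172.29.16.10", 80, 22, syn=True),
    "web out":           Packet("tcp", OURDEV, "172.29.16.10", "203.0.113.5", 50000, 80, syn=True),
    "web reply":         Packet("tcp", EXTDEV, "203.0.113.5", "172.29.16.10", 80, 50000, ack=True),
    "spoofed source":    Packet("tcp", EXTDEV, "172.29.16.7", "172.29.16.10", 40000, 25, syn=True),
    "dns query out":     Packet("udp", OURDEV, "172.29.16.10", "203.0.113.53", 33000, 53),
    "dns reply":         Packet("udp", EXTDEV, "203.0.113.53", "172.29.16.10", 53, 33000),
}


def verdicts(incoming_syn: str = "dports") -> dict:
    return {name: forward_chain(p, incoming_syn) for name, p in CASES.items()}


if __name__ == "__main__":
    for variant in ("dports", "sports"):
        print(f"--- NEW INCOMING rule written with --{variant} ---")
        for name, v in verdicts(variant).items():
            print(f"{name:20s} {v}")
```

Run with the "sports" variant, the model shows the two consequences of matching the source port on the incoming-SYN rule: a legitimate SMTP delivery from an ephemeral source port is dropped, while a connection from source port 80 to port 22 on an internal host is accepted. Extending CASES with your own traffic is the quickest way to check a modified port list before loading it.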