iptables firewall
EXAMPLES OF IPTABLES FIREWALLS
These are some home-made scripts for a Unix iptables firewall.
The examples use shell scripting.
"..." means the text inside is a literal string.
$VAR means that there is a variable called VAR and we want to see its current value.
Notice that Unix scripting is sensitive to spaces and there are NO spaces on either side of =. If you accidentally put a space in, your code will not run.
Put this into a file myiptables.sh, make the file executable (chmod +x myiptables.sh), and then run it as root (iptables needs root privileges).
#!/bin/sh
# VERY SIMPLIFIED FIREWALL THAT ACCEPTS EVERYTHING BUT PINGS
# Server is on firewall, all IPs are public
PUB_INT="eth0"
PRI_INT="eth1"
PUB_IP="1.1.1.1"
PUB_NET="1.1.1.0/24"
LOCAL_IP="2.2.2.2"
LOCAL_NET="2.2.2.0/24"
BAD_IPs="4.4.4.4 5.5.5.5 6.6.6.6"
echo 1 > /proc/sys/net/ipv4/ip_forward
# Defaults
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Flush (-F) all specific rules
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -t nat -F
# Drop pings: log first, then drop. Note that "-p icmp" matches every ICMP type,
# not only echo requests, so this also discards other ICMP messages.
iptables -A INPUT -p icmp -s 0/0 -d 0/0 -j LOG --log-prefix 'PUBLIC PING'
iptables -A INPUT -p icmp -s 0/0 -d 0/0 -j DROP
# Alternatives (commented out):
# nobody can ping the server (SERVER is not defined above; set it to the server's IP first)
#iptables -A INPUT -p icmp -s 0/0 -d $SERVER -j DROP
# only the outside cannot ping the server (negation is written "! -s", not "-s !(...)")
#iptables -A INPUT -p icmp ! -s $LOCAL_NET -d $LOCAL_NET -j DROP
# Drop everything coming from the listed bad IPs
for arg in $BAD_IPs
do
    iptables -A INPUT -s $arg -d 0/0 -j DROP
done
############################################
# Display the rules
iptables -L -v
iptables -t nat -L -v
This is another firewall that is a little bit more complicated: the default policies for INPUT and FORWARD are now DROP, so anything not explicitly allowed is discarded.
#!/bin/sh
# VERY SIMPLIFIED
PUB_INT="eth0"
PRI_INT="eth1"
PUB_IP="x.y.z."          # fill in the firewall's public IP
PRI_IP="192.168.0.1"
PRI_NET="192.168.0.0/16"
echo 1 > /proc/sys/net/ipv4/ip_forward
# Defaults
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Flush (-F) all specific rules
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -t nat -F
# Forward all packets from eth1 (internal network) to eth0 (the internet).
iptables -A FORWARD -i $PRI_INT -o $PUB_INT -j ACCEPT
#
# Forward packets that are part of existing and related connections from eth0 to eth1.
#
iptables -A FORWARD -i $PUB_INT -o $PRI_INT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Permit packets in to the firewall itself that are part of existing and related connections.
#
# SECURITY HOLE....
#iptables -A INPUT -i $PUB_INT -m state --state ESTABLISHED,RELATED -j ACCEPT
#
# Allow all inputs to the firewall from the internal network and local interfaces
#
iptables -A INPUT -i $PRI_INT -s 0/0 -d 0/0 -j ACCEPT
iptables -A INPUT -i lo -s 0/0 -d 0/0 -j ACCEPT
# Let's say you had an SSH server:
# if the server is on the firewall:
#iptables -A INPUT -p tcp -s 0/0 -d 0/0 --destination-port 22 --syn -j ACCEPT
# OR
# if the server is on a separate public computer
iptables -A FORWARD -p tcp -s 0/0 -d 0/0 --destination-port 22 --syn -j ACCEPT
# OR
# if the server is on the private network (PRI_IP must then be the SSH server's private
# address; match only tcp/22 so that other traffic to $PUB_IP is not redirected as well.
# Because the FORWARD policy is DROP, a FORWARD ACCEPT for tcp/22 to $PRI_IP is also needed.)
iptables -t nat -A PREROUTING -i $PUB_INT -p tcp -d $PUB_IP --dport 22 \
    -j DNAT --to-destination $PRI_IP
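The last case above (SSH server on the private network) needs two rules working together: a DNAT in the nat table only rewrites the destination address, and with a FORWARD policy of DROP the rewritten packet is still discarded unless a FORWARD rule accepts it. The following is an added example, not code from the original post. It wraps iptables in a small function that prints the commands instead of executing them unless DRY_RUN is set to 0, so a ruleset can be reviewed (or captured in a file) before it is applied on a live box. The interface names are the post's; the public address 203.0.113.10 and the server's private address 192.168.0.20 are assumed placeholders.

```shell
# Added example, not the original post's script.
PUB_INT="eth0"
PRI_INT="eth1"
PUB_IP="203.0.113.10"        # placeholder public address (RFC 5737 documentation range)
SSH_SERVER="192.168.0.20"    # assumed private address of the SSH host behind the firewall

# ipt: print the iptables command line when DRY_RUN=1 (the default),
# otherwise run the real iptables binary with the same arguments.
ipt() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# ssh_port_forward_rules: the DNAT rule restricted to tcp/22 on the public
# address, plus the FORWARD accept that a DROP policy on FORWARD requires.
# Replies travel back through the PRI_INT -> PUB_INT accept rule of the post.
ssh_port_forward_rules() {
    ipt -t nat -A PREROUTING -i "$PUB_INT" -p tcp -d "$PUB_IP" --dport 22 \
        -j DNAT --to-destination "$SSH_SERVER"
    ipt -A FORWARD -i "$PUB_INT" -o "$PRI_INT" -p tcp -d "$SSH_SERVER" --dport 22 \
        --syn -j ACCEPT
}

# Preview the rules; run with DRY_RUN=0 (as root) to apply them.
ssh_port_forward_rules
```

Running the file as-is prints the two iptables commands; `DRY_RUN=0 sh myiptables.sh` executes them. Keeping the dry-run default means a typo in a variable name shows up as an odd-looking command on the terminal rather than as an open or broken firewall.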