20 Nov, 2004. Tested on SuSE 10.0

iptables-1.3.3-3

Iptables is used to set up, maintain, and inspect the IP firewall rules in the Linux kernel.

Configuration

Configuration for Masquerade(NAT), transparent proxy (local squid) and Firewall.
  • Create /usr/local/sbin/iptables.sh with the following contents:
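    #!/bin/sh
    # iptables.sh - packet filter, NAT (masquerade) and transparent-proxy rules
    # for a small router: LAN on $IN_ETH, Internet on $EX_ETH.
    #
    # Run as root at boot (e.g. from /etc/init.d/boot.local). All tables are
    # flushed first, so the script can be re-run at any time to reload the rules.
    #
    # Default policy is DROP on INPUT, OUTPUT and FORWARD; every permitted flow
    # is listed explicitly below. Services that must not be reachable from the
    # Internet are limited to "$LAN" / "$DMZ" (or to "$IN_ETH" for DHCP).

    ### IP Address, Configuration ###
    MYHOST='192.168.0.5'            # Server Address (not referenced by the rules below)
    LAN='192.168.0.0/24'            # Internal Network Address
    DMZ='202.0.0.0/28'              # DMZ Network Address
    NTP1='210.173.160.57'           # NTP Server Address #
    NTP2='210.173.160.27'           # NTP Server Address #
    EX_ETH=eth1                     # External Interface
    IN_ETH=eth0                     # Internal Interface
    PROXY_PORT=8080                 # Proxy Server Port No (used for the accept rule and the REDIRECT rules)

    ### iptables command path ###
    IPTABLES='/usr/sbin/iptables'
    readonly IPTABLES

    # Connection-tracking helper for FTP, so data connections are seen as RELATED #
    modprobe ip_conntrack_ftp

    ### Stop IP forward while the rule set is being rebuilt ###
    echo 0 > /proc/sys/net/ipv4/ip_forward

    # Reset every table: flush all rules, delete user-defined chains and put the
    # built-in chains back to ACCEPT (errors are silenced; a table with nothing
    # loaded has nothing to flush).
    for table in filter nat mangle; do
      "$IPTABLES" -t "$table" -F > /dev/null 2>&1
      "$IPTABLES" -t "$table" -X > /dev/null 2>&1
    done
    for chain in INPUT OUTPUT FORWARD; do
      "$IPTABLES" -t filter -P "$chain" ACCEPT > /dev/null 2>&1
    done
    for chain in PREROUTING POSTROUTING OUTPUT; do
      "$IPTABLES" -t nat -P "$chain" ACCEPT > /dev/null 2>&1
    done
    for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
      "$IPTABLES" -t mangle -P "$chain" ACCEPT > /dev/null 2>&1
    done

    ### Drop everything by default ###
    # FORWARD is included: with FORWARD left at ACCEPT the router would pass any
    # traffic between its interfaces and the FORWARD rules further down would
    # never matter.
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P OUTPUT DROP
    "$IPTABLES" -P FORWARD DROP

    ### Accept any to loopback address ###
    "$IPTABLES" -A INPUT  -i lo -j ACCEPT
    "$IPTABLES" -A OUTPUT -o lo -j ACCEPT

    ### Accept established/related packets first (the bulk of traffic matches here) ###
    "$IPTABLES" -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    ### Accept DNS from LAN ###
    "$IPTABLES" -A INPUT  -p udp -s "$LAN" --dport 53 -j ACCEPT
    "$IPTABLES" -A OUTPUT -p udp -d "$LAN" --sport 53 -j ACCEPT
    "$IPTABLES" -A INPUT  -p tcp -m state --state NEW -s "$LAN" --dport 53 -j ACCEPT
    ### Accept DNS from DMZ ###
    "$IPTABLES" -A INPUT  -p udp -s "$DMZ" --dport 53 -j ACCEPT
    "$IPTABLES" -A OUTPUT -p udp -d "$DMZ" --sport 53 -j ACCEPT
    "$IPTABLES" -A INPUT  -p tcp -m state --state NEW -s "$DMZ" --dport 53 -j ACCEPT

    ### Allow DNS to access external network ###
    "$IPTABLES" -A OUTPUT -p udp --dport 53 -j ACCEPT
    "$IPTABLES" -A INPUT  -p udp --sport 53 -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp -m state --state NEW --dport 53 -j ACCEPT

    ### Allow LAN to access NTP request ###
    "$IPTABLES" -A INPUT  -p udp -s "$LAN" --dport 123 -j ACCEPT
    "$IPTABLES" -A OUTPUT -p udp -d "$LAN" --sport 123 -j ACCEPT
    ### Allow DMZ to access NTP request ###
    "$IPTABLES" -A INPUT  -p udp -s "$DMZ" --dport 123 -j ACCEPT
    "$IPTABLES" -A OUTPUT -p udp -d "$DMZ" --sport 123 -j ACCEPT
    ### Allow NTP server to access external NTP servers ###
    for ntp in "$NTP1" "$NTP2"; do
      "$IPTABLES" -A OUTPUT -d "$ntp" -p udp --dport 123 -j ACCEPT
      "$IPTABLES" -A INPUT  -s "$ntp" -p udp --sport 123 -j ACCEPT
    done

    ### Accept file sharing (NetBIOS) within LAN ###
    "$IPTABLES" -A INPUT  -p udp -s "$LAN" --dport 137:139 -j ACCEPT
    "$IPTABLES" -A OUTPUT -p udp -d "$LAN" --sport 137:139 -j ACCEPT
    "$IPTABLES" -A INPUT  -p tcp -m state --state NEW -s "$LAN" --dport 137:139 -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp -m state --state NEW -d "$LAN" --dport 137:139 -j ACCEPT
    "$IPTABLES" -A OUTPUT -p udp -d "$LAN" --sport 32772 -j ACCEPT
    "$IPTABLES" -A INPUT  -p tcp -m state --state NEW -s "$LAN" --dport 32772 -j ACCEPT

    ### Accept SWAT(SWAT:901) from LAN ###
    "$IPTABLES" -A INPUT -p tcp -m state --state NEW -s "$LAN" --dport 901 -j ACCEPT

    ### Accept Proxy from LAN (port taken from PROXY_PORT, same as the REDIRECT rules) ###
    "$IPTABLES" -A INPUT -p tcp -m state --state NEW -s "$LAN" --dport "$PROXY_PORT" -j ACCEPT

    ### Accept SSH (22) from LAN ###
    "$IPTABLES" -A INPUT  -p tcp -m state --state NEW -s "$LAN" --dport 22 -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp -m state --state NEW -d "$LAN" --dport 22 -j ACCEPT

    ### Accept Telnet(23) from LAN (cleartext protocol; keep it LAN-only) ###
    "$IPTABLES" -A INPUT  -p udp -s "$LAN" --dport 23 -j ACCEPT
    "$IPTABLES" -A OUTPUT -p udp -d "$LAN" --sport 23 -j ACCEPT
    "$IPTABLES" -A INPUT  -p tcp -m state --state NEW -s "$LAN" --dport 23 -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp -m state --state NEW -d "$LAN" --dport 23 -j ACCEPT

    ### Accept WWW (HTTP:80,HTTPS:443) from anywhere ###
    "$IPTABLES" -A INPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
    "$IPTABLES" -A INPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT

    ### Allow access to external WWW servers(HTTP:80,HTTPS:443) ###
    "$IPTABLES" -A OUTPUT -p tcp -m state --state NEW --dport 80 -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp -m state --state NEW --dport 443 -j ACCEPT

    ### Accept FTP (Active/Passive) ###
    # 21: control; 20: active-mode data; 4000:4029: passive-mode data range.
    "$IPTABLES" -A INPUT  -p tcp -m state --state NEW --dport 21 -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp -m state --state NEW --dport 21 -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp -m state --state NEW --sport 20 -j ACCEPT
    "$IPTABLES" -A INPUT  -p tcp -m state --state NEW --sport 20 -j ACCEPT
    "$IPTABLES" -A INPUT  -p tcp -m state --state NEW --dport 4000:4029 -j ACCEPT

    ### Accept MTA (SMTP:25/465) from anywhere ###
    "$IPTABLES" -A INPUT -p tcp -m state --state NEW --dport 25 -j ACCEPT
    "$IPTABLES" -A INPUT -p tcp -m state --state NEW --dport 465 -j ACCEPT

    ### Allow access to external MTA (SMTP:25,POP3:110) ###
    "$IPTABLES" -A OUTPUT -p tcp -m state --state NEW --dport 25 -j ACCEPT
    "$IPTABLES" -A OUTPUT -p tcp -m state --state NEW --dport 110 -j ACCEPT

    ### Accept mail retrieval (POP3:110,IMAP:143) from LAN only ###
    "$IPTABLES" -A INPUT -p tcp -m state --state NEW -s "$LAN" --dport 110 -j ACCEPT
    "$IPTABLES" -A INPUT -p tcp -m state --state NEW -s "$LAN" --dport 143 -j ACCEPT

    ### Accept DHCP only on the internal interface ###
    # DHCP discover/request packets carry source 0.0.0.0, so "-s $LAN" would not
    # match them; restricting by interface is what keeps this LAN-only.
    "$IPTABLES" -A INPUT   -i "$IN_ETH" -p udp -m state --state NEW --dport 67:68 --sport 67:68 -j ACCEPT
    "$IPTABLES" -A OUTPUT  -o "$IN_ETH" -p udp -m state --state NEW --dport 67:68 --sport 67:68 -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$IN_ETH" -p udp -m state --state NEW --dport 67:68 --sport 67:68 -j ACCEPT

    ### Accept VNC (open to any source, as in the original rule set) ###
    "$IPTABLES" -A INPUT  -p tcp -m state --state NEW --dport 5901:5903 -j ACCEPT
    "$IPTABLES" -A INPUT  -p tcp -m state --state NEW --dport 5801:5803 -j ACCEPT

    ### Accept APC PowerChute Agent from LAN ###
    "$IPTABLES" -A INPUT -p tcp -m state --state NEW -s "$LAN" --dport 2160:2161 -j ACCEPT
    "$IPTABLES" -A INPUT -p udp -s "$LAN" --dport 2160:2161 -j ACCEPT

    ### SNMP (outbound queries/traps) ###
    "$IPTABLES" -A OUTPUT -p udp -m state --state NEW --dport 161:162 -j ACCEPT

    ### SYSLOG from LAN and DMZ ###
    "$IPTABLES" -A INPUT -p udp -s "$LAN" --dport 514 -j ACCEPT
    "$IPTABLES" -A INPUT -p udp -s "$DMZ" --dport 514 -j ACCEPT

    ### NFS (portmapper 111, nfsd 2049, fixed rpc port range 32765:32768) ###
    # Limited to LAN and DMZ, like the NetBIOS file-sharing rules above; the
    # original accepted these ports from any source, including the Internet.
    for net in "$LAN" "$DMZ"; do
      for port in 111 2049 32765:32768; do
        "$IPTABLES" -A INPUT -p udp -m state --state NEW -s "$net" --dport "$port" -j ACCEPT
        "$IPTABLES" -A INPUT -p tcp -m state --state NEW -s "$net" --dport "$port" -j ACCEPT
      done
    done

    ### REJECT Ident(113): a TCP reset lets remote mail servers give up immediately instead of timing out ###
    "$IPTABLES" -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    ### PING (echo request 8 / echo reply 0, both directions) ###
    "$IPTABLES" -A INPUT  -p icmp --icmp-type 8 -j ACCEPT
    "$IPTABLES" -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
    "$IPTABLES" -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
    "$IPTABLES" -A INPUT  -p icmp --icmp-type 0 -j ACCEPT

    ### Allow IP Masquerading (NAT) for the LAN ###
    modprobe iptable_nat
    "$IPTABLES" -t nat -A POSTROUTING -o "$EX_ETH" -s "$LAN" -d 0/0 -j MASQUERADE
    # Forwarding: new connections may leave via the external interface; only
    # replies to them are let back in. Replies to masqueraded connections arrive
    # on "$EX_ETH", so that is the interface the return rule must match.
    "$IPTABLES" -A FORWARD -o "$EX_ETH" -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    "$IPTABLES" -A FORWARD -i "$EX_ETH" -m state --state ESTABLISHED,RELATED -j ACCEPT

    ### Transparent proxy: redirect LAN web traffic to the local proxy ###
    "$IPTABLES" -t nat -A PREROUTING -i "$IN_ETH" -p tcp --dport 80 \
      -j REDIRECT --to-port "$PROXY_PORT"
    # NOTE(review): the original also redirects TCP/20 (FTP-data) to the proxy.
    # Kept as-is, but confirm it is intended: the FTP control channel is TCP/21,
    # and a transparent HTTP proxy does not speak the FTP data channel.
    "$IPTABLES" -t nat -A PREROUTING -i "$IN_ETH" -p tcp --dport 20 \
      -j REDIRECT --to-port "$PROXY_PORT"

    ### Rule set complete: enable IP forwarding ###
    echo 1 > /proc/sys/net/ipv4/ip_forward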
    
  • Add this line to /etc/init.d/boot.local so the rules are loaded at boot:
    ...
    /usr/local/sbin/iptables.sh
    

    Proxy setting for transparent proxy

  • If you are using squid, add these options to /etc/squid/squid.conf:
    httpd_accel_host virtual
    httpd_accel_port 80
    httpd_accel_with_proxy on
    httpd_accel_uses_host_header on
    
  • Note: If you are using squid 3 (tested with squid-beta-3.0-236), those options no longer exist. Use the transparent option as below instead (19 Nov 2004, on SuSE 9.1):
    http_port 8080 transparent
    
  • If you are using the Delegate proxy server, nothing needs to be changed.

    Enable NFS Server

  • Edit /etc/sysconfig/nfs to give mountd a fixed port instead of the one assigned by rpc, so that it falls inside the port range opened by the NFS rules in the script above:
    ...
    # MOUNTD_PORT=""
    MOUNTD_PORT="32767"
    ...
    
