
Firewall scripts in Thibor

Discussion in 'HyperWRT Firmware' started by Moosh, Apr 19, 2007.

    Moosh, Network Guru Member

    Hi,

    I am just trying my first iptables scripts and loaded one based on James Stephens' simple ruleset at

    http://www.sns.ias.edu/~jns/files/iptables_ruleset

    I left out

    iptables -F
    iptables -X
    iptables -Z

    and the module loading:

    # Load appropriate modules.
    modprobe ip_tables
    modprobe ip_conntrack
    modprobe ip_conntrack_ftp

    and had to leave out, because it would not work:

    # Make sure that IP forwarding is turned off. We only want this for a multi-homed host.
    /bin/echo "0" > /proc/sys/net/ipv4/ip_forward

    I must have default DROP as I recently found Spytech and realtime spy on my PC, complete with keylogs and screenshots, so I am paranoid, to say the least.
    Can I simply add the ipt rules to the script and then be able to flush the original ipt rules? Main fear is locking myself out once I commit if I edit the ipt or firewall.sh file.

    Here's the root/usr/tmp/ipt file:

    :PREROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -I PREROUTING -i br0 -j MARK --set-mark 256
    COMMIT
    *nat
    :PREROUTING ACCEPT [0:0]
    :POSTROUTING ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    -A PREROUTING -i vlan1 -d 192.168.0.0/24 -j DROP
    -A PREROUTING -p icmp -d x.x.x.x -j DNAT --to-destination 192.168.0.1
    -A PREROUTING -d x.x.x.x -j TRIGGER --trigger-type dnat
    -A POSTROUTING -o vlan1 -j MASQUERADE
    -A POSTROUTING -o br0 -s 192.168.0.0/24 -d 192.168.0.0/24 -j MASQUERADE
    COMMIT
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :logaccept - [0:0]
    :logdrop - [0:0]
    :logreject - [0:0]
    :trigger_out - [0:0]
    :lan2wan - [0:0]
    :grp_1 - [0:0]
    :advgrp_1 - [0:0]
    :grp_2 - [0:0]
    :advgrp_2 - [0:0]
    :grp_3 - [0:0]
    :advgrp_3 - [0:0]
    :grp_4 - [0:0]
    :advgrp_4 - [0:0]
    :grp_5 - [0:0]
    :advgrp_5 - [0:0]
    :grp_6 - [0:0]
    :advgrp_6 - [0:0]
    :grp_7 - [0:0]
    :advgrp_7 - [0:0]
    :grp_8 - [0:0]
    :advgrp_8 - [0:0]
    :grp_9 - [0:0]
    :advgrp_9 - [0:0]
    :grp_10 - [0:0]
    :advgrp_10 - [0:0]
    :grp_11 - [0:0]
    :advgrp_11 - [0:0]
    :grp_12 - [0:0]
    :advgrp_12 - [0:0]
    :grp_13 - [0:0]
    :advgrp_13 - [0:0]
    :grp_14 - [0:0]
    :advgrp_14 - [0:0]
    :grp_15 - [0:0]
    :advgrp_15 - [0:0]
    :grp_16 - [0:0]
    :advgrp_16 - [0:0]
    :grp_17 - [0:0]
    :advgrp_17 - [0:0]
    :grp_18 - [0:0]
    :advgrp_18 - [0:0]
    :grp_19 - [0:0]
    :advgrp_19 - [0:0]
    :grp_20 - [0:0]
    :advgrp_20 - [0:0]
    -A INPUT -m state --state INVALID -j DROP
    -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A INPUT -i lo -m state --state NEW -j ACCEPT
    -A INPUT -i br0 -m state --state NEW -j ACCEPT
    -A INPUT -p icmp -j logdrop
    -A INPUT -p igmp -j logdrop
    -A INPUT -j logdrop
    -A FORWARD -i br0 -o br0 -j ACCEPT
    -A FORWARD -m state --state INVALID -j DROP
    -A FORWARD -p tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1461: -j TCPMSS --set-mss 1460
    -A FORWARD -i vlan1 -o br0 -j TRIGGER --trigger-type in
    -A FORWARD -i br0 -j trigger_out
    -A FORWARD -i br0 -j lan2wan
    -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
    -A FORWARD -i br0 -m state --state NEW -j logaccept
    -A FORWARD -j logdrop
    -A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logaccept -j ACCEPT
    -A logdrop -m state --state NEW -j LOG --log-prefix "DROP " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logdrop -j DROP
    -A logreject -j LOG --log-prefix "WEBDROP " --log-tcp-sequence --log-tcp-options --log-ip-options
    -A logreject -p tcp -m tcp -j REJECT --reject-with tcp-reset
    COMMIT

    How do they conflict with the script? I also noticed the same files (root/usr/tmp) under root/tmp/.... Does it matter which one I edit with SCP (the firewall.sh, that is), because there seems to be a maximum number of lines in the web firewall script page?

    Oh, the edits to the ruleset:

    changed the interface from eth0 to vlan1
    and added some stuff for NNTP and SSH and limiting SMTP (only I can still connect with another NNTP server). Basically I added:

    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -o br0 -p udp -d 192.168.0.100 --dport 514 -m state --state NEW,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -s 192.168.0.100 --dport 22 -m state --state NEW -j logaccept
    iptables -A INPUT -p udp -s 192.168.1.1 --sport 67 -j logaccept
    iptables -A OUTPUT -p udp -d 192.168.1.1 --dport 67 --sport 68 -j logaccept
    iptables -A OUTPUT -o vlan1 -p udp -s 212.*.*.* --dport 123 -j logaccept
    iptables -A OUTPUT -o vlan1 -p tcp --dport 25 --dst 195.*.*.0/16 -m state --state NEW,ESTABLISHED -j logaccept
    iptables -A INPUT -i vlan1 -p tcp --sport 110 -m state --state ESTABLISHED -j logaccept
    iptables -A OUTPUT -o vlan1 -p tcp --dport 110 --dst 195.129.*0/16 -m state --state NEW,ESTABLISHED -j logaccept
    iptables -A INPUT -i vlan1 -p tcp --sport 119 -m state --state ESTABLISHED -j logaccept
    iptables -A OUTPUT -o vlan1 -p tcp --dport 119 --dst 140.*.*.*/16 -m state --state NEW,ESTABLISHED -j logaccept
    iptables -A INPUT -i vlan1 -p tcp --sport 119 -j logdrop
    iptables -A OUTPUT -o vlan1 -p tcp --dport 119 -j logdrop

    192.168.1.1 is my modem, the router is 192.168.0.1... the modem passes the WAN IP to the WRT. Logging is mainly for debugging.
    Lots of questions, so if someone can point me in the direction of where I can learn from scratch, I'd be grateful. I just started to read Andreasson, but that's a lot to get through.
    Thanks,

    Jay
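An added example, not code from Moosh's post or from the Thibor firmware, for the two things the post asks about: whether appended rules conflict with the stock ruleset, and how to commit a new firewall.sh without locking yourself out. In the posted dump the INPUT chain ends with an unconditional `-A INPUT -j logdrop` (and logdrop ends in `-j DROP`), so any rule appended to INPUT after the stock rules is never evaluated; the OUTPUT chain has no rules and policy ACCEPT, so appended OUTPUT rules do take effect. The first helper finds such dead rules in an iptables-save dump; the second loads a ruleset with an automatic revert. The sample ruleset is constructed from the posted *filter table (br0, 192.168.0.100, the log chains), and the /tmp paths, the timeout and the availability of iptables-save/iptables-restore, awk and mktemp on the router are assumptions of this example.

```sh
#!/bin/sh
# Added example, not code from the original post or from the Thibor firmware.
# Two helpers for editing a router firewall script without surprises:
#  - find_unreachable: flags rules that can never match because they are
#    appended behind an unconditional terminating rule in the same chain.
#  - apply_with_rollback: loads a new ruleset but restores the saved one
#    after a timeout unless you confirm, so a bad ruleset cannot lock you out.
# Assumptions: a POSIX sh with awk and mktemp (BusyBox is enough), and
# iptables-save / iptables-restore on the router. Paths under /tmp are
# made up for this example.

# Constructed sample in iptables-save format: the INPUT/FORWARD part of the
# posted *filter table, with the post's SSH rule appended after the stock
# rules. 192.168.0.100, br0 and the log chains are taken from the post.
SAMPLE_RULES='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:logaccept - [0:0]
:logdrop - [0:0]
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i br0 -m state --state NEW -j ACCEPT
-A INPUT -j logdrop
-A INPUT -p tcp -s 192.168.0.100 --dport 22 -m state --state NEW -j logaccept
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -j logdrop
-A logaccept -m state --state NEW -j LOG --log-prefix "ACCEPT "
-A logaccept -j ACCEPT
-A logdrop -m state --state NEW -j LOG --log-prefix "DROP "
-A logdrop -j DROP
COMMIT'

# Read an iptables-save dump on stdin and print every "-A" rule that sits
# behind a rule with no match part ("-A CHAIN -j TARGET") whose target is a
# final verdict (DROP/ACCEPT/REJECT) or a user chain ending in one.
# Only -A lines are considered, which is all iptables-save emits.
find_unreachable() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"
    awk '
    # Pass 1: remember the target of the last rule in each chain when that
    # rule is unconditional, so "-j logdrop" can be recognised as a DROP.
    NR == FNR {
        if ($1 == "-A") last[$2] = (NF == 4 && $3 == "-j") ? $4 : ""
        next
    }
    # Pass 2: once a chain has hit a final verdict, every later rule is dead.
    $1 == "-A" {
        chain = $2
        if (chain in dead) { print; next }
        if (NF == 4 && $3 == "-j") {
            t = $4
            if (t == "DROP" || t == "ACCEPT" || t == "REJECT" ||
                last[t] == "DROP" || last[t] == "ACCEPT" || last[t] == "REJECT")
                dead[chain] = 1
        }
    }' "$tmp" "$tmp"
    rm -f "$tmp"
}

# Load NEWRULES (iptables-save format) but revert to the current ruleset
# after TIMEOUT seconds unless /tmp/fw_rollback has been removed in the
# meantime. Confirm from a session opened through the new rules with:
#     rm /tmp/fw_rollback
apply_with_rollback() {
    newrules=$1
    timeout=${2:-90}
    iptables-save > /tmp/fw_backup || return 1
    : > /tmp/fw_rollback
    # Background watchdog: keeps running even if your SSH/web session dies.
    ( sleep "$timeout"
      if [ -e /tmp/fw_rollback ]; then
          iptables-restore < /tmp/fw_backup
          rm -f /tmp/fw_rollback
      fi ) &
    # iptables-restore commits each table in one step, so there is no window
    # with a DROP policy and an empty chain, unlike "-P INPUT DROP" then "-F".
    iptables-restore < "$newrules"
}

# Stand-alone run: report the dead rule in the constructed sample.
printf '%s\n' "$SAMPLE_RULES" | find_unreachable
```

Run against the sample, find_unreachable prints only the SSH rule, because it was appended behind `-A INPUT -j logdrop`; inserting it with `-I INPUT` (or placing it before the catch-all in the script) makes it reachable. The rollback helper matters most once the policies are switched to DROP: with a DROP policy, a flush (`iptables -F`) leaves no ACCEPT rule at all, so a mistake in the script silently cuts off LAN access to the router until the watchdog restores the saved ruleset.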
