This is a continuation of articles “using iptables on your linux router“  and “how to setup your slackware linux box as a router“. This is the script that im pretty much finished with and how it works.

Hardware Setup

This is a basic diagram of my network setup. Crossover cables are denoted with ‘C’. This does not represent the actual spacing between items at all, for instance PC 2 is about 100ft away from the hub, the hub is right on top of the server.

Eth1 Network (192.168.10.0)
Very Un-trusted !
Only allow ports 80, and 22
PC1 can be allowed samba ports also

Eth2 Network(192.168.1.0)
Very trusted
All Packets are passed directly through

Firewall Script Flow Chart

This is a flow chart that explains how the firewall handles packets.

After making all this i realized that everything goes differently, packets go to see if its pc3 then to see if eth1 then they go to the firewall table to see if established/related, that is of course if they made it that far. If they were eth1 then they would have gone to net two. So please realize this above diagram is not exactly like my script, but very similar.

For simplicity I don’t include the “firewall” table which just accepts all local loopback and then goes to the trusted table. Really I should eliminate the “firewall” table, feel free to. The “NETTWO” table is dedicated to the unsecure network, It only allows port 80, 22 and PC1. PC1 is also pretty restricted. The table “NETTWO” hooks into the wifi router, which I am VERY weary of, I do further security on that router, its just a old Linksys wireless router. Its actually the router that I replaced my linux box with.

Anyway without further a due here is the actual script.

#!/bin/bash
 
RETVAL=0
external_int="eth0"
external_ip="`ifconfig $external_int | grep 'inet addr' | awk '{print $2}' | sed -e 's/.*://'`"
 
# start the firewall
start() {
 
	# set all default behaviour to accept
	iptables -P INPUT ACCEPT
	iptables -P OUTPUT ACCEPT
	iptables -P FORWARD ACCEPT
 
	# create new chains for firewall and trusted filtering
	iptables -N FIREWALL
	iptables -N TRUSTED
	iptables -N NETTWO # temp? tables for subnetwork of wifi, luis and garage computer
 
	# Log chain
	iptables -N LOG_DROP
	iptables -A LOG_DROP -j LOG --log-prefix '[IPTABLES DROP] : '
	iptables -A LOG_DROP -j DROP
 
	# allow established and related incoming connetions only
	iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
	# Allow self communication
	iptables -A FIREWALL -i lo -j ACCEPT
	iptables -A FIREWALL -o lo -j ACCEPT
	# send all package to the trusted chain
	iptables -A FIREWALL -j TRUSTED
	# drop all other packets
	iptables -A FIREWALL -j LOG_DROP
 
	############################
	# Prerouting, to speed up things
	############################
 
	# give the ubuntu pc a green light to do whatever, compleatly trusted ! (to firewall only)
	# ubuntu pc is connected to eth2 and has static ip of 192.168.1.11
	iptables -A INPUT   -j ACCEPT -p all -s 192.168.1.11 -i eth2
	iptables -A OUTPUT  -j ACCEPT -p all -d 192.168.1.11 -o eth2
	# for the subnetwork that has luis and wifi we send it to its own table
	iptables -A INPUT -i eth1 -j NETTWO
	# send all input packets to the firewall chain
	iptables -A INPUT -j FIREWALL
 
	############################
	# Begin Forward Table and Inet sharing
	############################
 
	# forward all traffic coming from eth1 to eth 0 ( make all eth1's stuff go to the net)
	iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
	# forward only established or related connections from eth0 to eth1 ( so only stuff a local lanputer has started)
	iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
	# same as above but for eth2 (gigabit connection)
	iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
	iptables -A FORWARD -i eth0 -o eth2 -m state --state ESTABLISHED,RELATED -j ACCEPT
	# forward all sof2mp test stuff to this computer (take all connections to server)
	iptables -A FORWARD -i eth0 -o eth2 -p udp -m udp --dport 20100:20112 -j ACCEPT
	# broadcast the sof2 mp test server
	iptables -A FORWARD -i eth0 -o eth2 -p tcp -m tcp --dport 20100:20112 -j ACCEPT
	# any packets that get to this point are logged then dropped
	iptables -A FORWARD -j LOG_DROP
	# masquerade the ip's so they look like they are "all from one" machine
	iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
	# turn forwarding on "tell the kernel"
	echo 1 > /proc/sys/net/ipv4/ip_forward
 
	############################
	# network two routing table, for subnetwork with luis and wifi
	# only port 80 and 22 are allowed, the rest are logged/dropped
	############################
 
	iptables -A NETTWO -p tcp -m tcp --dport 80 -j ACCEPT
	iptables -A NETTWO -p tcp -m tcp --dport 22 -j ACCEPT
	#iptables -A NETTWO -m mac --mac-source "pc2's mac" -p tcp -m tcp --dport 137:139 -j ACCEPT
	#iptables -A NETTWO -m mac --mac-source "pc2's mac" -j ACCEPT
	iptables -A NETTWO -j LOG --log-prefix '[NETTWO DROP] : '
	iptables -A NETTWO -j DROP
 
	############################
	# Begin Trusted Table
	############################
 
	# Allow http, the eth+ defines "all" ethernet devices
	iptables -A TRUSTED -i eth+ -p tcp -m tcp --dport 80 -j ACCEPT
 
	# Allow http, the eth+ defines "all" ethernet devices
	iptables -A TRUSTED -i eth1 -p tcp -m tcp --dport 80 -j ACCEPT
 
	# Allow https
	iptables -A TRUSTED -o eth0 -p udp -m udp --dport 443 -j ACCEPT
	iptables -A TRUSTED -o eth0 -p tcp -m tcp --dport 443 -j ACCEPT
 
	# Allow SSH
	iptables -A TRUSTED -i eth+ -p tcp -m tcp --dport 22 -j ACCEPT
 
	# sof II test
	iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 20100 -j ACCEPT
	iptables -A TRUSTED -i eth0 -p udp -m udp --dport 20100 -j ACCEPT
 
	# Nexuiz
	iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 26000 -j ACCEPT
	iptables -A TRUSTED -i eth0 -p udp -m udp --dport 26000 -j ACCEPT
 
	# teamspeak
	iptables -A TRUSTED -i eth0 -p tcp -m tcp --dport 8767  -j ACCEPT
	iptables -A TRUSTED -i eth0 -p udp -m udp --dport 8767 -j ACCEPT
 
	# allow samba server for print and files to local nics only
	iptables -A TRUSTED -i eth1 -p tcp -m tcp --dport 137:139 -j ACCEPT
	iptables -A TRUSTED -i eth2 -p tcp -m tcp --dport 137:139 -j ACCEPT
	iptables -A TRUSTED -i eth1 -p tcp -m tcp --dport 445 -j ACCEPT
	iptables -A TRUSTED -i eth2 -p tcp -m tcp --dport 445 -j ACCEPT
 
	# log and drop all packets going through the trusted chain that make it this far
	iptables -A TRUSTED -j LOG_DROP
 
	# end message
	echo "- Iptables Script ran, security enabled"
 
	RETVAL=0
}
# open everything and forward everything
dumb() {
	# set all default behaviour to accept
	iptables -P INPUT ACCEPT
	iptables -P OUTPUT ACCEPT
	iptables -P FORWARD ACCEPT
	# now forward everything
	# forward all traffic coming from eth2to eth 0 (all ubuntu's computer goes to net)
	iptables -A FORWARD -i eth1 -o eth2 -j ACCEPT
	# forward all traffic from eth0 to eth2, all traffic from net to ubuntu computer
	iptables -A FORWARD -i eth2 -o eth1 -j ACCEPT
	# same as above but for eth1 (local lan slow)
	iptables -A FORWARD -i eth2 -o eth0 -j ACCEPT
	iptables -A FORWARD -i eth0 -o eth2 -j ACCEPT
 
	iptables -t nat -A PREROUTING -p udp -i eth0 -d $external_ip --dport 20100:20112 -j DNAT --to-destination 192.168.1.11
	iptables -t nat -A PREROUTING -p tcp -i eth0 -d $external_ip --dport 20100:20112 -j DNAT --to-destination 192.168.1.11
 
	# masquerade the ip's so they look like they are "all from one" machine
	iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
	# turn forwarding on "tell the kernel"
	echo 1 > /proc/sys/net/ipv4/ip_forward
	echo "+ everything accepted, everything forwarded";
}
 
# stop the firewall (everything is open !)
stop() {
	# set the default policy
	iptables -P INPUT ACCEPT	# accept all incoming packets
	iptables -P FORWARD ACCEPT	# forward all packets to other puters (flood)
	iptables -P OUTPUT ACCEPT	# accept all outgoing packets and send them
 
	# set default policy for the NAT table
	iptables -t nat -P PREROUTING ACCEPT
	iptables -t nat -P POSTROUTING ACCEPT
	iptables -t nat -P OUTPUT ACCEPT
 
	# delete all old rules
	iptables -F 			# flush
	iptables -t nat -F		# flust nat table
 
	# delete all chains
	iptables -X
	iptables -t nat -X
 
	echo "+ All tables flushed"
	RETVAL=0
}
lockdown() {
	echo "locking down everything"
	iptables -t nat -P PREROUTING DROP
	iptables -t nat -P POSTROUTING DROP
	iptables -t nat -P OUTPUT DROP
	iptables -t nat -P PREROUTING DROP
	iptables -t nat -P POSTROUTING DROP
	iptables -t nat -P OUTPUT DROP
	echo "itz locked down"
}
# case statement to call the correct function, exept status which is in the case
case $1 in
   start)
     start
     ;;
   dumb)
	 stop
     dumb
     ;;
   stop)
     stop
     ;;
   restart)
     stop
     start
     ;;
   status)
     iptables -L
     iptables -t nat -L
     RETVAL=0
     ;;
   lockdown)
	stop
	lockdown
	;;
   *)
echo "Usage: Firewall (start|stop|restart|status)"
esac
 
exit

Thats pretty much it. I’m still kinda dumb when it comes to the forwarding part, so be careful of that part. Also when i allow pc2 to connect to samba ports i use its mac addres so replace “pc2 mac” with the mac address without quotes. Like this 00:00:00:00:00

Im dropping packets like there is no tommorrow. I’ve found that pc1 has something on it that is always sending packets to weird ports/ip’s they are all getting blocked.

Please comment if you know how i can improve this, or can point out any errors.

Another note, if you have email coming out from your server be sure to enable port 25, or whatever port you use. I just did that to mine.

This goes along with my other article on how to setup a router/gateway in slackware. After you have setup that router you will need to be able to open up ports. I found small quick fixes for this, but i didnt really make anything that i understood till a few days later and lots of reading. That is why i’m totally rewriting this article.

The best way to think of iptables/chains is kinda like chains (go figure) the packets go from link to link until they reach their destination or are dropped/rejected. One chain link can have several links atached to it so the packet could go out several different ways, lenghts of chain can be short or long.

Iptables in two paragraphs

So just for a example lets say we have a router that just accepts http or ssh traffic (which mine does). The chain would start at the first link, it would say “is it http?” if no, next link “is it ssh” if no next link. If there is no other link the “default policy” will take effect. The default policy can be drop or accept. So if we had a policy of accept the packet would get accepted if it was not a http or ssh packet, if we had a default drop policy it would get dropped. To avoid confusion we would have another link that would “drop” the packet if its not what we want.

There are 3 main sections of chain that you can mess with, INPUT, OUTPUT and FORWARD. The input chain/table is for packets coming in, the output for packets going out and the forward for packets getting forwarded. Really hard huh ? We are mostly concerned with packets coming in, the packets we send out should not be limited in most cases, and forwarding is its own thing.

An Example

The most basic configuration of my server allows only two ports open, I believe this to be secure, or at least better than the dozen that were open before I did this. The two ports that are open are ssh (22) and http (80). This way i can remote admin my server and allow my webserver to go through (which is on the same machine).

So that all has to do with packets coming in, lets add links to the INPUT table

# (link 1) Allow http, the eth+ defines "all" ethernet devices
iptables -A INPUT -i eth+ -p tcp -m tcp --dport 80 -j ACCEPT
# (link 2) Allow SSH
iptables -A INPUT -i eth+ -p tcp -m tcp --dport 22 -j ACCEPT
# (link 3) throw everything else away
iptables -A INPUT -j DROP

The comments are preceded by # so they are just saying whats going on. Basically we added three links “-A” for “append”. Ill leave the rest of the syntax up to you to figure out, but this is the main syntax that is used in most of the statements for iptables, these are very common lines.

The first link checks all eth nics (eg. eth+) and if they are passing port 80 data (http) we Accept it. Same goes for link two, except we are using port 22. Then link three just drops everything, this makes it like “stealth” mode, they cant figure out if its closed or open. Our server returns no response on “drop” if you want to report the port as closed use “REJECT”.

You should note that ORDER MATTERS, if we were to put the drop link in first it would drop all packets first. So add all the ports you want to allow before you put your Drop portion.

Another Example

I’ve just done this to my home network. Since i have wifi and my bro-in law hooked up to my subnetwork 192.168.10.0 im very weary of that connection. I’m almost positive that my bro in law has spyware or something that is trying to communicate with god knows what at all hours of the day. I know this by looking at the log files.

This subnetwork is hooked up to eth1, so simple enough only traffic on port 80 is allowed on that interface. To accomplish this i send all the traffic from that port to its own chain. The chain is very short it just allows port 80 and logs/drops everything else.

    iptables -N NETTWO  # create table
    iptables -A NETTWO -p tcp -m tcp --dport 80 -j ACCEPT    # is it port 80 ?
    iptables -A NETTWO -j LOG --log-prefix '[NETTWO DROP] : '   #if no log/drop
    iptables -A NETTWO -j DROP

and then add it as one of the first lines of your input table for eth1. So if anything is coming to/from eth1 we send it to this table. That way if you have another table with more complicated checking for tons of ports it does not have to check all of them before dumping the stuff on odd ports.

#first line of my input table, if eth1 jmp nettwo
 
iptables -i eth1 -j NETTWO

I know this works well because i was editing the script in windows over the samba share on the wifi. When i clicked back over to copy my code for the page it was froze because i closed the samba ports.

Also this provides a nice way to see all the stuff being dropped by differnet parts of the network, because looking through the log files is very difficult.

Links to other links of chain

A great way of doing this is to have a list/links/chain that you make yourself, then you can add that like a link into the input chain. For instance I made a “TRUSTED” chain/table and append all the ports i want to accept into it. Then my “input” table first sends the packet to the “trusted” table and then drops it. But, first i also do a little preliminary checking and send it to another table called firewall. So its INPUT -> FIREWALL -> TRUSTED -> DROP

# create two chains, one for fw other is trusted (for clean script?)
iptables -N FIREWALL
iptables -N TRUSTED
# allow established and related incoming connections only
iptables -A FIREWALL -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# Allow self communication
iptables -A FIREWALL -i lo -j ACCEPT
iptables -A FIREWALL -o lo -j ACCEPT
# send all package to the trusted chain
iptables -A FIREWALL -j TRUSTED
# drop all other packets
iptables -A FIREWALL -j DROP

The -N makes a new table, then i use state matching “-m” to see if its a established or related packet, then i automatically accept local loopback, from there i append the trusted chain then append the drop link. So, basically instead of having one long chain we have one chain link that connects to several chains, but they are all pretty short. I’m sure this helps speed up things a lot. Like for instance if you know 90% of your packets are going to one machine you can filter them out in your first link before your server even starts to think about it. Thats what the “established, related” does, I’ve we’ve already established a link to a webpage or game server there is no need to check every single packet after that, its the “new” connections that we want to worry about.

All the stuff we want to keep out we append to the firewall table before the appending of the “trusted” table. This way we see if its somone we dont like, if so we drop them if not we see if its somone we do like if so let them pass if not drop them. Pretty simple stuff, but it takes a while to get used to the syntax and such.

There is no one script for everyone

This stuff is unique to every machine, if you dont wanna learn iptables get firestarter, firewallbuilder, guarddog or any of the other gui tools out there. I only tried one, and it was just as complicated as learning this, except when you learn iptables it allows you to do everything you want. But there is no copy/paste script that you can use (that i know of) belive me i tried a lot of them, they didnt work for me and i had no idea what i was doing. If you want good security thats in your hands read the material and practice with your iptables. You can use webpages like this one to see which ports you have open, close them open them and such and make sure you have iptables down.

I got most of this information from a really good tutorial i found, you might wanna check it out. http://ubuntuforums.org/showthread.php?t=159661&highlight=iptables

I barley feel comfortable with my iptables now, and i can write it from scratch. Until you get to the point where you KNOW what is going on and can write your iptables syntax, I would not feel secure.

Checking IPTABLES -L (use “iptables -L -v” instead)

This was confusing me forever, you type “iptables -L” and it shows you the rules but all the source and destination are anywhere anywhere. So, it looks like everything is going trough. What we need is a better way of seeing whats going on. If you want the best way to see whats going on try tcpdump, but for our purposes the command “iptables -L -v” works great. That “-v” part makes it print out alot more detail. The most useful part of that command is that it shows you how many packets it has sent to each part, so you can easily test ports and see where everything is going. For example, check it then go do something on that port and then check it again, if the number of packets through that port has not changed something is wrong, or right

Other Stuff

There is of course much more to it than this, there is the “forwarding” part. How do you want to handle the forwarding of your internet access to the machines on your local lan. That part is still pretty fuzzy for me, the main thing im wondering is do i need to filter out stuff for the forwarding part or is that already handled by the input part. Im pretty sure the input table filters stuff before it even gets to your forwarding table, but you might want to check up on that. Anyway this is what i do to forward to all my other machines, straight simple,

# enable port forwarding
iptables -A FORWARD -j ACCEPT
# hide computers behind the firewall
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
echo 1 > /proc/sys/net/ipv4/ip_forward

I was messing with that for a while trying to get it to just forward stuff on port 80 but i think the filtering stuff does not work the same in the forward table. I recommend having a basic firewall on the other systems on your lan to ensure safety.

Script ?

The best thing about all this is you can make it into one big script. I made mine into a executable in my /etc/rc.d/ folder i can access it like most of the other executables in that folder with ./firewall start or ./firewall restart and such. For instance when I know ill be playing games or hosting a server i can have special functions inside the script just for that like ./firewall gamenight or something. You could even use this to turn on/off interenet connections like if you have kids or something and you want your inet to turn off at a certain time you can just call the script ./firewall stop or ./firewall start at certain times. The possiblilites are endless, as they should be with linux. Here is the core of my bash script so you can make your own

# case statement to call the correct function, exept status which is in the case
case $1 in
   start)
     start
     ;;
   stop)
     stop
     ;;
   restart)
     stop
     start
     ;;
   status)
     iptables -L
     iptables -t nat -L
     RETVAL=0
     ;;
   lockdown)
	stop
	lockdown
	;;
   *)
echo "Usage: Firewall (start|stop|restart|status)"
esac
 
exit

Then above that you just need to make your fucntions like this is my “stop” function, you should note it calls the stop function before it resets. This pretty much opens my firewall up and enables forwarding. It illustrates the use of functions in bash, this should be above the code i have above, just like in C you cant call functions unless they are above the thing that is calling them.

# stop the firewall (everything is open !)
stop() {
	echo "Remvoing all Iptables rules: "
	echo "Everything on the network will be open !!!"
 
	# set the default policy
	iptables -P INPUT ACCEPT	# accept all incoming packets
	iptables -P FORWARD ACCEPT	# forward all packets to other puters (flood)
	iptables -P OUTPUT ACCEPT	# accept all outgoing packets and send them
 
	# set default policy for the NAT table
	iptables -t nat -P PREROUTING ACCEPT
	iptables -t nat -P POSTROUTING ACCEPT
	iptables -t nat -P OUTPUT ACCEPT
 
	# delete all old rules
	iptables -F 			# flush
	iptables -t nat -F		# flust nat table
 
	# delete all chains
	iptables -X
	iptables -t nat -X
 
	# setup port forwarding
	echo "Enabling forwarding from eth0 to everyone"
	iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
	echo "All tables flushed, all connections accepted/forwarded"
	RETVAL=0
}

If your interested in more of that look at this tutorial, almost everything in this article was adapted from that tutorial and the advanced one linked to on that page.

Helpful links

http://www.speedguide.net/analyzer.php? (Analize your internet connection)

https://www.grc.com/x/ne.dll?bh0bkyd2 (tests what ports are open on your computer)

http://www.speedtest.net/ ( a fast internet speed tester)

http://linux.die.net/man/8/iptables (excellent quick reference, when you already know how)