iptables
iptables 1.3.8
iptables is a Linux kernel packet control tool.
iptables and netfilter are building blocks of a framework inside the Linux 2.4.x and 2.6.x kernel. This framework enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling. It is the re-designed and heavily improved successor of the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems.
iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists of a number of classifiers (iptables matches) and one connected action (iptables target).
netfilter, iptables and the connection tracking as well as the NAT subsystem together build the whole framework.
Main features:
- stateless packet filtering (IPv4 and IPv6)
- stateful packet filtering (IPv4)
- all kinds of network address and port translation (NAT/NAPT)
- flexible and extensible infrastructure
- multiple layers of APIs for 3rd party extensions
- large number of plugins/modules kept in patch-o-matic repository
Download (0.17MB)
Added: 2007-06-26 License: GPL (GNU General Public License) Price:
851 downloads
Gtk-IPTables 0.5.0
Gtk-IPTables is a GTK-based frontend for iptables written in C. You can create rules for all chains for Filter, NAT, and Mangle tables.
To install read the INSTALL file.
To run it just type gtkiptables
In order to compile you must have Gtk-dev, which contains the header files
and static libraries. You also need the Gtk set of widgets that comes with
almost every distro. We are talking of version 1.2.10 for both.
Gtk packages: www.gtk.org
Download (0.018MB)
Added: 2006-12-17 License: GPL (GNU General Public License) Price:
1046 downloads
iptables-p2p 0.3.0a
iptables-p2p is an iptables match module capable of matching various peer-to-peer networks. It works by examining the application-layer protocol.
This is how you install iptables-p2p:
1. Copy the iptables headers to an appropriate place (/usr/include) or install the iptables-dev package if your distro has one. (see Installing iptables headers)
2. Run make in order to compile iptables-p2p.
3. Insert the kernel/ipt_p2p.o module directly using insmod or copy it into your modules directory. If you are using a 2.6 kernel, the module is named kernel/ipt_p2p.ko.
4. Insert the iptables library libipt_p2p.so into the iptables lib directory (usually /lib/iptables).
Enhancements:
- 0.3.0a
- Fixed iptables-save/iptables-restore
- Fixed module versioning support
Download (0.016MB)
Added: 2006-07-10 License: GPL (GNU General Public License) Price:
1209 downloads
IpTables Rope 20051223
ROPE is a "match module" for Linux IpTables that allows packets to be matched using highly flexible rules, written in a simple purpose-designed scripting language. It was written initially to provide support for the next phase of the P2PWall project for controlling various styles of peer-to-peer application traffic, but is much broader than this in its possible uses. See the Basics page for a tutorial-style overview.
The match modules of iptables allow rules to take actions depending on whether packets match certain criteria or not. The standard distribution of netfilter / IpTables provides a range of useful modules of this type. These typically allow protocol types (TCP or UDP), source and destination addresses and ports etc to be checked.
There is also a set of interesting "extras" that can be compiled into the kernel to provide extended packet matching features. One such example is the "string" module, which allows packets to be matched on the basis of the existence (or otherwise) of specified strings anywhere in the data payload portion of the packets. There are a number of other hidden treasures that can be used to significantly extend the features of the system.
In order to use ROPE to build a match rule, you first need to write the ROPE scriptlet that encodes your match criteria. As an example, we could look for the "Content-length" header of an HTTP download and check that the length does not exceed 1000000 bytes using the following script.
The script works in the following steps:
1. Searches the data payload of the packet for the string "Content-length: ", but ignores letter case as it searches.
2. If the string is not found, the script stops and returns a "not matched" status to netfilter.
3. If the string is found, the script takes the digits that follow it, and stores them as a string in the register $n.
4. The string in $n is converted to an integer and compared against the number 1000000. If $n is larger than 1000000, the script terminates and returns a "matched" status to IpTables.
5. Otherwise, the script terminates with a "not matched" status.
The language in which scripts like this are written is based on the idea of ReversePolish notation but extended to handle the concept of AnchorBrackets. The language is documented in detail in LanguageReference.
Download (0.060MB)
Added: 2006-07-11 License: GPL (GNU General Public License) Price:
1201 downloads
IPTables-tutorial 1.2.2
The IPTables-tutorial's aim is to explain iptables in a complete and simple way. The iptables-tutorial is currently rather stable, and contains information on all the currently available matches and targets (in kernel), as well as a couple of complete example scripts and explanations. It contains a complete section on iptables syntax, as well as other interesting commands such as iptables-save and iptables-restore.
The tutorial has recently been under heavy scrutiny and updating, as can be seen in this, the latest version of the tutorial. It is now also available in book form from Lulu.com. If you feel like contributing or donating to the author of this tutorial, please do buy the book! Thank you!
If you need help, you are better off asking the netfilter mailing list, which you can reach at netfilter at lists.netfilter.org. For more information on this, visit the netfilter mailing list page. You may also contact the linuxsecurity mailing list at security-discuss AT linuxsecurity dotcom. Both are fairly large, and should be able to help you much better than I can.
Download (9.0MB)
Added: 2006-11-22 License: (FDL) GNU Free Documentation License Price:
669 downloads
IPTables log analizer 0.4
IPTables log analizer displays Linux 2.4 iptables logs (rejected, accepted, masqueraded packets...) in a nice HTML page (it supports raw netfilter logs as well as Shorewall and SuSE Firewall logs).
This page is meant to be easy to read and understand, to reduce the manual analysis time.
This page contains statistics on packets and links to more detailed information on a given host, port, domain and so on.
To convince you, here is a typical syslog entry for iptables:
[IPTABLES DROP] : IN=ppp0 OUT= MAC= SRC=172.186.2.157 DST=193.253.186.217 LEN=36 TOS=0x00 PREC=0x00 TTL=115 ID=4775 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=3663
How does it work?
A small daemon is launched by a user who can read the iptables log files. Each time a new packet is logged, the daemon inserts a new row into the database.
The statistics and so on are computed by the PHP page itself.
Download (0.30MB)
Added: 2007-02-14 License: GPL (GNU General Public License) Price:
985 downloads
Technions IPTables Script
Technions IPTables Script is a simple script for setting IPTABLES rules.
Download (MB)
Added: 2007-02-13 License: GPL (GNU General Public License) Price:
998 downloads
PFG for IPTables 0.02 Beta
PFG for IPTables is a PHP Firewall Generator.
Main features:
Main Configuration
- Server IP address
- External Network Interface
- Internal Network Interface
- Enable Forwarding and Masq
Deny the following ICMP types
- Echo Requests
- Destination Unreachable
- Timestamp Reply
- Address Mask Reply
- Address Mask Request
- Host Unreachable
- Host Redirect
- Timestamp Request
- Source Quench
Accept services
- FTP
- SSH
- SMTP
- IMAP
- POP
- HTTP
- HTTPS
- MySQL
- DNS
P2P
- Direct Connect
- Beershare
- Napster
- WinMX
UDP Protocol
- Open UDP for all ports
- Only open UDP for these ports
Allow other TCP ports
Port Forwarding
Blocking IPs and URLs
- Block connections from internal IPs (separate each IP address with a blank space)
- Block access to sites on the internet
Add IPs you want to allow anything from
Download (MB)
Added: 2007-02-14 License: GPL (GNU General Public License) Price:
983 downloads
IPTables::IPv4::IPQueue 1.25
IPTables::IPv4::IPQueue is a Perl extension for libipq.
SYNOPSIS
use IPTables::IPv4::IPQueue qw(:constants);
$queue = new IPTables::IPv4::IPQueue();
$msg = $queue->get_message();
$queue->set_verdict($msg->packet_id(), NF_ACCEPT);
$queue->set_mode(IPQ_COPY_PACKET, 2048);
IPTables::IPv4::IPQueue->errstr;
undef $queue;
Perlipq (IPTables::IPv4::IPQueue) is a Perl extension for iptables userspace packet queuing via libipq.
Packets may be selected from the stack via the iptables QUEUE target and passed to userspace. Perlipq allows these packets to be manipulated in Perl and passed back to the stack.
More information on userspace packet queueing may be found in libipq(3).
Download (0.014MB)
Added: 2007-04-17 License: Perl Artistic License Price:
925 downloads
iptables firewall script 0.5
iptables firewall script is a Linux firewall based on the iptables software.
Sample:
#!/bin/bash
######## START FUNCTIONS #########
scripthelp () {
    cat <<SCRIPTHELP
Every 5 minutes
*/5 * * * * /path/to/this/script restart > /dev/null 2>&1
refresh
-------
Dumps current rules and reloads them.
stop
----
Dumps current rules and halts firewall.
---------------------------------------------------------
Usage: $0 [start|restart|refresh|stop]
SCRIPTHELP
}
# Flush the built-in chains, then flush and delete the custom target chains.
# The built-in chains go first: a chain cannot be deleted with -X while
# INPUT still references it.
flushme () {
    $PROG -F INPUT
    $PROG -F FORWARD
    for i in DENIED_PORT_PRIV DENIED_PORT_UNPRIV_TCP DENIED_PORT_UNPRIV_UDP ONTHEFLY
    do
        $PROG -F $i
        $PROG -X $i
    done
}
fireme () {
    if [ -z "`lsmod|grep iptable_filter`" ];
    then
        modprobe iptable_filter
    fi
    #######################################
    #---------- Start predefined target rulesets ----------#
    #######################################
    # On the fly
    $PROG -N ONTHEFLY
    $PROG -A ONTHEFLY -j LOG --log-level 5 --log-prefix "TL0G_ONTHEFLY: "
    $PROG -A ONTHEFLY -j DROP
    # DENIED PORTS Privileged (1-1023) Target Ruleset
    $PROG -N DENIED_PORT_PRIV
    $PROG -A DENIED_PORT_PRIV -m state --state RELATED,ESTABLISHED -j ACCEPT
    $PROG -A DENIED_PORT_PRIV -j LOG --log-level 5 --log-prefix "TL0G_DENIED_PORT_PRIV: "
    $PROG -A DENIED_PORT_PRIV -j DROP
    # DENIED PORTS Unprivileged TCP (1024+) Target Ruleset
    $PROG -N DENIED_PORT_UNPRIV_TCP
    $PROG -A DENIED_PORT_UNPRIV_TCP -m state --state RELATED,ESTABLISHED -j ACCEPT
    $PROG -A DENIED_PORT_UNPRIV_TCP -j LOG --log-level 5 --log-prefix "TL0G_DENIED_PORT_T-UNPRIV: "
    $PROG -A DENIED_PORT_UNPRIV_TCP -m state --state NEW,INVALID -j DROP
    # DENIED PORTS Unprivileged UDP (1024+) Target Ruleset
    $PROG -N DENIED_PORT_UNPRIV_UDP
    $PROG -A DENIED_PORT_UNPRIV_UDP -j LOG --log-level 5 --log-prefix "TL0G_DENIED_PORT_U-UNPRIV: "
    $PROG -A DENIED_PORT_UNPRIV_UDP -j DROP
    #######################################
    #---------- End predefined target rulesets ----------#
    ######################################
    # Services (the two ranges skip port 113, ident)
    $PROG -A INPUT -p tcp --dport 0:112 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_PRIV
    $PROG -A INPUT -p udp --dport 0:112 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_PRIV
    $PROG -A INPUT -p tcp --dport 114:1023 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_PRIV
    $PROG -A INPUT -p udp --dport 114:1023 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_PRIV
    # NFS
    $PROG -A INPUT -p tcp --dport 2049 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_TCP
    $PROG -A INPUT -p udp --dport 2049 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_UDP
    # X11
    $PROG -A INPUT -p tcp --dport 6000:6005 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_TCP
    $PROG -A INPUT -p udp --dport 6000:6005 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_UDP
    # Netbus
    $PROG -A INPUT -p tcp --dport 12345:12346 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_TCP
    $PROG -A INPUT -p udp --dport 12345:12346 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_UDP
    # Deny all else on TCP unless initiated from local machine/network.
    # This rule covers NFS, X11, and Netbus listed above; it's a catch-all for any TCP
    # ports you may have services running on, but don't know what ports they use.
    # Prevents an accidental crack attempt via TCP services.
    # If you wish to allow any services, or alter the existing rules, they must be
    # added BEFORE the rule below.
    $PROG -A INPUT -p tcp --dport 1024:65535 -s 0/0 -d $IP -i $IFACE -j DENIED_PORT_UNPRIV_TCP
    # Green "OK" marker (the escape sequences are written out explicitly here).
    printf '[ \033[32;01mOK\033[0m]\n'
    echo "rc.firewall loaded with IP: $IP and interface: $IFACE."
}
########################### END FUNCTIONS ##########################
##############################################
#----------------- START CONFIGURATION SECTION --------------------#
##############################################
# Set path to iptables program
PROG=/path/to/iptables
# Set interface type, ie; eth0, ppp0
IFACE=""
###############################################
#------------------ END CONFIGURATION SECTION ---------------------#
##############################################
# Test to make sure configuration variables are set, die if not.
if [ ! -x "$PROG" ] || [ -z "$IFACE" ];
then
    echo "$PROG is not executable, or interface is not set, exiting."
    exit 1
else
    # Get current IP address
    IP=`ifconfig $IFACE| grep inet| cut -f2 -d:| cut -f1 -d" "`
    # Get old IP from last firewall load (if any).
    # The purpose of getting OLDIP is so you can use this script in a cron
    # job to update the firewall with the current IP, great for dialups
    # and other dynamic connections.
    # Examples:
    # Check every 15 minutes:
    # */15 * * * * /path/to/this/script restart > /dev/null 2>&1
    # Check every 5 minutes:
    # */5 * * * * /path/to/this/script restart > /dev/null 2>&1
    # OLDIP is read back from the destination column of the X11 UDP rule (port 6005).
    OLDIP=`$PROG -n -L INPUT| grep 6005|grep udp| cut -b55-|cut -f1 -d u`
    case $1 in
    start)
        if [ -z "$OLDIP" ];
        then
            echo -n "Starting firewall..."
            fireme
        elif [ "$IP" = "$OLDIP" ];
        then
            echo "FIREWALL IS UPDATED."
        fi
        ;;
    restart)
        echo -n "Restarting firewall..."
        if [ -z "`$PROG -n -L INPUT| grep 6005`" ];
        then
            fireme
        elif [ "$IP" = "$OLDIP" ];
        then
            echo "FIREWALL IS UPDATED."
        else
            flushme
            fireme
        fi
        ;;
    refresh)
        echo -n "Resetting firewall..."
        if [ -z "`$PROG -n -L INPUT| grep 6005`" ];
        then
            fireme
        else
            flushme
            fireme
        fi
        ;;
    stop)
        flushme
        printf 'Firewall stopped...[ \033[32;01mOK\033[0m]\n'
        ;;
    *)
        echo
        scripthelp
        ;;
    esac
fi
Download (MB)
Added: 2007-02-14 License: GPL (GNU General Public License) Price:
986 downloads
Firebred iptables Script 0.9
Firebred iptables Script is a firewall designed for sharing your internet connection among a LAN of computers; all you need is a 2.4.x kernel, bash and iptables.
Main features:
- Easily specify allowed inbound ports for UDP and TCP
- Allow in traffic for pptp (microsoft vpn)
- Set up a transparent proxy along with squid or wwwoffle
Install
Simply set it up like your other init scripts; it does, however, need to be run after your DNS starts and the machine is connected to the outside world.
Download (MB)
Added: 2007-02-14 License: GPL (GNU General Public License) Price:
984 downloads
Simple IPTABLES firewall 0.6
Simple IPTABLES firewall is a very simple firewall constructed with basic iptables commands. It is meant to be a guideline only, since any firewall is specific to the services the host offers, and the services the administrator permits local users to use.
NOTE: As is, the script only allows ident (port 113) requests; FTP only works in PASV mode from the client side; IRC DCC sends and chats initiated from behind the firewall are blocked, but incoming DCC requests work (hint: to DCC chat from behind this firewall, use /ctcp nick chat). ICQ is also broken in a few ways, although you can send messages.
This is a self-contained script, and it assumes kernel support and modules.
Download (0.003MB)
Added: 2007-02-13 License: GPL (GNU General Public License) Price:
1023 downloads
NAT iptables firewall script
NAT iptables firewall script is an iptables firewall script.
This script is meant to be run once per boot; the rules will be added twice if you run it twice. If you need to add another rule at runtime, change the -A to -I so it is inserted at the top of the rule list; with -A it would go at the end, after the reject rule.
Sample:
# interface definitions
BAD_IFACE=eth0
DMZ_IFACE=eth1
DMZ_ADDR=x.x.x.96/28
GOOD_IFACE=eth2
GOOD_ADDR=192.168.1.0/24
MASQ_SERVER=x.x.x.98
FTP_SERVER=x.x.x.100
MAIL_SERVER=x.x.x.99
MAIL_SERVER_INTERNAL=192.168.1.3
# testing
#set -x
ip route del x.x.x.96/28 dev $BAD_IFACE
ip route del x.x.x.96/28 dev $DMZ_IFACE
ip route add x.x.x.97 dev $BAD_IFACE
ip route add x.x.x.96/28 dev $DMZ_IFACE
# we need proxy arp for the dmz network
echo 1 > /proc/sys/net/ipv4/conf/eth0/proxy_arp
echo 1 > /proc/sys/net/ipv4/conf/eth1/proxy_arp
# turn on ip forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# turn on antispoofing protection
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f; done
# flush all rules in the filter table
#iptables -F
# flush built in rules
iptables -F INPUT
iptables -F OUTPUT
iptables -F FORWARD
# deny everything for now
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP
# make the chains to define packet directions
# bad is the internet, dmz is our dmz, good is our masqed network
iptables -N good-dmz
iptables -N bad-dmz
iptables -N good-bad
iptables -N dmz-good
iptables -N dmz-bad
iptables -N bad-good
iptables -N icmp-acc
# accept related packets
iptables -A FORWARD -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# internal client masqing
iptables -t nat -A POSTROUTING -s $GOOD_ADDR -o $BAD_IFACE -j SNAT --to $MASQ_SERVER
# mail server masqing
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport smtp -j DNAT --to $MAIL_SERVER_INTERNAL:25
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport http -j DNAT --to $MAIL_SERVER_INTERNAL:80
iptables -t nat -A PREROUTING -p tcp -d $MAIL_SERVER --dport https -j DNAT --to $MAIL_SERVER_INTERNAL:443
# to allow the above to work you need something like
# iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT
# set which addresses jump to which chains
iptables -A FORWARD -s $GOOD_ADDR -o $DMZ_IFACE -j good-dmz
iptables -A FORWARD -s $GOOD_ADDR -o $BAD_IFACE -j good-bad
iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $BAD_IFACE -j dmz-bad
iptables -A FORWARD -s $DMZ_ADDR -i $DMZ_IFACE -o $GOOD_IFACE -j dmz-good
iptables -A FORWARD -o $DMZ_IFACE -j bad-dmz
iptables -A FORWARD -o $GOOD_IFACE -j bad-good
# log and drop anything that doesn't fit these
iptables -A FORWARD -j LOG --log-prefix "chain-jump "
iptables -A FORWARD -j DROP
# icmp acceptance
iptables -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-request -j ACCEPT
iptables -A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT
# iptables -A icmp-acc -j LOG --log-prefix "icmp-acc "
iptables -A icmp-acc -j DROP
# from internal to dmz
iptables -A good-dmz -p tcp --dport smtp -j ACCEPT
iptables -A good-dmz -p tcp --dport pop3 -j ACCEPT
iptables -A good-dmz -p udp --dport domain -j ACCEPT
iptables -A good-dmz -p tcp --dport domain -j ACCEPT
iptables -A good-dmz -p tcp --dport www -j ACCEPT
iptables -A good-dmz -p tcp --dport https -j ACCEPT
iptables -A good-dmz -p tcp --dport ssh -j ACCEPT
iptables -A good-dmz -p tcp --dport telnet -j ACCEPT
iptables -A good-dmz -p tcp --dport auth -j ACCEPT
iptables -A good-dmz -p tcp --dport ftp -j ACCEPT
iptables -A good-dmz -p tcp --dport 1521 -j ACCEPT
iptables -A good-dmz -p icmp -j icmp-acc
iptables -A good-dmz -j LOG --log-prefix "good-dmz "
iptables -A good-dmz -j DROP
# from external to dmz
iptables -A bad-dmz -p tcp --dport smtp -j ACCEPT
iptables -A bad-dmz -p udp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport domain -j ACCEPT
iptables -A bad-dmz -p tcp --dport www -j ACCEPT
iptables -A bad-dmz -p tcp --dport https -j ACCEPT
iptables -A bad-dmz -p tcp --dport ssh -j ACCEPT
iptables -A bad-dmz -p tcp -d $FTP_SERVER --dport ftp -j ACCEPT
iptables -A bad-dmz -p icmp -j icmp-acc
iptables -A bad-dmz -j LOG --log-prefix "bad-dmz "
iptables -A bad-dmz -j DROP
# from internal to external
iptables -A good-bad -j ACCEPT
# iptables -t nat -A POSTROUTING -o $BAD_IFACE -j SNAT --to $MASQ_SERVER
#iptables -A good-bad -p tcp -j MASQ
#iptables -A good-bad -p udp -j MASQ
#iptables -A good-bad -p icmp -j MASQ
#ipchains -A good-bad -p tcp --dport www -j MASQ
#ipchains -A good-bad -p tcp --dport ssh -j MASQ
#ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
#ipchains -A good-bad -p tcp --dport ftp -j MASQ
#ipchains -A good-bad -p icmp --icmp-type ping -j MASQ
#ipchains -A good-bad -j REJECT -l
# from dmz to internal
# iptables -A dmz-good -p tcp ! --syn --sport smtp -j ACCEPT
iptables -A dmz-good -p tcp --dport smtp -j ACCEPT
iptables -A dmz-good -p tcp --sport smtp -j ACCEPT
iptables -A dmz-good -p udp --sport domain -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport domain -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport www -j ACCEPT
iptables -A dmz-good -p tcp ! --syn --sport ssh -j ACCEPT
iptables -A dmz-good -p tcp -d 192.168.1.34 --dport smtp -j ACCEPT
iptables -A dmz-good -p icmp -j icmp-acc
iptables -A dmz-good -j LOG --log-prefix "dmz-good "
iptables -A dmz-good -j DROP
# from dmz to external
iptables -A dmz-bad -p tcp --dport smtp -j ACCEPT
iptables -A dmz-bad -p tcp --sport smtp -j ACCEPT
iptables -A dmz-bad -p udp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport domain -j ACCEPT
iptables -A dmz-bad -p tcp --dport www -j ACCEPT
iptables -A dmz-bad -p tcp --dport https -j ACCEPT
iptables -A dmz-bad -p tcp --dport ssh -j ACCEPT
iptables -A dmz-bad -p tcp --dport ftp -j ACCEPT
iptables -A dmz-bad -p tcp --dport whois -j ACCEPT
iptables -A dmz-bad -p tcp --dport telnet -j ACCEPT
iptables -A dmz-bad -p udp --dport ntp -j ACCEPT
# ipchains -A good-bad -p udp --dport 33434:33500 -j MASQ
iptables -A dmz-bad -p icmp -j icmp-acc
iptables -A dmz-bad -j LOG --log-prefix "dmz-bad "
iptables -A dmz-bad -j DROP
# from external to internal
iptables -A bad-good -p tcp --dport smtp -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -p tcp --dport http -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -p tcp --dport https -d $MAIL_SERVER_INTERNAL -j ACCEPT
iptables -A bad-good -j LOG --log-prefix "bad-good "
iptables -A bad-good -j REJECT
# rules for this machine itself
iptables -N bad-if
iptables -N dmz-if
iptables -N good-if
# set up the jumps to each chain
iptables -A INPUT -i $BAD_IFACE -j bad-if
iptables -A INPUT -i $DMZ_IFACE -j dmz-if
iptables -A INPUT -i $GOOD_IFACE -j good-if
# external iface
# NOTE: after the ICMP filter this accepts every other packet addressed to the
# firewall itself from the internet; restrict it to the services this host
# actually exposes (compare the commented-out ipchains rules below)
iptables -A bad-if -p icmp -j icmp-acc
iptables -A bad-if -j ACCEPT
#ipchains -A bad-if -i ! ppp0 -j DENY -l
#ipchains -A bad-if -p TCP --dport 61000:65095 -j ACCEPT
#ipchains -A bad-if -p UDP --dport 61000:65095 -j ACCEPT
#ipchains -A bad-if -p ICMP --icmp-type pong -j ACCEPT
#ipchains -A bad-if -j icmp-acc
#ipchains -A bad-if -j DENY
# dmz iface (the original jumped from bad-if here, which was a typo)
iptables -A dmz-if -p icmp -j icmp-acc
iptables -A dmz-if -j ACCEPT
# internal iface
iptables -A good-if -p tcp --dport ssh -j ACCEPT
iptables -A good-if -p ICMP --icmp-type ping -j ACCEPT
iptables -A good-if -p ICMP --icmp-type pong -j ACCEPT
iptables -A good-if -j icmp-acc
iptables -A good-if -j DROP
# remove the complete blocks
iptables -D INPUT 1
iptables -D FORWARD 1
iptables -D OUTPUT 1
Added: 2007-02-14 License: GPL (GNU General Public License) Price:
603 downloads
IPTABLES masquerading firewall
IPTABLES masquerading firewall is a self-contained script that enables and sets up basic masquerading (assuming kernel support already exists) at boot time. You may use this example as is, or modify your existing init scripts to include the code.
Under Linux kernel 2.4.x, packet mangling has changed considerably. This includes the masquerading, firewalling, and port forwarding features. This document assumes you're using modules; if you're not, disregard the code in the following script that tests for the loaded module.
#!/bin/sh
# YOU MUST SET THE FOLLOWING THREE VARIABLES
# Set the full path to iptables
PROG=/path/to/iptables
# Set network interface to masquerade on. This will be the interface
# thats connected to the Internet. Possibilities include ppp0, eth0,
# eth1, etc.
IFACE=eth0
# Set machine or network to masquerade. This can be set as hostname, IP address,
# or network mask, examples:
# Hostname your_hostname
# IP address 192.168.1.2
# Net mask 192.168.1.0/24 This masquerades ALL machines on 192.168.1.x
INTNET=192.168.1.2
# Enable IP forwarding in the kernel (required for masquerading)
echo 1 > /proc/sys/net/ipv4/ip_forward
# Load the iptable_nat module if it is not already loaded (it's boot time, not likely :)
if ! lsmod | grep -q iptable_nat; then
    modprobe iptable_nat
fi
# Add the MASQUERADE rule only if none exists yet (it's boot time, not likely :)
# -n avoids reverse DNS lookups while listing the nat table
if ! "$PROG" -t nat -L -n | grep -q MASQUERADE; then
    "$PROG" -t nat -A POSTROUTING -o "$IFACE" -s "$INTNET" -j MASQUERADE
fi
Added: 2007-02-13 License: GPL (GNU General Public License) Price:
987 downloads
Set up iptables NAT rules 1.2b2
Set up iptables NAT rules is an example IPTables 1.2.1 script for a multi-homed firewall.
Please feel free to send me any comments or suggestions.
Current versions and documentation are available at http://www.sentry.net/~obsid/IPTables/rc.scripts.dir/current/
Sample:
## Variables ##
IPTABLES="/usr/local/sbin/iptables" ## Default IPTables >= v. 1.2.0
#IPTABLES="/usr/local/bin/iptables" ## Default IPTables
Added: 2007-02-14 License: GPL (GNU General Public License) Price:
989 downloads
Copyright Notice:
Software piracy is theft. Using cracks, passwords, serial numbers, registration codes or key generators is illegal and prevents future software development. The above iptables search only lists software in full, demo and trial versions for free download. Download links are directly from our mirror sites or publisher sites; torrent files or links from rapidshare.com, yousendit.com or megaupload.com are not allowed.