Linux: a home firewall


A simple home firewall taken from this page (in Spanish) and adapted to my needs:

/etc/firewall.sh

#!/bin/bash
#Source: http://www.ubuntu-es.org/node/422#.UTuvqFFVEy4

IPTABLES=`which iptables`

#-s to specify a source address
#-d to specify a destination address
#-p to specify a protocol
#-i to specify an input interface
#-o to specify an output interface
#-j to specify the action to execute over the packet
#--sport source port
#--dport destination port

#Delete all rules ("-F" alone only empties the filter table, so the nat
#table is flushed too and user-defined chains are removed)
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X

#######################################
#Incoming traffic closed by default. FORWARD is closed as well,
#otherwise enabling ip_forward below would route everything, not
#only what the NAT rules allow. Outgoing traffic is allowed, and
#replies to connections this host opened can come back in.
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#######################################
#Other
#No ping
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all

#No answer to broadcast pings (smurf amplification)
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#Avoid spoofing (the source address must be routable via the interface
#the packet arrived on)
for interface in /proc/sys/net/ipv4/conf/*/rp_filter; do
/bin/echo "1" > ${interface}
done

#Ignore ICMP redirects
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
/bin/echo "0" > ${interface}
done

#Log martian packets (impossible source addresses) to the kernel log
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

#######################################
#NAT & PortForwarding
#More info at: http://www.revsys.com/writings/quicktips/nat.html
#deactivated by default
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward
#uncomment to activate
#/bin/echo "1" > /proc/sys/net/ipv4/ip_forward
#Example to share a ppp connection (internet) with eth0 (internal network)
#Forwarding from eth0 (LAN) to ppp0 (internet)
#$IPTABLES -t nat -A POSTROUTING -o ppp0 -j MASQUERADE
#$IPTABLES -A FORWARD -i ppp0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
#$IPTABLES -A FORWARD -i eth0 -o ppp0 -j ACCEPT

#http://web.mit.edu/rhel-doc/4/RH-DOCS/rhel-sg-es-4/s1-firewall-ipt-fwd.html
#Example to expose a port of an internal host to the internet
#(the DNAT target and the FORWARD destination must be the same host)
#$IPTABLES -t nat -A PREROUTING -i ppp0 -p tcp --dport 80 -j DNAT --to 192.168.1.100:80
#$IPTABLES -A FORWARD -i ppp0 -p tcp --dport 80 -d 192.168.1.100 -j ACCEPT

#######################################
#Port rules (this host)

#Allow HTTP
#$IPTABLES -A INPUT -m state --state NEW -p TCP --dport 80 -j ACCEPT

#Allow SSH, either from specific hosts...
#$IPTABLES -A INPUT -s 172.26.0.3 -p TCP --dport 22 -j ACCEPT
#$IPTABLES -A INPUT -s 172.26.0.4 -p TCP --dport 22 -j ACCEPT
#$IPTABLES -A INPUT -s 172.26.0.5 -p TCP --dport 22 -j ACCEPT

#...or from anywhere
#$IPTABLES -A INPUT -p TCP --dport 22 -j ACCEPT

#Allow DNS
#$IPTABLES -A INPUT -p UDP --dport 53 -j ACCEPT
#$IPTABLES -A INPUT -p TCP --dport 53 -j ACCEPT

#Allow FTP (port 21 is only the control channel; passive data connections
#need the nf_conntrack_ftp module loaded so they match RELATED above)
#$IPTABLES -A INPUT -p TCP --dport 21 -j ACCEPT

#Allow POP3
#$IPTABLES -A INPUT -p TCP --dport 110 -j ACCEPT

#Allow SMTP
#$IPTABLES -A INPUT -p TCP --dport 25 -j ACCEPT

#Allow IMAP (TCP only; there is no IMAP over UDP)
#$IPTABLES -A INPUT -p TCP --dport 143 -j ACCEPT

#Allow all traffic from the LAN. These rules match on source address only,
#so a packet arriving from the internet side with a spoofed LAN address is
#stopped by rp_filter alone; adding "-i eth0" binds them to the LAN interface.
$IPTABLES -A INPUT -s 192.168.0.0/24 -j ACCEPT
$IPTABLES -A INPUT -s 192.168.1.0/24 -j ACCEPT
$IPTABLES -A INPUT -s 192.168.2.0/24 -j ACCEPT

#Allow everything from localhost (mysql, etc.)
$IPTABLES -A INPUT -i lo -j ACCEPT

#Allow TORRENT ports (the OUTPUT rules are redundant while the OUTPUT
#policy is ACCEPT; they are kept in case it is changed to DROP)
$IPTABLES -A INPUT -p tcp --destination-port 51413:51416 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --source-port 51413:51416 -j ACCEPT

#Allow aMule P2P
$IPTABLES -A INPUT -p tcp --destination-port 54662:54672 -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --source-port 54662:54672 -j ACCEPT
$IPTABLES -A INPUT -p udp --destination-port 54662:54672 -j ACCEPT
$IPTABLES -A OUTPUT -p udp --source-port 54662:54672 -j ACCEPT

#$IPTABLES -A INPUT -p tcp --destination-port 56662:56672 -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --source-port 56662:56672 -j ACCEPT
#$IPTABLES -A INPUT -p udp --destination-port 56662:56672 -j ACCEPT
#$IPTABLES -A OUTPUT -p udp --source-port 56662:56672 -j ACCEPT

#$IPTABLES -A INPUT -p tcp --destination-port 57662:57672 -j ACCEPT
#$IPTABLES -A OUTPUT -p tcp --source-port 57662:57672 -j ACCEPT
#$IPTABLES -A INPUT -p udp --destination-port 57662:57672 -j ACCEPT
#$IPTABLES -A OUTPUT -p udp --source-port 57662:57672 -j ACCEPT
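
The script above has four gaps worth closing on a home gateway: "-F" leaves the nat table and user chains untouched, the FORWARD chain keeps its kernel default of ACCEPT, the LAN rules trust a 192.168.x.0/24 source on any interface, and nothing at all is done for IPv6, so on a dual-stack host the DROP policy protects nothing reachable over IPv6. The following is an added example, not the original author's script: a hardened variant that builds the same kind of ruleset for both iptables and ip6tables, binds the LAN trust to its interface, throttles new SSH connections with the "recent" match and logs drops. The interface name eth0, the 192.168.1.0/24 prefix, the admin host 192.168.1.10, the function names and the DRY_RUN switch are all this example's assumptions; it uses "-m conntrack", the current replacement for "-m state". By default it only prints the commands it would run; set DRY_RUN=0 and run it as root to load them.

```shell
#!/bin/bash
# Hardened variant of the page's firewall script (added example, not the
# original author's code). LAN_IF, LAN_NET, SSH_ADMIN and DRY_RUN are
# this example's own assumptions.
set -u

DRY_RUN="${DRY_RUN:-1}"                # 1 = print the commands instead of loading them
LAN_IF="${LAN_IF:-eth0}"               # interface the LAN hangs off (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # LAN prefix, trusted only when seen on LAN_IF
SSH_ADMIN="${SSH_ADMIN:-192.168.1.10}" # the one host allowed to open SSH (assumed)

# Execute an iptables/ip6tables command or, in dry-run mode, print it.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Emit the ruleset for one address family; $1 is "iptables" or "ip6tables".
build_rules() {
    local ipt="$1"

    # "-F" alone only empties the filter table: also empty nat and delete
    # user chains, otherwise a leftover DNAT/MASQUERADE rule survives a reload.
    run "$ipt" -F
    run "$ipt" -t nat -F
    run "$ipt" -X

    # Default-deny on INPUT and FORWARD. With FORWARD left on its kernel
    # default (ACCEPT), switching on ip_forward would route everything,
    # not just the DNAT'd port. OUTPUT stays open as on the page.
    run "$ipt" -P INPUT DROP
    run "$ipt" -P FORWARD DROP
    run "$ipt" -P OUTPUT ACCEPT

    run "$ipt" -A INPUT -i lo -j ACCEPT
    run "$ipt" -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run "$ipt" -A INPUT -m conntrack --ctstate INVALID -j DROP

    if [ "$ipt" = ip6tables ]; then
        # IPv6 does not work without ICMPv6 (neighbour discovery, RAs, PMTU).
        run "$ipt" -A INPUT -p ipv6-icmp -j ACCEPT
    else
        # Trust the LAN prefix only when it arrives on the LAN interface.
        # A bare "-s 192.168.x.0/24 -j ACCEPT" matches on any interface, so a
        # spoofed RFC 1918 source on ppp0 relies on rp_filter alone.
        run "$ipt" -A INPUT -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT
        # SSH from one admin host, at most 3 new connections per minute:
        # record the source, drop it on the 4th hit within 60 s, else accept.
        run "$ipt" -A INPUT -p tcp --dport 22 -s "$SSH_ADMIN" -m conntrack --ctstate NEW \
            -m recent --name ssh --set
        run "$ipt" -A INPUT -p tcp --dport 22 -s "$SSH_ADMIN" -m conntrack --ctstate NEW \
            -m recent --name ssh --update --seconds 60 --hitcount 4 -j DROP
        run "$ipt" -A INPUT -p tcp --dport 22 -s "$SSH_ADMIN" -m conntrack --ctstate NEW -j ACCEPT
        # Torrent ports as on the page; no OUTPUT rules are needed with an ACCEPT policy.
        run "$ipt" -A INPUT -p tcp --dport 51413:51416 -j ACCEPT
    fi

    # Log what falls through to the DROP policy, rate-limited so a port
    # scan cannot fill the disk.
    run "$ipt" -A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
}

# Load (or print) the rules for both address families.
load_firewall() {
    build_rules iptables
    build_rules ip6tables
}

# Print in dry-run mode; only actually load the rules when running as root.
if [ "$DRY_RUN" = 1 ] || [ "$(id -u)" = 0 ]; then
    load_firewall
fi
```

Review the dry-run output first (DRY_RUN=1 ./firewall.sh), then load it with DRY_RUN=0 as root from a console session rather than over SSH, so a mistake in the SSH rules cannot lock you out; the ESTABLISHED rule keeps an existing session alive, but a typo in the policy lines does not.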

To run this script automatically at boot on Ubuntu/Debian, make it executable, link it into /etc/init.d and register it with update-rc.d:

chmod +x /etc/firewall.sh

ln -s /etc/firewall.sh /etc/init.d/firewall.sh

update-rc.d firewall.sh defaults

update-rc.d warns that the script has no LSB header and ignores the start/stop arguments, but it is still run at boot. An alternative that needs no init script is to copy it into /etc/network/if-pre-up.d/ (named without the .sh suffix, since run-parts skips file names containing a dot); ifupdown then runs it before each interface comes up, so the rules are in place before the link carries any traffic.
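
Once the rules are loaded, "iptables -S" prints the live ruleset one rule per line, and it is worth checking that dump rather than the script, because what the kernel holds is what counts. The audit below is an added example, not part of the original post: it scans such a dump for the three weak spots discussed above (a chain whose policy is ACCEPT, a private-range source trusted without an "-i" interface match, and SSH accepted from any source). The sample dump is constructed to look like what the page's script produces with its SSH and torrent rules enabled; it was not captured from a real host, and the function names are this example's own.

```shell
#!/bin/bash
# Audit an `iptables -S` dump for the weak spots discussed on this page
# (added example, not the original author's code).
set -u

# Constructed sample: roughly what `iptables -S` prints after the page's
# script has run with its SSH and torrent rules enabled. Not captured from
# a real host.
SAMPLE_DUMP='-P INPUT DROP
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 192.168.0.0/24 -j ACCEPT
-A INPUT -s 192.168.1.0/24 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51413:51416 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT'

# Read a dump on stdin and print one line per finding.
audit_ruleset() {
    awk '
        # A chain whose policy is ACCEPT is open to anything no rule drops.
        /^-P (INPUT|FORWARD) ACCEPT$/ {
            print "policy: " $2 " chain defaults to ACCEPT"
        }
        # A private-range source trusted on every interface: rp_filter is
        # then the only thing stopping a spoofed LAN address that arrives
        # on the internet-facing interface.
        /^-A INPUT .*-s (10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/ && !/-i / {
            print "spoofable: " $0
        }
        # SSH accepted without any source restriction.
        /^-A INPUT .*--dport 22 .*-j ACCEPT/ && !/-s / {
            print "open-ssh: " $0
        }
    '
}

# Number of findings in the dump passed as $1 (0 when the dump is clean).
audit_count() {
    printf '%s\n' "$1" | audit_ruleset | grep -c . || true
}

# Report on the constructed sample.
printf '%s\n' "$SAMPLE_DUMP" | audit_ruleset
```

On a real host run "iptables -S | audit_ruleset" (and the same with ip6tables -S); an empty report means none of the three patterns is present, not that the ruleset is correct, so still confirm from another machine with a port scan that only the intended ports answer.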


About jjjesss

I'm a guy interested in technology, bsd fan and concerned about the world around.
This entry was posted in Linux.

One Response to Linux: a home firewall

  1. Pingback: Linux: share 3g connection with the internal network | nix/bsd
