Re: [SLUG] iptables

From: Derek Glidden (dglidden@illusionary.com)
Date: Mon Apr 30 2001 - 15:04:14 EDT


Douglas W Koobs wrote:
>
> Thanks!! The -m multiport did the trick, the script is much shorter now :)
> I commented out the line for -p udp on port 80, and can still surf, too.
> Jeez, how did I get along without SLUG? More questions on the way...
>
> Doug

I noticed in your last email that you haven't set up NAT rules yet? How
are your inside boxes getting out? I hope you're not using routable
addresses behind your firewall! Also, simply saying "Allow port 80" has
the probably unintended side effect of allowing port 80 *into* your
network from the outside, which you probably don't want.

Here is an excerpt of the important parts of the script I use at home
that sets up my iptables for me, with commentary:

Note that my firewall uses "eth0" as the "inside" port and "eth1" as the
"outside" port.

---- >8 snip -----

#!/bin/sh

## Disable routing while we update tables
echo 0 > /proc/sys/net/ipv4/ip_forward

## Flush all existing rules
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X

## Set up IP Masquerading for internal network
## (the same 192.168.1.0/24 subnet is used in the INPUT and FORWARD rules below)
iptables -t nat -A POSTROUTING -o eth1 -s 192.168.1.0/24 -j MASQUERADE

## Setup INPUT rules - allow anything from inside network, and loopback.
## Only allow DHCP, ICMP and SSH into box from outside.
## Allow established sessions to return packets.
## Log new sessions from outside.
iptables -A INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT
iptables -A INPUT -i lo -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -i eth1 -m state --state NEW -j LOG --log-level info \
    --log-prefix "NEW INPUT: "
iptables -A INPUT -i eth1 -p icmp -j ACCEPT
iptables -A INPUT -i eth1 -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth1 -j LOG --log-prefix "DROP INPUT: "
iptables -A INPUT -i eth1 -j DROP

## Allow traffic from inside network to go out unrestricted except for
## web traffic which only comes from my junkbuster proxy IP.
## Log new sessions so I can keep track of what's going out.
## ("! -s" is the negation form current iptables expects; older releases
## wrote it as "-s !". The 443 LOG rule uses the same match as the DROP
## that follows it, so it only logs what actually gets dropped.)
iptables -A FORWARD -i eth0 ! -s 192.168.1.4 -p tcp --dport 80 -j LOG \
    --log-prefix "DROP FORWARD: "
iptables -A FORWARD -i eth0 ! -s 192.168.1.4 -p tcp --dport 80 -j DROP
iptables -A FORWARD -i eth0 ! -s 192.168.1.4 ! -d 216.139.201.102 -p tcp \
    --dport 443 -j LOG --log-prefix "DROP FORWARD: "
iptables -A FORWARD -i eth0 ! -s 192.168.1.4 ! -d 216.139.201.102 -p tcp \
    --dport 443 -j DROP
iptables -A FORWARD -m state --state NEW -j LOG --log-level info \
    --log-prefix "NEW FORWARD: "
## Subnet must match the MASQUERADE rule above, or nothing from inside
## gets forwarded.
iptables -A FORWARD -i eth0 -s 192.168.1.0/24 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "DROP FORWARD: "
iptables -A FORWARD -j DROP

## Reenable routing now we're done changing things
echo 1 > /proc/sys/net/ipv4/ip_forward

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
#!/usr/bin/perl -w
$_='while(read+STDIN,$_,2048){$a=29;$b=73;$c=142;$t=255;@t=map
{$_%16or$t^=$c^=($m=(11,10,116,100,11,122,20,100)[$_/16%8])&110;
$t^=(72,@z=(64,72,$a^=12*($_%16-2?0:$m&17)),$b^=$_%64?12:0,@z)
[$_%8]}(16..271);if((@a=unx"C*",$_)[20]&48){$h=5;$_=unxb24,join
"",@b=map{xB8,unxb8,chr($_^$a[--$h+84])}@ARGV;s/...$/1$&/;$d=
unxV,xb25,$_;$e=256|(ord$b[4])<<9|ord$b[3];$d=$d>>8^($f=$t&($d
>>12^$d>>4^$d^$d/8))<<17,$e=$e>>8^($t&($g=($q=$e>>14&7^$e)^$q*
8^$q<<6))<<9,$_=$t[$_]^(($h>>=8)+=$f+(~$g&$t))for@a[128..$#a]}
print+x"C*",@a}';s/x/pack+/g;eval 

usage: qrpff 153 2 8 105 225 < /mnt/dvd/VOB_FILENAME \ | extract_mpeg2 | mpeg2dec -

http://www.eff.org/ http://www.opendvd.org/ http://www.cs.cmu.edu/~dst/DeCSS/Gallery/
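The side effect Derek points out (a bare "allow port 80" rule also admitting inbound connections from the outside) is easiest to see by walking packets through the chains. The following Python is an added example, not part of the original post or of Derek's script: a small first-match evaluator that models how iptables walks a chain (LOG records a prefix and falls through, the first ACCEPT or DROP decides, the chain policy applies when nothing matches). It is loaded with a constructed "allow port 80" FORWARD chain standing in for the naive approach, and with the FORWARD chain from the script above transcribed rule for rule (using 192.168.1.0/24 throughout, with 192.168.1.4 as the proxy). The packets, the conntrack states, and the addresses in the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges are constructed for the demonstration; `Packet`, `Rule`, `verdict` and `compare` are names chosen here, not iptables API.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One packet as the FORWARD chain sees it (constructed, not captured)."""
    iface: str          # arrival interface: eth0 = inside, eth1 = outside
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0
    state: str = "NEW"  # conntrack state: NEW, ESTABLISHED or RELATED


@dataclass(frozen=True)
class Rule:
    """One iptables rule; a None field means that match is unspecified (matches all)."""
    target: str                          # ACCEPT, DROP or LOG
    in_iface: Optional[str] = None       # -i
    src: Optional[str] = None            # -s CIDR, leading "!" negates
    dst: Optional[str] = None            # -d CIDR, leading "!" negates
    proto: Optional[str] = None          # -p
    dport: Optional[int] = None          # --dport
    states: Optional[frozenset] = None   # -m state --state
    log_prefix: str = ""                 # --log-prefix, LOG target only

    def matches(self, p: Packet) -> bool:
        return (
            (self.in_iface is None or p.iface == self.in_iface)
            and _net_matches(self.src, p.src)
            and _net_matches(self.dst, p.dst)
            and (self.proto is None or p.proto == self.proto)
            and (self.dport is None or p.dport == self.dport)
            and (self.states is None or p.state in self.states)
        )


def _net_matches(spec: Optional[str], addr: str) -> bool:
    """CIDR match with iptables-style '!' negation; a bare host is a /32."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    net = ip_network(spec.lstrip("! "), strict=False)
    return (ip_address(addr) in net) != negate


def verdict(chain: List[Rule], pkt: Packet, policy: str = "DROP") -> Tuple[str, List[str]]:
    """First-match walk: LOG appends its prefix and falls through, ACCEPT/DROP end it."""
    logged: List[str] = []
    for rule in chain:
        if not rule.matches(pkt):
            continue
        if rule.target == "LOG":
            logged.append(rule.log_prefix)
            continue
        return rule.target, logged
    return policy, logged


# Constructed stand-in for a bare "allow port 80": no interface, no source check.
NAIVE_FORWARD = [
    Rule("ACCEPT", proto="tcp", dport=80),
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("DROP"),
]

PROXY = "192.168.1.4"  # the junkbuster proxy address from the script
# The script's FORWARD chain, transcribed rule for rule.
SCRIPT_FORWARD = [
    Rule("LOG", in_iface="eth0", src="!" + PROXY, proto="tcp", dport=80,
         log_prefix="DROP FORWARD: "),
    Rule("DROP", in_iface="eth0", src="!" + PROXY, proto="tcp", dport=80),
    Rule("LOG", in_iface="eth0", src="!" + PROXY, dst="!216.139.201.102",
         proto="tcp", dport=443, log_prefix="DROP FORWARD: "),
    Rule("DROP", in_iface="eth0", src="!" + PROXY, dst="!216.139.201.102",
         proto="tcp", dport=443),
    Rule("LOG", states=frozenset({"NEW"}), log_prefix="NEW FORWARD: "),
    Rule("ACCEPT", in_iface="eth0", src="192.168.1.0/24"),
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("LOG", log_prefix="DROP FORWARD: "),
    Rule("DROP"),
]

# Constructed sample packets.
PROXY_TO_WEB = Packet("eth0", PROXY, "198.51.100.10", "tcp", 80)
BYPASS_TO_WEB = Packet("eth0", "192.168.1.7", "198.51.100.10", "tcp", 80)
OUTSIDE_TO_INSIDE_WEB = Packet("eth1", "203.0.113.9", "192.168.1.20", "tcp", 80)
WEB_REPLY = Packet("eth1", "198.51.100.10", PROXY, "tcp", 40123, "ESTABLISHED")


def compare(pkt: Packet) -> Tuple[str, str]:
    """Verdict under the naive chain versus the script's chain."""
    return verdict(NAIVE_FORWARD, pkt)[0], verdict(SCRIPT_FORWARD, pkt)[0]


if __name__ == "__main__":
    for name, pkt in [("proxy->web", PROXY_TO_WEB), ("bypass->web", BYPASS_TO_WEB),
                      ("outside->inside:80", OUTSIDE_TO_INSIDE_WEB), ("web reply", WEB_REPLY)]:
        naive, script = compare(pkt)
        print(f"{name:20s} naive={naive:6s} script={script:6s} "
              f"log={verdict(SCRIPT_FORWARD, pkt)[1]}")
```

Running it shows the point of the paragraph: the naive chain accepts the outside-to-inside port 80 connection and the non-proxy client's direct web access, while the script's chain drops both (with a "NEW FORWARD: " then "DROP FORWARD: " log line for the first, and a single "DROP FORWARD: " for the second) and still passes the proxy's own requests and the established return traffic. The interface qualifier (`-i eth0`) and the state match are what make the difference, not the port number.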



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:01:33 EDT