How To:LAN Firewall with IPTables (II)

June 20, 2007

Continuing from the last post, we are going to start writing the IPTables script for our basic home firewall.

I assume you know the basics of BASH scripting; if you don't, I recommend reading this link.

The first step is to create the network variables, which hold the information (the IP address or interface name) about each host of the network. This is an example:

#!/bin/bash
## Basic IPTables firewall script
## By CaZa
## jun, 20, 2007
## alberto1337[at]gmail[dot]com

###################################
## Host and interfaces variables ##
###################################
#The card connected to the DSL/cable Router
WAN="eth1"
#The card connected to the switch
LAN="eth0"
#client hosts of our network
host1="192.168.0.10"
host2="192.168.0.5"

We can define a variable for every computer and interface on our network; this isn't necessary, but it is highly recommended. Before anything else, it is very important to reset the current IPTables rules. To flush them, put this in the script:

iptables -F         #delete all rules in the built-in chains
iptables -X         #delete all user-defined chains
iptables -Z         #zero the packet and byte counters
iptables -t nat -F  #the same for the nat table
iptables -t nat -X
iptables -t nat -Z

The next step is probably the most important one in our script. Here we set the default policy of the firewall. There are two options:

  1. Restrictive policy (deny everything, except the services we need)
  2. Permissive policy (allow everything, except the services we choose to block)

The first is the most secure, but it is more complex than the second. I've always used the first, and it is the policy I'll use in this script.

To do this, type:

#Set the default INPUT, OUTPUT and FORWARD policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP

If we execute the script at this moment, every connection that tries to come in will be silently dropped. In the next step we will open the ports needed for basic services, like http, ftp, etc.

After this, we must add the NAT rule that masquerades the packets coming from the LAN behind the router's address on their way to the Internet, and the second line enables IP forwarding in the kernel, without which no packet is passed between the two interfaces at all.

#The /24 after the IP defines the subnet mask (192.168.0.0 - 192.168.0.255)
iptables -t nat -A POSTROUTING -s 192.168.0.0/24 -j MASQUERADE
#Tell the kernel to forward packets between interfaces
echo 1 > /proc/sys/net/ipv4/ip_forward

Finally, we can now apply the rules for the services we want 🙂 .

#Allow web traffic to port 80 on the router itself (for example, if you have apache on the server you need it) and web traffic from the LAN to the Internet
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
#The replies of the local web server leave through OUTPUT, whose default is also DROP
iptables -A OUTPUT -p tcp -m tcp --sport 80 -j ACCEPT
#LAN clients going out to web servers, and the answers coming back to the LAN
iptables -A FORWARD -s 192.168.0.0/24 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/24 -p tcp -m tcp --sport 80 -j ACCEPT

#Allow FTP control connections from the LAN to FTP servers, and the answers coming back
iptables -A FORWARD -s 192.168.0.0/24 -p tcp -m tcp --dport 21 -j ACCEPT
iptables -A FORWARD -d 192.168.0.0/24 -p tcp -m tcp --sport 21 -j ACCEPT

This is a very basic example of a "DROP policy" firewall, but I think it is enough to build a good firewall between our LAN and the Internet 🙂 .

I'll cover other IPTables commands in future articles, to create our own rules and some more things. But if you need more information NOW, look at these web pages: [IPTables tutorial] and [doc_IPTables by Pello]
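
The script above matches on source ports, which is a weakness of stateless filtering: a rule like "--sport 80 -j ACCEPT" on FORWARD lets any remote host that sends from port 80 reach any port on the LAN. The same firewall rebuilt around connection tracking, as an added example that is not the original script (IPT, WAN, LAN and LANNET are assumed names; run "apply" as root, or "show" to print the rules without touching the kernel):

```bash
#!/bin/bash
# Added example, not the original script: the LAN firewall rebuilt with
# connection tracking instead of source-port matching. IPT, WAN, LAN and
# LANNET are assumed names; IPT=echo prints the rules instead of applying them.
IPT="${IPT:-iptables}"
WAN="eth1"
LAN="eth0"
LANNET="192.168.0.0/24"

firewall_rules() {
    # Flush, then default-deny in all three chains (the "restrictive policy").
    $IPT -F; $IPT -X; $IPT -Z
    $IPT -t nat -F; $IPT -t nat -X; $IPT -t nat -Z
    $IPT -P INPUT DROP; $IPT -P OUTPUT DROP; $IPT -P FORWARD DROP

    # Local services talk over loopback; allow it unconditionally.
    $IPT -A INPUT  -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT

    # Packets that belong to a connection we already accepted. This replaces
    # the "--sport 80" rules: conntrack only admits replies to connections
    # the LAN (or the router) opened, whatever source port the peer uses.
    for chain in INPUT OUTPUT FORWARD; do
        $IPT -A "$chain" -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    done

    # Anti-spoofing: nothing arriving on the WAN may carry a LAN source.
    $IPT -A INPUT   -i "$WAN" -s "$LANNET" -j DROP
    $IPT -A FORWARD -i "$WAN" -s "$LANNET" -j DROP

    # New connections: the web server on the router, and LAN clients going
    # out to HTTP and FTP. Nothing new is accepted in the WAN->LAN direction.
    $IPT -A INPUT -i "$WAN" -p tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$LAN" -o "$WAN" -s "$LANNET" -p tcp \
         -m multiport --dports 80,21 -m conntrack --ctstate NEW -j ACCEPT
    # NAT only for packets leaving through the WAN interface.
    $IPT -t nat -A POSTROUTING -o "$WAN" -s "$LANNET" -j MASQUERADE
}

enable_forwarding() {
    # The FTP helper is what classifies passive-mode data channels as RELATED.
    modprobe nf_conntrack_ftp 2>/dev/null || true
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

case "${1:-}" in
    apply) firewall_rules && enable_forwarding ;;
    show)  IPT=echo; firewall_rules ;;
esac
```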

See you!
