Script for a multi-homed firewall

Script for a multi-homed firewall is an example IPTables 1.2.1 script for a dual-homed firewall.
Script for a multi-homed firewall Ranking & Summary

  • License: GPL
  • Price: FREE
  • Publisher Name: Obsid
  • Publisher web site: http://www.linuxguruz.com/iptables/scripts/rc.firewall_005.txt

Script for a multi-homed firewall Description

Script for a multi-homed firewall is an example IPTables 1.2.1 script for a dual-homed firewall. This script has not yet been tested thoroughly on a dual-homed firewall. If you find any problems, please drop me an email. Current versions and documentation are available at http://www.sentry.net/~obsid/IPTables/rc.scripts.dir/current/

## User-defined Chains ##

KEEP_STATE
The KEEP_STATE chain holds a few rules for generic stateful packet filtering. This chain is called from many of the INPUT/OUTPUT chains to DROP "INVALID" (and perhaps "UNCLEAN") packets and to allow packets belonging to "RELATED" or "ESTABLISHED" connections.

CHECK_FLAGS
The CHECK_FLAGS chain contains a few rules to filter based on TCP flags. These rules mainly filter bogus/malicious traffic (scans, etc.). It would be a good idea to keep an eye on what these rules send to the logs. Null scans are also logged and dropped, in the mangle table.

DENY_PORTS
The DENY_PORTS chain contains a few rules to DROP and/or LOG packets based on the source and/or destination port number of the packet. Packets to/from the following ports are dropped by default in the script. These are just some examples of commonly used ports that certain daemons/trojans/DDoS agents may utilize.

## TCP ##
137:139            SMB
2049               NFS
6000:6063          X
20034              Netbus 2 Pro
12345:12346        Netbus
27374              SubSeven
27665,27444,31335  Trinoo
10498,12754        Mstream

## UDP ##
2049               NFS
31337              BO2k
27444,31335        Trinoo
10498              mstream

These are just examples to stare at. They guarantee no real protection against the associated trojans, which can be reconfigured to use any port. For more common port numbers check out: http://www.sans.org/newlook/resources/IDFAQ/oddports.htm

ALLOW_PORTS
The ALLOW_PORTS chain simply ACCEPTs packets based on port number. If you have a default FORWARD policy of DROP, you need a chain like this if you are DNATing/routing connections to hosts behind the firewall, or perhaps running services on (!!!) the firewall itself.

ALLOW_ICMP
The ALLOW_ICMP chain simply allows packets based on ICMP type. Currently the firewall allows the following ICMP types:
Echo Reply (pong)
Destination Unreachable
Echo Request (ping)
TTL Exceeded (traceroute)

SRC_EGRESS && DST_EGRESS
The SRC_EGRESS and DST_EGRESS chains filter packets whose source or destination IP address matches an array of private or reserved subnets.

TOS_OUTPUT
The TOS_OUTPUT chain exists in the mangle table and mangles the TOS (Type of Service) field in the IP header of locally generated, outgoing packets.

TOS_PREROUTING
The TOS_PREROUTING chain exists in the mangle table and mangles the TOS (Type of Service) field in the IP header of packets being routed through the firewall.

The following user-defined chains are fairly obvious. The firewall script is designed to have a user-defined INPUT and OUTPUT chain for every available interface. These per-interface chains call the user-defined chains described above, which I call "Special Chains", and are themselves called by the built-in INPUT/OUTPUT/FORWARD chains. This isn't a strict rule, of course; a lot of the "Special Chains" are called directly from the built-in INPUT/OUTPUT/FORWARD chains. This is done to ensure proper flow of the packets through the filters.

EXTERNAL_INPUT
INTERNAL_INPUT
DMZ_INPUT
LO_INPUT
EXTERNAL_OUTPUT
INTERNAL_OUTPUT
DMZ_OUTPUT
LO_OUTPUT
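The following shell script is an added example, not the rc.firewall_005 script itself (which is only available from the publisher link). It builds a dual-homed ruleset with the chain layout described above: KEEP_STATE, CHECK_FLAGS, DENY_PORTS, ALLOW_ICMP, SRC_EGRESS/DST_EGRESS, and per-interface EXTERNAL_INPUT/INTERNAL_INPUT chains dispatched from the built-in chains. The interface names eth0/eth1, the internal subnet 192.168.1.0/24, the ssh rule and the dry-run wrapper are assumptions for illustration and not part of the original; the DMZ, *_OUTPUT and TOS mangling chains are left out.

```shell
#!/bin/sh
# Added example, not the rc.firewall script itself: a dual-homed ruleset
# built the way the page describes, with per-interface chains that call the
# "special chains". Interface names, the internal subnet and the ssh rule
# are assumptions for illustration.
EXT_IF=${EXT_IF:-eth0}               # assumed external interface
INT_IF=${INT_IF:-eth1}               # assumed internal interface
INT_NET=${INT_NET:-192.168.1.0/24}   # assumed internal subnet
DRY_RUN=${DRY_RUN:-1}                # 1 = print rules, 0 = apply with iptables
# Private/reserved space checked by SRC_EGRESS (source) and DST_EGRESS (dest)
BOGON_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16"

# Every rule goes through ipt(): in dry-run mode it is printed so the whole
# ruleset can be reviewed or diffed without root and without touching a kernel.
ipt() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'iptables %s\n' "$*"
    else
        iptables "$@"
    fi
}

build_firewall() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    for c in KEEP_STATE CHECK_FLAGS DENY_PORTS ALLOW_ICMP SRC_EGRESS DST_EGRESS \
             EXTERNAL_INPUT INTERNAL_INPUT; do
        ipt -N "$c"
    done

    # KEEP_STATE: drop what conntrack cannot classify, accept reply traffic.
    # (No UNCLEAN rule: that match was experimental and was later removed.)
    ipt -A KEEP_STATE -m state --state INVALID -j DROP
    ipt -A KEEP_STATE -m state --state RELATED,ESTABLISHED -j ACCEPT

    # CHECK_FLAGS: log, then drop, flag combinations no real stack sends
    # (null, xmas, syn+rst, syn+fin). Each item is "mask compare".
    for flags in "ALL NONE" "ALL FIN,URG,PSH" "SYN,RST SYN,RST" "SYN,FIN SYN,FIN"; do
        # $flags is deliberately unquoted so it splits into the two arguments
        ipt -A CHECK_FLAGS -p tcp --tcp-flags $flags -j LOG --log-prefix "CHECK_FLAGS:"
        ipt -A CHECK_FLAGS -p tcp --tcp-flags $flags -j DROP
    done

    # DENY_PORTS: the example ports from the script's header (TCP then UDP).
    for p in 137:139 2049 6000:6063 20034 12345:12346 27374 27665 27444 31335 10498 12754; do
        ipt -A DENY_PORTS -p tcp --dport "$p" -j DROP
    done
    for p in 2049 31337 27444 31335 10498; do
        ipt -A DENY_PORTS -p udp --dport "$p" -j DROP
    done

    # ALLOW_ICMP: only the four types the page lists; anything else is dropped.
    for t in echo-reply destination-unreachable echo-request time-exceeded; do
        ipt -A ALLOW_ICMP -p icmp --icmp-type "$t" -j ACCEPT
    done
    ipt -A ALLOW_ICMP -j DROP

    # SRC_EGRESS / DST_EGRESS: private or reserved space must never arrive as
    # a source on the external side, nor leave it as a destination.
    for n in $BOGON_NETS; do
        ipt -A SRC_EGRESS -s "$n" -j DROP
        ipt -A DST_EGRESS -d "$n" -j DROP
    done

    # Per-interface chains, in the order the special chains should see packets.
    ipt -A EXTERNAL_INPUT -j KEEP_STATE
    ipt -A EXTERNAL_INPUT -j SRC_EGRESS
    ipt -A EXTERNAL_INPUT -p tcp -j CHECK_FLAGS
    ipt -A EXTERNAL_INPUT -j DENY_PORTS
    ipt -A EXTERNAL_INPUT -p icmp -j ALLOW_ICMP
    ipt -A EXTERNAL_INPUT -p tcp --syn --dport 22 -j ACCEPT   # assumed: ssh to the firewall
    ipt -A EXTERNAL_INPUT -j LOG --log-prefix "EXT_INPUT:"
    ipt -A EXTERNAL_INPUT -j DROP
    ipt -A INTERNAL_INPUT -j KEEP_STATE
    ipt -A INTERNAL_INPUT -s "$INT_NET" -j ACCEPT
    ipt -A INTERNAL_INPUT -j DROP

    # Built-in chains only dispatch by interface.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -i "$EXT_IF" -j EXTERNAL_INPUT
    ipt -A INPUT -i "$INT_IF" -j INTERNAL_INPUT
    ipt -A OUTPUT -j KEEP_STATE
    ipt -A OUTPUT -o "$EXT_IF" -j DST_EGRESS
    ipt -A OUTPUT -j ACCEPT
    ipt -A FORWARD -j KEEP_STATE
    ipt -A FORWARD -i "$EXT_IF" -j SRC_EGRESS
    ipt -A FORWARD -o "$EXT_IF" -j DST_EGRESS
    ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -j LOG --log-prefix "FORWARD:"
    ipt -A FORWARD -j DROP
    ipt -t nat -A POSTROUTING -o "$EXT_IF" -s "$INT_NET" -j MASQUERADE
}

build_firewall
```

Run it as-is to print the rules for review; set DRY_RUN=0 and run as root to apply them. Two points worth noticing: SRC_EGRESS is attached only to traffic arriving on the external interface, because the internal subnet is itself RFC 1918 space and attaching it to INTERNAL_INPUT would drop the whole LAN; and KEEP_STATE comes first in every chain so that established flows never reach the port and flag checks, which is what keeps the per-packet cost of the special chains low. The `-m state` syntax is the 1.2-era match; current iptables still accepts it as an alias for the conntrack match.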

