ubuntu.serversignature.com

June 24, 2010

iptables firewall for your gateway

Filed under: firewall — kiran @ 6:23 am

#!/bin/sh
#Author admin@serversignature.com
#Iptables firewall for your gateway.

PATH=/usr/sbin:/sbin:/bin:/usr/bin

#Variables
IPT="/sbin/iptables"
LAN="eth0"
INTERNET="ppp0"
NETWORK="192.168.1.0/24"

echo "Starting Firewall"
echo "-------"
echo "Deleting all existing rules and starting firewall"

#delete all existing rules.
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
$IPT -X

#Default policies. -F only removes rules, it does not touch the chain policies,
#so set them explicitly: anything not accepted by a rule below is dropped,
#while traffic the gateway itself originates is allowed out.
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT

#Always accept loopback traffic
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

#All TCP sessions should begin with SYN
#$IPT -A INPUT -p tcp ! --syn -m state --state NEW -s $NETWORK -j DROP

#Allow input to LAN interface
$IPT -A INPUT -m state --state NEW -i $LAN -j ACCEPT

#INTERNET INTERFACE (disabled examples: accept new connections from the
#internet, forward port 80 to an internal web server)
#$IPT -A INPUT -m state --state NEW -i $INTERNET -j ACCEPT
#$IPT -A FORWARD -i $INTERNET -p tcp --dport 80 -j ACCEPT
#$IPT -t nat -A PREROUTING -p tcp -i $INTERNET -d 117.254.134.246 --dport 80 -j DNAT --to 192.168.1.2:80

#Allow outgoing connections from the LAN side, and the replies coming back.
#The return path is INTERNET -> LAN; without it the FORWARD DROP policy
#above would break every LAN client.
$IPT -A FORWARD -i $LAN -o $INTERNET -j ACCEPT
$IPT -A FORWARD -i $INTERNET -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT

#Masquerade.
$IPT -t nat -A POSTROUTING -o $INTERNET -j MASQUERADE

# Accept replies to connections the gateway itself started
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Services the gateway offers to the LAN (uncomment as needed)
#$IPT -A INPUT -p tcp --dport 21 -m state --state NEW -s $NETWORK -j ACCEPT
#$IPT -A INPUT -p tcp --dport 22 -m state --state NEW -s $NETWORK -j ACCEPT
#$IPT -A INPUT -p tcp --dport 25 -m state --state NEW -s $NETWORK -j ACCEPT
#$IPT -A INPUT -p tcp --dport 80 -m state --state NEW -s $NETWORK -j ACCEPT
#$IPT -A INPUT -p tcp --dport 110 -m state --state NEW -s $NETWORK -j ACCEPT

# Accept inbound UDP packets (NTP, DHCP, DNS)
#$IPT -A INPUT -p udp -m udp --dport 123 -s $NETWORK -j ACCEPT
#$IPT -A INPUT -p udp -m udp --dport 67 -s $NETWORK -j ACCEPT
#$IPT -A INPUT -p udp -m udp --dport 53 -s $NETWORK -j ACCEPT

# Allow inbound access to Samba shares
#$IPT -A INPUT -p udp -m udp --dport 137 -s $NETWORK -j ACCEPT
#$IPT -A INPUT -p udp -m udp --dport 138 -s $NETWORK -j ACCEPT
#$IPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 139 -s $NETWORK -j ACCEPT
#$IPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 445 -s $NETWORK -j ACCEPT

# Accept inbound ICMP messages from the LAN (echo request, time exceeded)
$IPT -A INPUT -p icmp --icmp-type 8 -s $NETWORK -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -s $NETWORK -j ACCEPT

# Allow established connections, and those not coming from the outside
#$IPT -A INPUT -m state --state NEW ! -i $INTERNET -j ACCEPT

#Pre-routing chain: NATs packets when the destination address of the packet needs to be changed.
#Post-routing chain: NATs packets when the source address of the packet needs to be changed.

# Don't forward new connections from the outside to the inside. The FORWARD
# DROP policy already does this; uncomment to reject explicitly instead.
#$IPT -A FORWARD -i $INTERNET -o $LAN -j REJECT

#Forward chain: Filters packets to servers protected by the firewall.
#Input chain: Filters packets destined for the firewall.
#Output chain: Filters packets originating from the firewall.

# Enable routing, SYN cookies and reverse-path filtering (drops packets whose
# source address would not be routed back out the interface they arrived on).
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

#Everything not matched above falls through to the DROP policies set at the top.
echo "-------"
echo "Firewall is up and running now"
echo "The rules are as shown below"
$IPT -L -n
$IPT -t nat -L -n
$IPT -t mangle -L -n
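The script prints the loaded tables but never checks them against what a gateway is supposed to enforce. The audit below is added here as an example and is not part of the original post: it reads an iptables -S dump (from a saved file or a pipe, so it needs no root to run) and checks the properties the gateway intends, namely DROP policies on INPUT and FORWARD, no unsolicited input accepted on the internet interface, a stateful return path from the internet to the LAN, and no stateless forward into the LAN. The function name check_ruleset, the constructed sample dump and the wording of the findings are assumptions of this example; the sample is written the way iptables -S prints rules (state lists appear as RELATED,ESTABLISHED).

```sh
#!/bin/sh
# Added example: audit an iptables ruleset dump for the properties the gateway
# script intends. Input is the output of `iptables -S`, read from stdin.
# check_ruleset and the sample below are assumptions of this example.

# Constructed sample dump (what the gateway script is meant to install).
# On a live box replace it with:  iptables -S > /tmp/rules.txt
SAMPLE_RULES='-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -m state --state NEW -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o ppp0 -j ACCEPT
-A FORWARD -i ppp0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT'

# check_ruleset LAN INTERNET < dump
# Prints one line per finding; returns 0 when every check passes, 1 otherwise.
check_ruleset() {
    lan="$1"; inet="$2"; rc=0
    rules=$(cat)

    # has PATTERN: true when some rule line matches the grep pattern
    has() { printf '%s\n' "$rules" | grep -q -- "$1"; }

    # 1. -F does not reset policies, so verify they really are DROP.
    has "^-P INPUT DROP$"   || { echo "FAIL: INPUT policy is not DROP";   rc=1; }
    has "^-P FORWARD DROP$" || { echo "FAIL: FORWARD policy is not DROP"; rc=1; }

    # 2. Unsolicited traffic from the internet side must not reach the gateway:
    #    every INPUT accept on $inet has to be limited to ESTABLISHED/RELATED.
    if printf '%s\n' "$rules" | grep -- "^-A INPUT .*-i $inet " \
            | grep -- "-j ACCEPT" | grep -qv ESTABLISHED; then
        echo "FAIL: INPUT accepts NEW connections arriving on $inet"; rc=1
    fi

    # 3. The stateful return path must exist, or the FORWARD DROP policy
    #    silently breaks every LAN client.
    has "^-A FORWARD -i $inet -o $lan .*ESTABLISHED.* -j ACCEPT$" \
        || { echo "FAIL: no ESTABLISHED,RELATED forward rule from $inet to $lan"; rc=1; }

    # 4. A stateless forward from $inet to $lan would expose the whole LAN.
    if printf '%s\n' "$rules" | grep -- "^-A FORWARD -i $inet -o $lan " \
            | grep -- "-j ACCEPT" | grep -qv ESTABLISHED; then
        echo "FAIL: unrestricted forward from $inet to $lan"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: ruleset matches the gateway policy"
    return "$rc"
}

# Run against the constructed sample. On the gateway itself, after the
# firewall script has run:  iptables -S | check_ruleset eth0 ppp0
printf '%s\n' "$SAMPLE_RULES" | check_ruleset eth0 ppp0
```

The checks deliberately look at the dump rather than at the script, because the dump is what the kernel is actually enforcing; a rule that was mistyped, or a policy left at ACCEPT from an earlier run, shows up here and not in the script text.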

The Linux Kernel

Filed under: Kernel — kiran @ 5:16 am

The Kernel

When the kernel loads, it immediately initializes and configures the computer’s memory. Next it configures the various hardware attached to the system, including all processors and I/O subsystems, as well as any storage devices. It then looks for the compressed initrd image in a predetermined location in memory, decompresses it, mounts it, and loads all necessary drivers. Next it initializes file system-related virtual devices, such as LVM or software RAID before unmounting the initrd disk image and freeing up all the memory it once occupied.

After the kernel has initialized all the devices on the system, it creates a root device, mounts the root partition read-only, and frees unused memory.

At this point the kernel is loaded into memory and operational. However, with no user applications to give the user the ability to provide meaningful input to the system, not much can be done with it.

To set up the user environment, the kernel starts the /sbin/init command.

June 21, 2010

Firehol Configuration

Filed under: network — kiran @ 4:52 pm

The whole routing schema could be rewritten as:

version 5

# The network of our eth0 LAN.
home_ips="195.97.5.192/28"

interface eth0 home src "${home_ips}"
    policy reject
    server "dns ftp samba squid dhcp http ssh icmp" accept
    client "samba icmp" accept

interface ppp+ internet src not "${home_ips} ${UNROUTABLE_IPS}"
    protection strong 10/sec 10
    server "smtp http ftp" accept
    server ident reject with tcp-reset
    client all accept

router internet2home inface ppp+ outface eth0
    masquerade reverse
    client all accept
    server ident reject with tcp-reset

ip route show ip addr show

Filed under: network — kiran @ 4:26 pm

To find the IPs of your network interfaces use ip addr show and to find the IP networks behind each interface use ip route show.

root@laptop:~# ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:1e:8c:b0:0d:e2 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
    inet6 fe80::21e:8cff:feb0:de2/64 scope link
       valid_lft forever preferred_lft forever
3: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp
    inet 117.254.129.119 peer 192.168.52.12/32 scope global ppp0

root@laptop:~# ip route show
192.168.52.12 dev ppp0 proto kernel scope link src 117.114.119.119
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
169.254.0.0/16 dev eth0 scope link metric 1000
default dev ppp0 scope link
root@laptop:~#
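The routing table above is exactly the information the gateway firewall script hard-codes in its LAN, INTERNET and NETWORK variables. As an added example, not part of the original post, the snippet below derives those three values from ip route show output with awk: the interface carrying the default route is the internet side, the remaining directly connected network (ignoring the 169.254.0.0/16 link-local route) is the LAN and its prefix. It goes slightly beyond the output shown here in that it also handles the more common "default via GATEWAY dev IFACE" form. The function names and the constructed sample routes are assumptions of the example.

```sh
#!/bin/sh
# Added example: derive the gateway's interface roles from `ip route show`.
# internet_iface, lan_iface, networks_behind and SAMPLE_ROUTES are
# assumptions of this example, not commands from the original post.

# Constructed sample mirroring the layout of the output shown above.
SAMPLE_ROUTES='192.168.52.12 dev ppp0 proto kernel scope link src 117.254.129.119
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.1
169.254.0.0/16 dev eth0 scope link metric 1000
default dev ppp0 scope link'

# Interface that carries the default route: the internet side of the gateway.
# Scans for the "dev" keyword so both "default dev X" and "default via G dev X" work.
internet_iface() {
    awk '$1 == "default" { for (i = 2; i <= NF; i++) if ($i == "dev") { print $(i+1); exit } }'
}

# Directly connected networks (routes with a prefix length) behind interface $1,
# skipping the 169.254.0.0/16 link-local route.
networks_behind() {
    awk -v dev="$1" '$1 ~ /\// && $1 !~ /^169\.254\./ {
        for (i = 2; i <= NF; i++) if ($i == "dev" && $(i+1) == dev) print $1
    }'
}

# LAN side: first interface with a directly connected network that is not
# the internet interface given as $1.
lan_iface() {
    awk -v inet="$1" '$1 ~ /\// && $1 !~ /^169\.254\./ {
        for (i = 2; i <= NF; i++) if ($i == "dev" && $(i+1) != inet) { print $(i+1); exit }
    }'
}

# Run on the constructed sample; on a live box feed `ip route show` instead:
#   INTERNET=$(ip route show | internet_iface)
INTERNET=$(printf '%s\n' "$SAMPLE_ROUTES" | internet_iface)
LAN=$(printf '%s\n' "$SAMPLE_ROUTES" | lan_iface "$INTERNET")
NETWORK=$(printf '%s\n' "$SAMPLE_ROUTES" | networks_behind "$LAN")
echo "INTERNET=$INTERNET LAN=$LAN NETWORK=$NETWORK"
```

Deriving the variables this way keeps the firewall consistent with the interface that actually holds the default route; a script that still says INTERNET="ppp0" after the uplink moved to another interface would leave the real outside interface under the LAN rules.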

Identify your network

Filed under: network — kiran @ 10:24 am

To identify your network interfaces use the ip link show command.

The example below shows the ip link show output of my home router.

root@laptop:~# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:1e:8c:b0:0d:e2 brd ff:ff:ff:ff:ff:ff
3: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 3
    link/ppp
