[nflug] Firewall Tool
Christopher Hawkins
chawkins at bplinux.com
Tue Nov 27 13:00:24 EST 2007
Funny you should ask - I just set up a Linux NAT router yesterday and used
this little script. I didn't write it, but found it online and made some
changes to suit what I needed. I chose to do it this way because you can
define almost any scenario you want in there, and then you can turn it on,
off, whatever, just by "./firewall.sh start". Or if you wanted more
flexibility, you could pre-define a few different setups (like a NAT setup,
or an allow http & ssh only setup), and then just start / stop them very
easily. Also it should be easy to keep this one in sync across multiple
machines, being just one file... I'm partial to scripts, though. They are
the Swiss Army knives of Linux!
Chris
#!/bin/bash
ipt=/sbin/iptables
debug=                   # set to "echo" to print the iptables commands instead of running them
extip=192.168.2.243      # address of eth0 in this example
lan=10.174.254.197/24    # eth1 network (iptables masks this to 10.174.254.0/24)

# start firewall
start_firewall()
{
    echo "Enabling IP forwarding."
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo "Enabling iptables firewall."
    # default policies: drop anything not explicitly accepted below
    $debug $ipt -P INPUT DROP
    $debug $ipt -P FORWARD DROP
    # NAT: rewrite the source of outbound traffic to the external address
    $debug $ipt -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $extip
    # INPUT chain: loopback, the LAN, replies to our own connections, and SSH
    $debug $ipt -A INPUT -i lo -j ACCEPT
    $debug $ipt -A INPUT -i eth1 -s $lan -j ACCEPT
    $debug $ipt -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
    $debug $ipt -A INPUT -p tcp --destination-port 22 -j ACCEPT
    # FORWARD chain: LAN hosts out, and replies back in
    $debug $ipt -A FORWARD -i eth1 -s $lan -j ACCEPT
    $debug $ipt -A FORWARD -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# stop firewall: drop everything except traffic on the internal interface
stop_firewall()
{
    $debug $ipt -P INPUT DROP
    $debug $ipt -P OUTPUT DROP
    $debug $ipt -P FORWARD DROP
    # allow internal traffic
    $debug $ipt -A INPUT -i eth1 -j ACCEPT
    $debug $ipt -A OUTPUT -o eth1 -j ACCEPT
}

# flushing, removing and zeroing all tables (filter, nat, mangle, ...)
reset_firewall()
{
    tables=$(cat /proc/net/ip_tables_names)
    for t in $tables; do
        $debug $ipt -t $t -F    # flush all rules
        $debug $ipt -t $t -X    # delete user-defined chains
        $debug $ipt -t $t -Z    # zero the packet/byte counters
    done
}

case "$1" in
    start|restart|reload)
        reset_firewall
        start_firewall
        ;;
    stop)
        reset_firewall
        stop_firewall
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload}"
        exit 1
        ;;
esac
exit 0
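A profile-based variant of the approach Chris describes, as an added example that is not part of the original post: rules are grouped into named profiles (the "allow http & ssh only" and NAT cases he mentions), and setting IPT=echo prints the iptables commands instead of applying them, so a ruleset can be reviewed before it is loaded on a remote host. Interface names, the LAN range and the profile names are assumptions.

```shell
# Added example, not the script from the post. IPT=echo turns every
# profile into a dry run that prints the commands instead of running them.
# Interface names, LAN range and profile names are assumptions.
IPT=${IPT:-/sbin/iptables}
EXTIF=${EXTIF:-eth0}
LANIF=${LANIF:-eth1}
LAN=${LAN:-10.174.254.0/24}        # constructed LAN range
EXTIP=${EXTIP:-192.168.2.243}      # external address, as in the post

# Common base: default-drop, loopback, replies to our own connections, SSH.
base_rules() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT
}

# Profile "web": a single-homed host that only serves HTTP and HTTPS.
profile_web() {
    base_rules
    for port in 80 443; do
        $IPT -A INPUT -i "$EXTIF" -p tcp --dport "$port" -m state --state NEW -j ACCEPT
    done
}

# Profile "nat": the dual-homed router case from the script above.
profile_nat() {
    base_rules
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -j SNAT --to-source "$EXTIP"
    $IPT -A INPUT -i "$LANIF" -s "$LAN" -j ACCEPT
    $IPT -A FORWARD -i "$LANIF" -s "$LAN" -j ACCEPT
    $IPT -A FORWARD -i "$EXTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

apply_profile() {
    case "$1" in
        web) profile_web ;;
        nat) profile_nat ;;
        *)   echo "unknown profile: $1" >&2; return 1 ;;
    esac
}

# Dry-run a profile and count the rules that open an inbound TCP port: a
# quick check that a profile opens exactly what you expect and nothing more.
count_open_ports() {
    ( IPT=echo; apply_profile "$1" ) | grep -c -- '--dport'
}

[ $# -eq 0 ] || apply_profile "$1"    # e.g. IPT=echo ./fw.sh web  to review
```

Run as root without IPT set to apply a profile; the `web` profile opens only ports 22, 80 and 443, which is what count_open_ports reports.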
-----Original Message-----
From: nflug-bounces at nflug.org [mailto:nflug-bounces at nflug.org] On Behalf Of
Michael James
Sent: Tuesday, November 27, 2007 12:20 PM
To: nflug at nflug.org
Subject: [nflug] Firewall Tool
I was wondering if anyone could suggest a good non-GUI tool for configuring
the firewall (iptables) under Linux. I am managing a remote host for web
traffic and need to lock down all ports except the necessary ones. It needs
to be simple enough to either allow the config to be copied to other
machines, or be recreated within a small amount of time. I've looked at
webmin with shorewall as one option, but thought there might be others.
Thanks for the help!
Michael R. James
--
"Box said, "Requires Windows 98 or better....
so I loaded Linux! :-)"
Michael R. James
jamesm at thundertux.org
_______________________________________________
nflug mailing list
nflug at nflug.org
http://www.nflug.org/mailman/listinfo/nflug