Iptables Lab

My host runs Fedora Core 10, and I used VirtualBox to create 3 virtual machines running Fedora 9. I found a very useful guide at:
http://www.virtualbox.org/wiki/Advanced_Networking_Linux

I then created the following network topology:

[network topology diagram: firewall]

I then modified the firewall script Professor Raymond gave us so that the virtual machines can reach the Internet.

#!/bin/sh
#
#############################################################################
#
# File: iptables.sh
#
# Purpose: To build a basic iptables policy with default log and drop rules.
#          This script was written for the book “Linux Firewalls: Attack
#          Detection and Response” published by No Starch Press.
#
# Copyright (C) 2006-2007 Michael Rash (mbr@cipherdyne.org)
#
# License (GNU Public License):
#
#   This program is distributed in the hope that it will be useful,
#   but WITHOUT ANY WARRANTY; without even the implied warranty of
#   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
#   GNU General Public License for more details.
#
#   You should have received a copy of the GNU General Public License
#   along with this program; if not, write to the Free Software
#   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307
#   USA
#
#
#############################################################################
#
# $Id: iptables.sh 1406 2008-04-14 01:48:04Z mbr $
#

IPTABLES=/sbin/iptables
MODPROBE=/sbin/modprobe
# Network of the virtual machines. They sit behind br0 (see the DNAT rule
# below); wlan0 is the Internet-facing interface that is masqueraded.
INT_NET=192.168.100.0/24

### flush existing rules and set chain policy setting to DROP
echo "[+] Flushing existing iptables rules..."
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

### load connection-tracking modules
# (on newer kernels these are named nf_conntrack, nf_nat,
#  nf_conntrack_ftp and nf_nat_ftp)
$MODPROBE ip_conntrack
$MODPROBE iptable_nat
$MODPROBE ip_conntrack_ftp
$MODPROBE ip_nat_ftp

###### INPUT chain ######
#
echo "[+] Setting up INPUT chain..."

### state tracking rules
$IPTABLES -A INPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### anti-spoofing rules
# Note: these are bound to wlan0, the Internet-facing side, so every new
# inbound connection from the Internet is logged under the "SPOOFED PKT "
# prefix rather than the default "DROP " prefix (replies are still accepted
# by the ESTABLISHED,RELATED rule above). Anti-spoofing proper checks the
# internal interface (br0) for sources that are not in $INT_NET.
$IPTABLES -A INPUT -i wlan0 ! -s $INT_NET -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A INPUT -i wlan0 ! -s $INT_NET -j DROP

### ACCEPT rules
$IPTABLES -A INPUT -i wlan0 -p tcp -s $INT_NET --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

### default INPUT LOG rule
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### OUTPUT chain ######
#
echo "[+] Setting up OUTPUT chain..."

### state tracking rules
$IPTABLES -A OUTPUT -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

### ACCEPT rules for allowing connections out
$IPTABLES -A OUTPUT -p tcp --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 4321 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT

### default OUTPUT LOG rule
$IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### FORWARD chain ######
#
echo "[+] Setting up FORWARD chain..."

### state tracking rules
$IPTABLES -A FORWARD -m state --state INVALID -j LOG --log-prefix "DROP INVALID " --log-ip-options --log-tcp-options
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

### anti-spoofing rules (same caveat as in the INPUT chain)
$IPTABLES -A FORWARD -i wlan0 ! -s $INT_NET -j LOG --log-prefix "SPOOFED PKT "
$IPTABLES -A FORWARD -i wlan0 ! -s $INT_NET -j DROP

### ACCEPT rules
$IPTABLES -A FORWARD -p tcp -i wlan0 -s $INT_NET --dport 21 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i wlan0 -s $INT_NET --dport 22 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i wlan0 -s $INT_NET --dport 25 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i wlan0 -s $INT_NET --dport 43 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 80 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 443 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i wlan0 -s $INT_NET --dport 4321 --syn -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp --dport 22 -m state --state NEW -j ACCEPT # Enable ssh to outside
$IPTABLES -A FORWARD -p tcp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p udp --dport 53 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

### default LOG rule
$IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

###### NAT rules ######
#
echo "[+] Setting up NAT rules..."
# Original rules from the book script, kept for reference (eth0 was its external interface):
#$IPTABLES -t nat -A PREROUTING -p tcp --dport 80 -i eth0 -j DNAT --to 192.168.10.3:80
#$IPTABLES -t nat -A PREROUTING -p tcp --dport 443 -i eth0 -j DNAT --to 192.168.10.3:443
#$IPTABLES -t nat -A PREROUTING -p udp --dport 53 -i eth0 -j DNAT --to 192.168.10.4:53
#$IPTABLES -t nat -A POSTROUTING -s $INT_NET -o eth0 -j MASQUERADE

# Redirect the VMs' DNS queries (arriving on br0) to the DNS server at 192.168.0.1
$IPTABLES -t nat -A PREROUTING -p udp --dport 53 -i br0 -j DNAT --to 192.168.0.1:53
# Masquerade the VM network behind the host's wlan0 address
$IPTABLES -t nat -A POSTROUTING -s $INT_NET -o wlan0 -j MASQUERADE

###### forwarding ######
#
echo "[+] Enabling IP forwarding..."
echo 1 > /proc/sys/net/ipv4/ip_forward

exit
### EOF ###
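Once this policy is in place, the interesting part is what its LOG rules write to the kernel log. The following is an added example, not part of the original lab or of the book script it is based on: a small POSIX sh/awk tool that groups netfilter log lines by their --log-prefix ("DROP INVALID", "SPOOFED PKT", "DROP") and breaks one prefix down by source address and by protocol/destination port. The log lines embedded in it are constructed for the example (the hostname fw, the 203.0.113.x and 198.51.100.x addresses and the timestamps are all made up), and /var/log/messages in the usage comment is assumed to be where syslog writes kernel messages on this host.

```shell
#!/bin/sh
# Added example (not part of the original lab): summarize the syslog lines
# emitted by the LOG targets of the firewall script above.
# Usage on a live host (path assumed):  summarize_prefixes < /var/log/messages

# Constructed sample log; hostname, addresses and timestamps are made up.
# The sshd line is there to show that non-netfilter lines are ignored, and the
# last line carries the "[ seconds.micros]" kernel timestamp some syslogs keep.
SAMPLE_LOG='Jan 12 10:15:01 fw kernel: DROP INVALID IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=50 ID=0 DF PROTO=TCP SPT=443 DPT=39200 WINDOW=0 RES=0x00 RST URGP=0
Jan 12 10:15:02 fw kernel: SPOOFED PKT IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1234 DF PROTO=TCP SPT=45000 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:15:03 fw kernel: SPOOFED PKT IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1235 DF PROTO=TCP SPT=45001 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:15:04 fw kernel: SPOOFED PKT IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1236 DF PROTO=TCP SPT=45002 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:15:05 fw kernel: SPOOFED PKT IN=wlan0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=777 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jan 12 10:15:06 fw kernel: DROP IN=br0 OUT=wlan0 SRC=192.168.100.12 DST=203.0.113.50 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=9876 DF PROTO=TCP SPT=38000 DPT=6667 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:15:07 fw sshd[2201]: Accepted publickey for admin from 192.168.100.10 port 50022 ssh2
Jan 12 10:15:08 fw kernel: DROP IN= OUT=wlan0 SRC=198.51.100.2 DST=203.0.113.60 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4321 DF PROTO=TCP SPT=40000 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0
Jan 12 10:15:09 fw kernel: [ 8123.456789] DROP IN=br0 OUT=wlan0 SRC=192.168.100.13 DST=203.0.113.50 LEN=68 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=48'

# awk function shared by the helpers below. It returns the --log-prefix of a
# netfilter line (the text between "kernel: " and the first " IN="), skipping
# an optional "[ 1234.567] " kernel timestamp, or "" for non-netfilter lines.
AWK_PREFIX='
function log_prefix(line,   rest, p) {
    if (!match(line, /kernel: (\[ *[0-9.]+\] )?/)) return ""
    rest = substr(line, RSTART + RLENGTH)
    if (substr(rest, 1, 3) == "IN=") return "(none)"   # rule logged without a prefix
    p = index(rest, " IN=")
    if (p == 0) return ""
    return substr(rest, 1, p - 1)
}'

# Count lines per log prefix; output "count prefix", busiest prefix first.
summarize_prefixes() {
    awk "$AWK_PREFIX"'
    { p = log_prefix($0); if (p != "") n[p]++ }
    END { for (k in n) printf "%d %s\n", n[k], k }' | sort -k1,1nr -k2
}

# Count source addresses seen under one prefix, e.g. sources_for_prefix "SPOOFED PKT".
sources_for_prefix() {
    awk -v want="$1" "$AWK_PREFIX"'
    log_prefix($0) == want {
        for (i = 1; i <= NF; i++) if (substr($i, 1, 4) == "SRC=") n[substr($i, 5)]++
    }
    END { for (s in n) printf "%d %s\n", n[s], s }' | sort -k1,1nr -k2
}

# Count protocol/destination-port pairs seen under one prefix ("tcp/22", "udp/5353", ...).
dports_for_prefix() {
    awk -v want="$1" "$AWK_PREFIX"'
    log_prefix($0) == want {
        proto = "?"; dpt = ""
        for (i = 1; i <= NF; i++) {
            if (substr($i, 1, 6) == "PROTO=") proto = tolower(substr($i, 7))
            else if (substr($i, 1, 4) == "DPT=") dpt = substr($i, 5)
        }
        if (dpt != "") n[proto "/" dpt]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }' | sort -k1,1nr -k2
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_prefixes
printf '%s\n' "$SAMPLE_LOG" | sources_for_prefix 'SPOOFED PKT'
printf '%s\n' "$SAMPLE_LOG" | dports_for_prefix 'SPOOFED PKT'
```

With this policy the SPOOFED PKT breakdown is the one to watch: because the anti-spoofing rules are bound to wlan0, that prefix collects every new inbound connection attempt from the Internet, so its per-source and per-port counts are effectively an inbound-scan summary for the host, while the plain DROP prefix shows what the VMs (IN=br0) and the host itself (IN= OUT=wlan0) tried to send that the policy does not allow.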


2 Responses to “Iptables Lab”

  1. site Says:

    I have got one idea for your web page. It looks like there are a few cascading stylesheet problems when loading a selection of web pages in Google Chrome as well as Safari. It is operating okay in Internet Explorer. Perhaps you can double-check that.

  2. pebble tile Says:

    I was just searching for this info for some time. After six hours of continuous Googling, I finally found it on your website. I wonder what is lacking in Google's strategy that it does not rank this type of informative website at the top of the list. Normally the top websites are full of garbage.
