[PLUG] Wireless gateway firewall wrong.

plug_0 at robinson-west.com plug_0 at robinson-west.com
Mon May 16 00:12:59 UTC 2005


The following is the firewall script (rc.local) on my wireless router; it
does not forward port 80 and 443 traffic properly.  I tried to send it as
an rc.local attachment before, but the attachment was stripped.


#!/bin/sh
#
# /etc/rc.d/rc.local:  Local system initialization script.
#
# Put any local setup commands in here:

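# Bring up the wireless side.  10.0.0.1 is set without a netmask, so the
# classful default (/8, the same range as WIFI2 below) applies.  Ad-hoc mode
# is chosen here; any link-layer encryption key would have to come from
# rc.wireless, which is not part of this file.
/etc/rc.d/rc.wireless wlan0
/sbin/ifconfig wlan0 10.0.0.1
/sbin/iwconfig wlan0 mode ad-hoc

# Fail closed while the rule set is (re)built.  The original set these to
# ACCEPT here and only switched to DROP on the last two lines of the script,
# leaving the router wide open for the whole run -- and permanently, if the
# script aborted part-way.  Flushing the tables below does not touch chain
# policies, so DROP can safely be the policy from the start.
iptables -P INPUT DROP
iptables -P OUTPUT DROP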
###############################################################



  OUT_INT_1="wlan0"
   IN_INT_1="eth0"
  PRIVPORTS="0:1023"
UNPRIVPORTS="1024:65535"

   OUT_ADDR_1="10.0.0.1"
  REMOTE_ADDR="10.0.0.2"
REMOTE_ADDR_2="10.0.0.3"

 SSH_LOCAL_PORTS="1022:65535"
SSH_REMOTE_PORTS="513:65535"

WIFI2="10.0.0.0/8"



# Start from a clean slate so the script can be re-run: empty the three
# tables that are used, delete the user chains left by a previous run
# (icmpi/icmpo live in filter, which is the table -X acts on), and refuse
# to route anything until a FORWARD rule explicitly allows it.  -F does not
# reset chain policies, so whatever INPUT/OUTPUT policy was set above
# survives this.
for table in filter nat mangle; do
    iptables -t "$table" -F
done
iptables -X
iptables -P FORWARD DROP



###############################################################
#echo "ICMP packets section."

# icmpi / icmpo hold the ICMP policy for the wireless side.  INPUT and OUTPUT
# jump into them unconditionally at the end of this section; a packet that
# matches nothing in the chain simply returns to the caller.
iptables -N icmpi
iptables -N icmpo

# Inbound: replies to the router's own pings, plus the error messages a
# sender needs.  destination-unreachable (type 3) matches all its codes, so
# fragmentation-needed -- and with it path-MTU discovery towards the router
# -- gets through.  echo-request is deliberately absent: stations cannot ping
# the router, which is worth remembering when debugging from a client.
# Note the echo-reply rule has no -d and accepts replies to any address.
iptables -A icmpi -i "$OUT_INT_1" -p icmp --icmp-type echo-reply -j ACCEPT
for kind in destination-unreachable source-quench time-exceeded parameter-problem; do
    iptables -A icmpi -i "$OUT_INT_1" -p icmp --icmp-type "$kind" \
             -d "$OUT_ADDR_1" -j ACCEPT
done

# Outbound: the errors the router itself generates, and its own pings.
# source-quench is obsolete and ignored by current stacks; harmless to keep.
for kind in fragmentation-needed source-quench parameter-problem; do
    iptables -A icmpo -o "$OUT_INT_1" -p icmp --icmp-type "$kind" \
             -s "$OUT_ADDR_1" -j ACCEPT
done
iptables -A icmpo -o "$OUT_INT_1" -p icmp --icmp-type echo-request -j ACCEPT

iptables -A INPUT -j icmpi
iptables -A OUTPUT -j icmpo
###############################################################



###############################################################
#echo "Stateful rules."

#
# Kill malformed XMAS packets.
#

# Drop the two classic malformed TCP flag combinations -- every flag set
# (XMAS) and no flag set (NULL) -- whether addressed to the router or routed
# through it.  This is a narrow check: other bogus combinations (SYN+FIN,
# SYN+RST) and segments belonging to no tracked connection are not covered.
# NOTE(review): conntrack is already loaded for the FORWARD rules further
# down, so `-m state --state INVALID -j DROP` here would catch more.
for flags in ALL NONE; do
    for chain in INPUT FORWARD; do
        iptables -A "$chain" -p tcp --tcp-flags ALL "$flags" -j DROP
    done
done

###############################################################



###############################################################
# Allow local traffic.

# Loopback and the wired interface are fully trusted in both directions.
# The wired side is also where MASQUERADE sends the stations' traffic, so
# this is only acceptable while eth0 faces a private LAN (the commented-out
# 192.168.4.2 gateway at the bottom of the script suggests it does).  If eth0
# were ever connected straight to an upstream, these two rules would expose
# every listening service on the router to it.
for trusted in lo "$IN_INT_1"; do
    iptables -A INPUT -i "$trusted" -j ACCEPT
    iptables -A OUTPUT -o "$trusted" -j ACCEPT
done

# End of allow local traffic.
###############################################################



###############################################################
# Allow remote ssh.

# Stateless ssh rules: the SYN / non-SYN split stands in for connection
# tracking.  First pair -- ssh *into* the router from the wireless side.
# No source address is checked, so any station that joins the ad-hoc
# network can reach sshd on 10.0.0.1; unlike the FORWARD rules this is not
# limited to REMOTE_ADDR / REMOTE_ADDR_2.
# NOTE(review): if those two are the only admin hosts, add `-s "$REMOTE_ADDR"`
# (and a second rule for REMOTE_ADDR_2) to close that gap.
iptables -A INPUT -i "$OUT_INT_1" -p tcp \
         --sport "$SSH_REMOTE_PORTS" \
         -d "$OUT_ADDR_1" --dport 22 -j ACCEPT
iptables -A OUTPUT -o "$OUT_INT_1" -p tcp ! --syn \
         -s "$OUT_ADDR_1" --sport 22 \
         --dport "$SSH_REMOTE_PORTS" -j ACCEPT

# Second pair -- ssh *from* the router out to a station.  The inbound half
# accepts any non-SYN segment with source port 22 aimed at 1022:65535; that
# is the cost of not using -m state here, since a station can send ACK/RST
# probes into that range.  With the DROP policy this is reconnaissance
# rather than access, unless something is actually listening there.
iptables -A INPUT -i "$OUT_INT_1" -p tcp ! --syn \
         --sport 22 -d "$OUT_ADDR_1" \
         --dport "$SSH_LOCAL_PORTS" \
         -j ACCEPT
iptables -A OUTPUT -o "$OUT_INT_1" -p tcp \
         -s "$OUT_ADDR_1" --sport "$SSH_LOCAL_PORTS" \
         --dport 22 -j ACCEPT

# End of Allow remote ssh.
###############################################################



###############################################################
# Allow web browsing.

# The router's *own* HTTP/HTTPS client traffic towards the wireless side,
# stateless as above (a reply is any non-SYN segment from port 443/80).
# These are INPUT/OUTPUT rules only: traffic from the stations that is
# routed through the box never touches them -- whether port 80/443 gets
# forwarded is decided solely by the FORWARD rules in the Masquerade
# section, so this block is not where a forwarding problem lives.
# The original order (443 first, then 80) is preserved.
for port in 443 80; do
    iptables -A INPUT -i "$OUT_INT_1" -p tcp ! --syn \
             --sport "$port" \
             -d "$OUT_ADDR_1" --dport "$UNPRIVPORTS" \
             -j ACCEPT
    iptables -A OUTPUT -o "$OUT_INT_1" -p tcp \
             -s "$OUT_ADDR_1" --sport "$UNPRIVPORTS" \
             --dport "$port" -j ACCEPT
done

# End of allow web browsing.
###############################################################



###############################################################
# Allow DNS Server.

# A resolver on the router answering the wireless stations.  There is no -s
# restriction, so whatever listens on UDP 53 here is reachable by anyone who
# joins the ad-hoc network, not just REMOTE_ADDR / REMOTE_ADDR_2.
iptables -A INPUT -i "$OUT_INT_1" -p udp \
         --sport "$UNPRIVPORTS" \
         -d "$OUT_ADDR_1" --dport 53 -j ACCEPT
iptables -A OUTPUT -o "$OUT_INT_1" -p udp \
         -s "$OUT_ADDR_1" --sport 53 \
         --dport "$UNPRIVPORTS" -j ACCEPT

# Port-53-to-port-53 exchanges, as older BIND releases used for queries
# between servers.  Only needed if a peer still sends from port 53.
iptables -A INPUT -i "$OUT_INT_1" -p udp \
         --sport 53 \
         -d "$OUT_ADDR_1" --dport 53 -j ACCEPT
iptables -A OUTPUT -o "$OUT_INT_1" -p udp \
         -s "$OUT_ADDR_1" --sport 53 \
         --dport 53 -j ACCEPT

# End of Allow DNS Server.
###############################################################



###############################################################
# Allow DNS Client.

# The router as a DNS *client* of a server on the wireless side: UDP replies
# from port 53 into the router's unprivileged ports, and the TCP variant
# (presumably for large answers), again matched statelessly on a non-SYN
# reply.  Whether any station actually serves DNS to the router is not
# visible from this file; if the router's resolver lives on the wired side
# these four rules are never hit.
iptables -A INPUT -i "$OUT_INT_1" -p udp \
         --sport 53 \
         -d "$OUT_ADDR_1" --dport "$UNPRIVPORTS" \
         -j ACCEPT
iptables -A OUTPUT -o "$OUT_INT_1" -p udp \
         -s "$OUT_ADDR_1" --sport "$UNPRIVPORTS" \
         --dport 53 -j ACCEPT

iptables -A INPUT -i "$OUT_INT_1" -p tcp ! --syn \
         --sport 53 \
         -d "$OUT_ADDR_1" --dport "$UNPRIVPORTS" \
         -j ACCEPT
iptables -A OUTPUT -o "$OUT_INT_1" -p tcp \
         -s "$OUT_ADDR_1" --sport "$UNPRIVPORTS" \
         --dport 53 -j ACCEPT

# End of Allow DNS Client.
###############################################################



###############################################################
# Masquerade

#echo "Allow associated packets from outbound connections"
#echo "back in."

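# Routing policy for the wireless stations.  Only REMOTE_ADDR and
# REMOTE_ADDR_2 may open connections out through the wired interface, and
# the return path is limited to tracked ESTABLISHED/RELATED traffic aimed
# back at those two addresses (conntrack undoes the masquerade before
# FORWARD sees the packet, so matching on the station address is correct).
# Any other station that joins the ad-hoc network hits the FORWARD DROP
# policy.  Nothing here treats port 80 or 443 differently from any other
# port: if other ports already forward fine, these rules are not what
# breaks 80/443, and the upstream path is the next thing to look at (the
# commented-out policy routing to 192.168.4.2 below suggests those ports
# were at some point meant to take a separate route).
# NOTE(review): a NEW connection from a station may go to *any* destination
# reachable via eth0, the trusted wired LAN included; if the stations are
# only meant to reach the outside, add a `! -d <wired-LAN-subnet>` match to
# the two NEW rules.
iptables -A FORWARD -i "$IN_INT_1" -o "$OUT_INT_1" -m state \
         --state ESTABLISHED,RELATED -d "$REMOTE_ADDR" \
         -j ACCEPT
iptables -A FORWARD -i "$IN_INT_1" -o "$OUT_INT_1" -m state \
         --state ESTABLISHED,RELATED -d "$REMOTE_ADDR_2" \
         -j ACCEPT

iptables -A FORWARD -m state --state NEW,ESTABLISHED \
         -i "$OUT_INT_1" -o "$IN_INT_1" \
         -s "$REMOTE_ADDR" -j ACCEPT
iptables -A FORWARD -m state --state NEW,ESTABLISHED \
         -i "$OUT_INT_1" -o "$IN_INT_1" \
         -s "$REMOTE_ADDR_2" -j ACCEPT

# Hide the stations behind the wired address.  The original hard-coded eth0
# here; IN_INT_1 is the same interface and keeps the rule in step with the
# FORWARD rules above.
iptables -t nat -A POSTROUTING -o "$IN_INT_1" -j MASQUERADE

# None of the above matters unless the kernel is routing at all, and nothing
# else in this script turns that on.  On Slackware that is normally done by
# rc.inet2 via rc.ip_forward, but only when that file is executable; if it
# is not, every packet from a station is discarded before it ever reaches
# the FORWARD chain, which looks exactly like "forwarding does not work".
# Writing 1 is idempotent, so it is safe to do here unconditionally.
echo 1 > /proc/sys/net/ipv4/ip_forward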

###############################################################



#ip route flush table 2 2>/dev/null
#
#ip rule add fwmark 3 table 2
#
#ip route add default via 192.168.4.2 dev eth0 table 2
#
#iptables -A PREROUTING -t mangle -s 10.0.0.2 -j MARK --set-mark 3 \
#         -p tcp --dport 80
#
#iptables -A PREROUTING -t mangle -s 10.0.0.3 -j MARK --set-mark 3 \
#         -p tcp --dport 80
#
#iptables -A PREROUTING -t mangle -s 10.0.0.2 -j MARK --set-mark 3 \
#         -p tcp --dport 443
#
#iptables -A PREROUTING -t mangle -s 10.0.0.3 -j MARK --set-mark 3 \
#         -p tcp --dport 443

# Final default-deny for the router's own traffic: whatever the INPUT/OUTPUT
# policy was while the rules above were loading, from here on anything they
# did not explicitly accept is dropped.
for chain in INPUT OUTPUT; do
    iptables -P "$chain" DROP
done


Michael C. Robinson


