Lesson 10

Date: 4/2/2014
Basics of Linux Security
Linux for Engineering and IT Applications


NAT iptables script

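#!/bin/sh
# NAT gateway firewall.
#
# filter table: default policy DROP on INPUT/OUTPUT/FORWARD, with explicit
# ACCEPT rules for ICMP, DNS, SSH, loopback, the private LAN and return
# traffic of established connections. nat table: source-NAT for LAN
# traffic leaving through the Internet interface.
#
# Must run as root. Re-running replaces the previous ruleset (every table
# is flushed first). When run over SSH the session must originate from
# the 128.6.0.0/16 range accepted below, otherwise it is cut off.
IPT=/sbin/iptables

# Internet Interface
INET_IFACE="eth0"
INET_ADDRESS="128.6.2.9"
INET_GW="128.6.2.1"        # not referenced by any rule below

# Local Interface Information
LOCAL_IFACE="eth1"
LOCAL_IP="192.168.5.240"   # not referenced by any rule below
LOCAL_NET="192.168.5.0/24"

# Enable routing between the two interfaces. Without this the FORWARD and
# POSTROUTING rules never see a packet and the LAN has no Internet access.
# Persist it (net.ipv4.ip_forward = 1 in /etc/sysctl.conf) to survive reboots.
echo 1 > /proc/sys/net/ipv4/ip_forward

# Flush the tables. mangle is flushed as well, so that the "-X" below cannot
# fail on a non-empty user-defined chain.
"$IPT" -F INPUT
"$IPT" -F OUTPUT
"$IPT" -F FORWARD
"$IPT" -t nat -F
"$IPT" -t mangle -F

# Define default policy to DROP packets. From here until the ACCEPT rules
# are installed every packet is dropped, so keep the script short.
"$IPT" -P INPUT   DROP
"$IPT" -P OUTPUT  DROP
"$IPT" -P FORWARD DROP
"$IPT" -t nat -P PREROUTING ACCEPT
"$IPT" -t nat -P POSTROUTING ACCEPT
"$IPT" -t nat -P OUTPUT ACCEPT

# Delete the optional user-defined chains
"$IPT" -X
"$IPT" -t nat -X
"$IPT" -t mangle -X

# Allow ICMP types ('echo reply', 'echo request' and 'time exceeded') so the
# gateway can be pinged, can ping, and traceroute keeps working.
"$IPT" -A INPUT -i "$INET_IFACE" -p icmp --icmp-type 0 -j ACCEPT
"$IPT" -A INPUT -i "$INET_IFACE" -p icmp --icmp-type 8 -j ACCEPT
"$IPT" -A INPUT -i "$INET_IFACE" -p icmp --icmp-type 11 -j ACCEPT
"$IPT" -A OUTPUT -p icmp --icmp-type 0 -j ACCEPT
"$IPT" -A OUTPUT -p icmp --icmp-type 8 -j ACCEPT
"$IPT" -A OUTPUT -p icmp --icmp-type 11 -j ACCEPT

# Permit DNS traffic.
# NOTE(review): as written this admits unsolicited queries from the Internet
# to a DNS *server* on this host (INPUT --dport 53) and its replies (OUTPUT
# --sport 53). The gateway's own resolver traffic (OUTPUT --dport 53 and the
# matching INPUT --sport 53 replies) is NOT permitted by any rule here —
# confirm which role is intended before deploying.
"$IPT" -A INPUT -i "$INET_IFACE" -p udp --dport 53 -j ACCEPT
"$IPT" -A OUTPUT -p udp --sport 53 -j ACCEPT

# Accept network return traffic from the internet for connections the
# gateway itself opened. Only TCP to an unprivileged local port is covered;
# UDP replies (other than DNS above) are not matched by any rule.
"$IPT" -A INPUT -i "$INET_IFACE" -m state -p tcp --dport 1024:65535 --state ESTABLISHED,RELATED -j ACCEPT
"$IPT" -A OUTPUT -m state -p tcp --sport 1024:65535 ! --state INVALID -j ACCEPT

# Accept SSH traffic from the internet, restricted to the campus /16.
"$IPT" -A INPUT -i "$INET_IFACE" -m state -p tcp -s 128.6.0.0/16 --dport 22 ! --state INVALID -j ACCEPT
"$IPT" -A OUTPUT -m state -p tcp --sport 22 --state ESTABLISHED,RELATED -j ACCEPT

# Accept all local (loopback) traffic on the lo interface
"$IPT" -A INPUT -s 127.0.0.1 -i lo -j ACCEPT
"$IPT" -A OUTPUT -d 127.0.0.1 -o lo -j ACCEPT

# Accept private subnet traffic on LOCAL_IFACE
"$IPT" -A INPUT -s "$LOCAL_NET" -i "$LOCAL_IFACE" -j ACCEPT
"$IPT" -A OUTPUT -d "$LOCAL_NET" -o "$LOCAL_IFACE" -j ACCEPT

# Allow forwarding packets. Outbound forwarding is limited to sources in the
# private subnet so a host on the LAN side cannot push spoofed addresses
# through the NAT; inbound forwarding is return traffic only.
"$IPT" -A FORWARD -i "$LOCAL_IFACE" -s "$LOCAL_NET" -j ACCEPT
"$IPT" -A FORWARD -i "$INET_IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Packet masquerading: rewrite the source of LAN traffic leaving via the
# Internet interface to the gateway's public address (static address, so
# SNAT rather than MASQUERADE).
"$IPT" -t nat -A POSTROUTING -o "$INET_IFACE" -j SNAT --to-source "$INET_ADDRESS"

# Log all other traffic just before the DROP policy discards it. Rate-limited
# so a flood cannot fill the log, and prefixed so the chain is recognisable.
"$IPT" -A INPUT   -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT INPUT DROP: "
"$IPT" -A OUTPUT  -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT OUTPUT DROP: "
"$IPT" -A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "IPT FORWARD DROP: "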


