Firewall script for NAT server to protect the smtp

Sat Dec 13 05:15:48 UTC 2003

Well I put my server behind a SmoothWall2.0 with a NAT address, (any I
portforward the needed ports)
but I still find I have to protect the SMTP 25 with this script.

This statement in the script gives a chain/target/match error.
/sbin/iptables -A INPUT -m state -p tcp --state ESTABLISHED,RELATED -j
ACCEPT

What is wrong with the above statement?

[root-v+aXH1h/sVw at public.gmane.org scripts]# more firewall

 #!/bin/sh
echo "FSNAT (Firewall for Server with NAT Address) starting..."

# ****************************************
# Flushing all chains and reset iptables
# ****************************************

/sbin/iptables -F
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD

/sbin/iptables -X
/sbin/iptables -Z

# **********************************************
# DEFAULT POLICIES
#***********************************************

echo DROP INPUT chain
/sbin/iptables -P INPUT DROP

echo DROP OUTPUT chain
/sbin/iptables -P OUTPUT DROP

echo ACCEPT FORWARD chain
/sbin/iptables -P FORWARD ACCEPT

# **********************************************
# drop these nutbars
# *********************************************

echo Drop that spammer  bitch from China 218.70.8.186
/sbin/iptables -A INPUT -s 218.70.8.186/24 -j DROP
/sbin/iptables -A INPUT -s 218.70.0.0/24   -j DROP

# ***********************************************
# allow this traffic
# ***********************************************

echo accept packets from an already established TCP connection
/sbin/iptables -A INPUT -m state -p tcp --state ESTABLISHED,RELATED -j
ACCEPT

echo allow everything on eth1 network
/sbin/iptables -A INPUT   -i eth1 -j ACCEPT
/sbin/iptables -A OUTPUT  -o eth1 -j ACCEPT
/sbin/iptables -A FORWARD -i eth1 -j ACCEPT

echo allow everything on the loopback interface
/sbin/iptables -A INPUT   -i lo -j ACCEPT
/sbin/iptables -A OUTPUT  -o lo -j ACCEPT
/sbin/iptables -A FORWARD -i lo -j ACCEPT

# ****************************************************************
# ACCEPT THESE PACKETS
# ****************************************************************

echo allow INPUT eth1 only for ports 22 25 53 80 110 143 993
/sbin/iptables -A INPUT -p tcp -i eth1 --sport 22  -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth1 --sport 25  -j ACCEPT

/sbin/iptables -A INPUT -p tcp -i eth1 --sport 53  -j ACCEPT
/sbin/iptables -A INPUT -p udp -i eth1 --sport 53  -j ACCEPT

/sbin/iptables -A INPUT -p tcp -i eth1 --sport 80  -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth1 --sport 110 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth1 --sport 113 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth1 --sport 143 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth1 --sport 443 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i eth1 --sport 993 -j ACCEPT

# ***************************************************************
# eth1 OUTPUT
# ***************************************************************

echo allow outgoing eth1 traffic only for ports 22 25 53 80 110 143 993
/sbin/iptables -A OUTPUT -p tcp -o eth1 --dport 22  -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -o eth1 --dport 25  -j ACCEPT

/sbin/iptables -A OUTPUT -p tcp -o eth1 --dport 53  -j ACCEPT
/sbin/iptables -A OUTPUT -p udp -o eth1 --dport 53  -j ACCEPT

/sbin/iptables -A OUTPUT -p tcp -o eth1 --dport 80  -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -o eth1 --dport 110 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -o eth1 --dport 113 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -o eth1 --dport 143 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -o eth1 --dport 443 -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp -o eth1 --dport 993 -j ACCEPT

# **********************************************************
# eth1 FORWARD incoming
# default policy listed at top is ACCEPT. (this is a router)
# **********************************************************

# **********************************************************
# eth1 FORWARD outgoing
# default policy listed at top is ACCEPT. (this is a router)
# **********************************************************

# *****************************************************
# Loading Iptable modules (enable if not kernel builtin)
# *****************************************************

# /sbin/modprobe ip_tables
# /sbin/modprobe ip_conntrack   #Added this module
# /sbin/modprobe ip_nat_ftp
# /sbin/modprobe ip_conntrack_ftp

# *****************************************
# Disabled rules
# *****************************************

# echo Catchall In case a packet made it here, drop all other traffic.
# /sbin/iptables -A FORWARD -j DROP

# echo Drop any incoming SMTP packets
# /sbin/iptables -A INPUT -p tcp -i ppp0 -s 0/0 --dport 25 -j DROP

[root-v+aXH1h/sVw at public.gmane.org scripts]#
---------------------------------------------------------------
teddy mills
http://www.vger.ca
VGER directives...To collect...all that is collectable. To sell...all that
is saleable.To merchandise...all that is merchandisable.

Family Guys, Quagmire
"allllllllllllllllllllllllllllllll right"

--
The Toronto Linux Users Group.      Meetings: http://tlug.ss.org
TLUG requests: Linux topics, No HTML, wrap text below 80 columns
How to UNSUBSCRIBE: http://tlug.ss.org/subscribe.shtml