IPTABLES

=**Linux Iptable Overview**=

The Tart European Division runs its internal firewall on a Linux gateway using iptables: eth0 faces outward, eth1 faces the 10.10.11.0/24 internal network, and the box also terminates OpenVPN and PPTP. The script that runs at startup is listed below:

 #!/bin/sh
 echo "Script running, please wait while your system is configured..."

 # Variables
 IPTABLES=/sbin/iptables
 MODPROBE=/sbin/modprobe
 INT_NET=10.10.11.0/24

 echo "Flushing Current Configuration..."
 # Flush Existing IPTables Crap
 $IPTABLES -F
 $IPTABLES -F -t nat
 $IPTABLES -X
 $IPTABLES -P INPUT DROP
 $IPTABLES -P OUTPUT DROP
 $IPTABLES -P FORWARD DROP
 echo "Flushing Current Configuration...[OK]"

 echo "Loading Required Modules..."
 # Load Iptables Required Modules
 # (2.4 / early 2.6 module names; on current kernels these are nf_conntrack,
 #  nf_conntrack_ftp and nf_nat_ftp, and modprobe will simply fail harmlessly)
 # $MODPROBE ip_conntrack
 $MODPROBE iptable_nat
 $MODPROBE ip_conntrack_ftp
 $MODPROBE ip_nat_ftp
 $MODPROBE ip_gre
 echo "Loading Required Modules...[OK]"

 echo "Configuring Filters for Incoming Traffic..."
 # Filter Incoming Connections
 # The INPUT policy is DROP, so loopback and replies to this host's own
 # connections must be accepted explicitly (the original script had neither,
 # which drops every reply packet and every UDP packet after the first).
 $IPTABLES -A INPUT -i lo -j ACCEPT
 $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 $IPTABLES -A INPUT -m state --state INVALID -j DROP
 # OpenVPN (UDP/1194) and GRE (protocol 47, the PPTP data channel) from anywhere
 $IPTABLES -A INPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
 $IPTABLES -A INPUT -p 47 -m state --state NEW -j ACCEPT
 # Services offered to the internal network only
 $IPTABLES -A INPUT -s $INT_NET -p tcp --dport 88 -m state --state NEW -j ACCEPT    # Kerberos
 $IPTABLES -A INPUT -s $INT_NET -p udp --dport 88 -m state --state NEW -j ACCEPT    # Kerberos
 $IPTABLES -A INPUT -s $INT_NET -p udp --dport 138 -m state --state NEW -j ACCEPT   # NetBIOS datagram
 $IPTABLES -A INPUT -s $INT_NET -p udp --dport 137 -m state --state NEW -j ACCEPT   # NetBIOS name service
 $IPTABLES -A INPUT -s $INT_NET -p udp --dport 5353 -m state --state NEW -j ACCEPT  # mDNS
 $IPTABLES -A INPUT -s $INT_NET -p udp --dport 1812 -m state --state NEW -j ACCEPT  # RADIUS authentication
 # PPTP control channel is TCP/1723; the original rule matched UDP and never hit
 $IPTABLES -A INPUT -s $INT_NET -p tcp --dport 1723 -m state --state NEW -j ACCEPT
 $IPTABLES -A INPUT -s $INT_NET -p udp --dport 1813 -m state --state NEW -j ACCEPT  # RADIUS accounting

 # Output Chain
 $IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 $IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT

 # Allow Ping
 $IPTABLES -A OUTPUT -p icmp --icmp-type echo-request -j ACCEPT
 $IPTABLES -A INPUT -p icmp --icmp-type echo-request -j ACCEPT
 $IPTABLES -A FORWARD -p icmp --icmp-type echo-request -j ACCEPT

 # Forward Chain
 $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 $IPTABLES -A FORWARD -p tcp -i eth1 --dport 80 -m state --state NEW -j ACCEPT
 $IPTABLES -A FORWARD -p tcp -i eth1 --dport 53 -m state --state NEW -j ACCEPT
 $IPTABLES -A FORWARD -p udp -i eth1 --dport 53 -m state --state NEW -j ACCEPT
 $IPTABLES -A FORWARD -p tcp -i eth1 --dport 443 -m state --state NEW -j ACCEPT
 $IPTABLES -t nat -A POSTROUTING -s $INT_NET -o eth0 -j MASQUERADE
 $IPTABLES -t nat -A POSTROUTING -s 10.10.12.0/24 -o eth0 -j MASQUERADE

 # Pre Routing
 # Disabled. Note that SMTP is TCP, so this line would need -p tcp to forward mail.
 # $IPTABLES -t nat -A PREROUTING -p udp --dport 25 -i eth0 -j DNAT --to 192.168.1.103:25

 # Log whatever falls through to the DROP policies. LOG is non-terminating, so
 # these must be the last rules in each chain: appended earlier (as in the
 # original) they log accepted packets with a "DROP " prefix. The OUTPUT chain
 # only knows the outgoing interface, so -o is used there; -i is rejected.
 # Consider adding -m limit --limit 5/min so a flood cannot fill the log.
 $IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
 $IPTABLES -A OUTPUT ! -o lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
 $IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options

 echo 1 > /proc/sys/net/ipv4/ip_forward
 echo "Configuring HTTP Forwarding...[OK]"
 echo "Configuration Complete"
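Most of the mistakes in a ruleset like this one are not syntax errors: iptables accepts a chain with no ESTABLISHED,RELATED rule, a LOG rule placed before the ACCEPTs it is supposed to describe, a duplicate rule, or a TCP service matched with -p udp, and the failure only shows up as dropped traffic or misleading "DROP " log lines. The linter below is an added example, not code from the page or from the division; it parses `$IPTABLES -A ...` lines with shlex and reports those four problems. Both rule sets embedded in it are constructed for the example: SAMPLE_SCRIPT carries a subset of the original rules with their ordering and protocol mistakes, FIXED_SCRIPT the same rules after correction. The KNOWN_TCP table, the parse_rule and lint function names and the finding messages are the example's own.

```python
"""Static checks for the rule ordering and statefulness of an iptables script."""
import shlex
from collections import defaultdict

# Well-known services that only exist over TCP; a -p udp rule for these never matches.
KNOWN_TCP = {1723: "PPTP control channel", 25: "SMTP"}

# Constructed sample: a subset of the original script's rules, mistakes included.
SAMPLE_SCRIPT = """
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -i ! lo -j LOG --log-prefix "DROP " --log-ip-options --log-tcp-options
$IPTABLES -A INPUT -s $INT_NET -p udp --dport 1723 -m state --state NEW -j ACCEPT
$IPTABLES -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth1 --dport 80 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth1 --dport 80 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP "
"""

# Constructed sample: the same rules with the problems corrected.
FIXED_SCRIPT = """
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p udp --dport 1194 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT -s $INT_NET -p tcp --dport 1723 -m state --state NEW -j ACCEPT
$IPTABLES -A INPUT ! -i lo -j LOG --log-prefix "DROP "
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p tcp -i eth1 --dport 80 -m state --state NEW -j ACCEPT
$IPTABLES -A FORWARD ! -i lo -j LOG --log-prefix "DROP "
"""


def parse_rule(line):
    """Turn one `$IPTABLES -A CHAIN ...` line into {chain, opts, line}.

    Both negation styles are understood: `! -i lo` and the older `-i ! lo`;
    a negated value is stored with a leading '!'. Non -A lines return None.
    """
    toks = shlex.split(line)
    if "-A" not in toks:
        return None
    i = toks.index("-A")
    chain = toks[i + 1]
    opts, i, negate = {}, i + 2, False
    while i < len(toks):
        tok = toks[i]
        if tok == "!":              # extrapositioned negation applies to the next option
            negate, i = True, i + 1
            continue
        if tok.startswith("-"):
            i, neg, negate = i + 1, negate, False
            if i < len(toks) and toks[i] == "!":   # intrapositioned negation
                neg, i = True, i + 1
            val = ""
            if i < len(toks) and not toks[i].startswith("-"):
                val, i = toks[i], i + 1
            opts[tok] = ("!" if neg else "") + val
            continue
        i += 1
    return {"chain": chain, "opts": opts, "line": line.strip()}


def lint(script):
    """Return a list of (chain, message) findings for the given script text."""
    chains = defaultdict(list)
    for rule in filter(None, map(parse_rule, script.splitlines())):
        chains[rule["chain"]].append(rule)
    findings = []

    # 1. A DROP-policy INPUT chain needs loopback and reply traffic accepted explicitly.
    inp = chains.get("INPUT", [])
    if not any(r["opts"].get("-j") == "ACCEPT" and "ESTABLISHED" in r["opts"].get("--state", "") for r in inp):
        findings.append(("INPUT", "no ACCEPT for ESTABLISHED,RELATED: replies to this host's own connections are dropped"))
    if not any(r["opts"].get("-j") == "ACCEPT" and r["opts"].get("-i") == "lo" for r in inp):
        findings.append(("INPUT", "no ACCEPT for -i lo: local services talking over loopback are dropped"))

    # 2. LOG does not terminate; ACCEPTs after it mean accepted packets get logged as "DROP".
    for chain, rules in chains.items():
        for idx, r in enumerate(rules):
            if r["opts"].get("-j") == "LOG":
                later = [x for x in rules[idx + 1:] if x["opts"].get("-j") == "ACCEPT"]
                if later:
                    findings.append((chain, f"LOG rule at position {idx + 1} precedes {len(later)} ACCEPT rule(s); "
                                            f"accepted packets are logged with prefix {r['opts'].get('--log-prefix', '')!r}"))

    # 3. Duplicate rules are dead weight and usually a copy-paste slip hiding a missing port.
    for chain, rules in chains.items():
        seen = set()
        for r in rules:
            key = tuple(sorted(r["opts"].items()))
            if key in seen:
                findings.append((chain, "duplicate rule: " + r["line"]))
            seen.add(key)

    # 4. A TCP-only service matched with -p udp can never match.
    for chain, rules in chains.items():
        for r in rules:
            port = r["opts"].get("--dport", "")
            if port.isdigit() and int(port) in KNOWN_TCP and r["opts"].get("-p") == "udp":
                findings.append((chain, f"--dport {port} ({KNOWN_TCP[int(port)]}) is a TCP service but the rule matches -p udp"))
    return findings


if __name__ == "__main__":
    for chain, msg in lint(SAMPLE_SCRIPT):
        print(f"{chain}: {msg}")
    print("fixed script findings:", lint(FIXED_SCRIPT))
```

Run against SAMPLE_SCRIPT the linter reports five findings (missing ESTABLISHED,RELATED and loopback accepts, a LOG rule ahead of an ACCEPT, the duplicated FORWARD port-80 rule and the UDP/1723 mismatch); FIXED_SCRIPT comes back clean. The same parser can be pointed at the real script by reading the file instead of the embedded string; it does not need iptables or root, so it can run in CI before the script is deployed.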