IP Forwarding:
Choose one of the following to allow the Linux kernel to forward IP packets:
Immediately allow the forwarding of packets. This sets a flag in the running kernel, but the setting is not preserved across a reboot.
echo 1 > /proc/sys/net/ipv4/ip_forward
Another method is to edit the kernel parameter file /etc/sysctl.conf.
Set the following value:
net.ipv4.ip_forward = 1
This configures the system to allow forwarding of packets at boot: the value is stored in this configuration file and is read and applied during system boot. If it is set to "0", packets will not be forwarded.
An alternate method (on Red Hat-style systems) is to edit the network script /etc/sysconfig/network:
FORWARD_IPV4=true
Change the default "false" to "true".
All of the above methods result in a proc file value of "1", which allows IP packet forwarding. Methods 2 and 3 set the boot-time configuration in a file and will not take effect until the system boots.
Test the current setting of the kernel: cat /proc/sys/net/ipv4/ip_forward
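The runtime flag and the boot-time file can disagree (for example after "echo 1 > /proc/sys/net/ipv4/ip_forward" on a host whose /etc/sysctl.conf still says 0). The following check is an added example, not part of the original page: it reads both sources and reports a mismatch. Both paths are parameters so the script can be exercised against the constructed sample files it creates; on a real host call forwarding_report with /proc/sys/net/ipv4/ip_forward and /etc/sysctl.conf.

```shell
#!/bin/sh
# Added example: compare the kernel's current ip_forward flag with the value
# that /etc/sysctl.conf will apply at boot. File paths are parameters so the
# functions can run against constructed files without root.

# runtime_forward <proc-file>: print the flag (0 or 1) the running kernel holds.
runtime_forward() {
    tr -d '[:space:]' < "$1"
}

# boot_forward <sysctl.conf>: print the value of net.ipv4.ip_forward that will
# be applied at boot. Comment lines are ignored; if the key appears more than
# once the last assignment wins (as sysctl itself does); "unset" if absent.
boot_forward() {
    awk -F= '
        /^[[:space:]]*#/ { next }
        { key = $1; gsub(/[[:space:]]/, "", key) }
        key == "net.ipv4.ip_forward" { val = $2; gsub(/[[:space:]]/, "", val) }
        END { print (val == "" ? "unset" : val) }' "$1"
}

# forwarding_report <proc-file> <sysctl.conf>: one-line verdict on whether the
# running setting will survive a reboot.
forwarding_report() {
    now=$(runtime_forward "$1")
    boot=$(boot_forward "$2")
    if [ "$now" = "$boot" ]; then
        echo "consistent: ip_forward=$now now and at boot"
    else
        echo "MISMATCH: ip_forward=$now now, $boot at boot"
    fi
}

# Constructed sample files (not real system files): the kernel flag is 1 after
# an "echo 1", but sysctl.conf still disables forwarding at boot.
PROC_SAMPLE="${TMPDIR:-/tmp}/ip_forward.sample.$$"
CONF_SAMPLE="${TMPDIR:-/tmp}/sysctl.conf.sample.$$"
CONF_COMMENTED="${TMPDIR:-/tmp}/sysctl.conf.commented.$$"
trap 'rm -f "$PROC_SAMPLE" "$CONF_SAMPLE" "$CONF_COMMENTED"' EXIT

echo 1 > "$PROC_SAMPLE"
cat > "$CONF_SAMPLE" <<'EOF'
# constructed sysctl.conf: forwarding disabled at boot
net.ipv4.ip_forward = 0
net.ipv4.tcp_syncookies = 1
EOF
cat > "$CONF_COMMENTED" <<'EOF'
# constructed sysctl.conf: key present only as a comment, so it is not applied
#net.ipv4.ip_forward = 1
EOF

forwarding_report "$PROC_SAMPLE" "$CONF_SAMPLE"
forwarding_report "$PROC_SAMPLE" "$CONF_COMMENTED"
```

The check only reads /etc/sysctl.conf; on distributions that also load /etc/sysctl.d/*.conf, a later file there can override the value, so run boot_forward against each of those files as well.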
IP Firewall Scripts
This script configures firewall rules for a Linux computer with two Ethernet ports. One port connects the computer to the Internet with an external address of XXX.XXX.XXX.XXX. The other Ethernet port connects the computer to an internal network of 192.168.0.0. This script is more complex than, but preferred to, the previous scripts because of the extra security that the additional firewall rules offer. The script does work with a system running portsentry. For more on portsentry see the YoLinux Internet Security: portsentry Tutorial.
Internet external network interface: eth0
Internal private network interface: eth1
Local loopback virtual interface: lo
Step 1: Create the file with the touch command (# touch firewall), then copy and paste the following script into it:
#!/bin/bash -x
#Flushing firewall# (remove all existing rules and user-defined chains in the filter, nat and mangle tables)
iptables --flush
iptables --flush INPUT
iptables --flush OUTPUT
iptables --flush FORWARD
iptables --table nat --flush
iptables --delete-chain
iptables --table nat --delete-chain
iptables --table mangle --delete-chain
#Accepting Tables# (temporarily open all chains so the host is not cut off while rules are rebuilt)
iptables --policy INPUT ACCEPT
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
#Setting up Default policies # (the last --policy for a chain is the one in force: INPUT drops by default)
iptables --policy INPUT DROP
iptables --policy OUTPUT ACCEPT
iptables --policy FORWARD ACCEPT
# NOTE: the next rule accepts everything arriving on the Internet-facing interface, so the
# INPUT DROP policy above never applies to eth0 traffic. Remove it if inbound Internet
# traffic is meant to be filtered by the port-specific rules further down.
iptables -A INPUT -p ALL -i eth0 -j ACCEPT
iptables -A OUTPUT -p ALL -o eth0 -j ACCEPT
#Loop Back Unlimited Access for INPUT chain and OUTPUT chain#
iptables --append INPUT --in-interface lo -j ACCEPT
iptables --append OUTPUT --out-interface lo -j ACCEPT
# Drop packets addressed to the loopback range that did not arrive on lo (loopback spoofing)
iptables --append INPUT -d 127.0.0.1/8 -j DROP
# Catch-all ACCEPT for FORWARD: every FORWARD rule appended (-A) after this one is unreachable,
# because iptables stops at the first matching rule. Only rules inserted with -I come before it.
iptables -A FORWARD -p ALL -j ACCEPT
#Using connection states#
# NEW is accepted on INPUT here as well, so the port-specific INPUT rules below add nothing.
iptables --append INPUT --match state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables --append OUTPUT --match state --state ESTABLISHED,RELATED -j ACCEPT
iptables --append FORWARD --match state --state ESTABLISHED,RELATED -j ACCEPT
#Accepting DNS Queries
iptables -A INPUT -p udp --dport 53 -i eth1 -m state --state NEW,ESTABLISHED -j ACCEPT
# Drop Windows RPC/NetBIOS/SMB ports before routing and in FORWARD (-I puts these ahead of the catch-all)
iptables -t nat -A PREROUTING -p tcp --dport 135 -j DROP
iptables -t nat -A PREROUTING -p tcp --dport 445 -j DROP
iptables -t nat -A PREROUTING -p tcp --dport 139 -j DROP
iptables -I FORWARD -p tcp --dport 445 -j DROP
iptables -I FORWARD -p tcp --dport 139 -j DROP
iptables -I FORWARD -p tcp --dport 135 -j DROP
#DHCP
# Ports 546/547 are the DHCPv6 ports (UDP only); IPv4 DHCP uses UDP 67/68.
iptables -A INPUT -p tcp --sport 546 -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 547 -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --sport 546 -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 547 -i eth1 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#Rules to protecting dedicated DNS Server#
iptables -A INPUT -p udp -s 0/0 --sport 24:65535 --dport 53 -d 192.168.0.254 -m state --state NEW,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -p udp -s 192.168.0.254 --dport 24:65535 --sport 53 -d 0/0 -m state --state ESTABLISHED -j ACCEPT
#WEB REQUESTS
iptables -A INPUT -p tcp -s 0/0 --sport 80 -d 192.168.0.254 -m state --state NEW,ESTABLISHED -j ACCEPT
#PORT 80 REDIRECTION TO SQUID
# Transparent proxy. No -i is given, so this matches port-80 traffic arriving on any interface, eth0 included;
# add "-i eth1" to redirect only the internal network.
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080
#MASQUERADE (rewrite the source address of traffic leaving eth0 to the external address)
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
iptables -A FORWARD -i eth1 -j ACCEPT
#SSH
iptables -A INPUT -p tcp --dport 22 -j ACCEPT #Allowing ssh to a network.#
#SMTP
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
#Limiting SYN,FIN
# Accept at most one RST-only segment per second
iptables --append INPUT --protocol tcp --tcp-flags SYN,ACK,FIN,RST RST --match limit --limit 1/s -j ACCEPT
#
# These three rules never match: the unconditional FORWARD ACCEPT above already handles every packet.
iptables --append FORWARD --protocol tcp --tcp-flags SYN,ACK,FIN,RST SYN -j DROP
iptables --append FORWARD --protocol tcp --tcp-flags SYN,ACK,FIN,RST SYN,ACK -j DROP
iptables --append FORWARD --protocol tcp --tcp-flags SYN,ACK,FIN,RST ACK -j DROP
#ICMP#FROM ANY TO ANY
# Echo request (type 8) from the internal network, rate-limited; echo reply (type 0) back out
iptables --append INPUT --in-interface eth1 -p icmp --icmp-type 8 --match limit --limit 10/s --limit-burst 10 -j ACCEPT
iptables --append OUTPUT --out-interface eth1 --protocol icmp --icmp-type 0 -j ACCEPT
#Kernel Modules
echo "1" > /proc/sys/net/ipv4/ip_forward #Enable or disable IP forwarding; if using Linux as a router, enable it
echo "1" > /proc/sys/net/ipv4/tcp_syncookies # Enable TCP SYN cookie protection from SYN floods (DoS attacks)
# Socket buffer limits (bytes): maximum send/receive buffer, then TCP min/default/max
echo 8388608 > /proc/sys/net/core/wmem_max
echo 8388608 > /proc/sys/net/core/rmem_max
echo "4096 87380 4194304" > /proc/sys/net/ipv4/tcp_rmem
echo "4096 65536 4194304" > /proc/sys/net/ipv4/tcp_wmem
Step 2: Make it executable with chmod 777 firewall (the file name you created). Since this script runs as root at boot, chmod 700 firewall is the safer choice: it is still executable but only root can modify it.
Step 3: Run the script at startup by adding its full path to /etc/rc.local:
#!/bin/sh
#
# This script will be executed *after* all the other init scripts.
# You can put your own initialization stuff in here if you don't
# want to do the full Sys V style init stuff.
# Full path of the firewall script created in Step 1 (/./firewall resolves to /firewall; change it if the script lives elsewhere)
/./firewall
touch /var/lock/subsys/local
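Rule order decides what a script like the one above actually does: the last --policy for a chain is the one in force, and a catch-all ACCEPT appended early makes every later -A rule in that chain unreachable. The following dry-run harness is an added example and not part of the original page: it shadows the iptables command with a shell function that only records the arguments, sources a script, and then answers those two questions from the recorded rules. No root or real iptables is needed. The sample script it sources is constructed here and mirrors the structure of the page's firewall script (policy set twice, an interface-limited ACCEPT on INPUT, an unconditional ACCEPT on FORWARD followed by more FORWARD rules).

```shell
#!/bin/sh
# Added example: dry-run an iptables script by shadowing "iptables", then
# report the effective default policy of each chain and how many appended
# rules are shadowed by an earlier catch-all ACCEPT in the same chain.

LOG="${TMPDIR:-/tmp}/iptables-dryrun.$$"
SAMPLE="${TMPDIR:-/tmp}/firewall-sample.$$"
trap 'rm -f "$LOG" "$SAMPLE"' EXIT

# Shadow iptables: a shell function takes precedence over the real binary, so
# sourcing the script records each call instead of touching the kernel.
iptables() {
    printf '%s\n' "$*" >> "$LOG"
}

# dry_run <script>: source the script so every iptables call hits the shadow.
dry_run() {
    : > "$LOG"
    . "$1"
}

# effective_policy <chain>: the last --policy/-P set for the chain, or "unset".
effective_policy() {
    awk -v chain="$1" '
        ($1 == "--policy" || $1 == "-P") && $2 == chain { pol = $3 }
        END { print (pol == "" ? "unset" : pol) }' "$LOG"
}

# appended_rules <chain>: number of rules appended (-A/--append) to the chain.
appended_rules() {
    awk -v chain="$1" '
        ($1 == "-A" || $1 == "--append") && $2 == chain { n++ }
        END { print n + 0 }' "$LOG"
}

# shadowed_rules <chain>: rules appended AFTER a catch-all ACCEPT in the chain.
# A catch-all is a rule whose only options are "-p ALL" and "-j ACCEPT"; any
# interface, port or state match disqualifies it. Rules appended after one can
# never match because iptables stops at the first matching rule.
shadowed_rules() {
    awk -v chain="$1" '
        ($1 == "-A" || $1 == "--append") && $2 == chain {
            if (catchall) { shadowed++; next }
            catch = ($NF == "ACCEPT")
            for (i = 3; i <= NF - 1; i++) {
                if ($i == "-p" || $i == "--protocol") {
                    if (toupper($(i + 1)) != "ALL") catch = 0
                    i++
                } else if ($i == "-j" || $i == "--jump") {
                    i++
                } else {
                    catch = 0
                }
            }
            if (catch) catchall = 1
        }
        END { print shadowed + 0 }' "$LOG"
}

# Constructed sample script (not the page's script) with the same shape.
cat > "$SAMPLE" <<'EOF'
iptables --policy INPUT ACCEPT
iptables --policy FORWARD ACCEPT
iptables --policy INPUT DROP
iptables -A INPUT -p ALL -i eth0 -j ACCEPT
iptables --append INPUT --in-interface lo -j ACCEPT
iptables -A FORWARD -p ALL -j ACCEPT
iptables --append FORWARD --match state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -p tcp --dport 25 -j ACCEPT
EOF

dry_run "$SAMPLE"
for chain in INPUT FORWARD OUTPUT; do
    printf '%-8s policy=%-6s appended=%s shadowed=%s\n' "$chain" \
        "$(effective_policy "$chain")" "$(appended_rules "$chain")" "$(shadowed_rules "$chain")"
done
```

To analyse the page's own script, call dry_run with its path instead of the sample; because the shadow function is defined in the current shell, the script's echo lines into /proc would still execute, so run the harness as an unprivileged user (those writes then fail harmlessly) or comment them out first.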