0

My iptables script is getting bloated, redundant, and there's code duplication everywhere, how can I clean it up?

Use shell script functions?
Develop it in a different language, like python?

3
Contributors
6
Replies
7
Views
9 Years
Discussion Span
Last Post by Comatose
0

My iptables script is getting bloated, redundant, and there's code duplication everywhere, how can I clean it up?

Can you paste some examples of this "bloating" and "code duplication"? If there's duplicate rules defined in different areas, it shouldn't be too difficult to spot them and help you get them cleaned up.

Use shell script functions?
Develop it in a different language, like python?

Develop *what* in a different language? Something to clean it up, or are you meaning using python for iptables?

0

See those Protect chains? I have many of them and need to create a function for them. It would save me 4*16 lines of code.

#!/bin/sh

#
# reset the default policies in the filter table.
#
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT

#
# reset the default policies in the nat table.
#
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT

#
# reset the default policies in the mangle table.
#
iptables -t mangle -P PREROUTING ACCEPT
iptables -t mangle -P POSTROUTING ACCEPT
iptables -t mangle -P INPUT ACCEPT
iptables -t mangle -P OUTPUT ACCEPT
iptables -t mangle -P FORWARD ACCEPT

#
# flush all the rules in the filter and nat tables.
#
iptables -F
iptables -t nat -F
iptables -t mangle -F

#
# erase all chains that's not default in filter and nat table.
#
iptables -X
iptables -t nat -X
iptables -t mangle -X

#######################################################################
# Variable Declaration
#######################################################################

#IPs
SERVER_IP="10.6.7.0"
LAN_IP="10.11.12.1"
VPN_IP="10.8.0.1"
JOHN_IP="10.11.12.254"

#Subnets
USER_SUBNET="10.11.12.0/24"
ANON_USER="10.8.0.0/24"
ANON_USER_PUSH="10.8.1.0/24"
SHWICK_USER="10.8.2.0/24"
SHWICK_USER_PUSH="10.8.3.0/24"

#Interfaces
VPN="tun1"
INTERNET="eth0"
LAN="eth1"

#Ports
BITTORRENT_PORT="1720"

FTP_PASV_RANGE="55000:55100"
DEFAULT_FTP_PORT="21"
DEFAULT_SSH_PORT="22"
DEFAULT_BIND_PORT="53"
DEFAULT_NETBIOS_NAME_PORT="137"
DEFAULT_NETBIOS_DATAGRAM_PORT="138"
DEFAULT_NETBIOS_SESSION_PORT="139"
DEFAULT_MS_DIRECTORY_PORT="445"
DEFAULT_VNC_PORT="5900"
DEFAULT_VPN_PORT="1194"
DEFAULT_L4D_PORT="27203"
DEFAULT_SQUID_PORT="3128"
DEFAULT_HTTPS_PORT="443"

INTERNET_SSH_PORT=$DEFAULT_SSH_PORT
INTERNET_L4D_PORT=$DEFAULT_L4D_PORT
INTERNET_SQUID_PORT=$DEFAULT_HTTPS_PORT

LAN_SSH_PORT=$DEFAULT_SSH_PORT
LAN_FTP_PORT=$DEFAULT_FTP_PORT
LAN_BIND_PORT=$DEFAULT_BIND_PORT
LAN_NETBIOS_NAME_PORT=$DEFAULT_NETBIOS_NAME_PORT
LAN_NETBIOS_DATAGRAM_PORT=$DEFAULT_NETBIOS_DATAGRAM_PORT
LAN_NETBIOS_SESSION_PORT=$DEFAULT_NETBIOS_SESSION_PORT
LAN_MS_DIRECTORY_PORT=$DEFAULT_MS_DIRECTORY_PORT
LAN_VNC_PORT=$DEFAULT_VNC_PORT
LAN_VPN_PORT=$DEFAULT_VPN_PORT
LAN_L4D_PORT=$DEFAULT_L4D_PORT
LAN_SQUID_PORT=$DEFAULT_HTTPS_PORT

VPN_SSH_PORT=$DEFAULT_SSH_PORT
VPN_FTP_PORT=$DEFAULT_FTP_PORT
VPN_BIND_PORT=$DEFAULT_BIND_PORT
VPN_NETBIOS_NAME_PORT=$DEFAULT_NETBIOS_NAME_PORT
VPN_NETBIOS_DATAGRAM_PORT=$DEFAULT_NETBIOS_DATAGRAM_PORT
VPN_NETBIOS_SESSION_PORT=$DEFAULT_NETBIOS_SESSION_PORT
VPN_MS_DIRECTORY_PORT=$DEFAULT_MS_DIRECTORY_PORT
VPN_VNC_PORT=$DEFAULT_VNC_PORT
VPN_VPN_PORT=$DEFAULT_VPN_PORT

SERVER_SSH_PORT=$DEFAULT_SSH_PORT
SERVER_FTP_PORT=$DEFAULT_FTP_PORT
SERVER_BIND_PORT=$DEFAULT_BIND_PORT
SERVER_NETBIOS_NAME_PORT=$DEFAULT_NETBIOS_NAME_PORT
SERVER_NETBIOS_DATAGRAM_PORT=$DEFAULT_NETBIOS_DATAGRAM_PORT
SERVER_NETBIOS_SESSION_PORT=$DEFAULT_NETBIOS_SESSION_PORT
SERVER_MS_DIRECTORY_PORT=$DEFAULT_MS_DIRECTORY_PORT
SERVER_VNC_PORT=$DEFAULT_VNC_PORT
SERVER_VPN_PORT=$DEFAULT_VPN_PORT
SERVER_L4D_PORT=$DEFAULT_L4D_PORT
SERVER_SQUID_PORT=$DEFAULT_SQUID_PORT

#######################################################################
# INPUT
#######################################################################
[B]
# Create INTERNET_SSH_PROTECT chain to throttle SSH port
# Drop the packet if it was from an IP that connected at least once in the past 60 seconds
# Allow the packet while there are tokens left in the queue of size 10 that recharges at a rate of 20/minute (1/3s)
iptables -N INTERNET_SSH_PROTECT
iptables -A INTERNET_SSH_PROTECT -m recent --set --name INTERNET_SSH
iptables -A INTERNET_SSH_PROTECT -m recent --update --seconds 60 --hitcount 2 --name INTERNET_SSH -j DROP
iptables -A INTERNET_SSH_PROTECT -m limit --limit 20/minute --limit-burst 10 -j ACCEPT
iptables -A INTERNET_SSH_PROTECT -j DROP

# Create LAN_ICMP_PROTECT chain to throttle ICMP
# Drop the packet if it was from an IP that connected at least twice in the past second
# Allow the packet while there are tokens left in the queue of size 10 that recharges at a rate of 6/s
iptables -N LAN_ICMP_PROTECT
iptables -A LAN_ICMP_PROTECT -m recent --set --name LAN_ICMP
iptables -A LAN_ICMP_PROTECT -m recent --update --seconds 1 --hitcount 3 --name LAN_ICMP -j DROP
iptables -A LAN_ICMP_PROTECT -m limit --limit 6/s --limit-burst 10 -j ACCEPT
iptables -A LAN_ICMP_PROTECT -j DROP

# Create LAN_SSH_PROTECT chain to throttle SSH port
# Drop the packet if it was from an IP that connected at least once in the past 60 seconds
# Allow the packet while there are tokens left in the queue of size 10 that recharges at a rate of 20/minute (1/3s)
iptables -N LAN_SSH_PROTECT
iptables -A LAN_SSH_PROTECT -m recent --set --name LAN_SSH
iptables -A LAN_SSH_PROTECT -m recent --update --seconds 60 --hitcount 2 --name LAN_SSH -j DROP
iptables -A LAN_SSH_PROTECT -m limit --limit 20/minute --limit-burst 10 -j ACCEPT
iptables -A LAN_SSH_PROTECT -j DROP

# Create LAN_FTP_PROTECT chain to throttle FTP port
# Drop the packet if it was from an IP that connected at least 60 times in the past 30 seconds
# This chain is used for initial ftp connection on port 21 and the PASV port range
# Allow the packet while there are tokens left in the queue of size 100 that recharges at a rate of 100/minute
iptables -N LAN_FTP_PROTECT
iptables -A LAN_FTP_PROTECT -m recent --set --name LAN_FTP
iptables -A LAN_FTP_PROTECT -m recent --update --seconds 30 --hitcount 60 --name LAN_FTP -j DROP
iptables -A LAN_FTP_PROTECT -m limit --limit 200/minute --limit-burst 200 -j ACCEPT
iptables -A LAN_FTP_PROTECT -j DROP 

# Create LAN_NETBIOS_NAME_PROTECT chain to throttle NetBIOS Name Service connections
# Drop the packet if it was from an IP that connected at least 10 times in the past second
# Allow the packet while there are tokens left in the queue of size 60 that recharges at a rate of 20/s
iptables -N LAN_NETBIOS_NAME_PROTECT
iptables -A LAN_NETBIOS_NAME_PROTECT -m recent --set --name LAN_NB_NAME
iptables -A LAN_NETBIOS_NAME_PROTECT -m recent --update --seconds 1 --hitcount 11 --name LAN_NB_NAME -j DROP
iptables -A LAN_NETBIOS_NAME_PROTECT -m limit --limit 20/s --limit-burst 60 -j ACCEPT
iptables -A LAN_NETBIOS_NAME_PROTECT -j DROP

# Create LAN_NETBIOS_DATAGRAM_PROTECT chain to throttle NetBIOS Datagram Service connections
# Drop the packet if it was from an IP that connected at least 10 times in the past second
# Allow the packet while there are tokens left in the queue of size 60 that recharges at a rate of 20/s
iptables -N LAN_NETBIOS_DATAGRAM_PROTECT
iptables -A LAN_NETBIOS_DATAGRAM_PROTECT -m recent --set --name LAN_NB_DATA
iptables -A LAN_NETBIOS_DATAGRAM_PROTECT -m recent --update --seconds 1 --hitcount 11 --name LAN_NB_DATA -j DROP
iptables -A LAN_NETBIOS_DATAGRAM_PROTECT -m limit --limit 20/s --limit-burst 60 -j ACCEPT
iptables -A LAN_NETBIOS_DATAGRAM_PROTECT -j DROP

# Create LAN_NETBIOS_SESSION_PROTECT chain to throttle NetBIOS Session Service connections
# Drop the packet if it was from an IP that connected at least five times in the past 30 seconds
# Allow the packet while there are tokens left in the queue of size 100 that recharges at a rate of 100/minute
iptables -N LAN_NETBIOS_SESSION_PROTECT
iptables -A LAN_NETBIOS_SESSION_PROTECT -m recent --set --name LAN_NB_SESS
iptables -A LAN_NETBIOS_SESSION_PROTECT -m recent --update --seconds 30 --hitcount 6 --name LAN_NB_SESS -j DROP
iptables -A LAN_NETBIOS_SESSION_PROTECT -m limit --limit 100/minute --limit-burst 100 -j ACCEPT
iptables -A LAN_NETBIOS_SESSION_PROTECT -j DROP

# Create LAN_MS_DIRECTORY_PROTECT chain to throttle Microsoft Directory Service connections
# Drop the packet if it was from an IP that connected at least five times in the past 30 seconds
# Allow the packet while there are tokens left in the queue of size 100 that recharges at a rate of 100/minute
iptables -N LAN_MS_DIRECTORY_PROTECT
iptables -A LAN_MS_DIRECTORY_PROTECT -m recent --set --name LAN_MS_DIR
iptables -A LAN_MS_DIRECTORY_PROTECT -m recent --update --seconds 30 --hitcount 6 --name LAN_MS_DIR -j DROP
iptables -A LAN_MS_DIRECTORY_PROTECT -m limit --limit 100/minute --limit-burst 100 -j ACCEPT
iptables -A LAN_MS_DIRECTORY_PROTECT -j DROP

# Create LAN_BIND_PROTECT chain to throttle DNS requests
# Drop the packet if it was from an IP that connected at least five times in the past second
# It seems that each packet is treated as a new connection, and two packets are sent per DNS request.
# This means that 10 new connections will be allowed per second per IP.
# Allow the packet while there are tokens left in the queue of size 40 that recharges at a rate of 20/s
iptables -N LAN_BIND_PROTECT
iptables -A LAN_BIND_PROTECT -m recent --set --name LAN_BIND_DNS
iptables -A LAN_BIND_PROTECT -m recent --update --seconds 1 --hitcount 11 --name LAN_BIND_DNS -j DROP
iptables -A LAN_BIND_PROTECT -m limit --limit 20/s --limit-burst 40 -j ACCEPT
iptables -A LAN_BIND_PROTECT -j DROP

# Create LAN_VNC_PROTECT chain to throttle VNC port
# Drop the packet if it was from an IP that connected at least once in the past 60 seconds
# Allow the packet while there are tokens left in the queue of size 10 that recharges at a rate of 20/minute (1/3s)
iptables -N LAN_VNC_PROTECT
iptables -A LAN_VNC_PROTECT -m recent --set --name LAN_VNC
iptables -A LAN_VNC_PROTECT -m recent --update --seconds 60 --hitcount 2 --name LAN_VNC -j DROP
iptables -A LAN_VNC_PROTECT -m limit --limit 20/minute --limit-burst 10 -j ACCEPT
iptables -A LAN_VNC_PROTECT -j DROP

# Create LAN_SQUID_PROTECT chain to throttle SQUID port
# Drop the packet if it was from an IP that connected at least once in the past 60 seconds
# Allow the packet while there are tokens left in the queue of size 10 that recharges at a rate of 20/minute (1/3s)
iptables -N LAN_SQUID_PROTECT
iptables -A LAN_SQUID_PROTECT -m recent --set --name LAN_SQUID
iptables -A LAN_SQUID_PROTECT -m recent --update --seconds 60 --hitcount 2 --name LAN_SQUID -j DROP
iptables -A LAN_SQUID_PROTECT -m limit --limit 20/minute --limit-burst 10 -j ACCEPT
iptables -A LAN_SQUID_PROTECT -j DROP

# Create VPN_FTP_PROTECT chain to throttle FTP port
# Drop the packet if it was from an IP that connected at least twice past 30 seconds
# This chain is used for initial ftp connection on port 21 and the PASV port range
# Allow the packet while there are tokens left in the queue of size 20 that recharges at a rate of 20/minute
iptables -N VPN_FTP_PROTECT
iptables -A VPN_FTP_PROTECT -m recent --set --name VPN_FTP
iptables -A VPN_FTP_PROTECT -m recent --update --seconds 30 --hitcount 60 --name VPN_FTP -j DROP
iptables -A VPN_FTP_PROTECT -m limit --limit 200/minute --limit-burst 200 -j ACCEPT
iptables -A VPN_FTP_PROTECT -j DROP

# Create VPN_ICMP_PROTECT chain to throttle ICMP
# Drop the packet if it was from an IP that connected at least twice in the past second
# Allow the packet while there are tokens left in the queue of size 10 that recharges at a rate of 6/s
iptables -N VPN_ICMP_PROTECT
iptables -A VPN_ICMP_PROTECT -m recent --set --name VPN_ICMP
iptables -A VPN_ICMP_PROTECT -m recent --update --seconds 1 --hitcount 3 --name VPN_ICMP -j DROP
iptables -A VPN_ICMP_PROTECT -m limit --limit 6/s --limit-burst 10 -j ACCEPT
iptables -A VPN_ICMP_PROTECT -j DROP

# Create VPN_BIND_PROTECT chain to throttle DNS requests
# Drop the packet if it was from an IP that connected at least five times in the past second
# It seems that each packet is treated as a new connection, and two packets are sent per DNS request.
# This means that 10 new connections will be allowed per second per IP.
# Allow the packet while there are tokens left in the queue of size 40 that recharges at a rate of 20/s
iptables -N VPN_BIND_PROTECT
iptables -A VPN_BIND_PROTECT -m recent --set --name VPN_BIND_DNS
iptables -A VPN_BIND_PROTECT -m recent --update --seconds 1 --hitcount 11 --name VPN_BIND_DNS -j DROP
iptables -A VPN_BIND_PROTECT -m limit --limit 20/s --limit-burst 40 -j ACCEPT
iptables -A VPN_BIND_PROTECT -j DROP

# Create VPN_VNC_PROTECT chain to throttle VNC port
# Drop the packet if it was from an IP that connected at least once in the past 60 seconds
# Allow the packet while there are tokens left in the queue of size 10 that recharges at a rate of 20/minute (1/3s)
iptables -N VPN_VNC_PROTECT
iptables -A VPN_VNC_PROTECT -m recent --set --name VPN_VNC
iptables -A VPN_VNC_PROTECT -m recent --update --seconds 60 --hitcount 2 --name VPN_VNC -j DROP
iptables -A VPN_VNC_PROTECT -m limit --limit 20/minute --limit-burst 10 -j ACCEPT
iptables -A VPN_VNC_PROTECT -j DROP

# Create VPN_SSH_PROTECT chain to throttle SSH port
# Drop the packet if it was from an IP that connected at least once in the past 60 seconds
# Allow the packet while there are tokens left in the queue of size 10 that recharges at a rate of 20/minute (1/3s)
iptables -N VPN_SSH_PROTECT
iptables -A VPN_SSH_PROTECT -m recent --set --name VPN_SSH
iptables -A VPN_SSH_PROTECT -m recent --update --seconds 60 --hitcount 2 --name VPN_SSH -j DROP
iptables -A VPN_SSH_PROTECT -m limit --limit 20/minute --limit-burst 10 -j ACCEPT
iptables -A VPN_SSH_PROTECT -j DROP
[/B]
# LAN_INPUT_UDP handles udp traffic and jumps packets to protection chains.
iptables -N LAN_INPUT_UDP
iptables -A LAN_INPUT_UDP -p udp --dport $SERVER_L4D_PORT -j ACCEPT
iptables -A LAN_INPUT_UDP -p udp --dport $SERVER_BIND_PORT -j LAN_BIND_PROTECT
iptables -A LAN_INPUT_UDP -j DROP

# LAN_INPUT_TCP handles tcp traffic and jumps packets to protection chains.
iptables -N LAN_INPUT_TCP
iptables -A LAN_INPUT_TCP -p tcp --dport $SERVER_L4D_PORT -j ACCEPT
iptables -A LAN_INPUT_TCP -p tcp --dport $SERVER_SSH_PORT -j LAN_SSH_PROTECT
iptables -A LAN_INPUT_TCP -p tcp --dport $SERVER_FTP_PORT -j LAN_FTP_PROTECT
iptables -A LAN_INPUT_TCP -p tcp --dport $FTP_PASV_RANGE -j LAN_FTP_PROTECT
iptables -A LAN_INPUT_TCP -p tcp --dport $SERVER_VNC_PORT -j LAN_VNC_PROTECT
iptables -A LAN_INPUT_TCP -p tcp --dport $SERVER_SQUID_PORT -j LAN_SQUID_PROTECT
iptables -A LAN_INPUT_TCP -j DROP

# LAN_INPUT_SERVER jumps packets to udp or tcp chains.
iptables -N LAN_INPUT_SERVER
iptables -A LAN_INPUT_SERVER -p tcp -j LAN_INPUT_TCP
iptables -A LAN_INPUT_SERVER -p udp -j LAN_INPUT_UDP
iptables -A LAN_INPUT_SERVER -j DROP

# LAN_INPUT handles packets coming from the LAN.  Jumpts packets
# to protection chains or drops them.  If packets are not from the
# USER_SUBNET drop them.  Samba listens on eth1 still, so it doesn't need
# to have $SERVER_IP destination.  Drop packets without $SERVER_IP destination,
# or users could access the same ports on different local interfaces.
iptables -N LAN_INPUT
#iptables -A LAN_INPUT -p tcp --dport 80 -j LOG --log-level DEBUG --log-prefix "Connection attempt port 80: " 
#iptables -A LAN_INPUT -p udp --dport 80 -j LOG --log-level DEBUG --log-prefix "Connection attempt port 80: " 
iptables -A LAN_INPUT ! -s $USER_SUBNET -j DROP
iptables -A LAN_INPUT -p icmp -j LAN_ICMP_PROTECT
iptables -A LAN_INPUT -d $SERVER_IP -j LAN_INPUT_SERVER
iptables -A LAN_INPUT -p udp --dport $LAN_NETBIOS_NAME_PORT -j LAN_NETBIOS_NAME_PROTECT
iptables -A LAN_INPUT -p udp --dport $LAN_NETBIOS_DATAGRAM_PORT -j LAN_NETBIOS_DATAGRAM_PROTECT
iptables -A LAN_INPUT -p tcp --dport $LAN_NETBIOS_SESSION_PORT -j LAN_NETBIOS_SESSION_PROTECT
iptables -A LAN_INPUT -p tcp --dport $LAN_MS_DIRECTORY_PORT -j LAN_MS_DIRECTORY_PROTECT
iptables -A LAN_INPUT -j DROP

# INTERNET_INPUT_SERVER jumps packets to udp or tcp chains.
iptables -N INTERNET_INPUT_SERVER
#iptables -A INTERNET_INPUT_SERVER -p tcp --dport $SERVER_L4D_PORT -j ACCEPT
#iptables -A INTERNET_INPUT_SERVER -p udp --dport $SERVER_L4D_PORT -j ACCEPT
iptables -A INTERNET_INPUT_SERVER -p tcp --dport $SERVER_SSH_PORT -j INTERNET_SSH_PROTECT
iptables -A INTERNET_INPUT_SERVER -j DROP

# INTERNET_INPUT handles packets coming from the INTERNET.  Jumps
# packets to protection chains or drops them.
iptables -N INTERNET_INPUT
iptables -A INTERNET_INPUT -d $SERVER_IP -j INTERNET_INPUT_SERVER
iptables -A INTERNET_INPUT -j DROP

iptables -N VPN_INPUT_SERVER_ANON_PUSH
iptables -A VPN_INPUT_SERVER_ANON_PUSH -p tcp --dport $SERVER_FTP_PORT -j VPN_FTP_PROTECT
iptables -A VPN_INPUT_SERVER_ANON_PUSH -p tcp --dport $FTP_PASV_RANGE -j VPN_FTP_PROTECT
iptables -A VPN_INPUT_SERVER_ANON_PUSH -p udp --dport $SERVER_BIND_PORT -j VPN_BIND_PROTECT
iptables -A VPN_INPUT_SERVER_ANON_PUSH -j DROP

iptables -N VPN_INPUT_ANON_PUSH
iptables -A VPN_INPUT_ANON_PUSH -p icmp -j VPN_ICMP_PROTECT
iptables -A VPN_INPUT_ANON_PUSH -d $SERVER_IP -j VPN_INPUT_SERVER_ANON_PUSH
iptables -A VPN_INPUT_ANON_PUSH -j DROP

iptables -N VPN_INPUT_SERVER_ANON_USER
iptables -A VPN_INPUT_SERVER_ANON_USER -p tcp --dport $SERVER_FTP_PORT -j VPN_FTP_PROTECT
iptables -A VPN_INPUT_SERVER_ANON_USER -p tcp --dport $FTP_PASV_RANGE -j VPN_FTP_PROTECT
iptables -A VPN_INPUT_SERVER_ANON_USER -j DROP

# VPN_INPUT_ANON_USER restricts ANON_USER to only be able to access the
# SERVER_IP for requests to this server.
iptables -N VPN_INPUT_ANON_USER
iptables -A VPN_INPUT_ANON_USER -p icmp -j VPN_ICMP_PROTECT
iptables -A VPN_INPUT_ANON_USER -d $SERVER_IP -j VPN_INPUT_SERVER_ANON_USER
iptables -A VPN_INPUT_ANON_USER -j DROP

iptables -N VPN_INPUT_SERVER_SHWICK_PUSH
iptables -A VPN_INPUT_SERVER_SHWICK_PUSH -p tcp --dport $SERVER_FTP_PORT -j VPN_FTP_PROTECT
iptables -A VPN_INPUT_SERVER_SHWICK_PUSH -p tcp --dport $FTP_PASV_RANGE -j VPN_FTP_PROTECT
iptables -A VPN_INPUT_SERVER_SHWICK_PUSH -p tcp --dport $SERVER_SSH_PORT -j VPN_SSH_PROTECT
iptables -A VPN_INPUT_SERVER_SHWICK_PUSH -p tcp --dport $SERVER_VNC_PORT -j VPN_VNC_PROTECT
iptables -A VPN_INPUT_SERVER_SHWICK_PUSH -p udp --dport $SERVER_BIND_PORT -j VPN_BIND_PROTECT
iptables -A VPN_INPUT_SERVER_SHWICK_PUSH -j DROP

# VPN_INPUT_SHWICK_PUSH restricts SHWICK_PUSH to only be able to access the
# SERVER_IP for requests to this server.
iptables -N VPN_INPUT_SHWICK_PUSH
iptables -A VPN_INPUT_SHWICK_PUSH -p icmp -j VPN_ICMP_PROTECT
iptables -A VPN_INPUT_SHWICK_PUSH -d $SERVER_IP -j VPN_INPUT_SERVER_SHWICK_PUSH
iptables -A VPN_INPUT_SHWICK_PUSH -j DROP

iptables -N VPN_INPUT_SERVER_SHWICK_USER
iptables -A VPN_INPUT_SERVER_SHWICK_USER -p tcp --dport $SERVER_FTP_PORT -j VPN_FTP_PROTECT
iptables -A VPN_INPUT_SERVER_SHWICK_USER -p tcp --dport $FTP_PASV_RANGE -j VPN_FTP_PROTECT
iptables -A VPN_INPUT_SERVER_SHWICK_USER -p tcp --dport $SERVER_SSH_PORT -j VPN_SSH_PROTECT
iptables -A VPN_INPUT_SERVER_SHWICK_USER -p tcp --dport $SERVER_VNC_PORT -j VPN_VNC_PROTECT
iptables -A VPN_INPUT_SERVER_SHWICK_USER -p udp --dport $SERVER_BIND_PORT -j VPN_BIND_PROTECT
iptables -A VPN_INPUT_SERVER_SHWICK_USER -j DROP

# VPN_INPUT_SHWICK_USER restricts SHWICK_USER to only be able to access the
# SERVER_IP for requests to this server.
iptables -N VPN_INPUT_SHWICK_USER
iptables -A VPN_INPUT_SHWICK_USER -p icmp -j VPN_ICMP_PROTECT
iptables -A VPN_INPUT_SHWICK_USER -d $SERVER_IP -j VPN_INPUT_SERVER_SHWICK_USER
iptables -A VPN_INPUT_SHWICK_USER -j DROP

# VPN_INPUT checks the source ip against different user subnets and jumps
# the packets to the appropriate subnet.  This allows us to give different
# access to users based on their source ip.
iptables -N VPN_INPUT
iptables -A VPN_INPUT -s $ANON_USER -j VPN_INPUT_ANON_USER
iptables -A VPN_INPUT -s $ANON_USER_PUSH -j VPN_INPUT_ANON_PUSH
iptables -A VPN_INPUT -s $SHWICK_USER -j VPN_INPUT_SHWICK_USER
iptables -A VPN_INPUT -s $SHWICK_USER_PUSH -j VPN_INPUT_SHWICK_PUSH
iptables -A VPN_INPUT -j DROP

# NEW_INPUT handles packets in the NEW state.  Packets jump to chains
# based on their interface.  Also drops all malformed tcp packets.
iptables -N NEW_INPUT
iptables -A NEW_INPUT -p tcp ! --syn -j DROP
iptables -A NEW_INPUT -i $LAN -j LAN_INPUT
iptables -A NEW_INPUT -i $INTERNET -j INTERNET_INPUT
iptables -A NEW_INPUT -i $VPN -j VPN_INPUT
iptables -A NEW_INPUT -j DROP

# Allow all established and related traffic
# Allow unlimited traffic on loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -j NEW_INPUT
iptables -P INPUT DROP

#######################################################################
# FORWARDING
#######################################################################

# INTERNET_FORWARD forwards ports from the internet to machines on the LAN.
iptables -N INTERNET_FORWARD
iptables -A INTERNET_FORWARD -p tcp --dport $BITTORRENT_PORT -j ACCEPT
iptables -A INTERNET_FORWARD -p udp --dport $BITTORRENT_PORT -j ACCEPT
iptables -A INTERNET_FORWARD -j DROP

iptables -N VPN_FORWARD
iptables -A VPN_FORWARD -s $SHWICK_USER -j ACCEPT
iptables -A VPN_FORWARD -s $SHWICK_USER_PUSH -j ACCEPT
iptables -A VPN_FORWARD -s $ANON_USER_PUSH -d ! $USER_SUBNET -j ACCEPT
iptables -A VPN_FORWARD -j DROP

# NEW_FORWARD drops malformed tcp packets, forwards packets in the NEW state 
# to different interfaces, or just accepts them.
iptables -N NEW_FORWARD
iptables -A NEW_FORWARD -p tcp ! --syn -j DROP
iptables -A NEW_FORWARD -i $LAN -s $USER_SUBNET -j ACCEPT
iptables -A NEW_FORWARD -i $INTERNET -j INTERNET_FORWARD
iptables -A NEW_FORWARD -i $VPN -j VPN_FORWARD
iptables -A NEW_FORWARD -j DROP

# FORWARDING
# Allow all established and related traffic.  Packets in the NEW state jump
# to NEW_FORWARD.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -j NEW_FORWARD
iptables -P FORWARD DROP

#######################################################################
# PREROUTING
#######################################################################

# LOCAL_SERVERS DNATs to the virtual tun interface where all servers listen on
# If the packet is in this chain, it is allowed to access a port on this interface.
iptables -t nat -N LOCAL_SERVERS
iptables -t nat -A LOCAL_SERVERS -j DNAT --to $SERVER_IP

# LAN_PREROUTE_SERVER DNATs packets to the server interface.
iptables -t nat -N LAN_PREROUTE_SERVER
iptables -t nat -A LAN_PREROUTE_SERVER -p tcp --dport $LAN_L4D_PORT -j DNAT --to $SERVER_IP:$SERVER_L4D_PORT
iptables -t nat -A LAN_PREROUTE_SERVER -p udp --dport $LAN_L4D_PORT -j DNAT --to $SERVER_IP:$SERVER_L4D_PORT
iptables -t nat -A LAN_PREROUTE_SERVER -p tcp --dport $FTP_PASV_RANGE -j LOCAL_SERVERS
iptables -t nat -A LAN_PREROUTE_SERVER -p tcp --dport $LAN_FTP_PORT -j DNAT --to $SERVER_IP:$SERVER_FTP_PORT
iptables -t nat -A LAN_PREROUTE_SERVER -p tcp --dport $LAN_SSH_PORT -j DNAT --to $SERVER_IP:$SERVER_SSH_PORT
iptables -t nat -A LAN_PREROUTE_SERVER -p udp --dport $LAN_BIND_PORT -j DNAT --to $SERVER_IP:$SERVER_BIND_PORT
iptables -t nat -A LAN_PREROUTE_SERVER -p tcp --dport $LAN_VNC_PORT -j DNAT --to $SERVER_IP:$SERVER_VNC_PORT
iptables -t nat -A LAN_PREROUTE_SERVER -p tcp --dport $LAN_SQUID_PORT -j DNAT --to $SERVER_IP:$SERVER_SQUID_PORT

# LAN_PREROUTE allows servers on LAN by matching ports.
# Ports that don't jump to LOCAL_SERVERS aren't exposed to eth1.
# The request must be to the lan interface to get prerouted.
iptables -t nat -N LAN_PREROUTE
iptables -t nat -A LAN_PREROUTE -d $LAN_IP -j LAN_PREROUTE_SERVER 

# LAN_JOHN DNATs to John's machine on the LAN 
iptables -t nat -N LAN_JOHN
iptables -t nat -A LAN_JOHN -j DNAT --to $JOHN_IP

# INTERNET_PREROUTE is used for DNATing ports on INTERNET to machines on the LAN, as well
# as DNATing ports to servers on the tun virtual interfaces.
iptables -t nat -N INTERNET_PREROUTE
#iptables -t nat -A INTERNET_PREROUTE -p tcp --dport $INTERNET_L4D_PORT -j DNAT --to $SERVER_IP:$SERVER_L4D_PORT
#iptables -t nat -A INTERNET_PREROUTE -p udp --dport $INTERNET_L4D_PORT -j DNAT --to $SERVER_IP:$SERVER_L4D_PORT
#iptables -t nat -A INTERNET_PREROUTE -p tcp --dport $BITTORRENT_PORT -j LAN_JOHN
#iptables -t nat -A INTERNET_PREROUTE -p udp --dport $BITTORRENT_PORT -j LAN_JOHN
iptables -t nat -A INTERNET_PREROUTE -p tcp --dport $INTERNET_SSH_PORT -j DNAT --to $SERVER_IP:$SERVER_SSH_PORT

# VPN_PREROUTE_ANON_USER
iptables -t nat -N VPN_PREROUTE_ANON_USER
iptables -t nat -A VPN_PREROUTE_ANON_USER -p tcp --dport $VPN_FTP_PORT -j DNAT --to $SERVER_IP:$SERVER_FTP_PORT
iptables -t nat -A VPN_PREROUTE_ANON_USER -p tcp --dport $FTP_PASV_RANGE -j LOCAL_SERVERS

# VPN_PREROUTE_ANON_USER_PUSH
iptables -t nat -N VPN_PREROUTE_ANON_USER_PUSH
iptables -t nat -A VPN_PREROUTE_ANON_USER_PUSH -p tcp --dport $VPN_FTP_PORT -j DNAT --to $SERVER_IP:$SERVER_FTP_PORT
iptables -t nat -A VPN_PREROUTE_ANON_USER_PUSH -p tcp --dport $FTP_PASV_RANGE -j LOCAL_SERVERS
iptables -t nat -A VPN_PREROUTE_ANON_USER_PUSH -p udp --dport $VPN_BIND_PORT -j DNAT --to $SERVER_IP:$SERVER_BIND_PORT

iptables -t nat -N VPN_PREROUTE_SHWICK_USER
iptables -t nat -A VPN_PREROUTE_SHWICK_USER -p tcp --dport $FTP_PASV_RANGE -j LOCAL_SERVERS
iptables -t nat -A VPN_PREROUTE_SHWICK_USER -p tcp --dport $VPN_FTP_PORT -j DNAT --to $SERVER_IP:$SERVER_FTP_PORT
iptables -t nat -A VPN_PREROUTE_SHWICK_USER -p tcp --dport $VPN_SSH_PORT -j DNAT --to $SERVER_IP:$SERVER_SSH_PORT
iptables -t nat -A VPN_PREROUTE_SHWICK_USER -p udp --dport $VPN_BIND_PORT -j DNAT --to $SERVER_IP:$SERVER_BIND_PORT
iptables -t nat -A VPN_PREROUTE_SHWICK_USER -p tcp --dport $VPN_VNC_PORT -j DNAT --to $SERVER_IP:$SERVER_VNC_PORT

iptables -t nat -N VPN_PREROUTE_SHWICK_USER_PUSH
iptables -t nat -A VPN_PREROUTE_SHWICK_USER_PUSH -p tcp --dport $FTP_PASV_RANGE -j LOCAL_SERVERS
iptables -t nat -A VPN_PREROUTE_SHWICK_USER_PUSH -p tcp --dport $VPN_FTP_PORT -j DNAT --to $SERVER_IP:$SERVER_FTP_PORT
iptables -t nat -A VPN_PREROUTE_SHWICK_USER_PUSH -p tcp --dport $VPN_SSH_PORT -j DNAT --to $SERVER_IP:$SERVER_SSH_PORT
iptables -t nat -A VPN_PREROUTE_SHWICK_USER_PUSH -p udp --dport $VPN_BIND_PORT -j DNAT --to $SERVER_IP:$SERVER_BIND_PORT
iptables -t nat -A VPN_PREROUTE_SHWICK_USER_PUSH -p tcp --dport $VPN_VNC_PORT -j DNAT --to $SERVER_IP:$SERVER_VNC_PORT

# VPN_PREROUTE_SERVER DNATs packets to the server interface.
iptables -t nat -N VPN_PREROUTE_SERVER
iptables -t nat -A VPN_PREROUTE_SERVER -s $ANON_USER -j VPN_PREROUTE_ANON_USER
iptables -t nat -A VPN_PREROUTE_SERVER -s $ANON_USER_PUSH -j VPN_PREROUTE_ANON_USER_PUSH
iptables -t nat -A VPN_PREROUTE_SERVER -s $SHWICK_USER -j VPN_PREROUTE_SHWICK_USER
iptables -t nat -A VPN_PREROUTE_SERVER -s $SHWICK_USER_PUSH -j VPN_PREROUTE_SHWICK_USER

# VPN_PREROUTE verifies the request is on the lan interface before it's prerouted.
iptables -t nat -N VPN_PREROUTE
iptables -t nat -A VPN_PREROUTE -d $VPN_IP -j VPN_PREROUTE_SERVER

# PREROUTING
# Don't filter in the PREROUTING nat chain as it will be bypassed in certain cases.
# Used mainly for DNAT.
iptables -A PREROUTING -t nat -i $INTERNET -j INTERNET_PREROUTE
iptables -A PREROUTING -t nat -i $LAN -j LAN_PREROUTE
iptables -A PREROUTING -t nat -i $VPN -j VPN_PREROUTE

#######################################################################
# POSTROUTING
#######################################################################

# Setup MASQUERADING for nat
iptables -A POSTROUTING -t nat -j MASQUERADE
0

What did you use to generate that?

As far as creating functions, I'd suggest consulting the manpage for iptables. I haven't used iptables in about 10 years, and my *BSD boxen use pf, so I can't be of much help as far as cleanup goes.

As far as using Python (as you mentioned in your original post), my question is still "Use it for what?"

0

Didn't know about that, but then again, I haven't used iptables (or Linux, for that matter) in years. I'd say go for it and see what happens :)

0

I'm not sure how doing it in another language is going help... if you planning on pruning the entries, the list will be the same in Python or in Bash (or anything else for that matter).

I suppose you could do something nifty, like create an array of forward items, an array of drop items etc, and then loop through it, so that it is more code-like and less sequential.... but either way, running iptables -L will still yield the same result...

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.