netfilter and custom chains
I've never had a good occasion to use custom chains with netfilter. The usual setups I had to prepare were simple enough to achieve the required results using the built-in chains.
A few days ago I had to configure another box to act as a firewall, so I decided to try out custom chains:
```bash
#===============================================================================
#
# CUSTOM CHAINS
#
#===============================================================================
# A user-defined chain is created with -N and entered with -j. If no rule in
# it matches, the packet returns to the calling chain and evaluation continues
# with the rule right after the jump, which is why the LOG rules below follow
# each jump. Nothing here drops explicitly: what is logged is left to the
# chain's default policy, assumed to be set earlier in the script (not shown).

# Chain for packets coming from the internet
$IPTABLES -N internet-allowed
$IPTABLES -A internet-allowed -p tcp -m state --state NEW --dport $SSH -j ACCEPT
$IPTABLES -A internet-allowed -p tcp -m state --state NEW --dport $MUNIN -s $MUNIN_MASTER -j ACCEPT

# Chain for packets coming from the wireless network
$IPTABLES -N wireless-allowed
$IPTABLES -A wireless-allowed -p tcp -m state --state NEW --dport $CHILLI -j ACCEPT
# multiport: the documented option names are --dports / --destination-ports
$IPTABLES -A wireless-allowed -p tcp -m state --state NEW -m multiport --dports $HTTP -j ACCEPT
$IPTABLES -A wireless-allowed -p udp --dport $DNS -j ACCEPT

# Chain for packets coming from the wireless network and forwarded to the
# internet
$IPTABLES -N wireless2internet
$IPTABLES -A wireless2internet -p tcp -m state --state NEW -m multiport --dports $HTTP -j ACCEPT

#===============================================================================
#
# INPUT CHAIN
#
#===============================================================================
# Replies to connections this box already accepted or opened come first
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i $LOIF -j ACCEPT
# Jump into the per-interface allow chain; whatever returns unaccepted is logged
$IPTABLES -A INPUT -i $EXTIF -j internet-allowed
$IPTABLES -A INPUT -i $EXTIF -j LOG --log-prefix "IN EXT REJ: "
# Nothing is allowed in directly from the internal interface, only logged
$IPTABLES -A INPUT -i $INTIF -j LOG --log-prefix "IN INT REJ: "
$IPTABLES -A INPUT -i $TUNIF -j wireless-allowed
$IPTABLES -A INPUT -i $TUNIF -j LOG --log-prefix "IN TUN REJ: "

#===============================================================================
#
# FORWARD CHAIN
#
#===============================================================================
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -j LOG --log-prefix "FW EXT REJ: "
$IPTABLES -A FORWARD -i $INTIF -j LOG --log-prefix "FW INT REJ: "
# Only wireless -> internet traffic gets an allow chain; the -o match keeps
# wireless clients from reaching other interfaces through this jump
$IPTABLES -A FORWARD -i $TUNIF -o $EXTIF -j wireless2internet
$IPTABLES -A FORWARD -i $TUNIF -j LOG --log-prefix "FW TUN REJ: "
```
Although they were not strictly needed, I think they improve readability anyway, as you can see from the previous snippet of the firewall script.
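The same layout can be pushed one step further with a second idiom that custom chains make easy: a shared terminal chain. The script below is an added example, not the author's firewall script; it reuses the author's chain names but swaps in a `logdrop` chain (rate-limited LOG followed by an explicit DROP) so that every packet an allow chain returns unmatched is logged and dropped by a rule rather than by whatever the default policy happens to be, and it emits the ruleset in `iptables-restore` format so it is loaded atomically. It also uses `-m conntrack --ctstate`, the current spelling of the `-m state` match. The interface names and port numbers are placeholders chosen for this example.

```bash
#!/bin/sh
# Added example: custom chains plus a shared "logdrop" terminal chain,
# emitted as an atomic iptables-restore ruleset. Interfaces and ports are
# placeholder values; override them from the environment.
EXTIF=${EXTIF:-eth0}
TUNIF=${TUNIF:-tun0}
SSH=${SSH:-22}
HTTP=${HTTP:-80,443}
DNS=${DNS:-53}

# Print the ruleset. A packet that reaches the end of a user-defined chain
# without matching returns to the caller, so the "-j logdrop" placed right
# after each allow-chain jump is what actually terminates it. Lines starting
# with '#' are ignored by iptables-restore.
build_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:logdrop - [0:0]
:internet-allowed - [0:0]
:wireless-allowed - [0:0]
:wireless2internet - [0:0]
# shared terminal chain: log at most 5 packets/min, then drop explicitly
-A logdrop -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FW DROP: "
-A logdrop -j DROP
# what the internet may open towards this box
-A internet-allowed -p tcp -m conntrack --ctstate NEW --dport $SSH -j ACCEPT
# what wireless clients may open towards this box
-A wireless-allowed -p tcp -m conntrack --ctstate NEW -m multiport --dports $HTTP -j ACCEPT
-A wireless-allowed -p udp --dport $DNS -j ACCEPT
# what wireless clients may open through this box
-A wireless2internet -p tcp -m conntrack --ctstate NEW -m multiport --dports $HTTP -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i $EXTIF -j internet-allowed
-A INPUT -i $EXTIF -j logdrop
-A INPUT -i $TUNIF -j wireless-allowed
-A INPUT -i $TUNIF -j logdrop
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $TUNIF -o $EXTIF -j wireless2internet
-A FORWARD -j logdrop
COMMIT
EOF
}

# Count the rules that jump to a given chain: a quick check that every
# allow-chain jump is followed by a terminal rule.
count_jumps_to() {
  build_ruleset | grep -c -- "-j $1\$"
}

# Syntax-check without loading, then apply, only when explicitly asked and
# iptables-restore is available (both steps need root).
if [ "${1:-}" = "apply" ] && command -v iptables-restore >/dev/null 2>&1; then
  build_ruleset | iptables-restore --test && build_ruleset | iptables-restore
fi
```

Run it as `sh fw.sh` to print the ruleset for review, or `sudo sh fw.sh apply` to test and load it. The `--limit` match on the LOG rule is the part worth keeping even if the rest is adapted: an unthrottled LOG rule on an internet-facing interface turns a port scan into a full syslog partition.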