This software is a script for a dual-homed firewall using IPTables version 1.2.1. It serves as an example script for setting up a multi-homed firewall.
This software review addresses a script for a multi-homed firewall that serves as an example of IPTables 1.2.1 script for a dual-homed firewall. The script has not been extensively tested on a dual-homed firewall, but the developer asks users to email them if they find any issues.
The script contains several user-defined chains that perform different filtering processes. The KEEP_STATE chain filters packets using stateful packet filtering techniques to DROP "INVALID" and "UNCLEAN" packets and allow other packets from "RELATED" or "ESTABLISHED" connections. The CHECK_FLAGS chain filters based on TCP flags, dropping and logging mainly bogus/malicious traffic. The DENY_PORTS chain contains rules to DROP and/or LOG packets based on the source and/or destination port number of the packet, with specific ports listed as examples.
The ALLOW_PORTS chain simply ACCEPTs packets based on port number, useful for DNATing/routing connections behind the firewall. The ALLOW_ICMP chain allows packets based on ICMP type, including Echo Reply (pong), Destination Unreachable, Echo Request (ping), and TTL Exceeded (traceroute). The SRC_EGRESS and DST_EGRESS chains filter packets that have a source or destination IP address matching an array of private or reserved subnets.
The script also includes TOS_OUTPUT and TOS_PREROUTING chains in the mangle table to manipulate the TOS(Type of Service) field in the IP header of locally generated, outgoing packets and packets being routed through the firewall, respectively.
The user-defined chains mentioned above are designed to have a user-defined INPUT and OUTPUT chain for every available interface. From these user-defined chains, "Special Chains" are called, including EXTERNAL_INPUT, INTERNAL_INPUT, DMZ_INPUT, LO_INPUT, EXTERNAL_OUTPUT, INTERNAL_OUTPUT, DMZ_OUTPUT, and LO_OUTPUT. These chains are called by the built-in INPUT/OUTPUT/FORWARD chains to ensure proper flow of packets through the filters.
Overall, this script is a useful example for dual-homed firewall configuration, but users should be aware of its limitations and adapt it accordingly for their specific needs.
The script contains several user-defined chains that perform different filtering processes. The KEEP_STATE chain filters packets using stateful packet filtering techniques to DROP "INVALID" and "UNCLEAN" packets and allow other packets from "RELATED" or "ESTABLISHED" connections. The CHECK_FLAGS chain filters based on TCP flags, dropping and logging mainly bogus/malicious traffic. The DENY_PORTS chain contains rules to DROP and/or LOG packets based on the source and/or destination port number of the packet, with specific ports listed as examples.
The ALLOW_PORTS chain simply ACCEPTs packets based on port number, useful for DNATing/routing connections behind the firewall. The ALLOW_ICMP chain allows packets based on ICMP type, including Echo Reply (pong), Destination Unreachable, Echo Request (ping), and TTL Exceeded (traceroute). The SRC_EGRESS and DST_EGRESS chains filter packets that have a source or destination IP address matching an array of private or reserved subnets.
The script also includes TOS_OUTPUT and TOS_PREROUTING chains in the mangle table to manipulate the TOS(Type of Service) field in the IP header of locally generated, outgoing packets and packets being routed through the firewall, respectively.
The user-defined chains mentioned above are designed to have a user-defined INPUT and OUTPUT chain for every available interface. From these user-defined chains, "Special Chains" are called, including EXTERNAL_INPUT, INTERNAL_INPUT, DMZ_INPUT, LO_INPUT, EXTERNAL_OUTPUT, INTERNAL_OUTPUT, DMZ_OUTPUT, and LO_OUTPUT. These chains are called by the built-in INPUT/OUTPUT/FORWARD chains to ensure proper flow of packets through the filters.
Overall, this script is a useful example for dual-homed firewall configuration, but users should be aware of its limitations and adapt it accordingly for their specific needs.
What's New
Version 1.2b2: N/A