Build DMZ server for windows sharing printer using iptables

[andipurwito]

I have no idea with my script below. I don’t know where the mismatch. I plan to build a DMZ Server for windows sharing printer with this script, but not work. However DMZ for web server is done successfully. Please help me!


FW_HOSTNAME="DMZ"
KDCAB="5"
NETMASK_LAMA="netmask 255.255.255.0"
GW_LAMA="192.168.128.1" #IP Address Modem VSAT

NAT_ADDRESS_LAN="192.168.128.254"
BUFFER="32767500" # BUFFER = 65535 * 500

#Network Data Center
ETH_DC="eth0"
NET_DC="192.168.128.0/24"

#Network Local Cabang
ETH_LOCAL="eth1"
NET_LOCAL="192.168.$KDCAB.0/24"

GOTOHELL="DROP"
ipt="iptables"
SPOK="–sport 1024:65535"
VIRUS_ALERT="0"

#*************************
# SETTING NETWORKING
#*************************
# Setting HOSTNAME
hostname $FW_HOSTNAME

#Setting DNS Address
echo "nameserver $FW_NAMESERVER" > /etc/resolv.conf

# Enabling IPV4 Forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# Static route
route del -net $NET_DC gw $GW_LAMA
route del -net default gw $GW_LAMA
route add -net $NET_DC gw $GW_LAMA
route add -net default gw $GW_LAMA

#Load module for FTP Connection tracking and NAT
modprobe ip_conntrack
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
modprobe iptable_nat

# Setting buffer
#DEFAULT = 65535 – Tergantung RAM size
echo $BUFFER > /proc/sys/net/ipv4/netfilter/ip_conntrack_max

# Drop ICMP echo-request messages sent to broadcast or multicast addresses
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

# Drop source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

# Enable TCP SYN cookie protection from SYN floods
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Don’t accept ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects

# Don’t send ICMP redirect messages
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects

# Enable source address spoofing protection
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# Log packets with impossible source addresses
echo $VIRUS_ALERT > /proc/sys/net/ipv4/conf/all/log_martians

#Initialization all the chains
$ipt –flush
$ipt -t nat –flush
$ipt -t mangle –flush

#Initialization the user defined chains
$ipt –delete-chain
$ipt -t nat –delete-chain
$ipt -t mangle –delete-chain

#Set policy
$ipt –policy INPUT DROP
$ipt –policy OUTPUT DROP
$ipt –policy FORWARD DROP
$ipt -t nat –policy POSTROUTING ACCEPT
$ipt -t nat –policy PREROUTING ACCEPT

#DMZ
$ipt -t nat -A PREROUTING -i $ETH_DC -p TCP –dport 80 -j DNAT –to-destination 192.168.5.10:80
$ipt -t nat -A PREROUTING -i $ETH_DC -p TCP –dport 137 -j DNAT –to-destination 192.168.5.22:137
$ipt -t nat -A PREROUTING -i $ETH_DC -p UDP –dport 137 -j DNAT –to-destination 192.168.5.22:137
$ipt -t nat -A PREROUTING -i $ETH_DC -p UDP –dport 138 -j DNAT –to-destination 192.168.5.22:138
$ipt -t nat -A PREROUTING -i $ETH_DC -p TCP –dport 139 -j DNAT –to-destination 192.168.5.22:139
$ipt -t nat -A PREROUTING -i $ETH_DC -p UDP –dport 139 -j DNAT –to-destination 192.168.5.22:139
$ipt -t nat -A PREROUTING -i $ETH_DC -p TCP –dport 445 -j DNAT –to-destination 192.168.5.22:445

#NAT untuk Local Area Network
$ipt -t nat -A POSTROUTING -o $ETH_DC -j SNAT –to-source $NAT_ADDRESS_LAN

#SSH ke FIREWALL dari DATACENTER
$ipt -A INPUT -p TCP -i $ETH_DC –dport ssh -j ACCEPT

#DMZ
$ipt -A INPUT -p TCP -m tcp $SPOK –dport 137 -j ACCEPT
$ipt -A INPUT -p UDP -m udp $SPOK –dport 137 -j ACCEPT
$ipt -A INPUT -p UDP -m udp $SPOK –dport 138 -j ACCEPT
$ipt -A INPUT -p TCP -m tcp $SPOK –dport 139 -j ACCEPT
$ipt -A INPUT -p UDP -m udp $SPOK –dport 139 -j ACCEPT
$ipt -A INPUT -p TCP -m tcp $SPOK –dport 445 -j ACCEPT
$ipt -A INPUT -p UDP -m udp $SPOK –dport 445 -j ACCEPT


#Allways allow unlimited traffic on the loopback interface
$ipt -A INPUT -p all -i lo -j ACCEPT
$ipt -A OUTPUT -p all -o lo -j ACCEPT

# Previously initiated and accepted exchanges bypass rule checking
$ipt -A INPUT -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT
$ipt -A OUTPUT -m state –state NEW,ESTABLISHED,RELATED -j ACCEPT

#Allowing PING test to this firewall and across between network
$ipt -A INPUT -p icmp -j ACCEPT
$ipt -A OUTPUT -p icmp -j ACCEPT
$ipt -A FORWARD -p icmp -j ACCEPT

#=================================
# APLIKASI PUBLIK/UMUM UTK SEMUA
#=================================
$ipt -N PUBLIK
$ipt -A FORWARD -j PUBLIK
#FTP Control Connection
$ipt -A PUBLIK -p TCP $SPOK –dport ftp -j ACCEPT
$ipt -A PUBLIK -p UDP $SPOK –dport ftp -j ACCEPT
#FTP Data Transfer
$ipt -A PUBLIK -p TCP $SPOK –dport ftp-data -j ACCEPT
$ipt -A PUBLIK -p UDP $SPOK –dport ftp-data -j ACCEPT

#SMTP
$ipt -A PUBLIK -p TCP $SPOK –dport smtp -j ACCEPT
$ipt -A PUBLIK -p TCP $SPOK –dport smtps -j ACCEPT
#IMAP
$ipt -A PUBLIK -p TCP $SPOK –dport imap -j ACCEPT
$ipt -A PUBLIK -p TCP $SPOK –dport imaps -j ACCEPT
#Web mail server
$ipt -A PUBLIK -p TCP $SPOK –dport 8080 -j ACCEPT
$ipt -A PUBLIK -p TCP $SPOK –dport 5432 -j ACCEPT
#POP3
$ipt -A PUBLIK -p TCP $SPOK –dport pop3 -j ACCEPT
$ipt -A PUBLIK -p TCP $SPOK –dport pop3s -j ACCEPT
#DNS/Domain/Name Server
$ipt -A PUBLIK -p UDP $SPOK –dport 53 -j ACCEPT
#Web access server
$ipt -A PUBLIK -p TCP $SPOK –dport http -j ACCEPT
$ipt -A PUBLIK -p TCP $SPOK –dport https -j ACCEPT
#Remote Desktop
$ipt -A PUBLIK -p TCP $SPOK –dport 3389 -j ACCEPT
#DMZ
$ipt -A PUBLIK -p TCP -m tcp $SPOK –dport 137 -j ACCEPT
$ipt -A PUBLIK -p UDP -m udp $SPOK –dport 137 -j ACCEPT
$ipt -A PUBLIK -p UDP -m udp $SPOK –dport 138 -j ACCEPT
$ipt -A PUBLIK -p TCP -m tcp $SPOK –dport 139 -j ACCEPT
$ipt -A PUBLIK -p UDP -m udp $SPOK –dport 139 -j ACCEPT
$ipt -A PUBLIK -p TCP -m tcp $SPOK –dport 445 -j ACCEPT
$ipt -A PUBLIK -p UDP -m udp $SPOK –dport 445 -j ACCEPT

#Allow previously ESTABLISHED FORWARD connection
$ipt -A FORWARD -p ALL -m state –state NEW,RELATED,ESTABLISHED -j ACCEPT

#Telnet & SSH keluar
$ipt -A OUTPUT -p TCP –dport telnet -m state –state NEW -j ACCEPT
$ipt -A OUTPUT -p TCP –dport ssh -m state –state NEW -j ACCEPT

#Allow previously connection
$ipt -A OUTPUT -s 127.0.0.1 -j ACCEPT
$ipt -A OUTPUT -p ALL -m state –state RELATED,ESTABLISHED -j ACCEPT