zbled (Apprentice)
Joined: 18 Jun 2002, Posts: 216, Location: Bukowski's Piano Bar
Posted: Sat Dec 14, 2002 10:42 am    Post subject: Iptables
Hi everybody,
I've built an iptables script and I thought it should work, at least because a friend of mine portscanned me and said everything's blocked. But there has to be a little mistake. When I start the firewall and close e.g. the jabber port (5222) in it, jabber can connect anyway...
Could someone please have a look at it and help me out?
Thanks in advance,
martin
Code:
```sh
#!/sbin/runscript
depend() {
    need ntpd
}

start() {
    ebegin "Loading iptables"
    IPTABLES="/sbin/iptables"
    modprobe ip_conntrack_ftp 1> /dev/null
    modprobe ip_nat_ftp 1> /dev/null
    IFACE='eth0'
    ANY="0.0.0.0/0"
    DNS1="195.34.133.10"
    DNS2="195.34.133.11"
    MYIP="212.186.153.74"
    UNPRIVPORTS="1024:65535"

    # set dynamic kernel parameters
    echo "0" > /proc/sys/net/ipv4/ip_forward
    echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
    echo "1" > /proc/sys/net/ipv4/conf/$IFACE/rp_filter
    # the posted script wrote "1" into these two; "0" refuses ICMP redirects
    # and source-routed packets, which is what a hardening script wants
    echo "0" > /proc/sys/net/ipv4/conf/$IFACE/accept_redirects
    echo "0" > /proc/sys/net/ipv4/conf/$IFACE/accept_source_route
    echo "1" > /proc/sys/net/ipv4/conf/$IFACE/bootp_relay
    echo "1" > /proc/sys/net/ipv4/conf/$IFACE/log_martians

    # flush the filter and nat tables and delete all user-defined chains
    $IPTABLES -F
    $IPTABLES -X
    $IPTABLES -t nat -F
    $IPTABLES -t nat -X
    # default policy: drop everything
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    # reject everything while the rules are being loaded
    # (these three rules are removed again at the end of start())
    $IPTABLES -A INPUT -j REJECT
    $IPTABLES -A OUTPUT -j REJECT
    $IPTABLES -A FORWARD -j REJECT

    # define chains ("eingehend" = inbound, "ausgehend" = outbound)
    $IPTABLES -N local
    $IPTABLES -N eingehend
    $IPTABLES -N ausgehend
    $IPTABLES -N icmp-acc
    $IPTABLES -N check-flags
    $IPTABLES -N delay-flags

    # anti-spoofing: private, multicast and reserved sources must not arrive on $IFACE
    CLASS_A="10.0.0.0/8"
    CLASS_B="172.16.0.0/12"
    CLASS_C="192.168.0.0/16"
    CLASS_D_MULTICAST="224.0.0.0/4"
    CLASS_E_RESERVED_NET="240.0.0.0/5"
    for NET in $CLASS_A $CLASS_B $CLASS_C $CLASS_D_MULTICAST $CLASS_E_RESERVED_NET; do
        $IPTABLES -A INPUT -i $IFACE -s $NET -j LOG --log-prefix "spoof: "
        $IPTABLES -A INPUT -i $IFACE -s $NET -j REJECT
    done

    # jumps
    $IPTABLES -A INPUT -s "127.0.0.1" -i lo -d "127.0.0.1" -j local
    $IPTABLES -A OUTPUT -d "127.0.0.1" -o lo -s "127.0.0.1" -j local
    $IPTABLES -A INPUT -s $ANY -j check-flags
    $IPTABLES -A INPUT -s $ANY -j delay-flags
    $IPTABLES -A INPUT -s $ANY -j eingehend
    $IPTABLES -A OUTPUT -d $ANY -j ausgehend
    # log and reject whatever none of the jumps handled
    $IPTABLES -A FORWARD -j LOG --log-prefix "unmatched FORWARD "
    $IPTABLES -A FORWARD -j REJECT
    $IPTABLES -A OUTPUT -j LOG --log-prefix "unmatched OUTPUT "
    $IPTABLES -A OUTPUT -j REJECT
    $IPTABLES -A INPUT -j LOG --log-prefix "unmatched INPUT "
    $IPTABLES -A INPUT -j REJECT

    # icmp
    $IPTABLES -A icmp-acc -p icmp --icmp-type echo-request -m limit --limit 2/s -j ACCEPT
    $IPTABLES -A icmp-acc -p icmp --icmp-type destination-unreachable -j ACCEPT
    $IPTABLES -A icmp-acc -p icmp --icmp-type source-quench -j ACCEPT
    $IPTABLES -A icmp-acc -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPTABLES -A icmp-acc -p icmp --icmp-type echo-reply -j ACCEPT
    $IPTABLES -A icmp-acc -p icmp --icmp-type redirect -j ACCEPT
    $IPTABLES -A icmp-acc -p icmp --icmp-type parameter-problem -j ACCEPT
    $IPTABLES -A icmp-acc -j LOG --log-prefix "icmp-acc "
    $IPTABLES -A icmp-acc -j REJECT

    # local rule
    $IPTABLES -A local -j ACCEPT

    # inbound rules => filter
    # =======================
    $IPTABLES -A eingehend -m state --state INVALID -j REJECT
    $IPTABLES -A eingehend -m state --state ESTABLISHED,RELATED -j ACCEPT
    # icmp
    $IPTABLES -A eingehend -p icmp -j icmp-acc
    # refuse ident
    $IPTABLES -A eingehend -p tcp --dport 113 -j REJECT
    # netbios
    $IPTABLES -A eingehend -p tcp --dport 137:139 -j REJECT
    $IPTABLES -A eingehend -p udp --dport 137:139 -j REJECT
    # rsync
    $IPTABLES -A eingehend -p tcp --dport 873 -j ACCEPT
    # icq
    $IPTABLES -A eingehend -p tcp --dport 4000:4100 -j ACCEPT
    $IPTABLES -A eingehend -p udp --dport 5190 -j ACCEPT
    # jabber
    $IPTABLES -A eingehend -p tcp --dport 5222 -j ACCEPT
    #$IPTABLES -A eingehend -p tcp --dport 5050 -j ACCEPT

    # catch and log port scanners
    $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS: "
    $IPTABLES -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j REJECT
    $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS: "
    $IPTABLES -A check-flags -p tcp --tcp-flags ALL ALL -j REJECT
    $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH: "
    $IPTABLES -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j REJECT
    $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN: "
    $IPTABLES -A check-flags -p tcp --tcp-flags ALL NONE -j REJECT
    $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST: "
    $IPTABLES -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j REJECT
    $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN: "
    $IPTABLES -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j REJECT

    # flood protection: let at most one bare RST/FIN/SYN per second continue
    # to the filter chains and drop the excess. The posted version ACCEPTed
    # the packets within the limit outright, which skipped "eingehend" and
    # let one new connection per second through to any port.
    for FLAG in RST FIN SYN; do
        $IPTABLES -A delay-flags -p tcp --tcp-flags ALL $FLAG -m limit --limit 1/second -j RETURN
        $IPTABLES -A delay-flags -p tcp --tcp-flags ALL $FLAG -j DROP
    done

    # reject the rest
    $IPTABLES -A eingehend -j LOG --log-prefix "verboten <= "
    $IPTABLES -A eingehend -j REJECT

    # outbound rules
    # ==============
    $IPTABLES -A ausgehend -m state --state INVALID -j REJECT
    $IPTABLES -A ausgehend -m state --state RELATED,ESTABLISHED -j ACCEPT
    # ping pong
    $IPTABLES -A ausgehend -p icmp -j icmp-acc
    # some general services:
    $IPTABLES -A ausgehend -p udp -d $DNS1 --dport 53 -j ACCEPT
    $IPTABLES -A ausgehend -p udp -d $DNS2 --dport 53 -j ACCEPT
    # remote services: ftp-data, ftp, ssh, telnet, smtp, pop3, http, nntp, https, ports > 1024
    $IPTABLES -A ausgehend -p tcp --dport 20 -j ACCEPT
    $IPTABLES -A ausgehend -p tcp --dport 21 -j ACCEPT
    $IPTABLES -A ausgehend -p tcp --dport 22 -j ACCEPT
    $IPTABLES -A ausgehend -p tcp --dport 23 -j ACCEPT
    $IPTABLES -A ausgehend -p tcp --dport 25 -j ACCEPT
    $IPTABLES -A ausgehend -p tcp --dport 110 -j ACCEPT
    $IPTABLES -A ausgehend -p tcp --dport 80 -j ACCEPT
    $IPTABLES -A ausgehend -p tcp --dport 119 -j ACCEPT
    $IPTABLES -A ausgehend -p tcp --dport 443 -j ACCEPT
    # note: this range also covers 5222, so it decides before the jabber rule below
    $IPTABLES -A ausgehend -p tcp --dport $UNPRIVPORTS -j ACCEPT
    # icq
    $IPTABLES -A ausgehend -p tcp --dport 4000:4100 -j ACCEPT
    $IPTABLES -A ausgehend -p udp --dport 5190 -j ACCEPT
    # jabber
    $IPTABLES -A ausgehend -p tcp --dport 5222 -j ACCEPT
    #$IPTABLES -A ausgehend -p tcp --dport 5050 -j ACCEPT
    # time => ntpd
    $IPTABLES -A ausgehend -p udp --dport 123 -j ACCEPT
    # ident
    $IPTABLES -A ausgehend -p tcp --dport 113 -j REJECT
    # rsync
    $IPTABLES -A ausgehend -p tcp --dport 873 -j ACCEPT
    # reject the rest
    $IPTABLES -A ausgehend -j LOG --log-prefix "verboten => "
    $IPTABLES -A ausgehend -j REJECT

    # remove the temporary reject-everything rules from the top of each chain
    $IPTABLES -D INPUT 1
    $IPTABLES -D FORWARD 1
    $IPTABLES -D OUTPUT 1
    eend $? "Failed to load iptables"
}

stop() {
    ebegin "Unloading iptables"
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -P INPUT ACCEPT
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD ACCEPT
    eend $?
}
```
klieber (Bodhisattva)
Joined: 17 Apr 2002, Posts: 3657, Location: San Francisco, CA
Posted: Sat Dec 14, 2002 4:38 pm    Post subject: Re: Iptables
zbled wrote:
> When I start the firewall, and close e.g. the jabber port (5222) in it, jabber can connect anyway...

Do you mean jabber can connect when you start it on your machine? If so, that's because of this line:
Code:
```sh
[snip]
$IPTABLES -A ausgehend -p tcp --dport $UNPRIVPORTS -j ACCEPT
[snip]
```
If I'm reading the rest of your script right, you jump all outbound traffic to the 'ausgehend' chain. Then, because the rule above comes before your specific port 5222 rule, the traffic gets through. BTW, if I'm reading your script right, you don't need that line at all, because you have the following line:
Code:
```sh
$IPTABLES -A ausgehend -m state --state RELATED,ESTABLISHED -j ACCEPT
```
You only need the $UNPRIVPORTS declaration if you're not using the stateful packet inspection capabilities of iptables, but you are. You should be able to dump that rule completely. (again, assuming I'm reading the rest of the script correctly)
hth
--kurt
The problem with political jokes is that they get elected
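The first-match behaviour kurt describes, as an added example that is not code from the thread: a small simulator of how iptables walks a chain from the top and stops at the first matching rule, fed the `ausgehend` rules quoted above. Only `-p`, `--dport` and `-m state` are modelled, and the "packets" are constructed dictionaries, not real traffic; `build_chain`, `walk_chain` and `tcp` are names of this example, not iptables.

```python
import re

def build_chain(keep_unpriv=True, keep_jabber=True):
    """The thread's 'ausgehend' chain, trimmed to the rules that matter here."""
    rules = [
        "-m state --state INVALID -j REJECT",
        "-m state --state RELATED,ESTABLISHED -j ACCEPT",
        "-p tcp --dport 80 -j ACCEPT",
        "-p tcp --dport 443 -j ACCEPT",
    ]
    if keep_unpriv:
        rules.append("-p tcp --dport 1024:65535 -j ACCEPT")  # the $UNPRIVPORTS rule
    if keep_jabber:
        rules.append("-p tcp --dport 5222 -j ACCEPT")        # the jabber rule
    rules.append("-j REJECT")                                 # "rest verbieten"
    return rules

def _port_in(spec, port):
    lo, _, hi = spec.partition(":")          # "80" or "1024:65535"
    return int(lo) <= port <= int(hi or lo)

def rule_matches(rule, pkt):
    """Every match option present in the rule must hold for the packet."""
    m = re.search(r"(?<!\S)-p (\w+)", rule)
    if m and m.group(1) != pkt["proto"]:
        return False
    m = re.search(r"--dport (\S+)", rule)
    if m and not _port_in(m.group(1), pkt["dport"]):
        return False
    m = re.search(r"--state (\S+)", rule)
    if m and pkt["state"] not in m.group(1).split(","):
        return False
    return True

def walk_chain(rules, pkt):
    """First-match semantics: (target, 1-based rule number), or the chain policy."""
    for n, rule in enumerate(rules, 1):
        if rule_matches(rule, pkt):
            return re.search(r"-j (\w+)", rule).group(1), n
    return "POLICY", None

def tcp(dport, state="NEW"):
    return {"proto": "tcp", "dport": dport, "state": state}  # constructed packet

if __name__ == "__main__":
    # new jabber connection, chain as posted: rule 5 accepts it, rule 6 is never reached
    print(walk_chain(build_chain(), tcp(5222)))
    # without the $UNPRIVPORTS rule and the jabber rule, the connection is rejected
    print(walk_chain(build_chain(keep_unpriv=False, keep_jabber=False), tcp(5222)))
    # packets of an already established connection still pass via the state rule
    print(walk_chain(build_chain(keep_unpriv=False, keep_jabber=False), tcp(50000, "ESTABLISHED")))
```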
zbled (Apprentice)
Joined: 18 Jun 2002, Posts: 216, Location: Bukowski's Piano Bar
Posted: Sat Dec 14, 2002 9:56 pm

Thanks a lot, it works now ;-)