Spida Tux's lil' helper
Joined: 08 Feb 2003 Posts: 97 Location: Germany
Posted: Fri Jun 20, 2003 6:21 pm Post subject: Home DSL Router (or: My Firewall Script)
I have put together an (IMO) nice and secure firewall script and want to share it for use and discussion.
The script is designed to run on a router between the internal network, WLAN and the external network (Internet).
It is quite heavy on logging and shows a bunch of scans and accesses to ports of some Windows trojans, anything that may hint at your box getting unwanted attention.
/etc/init.d/procparam
Code: |
#!/sbin/runscript
depend() {
before *
}
start() {
ebegin "Setting /proc options."
# answer unicast pings, but never broadcast pings: a box that answers
# those can be used as a smurf amplifier
/bin/echo "0" > /proc/sys/net/ipv4/icmp_echo_ignore_all
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# no source routing and no ICMP redirects from anybody
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
/bin/echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# reverse path filter on every interface: drop packets whose source address
# would not be routed back out through the interface they came in on
for i in /proc/sys/net/ipv4/conf/*; do
/bin/echo "1" > "$i/rp_filter"
done
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
# forwarding stays off until the iptables script has loaded its rules
/bin/echo "0" > /proc/sys/net/ipv4/ip_forward
eend 0
}
|
/etc/conf.d/iptables
Code: |
FIREWALL="/etc/firewall.rules"
ENABLE_FORWARDING_IPv4="yes"
SAVE_RESTORE_OPTIONS="-c"
|
/etc/init.d/iptables
Code: |
#!/sbin/runscript
# Distributed under the terms of the GNU General Public License, v2 or later
#
# Firewall Script based on
# Gentoo Security Guide
# http://www.gentoo.org/doc/en/gentoo-security.xml
# with many useful hints from
# http://www.linuxguruz.org/iptables/
#
# by Spida (at) gmx (dot) net
#
# Version History:
# 1.0 of 200306201700
# Initial Version
# 1.1 of 200306202200
# Fixed descriptions of possible options
# 1.2 of 200306292300
# Added more (commented out) debugging possibilities
#
#IP=`/sbin/ifconfig $IF | grep inet | cut -d : -f 2 | cut -d \ -f 1`
#MASK=`/sbin/ifconfig $IF | grep Mas | cut -d : -f 4`
#NET=$IP/$MASK
IPTABLES="/sbin/iptables"
IPTABLESSAVE="/sbin/iptables-save"
IPTABLESRESTORE="/sbin/iptables-restore"
DEV_INT="eth0"
IP_INT="192.168.0.1"
IP_INT_NET="192.168.0.0/24"
IP_INT_BCAST="192.168.0.255"
DEV_WLAN="eth2"
IP_WLAN="192.168.2.1"
IP_WLAN_NET="192.168.2.0/24"
IP_WLAN_BCAST="192.168.2.255"
# second subnet on the eth0:0 alias (public /26, see "server on eth0:0" below)
DEV_INT2="eth0"
IP_INT2="123.123.123.65"
IP_INT2_NET="123.123.123.64/26"
IP_INT2_BCAST="123.123.123.127"
DEV_EXT="ppp0"
IP_EXT="`ifconfig | grep P-t-P | cut -d ":" -f 2 | cut -d " " -f 1`"
IP_BCAST="255.255.255.255"
ANY="0.0.0.0/0"
DEV_LOOP="lo"
IP_LOOP="127.0.0.1"
opts="${opts} showstatus panic save restore showoptions rules"
depend() {
need net procparam
use logger
}
rules() {
ebegin "Setting internal rules"
# default policies
einfo "Setting default rule to drop"
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
# default rule
einfo "Creating states chain"
$IPTABLES -N allow-existingconnection
$IPTABLES -F allow-existingconnection
$IPTABLES -A allow-existingconnection -p ALL -s $ANY -d $ANY -m state --state ESTABLISHED,RELATED -j ACCEPT
einfo "Creating fragments chain"
$IPTABLES -N disallow-fragments
$IPTABLES -F disallow-fragments
$IPTABLES -A disallow-fragments -f -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Fragments: "
$IPTABLES -A disallow-fragments -f -j DROP
einfo "Creating invalid detection chain"
$IPTABLES -N disallow-invalid
$IPTABLES -F disallow-invalid
$IPTABLES -A disallow-invalid -m state --state INVALID -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Invalid: "
$IPTABLES -A disallow-invalid -m state --state INVALID -j DROP
einfo "Creating spoofing detection chain"
# The real anti-spoofing check is rp_filter (set in procparam); this chain
# only catches limited broadcasts arriving on the external interface.
$IPTABLES -N disallow-spoofing
$IPTABLES -F disallow-spoofing
$IPTABLES -A disallow-spoofing -p ALL -s $ANY -d $IP_BCAST -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Ext. Broadcast: "
$IPTABLES -A disallow-spoofing -p ALL -s $ANY -d $IP_BCAST -j DROP
einfo "Creating portscan detection chain (based on flags)"
$IPTABLES -N disallow-flagscan
$IPTABLES -F disallow-flagscan
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 6/minute -j LOG --log-level alert --log-prefix "FIREWALL: NMAP-XMAS:"
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL ALL -m limit --limit 6/minute -j LOG --log-level 1 --log-prefix "FIREWALL: XMAS:"
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 6/minute -j LOG --log-level 1 --log-prefix "FIREWALL: XMAS-PSH:"
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL NONE -m limit --limit 6/minute -j LOG --log-level 1 --log-prefix "FIREWALL: NULL_SCAN:"
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 6/minute -j LOG --log-level 5 --log-prefix "FIREWALL: SYN/RST:"
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 6/minute -j LOG --log-level 5 --log-prefix "FIREWALL: SYN/FIN:"
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
einfo "Creating portscan detection chain (based on ports)"
$IPTABLES -N disallow-portscan
$IPTABLES -F disallow-portscan
$IPTABLES -A disallow-portscan -p tcp --dport 7 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: echo test: "
$IPTABLES -A disallow-portscan -p tcp --dport 7 -j DROP
$IPTABLES -A disallow-portscan -p udp --dport 7 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: echo test: "
$IPTABLES -A disallow-portscan -p udp --dport 7 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 11 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: sysstat test: "
$IPTABLES -A disallow-portscan -p tcp --dport 11 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 15 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: netstat test: "
$IPTABLES -A disallow-portscan -p tcp --dport 15 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 19 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: chargen test: "
$IPTABLES -A disallow-portscan -p tcp --dport 19 -j DROP
$IPTABLES -A disallow-portscan -p udp --dport 19 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: chargen test: "
$IPTABLES -A disallow-portscan -p udp --dport 19 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 23 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: telnet test: "
$IPTABLES -A disallow-portscan -p tcp --dport 23 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 69 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: tftpd test: "
$IPTABLES -A disallow-portscan -p tcp --dport 69 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 79 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: finger test: "
$IPTABLES -A disallow-portscan -p tcp --dport 79 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 87 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: link test: "
$IPTABLES -A disallow-portscan -p tcp --dport 87 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 98 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: linuxconf test: "
$IPTABLES -A disallow-portscan -p tcp --dport 98 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 111 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: sun-rpc test: "
$IPTABLES -A disallow-portscan -p tcp --dport 111 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 520 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: route test: "
$IPTABLES -A disallow-portscan -p tcp --dport 520 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 540 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: uucp test: "
$IPTABLES -A disallow-portscan -p tcp --dport 540 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 1080 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: socks test: "
$IPTABLES -A disallow-portscan -p tcp --dport 1080 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 1114 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: sql test: "
$IPTABLES -A disallow-portscan -p tcp --dport 1114 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 2000 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: openwin test: "
$IPTABLES -A disallow-portscan -p tcp --dport 2000 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 10000 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: webmin test: "
$IPTABLES -A disallow-portscan -p tcp --dport 10000 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 6000:6063 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: X-Windows test: "
$IPTABLES -A disallow-portscan -p tcp --dport 6000:6063 -j DROP
$IPTABLES -A disallow-portscan -p udp --dport 33434:33523 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Traceroute: "
$IPTABLES -A disallow-portscan -p udp --dport 33434:33523 -j DROP
einfo "Creating trojan scan detection chain"
$IPTABLES -N disallow-trojanscan
$IPTABLES -F disallow-trojanscan
$IPTABLES -A disallow-trojanscan -p tcp --dport 6670 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Deepthroat scan: "
$IPTABLES -A disallow-trojanscan -p tcp --dport 6670 -j DROP
$IPTABLES -A disallow-trojanscan -p tcp --dport 1243 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
$IPTABLES -A disallow-trojanscan -p tcp --dport 1243 -j DROP
$IPTABLES -A disallow-trojanscan -p udp --dport 1243 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
$IPTABLES -A disallow-trojanscan -p udp --dport 1243 -j DROP
$IPTABLES -A disallow-trojanscan -p tcp --dport 6711:6713 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
$IPTABLES -A disallow-trojanscan -p tcp --dport 6711:6713 -j DROP
$IPTABLES -A disallow-trojanscan -p udp --dport 6711:6713 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
$IPTABLES -A disallow-trojanscan -p udp --dport 6711:6713 -j DROP
$IPTABLES -A disallow-trojanscan -p tcp --dport 27374 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
$IPTABLES -A disallow-trojanscan -p tcp --dport 27374 -j DROP
$IPTABLES -A disallow-trojanscan -p udp --dport 27374 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
$IPTABLES -A disallow-trojanscan -p udp --dport 27374 -j DROP
$IPTABLES -A disallow-trojanscan -p tcp --dport 12345:12346 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Netbus scan: "
$IPTABLES -A disallow-trojanscan -p tcp --dport 12345:12346 -j DROP
$IPTABLES -A disallow-trojanscan -p tcp --dport 20034 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Netbus scan: "
$IPTABLES -A disallow-trojanscan -p tcp --dport 20034 -j DROP
$IPTABLES -A disallow-trojanscan -p tcp --dport 31337:31338 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: BackOrifice scan: "
$IPTABLES -A disallow-trojanscan -p tcp --dport 31337:31338 -j DROP
$IPTABLES -A disallow-trojanscan -p udp --dport 28431 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: HackAtak2000 scan: "
$IPTABLES -A disallow-trojanscan -p udp --dport 28431 -j DROP
einfo "Creating icmp chains"
$IPTABLES -N disallow-someicmp
$IPTABLES -F disallow-someicmp
# rate-limit this LOG like the other chains, or a redirect/timestamp flood fills syslog
$IPTABLES -A disallow-someicmp -p icmp -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Bad ICMP traffic: "
$IPTABLES -A disallow-someicmp -p icmp -j DROP
$IPTABLES -N allow-someicmp
$IPTABLES -F allow-someicmp
$IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type source-quench -j disallow-someicmp
$IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type redirect -j disallow-someicmp
$IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type router-advertisement -j disallow-someicmp
$IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type router-solicitation -j disallow-someicmp
$IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type parameter-problem -j disallow-someicmp
$IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type timestamp-request -j disallow-someicmp
$IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type timestamp-reply -j disallow-someicmp
$IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type address-mask-request -j disallow-someicmp
$IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type address-mask-reply -j disallow-someicmp
einfo "Creating ping chain"
$IPTABLES -N allow-ping
$IPTABLES -F allow-ping
$IPTABLES -A allow-ping -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT
einfo "Creating ftp chain"
$IPTABLES -N allow-ftp
$IPTABLES -F allow-ftp
# 21 is the control connection. The data connections (active mode from
# server port 20, passive mode to a high port) are only matched as RELATED
# by allow-existingconnection if the ip_conntrack_ftp module is loaded.
$IPTABLES -A allow-ftp -p tcp --dport 20 -j ACCEPT
$IPTABLES -A allow-ftp -p tcp --dport 21 -j ACCEPT
einfo "Creating ssh chain"
$IPTABLES -N allow-ssh
$IPTABLES -F allow-ssh
# Flood protection: at most one new connection per second (burst 5). SYNs
# above the limit are dropped here; an unconditional ACCEPT after the
# limited rules would make the limit a no-op. Packets of connections that
# were already accepted never reach this chain, allow-existingconnection
# takes them earlier in the built-in chains.
$IPTABLES -A allow-ssh -p tcp --dport 22 --syn -m limit --limit 1/second --limit-burst 5 -j ACCEPT
$IPTABLES -A allow-ssh -p tcp --dport 22 --syn -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: ssh flood: "
$IPTABLES -A allow-ssh -p tcp --dport 22 --syn -j DROP
einfo "Creating smtp chain"
$IPTABLES -N allow-smtp
$IPTABLES -F allow-smtp
$IPTABLES -A allow-smtp -p tcp --dport 25 -j ACCEPT
einfo "Creating dns chain"
$IPTABLES -N allow-dns
$IPTABLES -F allow-dns
$IPTABLES -A allow-dns -p tcp --dport 53 -j ACCEPT
$IPTABLES -A allow-dns -p udp --dport 53 -j ACCEPT
einfo "Creating dhcp chain"
$IPTABLES -N allow-dhcp
$IPTABLES -F allow-dhcp
$IPTABLES -A allow-dhcp -p udp --dport 67 -j ACCEPT
$IPTABLES -A allow-dhcp -p udp --dport 68 -j ACCEPT
einfo "Creating http/https chain"
$IPTABLES -N allow-www
$IPTABLES -F allow-www
$IPTABLES -A allow-www -p tcp --dport 80 -j ACCEPT
$IPTABLES -A allow-www -p tcp --dport 443 -j ACCEPT
$IPTABLES -A allow-www -p tcp --dport 8080 -j ACCEPT
einfo "Creating pop3 chain"
$IPTABLES -N allow-pop3
$IPTABLES -F allow-pop3
$IPTABLES -A allow-pop3 -p tcp --dport 110 -j ACCEPT
einfo "Creating ident chains"
$IPTABLES -N allow-ident
$IPTABLES -F allow-ident
$IPTABLES -A allow-ident -p tcp --dport 113 -j ACCEPT
# Reject (not drop) ident from outside: mail and IRC servers probe 113 and
# would otherwise wait for a timeout before accepting our connection.
# A TCP RST ends that probe faster than the default ICMP port-unreachable.
$IPTABLES -N disallow-ident
$IPTABLES -F disallow-ident
$IPTABLES -A disallow-ident -p tcp --dport 113 -j REJECT --reject-with tcp-reset
einfo "Creating news chain"
$IPTABLES -N allow-news
$IPTABLES -F allow-news
$IPTABLES -A allow-news -p tcp --dport 119 -j ACCEPT
einfo "Creating ntp chain"
$IPTABLES -N allow-ntp
$IPTABLES -F allow-ntp
$IPTABLES -A allow-ntp -p udp --dport 123 -j ACCEPT
einfo "Creating smb chain"
$IPTABLES -N allow-smb
$IPTABLES -F allow-smb
# NetBIOS name (137) and datagram (138) services are UDP; only the session
# service (139) and direct-hosted SMB (445, Windows 2000 and later) use TCP
$IPTABLES -A allow-smb -p udp --dport 137 -j ACCEPT
$IPTABLES -A allow-smb -p udp --dport 138 -j ACCEPT
$IPTABLES -A allow-smb -p tcp --dport 139 -j ACCEPT
$IPTABLES -A allow-smb -p tcp --dport 445 -j ACCEPT
einfo "Creating imap chain"
$IPTABLES -N allow-imap
$IPTABLES -F allow-imap
$IPTABLES -A allow-imap -p tcp --dport 143 -j ACCEPT
$IPTABLES -A allow-imap -p tcp --dport 993 -j ACCEPT
einfo "Creating ldap chain"
$IPTABLES -N allow-ldap
$IPTABLES -F allow-ldap
$IPTABLES -A allow-ldap -p tcp --dport 389 -j ACCEPT
einfo "Creating rsync chain"
$IPTABLES -N allow-rsync
$IPTABLES -F allow-rsync
$IPTABLES -A allow-rsync -p tcp --dport 873 -j ACCEPT
einfo "Creating cvs chain"
$IPTABLES -N allow-cvs
$IPTABLES -F allow-cvs
$IPTABLES -A allow-cvs -p tcp --dport 2401 -j ACCEPT
einfo "Creating icq chain"
$IPTABLES -N allow-icq
$IPTABLES -F allow-icq
$IPTABLES -A allow-icq -p tcp --dport 5190 -j ACCEPT
einfo "Creating irc chain"
$IPTABLES -N allow-irc
$IPTABLES -F allow-irc
# 6670 is also listed as Deepthroat in disallow-trojanscan, which runs before
# this chain in FORWARD and OUTPUT, so outbound 6670 never gets this far
$IPTABLES -A allow-irc -p tcp --dport 6660:6670 -j ACCEPT
einfo "Creating teamspeak chain"
$IPTABLES -N allow-teamspeak
$IPTABLES -F allow-teamspeak
$IPTABLES -A allow-teamspeak -p udp --dport 8767 -j ACCEPT
einfo "Creating cddb chain"
$IPTABLES -N allow-cddb
$IPTABLES -F allow-cddb
$IPTABLES -A allow-cddb -p tcp --dport 8880 -j ACCEPT
einfo "Creating pgp chain"
$IPTABLES -N allow-pgp
$IPTABLES -F allow-pgp
$IPTABLES -A allow-pgp -p tcp --dport 11371 -j ACCEPT
einfo "Creating squid chain"
$IPTABLES -N allow-squid
$IPTABLES -F allow-squid
$IPTABLES -A allow-squid -p tcp --dport 3128 -j ACCEPT
# Note: disallow-portscan in FORWARD and OUTPUT also keeps the router itself
# and the LAN clients from using telnet, finger, socks, sunrpc, X11 and UDP
# traceroute. Take those two jumps out if that is not what you want.
einfo "Applying general protection to input"
$IPTABLES -A INPUT -j disallow-fragments
$IPTABLES -A INPUT -j disallow-invalid
$IPTABLES -A INPUT -j disallow-flagscan
$IPTABLES -A INPUT -j disallow-portscan
$IPTABLES -A INPUT -j disallow-trojanscan
$IPTABLES -A INPUT -j allow-existingconnection
$IPTABLES -A INPUT -j allow-someicmp
einfo "Applying general protection to forward"
$IPTABLES -A FORWARD -j disallow-fragments
$IPTABLES -A FORWARD -j disallow-invalid
$IPTABLES -A FORWARD -j disallow-flagscan
$IPTABLES -A FORWARD -j disallow-portscan
$IPTABLES -A FORWARD -j disallow-trojanscan
# PPPoE has an MTU below 1500; clamp the MSS of forwarded SYNs so that hosts
# behind broken path MTU discovery do not stall
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
$IPTABLES -A FORWARD -j allow-existingconnection
$IPTABLES -A FORWARD -j allow-someicmp
einfo "Applying general protection to output"
$IPTABLES -A OUTPUT -j disallow-fragments
$IPTABLES -A OUTPUT -j disallow-invalid
$IPTABLES -A OUTPUT -j disallow-flagscan
$IPTABLES -A OUTPUT -j disallow-portscan
$IPTABLES -A OUTPUT -j disallow-trojanscan
$IPTABLES -A OUTPUT -j allow-existingconnection
$IPTABLES -A OUTPUT -j allow-someicmp
einfo "Creating directional chains"
$IPTABLES -N external-to-fw
$IPTABLES -F external-to-fw
$IPTABLES -A INPUT -i $DEV_EXT -j external-to-fw
$IPTABLES -N fw-to-external
$IPTABLES -F fw-to-external
$IPTABLES -A OUTPUT -o $DEV_EXT -j fw-to-external
$IPTABLES -N internal-to-external
$IPTABLES -F internal-to-external
$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -j internal-to-external
$IPTABLES -A FORWARD -i $DEV_INT2 -o $DEV_EXT -j internal-to-external
$IPTABLES -N external-to-internal
$IPTABLES -F external-to-internal
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -j external-to-internal
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT2 -j external-to-internal
$IPTABLES -N internal-to-fw
$IPTABLES -F internal-to-fw
$IPTABLES -A INPUT -i $DEV_INT -j internal-to-fw
$IPTABLES -A INPUT -i $DEV_INT2 -j internal-to-fw
$IPTABLES -N fw-to-internal
$IPTABLES -F fw-to-internal
$IPTABLES -A OUTPUT -o $DEV_INT -j fw-to-internal
$IPTABLES -A OUTPUT -o $DEV_INT2 -j fw-to-internal
$IPTABLES -N external-to-wlan
$IPTABLES -F external-to-wlan
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_WLAN -j external-to-wlan
$IPTABLES -N wlan-to-external
$IPTABLES -F wlan-to-external
$IPTABLES -A FORWARD -i $DEV_WLAN -o $DEV_EXT -j wlan-to-external
$IPTABLES -N wlan-to-fw
$IPTABLES -F wlan-to-fw
$IPTABLES -A INPUT -i $DEV_WLAN -j wlan-to-fw
$IPTABLES -N fw-to-wlan
$IPTABLES -F fw-to-wlan
$IPTABLES -A OUTPUT -o $DEV_WLAN -j fw-to-wlan
$IPTABLES -N internal-to-wlan
$IPTABLES -F internal-to-wlan
$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_WLAN -j internal-to-wlan
$IPTABLES -A FORWARD -i $DEV_INT2 -o $DEV_WLAN -j internal-to-wlan
$IPTABLES -N wlan-to-internal
$IPTABLES -F wlan-to-internal
$IPTABLES -A FORWARD -i $DEV_WLAN -o $DEV_INT -j wlan-to-internal
$IPTABLES -A FORWARD -i $DEV_WLAN -o $DEV_INT2 -j wlan-to-internal
# server on eth0:0
$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_INT2 -j ACCEPT
# loopback: insert at the top of INPUT/OUTPUT, otherwise local connections
# (e.g. to portmap 111 or X 6000) are logged and dropped by disallow-portscan
$IPTABLES -I INPUT 1 -i lo -j ACCEPT
$IPTABLES -I OUTPUT 1 -o lo -j ACCEPT
# Use that for heavy debugging. Every dropped packet will be logged
# $IPTABLES -A FORWARD -j LOG --log-level info --log-prefix "FIREWALL: FORWARD: "
# $IPTABLES -A INPUT -j LOG --log-level info --log-prefix "FIREWALL: INPUT: "
# $IPTABLES -A OUTPUT -j LOG --log-level info --log-prefix "FIREWALL: OUTPUT: "
einfo "Applying rules to external-to-fw chain"
$IPTABLES -A external-to-fw -j disallow-spoofing
$IPTABLES -A external-to-fw -j disallow-ident
$IPTABLES -A external-to-fw -j allow-teamspeak
# Use that for heavy debugging. Every dropped packet will be logged
# $IPTABLES -A external-to-fw -j LOG --log-level info --log-prefix "FIREWALL: ext-to-fw: "
einfo "Applying rules to internal-to-external chain"
$IPTABLES -A internal-to-external -j allow-ping
$IPTABLES -A internal-to-external -j allow-ftp
$IPTABLES -A internal-to-external -j allow-ssh
$IPTABLES -A internal-to-external -j allow-smtp
$IPTABLES -A internal-to-external -j allow-dns
$IPTABLES -A internal-to-external -j allow-www
$IPTABLES -A internal-to-external -j allow-pop3
$IPTABLES -A internal-to-external -j allow-news
$IPTABLES -A internal-to-external -j allow-ntp
$IPTABLES -A internal-to-external -j allow-imap
$IPTABLES -A internal-to-external -j allow-ldap
$IPTABLES -A internal-to-external -j allow-rsync
$IPTABLES -A internal-to-external -j allow-cvs
$IPTABLES -A internal-to-external -j allow-squid
$IPTABLES -A internal-to-external -j allow-icq
$IPTABLES -A internal-to-external -j allow-irc
$IPTABLES -A internal-to-external -j allow-cddb
$IPTABLES -A internal-to-external -j allow-teamspeak
$IPTABLES -A internal-to-external -j allow-pgp
# Use that for heavy debugging. Every dropped packet will be logged
# $IPTABLES -A internal-to-external -j LOG --log-level info --log-prefix "FIREWALL: int-to-ext: "
einfo "Applying rules to wlan-to-external chain"
$IPTABLES -A wlan-to-external -j allow-ping
$IPTABLES -A wlan-to-external -j allow-ftp
$IPTABLES -A wlan-to-external -j allow-ssh
$IPTABLES -A wlan-to-external -j allow-smtp
$IPTABLES -A wlan-to-external -j allow-dns
$IPTABLES -A wlan-to-external -j allow-www
$IPTABLES -A wlan-to-external -j allow-pop3
$IPTABLES -A wlan-to-external -j allow-news
$IPTABLES -A wlan-to-external -j allow-ntp
$IPTABLES -A wlan-to-external -j allow-imap
$IPTABLES -A wlan-to-external -j allow-ldap
$IPTABLES -A wlan-to-external -j allow-rsync
$IPTABLES -A wlan-to-external -j allow-cvs
$IPTABLES -A wlan-to-external -j allow-squid
$IPTABLES -A wlan-to-external -j allow-icq
$IPTABLES -A wlan-to-external -j allow-irc
$IPTABLES -A wlan-to-external -j allow-cddb
$IPTABLES -A wlan-to-external -j allow-teamspeak
$IPTABLES -A wlan-to-external -j allow-pgp
# Use that for heavy debugging. Every dropped packet will be logged
# $IPTABLES -A wlan-to-external -j LOG --log-level info --log-prefix "FIREWALL: wlan-to-ext: "
einfo "Applying rules to internal-to-wlan chain"
$IPTABLES -A internal-to-wlan -j allow-ping
$IPTABLES -A internal-to-wlan -j allow-ftp
$IPTABLES -A internal-to-wlan -j allow-ssh
$IPTABLES -A internal-to-wlan -j allow-www
$IPTABLES -A internal-to-wlan -j allow-rsync
$IPTABLES -A internal-to-wlan -j allow-cvs
$IPTABLES -A internal-to-wlan -j allow-teamspeak
# Use that for heavy debugging. Every dropped packet will be logged
# $IPTABLES -A internal-to-wlan -j LOG --log-level info --log-prefix "FIREWALL: int-to-wlan: "
einfo "Applying rules to wlan-to-internal chain"
$IPTABLES -A wlan-to-internal -j allow-ping
$IPTABLES -A wlan-to-internal -j allow-ssh
# Use that for heavy debugging. Every dropped packet will be logged
# $IPTABLES -A wlan-to-internal -j LOG --log-level info --log-prefix "FIREWALL: wlan-to-int: "
einfo "Applying rules to internal-to-fw chain"
$IPTABLES -A internal-to-fw -j allow-ping
$IPTABLES -A internal-to-fw -j allow-ssh
$IPTABLES -A internal-to-fw -j allow-smtp
$IPTABLES -A internal-to-fw -j allow-dns
$IPTABLES -A internal-to-fw -j allow-dhcp
$IPTABLES -A internal-to-fw -j allow-pop3
$IPTABLES -A internal-to-fw -j allow-imap
$IPTABLES -A internal-to-fw -j allow-squid
$IPTABLES -A internal-to-fw -j allow-teamspeak
# Use that for heavy debugging. Every dropped packet will be logged
# $IPTABLES -A internal-to-fw -j LOG --log-level info --log-prefix "FIREWALL: int-to-fw: "
einfo "Applying rules to wlan-to-fw chain"
$IPTABLES -A wlan-to-fw -j allow-ping
$IPTABLES -A wlan-to-fw -j allow-ssh
$IPTABLES -A wlan-to-fw -j allow-dns
$IPTABLES -A wlan-to-fw -j allow-dhcp
$IPTABLES -A wlan-to-fw -j allow-squid
$IPTABLES -A wlan-to-fw -j allow-teamspeak
# Use that for heavy debugging. Every dropped packet will be logged
# $IPTABLES -A wlan-to-fw -j LOG --log-level info --log-prefix "FIREWALL: wlan-to-fw: "
einfo "Applying rules to fw-to-external chain"
$IPTABLES -A fw-to-external -j allow-ping
$IPTABLES -A fw-to-external -j allow-ftp
$IPTABLES -A fw-to-external -j allow-ssh
$IPTABLES -A fw-to-external -j allow-dns
$IPTABLES -A fw-to-external -j allow-www
$IPTABLES -A fw-to-external -j allow-ntp
$IPTABLES -A fw-to-external -j allow-rsync
$IPTABLES -A fw-to-external -j allow-cvs
# Use that for heavy debugging. Every dropped packet will be logged
# $IPTABLES -A fw-to-external -j LOG --log-level info --log-prefix "FIREWALL: fw-to-ext: "
einfo "Applying rules to fw-to-internal chain"
$IPTABLES -A fw-to-internal -j allow-ping
$IPTABLES -A fw-to-internal -j allow-ftp
$IPTABLES -A fw-to-internal -j allow-ssh
$IPTABLES -A fw-to-internal -j allow-smtp
$IPTABLES -A fw-to-internal -j allow-www
$IPTABLES -A fw-to-internal -j allow-pop3
$IPTABLES -A fw-to-internal -j allow-imap
$IPTABLES -A fw-to-internal -j allow-smb
# Use that for heavy debugging. Every dropped packet will be logged
# $IPTABLES -A fw-to-internal -j LOG --log-level info --log-prefix "FIREWALL: fw-to-int: "
einfo "Applying rules to fw-to-wlan chain"
$IPTABLES -A fw-to-wlan -j allow-ping
$IPTABLES -A fw-to-wlan -j allow-ftp
$IPTABLES -A fw-to-wlan -j allow-ssh
$IPTABLES -A fw-to-wlan -j allow-www
$IPTABLES -A fw-to-wlan -j allow-smb
# Use that for heavy debugging. Every dropped packet will be logged
# $IPTABLES -A fw-to-wlan -j LOG --log-level info --log-prefix "FIREWALL: fw-to-wlan: "
einfo "Applying rules to external-to-internal chain"
# Use that for heavy debugging. Every dropped packet will be logged
# $IPTABLES -A external-to-internal -j LOG --log-level info --log-prefix "FIREWALL: ext-to-int: "
$IPTABLES -A external-to-internal -j DROP
einfo "Applying rules to external-to-wlan chain"
# Use that for heavy debugging. Every dropped packet will be logged
# $IPTABLES -A external-to-wlan -j LOG --log-level info --log-prefix "FIREWALL: ext-to-wlan: "
$IPTABLES -A external-to-wlan -j DROP
einfo "Masquerading external Connections"
$IPTABLES -t nat -A POSTROUTING -o $DEV_EXT -j MASQUERADE
eend $?
}
start() {
ebegin "Starting firewall"
# Close the box before flushing: stop() resets the policies to ACCEPT,
# which would leave a window with no rules at all while rules() runs.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
for a in `cat /proc/net/ip_tables_names`; do
$IPTABLES -t $a -F
$IPTABLES -t $a -X
done
# if [ -e "${FIREWALL}" ]; then
# einfo "Restoring iptables ruleset"
# restore
# else
# einfo "${FIREWALL} does not exist. Using default rules."
rules
# fi
if [ "${ENABLE_FORWARDING_IPv4}" = "yes" ] ; then
einfo "Enabling forwarding for ipv4"
echo "1" > /proc/sys/net/ipv4/conf/all/forwarding
fi
eend $?
}
stop() {
ebegin "Stopping firewall"
# set sane defaults that disable forwarding
if [ -f /proc/sys/net/ipv4/conf/all/forwarding ] ; then
echo "0" > /proc/sys/net/ipv4/conf/all/forwarding
fi
# flush and delete every chain in every loaded table, then reset the
# built-in policies to ACCEPT (the box is wide open after this)
for a in `cat /proc/net/ip_tables_names`; do
$IPTABLES -t $a -F
$IPTABLES -t $a -X
case $a in
nat)
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
;;
mangle)
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
;;
filter)
$IPTABLES -t filter -P INPUT ACCEPT
$IPTABLES -t filter -P FORWARD ACCEPT
$IPTABLES -t filter -P OUTPUT ACCEPT
;;
esac
done
eend $?
}
showstatus() {
ebegin "Status"
$IPTABLES -L -n -v --line-numbers
einfo "NAT status"
$IPTABLES -L -n -v --line-numbers -t nat
eend $?
}
panic() {
ebegin "Setting panic rules"
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
eend $?
}
save() {
ebegin "Saving iptables state"
$IPTABLESSAVE $SAVE_RESTORE_OPTIONS > $FIREWALL
eend $?
}
restore() {
ebegin "Restoring Firewall rules"
$IPTABLESRESTORE < $FIREWALL
eend $?
}
restart() {
svc_stop; svc_start
}
showoptions() {
echo "Usage: $0 {start|stop|restart|rules|save|restore|panic|showstatus|showoptions}"
echo "start) flush everything and load the rules from rules()"
echo "stop) delete all rules and set all policies to ACCEPT (the box is open!)"
echo "rules) force settings of new rules"
echo "save) will store settings in ${FIREWALL}"
echo "restore) will restore settings from ${FIREWALL}"
echo "panic) drop everything except loopback"
echo "showstatus) Shows the status"
}
|
Last edited by Spida on Mon Jun 30, 2003 9:14 pm; edited 2 times in total
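The disallow-flagscan chain above relies on how iptables evaluates `--tcp-flags MASK COMP`: a packet matches when `(flags & MASK) == COMP`, so `ALL FIN,URG,PSH` only hits a packet whose six flag bits are exactly FIN+URG+PSH, while `SYN,RST SYN,RST` looks at two bits and ignores the rest. The following Python replay of that chain is an added example, not code from Spida's post; the rule table copies the masks and prefixes from the script, everything else (function names, the probe list) is this example's own.

```python
"""Replay of the disallow-flagscan chain's --tcp-flags tests.

Added example for this thread, not code from the original post. The rule
table below is the chain from the script in order; the match function is
the (flags & mask) == comp test that iptables applies.
"""

# TCP flag bits as they sit in the flags octet of the TCP header
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
ALL = FIN | SYN | RST | PSH | ACK | URG
NONE = 0

NAMES = {"FIN": FIN, "SYN": SYN, "RST": RST, "PSH": PSH,
         "ACK": ACK, "URG": URG, "ALL": ALL, "NONE": NONE}

# (mask, comp, log prefix) in the exact order the chain evaluates them.
# Each LOG rule is followed by a DROP with the same match, so the first
# hit decides what happens to the packet.
FLAGSCAN_RULES = [
    (ALL, FIN | URG | PSH, "NMAP-XMAS"),
    (ALL, ALL, "XMAS"),
    (ALL, SYN | RST | ACK | FIN | URG, "XMAS-PSH"),
    (ALL, NONE, "NULL_SCAN"),
    (SYN | RST, SYN | RST, "SYN/RST"),
    (SYN | FIN, SYN | FIN, "SYN/FIN"),
]


def parse_flags(text):
    """Turn an iptables-style flag list ("SYN,ACK", "ALL", "NONE") into bits."""
    value = 0
    for name in text.split(","):
        value |= NAMES[name.strip().upper()]
    return value


def tcp_flags_match(flags, mask, comp):
    """The --tcp-flags test: only the bits selected by mask are compared."""
    return (flags & mask) == comp


def classify(flags):
    """Log prefix of the first matching rule, or None when the packet falls
    through the chain to whatever comes next in INPUT/FORWARD/OUTPUT."""
    for mask, comp, prefix in FLAGSCAN_RULES:
        if tcp_flags_match(flags, mask, comp):
            return prefix
    return None


def uncaught_probe_flags():
    """Single-flag probes (nmap -sF, -sA and friends) that this chain does not
    catch; they are left to the INVALID-state check and the DROP policy."""
    return [name for name in ("FIN", "ACK", "RST", "PSH", "URG")
            if classify(NAMES[name]) is None]


if __name__ == "__main__":
    for probe in ("FIN,URG,PSH", "ALL", "NONE", "SYN,RST,ACK", "SYN,FIN",
                  "SYN", "SYN,ACK", "FIN", "ACK"):
        print(f"{probe:12} -> {classify(parse_flags(probe))}")
    print("not caught by this chain:", uncaught_probe_flags())
```

A plain SYN or SYN,ACK falls through as it should, but so do FIN-only and ACK-only probes: the chain names specific flag combinations rather than every invalid one, and those scans are only stopped by the `--state INVALID` rule and the default DROP policy that follow it.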
uzik Apprentice
Joined: 17 Apr 2003 Posts: 257
Posted: Fri Jun 20, 2003 8:48 pm Post subject:
As one poster here said, "There's a lot of background radiation."
You'll get a lot of logs from this.
It seems fairly complete to me.
I would personally tighten it up by only allowing SSH from sources where YOU might be. Don't allow it from any source. The same for other services.
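Since every LOG rule in the script is rate-limited to 6/minute, the raw log is a sample, not a count; what is still useful is which sources keep showing up and how many distinct ports each one touched, which separates a sweep from the background radiation uzik mentions. The script below is an added example, not part of any post in this thread: it parses the syslog lines the kernel LOG target writes for the script's `FIREWALL: ...` prefixes. It assumes plain syslog lines (a `kernel:` tag, optionally followed by a `[seconds]` timestamp) and the sample lines are constructed with documentation addresses, not real log data.

```python
"""Summarise the kernel LOG lines the firewall script in this thread writes.

Added example, not code from any post here. Assumes syslog lines of the form
"<date> <host> kernel: FIREWALL: <prefix>: IN=... SRC=... DPT=..." (the
script's prefixes are inconsistent about the trailing space, so both forms
are accepted). The sample log below is constructed for this example.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r"kernel:\s*(?:\[\s*\d+\.\d+\]\s*)?(?P<prefix>FIREWALL: [^:]+:)\s*(?P<rest>.*)$"
)
# KEY=value fields of the LOG target; bare flags such as DF, SYN, ACK are skipped
KV_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample: one port sweep from 203.0.113.7, trojan-port hits and an
# out-of-state packet from 192.0.2.44, and one unrelated sshd line.
SAMPLE_LOG = """\
Jun 20 18:25:01 router kernel: FIREWALL: NMAP-XMAS:IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=0 PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 URGP=0
Jun 20 18:25:02 router kernel: FIREWALL: telnet test: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP SPT=54322 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 20 18:25:02 router kernel: FIREWALL: finger test: IN=ppp0 OUT= MAC= SRC=203.0.113.7 DST=198.51.100.9 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2 DF PROTO=TCP SPT=54323 DPT=79 WINDOW=5840 RES=0x00 SYN URGP=0
Jun 20 18:26:10 router kernel: FIREWALL: Subseven scan: IN=ppp0 OUT= MAC= SRC=192.0.2.44 DST=198.51.100.9 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=9 DF PROTO=TCP SPT=3021 DPT=27374 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 20 18:26:11 router kernel: FIREWALL: Subseven scan: IN=ppp0 OUT= MAC= SRC=192.0.2.44 DST=198.51.100.9 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=10 DF PROTO=TCP SPT=3022 DPT=27374 WINDOW=16384 RES=0x00 SYN URGP=0
Jun 20 18:27:00 router kernel: FIREWALL: Invalid: IN=ppp0 OUT= MAC= SRC=192.0.2.44 DST=198.51.100.9 LEN=40 TOS=0x00 PREC=0x00 TTL=112 ID=11 PROTO=TCP SPT=80 DPT=1025 WINDOW=0 RES=0x00 ACK RST URGP=0
Jun 20 18:27:30 router sshd[1234]: Accepted publickey for spida from 192.168.0.23 port 40022 ssh2
"""


def parse_line(line):
    """Fields of one firewall log line as a dict, or None for other lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = dict(KV_RE.findall(m.group("rest")))
    # "FIREWALL: Subseven scan:" -> "Subseven scan"
    fields["PREFIX"] = m.group("prefix")[len("FIREWALL: "):].rstrip(":").strip()
    return fields


def summarize(lines):
    """Hit count per (source, prefix) and the distinct (proto, port) pairs
    each source touched."""
    hits = Counter()
    ports = defaultdict(set)
    for line in lines:
        f = parse_line(line)
        if f is None or not f.get("SRC"):
            continue
        hits[(f["SRC"], f["PREFIX"])] += 1
        if f.get("DPT"):
            ports[f["SRC"]].add((f.get("PROTO", "?"), int(f["DPT"])))
    return hits, ports


def sweeps(ports, min_ports=3):
    """Sources that hit at least min_ports distinct ports: a sweep, not noise."""
    return sorted(src for src, p in ports.items() if len(p) >= min_ports)


def report(text, min_ports=3):
    """Report lines: busiest (source, prefix) pairs first, then the sweeps."""
    hits, ports = summarize(text.splitlines())
    out = []
    for (src, prefix), n in sorted(hits.items(), key=lambda kv: (-kv[1], kv[0])):
        out.append(f"{n:4d}  {src:15}  {prefix}")
    for src in sweeps(ports, min_ports):
        touched = ", ".join(f"{proto}/{port}" for proto, port in sorted(ports[src]))
        out.append(f"sweep {src}: {touched}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it as `grep 'FIREWALL:' /var/log/messages | python3 fwlog.py` after swapping `SAMPLE_LOG` for `sys.stdin.read()`; the threshold in `sweeps()` is the knob that decides how much of the radiation you want to see.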
Diggs Apprentice
Joined: 07 Oct 2003 Posts: 239 Location: LoSt In NeT SpAcE
Posted: Sat Feb 07, 2004 3:59 am Post subject:
I'm sorry, I don't have WLAN, only:
internet -- eth0 -- box gentoo -- eth1 -- lan
The box is connected to the Internet via ADSL [ppp+].
I changed the original /etc/init.d/iptables to:
Code: |
#!/sbin/runscript
# Distributed under the terms of the GNU General Public License, v2 or later
#
# Firewall Script based on
# Gentoo Security Guide
# http://www.gentoo.org/doc/en/gentoo-security.xml
# with many useful hints from
# http://www.linuxguruz.org/iptables/
#
# by Spida (at) gmx (dot) net
#
# Version History:
# 1.0 of 200306201700
# Initial Version
# 1.1 of 200306202200
# Fixed descriptions of possible options
# 1.2 of 200306292300
# Added more (commented out) debugging possibilities
# 1.3 of 200307151000
# Added distcc, cut rights for wlan
#
#IP=`/sbin/ifconfig $IF | grep inet | cut -d : -f 2 | cut -d \ -f 1`
#MASK=`/sbin/ifconfig $IF | grep Mas | cut -d : -f 4`
#NET=$IP/$MASK
FIREWALL=/etc/firewall.rules
IPTABLES="/sbin/iptables"
IPTABLESSAVE="/sbin/iptables-save"
IPTABLESRESTORE="/sbin/iptables-restore"
DEV_INT="eth0"
IP_INT="192.168.0.1"
IP_INT_NET="192.168.0.0/24"
IP_INT_BCAST="192.168.0.255"
DEV_INT2="eth1"
IP_INT2="192.168.1.1"
IP_INT2_NET="192.168.1.0/24"
IP_INT2_BCAST="192.168.1.255"
DEV_EXT="ppp0"
IP_EXT="`ifconfig | grep P-t-P | cut -d ":" -f 2 | cut -d " " -f 1`"
IP_BCAST="255.255.255.255"
ANY="0.0.0.0/0"
DEV_LOOP="lo"
IP_LOOP="127.0.0.1"
opts="${opts} showstatus panic save restore showoptions rules"
depend() {
need net procparam
use logger
}
rules() {
ebegin "Setting internal rules"
# default policies
einfo "Setting default rule to drop"
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
# default rule
einfo "Creating states chain"
$IPTABLES -N allow-existingconnection
$IPTABLES -F allow-existingconnection
$IPTABLES -A allow-existingconnection -p ALL -s $ANY -d $ANY -m state --state ESTABLISHED,RELATED -j ACCEPT
einfo "Creating fragments chain"
$IPTABLES -N disallow-fragments
$IPTABLES -F disallow-fragments
$IPTABLES -A disallow-fragments -f -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Fragments: "
$IPTABLES -A disallow-fragments -f -j DROP
einfo "Creating invalid detection chain"
$IPTABLES -N disallow-invalid
$IPTABLES -F disallow-invalid
$IPTABLES -A disallow-invalid -m state --state INVALID -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Invalid: "
$IPTABLES -A disallow-invalid -m state --state INVALID -j DROP
einfo "Creating spoofing detection chain"
$IPTABLES -N disallow-spoofing
$IPTABLES -F disallow-spoofing
$IPTABLES -A disallow-spoofing -p ALL -s $ANY -d $IP_BCAST -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Ext. Broadcast: "
$IPTABLES -A disallow-spoofing -p ALL -s $ANY -d $IP_BCAST -j DROP
einfo "Creating portscan detection chain (based on flags)"
$IPTABLES -N disallow-flagscan
$IPTABLES -F disallow-flagscan
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 6/minute -j LOG --log-level alert --log-prefix "FIREWALL: NMAP-XMAS:"
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL ALL -m limit --limit 6/minute -j LOG --log-level 1 --log-prefix "FIREWALL: XMAS:"
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 6/minute -j LOG --log-level 1 --log-prefix "FIREWALL: XMAS-PSH:"
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL NONE -m limit --limit 6/minute -j LOG --log-level 1 --log-prefix "FIREWALL: NULL_SCAN:"
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 6/minute -j LOG --log-level 5 --log-prefix "FIREWALL: SYN/RST:"
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 6/minute -j LOG --log-level 5 --log-prefix "FIREWALL: SYN/FIN:"
$IPTABLES -A disallow-flagscan -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
einfo "Creating portscan detection chain (based on ports)"
$IPTABLES -N disallow-portscan
$IPTABLES -F disallow-portscan
$IPTABLES -A disallow-portscan -p tcp --dport 7 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: echo test: "
$IPTABLES -A disallow-portscan -p tcp --dport 7 -j DROP
$IPTABLES -A disallow-portscan -p udp --dport 7 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: echo test: "
$IPTABLES -A disallow-portscan -p udp --dport 7 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 11 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: sysstat test: "
$IPTABLES -A disallow-portscan -p tcp --dport 11 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 15 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: netstat test: "
$IPTABLES -A disallow-portscan -p tcp --dport 15 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 19 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: chargen test: "
$IPTABLES -A disallow-portscan -p tcp --dport 19 -j DROP
$IPTABLES -A disallow-portscan -p udp --dport 19 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: chargen test: "
$IPTABLES -A disallow-portscan -p udp --dport 19 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 23 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: telnet test: "
$IPTABLES -A disallow-portscan -p tcp --dport 23 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 69 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: tftpd test: "
$IPTABLES -A disallow-portscan -p tcp --dport 69 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 79 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: finger test: "
$IPTABLES -A disallow-portscan -p tcp --dport 79 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 87 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: link test: "
$IPTABLES -A disallow-portscan -p tcp --dport 87 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 98 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: linuxconf test: "
$IPTABLES -A disallow-portscan -p tcp --dport 98 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 111 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: sun-rpc test: "
$IPTABLES -A disallow-portscan -p tcp --dport 111 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 520 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: route test: "
$IPTABLES -A disallow-portscan -p tcp --dport 520 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 540 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: uucp test: "
$IPTABLES -A disallow-portscan -p tcp --dport 540 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 1080 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: socks test: "
$IPTABLES -A disallow-portscan -p tcp --dport 1080 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 1114 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: sql test: "
$IPTABLES -A disallow-portscan -p tcp --dport 1114 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 2000 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: openwin test: "
$IPTABLES -A disallow-portscan -p tcp --dport 2000 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 10000 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: webmin test: "
$IPTABLES -A disallow-portscan -p tcp --dport 10000 -j DROP
$IPTABLES -A disallow-portscan -p tcp --dport 6000:6063 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: X-Windows test: "
$IPTABLES -A disallow-portscan -p tcp --dport 6000:6063 -j DROP
$IPTABLES -A disallow-portscan -p udp --dport 33434:33523 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Traceroute: "
$IPTABLES -A disallow-portscan -p udp --dport 33434:33523 -j DROP
einfo "Creating trojan scan detection chain"
$IPTABLES -N disallow-trojanscan
$IPTABLES -F disallow-trojanscan
$IPTABLES -A disallow-trojanscan -p tcp --dport 6670 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Deepthroat scan: "
$IPTABLES -A disallow-trojanscan -p tcp --dport 6670 -j DROP
$IPTABLES -A disallow-trojanscan -p tcp --dport 1243 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
$IPTABLES -A disallow-trojanscan -p tcp --dport 1243 -j DROP
$IPTABLES -A disallow-trojanscan -p udp --dport 1243 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
$IPTABLES -A disallow-trojanscan -p udp --dport 1243 -j DROP
$IPTABLES -A disallow-trojanscan -p tcp --dport 6711:6713 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
$IPTABLES -A disallow-trojanscan -p tcp --dport 6711:6713 -j DROP
$IPTABLES -A disallow-trojanscan -p udp --dport 6711:6713 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
$IPTABLES -A disallow-trojanscan -p udp --dport 6711:6713 -j DROP
$IPTABLES -A disallow-trojanscan -p tcp --dport 27374 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
$IPTABLES -A disallow-trojanscan -p tcp --dport 27374 -j DROP
$IPTABLES -A disallow-trojanscan -p udp --dport 27374 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Subseven scan: "
$IPTABLES -A disallow-trojanscan -p udp --dport 27374 -j DROP
$IPTABLES -A disallow-trojanscan -p tcp --dport 12345:12346 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Netbus scan: "
$IPTABLES -A disallow-trojanscan -p tcp --dport 12345:12346 -j DROP
$IPTABLES -A disallow-trojanscan -p tcp --dport 20034 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: Netbus scan: "
$IPTABLES -A disallow-trojanscan -p tcp --dport 20034 -j DROP
$IPTABLES -A disallow-trojanscan -p tcp --dport 31337:31338 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: BackOrifice scan: "
$IPTABLES -A disallow-trojanscan -p tcp --dport 31337:31338 -j DROP
$IPTABLES -A disallow-trojanscan -p udp --dport 28431 -m limit --limit 6/minute -j LOG --log-level info --log-prefix "FIREWALL: HackAtak2000 scan: "
$IPTABLES -A disallow-trojanscan -p udp --dport 28431 -j DROP
einfo "Creating icmp chains"
$IPTABLES -N disallow-someicmp
$IPTABLES -F disallow-someicmp
$IPTABLES -A disallow-someicmp -p icmp -j LOG --log-prefix "FIREWALL: Bad ICMP traffic:"
$IPTABLES -A disallow-someicmp -p icmp -j DROP
$IPTABLES -N allow-someicmp
$IPTABLES -F allow-someicmp
$IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type time-exceeded -j ACCEPT
$IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type destination-unreachable -j ACCEPT
$IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type source-quench -j disallow-someicmp
$IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type redirect -j disallow-someicmp
$IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type router-advertisement -j disallow-someicmp
$IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type router-solicitation -j disallow-someicmp
$IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type parameter-problem -j disallow-someicmp
$IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type timestamp-request -j disallow-someicmp
$IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type timestamp-reply -j disallow-someicmp
$IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type address-mask-request -j disallow-someicmp
$IPTABLES -A allow-someicmp -m state --state NEW -p icmp --icmp-type address-mask-reply -j disallow-someicmp
einfo "Creating ping chain"
$IPTABLES -N allow-ping
$IPTABLES -F allow-ping
$IPTABLES -A allow-ping -m state --state NEW -p icmp --icmp-type echo-request -j ACCEPT
einfo "Creating ftp chain"
$IPTABLES -N allow-ftp
$IPTABLES -F allow-ftp
$IPTABLES -A allow-ftp -p tcp --dport 20 -j ACCEPT
$IPTABLES -A allow-ftp -p tcp --dport 21 -j ACCEPT
einfo "Creating ssh chain"
$IPTABLES -N allow-ssh
$IPTABLES -F allow-ssh
# Flood protection
$IPTABLES -A allow-ssh -m limit --limit 1/second -p tcp --tcp-flags ALL RST --dport 22 -j ACCEPT
$IPTABLES -A allow-ssh -m limit --limit 1/second -p tcp --tcp-flags ALL FIN --dport 22 -j ACCEPT
$IPTABLES -A allow-ssh -m limit --limit 1/second -p tcp --tcp-flags ALL SYN --dport 22 -j ACCEPT
$IPTABLES -A allow-ssh -p tcp --dport 22 -j ACCEPT
einfo "Creating smtp chain"
$IPTABLES -N allow-smtp
$IPTABLES -F allow-smtp
$IPTABLES -A allow-smtp -p tcp --dport 25 -j ACCEPT
einfo "Creating dns chain"
$IPTABLES -N allow-dns
$IPTABLES -F allow-dns
$IPTABLES -A allow-dns -p tcp --dport 53 -j ACCEPT
$IPTABLES -A allow-dns -p udp --dport 53 -j ACCEPT
einfo "Creating dhcp chain"
$IPTABLES -N allow-dhcp
$IPTABLES -F allow-dhcp
$IPTABLES -A allow-dhcp -p udp --dport 67 -j ACCEPT
$IPTABLES -A allow-dhcp -p udp --dport 68 -j ACCEPT
einfo "Creating http/https chain"
$IPTABLES -N allow-www
$IPTABLES -F allow-www
$IPTABLES -A allow-www -p tcp --dport 80 -j ACCEPT
$IPTABLES -A allow-www -p tcp --dport 443 -j ACCEPT
$IPTABLES -A allow-www -p tcp --dport 8080 -j ACCEPT
einfo "Creating pop3 chain"
$IPTABLES -N allow-pop3
$IPTABLES -F allow-pop3
$IPTABLES -A allow-pop3 -p tcp --dport 110 -j ACCEPT
einfo "Creating ident chain"
$IPTABLES -N allow-ident
$IPTABLES -F allow-ident
$IPTABLES -A allow-ident -p tcp --dport 113 -j ACCEPT
einfo "Creating ident chain"
$IPTABLES -N disallow-ident
$IPTABLES -F disallow-ident
$IPTABLES -A disallow-ident -p tcp --dport 113 -j REJECT
einfo "Creating news chain"
$IPTABLES -N allow-news
$IPTABLES -F allow-news
$IPTABLES -A allow-news -p tcp --dport 119 -j ACCEPT
einfo "Creating ntp chain"
$IPTABLES -N allow-ntp
$IPTABLES -F allow-ntp
$IPTABLES -A allow-ntp -p udp --dport 123 -j ACCEPT
einfo "Creating smb chain"
$IPTABLES -N allow-smb
$IPTABLES -F allow-smb
$IPTABLES -A allow-smb -p tcp --dport 137 -j ACCEPT
$IPTABLES -A allow-smb -p tcp --dport 138 -j ACCEPT
$IPTABLES -A allow-smb -p tcp --dport 139 -j ACCEPT
einfo "Creating imap chain"
$IPTABLES -N allow-imap
$IPTABLES -F allow-imap
$IPTABLES -A allow-imap -p tcp --dport 143 -j ACCEPT
$IPTABLES -A allow-imap -p tcp --dport 993 -j ACCEPT
einfo "Creating ldap chain"
$IPTABLES -N allow-ldap
$IPTABLES -F allow-ldap
$IPTABLES -A allow-ldap -p tcp --dport 389 -j ACCEPT
einfo "Creating rsync chain"
$IPTABLES -N allow-rsync
$IPTABLES -F allow-rsync
$IPTABLES -A allow-rsync -p tcp --dport 873 -j ACCEPT
einfo "Creating cvs chain"
$IPTABLES -N allow-cvs
$IPTABLES -F allow-cvs
$IPTABLES -A allow-cvs -p tcp --dport 2401 -j ACCEPT
einfo "Creating icq chain"
$IPTABLES -N allow-icq
$IPTABLES -F allow-icq
$IPTABLES -A allow-icq -p tcp --dport 5190 -j ACCEPT
einfo "Creating irc chain"
$IPTABLES -N allow-irc
$IPTABLES -F allow-irc
$IPTABLES -A allow-irc -p tcp --dport 6660:6670 -j ACCEPT
einfo "Creating teamspeak chain"
$IPTABLES -N allow-teamspeak
$IPTABLES -F allow-teamspeak
$IPTABLES -A allow-teamspeak -p udp --dport 8767 -j ACCEPT
einfo "Creating cddb chain"
$IPTABLES -N allow-cddb
$IPTABLES -F allow-cddb
$IPTABLES -A allow-cddb -p tcp --dport 8880 -j ACCEPT
einfo "Creating pgp chain"
$IPTABLES -N allow-pgp
$IPTABLES -F allow-pgp
$IPTABLES -A allow-pgp -p tcp --dport 11371 -j ACCEPT
einfo "Creating squid chain"
$IPTABLES -N allow-squid
$IPTABLES -F allow-squid
$IPTABLES -A allow-squid -p tcp --dport 3128 -j ACCEPT
einfo "Creating distcc chain"
$IPTABLES -N allow-distcc
$IPTABLES -F allow-distcc
$IPTABLES -A allow-distcc -p tcp --dport 3632 -j ACCEPT
einfo "Applying general protection to input"
$IPTABLES -A INPUT -j disallow-fragments
$IPTABLES -A INPUT -j disallow-invalid
$IPTABLES -A INPUT -j disallow-flagscan
$IPTABLES -A INPUT -j disallow-portscan
$IPTABLES -A INPUT -j disallow-trojanscan
$IPTABLES -A INPUT -j allow-existingconnection
$IPTABLES -A INPUT -j allow-someicmp
einfo "Applying general protection to forward"
$IPTABLES -A FORWARD -j disallow-fragments
$IPTABLES -A FORWARD -j disallow-invalid
$IPTABLES -A FORWARD -j disallow-flagscan
$IPTABLES -A FORWARD -j disallow-portscan
$IPTABLES -A FORWARD -j disallow-trojanscan
$IPTABLES -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
$IPTABLES -A FORWARD -j allow-existingconnection
$IPTABLES -A FORWARD -j allow-someicmp
einfo "Applying general protection to output"
$IPTABLES -A OUTPUT -j disallow-fragments
$IPTABLES -A OUTPUT -j disallow-invalid
$IPTABLES -A OUTPUT -j disallow-flagscan
$IPTABLES -A OUTPUT -j disallow-portscan
$IPTABLES -A OUTPUT -j disallow-trojanscan
$IPTABLES -A OUTPUT -j allow-existingconnection
$IPTABLES -A OUTPUT -j allow-someicmp
einfo "Creating directional chains"
$IPTABLES -N external-to-fw
$IPTABLES -F external-to-fw
$IPTABLES -A INPUT -i $DEV_EXT -j external-to-fw
$IPTABLES -N fw-to-external
$IPTABLES -F fw-to-external
$IPTABLES -A OUTPUT -o $DEV_EXT -j fw-to-external
$IPTABLES -N internal-to-external
$IPTABLES -F internal-to-external
$IPTABLES -A FORWARD -i $DEV_INT -o $DEV_EXT -j internal-to-external
$IPTABLES -A FORWARD -i $DEV_INT2 -o $DEV_EXT -j internal-to-external
$IPTABLES -N external-to-internal
$IPTABLES -F external-to-internal
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT -j external-to-internal
$IPTABLES -A FORWARD -i $DEV_EXT -o $DEV_INT2 -j external-to-internal
$IPTABLES -N internal-to-fw
$IPTABLES -F internal-to-fw
$IPTABLES -A INPUT -i $DEV_INT -j internal-to-fw
$IPTABLES -A INPUT -i $DEV_INT2 -j internal-to-fw
$IPTABLES -N fw-to-internal
$IPTABLES -F fw-to-internal
$IPTABLES -A OUTPUT -o $DEV_INT -j fw-to-internal
$IPTABLES -A OUTPUT -o $DEV_INT2 -j fw-to-internal
# loopback
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# Use that for heavy debugging. Every dropped packet will be logged
# $IPTABLES -A FORWARD -j LOG --log-level info --log-prefix "FIREWALL: FORWARD: "
# $IPTABLES -A INPUT -j LOG --log-level info --log-prefix "FIREWALL: INPUT: "
# $IPTABLES -A OUTPUT -j LOG --log-level info --log-prefix "FIREWALL: OUTPUT: "
einfo "Applying rules to external-to-fw chain"
$IPTABLES -A external-to-fw -j disallow-spoofing
$IPTABLES -A external-to-fw -j disallow-ident
$IPTABLES -A external-to-fw -j allow-teamspeak
# Use that for heavy debugging. Every dropped packet will be logged
# $IPTABLES -A external-to-fw -j LOG --log-level info --log-prefix "FIREWALL: ext-to-fw: "
einfo "Applying rules to internal-to-external chain"
$IPTABLES -A internal-to-external -j allow-ping
$IPTABLES -A internal-to-external -j allow-ftp
$IPTABLES -A internal-to-external -j allow-ssh
$IPTABLES -A internal-to-external -j allow-smtp
$IPTABLES -A internal-to-external -j allow-dns
$IPTABLES -A internal-to-external -j allow-www
$IPTABLES -A internal-to-external -j allow-pop3
$IPTABLES -A internal-to-external -j allow-news
$IPTABLES -A internal-to-external -j allow-ntp
$IPTABLES -A internal-to-external -j allow-imap
$IPTABLES -A internal-to-external -j allow-rsync
$IPTABLES -A internal-to-external -j allow-cvs
$IPTABLES -A internal-to-external -j allow-icq
$IPTABLES -A internal-to-external -j allow-irc
$IPTABLES -A internal-to-external -j allow-cddb
$IPTABLES -A internal-to-external -j allow-teamspeak
$IPTABLES -A internal-to-external -j allow-pgp
# Use that for heavy debugging. Every dropped packet will be logged
# $IPTABLES -A internal-to-external -j LOG --log-level info --log-prefix "FIREWALL: int-to-ext: "
einfo "Applying rules to fw-to-external chain"
$IPTABLES -A fw-to-external -j allow-ping
$IPTABLES -A fw-to-external -j allow-ftp
$IPTABLES -A fw-to-external -j allow-ssh
$IPTABLES -A fw-to-external -j allow-dns
$IPTABLES -A fw-to-external -j allow-www
$IPTABLES -A fw-to-external -j allow-ntp
$IPTABLES -A fw-to-external -j allow-rsync
$IPTABLES -A fw-to-external -j allow-cvs
# Use that for heavy debugging. Every dropped packet will be logged
# $IPTABLES -A fw-to-external -j LOG --log-level info --log-prefix "FIREWALL: fw-to-ext: "
einfo "Applying rules to fw-to-internal chain"
$IPTABLES -A fw-to-internal -j allow-ping
$IPTABLES -A fw-to-internal -j allow-ftp
$IPTABLES -A fw-to-internal -j allow-ssh
$IPTABLES -A fw-to-internal -j allow-smtp
$IPTABLES -A fw-to-internal -j allow-www
$IPTABLES -A fw-to-internal -j allow-pop3
$IPTABLES -A fw-to-internal -j allow-imap
$IPTABLES -A fw-to-internal -j allow-smb
$IPTABLES -A fw-to-internal -j allow-distcc
# Use that for heavy debugging. Every dropped packet will be logged
# $IPTABLES -A fw-to-internal -j LOG --log-level info --log-prefix "FIREWALL: fw-to-int: "
einfo "Applying rules to external-to-internal chain"
# Use that for heavy debugging. Every dropped packet will be logged
# $IPTABLES -A external-to-internal -j LOG --log-level info --log-prefix "FIREWALL: ext-to-int: "
$IPTABLES -A external-to-internal -j DROP
einfo "Masquerading external Connections"
$IPTABLES -t nat -A POSTROUTING -o $DEV_EXT -j MASQUERADE
eend $?
}
start() {
stop
ebegin "Starting firewall"
# if [ -e "${FIREWALL}" ]; then
# einfo "Restoring iptables ruleset"
# restore
# else
# einfo "${FIREWALL} does not exists. Using default rules."
rules
# fi
if [ "${ENABLE_FORWARDING_IPv4}" = "yes" ] ; then
einfo "Enabling forwarding for ipv4"
echo "1" > /proc/sys/net/ipv4/conf/all/forwarding
fi
eend $?
}
stop() {
ebegin "Stopping firewall"
# set sane defaults that disable forwarding
if [ -f /proc/sys/net/ipv4/conf/all/forwarding ] ; then
echo "0" > /proc/sys/net/ipv4/conf/all/forwarding
fi
for a in `cat /proc/net/ip_tables_names`; do
$IPTABLES -F -t $a
$IPTABLES -X -t $a
if [ "$a" = nat ]; then
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
elif [ "$a" = mangle ]; then
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
elif [ "$a" = filter ]; then
$IPTABLES -t filter -P INPUT ACCEPT
$IPTABLES -t filter -P FORWARD ACCEPT
$IPTABLES -t filter -P OUTPUT ACCEPT
fi
done
# Flush Built-in Rules
$IPTABLES -F INPUT
$IPTABLES -F OUTPUT
$IPTABLES -F FORWARD
# Attempt to Flush All Rules in Filter Table
$IPTABLES -F
eend $?
}
showstatus() {
ebegin "Status"
$IPTABLES -L -n -v --line-numbers
einfo "NAT status"
$IPTABLES -L -n -v --line-numbers -t nat
eend $?
}
panic() {
ebegin "Setting panic rules"
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -P FORWARD DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
eend $?
}
save() {
ebegin "Saving iptables state"
$IPTABLESSAVE $SAVE_RESTORE_OPTIONS > $FIREWALL
eend $?
}
restore() {
ebegin "Restoring Firewall rules"
$IPTABLESRESTORE < $FIREWALL
eend $?
}
restart() {
svc_stop; svc_start
}
showoptions() {
echo "Usage: $0 {start|stop|restart|rules|save|restore|panic|showstatus|showoptions}"
echo "start) will restore setting if exists else force rules"
echo "stop) delete all rules and set all to accept"
echo "rules) force settings of new rules"
echo "save) will store settings in ${FIREWALL}"
echo "restore) will restore settings from ${FIREWALL}"
echo "showstatus) Shows the status"
}
|
It works well for me; this is the output:
Code: |
gateway init.d # /etc/init.d/iptables start
* Stopping firewall... [ ok ]
* Starting firewall...
* Setting internal rules...
* Setting default rule to drop
* Creating states chain
* Creating fragments chain
* Creating invalid detection chain
* Creating spoofing detection chain
* Creating portscan detection chain (based on flags)
* Creating portscan detection chain (based on ports)
* Creating trojan scan detection chain
* Creating icmp chains
* Creating ping chain
* Creating ftp chain
* Creating ssh chain
* Creating smtp chain
* Creating dns chain
* Creating dhcp chain
* Creating http/https chain
* Creating pop3 chain
* Creating ident chain
* Creating ident chain
* Creating news chain
* Creating ntp chain
* Creating smb chain
* Creating imap chain
* Creating ldap chain
* Creating rsync chain
* Creating cvs chain
* Creating icq chain
* Creating irc chain
* Creating teamspeak chain
* Creating cddb chain
* Creating pgp chain
* Creating squid chain
* Creating distcc chain
* Applying general protection to input
* Applying general protection to forward
* Applying general protection to output
* Creating directional chains
* Applying rules to external-to-fw chain
* Applying rules to internal-to-external chain
* Applying rules to fw-to-external chain
* Applying rules to fw-to-internal chain
* Applying rules to external-to-internal chain
* Masquerading external Connections [ ok ]
* Enabling forwarding for ipv4 [ ok ]
gateway init.d #
|
_________________ IRCNET NICK: diggs on IRCNET
http://leonardo.netsons.org/
Play Tremulous! Player [!!!] Diggs [ITA]
Martijn Lettenmeijer n00b
Joined: 27 Aug 2004 Posts: 1 Location: Netherlands
Posted: Fri Aug 27, 2004 10:01 am Post subject:
This is probably a very stupid question, but I've tried to use the iptables file you guys posted above. I simply overwrote the original iptables file, but when I run /sbin/depscan.sh, it fails, giving a syntax error near a specified line, and I can't start iptables either: when I type /etc/init.d/iptables start it says "bad interpreter: No such file or directory".
I'm using kernel 2.6.8-rc1 gentoo-dev-sources and iptables v1.2.11.
Hope you guys can tell me what the hell I'm doing wrong, because I spent all morning trying everything I know.
*FIXED THE PROBLEM* It was in DOS format; dos2unix fixed it.
_________________ Exciting, eh
]Trix[ Apprentice
Joined: 27 Feb 2003 Posts: 184
Posted: Wed Dec 15, 2004 2:07 am Post subject:
HELP
Code: |
$IPTABLES -t nat -A PREROUTING -d $PUBLICIP -p tcp --dport 9176 -j DNAT --to-destination $WORKSTATION
$IPTABLES -t nat -A PREROUTING -d $PUBLICIP -p udp --dport 9176 -j DNAT --to-destination $WORKSTATION
$IPTABLES -A FORWARD -o $INTIF -d $WORKSTATION -p tcp --dport 9176 -j ACCEPT
$IPTABLES -A FORWARD -o $INTIF -d $WORKSTATION -p udp --dport 9176 -j ACCEPT
|
How would you put this in the firewall script so that it would be in the same style as the whole script?
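One way to fit a port forward like the one asked about above into the script's chain-per-service layout. This is an added example written for this thread, not code from the script's author: the chain name `allow-workstation-fwd`, the functions `create_forward_chain` and `apply_forward_rules`, and the sample addresses 203.0.113.10 (public side) and 192.168.0.10 (workstation) are assumptions to replace with your own. The point it makes is that the forwarded packet's destination is rewritten in nat/PREROUTING before the filter table sees it, so the FORWARD-side rule must match the internal host, and that the script's `external-to-internal` chain ends in an unconditional DROP, so the jump into the new chain has to be inserted in front of that DROP with `-I` rather than appended with `-A`.

```shell
#!/bin/sh
# Added example, not part of the thread's script: forward one port to a single
# workstation in the same chain-per-service style. The chain/function names and
# the sample addresses below are assumptions; adjust them to your network.
# Set IPTABLES=echo to dry-run (print the rules instead of applying them).
IPTABLES="${IPTABLES:-/sbin/iptables}"
DEV_EXT="${DEV_EXT:-ppp0}"
IP_EXT="${IP_EXT:-203.0.113.10}"           # constructed sample public address
WORKSTATION="${WORKSTATION:-192.168.0.10}"  # constructed sample internal host
FWD_PORT="${FWD_PORT:-9176}"                # the port from the question above

# Chain that admits only the forwarded service, and only to that one host,
# so nothing else on the internal network becomes reachable from outside.
create_forward_chain() {
    $IPTABLES -N allow-workstation-fwd
    $IPTABLES -F allow-workstation-fwd
    $IPTABLES -A allow-workstation-fwd -p tcp -d "$WORKSTATION" --dport "$FWD_PORT" -m state --state NEW -j ACCEPT
    $IPTABLES -A allow-workstation-fwd -p udp -d "$WORKSTATION" --dport "$FWD_PORT" -j ACCEPT
}

# DNAT runs in nat/PREROUTING, before the filter table sees the packet, so the
# FORWARD-side match is on the rewritten (internal) destination. The thread's
# external-to-internal chain ends in "-j DROP", so the jump must be inserted at
# position 1 (-I); appending it (-A) would place it behind the DROP, unreachable.
apply_forward_rules() {
    $IPTABLES -t nat -A PREROUTING -i "$DEV_EXT" -d "$IP_EXT" -p tcp --dport "$FWD_PORT" -j DNAT --to-destination "$WORKSTATION"
    $IPTABLES -t nat -A PREROUTING -i "$DEV_EXT" -d "$IP_EXT" -p udp --dport "$FWD_PORT" -j DNAT --to-destination "$WORKSTATION"
    $IPTABLES -I external-to-internal 1 -j allow-workstation-fwd
}

# Reply traffic needs no extra rule: FORWARD already jumps to
# allow-existingconnection (ESTABLISHED,RELATED) before the directional chains.
if [ "${1:-}" = "dry-run" ]; then
    IPTABLES=echo
    create_forward_chain
    apply_forward_rules
fi
```

Run it as `sh forward.sh dry-run` to see the exact rules it would issue. To integrate, call `create_forward_chain` alongside the other "Creating ... chain" blocks in `rules()` and `apply_forward_rules` after the `external-to-internal` chain has been filled, so the `-I` lands in front of its DROP. On a ppp0 link the public address changes, which is why the script derives IP_EXT from ifconfig at start rather than hard-coding it.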
dnebinger n00b
Joined: 09 Sep 2005 Posts: 2
Posted: Fri Sep 09, 2005 2:23 pm Post subject: Issues with the script...
Spida, it is quite modular and quite thorough. It represents a great job at developing a general set of rules.
But I would raise the following issues:
1. FTP support: You've allowed for the active ftp protocols on ports 20 & 21, but what about passive? This traffic will usually be on the higher ports (typically a range specified in the configuration for the ftp daemon). I do believe that if the ftp daemon tries to open a passive connection outbound it's going to get knocked off at the knees.
2. Measure the checks: The more checks that a packet goes through, the longer it will take to travel through the iptables stack. Your script has a lot of checks in it. Consider a pgp packet as it traverses all of the chains etc. that you've specified. You're probably looking at 30+ checks at least (although I haven't counted each individual check, but I'm confident it is quite a large number). That's a significant number of hops and means the packet is going to be hanging around on the box a lot longer than what it really should.
3. No detail on why the checks are ordered in the way they are (is there an order?): As #2 indicates, the increased number of checks that a packet needs to be pushed through means it will hang around on the box longer. Therefore they should be ordered to give priority to either a) heavily used ports or b) ports you want to have processed sooner rather than later.
4. No reason for accepting specific outbound traffic: I tend to prefer allowing all outbound traffic and filter on those ports that shouldn't be going outbound (i.e. dhcp responses, dns responses, ipp packets, windows networking stuff, known trojan/virus ports). It greatly reduces the number of checks outbound traffic needs to go through.
Obviously to improve the throughput you'd have to alter the script to use multiple ports on accept lines. Once you start doing that, though, you lose the modularity that you've built into the script.
The point that needs to be made is that there is no 'one iptables script fits all'. Each site, each box for that matter, has its own set of services and its own usage criteria. To that end the iptables rules will (should) always vary from box to box, whether it is a server, a desktop, a gateway, or some combination of the three.
New users looking to get their boxen online grab scripts like this thinking they are going to secure it for them, yet they don't understand the nuances of the individual rules nor how they are grouped. How many folks that grab the script are going to know what the teamspeak or pgp ports are for and whether they need them or not? How many are going to know that they've exposed their system to incoming teamspeak packets, whether they have teamspeak or not?
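Two of the issues raised above (passive FTP, and the number of checks an outbound packet walks through) can be addressed without giving up the script's structure. The following is an added example written for this thread, not code from the script's author or the commenter: it takes the TCP and UDP ports the script's `internal-to-external` chain allows one chain at a time and packs them into as few `-m multiport --dports` rules as possible, busiest ports first, and it admits passive-FTP data connections through conntrack's RELATED state instead of opening a high-port range. The function names, the `OUTBOUND_*` lists and the 15-slot limit handling are mine; the 15-port limit of multiport (a range `a:b` counts as two) and the helper module names `nf_conntrack_ftp` (current kernels) and `ip_conntrack_ftp` (2.4/2.6 kernels of this thread's era) are standard netfilter facts. Note that the thread's script already accepts RELATED in `allow-existingconnection` before the directional chains, so there the missing piece for passive FTP is only the loaded helper; the explicit RELATED rule is shown for a chain built without that.

```shell
#!/bin/sh
# Added example, not part of the thread's script: collapse the one-chain-per-
# service layout into a few multiport rules so an outbound packet is matched
# against a handful of rules instead of walking ~20 chains, and admit passive-
# FTP data connections via conntrack's RELATED state instead of opening a high-
# port range. Function/variable/chain names are assumptions.
# Set IPTABLES=echo to dry-run (print the rules instead of applying them).
IPTABLES="${IPTABLES:-/sbin/iptables}"

# Ports the thread's internal-to-external chain allows one chain at a time,
# reordered so the busiest services are matched first (the commenter's point 3).
OUTBOUND_TCP="80 443 8080 53 22 25 110 143 993 119 20 21 873 2401 5190 6660:6670 8880 11371"
OUTBOUND_UDP="53 123 8767"

# multiport takes at most 15 port slots per rule and a range a:b costs two,
# so split the list into as many --dports rules as needed.
# usage: emit_multiport_rules CHAIN PROTO PORT...
emit_multiport_rules() {
    mp_chain=$1; mp_proto=$2; shift 2
    mp_slots=0; mp_group=""
    for mp_port in "$@"; do
        case $mp_port in *:*) mp_cost=2 ;; *) mp_cost=1 ;; esac
        if [ $((mp_slots + mp_cost)) -gt 15 ]; then
            $IPTABLES -A "$mp_chain" -p "$mp_proto" -m multiport --dports "$mp_group" -m state --state NEW -j ACCEPT
            mp_slots=0; mp_group=""
        fi
        mp_group="${mp_group:+$mp_group,}$mp_port"
        mp_slots=$((mp_slots + mp_cost))
    done
    if [ -n "$mp_group" ]; then
        $IPTABLES -A "$mp_chain" -p "$mp_proto" -m multiport --dports "$mp_group" -m state --state NEW -j ACCEPT
    fi
}

# Passive FTP: the server announces a high data port on the control channel.
# With the ftp conntrack helper loaded ("modprobe nf_conntrack_ftp" on current
# kernels, ip_conntrack_ftp on the 2.4/2.6 kernels of this thread) that data
# connection is classified RELATED, so no port range has to be opened.
allow_passive_ftp() {
    $IPTABLES -A "$1" -p tcp -m state --state RELATED -j ACCEPT
}

# Build the whole outbound chain: three multiport rules plus the RELATED rule
# replace the ~20 per-service chains of the original script.
# usage: build_outbound_chain [CHAIN]
build_outbound_chain() {
    bo_chain=${1:-internal-to-external}
    $IPTABLES -N "$bo_chain"
    $IPTABLES -F "$bo_chain"
    # word-splitting of the port lists is intended here
    emit_multiport_rules "$bo_chain" tcp $OUTBOUND_TCP
    emit_multiport_rules "$bo_chain" udp $OUTBOUND_UDP
    allow_passive_ftp "$bo_chain"
}

if [ "${1:-}" = "dry-run" ]; then
    IPTABLES=echo
    build_outbound_chain
fi
```

`sh outbound.sh dry-run` prints the rules: the 18 TCP entries become two multiport rules (the first holds 15 single ports, the second the IRC range plus the two remaining ports), the UDP list one rule. The trade-off the commenter mentions is real: a consolidated rule is faster to evaluate but the log prefix and per-service on/off switch of the original chains are lost, so keep the per-service chains for anything you want to log or toggle individually.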