tomaw Guru
Joined: 26 Mar 2003 Posts: 429 Location: UK
Posted: Sat May 29, 2004 1:12 pm
OK, after playing around for a while I have the following. It doesn't include transparent proxy though, as I decided I probably don't want it anyway:
Main Changes:
Allowed a list of loopback services so local privoxy, ssh and spamd will work.
Does anyone see any security problems with what I've done?
Code:
# External interface
EXTIF=eth0
# Internal interface
INTIF1=wlan0
# Loop device/localhost
LPDIF=lo
LPDIP=127.0.0.1
LPDMSK=255.0.0.0
LPDNET="$LPDIP/$LPDMSK"
# Text tools variables
IPT='/sbin/iptables'
IFC='/sbin/ifconfig'
G='/bin/grep'
SED='/bin/sed'
# Last but not least, the users
PALM=192.168.0.2
# Deny than accept: this keeps holes from opening up
# while we close ports and such
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# Flush all existing chains and erase personal chains
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS;
do
$IPT -t $i -F
done
for i in $CHAINS;
do
$IPT -t $i -X
done
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
echo 1 > /proc/sys/net/ipv4/ip_forward
# Setting up external interface environment variables
EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTNET="$EXTIP/$EXTMSK"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
# Setting up environment variables for internal interface one
INTIP1="`$IFC $INTIF1|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC1="`$IFC $INTIF1|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK1="`$IFC $INTIF1|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET1="$INTIP1/$INTMSK1"
echo "INTIP1=$INTIP1 INTBC1=$INTBC1 INTMSK1=$INTMSK1 INTNET1=$INTNET1"
# We are now going to create a few custom chains that will result in
# logging of dropped packets. This will enable us to avoid having to
# enter a log command prior to every drop we wish to log. The
# first will be first log drops the other will log rejects.
# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl 2> /dev/null
$IPT -A DROPl -j LOG --log-prefix 'DROPl:'
$IPT -A DROPl -j DROP
$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -j LOG --log-prefix 'REJECTl:'
$IPT -A REJECTl -j REJECT
# Now we are going to accept all traffic from our loopback device
# if the IP matches any of our interfaces.
$IPT -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $INTIP1 -j ACCEPT
# Blocking Broadcasts
$IPT -A INPUT -i $EXTIF -d $EXTBC -j DROPl
$IPT -A INPUT -i $INTIF1 -d $INTBC1 -j DROPl
$IPT -A OUTPUT -o $EXTIF -d $EXTBC -j DROPl
$IPT -A OUTPUT -o $INTIF1 -d $INTBC1 -j DROPl
$IPT -A FORWARD -o $EXTIF -d $EXTBC -j DROPl
$IPT -A FORWARD -o $INTIF1 -d $INTBC1 -j DROPl
# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input going into our external interface does not originate from our isp assigned
# ip address, drop it like a hot potato
$IPT -A INPUT -i $EXTIF -d ! $EXTIP -j DROPl
# Now we will block internal addresses originating from anything but our
# two predefined interfaces. Just remember that if you jack your
# laptop or another PC into one of these NICs directly, you'll need
# to ensure that it either has the same IP or that you add a line
# explicitly allowing that IP as well
# Interface one/internal net one
$IPT -A INPUT -i $INTIF1 -s ! $INTNET1 -j DROPl
$IPT -A OUTPUT -o $INTIF1 -d ! $INTNET1 -j DROPl
$IPT -A FORWARD -i $INTIF1 -s ! $INTNET1 -j DROPl
$IPT -A FORWARD -o $INTIF1 -d ! $INTNET1 -j DROPl
# An additional Egress check
$IPT -A OUTPUT -o $EXTIF -s ! $EXTNET -j DROPl
# Block outbound ICMP (except for PING)
$IPT -A OUTPUT -o $EXTIF -p icmp \
--icmp-type ! 8 -j DROPl
$IPT -A FORWARD -o $EXTIF -p icmp \
--icmp-type ! 8 -j DROPl
# COMmon ports:
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346
# Common Trojans 12345 65535
COMBLOCK="0:1 13 98 111 137:139 161:162 445 1214 1999 2049 3049 4329 6346 3128 8000 8008 8080 12345 65535"
# TCP ports:
# 98 is Linuxconf
# 512-515 is rexec, rlogin, rsh, printer (lpd)
# [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
TCPBLOCK="$COMBLOCK 98 512:515 1080 6000:6009 6112"
# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000"
echo -n "FW: Blocking attacks to TCP port"
for i in $TCPBLOCK;
do
echo -n "$i "
$IPT -A INPUT -p tcp --dport $i -j DROPl
$IPT -A OUTPUT -p tcp --dport $i -j DROPl
$IPT -A FORWARD -p tcp --dport $i -j DROPl
done
echo ""
echo -n "FW: Blocking attacks to UDP port "
for i in $UDPBLOCK;
do
echo -n "$i "
$IPT -A INPUT -p udp --dport $i -j DROPl
$IPT -A OUTPUT -p udp --dport $i -j DROPl
$IPT -A FORWARD -p udp --dport $i -j DROPl
done
echo ""
# Opening up ftp connection tracking
MODULES="ip_nat_ftp ip_conntrack_ftp"
for i in $MODULES;
do
echo "Inserting module $i"
modprobe $i
done
# Defining some common chat clients. Remove these from your accepted list for better security.
IRC='ircd'
MSN=1863
ICQ=5190
NFS='sunrpc'
PORTAGE='rsync'
RDP=3389
YAHOO='3477 5050'
JABBER=5222
OpenPGP_HTTP_Keyserver=11371
PRIVOXY=8118
SPAMD=783
# All services ports are read from /etc/services
TCPSERV="domain ssh http https ftp ftp-data mail pop3 time $PORTAGE $IRC $MSN $OpenPGP_HTTP_Keyserver $RDP $JABBER $YAHOO"
UDPSERV="domain time"
LOTCP="ssh $PRIVOXY $SPAMD"
echo -n "FW: Allowing inside systems to use service (TCP):"
for i in $TCPSERV;
do
echo -n "$i "
$IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP \
--dport $i --syn -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 \
--dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""
echo -n "FW: Allowing inside systems to use service (UDP):"
for i in $UDPSERV;
do
echo -n "$i "
$IPT -A OUTPUT -o $EXTIF -p udp -s $EXTIP \
--dport $i -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF1 -p udp -s $INTNET1 \
--dport $i -m state --state NEW -j ACCEPT
done
echo ""
echo -n "FW: Allowing loopback access for:"
for i in $LOTCP;
do
echo -n "$i "
$IPT -A OUTPUT -o lo -p tcp --dport $i -m state --state NEW -j ACCEPT
done
echo ""
# Allow to ping out
$IPT -A OUTPUT -o $EXTIF -p icmp -s $EXTIP \
--icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF1 -p icmp -s $INTNET1 \
--icmp-type 8 -m state --state NEW -j ACCEPT
# Allow firewall to ping internal systems
$IPT -A OUTPUT -o $INTIF1 -p icmp -s $INTNET1 \
--icmp-type 8 -m state --state NEW -j ACCEPT
# External access to SSH server here
$IPT -A INPUT -i $EXTIF -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
#$IPT -t nat -A PREROUTING -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -j ACCEPT
$IPT -t nat -A OUTPUT -j ACCEPT
$IPT -A INPUT -p tcp --dport auth --syn -m state --state NEW -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# block and log what we may have forgotten
$IPT -A INPUT -j DROPl
$IPT -A OUTPUT -j REJECTl
$IPT -A FORWARD -j DROPl
_________________ Tom Wesley
Lepaca Kliffoth l33t
Joined: 28 Apr 2004 Posts: 737 Location: Florence, Italy
Posted: Sat Jun 12, 2004 1:20 pm
Up and working. Thanks!
_________________ It isn't enough to win - everyone else must lose, and you also have to rub it in their face (maybe chop off an arm too for good measure).
Animebox!
stahlsau Guru
Joined: 09 Jan 2004 Posts: 584 Location: WildWestwoods
Posted: Sat Jun 12, 2004 7:17 pm
Many thanks for your work, it's really inspiring!
Again, I learned lots of things, because I never had the ambition to do a firewall script on my own, but with this help it's fun.
omné Guru
Joined: 23 Feb 2003 Posts: 355 Location: Paris / France
Posted: Sat Jul 03, 2004 2:11 pm
Hello, I'm a total newbie about servers and all these things.
Thanks a lot.
I use the script, and everything seems to work well but I can't ssh in any way.
Neither from server to my computer nor the other way.
I set up ssh from this howto: http://gentoo-wiki.com/HOWTO_setup_a_home-server#Configuring_ssh
My config:
       -------
      |  net  |
       -------
          |
      MYIP (eth0)
          |
  ---------------------
 |       server        |
  ---------------------
     |             |
 192.168.1.1   192.168.2.1
   (eth1)        (eth2)
     |             |
     |             |
 192.168.1.10  192.168.2.10
     |             |
  -----------   ------------------
 | My comp  |  | Friends laptop  |
  -----------   ------------------
How can I ssh from net to server, from My comp to server?
Can this script deal with dnsmasq, explained here: http://gentoo-wiki.com/HOWTO_setup_a_home-server#Using_dnsmasqserver ?
For friends to just connect their laptop.
Again thanks
Némo.
[EDIT]
Solved my problem, it was just that I had to comment the
Code:
#EXTBC="255.255.255.255"
Now trying to get my mldonkey and jabber working
ragdon n00b
Joined: 18 Apr 2004 Posts: 18
Posted: Thu Aug 05, 2004 12:05 pm Post subject: samba
Hi,
I've used your script, but cannot see my samba drive on a networked PC. By using another firewall script (jay's I think) I can. Will part three discuss how to allow samba drives to be seen?
I've tried allowing TCP and UDP access to ports 137:139 but it doesn't seem to work.
cheers,
Roger
krunk Guru
Joined: 27 Jul 2003 Posts: 316
Posted: Thu Aug 05, 2004 11:06 pm
Damn, I've let this lie for quite a while but so many people are still referring to it I need to update it this weekend.
With Samba, it would be a matter of opening up the proper port. A quick google search says these are 138 and 139.
_________________ G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone ]
Dual G5
iPod 3rd generation
raistlinr n00b
Joined: 08 Aug 2004 Posts: 2 Location: colorado
Posted: Sun Aug 08, 2004 7:15 am
hello all. this is actually my first post on these forums. I was actually searching on how to compile the kernel with iptables capability, and I found this and part I. I was intrigued and just kept on reading. Someone had asked some question about DHCP assigned IP address for the external, and I thought I would post the firewall I have used. The guy who helped me write it wrote it for Fedora Core 2, but you should be able to change the saving method, and the rest still works fine (unless some weird rule change has happened). I think it is pretty well commented.
edit: by the way I use all kinds of internal servers such as samba with this setup, never had a problem. And I am using the machine this is on as a firewall/router
#!/bin/sh
#
# Save this to /root/iptables-gw
#
# For a system to function as a firewall the kernel has to be told to forward
# packets between interfaces, i.e., it needs to be a router. Since you'll save
# the running config with 'iptables save' for RedHat to reinstate at the next
# boot, IP forwarding must be enabled by other than this script for production
# use. That's best done by editing /etc/sysctl.conf and setting:
#
# net.ipv4.ip_forward = 1
#
# Since that file will only be read at boot, you can uncomment the following
# line to enable forwarding on the fly for initial testing. Just remember that
# the saved iptables data won't include the command.
#
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# service iptables save
#
# which saves the running ruleset to /etc/sysconfig/iptables. When
# /etc/init.d/iptables executes it will see the file and restore the rules.
#
# I find it easier to modify this file and run it (make sure it is executable
# with 'chmod +x iptables-gw') to change the rulesets, rather than
# modifying the running rules. That way I have a readable record
# of the firewall configuration.
#
# Set an absolute path to IPTABLES and define the interfaces.
#
IPT=iptables
#
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.
#
OUTSIDE=eth0
INSIDE=eth1
INSIDE_IP=192.168.0.1
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.
#
# silent - Just drop the packet
# tcpflags - Log packets with bad flags, most likely an attack
# firewalled - Log packets that we refuse, possibly from an attack
#
$IPT -N silent
$IPT -A silent -j DROP
$IPT -N tcpflags
$IPT -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPT -A tcpflags -j DROP
$IPT -N firewalled
$IPT -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPT -A firewalled -j DROP
#
# Use NPAT if you have a dynamic IP. Otherwise comment out the following
# line and use the Source NAT below.
#
$IPT -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Use Source NAT to do the NPAT if you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
#$IPT -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 1.2.3.4
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewalled
#
# Don't leak SMB traffic onto the Internet. We've slipped the surly bonds of windows
# and are dancing on the silvery wings of Linux.
#
$IPT -A FORWARD -p udp --dport 137 -j silent
$IPT -A FORWARD -p udp --dport 138 -j silent
$IPT -A FORWARD -p udp --dport 139 -j silent
$IPT -A FORWARD -p udp --dport 445 -j silent
#
# If you want to be able to connect via SSH from the Internet
# uncomment the next line.
#
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
# Examples of Port forwarding.
#
# The first forwards HTTP traffic to 10.0.0.10
# The second forwards SSH to 10.0.0.10
# The third forwards a block of tcp and udp ports (2300-2400) to 10.0.0.10
#
# Remember that if you intend to forward something that you'll also
# have to add a rule to permit the inbound traffic.
#
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 10.0.0.10
#
# Examples of allowing inbound for the port forwarding examples above.
#
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
#
# The loopback interface is inherently trustworthy. Don't disable it or
# a number of things on the firewall will break.
#
$IPT -A INPUT -i lo -j ACCEPT
#
# Uncomment the following if the inside machines are trustworthy and
# there are services on the firewall, like DNS, web, etc., that they need to
# access. And remember to change the IP to be that of the INSIDE interface
# of the firewall.
#
$IPT -A INPUT -i $INSIDE -d $INSIDE_IP -j ACCEPT
#
# If you are running a DHCP server on the firewall uncomment the next line
#
$IPT -A INPUT -i $INSIDE -d 255.255.255.255 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
$IPT -A INPUT -j firewalled
59729 Apprentice
Joined: 21 Jun 2004 Posts: 279
Posted: Mon Aug 09, 2004 8:50 am
A question, if all DEFAULT POLICIES are set to 'DROP' why have all those REJECT/DROP rules... aren't they redundant?
raistlinr n00b
Joined: 08 Aug 2004 Posts: 2 Location: colorado
Posted: Mon Aug 09, 2004 5:02 pm
lappen wrote:
> A question, if all DEFAULT POLICIES are set to 'DROP' why have all those REJECT/DROP rules... aren't they redundant?
Indeed they are. The only reason I do both is so that if I forget to firewall something important, I don't get fried. I suppose the rest of it is just an exercise in how to build a firewall. Either way, it seems to be fairly common practice, talking to the CS guys who run the labs at CU. Here are a couple more examples of people doing it as well:
http://www.faqs.org/docs/iptables/examplecode.html
http://www.linux-sec.net/Wireless/Install-HOWTO/other-config-files/rc.firewall
I am also told it is a way to keep track in your mind what you want to allow and what you don't after setting the defaults. Better safe than sorry.
[smeagol] Apprentice
Joined: 24 Oct 2002 Posts: 152
Posted: Tue Aug 10, 2004 6:57 am
Does anyone know what specifically it takes to get this script working with DHCP?
When I set
Code:
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP
nothing works. However, once I change it to ACCEPT, things work fine.
When I have it set to drop, it seems that I can access the dhcp server(on my router) and get assigned an ip, but then the router itself can't seem to get anything from the dhcp server at the ISP.
this is the code I am using to open up output ports
Code:
echo -n "FW: Allowing inside system to use service"
for i in $TCPSERVOUT
do
echo -n "$i "
$IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF -p tcp -s $INTNET --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""
for i in $UDPSERVOUT
do
echo -n "$i "
$IPT -A OUTPUT -o $EXTIF -p udp -s $EXTIP --dport $i -m state --state NEW -j ACCEPT
# --syn is TCP-only and "-state" was a typo for "--state"; as posted this rule never loaded
$IPT -A FORWARD -i $INTIF -p udp -s $INTNET --dport $i -m state --state NEW -j ACCEPT
done
echo ""
Where $TCPSERVOUT and $UDPSERVOUT would have the ports to output to, mine are:
Code:
TCPSERVOUT="mysql bootps domain ssh www https mail ftp ftp-data imaps imap3 time $DHCP"
UDPSERVOUT="bootps domain time $YAHOO $DHCP"
I defined $DHCP as 67
_________________ In God We Trust, All Others We monitor.
john82382 n00b
Joined: 13 Aug 2004 Posts: 6
Posted: Fri Aug 13, 2004 2:55 pm
raistlinr wrote:
> lappen wrote:
> > A question, if all DEFAULT POLICIES are set to 'DROP' why have all those REJECT/DROP rules... aren't they redundant?
> Indeed they are. The only reason I do both is so that if I forget to firewall something important, I don't get fried. I suppose the rest of it is just an exercise in how to build a firewall. Either way, it seems to be fairly common practice, talking to the CS guys who run the labs at CU. Here are a couple more examples of people doing it as well:
> http://www.faqs.org/docs/iptables/examplecode.html
> http://www.linux-sec.net/Wireless/Install-HOWTO/other-config-files/rc.firewall
> I am also told it is a way to keep track in your mind what you want to allow and what you don't after setting the defaults. Better safe than sorry.
Also, isn't it good for logging and analysis to have what is dropped or rejected be separated into different categories?
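The DROPl:/REJECTl: prefixes that tomaw's script at the top of this thread attaches to its LOG rules are what make the separation john82382 asks about usable: each category can be counted on its own from the kernel log. The following is an added example, not code from the thread, that summarises such log lines by prefix, protocol, destination port and source. The sample lines are constructed in the format the iptables LOG target writes to syslog; the /var/log/messages path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): summarise kernel LOG lines produced by
# the DROPl:/REJECTl: chains, grouped by prefix, protocol, destination port
# and source, so dropped and rejected traffic can be analysed separately.
# Usage: summarize_fw_log < /var/log/messages   (path is an assumption)

summarize_fw_log() {
    # Keep only lines carrying one of the script's log prefixes and pull the
    # SRC=, PROTO= and DPT= tokens out of the LOG target's key=value fields.
    awk '
        /DROPl:|REJECTl:/ {
            prefix = ($0 ~ /DROPl:/) ? "DROPl" : "REJECTl"
            src = ""; proto = ""; dpt = "-"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/)   src   = substr($i, 5)
                if ($i ~ /^PROTO=/) proto = substr($i, 7)
                if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
            }
            count[prefix " " proto " " dpt " " src]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample log lines (not real traffic) in iptables LOG format.
SAMPLE_LOG='May 29 13:12:01 gw kernel: DROPl:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40211 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
May 29 13:12:02 gw kernel: DROPl:IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=0 DF PROTO=TCP SPT=40212 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
May 29 13:12:05 gw kernel: REJECTl:IN= OUT=eth0 SRC=198.51.100.2 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=6000 WINDOW=5840 RES=0x00 SYN URGP=0
May 29 13:12:09 gw kernel: DROPl:IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=28 TOS=0x00 PREC=0x00 TTL=50 ID=0 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
May 29 13:12:10 gw sshd[123]: Accepted publickey for tom from 192.168.0.2 port 5000 ssh2'

# fw_log_count "PREFIX PROTO DPT SRC": number of logged packets for one key
# in the sample, for scripted checks; prints nothing if the key never occurred.
fw_log_count() {
    printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log |
        awk -v key="$1" '($2 " " $3 " " $4 " " $5) == key { print $1; exit }'
}

printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log
```

Because the two chains log before they drop or reject, the counts are per packet, not per connection; and if the LOG rules are given a -m limit as in raistlinr's script further up, the counts become a lower bound.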
neurolabs n00b
Joined: 16 Apr 2003 Posts: 13
Posted: Mon Aug 16, 2004 1:06 am
nice guide, it helped me improve my setup...
I have extended the script to allow (internal and external) services on the firewall, p2p clients, cleaned it up a bit and made it more flexible.
Since I don't want to post the script inline and don't want to maintain it on a server I'll pm the author so he can integrate my changes. If anyone can't wait, feel free to pm me...
[edit]
I discovered a mistake in the script. These lines:
Quote:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
should look like this:
Quote:
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
else the script won't run non-interactively, e.g. from /etc/ppp/ip-up
also you should probably use these lines for generation of network information, since they work on localized machines as well:
Quote:
# Setting up external interface environment variables
EXTIP="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
EXTBC="255.255.255.255"
EXTMSK="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"
EXTNET="$EXTIP/$EXTMSK"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
# Setting up environment variables for internal interface
INTIP="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
INTBC="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[3],a," ");print a[1];exit}'`"
INTMSK="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"
INTNET="$INTIP/$INTMSK"
echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET"
[/edit]
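neurolabs's point about localized ifconfig output deserves checking in isolation, because a grep for addr: on a non-English locale yields an empty EXTIP, iptables then rejects every rule that mentions -s $EXTIP or -d ! $EXTIP, and the script carries on without them, silently weakening the policy. The block below is an added example, not neurolabs's or tomaw's code: it reproduces the original grep/sed pipeline, the positional awk extraction that ignores the labels, an IPv4 sanity check, and a loader that refuses to continue when the address cannot be parsed. The English and German ifconfig samples are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: parsing ifconfig output for the
# firewall's address variables in a way that survives localized labels, and
# refusing to load rules when the parse fails.

# Constructed samples of net-tools ifconfig output, English and German locale.
ifconfig_sample_en() {
    cat <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
EOF
}
ifconfig_sample_de() {
    cat <<'EOF'
eth0      Protokoll:Ethernet  Hardware Adresse 00:11:22:33:44:55
          inet Adresse:192.168.0.1  Bcast:192.168.0.255  Maske:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metrik:1
EOF
}

# The pipeline from the original script: depends on the English label "addr:".
legacy_addr() {
    grep addr: | sed 's/.*addr:\([^ ]*\) .*/\1/'
}

# iface_field N: the Nth value on the "inet" line (1=address, 2=broadcast or
# point-to-point peer, 3=netmask).  Labels are skipped by splitting on ":" and
# taking the token after it, so the locale of the labels does not matter.
iface_field() {
    awk -v n="$1" '
        $1 == "inet" {
            m = split($0, parts, ":")
            if (n + 1 <= m) { split(parts[n + 1], v, /[ \t]+/); print v[1] }
            exit
        }'
}

# is_ipv4 STRING: true only for four decimal octets in 0..255; an empty
# string fails, which is the case that matters for fail-closed loading.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF == 4 { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1; exit 0 }
        { exit 1 }'
}

# load_iface_vars TEXT: set EXTIP/EXTBC/EXTMSK/EXTNET from ifconfig text, or
# return 1 so the caller can abort before any rule is built from an empty value.
load_iface_vars() {
    EXTIP=$(printf '%s\n' "$1" | iface_field 1)
    EXTBC=$(printf '%s\n' "$1" | iface_field 2)
    EXTMSK=$(printf '%s\n' "$1" | iface_field 3)
    if ! is_ipv4 "$EXTIP" || ! is_ipv4 "$EXTMSK"; then
        echo "FW: cannot parse external interface, refusing to load rules" >&2
        return 1
    fi
    EXTNET="$EXTIP/$EXTMSK"
    return 0
}

# Demonstration: the legacy pipeline works in English and comes back empty in German.
echo "legacy en: $(ifconfig_sample_en | legacy_addr)"
echo "legacy de: '$(ifconfig_sample_de | legacy_addr)'"
load_iface_vars "$(ifconfig_sample_de)" && echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
```

Field 2 is only a broadcast address on a broadcast interface; on a PPP link ifconfig prints the peer address in that position, which is why neurolabs hard-codes EXTBC and omné had to comment that line out. The loader therefore only insists on the address and netmask, and a script calling it should exit when it returns non-zero rather than go on to build rules.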
imrambi Tux's lil' helper
Joined: 12 Feb 2004 Posts: 116
Posted: Wed Aug 18, 2004 2:26 pm
Hey krunk, sorry but this is month 8. Anywho, I just started using your post to set up my firewall. Going from a linksys to a gentoo server/router. Part I was a great help, and once I've tightened security, my change will occur.
cato` Guru
Joined: 03 Jun 2002 Posts: 430 Location: Norway, Trondheim
Posted: Sun Aug 22, 2004 3:44 pm
[smeagol] wrote:
> Does anyone know what specifically it takes to get this script working with DHCP?
> When I set
> Code:
> iptables -A INPUT -j DROP
> iptables -A FORWARD -j DROP
> iptables -A OUTPUT -j DROP
> nothing works. However, once I change it to ACCEPT, things work fine.
> When I have it set to drop, it seems that I can access the dhcp server (on my router) and get assigned an ip, but then the router itself can't seem to get anything from the dhcp server at the ISP.
> this is the code I am using to open up output ports
> Code:
> echo -n "FW: Allowing inside system to use service"
> for i in $TCPSERVOUT
> do
> echo -n "$i "
> $IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT
> $IPT -A FORWARD -i $INTIF -p tcp -s $INTNET --dport $i --syn -m state --state NEW -j ACCEPT
> done
> echo ""
> for i in $UDPSERVOUT
> do
> echo -n "$i "
> $IPT -A OUTPUT -o $EXTIF -p udp -s $EXTIP --dport $i -m state --state NEW -j ACCEPT
> # --syn is TCP-only and "-state" was a typo for "--state"; as posted this rule never loaded
> $IPT -A FORWARD -i $INTIF -p udp -s $INTNET --dport $i -m state --state NEW -j ACCEPT
> done
> echo ""
> Where $TCPSERVOUT and $UDPSERVOUT would have the ports to output to, mine are:
> Code:
> TCPSERVOUT="mysql bootps domain ssh www https mail ftp ftp-data imaps imap3 time $DHCP"
> UDPSERVOUT="bootps domain time $YAHOO $DHCP"
> I defined $DHCP as 67
I have exactly the same problem, anyone able to help us out?
_________________ Don't mess with the Penguin.
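What [smeagol] and cato` are running into is that DHCP does not look like the rest of the script's traffic. The client speaks UDP from port 68 to server port 67 and, until it holds a lease, sends from 0.0.0.0 to 255.255.255.255; the server's offer comes back to port 68, usually as a broadcast as well (RFC 2131). In the script above those packets are caught by the broadcast DROPl rules and the -d ! $EXTIP and -s ! $EXTNET checks, and the NEW-state ACCEPT loops cannot match them because they are keyed to $EXTIP, which is exactly what is not known yet. The block below is an added example, not code from the thread: it emits the client-side rules for the external interface and the server-side rules for the inside interface through $IPT so they can be dry-run with IPT=echo. FW_APPLY and the interface names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: DHCP rules for a firewall whose
# external address comes from the ISP's DHCP server.  Dry-run by default; set
# FW_APPLY=1 to run through /sbin/iptables (both knobs are this example's own).
if [ "${FW_APPLY:-0}" = 1 ]; then IPT=/sbin/iptables; else IPT=${IPT:-echo}; fi

# Rules for the firewall acting as a DHCP *client* on the external interface.
# Client -> server is UDP 68 -> 67, server -> client is UDP 67 -> 68.  Before a
# lease exists the source is 0.0.0.0 and the destination 255.255.255.255, so
# no -s/-d address match is possible; the interface and port pair are the
# whole match.  "-I ... 1" puts the rules ahead of the broadcast and egress
# DROPl checks, which would otherwise swallow the exchange.
dhcp_client_rules() {
    ext="$1"
    $IPT -I OUTPUT 1 -o "$ext" -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -I INPUT 1 -i "$ext" -p udp --sport 67 --dport 68 -j ACCEPT
}

# Rules for a DHCP *server* running on the firewall for the inside interface
# (the "-d 255.255.255.255" INPUT line in raistlinr's script covers the same
# need more broadly; this version is limited to the DHCP port pair).
dhcp_server_rules() {
    int="$1"
    $IPT -I INPUT 1 -i "$int" -p udp --sport 68 --dport 67 -j ACCEPT
    $IPT -I OUTPUT 1 -o "$int" -p udp --sport 67 --dport 68 -j ACCEPT
}

# rule_count GENERATOR IFACE: how many ACCEPT rules a generator emits in dry-run
# mode; a quick check that nothing wider than the DHCP port pair is opened.
rule_count() {
    "$@" | grep -c -- '-j ACCEPT'
}

dhcp_client_rules eth0
dhcp_server_rules eth1
```

Whether these packets ever traverse INPUT and OUTPUT depends on the DHCP client: one that sends and receives over packet sockets bypasses netfilter entirely, one that uses ordinary UDP sockets does not, and the rules are narrow enough to be harmless in either case. Inserting at position 1 is the placement that works with the original rule order; appending them at the end, after the catch-all DROPl, would do nothing.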
[smeagol] Apprentice
Joined: 24 Oct 2002 Posts: 152
Posted: Mon Aug 23, 2004 3:22 am
Well, I think I made a typo somewhere in there. Here's a copy of my working iptables
Code:
####
#Std Vars
####
EXTIF=eth0
INTIF1=eth1
LPDIF=lo
LPDIP=127.0.0.1
LPDMSK=255.0.0.0
LPDNET="$LPDIP/$LPDMSK"
IPT='/sbin/iptables'
IFC='/sbin/ifconfig'
G='/bin/grep'
SED='/bin/sed'
####
#Hostnames
####
C20='10.0.0.20'
C12='10.0.0.12'
C17='10.0.0.17'
C32='10.0.0.32'
####
#Deny EVERYTHING
####
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
####
#Flush Existing Chains
####
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS;
do
$IPT -t $i -F
done
for i in $CHAINS;
do
$IPT -t $i -X
done
####
#/proc Settings
####
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/ip_forward
####
#Interface Variables
####
EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTNET="$EXTIP/$EXTMSK"
INTIP1="`$IFC $INTIF1|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC1="`$IFC $INTIF1|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK1="`$IFC $INTIF1|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET1="$INTIP1/$INTMSK1"
####
#Logging
####
$IPT -N DROPl 2> /dev/null
$IPT -A DROPl -j LOG --log-prefix 'DROPl:'
$IPT -A DROPl -j DROP
$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -j LOG --log-prefix 'REJECTl:'
$IPT -A REJECTl -j REJECT
####
#Lax Loopback Filters
####
$IPT -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $INTIP1 -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -d $LPDIP -j ACCEPT
$IPT -A OUTPUT -o $INTIF1 -d $INTIP1 -j ACCEPT
$IPT -A OUTPUT -o $EXTIF -d $EXTIP -j ACCEPT
####
#Blocking Broadcasts Both In and Out
####
$IPT -A INPUT -i $EXTIF -d $EXTBC -j DROPl
$IPT -A INPUT -i $INTIF1 -d $INTBC1 -j DROPl
$IPT -A OUTPUT -o $EXTIF -d $EXTBC -j DROPl
$IPT -A OUTPUT -o $INTIF1 -d $INTBC1 -j DROPl
$IPT -A FORWARD -o $EXTIF -d $EXTBC -j DROPl
$IPT -A FORWARD -o $INTIF1 -d $INTBC1 -j DROPl
# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input going into our external interface does not originate from our isp assigned
# ip address, drop it like a hot potato
$IPT -A INPUT -i $EXTIF -d ! $EXTIP -j DROPl
# Now we will block internal addresses originating from anything but our
# two predefined interfaces. Just remember that if you jack your
# laptop or another PC into one of these NICs directly, you'll need
# to ensure that it either has the same IP or that you add a line
# explicitly allowing that IP as well
# Interface one/internal net one
$IPT -A INPUT -i $INTIF1 -s ! $INTNET1 -j DROPl
$IPT -A OUTPUT -o $INTIF1 -d ! $INTNET1 -j DROPl
$IPT -A FORWARD -i $INTIF1 -s ! $INTNET1 -j DROPl
$IPT -A FORWARD -o $INTIF1 -d ! $INTNET1 -j DROPl
# An additional Egress check
$IPT -A OUTPUT -o $EXTIF -s ! $EXTNET -j DROPl
# Block outbound ICMP (except for PING)
$IPT -A OUTPUT -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl
$IPT -A FORWARD -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl
####
#Blocking Bad Ports
####
# COMmon ports:
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346
# Common Trojans 12345 65535
COMBLOCK="0:1 13 98 111 137:139 161:162 445 1214 1999 2049 3049 4329 6346 3128 8000 8008 8080 12345 65535"
# TCP ports:
# 98 is Linuxconf
# 512-515 is rexec, rlogin, rsh, printer (lpd)
# [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
TCPBLOCK="$COMBLOCK 98 512:515 1080 6000:6009 6112"
# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000"
for i in $TCPBLOCK;
do
$IPT -A INPUT -p tcp --dport $i -j DROPl
$IPT -A OUTPUT -p tcp --dport $i -j DROPl
$IPT -A FORWARD -p tcp --dport $i -j DROPl
done
for i in $UDPBLOCK;
do
$IPT -A INPUT -p udp --dport $i -j DROPl
$IPT -A OUTPUT -p udp --dport $i -j DROPl
$IPT -A FORWARD -p udp --dport $i -j DROPl
done
################################
# Outside Server Filtering crap#
################################
$IPT -N INETIN
$IPT -F INETIN
$IPT -t filter -A INETIN -p icmp --icmp-type echo-request -m limit --limit 1/second --limit-burst 5 -j ACCEPT
$IPT -t filter -A INETIN -p icmp -j DROPl
$IPT -t filter -A INETIN -p icmp --icmp-type ! echo-request -j ACCEPT
#ODD TCP occurences
$IPT -t filter -N ODDTCP
$IPT -t filter -A INETIN -p tcp --tcp-flags SYN,FIN SYN,FIN -j ODDTCP
$IPT -t filter -A INETIN -p tcp --tcp-flags SYN,RST SYN,RST -j ODDTCP
$IPT -t filter -A INETIN -p tcp --tcp-flags SYN,URG SYN,URG -j ODDTCP
$IPT -t filter -A INETIN -p tcp --tcp-flags SYN,URG SYN,URG -j ODDTCP
$IPT -t filter -A ODDTCP -p tcp -m state --state ESTABLISHED -j LOG --log-prefix "ODDTCP" --log-level 1
$IPT -t filter -A ODDTCP -p tcp -m state --state ESTABLISHED -j RETURN
$IPT -t filter -A ODDTCP -j DROP
$IPT -t filter -A INETIN -m state --state INVALID -j DROP
#######################
# Port Scan Filtering #
#######################
$IPT -N check-flags
$IPT -F check-flags
$IPT -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:"
$IPT -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
$IPT -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
$IPT -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A check-flags -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
$IPT -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
$IPT -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
$IPT -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
####
#Allowing and Blocking Services
####
source /etc/firewall/firewall.services
for i in $EXTTCPINPUT;
do
$IPT -t filter -A INETIN -p tcp --dport $i -j ACCEPT
done
for i in $EXTUDPINPUT;
do
$IPT -t filter -A INETIN -p udp --dport $i -j ACCEPT
done
for i in $EXTTCPFORWARD;
do
$IPT -A FORWARD -p tcp --dport $i -j ACCEPT
done
for i in $EXTUDPFORWARD;
do
$IPT -A FORWARD -p udp --dport $i -j ACCEPT
done
for i in $EXTTCPOUTPUT;
do
$IPT -A OUTPUT -p tcp --dport $i -j ACCEPT
done
for i in $EXTUDPOUTPUT;
do
$IPT -A OUTPUT -p udp --dport $i -j ACCEPT
done
for i in $INTTCPSERV;
do
$IPT -A INPUT -s $INTNET1 -p tcp --dport $i -j ACCEPT
$IPT -A OUTPUT -d $INTNET1 -p tcp --dport $i -j ACCEPT
done
for i in $INTUDPSERV;
do
$IPT -A INPUT -s $INTNET1 -p udp --dport $i -j ACCEPT
$IPT -A OUTPUT -d $INTNET1 -p udp --dport $i -j ACCEPT
done
#allowing outbound connections
$IPT -t filter -A INETIN -m state --state ESTABLISHED -j ACCEPT
#$IPT -t filter -A INETIN -p tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
#$IPT -t filter -A INETIN -p udp --dport 1024:65535 -m state --state RELATED -j UDPACCEPT
####
#Pings
####
# Allow to ping out
$IPT -A OUTPUT -o $EXTIF -p icmp -s $EXTIP --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF1 -p icmp -s $INTNET1 --icmp-type 8 -m state --state NEW -j ACCEPT
# allow others to ping in
$IPT -A INPUT -i $INTIF1 -p icmp -s $INTNET1 --icmp-type 8 -m state --state NEW -j ACCEPT
# Allow firewall to ping internal systems
$IPT -A OUTPUT -o $INTIF1 -p icmp -s $INTNET1 --icmp-type 8 -m state --state NEW -j ACCEPT
####
#SSH always on
####
$IPT -A INPUT -i $INTIF1 -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT
####
#NAT
####
$IPT -t nat -A PREROUTING -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j MASQUERADE
$IPT -t nat -A POSTROUTING -j ACCEPT
$IPT -t nat -A OUTPUT -j ACCEPT
####
#Auth Always On ???
####
$IPT -A INPUT -p tcp --dport auth --syn -m state --state NEW -j ACCEPT
####
#If already established, accept
####
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
####
#Block and Log Everything Else
####
$IPT -A INPUT -j INETIN
$IPT -A INPUT -j check-flags
$IPT -A INPUT -j DROPl
$IPT -A OUTPUT -j REJECTl
$IPT -A OUTPUT -j check-flags
$IPT -A FORWARD -j DROPl
$IPT -A FORWARD -j check-flags
$IPT -A FORWARD -j INETIN
|
and the file that file includes
Code: |
IRC='ircd'
AIM='5190 2996'
OpenPGP_HTTP_Keyserver=11371
SPAMD=783
CLAMAV=3310
DHCP=67
CVS=2401
WHOIS=43
YAHOO='5000 5001 5050'
AMAVIS=10024
TCPSERV="domain ssh www https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 time $PORTAGE $IRC $MSN $ICQ $OpenPGP_HTTP_Keyserver"
UDPSERV="domain time ldap ldaps"
#EXTSERVTCP="ssh http https ftp mail pop3 pop3s imap3 imaps time rsync $AIM ldap ldaps"
EXTTCPINPUT="ftp mail imaps http https"
EXTUDPINPUT=""
EXTTCPFORWARD="domain ssh time www http https ftp mail imap3 imaps time rsync $YAHOO $WHOIS $AIM $CVS $IRC"
EXTUDPFORWARD="domain time $WHOIS $AIM $IRC $YAHOO"
EXTTCPOUTPUT="$EXTTCPFORWARD"
EXTUDPOUTPUT="$EXTUDPFORWARD"
INTTCPSERV="www https ftp mysql time rsync ssh $SPAMD $CLAMAV $AMAVIS"
INTUDPSERV="$DHCP $AMAVIS"
|
_________________ In God We Trust, All Others We monitor.
krunk Guru
Joined: 27 Jul 2003 Posts: 316
Posted: Tue Aug 24, 2004 12:51 pm
Hello, neurolabs did some housecleaning on my original script and changed the ip/broadcasting to awk for greater portability on other platforms. You'll also notice a P2P section based on uid, so make sure you put the appropriate username in there.
Code: |
#!/bin/sh
#
# ********** VARIABLE DEFINITIONS **********
#
# External interface
EXTIF="ppp0"
# Internal interface
INTIF="eth1"
# Loop device/localhost
LPDIF="lo"
LPDIP="127.0.0.1"
LPDMSK="255.0.0.0"
LPDNET="$LPDIP/$LPDMSK"
# Text tools variables
IPT="/sbin/iptables"
IFC="/sbin/ifconfig"
G="/bin/grep"
SED="/bin/sed"
AWK="/bin/awk"
# Setting up external interface environment variables
# The following doesn't play nice with localization
#EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
# This one does AFAIK
EXTIP="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
#EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
EXTBC="255.255.255.255"
# same problem here with localization
#EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTMSK="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"
EXTNET="$EXTIP/$EXTMSK"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
# Due to absence of EXTBC I manually set it to 255.255.255.255
# this (hopefully) will serve the same purpose
# Setting up environment variables for internal interface
INTIP="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
#INTIP="`$IFC $INTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[3],a," ");print a[1];exit}'`"
#INTBC="`$IFC $INTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"
#INTMSK="`$IFC $INTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET="$INTIP/$INTMSK"
echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET"
# Last but not least, the users for owner matching
P2PUSER="ole"
# ********** INITIALIZATION **********
#
# Deny then accept: this keeps holes from opening up
# while we close ports and such
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
#IPT -P INPUT ACCEPT
#IPT -P OUTPUT ACCEPT
#IPT -P FORWARD ACCEPT
# Flush all existing chains and erase personal chains
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS;
do
$IPT -t $i -F
done
for i in $CHAINS;
do
$IPT -t $i -X
done
# enable syncookies & ignore icmp broadcasts
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
# Log Martians
for i in /proc/sys/net/ipv4/conf/*/log_martians ; do
echo 1 > $i
done
# activate forwarding & dynamic address
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
# Loading necessary kernel modules
# example: MODULES="ip_nat_ftp ip_conntrack_ftp"
MODULES="ipt_owner"
for i in $MODULES;
do
echo "Inserting module $i"
modprobe $i
done
# ********** LOGGING CHAINS **********
#
# We are now going to create a few custom chains that will result in
# logging of dropped packets. This will enable us to avoid having to
# enter a log command prior to every drop we wish to log. The
# first will log drops, the other will log rejects.
# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl 2> /dev/null
$IPT -A DROPl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP BLOCKED:'
$IPT -A DROPl -j DROP
$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT BLOCKED:'
$IPT -A REJECTl -j REJECT
$IPT -N DROP2 2> /dev/null
$IPT -A DROP2 -m limit --limit 3/second --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP UNKNOWN:'
$IPT -A DROP2 -j DROP
$IPT -N REJECT2 2> /dev/null
$IPT -A REJECT2 -m limit --limit 3/second --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT UNKNOWN:'
$IPT -A REJECT2 -j REJECT
# For testing, a logging ACCEPT chain
$IPT -N ACCEPTl 2> /dev/null
$IPT -A ACCEPTl -m limit --limit 10/second --limit-burst 50 -j LOG --log-prefix 'FIREWALL ACCEPT:'
$IPT -A ACCEPTl -j ACCEPT
# ********** SANE COMMON RULES **********
#
# Now we are going to accept all traffic from or to our loopback device
# if the IP matches any of our interfaces.
$IPT -A INPUT -i $LPDIF -s $LPDIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $EXTIP -j ACCEPT
$IPT -A INPUT -i $LPDIF -s $INTIP -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -d $LPDIP -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -d $EXTIP -j ACCEPT
$IPT -A OUTPUT -o $LPDIF -d $INTIP -j ACCEPT
# Blocking Broadcasts
$IPT -A INPUT -i $EXTIF -d $EXTBC -j DROPl
$IPT -A INPUT -i $INTIF -d $INTBC -j DROPl
$IPT -A OUTPUT -o $EXTIF -d $EXTBC -j DROPl
$IPT -A OUTPUT -o $INTIF -d $INTBC -j DROPl
$IPT -A FORWARD -o $EXTIF -d $EXTBC -j DROPl
$IPT -A FORWARD -o $INTIF -d $INTBC -j DROPl
# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input arriving on our external interface is not addressed to our
# ISP-assigned IP address, drop it like a hot potato"
$IPT -A INPUT -i $EXTIF -d ! $EXTIP -j DROPl
# Now we will block internal addresses originating from anything but our
# predefined interface.....just remember that if you jack your
# laptop or another pc into one of these NIC's directly, you'll need
# to ensure that they either have the same ip or that you add a line
# explicitly allowing that IP as well
# Interface one/internal net one
$IPT -A INPUT -i $INTIF -s ! $INTNET -j DROPl
$IPT -A OUTPUT -o $INTIF -d ! $INTNET -j DROPl
$IPT -A FORWARD -i $INTIF -s ! $INTNET -j DROPl
$IPT -A FORWARD -o $INTIF -d ! $INTNET -j DROPl
# An additional Egress check
$IPT -A OUTPUT -o $EXTIF -s ! $EXTNET -j DROPl
# Block outbound ICMP (except for PING)
$IPT -A OUTPUT -o $EXTIF -p icmp \
--icmp-type ! 8 -j DROPl
$IPT -A FORWARD -o $EXTIF -p icmp \
--icmp-type ! 8 -j DROPl
# Allow to ping out
$IPT -A OUTPUT -o $EXTIF -p icmp -s $EXTIP \
--icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF -p icmp -s $INTNET \
--icmp-type 8 -m state --state NEW -j ACCEPT
# Allow internal network to ping internal systems
$IPT -A OUTPUT -o $INTIF -p icmp -s $INTNET \
--icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A INPUT -i $INTIF -p icmp -s $INTNET \
--icmp-type 8 -m state --state NEW -j ACCEPT
# ********** BLOCKING THE EVIL PORTS **********
#
# COMmon ports:
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 135 is DCOM RPC
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346 (gnutella - removed)
# Common Trojans 12345 65535
INTCOMBLOCK="0:1 13 98 111 135 161:162 1214 1999 2049 3049 4329 3128 8000 8008 8080 12345 65535"
EXTCOMBLOCK="137:139 445"
# TCP ports:
# 512:515 is rexec, rlogin, rsh, printer(lpd)
# [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
INTTCPBLOCK="$INTCOMBLOCK 512:515 1080 6000:6009 6112"
EXTTCPBLOCK="$INTCOMBLOCK $EXTCOMBLOCK 512:515 1080 6000:6009 6112"
# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
INTUDPBLOCK="$INTCOMBLOCK 161:162 520 517:518 1427 9000"
EXTUDPBLOCK="$INTCOMBLOCK $EXTCOMBLOCK 161:162 520 123 517:518 1427 9000"
echo -n "FW: Blocking internal attacks to TCP port: "
for i in $INTTCPBLOCK;
do
echo -n "$i "
$IPT -A INPUT -p tcp -s $INTNET --dport $i -j DROPl
$IPT -A OUTPUT -p tcp -s $INTNET --dport $i -j DROPl
$IPT -A FORWARD -p tcp -s $INTNET --dport $i -j DROPl
done
echo ""
echo -n "FW: Blocking external attacks to TCP port: "
for i in $EXTTCPBLOCK;
do
echo -n "$i "
$IPT -A INPUT -p tcp -s ! $INTNET --dport $i -j DROPl
$IPT -A OUTPUT -p tcp -s ! $INTNET --dport $i -j DROPl
$IPT -A FORWARD -p tcp -s ! $INTNET --dport $i -j DROPl
done
echo ""
echo -n "FW: Blocking internal attacks to UDP port: "
for i in $INTUDPBLOCK;
do
echo -n "$i "
$IPT -A INPUT -p udp -s $INTNET --dport $i -j DROPl
$IPT -A OUTPUT -p udp -s $INTNET --dport $i -j DROPl
$IPT -A FORWARD -p udp -s $INTNET --dport $i -j DROPl
done
echo ""
echo -n "FW: Blocking external attacks to UDP port: "
for i in $EXTUDPBLOCK;
do
echo -n "$i "
$IPT -A INPUT -p udp -s ! $INTNET --dport $i -j DROPl
$IPT -A OUTPUT -p udp -s ! $INTNET --dport $i -j DROPl
$IPT -A FORWARD -p udp -s ! $INTNET --dport $i -j DROPl
done
echo ""
# ********** ALLOWING INSIDE TO OUTSIDE SERVICES **********
#
# This is where things go you want to use from your network on the internet
#
# Defining some common chat clients. Remove these from your accepted list for better security.
IRC='ircd'
MSN=1863
ICQ=5190
NFS='sunrpc'
# We have to sync!!
PORTAGE='rsync'
OpenPGP_HTTP_Keyserver=11371
# All services ports are read from /etc/services
TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 time $PORTAGE $IRC $OpenPGP_HTTP_Keyserver"
UDPSERV="domain time"
echo -n "FW: Allowing inside systems to use services: "
for i in $TCPSERV;
do
echo -n "$i "
$IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP \
--dport $i --syn -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF -p tcp -s $INTNET \
--dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""
echo -n "FW: Allowing inside systems to use services: "
for i in $UDPSERV;
do
echo -n "$i "
$IPT -A OUTPUT -o $EXTIF -p udp -s $EXTIP \
--dport $i -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF -p udp -s $INTNET \
--dport $i -m state --state NEW -j ACCEPT
done
echo ""
# ********** ALLOWING SERVICES ON FIREWALL **********
#
# DAEMONS on firewall which should be accessible to inside/outside.
# it is presumed that DAEMONS advertised to the outside can also
# be advertised safely to the inside
#
# This is generally NOT A GOOD IDEA (as told by "security experts")
# since if some service on this machine gets hacked, the firewall is
# compromised as well, but what the heck ;) it's only a home network
#
# 50369 is my p2p port
# microsoft-ds is for samba
# 5901 is vnc
# domain is nameserver
# ntp is for timeserving
#EXTTCPDAEMONS="ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2"
EXTTCPDAEMONS="ssh auth 50369"
INTTCPDAEMONS="$EXTTCPDAEMONS microsoft-ds 5901"
EXTUDPDAEMONS=""
INTUDPDAEMONS="$EXTUDPDAEMONS domain ntp"
echo -n "FW: Allowing external systems to use tcp services on localhost: "
for i in $EXTTCPDAEMONS;
do
echo -n "$i "
$IPT -A INPUT -i $EXTIF -p tcp -d $EXTIP \
--dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""
echo -n "FW: Allowing internal systems to use tcp services on localhost: "
for i in $INTTCPDAEMONS;
do
echo -n "$i "
$IPT -A INPUT -i $INTIF -p tcp -d $INTIP \
--dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""
echo -n "FW: Allowing external systems to use udp services on localhost: "
for i in $EXTUDPDAEMONS;
do
echo -n "$i "
$IPT -A INPUT -i $EXTIF -p udp -d $EXTIP \
--dport $i -m state --state NEW -j ACCEPT
done
echo ""
echo -n "FW: Allowing internal systems to use udp services on localhost: "
for i in $INTUDPDAEMONS;
do
echo -n "$i "
$IPT -A INPUT -i $INTIF -p udp -d $INTIP \
--dport $i -m state --state NEW -j ACCEPT
done
echo ""
# ********** ALLOWING P2P FROM FIREWALL **********
#
# Even worse idea :)
#
# Allowing all packets generated by processes owned by the P2PUSER out
$IPT -A OUTPUT -o $EXTIF -d ! $INTNET -m owner --uid-owner $P2PUSER -j ACCEPT
# ********** FINALIZING NAT & FIREWALL **********
#
# Setup NAT
$IPT -t nat -A PREROUTING -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE
$IPT -t nat -A POSTROUTING -j ACCEPT
$IPT -t nat -A OUTPUT -j ACCEPT
# allow existing connections
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# block and log what we may have forgotten
$IPT -A INPUT -j DROP2
$IPT -A OUTPUT -j REJECT2
$IPT -A FORWARD -j DROP2
|
I also like the dual logging chains for explicitly blocked and ambiguously blocked packets. It helps a lot when pouring over logs to determine new rules.
Cheers! _________________ G4 1ghz iBook
PowerMac G3 (B&W) [Powered by Gentoo and Gentoo alone ]
Dual G5
iPod 3rd generation
Last edited by krunk on Sat Oct 02, 2004 3:59 pm; edited 1 time in total
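The dual logging chains above only pay off if the kernel log is actually reviewed. As an added example (not code from the thread or from krunk's script), here is a small POSIX sh/awk summariser for the LOG lines those chains write: it groups hits by log prefix, protocol and destination port and counts distinct source addresses, so a scan hitting one port from many hosts stands out from a single host that may just need an allow rule. The function name `fw_log_summary` and the sample log (RFC 5737 addresses) are constructed; the sample includes the sort of `REJECT UNKNOWN` line the OUTPUT `REJECT2` catch-all writes when the firewall itself opens a connection no rule allows, and an ICMP error whose quoted inner header must not be mistaken for the outer packet.

```shell
#!/bin/sh
# Added example (not from the thread): summarise iptables LOG output by
# log prefix, protocol and destination port, counting hits and distinct
# source addresses.  Reads syslog-style kernel lines on stdin.
fw_log_summary() {
    awk '
    /kernel: .*IN=.*PROTO=/ {
        # The prefix is everything between "kernel: " and "IN=".  The
        # scripts in this thread quote prefixes like "FIREWALL DROP UNKNOWN:"
        # with no trailing space, so IN= follows the colon directly.
        pfx = $0
        sub(/^.*kernel: /, "", pfx)
        sub(/IN=.*/, "", pfx)
        sub(/:? *$/, "", pfx)
        proto = "-"; dpt = "-"; src = "-"
        for (i = 1; i <= NF; i++) {
            # ICMP errors quote the offending inner header in [...];
            # stop there so its PROTO=/DPT= do not overwrite the outer ones.
            if ($i ~ /^\[/) break
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
            else if ($i ~ /^TYPE=/) dpt = "type" substr($i, 6)
        }
        key = proto " " dpt " " pfx
        count[key]++
        if (!((key, src) in seen)) { seen[key, src] = 1; nsrc[key]++ }
    }
    END {
        # columns: hits, distinct sources, proto, dport, prefix
        for (k in count) printf "%d %d %s\n", count[k], nsrc[k], k
    }' | sort -k1,1nr -k2,2nr -k3
}

# Constructed sample log: two hosts probing TCP 135 (caught by the DROP2
# catch-all), a NetBIOS probe caught by an explicit block rule (DROPl),
# two ssh attempts from the firewall itself to a LAN host hitting the
# OUTPUT REJECT2 catch-all, and one ICMP error carrying an inner header.
SAMPLE_LOG=$(cat <<'EOF'
Sep 17 10:10:01 gw kernel: FIREWALL DROP UNKNOWN:IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID=1 DF PROTO=TCP SPT=3456 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 17 10:10:02 gw kernel: FIREWALL DROP UNKNOWN:IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=118 ID=2 DF PROTO=TCP SPT=1025 DPT=135 WINDOW=65535 RES=0x00 SYN URGP=0
Sep 17 10:10:05 gw kernel: FIREWALL DROP BLOCKED:IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=78 TOS=0x00 PREC=0x00 TTL=112 ID=3 PROTO=UDP SPT=137 DPT=137 LEN=58
Sep 17 10:10:09 gw kernel: FIREWALL REJECT UNKNOWN:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.2 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40321 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 17 10:11:00 gw kernel: FIREWALL REJECT UNKNOWN:IN= OUT=eth1 SRC=192.168.0.1 DST=192.168.0.2 LEN=60 TOS=0x10 PREC=0x00 TTL=64 ID=5 DF PROTO=TCP SPT=40322 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Sep 17 10:11:30 gw kernel: FIREWALL DROP UNKNOWN:IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=112 ID=6 PROTO=ICMP TYPE=3 CODE=3 [SRC=198.51.100.7 DST=203.0.113.5 LEN=56 TOS=0x00 PREC=0x00 TTL=64 ID=7 DF PROTO=UDP SPT=40000 DPT=53 LEN=36]
EOF
)

# Run against a real box with: grep FIREWALL /var/log/messages | fw_log_summary
printf '%s\n' "$SAMPLE_LOG" | fw_log_summary
```

The second column is what separates noise from a missing rule: `2 1 TCP 22 FIREWALL REJECT UNKNOWN` is one host (the firewall) repeatedly being refused, while `2 2 TCP 135` is two unrelated sources probing a port the script deliberately leaves closed.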
JanErik Guru
Joined: 28 Oct 2002 Posts: 488 Location: Finland
Posted: Sun Sep 12, 2004 7:37 pm
Hmm... a little question, I am a true Iptables-newbie.
I am thinking of using this to allow an extra machine to get Internet access through my main workstation (which has two NICs and one of them is connected to the Internet). It only needs to send results to folding@home and sync portage once in a while.
Will this filter act as a firewall locally on my main workstation as well? Just as if I had a personal firewall like ZoneAlarm installed under Windoze? Or is it more like a routing firewall that isn't supposed to have any local processes accessing the Internet?
krunk Guru
Joined: 27 Jul 2003 Posts: 316
Posted: Mon Sep 13, 2004 3:19 am
It's a full fledged stateful firewall. It can be as restrictive or lenient as you'd like.
Think of how the flow of traffic goes:
client------>server---->internet
internet----->server---->client
All traffic coming into and out of the client must pass through the server. Therefore, when you firewall the server you firewall your whole network that is behind the server.
JanErik Guru
Joined: 28 Oct 2002 Posts: 488 Location: Finland
Posted: Mon Sep 13, 2004 7:19 am
Well, but when the server is also the client?
c0ol n00b
Joined: 27 Jul 2004 Posts: 5
Posted: Tue Sep 14, 2004 11:42 pm
WoW....
This is a very complete HowTo. It helped me chunk my linksys POS wireless router in favor of using my gentoo box as a DHCPD/wifi AP/router. THANKS!
JanErik Guru
Joined: 28 Oct 2002 Posts: 488 Location: Finland
Posted: Thu Sep 16, 2004 5:49 pm
I'm getting this error message, and notwork.
I also got the syncookie error, but that shouldn't be related to this.
Removed all the rules containing INTIF2 since I only have one internal interface.
Linebreak errors from pasting from forum?
Code: | FW: Allowing inside systems to use service:domain iptables: No
chain/target/match by that name
iptables: No chain/target/match by that name
ssh iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
http iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
https iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
ftp iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
ftp-data iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
mail iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
pop3 iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
pop3s iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
imap3 iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
imaps iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
imap2 iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
time iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
rsync iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
\ iptables v1.2.11: invalid TCP port/service `\' specified
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: invalid TCP port/service `\' specified
Try `iptables -h' or 'iptables --help' for more information.
ircd iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
1863 iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
5190 iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
11371 iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
FW: Allowing inside systems to use service:domain iptables: No
chain/target/match by that name
iptables: No chain/target/match by that name
time iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
|
JanErik Guru
Joined: 28 Oct 2002 Posts: 488 Location: Finland
Posted: Fri Sep 17, 2004 10:10 am
OK, now it works, I had forgotten to compile in some stuff in the netfilter configuration.
But one thing... I want to be able to ssh from the firewall machine (which is my primary workstation) to the machine on the inside. It works with the configuration from the Gentoo router guide, but not with this. How do I add a rule for that?
And, I might add, I am able to ssh out from the firewall, as well as ssh in from the Internet.
Both of the machines are running folding@home, will it be able to get work and send results?
C.M Tux's lil' helper
Joined: 14 Mar 2003 Posts: 132 Location: Göteborg - Sweden
Posted: Sun Sep 19, 2004 3:39 pm
Great howtos! I'm trying to figure out if I should use dhcpd + dnsmasq or just dnsmasq? Does anyone have a hint? Right now I just followed the Home Router Guide, which uses both. Another tutorial, http://gentoo-wiki.com/HOWTO_setup_a_home-server was equally confusing on that topic. At least the net works now..
Thanks to everyone who know enough to make these tutorials though!
kannX Tux's lil' helper
Joined: 21 Jul 2002 Posts: 76
Posted: Tue Sep 21, 2004 7:47 am
tomaw wrote: | OK, after playing around for a while I have the following. It doesn't include transparent proxy though, as I decided I probably don't want it anyway:
|
Adding a transparent proxy is quite simple (in the case squid is running on the same machine):
Code: |
$IPT -t nat -A PREROUTING -i $INTIF1 -s $INTNET1 -p tcp --dport 80 -j REDIRECT --to-port 3128
|
edit: removed INPUT-rule - doesn't make sense
Last edited by kannX on Wed Sep 22, 2004 5:57 pm; edited 1 time in total
krunk Guru
Joined: 27 Jul 2003 Posts: 316
Posted: Tue Sep 21, 2004 1:17 pm
***edited****
Last edited by krunk on Wed Sep 22, 2004 12:17 am; edited 1 time in total