Gentoo Forums
Please look over this firewall config
Author Message
StrautC
n00b
Joined: 07 Sep 2002
Posts: 15
PostPosted: Sat Sep 21, 2002 1:22 pm    Post subject: Please look over this firewall config

I'm using the following iptables config on my campus network. I want this firewalled machine to be able to initiate any connections I choose, but deny any connections initiated by other machines except for those coming from two specific MAC addresses, in which case they will be granted full access. My NFS server (the machine using this firewall config) will be exporting some parts of my filesystem to the world and I will be using the firewall to control access to it (i.e. deny all but the two machines below). This will enable the two machines to get any IP address from the DHCP server and still retain permissions to talk to my NFS server.

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m mac --mac-source (MAC ADDRESS HERE) -j ACCEPT
-A INPUT -m mac --mac-source (MAC ADDRESS HERE) -j ACCEPT
-A INPUT -i eth0 -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -i eth0 -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
-A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

The default action is to deny all INPUT.

It seems to work rather well in every respect. See any gaping holes in this setup? This is my first attempt at firewalling, so I'm not 100% sure about this thing. Thanks!
StrautC
n00b
Joined: 07 Sep 2002
Posts: 15
PostPosted: Sun Sep 22, 2002 3:18 pm

^ bump :) ^
brain
Apprentice
Joined: 16 May 2002
Posts: 229
Location: Farmington Hills, MI
PostPosted: Sun Sep 22, 2002 3:48 pm

Below is a firewall script that I wrote from scratch last year. It's set up for an internal 192.168.1.x LAN for desktop PC use, and a 192.168.2.x VLAN for a DMZ. I've got port forwarding going from the public interface to a few servers on the DMZ and everything allowed to go out. Seemed very secure, and every time I found someone playing with my webserver, I just added them to the Blacklist in the script :)

This could help if you're trying to do something and can't figure out how to phrase it in IPTABLES:

Code:
#!/bin/bash
####################################################
## 
##   Firewalling IPTABLES ruleset for fw.briandowney.net
##   created by Brian Downey on 11-04-01.
##
####################################################

IPT="/usr/sbin/iptables"
SQUID="192.168.1.2:3128"
INETADDR="65.31.64.238"

####  Turn off source routing (spoofing)
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route

####  Turn on IP Forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward

####  Load modules
depmod -a
modprobe ip_tables

#########################################################
################  Begin Rulesets ########################
#########################################################


#########################################################
#        PREROUTING TABLE
#########################################################

####  Flush old rules, delete the firewall chain if it exists

$IPT -F INPUT
$IPT -F FORWARD
$IPT -F OUTPUT
$IPT -F -t nat
$IPT -F firewall
$IPT -X

####  Set up the firewall-log chain

$IPT -N firewall
$IPT -A firewall -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "Firewalled *NEW NOT SYN*:"
$IPT -A firewall -p tcp --syn -m state --state NEW -j LOG --log-level info --log-prefix "Firewalled (TCP):"
$IPT -A firewall -p udp -j LOG --log-level info --log-prefix "Firewalled (UDP):"
$IPT -A firewall -p icmp -j LOG --log-level info --log-prefix "Firewalled (ICMP):"
$IPT -A firewall -j DROP

####  Setup Masquerading

$IPT -A POSTROUTING -t nat -s 192.168.1.0/24 -j MASQUERADE
$IPT -A POSTROUTING -t nat -s 192.168.2.0/24 -j MASQUERADE

####  Hairpin NAT: internal LAN clients that address the public IP on 80/443 are redirected to the DMZ web server

$IPT -t nat -A PREROUTING -i eth1 -s 192.168.1.0/24 -d $INETADDR -p tcp --dport 80 -j DNAT --to-destination 192.168.2.5:80
$IPT -t nat -A PREROUTING -i eth1 -s 192.168.1.0/24 -d $INETADDR -p tcp --dport 443 -j DNAT --to-destination 192.168.2.5:443

####  Forward & NAT external internet HTTP/FTP/SSH/EMAIL traffic to webserver.
####  See additional rules below to allow traffic into firewall IP STACK

# Rules for interweb server.
$IPT -t nat -A PREROUTING -i eth0 -s 0/0 -p tcp --dport 80 -j DNAT --to-destination 192.168.2.5:80
$IPT -t nat -A PREROUTING -i eth0 -s 0/0 -p tcp --dport 21 -j DNAT --to-destination 192.168.2.5:21
$IPT -t nat -A PREROUTING -i eth0 -s 0/0 -p tcp --dport 22 -j DNAT --to-destination 192.168.2.5:22
$IPT -t nat -A PREROUTING -i eth0 -s 0/0 -p tcp --dport 25 -j DNAT --to-destination 192.168.2.5:25
$IPT -t nat -A PREROUTING -i eth0 -s 0/0 -p tcp --dport 443 -j DNAT --to-destination 192.168.2.5:443
# End rules


########################################################
#      FORWARDING TABLE
########################################################

$IPT -P FORWARD DROP

####  Anti-Nimda/Skript Kiddie rules -- add offending IPs

$IPT -A FORWARD -i eth0 -s 65.29.144.6 -j firewall
$IPT -A FORWARD -i eth0 -s 65.29.0.33 -j firewall
$IPT -A FORWARD -i eth0 -s 65.29.197.60 -j firewall
$IPT -A FORWARD -i eth0 -s 65.29.175.71 -j firewall
$IPT -A FORWARD -i eth0 -s 65.174.52.147 -j firewall
$IPT -A FORWARD -i eth0 -s 65.29.106.200 -j firewall
$IPT -A FORWARD -i eth0 -s 65.6.246.208 -j firewall
$IPT -A FORWARD -i eth0 -s 65.29.240.172 -j firewall
$IPT -A FORWARD -i eth0 -s 65.80.221.119 -j firewall
$IPT -A FORWARD -i eth0 -s 65.29.109.82 -j firewall

$IPT -A FORWARD -i eth0 -p tcp ! --syn -m state --state NEW -j firewall

######  RULES TO ALLOW FORWARDING TRAFFIC THROUGH FIREWALL
#
# Allow web traffic into firewall (see related PREROUTING rule)
$IPT -A FORWARD -i eth0 -p tcp --destination-port 80 -j ACCEPT
$IPT -A FORWARD -i eth0 -p tcp --destination-port 443 -j ACCEPT

# Allow ftp traffic into firewall (see related PREROUTING rule)
$IPT -A FORWARD -i eth0 -p tcp --destination-port 21 -j ACCEPT

# Allow SSH traffic into firewall (see related PREROUTING rule)
$IPT -A FORWARD -i eth0 -p tcp --destination-port 22 -j ACCEPT
$IPT -A FORWARD -i eth0 -p tcp --destination-port 24 -j ACCEPT

# Allow EMAIL traffic into firewall
$IPT -A FORWARD -i eth0 -p tcp --destination-port 25 -j ACCEPT
#
######  END RULES

####  Firewall new DMZ traffic to internal network.

$IPT -A FORWARD -m state --state NEW -i eth2 -s 192.168.2.0/24 -o eth1 -d 192.168.1.0/24 -j firewall

$IPT -A FORWARD -i eth1 -s 192.168.1.0/24 -j ACCEPT
$IPT -A FORWARD -i eth2 -s 192.168.2.0/24 -o eth0 -d 0/0 -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -j firewall


#########################################################
#      INPUT TABLE
#########################################################

$IPT -P INPUT DROP
$IPT -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j firewall
$IPT -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i eth1 -s 192.168.1.0/24 -d 0/0 -j ACCEPT
$IPT -A INPUT -i eth2 -s 192.168.2.0/24 -d 0/0 -j ACCEPT

####  Accept RIP requests from TW...this shortens the logs

$IPT -A INPUT -i eth0 -p udp --destination-port 520 -j ACCEPT

####  Accept SSH locally.

$IPT -A INPUT -p tcp --destination-port 23 -j ACCEPT

$IPT -A INPUT -j firewall

_________________
--brain
klieber
Bodhisattva
Joined: 17 Apr 2002
Posts: 3657
Location: San Francisco, CA
PostPosted: Sun Sep 22, 2002 11:53 pm    Post subject: Re: Please look over this firewall config

StrautC wrote:
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
-A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

Pretty sure these two rules aren't necessary.

StrautC wrote:
The default action is to deny all INPUT.

That rule isn't listed anywhere above -- do you have other rules that aren't listed as well? Hard to tell how secure a script is if we only see part of it. :) Otherwise, the script looks pretty solid. Might want to put in some logging controls to limit log flooding.

--kurt
_________________
The problem with political jokes is that they get elected
StrautC
n00b
Joined: 07 Sep 2002
Posts: 15
PostPosted: Mon Sep 23, 2002 1:31 am    Post subject: Re: Please look over this firewall config

klieber wrote:
StrautC wrote:
-A INPUT -s 127.0.0.1 -d 127.0.0.1 -i lo -j ACCEPT
-A OUTPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

Pretty sure these two rules aren't necessary.

StrautC wrote:
The default action is to deny all INPUT.

That rule isn't listed anywhere above -- do you have other rules that aren't listed as well? Hard to tell how secure a script is if we only see part of it. :) Otherwise, the script looks pretty solid. Might want to put in some logging controls to limit log flooding.

--kurt


Actually I found that those two rules are necessary for some of my local network services to run properly, particularly NFS (rquotad, nfsd). Actually, I know that at least one of the two is necessary - I added them both at the same time, so I'm not sure if one (or both) is responsible for NFS magically working again. Forgot to paste the rule that sets default INPUT behavior to deny, but it's there and working on my machine. Any suggestions for the logging controls?

Thanks for the input guys! ;)