HOWTO: Iptables for newbies. PART II: Securing your Network

[tomaw]

OK, after playing around for a while I have the following. It doesn't include transparent proxy though, as I decided I probably don't want it anyway:

Main Changes:
Allowed a list of loopback services so local provoxy, shh and spamd will work.

Does anyone see any security problems with what I've done?

Code: Select all

# External interface
EXTIF=eth0
# Internal interface
INTIF1=wlan0

# Loop device/localhost
LPDIF=lo
LPDIP=127.0.0.1
LPDMSK=255.0.0.0
LPDNET="$LPDIP/$LPDMSK"

# Text tools variables
IPT='/sbin/iptables'
IFC='/sbin/ifconfig'
G='/bin/grep'
SED='/bin/sed'
                                                                               
# Last but not least, the users
PALM=192.168.0.2
                                                                               
# Deny than accept: this keeps holes from opening up
# while we close ports and such
                                                                               
$IPT        -P INPUT       DROP
$IPT        -P OUTPUT      DROP
$IPT        -P FORWARD     DROP
                                                                               
# Flush all existing chains and erase personal chains
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null`
for i in $CHAINS;
do
    $IPT -t $i -F
done
                                                                               
for i in $CHAINS;
do
    $IPT -t $i -X
done
                                                                               
#echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
                                                                               
# Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
        echo 1 > $f
done
# Disable IP source routing and ICMP redirects
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
        echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
        echo 0 > $f
done
                                                                               
echo 1 > /proc/sys/net/ipv4/ip_forward
                                                                               
                                                                               
# Setting up external interface environment variables
EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
EXTNET="$EXTIP/$EXTMSK"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"
                                                                               
# Setting up environment variables for internal interface one
INTIP1="`$IFC $INTIF1|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`"
INTBC1="`$IFC $INTIF1|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`"
INTMSK1="`$IFC $INTIF1|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`"
INTNET1="$INTIP1/$INTMSK1"
echo "INTIP1=$INTIP1 INTBC1=$INTBC1 INTMSK1=$INTMSK1 INTNET1=$INTNET1"
                                                                               
# We are now going to create a few custom chains that will result in
# logging of dropped packets. This will enable us to avoid having to
# enter a log command prior to every drop we wish to log. The
# first will be first log drops the other will log rejects.
                                                                               
# Do not complain if chain already exists (so restart is clean)
$IPT -N DROPl   2> /dev/null
$IPT -A DROPl   -j LOG --log-prefix 'DROPl:'
$IPT -A DROPl   -j DROP
                                                                               
$IPT -N REJECTl 2> /dev/null
$IPT -A REJECTl -j LOG --log-prefix 'REJECTl:'
$IPT -A REJECTl -j REJECT
                                                                               
# Now we are going to accpet all traffic from our loopback device
# if the IP matches any of our interfaces.
                                                                               
$IPT -A INPUT   -i $LPDIF -s   $LPDIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $EXTIP  -j ACCEPT
$IPT -A INPUT   -i $LPDIF -s   $INTIP1  -j ACCEPT
                                                                               
# Blocking Broadcasts
$IPT -A INPUT   -i $EXTIF -d   $EXTBC  -j DROPl
$IPT -A INPUT   -i $INTIF1 -d   $INTBC1  -j DROPl
$IPT -A OUTPUT  -o $EXTIF -d   $EXTBC  -j DROPl
$IPT -A OUTPUT  -o $INTIF1 -d   $INTBC1  -j DROPl
$IPT -A FORWARD -o $EXTIF -d   $EXTBC  -j DROPl
$IPT -A FORWARD -o $INTIF1 -d   $INTBC1  -j DROPl
                                                                               
# Block WAN access to internal network
# This also stops nefarious crackers from using our network as a
# launching point to attack other people
# iptables translation:
# "if input going into  our external interface does not originate from our isp assigned
# ip address, drop it like a hot potato
                                                                               
$IPT -A INPUT   -i $EXTIF -d ! $EXTIP  -j DROPl
                                                                               
# Now we will block internal addresses originating from anything butour
# two predefined interfaces.....just remember that if you jack your
# your laptop or another pc into one of these NIC's directly, you'll need # to ensure that they either have the same ip or that you add a line explicitly
# that IP as well                                                                               
# Interface one/internal net one
$IPT -A INPUT   -i $INTIF1 -s ! $INTNET1 -j DROPl
$IPT -A OUTPUT  -o $INTIF1 -d ! $INTNET1 -j DROPl
$IPT -A FORWARD -i $INTIF1 -s ! $INTNET1 -j DROPl
$IPT -A FORWARD -o $INTIF1 -d ! $INTNET1 -j DROPl
                                                                               
# An additional Egress check
                                                                               
$IPT -A OUTPUT  -o $EXTIF -s ! $EXTNET -j DROPl
                                                                               
# Block outbound ICMP (except for PING)
                                                                               
$IPT -A OUTPUT  -o $EXTIF -p icmp \
  --icmp-type ! 8 -j DROPl
$IPT -A FORWARD -o $EXTIF -p icmp \
    --icmp-type ! 8 -j DROPl
                                                                               
# COMmon ports:
# 0 is tcpmux; SGI had vulnerability, 1 is common attack
# 13 is daytime
# 98 is Linuxconf
# 111 is sunrpc (portmap)
# 137:139, 445 is Microsoft
# SNMP: 161,2
# Squid flotilla: 3128, 8000, 8008, 8080
# 1214 is Morpheus or KaZaA
# 2049 is NFS
# 3049 is very virulent Linux Trojan, mistakable for NFS
# Common attacks: 1999, 4329, 6346
# Common Trojans 12345 65535
COMBLOCK="0:1 13 98 111 137:139 161:162 445 1214 1999 2049 3049 4329 6346 3128 8000 8008 8080 12345 65535"
                                                                               
# TCP ports:
# 98 is Linuxconf
# 512-5!5 is rexec, rlogin, rsh, printer(lpd)
#   [very serious vulnerabilities; attacks continue daily]
# 1080 is Socks proxy server
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
# Block 6112 (Sun's/HP's CDE)
TCPBLOCK="$COMBLOCK 98 512:515 1080 6000:6009 6112"
                                                                               
# UDP ports:
# 161:162 is SNMP
# 520=RIP, 9000 is Sangoma
# 517:518 are talk and ntalk (more annoying than anything)
UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000"
                                                                               
echo -n "FW: Blocking attacks to TCP port"
for i in $TCPBLOCK;
do
echo -n "$i "
  $IPT -A INPUT   -p tcp --dport $i  -j DROPl
  $IPT -A OUTPUT  -p tcp --dport $i  -j DROPl
  $IPT -A FORWARD -p tcp --dport $i  -j DROPl
done
echo ""
                                                                               
echo -n "FW: Blocking attacks to UDP port "
for i in $UDPBLOCK;
do
  echo -n "$i "
    $IPT -A INPUT   -p udp --dport $i  -j DROPl
    $IPT -A OUTPUT  -p udp --dport $i  -j DROPl
    $IPT -A FORWARD -p udp --dport $i  -j DROPl
done
echo ""

# Opening up ftp connection tracking
MODULES="ip_nat_ftp ip_conntrack_ftp"
for i in $MODULES;
do
  echo "Inserting module $i"
  modprobe $i
done
                                                                           
# Defining some common chat clients. Remove these from your accepted list for better security.
IRC='ircd'
MSN=1863
ICQ=5190
NFS='sunrpc'
PORTAGE='rsync'
RDP=3389
YAHOO='3477 5050'
JABBER=5222
OpenPGP_HTTP_Keyserver=11371
PRIVOXY=8118
SPAMD=783
                                                                               
# All services ports are read from /etc/services
                                                                               
TCPSERV="domain ssh http https ftp ftp-data mail pop3 time $PORTAGE $IRC $MSN $OpenPGP_HTTP_Keyserver $RDP $JABBER $YAHOO"
UDPSERV="domain time"
LOTCP="ssh $PRIVOXY $SPAMD"
echo -n "FW: Allowing inside systems to use service (TCP):"
for i in $TCPSERV;
do
   echo -n "$i "
   $IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP  \
    --dport $i --syn -m state --state NEW -j ACCEPT
   $IPT -A FORWARD -i $INTIF1 -p tcp -s $INTNET1 \
    --dport $i --syn -m state --state NEW -j ACCEPT
                                                                               
done
echo ""
                                                                               
echo -n "FW: Allowing inside systems to use service (UDP):"
for i in $UDPSERV;
do
    echo -n "$i "
    $IPT -A OUTPUT  -o $EXTIF -p udp -s $EXTIP  \
        --dport $i -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $INTIF1 -p udp -s $INTNET1 \
        --dport $i -m state --state NEW -j ACCEPT
done
echo ""

echo -n "FW: Allowing loopback access for:"
for i in $LOTCP;
do
    echo -n "$i "
    $IPT -A OUTPUT -o lo -p tcp --dport $i -m state --state NEW -j ACCEPT
done
echo ""

# Allow to ping out
$IPT -A OUTPUT  -o $EXTIF -p icmp -s $EXTIP  \
    --icmp-type 8 -m state --state NEW -j ACCEPT
$IPT -A FORWARD -i $INTIF1 -p icmp -s $INTNET1 \
    --icmp-type 8 -m state --state NEW -j ACCEPT
                                                                               
# Allow firewall to ping internal systems
$IPT -A OUTPUT  -o $INTIF1 -p icmp -s $INTNET1 \
    --icmp-type 8 -m state --state NEW -j ACCEPT

# External access to SSH server here
$IPT -A INPUT   -i $EXTIF -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT

#$IPT -t nat -A PREROUTING                       -j ACCEPT
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j MASQUERADE
$IPT -t nat -A POSTROUTING                      -j ACCEPT
$IPT -t nat -A OUTPUT                           -j ACCEPT
                                                                               
$IPT -A INPUT   -p tcp --dport auth --syn -m state --state NEW -j ACCEPT
                                                                               
$IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# block and log what me may have forgot
$IPT -A INPUT             -j DROPl
$IPT -A OUTPUT            -j REJECTl
$IPT -A FORWARD           -j DROPl 

[Lepaca Kliffoth]

Up and working. Thanks!

[stahlsau]

many thanx for your work, it´s really inspiring!
Again, i learned lots of thing, cause i never had the ambition to do a firewall-script on my own, but with this help it´s fun

[omné]

Hello, I'm totally newby about server and all this things.
Thank's a lot.
I use the script, and everithing seems to work well but I can't ssh in any way.
Nither from server to my computer nore in the other way.
I setup ssh from this howto : http://gentoo-wiki.com/HOWTO_setup_a_ho ... guring_ssh

My config :
...-------
..| net |
...--------
.......|
.....MYIP (eth0)
.......|
....--------------------
...| server |
....---------------------
......|.....................|
...192.168.1.1...192.168.2.1
....(eth1)............(eth2)
......|.....................|
......|.....................|
...192.168.1.10....192.168.2.10
......|.....................|
..------------........-------------------
.|My comp|........| Friends laptop|
..-----------.........-------------------

How can I ssh from net to server, from My comp to server ?

Can this script deal with dnsmasq, explain here : http://gentoo-wiki.com/HOWTO_setup_a_ho ... masqserver ?
For friend to just connect there laptop.

Again thank's

Némo.

[EDIT]
Solve my problem, it was just that I had to coment the

Code: Select all

#EXTBC="255.255.255.255"

Now triing to get my mldonkey and jabber working

[ragdon]

Hi,
I've used your script, but cannot see my samba drive on a networked PC. by using another firewall script (jay's i think) I can. Will part three discuss howto allow samba drives to be seen?

I've tried allowing TCP and UDP access to ports 137:139 but it doesn't seem to work.

cheers,
Roger

[krunk]

Damn, I've let this lie for quite a while but so many people are still referrring to it I need to update it this weekend.

With Samba, it would be a matter of opening up the proper port. A quick google search says these are 138 and 139.

[raistlinr]

hello all. this is actually my first post on these forums. I was actually searching on how to compile the kernel with iptables-capability, and I found this and part I. I was intrigued and just kept on reading. Someone had asked some question about DHCP assigned ip address for the external, and I though I would post the firewall I have used. The guy who helped me write it wrote it for fedora core 2, but you should be able to change the saving method, adn the rest still works fine. (unless some wierd rule changed has happened). I think it is pretty well commented.

edit:by the way I use all kinds of internal servers such as samba with this setup, never had a problem. And I am using the machine this is on as a firewall/router

#!/bin/sh
#
# Save this to /root/iptables-gw
#
# For a system to function as a firewall the kernel has to be told to forward
# packets between interfaces, i.e., it needs to be a router. Since you'll save
# the running config with 'iptables save' for RedHat to reinstate at the next
# boot IP fordarding must be enabled by other than this script for production
# use. That's best done by editing /etc/sysctl.conf and setting:
#
# net.ipv4.ip_forward = 1
#
# Since that file will only be read at boot, you can uncomment the following
# line to enable forwarding on the fly for initial testing. Just remember that
# the saved iptables data won't include the command.
#
echo 1 > /proc/sys/net/ipv4/ip_forward
#
# Once the rule sets are to your liking you can easily arrange to have them
# installed at boot on a Redhat box (7.1 or later). Save the rules with:
#
# service iptables save
#
# which saves the running ruleset to /etc/sysconfig/iptables. When
# /etc/init.d/iptables executes it will see the file and restore the rules.
#
# I find it easier to modify this file and run it (make sure it is executable
# with 'chmod +x iptables-gw') to change the rulesets, rather than
# modifying the running rules. That way I have a readable record
# of the firewall configuration.
#
# Set an absolute path to IPTABLES and define the interfaces.
#
IPT=iptables
#
# OUTSIDE is the outside or untrusted interface that connects to the Internet
# and INSIDE is, well that ought to be obvious.
#
OUTSIDE=eth0
INSIDE=eth1
INSIDE_IP=192.168.0.1
#
# Clear out any existing firewall rules, and any chains that might have
# been created. Then set the default policies.
#
$IPT -F
$IPT -F INPUT
$IPT -F OUTPUT
$IPT -F FORWARD
$IPT -F -t mangle
$IPT -F -t nat
$IPT -X
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
#
# Begin setting up the rulesets. First define some rule chains to handle
# exception conditions. These chains will receive packets that we aren't
# willing to pass. Limiters on logging are used so as to not to swamp the
# firewall in a DOS scenario.
#
# silent - Just dop the packet
# tcpflags - Log packets with bad flags, most likely an attack
# firewalled - Log packets that that we refuse, possibly from an attack
#
$IPT -N silent
$IPT -A silent -j DROP

$IPT -N tcpflags
$IPT -A tcpflags -m limit --limit 15/minute -j LOG --log-prefix TCPflags:
$IPT -A tcpflags -j DROP

$IPT -N firewalled
$IPT -A firewalled -m limit --limit 15/minute -j LOG --log-prefix Firewalled:
$IPT -A firewalled -j DROP
#
# Use NPAT if you have a dynamic IP. Otherwise comment out the following
# line and use the Source NAT below.
#
$IPT -t nat -A POSTROUTING -o $OUTSIDE -j MASQUERADE
#
# Use Source NAT if to do the NPAT you have a static IP or netblock.
# Remember to change the IP to be that of your OUTSIDE NIC.
#
#$IPT -t nat -A POSTROUTING -o $OUTSIDE -j SNAT --to 1.2.3.4
#
# These are all TCP flag combinations that should never, ever, occur in the
# wild. All of these are illegal combinations that are used to attack a box
# in various ways.
#
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL ALL -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j tcpflags
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j tcpflags
#
# Allow selected ICMP types and drop the rest.
#
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp -j firewalled
#
# Don't leak SMB traffic onto the Internet. We've slipped the surly bonds of windows
# and are dancing on the silvery wings of Linux.
#
$IPT -A FORWARD -p udp --dport 137 -j silent
$IPT -A FORWARD -p udp --dport 138 -j silent
$IPT -A FORWARD -p udp --dport 139 -j silent
$IPT -A FORWARD -p udp --dport 445 -j silent
#
# If you want to be able to connect via SSH from the Internet
# uncomment the next line.
#
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 22 -j ACCEPT
#
# Examples of Port forwarding.
#
# The first forwards HTTP traffic to 10.0.0.10
# The second forwards SSH to 10.0.0.10
# The third forwards a block of tcp and udp ports (2300-2400) to 10.0.0.10
#
# Remember that if you intend to forward something that you'll also
# have to add a rule to permit the inbound traffic.
#
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 80 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 22 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p tcp --dport 2300:2400 -j DNAT --to 10.0.0.10
#$IPT -t nat -A PREROUTING -i $OUTSIDE -p udp --dport 2300:2400 -j DNAT --to 10.0.0.10
#
# Examples of allowing inbound for the port forwarding examples above.
#
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 80 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p tcp --dport 2300:2400 -j ACCEPT
#$IPT -A INPUT -i $OUTSIDE -d 0/0 -p udp --dport 2300:2400 -j ACCEPT
#
# The loopback interface is inheritly trustworthy. Don't disable it or
# a number of things on the firewall will break.
#
$IPT -A INPUT -i lo -j ACCEPT
#
# Uncomment the following if the inside machines are trustworthy and
# there are services on the firewall, like DNS, web, etc., that they need to
# access. And remember to change the IP to be that of the INSIDE interface
# of the firewall.
#
$IPT -A INPUT -i $INSIDE -d $INSIDE_IP -j ACCEPT
#
# If you are running a DHCP server on the firewall uncomment the next line
#
$IPT -A INPUT -i $INSIDE -d 255.255.255.255 -j ACCEPT
#
# Allow packets that are part of an established connection to pass
# through the firewall. This is required for normal Internet activity
# by inside clients.
#
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#
# Anything that hasn't already matched gets logged and then dropped.
#
$IPT -A INPUT -j firewalled

[59729]

A question, if all DEFAULT ?POLICIE'S/POLICYS? is set to 'DROP' why have all those REJECT/DROP rules... arent they redundant?

[raistlinr]

A question, if all DEFAULT ?POLICIE'S/POLICYS? is set to 'DROP' why have all those REJECT/DROP rules... arent they redundant?

indeed they are. HTe only reason I do both is so that if I forget to firewall something important, I don't get fried. I suppose the rest of it is just an exercise in how to build a firewall. Either way, it seems to be fairly common practice, tallking to the CS guys who run the labs at CU. Here are a couple more examples of people doing it as well:

http://www.faqs.org/docs/iptables/examplecode.html
http://www.linux-sec.net/Wireless/Insta ... c.firewall

I am also told it is a way to keep track in your mind what you want to allow and what you don't after setting the defaults. better safe than sorry

[[smeagol]]

Does anyone know what specifically it takes to get this script working with DHCP?

When I set

Code: Select all

iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP

nothing works. However, once I change it to ACCEPT, things work fine.

When I have it set to drop, it seems that I can access the dhcp server(on my router) and get assigned an ip, but then the router itself can't seem to get anything from the dhcp server at the ISP.

this is the code I am using to open up output ports

Code: Select all

echo -n "FW: Allowing inside system to use service"
for i in $TCPSERVOUT
do
        echo -n "$i "
        $IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT
        $IPT -A FORWARD -i $INTIF -p tcp -s $INTNET --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""

for i in $UDPSERVOUT
do
        echo -n "$i "
        $IPT -A OUTPUT -o $EXTIF -p udp -s $EXTIP --dport $i -m state --state NEW -j ACCEPT
        $IPT -A FORWARD -i $INTIF -p udp -s $INTNET --dport $i --syn -m state -state NEW -j ACCEPTd$
echo ""

Where $TCPSERVOUT and $UDPSERVOUT would have the ports to output to, mine are:

Code: Select all

TCPSERVOUT="mysql bootps domain ssh www https mail ftp ftp-data imaps imap3 time $DHCP"
UDPSERVOUT="bootps domain time $YAHOO $DHCP"

I defined $DHCP as 67
[/code]

[john82382]

A question, if all DEFAULT ?POLICIE'S/POLICYS? is set to 'DROP' why have all those REJECT/DROP rules... arent they redundant?

indeed they are. HTe only reason I do both is so that if I forget to firewall something important, I don't get fried. I suppose the rest of it is just an exercise in how to build a firewall. Either way, it seems to be fairly common practice, tallking to the CS guys who run the labs at CU. Here are a couple more examples of people doing it as well:

http://www.faqs.org/docs/iptables/examplecode.html
http://www.linux-sec.net/Wireless/Insta ... c.firewall

I am also told it is a way to keep track in your mind what you want to allow and what you don't after setting the defaults. better safe than sorry

Also, isn't it good for logging and analysis to have what is dropped or rejected be separated into different categories?

[neurolabs]

nice guide, it helped me improve my setup...

I have extended the script to allow (internal and external) services on the firewall, p2p clients, cleaned it up a bit and made it more flexible.
Since I don't want to post the script inline and don't want to maintain it on a server I'll pm the author so he can integrate my changes. If anyone can't wait, feel free to pm me...

[edit]
I discovered a mistake in the script. These lines:

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

should look like this:

$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

else the script won't run non interactively e.g from /etc/ppp/ip-up

also you should probably use these lines for generation of network information, since they work on localized machines as well:

# Setting up external interface environment variables
EXTIP="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
EXTBC="255.255.255.255"
EXTMSK="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"
EXTNET="$EXTIP/$EXTMSK"
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET"

# Setting up environment variables for internal interface
INTIP="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`"
INTBC="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[3],a," ");print a[1];exit}'`"
INTMSK="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`"
INTNET="$INTIP/$INTMSK"
echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET"

[/edit]

[imrambi]

Hey krunk, sorry but this is month 8. Anywho, I just started using your post to set up my firewall. Going from a linksys to a gentoo server/router. Part I was a great help, and once I tighted security, my change will occur.

[cato`]

Does anyone know what specifically it takes to get this script working with DHCP?

When I set

Code: Select all

iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
iptables -A OUTPUT -j DROP

nothing works. However, once I change it to ACCEPT, things work fine.

When I have it set to drop, it seems that I can access the dhcp server(on my router) and get assigned an ip, but then the router itself can't seem to get anything from the dhcp server at the ISP.

this is the code I am using to open up output ports

Code: Select all

echo -n "FW: Allowing inside system to use service"
for i in $TCPSERVOUT
do
        echo -n "$i "
        $IPT -A OUTPUT -o $EXTIF -p tcp -s $EXTIP --dport $i --syn -m state --state NEW -j ACCEPT
        $IPT -A FORWARD -i $INTIF -p tcp -s $INTNET --dport $i --syn -m state --state NEW -j ACCEPT
done
echo ""

for i in $UDPSERVOUT
do
        echo -n "$i "
        $IPT -A OUTPUT -o $EXTIF -p udp -s $EXTIP --dport $i -m state --state NEW -j ACCEPT
        $IPT -A FORWARD -i $INTIF -p udp -s $INTNET --dport $i --syn -m state -state NEW -j ACCEPTd$
echo ""

Where $TCPSERVOUT and $UDPSERVOUT would have the ports to output to, mine are:

Code: Select all

TCPSERVOUT="mysql bootps domain ssh www https mail ftp ftp-data imaps imap3 time $DHCP"
UDPSERVOUT="bootps domain time $YAHOO $DHCP"

I defined $DHCP as 67
[/code]

I have exactly the same problem, anyone able to help us out?

[[smeagol]]

Well, I think I made a typo somewhere in there. Here's a copy of my working iptables

Code: Select all

####
#Std Vars
####

EXTIF=eth0 
INTIF1=eth1
LPDIF=lo 
LPDIP=127.0.0.1 
LPDMSK=255.0.0.0 
LPDNET="$LPDIP/$LPDMSK" 

IPT='/sbin/iptables' 
IFC='/sbin/ifconfig' 
G='/bin/grep' 
SED='/bin/sed' 

####
#Hostnames
####

C20='10.0.0.20'
C12='10.0.0.12'
C17='10.0.0.17'
C32='10.0.0.32'                                                                                 

####
#Deny EVERYTHING
####
                                                                                 
$IPT        -P INPUT       DROP 
$IPT        -P OUTPUT      DROP 
$IPT        -P FORWARD     DROP 
                                                                                 
####
#Flush Existing Chains
####

CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null` 
for i in $CHAINS; 
do 
    $IPT -t $i -F 
done 

for i in $CHAINS; 
do 
    $IPT -t $i -X 
done 

####
#/proc Settings
####

echo 1 > /proc/sys/net/ipv4/tcp_syncookies 
echo 0 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 

# Source Address Verification 
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do 
        echo 1 > $f 
done 
# Disable IP source routing and ICMP redirects 
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do 
        echo 0 > $f 
done 
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do 
        echo 0 > $f 
done 
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
echo 1> /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

echo 1 > /proc/sys/net/ipv4/ip_forward 

####
#Interface Variables
####

EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`" 
EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`" 
EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`" 
EXTNET="$EXTIP/$EXTMSK" 
                                                                                 
INTIP1="`$IFC $INTIF1|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`" 
INTBC1="`$IFC $INTIF1|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`" 
INTMSK1="`$IFC $INTIF1|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`" 
INTNET1="$INTIP1/$INTMSK1" 

####
#Logging
####

$IPT -N DROPl   2> /dev/null 
$IPT -A DROPl   -j LOG --log-prefix 'DROPl:' 
$IPT -A DROPl   -j DROP 

$IPT -N REJECTl 2> /dev/null 
$IPT -A REJECTl -j LOG --log-prefix 'REJECTl:' 
$IPT -A REJECTl -j REJECT 

####
#Lax Loopback Filters
####
                                                                                 
$IPT -A INPUT   -i $LPDIF -s $LPDIP  -j ACCEPT 
$IPT -A INPUT   -i $LPDIF -s $EXTIP  -j ACCEPT 
$IPT -A INPUT   -i $LPDIF -s $INTIP1 -j ACCEPT 

$IPT -A OUTPUT -o $LPDIF  -d $LPDIP  -j ACCEPT
$IPT -A OUTPUT -o $INTIF1 -d $INTIP1 -j ACCEPT
$IPT -A OUTPUT -o $EXTIF  -d $EXTIP  -j ACCEPT                                                                                 

####
#Blocking Broadcasts Both In and Out
####

$IPT -A INPUT   -i $EXTIF -d   $EXTBC  -j DROPl 
$IPT -A INPUT   -i $INTIF1 -d   $INTBC1  -j DROPl 
$IPT -A OUTPUT  -o $EXTIF -d   $EXTBC  -j DROPl 
$IPT -A OUTPUT  -o $INTIF1 -d   $INTBC1  -j DROPl 
$IPT -A FORWARD -o $EXTIF -d   $EXTBC  -j DROPl 
$IPT -A FORWARD -o $INTIF1 -d   $INTBC1  -j DROPl 
                                                                                 
 # Block WAN access to internal network 
 # This also stops nefarious crackers from using our network as a 
 # launching point to attack other people 
 # iptables translation: 
 # "if input going into  our external interface does not originate from our isp assigned 
 # ip address, drop it like a hot potato 
                                                                                 
 $IPT -A INPUT   -i $EXTIF -d ! $EXTIP  -j DROPl 
                                                                                 
 # Now we will block internal addresses originating from anything butour 
 # two predefined interfaces.....just remember that if you jack your 
 # your laptop or another pc into one of these NIC's directly, you'll need # to ensure that they either have the same ip or that you add a line explicitly 
 # that IP as well                                                                                
 # Interface one/internal net one 
 $IPT -A INPUT   -i $INTIF1 -s ! $INTNET1 -j DROPl 
 $IPT -A OUTPUT  -o $INTIF1 -d ! $INTNET1 -j DROPl 
 $IPT -A FORWARD -i $INTIF1 -s ! $INTNET1 -j DROPl 
 $IPT -A FORWARD -o $INTIF1 -d ! $INTNET1 -j DROPl 
                                                                                 
# An additional Egress check 
$IPT -A OUTPUT  -o $EXTIF -s ! $EXTNET -j DROPl 
                                                                                 
# Block outbound ICMP (except for PING) 
$IPT -A OUTPUT  -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl 
$IPT -A FORWARD -o $EXTIF -p icmp --icmp-type ! 8 -j DROPl 

####
#Blocking Bad Ports
####

 # COMmon ports:
 # 0 is tcpmux; SGI had vulnerability, 1 is common attack
 # 13 is daytime
 # 98 is Linuxconf
 # 111 is sunrpc (portmap)
 # 137:139, 445 is Microsoft
 # SNMP: 161,2
 # Squid flotilla: 3128, 8000, 8008, 8080
 # 1214 is Morpheus or KaZaA
 # 2049 is NFS
 # 3049 is very virulent Linux Trojan, mistakable for NFS
 # Common attacks: 1999, 4329, 6346
 # Common Trojans 12345 65535
 COMBLOCK="0:1 13 98 111 137:139 161:162 445 1214 1999 2049 3049 4329 6346 3128 8000 8008 8080 12345 65535"

 # TCP ports:
 # 98 is Linuxconf
 # 512-5!5 is rexec, rlogin, rsh, printer(lpd)
 #   [very serious vulnerabilities; attacks continue daily]
 # 1080 is Socks proxy server
 # 6000 is X (NOTE X over SSH is secure and runs on TCP 22)
 # Block 6112 (Sun's/HP's CDE)
 TCPBLOCK="$COMBLOCK 98 512:515 1080 6000:6009 6112"

 # UDP ports:
 # 161:162 is SNMP
 # 520=RIP, 9000 is Sangoma
 # 517:518 are talk and ntalk (more annoying than anything)
 UDPBLOCK="$COMBLOCK 161:162 520 123 517:518 1427 9000"

 for i in $TCPBLOCK;
 do
   $IPT -A INPUT   -p tcp --dport $i  -j DROPl
   $IPT -A OUTPUT  -p tcp --dport $i  -j DROPl
   $IPT -A FORWARD -p tcp --dport $i  -j DROPl
 done
 for i in $UDPBLOCK;
 do
     $IPT -A INPUT   -p udp --dport $i  -j DROPl
     $IPT -A OUTPUT  -p udp --dport $i  -j DROPl
     $IPT -A FORWARD -p udp --dport $i  -j DROPl
 done
################################
# Outside Server Filtering crap#
################################
$IPT -N INETIN
$IPT -F INETIN
$IPT -t filter -A INETIN -p icmp --icmp-type echo-request -m limit --limit 1/second --limit-burst 5 -j ACCEPT
$IPT -t filter -A INETIN -p icmp -j DROPl
$IPT -t filter -A INETIN -p icmp --icmp-type ! echo-request -j ACCEPT

#ODD TCP occurences
$IPT -t filter -N ODDTCP
$IPT -t filter -A INETIN -p tcp --tcp-flags SYN,FIN SYN,FIN -j ODDTCP
$IPT -t filter -A INETIN -p tcp --tcp-flags SYN,RST SYN,RST -j ODDTCP
$IPT -t filter -A INETIN -p tcp --tcp-flags SYN,URG SYN,URG -j ODDTCP
$IPT -t filter -A INETIN -p tcp --tcp-flags SYN,URG SYN,URG -j ODDTCP
$IPT -t filter -A ODDTCP -p tcp -m state --state ESTABLISHED -j LOG --log-prefix "ODDTCP" --log-level 1
$IPT -t filter -A ODDTCP -p tcp -m state --state ESTABLISHED -j RETURN
$IPT -t filter -A ODDTCP -j DROP

$IPT -t filter -A INETIN -m state --state INVALID -j DROP

#######################
# Port Scan Filtering #
#######################
  $IPT -N check-flags
  $IPT -F check-flags
  $IPT -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 5/minute -j LOG --log-level alert --log-prefix "NMAP-XMAS:" 
  $IPT -A check-flags -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
  $IPT -A check-flags -p tcp --tcp-flags ALL ALL -m limit --limit  5/minute -j LOG --log-level 1 --log-prefix "XMAS:"
  $IPT -A check-flags -p tcp --tcp-flags ALL ALL -j DROP
  $IPT -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG  -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "XMAS-PSH:"
  $IPT -A check-flags -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
  $IPT -A check-flags -p tcp --tcp-flags ALL NONE -m limit --limit 5/minute -j LOG --log-level 1 --log-prefix "NULL_SCAN:"
  $IPT -A check-flags -p tcp --tcp-flags ALL NONE -j DROP
  $IPT -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/RST:"
  $IPT -A check-flags -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
  $IPT -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 5/minute -j LOG --log-level 5 --log-prefix "SYN/FIN:"
  $IPT -A check-flags -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
####
#Allowing and Blocking Services
####

source /etc/firewall/firewall.services
for i in $EXTTCPINPUT;
do
	$IPT -t filter -A INETIN -p tcp --dport $i -j ACCEPT
done
for i in $EXTUDPINPUT;
do
	$IPT -t filter -A INETIN -p udp --dport $i -j ACCEPT
done
for i in $EXTTCPFORWARD;
do
	$IPT -A FORWARD -p tcp --dport $i -j ACCEPT
done
for i in $EXTUDPFORWARD;
do
	$IPT -A FORWARD -p udp --dport $i -j ACCEPT
done
for i in $EXTTCPOUTPUT;
do
	$IPT -A OUTPUT -p tcp --dport $i -j ACCEPT
done
for i in $EXTUDPOUTPUT;
do
	$IPT -A OUTPUT -p udp --dport $i -j ACCEPT
done
for i in $INTTCPSERV;
do
	$IPT -A INPUT	-s $INTNET1 -p tcp --dport $i -j ACCEPT
        $IPT -A OUTPUT  -d $INTNET1 -p tcp --dport $i -j ACCEPT
done
for i in $INTUDPSERV;
do
	$IPT -A INPUT   -s $INTNET1 -p udp --dport $i -j ACCEPT
        $IPT -A OUTPUT  -d $INTNET1 -p udp --dport $i -j ACCEPT
done

#allowing outbound connections
$IPT -t filter -A INETIN -m state --state ESTABLISHED -j ACCEPT
#$IPT -t filter -A INETIN -p tcp --dport 1024:65535 -m state --state RELATED -j TCPACCEPT
#$IPT -t filter -A INETIN -p udp --dport 1024:65535 -m state --state RELATED -j UDPACCEPT

####
#Pings
####

# Allow to ping out 
$IPT -A OUTPUT  -o $EXTIF -p icmp -s $EXTIP --icmp-type 8 -m state --state NEW -j ACCEPT 
$IPT -A FORWARD -i $INTIF1 -p icmp -s $INTNET1 --icmp-type 8 -m state --state NEW -j ACCEPT 
# allow others to ping in
$IPT -A INPUT   -i $INTIF1 -p icmp -s $INTNET1 --icmp-type 8 -m state --state NEW -j ACCEPT
# Allow firewall to ping internal systems 
$IPT -A OUTPUT  -o $INTIF1 -p icmp -s $INTNET1 --icmp-type 8 -m state --state NEW -j ACCEPT 

####
#SSH always on
####

$IPT -A INPUT   -i $INTIF1 -p tcp --dport 22 --syn -m state --state NEW -j ACCEPT 

####
#NAT
####

$IPT -t nat -A PREROUTING                       -j ACCEPT 
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET1 -j MASQUERADE 
$IPT -t nat -A POSTROUTING                      -j ACCEPT 
$IPT -t nat -A OUTPUT                           -j ACCEPT 

####
#Auth Always On ???
####

$IPT -A INPUT   -p tcp --dport auth --syn -m state --state NEW -j ACCEPT 

####
#If already established, accept
####

$IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT 
$IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT 
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 

####
#Block and Log Everything Else
####
$IPT -A INPUT		  -j INETIN
$IPT -A INPUT		  -j check-flags
$IPT -A INPUT             -j DROPl 
$IPT -A OUTPUT            -j REJECTl 
$IPT -A OUTPUT 	          -j check-flags
$IPT -A FORWARD           -j DROPl
$IPT -A FORWARD		  -j check-flags 
$IPT -A FORWARD		  -j INETIN

and the file that file includes

Code: Select all

IRC='ircd'
AIM='5190 2996'
OpenPGP_HTTP_Keyserver=11371
SPAMD=783
CLAMAV=3310
DHCP=67
CVS=2401
WHOIS=43
YAHOO='5000 5001 5050'
AMAVIS=10024
TCPSERV="domain ssh www https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 time $PORTAGE $IRC $MSN $ICQ $OpenPGP_HTTP_Keyserver"
UDPSERV="domain time ldap ldaps"

#EXTSERVTCP="ssh http https ftp mail pop3 pop3s imap3 imaps time rsync $AIM ldap ldaps"
EXTTCPINPUT="ftp mail imaps http https"
EXTUDPINPUT=""
EXTTCPFORWARD="domain ssh time www http https ftp mail imap3 imaps time rsync $YAHOO $WHOIS $AIM $CVS $IRC"
EXTUDPFORWARD="domain time $WHOIS $AIM $IRC $YAHOO"
EXTTCPOUTPUT="$EXTTCPFORWARD"
EXTUDPOUTPUT="$EXTUDPFORWARD"
INTTCPSERV="www https ftp mysql time rsync ssh $SPAMD $CLAMAV $AMAVIS"
INTUDPSERV="$DHCP $AMAVIS"

[krunk]

Hello, neurolabs did some housecleaning on my original script and changed the ip/broadcasting to awk for greater portability on other platforms. You'll also notice a P2P section based on uid, so make sure you put the apropriate username in there.

Code: Select all

#!/bin/sh 
# 





# ********** VARIABLE DEFINITIONS ********** 
# 
# External interface 
EXTIF="ppp0" 
# Internal interface 
INTIF="eth1" 

# Loop device/localhost 
LPDIF="lo" 
LPDIP="127.0.0.1" 
LPDMSK="255.0.0.0" 
LPDNET="$LPDIP/$LPDMSK" 

# Text tools variables 
IPT="/sbin/iptables" 
IFC="/sbin/ifconfig" 
G="/bin/grep" 
SED="/bin/sed" 
AWK="/bin/awk" 

# Setting up external interface environment variables 
# The following doesn't play nice with localization 
#EXTIP="`$IFC $EXTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`" 
# This one does AFAIK 
EXTIP="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`" 
#EXTBC="`$IFC $EXTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`" 
EXTBC="255.255.255.255" 
# same problem here with localization 
EXTMSK="`$IFC $EXTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`" 
EXTMSK="`$IFC $EXTIF|$AWK /$EXTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`" 
EXTNET="$EXTIP/$EXTMSK" 
echo "EXTIP=$EXTIP EXTBC=$EXTBC EXTMSK=$EXTMSK EXTNET=$EXTNET" 
# Due to absence of EXTBC I manually set it to 255.255.255.255 
# this (hopefully) will serve the same purpose 

# Setting up environment variables for internal interface 
INTIP="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[2],a," ");print a[1];exit}'`" 
#INTIP="`$IFC $INTIF|$G addr:|$SED 's/.*addr:\([^ ]*\) .*/\1/'`" 
INTBC="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[3],a," ");print a[1];exit}'`" 
#INTBC="`$IFC $INTIF|$G Bcast:|$SED 's/.*Bcast:\([^ ]*\) .*/\1/'`" 
INTMSK="`$IFC $INTIF|$AWK /$INTIF/'{next}//{split($0,a,":");split(a[4],a," ");print a[1];exit}'`" 
#INTMSK="`$IFC $INTIF|$G Mask:|$SED 's/.*Mask:\([^ ]*\)/\1/'`" 
INTNET="$INTIP/$INTMSK" 
echo "INTIP=$INTIP INTBC=$INTBC INTMSK=$INTMSK INTNET=$INTNET" 

# Last but not least, the users for owner matching 
P2PUSER="ole" 





# ********** INITIALIZATION ********** 
# 
# Deny then accept: this keeps holes from opening up 
# while we close ports and such 
$IPT        -P INPUT       DROP 
$IPT        -P OUTPUT      DROP 
$IPT        -P FORWARD     DROP 

#IPT        -P INPUT       ACCEPT 
#IPT        -P OUTPUT      ACCEPT 
#IPT        -P FORWARD     ACCEPT 

# Flush all existing chains and erase personal chains 
CHAINS=`cat /proc/net/ip_tables_names 2>/dev/null` 
for i in $CHAINS; 
do 
    $IPT -t $i -F 
done 
for i in $CHAINS; 
do 
    $IPT -t $i -X 
done 

# enable syncookies & ignore icmp broadcasts 
echo 1 > /proc/sys/net/ipv4/tcp_syncookies 
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 

# Source Address Verification 
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do 
        echo 1 > $f 
done 
# Disable IP source routing and ICMP redirects 
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do 
        echo 0 > $f 
done 
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do 
        echo 0 > $f 
done 
# Log Martians 
for i in /proc/sys/net/ipv4/conf/*/log_martians ; do 
        echo 1 > $i 
done 

# activate forwarding & dynamic address 
echo 1 > /proc/sys/net/ipv4/ip_forward 
echo 1 > /proc/sys/net/ipv4/ip_dynaddr 

# Loading necessary kernel modules 
# example: MODULES="ip_nat_ftp ip_conntrack_ftp" 
MODULES="ipt_owner" 
for i in $MODULES; 
do 
  echo "Inserting module $i" 
  modprobe $i 
done 





# ********** LOGGING CHAINS ********** 
# 
# We are now going to create a few custom chains that will result in 
# logging of dropped packets. This will enable us to avoid having to 
# enter a log command prior to every drop we wish to log. The 
# first will be first log drops the other will log rejects. 

# Do not complain if chain already exists (so restart is clean) 
$IPT -N DROPl   2> /dev/null 
$IPT -A DROPl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP BLOCKED:' 
$IPT -A DROPl   -j DROP 

$IPT -N REJECTl 2> /dev/null 
$IPT -A REJECTl -m limit --limit 3/minute --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT BLOCKED:' 
$IPT -A REJECTl -j REJECT 

$IPT -N DROP2   2> /dev/null 
$IPT -A DROP2 -m limit --limit 3/second --limit-burst 10 -j LOG --log-prefix 'FIREWALL DROP UNKNOWN:' 
$IPT -A DROP2   -j DROP 

$IPT -N REJECT2 2> /dev/null 
$IPT -A REJECT2 -m limit --limit 3/second --limit-burst 10 -j LOG --log-prefix 'FIREWALL REJECT UNKNOWN:' 
$IPT -A REJECT2 -j REJECT 

# For testing, a logging ACCEPT chain 
$IPT -N ACCEPTl   2> /dev/null 
$IPT -A ACCEPTl -m limit --limit 10/second --limit-burst 50 -j LOG --log-prefix 'FIREWALL ACCEPT:' 
$IPT -A ACCEPTl   -j ACCEPT 





# ********** SANE COMMON RULES ********** 
# 
# Now we are going to accept all traffic from or to our loopback device 
# if the IP matches any of our interfaces. 
$IPT -A INPUT   -i $LPDIF -s   $LPDIP  -j ACCEPT 
$IPT -A INPUT   -i $LPDIF -s   $EXTIP  -j ACCEPT 
$IPT -A INPUT   -i $LPDIF -s   $INTIP  -j ACCEPT 
$IPT -A OUTPUT   -o $LPDIF -d   $LPDIP  -j ACCEPT 
$IPT -A OUTPUT   -o $LPDIF -d   $EXTIP  -j ACCEPT 
$IPT -A OUTPUT   -o $LPDIF -d   $INTIP  -j ACCEPT 

# Blocking Broadcasts 
$IPT -A INPUT   -i $EXTIF -d   $EXTBC  -j DROPl 
$IPT -A INPUT   -i $INTIF -d   $INTBC  -j DROPl 
$IPT -A OUTPUT  -o $EXTIF -d   $EXTBC  -j DROPl 
$IPT -A OUTPUT  -o $INTIF -d   $INTBC  -j DROPl 
$IPT -A FORWARD -o $EXTIF -d   $EXTBC  -j DROPl 
$IPT -A FORWARD -o $INTIF -d   $INTBC  -j DROPl 

# Block WAN access to internal network 
# This also stops nefarious crackers from using our network as a 
# launching point to attack other people 
# iptables translation: 
# "if input going into  our external interface does not  our isp assigned 
# ip address, drop it like a hot potato 
$IPT -A INPUT   -i $EXTIF -d ! $EXTIP  -j DROPl 

# Now we will block internal addresses originating from anything but our 
# predefined interface.....just remember that if you jack your 
# laptop or another pc into one of these NIC's directly, you'll need 
# to ensure that they either have the same ip or that you add a line explicitly 
# that IP as well 
# Interface one/internal net one 
$IPT -A INPUT   -i $INTIF -s ! $INTNET -j DROPl 
$IPT -A OUTPUT  -o $INTIF -d ! $INTNET -j DROPl 
$IPT -A FORWARD -i $INTIF -s ! $INTNET -j DROPl 
$IPT -A FORWARD -o $INTIF -d ! $INTNET -j DROPl 

# An additional Egress check 
$IPT -A OUTPUT  -o $EXTIF -s ! $EXTNET -j DROPl 

# Block outbound ICMP (except for PING) 

$IPT -A OUTPUT  -o $EXTIF -p icmp \ 
  --icmp-type ! 8 -j DROPl 
$IPT -A FORWARD -o $EXTIF -p icmp \ 
    --icmp-type ! 8 -j DROPl 

# Allow to ping out 
$IPT -A OUTPUT  -o $EXTIF -p icmp -s $EXTIP  \ 
    --icmp-type 8 -m state --state NEW -j ACCEPT 
$IPT -A FORWARD -i $INTIF -p icmp -s $INTNET \ 
    --icmp-type 8 -m state --state NEW -j ACCEPT 

# Allow internal network to ping internal systems 
$IPT -A OUTPUT  -o $INTIF -p icmp -s $INTNET \ 
    --icmp-type 8 -m state --state NEW -j ACCEPT 
$IPT -A INPUT   -i $INTIF -p icmp -s $INTNET \ 
    --icmp-type 8 -m state --state NEW -j ACCEPT 





# ********** BLOCKING THE EVIL PORTS ********** 
# 
# COMmon ports: 
# 0 is tcpmux; SGI had vulnerability, 1 is common attack 
# 13 is daytime 
# 98 is Linuxconf 
# 111 is sunrpc (portmap) 
# 135 is DCOM RPC 
# 137:139, 445 is Microsoft 
# SNMP: 161,2 
# Squid flotilla: 3128, 8000, 8008, 8080 
# 1214 is Morpheus or KaZaA 
# 2049 is NFS 
# 3049 is very virulent Linux Trojan, mistakable for NFS 
# Common attacks: 1999, 4329, 6346 (gnutella - removed) 
# Common Trojans 12345 65535 
INTCOMBLOCK="0:1 13 98 111 135 161:162 1214 1999 2049 3049 4329 3128 8000 8008 8080 12345 65535" 
EXTCOMBLOCK="137:139 445" 

# TCP ports: 
# 512-5!5 is rexec, rlogin, rsh, printer(lpd) 
#   [very serious vulnerabilities; attacks continue daily] 
# 1080 is Socks proxy server 
# 6000 is X (NOTE X over SSH is secure and runs on TCP 22) 
# Block 6112 (Sun's/HP's CDE) 
INTTCPBLOCK="$INTCOMBLOCK 512:515 1080 6000:6009 6112" 
EXTTCPBLOCK="$INTCOMBLOCK $EXTCOMBLOCK 512:515 1080 6000:6009 6112" 

# UDP ports: 
# 161:162 is SNMP 
# 520=RIP, 9000 is Sangoma 
# 517:518 are talk and ntalk (more annoying than anything) 
INTUDPBLOCK="$INTCOMBLOCK 161:162 520 517:518 1427 9000" 
EXTUDPBLOCK="$INTCOMBLOCK $EXTCOMBLOCK 161:162 520 123 517:518 1427 9000" 


echo -n "FW: Blocking internal attacks to TCP port: " 
for i in $INTTCPBLOCK; 
do 
echo -n "$i " 
  $IPT -A INPUT   -p tcp -s $INTNET --dport $i  -j DROPl 
  $IPT -A OUTPUT  -p tcp -s $INTNET --dport $i  -j DROPl 
  $IPT -A FORWARD -p tcp -s $INTNET --dport $i  -j DROPl 
done 
echo "" 

echo -n "FW: Blocking external attacks to TCP port: " 
for i in $EXTTCPBLOCK; 
do 
echo -n "$i " 
  $IPT -A INPUT   -p tcp -s ! $INTNET --dport $i  -j DROPl 
  $IPT -A OUTPUT  -p tcp -s ! $INTNET --dport $i  -j DROPl 
  $IPT -A FORWARD -p tcp -s ! $INTNET --dport $i  -j DROPl 
done 
echo "" 

echo -n "FW: Blocking internal attacks to UDP port: " 
for i in $INTUDPBLOCK; 
do 
  echo -n "$i " 
    $IPT -A INPUT   -p udp -s $INTNET --dport $i  -j DROPl 
    $IPT -A OUTPUT  -p udp -s $INTNET --dport $i  -j DROPl 
    $IPT -A FORWARD -p udp -s $INTNET --dport $i  -j DROPl 
done 
echo "" 

echo -n "FW: Blocking external attacks to UDP port: " 
for i in $EXTUDPBLOCK; 
do 
  echo -n "$i " 
    $IPT -A INPUT   -p udp -s ! $INTNET --dport $i  -j DROPl 
    $IPT -A OUTPUT  -p udp -s ! $INTNET --dport $i  -j DROPl 
    $IPT -A FORWARD -p udp -s ! $INTNET --dport $i  -j DROPl 
done 
echo "" 





# ********** ALLOWING INSIDE TO OUTSIDE SERVICES ********** 
# 
# This is where things go you want to use from your network on the internet 
# 
# Defining some common chat clients. Remove these from your accepted list for better security. 
IRC='ircd' 
MSN=1863 
ICQ=5190 
NFS='sunrpc' 
# We have to sync!! 
PORTAGE='rsync' 
OpenPGP_HTTP_Keyserver=11371 

# All services ports are read from /etc/services 

TCPSERV="domain ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2 time $PORTAGE $IRC $OpenPGP_HTTP_Keyserver" 
UDPSERV="domain time" 

echo -n "FW: Allowing inside systems to use services: " 
for i in $TCPSERV; 
do 
   echo -n "$i " 
   $IPT -A OUTPUT  -o $EXTIF -p tcp -s $EXTIP  \ 
    --dport $i --syn -m state --state NEW -j ACCEPT 
   $IPT -A FORWARD -i $INTIF -p tcp -s $INTNET \ 
    --dport $i --syn -m state --state NEW -j ACCEPT 

done 
echo "" 

echo -n "FW: Allowing inside systems to use services: " 
for i in $UDPSERV; 
do 
    echo -n "$i " 
    $IPT -A OUTPUT  -o $EXTIF -p udp -s $EXTIP  \ 
        --dport $i -m state --state NEW -j ACCEPT 
    $IPT -A FORWARD -i $INTIF -p udp -s $INTNET \ 
        --dport $i -m state --state NEW -j ACCEPT 
done 
echo "" 





# ********** ALLOWING SERVICES ON FIREWALL ********** 
# 
# DAEMONS on firewall which should be accessible to inside/outside. 
# it is presumed that DAEMONS advertised to the outside can also 
# be advertised safely to the inside 
# 
# This is generally NOT A GOOD IDEA (as told by "security experts") 
# since if some service on this machine gets hacked, the firewall is 
# compromised as well, but what the heck ;) it's only a home network 
# 
# 50369 is my p2p port 
# microsoft-ds is for samba 
# 5901 is vnc 
# domain is nameserver 
# ntp is for timeserving 

#EXTTCPDAEMONS="ssh http https ftp ftp-data mail pop3 pop3s imap3 imaps imap2" 
EXTTCPDAEMONS="ssh auth 50369" 
INTTCPDAEMONS="$EXTTCPDAEMONS microsoft-ds 5901" 
EXTUDPDAEMONS="" 
INTUDPDAEMONS="$EXTUDPDAEMONS domain ntp" 

echo -n "FW: Allowing external systems to use tcp services on localhost: " 
for i in $EXTTCPDAEMONS; 
do 
   echo -n "$i " 
   $IPT -A INPUT -i $EXTIF -p tcp -d $EXTIP  \ 
    --dport $i --syn -m state --state NEW -j ACCEPT 
done 
echo "" 

echo -n "FW: Allowing internal systems to use tcp services on localhost: " 
for i in $INTTCPDAEMONS; 
do 
   echo -n "$i " 
   $IPT -A INPUT -i $INTIF -p tcp -d $INTIP  \ 
    --dport $i --syn -m state --state NEW -j ACCEPT 
done 
echo "" 

echo -n "FW: Allowing external systems to use udp services on localhost: " 
for i in $EXTUDPDAEMONS; 
do 
    echo -n "$i " 
    $IPT -A INPUT -i $EXTIF -p udp -d $EXTIP  \ 
     --dport $i -m state --state NEW -j ACCEPT 
done 
echo "" 

echo -n "FW: Allowing internal systems to use udp services on localhost: " 
for i in $INTUDPDAEMONS; 
do 
    echo -n "$i " 
    $IPT -A INPUT -i $INTIF -p udp -d $INTIP  \ 
     --dport $i -m state --state NEW -j ACCEPT 
done 
echo "" 





# ********** ALLOWING P2P FROM FIREWALL ********** 
# 
# Even worse idea :) 
# 
# Allowing all packages generated by processes owned by the P2PUSER out 
$IPT -A OUTPUT -o $EXTIF -d ! $INTNET -m owner --uid-owner $P2PUSER -j ACCEPT 





# ********** FINALIZING NAT & FIREWALL ********** 
# 
# Setup NAT 
$IPT -t nat -A PREROUTING                       -j ACCEPT 
$IPT -t nat -A POSTROUTING -o $EXTIF -s $INTNET -j MASQUERADE 
$IPT -t nat -A POSTROUTING                      -j ACCEPT 
$IPT -t nat -A OUTPUT                           -j ACCEPT 

# allow existing connections 
$IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT 
$IPT -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT 
$IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT 

# block and log what me may have forgot 
$IPT -A INPUT             -j DROP2 
$IPT -A OUTPUT            -j REJECT2 
$IPT -A FORWARD           -j DROP2 

I also like the dual logging chains for explicitly blocked and ambiguously blocked packets. It helps a lot when pouring over logs to determine new rules.

Cheers!

[JanErik]

Hmm... a little question, I am a true Iptables-newbie.

I am thinking of using this to allow an extra machine to get Internet access through my main workstation (which has to NICs and one of them is connected to the Internet). It only needs to send results to folding@home and sync portage once in a while.

Will this filter act as a firewall locally on my main workstation aswell? Just as if I had a personal firewall like ZoneAlarm installed under Windoze? Or is it more like a routing firewall that isn't supposed to have any local processes accessing the Internet?

[krunk]

It's a full fledged stateful firewall. It can be as restrictive or lenient as you'd like.

Think of how the flow of traffic goes:

client------>server---->internet
internet----->server---->client

All traffic coming into and out of the client must pass through the server. Therefore, when youfirewall the server you firewall your whole network that is behind the server.

[JanErik]

Well, but when the server is also the client?

[c0ol]

WoW....
This is a very complete HowTo. It helped me chunk my linksys POS wireless router in favor of using my gentoo box as a DHCPD/wifi AP/router. THANKS!

[JanErik]

I'm getting this error message, and notwork.

I also got the syncookie error, but that shouldn't be related to this.
Removed all the rules containing INTIF2 since I only have one internal interface.
Linebreak errors from pasting from forum?

Code: Select all

FW: Allowing inside systems to use service:domain iptables: No
chain/target/match by that name
iptables: No chain/target/match by that name
ssh iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
http iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
https iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
ftp iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
ftp-data iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
mail iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
pop3 iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
pop3s iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
imap3 iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
imaps iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
imap2 iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
time iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
rsync iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
\ iptables v1.2.11: invalid TCP port/service `\' specified
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.11: invalid TCP port/service `\' specified
Try `iptables -h' or 'iptables --help' for more information.
ircd iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
1863 iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
5190 iptables: No chain/target/match by that name
iptables: No chain/target/match by that name
11371 iptables: No chain/target/match by that name
iptables: No chain/target/match by that name

FW: Allowing inside systems to use service:domain iptables: No
chain/target/match by that name
iptables: No chain/target/match by that name
time iptables: No chain/target/match by that name
iptables: No chain/target/match by that name

[JanErik]

OK, now it works, I had forgot to compile in some stuff in the netfilter configuration.

But one thing... I want to be able to ssh from the firewall machine (which is my primary workstation) to the machine on the inside. It works with the configuration from the Gentoo router guide, but not with this. How do I add a rule for that?

And, I might add, I am able to ssh out from the firewall, aswell as ssh in from the Internet.

Both of the machines are running folding@home, will it be able to get work and send results?

[C.M]

Great howtos! I'm trying to figure out if I should use dhcpd + dnsmasq or just dnsmasq? Does anyone have a hint? Right now I just followed the Home Router Guide, wich uses both. Another tutorial, http://gentoo-wiki.com/HOWTO_setup_a_home-server was equally confusing on that topic. At least the net works now..

Thanks to everyone who know enough to make these tutorials though!

[kannX]

OK, after playing around for a while I have the following. It doesn't include transparent proxy though, as I decided I probably don't want it anyway:

Adding a transparent proxy is quite simple (in the case squid is running on the same machine):

Code: Select all

$IPT -t nat -A PREROUTING -i $INTIF1 -s $INTNET1 -p tcp --dport 80 -j REDIRECT --to-port 3128

edit: removed INPUT-rule - doesn't make sense

[krunk]

***edited****