iptables help

p3nguin
Apprentice
Posts: 188
Joined: Tue Jul 01, 2003 1:12 am
Location: ~/

Post by p3nguin » Tue Nov 11, 2003 12:30 am

Hello all, this is my first attempt at a firewall script. I was wondering 1) if I did it right, and 2) if it looks good or if it needs some additional rules.

Thanks for the help!

Code:

#!/bin/bash
#clear any previous NAT settings.  presuming NAT modules are already loaded
echo > "eth0 is 192.168.0.1 external interface"
echo > "eth1 is 192.168.10.99 internal interface"

echo "Flushing all previous settings"
iptables -t nat -F
iptables -F
iptables -X
iptables -Z   # zero all counters

echo "Setting up Network Address Translator"
#set up NAT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#turn it on
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "Creating blocked ports table"
#block ftpd
#iptables -A INPUT -i eth0 --protocol tcp --dport 2121 -j DROP

#blocking pop3 from the outside for now
iptables -A INPUT -i eth0 --protocol tcp --dport 110 -j DROP

#and pop3s
iptables -A INPUT -i eth0 --protocol tcp --dport 995 -j DROP

#blocking UDP 8998 (Sobig.E worm); note the rule is on INPUT, so it covers the router itself, not forwarded traffic
iptables -A INPUT --protocol udp --dport 8998 -j DROP

#blocking incoming port 3000, ntop2 web stuff accessible from inside only
#iptables -A INPUT -i eth0 --protocol tcp --dport 3000 -j DROP

#firewall
echo > "Initializing Firewall Script"

# 
#iptables -A INPUT -p udp --destination-port 53 -j ACCEPT
#iptables -A INPUT -p udp --source-port 53 -j ACCEPT
iptables -A FORWARD -p udp --destination-port 53 -j ACCEPT
iptables -A FORWARD -p udp --source-port 53 -j ACCEPT
# Timeservice.
iptables -A FORWARD -p udp --destination-port 37 -j ACCEPT
iptables -A FORWARD -p udp --source-port 37 -j ACCEPT
#
iptables -A FORWARD -p icmp -s !eth1/24  -j DROP
iptables -A FORWARD -p icmp -d eth0/24  -j DROP

# WEB [[[Not sure what this does]]]] so i leave it commented
#iptables -A INPUT -i eth0 -p tcp --destination-port www  -j REJECT
# sshd
iptables -A FORWARD -p tcp -s 0/0 -d eth0/24 --destination-port 22  -j LOG
#iptables -A FORWARD -p tcp -s 0/0 -d eth0/24 --destination-port 22  -j ACCEPT

#  WWW-Server
iptables -A FORWARD -p tcp -s 0/0 -d 192.168.10.69 --destination-port www -j ACCEPT

# FTP-Server
iptables -A FORWARD -p tcp -s 0/0 -d 192.168.10.69 --destination-port ftp -j ACCEPT
iptables -A FORWARD -p tcp -s 0/0 -d 192.168.10.69 --destination-port ftp-data -j ACCEPT
iptables -A FORWARD -p tcp -s eth0/24 -d 0/0 --source-port ftp-data -j ACCEPT
iptables -A FORWARD -p tcp -d eth0/24 -s 0/0 --destination-port ftp-data -j ACCEPT

# ident p. 113 reject
iptables -A FORWARD -p tcp -s eth0/24 -d 0/0 --destination-port auth -j REJECT
iptables -A FORWARD -p tcp -d eth0/24 -s 0/0 --destination-port auth -j REJECT

# SYN-Packets
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
iptables -A FORWARD -p tcp -d eth0/24 -s 0/0  --syn -j LOG
iptables -A FORWARD -p tcp -d eth0/24 -s 0/0 ! --syn -j ACCEPT
iptables -A FORWARD -p tcp -s eth0/24 -d 0/0  -j ACCEPT


#disable response to ICMP broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

#some spoof protection.  nothing from the internal IP range should be connecting
#to the external interface
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 68.0.118.72 -j DROP
iptables -A INPUT -i eth0 -s 10.0.0.0/8
iptables -A INPUT -i eth0 -s 172.16.0.0/12

#don't accept outgoing packets that aren't from 192.168.1.x
iptables -A INPUT -i eth1 -s ! 192.168.10.0/24 -j DROP

#don't accept source routed packets
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route

#unlimited traffic on loopback
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
triwebb1
Tux's lil' helper
Posts: 87
Joined: Sun Oct 19, 2003 6:46 pm

Post by triwebb1 » Tue Nov 11, 2003 12:40 am

iptables has a script to save your current entries to re-apply them next boot. All you have to do is type "iptables-save" and it will save your current entries, then be sure you have iptables in your rc.
Valhlalla
Apprentice
Posts: 161
Joined: Mon Sep 22, 2003 4:25 am
Location: Sydney, Australia.

Post by Valhlalla » Tue Nov 11, 2003 1:39 am

I would put a default DENY or DROP on the input chain at least.
Pork Chop Sandwiches, Oh Sh*t!
p3nguin
Apprentice
Posts: 188
Joined: Tue Jul 01, 2003 1:12 am
Location: ~/

Post by p3nguin » Tue Nov 11, 2003 2:04 am

Valhlalla wrote: I would put a default DENY or DROP on the input chain at least.

Could you show me what you mean?

BTW, are all of my commands valid? I would be very surprised if my first script had no error, lol.
p3nguin
Apprentice
Posts: 188
Joined: Tue Jul 01, 2003 1:12 am
Location: ~/

Post by p3nguin » Tue Nov 11, 2003 3:39 am

Well, I went ahead and added

Code:

iptables-save
to the end of the script and

Code:

iptables -L -n
and tried my script; this is what was generated:

Code:

/etc/init.d/router start
Flushing all previous settings
Setting up Network Address Translator
Creating blocked ports table
Forwarding necessary ports
iptables v1.2.8: host/network `eth1' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.8: host/network `eth0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.8: host/network `eth0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.8: host/network `eth0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.8: host/network `eth0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.8: host/network `eth0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.8: host/network `eth0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.8: host/network `eth0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.8: host/network `eth0' not found
Try `iptables -h' or 'iptables --help' for more information.
iptables v1.2.8: host/network `eth0' not found
Try `iptables -h' or 'iptables --help' for more information.
Chain INPUT (policy DROP)
target     prot opt source               destination         
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:110 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp dpt:995 
DROP       udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:8998 
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:!0x16/0x02 state NEW 
DROP       all  --  192.168.0.0/16       0.0.0.0/0          
DROP       all  --  68.0.118.72          0.0.0.0/0          
           all  --  10.0.0.0/8           0.0.0.0/0          
           all  --  172.16.0.0/12        0.0.0.0/0          
DROP       all  -- !192.168.10.0/24      0.0.0.0/0          
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:53 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          udp spt:53 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          udp dpt:37 
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0          udp spt:37 
ACCEPT     tcp  --  0.0.0.0/0            192.168.10.69      tcp dpt:80 
ACCEPT     tcp  --  0.0.0.0/0            192.168.10.69      tcp dpt:21 
ACCEPT     tcp  --  0.0.0.0/0            192.168.10.69      tcp dpt:20 

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0          
# Generated by iptables-save v1.2.8 on Mon Nov 10 22:32:38 2003
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [111:94164]
-A INPUT -i eth0 -p tcp -m tcp --dport 110 -j DROP 
-A INPUT -i eth0 -p tcp -m tcp --dport 995 -j DROP 
-A INPUT -p udp -m udp --dport 8998 -j DROP 
-A INPUT -i eth0 -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP 
-A INPUT -s 192.168.0.0/255.255.0.0 -i eth0 -j DROP 
-A INPUT -s 68.0.118.72 -i eth0 -j DROP 
-A INPUT -s 10.0.0.0/255.0.0.0 -i eth0 
-A INPUT -s 172.16.0.0/255.240.0.0 -i eth0 
-A INPUT -s ! 192.168.10.0/255.255.255.0 -i eth1 -j DROP 
-A INPUT -i lo -j ACCEPT 
-A FORWARD -p udp -m udp --dport 53 -j ACCEPT 
-A FORWARD -p udp -m udp --sport 53 -j ACCEPT 
-A FORWARD -p udp -m udp --dport 37 -j ACCEPT 
-A FORWARD -p udp -m udp --sport 37 -j ACCEPT 
-A FORWARD -d 192.168.10.69 -p tcp -m tcp --dport 80 -j ACCEPT 
-A FORWARD -d 192.168.10.69 -p tcp -m tcp --dport 21 -j ACCEPT 
-A FORWARD -d 192.168.10.69 -p tcp -m tcp --dport 20 -j ACCEPT 
-A OUTPUT -o lo -j ACCEPT 
COMMIT
# Completed on Mon Nov 10 22:32:38 2003
# Generated by iptables-save v1.2.8 on Mon Nov 10 22:32:38 2003
*mangle
:PREROUTING ACCEPT [2503161:1313971228]
:INPUT ACCEPT [73110:7216946]
:FORWARD ACCEPT [2430051:1306754282]
:OUTPUT ACCEPT [3338:694277]
:POSTROUTING ACCEPT [2432698:1307090152]
:outtos - [0:0]
:pretos - [0:0]
-A PREROUTING -j pretos 
-A OUTPUT -j outtos 
-A outtos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10 
-A outtos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10 
-A outtos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10 
-A outtos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10 
-A outtos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08 
-A outtos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08 
-A pretos -p tcp -m tcp --dport 22 -j TOS --set-tos 0x10 
-A pretos -p tcp -m tcp --sport 22 -j TOS --set-tos 0x10 
-A pretos -p tcp -m tcp --dport 21 -j TOS --set-tos 0x10 
-A pretos -p tcp -m tcp --sport 21 -j TOS --set-tos 0x10 
-A pretos -p tcp -m tcp --sport 20 -j TOS --set-tos 0x08 
-A pretos -p tcp -m tcp --dport 20 -j TOS --set-tos 0x08 
COMMIT
# Completed on Mon Nov 10 22:32:38 2003
# Generated by iptables-save v1.2.8 on Mon Nov 10 22:32:38 2003
*nat
:PREROUTING ACCEPT [138036:10462688]
:POSTROUTING ACCEPT [80:4915]
:OUTPUT ACCEPT [171:10454]
:eth0_masq - [0:0]
:net_dnat - [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE 
COMMIT
# Completed on Mon Nov 10 22:32:38 2003
Valhlalla
Apprentice
Posts: 161
Joined: Mon Sep 22, 2003 4:25 am
Location: Sydney, Australia.

Post by Valhlalla » Tue Nov 11, 2003 4:43 am

Sorry, I'm rusty on the old iptables, so I had to go look up what I was talking about :oops:

Code:

iptables -P INPUT DROP      # -P sets a chain's default policy; it takes only the chain and the policy, no -i
I would also add

Code:

iptables -P FORWARD DROP
This might be redundant, but I like to always put it in.

[EDIT]

You might need to make the output policy ACCEPT depending on what you are doing.

Code:

iptables -P OUTPUT ACCEPT
Pork Chop Sandwiches, Oh Sh*t!
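Rebuilt as an added example for this thread (it is not p3nguin's script and not Gentoo's own code): the same router ruleset with Valhlalla's default-DROP policies in the correct -P form, real networks in place of the eth0/24 and eth1/24 arguments behind the "host/network not found" errors, a -j target on every rule, and connection tracking instead of the separate source-port rules. It assumes the addresses from the thread (eth0 external, eth1 internal on 192.168.10.0/24, the web/FTP host at 192.168.10.69) and the ip_conntrack_ftp helper for FTP data connections; run it as root with the argument apply, or with IPT=echo to only print the rules.

```shell
#!/bin/sh
# Added example for this thread, not p3nguin's script: the same router, rebuilt so that
# it passes iptables' parser and has a deny-by-default policy. Addresses are the ones
# from the thread; set IPT=echo to print the rules instead of applying them.
IPT=${IPT:-iptables}
EXT_IF=eth0                 # external interface (192.168.0.1 in the thread)
INT_IF=eth1                 # internal interface
INT_NET=192.168.10.0/24     # -s/-d take a network or host; "eth0/24" caused the errors
SRV=192.168.10.69           # web/FTP server on the LAN

apply_firewall() {
    $IPT -F; $IPT -t nat -F; $IPT -X; $IPT -Z
    # Default policies first, so nothing is accepted while the rules are being built.
    # -P takes only the chain and the policy; there is no -i for a policy.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    $IPT -A INPUT -i lo -j ACCEPT
    # Connection tracking replaces the separate --source-port 53/37/ftp-data rules.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Anti-spoofing: private ranges must never arrive on the external interface.
    # Every rule needs a -j target; the original 10/8 and 172.16/12 lines had none.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A INPUT -i "$EXT_IF" -s "$net" -j DROP
        $IPT -A FORWARD -i "$EXT_IF" -s "$net" -j DROP
    done
    # Only our LAN may talk to the router through the internal interface.
    $IPT -A INPUT -i "$INT_IF" ! -s "$INT_NET" -j DROP
    $IPT -A INPUT -i "$INT_IF" -s "$INT_NET" -p tcp --dport 22 -j ACCEPT

    # New TCP connections must begin with a SYN.
    $IPT -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    $IPT -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP

    # LAN may go out; from outside, only the published web and FTP service.
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -p tcp -d "$SRV" --dport 80 -j ACCEPT
    $IPT -A FORWARD -i "$EXT_IF" -p tcp -d "$SRV" --dport 21 -j ACCEPT  # data: ip_conntrack_ftp + RELATED
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
    echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
}
if [ "${1:-}" = apply ]; then apply_firewall && enable_forwarding; fi
```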