LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Networking (http://www.linuxquestions.org/questions/linux-networking-3/)
-   -   Need help verifying iptables rules for network security (http://www.linuxquestions.org/questions/linux-networking-3/need-help-verifying-iptables-rules-for-network-security-867693/)

tido 03-10-2011 08:49 AM

Need help verifying iptables rules for network security
 
Hi,

I need help with some iptables rules. I've done all I can, Googling all over, to cover as many exploits as possible and the following script is what I've come up with. The current set up works and I've checked with NMAP. I just need some sort of confirmation that this is pretty much what I can do.

Code:

LAN="eth0 eth1"
RANGE=10.1.0.0/17
WAN=eth2
 
# Delete all existing rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
 
##--------------##
# Filter traffic #
##--------------##
 
# Set default policies for all three default chains
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
 
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT
 
# All TCP sessions should begin with SYN
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
 
# Drop fragment packets
iptables -A INPUT -f -j DROP
 
# Drop XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
 
# Drop NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
 
# Block spoofing
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
iptables -A OUTPUT ! -o lo -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i $WAN -s $RANGE -j DROP
iptables -A OUTPUT -o $WAN -s $RANGE -j DROP
 
# Drop bad packets
iptables -A INPUT -m state --state INVALID -j DROP
 
# Drop packets routed from outside
iptables -A FORWARD -i $WAN -o $WAN -j DROP
 
 
##---------------##
# Routing traffic #
##---------------##
 
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i $WAN -j ACCEPT
 
# Allow internal traffic
for if in $LAN; do
        iptables -A INPUT -i $if -j ACCEPT
done
 
# Masquerade
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

Also, if I wanted a broadcast to be relayed to all subnets within a defined range, how would such a iptables rule look like? I need this in order to find a networked Canon MP640 printer.

Thanks for all the help.

agentbuzz 03-10-2011 11:46 AM

Hello,
You should put in the following rules (assuming you run avahi-daemon to publish and find printers or other resources)

Code:

iptables -A INPUT -p udp -s 10.1.0.0/17 --dport 5353 -j ACCEPT
iptables -A INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT



All times are GMT -5. The time now is 08:42 PM.