Need help verifying iptables rules for network security
Hi,
I need help with some iptables rules. I've done all I can, Googling all over, to cover as many exploits as possible and the following script is what I've come up with. The current set up works and I've checked with NMAP. I just need some sort of confirmation that this is pretty much what I can do.
Code:
LAN="eth0 eth1"
RANGE=10.1.0.0/17
WAN=eth2
# Delete all existing rules
iptables -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
##--------------##
# Filter traffic #
##--------------##
# Set default policies for all three default chains
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
# Always accept loopback traffic
iptables -A INPUT -i lo -j ACCEPT
#iptables -A OUTPUT -o lo -j ACCEPT
# All TCP sessions should begin with SYN
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# Drop fragment packets
iptables -A INPUT -f -j DROP
# Drop XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# Drop NULL packets
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Block spoofing
iptables -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
iptables -A OUTPUT ! -o lo -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i $WAN -s $RANGE -j DROP
iptables -A OUTPUT -o $WAN -s $RANGE -j DROP
# Drop bad packets
iptables -A INPUT -m state --state INVALID -j DROP
# Drop packets routed from outside
iptables -A FORWARD -i $WAN -o $WAN -j DROP
##---------------##
# Routing traffic #
##---------------##
# Allow established connections, and those not coming from the outside
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i $WAN -j ACCEPT
# Allow internal traffic
for if in $LAN; do
iptables -A INPUT -i $if -j ACCEPT
done
# Masquerade
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
Also, if I wanted a broadcast to be relayed to all subnets within a defined range, how would such a iptables rule look like? I need this in order to find a networked Canon MP640 printer.
Thanks for all the help.
|