Linux - Networking
This forum is for any issue related to networks or networking. Routing, network cards, OSI, etc. Anything is fair game.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
I've been experimenting with this iptables software. I don't know how well I've prepared it, but I've decided that it's best to block everything and then slowly open things up. The box this configuration is set up on is a server that will be supplying DNS, DHCP, and Samba really soon. Does this look like a good configuration?
Some of the chains came from lumeria.org. I decided I would try to protect myself as best I could, "try" meaning I would pull from this site. Thanks in advance!
I'll have a better look at this after dinner, but to get you started:
1. Your FORWARD policy is set to ACCEPT, so there is no need for those two rules that are already there, which are identical anyway. If you want only ESTABLISHED, RELATED connections forwarded, then set the policy to DENY.
2. Ditto for OUTPUT chain.
3. I have other comments about the INPUT chain, but mostly it's that you have lots of duplicate rules appearing in various places on the chain (like the first INPUT rule is repeated near the bottom).
I do admit though, that it is a little easier to actually see your intent with this view, rather than the script itself, I find, at least. But showing the script might help isolate where you created duplicate rules.
Finally, if you have the idea of "closing everything down and then opening selected services up" no chain should be POLICY ACCEPT.
Ok here's my detailed audit from top to bottom. (I've made a new post rather than edit in case you're subscribed.)
I want to stress that this is for a home-style installation. If you were a system administrator for a SOHO or something my answers would be quite different (more strict).
FORWARD
Make it POLICY ACCEPT and forget the rules (well, the one rule twice). You don't really need to manage forwarding that much, you can leave that to the firewalls of the respective computers on your LAN. That's what I do at least, since if you're not DNATting (port-forwarding) you don't really need to worry about attacks on your LAN from the outside.
INPUT
Honestly, I'd make a ruleset more like this (pay attention to the bold):
Now, there is still the problem of accepting incoming services. I've added ports for the services you mentioned you'd need to let others access. See, an incoming DHCP_REQ or DNS lookup isn't going to be RELATED or ESTABLISHED, so it'll get dropped. While DNS uses the UDP protocol to move data, it uses TCP for zone transfers, as does DHCP, so I've added a UDP rule. DHCP and DNS both use UDP but I'm not sure about Samba, so I've left it in both. There's really no harm in just having two rules that are identical except for swapping TCP/UDP (since a transport protocol is required when specifying a dport). The moral of this story is to make sure you open up your services!
When you make the script you'll have to change those two rules to "--match multiport --dport ssh,etc."
I've also compressed some rules and re-ordered them, putting what I assume will be most important services at the top, since those will get matched and ACCEPTed without having to traverse the entire chain to get to them. That's why I clustered the LOGs at the end.
OUTPUT
If your chain is POLICY ACCEPT you don't need any of those accept rules. Unless you're super paranoid about trojans broadcasting things you don't really need to worry about OUTPUT. Now, if there are a few services you really want to block then just make DROP- or REJECT --with-icmp-host-unreachable them.
Now, since you like to do a heck of a lot of logging, which is a good thing, I would seriously suggest you look at ULOG and the `ulogd` daemon and log to a MySQL database instead of syslog. Looking through syslog for all this information is going to be hard, but with it all in a nice SQL DB it'll be a snap.
I just spent the last few months writing a proprietary wireless authentication server with logging, and I use ULOG.
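The "close everything down, then open selected services up" ruleset described in the reply above, written out as a complete script. This is an added example for this page, not code from the thread or from the OP's box. Its assumptions: eth1 faces the LAN, the LAN subnet is 192.168.1.0/24, and the port lists are the services to expose (ssh, DNS, DHCP, Samba). It only prints the iptables commands unless IPT_APPLY=1 is set, so the rule order and the absence of duplicate rules can be checked before anything is loaded.

```sh
#!/bin/sh
# Added example for this page, not code from the thread: a "close everything,
# then open selected services" ruleset in the shape recommended above.
# Assumptions (adjust for your box): eth1 faces the LAN, the LAN subnet is
# 192.168.1.0/24, and the port lists below are the services to expose.
# The script only prints the iptables commands unless IPT_APPLY=1 is set,
# so rule order and duplicates can be reviewed before anything is loaded.

IPT=/sbin/iptables
LAN_IF="${LAN_IF:-eth1}"               # assumption: LAN-side interface
LAN_NET="${LAN_NET:-192.168.1.0/24}"   # assumption: LAN subnet
TCP_SERVICES="22,53,139,445"           # ssh, dns zone transfers, samba
UDP_SERVICES="53,137,138"              # dns lookups, netbios name/datagram

# ipt: run one iptables command, or print it in dry-run mode.
ipt() {
    if [ "${IPT_APPLY:-0}" = "1" ]; then
        "$IPT" "$@"
    else
        printf '%s' "$IPT"
        for arg in "$@"; do printf ' %s' "$arg"; done
        printf '\n'
    fi
}

build_firewall() {
    # Start from a clean slate so re-running the script never duplicates rules.
    for t in filter nat mangle; do
        ipt -t "$t" -F
        ipt -t "$t" -X
        ipt -t "$t" -Z
    done

    # Close everything down first: no chain is left at POLICY ACCEPT except
    # OUTPUT, which the advice above leaves open on a home box.
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Loopback and already-tracked traffic match most often, so they come
    # first and do not traverse the rest of the chain.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP
    ipt -A INPUT -p tcp ! --syn -m state --state NEW -j DROP

    # Services offered to the LAN. A new DNS or Samba request is neither
    # ESTABLISHED nor RELATED, so each service needs an explicit rule.
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p tcp -m multiport --dports "$TCP_SERVICES" -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -s "$LAN_NET" -p udp -m multiport --dports "$UDP_SERVICES" -j ACCEPT
    # DHCP is the exception: a DHCPDISCOVER is sent from 0.0.0.0 before the
    # client has an address, so this rule must not be restricted to LAN_NET.
    ipt -A INPUT -i "$LAN_IF" -p udp --sport 68 --dport 67 -j ACCEPT
    # Let LAN hosts ping the gateway.
    ipt -A INPUT -i "$LAN_IF" -p icmp --icmp-type echo-request -j ACCEPT

    # Forwarding: LAN hosts may go out; only reply traffic comes back in.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" -j ACCEPT

    # Rate-limited logging sits at the very end, just before the policy drops.
    ipt -A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT DROP: " --log-level 6
    ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FORWARD DROP: " --log-level 6
}

build_firewall
```

Run it as-is to review the generated commands, then `IPT_APPLY=1 sh firewall.sh` as root to load them. The DHCP rule deliberately omits `-s $LAN_NET`: a DHCPDISCOVER arrives from 0.0.0.0, so a source-restricted rule would never match it and clients would never get a lease. The kernel flags from the snippet later in the thread (icmp_echo_ignore_broadcasts, log_martians) can be set alongside this script; they are not iptables rules and so are not part of it.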
Wow! This is a lot to take in very late at night. I'm going to look over these suggestions in the morning and get to work. One thing that I may have a problem with is locating the script. I entered everything through "iptables" commands and saved via the "service iptables save" command. I'm very much a newbie at this, so if you could point me in the right direction so that I can expedite the replies that would be great. Thank you both, win32sux and michaelsanford.
I've been listening to LQ PodCast and just watched Revolution OS (again, bought the DVD) so if you post the output of your iptables-save > saved.txt file I can convert it to a script for you. You can take it from there...
(On a tangent, this gives me an idea for a GNU program... translating iptables-save-ed data into shell scripts. Hmmm, maybe I should finish my thesis first, eh?)
To give you an idea of a start-up script, here is a very small snippet from one of mine:
Code:
# Flush all rules, delete user-defined chains and zero the counters in the nat and filter tables
/usr/sbin/iptables -t nat -F
/usr/sbin/iptables -t filter -F
/usr/sbin/iptables -t nat -X
/usr/sbin/iptables -t filter -X
/usr/sbin/iptables -t nat -Z
/usr/sbin/iptables -t filter -Z
## ===========================================================
## Definitions:
export LIFACE="eth0"
export WIFACE="eth1"
export LAN_IP="192.168.0.77"
export WIFI_IP="10.0.0.1"
export BAD_SERVICES="113,137,138,139,427" # ident tap, NetBIOS, NetBIOS, NetBIOS, Apple Rendezvous
export PROTECTED_SERVICES="22,161,3306" #ssh, snmp, sql
##
# Walled Garden
/usr/sbin/iptables -t nat -A PREROUTING --match iprange --dst-range 69.90.89.192-69.90.89.255 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING --match iprange --dst-range 69.90.85.0-69.90.85.31 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d 192.168.0.80 -j ACCEPT
/usr/sbin/iptables -t nat -A PREROUTING -d 192.168.0.46 -j ACCEPT
##
# Re-route connections to the authenticator
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i $WIFACE --dport 80 -j DNAT --to 10.0.0.1
/usr/sbin/iptables -t nat -A PREROUTING -p tcp -i $WIFACE ! --dport 80 -j DNAT --to 10.0.0.1:8080
#/usr/sbin/iptables -t nat -A PREROUTING -p udp -i $WIFACE -j DROP
#/usr/sbin/iptables -t nat -A PREROUTING -p udp -i $WIFACE --dport 53 -j DNAT --to 10.0.0.1:53
##
# Block undesirable services
# bad_services will be replied to with an ICMP port-unreachable.
/usr/sbin/iptables -t filter -A FORWARD -p tcp --match multiport --dport $BAD_SERVICES -j REJECT
/usr/sbin/iptables -t filter -A FORWARD -p udp --match multiport --dport $BAD_SERVICES -j REJECT
##
# Security enhancements for the gateway
# If someone on the WLAN tries to access a protected service it will be rejected. We need MAC/IP
# combination allows to let us do it from the WLAN.
/usr/sbin/iptables -t filter -A INPUT -p tcp -i $WIFACE -d 10.0.0.1 --match multiport --dport $PROTECTED_SERVICES -j REJECT
/usr/sbin/iptables -t filter -A INPUT -p udp -i $WIFACE -d 10.0.0.1 --match multiport --dport $PROTECTED_SERVICES -j REJECT
##
# Activate masquerading on the WAN interface
/usr/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Make sure NEW tcp connections are SYN packets
/usr/sbin/iptables -A INPUT -i $LIFACE -p tcp ! --syn -m state --state NEW -j DROP
## Show us what we have done
/usr/sbin/iptables -t nat -L -v
/usr/sbin/iptables -t filter -L -v
/bin/echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
/bin/echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
/bin/echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
You'll note the last bit there? Those are actually setting kernel flags to handle part of the job instead of iptables. Those are really simple to implement, just look them up on the 'net. They're all in /proc/sys/net/ipv4 (assuming you're not using IPv6 )
Last edited by michaelsanford; 07-23-2005 at 01:12 AM.
Alright! So I'm awake at... 9:28 on a Saturday? How'd that happen. Anyway, the output I've received from the iptables save is below. I noticed how clean your code was. It would be VERY easy to deactivate a port or service using a "Bad Services" string like that.
Code:
# Generated by iptables-save v1.3.0 on Sat Jul 23 09:25:53 2005
*nat
:OUTPUT ACCEPT [15:2341]
:POSTROUTING ACCEPT [3:198]
:PREROUTING ACCEPT [65:12137]
-A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
-A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Sat Jul 23 09:25:53 2005
# Generated by iptables-save v1.3.0 on Sat Jul 23 09:25:53 2005
*mangle
:FORWARD ACCEPT [69:13177]
:INPUT ACCEPT [340:52958]
:OUTPUT ACCEPT [83:9198]
:POSTROUTING ACCEPT [158:22843]
:PREROUTING ACCEPT [409:66135]
-A PREROUTING -i eth0 -j MARK --set-mark 0x9
COMMIT
# Completed on Sat Jul 23 09:25:53 2005
# Generated by iptables-save v1.3.0 on Sat Jul 23 09:25:53 2005
*filter
:FORWARD ACCEPT [3:180]
:INPUT ACCEPT [255:34242]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
:in_icmp - [0:0]
:in_tcp - [0:0]
:syn-flood - [0:0]
-A FORWARD -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j syn-flood
-A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
-A INPUT -p tcp -m state --state INVALID -m limit --limit 10/min -j LOG --log-prefix "#### Invalid Packet ####" --log-level 6
-A INPUT -p tcp -m tcp --tcp-option 64 -m limit --limit 5/min -j LOG --log-prefix "### Bad TCP F;AG(64) ###" --log-level 6
-A INPUT -p tcp -m tcp --tcp-option 128 -m limit --limit 5/min -j LOG --log-prefix "### Bad TCP FLAG(128) ###" --log-level 6
-A INPUT -p icmp -j in_icmp
-A INPUT -p tcp -j in_tcp
-A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 902 -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 1024:65535 --dport 80 -j ACCEPT
-A OUTPUT -o eth0 -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A in_icmp -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A in_icmp -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A in_icmp -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A in_icmp -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A in_icmp -p icmp -m icmp --icmp-type 30 -j ACCEPT
-A in_tcp -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
-A in_tcp -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j LOG --log-prefix "####Stealth Scan ####" --log-level 6
-A in_tcp -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 5/min -j LOG --log-prefix "#### XMAS Scan ####" --log-level 6
-A in_tcp -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min -j LOG --log-prefix "#### SYN/RST Scan ####" --log-level 6
-A in_tcp -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min -j LOG --log-prefix "#### SYN/FIN Scan ####" --log-level 6
-A syn-flood -m limit --limit 1/sec --limit-burst 4 -j RETURN
-A syn-flood -j DROP
COMMIT
# Completed on Sat Jul 23 09:25:53 2005
This is now going to be a .sh executable file you need to chmod +x. I haven't re-ordered the rules as I suggested above, I'll leave that for you to do. Since these rules are all -A you can just change the order they appear in the script and that will change the order in which they're added.
You can also add your own variables like I did for service ports. You can either reference them by port number or service name (i.e., 22 and 'ssh' are synonyms, as defined in /etc/services).
This isn't the most iron-clad firewall script ever, but it should do.
Code:
#!/bin/sh
# Generated by michaelsanford at linuxquestions.org ;)
# It's always good to have variables for things like this
IPTABLES="/usr/sbin/iptables"
# Flush the tables, zero counters and delete custom chains (in case the script
# re-runs while the system is already running). The mangle table is included
# because a rule is added to it below and would otherwise be duplicated on a re-run.
$IPTABLES -t nat -F
$IPTABLES -t filter -F
$IPTABLES -t mangle -F
$IPTABLES -t nat -Z
$IPTABLES -t filter -Z
$IPTABLES -t mangle -Z
$IPTABLES -t nat -X
$IPTABLES -t filter -X
$IPTABLES -t mangle -X
# Set up the POLICY and make the custom chains
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
# Take a look at the next rule: it seems to be missing an argument (target).
$IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#mangle
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 0x9
# The filter table
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P INPUT ACCEPT #Shouldn't this be DENY ?
$IPTABLES -P OUTPUT ACCEPT
# Create custom chains
$IPTABLES -N in_icmp
$IPTABLES -N in_tcp
$IPTABLES -N syn-flood
$IPTABLES -A FORWARD -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j syn-flood
$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
$IPTABLES -A INPUT -p tcp -m state --state INVALID -m limit --limit 10/min -j LOG --log-prefix "#### Invalid Packet ####" --log-level 6
$IPTABLES -A INPUT -p tcp -m tcp --tcp-option 64 -m limit --limit 5/min -j LOG --log-prefix "### Bad TCP F;AG(64) ###" --log-level 6
$IPTABLES -A INPUT -p tcp -m tcp --tcp-option 128 -m limit --limit 5/min -j LOG --log-prefix "### Bad TCP FLAG(128) ###" --log-level 6
$IPTABLES -A INPUT -p icmp -j in_icmp
$IPTABLES -A INPUT -p tcp -j in_tcp
$IPTABLES -A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 902 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 1024:65535 --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A in_icmp -p icmp -m icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A in_icmp -p icmp -m icmp --icmp-type 8 -j ACCEPT
$IPTABLES -A in_icmp -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A in_icmp -p icmp -m icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A in_icmp -p icmp -m icmp --icmp-type 30 -j ACCEPT
$IPTABLES -A in_tcp -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A in_tcp -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j LOG --log-prefix "####Stealth Scan ####" --log-level 6
$IPTABLES -A in_tcp -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 5/min -j LOG --log-prefix "#### XMAS Scan ####" --log-level 6
$IPTABLES -A in_tcp -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min -j LOG --log-prefix "#### SYN/RST Scan ####" --log-level 6
$IPTABLES -A in_tcp -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min -j LOG --log-prefix "#### SYN/FIN Scan ####" --log-level 6
$IPTABLES -A syn-flood -m limit --limit 1/sec --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood -j DROP
michaelsanford, I deeply appreciate what effort you have put forth to this small project of mine. I've been cleaning it up here and there but I believe that it will take a while before I will be able to completely perfect this art of security. I do believe it to be a very intriguing topic that I will be referring back to this thread for. As for those definitions that I love, I'm spending the rest of my shift at work on them. My experience in Java has paid off as I can appreciate reusability like that. Good luck on the parser too!
Code:
#!/bin/sh
# Generated by michaelsanford at linuxquestions.org ;)
# It's always good to have variables for things like this
IPTABLES="/sbin/iptables"
# Flush the tables, zero counters and delete custom chains (in case the script re-runs while the system is already running)
# The mangle table is included because a rule is added to it below and would otherwise be duplicated on a re-run.
$IPTABLES -t nat -F
$IPTABLES -t filter -F
$IPTABLES -t mangle -F
$IPTABLES -t nat -Z
$IPTABLES -t filter -Z
$IPTABLES -t mangle -Z
$IPTABLES -t nat -X
$IPTABLES -t filter -X
$IPTABLES -t mangle -X
# Set up the POLICY and make the custom chains
$IPTABLES -t nat -P OUTPUT ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#mangle
$IPTABLES -t mangle -P FORWARD ACCEPT
$IPTABLES -t mangle -P INPUT ACCEPT
$IPTABLES -t mangle -P OUTPUT ACCEPT
$IPTABLES -t mangle -P POSTROUTING ACCEPT
$IPTABLES -t mangle -P PREROUTING ACCEPT
$IPTABLES -t mangle -A PREROUTING -i eth0 -j MARK --set-mark 0x9
# The filter table
$IPTABLES -P FORWARD ACCEPT
# Couldn't set to DENY because too many local programs will be disabled (ex. BASH shell)
$IPTABLES -P INPUT ACCEPT #Shouldn't this be DENY ?
$IPTABLES -P OUTPUT ACCEPT
# Create custom chains
$IPTABLES -N in_icmp
$IPTABLES -N in_tcp
$IPTABLES -N syn-flood
$IPTABLES -A FORWARD -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A FORWARD -i eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j syn-flood
$IPTABLES -A INPUT -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP
$IPTABLES -A INPUT -p tcp -m state --state INVALID -m limit --limit 10/min -j LOG --log-prefix "#### Invalid Packet ####" --log-level 6
$IPTABLES -A INPUT -p tcp -m tcp --tcp-option 64 -m limit --limit 5/min -j LOG --log-prefix "### Bad TCP FLAG(64) ###" --log-level 6
$IPTABLES -A INPUT -p tcp -m tcp --tcp-option 128 -m limit --limit 5/min -j LOG --log-prefix "### Bad TCP FLAG(128) ###" --log-level 6
$IPTABLES -A INPUT -p icmp -j in_icmp
$IPTABLES -A INPUT -p tcp -j in_tcp
$IPTABLES -A INPUT -i eth0 -p tcp -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -p tcp -m tcp --dport 902 -j ACCEPT
$IPTABLES -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp -m state --state NEW,RELATED,ESTABLISHED -m tcp --sport 1024:65535 --dport 80 -j ACCEPT
$IPTABLES -A OUTPUT -o eth0 -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
$IPTABLES -A in_icmp -p icmp -m icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A in_icmp -p icmp -m icmp --icmp-type 8 -j ACCEPT
$IPTABLES -A in_icmp -p icmp -m icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A in_icmp -p icmp -m icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A in_icmp -p icmp -m icmp --icmp-type 30 -j ACCEPT
$IPTABLES -A in_tcp -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A in_tcp -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j LOG --log-prefix "####Stealth Scan ####" --log-level 6
$IPTABLES -A in_tcp -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -m limit --limit 5/min -j LOG --log-prefix "#### XMAS Scan ####" --log-level 6
$IPTABLES -A in_tcp -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 5/min -j LOG --log-prefix "#### SYN/RST Scan ####" --log-level 6
$IPTABLES -A in_tcp -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -m limit --limit 5/min -j LOG --log-prefix "#### SYN/FIN Scan ####" --log-level 6
$IPTABLES -A syn-flood -m limit --limit 1/sec --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood -j DROP
I wanted to address some things that I didn't get the chance to at the beginning of the thread.
1. Forwarding: I had no clue the rules were repeated. :P Logically, it does make sense to leave the policy at ACCEPT and leave it alone after that. Its sole purpose is to forward, nothing else. Unless there are some fancy pre- and post-routing techniques someone wants to implement.
2. I couldn't operate my computer after setting the INPUT policy to DROP. Essential programs like the BASH shell were crippled by its effects. Good thing I didn't save those settings. Of course there's always CTRL + SHIFT + ALT + F3 (and others).
3. Duplicates, missing targets, etc. are simply signs of a novice
4. "The RH-Firewall-1-INPUT" chain keeps reappearing out of the blue. I have no clue where it is coming from or how to stop it at this moment. I will probably have to locate the REAL iptables script to figure that out I suppose.
There's a tutorial for iptables at http://iptables-tutorial.frozentux.n...-tutorial.html
It answers a lot of your questions, esp about POLICY choices..
eg.. If there is an ACCEPT policy, why write ACCEPT rules? (your OUTPUT chain)
The idea of scripting a set of rules works best when there is a reason to load rules in a particular order, rather than just getting them all in place quickly, or to add comments to the file.
The netfilter team created iptables-save & iptables-restore to perform the quick dump and reload routines. iptables-restore uses the specific iptables-save dump format to reload the rules. It can add an extra field to the dump showing how many packets have passed through each rule. You can use this to gauge if rules can be re-ordered to place frequently hit rules earlier, making the tables faster, or if rules are having any effect even..
eg
$IPTABLES -t nat -A POSTROUTING -m mark --mark 0x9 -j MASQUERADE
$IPTABLES -t nat -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
Scripting would allow comments to be added about which interface is external, internal and dmz etc.
And comments why 192.168.1.0/255.255.255.0 doesn't need to be MASQUERADED.
I would suggest reading the tutorial carefully and starting with one of the well commented scripts at the end of the tutorial..
The RH-Firewall-1-INPUT chain comes from the RedHat Security Level setting. Set it to off.
There may be a script in /etc/init.d called rc.firewall or similar as well..
Do chkconfig --list to see if it is active..
Last edited by peter_robb; 07-25-2005 at 03:23 AM.
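michaelsanford's idea of a tool that translates iptables-save output into a shell script, and peter_robb's point that the per-rule counters in an `iptables-save -c` dump show which rules are ever hit, combined in one added example. This is not code from the thread; the dump embedded below is constructed for this example in the shape of the OP's output and is not from the OP's box. The converter emits one `$IPT` line per policy, chain and rule (with a flush at the start of each table so the script is safe to re-run); the audit flags rules whose packet counter is zero and rules appended twice to the same chain, which is the duplicate-rule problem noted earlier in the thread.

```sh
#!/bin/sh
# Added example, not code from the thread: convert an `iptables-save -c` dump
# into a shell script and audit its counters. The dump below is a constructed
# sample in the shape of the OP's output; adapt the functions to a real dump.

SAMPLE_DUMP='# Generated by iptables-save v1.3.0 (constructed sample)
*nat
:PREROUTING ACCEPT [65:12137]
:POSTROUTING ACCEPT [3:198]
:OUTPUT ACCEPT [15:2341]
[0:0] -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j ACCEPT
[3:198] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [255:34242]
:FORWARD ACCEPT [3:180]
:OUTPUT ACCEPT [0:0]
:in_tcp - [0:0]
[200:30000] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[12:720] -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
[5:300] -A INPUT -p tcp -j in_tcp
[0:0] -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
[0:0] -A in_tcp -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# dump_to_script: read an iptables-save dump (with or without -c counters) on
# stdin and write an equivalent shell script on stdout. Each table is flushed
# before its rules are added so the generated script can be re-run safely.
dump_to_script() {
    awk '
    BEGIN { print "#!/bin/sh"; print "IPT=/sbin/iptables" }
    /^#/ || /^COMMIT$/ { next }
    /^\*/ {
        table = substr($0, 2)
        printf "\n# table %s: start from a clean slate\n", table
        printf "$IPT -t %s -F\n$IPT -t %s -X\n$IPT -t %s -Z\n", table, table, table
        next
    }
    /^:/ {
        chain = substr($1, 2)
        if ($2 == "-") printf "$IPT -t %s -N %s\n", table, chain   # user chain
        else           printf "$IPT -t %s -P %s %s\n", table, chain, $2
        next
    }
    /^\[[0-9]+:[0-9]+\] / { sub(/^\[[0-9]+:[0-9]+\] /, "") }    # strip counters
    /^-A / { printf "$IPT -t %s %s\n", table, $0 }
    '
}

# audit_dump: read an `iptables-save -c` dump on stdin and report rules with a
# zero packet counter (never matched since counters were last zeroed) and rules
# that appear more than once in the same table and chain.
audit_dump() {
    awk '
    /^\*/ { table = substr($0, 2); next }
    /^\[[0-9]+:[0-9]+\] -A / {
        split(substr($1, 2, length($1) - 2), c, ":")   # c[1]=packets c[2]=bytes
        rule = $0
        sub(/^\[[0-9]+:[0-9]+\] /, "", rule)
        key = table " " rule
        if (c[1] + 0 == 0) print "unused:    " key
        if (key in seen)   print "duplicate: " key
        seen[key] = 1
    }
    '
}

printf '%s\n' "$SAMPLE_DUMP" | dump_to_script
printf '%s\n' "$SAMPLE_DUMP" | audit_dump
```

On a real box, replace the sample with the saved dump: `dump_to_script < saved.txt > firewall.sh` and `audit_dump < saved.txt`. A zero counter only means the rule has not matched since the counters were last zeroed, so take the dump after the machine has seen a representative stretch of traffic; a duplicate rule is always dead weight, because the first copy has already accepted or dropped every packet the second copy could see.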
THANKS peter_robb! I've been looking at the recommended site for some time now and I can honestly say that I have learned a great deal from it. I'm still making my way through it though. It's a good thing that you explained how iptables save and restore work. According to the save that I posted, some of the tables were never put to use. I didn't delete them but they are further down the list. As for the scripting, I was interested in it and it just happened to be iptables that I was interested in at the time. I appreciate the extra help.