LinuxQuestions.org, Linux - Security forum: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I would like you, if you don't mind, to give me your opinion of this iptables script.
Is it correct?
Is it safe?
Should I add things to make it more secure?
My other objective is to add squid and squidGuard in the near future, so I think some rules should be added, but for the moment I want to be sure that the following rules are safe, logical and that they work.
Any suggestion is welcome.
I'm sorry, it is commented in French, but I guess the experts will have no problem since the rules are universal. "just my own view"
Quote:
#!/bin/bash
#---------------------------------------------------------------
# Set up the variables for the firewall
# The variables in this section must match your network
#---------------------------------------------------------------
# Note: the posted script used these three variables without
# defining them. The interface names below are placeholders,
# adjust them to your system; the LAN range is the 192.168.0.0/24
# of this network.
EXTERNAL_INT="eth0"            # interface facing the Internet (placeholder)
INTERNAL_INT="eth1"            # interface facing the LAN (placeholder)
HOME_NETWORK="192.168.0.0/24"  # private LAN range
###############################################################
############### Load some iptables modules ####################
###############################################################
#---------------------------------------------------------------
# Load the NAT module
#---------------------------------------------------------------
modprobe iptable_nat
###############################################################
####### Set a few Linux kernel parameters for better security #
###############################################################
#---------------------------------------------------------------
# Disable source-routed packets
#---------------------------------------------------------------
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#---------------------------------------------------------------
# Enable protection against denial-of-service (DoS) attacks
# (TCP SYN cookies)
#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#---------------------------------------------------------------
# Ignore broadcast pings
#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#---------------------------------------------------------------
# Enable IP forwarding, so this Linux box can act as a gateway
#---------------------------------------------------------------
echo 1 > /proc/sys/net/ipv4/ip_forward
###############################################################
################## Initialise all chains ######################
###############################################################
#---------------------------------------------------------------
# Flush the built-in chains of the filter, nat and mangle tables
#---------------------------------------------------------------
iptables -F
iptables -t nat -F
iptables -t mangle -F
#---------------------------------------------------------------
# Delete the user-defined chains of the filter, nat and mangle tables
#---------------------------------------------------------------
iptables -X
iptables -t nat -X
iptables -t mangle -X
#---------------------------------------------------------------
# The three chains of the filter table are set to DROP, so by
# default everything is discarded.
# For the default targets of the nat table chains we accept
# all connections.
#---------------------------------------------------------------
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P PREROUTING ACCEPT
#---------------------------------------------------------------
# The loopback interface accepts all traffic
#---------------------------------------------------------------
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
###############################################################
#################### Firewall rules ###########################
###############################################################
#---------------------------------------------------------------
# Allow outgoing DNS queries from the firewall, and the replies
# coming back
#---------------------------------------------------------------
iptables -A OUTPUT -p udp -o $EXTERNAL_INT --dport 53 --sport 1024:65535 -j ACCEPT
iptables -A INPUT -p udp -i $EXTERNAL_INT --sport 53 --dport 1024:65535 -j ACCEPT
#---------------------------------------------------------------
# Allow SSH connections to the firewall
#---------------------------------------------------------------
iptables -A INPUT -p tcp -i $EXTERNAL_INT --dport 22 --sport 1024:65535 -m state --state NEW -j ACCEPT
#---------------------------------------------------------------
# Allow www and https connections from the firewall
#---------------------------------------------------------------
iptables -A OUTPUT -j ACCEPT -m state --state NEW -o $EXTERNAL_INT -p tcp --dport 80 --sport 1024:65535
iptables -A OUTPUT -j ACCEPT -m state --state NEW -o $EXTERNAL_INT -p tcp --dport 443 --sport 1024:65535
#---------------------------------------------------------------
# Allow ICMP echo-request out and echo-reply back in
#---------------------------------------------------------------
iptables -A OUTPUT -j ACCEPT -o $EXTERNAL_INT -p icmp --icmp-type echo-request
iptables -A INPUT -j ACCEPT -i $EXTERNAL_INT -p icmp --icmp-type echo-reply
#---------------------------------------------------------------
# Allow bidirectional traffic between the
# firewall <-> internal (private) network
#---------------------------------------------------------------
iptables -A INPUT -j ACCEPT -p all -s $HOME_NETWORK -i $INTERNAL_INT
iptables -A OUTPUT -j ACCEPT -p all -d $HOME_NETWORK -o $INTERNAL_INT
###############################################################
######## (Many-to-one NAT) IP address masquerading ############
###############################################################
#---------------------------------------------------------------
# Enable masquerading
#---------------------------------------------------------------
iptables -A POSTROUTING -t nat -o $EXTERNAL_INT -s $HOME_NETWORK -d 0/0 -j MASQUERADE
###############################################################
########### Allow already-established connections #############
###############################################################
#---------------------------------------------------------------
# Accept outbound connections in state "new, established and related"
# Accept inbound connections in state "established and related"
#---------------------------------------------------------------
iptables -A FORWARD -t filter -o $EXTERNAL_INT -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -t filter -i $EXTERNAL_INT -m state --state ESTABLISHED,RELATED -j ACCEPT
#---------------------------------------------------------------
# Allow already-established connections to the firewall itself
#---------------------------------------------------------------
iptables -A INPUT -j ACCEPT -m state --state ESTABLISHED,RELATED -i $EXTERNAL_INT -p tcp
###############################################################
################## Log and drop packets #######################
###############################################################
#---------------------------------------------------------------
# Log everything that was not accepted to /var/log/messages;
# this is very handy, since it tells you about everything that
# tries to reach the system.
#---------------------------------------------------------------
iptables -A OUTPUT -j LOG
iptables -A INPUT -j LOG
iptables -A FORWARD -j LOG
iptables -A OUTPUT -j DROP
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
###############################################################
################## Save the rules #############################
###############################################################
service iptables save
I'm in an institution where we have about 200 students and we are just building the firewall for them.
Another thing is that some students are very smart, so if they can break the system, then .....:-(
The --sports aren't really needed in your filter rules, since ANY sport is going to match; iptables will look at the dport and let them through.
Does logging work? You don't appear to have created or set up the logging chains.
Code:
iptables -A FORWARD -t filter -o $EXTERNAL_INT -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
This rule would allow any new connections going out to the internet, which is probably not what you want. It would allow things such as torrents, IM, etc.
Code:
iptables -A INPUT -p tcp -i $EXTERNAL_INT --dport 22 \
--sport 1024:65535 -m state --state NEW -j ACCEPT
Does ssh HAVE to be open to all IPs on the network? Or can it be restricted to only a select few? When I was at school, if I found a server with ssh open, I would've been all over it. Perhaps a rule such as
Code:
-A INPUT -p tcp --dport 22 -s 192.168.0.$yourIPonly -j ACCEPT
Same goes for this rule...
Code:
iptables -A INPUT -j ACCEPT -p all -s $HOME_NETWORK \
-i $INTERNAL_INT
I am half asleep, so I wouldn't pay too much attention to me
Thanks a lot for your kind help fukawil.
Is it possible to write, please, the rules as they should be according to your comments? I don't have enough experience and I'm afraid I'll make some mistakes, such as allowing torrents, IM, etc...
Thanks a lot again fukawil; I'm pressed for time, and the server should be in place.
Quote:
iptables -A FORWARD -t filter -o $EXTERNAL_INT -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
This rule would allow any new connections going out to the internet, which is probably not what you want. It would allow things such as torrents, IM, etc.
Now that I look at this rule again, you have the FORWARD and "filter" backwards... And iptables defaults to the filter table, so the -t is unnecessary (but it won't hurt anything to have it there).
So to replicate that rule you would want
Code:
-A FORWARD -o $EXTERNAL_INT etc
What I was trying to explain is called "egress filtering". Basically, to do it you need to either set a default policy of DROP, or have a DROP rule that will drop everything that hasn't been matched by the prior rules.
for example rules to allow the wanted traffic:
Code:
iptables -A FORWARD -p tcp -m multiport --dports 80,443 -m comment --comment "ACCEPT http/s" -j ACCEPT
iptables -A FORWARD -p tcp -m multiport --dports 110,143,25,465,585,993,995 -m comment --comment "Accept email" -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
And then a drop everything else rule..
Code:
iptables -A FORWARD -m comment --comment "Default Policy" -j DROP
Ok, I've already DROPPED the FORWARD chain in my script:
Quote:
iptables -P FORWARD DROP
so, should I put your last line even so?
Code:
iptables -A FORWARD -m comment --comment "Default Policy" -j DROP
Another thing, you have said something about torrents... (this is very important for me)
Please, how should the rule be written in order to stop these downloads, which eat all the bandwidth?
You've said that ssh should be allowed only from a certain host, which is great.
I want to be able to ssh from the LAN (192.168.0.0/24) and also from the WAN (public address) if necessary.
How should the rules be in this case?
Quote:
Originally Posted by hermouche
Ok, I've already DROPPED the FORWARD chain in my script:
Quote:
iptables -A FORWARD -t filter -o $EXTERNAL_INT -m state \
--state NEW,ESTABLISHED,RELATED -j ACCEPT
Yes, but by matching "NEW,RELATED,ESTABLISHED" it will let any new connection attempts through...
Quote:
Originally Posted by hermouche
so, should I put your last line even so?
Code:
iptables -A FORWARD -m comment --comment "Default Policy" -j DROP
With the default policy, ie: "-P", no.
Quote:
Originally Posted by hermouche
Another thing, you have said something about torrents... (this is very important for me)
Please, how should the rule be written in order to stop these downloads, which eat all the bandwidth?
By accepting only what you want to, and dropping everything else, torrents will be dropped because they won't be included in the list of accepted ports.
Quote:
Originally Posted by hermouche
You've said that ssh should be allowed only from a certain host, which is great.
I want to be able to ssh from the LAN (192.168.0.0/24) and also from the WAN (public address) if necessary.
How should the rules be in this case?
Externally speaking, this can only work with a static IP address on the internet connection of the client.
Internally speaking, if you really must be able to ssh from any IP on the LAN, then what I'm saying is irrelevant. What I am saying, though, is that it would be more secure if you were to give administrators (ie: you) a static IP address, and restrict ssh access to those IPs only, as any student PCs on the LAN would be able to see that SSH is open in order to start attacking it.
I would suggest giving YOUR computer a static IP, say 192.168.0.1,
then using a rule such as
Code:
-A INPUT -p tcp --dport 22 -s 192.168.0.1 -j ACCEPT
which would only open the SSH port to your computer, rather than the whole LAN...
Does that make a bit more sense?
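Putting fukawil's two points together (egress filtering of the FORWARD chain, and SSH accepted only from named admin hosts), here is an added shell example; it is not the script from the thread. It prints the iptables commands so you can review them before loading them, and `sh egress.sh apply` runs them. The interface names eth0/eth1 and the ADMIN_WAN_HOST value 203.0.113.10 are placeholders, the admin PC at 192.168.0.1 is the one suggested above, and the DNS rule only matters if LAN clients resolve names directly rather than through a resolver on the firewall.

```shell
#!/bin/sh
# Added example, not the thread's script: an egress-filtered FORWARD chain plus
# SSH limited to named admin hosts, following fukawil's advice.
# Assumptions (adjust to your network): the interface names, the admin PC at
# 192.168.0.1 as suggested in the thread, and ADMIN_WAN_HOST, a constructed
# placeholder taken from the TEST-NET-3 documentation range.
EXTERNAL_INT="${EXTERNAL_INT:-eth0}"              # assumed Internet-facing interface
INTERNAL_INT="${INTERNAL_INT:-eth1}"              # assumed LAN-facing interface
HOME_NETWORK="${HOME_NETWORK:-192.168.0.0/24}"    # LAN range from the thread
ADMIN_LAN_HOST="${ADMIN_LAN_HOST:-192.168.0.1}"   # admin PC with a static IP
ADMIN_WAN_HOST="${ADMIN_WAN_HOST:-203.0.113.10}"  # placeholder: admin's static public IP
WEB_PORTS="80,443"                                # http and https
MAIL_PORTS="25,110,143,465,585,993,995"           # mail ports listed in the thread

# emit_rules prints one iptables command per line instead of running them, so
# the ruleset can be read or diffed before it is loaded. Order matters: the
# state rule comes first so established flows never walk the port list, and
# everything unmatched falls through to the LOG rule and then to the DROP
# policy, so no explicit final DROP is needed.
emit_rules() {
    cat <<EOF
iptables -P FORWARD DROP
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -i $INTERNAL_INT -o $EXTERNAL_INT -s $HOME_NETWORK -p tcp -m multiport --dports $WEB_PORTS -m state --state NEW -m comment --comment "ACCEPT http/s" -j ACCEPT
iptables -A FORWARD -i $INTERNAL_INT -o $EXTERNAL_INT -s $HOME_NETWORK -p tcp -m multiport --dports $MAIL_PORTS -m state --state NEW -m comment --comment "ACCEPT email" -j ACCEPT
iptables -A FORWARD -i $INTERNAL_INT -o $EXTERNAL_INT -s $HOME_NETWORK -p udp --dport 53 -m comment --comment "ACCEPT DNS" -j ACCEPT
iptables -A FORWARD -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "FORWARD dropped: "
iptables -A INPUT -i $INTERNAL_INT -s $ADMIN_LAN_HOST -p tcp --dport 22 -m state --state NEW -m comment --comment "SSH from admin PC" -j ACCEPT
iptables -A INPUT -i $EXTERNAL_INT -s $ADMIN_WAN_HOST -p tcp --dport 22 -m state --state NEW -m comment --comment "SSH from admin static WAN IP" -j ACCEPT
EOF
}

# count_rules reports how many commands emit_rules produces.
count_rules() {
    emit_rules | wc -l | tr -d ' '
}

# apply_rules feeds the reviewed commands to a shell that stops on the first
# error, so a typo in one rule does not leave a half-loaded ruleset unnoticed.
apply_rules() {
    emit_rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *)     emit_rules ;;
esac
```

The LOG rule is rate-limited so a flood cannot fill /var/log/messages. The two admin SSH rules only restrict anything if the broad `iptables -A INPUT -j ACCEPT -p all -s $HOME_NETWORK -i $INTERNAL_INT` rule from the original script is removed, since that rule already accepts SSH from every LAN host.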
OK, fukawil, I begin to catch the philosophy.
Just another question which comes to mind: do we have to allow local connections with the following:
Quote:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
Because if I erase them, I can't reach the web either from the LAN or from the firewall!!
Is it normal? Moreover, the following is the result when we allow local connections: "just an extract":
So while allowing the local connection, the result, as we can see, NEGATES the DROP policy for both OUTPUT and INPUT, which means as far as I know that I am telling it to accept everything from anywhere (it's as if I said the policy is ACCEPT for both OUTPUT and INPUT!!!)
So what's the point of DROPping "INPUT and OUTPUT", since just after it says accept from anywhere to anywhere!!!!
The FORWARD chain is set to a default policy of DROP; I've got the following three rules and I'm happy with it since torrents..... are STOPPED. At the same time yahoo, hotmail, skype, facebook are stopped too.
So, now if I want to allow facebook, which rule should be written?
Quote:
iptables -A FORWARD -p tcp -m multiport --dports 80,443 -m comment --comment "ACCEPT http/s" -j ACCEPT
iptables -A FORWARD -p tcp -m multiport --dports 110,143,25,465,585,993,995 -m comment --comment "Accept email" -j ACCEPT
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
I should say that INPUT and OUTPUT are set to DROP. I've got a transparent proxy for my LAN.
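The extract itself is missing from the post, but the confusion is a common one: `iptables -L` without `-v` hides the in/out interface columns, so `-A INPUT -i lo -j ACCEPT` is listed as `ACCEPT all -- anywhere anywhere`. The rule is still bound to lo and does not override the DROP policy. As an added check that is not from the thread, the shell function below reads `iptables-save` output and lists the ACCEPT rules in INPUT and FORWARD that carry no interface, source, protocol or restrictive state match. The sample ruleset is constructed for this example: it contains the thread's own lo and FORWARD rules plus one deliberately bare `-A INPUT -j ACCEPT` line, which is what a rule that really negated the policy would look like.

```shell
#!/bin/sh
# Added example, not from the thread: audit a saved ruleset for ACCEPT rules
# that do not narrow what they match. Reads iptables-save text on stdin.

audit_unrestricted_accepts() {
    while IFS= read -r line; do
        # only ACCEPT rules in the INPUT and FORWARD chains are of interest
        case "$line" in
            "-A INPUT "*"-j ACCEPT"*|"-A FORWARD "*"-j ACCEPT"*) ;;
            *) continue ;;
        esac
        restricted=no
        # an input interface, a source address or a protocol narrows the
        # match; -o alone does not, it only says which way the traffic goes
        case " $line " in
            *" -i "*|*" -s "*|*" -p "*) restricted=yes ;;
        esac
        # a state match narrows it too, unless it includes NEW: that is how
        # the thread's FORWARD rule let every new outbound connection through
        case " $line " in
            *" --state "*NEW*|*" --ctstate "*NEW*) ;;
            *" --state "*|*" --ctstate "*) restricted=yes ;;
        esac
        if [ "$restricted" = no ]; then
            printf '%s\n' "$line"
        fi
    done
}

# Constructed sample in iptables-save format. The lo rules and the two FORWARD
# rules are the thread's; "-A INPUT -j ACCEPT" is added here on purpose as the
# shape of a rule that would actually bypass the DROP policy.
SAMPLE_RULESET='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth1 -s 192.168.0.0/24 -j ACCEPT
-A INPUT -j ACCEPT
-A FORWARD -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
COMMIT'

# count_sample_findings returns the number of flagged rules in the sample.
count_sample_findings() {
    printf '%s\n' "$SAMPLE_RULESET" | audit_unrestricted_accepts | wc -l | tr -d ' '
}

# On a live system run:  iptables-save | audit_unrestricted_accepts
printf '%s\n' "$SAMPLE_RULESET" | audit_unrestricted_accepts
```

Run against the sample it flags exactly two lines: the bare INPUT rule and the FORWARD rule that accepts NEW, which is the rule fukawil objected to earlier in the thread. The lo rule is not flagged because `-i lo` limits it to loopback traffic, and the `-s 192.168.0.0/24 -i eth1` rule is not flagged either, although it is still worth reconsidering for the reason fukawil gave.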
What do you mean by "allow facebook"?
If you mean to allow the Facebook webpage (it uses port 80, like any other web page, unless it's https),
then the rules you are using aren't restricting access to facebook.
If other websites work and facebook doesn't, I would be looking at your proxy configuration.
Yes, you're right, we don't have any problem "googling". I can say for example that youtube works (a few days ago we closed it).
The problem is that whenever we want to get facebook.com, we get the page to log in (email and password) and then nothing happens!!!
I heard about spoofing a web site, so....
If the proxy does not allow a website, normally we get a CGI web page where it says globally that the admin has closed the web site for such and such... etc.
In our case (for facebook) nothing happens, not even an error!!!
What can we do in order to investigate our network?