LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 12-22-2005, 10:24 AM   #16
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60

If I comment that line out or use something like:

$IPTABLES -A INPUT -i $DMZ_IFACE -m state --state RELATED,ESTABLISHED

Will that have any effect on my incoming calls? I see this rule as being the problem! What else can I do? If I comment out this line, then how are packets going to get into my DMZ to my VOIP modem, and will it have an effect on my incoming calls?

Last edited by metallica1973; 12-22-2005 at 10:26 AM.
 
Old 12-22-2005, 11:35 AM   #17
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by metallica1973
If I comment that line out or use something like:

$IPTABLES -A INPUT -i $DMZ_IFACE -m state --state RELATED,ESTABLISHED

Will that have any effect on my incoming calls? I see this rule as being the problem! What else can I do? If I comment out this line, then how are packets going to get into my DMZ to my VOIP modem, and will it have an effect on my incoming calls?
nope... the INPUT chain doesn't have anything to do with routing, so unless someone on your DMZ needs to connect to some kinda special software you have running on your firewall/router, it's not necessary to accept any connections *TO* your router, only *THROUGH* your router... so you should probably just delete that rule...

BTW, i just realized i didn't write any FORWARD rules for outgoing connections from the DMZ to the WAN... if the protocols and port ranges are the same for outgoing calls then it should look kinda like this:
Code:
#!/bin/sh

###############################################################################
### Variables
###############################################################################

# Don't forget to give these variables the *proper* values:
IPTABLES="/usr/sbin/iptables"
DMZ_IFACE="ethx"
DMZ_VOIP_PHONE="192.168.x.x"
EXTIF="ethx"


###############################################################################
### Kernel Parameters
###############################################################################

# Disable forwarding while we get set-up:
echo "0" > /proc/sys/net/ipv4/ip_forward

# Enable some anti-spoof protection:
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter


###############################################################################
### Clean-Out Chains, Set Policies, Create User Chains
###############################################################################

$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle

$IPTABLES -X
$IPTABLES -X -t nat
$IPTABLES -X -t mangle

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT

$IPTABLES -N FORWARD_WAN2DMZ
$IPTABLES -N FORWARD_DMZ2WAN


###############################################################################
### INPUT Chain
###############################################################################

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT

#$IPTABLES -A INPUT -i $DMZ_IFACE -m state --state NEW -j ACCEPT

$IPTABLES -A INPUT -m limit --limit 5/minute --limit-burst 5 \
-j LOG --log-prefix "INPUT DROP: "


###############################################################################
### FORWARD Chain
###############################################################################

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $DMZ_IFACE -j FORWARD_WAN2DMZ
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $EXTIF -j FORWARD_DMZ2WAN

$IPTABLES -A FORWARD -m limit --limit 5/minute --limit-burst 5 \
-j LOG --log-prefix "FORWARD DROP: "


###############################################################################
### FORWARD_WAN2DMZ Chain
###############################################################################

$IPTABLES -A FORWARD_WAN2DMZ -p UDP -d $DMZ_VOIP_PHONE \
--dport 1023:1030 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD_WAN2DMZ -p UDP -d $DMZ_VOIP_PHONE \
--dport 5050:5070 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD_WAN2DMZ -p UDP -d $DMZ_VOIP_PHONE \
--dport 13456:13470 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD_WAN2DMZ -p UDP -d $DMZ_VOIP_PHONE \
--dport 10000:20000 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD_WAN2DMZ -j RETURN


###############################################################################
### FORWARD_DMZ2WAN Chain
###############################################################################

$IPTABLES -A FORWARD_DMZ2WAN -p UDP -s $DMZ_VOIP_PHONE \
--dport 1023:1030 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD_DMZ2WAN -p UDP -s $DMZ_VOIP_PHONE \
--dport 5050:5070 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD_DMZ2WAN -p UDP -s $DMZ_VOIP_PHONE \
--dport 13456:13470 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD_DMZ2WAN -p UDP -s $DMZ_VOIP_PHONE \
--dport 10000:20000 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD_DMZ2WAN -j RETURN


###############################################################################
### PREROUTING Chain
###############################################################################

$IPTABLES -t nat -A PREROUTING -p UDP -i $EXTIF --dport 1023:1030 \
-j DNAT --to-destination $DMZ_VOIP_PHONE

$IPTABLES -t nat -A PREROUTING -p UDP -i $EXTIF --dport 5050:5070 \
-j DNAT --to-destination $DMZ_VOIP_PHONE

$IPTABLES -t nat -A PREROUTING -p UDP -i $EXTIF --dport 13456:13470 \
-j DNAT --to-destination $DMZ_VOIP_PHONE

$IPTABLES -t nat -A PREROUTING -p UDP -i $EXTIF --dport 10000:20000 \
-j DNAT --to-destination $DMZ_VOIP_PHONE


###############################################################################
### POSTROUTING Chain
###############################################################################

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# Enable forwarding now that we are finally set-up:
echo "1" > /proc/sys/net/ipv4/ip_forward

of course if you don't wanna be so strict with your outgoing DMZ traffic then a rule allowing all traffic from the DMZ to the WAN would also work (even though it kinda defeats the purpose of a firewall IMHO):
Code:
#!/bin/sh

###############################################################################
### Variables
###############################################################################

# Don't forget to give these variables the *proper* values:
IPTABLES="/usr/sbin/iptables"
DMZ_IFACE="ethx"
DMZ_VOIP_PHONE="192.168.x.x"
EXTIF="ethx"


###############################################################################
### Kernel Parameters
###############################################################################

# Disable forwarding while we get set-up:
echo "0" > /proc/sys/net/ipv4/ip_forward

# Enable some anti-spoof protection:
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter


###############################################################################
### Clean-Out Chains, Set Policies
###############################################################################

$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle

$IPTABLES -X
$IPTABLES -X -t nat
$IPTABLES -X -t mangle

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT


###############################################################################
### INPUT Chain
###############################################################################

$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i lo -j ACCEPT

#$IPTABLES -A INPUT -i $DMZ_IFACE -m state --state NEW -j ACCEPT

$IPTABLES -A INPUT -m limit --limit 5/minute --limit-burst 5 \
-j LOG --log-prefix "INPUT DROP: "


###############################################################################
### FORWARD Chain
###############################################################################

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A FORWARD -i $DMZ_IFACE -o $EXTIF \
-m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -p UDP -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_PHONE \
--dport 1023:1030 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -p UDP -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_PHONE \
--dport 5050:5070 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -p UDP -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_PHONE \
--dport 13456:13470 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -p UDP -i $EXTIF -o $DMZ_IFACE -d $DMZ_VOIP_PHONE \
--dport 10000:20000 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD -m limit --limit 5/minute --limit-burst 5 \
-j LOG --log-prefix "FORWARD DROP: "


###############################################################################
### PREROUTING Chain
###############################################################################

$IPTABLES -t nat -A PREROUTING -p UDP -i $EXTIF --dport 1023:1030 \
-j DNAT --to-destination $DMZ_VOIP_PHONE

$IPTABLES -t nat -A PREROUTING -p UDP -i $EXTIF --dport 5050:5070 \
-j DNAT --to-destination $DMZ_VOIP_PHONE

$IPTABLES -t nat -A PREROUTING -p UDP -i $EXTIF --dport 13456:13470 \
-j DNAT --to-destination $DMZ_VOIP_PHONE

$IPTABLES -t nat -A PREROUTING -p UDP -i $EXTIF --dport 10000:20000 \
-j DNAT --to-destination $DMZ_VOIP_PHONE


###############################################################################
### POSTROUTING Chain
###############################################################################

$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# Enable forwarding now that we are finally set-up:
echo "1" > /proc/sys/net/ipv4/ip_forward

Last edited by win32sux; 12-22-2005 at 06:06 PM.
 
Old 12-22-2005, 04:06 PM   #18
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
One more stupid question:

###############################################################################
### FORWARD_DMZ2WAN Chain
###############################################################################

$IPTABLES -A FORWARD_DMZ2WAN -p UDP -d $DMZ_VOIP_PHONE \
--dport 1023:1030 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD_DMZ2WAN -p UDP -d $DMZ_VOIP_PHONE \
--dport 5050:5070 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD_DMZ2WAN -p UDP -d $DMZ_VOIP_PHONE \
--dport 13456:13470 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD_DMZ2WAN -p UDP -d $DMZ_VOIP_PHONE \
--dport 10000:20000 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD_DMZ2WAN -j RETURN

If this is a forward chain from the DMZ to WAN, how can the destination (-d) be the DMZ_VOIP_PHONE if these are outgoing packets? Shouldn't it be the other way around, like this? Logically it makes sense. Sometimes netfilter doesn't make logical sense in its syntax of how it should be:

$IPTABLES -A FORWARD_DMZ2WAN -p UDP -d $EXTIF -j ACCEPT

$IPTABLES -A FORWARD_DMZ2WAN -p UDP -d $EXTIF -j ACCEPT

$IPTABLES -A FORWARD_DMZ2WAN -p UDP -d $EXTIF -j ACCEPT

$IPTABLES -A FORWARD_DMZ2WAN -p UDP -d $EXTIF -j ACCEPT

$IPTABLES -A FORWARD_DMZ2WAN -j RETURN

My logical translation of this would be to route all UDP packets to the $EXTIF and to ACCEPT this. Is it just me? I find iptables to be really confusing at times!
 
Old 12-22-2005, 05:54 PM   #19
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by metallica1973
$IPTABLES -A FORWARD_DMZ2WAN -p UDP -d $DMZ_VOIP_PHONE \
--dport 1023:1030 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD_DMZ2WAN -p UDP -d $DMZ_VOIP_PHONE \
--dport 5050:5070 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD_DMZ2WAN -p UDP -d $DMZ_VOIP_PHONE \
--dport 13456:13470 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD_DMZ2WAN -p UDP -d $DMZ_VOIP_PHONE \
--dport 10000:20000 -m state --state NEW -j ACCEPT

$IPTABLES -A FORWARD_DMZ2WAN -j RETURN

If this is a forward chain from the DMZ to WAN, how can the destination (-d) be the DMZ_VOIP_PHONE if these are outgoing packets? Shouldn't it be the other way around, like this? Logically it makes sense. Sometimes netfilter doesn't make logical sense in its syntax of how it should be:
correct... i made a mistake when i was typing the rules, since i was basing myself on a copy/paste from the WAN2DMZ chain... good catch!!

i've updated/corrected those rules, by changing the "-d" to a "-s", as we don't know which is the IP the packets will be going to, but we know where they should be coming from...


Quote:
$IPTABLES -A FORWARD_DMZ2WAN -p UDP -d $EXTIF -j ACCEPT

$IPTABLES -A FORWARD_DMZ2WAN -p UDP -d $EXTIF -j ACCEPT

$IPTABLES -A FORWARD_DMZ2WAN -p UDP -d $EXTIF -j ACCEPT

$IPTABLES -A FORWARD_DMZ2WAN -p UDP -d $EXTIF -j ACCEPT

$IPTABLES -A FORWARD_DMZ2WAN -j RETURN

My logical translation of this would be to route all UDP packets to the $EXTIF and to ACCEPT this:
well, as i said above, you don't wanna use a "-d" for these rules... it was an honest mistake... the "-d" is supposed to be a "-s"...

BTW, in case you actually would need to use a "-d" here (which you don't) it would need to be an IP address... $EXTIF represents your external *interface* so a "-d" wouldn't work with it... look at the forward chain in the updated example and you'll see that "-i" and "-o" are the matches you wanna use when referring to interface names...

PS: if you can it would be cool if you'd remove the "##########" part from your post as it's affecting the page's layout and stuff...

Last edited by win32sux; 12-22-2005 at 06:05 PM.
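As an added illustration of the two points made in this reply and in post #17 (the INPUT chain only sees packets addressed to the router itself, and the DMZ2WAN rules match on -s because the far end of an outgoing call is unknown), here is a small Python model of the packet path that ruleset produces. It is not netfilter code and not part of win32sux's scripts; the interface names, the router and phone addresses and the SIP peer are constructed, and MASQUERADE and the reverse translation of replies are left out.

```python
# Toy model of the packet path the DMZ/VoIP ruleset in this thread produces.
# Added example: not netfilter code and not win32sux's script. Interface names,
# router/phone addresses and the remote SIP peer are constructed for the demo;
# MASQUERADE and the reverse translation of replies are not modelled.
from dataclasses import dataclass, replace

EXTIF, DMZ_IFACE = "eth0", "eth1"                          # assumed
ROUTER_IPS = {"203.0.113.10", "192.168.2.1"}               # assumed WAN / DMZ addresses
DMZ_VOIP_PHONE = "192.168.2.120"                           # assumed
VOIP_RANGES = [(1023, 1030), (5050, 5070), (13456, 13470), (10000, 20000)]  # from the script


@dataclass(frozen=True)
class Packet:
    in_iface: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "UDP"


def in_voip_range(port):
    return any(lo <= port <= hi for lo, hi in VOIP_RANGES)


class Conntrack:
    """Minimal state table: a flow is ESTABLISHED once a NEW packet was accepted."""
    def __init__(self):
        self.flows = set()

    def state(self, p):
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "ESTABLISHED" if fwd in self.flows or rev in self.flows else "NEW"

    def confirm(self, p):
        self.flows.add((p.proto, p.src, p.sport, p.dst, p.dport))


def prerouting(p):
    """nat PREROUTING: DNAT the VoIP UDP ranges arriving on $EXTIF to the phone.
    This runs BEFORE the routing decision, so the rewritten packet is no longer
    addressed to the router and goes to FORWARD, never to INPUT."""
    if p.in_iface == EXTIF and p.proto == "UDP" and in_voip_range(p.dport):
        return replace(p, dst=DMZ_VOIP_PHONE)
    return p


def routing_decision(p):
    """Local delivery -> INPUT chain; anything else -> FORWARD plus an output interface."""
    if p.dst in ROUTER_IPS:
        return "INPUT", None
    return "FORWARD", DMZ_IFACE if p.dst.startswith("192.168.2.") else EXTIF


def input_chain(p, ct):
    """INPUT: only ESTABLISHED,RELATED and loopback; the rest is logged, then policy DROP."""
    return "ACCEPT" if ct.state(p) == "ESTABLISHED" or p.in_iface == "lo" else "LOG+DROP"


def forward_chain(p, oif, ct):
    if ct.state(p) == "ESTABLISHED":
        return "ACCEPT"
    if p.proto == "UDP" and in_voip_range(p.dport):
        # FORWARD_WAN2DMZ: the destination is known, so match -d $DMZ_VOIP_PHONE.
        if p.in_iface == EXTIF and oif == DMZ_IFACE and p.dst == DMZ_VOIP_PHONE:
            return "ACCEPT"
        # FORWARD_DMZ2WAN: the remote end of an outgoing call is unknown in advance,
        # so match the source (-s $DMZ_VOIP_PHONE), as corrected in post #19.
        if p.in_iface == DMZ_IFACE and oif == EXTIF and p.src == DMZ_VOIP_PHONE:
            return "ACCEPT"
    return "LOG+DROP"


def process(p, ct):
    """Run one packet through PREROUTING, routing and the filter chain it lands in.
    Returns (chain, verdict, packet as that chain saw it)."""
    p = prerouting(p)
    chain, oif = routing_decision(p)
    verdict = input_chain(p, ct) if chain == "INPUT" else forward_chain(p, oif, ct)
    if verdict == "ACCEPT":
        ct.confirm(p)
    return chain, verdict, p


def demo():
    ct = Conntrack()
    peer = "198.51.100.5"                                  # assumed SIP provider
    steps = [
        # 1. inbound SIP packet to the router's public address: DNAT, then FORWARD
        Packet(EXTIF, peer, 5060, "203.0.113.10", 5060),
        # 2. the phone's reply: ESTABLISHED, accepted without any port-specific rule
        Packet(DMZ_IFACE, DMZ_VOIP_PHONE, 5060, peer, 5060),
        # 3. a NEW outgoing RTP stream from the phone, matched by -s in FORWARD_DMZ2WAN
        Packet(DMZ_IFACE, DMZ_VOIP_PHONE, 12000, peer, 15000),
        # 4. a connection to the router itself: INPUT chain, logged and dropped
        Packet(EXTIF, peer, 40000, "203.0.113.10", 22, "TCP"),
    ]
    return [process(p, ct) for p in steps]


if __name__ == "__main__":
    for chain, verdict, p in demo():
        print(f"{chain:8} {verdict:9} {p.src}:{p.sport} -> {p.dst}:{p.dport}/{p.proto}")
```

Running it prints one line per packet: the inbound SIP packet is rewritten in PREROUTING and lands in FORWARD (it never reaches INPUT, which is why an INPUT rule with -d $DMZ_VOIP_PHONE can never match), the phone's reply is accepted as ESTABLISHED without any port rule, the outgoing RTP stream is accepted by the -s match, and the TCP connection to the router itself ends in INPUT's logging rule and the DROP policy.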
 
Old 01-08-2006, 08:51 PM   #20
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
I tried it and it did not work. Is this feasible for input:

$IPTABLES -A INPUT -p udp -i $DMZ_IFACE -d $DMZ_VOIP_PHONE -m state --state ESTABLISHED,RELATED -j ACCEPT

and why not this instead:

$IPTABLES -A INPUT -p udp -i $EXTIF -d $DMZ_VOIP_PHONE -m state --state ESTABLISHED,RELATED -j ACCEPT

and I also have this rule below after the above rule; is that wrong, and could that possibly be the reason why I cannot receive any calls?

$IPTABLES -A INPUT -p udp -i $DMZ_IFACE -d $DMZ_VOIP_PHONE -m state --state ESTABLISHED,RELATED -j ACCEPT

$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT

and do I need an OUTPUT rule?

Last edited by metallica1973; 01-08-2006 at 08:58 PM.
 
Old 01-09-2006, 01:03 AM   #21
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
your INPUT chain doesn't have anything to do with routing...

you don't need any OUTPUT rules when the policy is set to ACCEPT...

Quote:
$IPTABLES -A INPUT -p udp -i $DMZ_IFACE -d $DMZ_VOIP_PHONE -m state --state ESTABLISHED,RELATED -j ACCEPT
this makes no sense because a packet that is destined for the $DMZ_VOIP_PHONE would never hit the INPUT chain on the router... the INPUT chain is only for packets headed to the host itself...

Quote:
$IPTABLES -A INPUT -p udp -i $EXTIF -d $DMZ_VOIP_PHONE -m state --state ESTABLISHED,RELATED -j ACCEPT
see above... and BTW, a generic ESTABLISHED,RELATED rule is enough, you don't need to be so specific with this kinda rule... a rule like this at the top of the INPUT chain would suffice:
Code:
$IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
did you check your logfile?? the script i posted would log any packets that are getting filtered...

Last edited by win32sux; 01-09-2006 at 01:04 AM.
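win32sux's suggestion to check the log file is the quickest way to find which rule is eating the calls, since every packet that falls through to the policy in his script is logged with an "INPUT DROP: " or "FORWARD DROP: " prefix. As an added example (not from this thread), the Python script below parses such kernel-log lines and summarizes them; the sample lines are constructed, and the addresses, interface names and phone IP are assumed.

```python
# Added example (not from this thread): parse the kernel-log lines that the
# "INPUT DROP: " / "FORWARD DROP: " LOG rules in win32sux's script write, and
# summarize what is being filtered. The log lines below are constructed; the
# addresses, interfaces and phone IP are assumed.
import re
from collections import Counter

DMZ_VOIP_PHONE = "192.168.2.120"                                    # assumed
VOIP_RANGES = [(1023, 1030), (5050, 5070), (13456, 13470), (10000, 20000)]

SAMPLE_LOG = """\
Jan  9 00:41:10 router kernel: FORWARD DROP: IN=eth0 OUT=eth1 SRC=198.51.100.5 DST=192.168.2.120 LEN=548 TOS=0x00 PREC=0x00 TTL=52 ID=4711 PROTO=UDP SPT=5060 DPT=5060 LEN=528
Jan  9 00:41:11 router kernel: FORWARD DROP: IN=eth0 OUT=eth1 SRC=198.51.100.5 DST=192.168.2.120 LEN=548 TOS=0x00 PREC=0x00 TTL=52 ID=4712 PROTO=UDP SPT=5060 DPT=5060 LEN=528
Jan  9 00:41:12 router kernel: INPUT DROP: IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.10 LEN=40 TOS=0x00 PREC=0x00 TTL=48 ID=9 DF PROTO=TCP SPT=44321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  9 00:41:15 router kernel: FORWARD DROP: IN=eth1 OUT=eth0 SRC=192.168.2.120 DST=198.51.100.5 LEN=200 TOS=0x00 PREC=0x00 TTL=63 ID=12 PROTO=UDP SPT=16384 DPT=8000 LEN=180
Jan  9 00:41:16 router kernel: eth0: link is up
"""

LINE_RE = re.compile(r"kernel: (?P<prefix>(?:INPUT|FORWARD) DROP): (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return a dict of the LOG fields, or None for lines without one of our prefixes."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = {"prefix": m.group("prefix")}
    # Bare flags (DF, SYN) carry no '=' and are skipped; LEN appears twice and
    # the first one (the IP total length) is kept.
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec.setdefault(key, val)
    return rec


def summarize(text):
    """Count drops per (chain, in-iface, out-iface, protocol, destination port)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["prefix"], rec["IN"], rec["OUT"], rec["PROTO"], rec.get("DPT"))] += 1
    return counts


def voip_drops(text):
    """Drops that involve the phone, flagged with whether the destination port lies
    inside the ranges the ruleset forwards. A drop on an in-range port points at
    rule ordering or the state match; an out-of-range port points at a range that
    is too narrow for what the phone actually uses."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec and DMZ_VOIP_PHONE in (rec.get("SRC"), rec.get("DST")):
            dport = int(rec["DPT"]) if "DPT" in rec else None
            in_range = dport is not None and any(lo <= dport <= hi for lo, hi in VOIP_RANGES)
            hits.append((rec["prefix"], rec["SRC"], rec["DST"], dport, in_range))
    return hits


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items(), key=str):
        print(n, *key)
    for hit in voip_drops(SAMPLE_LOG):
        print(*hit)
```

For the constructed sample the summary shows two dropped UDP 5060 packets headed for the phone (an in-range port, so the drop comes from somewhere earlier in the FORWARD chain or from the state match) and one RTP stream from the phone to port 8000, which is outside every forwarded range; the unrelated kernel message is ignored.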
 
Old 01-09-2006, 05:21 PM   #22
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
I will do so, sensei. I have been a bad pupil. I'll get back to you. Thanks.
 
Old 01-18-2006, 11:00 AM   #23
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
I think that I have stumbled across something. All this time I have had problems, it seems to me, establishing connections. The VOIP problem has been such that I could make a phone call but I cannot receive calls, and now when I attempt to remote control another computer outside my firewall using VNC, I can get to the point where it asks me for a password to connect to that VNC connection, but after that point it just hangs. It seems to me that there is something in my firewall that is preventing a two-way established connection. My firewall is rather lengthy so I will post it in two posts and then maybe we can come to a conclusion. Win32sux, you have been great and thanks for everything, but let's put an end to this chapter and take a look at my firewall rules. Many thanks. I will put it up in a couple of threads.

Last edited by metallica1973; 01-18-2006 at 11:19 AM.
 
Old 01-18-2006, 11:14 AM   #24
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
I will make another thread.

Last edited by metallica1973; 04-03-2006 at 11:23 PM.
 
Old 01-18-2006, 11:17 AM   #25
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
I shortened it up!

Last edited by metallica1973; 04-03-2006 at 11:07 PM.
 
Old 04-06-2006, 04:22 PM   #26
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
discussion continues, based on these posts from another thread... here's the latest script posted by metallica1973 (he's still not able to get VOIP to work):
Code:
#! /bin/sh

IPTABLES="/usr/sbin/iptables"

case "$1" in
stop)
echo "Shutting down firewall..."
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
echo "...done"
;;
status)
echo $"Table: filter"
iptables --list
echo $"Table: nat"
iptables -t nat --list
echo $"Table: mangle"
iptables -t mangle --list
;;
restart|reload)
$0 stop
$0 start
;;
start)
echo "Starting Firewall..."
echo ""


##--------------------------Begin Firewall---------------------------------##

#----Default-Interfaces-----#
EXTIF="eth0"
EXTIP="192.168.3.1"
INTIF="eth3"
INTLAN="192.168.3.0/25"
#EXTGW="192.168.3.1"
INTMASK="255.255.255.128"

#----Special Variables-----#

# IP Mask for all IP addresses
UNIVERSE="0.0.0.0/0"

# Specification of the high unprivileged IP ports.
UNPRIVPORTS="1024:65535"

# Specification of X Window System (TCP) ports.
#XWINPORTS="6000:6063"

# Ports for IRC-Connection-Tracking
#IRCPORTS="6665,6666,6667,6668,6669,7000"

# DMZ UDP ports
#DMZUDP="1024:1030,5060:5065,10000:20000"
####PS2 PORTS####


#-----Port-Forwarding Variables-----#

#IP for forwarded HTTP-traffic
HTTPIP="192.168.3.1"

#IP's for DMZ to VOIP
#DMZ_NETWORK="192.168.2.0"
DMZ_IFACE="eth4"
DMZ_IP="192.168.2.1"
#DMZ_DNS_IP="xx.xx.xxx.xx"
DMZ_VOIP_PHONE="192.168.2.120"

####PS2#######
#PS2_NETWORK="192.168.2.0"
#PS2_IFACE="eth4"
#PS2_IP="192.168.2.1"
#PS2="192.168.2.120"


#----Flood Variables-----#

# Overall Limit for TCP-SYN-Flood detection
TCPSYNLIMIT="5/s"
# Burst Limit for TCP-SYN-Flood detection
TCPSYNLIMITBURST="10"

# Overall Limit for Logging in Logging-Chains
LOGLIMIT="2/s"
# Burst Limit for Logging in Logging-Chains
LOGLIMITBURST="10"

# Overall Limit for Ping-Flood-Detection
PINGLIMIT="5/s"
# Burst Limit for Ping-Flood-Detection
PINGLIMITBURST="10"


echo "Loading IPTABLES modules"

dmesg -n 1 #Kill copyright display on module load
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe ip_conntrack_sip
/sbin/modprobe ip_nat_sip
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_conntrack_irc ports=$IRCPORTS
#/sbin/modprobe ip_nat_irc ports=$IRCPORTS
dmesg -n 6

echo " --- "


#----Clear/Reset all chains-----#

#Clear all IPTABLES-chains

#Flush everything, start from scratch
$IPTABLES -F
$IPTABLES -F -t mangle
$IPTABLES -F -t nat
$IPTABLES -X
$IPTABLES -X -t mangle
$IPTABLES -X -t nat

#Set default policies to DROP
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#----Set network sysctl options-----#
echo "Setting sysctl options"
#Enable forwarding in kernel
echo 1 > /proc/sys/net/ipv4/ip_forward
#Disabling IP Spoofing attacks.
echo 2 > /proc/sys/net/ipv4/conf/all/rp_filter
#Don't respond to broadcast pings (Smurf-Amplifier-Protection)
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#Block source routing
echo 0 > /proc/sys/net/ipv4/conf/all/accept_source_route
#Kill timestamps
echo 0 > /proc/sys/net/ipv4/tcp_timestamps
#Enable SYN Cookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#Kill redirects
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
#Enable bad error message protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#Log martians (packets with impossible addresses)
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
#Set our local port range
echo "32768 61000" > /proc/sys/net/ipv4/ip_local_port_range
#Reduce DoS'ing ability by reducing timeouts
echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
echo 2400 > /proc/sys/net/ipv4/tcp_keepalive_time
echo 0 > /proc/sys/net/ipv4/tcp_window_scaling
echo 0 > /proc/sys/net/ipv4/tcp_sack
echo " --- "

echo "Creating user-chains"

#----Create logging chains-----#

#Invalid packets (not ESTABLISHED,RELATED or NEW)
$IPTABLES -N LINVALID
$IPTABLES -A LINVALID -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=INVALID:1 a=DROP "
$IPTABLES -A LINVALID -j DROP
#TCP-Packets with one or more bad flags
$IPTABLES -N LBADFLAG
$IPTABLES -A LBADFLAG -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=BADFLAG:1 a=DROP "
$IPTABLES -A LBADFLAG -j DROP
#Logging of connection attempts on special ports (Trojan portscans, special services, etc.)
$IPTABLES -N LSPECIALPORT
$IPTABLES -A LSPECIALPORT -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SPECIALPORT:1 a=DROP "
$IPTABLES -A LSPECIALPORT -j DROP

#Logging of possible TCP-SYN-Floods
$IPTABLES -N LSYNFLOOD
$IPTABLES -A LSYNFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=SYNFLOOD:1 a=DROP "
$IPTABLES -A LSYNFLOOD -j DROP

#Logging of possible Ping-Floods
$IPTABLES -N LPINGFLOOD
$IPTABLES -A LPINGFLOOD -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=PINGFLOOD:1 a=DROP "
$IPTABLES -A LPINGFLOOD -j DROP

#All other dropped packets
$IPTABLES -N LDROP
$IPTABLES -A LDROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=DROP "
$IPTABLES -A LDROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=DROP "
$IPTABLES -A LDROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=DROP "
$IPTABLES -A LDROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=DROP "
$IPTABLES -A LDROP -j DROP

#All other rejected packets
$IPTABLES -N LREJECT
$IPTABLES -A LREJECT -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=TCP:1 a=REJECT "
$IPTABLES -A LREJECT -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=UDP:2 a=REJECT "
$IPTABLES -A LREJECT -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=ICMP:3 a=REJECT "
$IPTABLES -A LREJECT -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "fp=FRAGMENT:4 a=REJECT "
$IPTABLES -A LREJECT -p tcp -j REJECT --reject-with tcp-reset
$IPTABLES -A LREJECT -p udp -j REJECT --reject-with icmp-port-unreachable
$IPTABLES -A LREJECT -j REJECT

#----Create Accept-Chains-----#
#TCPACCEPT - Check for SYN-Floods before letting TCP-Packets in

$IPTABLES -N TCPACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -m limit --limit $TCPSYNLIMIT --limit-burst $TCPSYNLIMITBURST -j ACCEPT
$IPTABLES -A TCPACCEPT -p tcp --syn -j LSYNFLOOD
$IPTABLES -A TCPACCEPT -p tcp ! --syn -j ACCEPT

#----Create special User-Chains-----#

#CHECKBADFLAG - Kill any Inbound/Outbound TCP-Packets with impossible flag-combinations (Some port-scanners use these, eg. nmap Xmas,Null,etc.-scan)

$IPTABLES -N CHECKBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL FIN,URG,PSH -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL ALL -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags ALL NONE -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,RST SYN,RST -j LBADFLAG
$IPTABLES -A CHECKBADFLAG -p tcp --tcp-flags SYN,FIN SYN,FIN -j LBADFLAG

#Inbound/Outbound SILENTDROPS/REJECTS (Things we don't want in our Logs)

#SMB-Traffic
$IPTABLES -N SMB
$IPTABLES -A SMB -p tcp --dport 137 -j DROP
$IPTABLES -A SMB -p tcp --dport 138 -j DROP
$IPTABLES -A SMB -p tcp --dport 139 -j DROP
$IPTABLES -A SMB -p tcp --dport 445 -j DROP
$IPTABLES -A SMB -p udp --dport 137 -j DROP
$IPTABLES -A SMB -p udp --dport 138 -j DROP
$IPTABLES -A SMB -p udp --dport 139 -j DROP
$IPTABLES -A SMB -p udp --dport 445 -j DROP
$IPTABLES -A SMB -p tcp --sport 137 -j DROP
$IPTABLES -A SMB -p tcp --sport 138 -j DROP
$IPTABLES -A SMB -p tcp --sport 139 -j DROP
$IPTABLES -A SMB -p tcp --sport 445 -j DROP
$IPTABLES -A SMB -p udp --sport 137 -j DROP
$IPTABLES -A SMB -p udp --sport 138 -j DROP
$IPTABLES -A SMB -p udp --sport 139 -j DROP
$IPTABLES -A SMB -p udp --sport 445 -j DROP

#Inbound Special Ports

$IPTABLES -N SPECIALPORTS

#Deepthroat Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 6670 -j LSPECIALPORT

#Subseven Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 1243 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p udp --dport 1243 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 27374 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p udp --dport 27374 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 6711:6713 -j LSPECIALPORT

#Netbus Scan
$IPTABLES -A SPECIALPORTS -p tcp --dport 12345:12346 -j LSPECIALPORT
$IPTABLES -A SPECIALPORTS -p tcp --dport 20034 -j LSPECIALPORT

#Back Orifice scan
$IPTABLES -A SPECIALPORTS -p udp --dport 31337:31338 -j LSPECIALPORT

#X-Win
#$IPTABLES -A SPECIALPORTS -p tcp --dport $XWINPORTS -j LSPECIALPORT

#Hack'a'Tack 2000
$IPTABLES -A SPECIALPORTS -p udp --dport 28431 -j LSPECIALPORT

#ICMP/TRACEROUTE FILTERING

#Inbound ICMP/Traceroute

$IPTABLES -N ICMPINBOUND

#Ping Flood protection. Accept $PINGLIMIT echo-requests/sec, rest will be logged/dropped

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -m limit --limit $PINGLIMIT --limit-burst $PINGLIMITBURST -j ACCEPT

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type echo-request -j LPINGFLOOD

##Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type redirect -j LDROP

#Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-request -j LDROP

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type timestamp-reply -j LDROP

#Block ICMP-address-mask (can help to prevent OS-fingerprinting)

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-request -j LDROP

$IPTABLES -A ICMPINBOUND -p icmp --icmp-type address-mask-reply -j LDROP

#Allow all other ICMP in
$IPTABLES -A ICMPINBOUND -p icmp -j ACCEPT

#Outbound ICMP/Traceroute

$IPTABLES -N ICMPOUTBOUND

#Block ICMP-Redirects (Should already be caught by sysctl-options, if enabled)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type redirect -j LDROP

#Block ICMP-TTL-Expired
#MS Traceroute (MS uses ICMP instead of UDP for tracert)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-transit -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type ttl-zero-during-reassembly -j LDROP

#Block ICMP-Parameter-Problem
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type parameter-problem -j LDROP

#Block ICMP-Timestamp (Should already be caught by sysctl-options, if enabled)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type timestamp-reply -j LDROP

#Block ICMP-address-mask (can help to prevent OS-fingerprinting)
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-request -j LDROP
$IPTABLES -A ICMPOUTBOUND -p icmp --icmp-type address-mask-reply -j LDROP


##Accept all other ICMP going out
$IPTABLES -A ICMPOUTBOUND -p icmp -j ACCEPT

############################### PS2 Forwarding Chains #########################################

$IPTABLES -N WAN2DMZ
#$IPTABLES -N PS22WAN
$IPTABLES -N DMZ2WAN

#----End User-Chains-----#

echo " --- "

#----Start Ruleset-----#

echo "Implementing firewall rules..."

#################
## INPUT-Chain ## (everything that is addressed to the firewall itself)
#################

##GENERAL Filtering

# Kill INVALID packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A INPUT -m state --state INVALID -j LINVALID

# Check TCP-Packets for Bad Flags
$IPTABLES -A INPUT -p tcp -j CHECKBADFLAG


##Packets FROM FIREWALL-BOX ITSELF

#Local IF
$IPTABLES -A INPUT -i lo -j ACCEPT
#
#Kill connections to the local interface from the outside world (--> Should already be caught by kernel/rp_filter)
$IPTABLES -A INPUT -d 127.0.0.0/25 -j LREJECT
$IPTABLES -A INPUT -m tcp -p tcp -s ! 127.0.0.1 --dport 3128 -j DROP
$IPTABLES -A INPUT -m tcp -p tcp -s ! 127.0.0.1 --dport 80 -j DROP

##Packets FROM INTERNAL NET

##Allow unlimited traffic from internal network using legit addresses to firewall-box
##If protection from the internal interface is needed, alter it

$IPTABLES -A INPUT -i $INTIF -s $INTLAN -j ACCEPT

#Kill anything from outside claiming to be from internal network (Address-Spoofing --> Should already be caught by rp_filter)
$IPTABLES -A INPUT -s $INTLAN -j LREJECT

##Packets FROM EXTERNAL NET

##ICMP & Traceroute filtering

#Filter ICMP
$IPTABLES -A INPUT -i $EXTIF -p ICMP -j DROP

#$IPTABLES -A INPUT -i $EXTIF -p icmp -j LDROP

#Block UDP-Traceroute
#$IPTABLES -A INPUT -p udp --dport 33434:33523 -j LDROP


##Silent Drops/Rejects (Things we don't want in our logs)

#Drop all SMB-Traffic
$IPTABLES -A INPUT -i $EXTIF -j SMB

#Silently reject Ident (Don't DROP ident, because of possible delays when establishing an outbound connection)
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport 113 -j REJECT --reject-with tcp-reset


##Public services running ON FIREWALL-BOX (comment out to activate):

###########- From DMZ Interface to DMZ firewall IP########################
##################################################################

############################### ssh ###########################################

# $IPTABLES -A INPUT -i $EXTIF -p tcp --dport 513 -j TCPACCEPT

############Separate logging of special portscans/connection attempts #######################

$IPTABLES -A INPUT -i $EXTIF -j SPECIALPORTS

##Allow ESTABLISHED/RELATED connections in

$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED -j ACCEPT
$IPTABLES -A INPUT -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED,ESTABLISHED -j TCPACCEPT
$IPTABLES -A INPUT -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED,ESTABLISHED -j ACCEPT

##Catch all rule
$IPTABLES -A INPUT -j LDROP

##################
## Output-Chain ## (everything that comes directly from the Firewall-Box)
##################

##Packets TO FIREWALL-BOX ITSELF

#Local IF
$IPTABLES -A OUTPUT -o lo -j ACCEPT

##Packets TO INTERNAL NET

#Allow unlimited traffic to internal network using legit addresses

$IPTABLES -A OUTPUT -o $INTIF -d $INTLAN -j ACCEPT

##ICMP & Traceroute

$IPTABLES -A OUTPUT -o $EXTIF -p icmp -j ICMPOUTBOUND

##Silent Drops/Rejects (Things we don't want in our logs)

#SMB
#$IPTABLES -A OUTPUT -o $EXTIF -j SMB

#Ident
$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 113 -j REJECT --reject-with tcp-reset

##Public services running ON FIREWALL-BOX (uncomment to activate):

# ssh
#$IPTABLES -A OUTPUT -o $EXTIF -p tcp --sport 513 -m state --state ESTABLISHED -j ACCEPT

##Accept all tcp/udp traffic on unprivileged ports going out

$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A OUTPUT -o $EXTIF -s $EXTIP -p udp --sport $UNPRIVPORTS -j ACCEPT

##Catch all rule

$IPTABLES -A OUTPUT -j LDROP

####################
## FORWARD-Chain ## (everything that passes the firewall)
####################


##GENERAL Filtering

#Kill invalid packets (not ESTABLISHED, RELATED or NEW)
$IPTABLES -A FORWARD -m state --state INVALID -j LINVALID

# Check TCP-Packets for Bad Flags
$IPTABLES -A FORWARD -p tcp -j CHECKBADFLAG


##Filtering FROM INTERNAL NET


##Silent Drops/Rejects (Things we don't want in our logs)

#SMB
$IPTABLES -A FORWARD -o $EXTIF -j SMB

##Port-Forwarding from Ports < 1024 [outbound] (--> Also see chain PREROUTING)

#HTTP-Forwarding
$IPTABLES -A FORWARD -o $EXTIF -s $HTTPIP -p tcp --sport 3128 -j ACCEPT

##Allow all other forwarding (from Ports > 1024) from Internal Net to External Net
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p tcp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p udp --sport $UNPRIVPORTS -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -s $INTLAN -p icmp -j ACCEPT


##Filtering FROM EXTERNAL NET


##Silent Drops/Rejects (Things we don't want in our logs)

#SMB
# $IPTABLES -A FORWARD -i $EXTIF -j SMB


##Allow replies coming in
$IPTABLES -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p tcp --dport $UNPRIVPORTS -m state --state RELATED -j TCPACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p udp --dport $UNPRIVPORTS -m state --state RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -p icmp -m state --state RELATED -j ACCEPT

######################################## DMZ ################################################
$IPTABLES -A FORWARD -i $EXTIF -o $DMZ_IFACE -j WAN2DMZ
$IPTABLES -A FORWARD -i $DMZ_IFACE -o $EXTIF -j DMZ2WAN
################################## VOIP or PS2 -Forwarding #########################

################################## WAN to PS2 ##################################

#$IPTABLES -A WAN2DMZ -p tcp -d $DMZ_VOIP_PHONE --dport 80 -m state --state NEW -j ACCEPT
#$IPTABLES -A WAN2DMZ -p tcp -d $DMZ_VOIP_PHONE --dport 443 -m state --state NEW -j ACCEPT
$IPTABLES -A WAN2DMZ -p udp -d $DMZ_VOIP_PHONE --dport 1024:1030 -m state --state NEW -j ACCEPT
$IPTABLES -A WAN2DMZ -p udp -d $DMZ_VOIP_PHONE --dport 5050:5065 -m state --state NEW -j ACCEPT
$IPTABLES -A WAN2DMZ -p udp -d $DMZ_VOIP_PHONE --dport 10000:20000 -m state --state NEW -j ACCEPT
#$IPTABLES -A WAN2DMZ -p tcp -d $DMZ_VOIP_PHONE --dport 26300:26399 -m state --state NEW -j ACCEPT
#$IPTABLES -A WAN2DMZ -p tcp -d $DMZ_VOIP_PHONE --dport 30000:30099 -m state --state NEW -j ACCEPT
$IPTABLES -A WAN2DMZ -j RETURN

################################## PS2 to WAN ##################################

#$IPTABLES -A DMZ2WAN -p tcp -s $DMZ_VOIP_PHONE --dport 80 -m state --state NEW -j ACCEPT
#$IPTABLES -A DMZ2WAN -p tcp -s $DMZ_VOIP_PHONE --dport 443 -m state --state NEW -j ACCEPT
$IPTABLES -A DMZ2WAN -p udp -s $DMZ_VOIP_PHONE --dport 1024:1030 -m state --state NEW -j ACCEPT
$IPTABLES -A DMZ2WAN -p udp -s $DMZ_VOIP_PHONE --dport 5050:5065 -m state --state NEW -j ACCEPT
$IPTABLES -A DMZ2WAN -p udp -s $DMZ_VOIP_PHONE --dport 10000:20000 -m state --state NEW -j ACCEPT
#$IPTABLES -A DMZ2WAN -p tcp -s $DMZ_VOIP_PHONE --dport 26300:26399 -m state --state NEW -j ACCEPT
#$IPTABLES -A DMZ2WAN -p tcp -s $DMZ_VOIP_PHONE --dport 30000:30099 -m state --state NEW -j ACCEPT
#Append (-A), not insert (-I): an inserted RETURN sits at the top of DMZ2WAN and shadows every ACCEPT above
$IPTABLES -A DMZ2WAN -j RETURN


##Catch all rule/Deny every other forwarding

$IPTABLES -A FORWARD -j LDROP

################
## PREROUTING ##
################

##Port-Forwarding (--> Also see chain FORWARD)

##HTTP
#REDIRECT only takes a port (--to-ports); forwarding to another host needs DNAT
$IPTABLES -A PREROUTING -t nat -i $EXTIF -p tcp --dport 3128 -j DNAT --to-destination 192.168.3.2:8080

###################################### PS2 ######################################


#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 -j DNAT --to-destination $DMZ_VOIP_PHONE
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 443 -j DNAT --to-destination $DMZ_VOIP_PHONE
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 1024:1030 -j DNAT --to-destination $DMZ_VOIP_PHONE
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 5050:5065 -j DNAT --to-destination $DMZ_VOIP_PHONE
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 10000:20000 -j DNAT --to-destination $DMZ_VOIP_PHONE
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 26300:26399 -j DNAT --to-destination $DMZ_VOIP_PHONE
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 30000:30099 -j DNAT --to-destination $DMZ_VOIP_PHONE

###################
## POSTROUTING ##
###################

#Masquerade from Internal Net to External Net
$IPTABLES -A POSTROUTING -t nat -o $EXTIF -j MASQUERADE

#####DMZ VOIP PHONE step 5 #######

# $IPTABLES -t nat -A POSTROUTING -o $EXTIF -j SNAT --to-source 192.168.2.120


#------End Ruleset------#

echo "...done"
echo ""


echo "--> IPTABLES firewall loaded/activated <--"


##--------------------------------End Firewall---------------------------------##

;;
*)
echo "Usage: firewall (start|stop|restart|status) EXTIF INTIF"
exit 1
esac

exit 0
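An added example, not part of the posted script or of win32sux's rules: a small POSIX shell check that reads rule lines in the script's "$IPTABLES ..." form and reports every PREROUTING DNAT toward the VoIP phone that has no matching ACCEPT in WAN2DMZ. A DNAT only rewrites the destination; without a FORWARD accept the packet hits the FORWARD catch-all (LDROP), which looks exactly like incoming calls that never arrive. The sample ruleset is constructed, and the helper names rule_ports, unmatched_dnat and check_voip_forwarding are this example's own.

```shell
#!/bin/sh
# Rules are compared as text, so $EXTIF and $DMZ_VOIP_PHONE stay unexpanded.

# Constructed sample ruleset: the udp 10000:20000 DNAT has no WAN2DMZ ACCEPT.
SAMPLE_RULES='$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 1024:1030 -j DNAT --to-destination $DMZ_VOIP_PHONE
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 5050:5065 -j DNAT --to-destination $DMZ_VOIP_PHONE
$IPTABLES -t nat -A PREROUTING -p udp -i $EXTIF --dport 10000:20000 -j DNAT --to-destination $DMZ_VOIP_PHONE
#$IPTABLES -t nat -A PREROUTING -p tcp -i $EXTIF --dport 80 -j DNAT --to-destination $DMZ_VOIP_PHONE
$IPTABLES -A WAN2DMZ -p udp -d $DMZ_VOIP_PHONE --dport 1024:1030 -m state --state NEW -j ACCEPT
$IPTABLES -A WAN2DMZ -p udp -d $DMZ_VOIP_PHONE --dport 5050:5065 -m state --state NEW -j ACCEPT'

# rule_ports RULES PATTERN TARGET: print "proto dport" for every uncommented
# rule whose line matches PATTERN (e.g. "-A WAN2DMZ ") and jumps to TARGET.
rule_ports() {
    printf '%s\n' "$1" | awk -v pat="$2" -v tgt="$3" '
        /^[[:space:]]*#/ { next }            # commented-out rules are inactive
        $0 ~ pat && $0 ~ ("-j " tgt) {
            proto = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (proto != "" && port != "") print proto, port
        }'
}

# unmatched_dnat RULES: print each PREROUTING DNAT "proto dport" that has no
# WAN2DMZ ACCEPT for the same protocol and port range.
unmatched_dnat() {
    accepted=$(rule_ports "$1" "-A WAN2DMZ " ACCEPT)
    rule_ports "$1" "-A PREROUTING " DNAT | while read -r proto port; do
        printf '%s\n' "$accepted" | grep -qxF "$proto $port" \
            || printf '%s %s\n' "$proto" "$port"
    done
}

# check_voip_forwarding RULES: exit status 0 only when every DNAT is matched.
check_voip_forwarding() {
    [ -z "$(unmatched_dnat "$1")" ]
}

if ! check_voip_forwarding "$SAMPLE_RULES"; then
    echo "DNAT rules with no WAN2DMZ ACCEPT:"
    unmatched_dnat "$SAMPLE_RULES"
fi
```

The same pairing applies in the other direction: a DMZ2WAN ACCEPT with no corresponding MASQUERADE or SNAT in POSTROUTING lets the call leave with an unroutable DMZ source address.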
 
Old 04-06-2006, 05:41 PM   #27
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,190

Original Poster
Rep: Reputation: 60
I will resolve this and when I do I will write a book.
 
  

