Firewall question
I sat down and started monkeying with iptables and have written myself a firewall script. It's mostly a cut and paste job from a demonstration script and a script a friend of mine wrote. I can still dial out to the internet but I can't do anything more.
This is a sample of what I see in my dmesg output:
IPT OUTPUT packet died: IN= OUT=ppp0 SRC=209.50.1.92 DST=199.184.119.1 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=26247 DF PROTO=UDP SPT=32768 DPT=53 LEN=41
IPT OUTPUT packet died: IN= OUT=ppp0 SRC=209.50.1.92 DST=198.247.225.251 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=26247 DF PROTO=UDP SPT=32768 DPT=53 LEN=41
IPT OUTPUT packet died: IN= OUT=ppp0 SRC=209.50.1.92 DST=199.184.119.1 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=26247 DF PROTO=UDP SPT=32768 DPT=53 LEN=41
This is what I know: the DST IP is the DNS server for my connection.
I haven't the slightest idea what's causing the DNS requests to be dropped like that.
Here's my script:
INET_IFACE="ppp0"
LO_IFACE="lo"
LO_IP="127.0.0.1"
IPTABLES="/usr/sbin/iptables"

# Load the netfilter modules used below (NAT, logging, rate limiting,
# masquerading, REJECT, and the FTP/IRC connection-tracking helpers).
/sbin/depmod -a
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ipt_REJECT
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc

# Kernel settings: enable forwarding and dynamic-address handling, and turn
# reverse-path filtering and martian logging off on every interface.
echo "echo 1 > ip_forward"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "echo 1 > ip_dynaddr"
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
for i in /proc/sys/net/ipv4/conf/*; do
    echo 0 > $i/rp_filter
    echo 0 > $i/log_martians
done

# Default policies: anything not explicitly accepted in a chain is dropped.
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

# User-defined chains.
$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets
$IPTABLES -N bad_tcp_packets

# bad_tcp_packets: reject SYN/ACK packets that start a NEW connection,
# then log and drop any other NEW packet that is not a plain SYN.
$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
    -m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
    --log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

# allowed: accept SYN and ESTABLISHED/RELATED TCP, drop everything else.
$IPTABLES -A allowed -p tcp --syn -j ACCEPT
$IPTABLES -A allowed -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p tcp -j DROP

# tcp_packets: per-port handling of TCP arriving on the internet interface.
$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 6000:6100 -i ppp0 -j REJECT \
    --reject-with icmp-host-unreachable
$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 137:139 -i ppp0 -j REJECT \
    --reject-with icmp-host-unreachable
$IPTABLES -A tcp_packets -p tcp -s 0/0 --sport 80 -j ACCEPT
$IPTABLES -A tcp_packets -p tcp -s 0/0 --dport 113 -i ppp0 -j ACCEPT

# udp_packets: accepted UDP destination ports.
$IPTABLES -A udp_packets -p udp -s 0/0 --dport 4000 -j ACCEPT
$IPTABLES -A udp_packets -p udp -s 0/0 --dport 45 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --destination-port 53 -j ACCEPT

# icmp_packets: accepted ICMP types (echo request, time exceeded).
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

# INPUT chain: sanity-check TCP, accept loopback and established/related
# traffic, then hand the rest to the per-protocol chains.
$IPTABLES -A INPUT -p tcp -j bad_tcp_packets
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d 0/0 -m state --state ESTABLISHED,RELATED \
    -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

# Rate-limited logging of whatever reaches these rules in each chain;
# LOG does not terminate processing, so the packet continues down the chain.
$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT INPUT packet died: "
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT FORWARD packet died: "
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
    --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

# FORWARD chain: log everything, sanity-check TCP, accept traffic entering
# on ppp0 and established/related traffic.
$IPTABLES -A FORWARD -j LOG
$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets
$IPTABLES -A FORWARD -i ppp0 -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# OUTPUT chain: the only ACCEPT rule matches packets sourced from 127.0.0.1;
# all other outbound packets fall through to the DROP policy.
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
The same thing happens if I dial out first and then run the script.
I'm a total newbie to Linux security, so be gentle.
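An added example, not part of the original post: a small POSIX shell script that triages iptables LOG lines of the shape quoted above into counts per chain, interface, protocol and destination port, and renders the rule that would have matched one such tuple so it can be compared against the rules the firewall script installs in that chain. The sample input reuses the three dmesg lines from the post plus one constructed INPUT line (the 198.51.100.7 source address is a documentation address, not from the post); the function names are assumptions made here, and nothing is applied to a running firewall.

```shell
#!/bin/sh
# Added example: triage iptables LOG output ("IPT <CHAIN> packet died: ...")
# into per-chain/interface/protocol/port counts. Not from the original post.

# Constructed sample: the poster's three dmesg lines plus one made-up INPUT
# drop (source 198.51.100.7 is a documentation address).
SAMPLE_LOG='IPT OUTPUT packet died: IN= OUT=ppp0 SRC=209.50.1.92 DST=199.184.119.1 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=26247 DF PROTO=UDP SPT=32768 DPT=53 LEN=41
IPT OUTPUT packet died: IN= OUT=ppp0 SRC=209.50.1.92 DST=198.247.225.251 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=26247 DF PROTO=UDP SPT=32768 DPT=53 LEN=41
IPT OUTPUT packet died: IN= OUT=ppp0 SRC=209.50.1.92 DST=199.184.119.1 LEN=61 TOS=0x00 PREC=0x00 TTL=64 ID=26247 DF PROTO=UDP SPT=32768 DPT=53 LEN=41
IPT INPUT packet died: IN=ppp0 OUT= SRC=198.51.100.7 DST=209.50.1.92 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=1 DF PROTO=TCP SPT=4444 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0'

# Read LOG lines on stdin; print "<count> <CHAIN> <in:|out:iface> <PROTO> <DPT>"
# per distinct tuple. The chain name is the second word of the log prefix;
# the remaining fields are KEY=VALUE pairs (IN= or OUT= is empty depending
# on direction, so the non-empty one tells us which way the packet went).
summarize_drops() {
    awk '
    {
        chain = $2
        proto = ""; dpt = ""; in_if = ""; out_if = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
            else if (kv[1] == "IN") in_if = kv[2]
            else if (kv[1] == "OUT") out_if = kv[2]
        }
        iface = (out_if != "") ? ("out:" out_if) : ("in:" in_if)
        key = chain " " iface " " proto " " dpt
        count[key]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -k2
}

# Render the iptables rule that would match one summarised tuple, so it can
# be checked against what the chain actually contains. Output only; this
# never calls iptables. Arguments: CHAIN in:|out:IFACE PROTO DPT.
rule_for_drop() {
    chain=$1; iface=$2; proto=$3; dport=$4
    case $iface in
        out:*) ifopt="-o ${iface#out:}" ;;
        in:*)  ifopt="-i ${iface#in:}" ;;
        *)     ifopt="" ;;
    esac
    lproto=$(printf '%s' "$proto" | tr 'A-Z' 'a-z')
    echo "iptables -A $chain $ifopt -p $lproto --dport $dport -j ACCEPT"
}

# Stand-alone run: summarise the sample, then show the rule for the top tuple.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
rule_for_drop OUTPUT out:ppp0 UDP 53
```

Run on the sample, the summary shows three OUTPUT drops on ppp0 for UDP/53 and one INPUT drop for TCP/22; the rendered rule for the first tuple is the per-port match to look for in the OUTPUT chain. Treating such a rendered rule as a suggestion to review, rather than adding every dropped tuple blindly, keeps the chain's default-deny intact.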