LinuxQuestions.org

Linux - Security: Help me check the iptables script (https://www.linuxquestions.org/questions/linux-security-4/help-me-check-the-iptables-script-276516/)

vhh 01-11-2005 09:11 AM

Help me to check the iptables script
 
I'm building up iptables for my Red Hat Linux server. This is the code (some of it collected from elsewhere).

Could you guys please tell me whether it's ok or not? I'm going to put it on my server tomorrow. Thank you so much.

=================================================
# Configuration Options
EXTERNAL_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"
LAN_INTERFACE_1="eth1"

# Get the IP Addresses for the network cards
IPADDR=`/sbin/ifconfig $EXTERNAL_INTERFACE | grep -i "addr:" | cut -f2 -d: | cut -f1 -d " "`
LAN_IPADDR=`/sbin/ifconfig $LAN_INTERFACE_1 | grep -i "addr:" | cut -f2 -d: | cut -f1 -d " "`
LOCALHOST_IP="127.0.0.1/32"
LAN_BCAST_ADDRESS="10.0.0.255"

##########
echo "Starting Firewalling... "

IPTABLES="/usr/sbin/iptables"

########## Module loading.
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

########## /proc set up.
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
#echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout
#echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/eth0/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

########## remove all rules and chains if any
iptables -F icmp_packets
iptables -F tcp_packets
iptables -F udpincoming_packets
iptables -F allowed
iptables -F

iptables -X icmp_packets
iptables -X tcp_packets
iptables -X udpincoming_packets
iptables -X allowed
iptables -X

########## Enable Masquerading
iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -j MASQUERADE
iptables -A FORWARD -i $LAN_INTERFACE_1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

########## Log errors when masquerading
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

########## Set default policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

########## Create separate chains for ICMP, TCP and UDP to traverse
iptables -N icmp_packets
iptables -N tcp_packets
iptables -N udpincoming_packets

########## The Allowed Chain for TCP connections
iptables -N allowed
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP

########## ICMP rules (Internet Control Message Protocol)
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

########## TCP rules (Transmission Control Protocol)
### FTP port
iptables -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed

### SSH port
iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed

### SMTP Mail Server port
iptables -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed

### HTTP port
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed

### POP3 port
#iptables -A tcp_packets -p TCP -s 0/0 --dport 110 -j allowed

### IRC port
#iptables -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

### IMAP port
iptables -A tcp_packets -p TCP -s 0/0 --dport 143 -j allowed

### No-ip DNS services port
iptables -A tcp_packets -p TCP -s 0/0 --dport 8245 -j allowed

### Example of Port Forwarding using Bittorrent Ports
iptables -t nat -A PREROUTING -d $IPADDR -p tcp -m tcp --dport 6881 -j DNAT --to-destination 10.0.0.76

########## UDP ports (User Datagram Protocol)
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 143 -j ACCEPT

########## Prerouting chain - Check for obviously spoofed IPs
iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -s 192.168.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -s 172.16.0.0/12 -j DROP

########## INPUT chain # Establish the basic Input chain
########## and filter the packets onto the correct chains.
iptables -A INPUT -p ICMP -i $EXTERNAL_INTERFACE -j icmp_packets
iptables -A INPUT -p TCP -i $EXTERNAL_INTERFACE -j tcp_packets
iptables -A INPUT -p UDP -i $EXTERNAL_INTERFACE -j udpincoming_packets

iptables -A INPUT -p ALL -i $LAN_INTERFACE_1 -d $LAN_BCAST_ADDRESS -j ACCEPT
iptables -A INPUT -p ALL -d $LOCALHOST_IP -j ACCEPT
iptables -A INPUT -p ALL -d $LAN_IPADDR -j ACCEPT
iptables -A INPUT -p ALL -d $IPADDR -m state --state ESTABLISHED,RELATED -j ACCEPT

########## ENABLE TO LOG ERRORS
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

########## OUTPUT chain # Establish the basic Output chain
########## and filter them onto the correct chain
iptables -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_IPADDR -j ACCEPT
iptables -A OUTPUT -p ALL -s $IPADDR -j ACCEPT

########## ENABLE TO LOG ERRORS
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

########## PREVENT PING FLOOD - ICMP
iptables -N CHECK_PINGFLOOD
iptables -A CHECK_PINGFLOOD -m limit --limit 3/minute --limit-burst 3 -j RETURN
iptables -A CHECK_PINGFLOOD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=PINGFLOOD:warning a=DROP "
iptables -A CHECK_PINGFLOOD -j DROP

iptables -A INPUT -i eth0 -p ICMP --icmp-type echo-request -j CHECK_PINGFLOOD
iptables -A INPUT -i eth0 -p ICMP --icmp-type echo-request -j ACCEPT

########### REJECT SCAN TCP & UDP
iptables -N REJECT_PORTSCAN
iptables -A REJECT_PORTSCAN -p TCP -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=PORTSCAN:tcp a=REJECT "
iptables -A REJECT_PORTSCAN -p UDP -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=PORTSCAN:udp a=REJECT "
iptables -A REJECT_PORTSCAN -p TCP -j REJECT --reject-with tcp-reset
iptables -A REJECT_PORTSCAN -p UDP -j REJECT --reject-with icmp-port-unreachable

iptables -N TCP_INCOMING
iptables -A TCP_INCOMING -p tcp --dport 80 -j ACCEPT
iptables -A TCP_INCOMING -p tcp -j REJECT_PORTSCAN
iptables -A INPUT -i eth0 -p tcp -j TCP_INCOMING

iptables -N CHECK_UDPFLOOD
iptables -A CHECK_UDPFLOOD -m limit --limit 3/minute --limit-burst 3 -j RETURN
iptables -A CHECK_UDPFLOOD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=UDPFLOOD:warning a=DROP "
iptables -A CHECK_UDPFLOOD -j DROP
iptables -A INPUT -i eth0 -p udp -j CHECK_UDPFLOOD

iptables -N UDP_INCOMING
iptables -A UDP_INCOMING -p udp --dport 53 -j ACCEPT
iptables -A UDP_INCOMING -p udp -j REJECT_PORTSCAN
iptables -A INPUT -i eth0 -p udp -j UDP_INCOMING

########### DETECT NMAP SCANS
iptables -N DETECT_NMAP
iptables -A DETECT_NMAP -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=NMAP:XMAS a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=NMAP:XMAS-PSH a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags ALL ALL -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=NMAP:XMAS-ALL a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags ALL FIN -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=NMAP:FIN a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=NMAP:SYN-RST a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=NMAP:SYN-FIN a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags ALL NONE -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=NMAP:NULL a=DROP "
iptables -A DETECT_NMAP -j DROP
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DETECT_NMAP

############ STOP SYN FLOOD
iptables -N CHECK_SYNFLOOD
iptables -A CHECK_SYNFLOOD -m limit --limit 3/minute --limit-burst 3 -j RETURN
iptables -A CHECK_SYNFLOOD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=SYNFLOOD:warning a=DROP "
iptables -A CHECK_SYNFLOOD -j DROP
iptables -A INPUT -i eth0 -p tcp --syn -j CHECK_SYNFLOOD
===================================================

=End of file=

intranet_man 01-20-2005 04:00 PM

good work
 
I have a similar setup on my box. However, nmap has been trashing my VNC connection while iptables was running. Argh! This looks pretty good though. I'll test out your nmap functions on my box and see how they fare.

.....so far so good.....

Well, at least now my VNC connection is not being trashed. However, nmap is still detecting ports. Oh well. Maybe I don't understand how this is supposed to work.

intranet_man 01-20-2005 04:03 PM

...well
 
Well I take that back. Still trashing my connection. Oh well.

masand 01-20-2005 04:21 PM

If you are going to use this for some important work, I recommend you keep Shorewall, an iptables-based firewall, as your backup. It will generate the iptables script you require very easily.

Regards

vhh 01-22-2005 06:45 AM

I uploaded it and it seems to run well. But the log shows:

Jan 12 12:46:24 myhost ipables: iptables: No chain/target/match by that name
Jan 12 12:46:24 myhost last message repeated 3 times
Jan 12 12:46:24 myhost ipables: iptables: Table does not exist (do you need to insmod?)

I did run: #depmod -a
And I also checked the syntax in the script, but no error was found.

Anyone know this problem?

Capt_Caveman 01-22-2005 11:25 AM

Two errors that I can spot are that you're flushing and deleting the user-defined chains before they're even created, which will generate errors (you can't flush or delete a chain that doesn't exist). Flushing a non-existent chain produces an "iptables: No chain/target/match by that name" error, while trying to delete one results in an "iptables: Table does not exist (do you need to insmod?)" message. Instead, just use iptables -F and iptables -X, which will flush and delete all the user-defined chains without producing those errors.

Also verify that iptables is on with 'service iptables status'. Lastly, if neither of those solves the problem, post the output of 'lsmod' after you run the script.

vhh 01-26-2005 07:15 AM

Hello,

I've removed all of the lines below and the problem is gone.

iptables -F icmp_packets
iptables -F tcp_packets
iptables -F udpincoming_packets
iptables -F allowed
iptables -X icmp_packets
iptables -X tcp_packets
iptables -X udpincoming_packets
iptables -X allowed

Unfortunately, I got another error. It's showing "Bad argument `ACCEPT'".

???

carboncopy 01-26-2005 11:31 AM

Dear vhh,

May I urge your indulgence to put your iptables script in code tags? Thank you.

Thanks for the setup script, learning from it. :)

Capt_Caveman 01-26-2005 05:10 PM

Quote:

Originally posted by vhh
Unfortunately, I got a another error. It's showing "Bad argument `ACCEPT'".
???

Make sure that you have both interfaces up. I noticed it will fail with that message at rules using LAN_IPADDR if eth1 isn't up or doesn't exist. Specifically here:

iptables -A INPUT -p ALL -d $LAN_IPADDR -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_IPADDR -j ACCEPT

You might also want to add some debugging rules to dump the value of all the variables to stdout. So once you assign values to the variables, add some echo debugging rules like this:
Code:

EXTERNAL_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"
LAN_INTERFACE_1="eth1"

# Get the IP Addresses for the network cards
IPADDR=`/sbin/ifconfig $EXTERNAL_INTERFACE | grep -i "addr:" | cut -f2 -d: | cut -f1 -d " "`
LAN_IPADDR=`/sbin/ifconfig $LAN_INTERFACE_1 | grep -i "addr:" | cut -f2 -d: | cut -f1 -d " "`
LOCALHOST_IP="127.0.0.1/32"
LAN_BCAST_ADDRESS="10.0.0.255"

echo "IPADDR is $IPADDR"
echo "LAN_IPADDR is $LAN_IPADDR"

If your variables aren't the problem, then try adding some logging messages into the script, like echo "Loading INPUT rules" in various sections.

Technically your script has correct syntax and works just fine on a system with 2 interfaces up and running. However, it isn't very robust in terms of how the script functions. Along those lines, I noticed that you go through the trouble of assigning the iptables path to a variable, but then you never use it again. So if the iptables binary is in a different location, you'd have to modify each line of the script that invokes iptables with just "iptables" instead of using "$IPTABLES". Plus I'd add some form of error check or 'if statement' to make sure that your variables are all assigned properly.
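
An added example, not code from the thread or from Capt_Caveman, that puts his two points into practice: reset the rules with plain -F/-X so the order of chain creation no longer matters, and check the address variables and route every rule through $IPTABLES. It assumes net-tools ifconfig at /sbin/ifconfig; the sample ifconfig output and its 203.0.113.x addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: a sturdier opening for the script above.
# Rules go through $IPTABLES, addresses come from one parser, and the script
# stops before loading any rule if a variable is empty (what a down or missing
# eth1 leaves in LAN_IPADDR, reported by iptables as "Bad argument `ACCEPT'").

IPTABLES="/usr/sbin/iptables"
EXTERNAL_INTERFACE="eth0"
LAN_INTERFACE_1="eth1"

# Read ifconfig output on stdin and print its first IPv4 address, or nothing.
# Handles the "inet addr:1.2.3.4" layout the script greps for and the newer
# "inet 1.2.3.4" layout of current net-tools.
parse_ifconfig_addr() {
    sed -n 's/.*inet addr:\([0-9.]*\).*/\1/p; s/.*inet \([0-9.]*\).*/\1/p' | head -n 1
}

# Address of a live interface; empty when it is down or does not exist.
iface_addr() { /sbin/ifconfig "$1" 2>/dev/null | parse_ifconfig_addr; }

# Return 1 (with a message on stderr) unless the named variable is non-empty.
require_var() {
    if [ -z "$2" ]; then
        echo "ERROR: $1 is empty; is the interface up?" >&2
        return 1
    fi
}

# Use "fw ..." in place of a bare "iptables" so the binary's path lives in one place.
fw() { "$IPTABLES" "$@"; }

# Flush and delete everything in filter and nat without naming chains, so it
# also works on the first run when the custom chains do not exist yet.
reset_rules() { fw -F && fw -X && fw -t nat -F && fw -t nat -X; }

# Gather the addresses and refuse to go on if any is missing.
load_addresses() {
    IPADDR=$(iface_addr "$EXTERNAL_INTERFACE")
    LAN_IPADDR=$(iface_addr "$LAN_INTERFACE_1")
    require_var IPADDR "$IPADDR" && require_var LAN_IPADDR "$LAN_IPADDR" || return 1
    echo "IPADDR is $IPADDR, LAN_IPADDR is $LAN_IPADDR"
}

# Constructed ifconfig output (documentation addresses) for an offline check;
# an interface that is down prints no "inet" line at all.
SAMPLE_UP='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:203.0.113.10  Bcast:203.0.113.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'
SAMPLE_DOWN='eth1      Link encap:Ethernet  HWaddr 00:11:22:33:44:66
          BROADCAST MULTICAST  MTU:1500  Metric:1'
addr_from_text() { printf '%s\n' "$1" | parse_ifconfig_addr; }
```

Graft this in place of the script's configuration block, call `load_addresses || exit 1` and `reset_rules` before the first rule, and write each rule as `fw -A ...` instead of `iptables -A ...`.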

vhh 01-28-2005 11:29 AM

Hello Capt_Caveman,

You've given me excellent help. I removed "eth1" and all of the problems were sorted out. My iptables is now perfect :-)

Thanks a lot.

Capt_Caveman 01-28-2005 09:56 PM

Quote:

Originally posted by vhh
Thanks a lot.

Anytime vhh. Glad I could help you out.
