Help me to check the iptables script
I'm building up iptables for my Red Hat Linux server. This is the code (some of it collected from somewhere).
Could you guys please tell me whether it's ok or not? I'm going to put it on my server tomorrow. Thank you so much.

=================================================
# Configuration Options
EXTERNAL_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"
LAN_INTERFACE_1="eth1"

# Get the IP Addresses for the network cards
IPADDR=`/sbin/ifconfig $EXTERNAL_INTERFACE | grep -i "addr:" | cut -f2 -d: | cut -f1 -d " "`
LAN_IPADDR=`/sbin/ifconfig $LAN_INTERFACE_1 | grep -i "addr:" | cut -f2 -d: | cut -f1 -d " "`
LOCALHOST_IP="127.0.0.1/32"
LAN_BCAST_ADDRESS="10.0.0.255"

##########
echo "Starting Firewalling... "
IPTABLES="/usr/sbin/iptables"

########## Module loading.
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state
/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

########## /proc set up.
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
#echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout
#echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/eth0/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

########## remove all rules and chains if any
iptables -F icmp_packets
iptables -F tcp_packets
iptables -F udpincoming_packets
iptables -F allowed
iptables -F
iptables -X icmp_packets
iptables -X tcp_packets
iptables -X udpincoming_packets
iptables -X allowed
iptables -X

########## Enable Masquerading
iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -j MASQUERADE
iptables -A FORWARD -i $LAN_INTERFACE_1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

########## Log errors when masquerading
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

########## Set default policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

########## Create Separate Chains for ICMP, TCP and UDP to traverse
iptables -N icmp_packets
iptables -N tcp_packets
iptables -N udpincoming_packets

########## The Allowed Chain for TCP connections
iptables -N allowed
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP

########## ICMP rules (Internet Control Message Protocol)
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

########## TCP rules (Transmission Control Protocol)
### FTP port
iptables -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
### SSH port
iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
### SMTP Mail Server port
iptables -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed
### HTTP port
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
### POP3 port
#iptables -A tcp_packets -p TCP -s 0/0 --dport 110 -j allowed
### IRC port
#iptables -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed
### IMAP port
iptables -A tcp_packets -p TCP -s 0/0 --dport 143 -j allowed
### No-ip DNS services port
iptables -A tcp_packets -p TCP -s 0/0 --dport 8245 -j allowed
### Example of Port Forwarding using Bittorrent Ports
iptables -t nat -A PREROUTING -d $IPADDR -p tcp -m tcp --dport 6881 -j DNAT --to-destination 10.0.0.76

########## UDP ports (User Datagram Protocol)
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 143 -j ACCEPT

########## Prerouting chain - Check for obviously spoofed IP's
iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -s 192.168.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -s 172.16.0.0/12 -j DROP

########## INPUT chain
# Establish the basic Input chain
########## and filter the packets onto the correct chains.
iptables -A INPUT -p ICMP -i $EXTERNAL_INTERFACE -j icmp_packets
iptables -A INPUT -p TCP -i $EXTERNAL_INTERFACE -j tcp_packets
iptables -A INPUT -p UDP -i $EXTERNAL_INTERFACE -j udpincoming_packets
iptables -A INPUT -p ALL -i $LAN_INTERFACE_1 -d $LAN_BCAST_ADDRESS -j ACCEPT
iptables -A INPUT -p ALL -d $LOCALHOST_IP -j ACCEPT
iptables -A INPUT -p ALL -d $LAN_IPADDR -j ACCEPT
iptables -A INPUT -p ALL -d $IPADDR -m state --state ESTABLISHED,RELATED -j ACCEPT

########## ENABLE TO LOG ERRORS
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

########## OUTPUT chain
# Establish the basic Output chain
########## and filter them onto the correct chain
iptables -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_IPADDR -j ACCEPT
iptables -A OUTPUT -p ALL -s $IPADDR -j ACCEPT

########## ENABLE TO LOG ERRORS
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

########## PREVENT PING FLOOD - ICMP
iptables -N CHECK_PINGFLOOD
iptables -A CHECK_PINGFLOOD -m limit --limit 3/minute --limit-burst 3 -j RETURN
iptables -A CHECK_PINGFLOOD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=PINGFLOOD:warning a=DROP "
iptables -A CHECK_PINGFLOOD -j DROP
iptables -A INPUT -i eth0 -p ICMP --icmp-type echo-request -j CHECK_PINGFLOOD
iptables -A INPUT -i eth0 -p ICMP --icmp-type echo-request -j ACCEPT

########### REJECT SCAN TCP & UDP
iptables -N REJECT_PORTSCAN
iptables -A REJECT_PORTSCAN -p TCP -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=PORTSCAN:tcp a=REJECT "
iptables -A REJECT_PORTSCAN -p UDP -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=PORTSCAN:udp a=REJECT "
iptables -A REJECT_PORTSCAN -p TCP -j REJECT --reject-with tcp-reset
iptables -A REJECT_PORTSCAN -p UDP -j REJECT --reject-with icmp-port-unreachable
iptables -N TCP_INCOMING
iptables -A TCP_INCOMING -p tcp --dport 80 -j ACCEPT
iptables -A TCP_INCOMING -p tcp -j REJECT_PORTSCAN
iptables -A INPUT -i eth0 -p tcp -j TCP_INCOMING
iptables -N CHECK_UDPFLOOD
iptables -A CHECK_UDPFLOOD -m limit --limit 3/minute --limit-burst 3 -j RETURN
iptables -A CHECK_UDPFLOOD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=UDPFLOOD:warning a=DROP "
iptables -A CHECK_UDPFLOOD -j DROP
iptables -A INPUT -i eth0 -p udp -j CHECK_UDPFLOOD
iptables -N UDP_INCOMING
iptables -A UDP_INCOMING -p udp --dport 53 -j ACCEPT
iptables -A UDP_INCOMING -p udp -j REJECT_PORTSCAN
iptables -A INPUT -i eth0 -p udp -j UDP_INCOMING

########### DETECT NMAP SCANS
iptables -N DETECT_NMAP
iptables -A DETECT_NMAP -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=NMAP:XMAS a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=NMAP:XMAS-PSH a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags ALL ALL -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=NMAP:XMAS-ALL a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags ALL FIN -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=NMAP:FIN a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=NMAP:SYN-RST a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=NMAP:SYN-FIN a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags ALL NONE -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=NMAP:NULL a=DROP "
iptables -A DETECT_NMAP -j DROP
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DETECT_NMAP

############ STOP SYN FLOOD
iptables -N CHECK_SYNFLOOD
iptables -A CHECK_SYNFLOOD -m limit --limit 3/minute --limit-burst 3 -j RETURN
iptables -A CHECK_SYNFLOOD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=SYNFLOOD:warning a=DROP "
iptables -A CHECK_SYNFLOOD -j DROP
iptables -A INPUT -i eth0 -p tcp --syn -j CHECK_SYNFLOOD
===================================================
=End of file=
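The script above tags every drop or reject it logs with an "fp=…" prefix (PINGFLOOD, PORTSCAN, NMAP:XMAS, SYNFLOOD and so on), which is only useful if somebody reads those kernel log lines afterwards. The following is an added example, not part of the original post, of a small POSIX sh triage helper for those entries. The syslog lines are constructed for the example; their field layout (IN=, SRC=, DST=, PROTO=, DPT=) follows the kernel LOG target output, shortened.

```shell
#!/bin/sh
# Added example: summarise the "fp=..." LOG lines produced by the iptables
# script in this thread. Sample syslog lines below are constructed, with the
# kernel LOG target fields abbreviated; they are not real captured traffic.
SAMPLE_LOG='Jan 12 12:50:01 myhost kernel: fp=NMAP:XMAS a=DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=44321 DPT=22
Jan 12 12:50:02 myhost kernel: fp=NMAP:NULL a=DROP IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=44322 DPT=80
Jan 12 12:50:05 myhost kernel: fp=PORTSCAN:tcp a=REJECT IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.10 PROTO=TCP SPT=44323 DPT=3389
Jan 12 12:51:10 myhost kernel: IPT INPUT packet died: IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.10 PROTO=UDP SPT=5353 DPT=5353
Jan 12 12:51:11 myhost kernel: fp=SYNFLOOD:warning a=DROP IN=eth0 OUT= SRC=192.0.2.9 DST=203.0.113.10 PROTO=TCP SPT=1025 DPT=80'

# Count events per fp= tag, read from stdin. Output: "<tag> <count>", one per
# line, sorted by tag. Lines without an fp= prefix (the generic "packet died"
# logs) are ignored.
count_by_tag() {
    sed -n 's/.*fp=\([^ ]*\) a=.*/\1/p' | sort | uniq -c | awk '{print $2, $1}'
}

# List distinct source addresses that tripped any fp= rule, busiest first.
# Output: "<addr> <count>" per line.
top_sources() {
    grep 'fp=' | sed -n 's/.*SRC=\([0-9.]*\).*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Print only the sources with at least $1 tagged events, for follow-up.
sources_over() {
    top_sources | awk -v t="$1" '$2 >= t {print $1}'
}

main() {
    echo "Events per tag:"
    printf '%s\n' "$SAMPLE_LOG" | count_by_tag
    echo "Sources with 2 or more tagged events:"
    printf '%s\n' "$SAMPLE_LOG" | sources_over 2
}

main
```

Feed it real data with something like `grep 'fp=' /var/log/messages | count_by_tag`. Note that every LOG rule in the script carries `-m limit --limit 3/minute`, so these counts are a floor on what was dropped, not the true volume; the limit keeps a flood from filling the disk with log lines, at the price of undercounting.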
good work
I have a similar setup on my box. However, nmap has been trashing my VNC connection while iptables was running. Argh! This looks pretty good though. I'll test out your nmap functions on my box and see how they fare.
.....so far so good..... Well, at least now my VNC connection is not being trashed. However, nmap is still detecting ports. Oh well. Maybe I don't understand how this is supposed to work.
...well
Well I take that back. Still trashing my connection. Oh well.
If you are going for some important work,
I recommend you keep Shorewall, an iptables-based FW, as your backup. It will generate the iptables script as you require very easily. Regards
I uploaded it and it seems to run well. But the log shows:
Jan 12 12:46:24 myhost ipables: iptables: No chain/target/match by that name
Jan 12 12:46:24 myhost last message repeated 3 times
Jan 12 12:46:24 myhost ipables: iptables: Table does not exist (do you need to insmod?)
I did run: # depmod -a
And I also checked the syntax in the script but no errors were found. Anyone know this problem?
Two errors that I can spot are that you're flushing and deleting the user-defined chains before they're even created, which will generate errors (you can't flush or delete a chain that doesn't exist). Flushing a non-existent chain produces an "iptables: No chain/target/match by that name" error, while trying to delete one results in an "iptables: Table does not exist (do you need to insmod?)" message. Instead, just use iptables -F and iptables -X, which will flush and delete all the user-defined chains without producing those errors.
Also verify that iptables is on with 'service iptables status'. Lastly, if neither of those solve the problem, post the output of 'lsmod' after you run the script.
Hello,
I've removed all of them below and the problem is gone.
iptables -F icmp_packets
iptables -F tcp_packets
iptables -F udpincoming_packets
iptables -F allowed
iptables -X icmp_packets
iptables -X tcp_packets
iptables -X udpincoming_packets
iptables -X allowed
Unfortunately, I got another error. It's showing "Bad argument `ACCEPT'". ???
Dear vvh,
May I urge your indulgence to put your iptables script in code tags? Thank you. Thanks for the setup script, learning from it. :)
Quote:
iptables -A INPUT -p ALL -d $LAN_IPADDR -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_IPADDR -j ACCEPT

Technically your script has correct syntax and works just fine on a system with 2 interfaces up and running. However, it isn't very robust in terms of how the script functions. Along those lines, I noticed that you go through the trouble of assigning the iptables path to a variable, but then you never use it again. So if the iptables binary is in a different location, you'd have to modify each line of the script that invokes iptables with just "iptables" instead of using "$IPTABLES". Plus I'd add some form of error check or 'if statement' to make sure that your variables are all assigned properly.

You might also want to add some debugging rules to dump the value of all the variables to stdout. So once you assign values to the variables, add some echo debugging rules like this:
Code:
EXTERNAL_INTERFACE="eth0"
echo "EXTERNAL_INTERFACE = $EXTERNAL_INTERFACE"
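The two robustness points in the reply above (use the $IPTABLES variable everywhere, and check every derived variable before it reaches a rule) explain the "Bad argument `ACCEPT'" error reported earlier in the thread: when an interface is missing, ifconfig prints nothing, the variable stays empty, and `-d $LAN_IPADDR -j ACCEPT` collapses to `-d -j ACCEPT`, so `-j` is consumed as the address and `ACCEPT` is left over as a stray argument. The following is an added example, not code from any poster, of how to guard against that in POSIX sh. It renders rules as text rather than running them, and parses a constructed ifconfig sample from a string, so it runs without root or real interfaces.

```shell
#!/bin/sh
# Added example (not from the thread): guard derived variables before they are
# used in iptables rules, and reference the binary through $IPTABLES.
IPTABLES="/usr/sbin/iptables"

# Constructed sample of old-style ifconfig output for an interface that exists.
# Stands in for `/sbin/ifconfig eth0` so the example runs offline.
SAMPLE_ETH0='eth0      Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:203.0.113.10  Bcast:203.0.113.255  Mask:255.255.255.0'

# Extract the IPv4 address from ifconfig-style text on stdin, using the same
# pipeline as the script in this thread. Prints nothing if no "addr:" line
# is present, which is exactly what happens for a missing interface.
addr_from_ifconfig() {
    grep -i "addr:" | cut -f2 -d: | cut -f1 -d " "
}

# Fail (return 1) unless the named variable has a value. This is the
# "if statement" check the reply recommends; $1 is the name, $2 the value.
require_set() {
    if [ -z "$2" ]; then
        echo "ERROR: $1 is empty (interface missing?); not loading rules" >&2
        return 1
    fi
    return 0
}

# Render a rule as the command line that would be executed, instead of
# running it, so the effect of an empty variable can be seen and tested.
render_rule() {
    printf '%s -A %s\n' "$IPTABLES" "$*"
}

# Emit the two LAN rules from the quoted lines, but only after LAN_IPADDR
# has passed the check. Returns 1 without emitting anything otherwise.
lan_rules() {
    lan_ip="$1"
    require_set LAN_IPADDR "$lan_ip" || return 1
    render_rule INPUT -p ALL -d "$lan_ip" -j ACCEPT
    render_rule OUTPUT -p ALL -s "$lan_ip" -j ACCEPT
}

main() {
    # Interface present: address is parsed and both rules are rendered.
    ip=$(printf '%s\n' "$SAMPLE_ETH0" | addr_from_ifconfig)
    lan_rules "$ip"

    # Interface absent: ifconfig output is empty, so the rule that WOULD have
    # been built is malformed ("-d  -j ACCEPT") and the check refuses it.
    echo "Unchecked rule with an empty variable would be:"
    render_rule INPUT -p ALL -d "" -j ACCEPT
    lan_rules "$(printf '' | addr_from_ifconfig)" || echo "refused as expected"
}

main
```

In the real script the same pattern would be `LAN_IPADDR=$(/sbin/ifconfig $LAN_INTERFACE_1 | addr_from_ifconfig)` followed by `require_set LAN_IPADDR "$LAN_IPADDR" || exit 1` before the first `$IPTABLES` call, so a typo in an interface name stops the script with a clear message instead of leaving the host half-configured under a DROP default policy.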
Hello Capt_Caveman,
You've given me excellent help. I removed "eth1" and all the problems were sorted out. My iptables currently is perfect :-) Thanks a lot.