Old 01-11-2005, 09:11 AM   #1
vhh
LQ Newbie
 
Registered: Jan 2005
Posts: 11

Rep: Reputation: 0
Help me to check the iptables script


I'm building up an iptables script for my Red Hat Linux server. This is the code (some of it collected from somewhere).

Could you guys please tell me whether it's OK or not? I'm going to put it on my server tomorrow. Thank you so much.

=================================================
# Configuration Options
EXTERNAL_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"
LAN_INTERFACE_1="eth1"

# Get the IP Addresses for the network cards
IPADDR=`/sbin/ifconfig $EXTERNAL_INTERFACE | grep -i "addr:" | cut -f2 -d: | cut -f1 -d " "`
LAN_IPADDR=`/sbin/ifconfig $LAN_INTERFACE_1 | grep -i "addr:" | cut -f2 -d: | cut -f1 -d " "`
LOCALHOST_IP="127.0.0.1/32"
LAN_BCAST_ADDRESS="10.0.0.255"

##########
echo "Starting Firewalling... "

IPTABLES="/usr/sbin/iptables"

########## Module loading.
/sbin/depmod -a
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

/sbin/modprobe ipt_owner
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

########## /proc set up.
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
#echo "10" > /proc/sys/net/ipv4/tcp_fin_timeout
#echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_time
echo "0" > /proc/sys/net/ipv4/tcp_window_scaling
echo "0" > /proc/sys/net/ipv4/tcp_sack
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/eth0/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

########## remove all rules and chains if any
iptables -F icmp_packets
iptables -F tcp_packets
iptables -F udpincoming_packets
iptables -F allowed
iptables -F

iptables -X icmp_packets
iptables -X tcp_packets
iptables -X udpincoming_packets
iptables -X allowed
iptables -X

########## Enable Masquerading
iptables -t nat -A POSTROUTING -o $EXTERNAL_INTERFACE -j MASQUERADE
iptables -A FORWARD -i $LAN_INTERFACE_1 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

########## Log errors when masquerading
iptables -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT FORWARD packet died: "

########## Set default policies
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -P FORWARD DROP
iptables -A INPUT -i $LOOPBACK_INTERFACE -j ACCEPT
iptables -A OUTPUT -o $LOOPBACK_INTERFACE -j ACCEPT

########## Create Separate Chains for ICMP, TCP and UDP to traverse
iptables -N icmp_packets
iptables -N tcp_packets
iptables -N udpincoming_packets

########## The Allowed Chain for TCP connections
iptables -N allowed
iptables -A allowed -p TCP --syn -j ACCEPT
iptables -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A allowed -p TCP -j DROP

########## ICMP rules (Internet Control Message Protocol)
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 5 -j ACCEPT
iptables -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

########## TCP rules (Transmission Control Protocol)
### FTP port
iptables -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed

### SSH port
iptables -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed

### SMTP Mail Server port
iptables -A tcp_packets -p TCP -s 0/0 --dport 25 -j allowed

### HTTP port
iptables -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed

### POP3 port
#iptables -A tcp_packets -p TCP -s 0/0 --dport 110 -j allowed

### IRC port
#iptables -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

### IMAP port
iptables -A tcp_packets -p TCP -s 0/0 --dport 143 -j allowed

### No-ip DNS services port
iptables -A tcp_packets -p TCP -s 0/0 --dport 8245 -j allowed

### Example of Port Forwarding using Bittorrent Ports
iptables -t nat -A PREROUTING -d $IPADDR -p tcp -m tcp --dport 6881 -j DNAT --to-destination 10.0.0.76

########## UDP ports (User Datagram Protocol)
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT
iptables -A udpincoming_packets -p UDP -s 0/0 --source-port 143 -j ACCEPT

########## Prerouting chain - Check for obviously spoofed IP's
iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -s 192.168.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i $EXTERNAL_INTERFACE -s 172.16.0.0/12 -j DROP

########## INPUT chain # Establish the basic Input chain
########## and filter the packets onto the correct chains.
iptables -A INPUT -p ICMP -i $EXTERNAL_INTERFACE -j icmp_packets
iptables -A INPUT -p TCP -i $EXTERNAL_INTERFACE -j tcp_packets
iptables -A INPUT -p UDP -i $EXTERNAL_INTERFACE -j udpincoming_packets

iptables -A INPUT -p ALL -i $LAN_INTERFACE_1 -d $LAN_BCAST_ADDRESS -j ACCEPT
iptables -A INPUT -p ALL -d $LOCALHOST_IP -j ACCEPT
iptables -A INPUT -p ALL -d $LAN_IPADDR -j ACCEPT
iptables -A INPUT -p ALL -d $IPADDR -m state --state ESTABLISHED,RELATED -j ACCEPT

########## ENABLE TO LOG ERRORS
iptables -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT INPUT packet died: "

########## OUTPUT chain # Establish the basic Output chain
########## and filter them onto the correct chain
iptables -A OUTPUT -p ALL -s $LOCALHOST_IP -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_IPADDR -j ACCEPT
iptables -A OUTPUT -p ALL -s $IPADDR -j ACCEPT

########## ENABLE TO LOG ERRORS
iptables -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

########## PREVENT PING FLOOD - ICMP
iptables -N CHECK_PINGFLOOD
iptables -A CHECK_PINGFLOOD -m limit --limit 3/minute --limit-burst 3 -j RETURN
iptables -A CHECK_PINGFLOOD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=PINGFLOOD:warning a=DROP "
iptables -A CHECK_PINGFLOOD -j DROP

iptables -A INPUT -i eth0 -p ICMP --icmp-type echo-request -j CHECK_PINGFLOOD
iptables -A INPUT -i eth0 -p ICMP --icmp-type echo-request -j ACCEPT

########### REJECT SCAN TCP & UDP
iptables -N REJECT_PORTSCAN
iptables -A REJECT_PORTSCAN -p TCP -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=PORTSCAN:tcp a=REJECT "
iptables -A REJECT_PORTSCAN -p UDP -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=PORTSCAN:udp a=REJECT "
iptables -A REJECT_PORTSCAN -p TCP -j REJECT --reject-with tcp-reset
iptables -A REJECT_PORTSCAN -p UDP -j REJECT --reject-with icmp-port-unreachable

iptables -N TCP_INCOMING
iptables -A TCP_INCOMING -p tcp --dport 80 -j ACCEPT
iptables -A TCP_INCOMING -p tcp -j REJECT_PORTSCAN
iptables -A INPUT -i eth0 -p tcp -j TCP_INCOMING

iptables -N CHECK_UDPFLOOD
iptables -A CHECK_UDPFLOOD -m limit --limit 3/minute --limit-burst 3 -j RETURN
iptables -A CHECK_UDPFLOOD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=UDPFLOOD:warning a=DROP "
iptables -A CHECK_UDPFLOOD -j DROP
iptables -A INPUT -i eth0 -p udp -j CHECK_UDPFLOOD

iptables -N UDP_INCOMING
iptables -A UDP_INCOMING -p udp --dport 53 -j ACCEPT
iptables -A UDP_INCOMING -p udp -j REJECT_PORTSCAN
iptables -A INPUT -i eth0 -p udp -j UDP_INCOMING

########### DETECT NMAP SCANS
iptables -N DETECT_NMAP
iptables -A DETECT_NMAP -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=NMAP:XMAS a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=NMAP:XMAS-PSH a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags ALL ALL -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=NMAP:XMAS-ALL a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags ALL FIN -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=NMAP:FIN a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=NMAP:SYN-RST a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=NMAP:SYN-FIN a=DROP "
iptables -A DETECT_NMAP -p tcp --tcp-flags ALL NONE -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=NMAP:NULL a=DROP "
iptables -A DETECT_NMAP -j DROP
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DETECT_NMAP

############ STOP SYN FLOOD
iptables -N CHECK_SYNFLOOD
iptables -A CHECK_SYNFLOOD -m limit --limit 3/minute --limit-burst 3 -j RETURN
iptables -A CHECK_SYNFLOOD -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level DEBUG --log-prefix "fp=SYNFLOOD:warning a=DROP "
iptables -A CHECK_SYNFLOOD -j DROP
iptables -A INPUT -i eth0 -p tcp --syn -j CHECK_SYNFLOOD
===================================================

=End of file=

Last edited by vhh; 01-11-2005 at 09:12 AM.
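The script above logs dropped traffic with several distinct `--log-prefix` strings ("IPT INPUT packet died: ", "fp=PINGFLOOD:warning a=DROP ", "fp=NMAP:XMAS a=DROP " and so on), but the thread never shows how to read those logs back. The following is an added example, not part of vhh's script: a small shell/awk summariser that counts hits per prefix and source address. The sample log lines are constructed here (documentation-range addresses, the hostname "myhost" from vhh's later post); the field layout after the prefix (`IN= OUT= SRC= DST= PROTO= SPT= DPT=`) is what the kernel's LOG target writes.

```shell
#!/bin/sh
# Added example, not from the original script: summarise the kernel log lines the
# LOG targets produce. SAMPLE_LOG is constructed; in practice you would feed
# "grep kernel: /var/log/messages" (or /var/log/kern.log) into summarize_fw_log.
SAMPLE_LOG='Jan 12 12:50:01 myhost kernel: fp=PINGFLOOD:warning a=DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.7 LEN=84 TTL=51 PROTO=ICMP TYPE=8 CODE=0
Jan 12 12:50:02 myhost kernel: fp=PINGFLOOD:warning a=DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.7 LEN=84 TTL=51 PROTO=ICMP TYPE=8 CODE=0
Jan 12 12:50:03 myhost kernel: fp=PINGFLOOD:warning a=DROP IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.7 LEN=84 TTL=51 PROTO=ICMP TYPE=8 CODE=0
Jan 12 12:51:10 myhost kernel: fp=NMAP:XMAS a=DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.7 LEN=40 TTL=44 PROTO=TCP SPT=41234 DPT=22
Jan 12 12:51:10 myhost kernel: fp=NMAP:XMAS a=DROP IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.7 LEN=40 TTL=44 PROTO=TCP SPT=41235 DPT=23
Jan 12 12:52:30 myhost kernel: IPT INPUT packet died: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.7 LEN=60 TTL=44 PROTO=TCP SPT=41300 DPT=3306
Jan 12 12:52:31 myhost kernel: eth0: link is up
Jan 12 12:52:40 myhost sshd[2211]: Accepted publickey for admin from 10.0.0.5 port 50211'

# Read syslog-style lines on stdin and print "<count> <log-prefix> <SRC>",
# highest count first. Only kernel lines that carry an "IN=" field are
# firewall LOG output; everything else (sshd, link state) is ignored.
summarize_fw_log() {
    awk '
        /kernel:/ && / IN=/ {
            msg = $0
            sub(/.*kernel: /, "", msg)          # drop the syslog timestamp/host
            prefix = msg
            sub(/ ?IN=.*/, "", prefix)          # keep only the --log-prefix text
            src = "?"
            if (match(msg, /SRC=[^ ]+/))
                src = substr(msg, RSTART + 4, RLENGTH - 4)
            count[prefix " " src]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Run it over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_fw_log
```

Because every LOG rule in the script is rate-limited to 3/minute, the counts are a lower bound on what was actually dropped; they tell you which chain fired and from where, not the true packet rate.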
 
Old 01-20-2005, 04:00 PM   #2
intranet_man
LQ Newbie
 
Registered: Dec 2004
Distribution: RHEL 3/4, Fedora 3, dynebolic, Knoppix
Posts: 22

Rep: Reputation: 15
good work

I have a similar setup on my box. However, nmap has been trashing my VNC connection while iptables was running. Argh! This looks pretty good though. I'll test out your nmap functions on my box and see how they fare.

.....so far so good.....

Well, at least now my VNC connection is not being trashed. However, nmap is still detecting ports. Oh well. Maybe I don't understand how this is supposed to work.
 
Old 01-20-2005, 04:03 PM   #3
intranet_man
LQ Newbie
 
Registered: Dec 2004
Distribution: RHEL 3/4, Fedora 3, dynebolic, Knoppix
Posts: 22

Rep: Reputation: 15
...well

Well I take that back. Still trashing my connection. Oh well.
 
Old 01-20-2005, 04:21 PM   #4
masand
Guru
 
Registered: May 2003
Location: INDIA
Distribution: Ubuntu, Solaris,CentOS
Posts: 5,522

Rep: Reputation: 58
If you are going for some important work,
I recommend you keep Shorewall, an iptables-based firewall, as your backup.
It will generate the iptables script as you require very easily.

regards
 
Old 01-22-2005, 06:45 AM   #5
vhh
LQ Newbie
 
Registered: Jan 2005
Posts: 11

Original Poster
Rep: Reputation: 0
I uploaded it and it seems to run well. But the log shows:

Jan 12 12:46:24 myhost ipables: iptables: No chain/target/match by that name
Jan 12 12:46:24 myhost last message repeated 3 times
Jan 12 12:46:24 myhost ipables: iptables: Table does not exist (do you need to insmod?)

I did run: #depmod -a
And I also checked the syntax in the script, but no error was found.

Anyone know this problem?
 
Old 01-22-2005, 11:25 AM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Two errors that I can spot are that you're flushing and deleting the user-defined chains before they're even created, which will generate errors (you can't flush or delete a chain that doesn't exist). Flushing a non-existent chain produces an "iptables: No chain/target/match by that name" error, while trying to delete one results in an "iptables: Table does not exist (do you need to insmod?)" message. Instead, just use iptables -F and iptables -X, which will flush and delete all the user-defined chains without producing those errors.

Also verify that iptables is on with 'service iptables status'. Lastly, if neither of those solves the problem, post the output of 'lsmod' after you run the script.
 
Old 01-26-2005, 07:15 AM   #7
vhh
LQ Newbie
 
Registered: Jan 2005
Posts: 11

Original Poster
Rep: Reputation: 0
Hello,

I've removed all of the lines below and the problem has gone away.

iptables -F icmp_packets
iptables -F tcp_packets
iptables -F udpincoming_packets
iptables -F allowed
iptables -X icmp_packets
iptables -X tcp_packets
iptables -X udpincoming_packets
iptables -X allowed

Unfortunately, I got another error. It's showing "Bad argument `ACCEPT'".

???
 
Old 01-26-2005, 11:31 AM   #8
carboncopy
Senior Member
 
Registered: Jan 2003
Location: Malaysia
Distribution: Fedora Core, Slackware, Mac OS X, Debian, OpenSUSE
Posts: 1,210
Blog Entries: 4

Rep: Reputation: 45
Dear vhh,

May I urge your indulgence to put your iptables script in code tags? Thank you.

Thanks for the setup script, learning from it.

Last edited by carboncopy; 01-26-2005 at 11:33 AM.
 
Old 01-26-2005, 05:10 PM   #9
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally posted by vhh
Unfortunately, I got a another error. It's showing "Bad argument `ACCEPT'".
???
Make sure that you have both interfaces up. I noticed it will fail with that message on rules using LAN_IPADDR if eth1 isn't up or doesn't exist. Specifically here:

iptables -A INPUT -p ALL -d $LAN_IPADDR -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_IPADDR -j ACCEPT

You might also want to add some debugging rules to dump the values of all the variables to stdout, so once you assign values to the variables, add some echo debugging rules like this:
Code:
EXTERNAL_INTERFACE="eth0"
LOOPBACK_INTERFACE="lo"
LAN_INTERFACE_1="eth1"

# Get the IP Addresses for the network cards
IPADDR=`/sbin/ifconfig $EXTERNAL_INTERFACE | grep -i "addr:" | cut -f2 -d: | cut -f1 -d " "`
LAN_IPADDR=`/sbin/ifconfig $LAN_INTERFACE_1 | grep -i "addr:" | cut -f2 -d: | cut -f1 -d " "`
LOCALHOST_IP="127.0.0.1/32"
LAN_BCAST_ADDRESS="10.0.0.255"

echo "IPADDR is $IPADDR"
echo "LAN_IPADDR is $LAN_IPADDR"
If your variables aren't the problem, then try adding some logging messages into the script, like echo "Loading INPUT rules" in various sections.

Technically your script has correct syntax and works just fine on a system with 2 interfaces up and running. However, it isn't very robust in terms of how the script functions. Along those lines, I noticed that you go through the trouble of assigning the iptables path to a variable, but then you never use it again. So if the iptables binary is in a different location, you'd have to modify each line of the script that invokes iptables with just "iptables" instead of using "$IPTABLES". Plus I'd add some form of error check or 'if statement' to make sure that your variables are all assigned properly.
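The two replies from Capt_Caveman (#6 and #9) describe three separate defects in the original preamble: per-chain -F/-X on chains that do not exist yet, an IPADDR/LAN_IPADDR that silently expands to nothing when an interface is down (which is what turns `-d $LAN_IPADDR -j ACCEPT` into `-d -j ACCEPT` and the "Bad argument `ACCEPT'" error), and an $IPTABLES variable that is assigned but never used. The block below is an added example written for this thread, not vhh's script or Capt_Caveman's code. It keeps the original interface names and iptables path as defaults; the `FW_APPLY` switch and the function names are introduced here. The address extraction reads ifconfig output from stdin so it can be exercised without a real interface.

```shell
#!/bin/sh
# Added example, not vhh's script: a preamble that applies the advice in replies
# #6 and #9. Defaults match the original; FW_APPLY is an assumption of this example.

IPTABLES="${IPTABLES:-/usr/sbin/iptables}"
EXTERNAL_INTERFACE="${EXTERNAL_INTERFACE:-eth0}"
LAN_INTERFACE_1="${LAN_INTERFACE_1:-eth1}"
LOOPBACK_INTERFACE="lo"

# Same cut pipeline as the original, but reading ifconfig output from stdin so
# it can be tested. Prints nothing when there is no "inet addr:" line (the
# interface is down or does not exist).
addr_from_ifconfig() {
    grep -i "addr:" | head -n 1 | cut -f2 -d: | cut -f1 -d " "
}

# True only for a dotted quad with four octets in 0..255. This is the check the
# original lacked: with eth1 down, LAN_IPADDR was empty and the rule became
# "iptables -A INPUT -p ALL -d -j ACCEPT", hence "Bad argument `ACCEPT'".
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Look up an interface's IPv4 address and fail loudly instead of emitting
# half-formed rules.
iface_addr() {
    addr=$(/sbin/ifconfig "$1" 2>/dev/null | addr_from_ifconfig)
    if ! is_ipv4 "$addr"; then
        echo "ERROR: no IPv4 address on $1 (is it up?)" >&2
        return 1
    fi
    printf '%s\n' "$addr"
}

# Reset every table. A bare -F / -X never fails on a missing chain, unlike the
# original's "-F icmp_packets" issued before "-N icmp_packets", and the order
# matters: -X refuses to delete a chain that still holds rules.
reset_tables() {
    for table in filter nat mangle; do
        "$IPTABLES" -t "$table" -F
        "$IPTABLES" -t "$table" -X
        "$IPTABLES" -t "$table" -Z
    done
}

# Build the ruleset through $IPTABLES, so a different binary path is one edit,
# and echo progress markers as reply #9 suggests.
main() {
    IPADDR=$(iface_addr "$EXTERNAL_INTERFACE") || exit 1
    LAN_IPADDR=$(iface_addr "$LAN_INTERFACE_1") || exit 1
    echo "IPADDR is $IPADDR"
    echo "LAN_IPADDR is $LAN_IPADDR"

    echo "Loading policies and loopback rules"
    reset_tables
    "$IPTABLES" -P INPUT DROP
    "$IPTABLES" -P OUTPUT DROP
    "$IPTABLES" -P FORWARD DROP
    "$IPTABLES" -A INPUT -i "$LOOPBACK_INTERFACE" -j ACCEPT
    "$IPTABLES" -A OUTPUT -o "$LOOPBACK_INTERFACE" -j ACCEPT

    echo "Loading INPUT rules"
    "$IPTABLES" -A INPUT -p ALL -d "$LAN_IPADDR" -j ACCEPT
    "$IPTABLES" -A INPUT -p ALL -d "$IPADDR" -m state --state ESTABLISHED,RELATED -j ACCEPT
    # the remaining chains from the original script follow here, each via "$IPTABLES"
}

# Only touch the running firewall when explicitly asked (FW_APPLY=yes sh fw.sh);
# otherwise sourcing the file just defines the functions above.
if [ "${FW_APPLY:-no}" = "yes" ]; then
    main
fi
```

With this shape the script refuses to run at all when eth1 is missing, which is safer than the original behaviour of loading a partial ruleset and leaving DROP policies in place with some of the ACCEPT rules absent.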
 
Old 01-28-2005, 11:29 AM   #10
vhh
LQ Newbie
 
Registered: Jan 2005
Posts: 11

Original Poster
Rep: Reputation: 0
Hello Capt_Caveman,

You've given me excellent help. I removed "eth1" and all of the problems were sorted out. My iptables is now perfect :-)

Thanks a lot.

Last edited by vhh; 01-28-2005 at 11:31 AM.
 
Old 01-28-2005, 09:56 PM   #11
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Quote:
Originally posted by vhh
Thanks a lot.
Anytime vhh. Glad I could help you out.
 
  

