LinuxQuestions.org - How does my iptables firewall look?

Hello. After working with alot of iptables firewalls I finally read the manual and howto for iptables and have become very familair with it. Tomorrow I will be testing this firewall and I wanted to post it and get your suggestion. I don't have a linux box right now at home so tomorrow's test will be the first time I ever executed it. If you could run a quick glance at it and let me know if A) there is anything malfunctional B) anything more secure C) any holes, anything I could add, etc.

BTW, this firewall is for a dhcp & mail server.

Thanks for all of your help!

~Gian
Code:
#!/bin/bash

##########################################################################

# IPTABLES VERSION

##########################################################################



# USER CONFIGURABLE SECTION



# The name and location of the ipchains utility.

IPTABLES=iptables



# The path to the ipchains executable.

PATH="/sbin"



# Our internal network address space and its supporting network device.

OURNET="192.168.1.0/24"

OURBCAST="255.255.255.0"

OURDEV="eth1"

LAN_IP="192.168.1.1"



# The outside address and the network device that supports it.

ANYADDR="0/0"

ANYDEV="eth0"

INET_IP="209.113.149.108"



# SET LOOPBACK ATTRIBUTES

LO_IFACE="lo"

LO_IP="127.0.0.1"



# The TCP services we wish to allow to pass - "" empty means all ports

# note: comma separated

TCPIN="20,21,22,25,43,80,110,143,443,783,993,3306,12000,15000"

TCPOUT="20,21,22,23,25,43,53,80,110,123,143,443,783,993,3306,12000,15000,2210"



# The UDP services we wish to allow to pass - "" empty means all ports

# note: comma separated

UDPIN="53,123"

UDPOUT="53,123"



# The ICMP services we wish to allow to pass - "" empty means all types

# ref: /usr/include/netinet/ip_icmp.h for type numbers

# note: comma separated

ICMPIN="0,3,11"

ICMPOUT="8,3,11"



# Logging; uncomment the following line to enable logging of datagrams

# that are blocked by the firewall.

LOGGING=1





# Parse command line arguments

case "$1" in

    -f|--flush|--stop|stop)

        down

        ;;

    -s|--start|start)

        up_firewall

        ;;

    -r|--restart|restart)

        echo -n "Restarting the firewall."

        down

        up_firewall

        ;;

    -V|--version)

        echo "Com-tec Firewall for YKSM CPAs"

        echo "GIAN@COM-TEC.US"

        exit 1

        ;;

    *)

esac





up_firewall() {

  echo "Bringing up the firewall..."



# END USER CONFIGURABLE SECTION

###########################################################################



# Initially load modules

/sbin/depmod -a



# LOAD OTHER MODULES



/sbin/modprobe ip_tables

/sbin/modprobe ip_conntrack

/sbin/modprobe iptable_filter

/sbin/modprobe iptable_mangle

/sbin/modprobe iptable_nat

/sbin/modprobe ipt_LOG

/sbin/modprobe ipt_limit

/sbin/modprobe ipt_state



# ADJUST /PROC HERE

## ENABLE IP FORWARD IN /PROC

echo "1" > /proc/sys/net/ipv4/ip_forward

echo "IP Forwarding enabled."

### IGNORE BOGUS ICMP RESPONSES

echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

echo "Now ignoring bogus icmp messages."

#### Set rate for icmp messages to 60/minute

echo "60" > /proc/sys/net/ipv4/icmp_ratelimit

echo "Setting sane icmp responses to 1 per second."

##### Accept syn cookies?

test -f /proc/sys/net/ipv4/tcp_syncookies && echo 0 > /proc/sys/net/ipv4/tcp_syncookies

echo "Not accepting SYN cookies."

###### Require source routing

for z in /proc/sys/net/ipv4/conf/*/accept_source_route;

                  do

                              echo 0 > $z

          done

echo "Block source-routed packets."

####### Anti-Spoof block

        for a in /proc/sys/net/ipv4/conf/*/rp_filter; 

                do

                        echo 1 > $a

                done

echo "Anti-Spoof block enabled."

######## Comply with timestamp standard as defined in RFC1323.

echo 1 > /proc/sys/net/ipv4/tcp_timestamps





# Flush the Input table rules

$IPTABLES -F FORWARD



# We want to deny all access by default.

$IPTABLES -P FORWARD deny

$IPTABLES -P OUTPUT deny

$IPTABLES -P INPUT deny



# Setup Pre-routing to drop some DoS/DDoS attempts.

$IPTABLES -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP 

$IPTABLES -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 

$IPTABLES -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP 

$IPTABLES -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 



# Rules for special networks not part of the Internet

$IPTABLES -A INPUT -p ALL -i $OURDEV -s $OURNET -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT

$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT





# ANTI-SPOOFING 2

# We should not accept any datagrams with a source address matching ours

# from the outside, so we deny them.

$IPTABLES -A FORWARD -s $OURNET -i $ANYDEV -j DROP



# SMURF

# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.

$IPTABLES -A FORWARD -m multiport -p icmp -i $ANYDEV -d $OURNET -j DENY



# We should accept fragments, in iptables we must do this explicitly.

$IPTABLES -A FORWARD -f -j ACCEPT



# Accept the packets we actually want to forward

$IPTABLES -A FORWARD -i $OURDEV -j ACCEPT

$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT



# TCP

# We will accept all TCP datagrams belonging to an existing connection

# (i.e. having the ACK bit set) for the TCP ports we're allowing through.

# This should catch more than 95 % of all valid TCP packets.

$IPTABLES -A FORWARD -m multiport -p tcp --dports $TCPIN /

    ! --tcp-flags SYN,ACK ACK -j ACCEPT

$IPTABLES -A FORWARD -m multiport -p tcp --sports $TCPIN /

    ! --tcp-flags SYN,ACK ACK -j ACCEPT





# TCP - INCOMING CONNECTIONS

# We will accept connection requests from the outside only on the

# allowed TCP ports.

$IPTABLES -A INPUT -p ALL -d $ANYDEV -m state --state ESTABLISHED,RELATED \

-j ACCEPT

$IPTABLES -A INPUT -m multiport -p tcp -i $ANYDEV $TCPIN /

    --syn -j ACCEPT



# FORWARD WHATEVER NEEDS TO BE FORWARDED

$IPTABLES -A FORWARD -m multiport -p tcp -i $ANYDEV $TCPIN /

    --syn -j ACCEPT



# ACCEPT DHCP REQUESTS FROM OUR INTERNAL NETWORK ONLY

$IPTABLES -A INPUT -p UDP -i $OURDEV --dport 67 --sport 68 -j ACCEPT



# TCP - OUTGOING CONNECTIONS

# We will accept all outgoing tcp connection requests on the allowed /

    TCP ports.

$IPTABLES -A FORWARD -m multiport -p tcp /

    --dports $TCPOUT --syn -j ACCEPT

# Do not leak SMB info.

SMB="137 138 139"

        for all in $SMB;

                do

                        $IPTABLES -A OUTPUT -p tcp -o $ANYDEV --dport $all -j DROP

                        $IPTABLES -A OUTPUT -p udp -o $ANYDEV --dport $all -j DROP

                        $IPTABLES -A FORWARD -p tcp -o $ANYDEV --dport $all -j DROP

                        $IPTABLES -A FORWARD -p udp -o $ANYDEV --dport $all -j DROP

                done

echo "Server Message Block leak tightened."



#Drop multicast

$IPTABLES -N MULTICAST 2> /dev/null

$IPTABLES -F MULTICAST

$IPTABLES -A MULTICAST -j DROP





# UDP - INCOMING

# We will allow UDP datagrams in on the allowed ports and back.

$IPTABLES -A FORWARD -m multiport -p udp /

    --dports $UDPIN -j ACCEPT

$IPTABLES -A FORWARD -m multiport -p udp /

    --sports $UDPIN -j ACCEPT



# CLOSE NETFILTER FLAW

# http://www.netfilter.org/security/20...icmp-dnat.html

$IPTABLES-A OUTPUT -m state -p icmp --state INVALID -j DROP





# Block XMAS, NULL & FIN

$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -m state --state ! ESTABLISHED -j DROP

$IPTABLES -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -m state --state ! ESTABLISHED -j DROP

$IPTABLES -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP

$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN -m state --state ! ESTABLISHED -j DROP





# UDP - OUTGOING

# We will allow UDP datagrams out to the allowed ports and back.

$IPTABLES -A FORWARD -m multiport -p udp /

    --dports $UDPOUT -j ACCEPT

$IPTABLES -A FORWARD -m multiport -p udp /

    --sports $UDPOUT -j ACCEPT

# ICMP - INCOMING

# We will allow ICMP datagrams in of the allowed types.

$IPTABLES -A FORWARD -m multiport -p icmp -i $ANYDEV /

    --dports $ICMPIN -j ACCEPT

# ICMP - OUTGOING

# We will allow ICMP datagrams out of the allowed types.

$IPTABLES -A FORWARD -m multiport -p icmp -i $OURDEV -d $ANYADDR /

    --dports $ICMPOUT -j ACCEPT



# Ignore ICMP Redirects

        for f in /proc/sys/net/ipv4/conf/*/accept_redirects; 

                  do

                        echo 0 > $f

          done

        echo "Ignoring ICMP Redirects."



# Enable simple IP Forwarding and Network Address Translation

$IPTABLES -t nat -A POSTROUTING -o $ANYDEV -j SNAT --to-source $INET_IP



# Log martian packets

echo 1 > /proc/sys/net/ipv4/conf/all/log_martians



# DEFAULT and LOGGING

# All remaining datagrams fall through to the default

# rule and are dropped. They will be logged if you've

# configured the LOGGING variable above.

#

if [ "$LOGGING" ]

then

        # Log barred TCP

        $IPTABLES -A FORWARD -m tcp -p tcp -j LOG

        # Log barred UDP

        $IPTABLES -A FORWARD -m udp -p udp -j LOG

        # Log barred ICMP

        $IPTABLES -A FORWARD -m udp -p icmp -j LOG

fi

#

# end of start.

echo "System is now secure!"

  }



# Disable the firewall.

down() {

    echo "Bringing down the firewall..."

    $IPTABLES -F

    $IPTABLES -F INPUT

    $IPTABLES -F OUTPUT

    $IPTABLES -F FORWARD

    $IPTABLES -F -t mangle

    $IPTABLES -X

    $IPTABLES -F -t nat

    $IPTABLES -P INPUT ACCEPT

    $IPTABLES -P OUTPUT ACCEPT

    $IPTABLES -P FORWARD ACCEPT

    echo "System is now open!"

    exit 1

}