LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 10-18-2005, 05:42 PM   #1
gian2oo1
Member
 
Registered: Oct 2004
Location: Rhode Island, USA
Distribution: Slackware... Simplicity is bliss.
Posts: 62

Rep: Reputation: 15
How does my iptables firewall look?


Hello. After working with alot of iptables firewalls I finally read the manual and howto for iptables and have become very familair with it. Tomorrow I will be testing this firewall and I wanted to post it and get your suggestion. I don't have a linux box right now at home so tomorrow's test will be the first time I ever executed it. If you could run a quick glance at it and let me know if A) there is anything malfunctional B) anything more secure C) any holes, anything I could add, etc.

BTW, this firewall is for a dhcp & mail server.

Thanks for all of your help!

~Gian

Code:
#!/bin/bash
##########################################################################
# IPTABLES VERSION
##########################################################################

# USER CONFIGURABLE SECTION

# The name and location of the ipchains utility.
IPTABLES=iptables

# The path to the ipchains executable.
PATH="/sbin"

# Our internal network address space and its supporting network device.
OURNET="192.168.1.0/24"
OURBCAST="255.255.255.0"
OURDEV="eth1"
LAN_IP="192.168.1.1"

# The outside address and the network device that supports it.
ANYADDR="0/0"
ANYDEV="eth0"
INET_IP="209.113.149.108"

# SET LOOPBACK ATTRIBUTES
LO_IFACE="lo"
LO_IP="127.0.0.1"

# The TCP services we wish to allow to pass - "" empty means all ports
# note: comma separated
TCPIN="20,21,22,25,43,80,110,143,443,783,993,3306,12000,15000"
TCPOUT="20,21,22,23,25,43,53,80,110,123,143,443,783,993,3306,12000,15000,2210"

# The UDP services we wish to allow to pass - "" empty means all ports
# note: comma separated
UDPIN="53,123"
UDPOUT="53,123"

# The ICMP services we wish to allow to pass - "" empty means all types
# ref: /usr/include/netinet/ip_icmp.h for type numbers
# note: comma separated
ICMPIN="0,3,11"
ICMPOUT="8,3,11"

# Logging; uncomment the following line to enable logging of datagrams
# that are blocked by the firewall.
LOGGING=1


# Parse command line arguments
case "$1" in
    -f|--flush|--stop|stop)
        down
        ;;
    -s|--start|start)
        up_firewall
        ;;
    -r|--restart|restart)
        echo -n "Restarting the firewall."
        down
        up_firewall
        ;;
    -V|--version)
        echo "Com-tec Firewall for YKSM CPAs"
        echo "GIAN@COM-TEC.US"
        exit 1
        ;;
    *)
esac


up_firewall() {
   echo "Bringing up the firewall..."

# END USER CONFIGURABLE SECTION
###########################################################################

# Initially load modules
/sbin/depmod -a

# LOAD OTHER MODULES

/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_state

# ADJUST /PROC HERE
## ENABLE IP FORWARD IN /PROC
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "IP Forwarding enabled."
### IGNORE BOGUS ICMP RESPONSES
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "Now ignoring bogus icmp messages."
#### Set rate for icmp messages to 60/minute
echo "60" > /proc/sys/net/ipv4/icmp_ratelimit
echo "Setting sane icmp responses to 1 per second."
##### Accept syn cookies?
test -f /proc/sys/net/ipv4/tcp_syncookies && echo 0 > /proc/sys/net/ipv4/tcp_syncookies
echo "Not accepting SYN cookies."
###### Require source routing
for z in /proc/sys/net/ipv4/conf/*/accept_source_route;
   		do
      			echo 0 > $z
   	done
echo "Block source-routed packets."
####### Anti-Spoof block
	for a in /proc/sys/net/ipv4/conf/*/rp_filter; 
		do
			echo 1 > $a
		done
echo "Anti-Spoof block enabled."
######## Comply with timestamp standard as defined in RFC1323.
echo 1 > /proc/sys/net/ipv4/tcp_timestamps


# Flush the Input table rules
$IPTABLES -F FORWARD

# We want to deny all access by default.
$IPTABLES -P FORWARD deny
$IPTABLES -P OUTPUT deny
$IPTABLES -P INPUT deny

# Setup Pre-routing to drop some DoS/DDoS attempts.
$IPTABLES -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP 
$IPTABLES -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP 
$IPTABLES -A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP 
$IPTABLES -A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP 

# Rules for special networks not part of the Internet
$IPTABLES -A INPUT -p ALL -i $OURDEV -s $OURNET -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -s $INET_IP -j ACCEPT


# ANTI-SPOOFING 2
# We should not accept any datagrams with a source address matching ours
# from the outside, so we deny them.
$IPTABLES -A FORWARD -s $OURNET -i $ANYDEV -j DROP

# SMURF
# Disallow ICMP to our broadcast address to prevent "Smurf" style attack.
$IPTABLES -A FORWARD -m multiport -p icmp -i $ANYDEV -d $OURNET -j DENY

# We should accept fragments, in iptables we must do this explicitly.
$IPTABLES -A FORWARD -f -j ACCEPT

# Accept the packets we actually want to forward
$IPTABLES -A FORWARD -i $OURDEV -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# TCP
# We will accept all TCP datagrams belonging to an existing connection
# (i.e. having the ACK bit set) for the TCP ports we're allowing through.
# This should catch more than 95 % of all valid TCP packets.
$IPTABLES -A FORWARD -m multiport -p tcp --dports $TCPIN /
    ! --tcp-flags SYN,ACK ACK -j ACCEPT
$IPTABLES -A FORWARD -m multiport -p tcp --sports $TCPIN /
    ! --tcp-flags SYN,ACK ACK -j ACCEPT


# TCP - INCOMING CONNECTIONS
# We will accept connection requests from the outside only on the
# allowed TCP ports.
$IPTABLES -A INPUT -p ALL -d $ANYDEV -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -m multiport -p tcp -i $ANYDEV $TCPIN /
    --syn -j ACCEPT

# FORWARD WHATEVER NEEDS TO BE FORWARDED
$IPTABLES -A FORWARD -m multiport -p tcp -i $ANYDEV $TCPIN /
    --syn -j ACCEPT

# ACCEPT DHCP REQUESTS FROM OUR INTERNAL NETWORK ONLY
$IPTABLES -A INPUT -p UDP -i $OURDEV --dport 67 --sport 68 -j ACCEPT

# TCP - OUTGOING CONNECTIONS
# We will accept all outgoing tcp connection requests on the allowed /
    TCP ports.
$IPTABLES -A FORWARD -m multiport -p tcp /
    --dports $TCPOUT --syn -j ACCEPT
# Do not leak SMB info.
SMB="137 138 139"
	for all in $SMB;
		do
			$IPTABLES -A OUTPUT -p tcp -o $ANYDEV --dport $all -j DROP
			$IPTABLES -A OUTPUT -p udp -o $ANYDEV --dport $all -j DROP
			$IPTABLES -A FORWARD -p tcp -o $ANYDEV --dport $all -j DROP
			$IPTABLES -A FORWARD -p udp -o $ANYDEV --dport $all -j DROP
		done
echo "Server Message Block leak tightened."

#Drop multicast
$IPTABLES -N MULTICAST 2> /dev/null
$IPTABLES -F MULTICAST
$IPTABLES -A MULTICAST -j DROP


# UDP - INCOMING
# We will allow UDP datagrams in on the allowed ports and back.
$IPTABLES -A FORWARD -m multiport -p udp /
    --dports $UDPIN -j ACCEPT
$IPTABLES -A FORWARD -m multiport -p udp /
    --sports $UDPIN -j ACCEPT

# CLOSE NETFILTER FLAW
# http://www.netfilter.org/security/20...icmp-dnat.html
$IPTABLES-A OUTPUT -m state -p icmp --state INVALID -j DROP


# Block XMAS, NULL & FIN
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -m state --state ! ESTABLISHED -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -m state --state ! ESTABLISHED -j DROP
$IPTABLES -A FORWARD -p tcp --tcp-flags ALL NONE -j DROP
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN -m state --state ! ESTABLISHED -j DROP


# UDP - OUTGOING
# We will allow UDP datagrams out to the allowed ports and back.
$IPTABLES -A FORWARD -m multiport -p udp /
    --dports $UDPOUT -j ACCEPT
$IPTABLES -A FORWARD -m multiport -p udp /
    --sports $UDPOUT -j ACCEPT
# ICMP - INCOMING
# We will allow ICMP datagrams in of the allowed types.
$IPTABLES -A FORWARD -m multiport -p icmp -i $ANYDEV /
    --dports $ICMPIN -j ACCEPT
# ICMP - OUTGOING
# We will allow ICMP datagrams out of the allowed types.
$IPTABLES -A FORWARD -m multiport -p icmp -i $OURDEV -d $ANYADDR /
    --dports $ICMPOUT -j ACCEPT

# Ignore ICMP Redirects
	for f in /proc/sys/net/ipv4/conf/*/accept_redirects; 
   		do
         		echo 0 > $f
   	done
        echo "Ignoring ICMP Redirects."

# Enable simple IP Forwarding and Network Address Translation
$IPTABLES -t nat -A POSTROUTING -o $ANYDEV -j SNAT --to-source $INET_IP

# Log martian packets
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians

# DEFAULT and LOGGING
# All remaining datagrams fall through to the default
# rule and are dropped. They will be logged if you've
# configured the LOGGING variable above.
#
if [ "$LOGGING" ]
then
	# Log barred TCP
	$IPTABLES -A FORWARD -m tcp -p tcp -j LOG
	# Log barred UDP
	$IPTABLES -A FORWARD -m udp -p udp -j LOG
	# Log barred ICMP
	$IPTABLES -A FORWARD -m udp -p icmp -j LOG
fi
#
# end of start.
echo "System is now secure!"
  }

# Disable the firewall.
down() {
    echo "Bringing down the firewall..."
    $IPTABLES -F
    $IPTABLES -F INPUT
    $IPTABLES -F OUTPUT
    $IPTABLES -F FORWARD
    $IPTABLES -F -t mangle
    $IPTABLES -X
    $IPTABLES -F -t nat
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    echo "System is now open!"
    exit 1
}
 
Old 10-18-2005, 07:24 PM   #2
Dommy
Member
 
Registered: Jul 2004
Location: Canberra
Distribution: Mint 7
Posts: 204

Rep: Reputation: 30
To test a firewall go to www.grc.com and use his ShieldsUP program if there are any holes that should find it.

From what I can see you've done a good job, you have certainly been a busy beaver.

Another idea would be to use something like gaurd dog to generate a firewall and compare results.

Last edited by Dommy; 10-18-2005 at 07:26 PM.
 
Old 10-20-2005, 08:27 PM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,017
Blog Entries: 54

Rep: Reputation: 2764Reputation: 2764Reputation: 2764Reputation: 2764Reputation: 2764Reputation: 2764Reputation: 2764Reputation: 2764Reputation: 2764Reputation: 2764Reputation: 2764
BTW, this firewall is for a dhcp & mail server
...and LAN router?


+##### Accept syn cookies?
+test -f /proc/sys/net/ipv4/tcp_syncookies && echo 0 > /proc/sys/net/ipv4/tcp_syncookies
+echo "Not accepting SYN cookies."

Why not accept SYN cookies?


+######## Comply with timestamp standard as defined in RFC1323.
+echo 1 > /proc/sys/net/ipv4/tcp_timestamps

Sure you need this?


+echo "Server Message Block leak tightened."
+
+#Drop multicast

OK, so you DROP outbound SMB and MCAST, but how about bogons?


-# Drop all datagrams destined for this host received from outside.
-echo -n Dropping incoming datagrams... && {
-$IPTABLES -A INPUT -i $ANYDEV -j DROP
-} && echo done
+# We want to deny all access by default.
+$IPTABLES -P FORWARD deny
+$IPTABLES -P OUTPUT deny
+$IPTABLES -P INPUT deny

I thought DENY was ipchains-speak?


+# CLOSE NETFILTER FLAW
+# http://www.netfilter.org/security/2...-icmp-dnat.html
+$IPTABLES-A OUTPUT -m state -p icmp --state INVALID -j DROP

Should not apply anymore (iptables=>1.2.7).


*Diff lines = your fw script vs Linuxguru's rc.firewall_017.txt.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Iptables with iptables-firewall.conf arno's matt3333 Slackware 16 06-28-2007 07:20 AM
iptables vs. rc.firewall FiveFlat Linux - Security 2 08-13-2004 03:39 PM
IPTABLES firewall Vs rc firewall netguy2000 Linux - Security 7 02-28-2004 04:31 AM
Need Help with Firewall, iptables!!!! jamesws Linux - Networking 2 02-11-2002 05:56 PM
IPTables Firewall bfloeagle Linux - Security 6 06-19-2001 02:51 PM


All times are GMT -5. The time now is 07:19 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration