LinuxQuestions.org
Old 08-09-2005, 09:52 AM   #1
Centinul
Member
 
Registered: Jun 2005
Distribution: Gentoo
Posts: 552

Rep: Reputation: 30
Iptables Critique


I've tried putting a firewall script together based on the tutorials I've read around the internet. Please critique and give me any recommendations especially for a stronger firewall. Thanks!

Code:
#!/bin/sh

#############################################################
# Configuration
#############################################################

	# Load Modules
	/sbin/depmod -a

	# Required modules
	/sbin/modprobe ip_conntrack
	/sbin/modprobe ip_tables
	/sbin/modprobe iptable_filter
	/sbin/modprobe iptable_mangle
	/sbin/modprobe iptable_nat
	/sbin/modprobe ipt_LOG
	/sbin/modprobe ipt_limit
	/sbin/modprobe ipt_MASQUERADE

	# Non-Required modules
	#/sbin/modprobe ipt_owner
	#/sbin/modprobe ipt_REJECT
	#/sbin/modprobe ip_conntrack_ftp
	#/sbin/modprobe ip_conntrack_irc
	#/sbin/modprobe ip_nat_ftp
	#/sbin/modprobe ip_nat_irc

#############################################################
# Local Settings
#############################################################

	# IPTables Location
	IPTABLES="/sbin/iptables"
	
	# External Interface
	EXT="eth0"

	# Internal Interface
	INT="eth1"
	LOCAL_IP="192.168.1.1"
	LOCAL_BCAST="192.168.1.255"

	# Loopback Interface
	LBACK="lo"
	LBACK_IP="127.0.0.1"

	# Internal Network Configuration
	LAN_IP="192.168.1.0/24"

#############################################################
# Firewall Configuration                                                                                  
#############################################################

	# Default Policy
	$IPTABLES -P INPUT 	DROP
	$IPTABLES -P OUTPUT 	DROP
	$IPTABLES -P FORWARD 	DROP

	# User-Specified Chains
	$IPTABLES -N bad_packets
	$IPTABLES -N tcp_packets
	$IPTABLES -N udp_packets
	$IPTABLES -N icmp_packets

	# Flush ALL chains
	$IPTABLES -F INPUT
	$IPTABLES -F OUTPUT
	$IPTABLES -F FORWARD
	$IPTABLES -t nat -F
	$IPTABLES -t mangle -F

	$IPTABLES -F bad_packets
	$IPTABLES -F tcp_packets
	$IPTABLES -F udp_packets
	$IPTABLES -F icmp_packets

#############################################################
# Chains - User Specified
#############################################################

# bad_packets
$IPTABLES -A bad_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset

$IPTABLES -A bad_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"

$IPTABLES -A bad_packets -p tcp ! --syn -m state --state NEW -j DROP

# tcp_packets


# udp_packets

# Blocks Microsoft Network Broadcasts
$IPTABLES -A udp_packets -p UDP -i $EXT --destination-port 135:139 -j DROP

# Blocks DHCP requests from outside of network.
$IPTABLES -A udp_packets -p UDP -i $EXT -d 255.255.255.255 --destination-port 67:68 -j DROP

# icmp_packets

# Allows Echo request
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

# Allows TTL equals 0 during transit / reassembly
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#############################################################
# Chains - INPUT 
#############################################################

# Filters packets through bad_packets chain
$IPTABLES -A INPUT -p ALL -j bad_packets

# Only accept packets that are established or related
$IPTABLES -A INPUT -p ALL -i $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drops MS multicasts
$IPTABLES -A INPUT -i $EXT -d 224.0.0.0/8 -j DROP

# Drops attempts from outsider acting like they are on the LAN
$IPTABLES -A INPUT -i $EXT -s $LAN_IP -j DROP

# Disperse protocol types on specific chains
$IPTABLES -A INPUT -p TCP -i $EXT -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $EXT -j udp_packets
$IPTABLES -A INPUT -p ICMP	-i $EXT -j icmp_packets


#############################################################
# Chains - OUTPUT
#############################################################

#Allows traffic out of the firewall
$IPTABLES -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $EXT -j ACCEPT

#############################################################
# Chains - FORWARD
#############################################################

# Filters packets through bad_packets chain
$IPTABLES -A FORWARD -p ALL -j bad_packets

# Drops MS multicasts
$IPTABLES -A FORWARD -d 224.0.0.0/8 -j DROP

# Drops attempts from outsider acting like they are on the LAN
$IPTABLES -A FORWARD -s $LAN_IP -j DROP

# Disperse protocol types on specific chains
$IPTABLES -A FORWARD -p TCP -j tcp_packets
$IPTABLES -A FORWARD -p UDP -j udp_packets
$IPTABLES -A FORWARD -p ICMP -j icmp_packets

#############################################################
# Table - NAT
#############################################################

#NATing for the internal LAN
$IPTABLES -t nat -A POSTROUTING -o $EXT -j MASQUERADE

#############################################################
# Table - MANGLE
#############################################################

#############################################################

# Enables forwarding of interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward

Last edited by Centinul; 08-09-2005 at 11:01 AM.
 
Old 08-09-2005, 10:35 AM   #2
Half_Elf
Guru
 
Registered: Sep 2001
Location: Montreal, Canada
Distribution: Slackware; Debian; Gentoo...
Posts: 2,163

Rep: Reputation: 45
Nice piece of work.

Just a small critique: you are logging invalid packets. Logging is very dangerous, as an attacker could easily DDoS your computer by sending enough invalid traffic to make your hard drive busy. I would recommend making some "limit" rules about logging, to make sure you don't write more than, let's say, 1 invalid traffic entry per second.


Btw, your default policy for OUTPUT is to DROP... are you sure this is right? I mean, you won't be able to reach the outside world from this box?! Or maybe I missed something...
 
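Half_Elf's suggestion of "limit" rules for logging, written out as an added example (not the poster's script and not from anyone in the thread). It assumes the same $IPTABLES path and bad_packets chain as the posted script; DRY_RUN=1 (the default here) prints the rules instead of applying them, so the rule set can be reviewed without root.

```shell
#!/bin/sh
# Added example: rate-limited LOG followed by DROP for the bad_packets chain.
# Assumes the $IPTABLES variable and bad_packets chain from the posted script.
# DRY_RUN=1 (default) prints rules; set DRY_RUN=0 to apply them for real.

IPTABLES="${IPTABLES:-/sbin/iptables}"
DRY_RUN="${DRY_RUN:-1}"

# run_ipt: apply a rule, or print it when DRY_RUN=1 so it can be reviewed first.
run_ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$IPTABLES $*"
    else
        "$IPTABLES" "$@"
    fi
}

# log_then_drop CHAIN PREFIX RATE BURST [match args...]
# Emits two rules for the same match: a LOG that fires at most RATE times
# (e.g. 1/second) once an initial burst of BURST entries is used up, then an
# unconditional DROP. Packets beyond the limit are still dropped; they are
# simply not written to the log, so a flood cannot fill the disk.
log_then_drop() {
    chain="$1"; prefix="$2"; rate="$3"; burst="$4"
    shift 4
    run_ipt -A "$chain" "$@" -m limit --limit "$rate" --limit-burst "$burst" \
        -j LOG --log-prefix "$prefix"
    run_ipt -A "$chain" "$@" -j DROP
}

# Rate-limited version of the poster's "New not syn" LOG/DROP pair:
# at most one log line per second after a burst of 5.
bad_packet_rules() {
    log_then_drop bad_packets "New not syn: " 1/second 5 \
        -p tcp ! --syn -m state --state NEW
}

bad_packet_rules
```

The same log_then_drop helper can be reused for any other rule that currently logs without a limit.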
Old 08-09-2005, 11:03 AM   #3
Centinul
Member
 
Registered: Jun 2005
Distribution: Gentoo
Posts: 552

Original Poster
Rep: Reputation: 30
Thanks, I made the proper OUTPUT changes; I will make the log changes later. While I was looking around I found this script that I might use and scrap mine, because it looks like it covers stuff that I didn't even come close to accounting for:

http://gentoo-wiki.com/HOWTO_Iptables_for_newbies

Thoughts?