Linux - Security
I've tried putting a firewall script together based on the tutorials I've read around the internet. Please critique it and give me any recommendations, especially for a stronger firewall. Thanks!
Code:
#!/bin/sh
#############################################################
# Configuration
#############################################################
# Load Modules
/sbin/depmod -a
# Required modules
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_MASQUERADE
# ipt_REJECT is needed by the tcp-reset rule in bad_packets below,
# ipt_state by every "-m state" rule
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_state
# Non-Required modules
#/sbin/modprobe ipt_owner
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc
#############################################################
# Local Settings
#############################################################
# IPTables Location
IPTABLES="/sbin/iptables"
# External Interface
EXT="eth0"
# Internal Interface
INT="eth1"
LOCAL_IP="192.168.1.1"
LOCAL_BCAST="192.168.1.255"
# Loopback Interface
LBACK="lo"
LBACK_IP="127.0.0.1"
# Internal Network Configuration
LAN_IP="192.168.1.0/24"
#############################################################
# Firewall Configuration
#############################################################
# Flush ALL chains and delete old user-specified chains first,
# so the script can be re-run cleanly (-N fails if a chain already exists)
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -t mangle -F
$IPTABLES -X
# Default Policy
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
# User-Specified Chains
$IPTABLES -N bad_packets
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets
#############################################################
# Chains - User Specified
#############################################################
# bad_packets
# Unsolicited SYN/ACK (no matching connection) gets a TCP reset
$IPTABLES -A bad_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset
# A NEW connection that does not start with a SYN is bogus: log it, then drop it
$IPTABLES -A bad_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"
$IPTABLES -A bad_packets -p tcp ! --syn -m state --state NEW -j DROP
# tcp_packets
# udp_packets
# Blocks Microsoft Network Broadcasts
$IPTABLES -A udp_packets -p UDP -i $EXT --destination-port 135:139 -j DROP
# Blocks DHCP requests from outside of network.
$IPTABLES -A udp_packets -p UDP -i $EXT -d 255.255.255.255 --destination-port 67:68 -j DROP
# icmp_packets
# Allows Echo request
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
# Allows TTL equals 0 during transit / reassembly
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
#############################################################
# Chains - INPUT
#############################################################
# Filters packets through bad_packets chain
$IPTABLES -A INPUT -p ALL -j bad_packets
# Accepts everything on the loopback interface and from the internal LAN
$IPTABLES -A INPUT -p ALL -i $LBACK -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $INT -s $LAN_IP -j ACCEPT
# Drops attempts from outsiders acting like they are on the LAN (spoofed source),
# before anything arriving on the external interface is accepted
$IPTABLES -A INPUT -i $EXT -s $LAN_IP -j DROP
# Only accepts packets from outside that are established or related
$IPTABLES -A INPUT -p ALL -i $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Drops MS multicasts
$IPTABLES -A INPUT -i $EXT -d 224.0.0.0/8 -j DROP
# Disperses protocol types to specific chains
$IPTABLES -A INPUT -p TCP -i $EXT -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $EXT -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $EXT -j icmp_packets
#############################################################
# Chains - OUTPUT
#############################################################
# Allows traffic out of the firewall (loopback, the LAN side and the external side)
$IPTABLES -A OUTPUT -p ALL -o $LBACK -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $EXT -j ACCEPT
#############################################################
# Chains - FORWARD
#############################################################
# Filters packets through bad_packets chain
$IPTABLES -A FORWARD -p ALL -j bad_packets
# Drops attempts from outsiders acting like they are on the LAN (spoofed source);
# only packets arriving on the external interface are checked, otherwise
# nothing from the LAN could ever be forwarded
$IPTABLES -A FORWARD -i $EXT -s $LAN_IP -j DROP
# Drops MS multicasts
$IPTABLES -A FORWARD -d 224.0.0.0/8 -j DROP
# Disperses protocol types to specific chains
$IPTABLES -A FORWARD -p TCP -j tcp_packets
$IPTABLES -A FORWARD -p UDP -j udp_packets
$IPTABLES -A FORWARD -p ICMP -j icmp_packets
# Forwards new connections from the LAN out and the replies back in
$IPTABLES -A FORWARD -i $INT -o $EXT -s $LAN_IP -j ACCEPT
$IPTABLES -A FORWARD -i $EXT -o $INT -m state --state ESTABLISHED,RELATED -j ACCEPT
#############################################################
# Table - NAT
#############################################################
#NATing for the internal LAN
$IPTABLES -t nat -A POSTROUTING -o $EXT -j MASQUERADE
#############################################################
# Table - MANGLE
#############################################################
#############################################################
# Enables IP forwarding between the interfaces (needed for the NAT above to work)
echo "1" > /proc/sys/net/ipv4/ip_forward
Just a small critique: you are logging invalid packets. Logging is very dangerous, as an attacker could easily DDOS your computer by sending enough invalid traffic to make your hard drive busy. I would recommend making some "limit" rules for logging, to make sure you don't write more than, let's say, one invalid-traffic entry per second.
Btw, your default policy for OUTPUT is DROP... are you sure this is right? I mean, you won't be able to reach the outside world from this box?! Or maybe I missed something...
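The rate-limited logging the previous reply suggests, as an added example (this is not the script from the original post, nor code from either poster). It rewrites the log-and-drop rules of the bad_packets chain with the iptables limit match and also throttles INVALID packets; it assumes the chain is named bad_packets as in the script, and IPTABLES defaults to "echo iptables" so the rules are printed rather than applied (run it as root with IPTABLES=/sbin/iptables to apply them for real):

```shell
#!/bin/sh
# Added example, not the script from the original post: throttled logging
# for the bad_packets chain so a flood of bogus packets cannot fill the disk.
# Assumptions: the chain is named bad_packets as in the post; IPTABLES
# defaults to "echo iptables" (dry run) and can be overridden to apply rules.
IPTABLES="${IPTABLES:-echo iptables}"
LOG_LIMIT="${LOG_LIMIT:-1/s}"     # sustained rate of log entries
LOG_BURST="${LOG_BURST:-5}"       # entries allowed at once before the rate applies

# log_then_drop CHAIN PREFIX MATCH...
# Appends two rules: a LOG rule gated by the limit match (a token bucket of
# LOG_BURST tokens refilled at LOG_LIMIT), then an unconditional DROP so every
# matching packet is still dropped even while logging is throttled.
log_then_drop() {
    chain="$1"; prefix="$2"; shift 2
    $IPTABLES -A "$chain" "$@" \
        -m limit --limit "$LOG_LIMIT" --limit-burst "$LOG_BURST" \
        -j LOG --log-level 4 --log-prefix "$prefix"
    $IPTABLES -A "$chain" "$@" -j DROP
}

# bad_packets_rules
# Emits the hardened bad_packets chain: an unsolicited SYN/ACK gets a TCP
# reset, NEW-but-not-SYN and INVALID packets are logged (throttled) and dropped.
bad_packets_rules() {
    $IPTABLES -A bad_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
        -m state --state NEW -j REJECT --reject-with tcp-reset
    log_then_drop bad_packets "New not syn: " -p tcp ! --syn -m state --state NEW
    log_then_drop bad_packets "Invalid: " -m state --state INVALID
}

# count_log_rules prints how many of the emitted rules log.
count_log_rules() {
    bad_packets_rules | grep -c -- '-j LOG'
}

# count_unlimited_log_rules prints how many LOG rules lack the limit match;
# this is the check to run on any rule set: it must be 0.
count_unlimited_log_rules() {
    bad_packets_rules | grep -- '-j LOG' | grep -vc -- '-m limit' || true
}

bad_packets_rules
```

The limit match is a token bucket: --limit-burst 5 allows five entries at once, then --limit 1/s refills one token per second, so a flood writes at most 5 + t log lines in t seconds no matter how many packets arrive. The DROP rule after each LOG rule carries no limit, so every matching packet is still dropped when logging is throttled. After applying the rules, iptables -L bad_packets -v -n shows the per-rule packet counters, and under load the DROP counter should climb well ahead of the LOG counter.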
Thanks, I made the proper OUTPUT changes; I will make the log changes later. While I was looking around I found this script that I might use, and scrap mine, because it looks like it covers stuff that I didn't even come close to accounting for.