Old 01-07-2002, 04:59 PM   #1
Bomber
LQ Newbie
 
Registered: Jan 2002
Location: Melbourne, Australia
Distribution: Debian
Posts: 13
IPTables Firewall Advice...


Hey, I've written myself an iptables firewall script (helped by browsing the web and looking at others' scripts - raz you may see some stuff you recognise).....but I want to know how secure this script is and if I've gone about it the correct way...

Code:
#!/bin/bash

#IPTABLES Firewall script - created by Ben Birnbaum
#
#If the script has already been run and needs to be restarted for configuration 
#purposes run it with the "stop" command first, then re-run with the "start" 
#command.


#Set to the location of the iptables program
IPT="/sbin/iptables"

#A simple if statement to test for the command line options.
#$1 is quoted so an empty argument gives "Invalid Option!" instead of a test syntax error.
if [ "$1" = "stop" ]; then

    #Test to see if unreal.firewall has been started
    if [ -e /etc/firewall/status_stop.pid ]; then

        echo ""
        echo "Error: unreal.firewall script has not been started yet!"
        echo "Run: unreal.firewall start"
        echo ""
        exit 1
    
    fi

    #Flush all firewall rules (stop the script). The nat table is flushed too,
    #because the start branch adds PREROUTING rules there.
    echo -n "Flushing Firewall Rules........."
    $IPT -F
    $IPT -t nat -F
    $IPT -X firewall
    $IPT -X syn-flood
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    echo "DONE"
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then

        echo -n "Removing IP spoofing protection....."
        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f ; done
        echo "DONE"
    fi
    rm -f /etc/firewall/status_start.pid
    touch /etc/firewall/status_stop.pid
    echo ""
    echo "WARNING: By stopping the firewall you are leaving yourself open to attacks."
    echo ""
    #A successful stop exits 0; exit 1 is used for the error cases above.
    exit 0

#Anything other than "start" (including no argument at all) is rejected here.
elif [ "$1" != "start" ]; then

    echo "Invalid Option!"
    echo "Valid Options: start|stop"
    exit 1

fi

#Test to see if unreal.firewall is already running..
if [ -e /etc/firewall/status_start.pid ]; then

    echo ""
    echo "Error: unreal.firewall script has already been started.."
    echo "Issue the stop command first."
    echo ""
    exit 1

fi

#Remove the stop file and create the start file (to show that
#unreal.firewall is running). The state directory is created on first run.
mkdir -p /etc/firewall
rm -f /etc/firewall/status_stop.pid
touch /etc/firewall/status_start.pid

#Set up spoofing protection

if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then

        echo -n "Setting up IP spoofing protection....."
        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f ; done
        echo "DONE"

    else

        echo DANGER: PROBLEMS SETTING UP IP SPOOFING PROTECTION.

fi

echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.tcp_max_syn_backlog=256
sysctl -w net.ipv4.tcp_syn_retries=5
sysctl -w net.ipv4.route.mtu_expires=512
sysctl -w net.ipv4.tcp_keepalive_time=7600
sysctl -w net.ipv4.icmp_echoreply_rate=10
sysctl -w net.ipv4.tcp_fin_timeout=360
sysctl -w net.ipv4.tcp_rfc1337=1
echo 8176 > /proc/sys/net/ipv4/ip_conntrack_max
echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 128 > /proc/sys/net/ipv4/ip_default_ttl
echo 262144 > /proc/sys/net/core/rmem_default
echo 262144 > /proc/sys/net/core/rmem_max
echo 262144 > /proc/sys/net/core/wmem_default
echo 262144 > /proc/sys/net/core/wmem_max


echo -n "Loading Firewall Rules....."

#Flush all existing rules in the filter and nat tables, and delete any
#leftover user-defined chains so the -N commands below cannot fail on a re-run
$IPT -F
$IPT -t nat -F
$IPT -X

#Set default policies
$IPT -P INPUT DROP
$IPT -P FORWARD DROP

#Set-up the "firewall-chain" rules
$IPT -N firewall
$IPT -A firewall -m limit --limit 20/minute -j LOG --log-level info --log-prefix "FIREWALL: "
$IPT -A firewall -j DROP

#Accept Ourselves
$IPT -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT

#Drop any bad Flags. The LOG rule has to come before the DROP rule for the
#same match: once a packet is dropped, later rules are never reached. The
#LOG rules are rate limited (like the "firewall" chain) so a flood of bad
#packets cannot fill the logs.
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 20/minute -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L1: "
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 20/minute -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L2: "
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -m limit --limit 20/minute -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L3: "
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 20/minute -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L4: "
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 20/minute -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L5: "
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP


#Stuff to stop SYN Floods
$IPT -N syn-flood
$IPT -A syn-flood -m limit --limit 1/s --limit-burst 10 -j RETURN
$IPT -A syn-flood -j LOG --log-level info --log-prefix "FIREWALL: SYN Flood Stopped: "
$IPT -A syn-flood -j DROP
$IPT -A INPUT -p tcp --syn -j syn-flood


#Some more Spoofing Protection
$IPT -t nat -A PREROUTING -s 10.0.0.0/8 -j LOG --log-level info --log-prefix "FIREWALL: FAKE CLASS A: "
$IPT -t nat -A PREROUTING -s 10.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 172.16.0.0/12 -j LOG --log-level info --log-prefix "FIREWALL: FAKE CLASS B: "
$IPT -t nat -A PREROUTING -s 172.16.0.0/12 -j DROP
$IPT -A INPUT -s 10.0.0.0/8 -j LOG --log-level info --log-prefix "FIREWALL: FAKE CLASS A: "
$IPT -A INPUT -s 10.0.0.0/8 -j DROP
$IPT -A INPUT -s 172.16.0.0/12 -j LOG --log-level info --log-prefix "FIREWALL: FAKE CLASS B: "
$IPT -A INPUT -s 172.16.0.0/12 -j DROP
$IPT -A INPUT -s 255.255.255.255 -j LOG --log-level info --log-prefix "FIREWALL: FAKE CLASS E: "
$IPT -A INPUT -s 255.255.255.255 -j DROP
$IPT -A INPUT -s 0.0.0.0/8 -j DROP
#Link-local range is 169.254.0.0/16 (a /15 would also cover 169.255.0.0/16)
$IPT -A INPUT -s 169.254.0.0/16 -j DROP
$IPT -A INPUT -s 224.0.0.0/4 -j DROP
$IPT -A INPUT -s 240.0.0.0/5 -j DROP
$IPT -A INPUT -s 248.0.0.0/5 -j DROP
$IPT -A INPUT -f -j LOG --log-level info --log-prefix "FIREWALL: PACKET FRAGMENTED: "
$IPT -A INPUT -f -j DROP


#State matching stuff - to accept related and established connections.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#ICMP Stuff
$IPT -A INPUT -p icmp --icmp-type address-mask-reply -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type required-option-missing -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type ip-header-bad -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type source-route-failed -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type network-unknown -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

#Accept HTTP requests (uncomment to allow HTTP on port 80)
#$IPT -A INPUT -p tcp --destination-port 80 -j ACCEPT

#Accept HTTPS requests
$IPT -A INPUT -s 192.168.4.0/24 -p tcp --destination-port 2789 -j ACCEPT
$IPT -A INPUT -s 192.168.4.198 -p tcp --destination-port 10000 -j ACCEPT

#Accept SSH requests
$IPT -A INPUT -s 192.168.4.0/24 -p tcp --destination-port 22 -j ACCEPT

#Accept samba requests
$IPT -A INPUT -s 192.168.4.0/24 -p tcp --destination-port 137:139 -j ACCEPT
$IPT -A INPUT -s 192.168.4.0/24 -p udp --destination-port 137:139 -j ACCEPT
$IPT -A INPUT -s 192.168.4.0/24 -p tcp --destination-port 445 -j DROP
$IPT -A INPUT -s 192.168.4.1 -p udp --source-port 137 -j ACCEPT
$IPT -A INPUT -s 192.168.4.2 -p udp --source-port 137 -j ACCEPT

#Accept Domain Name Server stuff..
$IPT -A INPUT -s 192.168.4.0/24 -p tcp --destination-port 53 -j ACCEPT
$IPT -A INPUT -s 192.168.4.0/24 -p udp --destination-port 53 -j ACCEPT

#Some deny stuff that we dont want to log
$IPT -A INPUT -p udp --destination-port 137 -j DROP
$IPT -A INPUT -p udp --destination-port 138 -j DROP
$IPT -A INPUT -p udp --destination-port 67 -j DROP
$IPT -A INPUT -p udp --destination-port 68 -j DROP

#Send everything else to the firewall chain - DENY it and LOG it.
$IPT -A INPUT -p icmp -j firewall
$IPT -A INPUT -p tcp --syn -j firewall
$IPT -A INPUT -p udp -j firewall

echo "DONE"
Sorry for the length...
Any input/feedback would be greatly appreciated, thanks...
 
Old 01-07-2002, 05:27 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,140
Blog Entries: 54

I admit I'm still "studying" netfilter/iptables,
(even compiled a stateful packet filter for me good 'ol ipchains) but it looks sound to me. The only real thing I think I'd be missing is output chain rules, like allowing only ICMP type messages out related to ping and traceroute (0,1,8, IIRC), no crafted TCP packets out, and separate LOG chains to have different logging options/notes but then maybe I'm a logging freak :-]

Other than that I've only got nagging stuff like, I'd separate sysctl stuff to a separate /etc/sysctl.conf so I would only need one line like "sysctl -e -p /etc/sysctl.conf", and the script shouldn't need a PID/state file (IMHO) when it's not run?

Still stands tho, it looks quite good to me.
 
Old 01-07-2002, 05:47 PM   #3
Bomber
LQ Newbie
 
Registered: Jan 2002
Location: Melbourne, Australia
Distribution: Debian
Posts: 13

Original Poster
Cool, thanks for the tips/advice unSpawn.

I didn't even realise there was a sysctl.conf, that should help make things neater.

Thanks again.
 
Old 01-08-2002, 05:39 AM   #4
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Yeah I thought I recognised some of it.

The lines like this will allow external people to fake internal ip sourced packets to your system, as you're accepting from -s and not to a particular network card.

$IPT -A INPUT -s 192.168.4.0/24 -p tcp --destination-port 53 -j ACCEPT
$IPT -A INPUT -s 192.168.4.0/24 -p udp --destination-port 53 -j ACCEPT

To do it correctly you need two network cards, the first with the outside ip, the second with your internal ip.

Then only accept to the internal card.

example:
$IPT -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
"eth0 being the external interface."

or

$IPT -A INPUT -i eth1 -s 192.168.4.0/24 -p tcp --destination-port 53 -j ACCEPT
"eth1 being the internal interface."

Also you're giving too much info away in the ICMP accepts.

On your external nic drop all ICMP's except:
--icmp-type required-option-missing -j ACCEPT
--icmp-type parameter-problem -j ACCEPT
--icmp-type ip-header-bad -j ACCEPT
--icmp-type TOS-host-unreachable -j ACCEPT
--icmp-type source-route-failed -j ACCEPT
--icmp-type network-unknown -j ACCEPT
--icmp-type echo-reply -j ACCEPT

Also drop this rule with the main ones.
Yours:

#Set default policies
$IPT -P INPUT DROP
$IPT -P FORWARD DROP

Should be:
iptables -F
iptables -X
iptables -F -t nat
iptables -P INPUT DROP
# if you don't trust your network then DROP outputs and make rules
iptables -P OUTPUT ACCEPT
iptables -A FORWARD -i eth0 -p igmp -j LOG --log-level info --log-prefix "** Bad faked IGMP's **"
iptables -A FORWARD -i eth0 -p igmp -j DROP
iptables -P FORWARD DROP

Otherwise it looks ok.

/raz
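To make raz's point concrete, here is an added example (not code from the thread) that models how iptables walks an INPUT chain, first matching rule wins and otherwise the chain policy applies, and compares the OP's source-only DNS rule with raz's interface-bound version. The interfaces, addresses and packets are constructed; eth0 is assumed external and eth1 internal, as in raz's post.

```python
# Added example, not from the thread: a minimal model of how iptables
# walks an INPUT chain (first matching rule wins, else the chain policy),
# used to compare the OP's source-only DNS rule with raz's interface-bound
# version. All addresses, interfaces and packets here are constructed.
import ipaddress

POLICY = "DROP"  # both scripts set -P INPUT DROP


def matches(rule, pkt):
    """True when every matcher present in the rule applies to the packet."""
    if "iface" in rule and rule["iface"] != pkt["iface"]:
        return False
    if "src" in rule:
        net = ipaddress.ip_network(rule["src"])
        if ipaddress.ip_address(pkt["src"]) not in net:
            return False
    if "proto" in rule and rule["proto"] != pkt["proto"]:
        return False
    if "dport" in rule and rule["dport"] != pkt["dport"]:
        return False
    return True


def verdict(chain, pkt):
    """Return the target of the first matching rule, or the chain policy."""
    for rule in chain:
        if matches(rule, pkt):
            return rule["target"]
    return POLICY


# The OP's rule: matches on -s only, whatever interface the packet came in on.
SOURCE_ONLY = [
    {"src": "192.168.4.0/24", "proto": "tcp", "dport": 53, "target": "ACCEPT"},
]

# raz's version: eth0 is the external card, eth1 the internal one.
INTERFACE_BOUND = [
    {"iface": "eth0", "src": "127.0.0.0/8", "target": "DROP"},
    {"iface": "eth1", "src": "192.168.4.0/24", "proto": "tcp", "dport": 53, "target": "ACCEPT"},
]

# Constructed packets: a genuine LAN query on eth1, and one carrying the
# same forged LAN source address but arriving from outside on eth0.
LAN_QUERY = {"iface": "eth1", "src": "192.168.4.10", "proto": "tcp", "dport": 53}
SPOOFED = {"iface": "eth0", "src": "192.168.4.10", "proto": "tcp", "dport": 53}

if __name__ == "__main__":
    for name, chain in (("source-only", SOURCE_ONLY), ("interface-bound", INTERFACE_BOUND)):
        print(f"{name}: lan={verdict(chain, LAN_QUERY)} spoofed={verdict(chain, SPOOFED)}")
```

The source-only chain accepts the spoofed packet; the interface-bound chain lets it fall through to the DROP policy while still accepting the real LAN query.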
 
Old 02-19-2002, 07:58 PM   #5
Stingreen
Member
 
Registered: May 2001
Location: Baltimore,MD,USA,Earth,Some Galaxy, We haven't gone that far!
Distribution: Redhat 7.3
Posts: 103

jesus...
I got a looonnggg loooonnggg way ahead just to understand what is going on.
I think I'm gonna sit on a corner and start crying.

Last edited by Stingreen; 02-19-2002 at 07:59 PM.
 
Old 04-11-2004, 01:17 AM   #6
phoenix07
Member
 
Registered: Apr 2004
Posts: 33

Quote:
Originally posted by raz
hey raz...

do you think you could help me out with this problem i got?


how do i turn off my Firewall so EVERY person on my network can share the internet??? if i turn off firewall will that automatically share the internet??? i seriously need help.