Linux - Security (LinuxQuestions.org forum)
01-29-2005, 11:24 PM | #1 | Member | Registered: Sep 2004 | Distribution: SUSE Linux Pro 9.3 | Posts: 375
IPTABLES Firewall (Good enough????)
I am using a DSL modem on Mandrake Linux 9.1. All I'm doing with the computer is emails and Internet, and maybe using Telnet to connect to other UNIX shell servers. That's all. I am not running Samba or other services and I am on a stand-alone PC. That's all.
I would appreciate it if someone could tell me if the firewall script, which is in my rc.local, is sufficient. I am using this right now and I probed my computer for common ports and the results were all ports STEALTHED. My question is, though, is this sufficient for my email-and-Internet-only computing? Please look below. If it's not very secure, then please, if someone here could provide me with more secure code than this.
Code:
#PROC SETTINGS
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts #Block pings to broadcast IP (smurf)
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians #Log non-routable IPs
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route #Block source-routed packets
iptables -F
iptables -t nat -F
iptables -X
iptables -Z
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP
#DROP BAD PACKETS
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP #DROP NEW NOT SYN
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP #DROP SYN-FIN SCANS
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP #DROP SYN-RST SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP #DROP X-MAS SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP #DROP NMAP FIN SCAN
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP #DROP NULL SCANS
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP #DROP ALL/ALL SCANS
#LOG AND DROP IANA RESERVED/BOGONS
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
Last edited by wardialer; 01-29-2005 at 11:26 PM.
01-29-2005, 11:41 PM | #2 | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
There are always more things you can add to a firewall in order to make it more secure (egress filtering, added spoofing protection, etc.), but I think the one you're using is reasonably secure for your needs.
01-29-2005, 11:46 PM | #3 | Member | Registered: Sep 2004 | Distribution: SUSE Linux Pro 9.3 | Posts: 375 | Original Poster
Ok, thanks. Then I'll go ahead and stick with this one, as I probed for ports and it resulted in all ports stealthed. That should indicate that it is working.
I am totally off on how to create iptables or ipchains. Everyone here tells me to go read, but even reading this I do not understand. It's very confusing.
Now, what is the real and actual name of the script I have??? Is it called IPTABLES or IPChains???
01-30-2005, 01:45 AM | #4 | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Quote:
Originally posted by wardialer
I am totally off on how to create iptables or ipchains. Everyone here tells me to go read, but even reading this I do not understand. It's very confusing.
The frozentux tutorial is one of the better written and more detailed guides that I really recommend reading, so that is a good place to start. If you have any specific questions though, feel free to ask.
Quote:
Originally posted by wardialer
Now, what is the real and actual name of the script I have??? Is it called IPTABLES or IPChains???
IPTables. IPChains was the older Linux firewall used in the 2.2 series kernels.
01-30-2005, 02:00 AM | #5 | Member | Registered: Sep 2004 | Distribution: SUSE Linux Pro 9.3 | Posts: 375 | Original Poster
Could I call it a Firewall or Linux firewall??? Does it really matter?
So, just to confirm, IPTables is actually considered a firewall? Am I right?
Last edited by wardialer; 01-30-2005 at 02:05 AM.
01-30-2005, 03:12 PM | #6 | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Quote:
Originally posted by wardialer
Could I call it a Firewall or Linux firewall??? Does it really matter?
Either one. IPTables is a firewall that runs on the Linux platform and I don't believe it's been ported to any other operating systems, so you can use the two names pretty much interchangeably.
Quote:
Originally posted by wardialer
So, just to confirm, IPTables is actually considered a firewall? Am I right?
Technically iptables is just the user interface and scripting language for configuring "Netfilter", which is the actual firewalling code present in the Linux kernel. However, pretty much everyone just calls it iptables when referring to either one. In fact, if you call it Netfilter, people may not know what you're talking about. But to get back to your question, yes, iptables/netfilter is a firewall.
02-28-2005, 10:51 PM | #7 | Member | Registered: Sep 2004 | Distribution: SUSE Linux Pro 9.3 | Posts: 375 | Original Poster
How can I add IP spoofing protection to the script above??? Please let me know where to add the IP spoofing protection??? On which line? If I need one... that is... I don't know if this one already has it or not...
Do you think this script will provide me stealth???
Last edited by wardialer; 02-28-2005 at 10:54 PM.
02-28-2005, 11:01 PM | #8 | Senior Member | Registered: Mar 2003 | Distribution: Fedora | Posts: 3,658
Quote:
Originally posted by wardialer
How can I add IP spoofing protection to the script above??? Please let me know where to add the IP spoofing protection??? On which line? If I need one... that is... I don't know if this one already has it or not...
That's what this is:
Code:
#LOG AND DROP IANA RESERVED/BOGONS
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -j DROP
If you have a static IP, you can add it to this block of rules as well.
Quote:
Originally posted by wardialer
Do you think this script will provide me stealth???
Yes. Using the DROP target results in 'stealth'. If you open up any ports in that firewall then it's not so stealth.
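The anti-spoofing block quoted above, rewritten as a small generator so the LOG+DROP pair is produced for every network in a list rather than typed out five times. This is an added example, not code from any post in the thread. It assumes `ppp0` is the Internet-facing interface (as in the original script), uses 203.0.113.5 (a documentation address) as a constructed stand-in for a static IP, and prints the iptables commands by default (`DRY_RUN=1`) so they can be reviewed before being applied as root with `DRY_RUN=0`.

```shell
#!/bin/sh
# Added example (not from the thread): build the LOG+DROP anti-spoofing pairs
# from a list of networks instead of repeating each rule by hand.
# DRY_RUN=1 (default) prints the iptables commands; DRY_RUN=0 runs them (root).

# Source networks that must never arrive on the Internet-facing interface.
# These are the five networks the original script logs and drops.
BOGON_NETS="0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 192.168.0.0/16 172.16.0.0/12"

# ipt: run iptables, or in dry-run mode print a copy-pasteable command line.
ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        line="iptables"
        for arg; do
            case $arg in
                *' '*) line="$line \"$arg\"" ;;   # keep args with spaces quoted
                *)     line="$line $arg" ;;
            esac
        done
        echo "$line"
    else
        iptables "$@"
    fi
}

# antispoof_rules IFACE [EXTRA_SOURCE ...]
# For each bogon network, and for each extra source given (for example the
# host's own static address, which can never legitimately be a source on the
# outside interface), emit a rate-limited LOG rule followed by a DROP rule.
antispoof_rules() {
    iface=$1
    shift
    for src in $BOGON_NETS "$@"; do
        ipt -A INPUT -i "$iface" -s "$src" -m limit --limit 5/m \
            -j LOG --log-prefix "WARN: INVALID IP "
        ipt -A INPUT -i "$iface" -s "$src" -j DROP
    done
}

# Invocation: "show [iface] [own-ip]" prints the rules for review;
# "apply [iface]" installs them. 203.0.113.5 is a constructed placeholder.
case ${1:-} in
    show)  antispoof_rules "${2:-ppp0}" "${3:-203.0.113.5}" ;;
    apply) DRY_RUN=0 antispoof_rules "${2:-ppp0}" ;;
esac
```

These rules match on source address only, so on a dynamic-IP link there is nothing to add (the current address changes with each PPP session), which is why the original list stops at the reserved networks. The rate limit on the LOG rule matters: without it, a flood of spoofed packets fills the log faster than anything else on the machine.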
02-28-2005, 11:06 PM | #9 | Member | Registered: Sep 2004 | Distribution: SUSE Linux Pro 9.3 | Posts: 375 | Original Poster
I have a dynamic IP service so I do not have to add anything then. So I could just leave it alone...
That's all I wanted to ask..
03-01-2005, 01:40 AM | #10 | Guru | Registered: Jul 2003 | Location: Los Angeles | Distribution: Ubuntu | Posts: 9,870
You could also (or instead) set the kernel parameter for reverse path source validation:
Code:
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
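A small audit-and-apply script for the four /proc/sys knobs this thread uses (the three in the original script plus rp_filter), added here as an example and not posted by anyone in the thread. It takes the sysctl root as an argument so it can be checked offline against a constructed directory tree; on a live system it defaults to /proc/sys, and writing there needs root.

```shell
#!/bin/sh
# Added example (not from the thread): audit and apply the /proc/sys hardening
# knobs discussed here. The root directory normally is /proc/sys; pass another
# directory (a constructed tree) to exercise the functions without root.

# key=wanted-value pairs, space separated.
SYSCTL_WANTED="net/ipv4/icmp_echo_ignore_broadcasts=1 \
net/ipv4/conf/all/log_martians=1 \
net/ipv4/conf/all/accept_source_route=0 \
net/ipv4/conf/all/rp_filter=1"

# audit_sysctl [ROOT]: print one OK/BAD line per knob and return the number
# of knobs that are missing or not at the wanted value.
audit_sysctl() {
    root=${1:-/proc/sys}
    bad=0
    for entry in $SYSCTL_WANTED; do
        key=${entry%=*}
        want=${entry#*=}
        if [ -r "$root/$key" ]; then
            have=$(cat "$root/$key")
        else
            have=missing
        fi
        if [ "$have" = "$want" ]; then
            echo "OK   $key=$have"
        else
            echo "BAD  $key=$have (want $want)"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# harden_sysctl [ROOT]: write every wanted value (root on a live system).
harden_sysctl() {
    root=${1:-/proc/sys}
    for entry in $SYSCTL_WANTED; do
        echo "${entry#*=}" > "$root/${entry%=*}"
    done
}

# Invocation: "audit" reports the live values; "harden" applies and re-audits.
case ${1:-} in
    audit)  audit_sysctl ;;
    harden) harden_sysctl && audit_sysctl ;;
esac
```

Two caveats worth knowing when putting this into rc.local: values written to /proc/sys are lost at reboot, so the same settings belong in /etc/sysctl.conf (e.g. `net.ipv4.conf.all.rp_filter = 1`) as well; and for rp_filter the kernel uses the higher of `conf/all` and `conf/<interface>`, while interfaces that come up later (the PPP link, for instance) take their initial value from `conf/default`.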
03-01-2005, 09:29 AM | #11 | Member | Registered: Sep 2004 | Distribution: SUSE Linux Pro 9.3 | Posts: 375 | Original Poster
Win32sux -- What's up my friend -
Yes, don't worry, I have your code on CD too. I burnt Capt_Caveman's and yours onto a CD-R (the shell script). So I have two scripts...
Both of them I tested and they both give me stealth...thanks guys.