LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Security (http://www.linuxquestions.org/questions/linux-security-4/)
-   -   iptables review (http://www.linuxquestions.org/questions/linux-security-4/iptables-review-4175420927/)

dschuett 08-07-2012 10:15 PM

iptables review
 
I am fairly new to iptables, and I just wanted to see if anyone would take a look at my script to see if I am going about iptables the Correct way. I guess my biggest question is if I am going about the order of rules the right way? And if you see anything that could be a possible vulnerability please let me know.

Thanks for your time.

Code:

#!/bin/bash

## Services ##
IPT=/sbin/iptables
IPS=/usr/sbin/ipset
SYSCTL=/sbin/sysctl
## Interfaces ##
INTIF="eth1"
EXTIF="eth0"
VPNIF_SGTS="tun0"
VPNIF_LMTL="tun1"
## Networks ##
INTNET="192.168.0.0/24"
LMTLNET="192.168.100.0/24"
GWISHNET="192.168.1.0/24"
VPNNET_SGTS="10.8.0.0/24"
VPNNET_LMTL="192.168.105.0/24"
## IP Addresses ##
INTADDR="192.168.0.1"
VPNADDR_SGTS="10.8.0.1"
VPNADDR_LMTL="192.168.105.44"
EXTADDR="x.x.x.x"
## Hosts ##
GREENMACHINE="192.168.0.201"
ANGWISH="192.168.1.1"
GWISHSERV="192.168.1.201"
IPKALL="x.x.x.x"


## Flush Iptable Rules
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

## Flush IPSet Rules
$IPS -F
$IPS -X

## Default Policies And Define Chains
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

## Setup Kernel Options
$SYSCTL -w net.ipv4.ip_forward=1 > $NULL ## IP Forwading
$SYSCTL -w net.ipv4.ip_dynaddr=0 > $NULL ## Dynamic Address Hacking
$SYSCTL -w net.ipv4.tcp_syncookies=1 > $NULL ## SYN Flood Protection
$SYSCTL -w net.ipv4.icmp_echo_ignore_broadcasts=1 > $NULL ## Ignore ICMP To Broadcast
$SYSCTL -w net.ipv4.icmp_ignore_bogus_error_responses=1 > $NULL ## Ignore ICMP To Broadcast
$SYSCTL -w net.ipv4.conf.all.rp_filter=1 > $NULL ## Source Validation
$SYSCTL -w net.ipv4.conf.all.accept_source_route=0 > $NULL ## Source Routed Packets
$SYSCTL -w net.ipv4.conf.all.accept_redirects=0 > $NULL ## ICMP Redirects
$SYSCTL -w net.ipv4.conf.all.send_redirects=0 > $NULL ## ICMP Redirects
$SYSCTL -w net.ipv4.conf.all.secure_redirects=1 > $NULL ## Secure Redirects
$SYSCTL -w net.ipv4.conf.all.log_martians=0 > $NULL ## Log Packets From Impossible Addresses
$SYSCTL -w net.netfilter.nf_conntrack_acct=1 > $NULL ## Connection Accounting

## Accept All Connections On lo, tun0, tun1, OpenVPN, And LAN
$IPT -A INPUT -i lo -j ACCEPT

## Start All TCP Connections With SYN
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

## Allow Unpriviledged Ports For Replies - Internal
$IPT -A INPUT -p tcp -d $INTADDR --dport 1024:5059 -i $INTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp -d $INTADDR --dport 1024:5059 -i $INTIF -j ACCEPT
$IPT -A INPUT -p tcp -d $INTADDR --dport 5062:65535 -i $INTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp -d $INTADDR --dport 5062:65535 -i $INTIF -j ACCEPT
## Allow Unpriviledged Ports For Replies - SGTS VPN
$IPT -A INPUT -p tcp -d $VPNADDR_SGTS --dport 1024:5059 -i $VPNIF_SGTS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp -d $VPNADDR_SGTS --dport 1024:5059 -i $VPNIF_SGTS -j ACCEPT
$IPT -A INPUT -p tcp -d $VPNADDR_SGTS --dport 5062:65535 -i $VPNIF_SGTS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp -d $VPNADDR_SGTS --dport 5062:65535 -i $VPNIF_SGTS -j ACCEPT
## Allow Unpriviledged Ports For Replies - External
$IPT -A INPUT -p tcp -d $EXTADDR --dport 1024:5059 -i $EXTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp -d $EXTADDR --dport 1024:5059 -i $EXTIF -j ACCEPT
$IPT -A INPUT -p tcp -d $EXTADDR --dport 5062:65535 -i $EXTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp -d $EXTADDR --dport 5062:65535 -i $EXTIF -j ACCEPT

## Allow Specific ICMP (0 = Echo Reply, 3 = Unreachable, 8 = Echo, 11 = Traceroute)
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT

## Allow Specific NTP Servers
for ADDR in 91.189.94.4 192.43.244.18; do # ubuntu,NIST
    $IPT -A INPUT -s $ADDR -d $EXTADDR -i $EXTIF -p udp --dport 123 -j ACCEPT
done

## No Ingress Filtering On LMTL VPN Network
$IPT -A INPUT -i $VPNIF_LMTL -j ACCEPT

## No Ingress Filering On OpenVPN
$IPT -A INPUT -d $EXTADDR -i $EXTIF -p udp --dport 1194 -j ACCEPT

## Internal Accessible Ports
for PORT in 22 53 69 80 123 3128; do ## TCP - ssh, dns, tftp, ntp, squid
    $IPT -A INPUT -s $INTNET -d $INTADDR -i $INTIF -p tcp --dport $PORT -j ACCEPT
done
for PORT in 53 69 123 5060; do ## UDP - dns, tftp, sip
    $IPT -A INPUT -s $INTNET -d $INTADDR -i $INTIF -p udp --dport $PORT -j ACCEPT
done

## SGTS VPN Accessible Ports
for PORT in 22 53; do ## TCP - ssh & dns
    $IPT -A INPUT -s $VPNNET_SGTS -d $VPNADDR_SGTS -i $VPNIF_SGTS -p tcp --dport $PORT -j ACCEPT
    $IPT -A INPUT -s $VPNNET_SGTS -d $INTNET -i $VPNIF_SGTS -p tcp --dport $PORT -j ACCEPT
    $IPT -A INPUT -s $GWISHNET -d $INTNET -i $VPNIF_SGTS -p tcp --dport $PORT -j ACCEPT
done
for PORT in 53 5060; do ## UDP dns & sip
        $IPT -A INPUT -s $VPNNET_SGTS -d $VPNADDR_SGTS -i $VPNIF_SGTS -p udp --dport $PORT -j ACCEPT
        $IPT -A INPUT -s $VPNNET_SGTS -d $INTNET -i $VPNIF_SGTS -p udp --dport $PORT -j ACCEPT
        $IPT -A INPUT -s $GWISHNET -d $INTNET -i $VPNIF_SGTS -p udp --dport $PORT -j ACCEPT
done

## IPKall - SIP Peer
$IPT -A INPUT -s $IPKALL -d $EXTADDR -i $EXTIF -p tcp --dport 5060 -j ACCEPT
$IPT -A INPUT -s $IPKALL -d $EXTADDR -i $EXTIF -p udp --dport 5060 -j ACCEPT

## Squid
$IPT -t nat -A PREROUTING -i $INTIF -p tcp ! -d $INTNET --dport 80 -j DNAT --to-destination $INTADDR:3128
$IPT -t nat -A PREROUTING -i $INTIF -p tcp ! -d $INTNET --dport 80 -j REDIRECT --to-port 3128

## Hairpin NAT For HTTP And SSH (This Is Updated By /root/jobs/CheckIP.sh And Cron)
for PORT in 2020 8080 443 5222; do
        $IPT -t nat -A PREROUTING -d $EXTADDR -p tcp --dport $PORT -j DNAT --to $GREENMACHINE:$PORT
        $IPT -t nat -A POSTROUTING -s $INTNET -p tcp --dport $PORT -d $GREENMACHINE -j MASQUERADE
done
## Port Forwards
for PORT in 2020 8080 443 5222; do
        $IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport $PORT -j DNAT --to $GREENMACHINE:$PORT
        $IPT -A FORWARD -p tcp -d $GREENMACHINE --dport $PORT -j ACCEPT
done

## Masquerade Internal Address As Extenal IP
$IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

## Anything To LMTL Send Out As tun1 IP So I Don't Have To Create Any Special Rules On lmtl-linux Firewall
$IPT -t nat -A POSTROUTING -d $LMTLNET -j SNAT --to $VPNADDR_LMTL

## NAT ACLs For tun0 - OpenVPN
$IPT -A FORWARD -i $EXTIF -o $VPNIF_SGTS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $VPNIF_SGTS -o $EXTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $VPNIF_SGTS -o $INTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -s $VPNNET_SGTS -d $INTNET -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

## NAT ACLs For tun1 - OpenVPN
for ADDR in x.x.x.x x.x.x.x x.x.x.x x.x.x.x; do
    $IPT -A FORWARD -s $ADDR -i $EXTIF -o $VPNIF_LMTL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s $ADDR -i $VPNIF_LMTL -o $EXTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s $ADDR -i $VPNIF_LMTL -o $INTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
done
$IPT -A FORWARD -s $VPNNET_LMTL -d $INTNET -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

## NAT ACLs For eth1
$IPT -A FORWARD -i $INTIF -m conntrack  --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $EXTIF -o $INTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

## Drop Anything Else
$IPT -A FORWARD -i $EXTIF -m conntrack --ctstate NEW,INVALID -j DROP

exit 0


frankbell 08-08-2012 08:32 PM

Unfortunately, I don't know enough about iptables to offer a critique, but one of the members of my LUG posted his iptables script in the hopes that it might help others.

Maybe you will be one of those others.

http://www.twuug.org/mediawiki/index...irewall_Script


All times are GMT -5. The time now is 09:16 AM.