LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 08-07-2012, 10:15 PM   #1
dschuett
Member
 
Registered: Aug 2010
Posts: 40

Rep: Reputation: 1
iptables review


I am fairly new to iptables, and I just wanted to see if anyone would take a look at my script to see if I am going about iptables the Correct way. I guess my biggest question is if I am going about the order of rules the right way? And if you see anything that could be a possible vulnerability please let me know.

Thanks for your time.

Code:
#!/bin/bash

## Services ##
IPT=/sbin/iptables
IPS=/usr/sbin/ipset
SYSCTL=/sbin/sysctl
## Interfaces ##
INTIF="eth1"
EXTIF="eth0"
VPNIF_SGTS="tun0"
VPNIF_LMTL="tun1"
## Networks ##
INTNET="192.168.0.0/24"
LMTLNET="192.168.100.0/24"
GWISHNET="192.168.1.0/24"
VPNNET_SGTS="10.8.0.0/24"
VPNNET_LMTL="192.168.105.0/24"
## IP Addresses ##
INTADDR="192.168.0.1"
VPNADDR_SGTS="10.8.0.1"
VPNADDR_LMTL="192.168.105.44"
EXTADDR="x.x.x.x"
## Hosts ##
GREENMACHINE="192.168.0.201"
ANGWISH="192.168.1.1"
GWISHSERV="192.168.1.201"
IPKALL="x.x.x.x"


## Flush Iptable Rules
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X

## Flush IPSet Rules
$IPS -F
$IPS -X

## Default Policies And Define Chains
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

## Setup Kernel Options
$SYSCTL -w net.ipv4.ip_forward=1 > $NULL ## IP Forwading
$SYSCTL -w net.ipv4.ip_dynaddr=0 > $NULL ## Dynamic Address Hacking
$SYSCTL -w net.ipv4.tcp_syncookies=1 > $NULL ## SYN Flood Protection
$SYSCTL -w net.ipv4.icmp_echo_ignore_broadcasts=1 > $NULL ## Ignore ICMP To Broadcast
$SYSCTL -w net.ipv4.icmp_ignore_bogus_error_responses=1 > $NULL ## Ignore ICMP To Broadcast
$SYSCTL -w net.ipv4.conf.all.rp_filter=1 > $NULL ## Source Validation
$SYSCTL -w net.ipv4.conf.all.accept_source_route=0 > $NULL ## Source Routed Packets
$SYSCTL -w net.ipv4.conf.all.accept_redirects=0 > $NULL ## ICMP Redirects
$SYSCTL -w net.ipv4.conf.all.send_redirects=0 > $NULL ## ICMP Redirects
$SYSCTL -w net.ipv4.conf.all.secure_redirects=1 > $NULL ## Secure Redirects
$SYSCTL -w net.ipv4.conf.all.log_martians=0 > $NULL ## Log Packets From Impossible Addresses
$SYSCTL -w net.netfilter.nf_conntrack_acct=1 > $NULL ## Connection Accounting

## Accept All Connections On lo, tun0, tun1, OpenVPN, And LAN
$IPT -A INPUT -i lo -j ACCEPT

## Start All TCP Connections With SYN
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

## Allow Unpriviledged Ports For Replies - Internal
$IPT -A INPUT -p tcp -d $INTADDR --dport 1024:5059 -i $INTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp -d $INTADDR --dport 1024:5059 -i $INTIF -j ACCEPT
$IPT -A INPUT -p tcp -d $INTADDR --dport 5062:65535 -i $INTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp -d $INTADDR --dport 5062:65535 -i $INTIF -j ACCEPT
## Allow Unpriviledged Ports For Replies - SGTS VPN
$IPT -A INPUT -p tcp -d $VPNADDR_SGTS --dport 1024:5059 -i $VPNIF_SGTS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp -d $VPNADDR_SGTS --dport 1024:5059 -i $VPNIF_SGTS -j ACCEPT
$IPT -A INPUT -p tcp -d $VPNADDR_SGTS --dport 5062:65535 -i $VPNIF_SGTS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp -d $VPNADDR_SGTS --dport 5062:65535 -i $VPNIF_SGTS -j ACCEPT
## Allow Unpriviledged Ports For Replies - External
$IPT -A INPUT -p tcp -d $EXTADDR --dport 1024:5059 -i $EXTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp -d $EXTADDR --dport 1024:5059 -i $EXTIF -j ACCEPT
$IPT -A INPUT -p tcp -d $EXTADDR --dport 5062:65535 -i $EXTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp -d $EXTADDR --dport 5062:65535 -i $EXTIF -j ACCEPT

## Allow Specific ICMP (0 = Echo Reply, 3 = Unreachable, 8 = Echo, 11 = Traceroute)
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT

## Allow Specific NTP Servers
for ADDR in 91.189.94.4 192.43.244.18; do # ubuntu,NIST
    $IPT -A INPUT -s $ADDR -d $EXTADDR -i $EXTIF -p udp --dport 123 -j ACCEPT
done

## No Ingress Filtering On LMTL VPN Network
$IPT -A INPUT -i $VPNIF_LMTL -j ACCEPT

## No Ingress Filering On OpenVPN
$IPT -A INPUT -d $EXTADDR -i $EXTIF -p udp --dport 1194 -j ACCEPT

## Internal Accessible Ports
for PORT in 22 53 69 80 123 3128; do ## TCP - ssh, dns, tftp, ntp, squid
    $IPT -A INPUT -s $INTNET -d $INTADDR -i $INTIF -p tcp --dport $PORT -j ACCEPT
done
for PORT in 53 69 123 5060; do ## UDP - dns, tftp, sip
    $IPT -A INPUT -s $INTNET -d $INTADDR -i $INTIF -p udp --dport $PORT -j ACCEPT
done

## SGTS VPN Accessible Ports
for PORT in 22 53; do ## TCP - ssh & dns
    $IPT -A INPUT -s $VPNNET_SGTS -d $VPNADDR_SGTS -i $VPNIF_SGTS -p tcp --dport $PORT -j ACCEPT
    $IPT -A INPUT -s $VPNNET_SGTS -d $INTNET -i $VPNIF_SGTS -p tcp --dport $PORT -j ACCEPT
    $IPT -A INPUT -s $GWISHNET -d $INTNET -i $VPNIF_SGTS -p tcp --dport $PORT -j ACCEPT
done
for PORT in 53 5060; do ## UDP dns & sip
        $IPT -A INPUT -s $VPNNET_SGTS -d $VPNADDR_SGTS -i $VPNIF_SGTS -p udp --dport $PORT -j ACCEPT
        $IPT -A INPUT -s $VPNNET_SGTS -d $INTNET -i $VPNIF_SGTS -p udp --dport $PORT -j ACCEPT
        $IPT -A INPUT -s $GWISHNET -d $INTNET -i $VPNIF_SGTS -p udp --dport $PORT -j ACCEPT
done

## IPKall - SIP Peer
$IPT -A INPUT -s $IPKALL -d $EXTADDR -i $EXTIF -p tcp --dport 5060 -j ACCEPT
$IPT -A INPUT -s $IPKALL -d $EXTADDR -i $EXTIF -p udp --dport 5060 -j ACCEPT

## Squid
$IPT -t nat -A PREROUTING -i $INTIF -p tcp ! -d $INTNET --dport 80 -j DNAT --to-destination $INTADDR:3128
$IPT -t nat -A PREROUTING -i $INTIF -p tcp ! -d $INTNET --dport 80 -j REDIRECT --to-port 3128

## Hairpin NAT For HTTP And SSH (This Is Updated By /root/jobs/CheckIP.sh And Cron)
for PORT in 2020 8080 443 5222; do
        $IPT -t nat -A PREROUTING -d $EXTADDR -p tcp --dport $PORT -j DNAT --to $GREENMACHINE:$PORT
        $IPT -t nat -A POSTROUTING -s $INTNET -p tcp --dport $PORT -d $GREENMACHINE -j MASQUERADE
done
## Port Forwards
for PORT in 2020 8080 443 5222; do
        $IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport $PORT -j DNAT --to $GREENMACHINE:$PORT
        $IPT -A FORWARD -p tcp -d $GREENMACHINE --dport $PORT -j ACCEPT
done

## Masquerade Internal Address As Extenal IP
$IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

## Anything To LMTL Send Out As tun1 IP So I Don't Have To Create Any Special Rules On lmtl-linux Firewall
$IPT -t nat -A POSTROUTING -d $LMTLNET -j SNAT --to $VPNADDR_LMTL

## NAT ACLs For tun0 - OpenVPN
$IPT -A FORWARD -i $EXTIF -o $VPNIF_SGTS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $VPNIF_SGTS -o $EXTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $VPNIF_SGTS -o $INTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -s $VPNNET_SGTS -d $INTNET -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

## NAT ACLs For tun1 - OpenVPN
for ADDR in x.x.x.x x.x.x.x x.x.x.x x.x.x.x; do
    $IPT -A FORWARD -s $ADDR -i $EXTIF -o $VPNIF_LMTL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s $ADDR -i $VPNIF_LMTL -o $EXTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s $ADDR -i $VPNIF_LMTL -o $INTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
done
$IPT -A FORWARD -s $VPNNET_LMTL -d $INTNET -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT

## NAT ACLs For eth1
$IPT -A FORWARD -i $INTIF -m conntrack  --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $EXTIF -o $INTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

## Drop Anything Else
$IPT -A FORWARD -i $EXTIF -m conntrack --ctstate NEW,INVALID -j DROP

exit 0
 
Old 08-08-2012, 08:32 PM   #2
frankbell
Guru
 
Registered: Jan 2006
Location: Virginia, USA
Distribution: Slackware, Mageia, Mint
Posts: 7,627

Rep: Reputation: 1442Reputation: 1442Reputation: 1442Reputation: 1442Reputation: 1442Reputation: 1442Reputation: 1442Reputation: 1442Reputation: 1442Reputation: 1442
Unfortunately, I don't know enough about iptables to offer a critique, but one of the members of my LUG posted his iptables script in the hopes that it might help others.

Maybe you will be one of those others.

http://www.twuug.org/mediawiki/index...irewall_Script
 
  


Reply

Tags
iptables


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Requesting some community review of my iptables.rules psycroptic Linux - Networking 6 08-26-2011 11:49 AM
LXer: Review: Before Ubuntu Was SimplyMepis: A Long-Term Review LXer Syndicated Linux News 0 05-12-2009 10:50 AM
LXer: Mini Review: Open Source in Harvard Business Review LXer Syndicated Linux News 0 05-03-2008 07:30 AM
LXer: Mini Review: Open Source inHarvard Business Review LXer Syndicated Linux News 0 05-02-2008 05:10 AM
IPtables Script Review carmstrong Linux - Security 6 05-04-2004 12:55 AM


All times are GMT -5. The time now is 01:43 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration