LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
Search this Thread
Old 08-31-2005, 04:56 PM   #1
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,115

Rep: Reputation: 58
Iptables Rules


Here is my iptables rules:


# Generated by iptables-save v1.2.8 on Thu Jun 2 23:32:55 2005
*nat
:PREROUTING ACCEPT [31:3208]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [48:2880]
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT
# Completed on Thu Jun 2 23:32:55 2005
# Generated by iptables-save v1.2.8 on Thu Jun 2 23:32:55 2005
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [744:319548]
:block - [0:0]
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j block
-A INPUT -i ppp0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -i ppp0 -m state --state INVALID,NEW -j DROP
-A FORWARD -j block
-A FORWARD -i ppp0 -m state --state INVALID,NEW -j DROP
-A FORWARD -m limit --limit 3/hour -j LOG
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -i ppp0 -m state --state INVALID,RELATED,ESTABLISHED -j DROP
-A block -m state --state RELATED,ESTABLISHED -j ACCEPT
-A block -i ! ppp0 -m state --state NEW -j ACCEPT
-A block -j DROP
COMMIT
# Completed on Thu Jun 2 23:32:55 2005

Can I get some feedback on my iptables rules. Does this look like a decent set of rules. Gurus let me have it!
 
Old 08-31-2005, 05:15 PM   #2
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
Most of your rules will NEVER be evaluated because they come AFTER a -j block:
Code:
-A INPUT -i ppp0 -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -i ppp0 -m state --state INVALID,NEW -j DROP
and
Code:
-A FORWARD -i ppp0 -m state --state INVALID,NEW -j DROP
-A FORWARD -m limit --limit 3/hour -j LOG
-A FORWARD -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK RST -m limit --limit 1/sec -j ACCEPT
-A FORWARD -p icmp -m limit --limit 1/sec -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -i ppp0 -m state --state INVALID,RELATED,ESTABLISHED -j DROP
Also, WHY are you dropping ESTABLISHED,RELATED traffic? Most rulesets have '-m state --state ESTABLISHED,RELATED -j ACCEPT' for stateful filtering.

I wonder why you are limiting matches to 1/sec on a lot of rules. Do consider that those packets will fall down to later rules, and you're likely to end up dropping important packets and giving you a headache later.

Also, the policies for INPUT and especially FORWARD are set to ACCEPT by default. So if a packet is not explicitly denied, it is accepted.

Sorry if this seems harsh, it's just what I saw.
 
Old 08-31-2005, 05:48 PM   #3
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,115

Original Poster
Rep: Reputation: 58
I can you give me decent iptables script that I can follow as a good guidline. thanks
 
Old 09-01-2005, 03:43 AM   #4
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 197Reputation: 197
Perhaps this was done offline?
Not very freindly to folk following from a search...

Here's my favorite "Mad Dog" firewall.
'tis a basic, restrictive, firewall for a home system.

All security should start with some sort of policy statement.

Security Policy:
1. Nothing gets in or out without permission.
2. Permission must be explicitly set
3. Internal systems are unlimited
4. Nothing gets in without my asking for it
5. Everything gets out.

Basic Rules:
Code:
## == mdh firewall =======
#!/bin/sh

# remove existing rules
iptables --flush
iptables -t nat --flush
iptables --delete_chain
iptables --zero

# Set up a default DROP policy for the built-in chains.
iptables --policy INPUT DROP
iptables --policy FORWARD DROP
iptables --policy OUTPUT DROP

# Allow all traffic through the loopback interface
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow initiated traffic in
iptables -A INPUT -m state --state RELATED,EXISTING -j ACCEPT

# Uncomment to allow SSH connections
#iptables -A INPUT -t tcp -j ACCEPT -dport 22

# Allow all traffic out
# Any other output rule should go /before/ this one
iptables -A OUTPUT -m state --state NEW,RELATED,EXISTING -j ACCEPT
This makes things tricky but not impossible.
If you have a network, you'll need to make a hole for that too.
 
Old 09-05-2005, 07:06 PM   #5
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,115

Original Poster
Rep: Reputation: 58
I am in the process of redoing the whole things. My current script in a true joke. I have been given no respect up until this point but that will change after I display my total overhaul of my new IPTABLES script. Give me a few and I will displaying it for criticism or for koodos. thanks
 
Old 09-07-2005, 07:03 PM   #6
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 197Reputation: 197
metallica1973: interesting - IMO you have been given nothing but respect. All criticism was phrased with the assumption you had valid reasons for wht you did - and you did invite criticism. Mind you, Matir did shout a bit ... but I don't think he meant to
 
Old 09-07-2005, 09:49 PM   #7
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
I really did not mean to shout in any way. I'm sorry if it came across that way. I (unfortunately) sometimes use LQ as a place to wind down after work, and sometimes the line gets blurred. Sorry if you were offended, I truly did not mean it.
 
Old 09-07-2005, 11:13 PM   #8
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 197Reputation: 197
No trouble Matir: just in case someone searching into this forum dosn't know what I was talking about... I was refferring to the following line:
Quote:
Most of your rules will NEVER be evaluated because they come AFTER a -j block:
... when words are capitalised like that (unless they must be like that - like with the iptables "policy" statements) it looks like shouting.

If you intend boldface or emphasised you can use vb codes like this or this. For example, Matir's statement is best with italics for emphasis like this:
Quote:
Most of your rules will never be evaluated because they come after a -j block:
I point out that Matir very clearly did not intend to shout - this was clear because of the calm-measured tones of the rest of the post.
 
Old 09-07-2005, 11:20 PM   #9
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
Yeah, I should've used italics. Bad habits from IRC where color/bold/underline is generally discouraged.
 
Old 09-08-2005, 03:12 AM   #10
Simon Bridge
Guru
 
Registered: Oct 2003
Location: Waiheke NZ
Distribution: Ubuntu
Posts: 9,211

Rep: Reputation: 197Reputation: 197
... anyway, in IRC you gotta get in there fast

Back on topic -
Perhaps you could cast your eye over the mdh firewall and suggest modifications?
I'd especially like to know why it blocks internet in FC2 (not tried with FC4) but works like a charm in RH9.
 
Old 09-08-2005, 09:20 PM   #11
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,115

Original Poster
Rep: Reputation: 58
Gentlemen I truly apprieciate all of your help especially MATIR and SIMON BRIDGE. My last post was not in disappointment, I was just simply saying that in order to get respect to must earn it and I was refering to my linux skills using IPTABLES. I am from the barrio and that is just a term of speech. LOL Everylast one of you that has responded to any of my post kicks but. I want to one day become a senior member and help out newbies like me. I classify myself as a newbie maybe an idiot but not a newbie LOL. thanks

P.S

iptables rules can be a bit challenging!
 
Old 09-08-2005, 09:29 PM   #12
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
Sometimes even I have to stop and think about the ordering and arrangement of iptables rules.

Don't fret. And you have gained my respect by showing yourself as someone who is willing to work and learn for answers, rather than expecting us to feed you the exact commands for your goal. I do hope you will answer the questions of those who are new to linux as you become more experienced with it yourself.
 
Old 09-08-2005, 09:36 PM   #13
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,115

Original Poster
Rep: Reputation: 58
These are to refuse directed broadcasts

iptables -A INPUT -i $EXTERNAL_INTERFACE -d $EXTERNAL_NETWORK -j DROP

iptables -A INPUT -i $EXTERNAL_INTERFACE -d $BROADCAST_NET -j DROP

and this for spoofing

iptables -A INPUT -i $EXTERNAL_INTERFACE -s $EXTERNAL_IP -j LnD

my questions is on the variable $EXTERNAL_NETWORK. What does that mean. Do they mean the nic card that goes out to the internet?

and the variable $EXTERNAL_IP what does that mean. Does it also mean the nic that goes to the internet. Are they the same. I need a little clarification.

also

# Refuse malformed broadcast packets.

iptables -A INPUT -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j LnD
iptables -A INPUT -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j LnD
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j LnD
iptables -A OUTPUT -o $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j LnD

Does the variable $BROADCAST_DEST mean your lan broadcast address like 192.168.2.255

Does the variable $BROADCAST_SRC mean broadcast address like 255.255.225.255

Please translate!

Last edited by metallica1973; 09-08-2005 at 09:42 PM.
 
Old 09-08-2005, 09:41 PM   #14
Matir
Moderator
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Ubuntu
Posts: 8,507

Rep: Reputation: 118Reputation: 118
Well, those rules seem to assume a static IP address. For example, if your ip was 99.99.99.99, then your external network might be 99.99.99.0/255.255.255.0. It's the IP/network/broadcast related to the interface that goes out towards the internet.
 
Old 09-08-2005, 10:01 PM   #15
metallica1973
Senior Member
 
Registered: Feb 2003
Location: Washington D.C
Posts: 2,115

Original Poster
Rep: Reputation: 58
Then how would you explain a dynamic address and opposed to a static address? and could I translate that $EXTERNAL_NETWORK or $EXTERNAL_IP and would it mean the same thing. The reason I ask this is because at home I use PPPOE from my ISP and it dynamically assigns my DSL modem an IP address. So to add that statement to my firewall would it work if I would to translate the $EXTERNAL_NETWORK or $EXTERNAL_IP with lets say ppp0 as my external_ network or external_ip? help. I am slowly working on my firewall. thanks
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
IPTABLES - rules in /etc/sysconfig/iptables The_JinJ Linux - Newbie 6 11-20-2004 01:40 AM
iptables rules puding Linux - Networking 2 08-09-2004 10:46 PM
iptables rules Fatz Linux - Security 1 08-05-2004 06:04 AM
IPTables rules dkny01 Linux - Networking 6 10-23-2003 12:52 AM
iptables rules hazza96 Linux - Security 3 09-09-2001 11:16 AM


All times are GMT -5. The time now is 11:39 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration