LinuxQuestions.org

Linux - Security: IPtables Script Review (http://www.linuxquestions.org/questions/linux-security-4/iptables-script-review-177085/)

carmstrong 05-02-2004 05:19 PM

IPtables Script Review
 
Hello everyone! I've written an IPtables script for my server which won't be routing anything. I'd like any input on anything you see that may not work (I haven't tested this yet as I don't want to lock myself out of SSH!).


Okay below's the script. Are the protocols correct? I'm not sure which run on TCP and which on UDP. Also, are ICMP packets such as ping dropped because of my DROP default for the input chain? Shouldn't I add -j ACCEPT to the state line as well?

Code:

#!/bin/sh
IPTABLES=/usr/sbin/iptables
echo 0 > /proc/sys/net/ipv4/ip_forward
$IPTABLES -F
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 80
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 21
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 110
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 25
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 22
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 53
$IPTABLES -A INPUT -j ACCEPT -p udp --dport 53
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 80 --tcp-flags SYN,FIN,ACK SYN
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED

Thanks!

akroseit 05-03-2004 01:55 AM

Hi,

You need to put 1 instead of 0 here:

echo 1 > /proc/sys/net/ipv4/ip_forward

to forward the packets.

akumar@roseint.com

dominant 05-03-2004 05:40 AM

Why should he forward his packets? The machine is not a gateway.
And why do you put OUTPUT -> ACCEPT?

carmstrong 05-03-2004 06:57 PM

I want packets heading out of the machine to be allowed at first. Once I test this and get the machine configured I'll probably deny those and add specific holes to allow.

vapour-ifh- 05-03-2004 09:18 PM

Will hit the INPUT DROP first. I would move that to last in the chain.

Capt_Caveman 05-04-2004 12:09 AM

Quote:

Will hit the INPUT DROP first. I would move that to last in the chain.
Take a closer look. The first INPUT rule is the policy rule. The first rule that will really be at the top of the INPUT chain is the --dport 80 rule.

In general it's a pretty basic firewall, not bad, just basic. The second --dport 80 rule is redundant; you are already allowing all port 80 traffic through with this rule:

$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 80

so you don't need this one:

$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 80 --tcp-flags SYN,FIN,ACK SYN

I think you'll also find ftp doesn't work really well with your firewall like that (unless you limit clients to active ftp). Normally passive ftp will require you to open up a chunk of ports > 1023 (check your ftp server's docs). You could do some egress filtering (as per dominant's post), restrict DNS packets to only those of your DNS server (or your ISP's) and systems on your network. If you want to get a little more complex, you could add some things like burst limiting/logging rules and drop spoofed IPs.

-Nw- neX 05-04-2004 12:55 AM

Quote:

I think you'll also find ftp doesn't work really well with your firewall like that (unless you limit clients to active ftp). Normally passive ftp will require you to open up a chunk of ports > 1023 (check your ftp servers docs).
CC is correct. You don't want your ftp clients controlling the connection with active ftp; passive leaves the server in control. If you are using vsftpd, you can state a range of ports to use for passive ftp. Here's what you want to set in vsftpd.conf...

Code:

# vsftpd reads one option=value per line; a comment must be on its own line,
# otherwise the trailing text is taken as part of the value and rejected.
# enable pasv ftp
pasv_enable=YES
# first and last pasv port in range
pasv_min_port=63000
pasv_max_port=65534
# listen address here
pasv_address=xxx.xxx.xxx.xxx

other ftpd's have similar settings.

You are missing -s [source] on all your rules. So for services like http/smtp/pop that you want to accept from anywhere, set -s 0/0. If you are afraid of locking yourself out of ssh, you can use the -s flag and a few specific trusted IPs, or your internal network, to give yourself a backdoor to the system in case you blow up your connection. You might want to set up a rule to accept all from localhost, just in case [ever had this happen? I have. woo] things blow up on your local interface.

If you are running apache, you may also want to open up port 443 for https if you need secure communications.
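Pulling the thread's suggestions into one script (loopback and state rules with a real target, SSH limited to a trusted source, the passive-FTP range matching vsftpd.conf, DNS only for the internal network, rate-limited ping and logging, spoofed loopback dropped). This is an added example, not the original poster's script or anyone's post here; TRUSTED_NET, the passive range and the use of sysctl are assumptions. By default it only prints the rules so they can be reviewed before APPLY=1 loads them:

```shell
#!/bin/sh
# Single-host (non-routing) firewall assembled from the thread's advice.
# Default is a dry run that prints each rule; set APPLY=1 to load them.
# Constructed placeholders: TRUSTED_NET (admin/LAN range) and the
# passive-FTP range (must match pasv_min_port/pasv_max_port in vsftpd.conf).
IPTABLES=${IPTABLES:-/usr/sbin/iptables}
TRUSTED_NET=${TRUSTED_NET:-192.168.1.0/24}
PASV_MIN=${PASV_MIN:-63000}
PASV_MAX=${PASV_MAX:-65534}

# Every command goes through run(), so a dry run echoes instead of executing.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

build_rules() {
    run sysctl -w net.ipv4.ip_forward=0          # this box is not a gateway
    run "$IPTABLES" -F
    run "$IPTABLES" -P INPUT DROP
    run "$IPTABLES" -P FORWARD DROP
    run "$IPTABLES" -P OUTPUT ACCEPT              # tighten later, as the OP plans
    # Loopback first, so local services keep working even if the rest is wrong.
    run "$IPTABLES" -A INPUT -i lo -j ACCEPT
    # Drop spoofed packets claiming a loopback source on a real interface.
    run "$IPTABLES" -A INPUT ! -i lo -s 127.0.0.0/8 -j DROP
    # The state rule needs a target; without -j ACCEPT it matches but does nothing.
    run "$IPTABLES" -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
    # SSH only from trusted sources, so a mistake elsewhere cannot lock us out.
    run "$IPTABLES" -A INPUT -p tcp -s "$TRUSTED_NET" --dport 22 -j ACCEPT
    # Public services: new connections from anywhere (-s 0/0).
    for port in 80 443 25 110 21; do
        run "$IPTABLES" -A INPUT -p tcp -s 0/0 --dport "$port" -m state --state NEW -j ACCEPT
    done
    # Passive-FTP data ports, matching the vsftpd.conf range.
    run "$IPTABLES" -A INPUT -p tcp --dport "$PASV_MIN:$PASV_MAX" -m state --state NEW -j ACCEPT
    # DNS service only for the internal network, not the whole Internet.
    run "$IPTABLES" -A INPUT -p udp -s "$TRUSTED_NET" --dport 53 -j ACCEPT
    run "$IPTABLES" -A INPUT -p tcp -s "$TRUSTED_NET" --dport 53 -j ACCEPT
    # Ping is dropped by the INPUT policy unless allowed; rate-limit it.
    run "$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
    # Log (rate-limited) whatever is about to fall through to the DROP policy.
    run "$IPTABLES" -A INPUT -m limit --limit 3/min -j LOG --log-prefix "INPUT DROP: "
}

build_rules
```

Run it once without APPLY to read the rule list, then `APPLY=1 sh firewall.sh` as root from a console or a trusted-network session.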

