LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

Reply
 
LinkBack Search this Thread
Old 05-02-2004, 05:19 PM   #1
carmstrong
LQ Newbie
 
Registered: May 2004
Location: Pittsburgh, PA, USA
Distribution: Fedora Core 1
Posts: 19

Rep: Reputation: 0
Lightbulb IPtables Script Review


Hello everyone! I've written an IPtables script for my server which won't be routing anything. I'd like any input on anything you see that may not work (I haven't tested this yet as I don't want to lock myself out of SSH!).


Okay below's the script. Are the protocols correct? I'm not sure which run on TCP and which on UDP. Also, are ICMP packets such as ping dropped because of my DROP default for the input chain? Shouldn't I add -j ACCEPT to the state line as well?

Code:
#!/bin/sh 
IPTABLES=/usr/sbin/iptables 
echo 0 > /proc/sys/net/ipv4/ip_forward 
$IPTABLES -F 
$IPTABLES -P INPUT DROP 
$IPTABLES -P FORWARD DROP 
$IPTABLES -P OUTPUT ACCEPT 
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 80 
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 21 
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 110 
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 25 
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 22 
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 53 
$IPTABLES -A INPUT -j ACCEPT -p udp --dport 53 
$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 80 --tcp-flags SYN,FIN,ACK SYN 
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED
Thanks!
 
Old 05-03-2004, 01:55 AM   #2
akroseit
LQ Newbie
 
Registered: Apr 2004
Location: India
Posts: 1

Rep: Reputation: 0
HI,

you need to put 1 instead of 0 here.

echo 1 > /proc/sys/net/ipv4/ip_forward

to forward the packets.

akumar@roseint.com
 
Old 05-03-2004, 05:40 AM   #3
dominant
Member
 
Registered: Jan 2004
Posts: 409

Rep: Reputation: 30
Why should he forward his packets? The machine in not a gateway.
And why do you put OUTPUT -> ACCEPT?
 
Old 05-03-2004, 06:57 PM   #4
carmstrong
LQ Newbie
 
Registered: May 2004
Location: Pittsburgh, PA, USA
Distribution: Fedora Core 1
Posts: 19

Original Poster
Rep: Reputation: 0
I want packets heading out of the machine to be allowed at first.. once I test this and get the machine configured I'll probably deny those and add specific holes to allow.
 
Old 05-03-2004, 09:18 PM   #5
vapour-ifh-
LQ Newbie
 
Registered: Mar 2004
Posts: 6

Rep: Reputation: 0
Will hit the INPUT DROP first. I would move that to last in the chain.
 
Old 05-04-2004, 12:09 AM   #6
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Will hit the INPUT DROP first. I would move that to last in the chain.
Take a closer look. The first INPUT rule is the policy rule. The first rule that will really be at the top of the INPUT chain is the --dport 80 rule.

In general it's a pretty basic firewall, not bad just basic. The second --dport 80 rule is redundant (you are already allowing all port 80 traffic through with this rule:

$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 80

so you don't need this one:

$IPTABLES -A INPUT -j ACCEPT -p tcp --dport 80 --tcp-flags SYN,FIN,ACK SYN

I think you'll also find ftp doesn't work really well with your firewall like that (unless you limit clients to active ftp). Normally passive ftp will require you to open up a chunk of ports > 1023 (check your ftp servers docs). You could do some egress filtering (as per dominants post), restrict DNS packets to only those of your DNS server (or your ISPs) and systems on your network. If you want to get a little more complex, you could add some things like burst limiting/logging rules and drop spoofed IPs.
 
Old 05-04-2004, 12:55 AM   #7
-Nw- neX
Member
 
Registered: Apr 2004
Distribution: Gentoo, RHL, CentOS, Ubuntu, FreeBSD,
Posts: 88

Rep: Reputation: 15
Quote:
I think you'll also find ftp doesn't work really well with your firewall like that (unless you limit clients to active ftp). Normally passive ftp will require you to open up a chunk of ports > 1023 (check your ftp servers docs).
cc is correct. you dont want your ftp clients controlling the connection with active ftp. passive leaves the server in control. if you are using vsftpd, you can state a range of ports to use for passive ftp. heres what you want to set in the vsftpd.conf...

Code:
pasv_enable=YES                     # enable pasv ftp
pasv_min_port=63000                       # first pasv port in range
pasv_max_port=65534                      # last pasv port in range
pasv_address=xxx.xxx.xxx.xxx          # listen address here
other ftpd's have similar settings.

you are missing -s [source] on all your rules. so services like http/smtp/pop you want to have -s 0/0 set for accept from anywhere. if you are afraid of locking yourself out of ssh, you can use the -s flag and a few spesific trusted IPs, or your intenal network, to give yourself a backdoor to the system in the case you blow up your connection. you might want to set up a rule to accep all from localhost, just in case [ever had this happen? i have. woo] things blow up on your local interface.

if you are running apache, you may also want to open up port 443 for https if you need secure communications.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off
Trackbacks are Off
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Iptables (with masq) troubleshooting, very simple script attached script and logs. xinu Linux - Networking 13 11-01-2007 04:19 AM
iptables script tomsasse Linux - Networking 3 09-17-2005 05:25 PM
bash script: Review please carmstrong Linux - General 1 06-13-2004 09:43 AM
IPTABLES script help closer Linux - Networking 18 11-04-2002 09:48 AM
My iptables script is /etc/sysconfig/iptables. How do i make this baby execute on boo ForumKid Linux - General 3 01-22-2002 07:36 AM


All times are GMT -5. The time now is 02:20 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration