LinuxQuestions.org > Linux - Security > Is this firewall script safe? (http://www.linuxquestions.org/questions/linux-security-4/is-this-firewall-script-safe-514622/)

eponymous 12-29-2006 11:33 AM

Is this firewall script safe?
 
Hi, I'm about to use this firewall script (modified to my needs of course) on my Gentoo server.

Code:

#!/bin/bash
#
# This is a sample firewall for ip_tables, the tool for doing firewalling
# and masquerading under the 2.3.x/2.4.x series of kernels.
#
# Be warned, this is a very restrictive set of firewall rules (and they
# should be, for proper security). Anything that you do not _specifically_
# allow is logged and dropped into /dev/null, so if you're wondering why
# something isn't working, check /var/log/messages.
#
# This is about as close as you get to a 'secure' firewall. It's nasty,
# it's harsh, and it will make your machine nearly invisible to the rest
# of the internet world. Have fun.
#
# To run this script you must 'chmod 700 iptables-script' and then execute
# it. To stop it from running, run 'iptables -F'

#Point this to your copy of ip_tables
IPT="/usr/local/bin/iptables"

#Load the module.
modprobe ip_tables

#Flush old rules, delete the firewall chain if it exists
$IPT -F
$IPT -F -t nat
$IPT -X firewall

#Setup Masquerading. Change the IP to your internal network and uncomment
#this in order to enable it.
#$IPT -A POSTROUTING -t nat -s 192.168.1.0/24 -j MASQUERADE
#$IPT -P FORWARD ACCEPT
#echo 1 > /proc/sys/net/ipv4/ip_forward

#Set up the firewall chain
$IPT -N firewall
$IPT -A firewall -j LOG --log-level info --log-prefix "Firewall:"
$IPT -A firewall -j DROP

#Accept ourselves
$IPT -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
#If you're using IP Masquerading, change this IP to whatever your internal
#IP address is and uncomment it
#$IPT -A INPUT -s 192.168.1.1/32 -d 0/0 -j ACCEPT

#Accept DNS, 'cause it's warm and friendly
#(note: this matches any UDP packet with source port 53, not only replies
# to our own queries; the stateful rules later in this thread are tighter)
$IPT -A INPUT -p udp --source-port 53 -j ACCEPT
#Accept ident (auth, port 113) in both directions
$IPT -A INPUT -p tcp --source-port 113 -j ACCEPT
$IPT -A INPUT -p tcp --destination-port 113 -j ACCEPT

#Allow ftp to send data back and forth.
$IPT -A INPUT -p tcp ! --syn --source-port 20 --destination-port 1024:65535 -j ACCEPT

#Accept SSH. Duh.
#$IPT -A INPUT -p tcp --destination-port 22  -j ACCEPT

#Send everything else to the firewall.
$IPT -A INPUT -p icmp -j firewall
$IPT -A INPUT -p tcp --syn -j firewall
$IPT -A INPUT -p udp -j firewall

Can anyone give me any hints on how secure it is?

I did read in this guide that one should place ACCEPTS after DENYS. (Section: "iptables ACCEPTS")


However, I don't see any DENY rules in the script I posted, just "firewall"'s and they appear after the ACCEPT rules :S.

Thanks.

win32sux 12-29-2006 11:44 AM

what services will the server be running?? how many interfaces does it have?? will it also be serving as a router?? how tight do you want the rules to be??

eponymous 12-29-2006 11:59 AM

Quote:

Originally Posted by win32sux
what services will the server be running?? how many interfaces does it have?? will it also be serving as a router?? how tight do you want the rules to be??

It will be running SSH2, Samba (only for local network) and OpenVPN (as an endpoint). It's only really acting as a router for the OpenVPN endpoint. I want maximum security really.

Thanks.

win32sux 12-29-2006 12:19 PM

Quote:

Originally Posted by eponymous
It will be running SSH2, Samba (only for local network) and OpenVPN (as an endpoint). It's only really acting as a router for the OpenVPN endpoint. I want maximum security really.

Thanks.

so that's two interfaces then, right??

hmmm, ok... well then, yes - there are some issues in your script... like, that FTP stuff, for example... not only is it not needed but it's also quite ancient syntax from back in the ipchains days... here's a cleaned-up script to get you started... it lacks the VPN/FORWARD rules as i'm not sure what you are referring to in that regard... if you elaborate a little i'll gladly try to add the proper rules for you...

this script is set to do Samba and SSH2 for the LAN - and nothing else:

Code:

#!/bin/sh

IPT="/usr/local/bin/iptables"

LAN_IFACE="eth0"
LAN_NET="192.168.1.0/24"
ADMIN_IP="192.168.1.2"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

# NETBIOS Name Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET --dport 137 \
-m state --state NEW -j ACCEPT

# NETBIOS Datagram Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET --dport 138 \
-m state --state NEW -j ACCEPT

# NETBIOS session service:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 139 \
-m state --state NEW -j ACCEPT

# Microsoft Naked CIFS:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 445 \
-m state --state NEW -j ACCEPT

# SSH2 Daemon:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $ADMIN_IP --dport 22 \
-m state --state NEW -j ACCEPT

# Log (with limit) other packets before sending them to DROP:
$IPT -A INPUT -j LOG -m limit --limit 3/minute \
--log-prefix "INPUT DROP: "

$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Log all other packets before sending them to DROP:
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "


sarajevo 12-29-2006 12:24 PM

Hi,

first take a look at
http://iptables-tutorial.frozentux.n...-tutorial.html
http://www.linuxquestions.org/questi...light=sarajevo

start your script setting default policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

and after that implement other rules.
echo 1 > /proc/sys/net/ipv4/ip_forward should be implemented as last rule, I mean after all iptables rules are set.

I think implementing a script for different systems is a completely different task, and you :tisk: cannot use some script you googled around the web for your system, because I suppose your system is different and needs a custom script.

I recommend you read the iptables tutorial, it's worth it, and of course ask, people will help :) :)

Regards

eponymous 12-29-2006 01:01 PM

Thanks for the posts.

Yea, eth0 is the only interface on my system. I also have a TUN/TAP device (I assume) for my OpenVPN endpoint.

I thought of doing this for forwarding to VPN clients:

For BitTorrent, e.g.:

Code:

#Allow BitTorrent
$IPTABLES -A INPUT -p tcp --dport 6881 -j ACCEPT
#DNAT the port to the VPN client; the redirected packets then traverse the
#FORWARD chain (not INPUT), so FORWARD must also let them through
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 6881 -j DNAT --to 10.8.0.6:6881
$IPTABLES -A FORWARD -p tcp -i eth0 -d 10.8.0.6 --dport 6881 -j ACCEPT

Also, security-wise I'm thinking of doing things like:

Code:

#VPN pool only: match the tunnel interface (tun0), not eth0, so a forged 10.8.0.x source arriving on eth0 is not accepted
$IPTABLES -A INPUT -i tun0 -s 10.8.0.0/24 -d 0/0 -p tcp --dport 22 -j ACCEPT

Where 10.8.0.6 is the IP given to clients connecting to the OpenVPN endpoint.

Assuming I'm not using FTP, does this firewall provide a high level of security otherwise?

I'd like to read through the tutorials you've given me but they're so long and I'm very restricted with time at the minute.

However, win32sux, your firewall looks just like what the doctor ordered. Can you give me an example of the VPN redirects? Also, do I need to add any more rules for the VPN?

I noticed that there are some nice rules to block all UDP/TCP/ICMP traffic in the old firewall script I gave you, will your version do the same?

If it helps, I was looking at Firestarter (I doubt i will use it though as I prefer a pure hand written script), and it says I have the following devices:

* Routed IP Tunnel (tunl0)
* Unknown Device (gre0)
* IPv6 Tunnel (sit0) (I enabled some IPv6 in the kernel)
* Ethernet Device (eth0) (which is connected to the main network and internet - everything goes through here)
* Routed IP Tunnel (tun0)

Also, my local network uses a 192.168.0.0/24 range.
My VPN uses a 10.8.0.0/24 range.

I need my VPN nat'ed with my eth0, so web traffic coming in through the VPN is redirected out of eth0 to the internet.

I also want to allow SSH2 from only two IPs, one on a local network, and one on the internet. I'm sure I can just simply add another rule below the one you have for the "ADMIN IP" (which I can change to suit my needs).

Thanks :).

eponymous 12-30-2006 01:24 PM

Can anyone help? :)

win32sux 12-30-2006 01:41 PM

Quote:

Originally Posted by eponymous
However, win32sux, your firewall looks just like what the doctor ordered. Can you give me an example of the VPN redirects? Also, do I need to add any more rules for the VPN?

yes, you'll need rules for the VPN... unfortunately, i am not quite understanding how your VPN setup works and hence i can't write the rules... i'll be installing OpenVPN in the next few days when my new laptop arrives, so by next week i should have a decent understanding of what you are going through and what iptables rules you need...

Quote:

I noticed that there are some nice rules to block all UDP/TCP/ICMP traffic in the old firewall script I gave you, will your version do the same?

yes, the script i posted will block ANYTHING which doesn't have a rule specifically allowing it... it will also log when that happens so you'll know...

Quote:

I also want to allow SSH2 from only two IPs, one on a local network, and one on the internet. I'm sure I can just simply add another rule below the one you have for the "ADMIN IP" (which I can change to suit my needs).

yeah, just make sure you give the variable a different name, like this perhaps:

Code:

#!/bin/sh

IPT="/usr/local/bin/iptables"

LAN_IFACE="eth0"
LAN_NET="192.168.1.0/24"

ADMIN_IP1="192.168.1.2"
ADMIN_IP2="200.100.100.140"


$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

# NETBIOS Name Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET --dport 137 \
-m state --state NEW -j ACCEPT

# NETBIOS Datagram Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET --dport 138 \
-m state --state NEW -j ACCEPT

# NETBIOS session service:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 139 \
-m state --state NEW -j ACCEPT

# Microsoft Naked CIFS:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 445 \
-m state --state NEW -j ACCEPT

# SSH2 Daemon (ADMIN #1):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $ADMIN_IP1 --dport 22 \
-m state --state NEW -j ACCEPT

# SSH2 Daemon (ADMIN #2):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $ADMIN_IP2 --dport 22 \
-m state --state NEW -j ACCEPT


# Log (with limit) other packets before sending them to DROP:
$IPT -A INPUT -j LOG -m limit --limit 3/minute \
--log-prefix "INPUT DROP: "

$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

# Log all other packets before sending them to DROP:
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "

sorry that i can't be more helpful... i'll be monitoring this thread to see if anyone posts the proper procedures for doing this, cuz i'm interested in learning too... but in any case, like i said, i should have this down by next week either way (i'll post)... good luck!!!

eponymous 12-30-2006 02:11 PM

Great! thanks!

I made up a firewall a few days ago using the one I posted to you and added the rules for the openvpn forwards.

They do work, but I'm just wondering if I'm missing something and/or if the syntax is as old and out of date as the rest.

eponymous 12-30-2006 05:42 PM

Hmm, I've just finished customizing the script. When I tried running it, it says:
Code:

iptables v1.3.5: Can't use -i with OUTPUT

Try `iptables -h' or 'iptables --help' for more information.

Do you have any ideas?

win32sux 12-30-2006 05:54 PM

Quote:

Originally Posted by eponymous
Hmm, I've just finished customizing the script. When I tried running it, it says:
Code:

iptables v1.3.5: Can't use -i with OUTPUT

Try `iptables -h' or 'iptables --help' for more information.

Do you have any ideas?

sorry, it was a typo caused by all the copy/pasting involved in writing iptables rules... :)

i've corrected it... OUTPUT rules use a "-o" instead of a "-i"...

eponymous 12-30-2006 06:24 PM

Hmmm, seems to have fixed it. But is this firewall supposed to stop me pinging www.google.com?

Thanks a lot for your help so far btw :)

win32sux 12-30-2006 06:33 PM

Quote:

Originally Posted by eponymous
Hmmm, seems to have fixed it. But is this firewall supposed to stop me pinging www.google.com?

yeah... you said you wanted maximum security... so since the server you described (Samba/SSH2/OpenVPN) has no need to be making any outgoing connections or pinging and stuff, it's all firewalled by the script...

the server won't be able to start any connections on its own - only clients will be able to start them with the server... hence, for example, if someone were to find a user-level exploit on one of your services, they wouldn't be able to use your server to attack other boxes on your LAN or on the Internet, etc...

that said, to allow outgoing PINGs just add a rule for it... like this (notice i also had to add a rule allowing outgoing DNS lookups or else you'd only be able to ping IP addresses):
Code:

#!/bin/sh

IPT="/usr/local/bin/iptables"

LAN_IFACE="eth0"
LAN_NET="192.168.1.0/24"

ADMIN_IP1="192.168.1.2"
ADMIN_IP2="200.100.100.140"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

# NETBIOS Name Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET --dport 137 \
-m state --state NEW -j ACCEPT

# NETBIOS Datagram Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET --dport 138 \
-m state --state NEW -j ACCEPT

# NETBIOS session service:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 139 \
-m state --state NEW -j ACCEPT

# Microsoft Naked CIFS:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 445 \
-m state --state NEW -j ACCEPT

# SSH2 Daemon (ADMIN #1):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $ADMIN_IP1 --dport 22 \
-m state --state NEW -j ACCEPT

# SSH2 Daemon (ADMIN #2):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $ADMIN_IP2 --dport 22 \
-m state --state NEW -j ACCEPT

# Log (with limit) other packets before sending them to DROP:
$IPT -A INPUT -j LOG -m limit --limit 3/minute \
--log-prefix "INPUT DROP: "

$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

$IPT -A OUTPUT -p ICMP -o $LAN_IFACE --icmp-type 8 \
-m state --state NEW -j ACCEPT

$IPT -A OUTPUT -p UDP -o $LAN_IFACE --dport 53 \
-m state --state NEW -j ACCEPT


# Log all other packets before sending them to DROP:
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "


eponymous 12-30-2006 07:36 PM

Wow! Damn, that's some nice security :D. Perfect. Thanks!

Also how do I allow web traffic, simply add a port 80 rule?

How would one allow all OUTBOUND traffic?

I may have confused you/myself. I do need to be able to access things like IRC, MSN, FTP, HTTP etc from the machine, as it's not only a server, but a desktop machine running Gaim etc.

I'd be happy making individual rules for each application if it's better to do that?

Also, just to be sure, when I run iptables -L I get this:

ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere

Can you explain what these mean?

Thanks a lot!

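The thread never gets to the OpenVPN FORWARD/NAT rules eponymous asked for, nor to the per-service outbound rules from the post above, so here is an added example covering both (mine, not from the thread or any of its posters). It assumes eth0, tun0 and 10.8.0.0/24 as stated in the thread, OpenVPN's default port 1194/udp, and is meant to run on top of win32sux's DROP-policy script with ip_forward enabled afterwards, as sarajevo advised.

```shell
#!/bin/sh
# Added example: VPN forwarding/NAT plus per-service outbound rules.
# Assumptions: eth0 = LAN/Internet interface, tun0 = OpenVPN interface,
# 10.8.0.0/24 = VPN pool (from the thread); 1194/udp = OpenVPN default port.
# By default the rules are only printed for review; run as root with
# IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"

LAN_IFACE="eth0"
VPN_IFACE="tun0"
VPN_NET="10.8.0.0/24"
VPN_PORT="1194"

vpn_rules() {
    # Let VPN clients reach the endpoint itself.
    $IPT -A INPUT -p udp -i "$LAN_IFACE" --dport "$VPN_PORT" \
        -m state --state NEW -j ACCEPT
    # Clients on tun0 may open connections out through eth0; only replies
    # to those connections are forwarded back in.
    $IPT -A FORWARD -i "$VPN_IFACE" -o "$LAN_IFACE" -s "$VPN_NET" \
        -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i "$LAN_IFACE" -o "$VPN_IFACE" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Hide the VPN pool behind the server's eth0 address.
    $IPT -t nat -A POSTROUTING -s "$VPN_NET" -o "$LAN_IFACE" -j MASQUERADE
    # SSH from the VPN pool: match the tunnel interface, not eth0, so a
    # packet on eth0 with a forged 10.8.0.x source does not qualify.
    $IPT -A INPUT -p tcp -i "$VPN_IFACE" -s "$VPN_NET" --dport 22 \
        -m state --state NEW -j ACCEPT
    # Log what FORWARD's DROP policy discards, rate limited like INPUT.
    $IPT -A FORWARD -j LOG -m limit --limit 3/minute \
        --log-prefix "FORWARD DROP: "
}

# One OUTPUT rule per service the desktop side needs (HTTP, HTTPS, FTP
# control, IRC, MSN) instead of opening OUTPUT entirely, so a compromised
# daemon still cannot reach arbitrary ports. FTP data channels only count
# as RELATED once the ip_conntrack_ftp helper module is loaded.
outbound_rules() {
    for spec in tcp:80 tcp:443 tcp:21 tcp:6667 tcp:1863; do
        $IPT -A OUTPUT -p "${spec%%:*}" -o "$LAN_IFACE" --dport "${spec##*:}" \
            -m state --state NEW -j ACCEPT
    done
}

vpn_rules
outbound_rules
```
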
eponymous 01-01-2007 10:25 AM

Update: I found out that my VPN device is tun0 (using ifconfig).

