LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 04-04-2005, 11:06 PM   #1
artielnx
LQ Newbie
 
Registered: Jul 2004
Location: New England
Distribution: Gentoo
Posts: 13

Rep: Reputation: 0
Need advice on my firewall script


Hey, I've been reading up on iptables recently and I'm trying to write my own firewall script. It seems to work OK, but I was wondering if I'm doing it correctly or if I'm missing anything in terms of security. I want this to be as secure as possible.

I've made it so that all incoming connections are dropped unless I say otherwise in the script and all outgoing connections are allowed, since I can trust myself.

Here's my script so far:

PHP Code:
#!/bin/bash
# Simple bastion firewall

IPT="/sbin/iptables"        
INTERNET="eth0"            
LOOPBACK_IFACE="lo"        
LOOPBACK="127.0.0.0/8"        
PRIVPORTS="0:1023"        
UNPRIVPORTS="1024:65535"    

# flush any existing rules
$IPT -F
$IPT 
-t nat -F
$IPT 
-t mangle -F
$IPT 
-X
$IPT 
-t nat -X
$IPT 
-t mangle -X

# unlimited loopback traffic
$IPT -A INPUT -i $LOOPBACK_IFACE -s $LOOPBACK -d $LOOPBACK -j ACCEPT

# set the default policy to deny all incoming 
# connections, but accept all outgoing connections
$IPT -P INPUT DROP
$IPT 
-P OUTPUT ACCEPT
$IPT 
-P FORWARD DROP

# now explicitly allow the following incoming connections:
# DNS
$IPT -A INPUT -i $INTERNET -p udp --sport 53 --dport $UNPRIVPORTS -j ACCEPT
$IPT 
-A INPUT -i $INTERNET -p tcp --sport 53 --dport $UNPRIVPORTS -j ACCEPT

# AUTH
$IPT -A INPUT -i $INTERNET -p tcp ! --syn --sport 113 --dport $UNPRIVPORTS -j ACCEPT
$IPT 
-A INPUT -i $INTERNET -p tcp ! --syn --sport $UNPRIVPORTS --dport 113 -j ACCEPT

# HTTP
$IPT -A INPUT -i $INTERNET -p tcp ! --syn --sport 80 --dport $UNPRIVPORTS -j ACCEPT

# SSL
$IPT -A INPUT -i $INTERNET -p tcp ! --syn --sport 443 --dport $UNPRIVPORTS -j ACCEPT

# POP3
$IPT -A INPUT -i $INTERNET -p tcp ! --syn --sport 110 --dport $UNPRIVPORTS -j ACCEPT

# FTP
$IPT -A INPUT -i $INTERNET -p tcp --sport 20 --dport $UNPRIVPORTS -j ACCEPT

# SSH 
$IPT -A INPUT -i $INTERNET -p tcp --sport $UNPRIVPORTS --dport 22 -j ACCEPT

# AIM 
$IPT -A INPUT -i $INTERNET -p tcp --sport 5190 --dport $UNPRIVPORTS -j ACCEPT

# MSN Messenger
$IPT -A INPUT -i $INTERNET -p tcp --sport 1863 --dport $UNPRIVPORTS -j ACCEPT 

Last edited by artielnx; 04-04-2005 at 11:07 PM.
 
Old 04-05-2005, 12:04 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 57
Couple of comments.

1. For the loopback traffic, you'll likely need a little more lenient policy as your system will occasionally make local connections over the loopback adapter using your actual IP rather than loopback address (127.0.0.1). Using iptables -A INPUT -i lo -j ACCEPT should work better.

2. You should limit DNS traffic to only the IP address of your ISP, ideally to their DNS servers. Giving puclic access is not a good idea and allows an attacker to inject malicious DNS traffic.

3. There is a better way to prevent remote hosts from making connections attempts rather than using the ! syn trick. With the way you've done it, an ACK or FIN scan would go right through your firewall and allow someone to enumerate your open ports. That was actually the method of choice back in the ipchains days, but now linux has statefull filtering with iptables. Use this rule instead:
Code:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
That will only allow traffic from connections that you initiate, regardless of what tcp flags are on the packets.

4. You may want to consider adding spoofing protection and bogus packet logging as well.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Need some advice about setting up a firewall stuart Linux - Networking 3 08-09-2007 06:00 AM
IPTables Firewall Advice... Bomber Linux - Security 5 04-11-2004 02:17 AM
slackware's /etc/rc.d/rc.firewall equivalent ||| firewall script startup win32sux Debian 1 03-06-2004 10:15 PM
Need Advice - Webserver and Firewall Setup nbin Linux - Networking 8 06-17-2003 08:55 AM
Antivirus/Firewall advice Tweaker Linux - Newbie 5 05-14-2003 04:20 AM


All times are GMT -5. The time now is 03:37 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration