Linux - Security
I'm currently writing predatorwall 2.0, and I have everything done and ready. But I just need some iptables gurus to make sure I didn't screw up somewhere in this and make sure it's secure.
Code:
#!/bin/bash
# This defines certain IPs and subnet masks
LOOPBACK="127.0.0.0/8"
RESERVED_172SPACE="172.16.0.0/12"
RESERVED_192SPACE="192.168.0.0/16"
RESERVED_10SPACE="10.0.0.0/8"
RESERVED_MULTICAST="224.0.0.0/4"
RESERVED_FUTURE="240.0.0.0/5"

# Loads the config; exits non-zero so a failed load is visible to whatever starts the script
config_load() {
    PREDWALL=/etc/firewall/predwall.conf
    if ! [ -f "$PREDWALL" ]; then
        echo; echo "predatorwall: Unable to load configuration file"; echo
        exit 1
    fi
    . "$PREDWALL"
}
config_load

# Checks current IP, working on implementing it.
# IP=$(ifconfig "$dev" | grep inet | cut -d : -f 2 | cut -d ' ' -f 1)

# If $PASSIVE is on this loads the ip_conntrack_ftp module
if [ "$PASSIVE" = "ON" ] && ! grep -q ip_conntrack_ftp /proc/modules; then
    /sbin/modprobe ip_conntrack_ftp
fi

# Writes value $2 to the /proc/sys entry $1, if this kernel provides it
set_proc() {
    [ -f "$1" ] && echo "$2" > "$1"
}

# If $OSLVL is defined as ON this loads OS-level security
if [ "$OSLVL" = "ON" ]; then
    set_proc /proc/sys/net/ipv4/tcp_fin_timeout 10
    set_proc /proc/sys/net/ipv4/tcp_keepalive_time 1800
    set_proc /proc/sys/net/ipv4/tcp_window_scaling 0
    set_proc /proc/sys/net/ipv4/tcp_sack 0
    set_proc /proc/sys/net/ipv4/tcp_timestamps 1
    set_proc /proc/sys/net/ipv4/conf/all/log_martians 0
    set_proc /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
    set_proc /proc/sys/net/ipv4/tcp_ecn 0
    set_proc /proc/sys/net/ipv4/tcp_syncookies 1
    if [ -f /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        for x in /proc/sys/net/ipv4/conf/*/rp_filter; do
            echo 1 > "$x"
        done
    fi
    set_proc /proc/sys/net/ipv4/conf/all/send_redirects 0
    set_proc /proc/sys/net/ipv4/conf/all/accept_redirects 0
    set_proc /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
    set_proc /proc/sys/net/ipv4/tcp_fack 1
    set_proc /proc/sys/net/ipv4/tcp_dsack 1
    set_proc /proc/sys/net/ipv4/tcp_reordering 5
    set_proc /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout 120
    set_proc /proc/sys/net/ipv4/ip_conntrack_max 8192
    set_proc /proc/sys/net/ipv4/ip_queue_maxlen 2048
fi

# If $LOG is on then these rules log
if [ "$LOG" = "ON" ]; then
    iptables -A INPUT -j LOG --log-prefix 'predwall:'
    iptables -A OUTPUT -j LOG --log-prefix 'predwall:'
    iptables -A FORWARD -j LOG --log-prefix 'predwall:'
fi

# If $VALID is ON then create the chain needed by VALID
if [ "$VALID" = "ON" ]; then
    iptables -N VALID
fi

# If $VERIFY is on this creates the needed chain
if [ "$VERIFY" = "ON" ]; then
    iptables -N VERIFY
fi

# If $FLOODPROT is on this creates the flood chain and enables TCP flood protection
if [ "$FLOODPROT" = "ON" ]; then
    iptables -N FLOOD
    iptables -A FLOOD -p tcp --syn -m limit --limit 2/s -j RETURN
    iptables -A FLOOD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 2/s -j RETURN
    iptables -A FLOOD -p tcp -j DROP
    iptables -A INPUT -p tcp -m state --state NEW,RELATED -j FLOOD
fi

# If $VALID is ON then pass all new TCP traffic from INPUT and OUTPUT through VALID
if [ "$VALID" = "ON" ]; then
    iptables -A INPUT -p tcp -m state --state NEW,RELATED -j VALID
    iptables -A OUTPUT -p tcp -m state --state NEW,RELATED -j VALID
fi

# Sets the default policies to DROP if $BASIC is on
if [ "$BASIC" = "ON" ]; then
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
fi

# Allows access to the loopback interface if $BASIC is on
if [ "$BASIC" = "ON" ]; then
    iptables -A INPUT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
    iptables -A OUTPUT -o lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
fi

# Allows access to the Internet if $BASIC is on
if [ "$BASIC" = "ON" ]; then
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    iptables -A OUTPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
    iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p udp -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -p udp -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
fi

# Allows SSH if defined
if [ "$SSHALLOW" = "ON" ]; then
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
fi

# Sets webserver rules if defined
if [ "$SERVER" = "ON" ]; then
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 53 -j ACCEPT
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 110 -j ACCEPT
    iptables -A INPUT -p tcp --dport 25 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
fi

# Allows passive FTP if defined
if [ "$PASSIVE" = "ON" ]; then
    iptables -A INPUT -p tcp --sport 1024 --dport 1024 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 1024 --dport 1024 -m state --state ESTABLISHED,RELATED -j ACCEPT
fi

# Source/destination verification
if [ "$VERIFY" = "ON" ]; then
    iptables -A INPUT -i "$dev" -p tcp -j VERIFY
    iptables -A INPUT -i "$dev" -p tcp --syn -j VERIFY
    iptables -A FORWARD -i "$dev" -p tcp -j VERIFY
    iptables -A FORWARD -i "$dev" -p tcp --syn -j VERIFY
    iptables -A OUTPUT -o "$dev" -p tcp -j VERIFY
    iptables -A OUTPUT -o "$dev" -p tcp --syn -j VERIFY
    iptables -A VERIFY -s "$RESERVED_10SPACE" -j DROP
    iptables -A VERIFY -s "$RESERVED_172SPACE" -j DROP
    iptables -A VERIFY -s "$RESERVED_192SPACE" -j DROP
    iptables -A VERIFY -s "$RESERVED_MULTICAST" -j DROP
    iptables -A VERIFY -s "$RESERVED_FUTURE" -j DROP
    iptables -A VERIFY -s "$LOOPBACK" -j DROP
    iptables -A VERIFY -s 0.0.0.0/8 -j DROP
    iptables -A VERIFY -d 255.255.255.255 -j DROP
    iptables -A VERIFY -s 169.254.0.0/16 -j DROP
    iptables -A VERIFY -s 192.0.2.0/24 -j DROP
    #iptables -A VERIFY -s "$IP" -j DROP
fi

# If $VALID is ON then this sets the default rules for the chain
if [ "$VALID" = "ON" ]; then
    iptables -A VALID -p tcp --tcp-flags ALL NONE -m limit --limit 3/m --limit-burst 5 -j DROP
    iptables -A VALID -p tcp --tcp-flags ACK,FIN FIN -m limit --limit 3/m --limit-burst 5 -j DROP
    iptables -A VALID -p tcp --tcp-flags ACK,PSH PSH -m limit --limit 3/m --limit-burst 5 -j DROP
    iptables -A VALID -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit 3/m --limit-burst 5 -j DROP
    iptables -A VALID -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/m --limit-burst 5 -j DROP
    iptables -A VALID -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 3/m --limit-burst 5 -j DROP
    iptables -A VALID -p tcp --tcp-flags ALL ALL -m limit --limit 3/m --limit-burst 5 -j DROP
    iptables -A VALID -p tcp --tcp-flags ALL FIN -m limit --limit 3/m --limit-burst 5 -j DROP
    iptables -A VALID -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/m --limit-burst 5 -j DROP
    iptables -A VALID -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 3/m --limit-burst 5 -j DROP
    iptables -A VALID -p tcp --tcp-flags ALL NONE -m limit --limit 3/m --limit-burst 5 -j DROP
    iptables -A VALID -p tcp --tcp-option 128 -j DROP
    iptables -A VALID -p tcp --tcp-option 64 -j DROP
    iptables -A VALID -f -j DROP
fi
# Script End
Don't think I qualify as a Guru, but I'll throw my two bits in:
You have a rule for NULL scans twice in the VALID chain.
I don't see anything handling icmp? Your ESTABLISHED,RELATED rules match only tcp and udp, but not icmp. So things like ping won't work. Maybe I'm just missing that though.
Unless you're running your own nameserver, I'd limit the DNS traffic allowed in "Webserver rules" to your ISP or (even better) their DNS server rather than open it up to the world. In fact the RELATED rules will likely match incoming DNS lookup replies anyway. Also the vast majority of this traffic will be udp. The larger tcp lookups are rare and from some estimates I've seen will only occur approx twice per year. Obviously if you are running a nameserver then the above doesn't apply.
Under FLOOD, you might want to adjust the throttle on this (esp. if you have web services on) as 2 syns per second isn't that unreasonable for a moderately busy web site. You also might want to consider adding udp flood protection as well.
Since you're not logging the IANA reserved/bogon IPs in the VERIFY chain, you might want to enable log_martians. That way you get a warning that someone is up to something malicious.
Overall though it's a nicely designed script. I particularly like the modular structure you've included. I'd run something like Nessus against it to make sure that there aren't other holes.
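The two points above about ICMP and DNS, worked through as an added example (this is not predatorwall code and not Capt_Caveman's): a state rule that is not restricted to -p tcp/-p udp lets ping replies and ICMP errors back in, inbound echo-request is accepted only under a rate limit, and outbound lookups go only to the resolvers listed in a resolv.conf-style file. The interface name, the chain layout and the sample resolver file are assumptions; with DRYRUN=1 (the default) the functions print the iptables commands instead of running them.

```shell
#!/bin/sh
# Added example, not predatorwall code. Functions emit iptables commands;
# DRYRUN=1 (default) prints them, DRYRUN=0 run as root applies them.
IPT="${IPT:-/sbin/iptables}"
DRYRUN="${DRYRUN:-1}"

ipt() {
    if [ "$DRYRUN" = 1 ]; then
        echo "iptables $*"
    else
        "$IPT" "$@"
    fi
}

# Replies to our own pings and ICMP errors about our own connections
# arrive as ESTABLISHED or RELATED once the state rule is not limited to
# tcp/udp. Inbound echo-request is the only NEW ICMP accepted, and it is
# rate-limited so a ping flood cannot keep the host busy.
allow_icmp() {
    dev="$1"
    ipt -A INPUT -i "$dev" -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -i "$dev" -p icmp --icmp-type echo-request \
        -m limit --limit 1/s --limit-burst 4 -j ACCEPT
    ipt -A INPUT -i "$dev" -p icmp --icmp-type echo-request -j DROP
    ipt -A OUTPUT -o "$dev" -p icmp -j ACCEPT
}

# Print the resolver addresses from a resolv.conf-style file, one per line.
resolvers_from() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Allow outbound lookups only to the listed resolvers: UDP for ordinary
# queries, TCP for the rare answers too large for UDP. Replies come back
# as ESTABLISHED, so a host that is not a nameserver needs no inbound 53.
allow_dns_to_resolvers() {
    dev="$1"; conf="$2"
    for ns in $(resolvers_from "$conf"); do
        ipt -A OUTPUT -o "$dev" -p udp -d "$ns" --dport 53 -m state --state NEW -j ACCEPT
        ipt -A OUTPUT -o "$dev" -p tcp -d "$ns" --dport 53 -m state --state NEW -j ACCEPT
    done
}

# Constructed sample resolv.conf (documentation addresses) so the block
# runs without reading /etc/resolv.conf.
make_sample_resolv() {
    f=$(mktemp)
    printf 'search example.net\nnameserver 192.0.2.53\nnameserver 198.51.100.53\n' > "$f"
    echo "$f"
}

main() {
    conf=$(make_sample_resolv)   # on a real host pass /etc/resolv.conf instead
    allow_icmp eth0
    allow_dns_to_resolvers eth0 "$conf"
    rm -f "$conf"
}
main
```

Run as-is to see the rule set it would load; the ESTABLISHED,RELATED rule has to come before any per-service ACCEPT so that return traffic is matched by state rather than by port.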
You also need the ip_nat_ftp module loaded..
Sometimes this will autoload the ip_conntrack_ftp module, but not in every system, so have both..
And a lot of the rule validity depends on what you define for $dev..
It looks like it could only be an external interface..
So how about a /etc/firewall/predwall.conf file to test with pls..
This script has to load after the interfaces are up..
That's a security problem..
What if something delays this script starting?
How about considering getting the bulk of the config loaded before the interface is up, then do the ip specific stuff after allocations are made. You could even call the ifup scripts from this firewall script..
It is better practice to load /proc/sys/net/~~ values from /etc/sysctl.conf
or find a way of removing them when the script stops.. (which seems to be a missing function)
What does this rule do?
iptables -A VERIFY -s 192.0.2.0/24 -j DROP
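The stop function peter_robb notes is missing, and his sysctl.conf point, as an added example (not predatorwall code and not his): stop flushes the rules and deletes the user chains, start calls stop first so a rerun does not fail on "iptables -N" for a chain that already exists, and a small helper turns the script's /proc/sys writes into sysctl.conf keys that can be loaded at boot before the interfaces come up. Chain names are the thread's; the settings list and DRYRUN switch are assumptions.

```shell
#!/bin/sh
# Added example, not predatorwall code. DRYRUN=1 (default) prints the
# iptables commands; DRYRUN=0 as root applies them.
IPT="${IPT:-/sbin/iptables}"
DRYRUN="${DRYRUN:-1}"
CHAINS="VALID VERIFY FLOOD"

ipt() {
    if [ "$DRYRUN" = 1 ]; then echo "iptables $*"; else "$IPT" "$@"; fi
}

# Undo everything: flush first, because a user chain that is still
# referenced by a jump cannot be deleted, then fall back to ACCEPT
# policies so the host is reachable again after "stop".
firewall_stop() {
    ipt -F
    ipt -X
    ipt -P INPUT ACCEPT
    ipt -P OUTPUT ACCEPT
    ipt -P FORWARD ACCEPT
}

# Start from a clean table every time, so the script is safe to rerun.
firewall_start() {
    firewall_stop
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT DROP
    for c in $CHAINS; do ipt -N "$c"; done
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A OUTPUT -o lo -j ACCEPT
    # the rest of the rule set goes here
}

# Map a /proc/sys path to its sysctl key:
# /proc/sys/net/ipv4/tcp_syncookies -> net.ipv4.tcp_syncookies
sysctl_key() {
    printf '%s\n' "$1" | sed -e 's#^/proc/sys/##' -e 's#/#.#g'
}

# Read "path value" pairs on stdin and print "key = value" lines ready
# for /etc/sysctl.conf, which `sysctl -p` loads at boot.
render_sysctl_conf() {
    while read -r path value; do
        [ -n "$path" ] || continue
        printf '%s = %s\n' "$(sysctl_key "$path")" "$value"
    done
}

# Constructed subset of the script's settings, with log_martians enabled
# as suggested earlier in the thread.
SETTINGS='/proc/sys/net/ipv4/tcp_syncookies 1
/proc/sys/net/ipv4/conf/all/rp_filter 1
/proc/sys/net/ipv4/conf/all/log_martians 1
/proc/sys/net/ipv4/conf/all/accept_redirects 0'

case "${1:-}" in
    start)  firewall_start ;;
    stop)   firewall_stop ;;
    sysctl) printf '%s\n' "$SETTINGS" | render_sysctl_conf ;;
    *)      echo "usage: $0 {start|stop|sysctl}" ;;
esac
```

`./predwall.sh sysctl >> /etc/sysctl.conf` (once, as root) moves the kernel settings out of the firewall script entirely, so they no longer depend on when the script happens to run.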
Capt_Caveman, mind providing me a link to a guide about the DNS stuff? Also, I noticed the ICMP prob as well (trying to ping a host). I'm gonna remove the -p tcp and -p udp switches from those rules. Also, to peter_robb, ip_nat_ftp is for SNAT/NAT only, which this script isn't designed for. Last night, I did some tweaking/fixing here and there. I also just now removed that dup rule for the NULL scan in VALID. Here's the new script and predwall.conf.
Code:
#!/bin/bash
# This defines certain IPs and subnet masks
LOOPBACK="127.0.0.0/8"
RESERVED_172SPACE="172.16.0.0/12"
RESERVED_192SPACE="192.168.0.0/16"
RESERVED_10SPACE="10.0.0.0/8"
RESERVED_MULTICAST="224.0.0.0/4"
RESERVED_FUTURE="240.0.0.0/5"

# Loads the config; exits non-zero so a failed load is visible to whatever starts the script
config_load() {
    PREDWALL=/etc/firewall/predwall.conf
    if ! [ -f "$PREDWALL" ]; then
        echo; echo "predatorwall: Unable to load configuration file"; echo
        exit 1
    fi
    . "$PREDWALL"
}
config_load

# Checks current IP, working on implementing it.
# IP=$(ifconfig "$dev" | grep inet | cut -d : -f 2 | cut -d ' ' -f 1)

# If $PASSIVE is on this loads the ip_conntrack_ftp module
if [ "$PASSIVE" = "ON" ] && ! grep -q ip_conntrack_ftp /proc/modules; then
    /sbin/modprobe ip_conntrack_ftp
fi

# Writes value $2 to the /proc/sys entry $1, if this kernel provides it
set_proc() {
    [ -f "$1" ] && echo "$2" > "$1"
}

# If $OSLVL is defined as ON this loads OS-level security
if [ "$OSLVL" = "ON" ]; then
    set_proc /proc/sys/net/ipv4/tcp_fin_timeout 10
    set_proc /proc/sys/net/ipv4/tcp_keepalive_time 1800
    set_proc /proc/sys/net/ipv4/tcp_window_scaling 0
    set_proc /proc/sys/net/ipv4/tcp_sack 0
    set_proc /proc/sys/net/ipv4/tcp_timestamps 1
    set_proc /proc/sys/net/ipv4/conf/all/log_martians 0
    set_proc /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses 1
    set_proc /proc/sys/net/ipv4/tcp_ecn 0
    set_proc /proc/sys/net/ipv4/tcp_syncookies 1
    if [ -f /proc/sys/net/ipv4/conf/all/rp_filter ]; then
        for x in /proc/sys/net/ipv4/conf/*/rp_filter; do
            echo 1 > "$x"
        done
    fi
    set_proc /proc/sys/net/ipv4/conf/all/send_redirects 0
    set_proc /proc/sys/net/ipv4/conf/all/accept_redirects 0
    set_proc /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts 1
    set_proc /proc/sys/net/ipv4/tcp_fack 1
    set_proc /proc/sys/net/ipv4/tcp_dsack 1
    set_proc /proc/sys/net/ipv4/tcp_reordering 5
    set_proc /proc/sys/net/ipv4/netfilter/ip_ct_generic_timeout 120
    set_proc /proc/sys/net/ipv4/ip_conntrack_max 8192
    set_proc /proc/sys/net/ipv4/ip_queue_maxlen 2048
fi

# If $LOG is on then these rules log
if [ "$LOG" = "ON" ]; then
    iptables -A INPUT -j LOG --log-prefix 'predwall:'
    iptables -A OUTPUT -j LOG --log-prefix 'predwall:'
    iptables -A FORWARD -j LOG --log-prefix 'predwall:'
fi

# If $VALID is ON then create the chain needed by VALID
if [ "$VALID" = "ON" ]; then
    iptables -N VALID
fi

# If $VERIFY is on this creates the needed chain
if [ "$VERIFY" = "ON" ]; then
    iptables -N VERIFY
fi

# If $FLOODPROT is on this creates the flood chain and enables TCP flood protection
if [ "$FLOODPROT" = "ON" ]; then
    iptables -N FLOOD
    iptables -A FLOOD -p tcp --syn -m limit --limit 2/s -j RETURN
    iptables -A FLOOD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 5/s -j RETURN
    iptables -A FLOOD -p tcp -j DROP
    iptables -A INPUT -p tcp -m state --state NEW,RELATED -j FLOOD
fi

# If $VALID is ON then pass all new TCP traffic from INPUT and OUTPUT through VALID
if [ "$VALID" = "ON" ]; then
    iptables -A INPUT -p tcp -m state --state NEW,RELATED -j VALID
    iptables -A OUTPUT -p tcp -m state --state NEW,RELATED -j VALID
fi

# Sets the default policies to DROP if $BASIC is on
if [ "$BASIC" = "ON" ]; then
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT DROP
fi

# Allows access to the loopback interface if $BASIC is on
if [ "$BASIC" = "ON" ]; then
    iptables -A INPUT -i lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
    iptables -A OUTPUT -o lo -s 0.0.0.0/0 -d 0.0.0.0/0 -j ACCEPT
fi

# Allows access to the Internet if $BASIC is on (state rules no longer limited to tcp/udp, so ICMP is covered)
if [ "$BASIC" = "ON" ]; then
    iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
    iptables -A FORWARD -p tcp ! --syn -m state --state NEW -j DROP
    iptables -A OUTPUT -p tcp ! --syn -m state --state NEW -j DROP
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    iptables -A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
fi

# Allows SSH if defined
if [ "$SSHALLOW" = "ON" ]; then
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
fi

# Sets webserver rules if defined
if [ "$SERVER" = "ON" ]; then
    iptables -A INPUT -p tcp --dport 80 -j ACCEPT
    iptables -A INPUT -p tcp --dport 53 -j ACCEPT
    iptables -A INPUT -p tcp --dport 21 -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    iptables -A INPUT -p tcp --dport 110 -j ACCEPT
    iptables -A INPUT -p tcp --dport 25 -j ACCEPT
    iptables -A INPUT -p tcp --dport 443 -j ACCEPT
fi

# Allows passive FTP if defined
if [ "$PASSIVE" = "ON" ]; then
    iptables -A INPUT -p tcp --sport 1024 --dport 1024 -m state --state ESTABLISHED -j ACCEPT
    iptables -A OUTPUT -p tcp --sport 1024 --dport 1024 -m state --state ESTABLISHED,RELATED -j ACCEPT
fi

# Source/destination verification
if [ "$VERIFY" = "ON" ]; then
    iptables -A INPUT -p tcp -j VERIFY
    iptables -A INPUT -p tcp --syn -j VERIFY
    iptables -A FORWARD -p tcp -j VERIFY
    iptables -A FORWARD -p tcp --syn -j VERIFY
    iptables -A OUTPUT -p tcp -j VERIFY
    iptables -A OUTPUT -p tcp --syn -j VERIFY
    iptables -A VERIFY -s "$RESERVED_10SPACE" -j DROP
    iptables -A VERIFY -s "$RESERVED_172SPACE" -j DROP
    iptables -A VERIFY -s "$RESERVED_192SPACE" -j DROP
    iptables -A VERIFY -s "$RESERVED_MULTICAST" -j DROP
    iptables -A VERIFY -s "$RESERVED_FUTURE" -j DROP
    iptables -A VERIFY -s "$LOOPBACK" -j DROP
    iptables -A VERIFY -s 0.0.0.0/8 -j DROP
    iptables -A VERIFY -d 255.255.255.255 -j DROP
    iptables -A VERIFY -s 169.254.0.0/16 -j DROP
    #iptables -A VERIFY -s "$IP" -j DROP
fi

# If $VALID is ON then this sets the default rules for the chain
if [ "$VALID" = "ON" ]; then
    iptables -A VALID -p tcp --tcp-flags ALL NONE -m limit --limit 3/m --limit-burst 5 -j DROP
    iptables -A VALID -p tcp --tcp-flags ACK,FIN FIN -m limit --limit 3/m --limit-burst 5 -j DROP
    iptables -A VALID -p tcp --tcp-flags ACK,PSH PSH -m limit --limit 3/m --limit-burst 5 -j DROP
    iptables -A VALID -p tcp --tcp-flags FIN,RST FIN,RST -m limit --limit 3/m --limit-burst 5 -j DROP
    iptables -A VALID -p tcp --tcp-flags ALL FIN,URG,PSH -m limit --limit 3/m --limit-burst 5 -j DROP
    iptables -A VALID -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 3/m --limit-burst 5 -j DROP
    iptables -A VALID -p tcp --tcp-flags ALL ALL -m limit --limit 3/m --limit-burst 5 -j DROP
    iptables -A VALID -p tcp --tcp-flags ALL FIN -m limit --limit 3/m --limit-burst 5 -j DROP
    iptables -A VALID -p tcp --tcp-flags SYN,RST SYN,RST -m limit --limit 3/m --limit-burst 5 -j DROP
    iptables -A VALID -p tcp --tcp-flags SYN,FIN SYN,FIN -m limit --limit 3/m --limit-burst 5 -j DROP
    iptables -A VALID -p tcp --tcp-option 128 -j DROP
    iptables -A VALID -p tcp --tcp-option 64 -j DROP
    iptables -A VALID -f -j DROP
fi
# Script End
Code:
# This is the predatorwall configuration file. It is very simple to edit, making it possible to change settings in predatorwall without
# diving into start.sh. Below are the implemented features and their options. The defaults are designed for security and not server
# use. Each option accepts ON or OFF. If you plan to use this script for a server, I recommend changing the value of LOG to
# ON. You will also need to turn the value of SERVER to ON as well.
dev=eth0
VERIFY=ON
FLOODPROT=ON
PASSIVE=OFF
OSLVL=ON
LOG=OFF
TCPSTATE=ON
# The script tests $VALID (not TCPSTATE) before building the TCP flag-check chain
VALID=ON
BASIC=ON
SSHALLOW=OFF
SERVER=OFF
I think that your VERIFY chain won't be verifying traffic that was previously accepted. The jumps for the chain are loaded after all the ACCEPT rules. You may want to put the input/output jumps for VERIFY earlier in the script, or use -I <insert> rather than -A <append>. Example:
Code:
iptables -I INPUT 1 -i $dev -p tcp -j VERIFY
I noticed you're putting a variable to get your IP address with ifconfig. peter_robb pointed out that running your script after interfaces are up is a bad idea, but I do the same thing and I've been too lazy to change it. Here's what I use to get current IP, current Broadcast, and netmask from ifconfig.
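An added example covering both points in the post above (it is not the poster's own snippet): the address, broadcast and netmask are pulled out of net-tools style ifconfig output, and the VERIFY jump plus an anti-spoof drop for our own address are then inserted at the head of INPUT with -I so they run before any ACCEPT appended earlier. The interface name, chain name and the sample ifconfig output are assumptions; DRYRUN=1 (the default) prints the commands. On a current system `ip -4 -o addr show dev eth0` gives the same information in a different layout and would need its own parser.

```shell
#!/bin/sh
# Added example, not the poster's code. DRYRUN=1 (default) prints the
# iptables commands; DRYRUN=0 as root applies them.
IPT="${IPT:-/sbin/iptables}"
DRYRUN="${DRYRUN:-1}"
ipt() { if [ "$DRYRUN" = 1 ]; then echo "iptables $*"; else "$IPT" "$@"; fi; }

# Constructed net-tools style output (documentation addresses); on a real
# host pipe `ifconfig "$dev"` into the functions below instead.
SAMPLE_IFCONFIG='eth0      Link encap:Ethernet  HWaddr 00:00:5e:00:53:01
          inet addr:192.0.2.10  Bcast:192.0.2.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1'

# iface_field LABEL reads ifconfig output on stdin and prints the dotted
# quad that follows "LABEL:" (first match only).
iface_field() {
    sed -n "s/.*$1:\([0-9.]*\).*/\1/p" | head -n 1
}
iface_ip()    { iface_field 'inet addr'; }
iface_bcast() { iface_field 'Bcast'; }
iface_mask()  { iface_field 'Mask'; }

# -I INPUT 1 puts each rule at the very top, so insert in reverse order:
# the VERIFY jump goes in first and ends up second, the spoof check goes
# in last and ends up first. A packet arriving on the external interface
# with our own address as its source can only be forged, so it is dropped
# before any ACCEPT rule sees it.
insert_verify_jumps() {
    dev="$1"; ip="$2"
    ipt -I INPUT 1 -i "$dev" -p tcp -j VERIFY
    ipt -I INPUT 1 -i "$dev" -s "$ip" -j DROP
}

main() {
    ip=$(printf '%s\n' "$SAMPLE_IFCONFIG" | iface_ip)
    bcast=$(printf '%s\n' "$SAMPLE_IFCONFIG" | iface_bcast)
    mask=$(printf '%s\n' "$SAMPLE_IFCONFIG" | iface_mask)
    echo "# dev=eth0 ip=$ip bcast=$bcast mask=$mask"
    insert_verify_jumps eth0 "$ip"
}
main
```

Because this reads the address at run time, it inherits the timing problem peter_robb raised: if the script runs before the interface has an address, `$ip` is empty and the spoof rule must not be loaded, which is why the parser returns nothing rather than a placeholder in that case.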
The reason I say this is because you mentioned the script doesn't cover SNAT/DNAT, yet you place rules in the FORWARD chain, which is not for local packets, you have dns packets listed as tcp rather than udp, and your passive ftp rule is for only port 1024..
There seems to be a big focus on trapping tcp flags when they are handled by the original "NEW not SYN" drop..
I suggest you give the tutorial a thorough going over and also Oskar's sysctl.conf tutorial..
It has some excellent in depth explanations of the whole netfilter mechanism and rule sets..
That would be a shorter way than taking each one in turn on the forum here..
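The server block reworked along the lines of peter_robb's review, as an added example (not predatorwall code and not his): port 53 is accepted over UDP as well as TCP and only when the host actually serves DNS, the passive-FTP data connection is left to the ip_conntrack_ftp helper (which marks it RELATED on an unprivileged port) instead of a single port 1024, RELATED is accepted only where a helper or an ICMP error is expected, the "NEW but not SYN" drop does the work of the long flag-combination list, and nothing goes into FORWARD because a non-routing host never sees forwarded packets. The interface name and the NAMESERVER/PASSIVE switches are assumptions; DRYRUN=1 (the default) prints the commands.

```shell
#!/bin/sh
# Added example, not predatorwall code. DRYRUN=1 (default) prints the
# iptables commands; DRYRUN=0 as root applies them.
IPT="${IPT:-/sbin/iptables}"
DRYRUN="${DRYRUN:-1}"
ipt() { if [ "$DRYRUN" = 1 ]; then echo "iptables $*"; else "$IPT" "$@"; fi; }

# allow_service DEV PROTO PORT: one ACCEPT for a new connection to PORT.
allow_service() {
    ipt -A INPUT -i "$1" -p "$2" --dport "$3" -m state --state NEW -j ACCEPT
}

server_rules() {
    dev="$1"; nameserver="$2"
    # A NEW TCP packet without SYN cannot start a valid connection; this
    # one rule covers what the list of flag combinations is aiming at.
    ipt -A INPUT -i "$dev" -p tcp ! --syn -m state --state NEW -j DROP
    # Return traffic for connections this host opened or accepted.
    ipt -A INPUT -i "$dev" -m state --state ESTABLISHED -j ACCEPT
    # RELATED only where expected: ICMP errors about our own connections.
    ipt -A INPUT -i "$dev" -p icmp -m state --state RELATED -j ACCEPT
    for p in 22 25 80 110 443; do
        allow_service "$dev" tcp "$p"
    done
    # Port 53 only when this host serves DNS; nearly all queries are UDP,
    # TCP carries zone transfers and answers too large for UDP.
    if [ "$nameserver" = ON ]; then
        allow_service "$dev" udp 53
        allow_service "$dev" tcp 53
    fi
}

# Passive FTP: control channel on 21; the data channel lands on a port the
# server picks above 1023, which the conntrack helper flags as RELATED.
passive_ftp_rules() {
    dev="$1"
    [ "$DRYRUN" = 1 ] || /sbin/modprobe ip_conntrack_ftp
    allow_service "$dev" tcp 21
    ipt -A INPUT -i "$dev" -p tcp --dport 1024:65535 -m state --state RELATED -j ACCEPT
}

# Count the rules a function would load (dry-run), to check a switch does
# what it should before applying the set for real.
rule_count() { "$@" | grep -c '^iptables '; }

main() {
    server_rules eth0 "${NAMESERVER:-OFF}"
    if [ "${PASSIVE:-ON}" = ON ]; then
        passive_ftp_rules eth0
    fi
}
main
```

`NAMESERVER=ON sh predwall-server.sh` shows the two extra port-53 rules; with the default OFF the only inbound DNS traffic that gets through is the replies to the host's own lookups, which the ESTABLISHED rule already covers.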