rc.firewall optimization and determining why connections get cut
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
rc.firewall optimization and determining why connections get cut
wondering if anyone here could help me weed out the unneeded lines and help me determine why is it that if this script is run after getting onto the local LAN that all connections are closed and I have to re-connect to the local LAN.
Code:
001. IPTABLES=/usr/sbin/iptables
002. IPTABLESS="/usr/sbin/iptables-save"
003. IPTABLESR="/usr/sbin/iptables-restore"
004. IFCONFIG=/sbin/ifconfig
005. LSMOD=/bin/lsmod
006. DEPMOD=/sbin/depmod
007. MODPROBE=/sbin/modprobe
008. GREP=/usr/bin/grep
009. AWK=/usr/X11R6/bin/awk
010. SED=/usr/X11R6/bin/sed
011. SYSCTL="/sbin/sysctl -w"
012.
013. EXTIF1="bond0"
014. EXTIF2="eth0"
015. EXTIF3="wlan0"
016. EXTIF="${EXTIF1} ${EXTIF2} ${EXTIF3}"
017.
018. # Define the local network [internal network] and IP address
019. INTNET="192.168.100.0/24"
020. INTGW="192.168.100.1"
021.
022. UNIVERSAL="0.0.0.0/0"
023.
024. $IPTABLES -F
025. $IPTABLES -F INPUT
026. $IPTABLES -F OUTPUT
027. $IPTABLES -F FORWARD
028. $IPTABLES -F -t nat
029.
030. # Flush the user-defined chains if they exist
031. if [ -n "`$IPTABLES -L | $GREP drop-port-denied-n-log`" ]; then
032. $IPTABLES -F drop-port-denied-n-log
033. fi
034. if [ -n "`$IPTABLES -L | $GREP drop-n-log`" ]; then
035. $IPTABLES -F drop-n-log
036. fi
037. if [ -n "`$IPTABLES -L | $GREP KEEP_STATE`" ]; then
038. $IPTABLES -F KEEP_STATE
039. fi
040. if [ -n "`$IPTABLES -L | $GREP CHECK_FLAGS`" ]; then
041. $IPTABLES -F CHECK_FLAGS
042. fi
043. if [ -n "`$IPTABLES -L | $GREP ICMP_FLOOD`" ]; then
044. $IPTABLES -F ICMP_FLOOD
045. fi
046. if [ -n "`$IPTABLES -L | $GREP UDP_FLOOD`" ]; then
047. $IPTABLES -F UDP_FLOOD
048. fi
049.
050. $IPTABLES -P INPUT DROP
051. $IPTABLES -P OUTPUT DROP
052. $IPTABLES -P FORWARD DROP
053.
054. #####################################
055. # Kernel-level switches
056. #####################################
057. echo " - Enabling kernel-level switches..."
058.
059. # Enable broadcast echo protection. This kernel parameter instructs the
060. # kernel to ignore all ICMP echo requests sent to the broadcast address.
061. # This prevents a number of smurfs and similar DoS nasty attacks.
062. if [ "$SYSCTL" = "" ]; then
063. echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
064. else
065. $SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
066. fi
067.
068. # Set this to ignore ICMP errors caused by hosts in the network reacting
069. # badly to frames sent to what they perceive to be the broadcast address.
070. if [ "$SYSCTL" = "" ]; then
071. echo "1" /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
072. else
073. $SYSCTL net.ipv4.icmp_ignore_bogus_error_responses="1"
074. fi
075.
076. # Decrease the amount of time to try to close a connection
077. if [ "$SYSCTL" = "" ]; then
078. echo 30 > /proc/sys/net/ipv4/tcp_fin_timeout
079. else
080. $SYSCTL net.ipv4.tcp_fin_timeout="30"
081. fi
082.
083. # Decrease the amount of time before it will kill a stale connection
084. if [ "$SYSCTL" = "" ]; then
085. echo 1800 > /proc/sys/net/ipv4/tcp_keepalive_time
086. else
087. $SYSCTL net.ipv4.tcp_keepalive_time="1800"
088. fi
089.
090. # Sets the number of SYN packets the kernel will send before giving up on
091. # the new connection. Default is 5.
092. if [ "$SYSCTL" = "" ]; then
093. echo "5" /proc/sys/net/ipv4/tcp_syn_retries
094. else
095. $SYSCTL net.ipv4.tcp_syn_retries="5"
096. fi
097.
098. # Sets the number of times to retry before killing a TCP connection,
099. # closed by our side. Default value 7 corresponds to 50sec-16min depending
100. # on RTO. If your machine is a loaded WEB server, you should think about
101. # lowering this value, as such sockets may consume significant resources.
102. if [ "$SYSCTL" = "" ]; then
103. echo "4" /proc/sys/net/ipv4/tcp_orphan_retries
104. else
105. $SYSCTL net.ipv4.tcp_orphan_retries="4"
106. fi
107.
108. # Turn on TCP SYN cookie protection - prevents SYN attacks by allowing your
109. # system to accept an unlimited number of TCP connections while trying to
110. # give reasonable service during a DoS attack.
111. if [ "$SYSCTL" = "" ]; then
112. echo "1" > /proc/sys/net/ipv4/tcp_syncookies
113. else
114. $SYSCTL net.ipv4.tcp_syncookies="1"
115. fi
116.
117. # Enable martian packets protection (packets with source addresses with no
118. # known route)
119. if [ "$SYSCTL" = "" ]; then
120. echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
121. echo "1" > /proc/sys/net/ipv4/conf/default/log_martians
122. else
123. $SYSCTL net.ipv4.conf.all.log_martians="1"
124. $SYSCTL net.ipv4.conf.default.log_martians="1"
125. fi
126.
127. # Enable IP spoofing protection. This enables source validation by reversed
128. # path according to RFC1812. In other words, did the response packet
129. # originate from the same interface through which the source packet was sent?
130. # It's recommended for single-homed systems and routers on stub networks
131. # since those are the configurations this firewall is designed to support.
132. # Turn it off if you use multiple NICs connected to the same network.
133. if [ "$SYSCTL" = "" ]; then
134. echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
135. echo "1" > /proc/sys/net/ipv4/conf/default/rp_filter
136. else
137. $SYSCTL net.ipv4.conf.all.rp_filter="1"
138. $SYSCTL net.ipv4.conf.default.rp_filter="1"
139. fi
140.
141. # Disable ICMP redirect acceptance. This option can disable ICMP redirects.
142. # ICMP redirects are generally considered a security risk and shouldn't be
143. # needed by most systems using this generator.
144. if [ "$SYSCTL" = "" ]; then
145. echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
146. echo "0" > /proc/sys/net/ipv4/conf/default/accept_redirects
147. else
148. $SYSCTL net.ipv4.conf.all.accept_redirects="0"
149. $SYSCTL net.ipv4.conf.default.accept_redirects="0"
150. fi
151.
152. # Unless this host serves as a network device, do not act like a network
153. # device
154. if [ "$SYSCTL" = "" ]; then
155. echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
156. echo "0" > /proc/sys/net/ipv4/conf/default/send_redirects
157. else
158. $SYSCTL net.ipv4.conf.all.send_redirects="0"
159. $SYSCTL net.ipv4.conf.default.send_redirects="0"
160. fi
161.
162. # However, we'll ensure the secure_redirects option is on instead.
163. # This option accepts only from gateways in the default gateways list.
164. if [ "$SYSCTL" = "" ]; then
165. echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
166. echo "1" > /proc/sys/net/ipv4/conf/default/secure_redirects
167. else
168. $SYSCTL net.ipv4.conf.all.secure_redirects="1"
169. $SYSCTL net.ipv4.conf.default.secure_redirects="1"
170. fi
171.
172. # This option can be used to accept or refuse source routed packets. It is
173. # usually on by default, but is generally considered a security risk. This
174. # option turns it off.
175. if [ "$SYSCTL" = "" ]; then
176. echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
177. echo "0" > /proc/sys/net/ipv4/conf/default/accept_source_route
178. else
179. $SYSCTL net.ipv4.conf.all.accept_source_route="0"
180. $SYSCTL net.ipv4.conf.default.accept_source_route="0"
181. fi
182.
183. # Change the default TTL to help obscure OS fingerprinting. Linux systems
184. # have a value of 64, while Windows has 128.
185. if [ "$SYSCTL" = "" ]; then
186. echo "128" /proc/sys/net/ipv4/ip_default_ttl
187. else
188. $SYSCTL net.ipv4.ip_default_ttl="128"
189. fi
190.
191.
192. #####################################
193. # User-defined chains
194. #####################################
195. if [ ! -n "`$IPTABLES -L | $GREP drop-port-denied-n-log`" ]; then
196. $IPTABLES -N drop-port-denied-n-log
197. fi
198. $IPTABLES -A drop-port-denied-n-log -m limit --limit 4/minute --limit-burst 5
199. $IPTABLES -A drop-port-denied-n-log -j LOG --log-level debug --log-prefix "#### #### iptables-denied port: "
200. $IPTABLES -A drop-port-denied-n-log -j DROP
201.
202. if [ ! -n "`$IPTABLES -L | $GREP drop-n-log`" ]; then
203. $IPTABLES -N drop-n-log
204. fi
205. $IPTABLES -A drop-n-log -m limit --limit 4/minute --limit-burst 5
206. $IPTABLES -A drop-n-log -j LOG --log-level debug --log-prefix "#### #### iptables-logged drop: "
207. $IPTABLES -A drop-n-log -j DROP
208.
209.
210. # Special chain KEEP_STATE to handle incoming, outgoing, and established
211. # connections.
212. if [ ! -n "`$IPTABLES -L | $GREP KEEP_STATE`" ]; then
213. $IPTABLES -N KEEP_STATE
214. fi
215.
216. # DROP packets associated with an "INVALID" connection
217. $IPTABLES -A KEEP_STATE -m conntrack --ctstate INVALID -j DROP
218.
219. # UNCLEAN match target, somewhat experimental at this point
220. #$IPTABLES -A KEEP_STATE -m unclean -j DROP
221.
222. # ACCEPT packets which are related to an established connection
223. $IPTABLES -A KEEP_STATE -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
224.
225. # All good here, so return
226. $IPTABLES -A KEEP_STATE -p ALL -j RETURN
227.
228.
229. if [ ! -n "`$IPTABLES -L | $GREP CHECK_FLAGS`" ]; then
230. $IPTABLES -N CHECK_FLAGS
231. fi
232.
233. # XMAS scan
234. $IPTABLES -A CHECK_FLAGS -p TCP --tcp-flags ALL FIN,URG,PSH -m limit --limit 4/minute --limit-burst 5 -j LOG --log-level debug --log-prefix "#### #### iptables-XMAS: "
235. $IPTABLES -A CHECK_FLAGS -p TCP --tcp-flags ALL FIN,URG,PSH -m recent --name blacklist_60 --set -m comment --comment "Drop/Blacklist XMAS scan" -j DROP
236.
237. # Full XMAS scan
238. $IPTABLES -A CHECK_FLAGS -p TCP --tcp-flags ALL SYN,RST,ACK,FIN,URG -m limit --limit 4/minute --limit-burst 5 -j LOG --log-level debug --log-prefix "#### #### iptables-XMAS-PSH: "
239. $IPTABLES -A CHECK_FLAGS -p TCP --tcp-flags ALL SYN,RST,ACK,FIN,URG -m recent --name blacklist_60 --set -m comment --comment "Drop/Blacklist XMAS-PSH scan" -j DROP
240.
241. # XMAS-ALL scan
242. $IPTABLES -A CHECK_FLAGS -p TCP --tcp-flags ALL ALL -m limit --limit 4/minute --limit-burst 5 -j LOG --log-level debug --log-prefix "#### #### iptables-XMAS-ALL: "
243. $IPTABLES -A CHECK_FLAGS -p TCP --tcp-flags ALL ALL -m recent --name blacklist_60 --set -m comment --comment "Drop/Blacklist XMAS-ALL scan" -j DROP
244.
245. # FIN scan
246. $IPTABLES -A CHECK_FLAGS -p TCP --tcp-flags ALL FIN -m limit --limit 4/minute --limit-burst 5 -j LOG --log-level debug --log-prefix "#### #### iptables-FIN: "
247. $IPTABLES -A CHECK_FLAGS -p TCP --tcp-flags ALL FIN -m recent --name blacklist_60 --set -m comment --comment "Drop/Blacklist FIN scan" -j DROP
248.
249. # SYN scan and TCP connect scan - preventing these scans are difficult for a
250. # firewall because starting a connection with a SYN packet is the normal, so
251. # we need to set up "trapped ports"; ports that we won't use, but most
252. # likely will be targeted. Port 23 is one, as well as 22 if you've changed
253. # SSH to a different port. There is a limit with this. If the attacker is
254. # cautious and has time and uses a very slow SYN scan (a handful of ports
255. # with one connection attempt every 5 minutes) then the "trapped port"
256. # technique won't prevent that type of scan, however it will log the
257. # connection attempt to the trapped port (with information like the IP of
258. # the attacker) so at least we know something is going wrong. Credit to
259. # Thylacine firewall.
260. $IPTABLES -A CHECK_FLAGS -p TCP -m multiport --dports 22,23,79 --tcp-flags ALL SYN -m limit --limit 4/minute --limit-burst 5 -j LOG --log-level debug --log-prefix "#### #### iptables-SYN trap: "
261. $IPTABLES -A CHECK_FLAGS -p TCP -m multiport --dports 22,23,79 --tcp-flags ALL SYN -m recent --name blacklist_180 --set -j DROP
262.
263. # SYN/RST - ##SYN/RST##
264. $IPTABLES -A CHECK_FLAGS -p TCP --tcp-flags SYN,RST SYN,RST -m limit --limit 4/minute --limit-burst 5 -j LOG --log-level debug --log-prefix "#### #### iptables-SYN/RST: "
265. $IPTABLES -A CHECK_FLAGS -p TCP --tcp-flags SYN,RST SYN,RST -m recent --name blacklist_60 --set -m comment --comment "Drop/Blacklist SYN/RST scan" -j DROP
266.
267. # SYN/FIN -- scan (probably) - ##SYN/FIN##
268. $IPTABLES -A CHECK_FLAGS -p TCP --tcp-flags SYN,FIN SYN,FIN -m limit --limit 4/minute --limit-burst 5 -j LOG --log-level debug --log-prefix "#### #### iptables-SYN/FIN: "
269. $IPTABLES -A CHECK_FLAGS -p TCP --tcp-flags SYN,FIN SYN,FIN -m recent --name blacklist_60 --set -m comment --comment "Drop/Blacklist SYN/FIN scan" -j DROP
270.
271. # NULL scan
272. $IPTABLES -A CHECK_FLAGS -p TCP --tcp-flags ALL NONE -m limit --limit 4/minute --limit-burst 5 -j LOG --log-level debug --log-prefix "#### #### iptables-NULL: "
273. $IPTABLES -A CHECK_FLAGS -p TCP --tcp-flags ALL NONE -m recent --name blacklist_60 --set -m comment --comment "Drop/Blacklist NULL scan" -j DROP
274.
275. # drop connections that do not have SYN and are recognized as NEW (ACK scan)
276. $IPTABLES -A CHECK_FLAGS -p tcp ! --syn -m conntrack --ctstate NEW -j LOG --log-level debug --log-prefix "#### #### iptables-NEW not SYN: "
277. $IPTABLES -A CHECK_FLAGS -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
278.
279. # Make some types of port scans annoyingly slow, also provides some protection
280. # against certain DoS attacks. The rule in chain KEEP_STATE referring to the
281. # INVALID state should catch most TCP packets with the RST or FIN bits set
282. # that aren't associate with an established connection. Still, these will
283. # limit the amount of stuff that is accepted through our open ports (if any).
284. # I suggest you test these for your configuration before you uncomment them,
285. # as they could cause problems.
286.
287. #$IPTABLES -A CHECK_FLAGS -m limit --limit 5/second -p TCP --tcp-flags ALL RST -j ACCEPT
288. #$IPTABLES -A CHECK_FLAGS -m limit --limit 5/second -p TCP --tcp-flags ALL FIN -j ACCEPT
289. #$IPTABLES -A CHECK_FLAGS -m limit --limit 5/second -p TCP --tcp-flags ALL SYN -j ACCEPT
290.
291. # UDP scans - block all UDP packets with no content. Credit to
292. # Thylacine firewall.
293. $IPTABLES -A CHECK_FLAGS -p UDP -m limit --limit 6/hour --limit-burst 1 -m length --length 0:28 -j LOG --log-level debug --log-prefix "#### #### iptables->0 length UDP: "
294. $IPTABLES -A CHECK_FLAGS -p UDP -m length --length 0:28 -m comment --comment "Drop UDP packet with no content" -j DROP
295.
296. # All good here, so return
297. $IPTABLES -A CHECK_FLAGS -p tcp -j RETURN
298.
299.
300. # Denial of service and distributed denial of service attacks based on packet
301. # flooding
302. # ICMP flood
303. if [ ! -n "`$IPTABLES -L | $GREP ICMP_FLOOD`" ]; then
304. $IPTABLES -N ICMP_FLOOD
305. fi
306. # Get out of chain if packet rate for the same IP is below 4 per second with a
307. # burst of 8 per second
308. $IPTABLES -A ICMP_FLOOD -m limit --limit 4/second --limit-burst 8 -m comment --comment "Limit ICMP rate" -j RETURN
309. # If higher then log as flood
310. $IPTABLES -A ICMP_FLOOD -m limit --limit 6/hour --limit-burst 1 -j LOG --log-level debug --log-prefix "#### #### iptables-ICMP flood: "
311. # Blacklist IP for 3 minutes
312. $IPTABLES -A ICMP_FLOOD -m recent --name blacklist_180 --set -m comment --comment "Blacklist source IP" -j DROP
313.
314.
315. # UDP flood
316. if [ ! -n "`$IPTABLES -L | $GREP UDP_FLOOD`" ]; then
317. $IPTABLES -N UDP_FLOOD
318. fi
319. # Limit UDP rate to 10/sec with burst at 20 (sometimes it is not enough, if
320. # you know a better average rate, let me know!)
321. $IPTABLES -A UDP_FLOOD -m limit --limit 10/second --limit-burst 20 -m comment --comment "Limit UDP rate" -j RETURN
322. # Log otherwise
323. $IPTABLES -A UDP_FLOOD -m limit --limit 6/hour --limit-burst 1 -j LOG --log-level debug --log-prefix "#### #### iptables-UDP flood: "
324. # Blacklist IP for 3 minutes
325. $IPTABLES -A UDP_FLOOD -m recent --name blacklist_180 --set -m comment --comment "Blacklist source IP" -j DROP
326.
327.
328. # SYN flood
329. if [ ! -n "`$IPTABLES -L | $GREP SYN_FLOOD`" ]; then
330. $IPTABLES -N SYN_FLOOD
331. fi
332. # Limit packet rate to 2 per second with a 6 per second burst
333. $IPTABLES -A SYN_FLOOD -m limit --limit 2/second --limit-burst 6 -m comment --comment "Limit TCP SYN rate" -j RETURN
334. # Log otherwise
335. $IPTABLES -A SYN_FLOOD -m limit --limit 6/hour --limit-burst 1 -j LOG --log-level debug --log-prefix "#### #### iptables-SYN flood: "
336. # Blacklist IP for 3 minutes
337. $IPTABLES -A SYN_FLOOD -m recent --name blacklist_180 --set -m comment --comment "Blacklist source IP" -j DROP
338.
339.
340. #####################################
341. # Table rules (OUTPUT)
342. #####################################
343. echo " - Creating OUTPUT rules..."
344.
345. # Filter out bad packets going out on the external interface based on state
346. # and flags
347. $IPTABLES -A OUTPUT -p ALL -j KEEP_STATE
348.
349. # Allow all outgoing communications
350. $IPTABLES -A OUTPUT -s $UNIVERSAL -d $UNIVERSAL -j ACCEPT
351.
352. # Catch all rule, DROP all other incoming. Used for troubleshooting.
353. #$IPTABLES -A OUTPUT -s $UNIVERSAL -d $UNIVERSAL -j drop-n-log
354.
355.
356. #####################################
357. # Table rules (INPUT)
358. #####################################
359. # Allow loopback traffic (input)
360. $IPTABLES -A INPUT -i lo -s $UNIVERSAL -d $UNIVERSAL -j ACCEPT
361.
362. # Filter out bad packets coming in on the external interface based on state
363. # and flags
364. $IPTABLES -A INPUT -m conntrack --ctstate INVALID -j LOG --log-level debug --log-prefix "#### #### iptables-invalid packet: "
365. $IPTABLES -A INPUT -p ALL -j KEEP_STATE
366.
367. # Allow NTP requests from local network
368. $IPTABLES -A INPUT -p UDP -s $INTNET --dport 123 -j ACCEPT
369.
370. # Check TCP packets coming in on the external interface for weird flags
371. $IPTABLES -A INPUT -p TCP -j CHECK_FLAGS
372.
373. # ICMP packets should fit in a Layer 2 frame, thus they should never be
374. # fragmented. Fragmented ICMP packets are a typical sign of a denial of
375. # service attack.
376. $IPTABLES -A INPUT --fragment -p ICMP -j LOG --log-level debug --log-prefix "#### #### iptables-ICMP fragment: "
377. $IPTABLES -A INPUT --fragment -p ICMP -j DROP
378.
379. $IPTABLES -A INPUT -p ICMP -s $INTNET --icmp-type 8 -j ACCEPT
380. $IPTABLES -A INPUT -p ICMP -s $UNIVERSAL --icmp-type 8 -j LOG --log-level debug --log-prefix "#### #### iptables-PING detected: "
381. $IPTABLES -A INPUT -p ICMP -s $UNIVERSAL --icmp-type 8 -j DROP
382.
383. # Time Exceeded (traceroute)
384. $IPTABLES -A INPUT -p ICMP -s $UNIVERSAL --icmp-type 11 -j ACCEPT
385.
386. # Jump into appropriate flood chain for DOS/DDOS prevention
387. $IPTABLES -A INPUT -p ICMP -j ICMP_FLOOD
388. $IPTABLES -A INPUT -p UDP -j UDP_FLOOD
389. $IPTABLES -A INPUT -p TCP --syn -j SYN_FLOOD
390.
391. # Reject requests to the following port types
392. #### Samba (NetBIOS)
393. $IPTABLES -A INPUT -p TCP -s $INTNET --dport 137:139 -j DROP
394. $IPTABLES -A INPUT -p UDP -s $INTNET --dport 137:139 -j DROP
395. $IPTABLES -A INPUT -p TCP -s $UNIVERSAL --dport 137:139 -j drop-port-denied-n-log
396. $IPTABLES -A INPUT -p UDP -s $UNIVERSAL --dport 137:139 -j drop-port-denied-n-log
397. #### Microsoft ports that provide a risk according to ShieldsUP!! - www.grc.com
398. $IPTABLES -A INPUT -p TCP -s $UNIVERSAL --dport 1023:1055 -j drop-port-denied-n-log
399. $IPTABLES -A INPUT -p UDP -s $UNIVERSAL --dport 1023:1055 -j drop-port-denied-n-log
400. #### Microsoft SQL
401. $IPTABLES -A INPUT -p TCP -s $UNIVERSAL --dport 1433 -j drop-port-denied-n-log
402. $IPTABLES -A INPUT -p UDP -s $UNIVERSAL --dport 1433 -j drop-port-denied-n-log
403. #### Microsoft's H.323 (Microsoft NetMeeting) call setup protocol
404. $IPTABLES -A INPUT -p TCP -s $UNIVERSAL --dport 1720 -j drop-port-denied-n-log
405. $IPTABLES -A INPUT -p UDP -s $UNIVERSAL --dport 1720 -j drop-port-denied-n-log
406. #### Microsoft's UPnP
407. $IPTABLES -A INPUT -p TCP -s $UNIVERSAL --dport 1900 -j drop-port-denied-n-log
408. $IPTABLES -A INPUT -p UDP -s $UNIVERSAL --dport 1900 -j drop-port-denied-n-log
409. $IPTABLES -A INPUT -p TCP -s $UNIVERSAL --dport 5000 -j drop-port-denied-n-log
410. $IPTABLES -A INPUT -p UDP -s $UNIVERSAL --dport 5000 -j drop-port-denied-n-log
411. #### Network File System
412. $IPTABLES -A INPUT -p TCP -s $UNIVERSAL --dport 2049 -j drop-port-denied-n-log
413. $IPTABLES -A INPUT -p UDP -s $UNIVERSAL --dport 2049 -j drop-port-denied-n-log
414. #### MySQL
415. $IPTABLES -A INPUT -p TCP -s $UNIVERSAL --dport 3306 -j drop-port-denied-n-log
416. $IPTABLES -A INPUT -p UDP -s $UNIVERSAL --dport 3306 -j drop-port-denied-n-log
417. #### Postgres SQL
418. $IPTABLES -A INPUT -p TCP -s $UNIVERSAL --dport 5432 -j drop-port-denied-n-log
419. $IPTABLES -A INPUT -p UDP -s $UNIVERSAL --dport 5432 -j drop-port-denied-n-log
420. #### X Displays :0-:2-
421. $IPTABLES -A INPUT -p TCP -s $UNIVERSAL --dport 5999:6003 -j drop-port-denied-n-log
422. $IPTABLES -A INPUT -p UDP -s $UNIVERSAL --dport 5999:6003 -j drop-port-denied-n-log
423. #### X Font Server :0-:2-
424. $IPTABLES -A INPUT -p TCP -s $UNIVERSAL --dport 7100 -j drop-port-denied-n-log
425. $IPTABLES -A INPUT -p UDP -s $UNIVERSAL --dport 7100 -j drop-port-denied-n-log
426. #### Transmission remote web server (custom port of 9094)
427. $IPTABLES -A INPUT -p TCP -s $UNIVERSAL --dport 9094 -j drop-port-denied-n-log
428. #### NetBus (logged)
429. $IPTABLES -A INPUT -p TCP -s $UNIVERSAL --dport 12345:12346 -j drop-port-denied-n-log
430. $IPTABLES -A INPUT -p UDP -s $UNIVERSAL --dport 12345:12346 -j drop-port-denied-n-log
431. #### Back Orifice (logged)
432. $IPTABLES -A INPUT -p TCP -s $UNIVERSAL --dport 31337 -j drop-port-denied-n-log
433. $IPTABLES -A INPUT -p UDP -s $UNIVERSAL --dport 31337 -j drop-port-denied-n-log
434.
435. # Allow internal network traffic (input)
436. $IPTABLES -A INPUT -s $INTNET -d $INTNET -j ACCEPT
437.
438. # Allow traffic through ports 1023 through 65535 to allow sockets created
439. # by connections
440. $IPTABLES -A INPUT -p TCP -s $UNIVERSAL --dport 1056:65535 -j ACCEPT
441. $IPTABLES -A INPUT -p UDP -s $UNIVERSAL --dport 1056:65535 -j ACCEPT
442.
443. # Catch all rule, DROP all other incoming. Used for troubleshooting.
444. #$IPTABLES -A INPUT -s $UNIVERSAL -d $UNIVERSAL -j drop-n-log
445.
446.
447. #####################################
448. # Table rules (FORWARD)
449. #####################################
450. # Allow established traffic to pass back and forth
451. $IPTABLES -A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,NEW -j ACCEPT
452.
453. # Catch all rule, DROP all other incoming. Used for troubleshooting.
454. #$IPTABLES -A FORWARD -j drop-n-log
This looks like a nightmare. Doesn't look like you are using STATEFUL inspection either. I'm willing to help but I need a better file to view. Run the script again and save the firewall with the following:
Code:
iptables-save > ~/firewall-rules
This will save the rules to the named file in your home directory.
this is actually a script compiled over the years from different places that I use for my laptop... I'm planning to use the same script on a server that will be running openvpn and ssh once I've gotten this script optimized. the server will already be behind the firewall on the router, however the laptop won't always be behind a router as I travel with it often.
For your Laptop you don't need anything close to this script. The following should be enough;
Code:
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:syn_flood [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m tcp -p tcp --syn -j syn_flood
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 3 -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
-A syn_flood -m limit --limit 1/s --limit-burst 3 -j RETURN
-A syn_flood -j DROP
COMMIT
Any ports you want to be able to connect to the laptop place them under the ICMP DROP rule and should look like this:
Code:
-A INPUT -m (tcp/udp) -p (tcp/udp) --dport ### -m conntrack --ctstate NEW -j ACCEPT
example:
-A INPUT -m tcp -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
All that logging is a waste of time. And it not going to help you much either on a laptop.
You really shouldn't block icmp as this is a control protocol and more than just ping.
I'm sure you believe you are doing something amassing with your script but it is a waste of time too if the server is not sitting directly on the internet. And log-level 7 isn't really needed unless you are debugging something.
So I would suggest starting out with this and work your way up as needed.
Code:
# sample configuration for iptables service
# you can edit this manually or use system-config-firewall
# please do not ask us to add additional ports/services to this default configuration
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m conntrack --ctstate NEW -m tcp --dport 943 -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -m udp --dport 1194 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
I'm not sure what all should be open here so open up the ports you require to access this server.
apologies for such a late response and I hope you're still with me. it did take me a while to find some time and courage to go through my old script to weed out all the unnecessary rules, but I've managed to do so and here below is my updated set of rules
Code:
# Generated by iptables-save v1.6.0 on Sat Oct 22 13:45:13 2016
*nat
:PREROUTING ACCEPT [40:3943]
:INPUT ACCEPT [11:616]
:OUTPUT ACCEPT [509:55551]
:POSTROUTING ACCEPT [478:53468]
COMMIT
# Completed on Sat Oct 22 13:45:13 2016
# Generated by iptables-save v1.6.0 on Sat Oct 22 13:45:13 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DLNA_ALLOW - [0:0]
:TORRENT_ALLOW - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 3 -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 10.8.4.0/24 -i tun0 -o bond0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Sat Oct 22 13:45:13 2016
the only problem I face right now is that after a reboot or even after a fresh flush of the rules, everything is set to a default of DROP before the rules are applied again. once this happens, if I don't issue a '/etc/rc.d/rc.inet1 eth0_restart' then effectively everything is blocked. any suggestions on how to work around this?
apologies for such a late response and I hope you're still with me.
No problem, I'm still here.
Quote:
it did take me a while to find some time and courage to go through my old script to weed out all the unnecessary rules, but I've managed to do so and here below is my updated set of rules
OK, one thing I noticed is you have no input rules that allow you to connect to this box from a remote connection. So this will only allow you local access to this box. This is very secure but if you are remote you will not be able to connect to this machine. I only tell you this so you are aware of the fact.
I see some things that are not required and can safely be removed if you would like.
Quote:
Code:
# Generated by iptables-save v1.6.0 on Sat Oct 22 13:45:13 2016
*nat
:PREROUTING ACCEPT [40:3943]
:INPUT ACCEPT [11:616]
:OUTPUT ACCEPT [509:55551]
:POSTROUTING ACCEPT [478:53468]
COMMIT
# Completed on Sat Oct 22 13:45:13 2016
# Generated by iptables-save v1.6.0 on Sat Oct 22 13:45:13 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
:DLNA_ALLOW - [0:0]
:TORRENT_ALLOW - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m limit --limit 1/s --limit-burst 3 -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -s 10.8.4.0/24 -i tun0 -o bond0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Sat Oct 22 13:45:13 2016
I would set them up as so:
Code:
# Generated by iptables-save v1.6.0 on Sat Oct 22 13:45:13 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -m limit --limit 1/s --limit-burst 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -m limit --limit 1/s --limit-burst 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 30 -m limit --limit 1/s --limit-burst 3 -j ACCEPT
-A INPUT -p icmp -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m conntrack --ctstate NEW,RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Sat Oct 22 13:45:13 2016
Looking at what you were doing I noticed that a few things could be changed with your FORWARD and OUTPUT rules. Since in effect you were allowing everything it was easier to just combined all your rules into one.
I also changed your ICMP rule to only allow what would be needed for normal operation. You can look up the ICMPports yourself and decide what is not needed or what you would like to add.
Quote:
the only problem I face right now is that after a reboot or even after a fresh flush of the rules, everything is set to a default of DROP before the rules are applied again. once this happens, if I don't issue a '/etc/rc.d/rc.inet1 eth0_restart' then effectively everything is blocked. any suggestions on how to work around this?
The reason everything is dropped is because your policy is set to drop. Policy is that last thing to be looked at if there were no matching rules for the packets. But a reboot should not be causing this issue as your saved rules should be loaded before the interface is brought up.
There is a way to get around this, simple set our policy to ACCEPT and then at the end of your input rule place a drop statement like so:
Code:
-A INPUT -j DROP
The same would also apply to your FORWARD setup. Not needed for OUTPUT if you make the changes I posted above.
hrmm, I'm not sure why iptables-save did not show the lines for
Code:
:DLNA_ALLOW - [0:0]
:TORRENT_ALLOW - [0:0]
but I basically had DLNA_ALLOW to open the ports required for DLNA locally to specific IPs by going to the DLNA_ALLOW chain. the same goes for the TORRENT_ALLOW chain, which opens up the port needed for torrents except this is for outside of the network. I'll see if I can get a fresh iptables-save and if not, see if I left something out.
With this set of rules, I did have to add in an extra
Code:
-A INPUT -s 192.168.100.0/24 -d 192.168.100.0/24 -j ACCEPT
to allow this machine to be seen on the Windows network. is there something better than this?
Quote:
Originally Posted by dimm0k
the only problem I face right now is that after a reboot or even after a fresh flush of the rules, everything is set to a default of DROP before the rules are applied again. once this happens, if I don't issue a '/etc/rc.d/rc.inet1 eth0_restart' then effectively everything is blocked. any suggestions on how to work around this?
as for this portion, I've narrowed it down to the arp spoof protection I had in place that basically locked the MAC address of the router... any suggestions on whether or not this is really needed and if so, is there a better way? I'll insert the command I used when I get to a home PC...
hrmm, I'm not sure why iptables-save did not show the lines for
Code:
:DLNA_ALLOW - [0:0]
:TORRENT_ALLOW - [0:0]
If you run the following;
Code:
iptables -vnL
do you see them there? If not then those rules were never loaded.
Quote:
With this set of rules, I did have to add in an extra
Code:
-A INPUT -s 192.168.100.0/24 -d 192.168.100.0/24 -j ACCEPT
to allow this machine to be seen on the Windows network. is there something better than this?
Not sure what you mean by seen, you should be able to ping this machine with the above rules.
As to INPUT rules you don't really need the -d 192.168.100.0/24.
If you are talking about logging in then that is another rule that should be added. I believe you have 2 interfaces on this system, why else would you need FORWARD rules, so I would lock this down to the interface where you would be connecting from.
Quote:
I've narrowed it down to the arp spoof protection I had in place that basically locked the MAC address of the router... any suggestions on whether or not this is really needed and if so, is there a better way? I'll insert the command I used when I get to a home PC...
Not sure how your spoof protection was stopping traffic from passing when you flushed the rules. As I stated since your POLICY were set to DROP, when you flush the rules everything would be dropped.
Not sure what you mean by seen, you should be able to ping this machine with the above rules.
As to INPUT rules you don't really need the -d 192.168.100.0/24.
If you are talking about logging in then that is another rule that should be added. I believe you have 2 interfaces on this system, why else would you need FORWARD rules, so I would lock this down to the interface where you would be connecting from.
Not sure how your spoof protection was stopping traffic from passing when you flushed the rules. As I stated since your POLICY were set to DROP, when you flush the rules everything would be dropped.
so what I meant by seen was that without the -A INPUT -s 192.168.100.0/24 -d 192.168.100.0/24 -j ACCEPT rule, I was not able to see the samba shares I had set up on this machine from another machine running Windows. if I put this line it, I can see all the shares...
as for the two FORWARD rules, one was needed for VPN and the other was more of allowing established traffic to pass back and forth.
lastly, the spoof protection I was using was with "/sbin/arp -i bond0 -s 192.168.100.1 e4:8c:8c:5c:b0:9c". I pretty much had this line run within rc.firewall so it ran after all the rules were installed. In essence the firewall rules would install, arp lockdown happened and all of the network was done until I restarted /etc/rc.d/rc.inet1 bond0. does what I did make sense now?
so what I meant by seen was that without the -A INPUT -s 192.168.100.0/24 -d 192.168.100.0/24 -j ACCEPT rule, I was not able to see the samba shares I had set up on this machine from another machine running Windows. if I put this line it, I can see all the shares...
OK then you would only need:
Code:
-A INPUT -s 192.168.100.0/24 -j ACCEPT
Quote:
as for the two FORWARD rules, one was needed for VPN and the other was more of allowing established traffic to pass back and forth.
Established traffic from where to where? I don't know your network layout so I have only what you tell me to go on.
Quote:
lastly, the spoof protection I was using was with "/sbin/arp -i bond0 -s 192.168.100.1 e4:8c:8c:5c:b0:9c". I pretty much had this line run within rc.firewall so it ran after all the rules were installed. In essence the firewall rules would install, arp lockdown happened and all of the network was done until I restarted /etc/rc.d/rc.inet1 bond0. does what I did make sense now?
Again spoof protecting should not stop traffic from passing unless someone is trying to spoof your mac address.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
