simple firewall for dial up modem (Slackware 10)
Hi
I would not normally reveal my security issues to strangers, but I have tested this firewall at www.auditmypc.com and www.pcflank.com, so although it's not perfect it may help some others? This firewall is started on Slackware 10 by the /etc/rc.d/rc.inet2 script, which is

if [ -x /etc/rc.d/rc.firewall ]; then
  /etc/rc.d/rc.firewall start
fi

I have commented out the insert module ip_tables as my kernel starts this module.

EDIT: my /etc/rc.d/rc.modules has the modem started by this line
/sbin/modprobe ppp_generic

Please note I have no ethernet card, just an external dial-up modem. If you like it, copy it to a text editor, then make it executable and test it, of course.

###########my firewall is at /etc/rc.d/rc.firewall ########
#!/bin/bash
#IPTABLES Firewall script - created by Ben Birnbaum and modified for slack by aus9
# "--dport" is the same as "--destination-port"
# PROOF READ TIPS
# -F is hyphen capital F and means flush (delete all rules in a chain)
# -P is hyphen capital P and means set the default policy of a built-in chain
#    (the verdict for packets that no rule in the chain decided on)
# -X is hyphen capital X and means delete the named user-defined chain; if no
#    name is given, it deletes every user-defined chain that is empty
# -j ACCEPT is hyphen lowercase j and capital ACCEPT and means this rule is a winner and don't
# look for any more rules, accept it and hope for the best, heh heh
#Set to the location of the iptables executable and "Z" is a code to save typing "iptables"
Z="/usr/sbin/iptables"
####insmod ip_tables
#Flush all firewall rules (stop the script)
#(errors from -X are silenced because the chains do not exist yet on first boot)
echo -n "Flushing Firewall Rules........."
$Z -F
$Z -X firewall 2>/dev/null
$Z -X syn-flood 2>/dev/null
$Z -P INPUT ACCEPT
$Z -P OUTPUT ACCEPT
$Z -P FORWARD ACCEPT
echo "DONE"
#Kernel network tuning and anti-spoofing settings
#(forwarding is enabled here as in the original; with only ppp0 and no second
# interface nothing can be forwarded, so 0 would be the conservative value)
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.tcp_max_syn_backlog=256
sysctl -w net.ipv4.tcp_syn_retries=5
sysctl -w net.ipv4.route.mtu_expires=512
sysctl -w net.ipv4.tcp_keepalive_time=7600
###sysctl -w net.ipv4.icmp_echoreply_rate=10
sysctl -w net.ipv4.tcp_fin_timeout=360
sysctl -w net.ipv4.tcp_rfc1337=1
####echo 8176 > /proc/sys/net/ipv4/ip_conntrack_max
echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 128 > /proc/sys/net/ipv4/ip_default_ttl
echo 262144 > /proc/sys/net/core/rmem_default
echo 262144 > /proc/sys/net/core/rmem_max
echo 262144 > /proc/sys/net/core/wmem_default
echo 262144 > /proc/sys/net/core/wmem_max
echo -n "Loading Firewall Rules....."
#Set default policies
$Z -F
$Z -X
$Z -F -t nat
$Z -P INPUT DROP
#Set-up the "firewall-chain" rules
$Z -N firewall
$Z -A firewall -m limit --limit 20/minute -j LOG --log-level info --log-prefix "FIREWALL: "
$Z -A firewall -j DROP
#Stuff to stop SYN Floods
$Z -N syn-flood
$Z -A syn-flood -m limit --limit 1/s --limit-burst 10 -j RETURN
$Z -A syn-flood -j LOG --log-level info --log-prefix "FIREWALL: SYN Flood Stopped: "
$Z -A syn-flood -j DROP
$Z -A INPUT -p tcp --syn -j syn-flood
#State matching stuff - to accept related and established connections.
$Z -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#ICMP Stuff
$Z -A INPUT -p icmp --icmp-type address-mask-reply -j ACCEPT
$Z -A INPUT -p icmp --icmp-type required-option-missing -j ACCEPT
$Z -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
$Z -A INPUT -p icmp --icmp-type ip-header-bad -j ACCEPT
$Z -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$Z -A INPUT -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
$Z -A INPUT -p icmp --icmp-type source-route-failed -j ACCEPT
$Z -A INPUT -p icmp --icmp-type network-unknown -j ACCEPT
$Z -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$Z -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
# Allow loopback traffic.
$Z -A INPUT -i lo -j ACCEPT
$Z -A OUTPUT -o lo -j ACCEPT
#Some deny stuff that we don't want to log (NetBIOS and DHCP noise)
$Z -A INPUT -p udp --dport 137 -j DROP
$Z -A INPUT -p udp --dport 138 -j DROP
$Z -A INPUT -p udp --dport 67 -j DROP
$Z -A INPUT -p udp --dport 68 -j DROP
#Send everything else to the firewall chain - DENY it and LOG it.
$Z -A INPUT -p icmp -j firewall
$Z -A INPUT -p tcp --syn -j firewall
$Z -A INPUT -p udp -j firewall
echo "DONE"
########## end of file ###########

If others can spot any mistakes, cos I am NO expert, feel free to comment etc.
Looks good. First thing I'd do is chop off the IN chain, either using DROP or allowing only ESTABLISHED, RELATED. If you're running services you could define subchains for them. (Not directly related to this, but remember if you're running services you've got more options to curb access if daemons are TCP wrappers aware (compiled with libwrap: /etc/hosts.deny, /etc/hosts.allow), and that running services through (X)inetd gives you even more capabilities.) Personal choice, but I drop both in- and outbound traffic to unroutables I don't use (Google for IANA, "LAN range", bogon(s)). Personal choice, but I don't like to mix things: sysctl for me goes in /etc/sysctl.* files (they won't work anyway on boot once Grsecurity sealed access off), so they become executable at will; OTOH, something you may want to incorporate if you're sealing off module-loading capabilities (see Grsecurity, Lcap) is preloading modules.
Logging is knowing. Good you end the script with that. Please check yourself if you missed anything else: check out the LQ FAQ: Security references. We've got some info and URIs to Iptables script repositories.
unSpawn
I have just had a quick look myself, and it looks like the script has (2) input policies. In the section under #Flush all firewall rules (stop the script) my input is ACCEPT, and then I appear to correct it under #Set default policies with a policy for input to DROP. Then I amend that under #State matching stuff - to accept related and established connections. $Z -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT Or are you alluding to something else? BTW, it's going to take me years to cover all your links, so any clues you can give on this one will be greatly appreciated.
In the section under #Flush.*Then I amend that under #State matching stuff - to accept related and established connections.
You're right. That teaches me to quickscan scripts instead of reading them well...
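The policy question raised above (a chain policy versus its ACCEPT rules) comes down to evaluation order, so here is a small Python model of the INPUT chain that the rc.firewall script in the first post builds. This is an added example, not code from the thread: chain names, rule order and log prefixes follow the script, while the two -m limit matches are reduced to a simple token budget for the syn-flood chain (assumed, not a real rate limiter).

```python
from dataclasses import dataclass
ACCEPTED_ICMP = {  # types the script accepts; echo-request is also rate-limited there
    "address-mask-reply", "required-option-missing", "parameter-problem",
    "ip-header-bad", "time-exceeded", "TOS-host-unreachable",
    "source-route-failed", "network-unknown", "echo-reply", "echo-request"}

@dataclass
class Packet:
    proto: str               # "tcp", "udp" or "icmp"
    dport: int = 0
    syn: bool = False        # TCP SYN, i.e. a new inbound connection attempt
    state: str = "NEW"       # conntrack state: NEW, ESTABLISHED or RELATED
    icmp_type: str = ""
    iface: str = "ppp0"      # the modem link; "lo" for loopback
    log_prefix: str = ""     # filled in when a LOG target fires

def build_chains(syn_burst=10):
    """Chains as (match, target) lists in the script's -A order; syn_burst models --limit-burst."""
    budget = iter(range(syn_burst))  # first syn_burst SYNs RETURN from syn-flood, the rest drop
    return {
        "syn-flood": [(lambda p: next(budget, None) is not None, "RETURN"),
                      (lambda p: True, "LOG FIREWALL: SYN Flood Stopped: "),
                      (lambda p: True, "DROP")],
        "firewall": [(lambda p: True, "LOG FIREWALL: "), (lambda p: True, "DROP")],
        "INPUT": [
            (lambda p: p.proto == "tcp" and p.syn, "chain:syn-flood"),
            (lambda p: p.state in ("RELATED", "ESTABLISHED"), "ACCEPT"),
            (lambda p: p.proto == "icmp" and p.icmp_type in ACCEPTED_ICMP, "ACCEPT"),
            (lambda p: p.iface == "lo", "ACCEPT"),
            (lambda p: p.proto == "udp" and p.dport in (137, 138, 67, 68), "DROP"),
            (lambda p: p.proto != "tcp" or p.syn, "chain:firewall"),  # icmp, udp, tcp --syn
        ],
    }

def walk(packet, chains, name):
    """ACCEPT/DROP once a rule decides; None after RETURN or when the chain runs out."""
    for match, target in chains[name]:
        if not match(packet):
            continue
        if target.startswith("LOG "):        # LOG does not terminate: record it and go on
            packet.log_prefix = target[4:]
        elif target == "RETURN":
            return None
        elif target.startswith("chain:"):    # a user chain that RETURNs has not decided
            if (verdict := walk(packet, chains, target[6:])) is not None:
                return verdict
        else:
            return target                    # ACCEPT or DROP
    return None

def simulate(packets, syn_burst=10):
    """Verdict per packet; the '-P INPUT DROP' policy applies only when no rule decided."""
    chains = build_chains(syn_burst)
    return [walk(p, chains, "INPUT") or "DROP" for p in packets]
```

Note the non-SYN NEW TCP packet (an ACK probe) in the cases below: no rule matches it, so it is dropped by the policy and never logged, which is the one place the policy, rather than a rule, decides.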