LinuxQuestions.org
#1 - aus9 - 08-12-2004, 05:19 AM
simple firewall for dial up modem (Slackware 10)


Hi

I would not normally reveal my security issues to strangers, but I have tested this firewall at
www.auditmypc.com and www.pcflank.com, so although it's not perfect it may help some others.

This firewall is started on Slackware 10 by the /etc/rc.d/rc.inet2 script, which contains:
if [ -x /etc/rc.d/rc.firewall ]; then
  /etc/rc.d/rc.firewall start
fi

I have commented out the insmod ip_tables line, as my kernel starts this module.
EDIT: My /etc/rc.d/rc.modules has the modem started by this line:
/sbin/modprobe ppp_generic

Please note I have no ethernet card, just an external dial-up modem.

If you like it, copy to a text editor then make it executable and test it of course.

###########my firewall is at /etc/rc.d/rc.firewall ########

#!/bin/bash

#IPTABLES Firewall script - created by Ben Birnbaum and modified for slack by aus9
# "--dport" is the same as "--destination-port"
# PROOF READ TIPS
# -F is hyphen capital F and means flush (delete every rule in a chain)
# -P is hyphen capital P and means set the default policy of a built-in chain
# -X is hyphen capital X and means delete the user-defined chain named after it;
# if no chain is named, X deletes all empty user-defined chains
# -j ACCEPT is hyphen lowercase j and capital accept and means this rule is a winner and don't
# look for any more rules, accept it and hope for the best, heh heh

#Set to the location of the iptables executable and "Z" is a code to save typing "iptables"
Z="/usr/sbin/iptables"
####insmod ip_tables

#Flush all firewall rules (stop the script)
echo -n "Flushing Firewall Rules........."
$Z -F
$Z -X firewall 2>/dev/null   # these chains do not exist yet on the first run
$Z -X syn-flood 2>/dev/null
$Z -P INPUT ACCEPT
$Z -P OUTPUT ACCEPT
$Z -P FORWARD ACCEPT
echo "DONE"

#Kernel network tuning and spoofing protection
#NOTE: ip_forward=1 turns on routing between interfaces; a single dial-up host
#with no ethernet card does not need it (use 0 unless you route for other machines)
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.tcp_max_syn_backlog=256
sysctl -w net.ipv4.tcp_syn_retries=5
sysctl -w net.ipv4.route.mtu_expires=512
sysctl -w net.ipv4.tcp_keepalive_time=7600
###sysctl -w net.ipv4.icmp_echoreply_rate=10
sysctl -w net.ipv4.tcp_fin_timeout=360
sysctl -w net.ipv4.tcp_rfc1337=1
####echo 8176 > /proc/sys/net/ipv4/ip_conntrack_max
echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 128 > /proc/sys/net/ipv4/ip_default_ttl
echo 262144 > /proc/sys/net/core/rmem_default
echo 262144 > /proc/sys/net/core/rmem_max
echo 262144 > /proc/sys/net/core/wmem_default
echo 262144 > /proc/sys/net/core/wmem_max


echo -n "Loading Firewall Rules....."

#Set default policies
$Z -F
$Z -X
$Z -F -t nat
$Z -P INPUT DROP

#Set-up the "firewall-chain" rules
$Z -N firewall
$Z -A firewall -m limit --limit 20/minute -j LOG --log-level info --log-prefix "FIREWALL: "
$Z -A firewall -j DROP


#Stuff to stop SYN Floods
$Z -N syn-flood
$Z -A syn-flood -m limit --limit 1/s --limit-burst 10 -j RETURN
$Z -A syn-flood -j LOG --log-level info --log-prefix "FIREWALL: SYN Flood Stopped: "
$Z -A syn-flood -j DROP
$Z -A INPUT -p tcp --syn -j syn-flood


#State matching stuff - to accept related and established connections.
$Z -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#ICMP Stuff
$Z -A INPUT -p icmp --icmp-type address-mask-reply -j ACCEPT
$Z -A INPUT -p icmp --icmp-type required-option-missing -j ACCEPT
$Z -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
$Z -A INPUT -p icmp --icmp-type ip-header-bad -j ACCEPT
$Z -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$Z -A INPUT -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
$Z -A INPUT -p icmp --icmp-type source-route-failed -j ACCEPT
$Z -A INPUT -p icmp --icmp-type network-unknown -j ACCEPT
$Z -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$Z -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

# Allow loopback traffic.
$Z -A INPUT -i lo -j ACCEPT
$Z -A OUTPUT -o lo -j ACCEPT

#Some deny stuff that we don't want to log
$Z -A INPUT -p udp --dport 137 -j DROP
$Z -A INPUT -p udp --dport 138 -j DROP
$Z -A INPUT -p udp --dport 67 -j DROP
$Z -A INPUT -p udp --dport 68 -j DROP

#Send everything else to the firewall chain - DENY it and LOG it.
$Z -A INPUT -p icmp -j firewall
$Z -A INPUT -p tcp --syn -j firewall
$Z -A INPUT -p udp -j firewall

echo "DONE"


########## end of file ###########


If others can spot any mistakes (because I am NO expert), feel free to comment etc.

Last edited by aus9; 08-12-2004 at 12:32 PM.
 
#2 - unSpawn (Moderator) - 08-28-2004, 06:00 AM
Looks good. First thing I'd do is chop off the IN chain either using DROP or allowing only ESTABLISHED, RELATED. If you're running services you could define subchains for them. (Not directly related to this, but remember if you're running services you've got more options to curb access if daemons are TCP wrappers aware (compiled with libwrap: /etc/hosts.deny, /etc/hosts.allow) and that running services through (X)inetd gives you even more capabilities.) Personal choice, but I drop both in- and outbound traffic to unroutables I don't use (Google for IANA, "LAN range", bogon(s)). Personal choice, but I don't like to mix things: sysctl for me goes in /etc/sysctl.* files (they won't work anyway on boot once Grsecurity sealed access off), so they become executable at will. OTOH, something you may want to incorporate if you're sealing off module-loading capabilities (see Grsecurity, Lcap) is preloading modules.
Logging is knowing. Good you end the script with that.


Please check yourself if you missed anything else: check out the LQ FAQ: Security references. We've got some info and URIs to Iptables script repositories.
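Since the script's two LOG rules are only useful if someone reads what they write, here is an added example (not code from either poster) that summarises the kernel-log entries they produce: how many packets were dropped, from which sources, and which ports or ICMP types were probed. The sample log lines are constructed to match the layout of the iptables LOG target with the "FIREWALL: " prefixes used above; the hostname and addresses are made up.

```python
import re
from collections import Counter

# Constructed sample kernel-log lines in the layout the iptables LOG target
# writes, using the two "FIREWALL: " prefixes from the rc.firewall script.
SAMPLE_LOG = """\
Aug 12 05:20:01 slack kernel: FIREWALL: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TTL=116 ID=1 DF PROTO=TCP SPT=3456 DPT=135 SYN URGP=0
Aug 12 05:20:02 slack kernel: FIREWALL: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=48 TTL=116 ID=2 DF PROTO=TCP SPT=3457 DPT=445 SYN URGP=0
Aug 12 05:20:05 slack kernel: FIREWALL: IN=ppp0 OUT= SRC=192.0.2.44 DST=198.51.100.7 LEN=78 TTL=52 ID=3 PROTO=UDP SPT=1900 DPT=1434 LEN=58
Aug 12 05:20:09 slack kernel: FIREWALL: SYN Flood Stopped: IN=ppp0 OUT= SRC=192.0.2.99 DST=198.51.100.7 LEN=40 TTL=64 ID=4 PROTO=TCP SPT=80 DPT=22 SYN URGP=0
Aug 12 05:20:10 slack kernel: FIREWALL: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=60 TTL=116 ID=5 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
"""
PREFIX_RE = re.compile(r"kernel: (FIREWALL: (?:SYN Flood Stopped: )?)(.*)")
FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line):
    """Return the KEY=VALUE fields of one FIREWALL entry, or None for other lines."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    prefix, rest = m.groups()
    fields = {"PREFIX": prefix.strip()}
    for key, value in FIELD_RE.findall(rest):
        fields.setdefault(key, value)  # ICMP lines repeat ID=; keep the IP header's
    return fields

def service_of(fields):
    """Identify what was probed: destination port for TCP/UDP, type for ICMP."""
    proto = fields.get("PROTO", "?")
    if proto == "ICMP":
        return (proto, "type " + fields.get("TYPE", "?"))
    return (proto, fields.get("DPT", "?"))

def summarize(log_text):
    """Count logged drops by source address and by probed service."""
    s = {"total": 0, "syn_flood": 0, "by_source": Counter(), "by_service": Counter()}
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields is None:
            continue
        s["total"] += 1
        s["syn_flood"] += "SYN Flood" in fields["PREFIX"]
        s["by_source"][fields.get("SRC", "?")] += 1
        s["by_service"][service_of(fields)] += 1
    return s

if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(s["total"], "drops logged;", s["syn_flood"], "from the syn-flood chain")
    print("top sources:", s["by_source"].most_common(2), "probed:", s["by_service"].most_common(2))
```

On a real system feed it the output of `grep FIREWALL: /var/log/messages` (or wherever syslog puts kernel messages) instead of SAMPLE_LOG.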
 
#3 - aus9 (Original Poster) - 08-28-2004, 10:34 AM
unSpawn

I have just had a quick look myself, and it looks like the script has (2) input policies.
In the section under #Flush all firewall rules (stop the script) my input is ACCEPT
and then I appear to correct it under #Set default policies with a policy for input to DROP.

Then I amend that under #State matching stuff - to accept related and established connections.
$Z -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

Or are you alluding to something else?

BTW, it's going to take me years to cover all your links, so any clues you can give on this one will be greatly appreciated.
 
#4 - unSpawn (Moderator) - 08-28-2004, 02:09 PM
Quote (aus9): In the section under #Flush.*Then I amend that under #State matching stuff - to accept related and established connections.
You're right. That teaches me to quickscan scripts instead of reading them well...
 
  

