LinuxQuestions.org
Old 08-02-2007, 04:17 AM   #1
bakfupai
Member
 
Registered: Apr 2006
Location: Sweden
Distribution: CentOS, RHEL, SourceMage, OpenBSD
Posts: 40

Rep: Reputation: 15
Some feedback on this firewall config


Hi, I've spent some time lately learning iptables better. So now I've made this firewall for my GNU/Linux server that contains some of the things I've learnt. So I was wondering if you can give me some feedback on the things I've done right and the things I've done not so right (pretty sure FTP is set up wrong). Anyway, here's what you need to know about my network:

I sometimes use VNC over an SSH tunnel and that's why I allow VNC (port 5900-5902) from localhost to localhost.
I sometimes use Remote Administrator (port 4899) on my Windows box (192.168.1.19), also over an SSH tunnel.

The server is running the following services:
NFS (2049, 32765-32767 TCP/UDP)
Samba (137, 138 UDP, 139, 445 TCP)
FTP (2121, 22000-24000 TCP)
Portmap (111 TCP/UDP)
HTTP (443 TCP)
SSH (22 TCP)

Here's the firewall config:
Code:
#!/bin/bash
if [ $UID -ne 0 ]; then
        echo "you must run this script as root"
        exit 1
fi

SELF_IP="192.168.1.4"
INT_NET="192.168.1.0/24"
PATH=/usr/sbin:/sbin:/bin:/usr/bin
IPTABLES=/sbin/iptables

# CLEAR ALL OLD RULES

"$IPTABLES" -F
"$IPTABLES" -t nat -F
"$IPTABLES" -P INPUT ACCEPT
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -P FORWARD ACCEPT
echo 0 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
"$IPTABLES" -X logdrop 2> /dev/null
"$IPTABLES" -X logaccept 2> /dev/null

# POLICY SECTION
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD ACCEPT
"$IPTABLES" -A INPUT -m state --state INVALID -j DROP

# CUSTOM CHAINS
"$IPTABLES" -N logdrop
"$IPTABLES" -A logdrop -j LOG --log-level info --log-prefix "Firewall [ DROP ]: " 
"$IPTABLES" -A logdrop -j DROP

"$IPTABLES" -N logaccept
"$IPTABLES" -A logaccept -j LOG --log-level info --log-prefix "Firewall [ ACCEPT ]: "
"$IPTABLES" -A logaccept -j ACCEPT

# ALLOW ESTABLISHED TRAFFIC
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 
"$IPTABLES" -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# PREVENT FLOODS
"$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
"$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# INBOUND PORTS
# TCP
# EXTERNAL SERVICES
"$IPTABLES" -A INPUT -p tcp --dport 22 -d "$SELF_IP" -m state --state NEW -j logaccept
"$IPTABLES" -A INPUT -p tcp --dport 22000:24000 -d "$SELF_IP" -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p tcp --dport 443 -d "$SELF_IP" -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p tcp --dport 2121 -d "$SELF_IP" -m state --state NEW -j ACCEPT

# INTERNAL SERVICES
"$IPTABLES" -A INPUT -p tcp -s "$INT_NET" --dport 2049 -d "$SELF_IP" -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -s "$INT_NET" --dport 111 -d "$SELF_IP" -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -s "$INT_NET" --dport 139 -d "$SELF_IP" -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -s "$INT_NET" --dport 445 -d "$SELF_IP" -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -s "$INT_NET" --dport 32765 -d "$SELF_IP" -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -s "$INT_NET" --dport 32767 -d "$SELF_IP" -m state --state NEW -j ACCEPT

# LOCALHOST SERVICES
"$IPTABLES" -A INPUT -p tcp --dport 25 -s 127.0.0.1 -d 127.0.0.1 -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p tcp --dport 5900:5902 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# DROP AND LOG THE REST
"$IPTABLES" -A INPUT -p tcp -j logdrop

# UDP
# INTERNAL SERVICES
"$IPTABLES" -A INPUT -p udp -s "$INT_NET" --dport 111 -d "$SELF_IP" -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p udp -s "$INT_NET" --dport 137:138 -d "$SELF_IP" -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p udp -s "$INT_NET" --dport 2049 -d "$SELF_IP" -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p udp -s "$INT_NET" --dport 32765:32767 -d "$SELF_IP" -m state --state NEW -j ACCEPT

# DROP AND LOG THE REST
"$IPTABLES" -A INPUT -p udp -j logdrop


# OUTBOUND PORTS
# ICMP
"$IPTABLES" -A OUTPUT -p icmp -j ACCEPT

# TCP
"$IPTABLES" -A OUTPUT -p tcp -o eth0 --dport 21 -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -o eth0 --dport 22 -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -o eth0 --dport 80 -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -o eth0 --dport 443 -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -o eth0 --dport 53 -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -o eth0 --dport 113 -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -o eth0 -m owner --uid-owner 0 --dport 67 -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -o eth0 -m owner --uid-owner 1000 -d 192.168.1.19 --dport 4899 -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -m owner --uid-owner 1000 -d 127.0.0.1 --dport 5900:5902 -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -o eth0 --sport 2121 -m state --state ESTABLISHED -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -o eth0 --sport 22000:24000 -m state --state NEW,ESTABLISHED -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -j logdrop

# UDP
"$IPTABLES" -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
"$IPTABLES" -A OUTPUT -p udp -j logdrop

# ADDITIONAL SECURITY
# TURN ON LINUX KERNEL SUPPORT FOR SPOOF AND DOS PROTECTION
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# TURN ON SOURCE ADDRESS VERIFICATION
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# TURN ON ADDITIONAL LOGGING
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
 
Old 08-02-2007, 04:56 AM   #2
Nathanael
Member
 
Registered: May 2004
Location: Karlsruhe, Germany
Distribution: debian, gentoo, os x (darwin), ubuntu
Posts: 940

Rep: Reputation: 33
if you want to protect against syn flooding, i would get some info on that if i were you,
limiting to one syn every 1 second will not protect you in any way!!
limit syn packets to 3 or 5 in 3 minutes is more helpful.

dns is usually over udp, unless you are doing zone transfers (axfr)

if the dhcp server is running on that machine too, then you need no rules to allow it, as you will not be able to interfere with dhcp packets. dhcp (server & client) listen directly to the wire, does not even pass through iptables on the machine where the dhcp server / client is running - at least not before the client / server have read the packet.

i would not put ESTABLISHED,RELATED in output, i would specify the source ports in the output chain, to make sure your server does not respond to anything once someone got in
 
Old 08-02-2007, 06:23 AM   #3
bakfupai
Member
 
Registered: Apr 2006
Location: Sweden
Distribution: CentOS, RHEL, SourceMage, OpenBSD
Posts: 40

Original Poster
Rep: Reputation: 15
Code:
#!/bin/bash
if [ $UID -ne 0 ]; then
        echo "you must run this script as root"
        exit 1
fi

SELF_IP="192.168.1.4"
INT_NET="192.168.1.0/24"
PATH=/usr/sbin:/sbin:/bin:/usr/bin
IPTABLES=/sbin/iptables

# CLEAR ALL OLD RULES

"$IPTABLES" -F
"$IPTABLES" -t nat -F
"$IPTABLES" -P INPUT ACCEPT
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -P FORWARD ACCEPT
echo 0 > /proc/sys/net/ipv4/tcp_syncookies
echo 0 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/log_martians
"$IPTABLES" -X logdrop 2> /dev/null
"$IPTABLES" -X logaccept 2> /dev/null

# POLICY SECTION
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -P OUTPUT DROP
"$IPTABLES" -P FORWARD ACCEPT
"$IPTABLES" -A INPUT -m state --state INVALID -j DROP

# CUSTOM CHAINS
"$IPTABLES" -N logdrop
"$IPTABLES" -A logdrop -j LOG --log-level info --log-prefix "Firewall [ DROP ]: " 
"$IPTABLES" -A logdrop -j DROP

"$IPTABLES" -N logaccept
"$IPTABLES" -A logaccept -j LOG --log-level info --log-prefix "Firewall [ ACCEPT ]: "
"$IPTABLES" -A logaccept -j ACCEPT

# ALLOW ESTABLISHED TRAFFIC
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT 

# PREVENT FLOODS
"$IPTABLES" -A INPUT -p tcp --syn -m limit --limit 1/m -j ACCEPT
"$IPTABLES" -A INPUT -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT
"$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT

# INBOUND PORTS
# TCP
# EXTERNAL SERVICES
"$IPTABLES" -A INPUT -p tcp --dport 22 -d "$SELF_IP" -m state --state NEW -j logaccept
"$IPTABLES" -A INPUT -p tcp --dport 22000:24000 -d "$SELF_IP" -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p tcp --dport 443 -d "$SELF_IP" -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p tcp --dport 2121 -d "$SELF_IP" -m state --state NEW -j ACCEPT

# INTERNAL SERVICES
"$IPTABLES" -A INPUT -p tcp -s "$INT_NET" --dport 2049 -d "$SELF_IP" -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -s "$INT_NET" --dport 111 -d "$SELF_IP" -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -s "$INT_NET" --dport 139 -d "$SELF_IP" -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -s "$INT_NET" --dport 445 -d "$SELF_IP" -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -s "$INT_NET" --dport 32765 -d "$SELF_IP" -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p tcp -s "$INT_NET" --dport 32767 -d "$SELF_IP" -m state --state NEW -j ACCEPT

# LOCALHOST SERVICES
"$IPTABLES" -A INPUT -p tcp --dport 25 -s 127.0.0.1 -d 127.0.0.1 -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p tcp --dport 5900:5902 -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT

# DROP AND LOG THE REST
"$IPTABLES" -A INPUT -p tcp -j logdrop

# UDP
# INTERNAL SERVICES
"$IPTABLES" -A INPUT -p udp -s "$INT_NET" --dport 111 -d "$SELF_IP" -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p udp -s "$INT_NET" --dport 137:138 -d "$SELF_IP" -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p udp -s "$INT_NET" --dport 2049 -d "$SELF_IP" -m state --state NEW -j ACCEPT
"$IPTABLES" -A INPUT -p udp -s "$INT_NET" --dport 32765:32767 -d "$SELF_IP" -m state --state NEW -j ACCEPT

# DROP AND LOG THE REST
"$IPTABLES" -A INPUT -p udp -j logdrop


# OUTBOUND PORTS
# ICMP
"$IPTABLES" -A OUTPUT -p icmp -j ACCEPT

# TCP
"$IPTABLES" -A OUTPUT -p tcp -o eth0 --sport 22 -m state --state ESTABLISHED -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -o eth0 --sport 443 -m state --state ESTABLISHED -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -o eth0 --sport 2121 -m state --state ESTABLISHED -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -o eth0 --sport 22000:24000 -m state --state NEW,ESTABLISHED -j ACCEPT

"$IPTABLES" -A OUTPUT -p tcp -o eth0 --dport 21 -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -o eth0 --dport 80 -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -o eth0 --dport 113 -m state --state NEW,ESTABLISHED -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -o eth0 -m owner --uid-owner 1000 -d 192.168.1.19 --dport 4899 -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -m owner --uid-owner 1000 -d 127.0.0.1 --dport 5900:5902 -m state --state NEW -j ACCEPT
"$IPTABLES" -A OUTPUT -p tcp -j logdrop

# UDP
"$IPTABLES" -A OUTPUT -p udp -o eth0 --dport 53 -j ACCEPT
"$IPTABLES" -A OUTPUT -p udp -j logdrop

# ADDITIONAL SECURITY
# TURN ON LINUX KERNEL SUPPORT FOR SPOOF AND DOS PROTECTION
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# TURN ON SOURCE ADDRESS VERIFICATION
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter

# TURN ON ADDITIONAL LOGGING
echo 1 > /proc/sys/net/ipv4/conf/all/log_martians
So something like this? I removed the TCP entry for DNS and DHCP, added a rule to prevent SYN floods. I also removed the ESTABLISHED,RELATED entry in OUTPUT and allowed ESTABLISHED traffic from the source ports instead. Not sure if that's how I should do it but it makes sense to me.

Maybe the SYN flood rule isn't needed since I have:
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
And that is supposed to accomplish the same thing.

Is there anything else that could be better?
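The SYN-flood rule in the revised script above (`--syn -m limit --limit 1/m -j ACCEPT`) sits in front of the per-port NEW rules, so a SYN that is over the limit does not get dropped; it just fails the limit match and falls through to the next rule, where the port-22 rule accepts it anyway. Meanwhile the first few SYNs to any port, including ports that are not open in the script, are accepted by the limit rule. The following simulation is an added example, not code from the thread or from either poster: it models netfilter's first-match chain walk, user chains with RETURN, and the token bucket behind `-m limit` (rate plus the default burst of 5), and runs a constructed burst of 1000 SYNs through the ordering as posted and through the common limit-then-drop ordering (a `syn_flood` user chain that RETURNs while under the limit and DROPs the rest). The `syn_flood` chain name, the rule subset and the traffic are assumptions made for the example.

```python
"""Model of how netfilter walks a chain (first matching rule wins, user chains
may RETURN) plus the token bucket behind `-m limit`, used to compare the
`--syn -m limit --limit 1/m -j ACCEPT` rule from the revised script with the
usual limit-then-drop ordering.  Added example, not code from the thread;
the rules and the traffic below are constructed."""
from typing import Dict, List, Optional, Tuple

Packet = dict   # constructed packet: {"syn": bool, "dport": int}


class Limit:
    """`-m limit --limit <rate> --limit-burst <burst>`: a token bucket that
    starts full, refills at `rate` tokens per second and caps at `burst`
    (5 is the iptables default burst)."""

    def __init__(self, rate: float, burst: int = 5):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allows(self, now: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class Rule:
    """One rule: optional --syn, --dport and -m limit matches, and a target
    that is ACCEPT, DROP, RETURN or the name of a user chain to jump to."""

    def __init__(self, target: str, syn: bool = False,
                 dport: Optional[int] = None, limit: Optional[Limit] = None):
        self.target, self.syn, self.dport, self.limit = target, syn, dport, limit

    def matches(self, pkt: Packet, now: float) -> bool:
        if self.syn and not pkt["syn"]:
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        # The limit match only consumes a token when the other matches passed.
        return self.limit is None or self.limit.allows(now)


Chains = Dict[str, List[Rule]]


def walk(chains: Chains, name: str, pkt: Packet, now: float) -> Optional[str]:
    """Return ACCEPT/DROP from the first terminating rule, or None when the
    chain falls through (or a user chain RETURNs) so the caller continues."""
    for rule in chains[name]:
        if not rule.matches(pkt, now):
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return None
        verdict = walk(chains, rule.target, pkt, now)   # jump to a user chain
        if verdict is not None:
            return verdict
    return None


def run_input(chains: Chains, packets: List[Tuple[float, Packet]],
              policy: str = "DROP") -> Dict[str, int]:
    """Feed timestamped packets through INPUT; unmatched packets hit the policy."""
    verdicts = {"ACCEPT": 0, "DROP": 0}
    for now, pkt in packets:
        verdicts[walk(chains, "INPUT", pkt, now) or policy] += 1
    return verdicts


def syn_burst(dport: int, count: int, pps: int) -> List[Tuple[float, Packet]]:
    """Constructed traffic: `count` SYNs to `dport`, evenly spaced at `pps`/s."""
    return [(i / pps, {"syn": True, "dport": dport}) for i in range(count)]


def as_posted() -> Chains:
    """Ordering from the revised script: the rate-limited ACCEPT sits in front
    of the per-port NEW rules, so SYNs above the limit simply fall through."""
    return {"INPUT": [
        Rule("ACCEPT", syn=True, limit=Limit(rate=1 / 60)),   # --syn -m limit --limit 1/m -j ACCEPT
        Rule("ACCEPT", syn=True, dport=22),                   # --dport 22 --state NEW -j logaccept
        Rule("DROP"),                                         # -p tcp -j logdrop
    ]}


def limit_then_drop() -> Chains:
    """Usual pattern (chain name assumed): every SYN goes to a user chain that
    RETURNs while under the limit and DROPs the rest, so the port rules only
    ever see admitted SYNs."""
    return {
        "INPUT": [
            Rule("syn_flood", syn=True),                       # --syn -j syn_flood
            Rule("ACCEPT", syn=True, dport=22),
            Rule("DROP"),
        ],
        "syn_flood": [
            Rule("RETURN", limit=Limit(rate=1 / 60)),          # -m limit --limit 1/m -j RETURN
            Rule("DROP"),                                      # -j DROP
        ],
    }


if __name__ == "__main__":
    for label, build in (("as posted", as_posted), ("limit then drop", limit_then_drop)):
        for port in (22, 9999):
            print(label, port, run_input(build(), syn_burst(port, 1000, 1000)))
```

Running it shows the difference: as posted, all 1000 SYNs to port 22 are accepted and the first 5 SYNs to the closed port 9999 are accepted too; with the limit-then-drop ordering, port 22 admits only the burst of 5 and port 9999 admits none. Two caveats a practitioner would keep in mind: `-m limit` is a single global bucket, so during a real flood legitimate clients are capped along with the flood (per-source limiting is what `-m hashlimit` with `--hashlimit-mode srcip` is for), and `tcp_syncookies` addresses backlog exhaustion in the kernel independently of any iptables rule, so the two are complementary rather than interchangeable.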