LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-17-2007, 02:37 PM   #1
ULADK
LQ Newbie
 
Registered: May 2003
Location: UK
Distribution: Slackware Current
Posts: 26

Rep: Reputation: 15
Post Does my iptables script cut it?


Hello everyone,

I've created my first iptables firewall from my research and a parts of other scripts on the net.

I'd like some to ask if you could review it's effectiveness. Anything that needs to be added, removed or moved?

Below is the full script (/etc/rc.d/rc.firewall) and at the very end is the status output.

Thank you.


Code:
#!/bin/sh

# Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24 
# bits of the 32 bit IP adress. the same as netmask 255.255.255.0

  LAN_IP="10.168.2.2"
  LAN_IP_RANGE="10.168.2.0/24"
  LAN_BCAST_ADRESS="10.168.2.255"
  LAN_IFACE="wlan0"


# Localhost Configuration.

  LO_IFACE="lo"
  LO_IP="127.0.0.1"


# Internet Configuration.

  INET_IP="x.x.x.x"
  INET_IFACE="wlan0"


# IPTables Configuration.

  IPT="/usr/sbin/iptables"
  MODULE="ip_tables iptable_nat iptable_mangle iptable_filter ipt_state ipt_LOG ip_conntrack nfnetlink_queue nfnetlink ipt_NFQUEUE"
  IPFORWARD="0"
  TCP_IN=""
  TCP_OUT="ftp http https 1863 mmcc aol"
  UDP_IN=""
  UDP_OUT=""


# MoBlock Configuration

  ACTIVATE_CHAINS=1
  WHITE_TCP_IN=""
  WHITE_UDP_IN=""
  WHITE_TCP_OUT="http https"
  WHITE_UDP_OUT=""
  WHITE_TCP_FW=""
  WHITE_UDP_FW=""


############################################################################

   # Start Firewall
   start_firewall() {

     # Load modules
     for modules in $MODULE ; do
        modprobe $modules #2> /dev/null
        echo "Firewall: loading module  [ OK ]  $modules"
     done

     echo "Firewall: Optimal policy | LOADED."

     # Disable TCP timestamps to reduce TCP stack workload:
     echo "0" > /proc/sys/net/ipv4/tcp_timestamps

     # Enable TCP SYN Cookie Protection:
     if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
        echo "1" > /proc/sys/net/ipv4/tcp_syncookies
     fi

     # Enable reverse path filtering for anti-spoofing:
     echo "1" > in /proc/sys/net/ipv4/conf/all/rp_filter

     # Allow redirects from trusted gateways only:
     echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects

     # Do not send Redirect Messages:
     echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects

     # Disable ICMP Redirect Acceptance:
     echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
	
     # Disable source routed packets as they are ridiculous:
     echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
	
     # Ignore PINGs which have been BROADCAST (broadcast echo protection):
     echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

     # Enable bad error message protection
     echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses

     # Enable or disable IP forwarding
     echo "$IPFORWARD" > /proc/sys/net/ipv4/ip_forward
     if [ `cat /proc/sys/net/ipv4/ip_forward` -eq 0 ]; then
        echo "Firewall: IP forwarding disabled."
     else 
        echo "Firewall: IP forwarding enabled."
     fi;

     # Log spoofed packets, source-routed packets, and redirect packets
     echo "1" > /proc/sys/net/ipv4/conf/all/log_martians


     # Default Policies for no match
     $IPT -P INPUT DROP
     $IPT -P OUTPUT ACCEPT
     $IPT -P FORWARD DROP

     # Create a chain to filter INVALID packets
     $IPT -N BAD_PKTS
     # Create another chain to filter bad tcp packets
     $IPT -N BAD_TCPPKTS
     # Create separate chains for ICMP
     $IPT -N ICMP_PKTS
     # Create MoBlock Chains
     $IPT -N MOBLOCK_IN
     $IPT -N MOBLOCK_OUT
     $IPT -N MOBLOCK_FW


     #### BAD_PKTS chain ################

     # Drop INVALID packets immediately
     $IPT -A BAD_PKTS -p ALL -m state --state INVALID -j LOG --log-prefix "fp=BAD_PKTS:1 a=DROP "
     $IPT -A BAD_PKTS -p ALL -m state --state INVALID -j DROP

     # Then check the tcp packets for additional problems
     $IPT -A BAD_PKTS -p tcp -j BAD_TCPPKTS

     # All good, so return
     $IPT -A BAD_PKTS -p ALL -j RETURN


     #### BAD_TCPPKTS chain #############

     # All tcp pkts will traverse this chain. Every new connection attempt should begin with a syn packet.
     # If not, it's likely a port scan. This drops pkts in state NEW that are not flagged as syn pkts.
     $IPT -A BAD_TCPPKTS -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "fp=BAD_TCPPKTS:1 a=DROP "
     $IPT -A BAD_TCPPKTS -p tcp ! --syn -m state --state NEW -j DROP
     $IPT -A BAD_TCPPKTS -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "fp=BAD_TCPPKTS:2 a=DROP "
     $IPT -A BAD_TCPPKTS -p tcp --tcp-flags ALL NONE -j DROP
     $IPT -A BAD_TCPPKTS -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "fp=BAD_TCPPKTS:3 a=DROP "
     $IPT -A BAD_TCPPKTS -p tcp --tcp-flags ALL ALL -j DROP
     $IPT -A BAD_TCPPKTS -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-prefix "fp=BAD_TCPPKTS:4 a=DROP "
     $IPT -A BAD_TCPPKTS -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
     $IPT -A BAD_TCPPKTS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-prefix "fp=BAD_TCPPKTS:5 a=DROP "
     $IPT -A BAD_TCPPKTS -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
     $IPT -A BAD_TCPPKTS -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "fp=BAD_TCPPKTS:6 a=DROP "
     $IPT -A BAD_TCPPKTS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
     $IPT -A BAD_TCPPKTS -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-prefix "fp=BAD_TCPPKTS:7 a=DROP "
     $IPT -A BAD_TCPPKTS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

     # All good, so return
     $IPT -A BAD_TCPPKTS -p tcp -j RETURN


     #### ICMP_PKTS chain ###############

     # This chain is for inbound (from the Internet) icmp packets only. Type 8 (Echo Request) is not
     # accepted by default. Enable it if you want remote hosts to be able to reach you. 11 (Time Exceeded)
     # is the only one accepted that would not already be covered by the established connection rule.
     # Applied to INPUT on the external interface.
     # N.B. that stateful settings allow replies to ICMP packets. These rules allow new packets of the specified types.

     # ICMP packets should fit in a Layer 2 frame, thus they should
     # never be fragmented.  Fragmented ICMP packets are a typical sign
     # of a denial of service attack.
     $IPT -A ICMP_PKTS --fragment -p ICMP -j LOG --log-prefix "fp=ICMP_PKTS:1 a=DROP "
     $IPT -A ICMP_PKTS --fragment -p ICMP -j DROP

     # Echo - uncomment to allow your system to be pinged. Uncomment LOG command if you want to log attempts
     # $IPT -A ICMP_PKTS -p ICMP -s 0/0 --icmp-type 8 -j LOG --log-prefix "fp=ICMP_PKTS:2 a=ACCEPT "
     # $IPT -A ICMP_PKTS -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

     # By default, drop pings without logging. Blaster & other worms have infected systems blasting pings.
     # Comment the line below if you want pings logged, but it will likely fill your logs.
     $IPT -A ICMP_PKTS -p ICMP -s 0/0 --icmp-type 8 -j DROP

     # Time Exceeded
     $IPT -A ICMP_PKTS -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

     # Not matched, so return so it will be logged
     $IPT -A ICMP_PKTS -p ICMP -j RETURN


     #### MOBLOCK chains #################

     # MOBLOCK_IN chain rule: Incoming traffic queued
     $IPT -I MOBLOCK_IN -p all -j NFQUEUE

     # MOBLOCK_OUT chain rule: Outgoing traffic queued
     $IPT -I MOBLOCK_OUT -p all -j NFQUEUE

     # MOBLOCK_FW chain rule: Forwarded traffic queued
     $IPT -I MOBLOCK_FW -p all -j NFQUEUE

     # MoBlock Bypass
     for PORT in $WHITE_TCP_OUT; do
        $IPT -I MOBLOCK_OUT -p tcp --dport $PORT -j ACCEPT
     done
     for PORT in $WHITE_UDP_OUT; do
        $IPT -I MOBLOCK_OUT -p udp --dport $PORT -j ACCEPT
     done

     for PORT in $WHITE_TCP_IN; do
        $IPT -I MOBLOCK_IN -p tcp --dport $PORT -j ACCEPT
     done
     for PORT in $WHITE_UDP_IN; do
        $IPT -I MOBLOCK_IN -p udp --dport $PORT -j ACCEPT
     done

     for PORT in $WHITE_TCP_FW; do
        $IPT -I MOBLOCK_FW -p tcp --dport $PORT -j ACCEPT
     done
     for PORT in $WHITE_UDP_FW; do
        $IPT -I MOBLOCK_FW -p udp --dport $PORT -j ACCEPT
     done

     # Start MoBlock, Load list and start logging
     /ul/NIProgs/MoBlock/moblock_control start


     #### INPUT chain ####################

     # Drop bad packets
     $IPT -I INPUT 1 -p ALL -j BAD_PKTS

     # Allow loopback traffic
     $IPT -A INPUT -p all -i $LO_IFACE -j ACCEPT

     # If MoBlock activated then state NEW packets directed to MobBlock (accepted or dropped)
     if [ $ACTIVATE_CHAINS -eq 1 ]; then
        $IPT -A INPUT -i $LAN_IFACE -p tcp -m state --state NEW --tcp-flags SYN,RST,ACK SYN --dport 37766:37768 -j MOBLOCK_IN
        $IPT -A INPUT -i $LAN_IFACE -p udp -m state --state NEW --dport 37766:37768 -j MOBLOCK_IN
     fi;

     # Accept existing connections
     $IPT -A INPUT -i $LAN_IFACE -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

     ## Allow TCP IN traffic based on port number
     for PORT in $TCP_IN; do
        $IPT -A INPUT -i $LAN_IFACE -p tcp --dport $PORT -j ACCEPT
     done

     ## Allow UDP IN traffic based on port number
     for PORT in $UDP_IN; do
        $IPT -A INPUT -i $LAN_IFACE -p udp --dport $PORT -j ACCEPT
     done

     $IPT -A INPUT -p ICMP -i $INET_IFACE -j ICMP_PKTS

     # Drop without logging broadcasts that get this far. Cuts down on log clutter.
     # Comment this line if testing new rules that impact broadcast protocols.
     $IPT -A INPUT -m pkttype --pkt-type broadcast -j DROP

     # Log packets that still don't match
     $IPT -A INPUT -j LOG --log-prefix "fp=INPUT:99 a=DROP "


     #### OUTPUT chain ###################

     # However, invalid icmp packets need to be dropped
     # to prevent a possible exploit.
     $IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

     # Allow loopback traffic
     $IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
     $IPT -A OUTPUT -p all -o $LO_IFACE -j ACCEPT

     # If MoBlock activated then state NEW packets directed to MoBlock (accepted or dropped)
     if [ $ACTIVATE_CHAINS -eq 1 ]; then
        $IPT -I OUTPUT -o $LAN_IFACE -p udp -m state --state NEW --sport 37766:37768 -j MOBLOCK_OUT
        $IPT -I OUTPUT -o $LAN_IFACE -p tcp -m state --state NEW --dport 80 -j MOBLOCK_OUT
     fi;

     # Accept existing connections
     $IPT -A OUTPUT -o $LAN_IFACE -p all -m state --state ESTABLISHED,RELATED -j ACCEPT

     # Allow Receive DNS ()
     $IPT -A OUTPUT -o $LAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -p udp --dport 53 -j ACCEPT
     $IPT -A OUTPUT -o $LAN_IFACE -m state --state NEW,ESTABLISHED,RELATED -p tcp --dport 53 -j ACCEPT

     ## Allow TCP OUT traffic based on port number
     for PORT in $TCP_OUT; do
        $IPT -A OUTPUT -o $LAN_IFACE -p tcp --dport $PORT -j ACCEPT
     done

     ## Allow UDP OUT traffic based on port number
     for PORT in $UDP_OUT; do
        $IPT -A OUTPUT -o $LAN_IFACE -p udp --dport $PORT -j ACCEPT
     done

     # Log packets that still don't match
     $IPT -A OUTPUT -j LOG --log-prefix "fp=OUTPUT:99 a=DROP "


     #### FORWARD chain ##################

     # Accept existing connections
     $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

   }


   # Local Traffic only
   local_only() {

     echo "Firewall: Allowing local traffic"
     $IPT -A INPUT -p all -i lo -j ACCEPT
     $IPT -A OUTPUT -p all -o lo -j ACCEPT

   }


   # Block ALL
   block_all() {

     echo "Firewall: Block all | LOADED"
     $IPT -P INPUT DROP
     $IPT -P OUTPUT DROP
     $IPT -P FORWARD DROP

   }


   # Stop Firewall
   stop_firewall() {

     echo "Firewall: Resetting default policy"
     $IPT -P INPUT ACCEPT
     $IPT -P OUTPUT ACCEPT
     $IPT -P FORWARD ACCEPT

     echo "Firewall: Stopped"

   }


   # Flushing, removing and zeroing tables
   reset_firewall() {

     echo "Firewall: Resetting tables & chains"
     CHAINS=`cat /proc/net/ip_tables_names`
     for i in $CHAINS; do
       $IPT -t $i -F
       $IPT -t $i -X
       $IPT -t $i -Z
     done

   }


   # Firewall Status
   status_firewall () {
     $IPT -L -n -v --line-numbers
   }


   # EXECUTE
   case "$1" in

     start|restart|reload)
       reset_firewall
       start_firewall
       ;;
     stop)
       reset_firewall
       stop_firewall
       ;;
     local)
       reset_firewall
       block_all
       local_only
       ;;
     block)
       reset_firewall
       block_all
       ;;
     status)
       status_firewall
       ;;
     *)
       echo "Usage: $0 {start|stop|restart|reload|local|block|status}";
       exit 1
       ;;

   esac
Output from my iptables status:

Code:
Chain INPUT (policy DROP 544 packets, 64624 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1     500K  411M BAD_PKTS   all  --  *      *       0.0.0.0/0            0.0.0.0/0           
2      156  7592 MOBLOCK_IN  tcp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           state NEW tcp dpts:37766:37768 flags:0x16/0x02 
3     6284  600K MOBLOCK_IN  udp  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           state NEW udp dpts:37766:37768 
4     493K  410M ACCEPT     all  --  wlan0  *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
5       99  5472 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0           
6        0     0 ICMP_PKTS  icmp --  wlan0  *       0.0.0.0/0            0.0.0.0/0           
7        0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           PKTTYPE = broadcast 
8      543 64584 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `fp=INPUT:99 a=DROP ' 

Chain FORWARD (policy DROP 0 packets, 0 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 

Chain OUTPUT (policy ACCEPT 745 packets, 72046 bytes)
num   pkts bytes target     prot opt in     out     source               destination         
1      122  6344 MOBLOCK_OUT  tcp  --  *      wlan0   0.0.0.0/0            0.0.0.0/0           state NEW tcp dpt:80 
2    10290  907K MOBLOCK_OUT  udp  --  *      wlan0   0.0.0.0/0            0.0.0.0/0           state NEW udp spts:37766:37768 
3        0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
4        0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0           
5       99  5472 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0           
6     358K  104M ACCEPT     all  --  *      wlan0   0.0.0.0/0            0.0.0.0/0           state RELATED,ESTABLISHED 
7       29  2072 ACCEPT     udp  --  *      wlan0   0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED udp dpt:53 
8        0     0 ACCEPT     tcp  --  *      wlan0   0.0.0.0/0            0.0.0.0/0           state NEW,RELATED,ESTABLISHED tcp dpt:53 
9        0     0 ACCEPT     tcp  --  *      wlan0   0.0.0.0/0            0.0.0.0/0           tcp dpt:21 
10       0     0 ACCEPT     tcp  --  *      wlan0   0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
11       0     0 ACCEPT     tcp  --  *      wlan0   0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
12       0     0 ACCEPT     tcp  --  *      wlan0   0.0.0.0/0            0.0.0.0/0           tcp dpt:1863 
13       0     0 ACCEPT     tcp  --  *      wlan0   0.0.0.0/0            0.0.0.0/0           tcp dpt:5050 
14       3   156 ACCEPT     tcp  --  *      wlan0   0.0.0.0/0            0.0.0.0/0           tcp dpt:5190 
15     744 71994 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `fp=OUTPUT:99 a=DROP ' 

Chain BAD_PKTS (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1       50  4120 LOG        all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID LOG flags 0 level 4 prefix `fp=BAD_PKTS:1 a=DROP ' 
2       50  4120 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0           state INVALID 
3     488K  409M BAD_TCPPKTS  tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           
4     500K  411M RETURN     all  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain BAD_TCPPKTS (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW LOG flags 0 level 4 prefix `fp=BAD_TCPPKTS:1 a=DROP ' 
2        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:!0x17/0x02 state NEW 
3        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00 LOG flags 0 level 4 prefix `fp=BAD_TCPPKTS:2 a=DROP ' 
4        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x00 
5        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F LOG flags 0 level 4 prefix `fp=BAD_TCPPKTS:3 a=DROP ' 
6        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x3F 
7        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29 LOG flags 0 level 4 prefix `fp=BAD_TCPPKTS:4 a=DROP ' 
8        0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x29 
9        0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x37 LOG flags 0 level 4 prefix `fp=BAD_TCPPKTS:5 a=DROP ' 
10       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x3F/0x37 
11       0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06 LOG flags 0 level 4 prefix `fp=BAD_TCPPKTS:6 a=DROP ' 
12       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x06/0x06 
13       0     0 LOG        tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03 LOG flags 0 level 4 prefix `fp=BAD_TCPPKTS:7 a=DROP ' 
14       0     0 DROP       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp flags:0x03/0x03 
15    488K  409M RETURN     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain ICMP_PKTS (1 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 LOG        icmp -f  *      *       0.0.0.0/0            0.0.0.0/0           LOG flags 0 level 4 prefix `fp=ICMP_PKTS:1 a=DROP ' 
2        0     0 DROP       icmp -f  *      *       0.0.0.0/0            0.0.0.0/0           
3        0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 8 
4        0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           icmp type 11 
5        0     0 RETURN     icmp --  *      *       0.0.0.0/0            0.0.0.0/0           

Chain MOBLOCK_FW (0 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0           NFQUEUE num 0

Chain MOBLOCK_IN (2 references)
num   pkts bytes target     prot opt in     out     source               destination         
1     6440  607K NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0           NFQUEUE num 0

Chain MOBLOCK_OUT (2 references)
num   pkts bytes target     prot opt in     out     source               destination         
1        0     0 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:443 
2      122  6344 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0           tcp dpt:80 
3    10290  907K NFQUEUE    all  --  *      *       0.0.0.0/0            0.0.0.0/0           NFQUEUE num 0

Last edited by ULADK; 08-19-2007 at 04:53 PM.
 
Old 08-17-2007, 08:59 PM   #2
Brian1
LQ Guru
 
Registered: Jan 2003
Location: Seymour, Indiana
Distribution: Distribution: RHEL 5 with Pieces of this and that. Kernel 2.6.23.1, KDE 3.5.8 and KDE 4.0 beta, Plu
Posts: 5,700

Rep: Reputation: 65
Might use one of those sites that test your firewall like this one to see how secure. http://www.hackerwatch.org/probe/

Brian
 
Old 08-18-2007, 11:44 PM   #3
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Is there some particular reason why you've chosen to start off with such a difficult to read (and quite likely overly-complicated) iptables script? I began reading your script but quit after a while for fear my head would explode.

My guess is that other members have had similar experiences, which would explain why you haven't gotten any feedback on it yet. I'd like to understand what you are trying to accomplish with your script (that's the first thing to ask yourself when making one). Also, I would like to ask if you understand every single line in your script.

Last edited by win32sux; 08-19-2007 at 12:10 AM.
 
Old 08-19-2007, 12:32 AM   #4
ULADK
LQ Newbie
 
Registered: May 2003
Location: UK
Distribution: Slackware Current
Posts: 26

Original Poster
Rep: Reputation: 15
Difficult to read how? As in the formatting or because I've used a lot of variables for each command? It may look confusing because I'm reusing a lot of the code. Yes I do understand every single line. I'll explain a little.

I decided to use many variables because I travel a lot with the laptop. For instance, if I'm using Ethernet instead of wireless I can just replace that particular variable (wlan0) with eth0, or I can change my settings based on what network I'm connected to. Other examples: modules are loaded depending if they are listed in a variable. I use the for loop to load the modules and echo that they have loaded (done in 5 lines instead of 20). I did the same with port numbers, If I need to use SSH I can just add "22" to the variable and I'm done.

Just makes it easier, more adaptable and saves a lot of typing. I also use MoBlock so might make it seem more complex.

- The script begins with enabling/disabling a few options.
- Setting the default policies.
- Creating my chains
- INPUT, OUTPUT direct packets to specified chains
- I call another script to start MoBlock
- state NEW packets on port X are sent to the MoBlock chains (if enabled)
- I can redirect certain packets to MoBlock or bypass it (if enabled)
- TCP packets are checked for validity and dealt with
- ICMP packets are handled depending on type

The rest of the script is your usual restarting, stopping, etc. I also added the ability to block all traffic or only allow local traffic. It all works fine but I just wanted that second opinion.

Last edited by ULADK; 08-19-2007 at 12:35 AM.
 
Old 08-19-2007, 04:32 AM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380Reputation: 380Reputation: 380Reputation: 380
Quote:
Originally Posted by ULADK View Post
Difficult to read how? As in the formatting or because I've used a lot of variables for each command?
I guess a bit of both actually. In any case, it's just a matter of personal preference.

For example, let's take 30 lines from your script:
Code:
     # Disable TCP timestamps to reduce TCP stack workload:
     echo "0" > /proc/sys/net/ipv4/tcp_timestamps

     # Enable TCP SYN Cookie Protection:
     if [ -e /proc/sys/net/ipv4/tcp_syncookies ]; then
        echo "1" > /proc/sys/net/ipv4/tcp_syncookies
     fi

     # Enable reverse path filtering for anti-spoofing:
     for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do
        echo "1" > $f
     done

     # Allow redirects from trusted gateways only:
     echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects

     # Do not send Redirect Messages:
     for f in /proc/sys/net/ipv4/conf/*/send_redirects ; do
        echo "0" > $f
     done

     # Disable ICMP Redirect Acceptance:
     for f in /proc/sys/net/ipv4/conf/*/accept_redirects ; do
        echo "0" > $f
     done
	
     # Disable source routed packets as they are ridiculous:
     for f in /proc/sys/net/ipv4/conf/*/accept_source_route ; do
        echo "0" > $f
     done

I'd probably have used these 7 lines instead:
Code:
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/send_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
The effect is the same, but we just went from 30 lines to 7 - that's a lot of screen real estate saved (almost 77%), and I would argue that my 7 lines are much easier to read than your 30. Of course, that's totally subjective - and this is just meant as an illustration of what I mean. In the end, if you feel more comfortable with the 30 lines, then it's definitely what you should stick with.

I was curious about whether or not you understood every line in your script because when you mentioned you had parts from scripts on the Net I suspected perhaps this was some huge copy/paste experiment, which would have been terrible. I'm glad that isn't the case.

Last edited by win32sux; 08-19-2007 at 04:20 PM.
 
Old 08-19-2007, 04:47 PM   #6
ULADK
LQ Newbie
 
Registered: May 2003
Location: UK
Distribution: Slackware Current
Posts: 26

Original Poster
Rep: Reputation: 15
Ahh, I made those changes. I didn't realise I could use "all" instead of the wildcard. So that cuts the need out for the for loop in those sections. I updated the script to reflect that.

I try to keep a description of each line though for future reference. If those were taken out it would be a lot cleaner looking but it helps.

Thanks.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
how to use cut command in the shell script narendra.pant Linux - Newbie 3 06-01-2006 09:46 PM
script: 'for' and 'cut' problems YaK. Linux - General 2 11-06-2005 05:49 AM
How to use cut in Perl script? mimf Linux - General 1 12-01-2003 04:21 AM
shell script - cut off the '^M' d-fens Programming 5 07-20-2003 11:20 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:48 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration