Old 03-23-2007, 03:02 PM   #1
aq_mishu
Member
 
Registered: Sep 2005
Location: Bangladesh
Distribution: RH 7.2, 8, 9, Fedora
Posts: 217

Rep: Reputation: 30
Guys Help me to be secured


Hi guys, I need a firewall script urgently... here is the sample that I am using now...

Code:
# Some variables.. making the life may be a little complex...

IPTABLES=iptables
PATH="/sbin"

WAN_DEV="eth0"
WAN_IP="A.A.A.A"
ANY_ADDR="0/0"

# Flushing all rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -Z
$IPTABLES -t nat -Z

# My default rules

$IPTABLES -A INPUT -p tcp -m multiport --destination-port 111,135,139,199,445,587,593,953,4444,6000 -j DROP
$IPTABLES -A INPUT -p udp -m multiport --destination-port 69,135,137,138 -j DROP

# Do some checks for obviously spoofed IP's

$IPTABLES -A INPUT -i $WAN_DEV -d $WAN_IP -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -i $WAN_DEV -d $WAN_IP -s 172.16.0.0/12 -j DROP
$IPTABLES -A INPUT -i $WAN_DEV -d $WAN_IP -s 192.168.0.0/16 -j DROP

# Denying permanently these as they always found to make disturbance

$IPTABLES -A INPUT -i eth0 -s 59.120.161.18 -d $ANY_ADDR -j DROP

# Saving and activating the new rules

service iptables save
service iptables restart
Now, this was ok.. but here is the thing... My Linux box is a web server, secure web server, DNS server [which replies to people's queries and also queries other servers itself; meaning it is a DNS server and also acts like a DNS client to resolve IPs that it does not have], FTP server, MySQL server. I also have to allow SSH from the WAN. Now all I need to do is block all the ports IN and allow only specific ports to come IN. I also want to deny all local/private IPs at eth0, my WAN interface, to prevent spoofing. Please help me by providing a cool script which is easy to read (don't forget to write comments in the script). Guys, I need this kind of assistance because right now I can't concentrate on anything...
 
Old 03-24-2007, 09:23 AM   #2
aq_mishu
Member
 
Registered: Sep 2005
Location: Bangladesh
Distribution: RH 7.2, 8, 9, Fedora
Posts: 217

Original Poster
Rep: Reputation: 30

Code:
#!/bin/bash
# Some variables.. making the life may be a little complex...

IPTABLES=iptables
PATH="/sbin"

LAN_DEV="eth1"
WAN_DEV="eth0"
WAN_IP="A.A.A.A"
ANY_ADDR="0/0"

# Flushing all rules
iptables -F
iptables -t nat -F
iptables -Z
iptables -t nat -Z
iptables -X

# Default Deny at the input
iptables -P INPUT DROP

# Default deny at the output
iptables -P OUTPUT DROP

# Allow input that has been established and related
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outputs that are established and related
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow DNS query input from others (since it is a DNS server)
iptables -A INPUT -p UDP -i eth0 --dport 53 -m state --state NEW -j ACCEPT

# Allow the box to query to other DNS servers.(Since it is also a DNS client)
iptables -A OUTPUT -p UDP -o eth0 --dport 53 -m state --state NEW -j ACCEPT

# Allow specific services to input. They are http, https, ftp, mySQL, ssh
iptables -A INPUT -p TCP -i eth0 -m multiport --dports 80,443,21,3306,22 -m state --state NEW -j ACCEPT

# Allow to ping the box
iptables -A INPUT -p ICMP -i eth0 --icmp-type 8 -m state --state NEW -j ACCEPT

# Allow to respond to ping requests
iptables -A OUTPUT -p ICMP -o eth0 --icmp-type 8 -m state --state NEW -j ACCEPT

# Allow loopback input
iptables -A INPUT -i lo -j ACCEPT

# Allow output to loopback
iptables -A OUTPUT -o lo -j ACCEPT

# Do some checks for obviously spoofed IP's
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP

# Saving and activating the new rules
service iptables save
service iptables restart
Is it ok, what I was asking for??
 
Old 03-24-2007, 11:43 AM   #3
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Note that with that config you will not be able to initiate outgoing connections from that box. So for example, if you wanted to send an email to someone else, you wouldn't be able to. Is that how you want it configured? From a security standpoint, that is excellent but definitely limits usability.

Also why do you want systems to be able to access MySQL on this host? If it's a backend DB for a webserver app or even for other systems on your network, then you should just limit access to only those systems. Definitely don't want people hammering away on it if you don't need to provide open access to it.

Also how does this system get an IP? Is it static or is it dynamically assigned (like via DHCP)?
 
Old 03-24-2007, 03:50 PM   #4
aq_mishu
Member
 
Registered: Sep 2005
Location: Bangladesh
Distribution: RH 7.2, 8, 9, Fedora
Posts: 217

Original Poster
Rep: Reputation: 30

Dear Sir,
This box is used as a
  1. Web server + secure web server
  2. FTP server
  3. DNS server + DNS client
  4. database server (MySQL)
  5. And it'll allow ping from anywhere
It will not receive any mail and also will not send any mail. Well, can you give me an idea? Does PHP's mail function use local SMTP? I think so. If so, then what else should I use along with it? Adding a rule to allow output on 25?? Well, it could not initiate any new connections, but it can look up UDP 53 from other servers, meaning it is working as a DNS server and also, when required, works as a DNS client. I have tested... now the other thing that needs to be tested is SSH from this machine. And oh.. it has a static IP. MySQL will be allowed from specific IPs as per your advice. Any more advice?? I need a really secure (as far as possible) system. Thus the firewall should be really a HOT highly inflammable fire... but upon need, it will allow and fulfill all the needs also...

Last edited by aq_mishu; 03-25-2007 at 08:56 AM.
 
Old 03-25-2007, 03:40 PM   #5
aq_mishu
Member
 
Registered: Sep 2005
Location: Bangladesh
Distribution: RH 7.2, 8, 9, Fedora
Posts: 217

Original Poster
Rep: Reputation: 30

Major problem happened. After using the new script...
Code:
#!/bin/bash

IPTABLES=iptables
PATH="/sbin"

WAN_DEV="eth0"
WAN_IP="A.A.A.A"
ANY_ADDR="0/0"

# Flushing all rules
iptables -F
iptables -t nat -F
iptables -Z
iptables -t nat -Z
iptables -X

# Default Deny at the input
iptables -P INPUT DROP

# Default deny at the output
iptables -P OUTPUT DROP

# Allow input that has been established and related
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow all outputs that are established and related
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow DNS query input from others (since it is a DNS server)
iptables -A INPUT -p UDP -i eth0 --dport 53 -m state --state NEW -j ACCEPT

# Allow the box to query to other DNS servers.(Since it is also a DNS client)
iptables -A OUTPUT -p UDP -o eth0 --dport 53 -m state --state NEW -j ACCEPT

# Allow specific services to input. They are http, https, ftp, mySQL, ssh
iptables -A INPUT -p TCP -i eth0 -m multiport --dports 80,443,20,21,22 -m state --state NEW -j ACCEPT

# Allow to query on some ports from this host. They are http, https, smtp, ssh
iptables -A OUTPUT -p TCP -o eth0 -m multiport --dports 25,80,443,22 -m state --state NEW -j ACCEPT

# Allow to ping the box
iptables -A INPUT -p ICMP -i eth0 --icmp-type 8 -m state --state NEW -j ACCEPT

# Allow to respond to ping requests
iptables -A OUTPUT -p ICMP -o eth0 --icmp-type 8 -m state --state NEW -j ACCEPT

# Allow loopback input
iptables -A INPUT -i lo -j ACCEPT

# Allow output to loopback
iptables -A OUTPUT -o lo -j ACCEPT

# Do some checks for obviously spoofed IP's
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP

# Saving and activating the new rules
service iptables save
service iptables restart
After doing this, I found I can't upload files to the server using FTP. I've checked using iptraf that it is trying to listen on 20 and 21 for the FTP upload, but I get a long delay and finally a timeout. It was ok before implementing this script. Also HTTP files are coming to my PC more slowly than before, though I am in the LAN and directly connected to the server.
 
Old 03-25-2007, 03:47 PM   #6
aq_mishu
Member
 
Registered: Sep 2005
Location: Bangladesh
Distribution: RH 7.2, 8, 9, Fedora
Posts: 217

Original Poster
Rep: Reputation: 30

Then I used this one, a little change to the existing one...
Code:
# Default Deny at the input
iptables -P INPUT DROP

# Default deny at the output
iptables -P OUTPUT ACCEPT

# Allow output that is new, established or related (state name spelled as iptables expects it)
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow input that has been established and related
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
But got zero... same thing... and then I simply did this...
Code:
# Flushing all rules
iptables -F
iptables -t nat -F
iptables -Z
iptables -t nat -Z
iptables -X

# Default Deny at the input
iptables -P INPUT ACCEPT

# Default deny at the output
iptables -P OUTPUT ACCEPT

# Allow input that is new, established or related (state name spelled as iptables expects it)
iptables -A INPUT -i eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT

# Allow output that is new, established or related
iptables -A OUTPUT -o eth0 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
in the same code. But again, no result... I have restarted the machine but no change... then I used the previous one...
Code:
# Flushing all rules
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -Z
$IPTABLES -t nat -Z

#System Default
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P OUTPUT ACCEPT

# My default rules

$IPTABLES -A INPUT -p tcp -m multiport --destination-port 111,135,139,199,445,587,593,4444,6000 -j DROP
$IPTABLES -A INPUT -p udp -m multiport --destination-port 69,135,137,138 -j DROP
But also no change... I can browse HTTP and others, but slowly, and FTP is not working... please help...
 
Old 03-25-2007, 04:10 PM   #7
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
I haven't looked at your rules in depth, but FTP problems like you mention are usually caused by not having the FTP conntrack module loaded...
Code:
/sbin/modprobe ip_conntrack_ftp
 
Old 03-26-2007, 01:17 AM   #8
aq_mishu
Member
 
Registered: Sep 2005
Location: Bangladesh
Distribution: RH 7.2, 8, 9, Fedora
Posts: 217

Original Poster
Rep: Reputation: 30

Previously that modprobe was not used and it was ok then... but now it is not ok..

Note that I can log in, but I just can't upload. It gets a timeout. And other services like HTTP become slow.

Last edited by aq_mishu; 03-26-2007 at 01:19 AM.
 
Old 03-26-2007, 02:25 AM   #9
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Which of all the scripts you posted are you using now?? Also, if you could post your complete active iptables configuration it would be great:
Code:
iptables -nvL -t filter
Code:
iptables -nvL -t mangle
Code:
iptables -nvL -t nat
PS: assuming your policy is set to DROP, appending a LOG rule to the end of your INPUT chain (and your OUTPUT one too, depending) and before any DROP rules will let you see exactly what kind of packets are getting filtered...

Last edited by win32sux; 03-26-2007 at 02:27 AM.
 
Old 03-26-2007, 02:42 AM   #10
aq_mishu
Member
 
Registered: Sep 2005
Location: Bangladesh
Distribution: RH 7.2, 8, 9, Fedora
Posts: 217

Original Poster
Rep: Reputation: 30

Currently I am using this... this is a 755 file on my server which I just executed once, and then the iptables conf file is generated and takes care of everything

Code:
# Some variables.. making the life may be a little complex...

IPTABLES=iptables
PATH="/sbin"

LAN_DEV="eth1"
WAN_DEV="eth0"
WAN_IP="A.A.A.A"
ANY_ADDR="0/0"

echo "Adding modprobes and appending them to the module loading file"
# Adding modprobes
/sbin/modprobe ip_conntrack_ftp
echo > /etc/rc.d/init.d/modprobes
echo "# Adding modprobes so they can load later while reboot. These are for iptables firewall" >> /etc/rc.d/init.d/modprobes
echo "/sbin/modprobe ip_conntrack_ftp" >> /etc/rc.d/init.d/modprobes
echo "#" >> /etc/rc.d/init.d/modprobes
echo "# modprobes added" >> /etc/rc.d/init.d/modprobes

echo "Flushing all existing rules"
# Flushing all rules
iptables -F
iptables -t nat -F
iptables -Z
iptables -t nat -Z
iptables -X

echo "Default deny at input"
# Default Deny at the input
iptables -P INPUT DROP

echo "Default deny at output"
# Default deny at the output
iptables -P OUTPUT DROP

echo "Allowing all ESTABLISHED and RELATED connections at the INPUT"
# Allow input that has been established and related
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
echo "Allowing all ESTABLISHED and RELATED connections at the OUTPUT"
# Allow all outputs that are established and related
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

echo "Allowing to respond as a DNS server, listening on UDP 53 @ the INPUT"
# Allow DNS query input from others (since it is a DNS server)
iptables -A INPUT -p UDP -i eth0 --dport 53 -m state --state NEW -j ACCEPT

echo "Allowing to be a DNS client, querying on UDP 53 @ OUTPUT (Other party is listening on 53)"
# Allow the box to query to other DNS servers.(Since it is also a DNS client)
iptables -A OUTPUT -p UDP -o eth0 --dport 53 -m state --state NEW -j ACCEPT

echo "Allowing to listen on some ports those are providing services"
# Allow specific services to input. They are http, https, ftp, mySQL, ssh
iptables -A INPUT -p TCP -i eth0 -m multiport --dports 80,443,20,21,22 -m state --state NEW -j ACCEPT

echo "Allowing to query on some ports those are necessary by the local system"
# Allow to query on some ports from this host. They are http, https, smtp, ssh
iptables -A OUTPUT -p TCP -o eth0 -m multiport --dports 25,80,443,22 -m state --state NEW -j ACCEPT

echo "Allowing to ping myself"
# Allow to ping the box
iptables -A INPUT -p ICMP -i eth0 --icmp-type 8 -m state --state NEW -j ACCEPT

echo "Allowing to respond on ping to me"
# Allow to respond to ping requests
iptables -A OUTPUT -p ICMP -o eth0 --icmp-type 8 -m state --state NEW -j ACCEPT

echo "Allowing localhost loopback INPUT"
# Allow loopback input
iptables -A INPUT -i lo -j ACCEPT

echo "Allowing localhost loopback OUTPUT"
# Allow output to loopback
iptables -A OUTPUT -o lo -j ACCEPT

echo "Preventing Spoofing"
# Do some checks for obviously spoofed IP's
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
echo "Saving the policies and restarting the service"
# Saving and activating the new rules
service iptables save
service iptables restart

echo "Firewall setup completed"
echo "Your firewall chain policies are: "
echo ""
echo ""
iptables -L -v
This is my current code. And finally I discovered that adding the modprobe solves the problem more or less. Now, since I am using service iptables save, meaning I'm using the conf file /etc/sysconfig/iptables while rebooting the machine, I need a way to add the modprobe automatically the way iptables adds the rules. Putting a file with chmod 755 in /etc/init.d and ln -s at rc0.d/KxxZZZZ is producing no output. I want to load the rules the way they basically load at startup, from /etc/sysconfig/iptables by iptables save. But I also need to add the modprobe in such a way that it'll load along with iptables and thus I will not need to type the command after reboot. Any help??

Last edited by aq_mishu; 03-26-2007 at 02:53 AM.
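Before a script like the one above is applied (and certainly before it is saved with "service iptables save"), it is worth checking it for the slips that appear in this thread. The shell function below is an added example, not code from the thread or from the poster: it runs four grep-based checks over a firewall script file (a misspelled --state token, a DROP policy on INPUT with no ESTABLISHED,RELATED accept, an inbound port 20 rule next to ip_conntrack_ftp, and service iptables save/restart inside the script) against two constructed sample scripts.

```shell
#!/bin/bash
# Added example (not code from this thread): a static check for slips found in
# the firewall scripts posted in the thread, run over a script file BEFORE
# it is applied to the live box.

# lint_fw_script FILE  -- prints one finding per line; prints nothing if clean.
lint_fw_script() {
    script="$1"

    # 1. Every --state token must be one iptables knows. A misspelling such as
    #    STABLISHED makes iptables reject that whole rule, so it never exists.
    for tok in $(grep -oE -e '--state [A-Za-z,]+' "$script" | cut -d' ' -f2 |
                 tr ',' '\n' | sort -u); do
        case "$tok" in
            NEW|ESTABLISHED|RELATED|INVALID) ;;
            *) echo "bad --state token '$tok' (iptables will reject that rule)" ;;
        esac
    done

    # 2. A DROP policy on INPUT needs an ESTABLISHED,RELATED accept, otherwise
    #    the replies to the box's own DNS lookups and downloads never get in.
    if grep -qE -e '-P INPUT DROP' "$script" &&
       ! grep -qE -e '-A INPUT .*--state [A-Za-z,]*ESTABLISHED' "$script"; then
        echo "INPUT policy is DROP but no ESTABLISHED,RELATED accept on INPUT"
    fi

    # 3. With ip_conntrack_ftp loaded the FTP data connection is matched as
    #    RELATED, so an inbound accept for port 20 (ftp-data) is dead weight.
    if grep -q 'modprobe ip_conntrack_ftp' "$script" &&
       grep -E -e '-A INPUT .*--(dports|destination-port) ' "$script" |
       grep -oE -e '--(dports|destination-port) [0-9,]+' | cut -d' ' -f2 |
       tr ',' '\n' | grep -qx 20; then
        echo "inbound port 20 is opened although ip_conntrack_ftp handles ftp-data"
    fi

    # 4. Saving/restarting the service from inside the script makes every test
    #    run permanent; apply by hand and persist only once the rule set is right.
    if grep -qE 'service iptables (save|restart)' "$script"; then
        echo "service iptables save/restart inside the script: persist by hand, once satisfied"
    fi
}

# Constructed sample carrying the slips seen in the thread (not a real config).
BAD_SCRIPT=$(mktemp)
cat > "$BAD_SCRIPT" <<'EOF'
#!/bin/bash
/sbin/modprobe ip_conntrack_ftp
iptables -F
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A OUTPUT -o eth0 -m state --state NEW,STABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -m multiport --dports 80,443,20,21,22 -m state --state NEW -j ACCEPT
service iptables save
service iptables restart
EOF

# Constructed corrected version of the same intent: expect no findings.
GOOD_SCRIPT=$(mktemp)
cat > "$GOOD_SCRIPT" <<'EOF'
#!/bin/sh
/sbin/modprobe ip_conntrack_ftp
iptables -P INPUT DROP
iptables -P OUTPUT DROP
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -p TCP -i eth0 -m multiport --dports 21,22,80,443 -m state --state NEW -j ACCEPT
EOF
trap 'rm -f "$BAD_SCRIPT" "$GOOD_SCRIPT"' EXIT

echo "== findings for the flawed sample =="
lint_fw_script "$BAD_SCRIPT"
echo "== findings for the corrected sample (expect none) =="
lint_fw_script "$GOOD_SCRIPT"
```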
 
Old 03-26-2007, 03:04 AM   #11
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by aq_mishu
Finally I discovered that adding the modprobe solves the problem more or less. Now, since I am using service iptables save, meaning I'm using the conf file /etc/sysconfig/iptables while rebooting the machine, I need a way to add the modprobe automatically the way iptables adds the rules. Putting a file with chmod 755 in /etc/init.d and ln -s at rc0.d/KxxZZZZ is producing no output. I want to load the rules the way they basically load at startup, from /etc/sysconfig/iptables by iptables save. But I also need to add the modprobe in such a way that it'll load along with iptables and thus I will not need to type the command after reboot. Any help??
You don't really load any modules from the iptables configuration file... on Red Hat, what you wanna use is the /etc/modules.conf file or something along those lines...
 
Old 03-26-2007, 03:22 AM   #12
aq_mishu
Member
 
Registered: Sep 2005
Location: Bangladesh
Distribution: RH 7.2, 8, 9, Fedora
Posts: 217

Original Poster
Rep: Reputation: 30

Quote:
You don't really load any modules from the iptables configuration file... on Red Hat, what you wanna use is the /etc/modules.conf file or something along those lines...
Ok.. I am not loading from iptables (modprobes), but I want them to load automatically on reboot, like the iptables rules load automatically after the commands iptables save and iptables restart. I checked /etc/modules.conf but I can't understand anything in it...
cat /etc/modules.conf gives me..

alias parport_lowlevel parport_pc
alias eth0 tulip
alias usb-controller ehci-hcd
alias usb-controller1 usb-uhci

So?? All I need is a 755 file that will have the modprobe lines and that will be executed while booting. So they'll automatically load (so far I think..). Help...
 
Old 03-26-2007, 03:51 AM   #13
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
Quote:
Originally Posted by aq_mishu
Ok.. I am not loading from iptables (modprobes), but I want them to load automatically on reboot, like the iptables rules load automatically after the commands iptables save and iptables restart. I checked /etc/modules.conf but I can't understand anything in it...
cat /etc/modules.conf gives me..

alias parport_lowlevel parport_pc
alias eth0 tulip
alias usb-controller ehci-hcd
alias usb-controller1 usb-uhci

So??
Add a line like this to the file:
Code:
add above ip_conntrack ip_conntrack_ftp
Quote:
All I need is a 755 file that will have the modprobe lines and that will be executed while booting. So they'll automatically load (so far I think..). Help...
Well, the modules.conf file is the recommended way to do it, but if you really must do it this way, my money's on an rc.local file...

Quote:
Originally Posted by aq_mishu
Currently I am using this... this is a 755 file on my server which I just executed once, and then the iptables conf file is generated and takes care of everything
[the script quoted here is the one posted in #10 above]
This is my current code.
I've cleaned your script up a little bit... there was some weird stuff in there, but AFAICT nothing which would cause the symptoms you are experiencing... then again, your script might not reflect your active configuration (which is why I asked you for -nvL output too)...
Code:
#!/bin/sh

IPT="/sbin/iptables"
IFACE="eth0"

$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP

$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT

$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT

$IPT -F
$IPT -F -t nat
$IPT -F -t mangle

$IPT -X
$IPT -X -t nat
$IPT -X -t mangle

$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

$IPT -A INPUT -i $IFACE -s 192.168.0.0/16 -m limit \
-j LOG --log-prefix "INPUT DROP SPOOF: "
$IPT -A INPUT -i $IFACE -s 192.168.0.0/16 -j DROP

$IPT -A INPUT -i $IFACE -s 172.16.0.0/12 -m limit \
-j LOG --log-prefix "INPUT DROP SPOOF: "
$IPT -A INPUT -i $IFACE -s 172.16.0.0/12 -j DROP

$IPT -A INPUT -i $IFACE -s 10.0.0.0/8 -m limit \
-j LOG --log-prefix "INPUT DROP SPOOF: "
$IPT -A INPUT -i $IFACE -s 10.0.0.0/8 -j DROP

$IPT -A INPUT -p UDP -i $IFACE --dport 53 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p TCP -i $IFACE -m multiport --dports 21,22,80,443 \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -p ICMP -i $IFACE --icmp-type 8 ! --fragment \
-m state --state NEW -j ACCEPT

$IPT -A INPUT -m limit -j LOG --log-prefix "INPUT DROP: "

$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT

$IPT -A OUTPUT -p TCP -o $IFACE -m multiport --dports 22,25,80,443 \
-m state --state NEW -j ACCEPT

$IPT -A OUTPUT -m limit -j LOG --log-prefix "OUTPUT DROP: "

echo "Firewall setup completed! Your iptables configuration is:"
echo ""
echo ""
$IPT -nvL
NOTES: having "service iptables" commands in your iptables script is not a good idea... your iptables script should get run by you manually, and you shouldn't do a "service iptables save" until *you* are completely satisfied with the active configuration... also, the port 20 rule isn't needed, due to the conntrack FTP module... this script will log anything it filters, so you should be able to see what gets sent to DROP right while the problem occurs with a:
Code:
tail -f /var/log/syslog

Last edited by win32sux; 03-26-2007 at 04:00 AM.
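The LOG rules in the script above write one kernel log line per filtered packet: the --log-prefix followed by KEY=VALUE fields. The function below is an added example, not win32sux's or the poster's code: it collapses such lines into counts by prefix, protocol, destination port and source address, so the admin can see at a glance which rule is eating the FTP data connections; the log lines, hostname and addresses are constructed samples in the netfilter LOG format.

```shell
#!/bin/bash
# Added example (not code from this thread): summarise what the "INPUT DROP: ",
# "INPUT DROP SPOOF: " and "OUTPUT DROP: " LOG rules are filtering.

# summarize_drops  -- reads log lines on stdin, prints "count prefix proto dpt=N src=A"
summarize_drops() {
    awk '
    # Only lines carrying one of the LOG prefixes used in the script are
    # firewall drops; sshd and other chatter fall through unmatched.
    match($0, /(INPUT|OUTPUT) DROP( SPOOF)?: /) {
        prefix = substr($0, RSTART, RLENGTH - 2)        # strip the trailing ": "
        rest   = substr($0, RSTART + RLENGTH)
        proto = "?"; dpt = "-"; src = "?"
        n = split(rest, f, " ")
        for (i = 1; i <= n; i++) {
            if      (f[i] ~ /^PROTO=/) proto = substr(f[i], 7)
            else if (f[i] ~ /^DPT=/)   dpt   = substr(f[i], 5)
            else if (f[i] ~ /^SRC=/)   src   = substr(f[i], 5)
        }
        count[prefix " " proto " dpt=" dpt " src=" src]++
    }
    END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Constructed sample kernel log lines (host "box", documentation-range addresses),
# in the field layout the netfilter LOG target emits.
SAMPLE_LOG='Mar 26 03:55:01 box kernel: INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=51234 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 26 03:55:03 box kernel: INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=0 DF PROTO=TCP SPT=51235 DPT=3306 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 26 03:55:09 box kernel: INPUT DROP SPOOF: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=10.1.2.3 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
Mar 26 03:55:12 box kernel: OUTPUT DROP: IN= OUT=eth0 SRC=198.51.100.2 DST=192.0.2.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=40000 DPT=587 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 26 03:55:15 box sshd[1234]: Accepted publickey for admin from 203.0.113.9 port 50000 ssh2'

# Two SYNs to 3306 dropped on INPUT, one spoofed 10/8 ping, one outbound 587 attempt.
printf '%s\n' "$SAMPLE_LOG" | summarize_drops
```

On Red Hat the kernel log is /var/log/messages rather than /var/log/syslog; since the counts are only printed at end of input, feed the function a saved copy, e.g. `grep DROP /var/log/messages | summarize_drops`.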
 
Old 03-26-2007, 03:59 AM   #14
aq_mishu
Member
 
Registered: Sep 2005
Location: Bangladesh
Distribution: RH 7.2, 8, 9, Fedora
Posts: 217

Original Poster
Rep: Reputation: 30

So will it be like

add above ip_conntrack ip_conntrack_ftp
alias parport_lowlevel parport_pc
alias eth0 tulip
alias usb-controller ehci-hcd
alias usb-controller1 usb-uhci

or

ip_conntrack ip_conntrack_ftp
alias parport_lowlevel parport_pc
alias eth0 tulip
alias usb-controller ehci-hcd
alias usb-controller1 usb-uhci

Giving you the iptables -nvL ....
Code:
 iptables -nvL
Chain INPUT (policy DROP 76 packets, 28994 bytes)
 pkts bytes target     prot opt in     out     source               destination
 661K   27M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
    9   568 ACCEPT     udp  --  eth0   *       0.0.0.0/0            0.0.0.0/0          state NEW udp dpt:53
   66  3248 ACCEPT     tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0          state NEW multiport dports 80,443,20,21,22
 1931  116K ACCEPT     icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0          state NEW icmp type 8
    7   502 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  eth0   *       192.168.0.0/16       0.0.0.0/0
    0     0 DROP       all  --  eth0   *       10.0.0.0/8           0.0.0.0/0
    0     0 DROP       all  --  eth0   *       172.16.0.0/12        0.0.0.0/0

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy DROP 10 packets, 605 bytes)
 pkts bytes target     prot opt in     out     source               destination
1128K 1685M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
   55  4147 ACCEPT     udp  --  *      eth0    0.0.0.0/0            0.0.0.0/0          state NEW udp dpt:53
    0     0 ACCEPT     tcp  --  *      eth0    0.0.0.0/0            0.0.0.0/0          state NEW multiport dports 25,80,443,22
    0     0 ACCEPT     icmp --  *      eth0    0.0.0.0/0            0.0.0.0/0          state NEW icmp type 8
    7   502 ACCEPT     all  --  *      lo      0.0.0.0/0            0.0.0.0/0
 
Old 03-26-2007, 04:39 AM   #15
aq_mishu
Member
 
Registered: Sep 2005
Location: Bangladesh
Distribution: RH 7.2, 8, 9, Fedora
Posts: 217

Original Poster
Rep: Reputation: 30
Well, guys, thanks a LOT for the kind help. So far it's working fine. I mean up to now, it is ok. Now the rest of the things have to be done by me, like remembering what I have done where... (My memory is low... I can't remember a lot.) But up to now, it is working fine. Thanks win32sux, I have added the line that you wrote. Well, if I did it wrong, then you may suggest me. And also any suggestion from any part of the world is always welcome. The modules.conf is:

add above ip_conntrack ip_conntrack_ftp
alias parport_lowlevel parport_pc
alias eth0 tulip
alias usb-controller ehci-hcd
alias usb-controller1 usb-uhci

and it is now working... I have rebooted my box and tested... so far, so good.

thanks again...
 