Three weeks after a fresh install of Red Hat Fedora Core 2, things started to happen. First I couldn't get into the setup of my broadband router connected to the internet using
http://<ip-address of the router> in the browser address field. I had to replace the router with a new one. Then, after a while, when I for some reason had to restart the iptables service, I got an error at line 26 in the iptables script, the COMMIT line. I had to comment out the COMMIT line and the error disappeared. I can't quote the file because somehow I lost it. I had applied a new firewall script called iptables and thought I had saved the original. I'm afraid I'm not quite familiar with iptables, since my old RH7.2 distro used ipchains and I never had any problems or suspected being hacked. Anyway, here is my new iptables script.
#!/bin/bash
IPTABLES="/sbin/iptables"
# Load required modules
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_MASQUERADE
# Then flush all rules and delete the user-defined chains created further
# down, so the script can be run again without "Chain already exists" errors
$IPTABLES -F
$IPTABLES -X
$IPTABLES -t nat -F
$IPTABLES -t nat -X
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
# In the NAT table (-t nat), append a rule (-A) after routing
# (POSTROUTING) for all packets going out eth0 (-o eth0) which says to
# MASQUERADE the connection (-j MASQUERADE).
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$IPTABLES -A FORWARD -d 192.168.0.0/24 -j ACCEPT
$IPTABLES -A FORWARD ! -s 192.168.0.0/24 -j DROP
# Disallow NEW and INVALID incoming or forwarded packets from eth0.
$IPTABLES -A INPUT -i eth0 -m state --state NEW,INVALID -j DROP
$IPTABLES -A FORWARD -i eth0 -m state --state NEW,INVALID -j DROP
# port 113 is evil
$IPTABLES -A INPUT --protocol udp --source-port 113 -j DROP
$IPTABLES -A INPUT --protocol udp --destination-port 113 -j DROP
# Note: the next two rules match on the remote SOURCE port, not on a local
# service, so any host can get past them by sending from port 25 or 80.
# Replies to our own outgoing connections are already covered by the
# RELATED,ESTABLISHED rule further down.
$IPTABLES -A INPUT --protocol tcp --source-port 25 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --source-port 80 -j ACCEPT
#$IPTABLES -A INPUT --protocol udp --destination-port 25 -j ACCEPT
$IPTABLES -A INPUT --protocol tcp --source-port 111 -j DROP
$IPTABLES -A INPUT --protocol tcp --source-port 139 -j DROP
$IPTABLES -A INPUT --protocol udp --source-port 138 -j DROP
$IPTABLES -A INPUT --protocol udp --source-port 137 -j DROP
$IPTABLES -A INPUT -i lo -j ACCEPT
# Turn on IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
#Now, our firewall chain
#We use the limit commands to cap the rate at which it alerts to 3
#log messages per minute (burst of 3)
$IPTABLES -N firewall
$IPTABLES -A firewall -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level notice --log-prefix "Netfilter in: "
$IPTABLES -A firewall -j DROP
#Now, our dropwall chain, for the final catchall filter
$IPTABLES -N dropwall
$IPTABLES -A dropwall -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level notice --log-prefix "Netfilter in: "
$IPTABLES -A dropwall -j DROP
#Our "hey, them's some bad tcp flags!" chain
$IPTABLES -N badflags
$IPTABLES -A badflags -m limit --limit 3/minute --limit-burst 3 -j LOG --log-level notice --log-prefix "Netfilter in: "
$IPTABLES -A badflags -j DROP
#And our silent logging chain
$IPTABLES -N silent
$IPTABLES -A silent -j DROP
#Drop those nasty packets!
#These are all TCP flag combinations that should never, ever occur in the
#wild. All of these are illegal combinations that are used to attack a box
#in various ways, so we just drop them and log them here.
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j badflags
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j badflags
#Drop icmp, but only after letting certain types through
$IPTABLES -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPTABLES -A INPUT -p icmp -j firewall
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#Accept my 2 lan windozes. These must come BEFORE the dropwall catch-all,
#otherwise the catch-all drops their packets first and they are never reached.
$IPTABLES -A INPUT -s 192.168.0.4 -d 0/0 -p all -j ACCEPT
$IPTABLES -A INPUT -s 192.168.0.3 -d 0/0 -p all -j ACCEPT
$IPTABLES -A INPUT -j dropwall
# Save the rules so the iptables service can restore them at boot.
# Do NOT restart the service here: "restart" first stops it, which flushes
# the rules just built (and, with Fedora's init script, may unload the
# netfilter modules), so saving afterwards would write an empty file.
/sbin/iptables-save > /etc/sysconfig/iptables
#********************END OF SCRIPT***********
I found the script on Google and edited it a little. As I said, I'm a newbie to this.
Ok. First trouble. The last line, the save command, doesn't save these rules in /etc/sysconfig/iptables.
I pico it and get nothing in the file.
But when I run the script I get no errors and iptables uses the rules. It prints out OK to this. It put rules to ACCEPT: filter,nat [OK]
I can't quote these outputs because they're printed in Norwegian.
Second trouble:
When I type /sbin/iptables -nvL filter I get this:
[root@ove root]# /sbin/iptables -nvL filter
iptables: Table does not exist (do you need to insmod?)
[root@ove root]#
And I don't understand this because the necessary modules for iptables are loaded. And it says the table does not exist, meaning in my opinion I don't have any protection at all. Or am I wrong?
I get the same answer with -nvL nat.
Before all the trouble I could check both the filter status and nat by typing these commands. So I'm really worried whether I've been hacked or if it's only a bug in FC2.
In my old RH7.2 I could type rpm -V kernel to see if the kernel was changed (MD5 as an answer),
but here the same command shows nothing. No dots as in RH7.2, which tells me it's all ok.
I'm really worried about what has happened to my system and need help to solve this.
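Two checks that go with the two troubles above, added here as an example and not part of the original post: one validates the structure of a save file like /etc/sysconfig/iptables (every *table block must end in COMMIT, which is the line iptables-restore reports errors at, and an empty file has no table at all), the other checks a module list for the netfilter modules behind "Table does not exist (do you need to insmod?)". The file names, the demo data and the missing-iptable_filter scenario are constructed assumptions.

```bash
#!/bin/bash
# check_save_file FILE: print the tables found in an iptables save file, one per
# line; fail if a *table block lacks its COMMIT, a COMMIT has no table, or the
# file holds no table at all (what an empty /etc/sysconfig/iptables looks like).
check_save_file() {
    awk '
        /^\*/      { if (open) bad = 1; open = 1; tables++; print substr($0, 2); next }
        /^COMMIT$/ { if (!open) bad = 1; open = 0; next }
        END        { if (open || tables == 0) bad = 1; exit (bad ? 1 : 0) }
    ' "$1"
}

# check_modules LIST MODULE...: succeed only if every MODULE appears as the
# first column of LIST. On a live box LIST is /proc/modules (same first column
# as lsmod); the filter table needs iptable_filter, the nat table iptable_nat.
check_modules() {
    local list=$1 missing=""
    shift
    for m in "$@"; do
        awk -v m="$m" '$1 == m { found = 1 } END { exit (found ? 0 : 1) }' "$list" \
            || missing="$missing $m"
    done
    [ -z "$missing" ] && return 0
    echo "not loaded:$missing" >&2
    return 1
}

# Constructed demo data (not captured from a real system): a complete save file,
# a truncated one, and a module list where iptable_filter is not loaded.
demo() {
    local d; d=$(mktemp -d)
    printf '*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\nCOMMIT\n*nat\n:POSTROUTING ACCEPT [0:0]\n-A POSTROUTING -o eth0 -j MASQUERADE\nCOMMIT\n' > "$d/good"
    printf '*filter\n-A INPUT -j DROP\n' > "$d/truncated"
    printf 'Module Size Used by\niptable_nat 100 0\nip_tables 1234 1 iptable_nat\n' > "$d/modules"
    check_save_file "$d/good"      && echo "good: every table block has its COMMIT"
    check_save_file "$d/truncated" || echo "truncated: a *filter block without COMMIT"
    check_modules "$d/modules" ip_tables iptable_filter iptable_nat \
        || echo "the filter table cannot exist while iptable_filter is not loaded"
    rm -rf "$d"
}
```

Run `demo` for the constructed cases, or on the box itself call `check_save_file /etc/sysconfig/iptables` and `check_modules /proc/modules ip_tables iptable_filter iptable_nat`.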