LinuxQuestions.org

Linux - Security > Iptables Critique (https://www.linuxquestions.org/questions/linux-security-4/iptables-critique-351491/)

Centinul 08-09-2005 08:52 AM

Iptables Critique
 
I've tried putting a firewall script together based on the tutorials I've read around the internet. Please critique and give me any recommendations especially for a stronger firewall. Thanks!

Code:

#!/bin/sh

#############################################################
# Configuration
#############################################################

        # Load Modules
        /sbin/depmod -a

        # Required modules
        /sbin/modprobe ip_conntrack
        /sbin/modprobe ip_tables
        /sbin/modprobe iptable_filter
        /sbin/modprobe iptable_mangle
        /sbin/modprobe iptable_nat
        /sbin/modprobe ipt_LOG
        /sbin/modprobe ipt_limit
        /sbin/modprobe ipt_MASQUERADE

        # Non-Required modules
        #/sbin/modprobe ipt_owner
        #/sbin/modprobe ipt_REJECT
        #/sbin/modprobe ip_conntrack_ftp
        #/sbin/modprobe ip_conntrack_irc
        #/sbin/modprobe ip_nat_ftp
        #/sbin/modprobe ip_nat_irc

#############################################################
# Local Settings
#############################################################

        # IPTables Location
        IPTABLES="/sbin/iptables"
       
        # External Interface
        EXT="eth0"

        # Internal Interface
        INT="eth1"
        LOCAL_IP="192.168.1.1"
        LOCAL_BCAST="192.168.1.255"

        # Loopback Interface
        LBACK="lo"
        LBACK_IP="127.0.0.1"

        # Internal Network Configuration
        LAN_IP="192.168.1.0/24"

#############################################################
# Firewall Configuration                                                                                 
#############################################################

        # Default Policy
        $IPTABLES -P INPUT        DROP
        $IPTABLES -P OUTPUT        DROP
        $IPTABLES -P FORWARD        DROP

        # User-Specified Chains
        $IPTABLES -N bad_packets
        $IPTABLES -N tcp_packets
        $IPTABLES -N udp_packets
        $IPTABLES -N icmp_packets

        # Flush ALL chains
        $IPTABLES -F INPUT
        $IPTABLES -F OUTPUT
        $IPTABLES -F FORWARD
        $IPTABLES -t nat -F
        $IPTABLES -t mangle -F

        $IPTABLES -F bad_packets
        $IPTABLES -F tcp_packets
        $IPTABLES -F udp_packets
        $IPTABLES -F icmp_packets

#############################################################
# Chains - User Specified
#############################################################

# bad_packets

# Rejects with a RST any packet that starts a connection (NEW) while carrying both SYN and ACK
$IPTABLES -A bad_packets -p tcp --tcp-flags SYN,ACK SYN,ACK -m state --state NEW -j REJECT --reject-with tcp-reset

# Logs, then drops, NEW TCP packets that are not SYN
$IPTABLES -A bad_packets -p tcp ! --syn -m state --state NEW -j LOG --log-prefix "New not syn:"

$IPTABLES -A bad_packets -p tcp ! --syn -m state --state NEW -j DROP

# tcp_packets


# udp_packets

# Blocks Microsoft Network Broadcasts
$IPTABLES -A udp_packets -p UDP -i $EXT --destination-port 135:139 -j DROP

# Blocks DHCP requests from outside of network.
$IPTABLES -A udp_packets -p UDP -i $EXT -d 255.255.255.255 --destination-port 67:68 -j DROP

# icmp_packets

# Allows Echo request
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

# Allows TTL equals 0 during transit / reassembly
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#############################################################
# Chains - INPUT
#############################################################

# Filters packets through bad_packets chain
$IPTABLES -A INPUT -p ALL -j bad_packets

# Only accept packets that are established or related
$IPTABLES -A INPUT -p ALL -i $EXT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drops MS multicasts
$IPTABLES -A INPUT -i $EXT -d 224.0.0.0/8 -j DROP

# Drops attempts from outsider acting like they are on the LAN
$IPTABLES -A INPUT -i $EXT -s $LAN_IP -j DROP

# Disperse protocol types on specific chains
$IPTABLES -A INPUT -p TCP -i $EXT -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $EXT -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $EXT -j icmp_packets


#############################################################
# Chains - OUTPUT
#############################################################

#Allows traffic out of the firewall
$IPTABLES -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $EXT -j ACCEPT


#############################################################
# Chains - FORWARD
#############################################################

# Filters packets through bad_packets chain
$IPTABLES -A FORWARD -p ALL -j bad_packets

# Drops MS multicasts arriving on the external interface
$IPTABLES -A FORWARD -i $EXT -d 224.0.0.0/8 -j DROP

# Drops attempts from outsider acting like they are on the LAN
# (must be limited to $EXT, otherwise all traffic from the LAN is dropped)
$IPTABLES -A FORWARD -i $EXT -s $LAN_IP -j DROP

# Disperse protocol types on specific chains
$IPTABLES -A FORWARD -p TCP -j tcp_packets
$IPTABLES -A FORWARD -p UDP -j udp_packets
$IPTABLES -A FORWARD -p ICMP -j icmp_packets

#############################################################
# Table - NAT
#############################################################

#NATing for the internal LAN
$IPTABLES -t nat -A POSTROUTING -o $EXT -j MASQUERADE

#############################################################
# Table - MANGLE
#############################################################

#############################################################

# Enables forwarding of interfaces
echo "1" > /proc/sys/net/ipv4/ip_forward


Half_Elf 08-09-2005 09:35 AM

Nice piece of work.

Just a small critique: you are logging invalid packets. Logging is very dangerous, as an attacker could easily DDoS your computer by sending enough invalid traffic to keep your hard drive busy. I would recommend making some "limit" rules about logging, to make sure you don't write more than, let's say, 1 invalid traffic per second?


Btw, your default policy to OUTPUT is to DROP... are you sure this is right? I mean, you won't be able to reach the outside world from this box?! or maybe I missed something...
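As an added example (not the poster's script and not from the linked wiki), a sketch of what the critique above calls for: a rate-limited logging chain so a flood of invalid packets cannot fill the disk, plus the loopback and FORWARD accept rules the posted script leaves out. Interface names and the LAN range are taken from the posted script; the dry-run mode (echoing the rules unless APPLY=1 is set) is my own addition so the rule set can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example, not the poster's script: a rate-limited logging chain for
# the "logging is dangerous" point, plus the loopback and FORWARD accept
# rules the posted script lacks. Dry-run by default; APPLY=1 runs for real.
if [ "${APPLY:-0}" = 1 ]; then IPTABLES="/sbin/iptables"; else IPTABLES="echo iptables"; fi
EXT="eth0"; INT="eth1"; LBACK="lo"; LAN_IP="192.168.1.0/24"

# log_and_drop CHAIN PREFIX [RATE]: log at most RATE (burst 5), then drop.
# Packets over the limit are dropped without a log line, so a flood of
# invalid packets cannot keep the disk busy.
log_and_drop() {
    chain="$1"; prefix="$2"; rate="${3:-1/second}"
    $IPTABLES -N "$chain"
    $IPTABLES -F "$chain"
    $IPTABLES -A "$chain" -m limit --limit "$rate" --limit-burst 5 \
        -j LOG --log-prefix "$prefix"
    $IPTABLES -A "$chain" -j DROP
}

# bad_packets: the posted script's checks, with the "NEW not SYN" case
# sent through the limited logger instead of an unlimited LOG rule.
bad_packets() {
    log_and_drop bad_log "New not syn: "
    $IPTABLES -N bad_packets
    $IPTABLES -F bad_packets
    $IPTABLES -A bad_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
        -m state --state NEW -j REJECT --reject-with tcp-reset
    $IPTABLES -A bad_packets -p tcp ! --syn -m state --state NEW -j bad_log
}

# base_rules: default DROP, allow loopback, keep existing connections, and
# let the LAN open new connections out through the gateway (MASQUERADE
# does nothing useful unless FORWARD accepts that traffic).
base_rules() {
    $IPTABLES -P INPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -A INPUT -i "$LBACK" -j ACCEPT
    $IPTABLES -A OUTPUT -o "$LBACK" -j ACCEPT
    $IPTABLES -A INPUT -j bad_packets
    $IPTABLES -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -j bad_packets
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$INT" -o "$EXT" -s "$LAN_IP" -m state --state NEW -j ACCEPT
    $IPTABLES -A OUTPUT -o "$EXT" -j ACCEPT
    $IPTABLES -t nat -A POSTROUTING -o "$EXT" -s "$LAN_IP" -j MASQUERADE
}

bad_packets; base_rules
```

Run it without APPLY to see every rule it would load; the limit rate and burst are the knobs to tune if the log still fills up faster than you want.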

Centinul 08-09-2005 10:03 AM

Thanks, I made the proper OUTPUT changes; I will make the log changes later. While I was looking around I found this script that I might use, and scrap mine, because it looks like it covers stuff that I didn't even come close to accounting for:

http://gentoo-wiki.com/HOWTO_Iptables_for_newbies

Thoughts?

