IPTables Firewall Advice...

Bomber · 01-07-2002, 04:59 PM

Hey, I've written myself an iptables firewall script (helped by browsing the web and looking at others scripts - raz you may see some stuff you recognise).....but I want to know how secure this script it and if I've gone about it the correct way...

Code:

#!/bin/bash

#IPTABLES Firewall script - created by Ben Birnbaum
#
#If the script has already been run and needs to be restarted for configuration 
#purposes run it with the "stop" command first, then re-run with the "start" 
#command.


#Set to the location of the iptables program
IPT="/sbin/iptables"

#A simple if statement to test for the command line options.
if [ $1 = "stop" ]; then

    #Test to see if unreal.firewall has been started
    if [ -a /etc/firewall/status_stop.pid ]; then

        echo ""
        echo "Error: unreal.firewall script has not been started yet!"
        echo "Run: unreal.firewall start"
        echo ""
        exit 1
    
    fi

    #Flush all firewall rules (stop the script)
    echo -n "Flushing Firewall Rules........."
    $IPT -F
    $IPT -X firewall
    $IPT -X syn-flood
    $IPT -P INPUT ACCEPT
    $IPT -P OUTPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    echo "DONE"
    if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then

        echo -n "Removing IP spoofing protection....."
        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 0 > $f ; done
        echo "DONE"
    fi
    rm /etc/firewall/status_start.pid
    touch /etc/firewall/status_stop.pid
    echo ""
    echo "WARNING: By stopping the firewall you are leaving yourself open to attacks."
    echo ""
    exit 1

elif [[ $1 != "stop" && $1 != "start" || -z $1 ]]; then

    echo "Invalid Option!"
    echo "Valid Options: start|stop"
    exit 1

fi

#Test to see if unreal.firewall is already running..
if [ -a /etc/firewall/status_start.pid ]; then

    echo ""
    echo "Error: unreal.firewall script has already been started.."
    echo "Issue the stop command first."
    echo ""
    exit 1

fi

#Remove the stop file and create the start file (to show that
#unreal.firewall is running)
rm /etc/firewall/status_stop.pid
touch /etc/firewall/status_start.pid

#Set up spoofing protection

if [ -e /proc/sys/net/ipv4/conf/all/rp_filter ]; then

        echo -n "Setting up IP spoofing protection....."
        for f in /proc/sys/net/ipv4/conf/*/rp_filter; do echo 1 > $f ; done
        echo "DONE"

    else

        echo DANGER: PROBLEMS SETTING UP IP SPOOFING PROTECTION.

fi

echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.tcp_max_syn_backlog=256
sysctl -w net.ipv4.tcp_syn_retries=5
sysctl -w net.ipv4.route.mtu_expires=512
sysctl -w net.ipv4.tcp_keepalive_time=7600
sysctl -w net.ipv4.icmp_echoreply_rate=10
sysctl -w net.ipv4.tcp_fin_timeout=360
sysctl -w net.ipv4.tcp_rfc1337=1
echo 1 > /proc/sys/net/ipv4/ip_forward
echo 8176 > /proc/sys/net/ipv4/ip_conntrack_max
echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 128 > /proc/sys/net/ipv4/ip_default_ttl
echo 262144 > /proc/sys/net/core/rmem_default
echo 262144 > /proc/sys/net/core/rmem_max
echo 262144 > /proc/sys/net/core/wmem_default
echo 262144 > /proc/sys/net/core/wmem_max


echo -n "Loading Firewall Rules....."

#Flush all existing rules
$IPT -F

#Set default policies
$IPT -P INPUT DROP
$IPT -P FORWARD DROP

#Set-up the "firewall-chain" rules
$IPT -N firewall
$IPT -A firewall -m limit --limit 20/minute -j LOG --log-level info --log-prefix "FIREWALL: "
$IPT -A firewall -j DROP

#Accept Ourselves
$IPT -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT

#Drop any bad Flags
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L1: "
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L2: "
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L3: "
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L4: "
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix "FIREWALL: BAD FLAG! L5: "


#Stuff to stop SYN Floods
$IPT -N syn-flood
$IPT -A syn-flood -m limit --limit 1/s --limit-burst 10 -j RETURN
$IPT -A syn-flood -j LOG --log-level info --log-prefix "FIREWALL: SYN Flood Stopped: "
$IPT -A syn-flood -j DROP
$IPT -A INPUT -p tcp --syn -j syn-flood


#Some more Spoofing Protection
$IPT -t nat -A PREROUTING -s 10.0.0.0/8 -j LOG --log-level info --log-prefix "FIREWALL: FAKE CLASS A: "
$IPT -t nat -A PREROUTING -s 10.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 172.16.0.0/12 -j LOG --log-level info --log-prefix "FIREWALLL: FAKE CLASS B: "
$IPT -t nat -A PREROUTING -s 172.16.0.0/12 -j DROP
$IPT -A INPUT -s 10.0.0.0/8 -j LOG --log-level info --log-prefix "FIREWALL: FAKE CLASS A: "
$IPT -A INPUT -s 10.0.0.0/8 -j DROP
$IPT -A INPUT -s 172.16.0.0/12 -j LOG --log-level info --log-prefix "FIREWALL: FAKE CLASS B: "
$IPT -A INPUT -s 172.16.0.0/12 -j DROP
$IPT -A INPUT -s 255.255.255.255 -j LOG --log-level info --log-prefix "FIREWALL: FAKE CLASS E: "
$IPT -A INPUT -s 255.255.255.255 -j DROP
$IPT -A INPUT -s 0.0.0.0/8 -j DROP
$IPT -A INPUT -s 169.254.0.0/15 -j DROP
$IPT -A INPUT -s 224.0.0.0/4 -j DROP
$IPT -A INPUT -s 240.0.0.0/5 -j DROP
$IPT -A INPUT -s 248.0.0.0/5 -j DROP
$IPT -A INPUT -f -j LOG --log-level info --log-prefix "FIREWALL: PACKET FRAGMENTED: "
$IPT -A INPUT -f -j DROP


#State matching stuff - to accept related and established connections.
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#ICMP Stuff
$IPT -A INPUT -p icmp --icmp-type address-mask-reply -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type required-option-missing -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type ip-header-bad -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type source-route-failed -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type network-unknown -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

#Accept HTTP requests (uncomment to allow HTTP on port 80)
#$IPT -A INPUT -p tcp --destination-port 80 -j ACCEPT

#Accept HTTPS requests
$IPT -A INPUT -s 192.168.4.0/24 -p tcp --destination-port 2789 -j ACCEPT
$IPT -A INPUT -s 192.168.4.198 -p tcp --destination-port 10000 -j ACCEPT

#Accept SSH requests
$IPT -A INPUT -s 192.168.4.0/24 -p tcp --destination-port 22 -j ACCEPT

#Accept samba requests
$IPT -A INPUT -s 192.168.4.0/24 -p tcp --destination-port 137:139 -j ACCEPT
$IPT -A INPUT -s 192.168.4.0/24 -p udp --destination-port 137:139 -j ACCEPT
$IPT -A INPUT -s 192.168.4.0/24 -p tcp --destination-port 445 -j DROP
$IPT -A INPUT -s 192.168.4.1 -p udp --source-port 137 -j ACCEPT
$IPT -A INPUT -s 192.168.4.2 -p udp --source-port 137 -j ACCEPT

#Accept Domain Name Server stuff..
$IPT -A INPUT -s 192.168.4.0/24 -p tcp --destination-port 53 -j ACCEPT
$IPT -A INPUT -s 192.168.4.0/24 -p udp --destination-port 53 -j ACCEPT

#Some deny stuff that we dont want to log
$IPT -A INPUT -p udp --destination-port 137 -j DROP
$IPT -A INPUT -p udp --destination-port 138 -j DROP
$IPT -A INPUT -p udp --destination-port 67 -j DROP
$IPT -A INPUT -p udp --destination-port 68 -j DROP

#Send everything else to the firewall chain - DENY it and LOG it.
$IPT -A INPUT -p icmp -j firewall
$IPT -A INPUT -p tcp --syn -j firewall
$IPT -A INPUT -p udp -j firewall

echo "DONE"

Sorry for the length...
Any input/feedback would be greatly appriciated, thanks...

unSpawn · 01-07-2002, 05:27 PM

I admit Im still "studying" netfilter/iptables,
(even compiled a statefull packet filter for me good 'ol ipchains) but it looks sound to me. The only real thing I think I'd be missing is output chain rules, like allowing only ICMP type messages out related to ping and traceroute (0,1,8, IIRC), no crafted TCP packets out, and separate LOG chains to have different logging options/notes but then maybe Im a logging freak :-]

Other than that Ive only got nagging stuff like, I'd separate sysctl stuff to a separate /etc/sysctl.conf so I would only need one line like "sysctl -e -p /etc/sysctl.conf", and the script shouldnt need a PID/state file (IMHO) when it's not run?

Still stands tho, it looks quite good to me.

Bomber · 01-07-2002, 05:47 PM

Cool, thanks for the tips/advice unSpawn.

I didn't even realise there was a sysctl.conf, that should help make things neater.

Thanks again.

raz · 01-08-2002, 05:39 AM

Yeah I thought I recognised some of it.

The lines like this will allow external people to fake internal ip sourced packets to your system, as your accepting from -s and not to a particular network card.

$IPT -A INPUT -s 192.168.4.0/24 -p tcp --destination-port 53 -j ACCEPT
$IPT -A INPUT -s 192.168.4.0/24 -p udp --destination-port 53 -j ACCEPT

To do it correctly you need two network cards, the first with the outside ip, the second with your internal ip.

Then only accept to the internal card.

example:
$IPT -A INPUT -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
"eth0 being the external interface."

or

$IPT -A INPUT -i eth1 -s 192.168.4.0/24 -p tcp --destination-port 53 -j ACCEPT
"eth1 been the internal interface."

Also your giving too much info away in the ICMP accepts.

On your external nic drop all ICMP's except:
--icmp-type required-option-missing -j ACCEPT
--icmp-type parameter-problem -j ACCEPT
--icmp-type ip-header-bad -j ACCEPT
--icmp-type TOS-host-unreachable -j ACCEPT
--icmp-type source-route-failed -j ACCEPT
--icmp-type network-unknown -j ACCEPT
--icmp-type echo-reply -j ACCEPT

Also drop this rule with the main ones.
Yours:

#Set default policies
$IPT -P INPUT DROP
$IPT -P FORWARD DROP

Should be:
iptables -F
iptables -X
iptables -F -t nat
iptables -P INPUT DROP
# if you don't trust your network then DROP outputs and make rules"
iptables -P OUTPUT ACCEPT
iptables -A FORWARD -i eth0 -p igmp -j LOG --log-level info --log-prefix "** Bad faked IGMP's **"
iptables -A FORWARD -i eth0 -p igmp -j DROP
iptables -P FORWARD DROP

Otherwise it looks ok.

/raz

Stingreen · 02-19-2002, 07:58 PM

jesus...
I got a looonnggg loooonnggg way ahead just to understand what is going on.
I think I'm gonna sit on a corner and start crying.

phoenix07 · 04-11-2004, 01:17 AM

Quote:

Originally posted by raz
Yeah I thought I recognised some of it.

The lines like this will allow external people to fake internal ip sourced packets to your system, as your accepting from -s and not to a particular network card.

$IPT -A INPUT -s 192.168.4.0/24 -p tcp --destination-port 53 -j ACCEPT
$IPT -A INPUT -s 192.168.4.0/24 -p udp --destination-port 53 -j ACCEPT

To do it correctly you need two network cards, the first with the outside ip, the second with your internal ip.

Then only accept to the internal card.

example:
$IPT -A INPUT -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
"eth0 being the external interface."

or

$IPT -A INPUT -i eth1 -s 192.168.4.0/24 -p tcp --destination-port 53 -j ACCEPT
"eth1 been the internal interface."

Also your giving too much info away in the ICMP accepts.

On your external nic drop all ICMP's except:
--icmp-type required-option-missing -j ACCEPT
--icmp-type parameter-problem -j ACCEPT
--icmp-type ip-header-bad -j ACCEPT
--icmp-type TOS-host-unreachable -j ACCEPT
--icmp-type source-route-failed -j ACCEPT
--icmp-type network-unknown -j ACCEPT
--icmp-type echo-reply -j ACCEPT

Also drop this rule with the main ones.
Yours:

#Set default policies
$IPT -P INPUT DROP
$IPT -P FORWARD DROP

Should be:
iptables -F
iptables -X
iptables -F -t nat
iptables -P INPUT DROP
# if you don't trust your network then DROP outputs and make rules"
iptables -P OUTPUT ACCEPT
iptables -A FORWARD -i eth0 -p igmp -j LOG --log-level info --log-prefix "** Bad faked IGMP's **"
iptables -A FORWARD -i eth0 -p igmp -j DROP
iptables -P FORWARD DROP

Otherwise it looks ok.

/raz

hey raz...

do you think you could help me out with this problem i got?

how do i turn off my Firewall so EVERY person on my network can share the itnernet??? if i turn off firewall will that auto-matically share the internet??? i seriously need help.