Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
I've made a firewall script for my network using bits from other scripts i found . I need to forward some ports (21,22,25,80,110) to my server, but when i use the command "iptables -A FORWARD -p tcp -i eth0 -d 192.168.2.2 --dport 80 -j ACCEPT" the port does not get forwarded.
ENABLE=Y
#-------------------------------------------------------------------
#- DO NOT EDIT BEYOND THIS POINT UNLESS YOU KNOW WHAT YOUR DOING - |
#-------------------------------------------------------------------
#
if [ "$ENABLE" = "N" ]
then
echo "Please edit the firewall and change ENABLE to Y"
exit 1
fi
if [ "$1" = "save" ]
then
echo -n "Saving firewall to /etc/sysconfig/iptables ... "
$IPTABLES_SAVE > /etc/sysconfig/iptables
echo "done"
exit 0
elif [ "$1" = "restore" ]
then
echo -n "Restoring firewall from /etc/sysconfig/iptables ... "
$IPTABLES_RESTORE < /etc/sysconfig/iptables
echo "done"
exit 0
fi
#---------
echo "|- Seting default policies for packets entering this box"
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
###############################################################################
#
# User-Specified Chains
#
# Create user chains to reduce the number of rules each packet
# must traverse.
echo "|- Creating custom rule chains ..."
# Create a chain to filter INVALID packets
$IPTABLES -N bad_packets
# Create another chain to filter bad tcp packets
$IPTABLES -N bad_tcp_packets
# Create separate chains for icmp, tcp (incoming and outgoing),
# and incoming udp packets.
$IPTABLES -N icmp_packets
# Used for UDP packets inbound from the Internet
$IPTABLES -N udp_inbound
# Used to block outbound UDP services from internal network
# Default to allow all
$IPTABLES -N udp_outbound
# Used to allow inbound services if desired
# Default fail except for established sessions
$IPTABLES -N tcp_inbound
# Used to block outbound services from internal network
# Default to allow all
$IPTABLES -N tcp_outbound
###############################################################################
#
# Populate User Chains
#
echo "|- Populating custom rule chains ..."
# bad_packets chain
#
# Drop INVALID packets immediately
$IPTABLES -A bad_packets -p ALL -m state --state INVALID -j LOG \
--log-prefix "Invalid packet: "
$IPTABLES -A bad_packets -p ALL -m state --state INVALID -j DROP
# Then check the tcp packets for additional problems
$IPTABLES -A bad_packets -p tcp -j bad_tcp_packets
# All good, so return
$IPTABLES -A bad_packets -p ALL -j RETURN
# bad_tcp_packets chain
#
# All tcp packets will traverse this chain.
# Every new connection attempt should begin with
# a syn packet. If it doesn't, it is likely a
# port scan. This drops packets in state
# NEW that are not flagged as syn packets.
# Return to the calling chain if the bad packets originate
# from the local interface. This maintains the approach
# throughout this firewall of a largely trusted internal
# network.
$IPTABLES -A bad_tcp_packets -p tcp -i $LANIF -j RETURN
$IPTABLES -A bad_tcp_packets -p tcp -i $DMZIF -j RETURN
# However, I originally did apply this filter to the forward chain
# for packets originating from the internal network. While I have
# not conclusively determined its effect, it appears to have the
# interesting side effect of blocking some of the ad systems.
# Apparently some ad systems have the browser initiate a NEW
# connection that is not flagged as a syn packet to retrieve
# the ad image. If you wish to experiment further comment the
# rule above. If you try it, you may also wish to uncomment the
# rule below. It will keep those packets from being logged.
# There are a lot of them.
# $IPTABLES -A bad_tcp_packets -p tcp -i $LANIF ! --syn -m state \
# --state NEW -j DROP
# $IPTABLES -A bad_tcp_packets -p tcp -i $DMZIF ! --syn -m state \
# --state NEW -j DROP
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn: "
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
# All good, so return
$IPTABLES -A bad_tcp_packets -p tcp -j RETURN
# icmp_packets chain
#
# This chain is for inbound (from the Internet) icmp packets only.
# Type 8 (Echo Request) is not accepted by default
# Enable it if you want remote hosts to be able to reach you.
# 11 (Time Exceeded) is the only one accepted
# that would not already be covered by the established
# connection rule. Applied to INPUT on the external interface.
#
#
# Note that the stateful settings allow replies to ICMP packets.
# These rules allow new packets of the specified types.
# ICMP packets should fit in a Layer 2 frame, thus they should
# never be fragmented. Fragmented ICMP packets are a typical sign
# of a denial of service attack.
$IPTABLES -A icmp_packets --fragment -p ICMP -j LOG \
--log-prefix "ICMP Fragment: "
$IPTABLES -A icmp_packets --fragment -p ICMP -j DROP
# Echo - uncomment to allow your system to be pinged.
# Uncomment the LOG command if you also want to log PING attempts
#
# $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j LOG \
# --log-prefix "Ping detected: "
# $IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
# By default, however, drop pings without logging. Blaster
# and other worms have infected systems blasting pings.
# Comment the line below if you want pings logged, but it
# will likely fill your logs.
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j DROP
# Time Exceeded
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
# Not matched, so return so it will be logged
$IPTABLES -A icmp_packets -p ICMP -j RETURN
# TCP & UDP
# udp_inbound chain
#
# This chain describes the inbound UDP packets it will accept.
# It's applied to INPUT on the external or Internet interface.
# Note that the stateful settings allow replies.
# These rules are for new requests.
# It drops netbios packets (windows) immediately without logging.
# Drop netbios calls
# Please note that these rules do not really change the way the firewall
# treats netbios connections. Connections from the localhost and
# internal interface (if one exists) are accepted by default.
# Responses from the Internet to requests initiated by or through
# the firewall are also accepted by default. To get here, the
# packets would have to be part of a new request received by the
# Internet interface. You would have to manually add rules to
# accept these. I added these rules because some network connections,
# such as those via cable modems, tend to be filled with noise from
# unprotected Windows machines. These rules drop those packets
# quickly and without logging them. This prevents them from traversing
# the whole chain and keeps the log from getting cluttered with
# chatter from Windows systems.
$IPTABLES -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPTABLES -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP
# Not matched, so return for logging
$IPTABLES -A udp_inbound -p UDP -j RETURN
# udp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# UDP requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT
# No match, so ACCEPT
$IPTABLES -A udp_outbound -p UDP -s 0/0 -j ACCEPT
# tcp_inbound chain
#
# This chain is used to allow inbound connections to the
# system/gateway. Use with care. It defaults to none.
# It's applied on INPUT from the external or Internet interface.
# Not matched, so return so it will be logged
$IPTABLES -A tcp_inbound -p TCP -j RETURN
# tcp_outbound chain
#
# This chain is used with a private network to prevent forwarding for
# requests on specific protocols. Applied to the FORWARD rule from
# the internal network. Ends with an ACCEPT
# No match, so ACCEPT
$IPTABLES -A tcp_outbound -p TCP -s 0/0 -j ACCEPT
# Allow all on localhost interface
$IPTABLES -A INPUT -p ALL -i $LOIF -j ACCEPT
# Drop bad packets
$IPTABLES -A INPUT -p ALL -j bad_packets
# DOCSIS compliant cable modems
# Some DOCSIS compliant cable modems send IGMP multicasts to find
# connected PCs. The multicast packets have the destination address
# 224.0.0.1. You can accept them. If you choose to do so,
# Uncomment the rule to ACCEPT them and comment the rule to DROP
# them The firewall will drop them here by default to avoid
# cluttering the log. The firewall will drop all multicasts
# to the entire subnet (224.0.0.1) by default. To only affect
# IGMP multicasts, change '-p ALL' to '-p 2'. Of course,
# if they aren't accepted elsewhere, it will only ensure that
# multicasts on other protocols are logged.
# Drop them without logging.
$IPTABLES -A INPUT -p ALL -d 224.0.0.1 -j DROP
# The rule to accept the packets.
# $IPTABLES -A INPUT -p ALL -d 224.0.0.1 -j ACCEPT
# Rules for the private network (accessing gateway system itself)
$IPTABLES -A INPUT -p ALL -i $LANIF -s $LAN_NET -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LANIF -d $LAN_BCAST -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $DMZIF -s $DMZ_NET -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $DMZIF -d $DMZ_BCAST -j ACCEPT
# Inbound Internet Packet Rules
# Accept Established Connections
$IPTABLES -A INPUT -p ALL -i $INETIF -m state --state ESTABLISHED,RELATED \
-j ACCEPT
# Route the rest to the appropriate user chain
$IPTABLES -A INPUT -p TCP -i $INETIF -j tcp_inbound
$IPTABLES -A INPUT -p UDP -i $INETIF -j udp_inbound
$IPTABLES -A INPUT -p ICMP -i $INETIF -j icmp_packets
# Drop without logging broadcasts that get this far.
# Cuts down on log clutter.
# Comment this line if testing new rules that impact
# broadcast protocols.
$IPTABLES -A INPUT -p ALL -d 255.255.255.255 -j DROP
# Kill malformed packets
# Block XMAS packets
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
iptables -A FORWARD -p tcp --tcp-flags ALL ALL -j DROP
# NMAP FIN/URG/PSH
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
# SYN/RST
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
# SYN/FIN -- Scan(probably)
$IPTABLES -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# NMAP FIN Stealth
$IPTABLES -A INPUT -p tcp --tcp-flags ALL FIN -j DROP
# ALL/ALL Scan
$IPTABLES -A INPUT -p tcp --tcp-flags ALL ALL -j DROP
# NMAP Null Scan
$IPTABLES -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Drop invalid packets
$IPTABLES -A INPUT -m state --state INVALID -j DROP
# Drop fragmented packets
$IPTABLES -A INPUT -f -j DROP
# Drop packets with bad tcp flags
$IPTABLES -A INPUT -p tcp --tcp-option 64 -j DROP
$IPTABLES -A INPUT -p tcp --tcp-option 128 -j DROP
# Accept TCP packets we want to forward from internal sources
$IPTABLES -A FORWARD -p tcp -i $LANIF -j tcp_outbound
$IPTABLES -A FORWARD -p tcp -i $DMZIF -j tcp_outbound
# Accept UDP packets we want to forward from internal sources
$IPTABLES -A FORWARD -p udp -i $LANIF -j udp_outbound
$IPTABLES -A FORWARD -p udp -i $DMZIF -j udp_outbound
# If not blocked, accept any other packets from the internal interface
$IPTABLES -A FORWARD -p ALL -i $LANIF -j ACCEPT
$IPTABLES -A FORWARD -p ALL -i $DMZIF -j ACCEPT
# Deal with responses from the internet
$IPTABLES -A FORWARD -i $INETIF -m state --state ESTABLISHED,RELATED \
-j ACCEPT
# Anything coming from the Internet should have a real Internet address
$IPTABLES -A FORWARD -i eth0 -s 192.168.0.0/16 -j DROP
$IPTABLES -A FORWARD -i eth0 -s 172.16.0.0/12 -j DROP
$IPTABLES -A FORWARD -i eth0 -s 10.0.0.0/8 -j DROP
$IPTABLES -A FORWARD -i eth0 -s 169.254.0.0/16 -j DROP
$IPTABLES -A FORWARD -i eth0 -s 224.0.0.0/4 -j DROP
$IPTABLES -A FORWARD -i eth0 -s 240.0.0.0/5 -j DROP
# Anything coming from our internal network should have only our addresses!
$IPTABLES -A FORWARD -i eth2 -s ! $LAN_NET -j DROP
# Anything coming from our DMZ network should have only our addresses!
$IPTABLES -A FORWARD -i eth1 -s ! $DMZ_NET -j DROP
# Block outgoing network filesharing protocols that aren't designed
# to leave the LAN
# SMB / Windows filesharing
iptables -A FORWARD -p tcp --sport 137:139 -j DROP
iptables -A FORWARD -p udp --sport 137:139 -j DROP
# NFS Mount Service (TCP/UDP 635)
iptables -A FORWARD -p tcp --sport 635 -j DROP
iptables -A FORWARD -p udp --sport 635 -j DROP
# NFS (TCP/UDP 2049)
iptables -A FORWARD -p tcp --sport 2049 -j DROP
iptables -A FORWARD -p udp --sport 2049 -j DROP
# Portmapper (TCP/UDP 111)
iptables -A FORWARD -p tcp --sport 111 -j DROP
iptables -A FORWARD -p udp --sport 111 -j DROP
# Block incoming syslog, lpr, rsh, rexec...
iptables -A FORWARD -i eth0 -p udp --dport syslog -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 515 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 514 -j DROP
iptables -A FORWARD -i eth0 -p tcp --dport 512 -j DROP
# Log packets that still don't match
$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "FORWARD packet died: "
# However, invalid icmp packets need to be dropped
# to prevent a possible exploit.
$IPTABLES -A OUTPUT -m state -p icmp --state INVALID -j DROP
# Localhost
$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $LOIF -j ACCEPT
# To internal network
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $LANIF -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $DMZ_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $DMZIF -j ACCEPT
# To internet
$IPTABLES -A OUTPUT -p ALL -o $INETIF -j ACCEPT
# Log packets that still don't match
$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-prefix "OUTPUT packet died: "
# The nat table is where network address translation occurs if there
# is a private network. If the gateway is connected to the Internet
# with a static IP, snat is used. If the gateway has a dynamic address,
# masquerade must be used instead. There is more overhead associated
# with masquerade, so snat is better when it can be used.
# The nat table has a builtin chain, PREROUTING, for dnat and redirects.
# Another, POSTROUTING, handles snat and masquerade.
# The mangle table is used to alter packets. It can alter or mangle them in
# several ways. For the purposes of this generator, we only use its ability
# to alter the TTL in packets. However, it can be used to set netfilter
# mark values on specific packets. Those marks could then be used in another
# table like filter, to limit activities associated with a specific host, for
# instance. The TOS target can be used to set the Type of Service field in
# the IP header. Note that the TTL target might not be included in the
# distribution on your system. If it is not and you require it, you will
# have to add it. That may require that you build from source.
# Kill spoofed packets
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Source NAT to get Internet traffic through
#$IPTABLES -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $INET_IP
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/ip_forward
else
$SYSCTL net.ipv4.ip_forward="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
else
$SYSCTL net.ipv4.tcp_syncookies="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
else
$SYSCTL net.ipv4.conf.all.proxy_arp="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
else
$SYSCTL net.ipv4.icmp_echo_ignore_broadcasts="1"
fi
if [ "$SYSCTL" = "" ]
then
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
else
$SYSCTL net.ipv4.conf.all.accept_source_route="0"
fi
if [ "$SYSCTL" = "" ]
then
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
else
$SYSCTL net.ipv4.conf.all.accept_redirects="0"
fi
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
else
$SYSCTL net.ipv4.conf.all.secure_redirects="1"
fi
# This option logs packets from impossible addresses.
if [ "$SYSCTL" = "" ]
then
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
else
$SYSCTL net.ipv4.conf.all.log_martians="1"
fi
Originally posted by deadlydemon I've made a firewall script for my network using bits from other scripts i found.
I need to forward some ports (21,22,25,80,110) to my server, but when i use the command
the port does not get forwarded. can any one help me?
This firewall rule is saying:
Allow all TCP packets: -p tcp -j ACCEPT
coming from the eth0 NIC: -i eth0
that are going to the IP address 192.168.2.2: -d 192.168.2.2
on port 80: --dport 80
The only thing that this rules is doing is saying "yes, it's ok to let this packet through".
My impression is that you're thinking "if a packet comes from eth0 for port 80, forward
it to 192.168.2.2", which is not correct.
How many NICS are in this machine? If more than one, which is the internal, which is
the external, etc? Are you trying to accept an internal IP addy from a public IP?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
