Linux - Security: This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
I am fairly new to iptables, and I just wanted to see if anyone would take a look at my script to see if I am going about iptables the correct way. I guess my biggest question is if I am going about the order of rules the right way? And if you see anything that could be a possible vulnerability, please let me know.
Thanks for your time.
Code:
#!/bin/bash
## Services ##
IPT=/sbin/iptables
IPS=/usr/sbin/ipset
SYSCTL=/sbin/sysctl
NULL=/dev/null ## Used below to silence sysctl; unset it and "> $NULL" is an ambiguous redirect
## Interfaces ##
INTIF="eth1"
EXTIF="eth0"
VPNIF_SGTS="tun0"
VPNIF_LMTL="tun1"
## Networks ##
INTNET="192.168.0.0/24"
LMTLNET="192.168.100.0/24"
GWISHNET="192.168.1.0/24"
VPNNET_SGTS="10.8.0.0/24"
VPNNET_LMTL="192.168.105.0/24"
## IP Addresses ##
INTADDR="192.168.0.1"
VPNADDR_SGTS="10.8.0.1"
VPNADDR_LMTL="192.168.105.44"
EXTADDR="x.x.x.x"
## Hosts ##
GREENMACHINE="192.168.0.201"
ANGWISH="192.168.1.1"
GWISHSERV="192.168.1.201"
IPKALL="x.x.x.x"
## Flush Iptable Rules (filter, nat and mangle tables)
$IPT -F
$IPT -X
$IPT -t nat -F
$IPT -t nat -X
$IPT -t mangle -F
$IPT -t mangle -X
## Flush And Destroy All IPSet Sets (no sets are defined below)
$IPS -F
$IPS -X
## Default Policies: Deny Inbound And Forwarded Traffic Unless Allowed Below
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP
## Setup Kernel Options
$SYSCTL -w net.ipv4.ip_forward=1 > $NULL ## IP Forwarding
$SYSCTL -w net.ipv4.ip_dynaddr=0 > $NULL ## Dynamic Address Hacking
$SYSCTL -w net.ipv4.tcp_syncookies=1 > $NULL ## SYN Flood Protection
$SYSCTL -w net.ipv4.icmp_echo_ignore_broadcasts=1 > $NULL ## Ignore ICMP To Broadcast
$SYSCTL -w net.ipv4.icmp_ignore_bogus_error_responses=1 > $NULL ## Ignore Bogus ICMP Error Responses
$SYSCTL -w net.ipv4.conf.all.rp_filter=1 > $NULL ## Source Validation
$SYSCTL -w net.ipv4.conf.all.accept_source_route=0 > $NULL ## Source Routed Packets
$SYSCTL -w net.ipv4.conf.all.accept_redirects=0 > $NULL ## ICMP Redirects
$SYSCTL -w net.ipv4.conf.all.send_redirects=0 > $NULL ## ICMP Redirects
$SYSCTL -w net.ipv4.conf.all.secure_redirects=1 > $NULL ## Secure Redirects
$SYSCTL -w net.ipv4.conf.all.log_martians=0 > $NULL ## Log Packets From Impossible Addresses (disabled here)
$SYSCTL -w net.netfilter.nf_conntrack_acct=1 > $NULL ## Connection Accounting
## Accept Everything On Loopback
$IPT -A INPUT -i lo -j ACCEPT
## Drop Malformed TCP Flag Combinations (All TCP Connections Must Start With SYN)
$IPT -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPT -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
## Allow Unprivileged Ports For Replies - Internal (5060-5061 Are Left Out For SIP)
$IPT -A INPUT -p tcp -d $INTADDR --dport 1024:5059 -i $INTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp -d $INTADDR --dport 1024:5059 -i $INTIF -j ACCEPT
$IPT -A INPUT -p tcp -d $INTADDR --dport 5062:65535 -i $INTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp -d $INTADDR --dport 5062:65535 -i $INTIF -j ACCEPT
## Allow Unprivileged Ports For Replies - SGTS VPN
$IPT -A INPUT -p tcp -d $VPNADDR_SGTS --dport 1024:5059 -i $VPNIF_SGTS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp -d $VPNADDR_SGTS --dport 1024:5059 -i $VPNIF_SGTS -j ACCEPT
$IPT -A INPUT -p tcp -d $VPNADDR_SGTS --dport 5062:65535 -i $VPNIF_SGTS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp -d $VPNADDR_SGTS --dport 5062:65535 -i $VPNIF_SGTS -j ACCEPT
## Allow Unprivileged Ports For Replies - External
## NOTE: The UDP rules below carry no conntrack state, so any UDP listener on these ports is reachable from $EXTIF
$IPT -A INPUT -p tcp -d $EXTADDR --dport 1024:5059 -i $EXTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp -d $EXTADDR --dport 1024:5059 -i $EXTIF -j ACCEPT
$IPT -A INPUT -p tcp -d $EXTADDR --dport 5062:65535 -i $EXTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -p udp -d $EXTADDR --dport 5062:65535 -i $EXTIF -j ACCEPT
## Allow Specific ICMP (0 = Echo Reply, 3 = Unreachable, 8 = Echo, 11 = Time Exceeded, Used By Traceroute)
$IPT -A INPUT -p icmp --icmp-type 0 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 3 -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 8 -m limit --limit 1/second -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type 11 -j ACCEPT
## Allow Specific NTP Servers
for ADDR in 91.189.94.4 192.43.244.18; do # ubuntu,NIST
$IPT -A INPUT -s $ADDR -d $EXTADDR -i $EXTIF -p udp --dport 123 -j ACCEPT
done
## No Ingress Filtering On LMTL VPN Network
$IPT -A INPUT -i $VPNIF_LMTL -j ACCEPT
## No Ingress Filtering On OpenVPN
$IPT -A INPUT -d $EXTADDR -i $EXTIF -p udp --dport 1194 -j ACCEPT
## Internal Accessible Ports
for PORT in 22 53 69 80 123 3128; do ## TCP - ssh, dns, tftp, ntp, squid
$IPT -A INPUT -s $INTNET -d $INTADDR -i $INTIF -p tcp --dport $PORT -j ACCEPT
done
for PORT in 53 69 123 5060; do ## UDP - dns, tftp, ntp, sip
$IPT -A INPUT -s $INTNET -d $INTADDR -i $INTIF -p udp --dport $PORT -j ACCEPT
done
## SGTS VPN Accessible Ports
for PORT in 22 53; do ## TCP - ssh & dns
$IPT -A INPUT -s $VPNNET_SGTS -d $VPNADDR_SGTS -i $VPNIF_SGTS -p tcp --dport $PORT -j ACCEPT
$IPT -A INPUT -s $VPNNET_SGTS -d $INTNET -i $VPNIF_SGTS -p tcp --dport $PORT -j ACCEPT
$IPT -A INPUT -s $GWISHNET -d $INTNET -i $VPNIF_SGTS -p tcp --dport $PORT -j ACCEPT
done
for PORT in 53 5060; do ## UDP - dns & sip
$IPT -A INPUT -s $VPNNET_SGTS -d $VPNADDR_SGTS -i $VPNIF_SGTS -p udp --dport $PORT -j ACCEPT
$IPT -A INPUT -s $VPNNET_SGTS -d $INTNET -i $VPNIF_SGTS -p udp --dport $PORT -j ACCEPT
$IPT -A INPUT -s $GWISHNET -d $INTNET -i $VPNIF_SGTS -p udp --dport $PORT -j ACCEPT
done
## IPKall - SIP Peer
$IPT -A INPUT -s $IPKALL -d $EXTADDR -i $EXTIF -p tcp --dport 5060 -j ACCEPT
$IPT -A INPUT -s $IPKALL -d $EXTADDR -i $EXTIF -p udp --dport 5060 -j ACCEPT
## Squid - Transparent Proxy For Outbound HTTP From The LAN
$IPT -t nat -A PREROUTING -i $INTIF -p tcp ! -d $INTNET --dport 80 -j DNAT --to-destination $INTADDR:3128
## The REDIRECT below matches the same packets as the DNAT above and is never reached; kept for reference
$IPT -t nat -A PREROUTING -i $INTIF -p tcp ! -d $INTNET --dport 80 -j REDIRECT --to-port 3128
## Hairpin NAT For HTTP And SSH (This Is Updated By /root/jobs/CheckIP.sh And Cron)
for PORT in 2020 8080 443 5222; do
$IPT -t nat -A PREROUTING -d $EXTADDR -p tcp --dport $PORT -j DNAT --to $GREENMACHINE:$PORT
$IPT -t nat -A POSTROUTING -s $INTNET -p tcp --dport $PORT -d $GREENMACHINE -j MASQUERADE
done
## Port Forwards
for PORT in 2020 8080 443 5222; do
$IPT -t nat -A PREROUTING -i $EXTIF -p tcp --dport $PORT -j DNAT --to $GREENMACHINE:$PORT
$IPT -A FORWARD -p tcp -d $GREENMACHINE --dport $PORT -j ACCEPT
done
## Masquerade Internal Address As External IP
$IPT -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
## Anything To LMTL Send Out As tun1 IP So I Don't Have To Create Any Special Rules On lmtl-linux Firewall
$IPT -t nat -A POSTROUTING -d $LMTLNET -j SNAT --to $VPNADDR_LMTL
## NAT ACLs For tun0 - OpenVPN
$IPT -A FORWARD -i $EXTIF -o $VPNIF_SGTS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $VPNIF_SGTS -o $EXTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $VPNIF_SGTS -o $INTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -s $VPNNET_SGTS -d $INTNET -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
## NAT ACLs For tun1 - OpenVPN
for ADDR in x.x.x.x x.x.x.x x.x.x.x x.x.x.x; do
$IPT -A FORWARD -s $ADDR -i $EXTIF -o $VPNIF_LMTL -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -s $ADDR -i $VPNIF_LMTL -o $EXTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -s $ADDR -i $VPNIF_LMTL -o $INTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
done
$IPT -A FORWARD -s $VPNNET_LMTL -d $INTNET -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
## NAT ACLs For eth1
$IPT -A FORWARD -i $INTIF -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
$IPT -A FORWARD -i $EXTIF -o $INTIF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
## Drop Anything Else (the FORWARD policy is already DROP, so this is explicit rather than necessary)
$IPT -A FORWARD -i $EXTIF -m conntrack --ctstate NEW,INVALID -j DROP
exit 0
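The two things a reviewer would check first in the script above are the rule order in INPUT (one early ESTABLISHED,RELATED accept, then only NEW per service) and the stateless UDP reply rules on the external interface. The following is an added example, not code from the original post, of a small shell linter that checks both over constructed sample rules; it assumes eth0 is the external interface, as in the script, and uses documentation addresses for the samples.

```shell
#!/bin/bash
# Added example, not the poster's code: lint iptables command lines from stdin.
# For the INPUT chain it reports
#   1. an ACCEPT on the external interface that matches UDP with no --ctstate
#      (every UDP listener on those ports becomes reachable from outside);
#   2. an ACCEPT that comes before the chain's "--ctstate ESTABLISHED,RELATED
#      -j ACCEPT" rule, i.e. the ordering the question asks about.
EXTIF="eth0"   # assumed external interface name, as in the post

lint_input_rules() {           # prints one line per finding; exit 1 if any
    findings=0; n=0; seen_est=0
    while IFS= read -r line; do
        case "$line" in *"-A INPUT "*) ;; *) continue ;; esac
        n=$((n + 1))
        case "$line" in
            *"--ctstate ESTABLISHED,RELATED -j ACCEPT"*) seen_est=1; continue ;;
            *"-j ACCEPT"*) ;;
            *) continue ;;         # DROP/REJECT rules need no ordering check
        esac
        case "$line" in *"-i lo "*) continue ;; esac   # loopback may sit anywhere
        if [ "$seen_est" -eq 0 ]; then
            echo "rule $n: ACCEPT precedes the ESTABLISHED,RELATED rule: $line"
            findings=$((findings + 1))
        fi
        case "$line" in
            *"-i $EXTIF "*) case "$line" in
                *"-p udp"*"--ctstate"*) ;;
                *"-p udp"*)
                    echo "rule $n: stateless UDP accept on $EXTIF (add --ctstate NEW): $line"
                    findings=$((findings + 1)) ;;
            esac ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed samples: the post's style (203.0.113.10 stands in for x.x.x.x)
# and a reordered, stateful version of the same rules.
as_posted() { cat <<'EOF'
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -p udp -d 203.0.113.10 --dport 1024:5059 -i eth0 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -d 203.0.113.10 --dport 1024:5059 -i eth0 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -d 203.0.113.10 -i eth0 -p udp --dport 1194 -j ACCEPT
EOF
}
reordered() { cat <<'EOF'
/sbin/iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp --dport 1194 -m conntrack --ctstate NEW -j ACCEPT
/sbin/iptables -A INPUT -i eth1 -s 192.168.0.0/24 -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
EOF
}
```

Run it as `as_posted | lint_input_rules` to see the three findings, and `reordered | lint_input_rules` to see the stateful ordering pass cleanly; the same function accepts `iptables-save`-style `-A INPUT` lines from a live box.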
Unfortunately, I don't know enough about iptables to offer a critique, but one of the members of my LUG posted his iptables script in the hopes that it might help others.