iptables script
Hello. I'm learning how to make a firewall in Linux. Here is my iptables script.
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW ! -i eth0 -j ACCEPT
iptables -A FORWARD -s 10.20.30.0/24 -i eth0 -j DROP   # spoofing
iptables -A FORWARD -p icmp -d 10.20.30.255 -j DROP   # smurf
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT   # syn-flood
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT   # port scan
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT   # ping of death
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -j DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW ! -i eth0 -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -j DROP
iptables -A OUTPUT -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
The 10.20.30.0 network is my internal network. Is there anything that doesn't look right? Maybe there are some things I'm missing, or redundant entries, etc. Any ideas? Thanks. |
you may want to flush each table at the start
|
Got it. Is there anything else?
|
You've missed a few things out; check out the example I've written for more info.
# internet
INET_IP="198.81.129.100"
INET_IFACE="eth0"
# internal
LAN_IP="192.168.0.2"
LAN_IFACE="eth1"
LAN_SUB="192.168.0.0/24"
# DNS's
DNS1="198.6.1.202"
DNS2="198.6.2.203"

iptables -F
iptables -X
iptables -F -t nat

echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.tcp_max_syn_backlog=256
sysctl -w net.ipv4.tcp_syn_retries=5
sysctl -w net.ipv4.route.mtu_expires=512
sysctl -w net.ipv4.tcp_keepalive_time=7600
sysctl -w net.ipv4.icmp_echoreply_rate=10
sysctl -w net.ipv4.tcp_fin_timeout=360
sysctl -w net.ipv4.tcp_rfc1337=1
echo 8176 > /proc/sys/net/ipv4/ip_conntrack_max
echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 128 > /proc/sys/net/ipv4/ip_default_ttl
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 262144 > /proc/sys/net/core/rmem_default
echo 262144 > /proc/sys/net/core/rmem_max
echo 262144 > /proc/sys/net/core/wmem_default
echo 262144 > /proc/sys/net/core/wmem_max

/sbin/depmod -a
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ipt_owner
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack

# MASQ for eth0 to outside
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $INET_IP
echo "NAT enabled for internal network on eth0"

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -p igmp -j DROP

iptables -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos 8
iptables -t mangle -A OUTPUT -p tcp --dport 443 -j TOS --set-tos 8
iptables -t mangle -A OUTPUT -p tcp --dport 8080 -j TOS --set-tos 8
iptables -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos 8
echo "Priority delay set for DNS"
iptables -t mangle -A OUTPUT -p tcp --dport 53 -j TOS --set-tos 16

# drop nasty flags:
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level info --log-prefix "BAD FLAG !! L1"
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-level info --log-prefix "BAD FLAG !! L2"
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-level info --log-prefix "BAD FLAG !! L3"
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-level info --log-prefix "BAD FLAG !! L4"
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix "BAD FLAG !! L5"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# SYN flood stuff
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j LOG --log-level info --log-prefix "SYN Flood stopped "
iptables -A syn-flood -j DROP

# Drop Private
iptables -A INPUT -i eth0 -p tcp --sport 1:1024 --dport 1:1024 -j LOG --log-level info --log-prefix "PRIVATE PORT L1"
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 --dport 1:1024 -j LOG --log-level info --log-prefix "PRIVATE PORT L2"
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 --dport 6000 -j LOG --log-level info --log-prefix "PRIVATE X PORT "
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 --dport 1:1024 -j DROP
iptables -A INPUT -i eth0 -p tcp --sport 1:1024 --dport 1:1024 -j DROP
iptables -A INPUT -i eth0 -p tcp --sport 1:1024 --dport 6000 -j DROP
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 --dport 6000 -j DROP

# SYN dropped
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j LOG --log-level info --log-prefix "SYN DROPPED "
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP

# spoofing protection
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j LOG --log-level info --log-prefix "FAKE CLASS C"
iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j LOG --log-level info --log-prefix "FAKE CLASS A "
iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j LOG --log-level info --log-prefix "FAKE CLASS B "
iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-level info --log-prefix "FAKE CLASS C "
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-level info --log-prefix "FAKE CLASS A "
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-level info --log-prefix "FAKE CLASS B "
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 255.255.255.255 -j LOG --log-level info --log-prefix "FAKE CLASS E "
iptables -A INPUT -i eth0 -s 255.255.255.255 -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j LOG --log-level info --log-prefix "FAKE LOCAL 127 "
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
iptables -A INPUT -i eth0 -s 240.0.0.0/5 -j DROP
iptables -A INPUT -i eth0 -s 248.0.0.0/5 -j DROP
iptables -A INPUT -i eth0 -f -j LOG --log-level info --log-prefix "PACKET FRAGMENTED "
iptables -A INPUT -i eth0 -f -j DROP

# full access to eth1 nic
iptables -A INPUT -p ALL -i eth1 -s $LAN_SUB -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_SUB -j ACCEPT

# The weakest link
#iptables -A INPUT -i eth0 -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# Active FTP
iptables -A INPUT -i eth0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -s $DNS1 --sport 53 -d $INET_IP --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -s $DNS2 --sport 53 -d $INET_IP --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d $INET_IP --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d 10.50.28.4 --dport 1023:65535 -j ACCEPT

# ICMP
iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type address-mask-reply -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type required-option-missing -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type ip-header-bad -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type source-route-failed -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type network-unknown -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT

# Deny ICMP types inbound
iptables -A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type network-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type protocol-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type port-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type fragmentation-needed -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-unknown -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type network-prohibited -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-prohibited -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-network-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type communication-prohibited -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-precedence-violation -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type precedence-cutoff -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type source-quench -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type network-redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-network-redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-host-redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j LOG --log-level info --log-prefix "PING REQUEST "
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type router-advertisement -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type router-solicitation -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type ttl-zero-during-transit -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type ttl-zero-during-reassembly -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type timestamp-reply -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type address-mask-request -j DROP |
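Pulling the thread's points together (flush first, default-DROP policies, anti-spoofing on the outside interface, rate-limited logging before dropping, and accepting only the ICMP that is actually needed), here is an added example of how the first post's 10.20.30.0/24 gateway could be written. It is not code from either poster. It assumes eth0 faces the internet and eth1 the LAN, as in the original, and routes every command through an IPT/SYSCTL variable so the rule set can be dry-run with IPT=echo before being applied as root:

```shell
#!/bin/sh
# Added example (not from the thread): stateful rewrite of the
# 10.20.30.0/24 gateway script. Assumptions: eth0 = internet, eth1 = LAN.
# Commands go through $IPT/$SYSCTL so "IPT=echo" gives a dry run.
IPT="${IPT:-iptables}"
SYSCTL="${SYSCTL:-sysctl}"
INET_IFACE="eth0"
LAN_IFACE="eth1"
LAN_SUB="10.20.30.0/24"
# Source ranges that can never legitimately arrive on the outside interface.
BOGONS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 127.0.0.0/8 169.254.0.0/16 224.0.0.0/4 0.0.0.0/8"

# Kernel-side hardening: forwarding on, reverse-path filter (kernel-level
# anti-spoof), SYN cookies, ignore broadcast pings (smurf) and redirects.
harden_sysctl() {
    $SYSCTL -w net.ipv4.ip_forward=1
    $SYSCTL -w net.ipv4.conf.all.rp_filter=1
    $SYSCTL -w net.ipv4.tcp_syncookies=1
    $SYSCTL -w net.ipv4.icmp_echo_ignore_broadcasts=1
    $SYSCTL -w net.ipv4.conf.all.accept_redirects=0
    $SYSCTL -w net.ipv4.conf.all.send_redirects=0
    $SYSCTL -w net.ipv4.conf.all.accept_source_route=0
}

# Flush, then default-DROP: a forgotten rule closes a path, never opens one.
reset_tables() {
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

# Log-then-drop chain, rate-limited so a flood cannot fill the disk.
logdrop_chain() {
    $IPT -N LOGDROP
    $IPT -A LOGDROP -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-level info --log-prefix "FW DROP: "
    $IPT -A LOGDROP -j DROP
}

# Spoofed sources on eth0. The LAN prefix is in the list too: a packet
# claiming to be from 10.20.30.0/24 can only legitimately enter on eth1.
anti_spoof() {
    for net in $LAN_SUB $BOGONS; do
        $IPT -A INPUT   -i $INET_IFACE -s $net -j LOGDROP
        $IPT -A FORWARD -i $INET_IFACE -s $net -j LOGDROP
    done
}

stateful_rules() {
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT   -m state --state INVALID -j LOGDROP
    $IPT -A FORWARD -m state --state INVALID -j LOGDROP
    # A new TCP connection must begin with a bare SYN.
    $IPT -A INPUT   -p tcp ! --syn -m state --state NEW -j LOGDROP
    $IPT -A FORWARD -p tcp ! --syn -m state --state NEW -j LOGDROP
    $IPT -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Whatever the LAN starts is allowed, toward this box or the internet.
    $IPT -A INPUT   -i $LAN_IFACE -s $LAN_SUB -m state --state NEW -j ACCEPT
    $IPT -A FORWARD -i $LAN_IFACE -s $LAN_SUB -o $INET_IFACE -m state --state NEW -j ACCEPT
}

# ICMP from outside: errors (unreachable, time-exceeded, parameter-problem)
# already pass as RELATED and echo replies as ESTABLISHED, so only rate-limited
# echo requests need an ACCEPT; redirects, timestamp/mask requests etc. are
# logged and dropped.
icmp_rules() {
    $IPT -A INPUT -i $INET_IFACE -p icmp --icmp-type echo-request \
        -m limit --limit 1/s --limit-burst 4 -j ACCEPT
    $IPT -A INPUT -i $INET_IFACE -p icmp -j LOGDROP
}

finish() {
    $IPT -A INPUT   -j LOGDROP
    $IPT -A FORWARD -j LOGDROP
    # Hide the LAN behind eth0's (possibly dynamic) address; with a static
    # address, SNAT --to-source as in Raz's script is the cheaper choice.
    $IPT -t nat -A POSTROUTING -o $INET_IFACE -s $LAN_SUB -j MASQUERADE
}

build_rules() {
    reset_tables; logdrop_chain; anti_spoof; stateful_rules; icmp_rules; finish
}

# Number of -A rules a dry run emits (32 with the lists above).
rule_count() {
    (IPT=echo; build_rules) | grep -c -- '-A [A-Z]'
}

case "${1-}" in
    apply)  harden_sysctl && build_rules ;;
    dryrun) IPT=echo; SYSCTL=echo; harden_sysctl; build_rules ;;
esac
```

Run it as `sh fw.sh dryrun` to print what would be installed and `sh fw.sh apply` as root to install it. Compared with the first post, the per-rule `-m limit ... -j ACCEPT` lines are gone on purpose: a limit match that ACCEPTs lets the first few packets per second through and passes the rest to the next rule, so on its own it neither stops a SYN flood nor a scan; SYN cookies plus the default DROP do that work here. With rp_filter=1 the kernel already discards packets whose source would be routed out a different interface, so the anti_spoof rules mainly exist to log what arrives.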
WOW! Great example. I have a couple of questions. At the beginning of the script I see a lot of lines that "echo" or use "sysctl" to put a parameter into a bunch of files. What exactly is that doing? I've tried the LOG target, but nothing gets written to the /var/log/messages file. How do I configure syslog to write messages from iptables? I didn't include all the modules because I compiled them all into the kernel. Just by looking at my script, what obvious vulnerabilities can you see?
THANKS! |
Yeah, it took a while to test it too.
The echos and sysctls fine-tune the system's network stack and improve the ability of the system to fight off DoS attacks. What do you mean by LOG target? The main problem with your script is that you drop everything on the INPUT chain; not all ICMP messages should be dropped, and that's why the last lines of my script have ICMP accepts and drops. /Raz |
How do I log packets using iptables?
|
Instead of -j ACCEPT or -j DROP:
-j LOG --log-level info --log-prefix "** whatever text in log ** " |
This is something I have been trying like heck to figure out... My only question at this point, though, is: what file are you guys editing here?
|
whatever file you want, it's just a script file.
|
raz, I've not got a log set up for my firewall, and so I get all the logs for rejected packets dumped on the console. Can I change syslog.conf to send them to a log instead? I don't want to edit my firewall script, as I'm thick, so I use firestarter to build it automatically.
|
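The logging questions in this thread (where LOG output goes, and what to do with it once it is in a file) are easier to answer with something concrete to run, so here is an added example, not from any poster: a small shell/awk summary that reads iptables LOG lines as syslogd writes them and reports, per source address, how many packets were dropped and how many distinct destination ports were touched. The `FW DROP: ` prefix and the log lines themselves are constructed for the example and are not from a real system:

```shell
#!/bin/sh
# Added example: summarise iptables LOG lines by source address.
# SAMPLE_LOG is constructed for this example (documentation ranges,
# hypothetical "FW DROP: " prefix); in practice pipe in /var/log/firewall.log.
SAMPLE_LOG='Jan 14 06:02:11 gw kernel: FW DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40211 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 14 06:02:12 gw kernel: FW DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40212 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 14 06:02:13 gw kernel: FW DROP: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=54 ID=0 DF PROTO=TCP SPT=40213 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 14 06:05:40 gw kernel: FW DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=0 DF PROTO=UDP SPT=53 DPT=1900 LEN=40
Jan 14 06:07:02 gw kernel: FW DROP: IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=49 ID=0 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jan 14 06:07:05 gw sshd[812]: Accepted publickey for admin from 10.20.30.12 port 51022 ssh2'

# Read log lines on stdin, keep only the firewall drops, and print
# "<source> <packets> <distinct dst ports>" sorted by packet count.
# Many ports with few packets each is the port-scan signature; many
# packets on one port is a flood or a retrying client.
drop_summary() {
    grep 'FW DROP:' | awk '
    {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "") next
        pkts[src]++
        # ICMP lines carry no DPT; count only real, distinct ports.
        if (dpt != "" && !seen[src, dpt]++) ports[src]++
    }
    END {
        for (s in pkts) printf "%s %d %d\n", s, pkts[s], ports[s] + 0
    }' | sort -k2,2nr
}

# Convenience wrappers over the constructed sample, so the result can be
# checked without a live log file.
sample_summary() {
    printf '%s\n' "$SAMPLE_LOG" | drop_summary
}

# Source address with the most dropped packets in the sample.
top_source() {
    sample_summary | head -n 1 | cut -d' ' -f1
}

[ "${1-}" = "run" ] && sample_summary
```

Two notes for the syslog side, which the thread leaves open. The LOG target writes through the kernel log, so syslogd files its lines under the kern facility at the --log-level you set (kern.info for the rules in this thread); a line such as `kern.* /var/log/firewall.log` in syslog.conf, followed by a syslogd restart, keeps them out of /var/log/messages and gives this script a file to read. The lines landing on the console are the kernel printing messages at or above its console log level; `dmesg -n 4` (or klogd's -c option) lowers that level so only err and above reach the console while everything still goes to syslog.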
Right, acid... but where would you put a file like this, and what would you name it so that you would have a firewall going?
|
Hey raz, I adapted your script to fit my needs, but I was wondering what the IP is in the following line:
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d 10.50.28.4 --dport 1023:65535 -j ACCEPT
Is that IP (the -d 10.50.28.4 address) specific to your network, or is that one that I should keep? |
sorry about the double post
|
Chijtska
Most of these scripts are /etc/rc.d/rc.firewall, but some people have them named something else.
|