LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 01-29-2002, 09:11 AM   #1
buttnutt
Member
 
Registered: Dec 2001
Location: Dallas, TX
Distribution: Slackware
Posts: 46

Rep: Reputation: 15
iptables script


Hello. I'm learning how to make a firewall in Linux. Here is my iptables script.

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A FORWARD -s 10.20.30.0/24 -i eth0 -j DROP #spoofing
iptables -A FORWARD -p icmp -d 10.20.30.255 -j DROP #smurf
iptables -A FORWARD -p tcp --syn -m limit --limit 1/s -j ACCEPT #syn-flood
iptables -A FORWARD -p tcp --tcp-flags SYN,ACK,FIN,RST RST -m limit --limit 1/s -j ACCEPT #port scan
iptables -A FORWARD -p icmp --icmp-type echo-request -m limit --limit 1/s -j ACCEPT #ping of death
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -A FORWARD -j DROP

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state NEW -i ! eth0 -j ACCEPT
iptables -A INPUT -i eth1 -j ACCEPT
iptables -A INPUT -j DROP

iptables -A OUTPUT -j ACCEPT

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE


The 10.20.30.0 network is my iternal network.

Is there anything that doesn't look right. Maybe there are some things I'm missing, or redundant entries, etc.

Any ideas?

Thanks.
 
Old 01-29-2002, 10:06 AM   #2
theFuzzyOne
Member
 
Registered: Dec 2001
Distribution: redhat
Posts: 154

Rep: Reputation: 30
you may want to flush each table at the start
 
Old 01-29-2002, 10:20 AM   #3
buttnutt
Member
 
Registered: Dec 2001
Location: Dallas, TX
Distribution: Slackware
Posts: 46

Original Poster
Rep: Reputation: 15
Got it. Is there anything else?
 
Old 01-30-2002, 04:01 AM   #4
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
You've missed a few things out, check out the example I've write for more info.

# internet
INET_IP="198.81.129.100"
INET_IFACE="eth0"
# internal
LAN_IP="192.168.0.2"
LAN_IFACE="eth1"
LAN_SUB=”192.168.0/24”
# DNS's
DNS1=”198.6.1.202”
DNS2=”198.6.2.203”
iptables -F
iptables -X
iptables -F -t nat
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.tcp_max_syn_backlog=256
sysctl -w net.ipv4.tcp_syn_retries=5
sysctl -w net.ipv4.route.mtu_expires=512
sysctl -w net.ipv4.tcp_keepalive_time=7600
sysctl -w net.ipv4.icmp_echoreply_rate=10
sysctl -w net.ipv4.tcp_fin_timeout=360
sysctl -w net.ipv4.tcp_rfc1337=1
echo 8176 > /proc/sys/net/ipv4/ip_conntrack_max
echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 128 > /proc/sys/net/ipv4/ip_default_ttl
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 262144 > /proc/sys/net/core/rmem_default
echo 262144 > /proc/sys/net/core/rmem_max
echo 262144 > /proc/sys/net/core/wmem_default
echo 262144 > /proc/sys/net/core/wmem_max
/sbin/depmod -a
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_REJECT
/sbin/modprobe ipt_MASQUERADE
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_nat_irc
/sbin/modprobe ipt_owner
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
# MASQ for eth0 to outside
iptables -t nat -A POSTROUTING -o eth0 -j SNAT --to-source $INET_IP
echo ”NAT enabled for internal network on eth0"
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
iptables -A FORWARD -i eth0 -p igmp -j DROP
iptables -t mangle -A OUTPUT -p tcp --dport 80 -j TOS --set-tos 8
iptables -t mangle -A OUTPUT -p tcp --dport 443 -j TOS --set-tos 8
iptables -t mangle -A OUTPUT -p tcp --dport 8080 -j TOS --set-tos 8
iptables -t mangle -A OUTPUT -p tcp --dport 21 -j TOS --set-tos 8
echo ”Priority delay set for DNS"
iptables -t mangle -A OUTPUT -p tcp --dport 53 -j TOS --set-tos 16
# drop nasty flags:
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j LOG --log-level info --log-prefix “BAD FLAG !! L1"
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j LOG --log-level info --log-prefix “BAD FLAG !! L2"
iptables -A INPUT -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-level info --log-prefix “BAD FLAG !! L3"
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-
level info --log-prefix “BAD FLAG !! L4"
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j LOG --log-level info --log-prefix “BAD FLAG !! L5"
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
# SYN flood stuff
iptables -N syn-flood
iptables -A INPUT -i eth0 -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j LOG --log-level info --log-prefix “SYN Flood stopped “
iptables -A syn-flood -j DROP
# Drop Private
iptables -A INPUT -i eth0 -p tcp --sport 1:1024 --dport 1:1024 -j LOG --log-level info --log-prefix “PRIVATE PORT L1”
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 --dport 1:1024 -j LOG --log-level info --log-prefix “PRIVATE PORT L2”
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 --dport 6000 -j LOG --log-level info --log-prefix “PRIVATE X PORT “
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 --dport 1:1024 -j DROP
iptables -A INPUT -i eth0 -p tcp --sport 1:1024 --dport 1:1024 -j DROP
iptables -A INPUT -i eth0 -p tcp --sport 1:1024 --dport 6000 -j DROP
iptables -A INPUT -i eth0 -p tcp --sport 1024:65535 --dport 6000 -j DROP
# SYN dropped
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j LOG --log-level info --log-prefix “SYN DROPPED “
iptables -A INPUT -i eth0 -p tcp ! --syn -m state --state NEW -j DROP
# spoofing protection
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT
iptables -A FORWARD -i eth1 -j ACCEPT
iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j LOG --log-level info --log-prefix “FAKE CLASS C”
iptables -t nat -A PREROUTING -i eth0 -s 192.168.0.0/16 -j DROP
iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j LOG --log-level info --log-prefix “FAKE CLASS A “
iptables -t nat -A PREROUTING -i eth0 -s 10.0.0.0/8 -j DROP
iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j LOG --log-level info --log-prefix “FAKE CLASS B “
iptables -t nat -A PREROUTING -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j LOG --log-level info --log-prefix “FAKE CLASS C “
iptables -A INPUT -i eth0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j LOG --log-level info --log-prefix “FAKE CLASS A “
iptables -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j LOG --log-level info --log-prefix “FAKE CLASS B “
iptables -A INPUT -i eth0 -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i eth0 -s 255.255.255.255 -j LOG --log-level info --log-prefix “FAKE CLASS E “
iptables -A INPUT -i eth0 -s 255.255.255.255 -j DROP
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j LOG --log-level info --log-prefix “FAKE LOCAL 127 “
iptables -A INPUT -i eth0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i eth0 -s 169.254.0.0/16 -j DROP
iptables -A INPUT -i eth0 -s 224.0.0.0/4 -j DROP
iptables -A INPUT -i eth0 -s 240.0.0.0/5 -j DROP
iptables -A INPUT -i eth0 -s 248.0.0.0/5 -j DROP
iptables -A INPUT -i eth0 -f -j LOG --log-level info --log-prefix “PACKET FRAGMENTED “
iptables -A INPUT -i eth0 -f -j DROP
# full access to eth1 nic
iptables -A INPUT -p ALL -i eth1 -s $LAN_SUB -j ACCEPT
iptables -A OUTPUT -p ALL -s $LAN_SUB -j ACCEPT
# The weakest link
#iptables -A INPUT -i eth0 -p tcp --sport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
# Active FTP
iptables -A INPUT -i eth0 -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -s $DNS1 --sport 53 -d $INET_IP --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW,RELATED,ESTABLISHED -s $DNS2 --sport 53 -d $INET_IP --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d $INET_IP --dport 1023:65535 -j ACCEPT
iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d 10.50.28.4 --dport 1023:65535 -j ACCEPT
# ICMP
iptables -A OUTPUT -o eth0 -p icmp -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type address-mask-reply -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type required-option-missing -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type ip-header-bad -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type time-exceeded -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type source-route-failed -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type network-unknown -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-reply -j ACCEPT
# Deny ICMP types inbound
iptables -A INPUT -i eth0 -p icmp --icmp-type destination-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type network-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type protocol-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type port-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type fragmentation-needed -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-unknown -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type network-prohibited -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-prohibited -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-network-unreachable -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type communication-prohibited -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-precedence-violation -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type precedence-cutoff -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type source-quench -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type network-redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type host-redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-network-redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type TOS-host-redirect -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -m limit --limit 1/s --limit-burst 1 -j LOG --log-level info --log-prefix “PING REQUEST “
iptables -A INPUT -i eth0 -p icmp --icmp-type echo-request -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type router-advertisement -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type router-solicitation -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type ttl-zero-during-transit -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type ttl-zero-during-reassembly -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type timestamp-request -j DROP
iptables -A INPUT -i eth0 -p icmp --icmp-type timestamp-reply -j ACCEPT
iptables -A INPUT -i eth0 -p icmp --icmp-type address-mask-request -j DROP

Last edited by raz; 01-30-2002 at 04:04 AM.
 
Old 01-30-2002, 11:33 AM   #5
buttnutt
Member
 
Registered: Dec 2001
Location: Dallas, TX
Distribution: Slackware
Posts: 46

Original Poster
Rep: Reputation: 15
WOW! Great example. I have a couple of questions. At the beginning of the script I see a lot of lines that "echo" or use "sysctl" a parameter into a bunch of files. What is exactly is that doing? I've tried the LOG target, but nothing gets written to the /var/log/messages file. How do I configure syslog to write messages from iptables? I didn't include all the modules because I compiled them all into the kernel. Just by looking at my script, what obvious vulnerabilities can you see?

THANKS!
 
Old 01-31-2002, 08:49 AM   #6
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Yeah it took awhile to test it too.

the echo's and sysctl fine tune the systems stacks and improve the ability of the system to fight off DOS attacks.

What do you mean by LOG target ?

The main problem with your script is you drop everything in on the INPUT chain, not all ICMP messages should be dropped, that's why the last lines of my script have icmp accepts and drops.

/Raz
 
Old 01-31-2002, 03:25 PM   #7
buttnutt
Member
 
Registered: Dec 2001
Location: Dallas, TX
Distribution: Slackware
Posts: 46

Original Poster
Rep: Reputation: 15
How do I log packets using iptables?
 
Old 02-12-2002, 09:26 AM   #8
raz
Member
 
Registered: Apr 2001
Location: London
Posts: 408

Rep: Reputation: 31
Instead of -j accept or drop.
-j LOG --log-level info --log-prefix "** whatever text in log** "
 
Old 02-19-2002, 06:20 AM   #9
Chijtska
Member
 
Registered: Jan 2002
Location: High Falls, GA
Distribution: Mandrake8.2, FreeBSD, Solaris
Posts: 362

Rep: Reputation: 30
this is something i have been trying like heck to figure out... my only question at this point, though, is what file are you guys editing here?
 
Old 02-19-2002, 06:49 AM   #10
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985
whatever file you want, it's just a script file.
 
Old 02-19-2002, 07:20 AM   #11
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985Reputation: 1985
raz, i've not got a log set up for my firewall, and so i get all the logs for rejected packets dumped on console. Can i change syslog.conf to send them to a log instead? i don't want to edit my firewall script as i'm thick so use firestarter to build it automatically.
 
Old 02-19-2002, 09:15 AM   #12
Chijtska
Member
 
Registered: Jan 2002
Location: High Falls, GA
Distribution: Mandrake8.2, FreeBSD, Solaris
Posts: 362

Rep: Reputation: 30
right, acid... but where would you put a file like this and what would you name it so that you would have a firewall going?
 
Old 03-01-2002, 06:54 PM   #13
bbenz3
Member
 
Registered: Feb 2002
Location: Orlando
Distribution: Whatever I feel like at the time I install.
Posts: 284

Rep: Reputation: 30
Hey raz I adapted your script to fit my needs but I was wondering what the IP is in the following line

iptables -A INPUT -p udp -m state --state RELATED,ESTABLISHED -s 0/0 --sport 53 -d 10.50.28.4 --dport 1023:65535 -j ACCEPT
^^^^^
Is that IP sepcific to your network or is that one that I should keep?

Last edited by bbenz3; 03-01-2002 at 06:56 PM.
 
Old 03-01-2002, 06:55 PM   #14
bbenz3
Member
 
Registered: Feb 2002
Location: Orlando
Distribution: Whatever I feel like at the time I install.
Posts: 284

Rep: Reputation: 30
sorry about the double post

Last edited by bbenz3; 03-01-2002 at 06:56 PM.
 
Old 03-03-2002, 02:10 PM   #15
jimval7
Member
 
Registered: Jan 2002
Location: Dallas, TX
Distribution: RedHat 7.0 - Kernel 2.4.17
Posts: 95

Rep: Reputation: 16
Chijtska

Most of these scripts are /etc/rc.d/rc.firewall but some have them named something else.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Iptables (with masq) troubleshooting, very simple script attached script and logs. xinu Linux - Networking 13 11-01-2007 04:19 AM
iptables script tomsasse Linux - Networking 3 09-17-2005 05:25 PM
my first iptables script sh1ft Linux - Security 1 02-24-2005 04:17 PM
IPTABLES script help closer Linux - Networking 18 11-04-2002 09:48 AM
My iptables script is /etc/sysconfig/iptables. How do i make this baby execute on boo ForumKid Linux - General 3 01-22-2002 07:36 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 11:40 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration