iptables script for you Gurus out there...
I haven't used iptables in quite some time now and just made an iptables script. This script was designed for a home network. Is there anything else I can do to beef up this script? I've spent a lot of time reading about iptables (seems to be an endless journey). Any thoughts would be appreciated.
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
# iptables v1.2.10                                          #
# Firewall script to keep those unwanted attackers out of   #
# my box... hopefully!                                      #
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=

# Make default policies...
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Allow loopback...
iptables -A INPUT -i lo -j ACCEPT

# Allow UDP port 53...
iptables -A INPUT -i eth0 -p udp --sport 53 -s 192.168.0.1/255.255.255.0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Add some TCP INPUT rules...
iptables -A INPUT -i eth0 -s 192.168.0.101/255.255.255.0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 -d 0/0 --dport 22 -j ACCEPT

# Drop those nasty packets...
iptables -A INPUT -i eth0 -p ALL -m state --state INVALID -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
I am no iptables expert, but I have been reading a lot lately on the subject in preparation for numerous projects.
I would ask the following: do you have any hosts behind this box that need to go outbound? I see you are accepting SSH connections. I would say, if you can, put the source IP from the SSH originating connection, if possible. That would give you more protection.
Personally, I would drop the bad stuff before I started accepting anything. I know that means more rules to traverse, but the way you've got it written, the nasty packet rules aren't doing anything since there are no ACCEPT rules after them.
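To make the ordering point concrete, here is an added Python model of iptables first-match evaluation (not code from this thread). It keeps only the match types the posted rules use (protocol, source net, destination port, --tcp-flags), leaves conntrack state out, and runs constructed packets through both orders of the posted rules.

```python
# Added example (not from the thread): a minimal first-match model of an
# iptables INPUT chain, covering only the match types the posted rules use
# (protocol, source net, dport, --tcp-flags MASK COMP); conntrack is omitted.
import ipaddress
from dataclasses import dataclass
from typing import Optional

ALL = frozenset({"SYN", "ACK", "FIN", "RST", "URG", "PSH"})
FS = frozenset

@dataclass
class Packet:
    proto: str
    src: str
    dport: int = 0
    flags: frozenset = FS()          # TCP flags set on the packet

@dataclass
class Rule:
    target: str                      # ACCEPT or DROP
    proto: Optional[str] = None
    src_net: Optional[str] = None    # iptables reads 192.168.0.101/255.255.255.0 as the /24
    dport: Optional[int] = None
    flags_mask: frozenset = FS()     # --tcp-flags MASK COMP: of the flags in MASK,
    flags_comp: frozenset = FS()     # exactly those in COMP must be set

    def matches(self, p: Packet) -> bool:
        if self.proto and p.proto != self.proto:
            return False
        if self.src_net and ipaddress.ip_address(p.src) not in \
                ipaddress.ip_network(self.src_net, strict=False):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return not self.flags_mask or (p.flags & self.flags_mask) == self.flags_comp

def verdict(chain, policy, pkt):
    """iptables semantics: the first matching rule decides, else the chain policy."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy

BAD = [Rule("DROP", "tcp", flags_mask=ALL, flags_comp=ALL),             # ALL ALL
       Rule("DROP", "tcp", flags_mask=ALL, flags_comp=FS()),            # ALL NONE
       Rule("DROP", "tcp", flags_mask=FS({"SYN", "FIN"}), flags_comp=FS({"SYN", "FIN"}))]
GOOD = [Rule("ACCEPT", src_net="192.168.0.101/255.255.255.0"),          # whole LAN
        Rule("ACCEPT", "tcp", dport=22)]                                 # SSH from anywhere
FIRST_POST = GOOD + BAD   # accept first, drop last: the DROP rules never see a packet
REORDERED = BAD + GOOD    # drop the bad stuff first, as the reply suggests

def compare(pkt):
    return verdict(FIRST_POST, "DROP", pkt), verdict(REORDERED, "DROP", pkt)
```

A SYN+FIN packet to port 22, or a flagless packet from a LAN address, is accepted under the first order and only dropped once the DROP rules come first; ordinary SYNs to port 22 pass either way.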
Thanks for the input! This is what I have now...
#!/bin/bash
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
# iptables v1.2.10                                        #
# Firewall script to keep those unwanted attackers out of #
# my box... hopefully!                                    #
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=

# Flush any existing rules...
iptables -F

# Make default policies...
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Drop those nasty packets...
iptables -A INPUT -i eth0 -p ALL -m state --state INVALID -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Allow loopback...
iptables -A INPUT -i lo -j ACCEPT

# Allow UDP port 68...
iptables -A INPUT -i eth0 -p udp --sport 68 -s 192.168.0.1/255.255.255.0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Add some TCP INPUT rules...
iptables -A INPUT -i eth0 -s 192.168.0.101/255.255.255.0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 -d 0/0 --dport 22 -j ACCEPT

# Log DROPed packets (still commented out; the target needs -j)...
#iptables -A INPUT -j LOG
#iptables -A INPUT -j DROP