Old 12-09-2004, 05:41 PM   #1
Linux~Powered
Member
 
Registered: Jan 2004
Location: /lost+found
Distribution: Slackware 14.2
Posts: 849

Rep: Reputation: 33
iptables script for you Gurus out there...


I haven't used iptables in quite some time now and just made an iptables script. This script was designed for a home network. Is there anything else I can do to beef up this script? I've spent a lot of time reading about iptables (seems to be an endless journey). Any thoughts would be appreciated.

#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
# iptables v1.2.10 #
# Firewall script to keep those unwanted attackers out of #
# my box... hopefully! #
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=

# Make default policies...

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Allow loopback...

iptables -A INPUT -i lo -j ACCEPT

# Allow UDP port 53...

iptables -A INPUT -i eth0 -p udp --sport 53 -s 192.168.0.1/255.255.255.0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Add some TCP INPUT rules...

iptables -A INPUT -i eth0 -s 192.168.0.101/255.255.255.0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 -d 0/0 --dport 22 -j ACCEPT

# Drop those nasty packets...

iptables -A INPUT -i eth0 -p ALL -m state --state INVALID -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
 
Old 12-09-2004, 06:37 PM   #2
tarballed
Member
 
Registered: Jun 2002
Distribution: RH, FC, FreeBSD,OpenBSD
Posts: 326

Rep: Reputation: 30
I am no IPTables expert, but I have been reading a lot lately on the subject in preparation for numerous projects.

I would ask the following:

Do you have any hosts behind this box that need to go outbound?

I see you are accepting SSH connections. I would say, if you can, put the Source IP from the ssh originating connection, if possible. That would give you more protection.
 
Old 12-09-2004, 09:11 PM   #3
Hangdog42
LQ Veteran
 
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
Blog Entries: 1

Rep: Reputation: 422
Personally, I would drop the bad stuff before I started accepting anything. I know that means more rules to traverse, but the way you've got it written, the nasty packet rules aren't doing anything since there are no ACCEPT rules after them.
 
Old 12-22-2004, 03:50 AM   #4
Linux~Powered
Member
 
Registered: Jan 2004
Location: /lost+found
Distribution: Slackware 14.2
Posts: 849

Original Poster
Rep: Reputation: 33
Thanks for the input! This is what I have now...
#!/bin/bash

#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
# iptables v1.2.10 #
# Firewall script to keep those unwanted attackers out of #
# my box... hopefully! #
#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=#=
# Flush any existing rules...

iptables -F

# Make default policies...

iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP

# Drop those nasty packets...

iptables -A INPUT -i eth0 -p ALL -m state --state INVALID -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL ALL -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT -i eth0 -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

# Allow loopback...

iptables -A INPUT -i lo -j ACCEPT

# Allow UDP port 68...

iptables -A INPUT -i eth0 -p udp --sport 68 -s 192.168.0.1/255.255.255.0 -m state --state ESTABLISHED,RELATED -j ACCEPT

# Add some TCP INPUT rules...

iptables -A INPUT -i eth0 -s 192.168.0.101/255.255.255.0 -d 0/0 -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -s 0/0 -d 0/0 --dport 22 -j ACCEPT

# Log DROPped packets (still disabled; anything not accepted above
# falls through to the INPUT DROP policy)...

#iptables -A INPUT -j LOG
#iptables -A INPUT -j DROP
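To make the ordering point from post #3 concrete, here is an added example (not code from the thread or from either poster): a small first-match simulator for the INPUT chain, loaded with the drop and accept rules reduced from the scripts in post #1 and post #4, and fed a few constructed packets. The rule set, the sample addresses (192.168.0.50, 203.0.113.9) and the packet states are assumptions for illustration.

```python
# Added example: first-match walk of a reduced iptables INPUT chain.
import ipaddress

ALL = frozenset({"FIN", "SYN", "RST", "PSH", "ACK", "URG"})

def rule(target, proto=None, src=None, dport=None, flags=None, state=None):
    """One INPUT rule on eth0, reduced to the matches the thread's scripts use.
    flags is (mask, comp), mirroring --tcp-flags MASK COMP."""
    return dict(target=target, proto=proto, src=src, dport=dport, flags=flags, state=state)

def matches(r, pkt):
    if r["proto"] and r["proto"] != pkt["proto"]:
        return False
    # iptables masks the host bits, so 192.168.0.101/255.255.255.0 is the whole /24.
    if r["src"] and ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(r["src"], strict=False):
        return False
    if r["dport"] and r["dport"] != pkt.get("dport"):
        return False
    if r["flags"]:
        mask, comp = r["flags"]
        if pkt.get("flags", frozenset()) & mask != comp:
            return False
    if r["state"] and pkt["state"] not in r["state"]:
        return False
    return True

def walk(chain, pkt, policy="DROP"):
    """The first matching rule gives the verdict; otherwise the chain policy applies."""
    for r in chain:
        if matches(r, pkt):
            return r["target"]
    return policy

# Rules reduced from the scripts in the thread (same order as posted).
NASTY = [rule("DROP", state=("INVALID",)),
         rule("DROP", proto="tcp", flags=(ALL, frozenset({"FIN", "URG", "PSH"}))),
         rule("DROP", proto="tcp", flags=(ALL, frozenset())),
         rule("DROP", proto="tcp", flags=(frozenset({"SYN", "FIN"}), frozenset({"SYN", "FIN"})))]
ALLOW = [rule("ACCEPT", src="192.168.0.101/255.255.255.0"),
         rule("ACCEPT", proto="tcp", state=("ESTABLISHED", "RELATED")),
         rule("ACCEPT", proto="tcp", dport=22)]
FIRST_SCRIPT = ALLOW + NASTY    # post #1: accepts first, so NASTY never fires for LAN sources
REVISED_SCRIPT = NASTY + ALLOW  # post #4: drops first, as suggested in post #3

# Constructed sample packets, not captured traffic.
SYN_FIN_FROM_LAN = dict(proto="tcp", src="192.168.0.50", dport=80, flags=frozenset({"SYN", "FIN"}), state="NEW")
NULL_SCAN_FROM_LAN = dict(proto="tcp", src="192.168.0.50", dport=22, flags=frozenset(), state="INVALID")
SSH_FROM_OUTSIDE = dict(proto="tcp", src="203.0.113.9", dport=22, flags=frozenset({"SYN"}), state="NEW")

if __name__ == "__main__":
    for name, chain in (("first", FIRST_SCRIPT), ("revised", REVISED_SCRIPT)):
        print(name, [walk(chain, p) for p in (SYN_FIN_FROM_LAN, NULL_SCAN_FROM_LAN, SSH_FROM_OUTSIDE)])
```

With the first ordering both malformed LAN packets are accepted by the blanket `-s 192.168.0.101/255.255.255.0` rule before any drop rule is reached; with the revised ordering they are dropped while the SSH connection from outside is still accepted, which is also the rule post #2 suggests narrowing by source address.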