LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 08-10-2004, 11:28 AM   #1
ithawtewrong
Member
 
Registered: Jul 2004
Location: Mile High
Posts: 161

Rep: Reputation: 30
iptables verification


I was hoping to get some input on this script here. I posted earlier about whether or not IpTables was need for a home user and came to the understanding that yes it is better to be safe than sorry. So here it goes!

I have taken this from the IpTables tutorial on frozentux:

http://iptables-tutorial.frozentux.n...-tutorial.html

I have added some of my own comments/questions in it hoping to get some further explanation. The tutorial is excellent, however a little long and slightly confusing for someone new.

I want to allow my system to access the internet pretty much for web browsing only. I may do FTP later, but not now, but I'm thinking that as long as I'm bringing in the data the request should be okay and that I'll only need to reconfigure to allow someone to connect to my machine if I'm hosting. (Is that correct?)

I would like to enable the ability to allow Yahoo IM and Chat if possible, but don't know what ports, etc to configure so if anyone knows I'd appreciate that feedback as well.

I have listed in RED my question/comments/understandings so please point out where I have an incorrect understanding or misconfigured statement.

I'm also curious though that since I'm not online during bootup will this script still protect me if I run it at boot up or do I need to execute the script once I logon via my ISP?

I know this is a lot of stuff to digest so thanks in advance for the time and effort.

Thanks to Oskar for the initial format though this is great!

#!/bin/sh
#
# rc.firewall - DHCP IP Firewall script for Linux 2.4.x and iptables
#
# Copyright (C) 2001 Oskar Andreasson <bluefluxATkoffeinDOTnet>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; version 2 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program or from the site that you downloaded it
# from; if not, write to the Free Software Foundation, Inc., 59 Temple
# Place, Suite 330, Boston, MA 02111-1307 USA
#

###########################################################################
#
# 1. Configuration options.
#

#
# 1.1 Internet Configuration.
####My interface is ppp0 for now and below you will see it's DHCP
INET_IFACE="ppp0"

#
# 1.1.1 DHCP
#

#
# Information pertaining to DHCP over the Internet, if needed.
#
# Set DHCP variable to no if you don't get IP from DHCP. If you get DHCP
# over the Internet set this variable to yes, and set up the proper IP
# address for the DHCP server in the DHCP_SERVER variable.
I place my ISP's DHCP server in the DHCP_SERVER space below?

DHCP="YES"
DHCP_SERVER="xxx.xxx.xxx.xxx"

#
# 1.1.2 PPPoE
#

# Configuration options pertaining to PPPoE.
#
# If you have problem with your PPPoE connection, such as large mails not
# getting through while small mail get through properly etc, you may set
# this option to "yes" which may fix the problem. This option will set a
# rule in the PREROUTING chain of the mangle table which will clamp
# (resize) all routed packets to PMTU (Path Maximum Transmit Unit).
#
# Note that it is better to set this up in the PPPoE package itself, since
# the PPPoE configuration option will give less overhead.
#

PPPOE_PMTU="no"

#
# 1.2 Local Area Network configuration.
#
# your LAN's IP range and localhost IP. /24 means to only use the first 24
# bits of the 32 bit IP address. the same as netmask 255.255.255.0
#

#LAN_IP="192.168.0.2"
#LAN_IP_RANGE="192.168.0.0/16"
#LAN_IFACE="eth1"

#
# 1.3 DMZ Configuration.
#

#
# 1.4 Localhost Configuration.
#

LO_IFACE="lo"
LO_IP="127.0.0.1"

#
# 1.5 IPTables Configuration.
#

IPTABLES="/usr/sbin/iptables"

#
# 1.6 Other Configuration.
#

###########################################################################
#
# 2. Module loading.
#

#
# Needed to initially load modules
#

/sbin/depmod -a

#
# 2.1 Required modules
#

/sbin/modprobe ip_conntrack
/sbin/modprobe ip_tables
/sbin/modprobe iptable_filter
/sbin/modprobe iptable_mangle
/sbin/modprobe iptable_nat
/sbin/modprobe ipt_LOG
/sbin/modprobe ipt_limit
/sbin/modprobe ipt_MASQUERADE

#
# 2.2 Non-Required modules
#

#/sbin/modprobe ipt_owner
#/sbin/modprobe ipt_REJECT
#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

###########################################################################
#
# 3. /proc set up.
#

#
# 3.1 Required proc configuration
#

echo "1" > /proc/sys/net/ipv4/ip_forward

#
# 3.2 Non-Required proc configuration
#

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
#echo "1" > /proc/sys/net/ipv4/conf/all/proxy_arp
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

###########################################################################
#
# 4. rules set up.
#

######
# 4.1 Filter table
#

#
# 4.1.1 Set policies
#

$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP

#
# 4.1.2 Create userspecified chains
#

#
# Create chain for bad tcp packets
#

$IPTABLES -N bad_tcp_packets

#
# Create separate chains for ICMP, TCP and UDP to traverse
####Creates variables that are defined below

$IPTABLES -N allowed
$IPTABLES -N tcp_packets
$IPTABLES -N udp_packets
$IPTABLES -N icmp_packets

#
# 4.1.3 Create content in userspecified chains
#

#
# bad_tcp_packets chain
####Defining what a bad_tcp_packet is. if the flag is syn,ack syn or ack and the packet is NEW it will be Rejected
####with the tcp-reset parameter
####if the flag is not syn and the packet is NEW it will be logged and with ####a New not syn log entry then it will drop the packet


$IPTABLES -A bad_tcp_packets -p tcp --tcp-flags SYN,ACK SYN,ACK \
-m state --state NEW -j REJECT --reject-with tcp-reset
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j LOG \
--log-prefix "New not syn:"
$IPTABLES -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP

#
# allowed chain
####Allows data that is TCP protocol with syn flag, or is part of communication already established, otherwise it
####is dropped.


$IPTABLES -A allowed -p TCP --syn -j ACCEPT
$IPTABLES -A allowed -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A allowed -p TCP -j DROP

#
# TCP rules
#
####Does 0/0 match all packets or none or do I need to put my address range in here from ISP?
####If the -s is my PC then I will only be allowed OUT and noone is allowed in?, unless i initiate it?

$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 21 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 22 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 80 -j allowed
$IPTABLES -A tcp_packets -p TCP -s 0/0 --dport 113 -j allowed

#
# UDP ports
####0/0 again? Allows a DHCP communication to be established using udp?

$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
if [ $DHCP == "yes" ] ; then
$IPTABLES -A udp_packets -p UDP -s $DHCP_SERVER --sport 67 \
--dport 68 -j ACCEPT
fi

####why are the first two commented out? and what are udp ports of 2074 & 4000? ICQ=port 4000 which I don't really use, but may in the future
#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 53 -j ACCEPT
#$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 123 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 2074 -j ACCEPT
$IPTABLES -A udp_packets -p UDP -s 0/0 --source-port 4000 -j ACCEPT

#
# In Microsoft Networks you will be swamped by broadcasts. These lines
# will prevent them from showing up in the logs.
#
####My brother may hook up in the future a windows laptop to a hub I have. I enable this now and I won't have to worry about it in the future
$IPTABLES -A udp_packets -p UDP -i $INET_IFACE \
--destination-port 135:139 -j DROP

#
# If we get DHCP requests from the Outside of our network, our logs will
# be swamped as well. This rule will block them from getting logged.
#

$IPTABLES -A udp_packets -p UDP -i $INET_IFACE -d 255.255.255.255 \
--destination-port 67:68 -j DROP

#
# ICMP rules
####Allows ICMP (ping request) to be acknowledged and forwarded? But again the 0/0 what goes here?

$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT
$IPTABLES -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT

#
# 4.1.4 INPUT chain
#

#
# Bad TCP packets we don't want.
#

$IPTABLES -A INPUT -p tcp -j bad_tcp_packets

#
# Rules for special networks not part of the Internet
####Accepts all request from local machine and loopback?

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

#
# Special rule for DHCP requests from LAN, which are not caught properly
# otherwise.
####Not sure why they wouldn't be caught properly with the UDP rule above shouldn't they?

$IPTABLES -A INPUT -p UDP -i $LAN_IFACE --dport 67 --sport 68 -j ACCEPT

#
# Rules for incoming packets from the internet.
####Allows all established, related communication to be accepted, refers all other communications to
####rules defined in variables up top.


$IPTABLES -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
-j ACCEPT
$IPTABLES -A INPUT -p TCP -i $INET_IFACE -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $INET_IFACE -j udp_packets
$IPTABLES -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets

#
# If you have a Microsoft Network on the outside of your firewall, you may
# also get flooded by Multicasts. We drop them so we do not get flooded by
# logs
#Drops all Microsoft communications from the 224. address range

$IPTABLES -A INPUT -i $INET_IFACE -d 224.0.0.0/8 -j DROP

#
# Log weird packets that don't match the above.
####Prevents a flood of bad packets from being logged or given communication within a 3 minute time limit. DOS attacks?

$IPTABLES -A INPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT INPUT packet died: "

#
# 4.1.5 FORWARD chain
#

#
# Bad TCP packets we don't want
####Does this Forward bad packets?

$IPTABLES -A FORWARD -p tcp -j bad_tcp_packets

#
# Accept the packets we actually want to forward
####Forwards all traffic coming in from LAN interface
####Forwards all traffic coming in that is Established or Related


$IPTABLES -A FORWARD -i $LAN_IFACE -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

#
# Log weird packets that don't match the above.
####Logs all bad traffic requesting a Forward with a 3/minute limit
####This prevents log file jam up due to an attack on my machine or routing through my machine?


$IPTABLES -A FORWARD -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT FORWARD packet died: "

#
# 4.1.6 OUTPUT chain
#

#
# Bad TCP packets we don't want.
####Refers all packets going out through the variable up top.

$IPTABLES -A OUTPUT -p tcp -j bad_tcp_packets

#
# Special OUTPUT rules to decide which IP's to allow.
####Allows all traffic originating from loopback & lan interface to go through the internet interface.

$IPTABLES -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT

#
# Log weird packets that don't match the above.
####Will log all floods of traffic originating from your machine? and limits them to 3/a minute?

$IPTABLES -A OUTPUT -m limit --limit 3/minute --limit-burst 3 -j LOG \
--log-level DEBUG --log-prefix "IPT OUTPUT packet died: "

######
# 4.2 nat table
#

#
# 4.2.1 Set policies
#

#
# 4.2.2 Create user specified chains
#

#
# 4.2.3 Create content in user specified chains
#

#
# 4.2.4 PREROUTING chain
#

#
# 4.2.5 POSTROUTING chain
#
####This allows all NAT postrouting over TCP? and will masquerade the internet interface? although I'm still not sure what NAT and masquerading do.

if [ $PPPOE_PMTU == "yes" ] ; then
$IPTABLES -t nat -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN \
-j TCPMSS --clamp-mss-to-pmtu
fi
$IPTABLES -t nat -A POSTROUTING -o $INET_IFACE -j MASQUERADE

#
# 4.2.6 OUTPUT chain
#

######
# 4.3 mangle table
#

#
# 4.3.1 Set policies
#

#
# 4.3.2 Create user specified chains
#

#
# 4.3.3 Create content in user specified chains
#

#
# 4.3.4 PREROUTING chain
#

#
# 4.3.5 INPUT chain
#

#
# 4.3.6 FORWARD chain
#

#
# 4.3.7 OUTPUT chain
#

#
# 4.3.8 POSTROUTING chain
#
 
Old 08-10-2004, 03:32 PM   #2
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
I want to allow my system to access the internet pretty much for web browsing only. I may do FTP later, but not now, but I'm thinking that as long as I'm bringing in the data the request should be okay and that I'll only need to reconfigure to allow someone to connect to my machine if I'm hosting. (Is that correct?)
The request isn't ok.. gives away info that should be kept quiet.
Don't open any inward connection without a good reason.
Just allow replies to your requests...

I'm also curious though that since I'm not online during bootup will this script still protect me if I run it at boot up or do I need to execute the script once I logon via my ISP?
Run the script as early as possible.. it doesn't require your ppp0 ip number to work.

I place my ISP's DHCP server in the DHCP_SERVER space below?
Correct.. it may require a bit if digging to find it tho'.. or a phone call..

#LAN_IP="192.168.0.2"
#LAN_IP_RANGE="192.168.0.0/16"
#LAN_IFACE="eth1"

Leaving these commented, to me means you are just 1 workstation, nothing else...

#/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_conntrack_irc
#/sbin/modprobe ip_nat_ftp
#/sbin/modprobe ip_nat_irc

Uncomment these.. they don't auto-load when the rule is added, the rest do..

#echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
...
#echo "1" > /proc/sys/net/ipv4/ip_dynaddr

Uncomment these 2 rules too.. rp_filter is necessary to prevent spoofing attempts,
ip_dynaddr is needed if your ip number changes while you are connected..

####Defining what a bad_tcp_packet is. if the flag is syn,ack syn or ack and the packet is NEW it will be Rejected
Rather, it looks at both SYN & ACK flags and if both are set, then reject..

####Does 0/0 match all packets or none or do I need to put my address range in here from ISP?
####If the -s is my PC then I will only be allowed OUT and noone is allowed in?, unless i initiate it?

0/0 matches everybody.. but these rules are for NEW incoming connections to your servers..
which you don't have any running.. so comment them all out..
The previous RELATED,ESTABLISHED rule handles replies to your requests..

####0/0 again? Allows a DHCP communication to be established using udp?
Correct..

####why are the first two commented out? and what are udp ports of 2074 & 4000? ICQ=port 4000 which I don't really use, but may in the future
First one is a duplicate of the one 2 rules higher, (but in a different position)
123 is ntp time, 2074 looks like speak-freely irc..
Remember, these are only for NEW inward connections to your servers (etc..)...
The conntrack_irc module looks after the additional ports etc for you when you start the connection.

####My brother may hook up in the future a windows laptop to a hub I have. I enable this now and I won't have to worry about it in the future
Do it in the future.. Until you install samba suite and a 2nd network card and the hub and allow FORWARDing etc, you won't be able to share anything on your pc..
Comment it out..

####Allows ICMP (ping request) to be acknowledged and forwarded? But again the 0/0 what goes here?
-s 0/0 means from any source address.. it's ok

####Accepts all request from local machine and loopback?

$IPTABLES -A INPUT -p ALL -i $LAN_IFACE -s $LAN_IP_RANGE -j ACCEPT
$IPTABLES -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

What local machine? This means you have a 2nd network card called LAN_IFACE..
And if you do, you must act a gateway for this network to connect to the Internet
and that's a different configuration from a single workstation..

####Not sure why they wouldn't be caught properly with the UDP rule above shouldn't they?
Two different rule sets.. one can be used for both INPUT & FORWARD and this for just INPUT (workstation)
dhcp packets don't get treated very well by the state machine, so the rule comes before the state test..

####Prevents a flood of bad packets from being logged or given communication within a 3 minute time limit. DOS attacks?
It drops any more than 3 LOG packets per minute to keep the log file clear..
Just LOG packets, not real packets..

####Does this Forward bad packets?
No, it send them to the bad_packets chain for destruction.. before they can escape anywhere..

Nothing in the FORWARD chain needs to be active, (coz you don't have a 2nd NIC, right?)
Comment out everything..

####Allows all traffic originating from loopback & lan interface to go through the internet interface.
Yup, coz there is a DROP policy, everything must be allowed individually..

####Will log all floods of traffic originating from your machine? and limits them to 3/a minute?
The DROP policy is the next rule, so this tells you what is about to get dropped.
Necessary to discover why something doesn't work..

####This allows all NAT postrouting over TCP? and will masquerade the internet interface? although I'm still not sure what NAT and masquerading do.
It allows NAT over IP.. These are the packets with numbers. TCP & UDP only have ports..
NAT uses fixed numbers and MASQUERADE uses fixed or dynamic numbers

I would recommend reading the rules and then reread the tutorial to explain why the order of the rules is important.. (Hint.. more specific rules first, general later)
There is a flow pattern you need to see first, then you can easily master this stuff..

If you intend to add a 2nd network card, I strongly recommend getting these rules working ok before adding FORWARD rules and samba etc. It will make the whole lot fall into place much more easily..

To see the effect of loading the rules, do iptables-save to print them on the screen..

Last edited by peter_robb; 08-10-2004 at 03:41 PM.
 
Old 08-10-2004, 03:57 PM   #3
ithawtewrong
Member
 
Registered: Jul 2004
Location: Mile High
Posts: 161

Original Poster
Rep: Reputation: 30
Clearly I didn't grasp what was going on. I'll reread the tutorial.

Thanks for the followup and explanation.
 
Old 08-11-2004, 07:05 AM   #4
peter_robb
Senior Member
 
Registered: Feb 2002
Location: Szczecin, Poland
Distribution: Gentoo, Debian
Posts: 2,458

Rep: Reputation: 48
Not to worry..

Once you get the picture of when and where packets travel, it'll seem quite easy..

Hang in there!
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
Patch Verification jfvanmeter Linux - Security 1 10-24-2005 12:47 PM
What is MD5 Verification anindyanuri Linux - Networking 7 03-31-2005 09:06 AM
TCPA verification... darklogik_org Linux - Hardware 0 10-03-2004 10:01 AM
re: how to md5 for verification ergo_sum Linux - Software 2 11-02-2003 09:18 AM
kernel verification.... roofy Linux - Software 4 05-05-2003 02:21 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 10:42 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration