LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 06-21-2010, 09:11 PM   #1
packets
Member
 
Registered: Oct 2005
Posts: 335

Rep: Reputation: 32
is my iptables script enough already


I just want to consult an iptables guru on whether my script is enough and secure for production. The iptables rules will be used on a web server with 2 private machines (10.0.1.2 & 10.0.1.3), which will make the web server also a gateway for those two machines to access the Internet.

If anyone wants to add something, please let me know and explain what it is for.

If you find no vulnerabilities, can anyone advise also?

Please don't mind Apache, as it is no longer my responsibility to secure it. I'm just wondering, if someone tries to hack it, would this suffice?

Thanks.

Code:
#!/bin/bash

echo "Load Modules"
modprobe ip_tables
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe iptable_filter

EXT_IF="eth0"                        # network interface to the external
LOOPBACK_INTERFACE="lo"              # however your system names it
EXT_IPADDR="X.X.X.X"                 # static allocated IP address
PRIVPORTS="0:1023"                   # well-known, privileged port range
UNPRIVPORTS="1024:65535"             # unprivileged port range

###############################################################
echo "Enables packet forwarding by kernel"
echo 1 > /proc/sys/net/ipv4/ip_forward

echo "Enable broadcast echo Protection"
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts

echo "Disable Source Routed Packets"
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
    echo 0 > $f
done

echo "Enable TCP SYN Cookie Protection"
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

echo "Disable ICMP Redirect Acceptance"
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
    echo 0 > $f
done

echo "Don't send Redirect Messages"
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
    echo 0 > $f
done

echo "Drop Spoofed Packets"
# coming in on an interface, which if replied to,
# would result in the reply going out a different interface.
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
    echo 1 > $f
done

echo "Do not log packets with impossible addresses"
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
    echo 0 > $f
done

echo "Disable rp_filter"
echo "0" > /proc/sys/net/ipv4/conf/eth1/rp_filter

###############################################################

echo "Remove any existing rules from all chains"
iptables --flush
iptables -t nat --flush
iptables -t mangle --flush

echo "Unlimited traffic on the loopback interface"
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

echo "Set the default policy to drop"
# Drop all INPUT
iptables --policy INPUT   DROP
# Accept any OUTPUT Connection
iptables --policy OUTPUT  ACCEPT
# Drop all FORWARD
iptables --policy FORWARD DROP

echo "Remove any pre-existing user-defined chains"
iptables --delete-chain
iptables -t nat --delete-chain
iptables -t mangle --delete-chain
###############################################################

# Using Connection State to By-pass Rule Checking
iptables -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -m state --state INVALID -j DROP
iptables -A OUTPUT -m state --state INVALID -j DROP
iptables -A FORWARD -m state --state INVALID -j DROP

###############################################################

# Stealth Scans and TCP State Flags
# All of the bits are cleared
iptables -A INPUT   -p tcp --tcp-flags ALL NONE -j DROP
iptables -A INPUT   -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
iptables -A INPUT   -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
iptables -A INPUT   -p tcp --tcp-flags FIN,RST FIN,RST -j DROP
iptables -A INPUT   -p tcp --tcp-flags ACK,FIN FIN -j DROP
iptables -A INPUT   -p tcp --tcp-flags ACK,PSH PSH -j DROP
iptables -A INPUT   -p tcp --tcp-flags ACK,URG URG -j DROP

###############################################################

echo "Allowing to act as a gateway"

iptables --table nat --append POSTROUTING --out-interface eth0 -s 10.0.1.0/24 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -s 10.0.1.0/24 -j ACCEPT

##############################################################

# ICMP Control and Status Messages

for ext_ipaddr in $EXT_IPADDR;do
iptables -A INPUT  -p icmp --icmp-type echo-request -s 10.0.1.0/24 -d $ext_ipaddr -m state --state NEW -j ACCEPT
done

# Drop initial ICMP fragments
iptables -A INPUT -p icmp --fragment -j DROP
iptables -A INPUT -p icmp --icmp-type source-quench  -j ACCEPT
iptables -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
iptables -A INPUT -p icmp --icmp-type destination-unreachable -j ACCEPT
iptables -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT

# Intermediate traceroute responses
iptables -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT

###############################################################
#    Accept the following input requests and ports            #
###############################################################

for ext_ipaddr in $EXT_IPADDR;do
echo "Allowing Apache"
iptables -A INPUT -p tcp --sport $UNPRIVPORTS -d $ext_ipaddr --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT

echo "Allowing Secure Apache"
iptables -A INPUT -p tcp --sport $UNPRIVPORTS -d $ext_ipaddr --dport 443 -m state --state NEW,ESTABLISHED -j ACCEPT

done

echo "Allowing all private servers to connect"
# The two LAN hosts named in the post are 10.0.1.2 and 10.0.1.3; the original
# rules said 10.0.10.x, which lies outside the 10.0.1.0/24 range used above
iptables -A INPUT -p ALL -i eth1 -s 10.0.1.2 -j ACCEPT
iptables -A INPUT -p ALL -i eth1 -s 10.0.1.3 -j ACCEPT
# Loopback is already accepted on lo above; binding this rule to lo keeps a
# packet arriving on eth0 or eth1 with a forged 127.0.0.1 source from matching
iptables -A INPUT -p ALL -i lo -s 127.0.0.1 -j ACCEPT

Last edited by packets; 06-22-2010 at 07:15 PM. Reason: //Split shell scripts
Old 06-22-2010, 04:30 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3599
Quote:
Originally Posted by packets View Post
will make the web server also a gateway for those two machines
Ideally a web server is only a web server and not a gateway.


Quote:
Originally Posted by packets View Post
I'm just wondering, if someone tries to hack it, would this suffice?
Let's see:
- there's no bogon filtering,
- there's no limiting (--recent or --limit),
- you use "-j DROP" but as there is no "-j LOG" you will not be able to tell the rate of problems arising,
- using "--policy OUTPUT ACCEPT" is good but the OUTPUT chain is unfiltered, meaning all traffic is allowed including traffic to bogon addresses,
- what happens with any "-p udp" traffic?
- would you detect any attacks against Perl, PHP, Ruby or any other web stack component using these filter rules? (No.)
- since you run a web server, what is going to happen if it gets DOSsed?

- If you're using SSH from the outside it's best to protect that using methods described in the Failed SSH login attempts thread.
- If you've got /etc/sysctl.conf I'd separate sysctls from the shell script. Centrally stored it's easier to manage, more efficient.
- Please always keep the http://www.frozentux.net/documents/iptables-tutorial/ as reference.
- Do always test your ruleset from the outside using a good packet generator.
- Do use a log watching tool like Logwatch.
- Do deploy defensive measures when running a web server (mod_security etc).
- Do not run unchecked, vulnerable, outdated, unsupported scripts or web applications.
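An added example, not code from the thread, for the first and fourth gaps listed above: a bogon filter for both the INPUT and the OUTPUT chain on the external interface. IPT defaults to echoing the rules so the ruleset can be reviewed without root; it assumes eth0 as the external interface and the 10.0.1.0/24 LAN from the original script.

```shell
#!/bin/bash
# Added example (not from the thread): bogon filtering for INPUT and OUTPUT on
# the external interface.  IPT defaults to "echo iptables" so the generated
# rules can be inspected without root; run with IPT=iptables to apply them.
IPT="${IPT:-echo iptables}"
EXT_IF="eth0"    # external interface, as in the original script

# Address blocks that have no business on the Internet-facing link: "this"
# network, RFC 1918, loopback, link-local, TEST-NET-1, multicast, reserved.
# 10.0.0.0/8 covers the 10.0.1.0/24 LAN, so these rules are bound to $EXT_IF
# only; the inside interface is left alone.
BOGONS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 \
192.0.2.0/24 192.168.0.0/16 224.0.0.0/4 240.0.0.0/4"

bogon_rules() {
    $IPT -N BOGON_IN
    $IPT -N BOGON_OUT
    for net in $BOGONS; do
        # inbound: forged source address arriving on the external link
        $IPT -A BOGON_IN -s "$net" -m limit --limit 5/min -j LOG --log-prefix "BOGON IN: "
        $IPT -A BOGON_IN -s "$net" -j DROP
        # outbound: the server itself must never talk to such a destination
        $IPT -A BOGON_OUT -d "$net" -m limit --limit 5/min -j LOG --log-prefix "BOGON OUT: "
        $IPT -A BOGON_OUT -d "$net" -j DROP
    done
    # Insert at position 1 so nothing earlier in the chain (for example the
    # ESTABLISHED,RELATED shortcut) can accept a bogon first.
    $IPT -I INPUT 1 -i "$EXT_IF" -j BOGON_IN
    $IPT -I OUTPUT 1 -o "$EXT_IF" -j BOGON_OUT
}

bogon_rules
```

The LOG rules are limited to 5/min per chain so a flood of spoofed packets cannot fill the syslog; the DROP rules are unlimited.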
Old 06-22-2010, 07:13 PM   #3
packets
Member
 
Registered: Oct 2005
Posts: 335

Original Poster
Rep: Reputation: 32
Quote:
- there's no limiting (--recent or --limit),
I've now put:

Code:
iptables -A INPUT -m tcp -p tcp -i eth0 --sport $UNPRIVPORTS -d $ext_ipaddr --dport 80 -m state --state NEW,ESTABLISHED -m limit --limit 20/sec --limit-burst=30 -j ACCEPT
iptables -A INPUT -m tcp -p tcp -i eth0 --sport $UNPRIVPORTS -d $ext_ipaddr --dport 80 -m state --state NEW,ESTABLISHED -m limit --limit 20/sec --limit-burst=30 -j LOG --log-prefix "HTTP:  "
Is it advisable to use --limit 20/sec --limit-burst=30 for a web server? Could it affect the browsing if I limit traffic to 20 packets per second?

Quote:
- you use "-j DROP" but as there is no "-j LOG" you will not be able to tell the rate of problems arising,
At the end of the script, I put

Code:
iptables -A INPUT -p tcp -i eth0 -j LOG_DROP
iptables -A INPUT -p udp -i eth0 -j LOG_DROP
Below is the custom chain

Code:
echo "Define custom chain"
iptables -N LOG_DROP
iptables -A LOG_DROP -p tcp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "TCP LOGDROP: "
iptables -A LOG_DROP -p udp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "UDP LOGDROP: "
iptables -A LOG_DROP -p icmp -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "ICMP LOGDROP: "
iptables -A LOG_DROP -f -m limit --limit $LOGLIMIT --limit-burst $LOGLIMITBURST -j LOG --log-prefix "FRAGMENT LOGDROP: "
iptables -A LOG_DROP -j DROP
My LOGLIMIT is 20/s and LOGLIMITBURST is 30.

Quote:
- what happens with any "-p udp" traffic?
I added this as the last line of the script

Code:
iptables -A INPUT -p udp -i eth0 -j LOG_DROP
Quote:
If you're using SSH from the outside it's best to protect that using methods described in the Failed SSH login attempts thread.
I restrict SSH access to certain IP addresses using iptables; I just don't include it in the script. I also use TCP wrappers as another layer of protection on SSH.

Quote:
Do always test your ruleset from the outside using a good packet generator.
Could you recommend good packet generator software for testing the machine? Is there a DDoS tool available for Linux or Windows?
 
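An added example, not from the thread: a small triage script for the LOGDROP messages that the LOG_DROP chain above writes to syslog. Since the LOG rules in that chain are themselves limited to $LOGLIMIT, the counts are lower bounds during a burst. The log lines are constructed samples in the format the iptables LOG target produces, using documentation address ranges.

```shell
#!/bin/bash
# Added example (not from the thread): summarise "LOGDROP" kernel messages by
# source address.  SAMPLE_LOG holds constructed lines in the iptables LOG
# target format; on a real host feed /var/log/messages (or kern.log) instead.
SAMPLE_LOG='Jun 23 01:00:01 gw kernel: TCP LOGDROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=54321 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 23 01:00:01 gw kernel: TCP LOGDROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=54322 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 23 01:00:02 gw kernel: TCP LOGDROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=40 TTL=52 ID=0 DF PROTO=TCP SPT=54323 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Jun 23 01:00:02 gw kernel: UDP LOGDROP: IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 LEN=60 TTL=52 ID=0 PROTO=UDP SPT=40000 DPT=161 LEN=40
Jun 23 01:00:05 gw kernel: UDP LOGDROP: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=78 TTL=110 ID=1 PROTO=UDP SPT=137 DPT=137 LEN=58
Jun 23 01:00:09 gw kernel: TCP LOGDROP: IN=eth0 OUT= SRC=192.0.2.44 DST=203.0.113.5 LEN=48 TTL=110 ID=2 DF PROTO=TCP SPT=1025 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0'

# Read log lines on stdin; print "hits source distinct_ports", busiest first.
dropped_by_source() {
    awk '/LOGDROP:/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            if (src == "") next
            hits[src]++
            if (!((src, dpt) in seen)) { seen[src, dpt] = 1; ports[src]++ }
        }
        END { for (s in hits) printf "%d %s %d\n", hits[s], s, ports[s] }' |
    sort -rn
}

# A source that was dropped on more than $1 distinct destination ports looks
# like a port sweep rather than a stray connection; print those sources.
port_sweepers() {
    dropped_by_source | awk -v min="$1" '$3 > min { print $2 }'
}

printf '%s\n' "$SAMPLE_LOG" | dropped_by_source
```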
Old 06-23-2010, 04:30 AM   #4
vishesh
Member
 
Registered: Feb 2008
Distribution: Fedora,RHEL,Ubuntu
Posts: 661

Rep: Reputation: 66
Quote:
Originally Posted by packets View Post
Could you recommend good packet generator software for testing the machine? Is there a DDoS tool available for Linux or Windows?
I used hping and scapy; both are really good packet generators. Test your iptables rules by generating packets through them.

Thanks