12-29-2006, 10:33 AM | #1 | eponymous (Member; Registered: Oct 2004; Distribution: Gentoo; Posts: 78)
Is this firewall script safe?
Hi, I'm about to use this firewall script (modified to my needs of course) on my Gentoo server.
Code:
#!/bin/bash
#
# This is a sample firewall for ip_tables, the tool for doing firewalling
# and masquerading under the 2.3.x/2.4.x series of kernels.
#
# Be warned, this is a very restrictive set of firewall rules (and they
# should be, for proper security). Anything that you do not _specifically_
# allow is logged and dropped into /dev/null, so if you're wondering why
# something isn't working, check /var/log/messages.
#
# This is about as close as you get to a 'secure' firewall. It's nasty,
# it's harsh, and it will make your machine nearly invisible to the rest
# of the internet world. Have fun.
#
# To run this script you must 'chmod 700 iptables-script' and then execute
# it. To stop it from running, run 'iptables -F'
#Point this to your copy of ip_tables
IPT="/usr/local/bin/iptables"
#Load the module.
modprobe ip_tables
#Flush old rules, delete the firewall chain if it exists
$IPT -F
$IPT -F -t nat
$IPT -X firewall
#Setup Masquerading. Change the IP to your internal network and uncomment
#this in order to enable it.
#$IPT -A POSTROUTING -t nat -s 192.168.1.0/24 -j MASQUERADE
#$IPT -P FORWARD ACCEPT
#echo 1 > /proc/sys/net/ipv4/ip_forward
#Set up the firewall chain
$IPT -N firewall
$IPT -A firewall -j LOG --log-level info --log-prefix "Firewall:"
$IPT -A firewall -j DROP
#Accept ourselves
$IPT -A INPUT -s 127.0.0.1/32 -d 127.0.0.1/32 -j ACCEPT
#If you're using IP Masquerading, change this IP to whatever your internal
#IP address is and uncomment it
#$IPT -A INPUT -s 192.168.1.1/32 -d 0/0 -j ACCEPT
#Accept DNS, 'cause it's warm and friendly
$IPT -A INPUT -p udp --source-port 53 -j ACCEPT
$IPT -A INPUT -p tcp --source-port 113 -j ACCEPT
$IPT -A INPUT -p tcp --destination-port 113 -j ACCEPT
#Allow ftp to send data back and forth.
$IPT -A INPUT -p tcp ! --syn --source-port 20 --destination-port 1024:65535 -j ACCEPT
#Accept SSH. Duh.
#$IPT -A INPUT -p tcp --destination-port 22 -j ACCEPT
#Send everything else to the firewall.
$IPT -A INPUT -p icmp -j firewall
$IPT -A INPUT -p tcp --syn -j firewall
$IPT -A INPUT -p udp -j firewall
Can anyone give me any hints on how secure it is?
I did read in this guide that one should place ACCEPTS after DENYS. (Section: "iptables ACCEPTS")
However, I don't see any DENY rules in the script I posted, just "firewall"'s and they appear after the ACCEPT rules :S.
Thanks.

12-29-2006, 10:44 AM | #2 | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
what services will the server be running?? how many interfaces does it have?? will it also be serving as a router?? how tight do you want the rules to be??

12-29-2006, 10:59 AM | #3 | eponymous, Original Poster (Member; Registered: Oct 2004; Distribution: Gentoo; Posts: 78)
Quote: Originally Posted by win32sux
what services will the server be running?? how many interfaces does it have?? will it also be serving as a router?? how tight do you want the rules to be??
It will be running SSH2, Samba (only for local network) and OpenVPN (as an endpoint). It's only really acting as a router for the OpenVPN endpoint. I want maximum security really.
Thanks.

12-29-2006, 11:19 AM | #4 | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote: Originally Posted by eponymous
It will be running SSH2, Samba (only for local network) and OpenVPN (as an endpoint). It's only really acting as a router for the OpenVPN endpoint. I want maximum security really.
Thanks.
so that's two interfaces then, right??
hmmm, ok... well then, yes - there are some issues in your script... like, that FTP stuff, for example... not only is it not needed but it's also quite ancient syntax from back in the ipchains days... here's a cleaned-up script to get you started... it lacks the VPN/FORWARD rules as i'm not sure what you are referring to in that regard... if you elaborate a little i'll gladly try to add the proper rules for you...
this script is set to do Samba and SSH2 for the LAN - and nothing else:
Code:
#!/bin/sh
IPT="/usr/local/bin/iptables"
LAN_IFACE="eth0"
LAN_NET="192.168.1.0/24"
ADMIN_IP="192.168.1.2"
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
# NETBIOS Name Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET --dport 137 \
-m state --state NEW -j ACCEPT
# NETBIOS Datagram Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET --dport 138 \
-m state --state NEW -j ACCEPT
# NETBIOS session service:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 139 \
-m state --state NEW -j ACCEPT
# Microsoft Naked CIFS:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 445 \
-m state --state NEW -j ACCEPT
# SSH2 Daemon:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $ADMIN_IP --dport 22 \
-m state --state NEW -j ACCEPT
# Log (with limit) other packets before sending them to DROP:
$IPT -A INPUT -j LOG -m limit --limit 3/minute \
--log-prefix "INPUT DROP: "
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Log all other packets before sending them to DROP:
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
Last edited by win32sux; 12-30-2006 at 04:55 PM.

12-29-2006, 11:24 AM | #5 | Member (Registered: Apr 2005; Distribution: Debian, OpenBSD, Fedora, RedHat; Posts: 228)
Hi,
first take a look at
http://iptables-tutorial.frozentux.n...-tutorial.html
http://www.linuxquestions.org/questi...light=sarajevo
start your script by setting default policies
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
and after that implement other rules.
echo 1 > /proc/sys/net/ipv4/ip_forward should be implemented as the last rule, I mean after all iptables rules are set.
I think implementing a script for different systems is a completely different task, and you cannot use some script you googled around the web for your system, because I suppose your system is different and needs a custom script.
I recommend you read the iptables tutorial, it's worth it, and of course ask, people will help
Regards

12-29-2006, 12:01 PM | #6 | eponymous, Original Poster (Member; Registered: Oct 2004; Distribution: Gentoo; Posts: 78)
Thanks for the posts.
Yea, eth0 is the only interface on my system. I also have a TUN/TAP device (I assume) for my OpenVPN endpoint.
I thought of doing this for forwarding to VPN clients:
For BitTorrent eg.
Code:
#Allow Bit-Torrent
$IPTABLES -A INPUT -p tcp --dport 6881 -j ACCEPT
$IPTABLES -t nat -A PREROUTING -p tcp -i eth0 --dport 6881 -j DNAT --to 10.8.0.6:6881
Also, security-wise I'm thinking of doing things like:
Code:
$IPTABLES -A INPUT -i eth0 -s 10.8.0.0/24 -d 0/0 -p tcp --dport 22 -j ACCEPT #VPN pool only
Where 10.8.0.6 is the IP given to clients connecting to the OpenVPN endpoint.
Assuming I'm not using FTP, does this firewall provide a high level of security otherwise?
I'd like to read through the tutorials you've given me but they're so long and I'm very restricted for time at the minute.
However, win32sux, your firewall looks just like what the doctor ordered. Can you give me an example of the VPN redirects? Also, do I need to add any more rules for the VPN?
I noticed that there are some nice rules to block all UDP/TCP/ICMP traffic in the old firewall script I gave you, will your version do the same?
If it helps, I was looking at Firestarter (I doubt I will use it though as I prefer a pure hand-written script), and it says I have the following devices:
* Routed IP Tunnel (tunl0)
* Unknown Device (gre0)
* IPv6 Tunnel (sit0) (I enabled some IPv6 in the kernel)
* Ethernet Device (eth0) (which is connected to the main network and internet - everything goes through here)
* Routed IP Tunnel (tun0)
Also, my local network uses a 192.168.0.0/24 range.
My VPN uses a 10.8.0.0/24 range.
I need my VPN nat'ed with my eth0, so web traffic coming in through the VPN is redirected out of eth0 to the internet.
I also want to allow SSH2 from only two IPs, one on a local network, and one on the internet. I'm sure I can just simply add another rule below the one you have for the "ADMIN IP" (which I can change to suit my needs).
Thanks.
Last edited by eponymous; 12-29-2006 at 04:41 PM.

12-30-2006, 12:24 PM | #7 | eponymous, Original Poster (Member; Registered: Oct 2004; Distribution: Gentoo; Posts: 78)
Can anyone help?

12-30-2006, 12:41 PM | #8 | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote: Originally Posted by eponymous
However, win32sux, your firewall looks just like what the doctor ordered. Can you give me an example of the VPN redirects? Also, do I need to add any more rules for the VPN?
yes, you'll need rules for the VPN... unfortunately, i am not quite understanding how your VPN setup works and hence i can't write the rules... i'll be installing OpenVPN in the next few days when my new laptop arrives, so by next week i should have a decent understanding of what you are going through and what iptables rules you need...
Quote:
I noticed that there are some nice rules to block all UDP/TCP/ICMP traffic in the old firewall script I gave you, will your version do the same?
yes, the script i posted will block ANYTHING which doesn't have a rule specifically allowing it... it will also log when that happens so you'll know...
Quote:
I also want to allow SSH2 from only two IPs, one on a local network, and one on the internet. I'm sure I can just simply add another rule below the one you have for the "ADMIN IP" (which I can change to suit my needs).
yeah, just make sure you give the variable a different name, like this perhaps:
Code:
#!/bin/sh
IPT="/usr/local/bin/iptables"
LAN_IFACE="eth0"
LAN_NET="192.168.1.0/24"
ADMIN_IP1="192.168.1.2"
ADMIN_IP2="200.100.100.140"
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
# NETBIOS Name Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET --dport 137 \
-m state --state NEW -j ACCEPT
# NETBIOS Datagram Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET --dport 138 \
-m state --state NEW -j ACCEPT
# NETBIOS session service:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 139 \
-m state --state NEW -j ACCEPT
# Microsoft Naked CIFS:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 445 \
-m state --state NEW -j ACCEPT
# SSH2 Daemon (ADMIN #1):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $ADMIN_IP1 --dport 22 \
-m state --state NEW -j ACCEPT
# SSH2 Daemon (ADMIN #2):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $ADMIN_IP2 --dport 22 \
-m state --state NEW -j ACCEPT
# Log (with limit) other packets before sending them to DROP:
$IPT -A INPUT -j LOG -m limit --limit 3/minute \
--log-prefix "INPUT DROP: "
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
# Log all other packets before sending them to DROP:
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
sorry that i can't be more helpful... i'll be monitoring this thread to see if anyone posts the proper procedures for doing this, cuz i'm interested in learning too... but in any case, like i said, i should have this down by next week either way (i'll post)... good luck!!!
Last edited by win32sux; 12-30-2006 at 04:54 PM.

12-30-2006, 01:11 PM | #9 | eponymous, Original Poster (Member; Registered: Oct 2004; Distribution: Gentoo; Posts: 78)
Great! thanks!
I made up a firewall a few days ago using the one I posted to you and added the rules for the openvpn forwards.
They do work, but I'm just wondering if I'm missing something and/or if the syntax is as old and out of date as the rest.

12-30-2006, 04:42 PM | #10 | eponymous, Original Poster (Member; Registered: Oct 2004; Distribution: Gentoo; Posts: 78)
Hmm, I've just finished customizing the script. When I tried running it, it says:
Code:
iptables v1.3.5: Can't use -i with OUTPUT
Try `iptables -h' or 'iptables --help' for more information.
Do you have any ideas?

12-30-2006, 04:54 PM | #11 | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote: Originally Posted by eponymous
Hmm, I've just finished customizing the script. When I tried running it, it says:
Code:
iptables v1.3.5: Can't use -i with OUTPUT
Try `iptables -h' or 'iptables --help' for more information.
Do you have any ideas?
sorry, it was a typo caused by all the copy/pasting involved in writing iptables rules...
i've corrected it... OUTPUT rules use a "-o" instead of a "-i"...
Last edited by win32sux; 12-30-2006 at 04:57 PM.
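A small pre-flight lint for an iptables script, added here as an example and not code from the thread: it catches an interface match on the wrong chain (the "Can't use -i with OUTPUT" error iptables printed above) and warns when a filter-table chain is left without a DROP default policy, the first step the earlier reply recommended. The script it checks is a constructed fragment in the style of the ones posted.

```shell
#!/bin/sh
# Pre-flight lint for an iptables script (added example for this thread, not
# from the original posts). Flags the post #10 mistake (-i is only valid in
# INPUT/FORWARD/PREROUTING, -o only in OUTPUT/FORWARD/POSTROUTING) and the
# filter chains left without a DROP default policy (post #5's first step).

# Constructed input in the style of the thread's scripts: one wrong OUTPUT rule,
# and FORWARD/OUTPUT left with no policy (mangle's OUTPUT policy does not count).
sample_script() {
    cat <<'EOF'
IPT="/usr/local/bin/iptables"
$IPT -P INPUT DROP
$IPT -t mangle -P OUTPUT ACCEPT
# Typo from post #10: an OUTPUT rule needs -o, not -i.
$IPT -A OUTPUT -p UDP -i eth0 --dport 53 \
    -m state --state NEW -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
EOF
}

# Join backslash-continued lines into one record and drop comments.
flatten_rules() {
    awk '{ sub(/#.*/, "") }
         /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
         NF    { print buf $0; buf = "" }'
}

# Report -i/-o used in a built-in chain where iptables rejects it.
check_interfaces() {
    flatten_rules | awk '{
        chain = bad = ""
        for (i = 1; i < NF; i++) if ($i == "-A" || $i == "-I") chain = $(i + 1)
        for (i = 1; i < NF; i++) {
            if ($i == "-i" && (chain == "OUTPUT" || chain == "POSTROUTING")) bad = "-i"
            if ($i == "-o" && (chain == "INPUT" || chain == "PREROUTING")) bad = "-o"
        }
        if (bad != "") print "error: " bad " is not valid in " chain ": " $0
    }'
}

# Report filter-table chains with no default policy, or one other than DROP.
check_policies() {
    flatten_rules | awk '{
        table = "filter"
        for (i = 1; i < NF; i++) if ($i == "-t") table = $(i + 1)
        if (table != "filter") next
        for (i = 1; i < NF - 1; i++) if ($i == "-P") pol[$(i + 1)] = $(i + 2)
    }
    END {
        n = split("INPUT FORWARD OUTPUT", chains, " ")
        for (c = 1; c <= n; c++)
            if (!(chains[c] in pol)) print "warning: no policy for " chains[c] " (kernel default is ACCEPT)"
            else if (pol[chains[c]] != "DROP") print "warning: " chains[c] " policy is " pol[chains[c]] ", not DROP"
    }'
}

sample_script | check_interfaces
sample_script | check_policies
```

To check a real script, replace `sample_script` with `cat /path/to/your/firewall-script` in the last two lines.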

12-30-2006, 05:24 PM | #12 | eponymous, Original Poster (Member; Registered: Oct 2004; Distribution: Gentoo; Posts: 78)
Hmmm, seems to have fixed it. But is this firewall supposed to stop me pinging www.google.com?
Thanks a lot for your help so far btw

12-30-2006, 05:33 PM | #13 | win32sux (LQ Guru; Registered: Jul 2003; Location: Los Angeles; Distribution: Ubuntu; Posts: 9,870)
Quote: Originally Posted by eponymous
Hmmm, seems to have fixed it. But is this firewall supposed to stop me pinging www.google.com?
yeah... you said you wanted maximum security... so since the server you described (Samba/SSH2/OpenVPN) has no need to be making any outgoing connections or pinging and stuff, it's all firewalled by the script...
the server won't be able to start any connections on its own - only clients will be able to start them with the server... hence, for example, if someone were to find a user-level exploit on one of your services, they wouldn't be able to use your server to attack other boxes on your LAN or on the Internet, etc...
that said, to allow outgoing PINGs just add a rule for it... like this (notice i also had to add a rule allowing outgoing DNS lookups or else you'd only be able to ping IP addresses):
Code:
#!/bin/sh
IPT="/usr/local/bin/iptables"
LAN_IFACE="eth0"
LAN_NET="192.168.1.0/24"
ADMIN_IP1="192.168.1.2"
ADMIN_IP2="200.100.100.140"
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT DROP
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P INPUT ACCEPT
$IPT -t mangle -P FORWARD ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
$IPT -t mangle -P POSTROUTING ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
# NETBIOS Name Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET --dport 137 \
-m state --state NEW -j ACCEPT
# NETBIOS Datagram Service:
$IPT -A INPUT -p UDP -i $LAN_IFACE -s $LAN_NET --dport 138 \
-m state --state NEW -j ACCEPT
# NETBIOS session service:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 139 \
-m state --state NEW -j ACCEPT
# Microsoft Naked CIFS:
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $LAN_NET --dport 445 \
-m state --state NEW -j ACCEPT
# SSH2 Daemon (ADMIN #1):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $ADMIN_IP1 --dport 22 \
-m state --state NEW -j ACCEPT
# SSH2 Daemon (ADMIN #2):
$IPT -A INPUT -p TCP -i $LAN_IFACE -s $ADMIN_IP2 --dport 22 \
-m state --state NEW -j ACCEPT
# Log (with limit) other packets before sending them to DROP:
$IPT -A INPUT -j LOG -m limit --limit 3/minute \
--log-prefix "INPUT DROP: "
$IPT -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -p ICMP -o $LAN_IFACE --icmp-type 8 \
-m state --state NEW -j ACCEPT
$IPT -A OUTPUT -p UDP -o $LAN_IFACE --dport 53 \
-m state --state NEW -j ACCEPT
# Log all other packets before sending them to DROP:
$IPT -A OUTPUT -j LOG --log-prefix "OUTPUT DROP: "
Last edited by win32sux; 12-30-2006 at 05:37 PM.
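Both scripts log whatever they drop with a prefix, so the log is where you find out what the rules stopped, the blocked ping included. As an added example (not code from the thread), this summarises such kernel log lines by protocol, destination port and source; the log lines are constructed samples in the format the iptables LOG target writes, using the "INPUT DROP: " and "OUTPUT DROP: " prefixes from the script above, with constructed addresses.

```shell
#!/bin/sh
# Summarise what the scripts' LOG rules have been dropping, from kernel log
# lines. Added example for this thread, not from the original posts. The
# log lines are constructed samples in the format the iptables LOG target
# writes to /var/log/messages, using the "INPUT DROP: " and "OUTPUT DROP: "
# prefixes from win32sux's script; addresses and MACs are made up.
sample_log() {
    cat <<'EOF'
Dec 30 17:05:11 gentoo kernel: INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=45678 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 30 17:05:14 gentoo kernel: INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=45679 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 30 17:05:20 gentoo kernel: INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=192.168.1.50 DST=192.168.1.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=45680 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 30 17:06:02 gentoo kernel: INPUT DROP: IN=tun0 OUT= SRC=10.8.0.6 DST=10.8.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Dec 30 17:07:45 gentoo kernel: INPUT DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:00:aa:bb:cc:dd:ee:08:00 SRC=203.0.113.9 DST=192.168.1.10 LEN=404 TOS=0x00 PREC=0x00 TTL=112 ID=5 PROTO=UDP SPT=1434 DPT=1434 LEN=384
Dec 30 17:08:10 gentoo kernel: OUTPUT DROP: IN= OUT=eth0 SRC=192.168.1.10 DST=198.51.100.1 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=6 DF PROTO=ICMP TYPE=8 CODE=0 ID=1234 SEQ=1
EOF
}

# summarize <log-prefix>: one line per "count PROTO DPT SRC", busiest first.
summarize() {
    awk -v pfx="$1" '
        index($0, pfx) == 0 { next }
        {
            src = proto = dpt = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "SRC") src = kv[2]
                else if (kv[1] == "PROTO") proto = kv[2]
                else if (kv[1] == "DPT") dpt = kv[2]
            }
            if (dpt == "") dpt = "-"          # ICMP carries no port
            hits[proto " " dpt " " src]++
        }
        END { for (k in hits) printf "%d %s\n", hits[k], k }
    ' | sort -rn
}

# repeat_offenders <log-prefix> <min-hits>: sources dropped at least min-hits times.
repeat_offenders() {
    summarize "$1" | awk -v min="$2" '
        { total[$4] += $1 }
        END { for (s in total) if (total[s] >= min) print s, total[s] }
    ' | sort
}

sample_log | summarize "INPUT DROP: "
sample_log | repeat_offenders "INPUT DROP: " 3
```

On the server itself, feed it the real log instead: `grep 'DROP: ' /var/log/messages | summarize "INPUT DROP: "`.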

12-30-2006, 06:36 PM | #14 | eponymous, Original Poster (Member; Registered: Oct 2004; Distribution: Gentoo; Posts: 78)
Wow! Damn, that's some nice security. Perfect. Thanks!
Also, how do I allow web traffic, simply add a port 80 rule?
How would one allow all OUTBOUND traffic?
I may have confused you/myself. I do need to be able to access things like IRC, MSN, FTP, HTTP etc. from the machine, as it's not only a server, but a desktop machine running Gaim etc.
I'd be happy making individual rules for each application if it's better to do that?
Also, just to be sure, when I run iptables -L I get this:
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
Can you explain what these mean?
Thanks a lot!
Last edited by eponymous; 12-30-2006 at 06:45 PM.

01-01-2007, 09:25 AM | #15 | eponymous, Original Poster (Member; Registered: Oct 2004; Distribution: Gentoo; Posts: 78)
Update: I found out that my VPN device is tun0 (using ifconfig).