My firewall not run ok ?

matthewchin · 06-07-2004, 11:32 PM

I have the following firewall call by /etc/rc.d/rc.local:
It run failed with "no such file and directory"

using manual run and syntax check , sh -n firewall, it complaint
problem in the first for loop.

Can anyone show me how to correct? I am newbie in linux and iptables.

Quote:

#! /bin/sh
#
# Original Script Reference
# http://www.sns.ias.edu/~jns/security...les/rules.html
# http://www.study-area.org/linux/servers/linux_nat.htm
#
# Modified by - Matthew Chin
# Date - 2004/06/05
# Version - 1.0
#
# Redistribution of this file is permitted under the terms of
# the GNU General Public License (GPL).
#
#
# --------------- Start of Script ---------------
#
# --------------- Some definitions ---------------
echo "Set up definitions..."
IFACE="eth0"
IPADDR="192.168.1.5"
BROADCAST="192.168.1.255"
LOOPBACK="127.0.0.0/8"
CLASS_A="10.0.0.0/8"
CLASS_B="172.16.0.0/12"
CLASS_C="192.168.0.0/16"
CLASS_D_MULTICAST="224.0.0.0/4"
CLASS_E_RESERVED_NET="240.0.0.0/4"
P_PORTS="0:1023"
UP_PORTS="1024:65535"
TR_SRC_PORTS="32769:65535"
TR_DEST_PORTS="33434:33523"
TR_TCP_PORTS="20 21 22 23 25 53 80 110 113 139 143 220 443 445 465 515 631 783 993 995 000 3306 6000 10000 10001"
TR_UDP_PORTS="53 137 138 445"
# --------------- Allow TCP, UDP port deswcription ---------------
# 20 - ftp data
# 21 - ftp control
# 22 - SSH
# 23 - Telnet
# 25 - SMTP
# 53 - DNS
# 80 - WWW
# 110 - POP3
# 113 - auth
# 137 - samba
# 138 - samba
# 139 - samba
# 143 - ?
# 220 - ?
# 443 - https
# 445 - samba
# 465 - ?
# 515 - printer
# 631 - ipp (CUPS)
# 783 - hp-alarm-mgr
# 993 - ?
# 995 - ?
# 3000 - palantir - webcam
# 3306 - mysql
# 6000 - X11
# 10000 - webmin
# 10001 - router remote
#
# --------------- Load appropriate modules ---------------
echo "Loading modules..."
#
for file in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_*.o
do
module=$(basename $file)
/sbin/modprobe ${module%.*} &>/dev/null
done
for file in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_*.o
do
module=$(basename $file)
/sbin/modprobe ${module%.*} &>/dev/null
done
#
# --------------- ip forwarding ---------------
echo "Turning on IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr
#
# --------------- anti spoofing etc ---------------
echo "Turning on anti-spoofing..."
for file in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo "1" > $file
done
#
# Disable response to ping.
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
#
# Disable response to broadcasts.
# You don't want yourself becoming a Smurf amplifier.
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
#
# Don't accept source routed packets. Attackers can use source routing to generate
# traffic pretending to be from inside your network, but which is routed back along
# the path from which it came, namely outside, so attackers can compromise your
# network. Source routing is rarely used for legitimate purposes.
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
#
# Disable ICMP redirect acceptance. ICMP redirects can be used to alter your routing
# tables, possibly to a bad end.
for interface in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo "0" > ${interface}
done
#
# Enable bad error message protection.
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
#
# Log spoofed packets, source routed packets, redirect packets.
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
#
# ---------- Remove all rules ----------
echo "Cleaning up..."
iptables -F
iptables -X
iptables -Z
#
iptables -F -t nat
iptables -X -t nat
iptables -Z -t nat
#
# ------------- Policies -------------
echo "Setting up policies to ACCEPT..."
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
#
# --------------- Rules ---------------
echo "Creating rules ..."
# Allow unlimited traffic on the loopback interface.
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#
# SYN-FLOODING PROTECTION
# This rule maximises the rate of incoming connections. In order to do this we divert tcp
# packets with the SYN bit set off to a user-defined chain. Up to limit-burst connections
# can arrive in 1/limit seconds ..... in this case 4 connections in one second. After this, one
# of the burst is regained every second and connections are allowed again. The default limit
# is 3/hour. The default limit burst is 5.
#
iptables -N syn-flood
iptables -A INPUT -i $IFACE -p tcp --syn -j syn-flood
iptables -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
iptables -A syn-flood -j DROP
#
# Make sure NEW tcp connections are SYN packets
iptables -A INPUT -i $IFACE -p tcp ! --syn -m state --state NEW -j DROP
#
#
# Refuse spoofed packets pretending to be from your IP address.
iptables -A INPUT -i $IFACE -s $IPADDR -j DROP
# Refuse packets claiming to be from a Class A private network.
iptables -A INPUT -i $IFACE -s $CLASS_A -j DROP
# Refuse packets claiming to be from a Class B private network.
iptables -A INPUT -i $IFACE -s $CLASS_B -j DROP
# Refuse packets claiming to be from a Class C private network.
# iptables -A INPUT -i $IFACE -s $CLASS_C -j DROP
# Refuse Class D multicast addresses. Multicast is illegal as a source address.
iptables -A INPUT -i $IFACE -s $CLASS_D_MULTICAST -j DROP
# Refuse Class E reserved IP addresses.
iptables -A INPUT -i $IFACE -s $CLASS_E_RESERVED_NET -j DROP
# Refuse packets claiming to be to the loopback interface.
# Refusing packets claiming to be to the loopback interface protects against
# source quench, whereby a machine can be told to slow itself down by an icmp source
# quench to the loopback.
iptables -A INPUT -i $IFACE -d $LOOPBACK -j DROP
# Refuse broadcast address packets.
iptables -A INPUT -i $IFACE -d $BROADCAST -j DROP
#
# --------------- ICMP ---------------
echo "Creating ICMP chain...."
# We prefilter icmp by pulling it off to user-dfined chains so that we can restrict which
# types are allowed from the beginning rather than leaving it to the connection tracking.
# For instance, we don't want redirects whatever happens.
# In case you hadn't realised, ICMP scares me ...................
#
# 0: echo reply (pong)
# 3: destination-unreachable (port-unreachable, fragmentation-needed etc).
# 4: source quench
# 5: redirect
# 8: echo request (ping)
# 9: router advertisement
# 10: router solicitation
# 11: time-exceeded
# 12: parameter-problem
# 13: timestamp request
# 14: timestamp reply
# 15: information request
# 16: information reply
# 17: address mask request
# 18: address mask reply
#
iptables -N icmp-in
iptables -N icmp-out
#
iptables -A INPUT -i $IFACE -p icmp -j icmp-in
iptables -A OUTPUT -o $IFACE -p icmp -j icmp-out
#
# Accept 0,3,4,11,12,14,16,18 in.
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 0 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 3 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 4 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 11 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 12 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 14 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 16 -s 0/0 -d $IPADDR -j RETURN
iptables -A icmp-in -i $IFACE -p icmp --icmp-type 18 -s 0/0 -d $IPADDR -j RETURN
# Allow 4,8,12,13,15,17 out.
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 4 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 8 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 12 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 13 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 15 -s $IPADDR -d 0/0 -j RETURN
iptables -A icmp-out -o $IFACE -p icmp --icmp-type 17 -s $IPADDR -d 0/0 -j RETURN
#
# Any ICMP not already allowed is logged and then dropped.
iptables -A icmp-in -i $IFACE -j LOG --log-prefix "IPTABLES ICMP-BAD-TYPE-IN: "
iptables -A icmp-in -i $IFACE -j DROP
iptables -A icmp-out -o $IFACE -j LOG --log-prefix "IPTABLES ICMP-BAD-TYPE-OUT: "
iptables -A icmp-out -o $IFACE -j DROP
#
# Now we have returned from the icmp-in chain allowing only certain types
# of icmp inbound, we can accept it if it is related to other connections
# (e.g a time exceed from a traceroute) or part of an established one
# (e.g. an echo reply)
iptables -A INPUT -i $IFACE -p icmp -m state --state ESTABLISHED,RELATED -j ACCEPT
# Now we have returned from the icmp-out chain allowing only certain types
# of icmp outbound, we can just accept it under all circumstances.
iptables -A OUTPUT -o $IFACE -p icmp -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
#
# --------------- services ---------------
echo "Creating services chain...."
iptables -N services
for PORT in $TR_TCP_PORTS; do
iptables -A services -i $IFACE -p tcp --dport $PORT -j ACCEPT
done
for PORT in $TR_UDP_PORTS; do
iptables -A services -i $IFACE -p udp --dport $PORT -j ACCEPT
done
#
# ------------- block -------------
echo "Creating block chain..."
iptables -N block
iptables -A block -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A block -m state --state NEW -i ! $IFACE -j ACCEPT
iptables -A block -j DROP
#
# ------------- filter -------------
echo "Filtering packets..."
#
iptables -A INPUT -j services
iptables -A INPUT -j block
iptables -A FORWARD -j block
#
# FTP
echo "FTP control..."
# Allow ftp outbound.
iptables -A INPUT -i $IFACE -p tcp --sport 21 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
#
# Now for the connection tracking part of ftp. This is discussed more completely in my section
# on connection tracking to be found here.
# 1) Active ftp.
# This involves a connection INbound from port 20 on the remote machine, to a local port
# passed over the ftp channel via a PORT command. The ip_conntrack_ftp module recognizes
# the connection as RELATED to the original outgoing connection to port 21 so we don't
# need NEW as a state match.
iptables -A INPUT -i $IFACE -p tcp --sport 20 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --dport 20 -m state --state ESTABLISHED -j ACCEPT
#
# 2) Passive ftp.
# This involves a connection outbound from a port >1023 on the local machine, to a port >1023
# on the remote machine previously passed over the ftp channel via a PORT command. The
# ip_conntrack_ftp module recognizes the connection as RELATED to the original outgoing
# connection to port 21 so we don't need NEW as a state match.
iptables -A INPUT -i $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
-m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -o $IFACE -p tcp --sport $UP_PORTS --dport $UP_PORTS \
-m state --state ESTABLISHED,RELATED -j ACCEPT
#
# TRACEROUTE
echo "TRACEROUTE control..."
# Outgoing traceroute anywhere.
# The reply to a traceroute is an icmp time-exceeded which is dealt with by the next rule.
iptables -A OUTPUT -o $IFACE -p udp --sport $TR_SRC_PORTS --dport $TR_DEST_PORTS \
-m state --state NEW -j ACCEPT
#
# FORWARD
echo "Forward control..."
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#
iptables -A FORWARD -j ACCEPT
#
iptables -A FORWARD -j LOG --log-prefix "IPTABLES FORWARD: "
#
iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
#
# ------------- Logging -------------
echo "Logging..."
# You don't have to split up your logging like I do below, but I prefer to do it this way
# because I can then grep for things in the logs more easily. One thing you probably want
# to do is rate-limit the logging. I didn't do that here because it is probably best not too
# when you first set things up ................. you actually really want to see everything going to
# the logs to work out what isn't working and why. You can implement logging with
# "-m limit --limit 6/h --limit-burst 5" (or similar) before the -j LOG in each case.
#
# Any udp not already allowed is logged and then dropped.
iptables -A INPUT -i $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-IN: "
iptables -A INPUT -i $IFACE -p udp -j DROP
iptables -A OUTPUT -o $IFACE -p udp -j LOG --log-prefix "IPTABLES UDP-OUT: "
iptables -A OUTPUT -o $IFACE -p udp -j DROP
# Any icmp not already allowed is logged and then dropped.
iptables -A INPUT -i $IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-IN: "
iptables -A INPUT -i $IFACE -p icmp -j DROP
iptables -A OUTPUT -o $IFACE -p icmp -j LOG --log-prefix "IPTABLES ICMP-OUT: "
iptables -A OUTPUT -o $IFACE -p icmp -j DROP
# Any tcp not already allowed is logged and then dropped.
iptables -A INPUT -i $IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-IN: "
iptables -A INPUT -i $IFACE -p tcp -j DROP
iptables -A OUTPUT -o $IFACE -p tcp -j LOG --log-prefix "IPTABLES TCP-OUT: "
iptables -A OUTPUT -o $IFACE -p tcp -j DROP
# Anything else not already allowed is logged and then dropped.
# It will be dropped by the default policy anyway ........ but let's be paranoid.
iptables -A INPUT -i $IFACE -j LOG --log-prefix "IPTABLES PROTOCOL-X-IN: "
iptables -A INPUT -i $IFACE -j DROP
iptables -A OUTPUT -o $IFACE -j LOG --log-prefix "IPTABLES PROTOCOL-X-OUT: "
iptables -A OUTPUT -o $IFACE -j DROP
#
echo "Firewall Setup is Completed..."
#
# --------------- End of Script ---------------
#

heema · 06-07-2004, 11:36 PM

u could use an easy to use firewall like guarddog

Capt_Caveman · 06-07-2004, 11:54 PM

using manual run and syntax check , sh -n firewall, it complaint problem in the first for loop.

The first loop works for me. Verify that the paths used in the script are correct for your system ( ie make sure the directory /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ exists) and that you have the proper permissions when executing the script (ie. normal users can't execute modprobe).

matthewchin · 06-08-2004, 12:24 AM

Capt_Caveman:

Thanks,

-rwxr-xr-x 1 root root 13548 Jun 7 22:40 firewall

the directory is valid.

Still complaint ??

Quote:

> sh -n firewall
firewall: line 67: syntax error near unexpected token `do
'
firewall: line 67: `for file in /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_*.o; do
'

p.s. What is diff:
#! /bin/sh
#! /bin/bash

Capt_Caveman · 06-09-2004, 12:27 AM

Are you absolutely sure the script is 100% identical to what you've posted? Maybe highlight and copy the posted script, then paste it into a new file and diff them. Aside from that, I'm not sure why it isn't working for you. I did notice, that for me the for loop and the do statement are on different line numbers, with no semicolon. That doesn't seem to make a difference by itself, but it does lead me to think that maybe the version you're running is different somehow

/bin/sh and /bin/bash are both *NIX shells. /bin/sh refers to the bourne shell, while /bin/bash is the bourne again shell. They are very similar, but do have some slight differences. There are all kinds of other shells available: csh, ksh, zsh, etc. If you are really curious, here is a little history about the different shells.

Garak · 06-11-2004, 02:27 PM

I'm with heema on this one. Get a more mainstream, easier to use firewall that is already debugged.

Trying to debug your script from a forum post is somewhat time consuming.
Why re-invent the wheel? The two best firewalls I've seen are Shorewall
and homeLANsecurity .

Of the two, homeLANsecurity is the easiest to use. Why not start with one of
these and only script something if they don't already have it built in?

matthewchin · 06-13-2004, 10:03 PM

Thanks for info.

That one is great !