Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Hi folks, would anyone care to comment on the following iptables script and suggest any improvements or additions i can make to secure it a little more?
I guess a little info on the machine is also needed. Its running FC2 as a server (only on dial-up temporarily), and gives access to HTTP, Telnet and Passive FTP. Also has a win98 client sitting behind it.
thanks.
Code:
#!/bin/sh
IPTABLES=/sbin/iptables
# Setting EXTERNAL and INTERNAL interfaces
EXTIF="ppp0"
INTIF="eth0"
echo "loading firewall script"
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
# load some modules if not loaded
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_conntrack_ftp.o ]; then /sbin/modprobe ip_conntrack_ftp; fi
if [ -e /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ip_nat_ftp.o ]; then /sbin/modprobe ip_nat_ftp; fi
# Flushing old tables & setting defaults
$IPTABLES -F INPUT
$IPTABLES -P INPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P OUTPUT ACCEPT
# Setup nat
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
$IPTABLES -P FORWARD DROP
# Allow all internal traffic
$IPTABLES -A INPUT -i $INTIF -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -j ACCEPT
# allow established and related packets back in
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 23 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i ppp0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o ppp0 -p tcp --dport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -i ppp0 -p tcp --dport 1024: -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o ppp0 -p tcp --dport 1024: -j ACCEPT
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
# allow all packets on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT
# End of script
From there, look for Shields Up. Then do test on the following: File Sharing, Common Ports, and All Service Ports. If all of your ports are stealthed, then your OK.
However, some people out here think that this is not reliable nor accurate results. I dont know. But give it a try. Steve Gibson is a security expert (mainly for Windows systems).
As posted above, the machine is running public services. GRC is good to see what ports are open, but they arent going to be stealthed are they? I asked for help with the scripting, not to see if im totally locked down, as i dont want to be.
--
you might find that thread interesting and educational, even though the script i contributed on that thread is way more restrictive than you need yours to be...
also you might want to consider using REJECT more then DROP, as stealthing can sometimes make your computer look suspicious ("ooo, a filewall, i wonder how much important stuff is in that computer!!")
Originally posted by SciYro $IPTABLES -A INPUT -p TCP ! --syn -m state --state NEW -j DROP
concerning that line, you should change it, as stated in the following link it could make you into a prime target for someone to pretend to be you
i think you are somewhat confused... that rule drops any new packet that doesn't have the syn bit set...
every new packet should be a SYN packet, if it isn't then the packet is usually part of something funky, like a portscan (for example), so we ignore it...
using the "new not syn" rule on the forward chain also provides an interesting side-effect: it can prevent certain windows spyware on the lan from "calling home"...
Quote:
also you might want to consider using REJECT more then DROP, as stealthing can sometimes make your computer look suspicious ("ooo, a filewall, i wonder how much important stuff is in that computer!!")
i respectfully disagree... you should use DROP whenever you can, and only use REJECT when you must...
also, there's no such thing as "stealth" on a machine that's running a web, ftp, and a telnet daemon...
yea i am confused ... but thats only expect i get confused easily
anyways, from my confused myself, ill just ask .... did you even read the small link? .. i know that no new connections should be without a syn bit
rereading my post i think i was confused when writing that, which leads to further confusion down the line of confusions on this day of confusion .... .. i should rewrite that first part to "maybe consider adding a new rule"
kola, the script i gave you permits all output... this is only necessary if you are also going to be using the firewall machine as a client on the internet... if it's a 100% pure server and gateway only machine, then you should only allow traffic related to the daemons to be output...
i mention this cuz, well, this thread is about hardening your script... so here you go:
Code:
#!/bin/sh
IPTABLES="/sbin/iptables"
EXTIF="ppp0"
INTIF="eth0"
INTIF_IP="192.168.0.1"
INTIF_NET="192.168.0.0/24"
LO="lo"
LO_IP="127.0.0.1"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_irc
#/sbin/modprobe ip_conntrack_irc
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
###############################################################################
### INPUT
###############################################################################
$IPTABLES -A INPUT -p ALL -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p ALL -i $LO -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p TCP ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $EXTIF --dport 23 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $EXTIF --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $EXTIF --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p ICMP ! --fragment --icmp-type 8 -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "INPUT DROP: "
###############################################################################
### OUTPUT
###############################################################################
$IPTABLES -A OUTPUT -p ALL -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -p ALL -o $LO -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $EXTIF -m state --state \
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "OUTPUT DROP: "
###############################################################################
### FORWARD
###############################################################################
$IPTABLES -A FORWARD -p ALL -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP
$IPTABLES -A FORWARD -p ALL -i $EXTIF -o $INTIF -m state --state \
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p ALL -i $INTIF -o $EXTIF -s $INTIF_NET -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "FORWARD DROP: "
###############################################################################
### POSTROUTING
###############################################################################
$IPTABLES -t nat -A POSTROUTING -p ALL -o $EXTIF -j MASQUERADE
echo "So let it be written, so let it be done..."
also, the forward chain right now allows all traffic from the lan to the internet... you can tweak the forward chain and allow only certain types of connections from the lan to the internet... like, for example, web or email traffic... that would make it much tighter...
this example blocks anything from the lan to the internet that isn't WEB traffic:
Code:
#!/bin/sh
IPTABLES="/sbin/iptables"
EXTIF="ppp0"
INTIF="eth0"
INTIF_IP="192.168.0.1"
INTIF_NET="192.168.0.0/24"
LO="lo"
LO_IP="127.0.0.1"
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_irc
#/sbin/modprobe ip_conntrack_irc
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
###############################################################################
### INPUT
###############################################################################
$IPTABLES -A INPUT -p ALL -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p ALL -i $LO -s $LO_IP -j ACCEPT
$IPTABLES -A INPUT -p TCP ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $EXTIF --dport 23 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $EXTIF --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $EXTIF --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p ICMP ! --fragment --icmp-type 8 -j ACCEPT
$IPTABLES -A INPUT -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "INPUT DROP: "
###############################################################################
### OUTPUT
###############################################################################
$IPTABLES -A OUTPUT -p ALL -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -p ALL -o $LO -s $LO_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -o $EXTIF -m state --state \
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "OUTPUT DROP: "
###############################################################################
### FORWARD
###############################################################################
$IPTABLES -A FORWARD -p ALL -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP
$IPTABLES -A FORWARD -p ALL -i $EXTIF -o $INTIF -m state --state \
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $INTIF -o $EXTIF -s $INTIF_NET \
--dport 80 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $INTIF -o $EXTIF -s $INTIF_NET \
--dport 443 -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "FORWARD DROP: "
###############################################################################
### POSTROUTING
###############################################################################
$IPTABLES -t nat -A POSTROUTING -p ALL -o $EXTIF -j MASQUERADE
echo "So let it be written, so let it be done..."
Thanks for the help buddy. Unfortunately yes i am using this machine as a client on the internet, so al output is needed, your first script is a great help.
Looks like we might be changing to adsl in a week or so, so i guess it'll need changing again then, but hey.. :P
One more thing. Does this log to the system log? And is it possible to change the logfile and add in more log-dumps?
Straight away in the sys log i am getting lots of:
Sep 12 21:37:16 xeres kernel: INPUT DROP: IN=eth0 OUT= MAC=00:d0:09:dc:84:43:00:10:b5:52:d9:81:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=42502 DF PROTO=TCP SPT=1237 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0
This looks like outbound traffic from the win98 client, yes? any idea what its blocking and why? Im thinlking maybe a kazaa/msn type program?
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
I asked for help with the scripting, not to see if im totally locked down, as i dont want to be.
yea i am confused ... but thats only expect 
