
aus9 08-12-2004 04:19 AM

simple firewall for dial up modem (Slackware 10)

I would not normally reveal my security issues to strangers, but I have tested this firewall at and so, although it's not perfect, it may help some others?

This firewall is started on Slackware 10 by the /etc/rc.d/rc.inet2 script, which is
if [ -x /etc/rc.d/rc.firewall ]; then
  /etc/rc.d/rc.firewall start
fi

I have commented out the insert module ip_tables line as my kernel starts this module.
EDIT: My /etc/rc.d/rc.modules has the modem started by this line
/sbin/modprobe ppp_generic

Please note I have no ethernet card, just an external dial-up modem.

If you like it, copy it to a text editor, then make it executable and test it, of course.

###########my firewall is at /etc/rc.d/rc.firewall ########

#!/bin/sh
#IPTABLES Firewall script - created by Ben Birnbaum and modified for slack by aus9
# "--dport" is the same as "--destination-port"
# -F is hyphen capital F and means flush (empty) a chain, or all chains if none is named
# -P is hyphen capital P and means set the policy (the default action for a built-in chain)
# -X is hyphen capital X and means delete a user-defined chain named whatever; if nothing is specified
# then X deletes all empty user-defined chains
# -j ACCEPT is hyphen lowercase j and capital ACCEPT and means this rule is a winner and don't
# look for any more rules, accept it and hope for the best, heh heh

#Set to the location of the iptables executable and "Z" is a code to save typing "iptables"
# (this assignment was missing from the forum copy; /usr/sbin/iptables is where Slackware installs it)
Z=/usr/sbin/iptables
####insmod ip_tables

#Flush all firewall rules (stop the script)
echo -n "Flushing Firewall Rules........."
$Z -F
# the two user chains do not exist yet on the first run, so hide the harmless error
$Z -X firewall 2>/dev/null
$Z -X syn-flood 2>/dev/null
# open the INPUT policy while rules are reloaded (line reconstructed from aus9's follow-up post)
$Z -P INPUT ACCEPT
echo "DONE"

#Kernel settings: spoofing protection and TCP tuning
# ip_forward=1 enables routing between interfaces; only needed if this host forwards for other machines
echo 1 > /proc/sys/net/ipv4/ip_forward
sysctl -w net.ipv4.tcp_max_syn_backlog=256
sysctl -w net.ipv4.tcp_syn_retries=5
sysctl -w net.ipv4.route.mtu_expires=512
sysctl -w net.ipv4.tcp_keepalive_time=7600
###sysctl -w net.ipv4.icmp_echoreply_rate=10
sysctl -w net.ipv4.tcp_fin_timeout=360
sysctl -w net.ipv4.tcp_rfc1337=1
####echo 8176 > /proc/sys/net/ipv4/ip_conntrack_max
echo 0 > /proc/sys/net/ipv4/ip_no_pmtu_disc
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# rp_filter drops packets whose source address is not reachable via the interface they came in on
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/all/accept_redirects
echo 0 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 128 > /proc/sys/net/ipv4/ip_default_ttl
echo 262144 > /proc/sys/net/core/rmem_default
echo 262144 > /proc/sys/net/core/rmem_max
echo 262144 > /proc/sys/net/core/wmem_default
echo 262144 > /proc/sys/net/core/wmem_max

echo -n "Loading Firewall Rules....."

#Set default policies
$Z -F
$Z -X
$Z -F -t nat
# default-deny for incoming packets (line reconstructed from aus9's follow-up post)
$Z -P INPUT DROP

#Set-up the "firewall-chain" rules
$Z -N firewall
$Z -A firewall -m limit --limit 20/minute -j LOG --log-level info --log-prefix "FIREWALL: "
$Z -A firewall -j DROP

#Stuff to stop SYN Floods
$Z -N syn-flood
$Z -A syn-flood -m limit --limit 1/s --limit-burst 10 -j RETURN
$Z -A syn-flood -j LOG --log-level info --log-prefix "FIREWALL: SYN Flood Stopped: "
$Z -A syn-flood -j DROP
$Z -A INPUT -p tcp --syn -j syn-flood

#State matching stuff - to accept related and established connections.
# (line reconstructed from aus9's follow-up post)
$Z -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

#ICMP Stuff
$Z -A INPUT -p icmp --icmp-type address-mask-reply -j ACCEPT
$Z -A INPUT -p icmp --icmp-type required-option-missing -j ACCEPT
$Z -A INPUT -p icmp --icmp-type parameter-problem -j ACCEPT
$Z -A INPUT -p icmp --icmp-type ip-header-bad -j ACCEPT
$Z -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
$Z -A INPUT -p icmp --icmp-type TOS-host-unreachable -j ACCEPT
$Z -A INPUT -p icmp --icmp-type source-route-failed -j ACCEPT
$Z -A INPUT -p icmp --icmp-type network-unknown -j ACCEPT
$Z -A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
$Z -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT

# Allow loopback traffic.
$Z -A INPUT -i lo -j ACCEPT
$Z -A OUTPUT -o lo -j ACCEPT

#Some deny stuff that we don't want to log (NetBIOS and DHCP broadcasts)
$Z -A INPUT -p udp --dport 137 -j DROP
$Z -A INPUT -p udp --dport 138 -j DROP
$Z -A INPUT -p udp --dport 67 -j DROP
$Z -A INPUT -p udp --dport 68 -j DROP

#Send everything else to the firewall chain - DENY it and LOG it.
$Z -A INPUT -p icmp -j firewall
$Z -A INPUT -p tcp --syn -j firewall
$Z -A INPUT -p udp -j firewall

echo "DONE"

########## end of file ###########

If others can spot any mistakes, feel free to comment etc., because I am NO expert.

unSpawn 08-28-2004 05:00 AM

Looks good. First thing I'd do is chop off the IN chain either using DROP or allowing only ESTABLISHED, RELATED. If you're running services you could define subchains for them. (Not directly related to this, but remember if you're running services you've got more options to curb access if daemons are TCP wrappers aware (compiled with libwrap: /etc/hosts.deny, /etc/hosts.allow) and that running services through (x)inetd gives you even more capabilities.) Personal choice, but I drop both in- and outbound traffic to unroutables I don't use (Google for IANA, "LAN range", bogon(s)). Personal choice, but I don't like to mix things: sysctl for me goes in /etc/sysctl.* files (they won't work anyway on boot once Grsecurity sealed access off), so they become executable at will. OTOH, something you may want to incorporate if you're sealing off module-loading capabilities (see Grsecurity, Lcap) is preloading modules.
Logging is knowing. Good you end the script with that.

Please check yourself if you missed anything else: check out the LQ FAQ: Security references. We've got some info and URIs to Iptables script repositories.
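The points in the reply above (a default-DROP INPUT chain that admits only ESTABLISHED,RELATED, a sub-chain per exposed service, and dropping in- and outbound traffic to unroutable ranges) put together as an added example rc.firewall for a single dial-up host. This is not aus9's script or anything from the LQ FAQ; the interface name ppp0, the chain names, the service list and the bogon list are assumptions, and the bogon list is a constructed subset that should be checked against the current IANA registry before use. Setting IPT="echo iptables" prints the rules instead of loading them, which is how to review the rule set without root.

```sh
#!/bin/sh
# Added example: default-deny rc.firewall for a host whose only link is ppp0.
# IPT="echo iptables" turns it into a dry run that prints the rules it would load.
IPT="${IPT:-/usr/sbin/iptables}"
PPP="${PPP:-ppp0}"

# Constructed list of ranges that should never be seen on a dial-up link
# (RFC 1918, loopback, link-local, TEST-NET, multicast/class E).
BOGONS="0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 192.0.2.0/24 192.168.0.0/16 224.0.0.0/3"

# Services deliberately exposed on the modem link, as "proto:port" pairs
# (hypothetical setting; empty by default, e.g. SERVICES="tcp:22" for sshd).
SERVICES="${SERVICES:-}"

fw_flush() {
    $IPT -F
    $IPT -X
    $IPT -t nat -F
    $IPT -t nat -X
}

fw_policies() {
    # Deny inbound and forwarded traffic by default; this host routes for nobody.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
}

fw_logdrop_chain() {
    # Everything sent here is logged at a bounded rate, then dropped.
    $IPT -N logdrop
    $IPT -A logdrop -m limit --limit 20/minute -j LOG --log-level info --log-prefix "FIREWALL: "
    $IPT -A logdrop -j DROP
}

fw_bogons() {
    # Drop traffic from (inbound) and to (outbound) unroutable ranges on the link.
    # Logging them makes a wrong entry in BOGONS visible in syslog instead of silent.
    for net in $BOGONS; do
        $IPT -A INPUT  -i "$PPP" -s "$net" -j logdrop
        $IPT -A OUTPUT -o "$PPP" -d "$net" -j logdrop
    done
}

fw_services() {
    # One sub-chain per exposed service: new connections are rate-limited,
    # and anything above the limit is logged and dropped.
    for svc in $SERVICES; do
        proto=${svc%%:*}
        port=${svc#*:}
        chain="svc_${proto}_${port}"
        $IPT -N "$chain"
        $IPT -A "$chain" -m limit --limit 30/minute --limit-burst 10 -j ACCEPT
        $IPT -A "$chain" -j logdrop
        $IPT -A INPUT -i "$PPP" -p "$proto" --dport "$port" -m state --state NEW -j "$chain"
    done
}

fw_input() {
    $IPT -A INPUT -i lo -j ACCEPT
    # Replies to connections this host opened itself.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -m state --state INVALID -j DROP
    # Keep path-MTU discovery and traceroute working; answer pings at a limited rate.
    $IPT -A INPUT -p icmp --icmp-type fragmentation-needed -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type time-exceeded -j ACCEPT
    $IPT -A INPUT -p icmp --icmp-type echo-request -m limit --limit 1/second -j ACCEPT
    # NetBIOS and DHCP noise: drop without logging.
    $IPT -A INPUT -p udp -m multiport --dports 67,68,137,138 -j DROP
    # Whatever is left is logged, so the DROP policy is visible rather than silent.
    $IPT -A INPUT -j logdrop
}

fw_start() {
    fw_flush
    fw_policies
    fw_logdrop_chain
    fw_bogons
    fw_services
    fw_input
}

fw_stop() {
    # Back to the kernel default: no rules, everything accepted.
    fw_flush
    $IPT -P INPUT ACCEPT
    $IPT -P FORWARD ACCEPT
    $IPT -P OUTPUT ACCEPT
}

case "${1:-}" in
    start) fw_start ;;
    stop)  fw_stop ;;
esac
```

Run as `rc.firewall start` from rc.inet2 exactly like the original; `IPT="echo iptables" sh rc.firewall start` lists the rules for review first. Because the bogon and service rules are appended before the ESTABLISHED,RELATED rule, an outbound connection to a bogon range is refused even though OUTPUT's policy is ACCEPT.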

aus9 08-28-2004 09:34 AM


I have just had a quick look myself, and it looks like the script has (2) input policies.
In the section under #Flush all firewall rules (stop the script) my input is ACCEPT,
and then I appear to correct it under #Set default policies with a policy for input to DROP.

Then I amend that under #State matching stuff - to accept related and established connections.

Or are you alluding to something else?

BTW, it's going to take me years to cover all your links, so any clues you can give on this one will be greatly appreciated.

unSpawn 08-28-2004 01:09 PM

In the section under #Flush.*Then I amend that under #State matching stuff - to accept related and established connections.
You're right. That teaches me to quickscan scripts instead of reading them well...
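unSpawn's "Logging is knowing" remark is only useful if somebody reads the log, so here is an added example (not from either poster) of a small summary function for the "FIREWALL: " lines that the LOG target in the script above writes via klogd. The log lines below are constructed samples in the usual kernel-message format, using documentation addresses; the hostname and timestamps are made up.

```sh
#!/bin/sh
# Added example: summarize iptables LOG lines by protocol, destination port and source.
# SAMPLE_LOG is constructed input; on Slackware the real lines land in /var/log/messages.
SAMPLE_LOG='Aug 28 04:59:01 slack kernel: FIREWALL: IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=31337 DF PROTO=TCP SPT=3456 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 28 04:59:03 slack kernel: FIREWALL: IN=ppp0 OUT= SRC=192.0.2.10 DST=198.51.100.7 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=31338 DF PROTO=TCP SPT=3457 DPT=135 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 28 05:02:17 slack kernel: FIREWALL: IN=ppp0 OUT= SRC=203.0.113.5 DST=198.51.100.7 LEN=404 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=UDP SPT=1026 DPT=1434 LEN=384
Aug 28 05:04:40 slack kernel: FIREWALL: SYN Flood Stopped: IN=ppp0 OUT= SRC=198.51.100.99 DST=198.51.100.7 LEN=40 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=40000 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Aug 28 05:05:00 slack sshd[123]: Accepted password for aus9 from 127.0.0.1'

# Read syslog lines on stdin, keep only those with the firewall prefix, and print
# "hits PROTO DPT SRC" with the busiest combination first. Lines without SRC=
# (anything that is not an iptables LOG line) are ignored.
fw_log_summary() {
    grep 'FIREWALL:' | awk '{
        src = ""; proto = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/)        src   = substr($i, 5)
            else if ($i ~ /^PROTO=/) proto = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt   = substr($i, 5)
        }
        if (src != "") hits[proto " " dpt " " src]++
    }
    END { for (k in hits) print hits[k], k }' | sort -rn
}

# Stand-alone run: summarize the constructed sample.
# printf '%s\n' "$SAMPLE_LOG" | fw_log_summary
```

For the real log: `fw_log_summary < /var/log/messages`. The first column is the number of logged packets, so repeated hits on one port from one source stand out at the top; because the script rate-limits the LOG rule to 20 per minute, the counts are a lower bound, not an exact packet count.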
