LinuxQuestions.org

Linux - Security: Where should this firewall script be placed? (https://www.linuxquestions.org/questions/linux-security-4/where-should-this-firewall-script-be-placed-288690/)

wardialer 02-10-2005 07:00 PM

Where should this firewall script be placed?
 
I am running Mandrake 9.1, and currently the iptables script that I have below is placed in the '/etc/rc.local' directory. Should it be placed somewhere else? I did a port security scan and it came up all stealthed. So I don't know.

Plus, even if I have this code placed there, should I leave the 'iptables' service ON or OFF??? As I recall, when I did this security test, I had the service not running and it still came up as stealth (as far as I can remember).

So, my question is, in what directory should this firewall code be placed? Or is the 'rc.local' directory OK??? And should I leave iptables under Services running or not running?

Here's the code:

Code:

#PROC SETTINGS
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts    #Block pings to broadcast IP (smurf)
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians          #Log non-routable IPs
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route  #Block source-routed packets

iptables -F
iptables -t nat -F
iptables -X
iptables -Z
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
iptables -P FORWARD DROP

#DROP BAD PACKETS
iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP      #DROP NEW NOT SYN
iptables -A INPUT -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP      #DROP SYN-FIN SCANS
iptables -A INPUT -p tcp --tcp-flags SYN,RST SYN,RST -j DROP      #DROP SYN-RST SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP      #DROP X-MAS SCANS
iptables -A INPUT -p tcp --tcp-flags ALL FIN -j DROP              #DROP NMAP FIN SCAN
iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP              #DROP NULL SCANS
iptables -A INPUT -p tcp --tcp-flags ALL ALL -j DROP              #DROP ALL/ALL SCANS

#LOG AND DROP IANA RESERVED/BOGONS
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 0.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 127.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 192.168.0.0/16 -j DROP
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -m limit --limit 5/m -j LOG --log-prefix "WARN: INVALID IP"
iptables -A INPUT -i ppp0 -s 172.16.0.0/12 -j DROP

iptables -A INPUT -i lo -j ACCEPT

iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT


win32sux 02-11-2005 02:00 AM

i think that after running your script you could do a:

Code:

service iptables save
and that would save your current rules and stuff to /etc/sysconfig/iptables...

just my two cents...

wardialer 02-11-2005 04:43 PM

Hello stranger!!!! Win32sux -

So in the console, I do an 'su' and then type the command EXACTLY as you have it, and then that's all I have to do????

Please explain.

For some reason, someone told me to paste the code in the rc.local directory. But even though it's there, I still get all stealthed ports for some reason.

Now please explain, should I take the code and move it in the /etc/sysconfig/iptables????? Please tell me.

And should I leave the IPTables Service running the whole time under Services????

win32sux 02-11-2005 06:08 PM

yeah, that's it... and you can use this command to make sure the rules have kicked-in:

Code:

iptables -L
remember that when you run that script from its own file you need to make the file executable, and there should be a shebang at the top:

Code:

chmod 755 firewall.txt
here's what i'd do with your firewall.txt script:

Code:

#!/bin/sh

IPT="/sbin/iptables"

# kernel knobs: no forwarding, SYN cookies on, no TCP timestamps,
# reverse-path filtering, ignore broadcast pings, refuse source-routed
# packets, accept only secure ICMP redirects, log martian sources
echo "0" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "0" > /proc/sys/net/ipv4/tcp_timestamps
echo "2" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# flush all rules and user chains in filter, nat and mangle, zero the
# counters, then default-deny anything inbound or forwarded
$IPT -F
$IPT -F -t nat
$IPT -F -t mangle
$IPT -X
$IPT -X -t nat
$IPT -X -t mangle
$IPT -Z
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD DROP

# conntrack helpers so FTP data and IRC DCC connections count as RELATED
/sbin/modprobe ip_conntrack_ftp
/sbin/modprobe ip_conntrack_irc

# stateful core: drop what conntrack cannot classify, accept replies to
# connections this box opened itself, and trust loopback
$IPT -A INPUT -m state --state INVALID -j DROP
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i lo -j ACCEPT

some people like to use rc.local for firewall scripts, but it's not a very good idea IMHO... i don't know about mandrake, but on slackware rc.local is one of the last startup scripts run - so there would be a "window" between when the network is brought-up and when the firewall kicks-in if you put your firewall script there... it may or may not be like this on mandrake... the optimal thing is to have the rules active before the network is up... that way you're always covered...

i believe you could manually put your rules in /etc/sysconfig/iptables if you want... but take a look at it after running the "service iptables save" command cuz i don't think the file is shell-script formatted...

i'm sorry i can't give you better answers, as you can see i don't use mandrake and i don't have access to a mandrake box to see for myself...

as for your box being stealthed: if you're not allowing any incoming connections on any port then "stealthed" is actually what you want... ;-)

wardialer 02-11-2005 07:27 PM

Ok, Im still a bit confused here.


I got the service iptables save command. Ok....

What output should I really be looking for on these two commands? Just please explain: when I type these commands, what output should I be looking for in order for this firewall script of mine to work?

service iptables save
Chmod 755 firewall.txt

So, do I have to really have this script in the (rc.local) or the one you mentioned (/etc/sysconfig/iptables)???

But, as so many people have confirmed that my script uses Stateful Packet Inspection, I really want to keep mine after all.

All I want to know is what directory should it be placed in?

IT HAS TO BE STATEFUL PACKET INSPECTION IPTABLES****

win32sux 02-11-2005 08:02 PM

Quote:

Originally posted by wardialer
I got the service iptables save command. Ok....

But what do I have to do after that?

not much... that's basically it... once you execute your firewall script and you've checked that it's all working the way you want it to, you run the "service iptables save" and the firewall configuration is *saved*... if you wanna make changes just edit your script, execute it, and do the save again...

Quote:

And where does this chmod 755 firewall.txt come into action? When do I have to type that command?

"chmod 755" makes any file executable... my point was that if you wanted to execute your firewall script you'd need to make sure the file was executable first... the name "firewall.txt" is just an example, you could call your firewall script anything you like, but make sure there's a shebang at the top...

let's say i have my firewall script in a file called wardialer_firewall.sh... to make it executable and then execute it i would do this:

Code:

chmod 755 wardialer_firewall.sh

./wardialer_firewall.sh

then i can use whatever method i use to check if everything is fine and when i'm sure then i can save the firewall configuration using the "service iptables save" command to make it "permanent"... if you don't do the "save" after running the script the configuration will be gone upon reboot...

Quote:

So, do I have to really have this script in the (rc.local) or the one you mentioned (/etc/sysconfig/iptables)???

you really don't need to put the script anywhere in particular... run it from anywhere you want - when you do the "service iptables save" your configuration will be properly saved to /etc/sysconfig/iptables... as i mentioned before, using rc.local for a firewall script is not a good idea...

Quote:

And you posted a script.... can you confirm that it uses Stateful Packet Inspection? or does mine use Stateful Packet Inspection???

yeah, it basically does the same thing your script does, except i removed stuff i found useless and added a thing or two... yes, it uses stateful packet filtering - any firewall that can recognize what NEW, ESTABLISHED, and RELATED packets are is using stateful packet filtering - it's a fundamental part of netfilter, which is what you are using...

remember that iptables is only the tool that is used to configure netfilter... technically speaking, your iptables script isn't a "firewall", it's just the script with the instructions to "configure" your firewall... the "service iptables save" thing does nothing but save the configuration in such a manner that it will be there when you reboot...

Quote:

IT HAS TO BE STATEFUL PACKET INSPECTION IPTABLES**** Thats it, nothing else.

any decent iptables script is like this nowadays... in yours, for example, you are blocking all incoming packets to your computer, except those that are determined to have a *state* of ESTABLISHED/RELATED... in other words, you are only allowing input packets that are related to connections you have established yourself (from inside) - none that are starting connections from the outside are allowed...

take a look at the LQ iptables wiki:

http://wiki.linuxquestions.org/wiki/Iptables


also - more importantly - here's a page where you can find lots of links to iptables documentation (howtos, faqs, example scripts, tutorials, etc.):

http://www.linuxguruz.com/iptables/


once you read-up on iptables all of this will be very clear to you, and easy...

=)
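The workflow win32sux describes (write the script with a shebang, chmod it, execute it, check with iptables -L, then "service iptables save") is easier to get right if the script can first show what it would do. The script below is an added example and is not code from either poster: it merges the two rulesets in this thread into one stand-alone file with a dry-run mode, so the rule order can be reviewed before anything is loaded. It assumes iptables is at /sbin/iptables and that ppp0 is the external interface (both taken from the posted scripts, not verified for any particular box).

```shell
#!/bin/sh
# Added example, not code from either poster: the thread's stateful ruleset as
# one stand-alone script with a dry-run mode. Assumed (taken from the posted
# scripts, not from the distribution): iptables at /sbin/iptables, external
# link ppp0.
#
#   ./fw.sh          print the commands it would run (no root needed)
#   ./fw.sh apply    load the rules (as root), then inspect with iptables -L -n -v

IPT="${IPT:-/sbin/iptables}"
EXT_IF="${EXT_IF:-ppp0}"
DRY_RUN="${DRY_RUN:-1}"

# In dry-run mode each command is printed instead of executed.
run() {
    if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# Set a /proc/sys/net/ipv4 knob, or print the write in dry-run mode.
knob() {   # $1 = path under /proc/sys/net/ipv4, $2 = value
    if [ "$DRY_RUN" = 1 ]; then
        echo "echo $2 > /proc/sys/net/ipv4/$1"
    else
        echo "$2" > "/proc/sys/net/ipv4/$1"
    fi
}

fw_rules() {
    knob ip_forward 0                     # this box is not a router
    knob tcp_syncookies 1                 # survive SYN floods
    knob icmp_echo_ignore_broadcasts 1    # no smurf amplification
    knob conf/all/accept_source_route 0   # refuse source-routed packets
    knob conf/all/rp_filter 1             # reverse-path check on every interface
    knob conf/all/log_martians 1          # log impossible source addresses

    # Clean slate, then default-deny for anything inbound or forwarded.
    run "$IPT" -F
    run "$IPT" -F -t nat
    run "$IPT" -F -t mangle
    run "$IPT" -X
    run "$IPT" -Z
    run "$IPT" -P INPUT DROP
    run "$IPT" -P FORWARD DROP
    run "$IPT" -P OUTPUT ACCEPT

    # Loopback is trusted; packets conntrack cannot classify are dropped early.
    run "$IPT" -A INPUT -i lo -j ACCEPT
    run "$IPT" -A INPUT -m state --state INVALID -j DROP

    # Private and reserved source addresses never legitimately arrive on the
    # external link: log a few per minute and drop them. This sits BEFORE the
    # stateful accept so a spoofed source cannot ride an existing conntrack entry.
    for net in 0.0.0.0/8 127.0.0.0/8 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        run "$IPT" -A INPUT -i "$EXT_IF" -s "$net" -m limit --limit 5/minute \
            -j LOG --log-prefix "WARN: INVALID IP "
        run "$IPT" -A INPUT -i "$EXT_IF" -s "$net" -j DROP
    done

    # The stateful core: only replies to connections this box opened get in.
    # Everything else falls through to the INPUT DROP policy, which is what a
    # "stealth" scan result reflects.
    run "$IPT" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# Number of INPUT rules the script would append; compare with
# "iptables -S INPUT | grep -c '^-A INPUT'" after applying.
count_input_rules() {
    (DRY_RUN=1; fw_rules) | grep -c -- "-A INPUT "
}

# 1-based position of the first dry-run line matching a pattern,
# for checking that rules land in the intended order.
rule_position() {   # $1 = grep pattern
    (DRY_RUN=1; fw_rules) | grep -n -- "$1" | head -n 1 | cut -d: -f1
}

case "${1:-}" in
    apply) DRY_RUN=0; fw_rules ;;
    "")    DRY_RUN=1; fw_rules ;;
esac
```

Save it as a file, make it executable (chmod 755), run it once with no argument to read the command list, then run it as root with "apply", confirm with iptables -L -n -v that the policies are DROP and the rules are present, and only then run "service iptables save". Because the save step is separate, a broken edit is still undone by a reboot, exactly as win32sux describes.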

wardialer 02-11-2005 09:14 PM

I would like to start from scratch with this explanation: please explain the whole thing from scratch, because I'm still lost.

Do I have to do the service iptables save first, or the chmod 755 firewall.txt??? I don't understand why I can't just cut/paste it into the other mentioned directory without doing these commands??? What do you mean by "executing" the script??? That really has me confused, and I apologize.

Ok, I have my current script in the 'rc.local' directory. What should I do with this once I boot into Linux? Please explain the commands in order of importance. What do you mean I have to execute it? It's just a written script, not an application. So, you're saying I have to run the execute command every time I boot??? So where is my actual firewall if the script is not a firewall? And what should I use as an actual firewall if this script is not a firewall??

So my question is, what command do I have to do first in order for this to work the whole time??? The chmod 755 command or the other one?

Do I have to do it like this: chmod 755 /etc/sysconfig/iptables

And the iptables service under Services, should I leave that running or turned off?


win32sux 02-11-2005 09:48 PM

Quote:

Ok, I have my current script in the 'rc.local' directory. What should I do with this once I boot into Linux?

NOTHING... if you use the rc.local method, then the iptables rules will be run from there every boot... using your own INDIVIDUAL script and the "service iptables save" thing is the proper ALTERNATIVE... you don't do both...

in other words, putting your iptables rules in rc.local will "work", but it's not the "kosher" way of doing things... rc.local is mainly used for other types of things... for something security-oriented like iptables it's better to do it the right way...

by using rc.local for your iptables rules there would be a window of opportunity between the time your network card is brought-up and the time your rules take effect - that sucks...

Quote:

What do you mean I have to execute it? Its just a written script, not an application.

scripts get executed also, not just applications... the rc.local file is executed at startup time... so the commands you put in there are run when the file is executed... think about it: your rc.local file isn't an application either, yet it gets executed at startup... check this out:

http://gd.tuwien.ac.at/linuxcommand....l_scripts.html

Quote:

So, you're saying I have to run the execute command every time I boot???

no, just once... but this is if you choose to do the firewall thing by using an individual iptables script as i suggested... you create the script with all your iptables rules and stuff, and then you execute it (which configures your firewall)... after that you do the "save" thing and the firewall configuration is stored... you could even delete the iptables script after that, for example...

remove the iptables rules you have in rc.local... then save the script i posted to a text file, make it executable, and then execute it... now do the "service iptables save" thing and you're done... when you wanna make changes to your firewall configuration simply edit the script and execute it, and when you've checked it's fine you do the save thing... if you screwed-up and the new script sucked you'd still be okay cuz you hadn't saved it yet... so upon reboot you'd be back to your latest "known-good" configuration...

Quote:

So where is my actual firewall if the script is not a firewall?

the actual firewall is part of the linux kernel... it's called netfilter...
Quote:

netfilter and iptables are building blocks of a framework inside the Linux 2.4.x and 2.6.x kernel. This framework enables packet filtering, network address [and port] translation (NA[P]T) and other packet mangling. It is the re-designed and heavily improved successor of the previous Linux 2.2.x ipchains and Linux 2.0.x ipfwadm systems.

netfilter is a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack. A registered callback function is then called back for every packet that traverses the respective hook within the network stack.

iptables is a generic table structure for the definition of rulesets. Each rule within an IP table consists out of a number of classifiers (iptables matches) and one connected action (iptables target).

netfilter, iptables and the connection tracking as well as the NAT subsystem together build the whole framework.
http://www.netfilter.org/

your iptables script simply "tells" netfilter how you want it to work... the "service iptables save" command simply tells iptables to "remember" the instructions that you've given it, so that you don't have to execute the script yourself every time you boot...

by putting the iptables rules in rc.local you aren't using iptables' "save" feature, you're just running the rules at startup every time, much like if you would do it manually after the network is up...

Quote:

And the iptables service under Services, should I leave that running or turned off?

leave it turned-on cuz you're using it... ;-)

Quote:

And this time, I am so mad at myself that starting from now, ITS A MUST that I will learn Linux. Its just a whole different OS and I MUST learn it.

i know what you're going through, i've been there... i'm an ex-windows user... what i can tell you is that it's important for you to READ... i had to read quite a few iptables tutorials before i grasped the "general concept" properly... once i had the concept down, learning the ins and outs wasn't so painful... i know you haven't read the documentation i gave you yet, but it's important that you do read lots of it if you really wanna understand iptables...

http://www.linuxguruz.com/iptables/

also, do some research about shell scripts, make sure you check out the link about shell scripts i posted above... it's important that you know how to make files executable, how to execute them, and what shell scripts are...

http://www.google.com/linux?hl=en&lr...=Google+Search


wardialer 02-11-2005 10:03 PM

Ok, I just did the service iptables save command and I saw it was OK. So, I went to the /etc/sysconfig/iptables and I saw the script there. ....

Is this a good sign??? Now, what do I have to do after this???

win32sux 02-11-2005 10:15 PM

Quote:

Originally posted by wardialer
I did a IPTables -L command and my script is listed. Is this a good sign????

well, yeah... but i don't think there has been any doubt that your rules were getting executed, since you stated you were stealthed...

the only issue i see is that you're doing it from rc.local... it's important that you learn to work with an individual iptables script and not rely on rc.local for your iptables needs...

you can post the output of the "iptables -L" command here by copy/pasting it...

Quote:

Also, there is no /etc/sysconfig/iptables. I double checked in Gedit/Open/Directory

well, maybe it's another file or something... honestly i based myself on this thread, since i don't use mandrake:

http://www.linuxquestions.org/questi...threadid=73921

perhaps the file is created the first time you run the save command??

but the main thing is that when using iptables' save feature you don't need to know what file it uses to save the config (cuz you don't need to touch that file yourself)...

the most important thing (for now) is that you know how to make/edit your own script, how to make it executable, how to execute it, and how to save its config...

;-)
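The saved configuration win32sux refers to is not a shell script: "service iptables save" writes the ruleset in iptables-save format (table headers, chain policies, one "-A" line per rule, COMMIT), which the iptables init script reloads at boot. That is why pasting the script into that file would not work. The checker below is an added example, not code from the thread or from Mandrake; the two sample files are constructed here, and /etc/sysconfig/iptables is the path the thread mentions for Red Hat-style systems, which is the one you would pass on a real box. It confirms the saved file actually carries the DROP policies before you trust it across a reboot.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect a file in the format that
# "service iptables save" writes (the output of iptables-save). The samples
# below are constructed for this example; on a real box pass the saved file,
# e.g. /etc/sysconfig/iptables (path as mentioned in the thread, assumed here).

# Policy recorded for a chain in the *filter table (":INPUT DROP [0:0]" -> DROP).
saved_policy() {   # $1 = file, $2 = chain
    awk -v chain="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == (":" chain) { print $2; exit }
    ' "$1"
}

# Number of rules appended to a chain in the *filter table.
saved_rule_count() {   # $1 = file, $2 = chain
    awk -v chain="$2" '
        /^\*/ { table = substr($0, 2) }
        table == "filter" && $1 == "-A" && $2 == chain { n++ }
        END { print n + 0 }
    ' "$1"
}

# Exit 0 only if INPUT and FORWARD both default to DROP: the thing to confirm
# before trusting the saved file to restore a default-deny firewall at boot.
saved_is_default_deny() {   # $1 = file
    [ "$(saved_policy "$1" INPUT)" = DROP ] &&
    [ "$(saved_policy "$1" FORWARD)" = DROP ]
}

# Constructed sample of what the save command emits after loading the
# thread's stateful rules. Note it is rule data, not a shell script.
SAMPLE_SAVED=$(mktemp)
cat > "$SAMPLE_SAVED" <<'EOF'
# Generated by iptables-save (sample constructed for this example)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -i ppp0 -s 10.0.0.0/8 -m limit --limit 5/min -j LOG --log-prefix "WARN: INVALID IP "
-A INPUT -i ppp0 -s 10.0.0.0/8 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed
EOF

# Constructed stock file with ACCEPT policies (what you get if the save ran
# before the script did): the check must reject it.
SAMPLE_OPEN=$(mktemp)
cat > "$SAMPLE_OPEN" <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
EOF
trap 'rm -f "$SAMPLE_SAVED" "$SAMPLE_OPEN"' EXIT

# Human-readable summary of one saved file.
report() {   # $1 = file
    echo "INPUT policy:   $(saved_policy "$1" INPUT), $(saved_rule_count "$1" INPUT) rules"
    echo "FORWARD policy: $(saved_policy "$1" FORWARD), $(saved_rule_count "$1" FORWARD) rules"
    if saved_is_default_deny "$1"; then
        echo "default-deny: yes"
    else
        echo "default-deny: NO - run the firewall script, then save again"
    fi
}

report "$SAMPLE_SAVED"
```

Run the report function against the real saved file right after "service iptables save"; if it reports ACCEPT policies or zero INPUT rules, the save captured the kernel's empty default ruleset rather than your script, which is the outcome to watch for when the script was never executed.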

wardialer 02-11-2005 10:17 PM

Ok, now, I just turned ON iptables as RUNNING under the Mandrake Services. It's RUNNING.

Now where does the chmod 755 come into action???

win32sux 02-11-2005 10:19 PM

the rules you just saved... where'd you run them from??

wardialer 02-11-2005 10:24 PM

I ran them from the terminal Konsole.... Why?

Heres a recap of what I did in order:

1. Did a service iptables save command and it told me OK.
2. Went into /etc/sysconfig/iptables and it showed my script.
3. Then I went to Mandrake System Services and started iptables as RUNNING. Now it's running.
4. Whats next???

What's next??? I still have the same script in my rc.local. Should I remove that?

Now, when should I do the chmod 755 thing???

win32sux 02-11-2005 10:27 PM

yes, if you want to do it the right way then remove any iptables stuff from your rc.local...

once you've done that, then save the example script i posted to a text file, make the text file executable, and then execute it... then do the save again... then reboot your computer and do a "iptables -L" and post the output on this thread....

wardialer 02-11-2005 10:29 PM

But I want to use the script that I posted above. Could I do that??? And which text file program does Mandrake use? I just feel comfortable with my script. So you're saying it's not really secure? I may use yours, but could I please use mine for now? I just feel comfortable with it.

Ok, how would I make the script executable???? This is what confuses me. How can I make the text file executable??

Suppose I use Kwrite, after Pasting my script in there, then how can I make it executable?

