LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
#1  09-10-2004, 06:48 PM  kola (Member; Christchurch, New Zealand; FC2, Debian 'Sarge')
Securing iptables


Hi folks, would anyone care to comment on the following iptables script and suggest any improvements or additions I can make to secure it a little more?

I guess a little info on the machine is also needed. It's running FC2 as a server (only on dial-up temporarily), and gives access to HTTP, Telnet and Passive FTP. It also has a Win98 client sitting behind it.

thanks.

Code:
#!/bin/sh
IPTABLES=/sbin/iptables

# Setting EXTERNAL and INTERNAL interfaces
EXTIF="ppp0"
INTIF="eth0"

echo "loading firewall script"
# Enable forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward

# load the ftp connection-tracking helpers if present
# (2.4 kernels ship them as .o, 2.6 kernels such as FC2's as .ko)
MODDIR=/lib/modules/`uname -r`/kernel/net/ipv4/netfilter
for mod in ip_conntrack_ftp ip_nat_ftp; do
    if [ -e $MODDIR/$mod.o ] || [ -e $MODDIR/$mod.ko ]; then /sbin/modprobe $mod; fi
done

# Flushing old tables & setting defaults
$IPTABLES -F INPUT
$IPTABLES -P INPUT DROP
$IPTABLES -F OUTPUT
$IPTABLES -P OUTPUT ACCEPT

# Setup nat
$IPTABLES -F FORWARD
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
$IPTABLES -P FORWARD DROP
# Allow all internal traffic
$IPTABLES -A INPUT -i $INTIF -j ACCEPT
$IPTABLES -A OUTPUT -o $INTIF -j ACCEPT

# allow established and related packets back in
$IPTABLES -A INPUT -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
# telnet and http: no -i given, so these match on every interface
$IPTABLES -A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 23 -j ACCEPT
$IPTABLES -A INPUT -p tcp -m state --state NEW,ESTABLISHED -m tcp --dport 80 -j ACCEPT
# ftp control channel
$IPTABLES -A INPUT -i ppp0 -p tcp --dport 21 -m state --state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -A OUTPUT -o ppp0 -p tcp --dport 21 -m state --state ESTABLISHED,RELATED -j ACCEPT
# passive ftp data channel: this accepts NEW connections from the internet to
# every port above 1023, not only the ftp data ports; with ip_conntrack_ftp
# loaded the ESTABLISHED,RELATED rule above already covers the data channel
$IPTABLES -A INPUT -i ppp0 -p tcp --dport 1024: -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -o ppp0 -p tcp --dport 1024: -j ACCEPT

# replies from the internet back to the lan, anything from the lan out
$IPTABLES -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
$IPTABLES -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE

# allow all packets on the loopback interface
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A OUTPUT -o lo -j ACCEPT

# End of script
 
#2  09-10-2004, 07:54 PM  win32sux (LQ Guru)
your script actually works, right? like, you just want to tighten it up and stuff??
 
#3  09-10-2004, 08:00 PM  kola (Original Poster)
Yes it works as it is,

but are those rules safe? I'm still a bit dubious about the ftp ones but couldn't see another way to do it.

And there must be rules I should have for other things but don't.
I'm just after some tweaking

thanks
 
#4  09-10-2004, 08:03 PM  wardialer (Member)
Go to www.grc.com

From there, look for Shields Up. Then do a test on the following: File Sharing, Common Ports, and All Service Ports. If all of your ports are stealthed, then you're OK.

However, some people out here think that this is not reliable nor gives accurate results. I don't know. But give it a try. Steve Gibson is a security expert (mainly for Windows systems).

Good Luck
 
#5  09-10-2004, 08:04 PM  win32sux (LQ Guru)
Quote:
Originally posted by kola
I'm just after some tweaking
I'm tweaking your script as we speak...
 
#6  09-10-2004, 08:19 PM  win32sux (LQ Guru)
Code:
#!/bin/sh

IPTABLES="/sbin/iptables"
EXTIF="ppp0"
INTIF="eth0"
INTIF_IP="192.168.0.1"
INTIF_NET="192.168.0.0/24"
LO="lo"
LO_IP="127.0.0.1"

# kernel settings: forwarding on, SYN cookies, ignore broadcast pings,
# reverse-path filtering, ICMP redirects only from known gateways, log martians
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# connection tracking plus the ftp helpers (passive ftp data channels
# become RELATED, so no high-port hole is needed)
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_irc
#/sbin/modprobe ip_conntrack_irc

# flush and delete every chain, then default the three filter chains to DROP
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
$IPTABLES -X
$IPTABLES -X -t nat
$IPTABLES -X -t mangle
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT


###############################################################################
### INPUT
###############################################################################

$IPTABLES -A INPUT -p ALL -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p ALL -i $LO -s $LO_IP -j ACCEPT
# a packet that opens a new TCP connection must be a SYN; anything else
# (ACK/FIN scans, stray packets) is dropped here without being logged
$IPTABLES -A INPUT -p TCP ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
# services published to the internet: telnet, http, ftp control channel
$IPTABLES -A INPUT -p TCP -i $EXTIF --dport 23 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $EXTIF --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $EXTIF --dport 21 -j ACCEPT
# unfragmented echo requests only
$IPTABLES -A INPUT -p ICMP ! --fragment --icmp-type 8 -j ACCEPT
# note: nothing above accepts NEW connections arriving on $INTIF, so hosts
# on the lan cannot open connections to the gateway itself
$IPTABLES -A INPUT -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "INPUT DROP: "


###############################################################################
### OUTPUT
###############################################################################

$IPTABLES -A OUTPUT -p ALL -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -p ALL -o $LO -s $LO_IP -j ACCEPT
# packets to the lan may only carry the gateway's own address
$IPTABLES -A OUTPUT -p ALL -o $INTIF -s $INTIF_IP -j ACCEPT
# everything out to the internet (this box is also used as a client)
$IPTABLES -A OUTPUT -p ALL -o $EXTIF -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "OUTPUT DROP: "


###############################################################################
### FORWARD
###############################################################################

$IPTABLES -A FORWARD -p ALL -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP
# replies from the internet back to the lan
$IPTABLES -A FORWARD -p ALL -i $EXTIF -o $INTIF -m state --state \
ESTABLISHED,RELATED -j ACCEPT
# anything from the lan to the internet, as long as it carries a lan source address
$IPTABLES -A FORWARD -p ALL -i $INTIF -o $EXTIF -s $INTIF_NET -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "FORWARD DROP: "


###############################################################################
### POSTROUTING
###############################################################################

# masquerade lan traffic behind the dynamic ppp0 address
$IPTABLES -t nat -A POSTROUTING -p ALL -o $EXTIF -j MASQUERADE


echo "So let it be written, so let it be done..."

Last edited by win32sux; 09-10-2004 at 08:49 PM.
 
#7  09-10-2004, 08:19 PM  kola (Original Poster)
Wardialer...

As posted above, the machine is running public services. GRC is good to see what ports are open, but they aren't going to be stealthed, are they? I asked for help with the scripting, not to see if I'm totally locked down, as I don't want to be.
--

Cheers win32sux, I appreciate the help
 
#8  09-10-2004, 08:25 PM  kola (Original Poster)
Well, that's certainly a lot more detailed than my script was!

Could you just explain the major changes you made, so I know what I'm looking at? Better to learn than to just copy.

cheers for the help
 
#9  09-10-2004, 08:26 PM  win32sux (LQ Guru)
post any part of the script which you have doubts about, and I'll gladly do my best to explain...

Last edited by win32sux; 09-10-2004 at 08:45 PM.
 
#10  09-10-2004, 09:05 PM  win32sux (LQ Guru)
I've made a couple of fixes, make sure you try the latest version of the tweaked script...

also, if you wanna take a look at a more secure setup I'm helping someone else with, go here:

http://www.linuxquestions.org/questi...hreadid=225598

you might find that thread interesting and educational, even though the script I contributed on that thread is way more restrictive than you need yours to be...
 
#11  09-11-2004, 02:54 PM  SciYro (Senior Member)
$IPTABLES -A INPUT -p TCP ! --syn -m state --state NEW -j DROP

concerning that line, you should change it, as stated in the following link it could make you into a prime target for someone to pretend to be you

http://iptables-tutorial.frozentux.n...l#SYNACKANDNEW

also you might want to consider using REJECT more than DROP, as stealthing can sometimes make your computer look suspicious ("ooo, a firewall, I wonder how much important stuff is in that computer!!")
 
#12  09-11-2004, 07:47 PM  win32sux (LQ Guru)
Quote:
Originally posted by SciYro
$IPTABLES -A INPUT -p TCP ! --syn -m state --state NEW -j DROP

concerning that line, you should change it, as stated in the following link it could make you into a prime target for someone to pretend to be you
I think you are somewhat confused... that rule drops any new packet that doesn't have the SYN bit set...

every new packet should be a SYN packet, if it isn't then the packet is usually part of something funky, like a portscan (for example), so we ignore it...

using the "new not syn" rule on the forward chain also provides an interesting side-effect: it can prevent certain Windows spyware on the lan from "calling home"...

Quote:
also you might want to consider using REJECT more than DROP, as stealthing can sometimes make your computer look suspicious ("ooo, a firewall, I wonder how much important stuff is in that computer!!")
I respectfully disagree... you should use DROP whenever you can, and only use REJECT when you must...

also, there's no such thing as "stealth" on a machine that's running a web, ftp, and a telnet daemon...
 
#13  09-11-2004, 09:48 PM  SciYro (Senior Member)
yeah I am confused ... but that's only expected, I get confused easily

anyways, from my confused self, I'll just ask .... did you even read the small link? .. I know that no new connections should be without a SYN bit

rereading my post I think I was confused when writing that, which leads to further confusion down the line of confusions on this day of confusion .... .. I should rewrite that first part to "maybe consider adding a new rule"

I think I'll go eat ..
 
#14  09-11-2004, 11:47 PM  win32sux (LQ Guru)
kola, the script I gave you permits all output... this is only necessary if you are also going to be using the firewall machine as a client on the internet... if it's a 100% pure server and gateway-only machine, then you should only allow traffic related to the daemons to be output...

I mention this cuz, well, this thread is about hardening your script... so here you go:

Code:
#!/bin/sh

IPTABLES="/sbin/iptables"
EXTIF="ppp0"
INTIF="eth0"
INTIF_IP="192.168.0.1"
INTIF_NET="192.168.0.0/24"
LO="lo"
LO_IP="127.0.0.1"

# kernel settings: forwarding on, SYN cookies, ignore broadcast pings,
# reverse-path filtering, ICMP redirects only from known gateways, log martians
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# connection tracking plus the ftp helpers
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_irc
#/sbin/modprobe ip_conntrack_irc

# flush and delete every chain, then default the three filter chains to DROP
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
$IPTABLES -X
$IPTABLES -X -t nat
$IPTABLES -X -t mangle
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT


###############################################################################
### INPUT
###############################################################################

$IPTABLES -A INPUT -p ALL -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p ALL -i $LO -s $LO_IP -j ACCEPT
# new TCP connections must start with a SYN; everything else is dropped unlogged
$IPTABLES -A INPUT -p TCP ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
# services published to the internet: telnet, http, ftp control channel
$IPTABLES -A INPUT -p TCP -i $EXTIF --dport 23 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $EXTIF --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $EXTIF --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p ICMP ! --fragment --icmp-type 8 -j ACCEPT
# note: no rule accepts NEW connections arriving on $INTIF
$IPTABLES -A INPUT -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "INPUT DROP: "


###############################################################################
### OUTPUT
###############################################################################

$IPTABLES -A OUTPUT -p ALL -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -p ALL -o $LO -s $LO_IP -j ACCEPT
# server-only: packets leave via ppp0 only as part of a connection that came
# in; the gateway itself cannot open connections (no outbound DNS lookups or
# updates from this box) and nothing is accepted out of $INTIF
$IPTABLES -A OUTPUT -p ALL -o $EXTIF -m state --state \
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "OUTPUT DROP: "


###############################################################################
### FORWARD
###############################################################################

$IPTABLES -A FORWARD -p ALL -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP
# replies from the internet back to the lan
$IPTABLES -A FORWARD -p ALL -i $EXTIF -o $INTIF -m state --state \
ESTABLISHED,RELATED -j ACCEPT
# anything from the lan to the internet, as long as it carries a lan source address
$IPTABLES -A FORWARD -p ALL -i $INTIF -o $EXTIF -s $INTIF_NET -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "FORWARD DROP: "


###############################################################################
### POSTROUTING
###############################################################################

$IPTABLES -t nat -A POSTROUTING -p ALL -o $EXTIF -j MASQUERADE


echo "So let it be written, so let it be done..."

also, the forward chain right now allows all traffic from the lan to the internet... you can tweak the forward chain and allow only certain types of connections from the lan to the internet... like, for example, web or email traffic... that would make it much tighter...

this example blocks anything from the lan to the internet that isn't WEB traffic:

Code:
#!/bin/sh

IPTABLES="/sbin/iptables"
EXTIF="ppp0"
INTIF="eth0"
INTIF_IP="192.168.0.1"
INTIF_NET="192.168.0.0/24"
LO="lo"
LO_IP="127.0.0.1"

# kernel settings: forwarding on, SYN cookies, ignore broadcast pings,
# reverse-path filtering, ICMP redirects only from known gateways, log martians
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/conf/all/rp_filter
echo "1" > /proc/sys/net/ipv4/conf/all/secure_redirects
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians

# connection tracking plus the ftp helpers
/sbin/modprobe ip_tables
/sbin/modprobe ip_conntrack
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
#/sbin/modprobe ip_nat_irc
#/sbin/modprobe ip_conntrack_irc

# flush and delete every chain, then default the three filter chains to DROP
$IPTABLES -F
$IPTABLES -F -t nat
$IPTABLES -F -t mangle
$IPTABLES -X
$IPTABLES -X -t nat
$IPTABLES -X -t mangle
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT


###############################################################################
### INPUT
###############################################################################

$IPTABLES -A INPUT -p ALL -m state --state INVALID -j DROP
$IPTABLES -A INPUT -p ALL -i $LO -s $LO_IP -j ACCEPT
# new TCP connections must start with a SYN; everything else is dropped unlogged
$IPTABLES -A INPUT -p TCP ! --syn -m state --state NEW -j DROP
$IPTABLES -A INPUT -p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT
# services published to the internet: telnet, http, ftp control channel
$IPTABLES -A INPUT -p TCP -i $EXTIF --dport 23 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $EXTIF --dport 80 -j ACCEPT
$IPTABLES -A INPUT -p TCP -i $EXTIF --dport 21 -j ACCEPT
$IPTABLES -A INPUT -p ICMP ! --fragment --icmp-type 8 -j ACCEPT
# note: no rule accepts NEW connections arriving on $INTIF
$IPTABLES -A INPUT -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "INPUT DROP: "


###############################################################################
### OUTPUT
###############################################################################

$IPTABLES -A OUTPUT -p ALL -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -p ALL -o $LO -s $LO_IP -j ACCEPT
# server-only: packets leave via ppp0 only as part of a connection that came in
$IPTABLES -A OUTPUT -p ALL -o $EXTIF -m state --state \
ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "OUTPUT DROP: "


###############################################################################
### FORWARD
###############################################################################

$IPTABLES -A FORWARD -p ALL -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -p TCP ! --syn -m state --state NEW -j DROP
# replies from the internet back to the lan
$IPTABLES -A FORWARD -p ALL -i $EXTIF -o $INTIF -m state --state \
ESTABLISHED,RELATED -j ACCEPT
# the lan may only open http and https connections; note that DNS (udp 53)
# is not among them, so name lookups sent to an internet DNS server are
# dropped here as well
$IPTABLES -A FORWARD -p TCP -i $INTIF -o $EXTIF -s $INTIF_NET \
--dport 80 -j ACCEPT
$IPTABLES -A FORWARD -p TCP -i $INTIF -o $EXTIF -s $INTIF_NET \
--dport 443 -j ACCEPT
$IPTABLES -A FORWARD -m limit --limit 12/minute --limit-burst 12 -j LOG \
--log-prefix "FORWARD DROP: "


###############################################################################
### POSTROUTING
###############################################################################

$IPTABLES -t nat -A POSTROUTING -p ALL -o $EXTIF -j MASQUERADE


echo "So let it be written, so let it be done..."

just my two cents...


Last edited by win32sux; 09-11-2004 at 11:59 PM.
 
#15  09-12-2004, 05:58 AM  kola (Original Poster)
Win32sux,

Thanks for the help buddy. Unfortunately yes I am using this machine as a client on the internet, so all output is needed; your first script is a great help.

Looks like we might be changing to ADSL in a week or so, so I guess it'll need changing again then, but hey.. :P

One more thing. Does this log to the system log? And is it possible to change the logfile and add in more log dumps?

Straight away in the sys log I am getting lots of:
Code:
Sep 12 21:37:16 xeres kernel: INPUT DROP: IN=eth0 OUT= MAC=00:d0:09:dc:84:43:00:10:b5:52:d9:81:08:00 SRC=192.168.0.2 DST=192.168.0.1 LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=42502 DF PROTO=TCP SPT=1237 DPT=80 WINDOW=8192 RES=0x00 SYN URGP=0

This looks like outbound traffic from the Win98 client, yes? Any idea what it's blocking and why? I'm thinking maybe a Kazaa/MSN type program?

Quote:
just my two cents...
Worth much more than that
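To see why kola's eth0 line ends up in syslog, and why the "new not syn" rule discussed in posts #11 to #13 never produces such a line, here is an added example (not code from any post in this thread) that models the INPUT chain of win32sux's first script as an ordered rule list and walks a few packets through it. The Packet class, the walk_input function and the internet-side addresses 203.0.113.7 and 198.51.100.23 are assumptions made for the illustration; the conntrack state of each packet is supplied by hand, because the LOG target does not record it. The first sample is built from the exact log line kola posted.

```python
"""Walk the INPUT chain of the posted script for a few packets.

Added example for this thread, not code from any of the posts. The rule list
is the INPUT chain of win32sux's first script in its original order; the
conntrack state is an assumption supplied per packet, and the internet-side
addresses are constructed documentation addresses.
"""
import re
from dataclasses import dataclass

EXTIF, INTIF, LO, LO_IP = "ppp0", "eth0", "lo", "127.0.0.1"
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}


@dataclass
class Packet:
    iface: str                      # IN= interface the packet arrived on
    proto: str                      # TCP, UDP or ICMP
    src: str
    dst: str
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags as LOG prints them
    state: str = "NEW"              # conntrack: NEW, ESTABLISHED, RELATED, INVALID
    icmp_type: int = -1
    fragment: bool = False


def is_syn(p):
    """iptables --syn: SYN set, ACK and RST clear."""
    return "SYN" in p.flags and not ({"ACK", "RST"} & p.flags)


# (rule as written in the script, match function, target)
INPUT_CHAIN = [
    ("-p ALL -m state --state INVALID -j DROP",
     lambda p: p.state == "INVALID", "DROP"),
    ("-p ALL -i lo -s 127.0.0.1 -j ACCEPT",
     lambda p: p.iface == LO and p.src == LO_IP, "ACCEPT"),
    # an ACK-scan probe is NEW to conntrack but carries no SYN: it dies here,
    # before the LOG rule, so it never shows up in syslog
    ("-p TCP ! --syn -m state --state NEW -j DROP",
     lambda p: p.proto == "TCP" and p.state == "NEW" and not is_syn(p), "DROP"),
    ("-p ALL -m state --state ESTABLISHED,RELATED -j ACCEPT",
     lambda p: p.state in ("ESTABLISHED", "RELATED"), "ACCEPT"),
    ("-p TCP -i ppp0 --dport 23 -j ACCEPT",
     lambda p: p.proto == "TCP" and p.iface == EXTIF and p.dport == 23, "ACCEPT"),
    ("-p TCP -i ppp0 --dport 80 -j ACCEPT",
     lambda p: p.proto == "TCP" and p.iface == EXTIF and p.dport == 80, "ACCEPT"),
    ("-p TCP -i ppp0 --dport 21 -j ACCEPT",
     lambda p: p.proto == "TCP" and p.iface == EXTIF and p.dport == 21, "ACCEPT"),
    ("-p ICMP ! --fragment --icmp-type 8 -j ACCEPT",
     lambda p: p.proto == "ICMP" and not p.fragment and p.icmp_type == 8, "ACCEPT"),
    # LOG is a non-terminating target: the packet is written to syslog and
    # keeps going, so the chain policy makes the final decision
    ('-m limit --limit 12/minute --limit-burst 12 -j LOG --log-prefix "INPUT DROP: "',
     lambda p: True, "LOG"),
]
INPUT_POLICY = "DROP"


def walk_input(p):
    """Return (verdict, deciding rule, logged?) for packet p."""
    logged = False
    for rule, match, target in INPUT_CHAIN:
        if not match(p):
            continue
        if target == "LOG":
            logged = True
            continue
        return target, rule, logged
    return INPUT_POLICY, "chain policy", logged


_KV = re.compile(r"(\w+)=(\S*)")


def packet_from_log(line, state="NEW"):
    """Build a Packet from a netfilter LOG line; the caller supplies the state."""
    kv = dict(_KV.findall(line))
    flags = frozenset(tok for tok in line.split() if tok in TCP_FLAGS)
    return Packet(iface=kv["IN"], proto=kv["PROTO"], src=kv["SRC"], dst=kv["DST"],
                  dport=int(kv.get("DPT", 0)), flags=flags, state=state)


# the line kola quoted from syslog
KOLA_LOG_LINE = (
    "Sep 12 21:37:16 xeres kernel: INPUT DROP: IN=eth0 OUT= "
    "MAC=00:d0:09:dc:84:43:00:10:b5:52:d9:81:08:00 SRC=192.168.0.2 DST=192.168.0.1 "
    "LEN=48 TOS=0x00 PREC=0x00 TTL=128 ID=42502 DF PROTO=TCP SPT=1237 DPT=80 "
    "WINDOW=8192 RES=0x00 SYN URGP=0"
)
# constructed packets; the internet side uses documentation addresses
EXT_SRC, EXT_DST = "203.0.113.7", "198.51.100.23"
SAMPLES = {
    "lan client to gateway web server": packet_from_log(KOLA_LOG_LINE),
    "ack-scan probe from the internet": Packet(EXTIF, "TCP", EXT_SRC, EXT_DST, 22, frozenset({"ACK"})),
    "telnet login from the internet": Packet(EXTIF, "TCP", EXT_SRC, EXT_DST, 23, frozenset({"SYN"})),
    "passive ftp data connection": Packet(EXTIF, "TCP", EXT_SRC, EXT_DST, 40123, frozenset({"SYN"}), "RELATED"),
    "netbios probe from the internet": Packet(EXTIF, "TCP", EXT_SRC, EXT_DST, 139, frozenset({"SYN"})),
}


def explain_all():
    """Map each sample name to (verdict, deciding rule, logged?)."""
    return {name: walk_input(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, rule, logged) in explain_all().items():
        print(f"{name:34s} {verdict:6s} {'logged' if logged else 'silent':6s}  {rule}")
```

The walk shows the two things the thread leaves open: the Win98 client's SYN to port 80 on 192.168.0.1 matches no ACCEPT rule because every service rule carries `-i ppp0`, so it reaches the LOG rule and is then dropped by the chain policy, which is exactly the line in syslog; an ACK probe from the internet is dropped by the `! --syn` rule before the LOG rule and leaves no trace. On the live box the equivalent check is `iptables -L INPUT -n -v --line-numbers`, whose per-rule packet counters tell you which rule is absorbing the traffic.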
 
  

