Firewall Rules Summary
From: Hal Flynn (flynn@securityfocus.com)
Date: 08/16/01
Date: Thu, 16 Aug 2001 05:23:34 -0600 (MDT)
From: Hal Flynn <flynn@securityfocus.com>
To: <focus-linux@securityfocus.com>
Subject: Firewall Rules Summary
Message-ID: <Pine.GSO.4.30.0108160517110.13631-100000@mail>
Hi Folks,
First, I'd like to thank all of you that contributed to this summary.
All of your contributions are excellent.
Second, I want to apologize in advance if anybody is offended by the
reformatting of their code/rulesets. I had to adjust some of the
formatting of some of the rulesets to keep it from wrapping and becoming
mangled in the post. The rule content, however, was unchanged.
Third, and finally, I'd like to apologize for getting this out later than
I expected. What started with good intentions of being a 45 minute
project before bed somehow turned into 3 hours worth of reformatting.
Funny how that works.
Thanks again to everybody who participated.
Hal Flynn
Sun/Linux Focus Area Manager
SecurityFocus
"Work makes life sweet."
----------
+++++
Contributed by Todd A. Wood <devnull@cme.ch>
+++++
My General Guidelines:
Rule #1: Know all services and ports open on your system (netstat -an)
Rule #2: Block all reserved ports by default and open only those of your choice
(i.e. www, ssh, auth, dns). Do not forget ports > 1024 (i.e. mysql, tomcat, et
al) that should not be accessible from the Internet directly.
Rule #3: Frequently review your log files and errata alerts for your
distribution.
Attached is my /usr/local/sbin/setup_firewall shell script executed
by /etc/rc.d/rc.local at boot time. This script runs on a fully patched Red
Hat 6.1 and 7.0 box. Interface eth1 is directly on the Internet and eth0 links
to the internal corporate network. These boxes provided HTTP, HTTPS, DNS,
SMTP, POP, and VPN (PPP over SSH) services. Access to IMAP is limited to
Intranet and VPN connections.
This script is provided "as is" with no implied warranty.
<insert your favorite disclaimers here>
#!/bin/bash
##############################################################################
# Copyright (c)2001 come Computer Systeme GmbH. All rights reserved.
#
# $Id: setup_firewall,v 1.7 2001/03/06 12:41:09 tawood Exp $
#
# Setup Firewall Rules using ipchains or iptables depending on kernel version
#
##############################################################################
# Created......: 12 February 2001
# Last Modified: $Date: 2001/03/06 12:41:09 $
# Author.......: $Author: tawood $
# File Version.: $Name: $ $Revision: 1.7 $
# Status.......: $State: Exp $
# Documentation: http://techweb.frick.cme.ch
##############################################################################
# Change History
# --------------
# $Log: setup_firewall,v $
# Revision 1.7 2001/03/06 12:41:09 tawood
# Removed ntp rules as these are covered by the state
# RELATED,ESTABLISHED rule
#
# Revision 1.6 2001/03/06 12:38:38 tawood
# Removed imap2 from allowed Internet Connections -- Only
# allowed via VPN connection now
#
# Revision 1.5 2001/02/20 11:27:06 tawood
# Bug 3 - Added firewall rules to combat spread of Ramen Worm
#
# Revision 1.4 2001/02/19 10:55:14 tawood
# Added chain LOGDROP to enable single logging and dropping
# rules for INPUT chain.
# Added rule for mysql connections.
#
##############################################################################
#
# Tool paths, set before the case so that both the 2.4 (iptables) and the
# 2.2 (ipchains) branch can use them.
IPT=/usr/local/sbin/iptables
IPC=/sbin/ipchains
case $(/bin/uname -r) in
2.4*)
#
# Flush Rules
#
$IPT -F INPUT
$IPT -F FORWARD
$IPT -t nat -F POSTROUTING
$IPT -F LOGDROP
$IPT -X LOGDROP
$IPT -N LOGDROP
#
# Log and Drop Chain
#
$IPT -A LOGDROP -i eth1 -j LOG
$IPT -A LOGDROP -i eth1 -j DROP
#
# Firewall Rules
#
$IPT -A INPUT -i eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -A INPUT -i eth1 -p icmp --icmp-type echo-request -m limit \
--limit 1/s -j ACCEPT
$IPT -A INPUT -i eth1 -p icmp --icmp-type ! echo-request -j ACCEPT
$IPT -A INPUT -i eth1 -p tcp --destination-port ssh -j ACCEPT
$IPT -A INPUT -i eth1 -p tcp --destination-port auth -j ACCEPT
$IPT -A INPUT -i eth1 -p tcp --destination-port smtp -j ACCEPT
$IPT -A INPUT -i eth1 -p tcp --destination-port pop3 -j ACCEPT
$IPT -A INPUT -i eth1 -p tcp --destination-port domain -j ACCEPT
$IPT -A INPUT -i eth1 -p udp --destination-port domain -j ACCEPT
$IPT -A INPUT -i eth1 -p tcp --destination-port www -j ACCEPT
$IPT -A INPUT -i eth1 -p tcp --destination-port https -j ACCEPT
$IPT -A INPUT -i eth1 -p tcp --destination-port 27374 --syn \
-j LOGDROP # Ramen Worm
$IPT -A INPUT -i eth1 -p tcp --destination-port 5555 --syn \
-j LOGDROP # Ramen Worm
$IPT -A INPUT -i eth1 -p udp --destination-port 5555 \
-j LOGDROP # Ramen Worm
$IPT -A INPUT -i eth1 -p tcp --destination-port mysql -j LOGDROP
$IPT -A INPUT -i eth1 -p tcp --destination-port 1024: -j ACCEPT
$IPT -A INPUT -i eth1 -p udp --destination-port 1024: -j ACCEPT
$IPT -A INPUT -i eth1 -j LOG
$IPT -A INPUT -i eth1 -p tcp --syn -j DROP
$IPT -A INPUT -i eth1 -j DROP
#
# IP Masquerading
#
$IPT -t nat -A POSTROUTING -o eth1 -j MASQUERADE
$IPT -A FORWARD -i eth1 -m state --state NEW,INVALID -j LOG
$IPT -A FORWARD -i eth1 -m state --state NEW,INVALID -j REJECT
;;
2.2*)
#
# Flush Rules
#
$IPC -F input
$IPC -F forward
#
# Firewall Rules
#
$IPC -A input -i eth1 -p icmp -j ACCEPT
$IPC -A input -i eth1 --destination-port ssh -p tcp -j ACCEPT
$IPC -A input -i eth1 --destination-port auth -p tcp -j ACCEPT
$IPC -A input -i eth1 --destination-port smtp -p tcp -j ACCEPT
$IPC -A input -i eth1 --destination-port pop3 -p tcp -j ACCEPT
$IPC -A input -i eth1 --destination-port domain -p tcp -j ACCEPT
$IPC -A input -i eth1 --destination-port domain -p udp -j ACCEPT
$IPC -A input -i eth1 --destination-port www -p tcp -j ACCEPT
$IPC -A input -i eth1 --destination-port https -p tcp -j ACCEPT
## Begin Ramen Rules
$IPC -A input -l -i eth1 --destination-port 27374 -p tcp --syn -j DENY
$IPC -A input -l -i eth1 --destination-port 5555 -p tcp --syn -j DENY
$IPC -A input -l -i eth1 --destination-port 5555 -p udp -j DENY
## End Ramen Rules
$IPC -A input -l -i eth1 --destination-port mysql -p tcp -j DENY
$IPC -A input -i eth1 --destination-port 1024: -p tcp -j ACCEPT
$IPC -A input -i eth1 --destination-port 1024: -p udp -j ACCEPT
$IPC -A input -l -i eth1 -j DENY
#
# IP Masquerading
#
$IPC -P forward DENY
$IPC -A forward -i eth1 -j MASQ
#
# Masquerading Assistance for FTP and Real Audio
# (load the 2.2 kernel masquerading helper modules)
#
/sbin/modprobe ip_masq_ftp
/sbin/modprobe ip_masq_raudio
;;
esac
----------
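Added example (mine, not Todd's script or any code from the posting): a small first-match model of netfilter chain evaluation with the rule order of Todd's 2.4 INPUT chain re-created in it, so that the effect of rule ordering behind his Rule #2 (block by default, open only what you choose) can be checked without a kernel. The limit match and the echo-request split on the icmp rules are left out of the model; port numbers stand in for the service names his script uses.

```python
"""First-match simulation of the INPUT chain from Todd Wood's 2.4 ruleset.

Added example, not part of the original posting or of any contributor's
script. It models netfilter semantics only as far as needed: rules are
checked top to bottom, LOG is non-terminating, everything else terminates.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    dport: int = 0             # destination port (0 for icmp)
    syn: bool = False          # SYN set, ACK clear: a new TCP connection
    established: bool = False  # conntrack already knows this flow


@dataclass
class Rule:
    target: str                              # ACCEPT, DROP, LOG or LOGDROP
    proto: Optional[str] = None              # -p
    dport: Optional[Tuple[int, int]] = None  # --destination-port lo:hi
    syn_only: bool = False                   # --syn
    established: bool = False                # -m state --state ESTABLISHED,RELATED

    def matches(self, p: Packet) -> bool:
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.established and not p.established:
            return False
        if self.dport is not None and not (self.dport[0] <= p.dport <= self.dport[1]):
            return False
        if self.syn_only and not p.syn:
            return False
        return True


def evaluate(chain: List[Rule], p: Packet, policy: str = "ACCEPT") -> Tuple[str, bool]:
    """Walk the chain the way netfilter does and return (verdict, logged).

    LOG records the packet and evaluation continues with the next rule.
    LOGDROP models Todd's user chain that logs and then drops. If nothing
    terminating matches, the chain policy decides (his script never sets
    one, so the kernel default ACCEPT applies; the final DROP rule is what
    actually closes the chain).
    """
    logged = False
    for rule in chain:
        if not rule.matches(p):
            continue
        if rule.target == "LOG":
            logged = True
            continue
        if rule.target == "LOGDROP":
            return "DROP", True
        return rule.target, logged
    return policy, logged


def port(n: int) -> Tuple[int, int]:
    return (n, n)


# Todd's INPUT rules for eth1, in the order his script appends them.
TODD_INPUT: List[Rule] = [
    Rule("ACCEPT", established=True),
    Rule("ACCEPT", proto="icmp"),
    Rule("ACCEPT", "tcp", port(22)),     # ssh
    Rule("ACCEPT", "tcp", port(113)),    # auth
    Rule("ACCEPT", "tcp", port(25)),     # smtp
    Rule("ACCEPT", "tcp", port(110)),    # pop3
    Rule("ACCEPT", "tcp", port(53)),     # domain
    Rule("ACCEPT", "udp", port(53)),     # domain
    Rule("ACCEPT", "tcp", port(80)),     # www
    Rule("ACCEPT", "tcp", port(443)),    # https
    Rule("LOGDROP", "tcp", port(27374), syn_only=True),  # Ramen Worm
    Rule("LOGDROP", "tcp", port(5555), syn_only=True),   # Ramen Worm
    Rule("LOGDROP", "udp", port(5555)),                  # Ramen Worm
    Rule("LOGDROP", "tcp", port(3306)),                  # mysql
    Rule("ACCEPT", "tcp", (1024, 65535)),
    Rule("ACCEPT", "udp", (1024, 65535)),
    Rule("LOG"),
    Rule("DROP", "tcp", syn_only=True),
    Rule("DROP"),
]

MYSQL_RULE = TODD_INPUT[13]


def with_rule_moved_after_high_ports(chain: List[Rule], rule: Rule) -> List[Rule]:
    """Copy of the chain with `rule` re-inserted below the 1024: accepts,
    i.e. the common mistake of adding a block rule underneath a broad accept."""
    moved = [r for r in chain if r is not rule]
    idx = next(i for i, r in enumerate(moved)
               if r.proto == "udp" and r.dport == (1024, 65535))
    moved.insert(idx + 1, rule)
    return moved


if __name__ == "__main__":
    mysql_syn = Packet("tcp", 3306, syn=True)
    print(evaluate(TODD_INPUT, mysql_syn))                            # ('DROP', True)
    misordered = with_rule_moved_after_high_ports(TODD_INPUT, MYSQL_RULE)
    print(evaluate(misordered, mysql_syn))                            # ('ACCEPT', False)
    print(evaluate(TODD_INPUT, Packet("tcp", 27374)))                 # ('ACCEPT', False)
```

The last call shows why `--syn` on a block rule is narrower than it looks: a non-SYN segment to 27374 that conntrack does not know is not caught by the Ramen rule and falls through to the `1024:` accept.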
+++++
Contributed by dewt <dewt@kc.rr.com>
+++++
Here's mine, it's somewhat modular so it needs to be a tar archive. Chunks of
this came from various howtos and articles on iptables that existed around
the release of 2.4.0, so I'm not who gets credit for those parts. The rest of
it is mine. This script does NAT and firewalling (customized to my box, so
you'll have to look in block/local to secure the local machine).
A few notes:
Modules you create have to be +x to be run (so you can easily turn them off).
The battlenet module is only needed to host games on battlenet.
Some of my todo notes in the file are done, so don't get confused.
Hope it's of use,
dewt
(unable to post due to .tar.gz and multiple files...standby on this one)
----------
+++++
Contributed by Jem Berkes <berkes@pc9.org>
+++++
I'm somewhat new to iptables as well, but I think I have the hang of it.
Note that this is a firewall script used on a multipurpose machine: it
has some servers, and is also a masquerading gateway. But with the current
setup everything seems to be working perfectly (including ftp
connections). INTIF and EXTIF refer to internal and external interfaces.
TCP_SERVICES are the servers that I'm running.
#!/bin/sh
INTIF=eth0
EXTIF=ppp0
TCP_SERVICES="21,22,25,80,113"
modprobe ip_nat_ftp
modprobe ip_conntrack_ftp
iptables -F INPUT
iptables -F FORWARD
iptables -F OUTPUT
iptables -t nat -F PREROUTING
iptables -t nat -F POSTROUTING
# Kernel guard against SYN flooding
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
iptables -P INPUT DROP
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $EXTIF -m state --state NEW -p tcp -m multiport \
--dport $TCP_SERVICES -j ACCEPT
iptables -A INPUT -i $INTIF -m state --state NEW -j ACCEPT
iptables -A INPUT -i lo -m state --state NEW -j ACCEPT
iptables -A INPUT -j LOG --log-prefix "FW_INPUT "
iptables -P FORWARD DROP
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
iptables -A FORWARD -i $EXTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -j LOG --log-prefix "FW_FORWARD "
iptables -P OUTPUT ACCEPT
iptables -t nat -A POSTROUTING -o $EXTIF -j MASQUERADE
----------
+++++
Contributed by Teemu Torma <tot@trema.com>
+++++
Ok, here is my contribution. I am on a fixed DSL ip address. Very liberal
policy, by default, everything over 1024 accepted.
It tries to limit some DoS attacks, but since I never had them, it is
difficult to know if they are effective. I have been on DSL for only a month
now, so this is still evolving.
Teemu
# Interface to Internet
EXTIF=ppp+
SECIF=ipsec1 # ipsec interface associated with my ppp interface.
EXTIP=1.2.3.4 # my ip address to internet (one fixed DSL address)
# Clean up old rules.
iptables -t filter -F
iptables -t nat -F
iptables -t mangle -F
iptables -X
# Default policies.
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
# For TOS.
iptables -t mangle -A PREROUTING -p tcp --dport ssh \
-j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --dport ftp \
-j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --dport telnet \
-j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --dport http \
-j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --dport https \
-j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p udp --dport domain \
-j TOS --set-tos Minimize-Delay
iptables -t mangle -A PREROUTING -p tcp --dport rsync \
-j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp --dport ftp-data \
-j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp --dport cvspserver \
-j TOS --set-tos Maximize-Throughput
iptables -t mangle -A PREROUTING -p tcp \
-j TOS --set-tos Maximize-Throughput
# TOS for output packages.
iptables -t mangle -A OUTPUT -p tcp --dport ssh \
-j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp --dport ftp \
-j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp --dport telnet \
-j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp --dport http \
-j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp --dport https \
-j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p udp --dport domain \
-j TOS --set-tos Minimize-Delay
iptables -t mangle -A OUTPUT -p tcp --dport rsync \
-j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p tcp --dport ftp-data \
-j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p tcp --dport cvspserver \
-j TOS --set-tos Maximize-Throughput
iptables -t mangle -A OUTPUT -p tcp \
-j TOS --set-tos Maximize-Throughput
# Allow ipsec on output. Just for packet counting.
iptables -A OUTPUT -p udp --dport 500 -j ACCEPT
iptables -A OUTPUT -p 50 -j ACCEPT
iptables -A OUTPUT -p 51 -j ACCEPT
# Transparent proxy.
#iptables -t nat -A PREROUTING -i eth0 -p tcp -d ! $EXTIP \
# --dport http -j REDIRECT --to-port 3128
#iptables -t nat -A PREROUTING -i eth0 -p tcp -d ! $EXTIP \
# --dport https -j REDIRECT --to-port 3128
# No NAT for ipsec traffic.
iptables -t nat -A POSTROUTING -p udp --dport 500 -j ACCEPT
iptables -t nat -A POSTROUTING -p 50 -j ACCEPT
iptables -t nat -A POSTROUTING -p 51 -j ACCEPT
# NAT for external traffic.
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to-source $EXTIP
iptables -t nat -A POSTROUTING -o $SECIF -j SNAT --to-source $EXTIP
# Convenience chains to accept with syn/flood protection and port/scanner
iptables -N do-accept
iptables -A do-accept -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
-m limit --limit 5/s -j ACCEPT
iptables -A do-accept -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
-m limit --limit 1/s \
-j LOG --log-prefix "TCP scan dropped: "
iptables -A do-accept -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
-j DROP
iptables -A do-accept -p tcp --syn \
-m limit --limit 5/s -j ACCEPT
iptables -A do-accept -p tcp --syn \
-m limit --limit 1/s \
-j LOG --log-prefix "TCP SYN Flood dropped: "
iptables -A do-accept -p tcp --syn \
-j DROP
iptables -A do-accept -p icmp --icmp-type echo-request \
-m limit --limit 5/s -j ACCEPT
iptables -A do-accept -p icmp --icmp-type echo-request \
-m limit --limit 1/s \
-j LOG --log-prefix "ICMP Echo-Request dropped: "
iptables -A do-accept -p icmp --icmp-type echo-request \
-j DROP
iptables -A do-accept -j ACCEPT
# Convenience chain to reject with logging.
iptables -N do-reject
iptables -A do-reject -m limit --limit 1/sec \
-j LOG --log-prefix "Rejected: "
iptables -A do-reject -j REJECT
# Convenience chain to reject without logging.
iptables -N do-reject-silent
iptables -A do-reject-silent -j REJECT
# Convenience chain to drop with logging.
iptables -N do-drop
iptables -A do-drop -m limit --limit 1/sec \
-j LOG --log-prefix "Dropped: "
iptables -A do-drop -j DROP
# Setup common services we accept/reject.
iptables -N services
iptables -A services -p udp --dport router -j do-accept
iptables -A services -p udp --dport ntp -j do-accept
iptables -A services -p udp --dport domain -j do-accept
iptables -A services -p tcp --dport domain -j do-accept
iptables -A services -p tcp --dport smtp -j do-accept
iptables -A services -p tcp --dport smtps -j do-accept
iptables -A services -p tcp --dport imap -j do-accept
iptables -A services -p tcp --dport imaps -j do-accept
iptables -A services -p tcp --dport pop3 -j do-accept
iptables -A services -p tcp --dport pop3s -j do-accept
iptables -A services -p tcp --dport nntp -j do-accept
iptables -A services -p tcp --dport nntps -j do-accept
iptables -A services -p tcp --dport finger -j do-accept
iptables -A services -p tcp --dport ident -j do-accept
iptables -A services -p tcp --dport http -j do-accept
iptables -A services -p tcp --dport https -j do-accept
iptables -A services -p tcp --dport kerberos -j do-accept
iptables -A services -p udp --dport kerberos -j do-accept
iptables -A services -p udp --dport talk -j do-accept
iptables -A services -p udp --dport ntalk -j do-accept
iptables -A services -p tcp --dport squid -j do-accept
iptables -A services -p tcp --dport rsync -j do-accept
iptables -A services -p tcp --dport ldap -j do-accept
iptables -A services -p tcp --dport ldaps -j do-accept
iptables -A services -p tcp --dport ssh -j do-accept
iptables -A services -p tcp --dport nfs -j do-reject
iptables -A services -p udp --dport nfs -j do-reject
# Silent reject common packets that are always probed.
iptables -A services -i $EXTIF -p udp --dport sunrpc -j do-reject-silent
iptables -A services -i $EXTIF -p tcp --dport sunrpc -j do-reject-silent
iptables -A services -i $SECIF -p udp --dport sunrpc -j do-reject-silent
iptables -A services -i $SECIF -p tcp --dport sunrpc -j do-reject-silent
iptables -A services -p udp --dport 137:139 -j do-reject-silent
iptables -A services -p tcp --dport 137:139 -j do-reject-silent
iptables -A services -p udp --dport 407 -j do-reject-silent
iptables -A services -p tcp --dport ftp -j do-reject-silent
# Setup common internal service we accept/reject.
iptables -N int-services
iptables -A int-services -p udp --dport syslog -j do-accept
iptables -A int-services -p udp --dport bootps -j do-accept
iptables -A int-services -p tcp --dport bootps -j do-accept
iptables -A int-services -p udp --dport bootpc -j do-accept
iptables -A int-services -p tcp --dport bootpc -j do-accept
iptables -A int-services -p udp --dport comsat -j do-accept
iptables -A int-services -p tcp --dport at-rtmp -j do-accept
iptables -A int-services -p udp --dport at-rtmp -j do-accept
iptables -A int-services -p tcp --dport at-nbp -j do-accept
iptables -A int-services -p udp --dport at-nbp -j do-accept
iptables -A int-services -p tcp --dport at-echo -j do-accept
iptables -A int-services -p udp --dport at-echo -j do-accept
iptables -A int-services -p tcp --dport at-zis -j do-accept
iptables -A int-services -p udp --dport at-zis -j do-accept
# Common sanity rules to disallow fake packets.
iptables -N sanity
iptables -A sanity -i $EXTIF -d 255.255.255.255/32 -j do-drop
iptables -A sanity -i $EXTIF -s 0.0.0.0/32 -j do-drop
iptables -A sanity -i $EXTIF -s 10.7/16 -j do-drop
iptables -A sanity -i $EXTIF -s $EXTIP -j do-drop
iptables -A sanity -i $SECIF -d 255.255.255.255/32 -j do-drop
iptables -A sanity -i $SECIF -s 0.0.0.0/32 -j do-drop
iptables -A sanity -i $SECIF -s 10.7/16 -j do-drop
iptables -A sanity -i $SECIF -s $EXTIP -j do-drop
# Allow established/related connections.
iptables -A INPUT -p tcp -m state --state ESTABLISHED -j ACCEPT
iptables -A INPUT -m state --state RELATED -j ACCEPT
# Allow everything on the local interface.
iptables -A INPUT -i lo -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT
# Allow ipsec.
iptables -A INPUT -p udp --dport 500 -j ACCEPT
iptables -A INPUT -p 50 -j ACCEPT
iptables -A INPUT -p 51 -j ACCEPT
# Check other services
iptables -A INPUT -j sanity
iptables -A INPUT -j services
# Log unauthorized stuff.
# Drop everything here for the range 1..1023, and allow the rest.
iptables -A INPUT -i $EXTIF -p udp --dport :1023 -j do-reject
iptables -A INPUT -i $SECIF -p udp --dport :1023 -j do-reject
iptables -A INPUT -p udp --dport : -j do-accept
iptables -A INPUT -i $EXTIF -p tcp --dport :1023 -j do-reject
iptables -A INPUT -i $SECIF -p tcp --dport :1023 -j do-reject
iptables -A INPUT -p tcp --dport : -j do-accept
iptables -A INPUT -p icmp -j do-accept
# Forward established and related connections.
iptables -A FORWARD -m state --state ESTABLISHED -j ACCEPT
iptables -A FORWARD -m state --state RELATED -j ACCEPT
# Allow ipsec.
iptables -A FORWARD -p udp --dport 500 -j ACCEPT
iptables -A FORWARD -p 50 -j ACCEPT
iptables -A FORWARD -p 51 -j ACCEPT
# Check for services.
iptables -A FORWARD -o $EXTIF -j ACCEPT
iptables -A FORWARD -o $SECIF -j ACCEPT
iptables -A FORWARD -j sanity
iptables -A FORWARD -j services
# Drop everything here for the range 1..1023 coming from the external,
# and allow the rest.
iptables -A FORWARD -i $EXTIF -p udp --dport :1023 -j do-reject
iptables -A FORWARD -i $SECIF -p udp --dport :1023 -j do-reject
iptables -A FORWARD -i $EXTIF -p udp --dport : -j do-accept
iptables -A FORWARD -i $SECIF -p udp --dport : -j do-accept
iptables -A FORWARD -i $EXTIF -p tcp --dport :1023 -j do-reject
iptables -A FORWARD -i $SECIF -p tcp --dport :1023 -j do-reject
iptables -A FORWARD -i $EXTIF -p tcp --dport : -j do-accept
iptables -A FORWARD -i $SECIF -p tcp --dport : -j do-accept
iptables -A FORWARD -p icmp -j do-accept
----------
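Added example (mine, not code from Teemu's or Jem's posting): Jem tags dropped packets with `--log-prefix "FW_INPUT "` and Teemu's convenience chains use prefixes such as `"TCP SYN Flood dropped: "` and `"Rejected: "`. Those prefixes only pay off if the kernel log is actually read, so this parses the netfilter LOG line format as it lands in syslog and counts hits per prefix, protocol and destination port. The log lines are constructed samples using RFC 5737 documentation addresses; the hostname `gw` is made up.

```python
"""Summarise netfilter LOG output by --log-prefix, protocol and destination port.

Added example, not part of the original posting. The sample lines below are
constructed; they follow the 2.4 kernel's LOG target format but are not
captured from any contributor's machine.
"""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Everything between "kernel: " and the first "IN=" is the --log-prefix text;
# the remainder is KEY=VALUE fields mixed with bare flag words (DF, SYN, ...).
_LOG_RE = re.compile(r"kernel:\s+(?P<prefix>.*?)(?P<rest>IN=.*)$")
_FIELD_RE = re.compile(r"(?P<key>[A-Z]+)=(?P<val>\S*)")

SAMPLE_LOG = """\
Aug 16 05:23:34 gw kernel: FW_INPUT IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=5012 DF PROTO=TCP SPT=3412 DPT=27374 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 16 05:23:35 gw kernel: FW_INPUT IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=48 TOS=0x00 PREC=0x00 TTL=113 ID=5013 DF PROTO=TCP SPT=3413 DPT=1080 WINDOW=16384 RES=0x00 SYN URGP=0
Aug 16 05:24:01 gw kernel: Rejected: IN=ppp0 OUT= SRC=192.0.2.44 DST=198.51.100.2 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=UDP SPT=800 DPT=2049 LEN=58
Aug 16 05:24:02 gw kernel: Rejected: IN=ppp0 OUT= SRC=192.0.2.45 DST=198.51.100.2 LEN=78 TOS=0x00 PREC=0x00 TTL=64 ID=2 PROTO=UDP SPT=801 DPT=2049 LEN=58
Aug 16 05:25:10 gw kernel: TCP SYN Flood dropped: IN=ppp0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=0 PROTO=TCP SPT=1025 DPT=80 WINDOW=512 RES=0x00 SYN URGP=0
Aug 16 05:25:11 gw kernel: FW_INPUT IN=ppp0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=84 TOS=0x00 PREC=0x00 TTL=113 ID=5020 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1
Aug 16 05:26:00 gw sshd[411]: Accepted publickey for hal from 192.0.2.10 port 50022 ssh2
"""


def parse_log_line(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of one netfilter LOG line, or None for any other syslog line."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    rest = m.group("rest")
    fields = {"PREFIX": m.group("prefix").strip()}
    for f in _FIELD_RE.finditer(rest):
        # ID= and LEN= occur twice on ICMP/UDP lines; keep the IP-header one.
        fields.setdefault(f.group("key"), f.group("val"))
    # Bare words are flags (DF) and TCP flag bits (SYN, ACK, ...).
    fields["FLAGS"] = " ".join(w for w in rest.split() if "=" not in w)
    return fields


def summarize(lines: List[str]) -> Dict[Tuple[str, str, str], int]:
    """Count logged packets per (prefix, protocol, destination).

    The destination is the DPT for TCP/UDP; ICMP has no port, so its TYPE
    is used in that slot instead.
    """
    counts: Counter = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f is None:
            continue
        proto = f.get("PROTO", "?")
        if proto in ("TCP", "UDP"):
            dest = f.get("DPT", "?")
        else:
            dest = "type " + f.get("TYPE", "?")
        counts[(f["PREFIX"], proto, dest)] += 1
    return dict(counts)


def top_sources(lines: List[str], prefix: str, n: int = 3) -> List[Tuple[str, int]]:
    """Most frequent SRC addresses among lines carrying the given prefix."""
    c: Counter = Counter()
    for line in lines:
        f = parse_log_line(line)
        if f is not None and f["PREFIX"] == prefix:
            c[f["SRC"]] += 1
    return c.most_common(n)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for key, hits in sorted(summarize(lines).items(), key=lambda kv: -kv[1]):
        print(f"{hits:4d}  {key[0]:<24} {key[1]:<5} {key[2]}")
    print(top_sources(lines, "FW_INPUT"))
```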
+++++
Contributed by skylinux <skylinux@earthlink.net>
+++++
Here's a nice iptables example script you can start with.
http://home.earthlink.net/~skylinux/
Skylinux
----------
+++++
Contributed by Rafael Vidal Aroca <rafael@3wt.com.br>
+++++
# rc.firewall for kernel 2.4
# 14/05/2001 - rafael@3wt.com.br
#
INTERNAL_CLASS="10.0.0.0/24"
REAL_IP="x.x.x.x"
#Flush all rules
iptables -F
iptables -F -t nat
iptables -X
iptables -X -t nat
#Close input and forward of packets
iptables -P INPUT DROP
iptables -P FORWARD DROP
#IP Forwarding so that local net can access internet
iptables -t nat -A POSTROUTING -o eth0 -s $INTERNAL_CLASS -j SNAT \
--to $REAL_IP
#Allow return of the packets
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
#Define the IP class that can use nat
iptables -A FORWARD -s $INTERNAL_CLASS -j ACCEPT
#Opened services
iptables -A INPUT -s 127.0.0.1/32 -j ACCEPT
iptables -A INPUT -s $INTERNAL_CLASS -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 25 -j ACCEPT
iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 110 -j ACCEPT
iptables -A INPUT -p icmp -j ACCEPT
iptables -A INPUT -p udp --sport 53 -j ACCEPT
iptables -A INPUT -p tcp -m state --state ESTABLISHED,RELATED \
-j ACCEPT
#Transparent Proxy
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT \
--to-port 3128
#Modules needed for FTP to work correctly through the NAT
insmod ip_nat_ftp
insmod ip_conntrack_ftp
[]s Rafael.
----------
+++++
Contributed by Stephen Young <revoquer@mailandnews.com>
+++++
Here is a ruleset that is specifically made to allow http, irc,
connect to ftp and run a web server. It is a script that runs
from rc.local when I boot.
#!/bin/bash
#######################################################
#IPTABLES: Script/Ruleset made by Stephen Young 2001
#######################################################
# Flush
/sbin/iptables -F INPUT
/sbin/iptables -F OUTPUT
/sbin/iptables -F FORWARD
# Base Policies
/sbin/iptables -P INPUT DROP
/sbin/iptables -P OUTPUT ACCEPT
/sbin/iptables -P FORWARD DROP
# Localhost
/sbin/iptables -A INPUT -i lo -j ACCEPT
# Accept if there is no SYN packet attached
/sbin/iptables -A INPUT -i ppp0 -p tcp ! --syn -j ACCEPT
# DNS replies
/sbin/iptables -A INPUT -i ppp0 -p tcp --sport 53 -j ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p udp --sport 53 -j ACCEPT
# FTP
/sbin/iptables -A INPUT -i ppp0 -p tcp --sport 20 -j ACCEPT
# IDENT
/sbin/iptables -A INPUT -i ppp0 -p tcp --dport 113 -j ACCEPT
# Outbound WWW server
/sbin/iptables -A INPUT -i ppp0 -p tcp --dport 80 -j ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p udp --dport 80 -j ACCEPT
# Type 0 which is echo reply(Ping Reply)
# Type 3 which is Destination Unreachable
# Type 11 which is Time Exceed(Trace Route)
/sbin/iptables -A INPUT -i ppp0 -p icmp --icmp-type 0 -j ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p icmp --icmp-type 3 -j ACCEPT
/sbin/iptables -A INPUT -i ppp0 -p icmp --icmp-type 11 -j ACCEPT
# Log denials
/sbin/iptables -A INPUT -j LOG --log-level debug --log-prefix ---DROPPED---
Later and good luck,
Stephen Young
----------
+++++
Contributed by Alexander Gran <alex@zodiac.dnsalias.org>
+++++
This is my local firewall ruleset, doing masq for the LAN.
Not really experienced, though.
#!/bin/bash
# Firewall
# Portfilter Configuration
FILTERUTIL=/usr/sbin/iptables
WORLD=ppp0
HOME=eth0
# Flush old rules
$FILTERUTIL -F
# Set Policies
$FILTERUTIL -P INPUT DROP
$FILTERUTIL -P OUTPUT ACCEPT
$FILTERUTIL -P FORWARD ACCEPT
# Don't allow faked sender IPs
$FILTERUTIL -A INPUT -i $WORLD -s 192.168.0.0/16 -j DROP
$FILTERUTIL -A INPUT -i $WORLD -s 127.0.0.1/8 -j DROP
$FILTERUTIL -A INPUT -i $WORLD -s 10.0.0.1/8 -j DROP
$FILTERUTIL -A INPUT -i $WORLD -s 127.0.0.1/8 -j DROP
$FILTERUTIL -A INPUT -i $WORLD -s 255.255.255.255 -j DROP
# Activate NAT without netbios
$FILTERUTIL -A FORWARD -s 192.168.0.0/24 -p UDP --sport 137:138 -j REJECT
$FILTERUTIL -A FORWARD -s 192.168.0.0/24 -p TCP --sport 139 -j REJECT
$FILTERUTIL -A FORWARD -i $WORLD -m state --state NEW,INVALID -j REJECT
$FILTERUTIL -t nat -A POSTROUTING -o $WORLD -j MASQUERADE
# Accept anything from me
$FILTERUTIL -A INPUT -i lo -j ACCEPT
# Accept anything from my LAN
$FILTERUTIL -A INPUT -i $HOME -s 192.168.0.0/24 -j ACCEPT
# Open standard services
#$FILTERUTIL -A INPUT -i $WORLD -p TCP --dport talk -j ACCEPT
$FILTERUTIL -A INPUT -i $WORLD -p TCP --dport smtp -j ACCEPT
#$FILTERUTIL -A INPUT -i $WORLD -p TCP --dport ftp -j ACCEPT
#$FILTERUTIL -A INPUT -i $WORLD -p TCP --dport telnet -j ACCEPT
#$FILTERUTIL -A INPUT -i $WORLD -p TCP --dport ssh -j LOG
$FILTERUTIL -A INPUT -i $WORLD -p TCP --dport ssh -j ACCEPT
$FILTERUTIL -A INPUT -i $WORLD -p TCP --dport 2011 -j ACCEPT
# Open ICMP
$FILTERUTIL -A INPUT -i $WORLD -p ICMP -j ACCEPT
# Free anything above 1024 except 3000 (ntop)
$FILTERUTIL -A INPUT -i $WORLD -p TCP --dport 3000 -j REJECT
$FILTERUTIL -A INPUT -i $WORLD -p TCP --dport 1023: -j ACCEPT
$FILTERUTIL -A INPUT -i $WORLD -p UDP --dport 1023: -j ACCEPT
$FILTERUTIL -A INPUT -i $WORLD -p TCP -j REJECT
$FILTERUTIL -A INPUT -i $WORLD -p UDP -j REJECT
----------
+++++
Contributed by R Dicaire <rdicair@home.com>
+++++
http://rdb.linux-help.org/ipmasq/ipmasq.php3 has example ipchains and
iptables firewall scripts to build from.
----------
+++++
Contributed by Edmund Haworth <ehaworth@wortech.ac.uk>
+++++
This is what I used at home, it probably needs a lot of cleaning :)
Change "yourip" to your internet IP and "iptb" to the correct path.
#!/bin/bash
#setup iptables filtering and nating under 2.3/2.4
anywhere=0.0.0.0/0
yourip="!fill me in!"   # placeholder: set this to the Internet-side address
iptb=/usr/local/sbin/iptables
# turn on forwarding in kernel
echo "1" > /proc/sys/net/ipv4/ip_forward
# set up masquerade rule
$iptb -t nat -A POSTROUTING -o ippp0 -j MASQUERADE -s 192.168.1.0/24
#setup INPUT chain
$iptb -P INPUT DROP
#allow on trusted devices, do i trust my self? yes.. stupidly
$iptb -A INPUT -j ACCEPT -i eth0
$iptb -A INPUT -j ACCEPT -i lo
#create/setup the ppp-in chain
$iptb -N ppp-in
#allow icmp
$iptb -A ppp-in -j ACCEPT -p icmp
#specific port denies >1024 tcp
#LOG connections
$iptb -A ppp-in -j LOG -p tcp -d $anywhere --dport 1080
$iptb -A ppp-in -j LOG -p tcp -d $anywhere --dport 2049
$iptb -A ppp-in -j LOG -p tcp -d $anywhere --dport 2064
$iptb -A ppp-in -j LOG -p tcp -d $anywhere --dport 3128
$iptb -A ppp-in -j LOG -p tcp -d $anywhere --dport 3333
$iptb -A ppp-in -j LOG -p tcp -d $anywhere --dport 10000
$iptb -A ppp-in -j LOG -p tcp -d $anywhere --dport 20005
#REJECT the connections after being logged
$iptb -A ppp-in -j REJECT -p tcp -d $anywhere --dport 1080
$iptb -A ppp-in -j REJECT -p tcp -d $anywhere --dport 2049
$iptb -A ppp-in -j REJECT -p tcp -d $anywhere --dport 2064
$iptb -A ppp-in -j REJECT -p tcp -d $anywhere --dport 3128
$iptb -A ppp-in -j REJECT -p tcp -d $anywhere --dport 3333
$iptb -A ppp-in -j REJECT -p tcp -d $anywhere --dport 10000
$iptb -A ppp-in -j REJECT -p tcp -d $anywhere --dport 20005
#specific port denies >1024 udp
$iptb -A ppp-in -j LOG -p udp -d $anywhere --dport 1031
$iptb -A ppp-in -j LOG -p udp -d $anywhere --dport 2049
$iptb -A ppp-in -j LOG -p udp -d $anywhere --dport 3130
$iptb -A ppp-in -j LOG -p udp -d $anywhere --dport 5555
$iptb -A ppp-in -j REJECT -p udp -d $anywhere --dport 1031
$iptb -A ppp-in -j REJECT -p udp -d $anywhere --dport 2049
$iptb -A ppp-in -j REJECT -p udp -d $anywhere --dport 3130
$iptb -A ppp-in -j REJECT -p udp -d $anywhere --dport 5555
#allow specific ports <1024 and all ports >1024 tcp
$iptb -A ppp-in -j ACCEPT -p tcp -d $anywhere --dport 21
$iptb -A ppp-in -j ACCEPT -p tcp -d $anywhere --dport 22
$iptb -A ppp-in -j ACCEPT -p tcp -d $anywhere --dport 25
$iptb -A ppp-in -j ACCEPT -p tcp -d $anywhere --dport 80
$iptb -A ppp-in -j ACCEPT -p tcp -d $anywhere --dport auth
$iptb -A ppp-in -j ACCEPT -p tcp -d $anywhere --dport 443
$iptb -A ppp-in -j ACCEPT -p tcp -d $anywhere --dport 1024:
#allow domain and all ports >1024 udp
$iptb -A ppp-in -j ACCEPT -p udp -d $anywhere --dport 53
$iptb -A ppp-in -j ACCEPT -p udp -d $anywhere --dport 1024:
# add ppp-in chain to INPUT chain for both
# ppp0 and ippp0 (my external devices)
$iptb -A INPUT -i ippp0 -j ppp-in
$iptb -A INPUT -i ppp0 -j ppp-in
# DMZ stuff
#Forward smtp/imap requests to the mail server
#(these rules originally referred to $inetip, which is never set; $yourip is
# the variable defined at the top of the script)
$iptb -t nat -A PREROUTING -m state --state NEW -p tcp -d $yourip \
--dport 25 -j DNAT --to 192.168.1.10:25
$iptb -t nat -A PREROUTING -m state --state NEW -p tcp -d $yourip \
--dport 143 -j DNAT --to 192.168.1.10:143
$iptb -t nat -A PREROUTING -m state --state NEW -p tcp -d $yourip \
--dport 993 -j DNAT --to 192.168.1.10:993
#redirect www traffic to squid for transparent proxying
#(the squid host itself is exempted so its own web traffic is not looped back)
$iptb -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j ACCEPT \
-s 192.168.1.10
$iptb -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT \
--to 192.168.1.10:3128
#EOF
Edmund Haworth
----------
+++++
Contributed by Ross Vandegrift <ross@willow.seitz.com>
+++++
My firewalling script starts by classifying traffic based on
incoming interface. I figure if the Linux kernel gives us
rp_filter, we might as well take advantage of it. Once we know
what the incoming interface is, it makes it much easier to classify
the traffic - we know that incoming packets on the external interface
should never be allowed to hit the NFS port, for example.
I wouldn't recommend most people have telnet and tftp open, but I
have an eccentric boss who is known to run DOS telnet and tftp servers
to enable connectivity at odd times...
Ross Vandegrift
ross@willow.seitz.com
#!/bin/sh
DMZIP=207.106.55.128/26
MAINIP=207.106.55.64/26
FWMAINIP=207.106.55.126
IPT=/usr/local/sbin/iptables
TCP_OPENPORTS=20,21,22,23,25,53,69,80,113
UDP_OPENPORTS=53,123
WORMPORTS=31337,33270,1234,6711,16660,60001,12345,12346,1524,27665,27444,31335,6000,6001,6002
# Correctly configure draconian routing policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# Add the chains we need
$IPT -N IN_ETH0
$IPT -N IN_TCP
$IPT -N IN_UDP
$IPT -N FOR_ETH0
$IPT -N FOR_ETH1
$IPT -N FOR_TCP0
$IPT -N FOR_UDP0
$IPT -N FOR_TCP1
$IPT -N FOR_UDP1
#
# table: filter, chain: INPUT
#
# First make decisions based on the incoming interface
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -i eth1 -j ACCEPT
$IPT -A INPUT -i eth0 -j IN_ETH0
# Then look at relevant subnets
$IPT -A INPUT -s 207.106.55.0/24 -j ACCEPT
$IPT -A INPUT -s 63.121.145.0/24 -j ACCEPT
# Should be the end for INPUT - LOG what's left
#$IPT -A INPUT -m limit --limit 3/minute -j LOG
#
# table: filter, chain: OUTPUT
#
$IPT -A OUTPUT -s $DMZIP -j ACCEPT
$IPT -A OUTPUT -s $FWMAINIP -j ACCEPT
$IPT -A OUTPUT -o lo -d 127.0.0.0/8 -j ACCEPT
$IPT -A OUTPUT -m limit --limit 3/minute -j LOG
#
# table: filter, chain IN_ETH0
#
$IPT -A IN_ETH0 -d $DMZIP -p icmp -j ACCEPT
$IPT -A IN_ETH0 -d $DMZIP -p tcp -j IN_TCP
$IPT -A IN_ETH0 -d $DMZIP -p udp -j IN_UDP
#
# table: filter, chain: IN_TCP
#
# Now install our rules for tcp packets
$IPT -A IN_TCP -p tcp -m multiport \
-d $DMZIP --dport $TCP_OPENPORTS -j ACCEPT -m tcp --syn
$IPT -A IN_TCP -p tcp -m state --state RELATED -j ACCEPT
$IPT -A IN_TCP -p tcp -m state --state ESTABLISHED -j ACCEPT
#
# table: filter, chain: IN_UDP
# Rules for udp packets
$IPT -A IN_UDP -m multiport -p udp \
-d $DMZIP --dport $UDP_OPENPORTS -j ACCEPT
$IPT -A IN_UDP -m multiport -p udp \
-d $DMZIP --sport $UDP_OPENPORTS -j ACCEPT
#
# table: filter, chain: FORWARD
#
# Again, look at incoming interface
$IPT -A FORWARD -i eth0 -j FOR_ETH0
$IPT -A FORWARD -i eth1 -j FOR_ETH1
#
# table: filter, chain: FOR_ETH0
#
$IPT -A FOR_ETH0 -p icmp -j ACCEPT
$IPT -A FOR_ETH0 -p udp -j FOR_UDP0
$IPT -A FOR_ETH0 -p tcp -j FOR_TCP0
#
# table: filter, chain: FOR_ETH1
#
$IPT -A FOR_ETH1 -p icmp -j ACCEPT
$IPT -A FOR_ETH1 -p udp -j FOR_UDP1
$IPT -A FOR_ETH1 -p tcp -j FOR_TCP1
$IPT -A FOR_ETH1 -j ACCEPT
#
# table: filter, chain: FOR_UDP0
#
# Allow IPX over UDP tunnelling
$IPT -A FOR_UDP0 -p udp -s $DMZIP -d $MAINIP -j ACCEPT
$IPT -A FOR_UDP0 -p udp -s ! $DMZIP -d $MAINIP --dport 213 -j ACCEPT
#
# table: filter, chain: FOR_TCP0
#
$IPT -A FOR_TCP0 -p tcp -m multiport \
-d $MAINIP --dport $TCP_OPENPORTS -j ACCEPT -m tcp --syn
$IPT -A FOR_TCP0 -p tcp -m state --state ESTABLISHED -j ACCEPT
$IPT -A FOR_TCP0 -p tcp -m state --state RELATED -j ACCEPT
#
# table: filter, chain: FOR_UDP1
#
$IPT -A FOR_UDP1 -p udp -m multiport --dport $WORMPORTS -j DROP
#
# table: filter, chain FOR_TCP1
#
$IPT -A FOR_TCP1 -p tcp -m multiport --dport $WORMPORTS -j DROP
#
# table: nat, chain: PREROUTING
#
# Spoof protection goes in prerouting, to stop badness
# before it even hits the routing tables
$IPT -t nat -A PREROUTING -s 1.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 2.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 7.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 10.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 23.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 27.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 31.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 41.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 45.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 60.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 68.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 69.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 70.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 71.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 80.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 88.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 90.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 91.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 92.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 100.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 111.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 112.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -i ! lo -s 127.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 128.66.0.0/16 -j DROP
$IPT -t nat -A PREROUTING -s 172.16.0.0/12 -j DROP
$IPT -t nat -A PREROUTING -s 192.168.0.0/16 -j DROP
$IPT -t nat -A PREROUTING -s 197.0.0.0/16 -j DROP
$IPT -t nat -A PREROUTING -s 201.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 220.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 222.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 224.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 240.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 242.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 244.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 251.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 254.0.0.0/8 -j DROP
$IPT -t nat -A PREROUTING -s 255.255.255.255 -j DROP
----------
+++++
Contributed by Brian Youngstrom <briany@altavista.net>
+++++
Here is my IPTables ruleset that I use. It is running on a Slackware 7.1
based system on an @Home connection. I start it from /etc/rc.d/rc.inet1
_before_ the first interface comes up. This does have the unpleasant
side-effect of failing for the NTP host lookup rules...
#!/bin/sh
IPT=/usr/local/sbin/iptables
I_IFACE=eth1
I_IP='internal.ip.add.ress'
E_IFACE=eth0
E_IP='external.ip.add.ress'
# Allow time servers to query me for time
NTP_SERVERS='ntp2.tcp-udp.net allison.radiks.net cuckoo.nevada.edu'
case "$1" in
start)
;;
stop)
echo -n "Stopping Firewall..."
echo 0 > /proc/sys/net/ipv4/ip_forward
$IPT -F
$IPT -F LogNack
$IPT -X LogNack
$IPT -F LogAck
$IPT -t nat -F PREROUTING
$IPT -t nat -F POSTROUTING
$IPT -X LogAck
$IPT -P INPUT ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
echo done
exit 0
;;
restart)
$0 stop
$0 start
exit 0
;;
*)
echo "USAGE: $0 [start|stop|restart]"
exit 1
;;
esac
echo "Starting Firewall..."
echo "Creating LogNack"
$IPT -N LogNack
$IPT -A LogNack -j LOG --log-level warn --log-prefix "FW_Deny: "
$IPT -A LogNack -j DROP
echo "Creating LogAck"
$IPT -N LogAck
$IPT -A LogAck -j LOG --log-level warn --log-prefix "FW_Allow: "
$IPT -A LogAck -j ACCEPT
echo "Allowing lo traffic"
$IPT -A INPUT -i lo -j ACCEPT
echo "Allowing internal <-> FW traffic"
$IPT -A INPUT -i $I_IFACE -j ACCEPT
$IPT -A OUTPUT -o $I_IFACE -j ACCEPT
echo "Allowing ICMP traffic"
#$IPT -A INPUT -p icmp -j ACCEPT
$IPT -A INPUT -p icmp --icmp-type echo-request -i $E_IFACE -j DROP
$IPT -A INPUT -p icmp --icmp-type ! echo-request -j ACCEPT
echo "Starting masq"
#$IPT -t nat -A POSTROUTING -o $E_IFACE -j MASQUERADE
$IPT -t nat -A POSTROUTING -o $E_IFACE -j SNAT --to $E_IP
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# 1 - Enables source-address verification
# 2 - Enables egress filtering
for f in /proc/sys/net/ipv4/conf/*/rp_filter;do
echo 2 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_redirects;do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects;do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/accept_source_route;do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/log_martians;do
echo 1 > $f
done
if [ -f /proc/sys/net/ipv4/tcp_ecn ]; then
echo 0 > /proc/sys/net/ipv4/tcp_ecn
echo "Disabling ECN support"
fi
echo "Allowing related traffic"
$IPT -A INPUT -m state -p all --state ESTABLISHED,RELATED -j ACCEPT
echo "Some basic sanity checking..."
$IPT -A INPUT -s $I_IP -j LogNack
$IPT -A INPUT -i $E_IFACE -s 10.0.0.0/8 -j LogNack
$IPT -A INPUT -i $E_IFACE -s 172.16.0.0/12 -j LogNack
$IPT -A INPUT -i $E_IFACE -s 192.168.0.0/16 -j LogNack
$IPT -A INPUT -s 255.255.255.255 -j LogNack
$IPT -A INPUT -d 0.0.0.0 -j LogNack
$IPT -A INPUT -s 224.0.0.0/4 -j LogNack
$IPT -A INPUT -s 240.0.0.0/5 -j LogNack
echo "Allowing inbound SSH"
$IPT -A INPUT -i $E_IFACE -p tcp --destination-port 22 -j ACCEPT
echo "Allowing inbound SMTP"
$IPT -A INPUT -i $E_IFACE -p tcp --destination-port 25 -j ACCEPT
echo "Allowing inbound www"
$IPT -A INPUT -i $E_IFACE -p tcp --destination-port 80 -j ACCEPT
$IPT -A INPUT -i $E_IFACE -p tcp --destination-port 81 -j ACCEPT
#$IPT -A INPUT -i $E_IFACE -p tcp --destination-port 443 -j ACCEPT
echo "Allowing inbound imap"
$IPT -A INPUT -i $E_IFACE -p tcp --destination-port 143 -j ACCEPT
$IPT -A INPUT -i $E_IFACE -p tcp --destination-port 993 -j ACCEPT
echo "NTP Servers"
for server in $NTP_SERVERS;do
$IPT -A INPUT -i $E_IFACE -p tcp --source $server/24 \
--destination-port 123 -j ACCEPT
$IPT -A INPUT -i $E_IFACE -p udp --source $server/24 \
--destination-port 123 -j ACCEPT
done
echo "Allowing SpeakFreely traffic..."
$IPT -t nat -A PREROUTING -i $E_IFACE -p udp --dport 2074 -j \
DNAT --to 10.0.0.101:2074
$IPT -t nat -A PREROUTING -i $E_IFACE -p udp --dport 2075 -j \
DNAT --to 10.0.0.101:2075
echo "Ignoring traffic"
echo " Ident";$IPT -A INPUT -p tcp --destination-port 113 -j LogNack
echo " DHCP(UDP)"; $IPT -A INPUT -p udp --source-port 67 \
--destination-port 68 -j DROP
echo " DHCP(TCP)"; $IPT -A INPUT -p tcp --source-port 67 \
--destination-port 68 -j DROP
echo " Nbs Brdcst";$IPT -A OUTPUT -o $E_IFACE -p udp \
--destination-port 137 -j DROP
echo "Deny all"
$IPT -A INPUT -j LogNack
$IPT -P INPUT DROP
$IPT -P OUTPUT ACCEPT
$IPT -P FORWARD ACCEPT
echo 1 > /proc/sys/net/ipv4/ip_forward
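The LogNack chain above writes every dropped packet to the kernel log with the prefix "FW_Deny: ", and the sanity-check rules send RFC 1918, multicast, class E and broadcast sources there as well. As an added example that is not part of the original post, this Python script parses such LOG lines (constructed below; the standard iptables LOG KEY=VALUE field format is assumed), counts denied traffic per destination port, and flags sources lying in the blocked reserved ranges, which cannot be real Internet clients.

```python
"""Summarise iptables LOG lines written by the LogNack chain.

Added example, not part of the original post. Assumes the standard
iptables LOG line format (KEY=VALUE fields) and the "FW_Deny: " /
"FW_Allow: " prefixes set above. The log lines below are constructed.
"""
import ipaddress
import re
from collections import Counter

# Source ranges the sanity-check rules hand to LogNack (RFC 1918, loopback,
# multicast, class E, limited broadcast). None of them is routable on the
# Internet, so a hit from the external interface is a spoofed or misrouted
# packet rather than a real client.
BOGUS_SOURCES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "224.0.0.0/4", "240.0.0.0/5", "255.255.255.255/32",
)]

# Constructed sample of what syslog receives from the LOG target (plus one
# martian-source line from log_martians=1, which the parser must skip).
SAMPLE_LOG = """\
Aug 16 05:23:34 gw kernel: FW_Deny: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=51 ID=4711 DF PROTO=TCP SPT=33120 DPT=113 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 16 05:23:35 gw kernel: FW_Deny: IN=eth0 OUT= SRC=10.1.2.3 DST=198.51.100.2 LEN=40 TOS=0x00 PREC=0x00 TTL=240 ID=1 PROTO=TCP SPT=2000 DPT=23 WINDOW=512 RES=0x00 SYN URGP=0
Aug 16 05:23:36 gw kernel: FW_Allow: IN=eth0 OUT= SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=55 ID=900 DF PROTO=TCP SPT=40000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Aug 16 05:23:37 gw kernel: FW_Deny: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.2 LEN=78 TOS=0x00 PREC=0x00 TTL=51 ID=4712 PROTO=UDP SPT=1025 DPT=137 LEN=58
Aug 16 05:23:38 gw kernel: martian source 198.51.100.2 from 10.1.2.3, on dev eth0
"""

PREFIX_RE = re.compile(r"(?P<prefix>FW_(?:Deny|Allow)): (?P<fields>.*)$")
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the LOG fields of one syslog line as a dict, or None if the
    line does not carry one of our prefixes. Bare flags (DF, SYN) have no
    '=' and are deliberately not captured."""
    m = PREFIX_RE.search(line)
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group("fields")))
    fields["prefix"] = m.group("prefix")
    return fields


def is_bogus_source(addr):
    """True if addr lies in one of the reserved ranges the ruleset drops."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BOGUS_SOURCES)


def summarise(lines):
    """Count FW_Deny hits per (protocol, destination port) and count the
    sources that can only be spoofed. FW_Allow lines are skipped."""
    by_port = Counter()
    spoofed = Counter()
    for line in lines:
        f = parse_line(line)
        if f is None or f["prefix"] != "FW_Deny":
            continue
        by_port[(f.get("PROTO", "?"), f.get("DPT", "-"))] += 1
        src = f.get("SRC")
        if src and is_bogus_source(src):
            spoofed[src] += 1
    return by_port, spoofed


if __name__ == "__main__":
    ports, spoofed = summarise(SAMPLE_LOG.splitlines())
    for (proto, dpt), n in ports.most_common():
        print(f"{n:4d}  {proto}/{dpt}")
    for src, n in spoofed.most_common():
        print(f"{n:4d}  spoofed source {src}")
```

Run it against /var/log/messages (or wherever klogd sends log-level warn) instead of SAMPLE_LOG to see which denied ports are actually being hit; a spoofed-source count above zero on the external interface means the RFC 1918 rules are doing real work.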
----------
+++++
Contributed by Richard Caasi <caasi@gort.ucsd.edu>
+++++
#!/bin/sh
# richard caasi
# --------------------------------------------------------------------
# ipchains rc.firewall for localhost
#
# --------------------------------------------------------------------
echo "Setting up ipchains ruleset"
# Some definitions for easy maintenance:
# --------------------------------------------------------------------
EXTERNAL_INTERFACE="eth0" # Internet connected interface
LOOPBACK_INTERFACE="lo" # or your local naming convention
IPADDR="aaa.bbb.ccc.ddd" # your IP address
SUBNET="aaa.bbb.ccc.0/24" # Class C subnet mask
ANYWHERE="any/0" # match any IP address
MY_DOMAIN="aaa.bbb.0.0/16" # Domain address range
NAMESERVER_1="aaa.bbb.ccc.dns" # Primary DNS server
NAMESERVER_2="aaa.bbb.ccc.dd2" # Second DNS server
NAMESERVER_3="aaa.bbb.ccc.ns3" # Third DNS server
SMTP_SERVER="any/0" # external mail server
POP_SERVER="any/0" # external pop server, if any
IMAP_SERVER="any/0" # external imap server, if any
NEWS_SERVER="aaa.bbb.ccc.nnn" # external news server
NTP_SERVER="aaa.bbb.ccc.nws" # external time server
NTP2_SERVER="aaa.bbb.ccc.nw2" # second external time server
LOOPBACK="127.0.0.0/8" # reserved loopback address range
CLASS_A="10.0.0.0/8" # class A private networks
CLASS_B="172.16.0.0/12" # class B private networks
CLASS_C="192.168.0.0/16" # class C private networks
CLASS_D_MULTICAST="224.0.0.0/4" # class D multicast addresses
CLASS_E_RESERVED_NET="240.0.0.0/5" # class E reserved addresses
BROADCAST_SRC="0.0.0.0" # broadcast source address
BROADCAST_DEST="255.255.255.255" # broadcast destination address
PRIVPORTS="0:1023" # well known, privileged port range
UNPRIVPORTS="1024:65535" # unprivileged port range
TRACEROUTE_SRC_PORTS="32769:65535"
TRACEROUTE_DEST_PORTS="33434:33523"
# ....................................................................
# EDIT THESE TO MATCH THE NUMBER OF SERVERS OR CONNECTIONS YOU SUPPORT
# X Windows port allocation begins at 6000 and increments
# for each additional server running from 6000 to 6063.
XWINDOW_PORTS="6000:6063" # (TCP) X windows
# SSH starts at 1023 and works down to 513 for
# each additional simultaneous incoming connection.
SSH_PORTS="900:1023" # simultaneous connections
# --------------------------------------------------------------------
SOCKS_PORT="1080" # (TCP) socks
OPENWINDOWS_PORT="2000" # (TCP) openwindows
NFS_PORT="2049" # (TCP/UDP) NFS
# --------------------------------------------------------------------
# Enable TCP SYN Cookie Protection
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
# Enable always defragging Protection
echo 1 > /proc/sys/net/ipv4/ip_always_defrag
# Enable broadcast echo Protection
echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
# Enable bad error message Protection
echo 1 > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
# Enable IP spoofing protection
# turn on Source Address Verification
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 1 > $f
done
# Disable ICMP Redirect Acceptance
for f in /proc/sys/net/ipv4/conf/*/accept_redirects; do
echo 0 > $f
done
for f in /proc/sys/net/ipv4/conf/*/send_redirects; do
echo 0 > $f
done
# Disable Source Routed Packets
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
echo 0 > $f
done
# Log Spoofed Packets, Source Routed Packets, Redirect Packets
for f in /proc/sys/net/ipv4/conf/*/log_martians; do
echo 1 > $f
done
# --------------------------------------------------------------------
# Flush any existing rules from all chains
ipchains -F
# Set the default policy to deny
ipchains -P input DENY
ipchains -P output REJECT
ipchains -P forward REJECT
# Set masquerade timeout to 10 hours for TCP connections.
ipchains -M -S 36000 0 0
# Disallow Fragmented Packets
ipchains -A input -f -i $EXTERNAL_INTERFACE -j DENY
# --------------------------------------------------------------------
# LOOPBACK
# Unlimited traffic on the loopback interface
ipchains -A input -i $LOOPBACK_INTERFACE -j ACCEPT
ipchains -A output -i $LOOPBACK_INTERFACE -j ACCEPT
# --------------------------------------------------------------------
# Refuse any connections from problem sites
# /etc/rc.d/rc.firewall.blocked contains a list of
# ipchains -A input -i $EXTERNAL_INTERFACE -s <address/mask> -j DENY
# rules to block all access.
# Refuse packets claiming to be from the banned list
if [ -f /etc/rc.d/rc.firewall.blocked ]; then
. /etc/rc.d/rc.firewall.blocked
fi
# --------------------------------------------------------------------
# SPOOFING & BAD ADDRESSES
# Refuse spoofed packets.
# Ignore blatantly illegal source addresses.
# Protect yourself from sending to bad addresses.
# Refuse spoofed packets pretending to be from
# the external interface's IP address
ipchains -A input -i $EXTERNAL_INTERFACE -s $IPADDR -j DENY
# Refuse packets claiming to be to or from a Class A private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_A -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_A -j DENY
# Refuse packets claiming to be to or from a Class B private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_B -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_B -j DENY
# Refuse packets claiming to be to or from a Class C private network
ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_C -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_C -j DENY
# Refuse packets claiming to be to the loopback interface
ipchains -A input -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $LOOPBACK -j DENY
# block directed broadcasts:
# Network base address
# Network broadcast address
DOMAIN_BROADCAST="aaa.bbb.255.255"
DOMAIN_BASE="aaa.bbb.0.0"
ipchains -A input -i $EXTERNAL_INTERFACE -d $DOMAIN_BASE -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $DOMAIN_BROADCAST -j DENY
SUBNET_BROADCAST="aaa.bbb.ccc.255"
SUBNET_BASE="aaa.bbb.ccc.0"
ipchains -A input -i $EXTERNAL_INTERFACE -d $SUBNET_BASE -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $SUBNET_BROADCAST -j DENY
# Refuse malformed broadcast packets
ipchains -A input -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $BROADCAST_DEST -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -d $BROADCAST_SRC -j DENY
# Refuse Class D multicast addresses
# Multicast is only illegal as a source address.
# Multicast uses UDP
# incoming blocked below
# ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST \
# -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -s $CLASS_D_MULTICAST \
-j REJECT
# Refuse Class E reserved IP addresses
# incoming blocked below
# ipchains -A input -i $EXTERNAL_INTERFACE -s $CLASS_E_RESERVED_NET \
# -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -d $CLASS_E_RESERVED_NET \
-j REJECT
# Refuse addresses defined as reserved by the IANA.
# Note: The reserved addresses are allocated periodically.
# Filtering them requires checking the IANA address lists,
# preferably monthly.
# The following matches the IANA list on October 14, 2000.
# 1.*.*.*, 2.*.*.*, 5.*.*.*, 7.*.*.*, 23.*.*.*, 27.*.*.*
# 31.*.*.*, 36.*.*.*, 37.*.*.*, 39.*.*.*, 41.*.*.*, 42.*.*.*
# 49-50.*.*.*, 58-60.*.*.*
# 67-127.*.*.*
# 169.254.0.0/16 - Link Local Networks
# 192.0.2.0/24 - TEST-NET
# 197.*.*.*, 218-255.*.*.*
# 0.*.*.* - Can't be blocked for DHCP users.
ipchains -A input -i $EXTERNAL_INTERFACE -s 0.0.0.0/8 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 1.0.0.0/8 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 2.0.0.0/8 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 5.0.0.0/8 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 7.0.0.0/8 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 23.0.0.0/8 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 27.0.0.0/8 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 31.0.0.0/8 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 36.0.0.0/8 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 37.0.0.0/8 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 39.0.0.0/8 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 41.0.0.0/8 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 42.0.0.0/8 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 49.0.0.0/8 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 50.0.0.0/8 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 58.0.0.0/7 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 60.0.0.0/8 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 67.0.0.0/8 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 68.0.0.0/6 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 72.0.0.0/5 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 80.0.0.0/4 -j DENY
# 96-126
ipchains -A input -i $EXTERNAL_INTERFACE -s 96.0.0.0/3 -j DENY
# Link local networks
ipchains -A input -i $EXTERNAL_INTERFACE -s 169.254.0.0/16 -j DENY
# Test NET
ipchains -A input -i $EXTERNAL_INTERFACE -s 192.0.2.0/24 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 197.0.0.0/8 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 218.0.0.0/7 -j DENY
ipchains -A input -i $EXTERNAL_INTERFACE -s 220.0.0.0/6 -j DENY
# includes multicast, reserved and unallocated addresses
ipchains -A input -i $EXTERNAL_INTERFACE -s 224.0.0.0/3 -j DENY
# --------------------------------------------------------------------
# UNPRIVILEGED PORTS
# Avoid ports subject to protocol & system administration problems.
# Open Windows: establishing a connection
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
-s $IPADDR \
-d $ANYWHERE $OPENWINDOWS_PORT -j REJECT
# Open Windows incoming connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
-d $IPADDR $OPENWINDOWS_PORT -j DENY
# X Windows: establishing a remote connection
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
-s $IPADDR \
-d $ANYWHERE $XWINDOW_PORTS -j REJECT
# X Windows: incoming connection attempt
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
-d $IPADDR $XWINDOW_PORTS -j DENY
# SOCKS: establishing a connection
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
-s $IPADDR \
-d $ANYWHERE $SOCKS_PORT -j REJECT
# SOCKS incoming connection
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
-d $IPADDR $SOCKS_PORT -j DENY
# NFS: TCP connections
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp -y \
-d $IPADDR $NFS_PORT -j DENY
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp -y \
-d $ANYWHERE $NFS_PORT -j REJECT
# NFS: UDP connections
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-d $IPADDR $NFS_PORT -j DENY
# NFS incoming request (normal UDP mode)
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-d $ANYWHERE $NFS_PORT -j REJECT
# --------------------------------------------------------------------
# NOTE:
# The symbolic names used in /etc/services for the port numbers
# vary by supplier. Using them is less error prone and more
# meaningful.
# --------------------------------------------------------------------
# Required Services
# DNS client modes (53)
# ---------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_2 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_2 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_3 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NAMESERVER_3 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# TCP client to server requests are allowed by the protocol
# if UDP requests fail. This is rarely seen. Usually, clients
# use TCP as a secondary nameserver for zone transfers from
# their primary nameservers, and as hackers.
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NAMESERVER_1 53 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NAMESERVER_1 53 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# AUTH (113) - Allowing Your Outgoing AUTH Requests as a Client
# -------------------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 113 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 113 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# AUTH server (113)
# -----------------
# Rejecting Incoming AUTH Requests
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-d $IPADDR 113 -j REJECT
# --------------------------------------------------------------------
# TCP services on selected ports
# Sending Mail through a remote SMTP gateway (25)
# -----------------------------------------------
# Sending Mail through a local SMTP server
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 25 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 25 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# Receiving Mail as a Local SMTP server (25)
# ------------------------------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 25 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 25 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# POP (110) - Retrieving Mail as a POP Client
# -------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $POP_SERVER 110 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $POP_SERVER 110 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# POP (110) - Hosting a POP Server for Remote Clients
# ---------------------------------------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 110 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 110 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# IMAP (143) - Retrieving Mail as an IMAP Client
# ----------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $IMAP_SERVER 143 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IMAP_SERVER 143 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# IMAP (143) - Hosting an IMAP Server for Remote Clients
# ------------------------------------------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 143 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 143 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# NNTP (119) - Reading and Posting News as a Usenet Client
# --------------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $NEWS_SERVER 119 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $NEWS_SERVER 119 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# TELNET (23) - Allowing Outgoing Client Access to Remote Sites
# -------------------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 23 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 23 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# SSH client (22) - Allowing Client Access to Remote SSH Servers
# --------------------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 22 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 22 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $SSH_PORTS \
-d $ANYWHERE 22 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 22 \
-d $IPADDR $SSH_PORTS -j ACCEPT
# SSH (22) - Allowing Remote Client Access to Your Local SSH Server
# -----------------------------------------------------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 22 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 22 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $SSH_PORTS \
-d $IPADDR 22 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 22 \
-d $ANYWHERE $SSH_PORTS -j ACCEPT
# --------------------------------------------------------------------
# FTP (20, 21) - Allowing Outgoing Client Access to Remote FTP Servers
# --------------------------------------------------------------------
# outgoing request
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 21 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 21 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# Normal Port Mode FTP Data Channels
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE 20 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 20 -j ACCEPT
# Passive Mode FTP Data Channels
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# FTP (20, 21) - Allowing Incoming Access to Your Local FTP Server
# ----------------------------------------------------------------
# incoming request
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $MY_DOMAIN $UNPRIVPORTS \
-d $IPADDR 21 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 21 \
-d $MY_DOMAIN $UNPRIVPORTS -j ACCEPT
# Normal Port Mode FTP Data Channel Responses
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR 20 \
-d $MY_DOMAIN $UNPRIVPORTS -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $MY_DOMAIN $UNPRIVPORTS \
-d $IPADDR 20 -j ACCEPT
# Passive Mode FTP Data Channel Responses
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $MY_DOMAIN $UNPRIVPORTS \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR $UNPRIVPORTS \
-d $MY_DOMAIN $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# HTTP (80) - Accessing Remote Web Sites as a Client
# --------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 80 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 80 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# HTTP (80) - Allowing Remote Access to a Local Web Server
# --------------------------------------------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 80 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 80 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# HTTPS (443) - Accessing Remote Web Sites Over SSL as a Client
# -------------------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 443 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 443 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# HTTPS (443) - Allowing Remote Access to a Local SSL Web Server
# --------------------------------------------------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $ANYWHERE $UNPRIVPORTS \
-d $IPADDR 443 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $IPADDR 443 \
-d $ANYWHERE $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# FINGER (79) - Accessing Remote finger Servers as a Client
# ---------------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 79 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 79 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# WHOIS client (43)
# -----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 43 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 43 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# Gopher client (70)
# ------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 70 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 70 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# WAIS client (210)
# -----------------
ipchains -A output -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR $UNPRIVPORTS \
-d $ANYWHERE 210 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp ! -y \
-s $ANYWHERE 210 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
# --------------------------------------------------------------------
# UDP accept only on selected ports
# TRACEROUTE
# traceroute usually uses -S 32769:65535 -D 33434:33523
# -----------------------------------------------------
# Enabling Outgoing traceroute Requests
# -------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $TRACEROUTE_SRC_PORTS \
-d $ANYWHERE $TRACEROUTE_DEST_PORTS -j ACCEPT
# incoming query from the ISP.
# All others are denied by default.
# ---------------------------------
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $MY_DOMAIN 32769:65535 \
-d $IPADDR 33434:33523 -j ACCEPT
# --------------------------------------------------------------------
# --------------------------------------------------------------------
# NTP (123) - Accessing Remote Network Time Servers
# -------------------------------------------------
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NTP_SERVER 123 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NTP_SERVER 123 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 123 \
-d $NTP_SERVER 123 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NTP_SERVER 123 \
-d $IPADDR 123 -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR $UNPRIVPORTS \
-d $NTP2_SERVER 123 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NTP2_SERVER 123 \
-d $IPADDR $UNPRIVPORTS -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 123 \
-d $NTP2_SERVER 123 -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $NTP2_SERVER 123 \
-d $IPADDR 123 -j ACCEPT
# --------------------------------------------------------------------
# RSH (514) - rsh for remote backups and restores
# -------------------------------------------------
BACKUP1="aaa.bbb.ccc.bb1"
BACKUP2="aaa.bbb.ccc.bb2"
ipchains -A input -j ACCEPT -i $EXTERNAL_INTERFACE -p tcp \
-s $BACKUP1 514 -d $IPADDR
ipchains -A input -j ACCEPT -i $EXTERNAL_INTERFACE -p tcp \
-s $BACKUP1 -d $IPADDR
ipchains -A output -j ACCEPT -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR -d 0/0 514
ipchains -A output -j ACCEPT -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR -d $BACKUP1
ipchains -A input -j ACCEPT -i $EXTERNAL_INTERFACE -p tcp \
-s $BACKUP2 514 -d $IPADDR
ipchains -A input -j ACCEPT -i $EXTERNAL_INTERFACE -p tcp \
-s $BACKUP2 -d $IPADDR
ipchains -A output -j ACCEPT -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR -d 0/0 514
ipchains -A output -j ACCEPT -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR -d $BACKUP2
# --------------------------------------------------------------------
# SYSLOG (514) - syslog to remote loghost
# -------------------------------------------------
LOGHOST="aaa.bbb.ccc.log"
ipchains -A output -i $EXTERNAL_INTERFACE -p udp \
-s $IPADDR 514 \
-d $LOGHOST 514 -j ACCEPT
# --------------------------------------------------------------------
# LDAP - ldap server
# -------------------------------------------------
LDAP="aaa.bbb.ccc.ldp"
ipchains -A input -j ACCEPT -i $EXTERNAL_INTERFACE -p tcp \
-s $LDAP 389 -d $IPADDR
ipchains -A input -j ACCEPT -i $EXTERNAL_INTERFACE -p tcp \
-s $LDAP -d $IPADDR
ipchains -A output -j ACCEPT -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR -d 0/0 389
ipchains -A output -j ACCEPT -i $EXTERNAL_INTERFACE -p tcp \
-s $IPADDR -d $LDAP
# --------------------------------------------------------------------
# ICMP
# (4) Source_Quench
# incoming & outgoing requests to slow down (flow control)
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 4 -d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 4 -d $ANYWHERE -j ACCEPT
# (12) Parameter_Problem
# incoming & outgoing error messages
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 12 -d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 12 -d $ANYWHERE -j ACCEPT
# (3) Dest_Unreachable, Service_Unavailable
# incoming & outgoing size negotiation, service or
# destination unavailability, final traceroute response
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 3 -d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 3 -d $MY_DOMAIN -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR fragmentation-needed -d $ANYWHERE -j ACCEPT
# (11) Time_Exceeded
# incoming & outgoing time out conditions,
# also intermediate TTL response to traceroutes
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 11 -d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 11 -d $MY_DOMAIN -j ACCEPT
# allow outgoing pings to anywhere
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 8 -d $ANYWHERE -j ACCEPT
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE 0 -d $IPADDR -j ACCEPT
# allow incoming pings from trusted hosts
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $SUBNET 8 -d $IPADDR -j ACCEPT
ipchains -A output -i $EXTERNAL_INTERFACE -p icmp \
-s $IPADDR 0 -d $SUBNET -j ACCEPT
# --------------------------------------------------------------------
# Reject certain types of common local traffic
# --------------------------------------------------------------------
# ftp
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $MY_DOMAIN \
-d $IPADDR 21 -j REJECT
# telnet
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $MY_DOMAIN \
-d $IPADDR 23 -j REJECT
# bootp, dhcp
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $MY_DOMAIN \
-d $IPADDR 67:68 -j REJECT
# pop3, sunrpc
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $MY_DOMAIN \
-d $IPADDR 110:111 -j REJECT
# netbios
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $MY_DOMAIN \
-d $IPADDR 135:139 -j REJECT
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $MY_DOMAIN \
-d $IPADDR 135:139 -j REJECT
# ms ds
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $MY_DOMAIN \
-d $IPADDR 445 -j REJECT
# compaq insight management web agent
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-s $MY_DOMAIN \
-d $IPADDR 2301 -j REJECT
# bootps and bootpc
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $MY_DOMAIN \
-d $IPADDR 67:68 -j REJECT
# sunrpc
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $MY_DOMAIN \
-d $IPADDR 111 -j REJECT
# snmp
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $MY_DOMAIN \
-d $IPADDR 161:162 -j REJECT
# ms ds
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $MY_DOMAIN \
-d $IPADDR 445 -j REJECT
# carbon copy
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $MY_DOMAIN \
-d $IPADDR 1680 -j REJECT
# pc anywhere
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $MY_DOMAIN \
-d $IPADDR 5632 -j REJECT
# traceroute
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-s $MY_DOMAIN \
-d $IPADDR 33434 -j REJECT
# icmp to port 0
ipchains -A input -i $EXTERNAL_INTERFACE -p icmp \
-s $ANYWHERE \
-d $IPADDR 0 -j DENY -l
# ----------------------------------------------------------------------------
# Enable logging for selected denied packets
ipchains -A input -i $EXTERNAL_INTERFACE -p tcp \
-d $IPADDR 0:65535 -j DENY -l
ipchains -A input -i $EXTERNAL_INTERFACE -p udp \
-d $IPADDR 0:65535 -j DENY -l
# --------------------------------------------------------------------
echo "Load complete"
exit 0
----------
+++++
Contributed by Matthew Sachs <matthewg@zevils.com>
+++++
The init script I use to initialize my firewall is attached. It is
configurable through /etc/firewall.conf (also attached). It does NAT
and can also be configured to do IPSec and port redirection.
*****
Begin firewall
*****
#!/bin/sh
#
# Set up a firewall using iptables that works with NAT and can
# be configured to work with IPSEC. See /etc/firewall.conf.
set -x
. /etc/firewall.conf
getaddr () {
if [ $1 = "addr" ]
then FIELD=2
elif [ $1 = "bcast" ]
then FIELD=3
elif [ $1 = "netmask" ]
then FIELD=4
fi
ifconfig $2 | grep 'inet addr' | awk "{print \$$FIELD}" | \
sed 's/.*://'
}
LOCAL_IF=lo
LOCAL_IP=`getaddr addr $LOCAL_IF`
LOCAL_NET=`getaddr netmask $LOCAL_IF`
LOCAL_BCAST=`getaddr bcast $LOCAL_IF`
LAN_IP=`getaddr addr $LAN_IF`
LAN_NET=`getaddr netmask $LAN_IF`
LAN_BCAST=`getaddr bcast $LAN_IF`
WAN_IP=`getaddr addr $WAN_IF`
WAN_NET=`getaddr netmask $WAN_IF`
WAN_BCAST=`getaddr bcast $WAN_IF`
case $1 in
start|restart|force-reload)
;;
stop)
exit 0
;;
esac
if [ -f /proc/sys/net/ipv4/ip_forward ]
then if [ $FORWARDING ]
then echo "Enabling IP forwarding..."
echo "1" > /proc/sys/net/ipv4/ip_forward
else
echo "Disabling IP forwarding..."
echo "0" > /proc/sys/net/ipv4/ip_forward
fi
fi
if [ -f /proc/sys/net/ipv4/tcp_ecn ]
then if [ $ECN ]
then echo "Enabling ECN..."
echo "1" > /proc/sys/net/ipv4/tcp_ecn
else
echo "Disabling ECN..."
echo "0" > /proc/sys/net/ipv4/tcp_ecn
fi
fi
for CHAIN in `$IPTABLES -L -n | grep Chain | awk '{ print $2 }'`
do $IPTABLES -F $CHAIN
done
for TABLE in `cat /proc/net/ip_tables_names`
do for CHAIN in `$IPTABLES -t $TABLE -L -n | grep Chain | \
awk '{ print $2 }'`
do $IPTABLES -t $TABLE -F $CHAIN
done
done
echo "Clearing tables..."
$IPTABLES -P INPUT DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -t nat -A POSTROUTING -o $WAN_IF -j SNAT --to-source $WAN_IP
$IPTABLES -A FORWARD -i ! $WAN_IF -j ACCEPT
$IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
# the user-defined chains may not exist yet, so silence the error from -X
$IPTABLES -X icmp_packets > /dev/null 2>&1
$IPTABLES -N icmp_packets
$IPTABLES -X tcp_packets > /dev/null 2>&1
$IPTABLES -N tcp_packets
$IPTABLES -X udpincoming_packets > /dev/null 2>&1
$IPTABLES -N udpincoming_packets
echo "Setting up rules..."
for PORT in $TCPALLOW
do $IPTABLES -A tcp_packets -p TCP -m state --state NEW \
--dport $PORT -j ACCEPT
done
$IPTABLES -A tcp_packets -p TCP -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A tcp_packets -j REJECT
for PORT in $UDPALLOW
do $IPTABLES -A udpincoming_packets -p UDP --sport $PORT -j ACCEPT
$IPTABLES -A udpincoming_packets -p UDP --dport $PORT -j ACCEPT
done
$IPTABLES -A udpincoming_packets -j REJECT
$IPTABLES -A icmp_packets -p ICMP -j ACCEPT
echo "Setting up forwarding..."
# each entry is proto:localport:remotehost:remoteport (see firewall.conf)
for FORWARDER in ${FORWARD[*]}
do TMPFWD=`echo $FORWARDER | sed 's/:/ /g'`
PROTO=`echo $TMPFWD | awk '{print $1}'`
LOCALPORT=`echo $TMPFWD | awk '{print $2}'`
REMOTEHOST=`echo $TMPFWD | awk '{print $3}'`
REMOTEPORT=`echo $TMPFWD | awk '{print $4}'`
$IPTABLES -t nat -A PREROUTING -p $PROTO -i $WAN_IF \
--dport $LOCALPORT -j DNAT --to-destination $REMOTEHOST:$REMOTEPORT
# the FORWARD chain sees the packet after DNAT, so match the
# translated destination port, not the public one
$IPTABLES -A FORWARD -p $PROTO -d $REMOTEHOST \
--dport $REMOTEPORT -j ACCEPT
done
# the catch-all REJECT must come after the per-port ACCEPTs above
$IPTABLES -A FORWARD -j REJECT
echo "Setting up protocol allows..."
# Let in IPSec traffic
for PROTO in $PROTOALLOW
do $IPTABLES -A INPUT -p $PROTO -i $WAN_IF -j ACCEPT
done
echo "Setting up flow rules..."
$IPTABLES -A INPUT -i ! $WAN_IF -j ACCEPT
$IPTABLES -A INPUT -p ICMP -i $WAN_IF -j icmp_packets
$IPTABLES -A INPUT -p TCP -i $WAN_IF -j tcp_packets
$IPTABLES -A INPUT -p UDP -i $WAN_IF -j udpincoming_packets
$IPTABLES -A INPUT -p ALL -i ! $WAN_IF -d $LOCAL_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -i ! $WAN_IF -d $LAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $WAN_IP -s $WAN_IP -j ACCEPT
$IPTABLES -A INPUT -p ALL -d $WAN_IP -m state \
--state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A INPUT -j REJECT
$IPTABLES -A OUTPUT -p ALL -s $LOCAL_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $LAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s $WAN_IP -j ACCEPT
$IPTABLES -A OUTPUT -p ALL -s 0.0.0.0 -j ACCEPT
$IPTABLES -A OUTPUT -j DROP
echo "done."
*****
End firewall
*****
Begin firewall.conf
*****
# Firewall configuration file
# Remember to run /etc/rc.d/init.d/firewall restart after modifying!
# Interfaces are defined in /etc/network/interfaces
LAN_IF=eth1
WAN_IF=eth0
# Incoming ports to not block - we need domain to let in responses
# to DNS queries. Port names are from /etc/services, or just use
# port numbers.
TCPALLOW="ssh"
UDPALLOW="domain 500" #500 is IPSEC IKE
PROTOALLOW="50 51" #50 and 51 are for IPSEC.
# Ports to forward
FORWARD=()
# Forward TCP port 8000 to 192.168.5.2:80, port 8001 to 192.168.5.3:80
#FORWARD=(tcp:8000:192.168.5.2:80 tcp:8001:192.168.5.3:80)
# Location of the iptables binary
IPTABLES=/sbin/iptables
# Turn on forwarding
FORWARDING="1"
# Turn off explicit congestion notification
ECN=""
*****
End firewall.conf
*****
----------
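A validation step for the FORWARD=(proto:localport:remotehost:remoteport ...) entries in the firewall.conf above, added here as an example and not part of Matthew Sachs' script: a malformed entry would otherwise turn into a broken or over-broad DNAT rule, so each field is checked before the rule is printed, and the FORWARD rule matches the post-DNAT port. It assumes /sbin/iptables, eth0 as the WAN interface, and a policy of forwarding only to RFC 1918 hosts.

```shell
#!/bin/sh
# Added example (not Matthew Sachs' script): check one FORWARD entry of the
# form proto:localport:remotehost:remoteport before it becomes a DNAT rule.
# IPTABLES, WAN_IF and the RFC 1918-only policy are assumptions.
IPTABLES=/sbin/iptables
WAN_IF=eth0

# port_ok PORT -> true if PORT is an integer in 1..65535
port_ok() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# ipv4_ok ADDR -> true if ADDR is a dotted quad with each octet 0..255
ipv4_ok() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# forward_rule SPEC -> prints the PREROUTING DNAT rule and the matching
# FORWARD accept rule for a valid SPEC; prints nothing and returns 1 otherwise.
forward_rule() {
    oldifs=$IFS; IFS=:
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    proto=$1 lport=$2 rhost=$3 rport=$4
    case "$proto" in tcp|udp) ;; *) return 1 ;; esac
    port_ok "$lport" && port_ok "$rport" && ipv4_ok "$rhost" || return 1
    # policy choice: only forward to RFC 1918 hosts on the LAN side
    case "$rhost" in
        10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
        *) return 1 ;;
    esac
    echo "$IPTABLES -t nat -A PREROUTING -p $proto -i $WAN_IF --dport $lport -j DNAT --to-destination $rhost:$rport"
    # after DNAT the FORWARD chain sees the translated port, not $lport
    echo "$IPTABLES -A FORWARD -p $proto -d $rhost --dport $rport -j ACCEPT"
}
```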
+++++
Contributed by Stephen A. Zarkos <Obsid@Sentry.net>
+++++
Hello,
I developed a couple IPTables based rulesets a few months ago, and so
far I've had some pretty good feedback. They can be obtained at the
following URL:
http://www.sentry.net/~obsid/IPTables/rc.scripts.dir/current/
Or individually at:
http://www.sentry.net/~obsid/IPTables/rc.scripts.dir/current/rc.firewall.iptables.dual
http://www.sentry.net/~obsid/IPTables/rc.scripts.dir/current/rc.firewall.iptables.multi
Hope they prove useful.
Steve.
----------
+++++
Contributed by vogt@hansenet.com
+++++
#! /bin/sh
#
# firewall setting up IPTables firewalling
#
IPTABLES="/sbin/iptables"
set -e
case "$1" in
start)
echo "Starting firewall: "
modprobe ip_conntrack
echo -n "setting default policy: "
# syncookies, connection tracking and NO ip-forwarding
echo "1" > /proc/sys/net/ipv4/tcp_syncookies
# echo "1" > /proc/net/ip_conntrack
echo "0" > /proc/sys/net/ipv4/ip_forward
$IPTABLES -F
$IPTABLES -X
$IPTABLES -Z
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT DROP
$IPTABLES -N in_icmp
$IPTABLES -N in_tcp
$IPTABLES -N in_udp
$IPTABLES -A INPUT -p tcp -j in_tcp
$IPTABLES -A INPUT -p udp -j in_udp
$IPTABLES -A INPUT -p icmp -j in_icmp
echo "done"
echo -n "spoofing, redirect and broadcast protection/logging: "
echo "1" > /proc/sys/net/ipv4/conf/all/log_martians
echo "0" > /proc/sys/net/ipv4/conf/all/accept_redirects
echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "done"
echo -n "enabling scan detection: "
if [ -f /lib/modules/`uname -r`/kernel/net/ipv4/netfilter/ipt_psd.o ]; then
$IPTABLES -A INPUT -m psd -m limit --limit 5/minute \
-j LOG --log-prefix '#### Port Scan ####'
echo "psd enabled"
else
$IPTABLES -A INPUT -p icmp --icmp-type echo-request \
-m limit --limit 5/minute -j LOG --log-prefix '#### Ping Scan ####'
# high rate for stealth scans, since they could be
# legitimate connection attempts as well
$IPTABLES -A in_tcp -p tcp --tcp-flags SYN,ACK,FIN,RST RST \
-m limit --limit 1/s --limit-burst 5 -j LOG \
--log-level info --log-prefix '#### Stealth Scan ####'
$IPTABLES -A in_tcp -p tcp --tcp-flags ALL FIN,URG,PSH \
-m limit --limit 5/m -j LOG --log-level info \
--log-prefix '#### XMAS Scan ####'
$IPTABLES -A in_tcp -p tcp --tcp-flags SYN,RST SYN,RST \
-m limit --limit 5/m -j LOG --log-level info \
--log-prefix '#### SYN/RST Scan ####'
$IPTABLES -A in_tcp -p tcp --tcp-flags SYN,FIN SYN,FIN \
-m limit --limit 5/m -j LOG --log-level info \
--log-prefix '#### SYN/FIN Scan ####'
echo "limited detection enabled (no ipt_psd module)"
fi
echo -n "flood, fragment and various other protections: "
# we allow 4 TCP connects per second, no more
$IPTABLES -N syn-flood
$IPTABLES -A INPUT -p tcp --syn -j syn-flood
$IPTABLES -A syn-flood -m limit --limit 1/s --limit-burst 4 -j RETURN
$IPTABLES -A syn-flood -j DROP
# new connections that have no syn set are most probably evil
$IPTABLES -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
# invalid packets
$IPTABLES -A INPUT -p tcp -m state --state INVALID \
-m limit --limit 10/m -j LOG --log-level info \
--log-prefix "### Invalid Packet ###"
$IPTABLES -A INPUT -p tcp --tcp-option 64 -m limit \
--limit 5/m -j LOG --log-level info \
--log-prefix "### Bad TCP FLAG(64) ###"
$IPTABLES -A INPUT -p tcp --tcp-option 128 -m limit \
--limit 5/m -j LOG --log-level info \
--log-prefix "### Bad TCP FLAG(128) ###"
echo "done"
echo -n "setting up ICMP: "
# we allow echo requests and replies
# we could limit replies to RELATED, but since we answer ping
# requests ourselves, where would be the point in that?
$IPTABLES -A in_icmp -p icmp --icmp-type 0 -j ACCEPT
$IPTABLES -A in_icmp -p icmp --icmp-type 8 -j ACCEPT
# we need destination unreachable
$IPTABLES -A in_icmp -p icmp --icmp-type 3 -j ACCEPT
# we are nice and allow traceroute, though it is not required
$IPTABLES -A in_icmp -p icmp --icmp-type 11 -j ACCEPT
$IPTABLES -A in_icmp -p icmp --icmp-type 30 -j ACCEPT
echo "done"
echo -n "enabling local and outgoing traffic: "
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -I in_tcp -p tcp --dport 1024:65535 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
$IPTABLES -A OUTPUT -j ACCEPT
# we are nice and reject instead of drop ident traffic
$IPTABLES -I in_tcp -p tcp --dport auth -j REJECT
echo "done"
echo -n "enabling selected services:"
$IPTABLES -I in_tcp -p tcp --dport http -m state \
--state NEW,ESTABLISHED -j ACCEPT
echo -n " http"
$IPTABLES -I in_tcp -p tcp --dport ssh -m state \
--state NEW,ESTABLISHED -j ACCEPT
echo -n " ssh"
$IPTABLES -I in_tcp -p tcp --dport smtp -m state \
--state NEW,ESTABLISHED -j ACCEPT
echo -n " smtp"
$IPTABLES -I in_tcp -p tcp --dport imaps -m state \
--state NEW,ESTABLISHED -j ACCEPT
echo -n " imaps"
$IPTABLES -I in_tcp -p tcp --dport domain -m state \
--state NEW,ESTABLISHED -j ACCEPT
$IPTABLES -I in_udp -p udp --dport domain -m state \
--state NEW,ESTABLISHED -j ACCEPT
echo -n " dns"
$IPTABLES -I in_tcp -p tcp --dport ftp -m state \
--state NEW,ESTABLISHED -j ACCEPT
# active ftp
$IPTABLES -I in_tcp -p tcp --dport ftp-data -m state \
--state ESTABLISHED,RELATED -j ACCEPT
echo -n " ftp"
# quake3
$IPTABLES -I in_udp -p udp --dport 1024:65535 -j ACCEPT
echo -n " quake (all UDP >1024)"
echo " - all done"
echo "Firewall setup complete."
;;
stop)
echo -n "Shutting down firewall: "
$IPTABLES -F
$IPTABLES -X
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
echo "done"
;;
*)
echo "Usage: $0 {start|stop}" >&2
exit 1
;;
esac
exit 0
----------